Date: Sat, 4 Sep 1999 17:48:41 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: "Brian F. Feldman" <green@FreeBSD.ORG>
Cc: security@FreeBSD.ORG
Subject: Re: another local DoS fix (PR ???)
Message-ID: <199909050048.RAA63733@apollo.backplane.com>
References: <Pine.BSF.4.10.9909041930390.76486-100000@janus.syracuse.net>
:I can't find the PR for it again (it was from will@iki.fi, supposedly)
:for the problem, but this is something I have been working on
:
:crashopen.c and crashwrite.c had the ability to DoS a system easily.
:I fixed crashopen.c with the addition of badfileops. Crashwrite.c and
:other problems that could crop up like it are fixed by my patch up at
:
: http://www.FreeBSD.org/~green/fdfix2.patch
:
:Let me know how useful you find them. I'd like to get my diffs in
:4.0 soon, since I've been running with them with no problems for
:months, and they make FreeBSD more robust. Let me know what you
:think, even if you don't try them, please :)
:
:--
: Brian Fundakowski Feldman / "Any sufficiently advanced bug is \

I haven't run this patch, but I took a gander at it and it looks quite reasonable to me. There is one area of concern, not so much with the patch itself but the weakness that it reveals in the existing code.

Most of the places you patch run the fo_*() op on the fp and then return, not using the fp again. Some, however, use the fp after the fo_*() function returns. I only see one place where this occurs, F_SETFL in kern/kern_descrip.c, and it's a degenerate case since the fcntls in question typically do not block.

The proper way to deal with the fp stuff would probably be to make the getfp*() inline global and have it bump the ref count, then require the fp to be released. But this would require a considerable amount of rewriting to clean up all the code, so it may not be worth doing. kern/sys_generic.c has a static getfp() which takes an extra 'flags' argument while the rest of the kernel obtains the fp manually and typically without a test against flags. Rewriting the mess would also require all the 'return ( ... fo_* .... )' code in the switch statements to be converted to error = ... fo_* ... so the fp can be released in the outer code.
If you did things this way you would then not bother writing inlines for the fo_*() functions but would instead keep the original function dispatch code.

-Matt

Matthew Dillon <dillon@backplane.com>
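As an added illustration (not code from this thread or from the FreeBSD kernel), a minimal user-space model of the fp lifetime weakness Matt describes and of the getfp-with-reference shape he suggests; struct file, getfp, fhold, fdrop, sys_close, fo_write and install are simplified stand-ins, not the kernel's own functions.

```c
#include <stdlib.h>
/* Simplified user-space model (not FreeBSD kernel code) of the fp
 * lifetime issue: an fo_*() op may block, and a concurrent close()
 * can drop the last reference while the caller still holds a raw fp. */
struct file {
    int f_count;   /* references held */
    int freed;     /* stands in for the memory going back to the allocator */
};
#define NFDS 8
static struct file *fdtable[NFDS];
static struct file *getfp(int fd) {          /* raw lookup, no ref bump */
    return (fd < 0 || fd >= NFDS) ? NULL : fdtable[fd];
}
static void fhold(struct file *fp) { fp->f_count++; }
static void fdrop(struct file *fp) {         /* last drop "frees" the file */
    if (--fp->f_count == 0) fp->freed = 1;
}
static struct file *getfp_held(int fd) {     /* lookup + hold, as suggested */
    struct file *fp = getfp(fd);
    if (fp) fhold(fp);
    return fp;
}
static void sys_close(int fd) {
    struct file *fp = getfp(fd);
    if (!fp) return;
    fdtable[fd] = NULL;
    fdrop(fp);
}
/* The fo_*() op; models "another thread closes fd while we block". */
static int fo_write(struct file *fp, int fd_closed_meanwhile) {
    (void)fp;
    sys_close(fd_closed_meanwhile);
    return 0;
}
/* Both return 1 if fp was touched after being freed, 0 if it was safe. */
static int write_unsafe(int fd) {            /* current pattern: raw fp */
    struct file *fp = getfp(fd);
    if (!fp) return -1;
    fo_write(fp, fd);
    return fp->freed;                        /* fp used after the op */
}
static int write_safe(int fd) {              /* ref held across the op */
    struct file *fp = getfp_held(fd);
    if (!fp) return -1;
    int error = fo_write(fp, fd);            /* not 'return (fo_write(..))' */
    int touched_freed = fp->freed;           /* still valid: we hold a ref */
    fdrop(fp);                               /* released by the outer code */
    return error ? error : touched_freed;
}
static struct file *install(int fd) {        /* open(): one reference */
    struct file *fp = calloc(1, sizeof *fp);
    fp->f_count = 1;
    return fdtable[fd] = fp;
}
```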