Bugtraq mailing list archives
Re: Integer overflow in OpenBSD kernel
From: Jason Houx <coldiso () houx org>
Date: Wed, 10 Sep 2003 11:07:49 -0400 (EDT)
Question - how is upgrade to current a fix for this. Did you research 3.3 --stable et al ? Jason Houx On Wed, 10 Sep 2003, blexim wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Local security bug in OpenBSD semaphore handling Product: OpenBSD kernel (3.3-release, -current before 10/09/2003) Impact: Root may bypass securelevel Bug class: Integer overflow Vendor notified: Yes Fix available: Yes Details: An integer overflow condition exists in the OpenBSD 3.3-release kernel and all previous versions. It is possible for root to write to semi- arbitrary kernel memory irrespective of securelevel(7). This potentially bypasses securelevel as root may modify the running kernel, introducing kernel level backdoors etc. The mechanism used to achieve this is an integer overflow in the semget(2) syscall, described below: sys_semget() allocates a buffer here: src/sys/kern/sysv_sem.c: sys_semget(): semaptr_new->sem_base = malloc(nsems * sizeof(struct sem), M_SEM, M_WAITOK); provided the following checks are passed: src/sys/kern/sysv_sem.c: sys_semget(): if (nsems <= 0 || nsems > seminfo.semmsl) { DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems, seminfo.semmsl)); return (EINVAL); } if (nsems > seminfo.semmns - semtot) { DPRINTF(("not enough semaphores left (need %d, got %d)\n", nsems, seminfo.semmns - semtot)); return (ENOSPC); } If these checks are passed and the buffer is successfully allocated, the nsems (number of semaphores) value associated with the semaphore set is set here: src/sys/kern/sysv_sem.c: sys___semctl(): semaptr_new->sem_nsems = nsems; Please also note that an int is being assigned to a short here, which is a potential source of another bug. Since root is able to raise the values of seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl, it is possible to mis-size the malloc'd buffer, allowing memory to be read and written via the semctl(2) syscall. Exploit: This condition may be reproduced using the attached programs, allowing root to inspect and modify kernel memory. Workaround: None, don't trust securelevel(7) to protect your kernel. Fix: Upgrade to -current or apply the following patch: =================================================================== RCS file: /usr/OpenBSD/cvs/src/sys/kern/sysv_sem.c,v retrieving revision 1.20 retrieving revision 1.21 diff -u -r1.20 -r1.21 - --- src/sys/kern/sysv_sem.c 2003/08/20 18:02:20 1.20 +++ src/sys/kern/sysv_sem.c 2003/09/09 18:57:36 1.21 @@ -1,4 +1,4 @@ - -/* $OpenBSD: sysv_sem.c,v 1.20 2003/08/20 18:02:20 millert Exp $ */ +/* $OpenBSD: sysv_sem.c,v 1.21 2003/09/09 18:57:36 tedu Exp $ */ /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */ /* @@ -884,7 +884,7 @@ if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) || val == seminfo.semmns) return (error); - - if (val < seminfo.semmns) + if (val < seminfo.semmns || val > 0xffff) return (EINVAL); /* can't decrease semmns */ seminfo.semmns = val; return (0); @@ -902,7 +902,7 @@ if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) || val == seminfo.semmsl) return (error); - - if (val < seminfo.semmsl) + if (val < seminfo.semmsl || val > 0xffff) return (EINVAL); /* can't decrease semmsl */ seminfo.semmsl = val; return (0); Discovered by: blexim () hush com of isen Thanks go to the OpenBSD team for an extremely fast response and fix. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAj9fLIMACgkQsE7ilXLZoGZ1uQCfZGsR74VHR4VUar9xeoZ/gwUj5CcA oKpLdVg3FZaPnTNPhKH2qMx+UvYe =5Lmq -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Current thread:
- Integer overflow in OpenBSD kernel blexim (Sep 10)
- Re: Integer overflow in OpenBSD kernel Jason Houx (Sep 10)
- Re: Integer overflow in OpenBSD kernel Steve Shockley (Sep 10)
- Re: Integer overflow in OpenBSD kernel Jedi/Sector One (Sep 10)
- <Possible follow-ups>
- Re: Integer overflow in OpenBSD kernel blexim (Sep 10)
- Re: Integer overflow in OpenBSD kernel Jason Houx (Sep 10)