Bugtraq mailing list archives
FreeBSD Security Advisory: FreeBSD-SA-97:05.open
From: bagel () NEOSOFT COM (Tony Hagale)
Date: Tue, 4 Nov 1997 17:30:54 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
From: FreeBSD Security Officer <security-officer () FreeBSD ORG> To: freebsd-announce () FreeBSD ORG Subject: FreeBSD Security Advisory: FreeBSD-SA-97:05.open Date: Wed, 29 Oct 1997 20:01:00 +0100 (MET) Reply-To: security-officer () FreeBSD ORG Sender: owner-freebsd-announce () FreeBSD ORG X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- =====================================================================
========
FreeBSD-SA-97:05 Security
Advisory
FreeBSD, Inc.
Topic: security compromise via open()
Category: core
Module: kern
Announced: 1997-10-29
Affects: FreeBSD 2.1.*, FreeBSD 2.2.*,
FreeBSD-stable and FreeBSD-current
Corrected: FreeBSD-current as of 1997/10/23 (partly even on
1997/04/14)
FreeBSD-stable as of 1997/10/24
FreeBSD 2.1-stable as of 1997/10/29
FreeBSD only: yes
Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:05/
=====================================================================
========
I. Background
In FreeBSD, the open() system call is used in normal file
operations.
When calling open(), the caller should specify if the file is
to be opened for reading, for writing or for both.
The right to reading from and/or writing to a file is
controlled
by the file's mode bits in the filesystem.
In FreeBSD, open() is also used to obtain the right to do
privileged io instructions.
II. Problem Description
A problem exists in the open() syscall that allows processes
to obtain a valid file descriptor without having read or write
permissions on the file being opened. This is normally not a
problem. The FreeBSD way of obtaining the right to do io
instructions however, is based on the right to open a specific
file (/dev/io).
III. Impact
The problem can be used by any user on the system to do
unauthorised
io instructions.
IV. Workaround
No workaround is available.
V. Solution
Apply the following patches. The first one in
/usr/src/sys/kern,
and the second one in /usr/src/sys/i386/i386,
Rebuild your kernel, install it and reboot your system.
patch 1:
For FreeBSD-current before 1997/10/23:
Index: vfs_syscalls.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- vfs_syscalls.c 1997/10/12 20:24:27 1.76
+++ vfs_syscalls.c 1997/10/22 07:28:51 1.77
@@ -863,11 +863,13 @@
struct flock lf;
struct nameidata nd;
+ flags = FFLAGS(SCARG(uap, flags));
+ if ((flags & FREAD + FWRITE) == 0)
+ return (EINVAL);
error = falloc(p, &nfp, &indx);
if (error)
return (error);
fp = nfp;
- flags = FFLAGS(SCARG(uap, flags));
cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~
S_ISTXT;
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path),
p);
p->p_dupfd = -indx - 1; /* XXX check for fdopen */
For FreeBSD 2.1.* and 2.2.*:
Index: vfs_syscalls.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.51.2.5
diff -u -r1.51.2.5 vfs_syscalls.c
--- vfs_syscalls.c 1997/10/01 06:23:48 1.51.2.5
+++ vfs_syscalls.c 1997/10/28 22:04:43
@@ -688,11 +688,13 @@
struct flock lf;
struct nameidata nd;
+ flags = FFLAGS(uap->flags);
+ if ((flags & FREAD + FWRITE) == 0)
+ return (EINVAL);
error = falloc(p, &nfp, &indx);
if (error)
return (error);
fp = nfp;
- flags = FFLAGS(uap->flags);
cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p);
p->p_dupfd = -indx - 1; /* XXX check for fdopen */
patch 2:
For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before
1997/04/14:
Index: mem.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v
retrieving revision 1.38
retrieving revision 1.38.2.1
diff -u -r1.38 -r1.38.2.1
--- mem.c 1996/09/27 13:25:06 1.38
+++ mem.c 1997/10/23 22:14:24 1.38.2.1
@@ -169,6 +169,7 @@
int fmt;
struct proc *p;
{
+ int error;
struct trapframe *fp;
switch (minor(dev)) {
@@ -179,6 +180,11 @@
return ENODEV;
#endif
case 14:
+ error = suser(p->p_ucred, &p->p_acflag);
+ if (error != 0)
+ return (error);
+ if (securelevel > 0)
+ return (EPERM);
fp = (struct trapframe *)curproc->p_md.md_regs;
fp->tf_eflags |= PSL_IOPL;
break;
=====================================================================
========
FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer () freebsd org PGP Key:
ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: security-notifications () freebsd org
Security public discussion: security () freebsd org
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer
software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=====================================================================
========
-----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNFeHI1UuHi5z0oilAQEtvAQAgMrMQvRpBOiV1nWzPzDSsnQOz4bBppcT SMEssoeRrr0cQQACZ4su3vlb71XJzgXi3bakEvvZgsMSSKb3sNxEl0RHR93cDNlE L9x3sDjbY7l1q2W4BldTly7W4WDjnJt5KEVbi7DKhXb+SuxgaSN0lsow5Cgd54jX skpX4qluhBM= =47P3 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNF+wLfE0YW+shGjqEQLMTgCg35IBdHPA8L8fYmdGGk3+MAk6hcsAoMvN OUfcNBJTrbYZy+tv0De4bnCz =gYka -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- .,_-================-_,. bagel () neosoft com admin () bagel neosoft com .,_-================-_,. Tony Hagale +---------------------------------------------------+ |-BAGEL.NEOSOFT.COM,BAGEL.NET sysadmin..............| |-WWW Designer......http://www.neosoft.com/~bagel...| |-bagel on #sj on EFNet.............................| |-Guru-for-hire UNIX/WIN/c/c++/vb/pascal............| |-Strake Jesuit College Prep CCX Debator/CX Pres....| |-ICQ ID# 3568586...................................| |-U.S. Air Force Auxillary Member...................| |-PGP Key ID 0xAC8468EA.............................| +---------------------------------------------------+
Current thread:
- FreeBSD Security Advisory: FreeBSD-SA-97:05.open Tony Hagale (Nov 04)