Message-ID: <Pine.GSO.4.02.10308310811460.20865-100000@world.cntw.com>
Date: Sun, 31 Aug 2003 08:15:49 +0200 (MET DST)
From: Mats O Jansson <maja@...w.com>
To: ned <nd@...inemenace.org>
Cc: bugs@...nbsd.org, misc@...nbsd.org, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: Re: OpenBSD 3.2 Kthread Madness


Hi!

Why don't you look at the code in current? This was fixed in early May
in rev 1.19.

-moj

On Sat, 30 Aug 2003, ned wrote:

> OPENBSD 3.2 - \3.2\sys\kern\kern_kthread.c
> 
> Ohk, here is the function:
> 
> int
> kthread_create(void (*func)(void *), void *arg,
>     struct proc **newpp, const char *fmt, ...) <---- where the data is
> {
> 	struct proc *p2; <--------- New proc struct
> 	register_t rv[2];
> 	int error;
> 	va_list ap;
> 
> 	/*
> 	 * First, create the new process.  Share the memory, file
> 	 * descriptors and don't leave the exit status around for the
> 	 * parent to wait for.
> 	 */
> 	error = fork1(&proc0, 0,
> 	    FORK_SHAREVM|FORK_NOZOMBIE|FORK_SIGHAND, NULL, 0, func, arg, rv);
> 	if (error)
> 		return (error);
> 
> 	p2 = pfind(rv[0]);
> 
> 	/*
> 	 * Mark it as a system process and not a candidate for
> 	 * swapping.
> 	 */
> 	p2->p_flag |= P_INMEM | P_SYSTEM;	/* XXX */
> 
> 	/* Name it as specified. */
> 	va_start(ap, fmt);
> 	vsprintf(p2->p_comm, fmt, ap); <--- HELLO!
> 	va_end(ap);
> 
> 	/* All done! */
> 	if (newpp != NULL)
> 		*newpp = p2;
> 	return (0);
> } 
> 
> some notes:
> - proc.h defines p_comm for a size of MAXCOMLEN+1
> - MAXCOMLEN is defined in param.h as 16.
> - This gives us 17 bytes to overflow.
> 
> but how? You won't be able to do it from user-land (I presume), and the only 
> way I can imagine this being done is via an LKM. But then I realise that 
> you need root to do anything associated with LKMs. So the chances of 
> actually exploiting it come down to modifying a call in init_main.c and 
> watching your system not power up!
> 
> Patch-wise, is there a vslprintf I can stick in there?
>  - nd
> 
> -- 
> http://felinemenace.org/~nd
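The naming step ned points at, with the bounded alternative he asks about, as an added example. This is not code from the thread or from OpenBSD: it is a user-space stand-in that keeps only what the thread states (MAXCOMLEN is 16, p_comm is MAXCOMLEN+1 bytes). The fake_proc struct, the guard bytes placed after p_comm and the function names are constructed for the demonstration, and the fix shown is the standard C replacement for vsprintf, namely measuring with vsnprintf(NULL, 0, ...) and writing with vsnprintf bounded by sizeof(p_comm); the thread does not say what rev 1.19 actually changed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* MAXCOMLEN is 16 in param.h and p_comm is MAXCOMLEN+1 bytes, as the
 * thread states. The struct below is a constructed user-space stand-in,
 * not the kernel's struct proc. */
#define MAXCOMLEN 16
#define GUARD_PATTERN "GUARD!!"     /* 7 chars + NUL = 8 bytes */

struct fake_proc {
    char p_comm[MAXCOMLEN + 1];     /* same size as proc.h's p_comm */
    char guard[8];                  /* sits right after p_comm in memory */
};

static void init_proc(struct fake_proc *p)
{
    memset(p->p_comm, 0, sizeof(p->p_comm));
    memcpy(p->guard, GUARD_PATTERN, sizeof(p->guard));
}

/* Returns 1 while nothing has been written past the end of p_comm. */
static int guard_intact(const struct fake_proc *p)
{
    return memcmp(p->guard, GUARD_PATTERN, sizeof(p->guard)) == 0;
}

/* How many bytes (excluding the NUL) the formatted name needs.
 * vsnprintf(NULL, 0, ...) only measures, so it is safe for any length;
 * this is the check vsprintf never performs. */
static int name_length(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Bounded version of the naming step. p_comm is always NUL-terminated.
 * Returns 0 if the whole name fit, 1 if it was truncated, -1 on error. */
static int name_proc_bounded(struct fake_proc *p, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(p->p_comm, sizeof(p->p_comm), fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= sizeof(p->p_comm);
}

/* A name that fits: nothing is truncated and the guard is untouched. */
static int demo_short_name_fits(void)
{
    struct fake_proc p;

    init_proc(&p);
    return name_proc_bounded(&p, "cleaner%d", 0) == 0
        && strcmp(p.p_comm, "cleaner0") == 0
        && guard_intact(&p);
}

/* A 40-character name: vsprintf would write 41 bytes into a 17-byte
 * buffer, 24 of them past p_comm; the bounded call keeps exactly
 * MAXCOMLEN characters plus the NUL and reports the truncation. */
static int demo_long_name_truncated(void)
{
    struct fake_proc p;
    const char *longname = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 A's, constructed */

    init_proc(&p);
    return name_length("%s", longname) == 40
        && name_proc_bounded(&p, "%s", longname) == 1
        && strlen(p.p_comm) == MAXCOMLEN
        && guard_intact(&p);
}

int main(void)
{
    printf("short name fits:     %s\n", demo_short_name_fits() ? "ok" : "FAIL");
    printf("long name truncated: %s\n", demo_long_name_truncated() ? "ok" : "FAIL");
    return 0;
}
```

The return value of the bounded call is the part worth keeping in a real fix: a caller that silently accepts a truncated p_comm may later match the wrong process by name, so logging or rejecting names longer than MAXCOMLEN is the safer policy.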


