lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Sep 2003 11:07:49 -0400 (EDT)
From: Jason Houx <coldiso@...x.org>
To: blexim <blexim@...h.com>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: Integer overflow in OpenBSD kernel



Question - how is upgrade to current a fix for this.   Did you research 
3.3 --stable et al ?

Jason Houx


On Wed, 10 Sep 2003, blexim wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Local security bug in OpenBSD semaphore handling
> 
> Product:         OpenBSD kernel (3.3-release, -current before 10/09/2003)
> Impact:          Root may bypass securelevel
> Bug class:       Integer overflow
> Vendor notified: Yes
> Fix available:   Yes
> 
> Details:
> An integer overflow condition exists in the OpenBSD 3.3-release kernel
> and all previous versions.  It is possible for root to write to semi-
> arbitrary kernel memory irrespective of securelevel(7). This potentially
> bypasses securelevel as root may modify the running kernel, introducing
> kernel level backdoors etc. The mechanism used to achieve this is an
> integer overflow in the semget(2) syscall, described below:
> 
> sys_semget() allocates a buffer here:
> 
> src/sys/kern/sysv_sem.c:
> sys_semget():
>   semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
>       M_SEM, M_WAITOK);
> 
> 
> provided the following checks are passed:
> 
> src/sys/kern/sysv_sem.c:
> sys_semget():
>   if (nsems <= 0 || nsems > seminfo.semmsl) {
>       DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
>         seminfo.semmsl));
>       return (EINVAL);
>   }
>   if (nsems > seminfo.semmns - semtot) {
>       DPRINTF(("not enough semaphores left (need %d, got %d)\n",
>         nsems, seminfo.semmns - semtot));
>       return (ENOSPC);
>   }
> 
> If these checks are passed and the buffer is successfully allocated,
> 
> the nsems (number of semaphores) value associated with the semaphore
> 
> set is set here:
> 
> src/sys/kern/sysv_sem.c:
> sys___semctl():
>   semaptr_new->sem_nsems = nsems;
> 
> Please also note that an int is being assigned to a short here, which
> 
> is a potential source of another bug. Since root is able to raise the
> 
> values of seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl,
>  it is possible to mis-size the malloc'd buffer, allowing memory to be
> read and written via the semctl(2) syscall.
> 
> Exploit:
> This condition may be reproduced using the attached programs, allowing
> root to inspect and modify kernel memory.
> 
> Workaround:
> None, don't trust securelevel(7) to protect your kernel.
> 
> Fix:
> Upgrade to -current or apply the following patch:
> 
> ===================================================================
> RCS file: /usr/OpenBSD/cvs/src/sys/kern/sysv_sem.c,v
> retrieving revision 1.20
> retrieving revision 1.21
> diff -u -r1.20 -r1.21
> - --- src/sys/kern/sysv_sem.c	2003/08/20 18:02:20	1.20
> +++ src/sys/kern/sysv_sem.c	2003/09/09 18:57:36	1.21
> @@ -1,4 +1,4 @@
> - -/*	$OpenBSD: sysv_sem.c,v 1.20 2003/08/20 18:02:20 millert Exp $	*/
> +/*	$OpenBSD: sysv_sem.c,v 1.21 2003/09/09 18:57:36 tedu Exp $	*/
>  /*	$NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $	*/
> 
>  /*
> @@ -884,7 +884,7 @@
>  		if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
>  		    val == seminfo.semmns)
>  			return (error);
> - -		if (val < seminfo.semmns)
> +		if (val < seminfo.semmns || val > 0xffff)
>  			return (EINVAL);	/* can't decrease semmns */
>  		seminfo.semmns = val;
>  		return (0);
> @@ -902,7 +902,7 @@
>  		if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
>  		    val == seminfo.semmsl)
>  			return (error);
> - -		if (val < seminfo.semmsl)
> +		if (val < seminfo.semmsl || val > 0xffff)
>  			return (EINVAL);	/* can't decrease semmsl */
>  		seminfo.semmsl = val;
>  		return (0);
> 
> 
> Discovered by:
> blexim@...h.com of isen
> 
> Thanks go to the OpenBSD team for an extremely fast response and fix.
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.3
> 
> wkYEARECAAYFAj9fLIMACgkQsE7ilXLZoGZ1uQCfZGsR74VHR4VUar9xeoZ/gwUj5CcA
> oKpLdVg3FZaPnTNPhKH2qMx+UvYe
> =5Lmq
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
> 
> Free, ultra-private instant messaging with Hush Messenger
> https://www.hushmail.com/services.php?subloc=messenger&l=434
> 
> Promote security and make money with the Hushmail Affiliate Program: 
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
> 



Powered by blists - more mailing lists