lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200309101356.h8ADu9sc024408@mailserver3.hushmail.com>
Date: Wed, 10 Sep 2003 06:56:08 -0700
From: "blexim" <blexim@...h.com>
To: bugtraq@...urityfocus.com
Subject: Integer overflow in OpenBSD kernel


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Local security bug in OpenBSD semaphore handling

Product:         OpenBSD kernel (3.3-release, -current before 10/09/2003)
Impact:          Root may bypass securelevel
Bug class:       Integer overflow
Vendor notified: Yes
Fix available:   Yes

Details:
An integer overflow condition exists in the OpenBSD 3.3-release kernel
and all previous versions.  It is possible for root to write to semi-
arbitrary kernel memory irrespective of securelevel(7). This potentially
bypasses securelevel as root may modify the running kernel, introducing
kernel level backdoors etc. The mechanism used to achieve this is an
integer overflow in the semget(2) syscall, described below:

sys_semget() allocates a buffer here:

src/sys/kern/sysv_sem.c:
sys_semget():
  semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
      M_SEM, M_WAITOK);


provided the following checks are passed:

src/sys/kern/sysv_sem.c:
sys_semget():
  if (nsems <= 0 || nsems > seminfo.semmsl) {
      DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
        seminfo.semmsl));
      return (EINVAL);
  }
  if (nsems > seminfo.semmns - semtot) {
      DPRINTF(("not enough semaphores left (need %d, got %d)\n",
        nsems, seminfo.semmns - semtot));
      return (ENOSPC);
  }

If these checks are passed and the buffer is successfully allocated,

the nsems (number of semaphores) value associated with the semaphore

set is set here:

src/sys/kern/sysv_sem.c:
sys___semctl():
  semaptr_new->sem_nsems = nsems;

Please also note that an int is being assigned to a short here, which

is a potential source of another bug. Since root is able to raise the

values of seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl,
 it is possible to mis-size the malloc'd buffer, allowing memory to be
read and written via the semctl(2) syscall.

Exploit:
This condition may be reproduced using the attached programs, allowing
root to inspect and modify kernel memory.

Workaround:
None, don't trust securelevel(7) to protect your kernel.

Fix:
Upgrade to -current or apply the following patch:

===================================================================
RCS file: /usr/OpenBSD/cvs/src/sys/kern/sysv_sem.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
- --- src/sys/kern/sysv_sem.c	2003/08/20 18:02:20	1.20
+++ src/sys/kern/sysv_sem.c	2003/09/09 18:57:36	1.21
@@ -1,4 +1,4 @@
- -/*	$OpenBSD: sysv_sem.c,v 1.20 2003/08/20 18:02:20 millert Exp $	*/
+/*	$OpenBSD: sysv_sem.c,v 1.21 2003/09/09 18:57:36 tedu Exp $	*/
 /*	$NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $	*/

 /*
@@ -884,7 +884,7 @@
 		if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
 		    val == seminfo.semmns)
 			return (error);
- -		if (val < seminfo.semmns)
+		if (val < seminfo.semmns || val > 0xffff)
 			return (EINVAL);	/* can't decrease semmns */
 		seminfo.semmns = val;
 		return (0);
@@ -902,7 +902,7 @@
 		if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
 		    val == seminfo.semmsl)
 			return (error);
- -		if (val < seminfo.semmsl)
+		if (val < seminfo.semmsl || val > 0xffff)
 			return (EINVAL);	/* can't decrease semmsl */
 		seminfo.semmsl = val;
 		return (0);


Discovered by:
blexim@...h.com of isen

Thanks go to the OpenBSD team for an extremely fast response and fix.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj9fLIMACgkQsE7ilXLZoGZ1uQCfZGsR74VHR4VUar9xeoZ/gwUj5CcA
oKpLdVg3FZaPnTNPhKH2qMx+UvYe
=5Lmq
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ