[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Integer overflow in OpenBSD kernel

To: blexim <blexim@xxxxxxxx>
Subject: Re: Integer overflow in OpenBSD kernel
From: Jason Houx <coldiso@xxxxxxxx>
Date: Wed, 10 Sep 2003 11:07:49 -0400 (EDT)

Question - how is upgrade to current a fix for this.   Did you research 
3.3 --stable et al ?

Jason Houx


On Wed, 10 Sep 2003, blexim wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Local security bug in OpenBSD semaphore handling
> 
> Product:         OpenBSD kernel (3.3-release, -current before 10/09/2003)
> Impact:          Root may bypass securelevel
> Bug class:       Integer overflow
> Vendor notified: Yes
> Fix available:   Yes
> 
> Details:
> An integer overflow condition exists in the OpenBSD 3.3-release kernel
> and all previous versions.  It is possible for root to write to semi-
> arbitrary kernel memory irrespective of securelevel(7). This potentially
> bypasses securelevel as root may modify the running kernel, introducing
> kernel level backdoors etc. The mechanism used to achieve this is an
> integer overflow in the semget(2) syscall, described below:
> 
> sys_semget() allocates a buffer here:
> 
> src/sys/kern/sysv_sem.c:
> sys_semget():
>   semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
>       M_SEM, M_WAITOK);
> 
> 
> provided the following checks are passed:
> 
> src/sys/kern/sysv_sem.c:
> sys_semget():
>   if (nsems <= 0 || nsems > seminfo.semmsl) {
>       DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
>         seminfo.semmsl));
>       return (EINVAL);
>   }
>   if (nsems > seminfo.semmns - semtot) {
>       DPRINTF(("not enough semaphores left (need %d, got %d)\n",
>         nsems, seminfo.semmns - semtot));
>       return (ENOSPC);
>   }
> 
> If these checks are passed and the buffer is successfully allocated,
> 
> the nsems (number of semaphores) value associated with the semaphore
> 
> set is set here:
> 
> src/sys/kern/sysv_sem.c:
> sys___semctl():
>   semaptr_new->sem_nsems = nsems;
> 
> Please also note that an int is being assigned to a short here, which
> 
> is a potential source of another bug. Since root is able to raise the
> 
> values of seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl,
>  it is possible to mis-size the malloc'd buffer, allowing memory to be
> read and written via the semctl(2) syscall.
> 
> Exploit:
> This condition may be reproduced using the attached programs, allowing
> root to inspect and modify kernel memory.
> 
> Workaround:
> None, don't trust securelevel(7) to protect your kernel.
> 
> Fix:
> Upgrade to -current or apply the following patch:
> 
> ===================================================================
> RCS file: /usr/OpenBSD/cvs/src/sys/kern/sysv_sem.c,v
> retrieving revision 1.20
> retrieving revision 1.21
> diff -u -r1.20 -r1.21
> - --- src/sys/kern/sysv_sem.c 2003/08/20 18:02:20     1.20
> +++ src/sys/kern/sysv_sem.c   2003/09/09 18:57:36     1.21
> @@ -1,4 +1,4 @@
> - -/* $OpenBSD: sysv_sem.c,v 1.20 2003/08/20 18:02:20 millert Exp $   */
> +/*   $OpenBSD: sysv_sem.c,v 1.21 2003/09/09 18:57:36 tedu Exp $      */
>  /*   $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $   */
> 
>  /*
> @@ -884,7 +884,7 @@
>               if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
>                   val == seminfo.semmns)
>                       return (error);
> - -           if (val < seminfo.semmns)
> +             if (val < seminfo.semmns || val > 0xffff)
>                       return (EINVAL);        /* can't decrease semmns */
>               seminfo.semmns = val;
>               return (0);
> @@ -902,7 +902,7 @@
>               if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
>                   val == seminfo.semmsl)
>                       return (error);
> - -           if (val < seminfo.semmsl)
> +             if (val < seminfo.semmsl || val > 0xffff)
>                       return (EINVAL);        /* can't decrease semmsl */
>               seminfo.semmsl = val;
>               return (0);
> 
> 
> Discovered by:
> blexim@xxxxxxxx of isen
> 
> Thanks go to the OpenBSD team for an extremely fast response and fix.
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.3
> 
> wkYEARECAAYFAj9fLIMACgkQsE7ilXLZoGZ1uQCfZGsR74VHR4VUar9xeoZ/gwUj5CcA
> oKpLdVg3FZaPnTNPhKH2qMx+UvYe
> =5Lmq
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
> 
> Free, ultra-private instant messaging with Hush Messenger
> https://www.hushmail.com/services.php?subloc=messenger&l=434
> 
> Promote security and make money with the Hushmail Affiliate Program: 
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
>

Follow-Ups:
- Re: Integer overflow in OpenBSD kernel
  - From: Steve Shockley
- Re: Integer overflow in OpenBSD kernel
  - From: Jedi/Sector One

References:
- Integer overflow in OpenBSD kernel
  - From: blexim

Prev by Date: MSIE->NAFfileJPU
Next by Date: MSIE->WsBASEjpu
Previous by thread: Integer overflow in OpenBSD kernel
Next by thread: Re: Integer overflow in OpenBSD kernel
Index(es):
- Date
- Thread