The OpenBSD project "produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. OpenBSD's efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography."
An integer overflow condition exists in the OpenBSD 3.3-release kernel and all previous versions. It allows root to write to semi-arbitrary kernel memory irrespective of securelevel(7). This potentially bypasses securelevel, since root may modify the running kernel and introduce kernel-level backdoors or other changes that securelevel is meant to prevent.
Credit:
The information has been provided by blexim
Vulnerable Systems:
* OpenBSD kernel (3.3-release, -current before 10/09/2003) and prior
The mechanism used to achieve this is an integer overflow in the semget(2) syscall, described below.
sys_semget() allocates the buffer that holds the semaphore set here:
src/sys/kern/sysv_sem.c:
sys_semget():
    semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
        M_SEM, M_WAITOK);
provided the following checks are passed:
src/sys/kern/sysv_sem.c:
sys_semget():
    if (nsems <= 0 || nsems > seminfo.semmsl) {
        DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
            seminfo.semmsl));
        return (EINVAL);
    }
    if (nsems > seminfo.semmns - semtot) {
        DPRINTF(("not enough semaphores left (need %d, got %d)\n",
            nsems, seminfo.semmns - semtot));
        return (ENOSPC);
    }
If these checks are passed and the buffer is successfully allocated, the nsems (number of semaphores) value associated with the semaphore set is recorded here, in the same function that allocated semaptr_new:
src/sys/kern/sysv_sem.c:
sys_semget():
    semaptr_new->sem_nsems = nsems;
Note also that an int (nsems) is being assigned to a short (sem_nsems) here, which is a potential source of another bug. The only bounds on nsems are seminfo.semmsl and seminfo.semmns, and root is able to raise both to arbitrary values via sysctl(8). With a large enough nsems, the product nsems * sizeof(struct sem) wraps in the 32-bit size passed to malloc, so the allocated buffer is far smaller than the semaphore count recorded for the set. semctl(2) operations indexed by semaphore number then read and write kernel memory past the end of that buffer.
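The following program, added here as an illustration and not part of the original advisory or of OpenBSD's source, reproduces the two arithmetic defects described above in user space and sets a hardened sizing check beside them. It models struct sem with a constructed struct of the same field order, forces the kernel's size type to 32 bits (as on i386 at the time), and uses hypothetical function names; it does not touch the kernel and computes nothing beyond sizes and counts.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of struct sem in the field order used by OpenBSD's <sys/sem.h>
 * (semval, sempid, semncnt, semzcnt). Constructed for this example; it is
 * not the kernel's own declaration.
 */
struct sem_model {
	unsigned short semval;
	int            sempid;   /* pid_t */
	unsigned short semncnt;
	unsigned short semzcnt;
};

/* The kernel's size_t was 32 bits on i386; model the wrap explicitly. */
typedef uint32_t ksize_t;

/* The advisory's sizing: nsems * sizeof(struct sem) in 32-bit arithmetic. */
ksize_t vulnerable_alloc_size(int nsems)
{
	return (ksize_t)nsems * (ksize_t)sizeof(struct sem_model);
}

/* The int -> short truncation that happens when sem_nsems is stored. */
unsigned short stored_nsems(int nsems)
{
	return (unsigned short)nsems;
}

/*
 * Smallest nsems for which the multiplication wraps. It passes the
 * original range checks once root has raised semmsl/semmns via sysctl.
 */
int first_wrapping_nsems(void)
{
	return (int)(UINT32_MAX / sizeof(struct sem_model)) + 1;
}

/* True if a semaphore index below sem_nsems can lie past the buffer. */
bool buffer_mis_sized(int nsems)
{
	ksize_t bytes = vulnerable_alloc_size(nsems);
	ksize_t reach = (ksize_t)stored_nsems(nsems) *
	    (ksize_t)sizeof(struct sem_model);
	return reach > bytes;
}

/*
 * Hardened sizing (hypothetical replacement, not OpenBSD's actual fix):
 * keep the original range check, require that nsems fits the short it is
 * stored in, and refuse any count whose product with sizeof(struct sem)
 * would wrap. Returns false where the kernel would return EINVAL.
 */
bool safe_alloc_size(int nsems, int semmsl, ksize_t *out)
{
	if (nsems <= 0 || nsems > semmsl)
		return false;
	if (nsems > USHRT_MAX)
		return false;
	if ((ksize_t)nsems > UINT32_MAX / (ksize_t)sizeof(struct sem_model))
		return false;
	*out = (ksize_t)nsems * (ksize_t)sizeof(struct sem_model);
	return true;
}

int main(void)
{
	int n = first_wrapping_nsems();
	ksize_t sz = 0;

	printf("nsems=%d -> malloc(%u bytes), sem_nsems=%u, mis-sized=%d\n",
	    n, vulnerable_alloc_size(n), stored_nsems(n), buffer_mis_sized(n));
	printf("hardened check accepts nsems=%d: %d\n",
	    n, safe_alloc_size(n, INT_MAX, &sz));
	printf("hardened check accepts nsems=10: %d (%u bytes)\n",
	    safe_alloc_size(10, 60, &sz), sz);
	return 0;
}
```

With a 12-byte struct sem the first wrapping count is 0x15555556; the product is 0x100000008, so malloc receives 8 bytes while sem_nsems records 0x5556 semaphores, each 12 bytes wide. The hardened check rejects that count at the USHRT_MAX bound before the multiplication is ever attempted, and the wrap guard catches the case independently should the short field ever be widened.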
Workaround:
None, don't trust securelevel(7) to protect your kernel.
Fix:
Upgrade to an OpenBSD -current snapshot from 10/09/2003 or later, which contains the corrected sysv_sem.c.