FreeBSD is "a modern operating system for x86, amd64, Alpha, IA-64, PC-98 and SPARC architectures. It's based on the UNIX operating system, BSD, which was created at the University of California, Berkeley". The PT_LWPINFO ptrace command allows a tracer to get information on a running thread.
Vulnerable Systems:
* FreeBSD version 6.0-RELEASE
* FreeBSD version 6.1-RELEASE
Due to the use of signed integers and a lack of proper input validation, the kernel can be made to panic, resulting in a denial of service (DoS). The affected code follows.
953 case PT_LWPINFO:
954 if (data == 0 || data > sizeof(*pl))
955 return (EINVAL);
Because the "data" variable is a signed integer, the check on line 954 can easily be bypassed with a negative value. The negative value is then passed to copyout(), which results in a kernel panic or corruption of user-space memory.
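A user-space model of the signed-length pattern described above, as an added example that is not FreeBSD's code. It assumes the limit is compared as a signed int; struct lwpinfo_model, check_weak, check_hardened and copy_length are hypothetical names, and the hardened check is one possible form, not the vendor's fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the structure the kernel fills in;
 * not FreeBSD's definition. */
struct lwpinfo_model {
    int32_t lwpid;
    int32_t event;
};

/* Weak check: rejects 0 and values above the limit, but the comparison is
 * signed (an assumption of this model), so any negative length is accepted. */
static int check_weak(int data)
{
    if (data == 0 || data > (int)sizeof(struct lwpinfo_model))
        return EINVAL;
    return 0;
}

/* Hardened check: reject non-positive lengths first, then compare as size_t. */
static int check_hardened(int data)
{
    if (data <= 0 || (size_t)data > sizeof(struct lwpinfo_model))
        return EINVAL;
    return 0;
}

/* Length that a copy routine taking a size_t would see for a given value. */
static size_t copy_length(int data)
{
    return (size_t)data;
}

int main(void)
{
    int samples[] = { 8, 4, 0, 9, -1, -4096 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int d = samples[i];
        printf("data=%6d weak=%s hardened=%s copy_len=%zu\n", d,
               check_weak(d) ? "EINVAL" : "ok",
               check_hardened(d) ? "EINVAL" : "ok", copy_length(d));
    }
    return 0;
}
```

For the negative samples the weak check reports "ok" while the converted copy length is far larger than the structure, which is the condition the hardened check rejects.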
Vendor response:
"The policy of the FreeBSD Security Team is that local denial of service bugs not be treated as security issues; it is possible that this problem will be corrected in a future Erratum."