A vulnerability has been discovered by Georgi Guninski in OpenBSD, the vulnerability allows local attackers that can execute a specially crafted binary to cause kernel panic on at least OpenBSD 3.3 and 2.8.
Credit:
The information has been provided by Georgi Guninski.
Vulnerable code:
The problem seems in "ibcs2_exec.c" line 619 of 738 --83%-- col 1-8 /* read in segment table */
xs = (struct xseg *)malloc(xep->xe_segsize, M_TEMP, M_WAITOK);
error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t)xs,
Looks like malloc can return NULL. Another potential problem is in "exec_elf.c" line 792 of 827 --95%-- col 6-20: np = (Elf_Note *)malloc(ph->p_filesz, M_TEMP, M_WAITOK);
Vendor status:
* OpenBSD was notified on Mon, 3 Nov 2003 16:04:40 +0200.
* Fix was available in CVS in less than 24 hours.
* Fix available at http://www.openbsd.org/errata.html.
/*
* Copyright (c) 1994, 1995 Scott Bartram
* All rights reserved.
*
* adapted from sys/sys/exec_ecoff.h
* based on Intel iBCS2
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _IBCS2_EXEC_H_
#define _IBCS2_EXEC_H_
/*
* COFF file header
*/
struct coff_filehdr {
u_short f_magic; /* magic number */
u_short f_nscns; /* # of sections */
long f_timdat; /* timestamp */
long f_symptr; /* file offset of symbol table */
long f_nsyms; /* # of symbol table entries */
u_short f_opthdr; /* size of optional header */
u_short f_flags; /* flags */
};
struct coff_aouthdr {
short a_magic;
short a_vstamp;
long a_tsize;
long a_dsize;
long a_bsize;
long a_entry;
long a_tstart;
long a_dstart;
};
/* magic */
#define COFF_OMAGIC 0407 /* text not write-protected; data seg
is contiguous with text */
#define COFF_NMAGIC 0410 /* text is write-protected; data starts
at next seg following text */
#define COFF_ZMAGIC 0413 /* text and data segs are aligned for
direct paging */
#define COFF_SMAGIC 0443 /* shared lib */
/*
* COFF section header
*/
struct coff_scnhdr {
char s_name[8];
long s_paddr;
long s_vaddr;
long s_size;
long s_scnptr;
long s_relptr;
long s_lnnoptr;
u_short s_nreloc;
u_short s_nlnno;
long s_flags;
};
struct xiter {
long xi_size; /* text/data size */
long xi_rep; /* number of replications */
long xi_offset; /* offset within segment to replicated data */
};
