Patch 015: setitimer

Contributed by jose on 2002-10-04 from the patch--p0 dept.

Indigo writes:

"I'm sure everybody checks errata once a day or more, anyway there's a new patch from http://www.openbsd.org/errata.html . Quoting:
# 015: SECURITY FIX: October 2, 2002
Incorrect argument checking in the setitimer(2) system call
may allow an attacker to write to kernel memory.
A source code ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/015_kerntime.patch exists which remedies the problem."

Looking at the patch, it looks like another bounds checking problem. Simple fix, directions in the patch.

(Comments are closed)

Comments

By Aaron Campbell () aaron@monkey.org on 2002-10-04 03:12 http://www.monkey.org/~aaron

This one is tricky. The old code:

#define ITIMER_PROF 2

int
sys_setitimer(p, v, retval)
struct proc *p;
register void *v;
register_t *retval;
{
register struct sys_setitimer_args /* {
syscallarg(u_int) which;
syscallarg(struct itimerval *) itv;
syscallarg(struct itimerval *) oitv;
} */ *uap = v;
...
if (SCARG(uap, which) > ITIMER_PROF)
return (EINVAL);
...
p->p_stats->p_timer[SCARG(uap, which)] = aitv;
...

The ITIMER_PROF bounds check looks fine, doesn't it? Since `which' is passed in as u_int, the syscall should return EINVAL if `which' is greater than 2.

But the "syscallarg(u_int) which" declaration shown above is non-functional; it's commented out. The real argument structure is defined in syscallargs.h:

struct sys_setitimer_args {
syscallarg(int) which;
syscallarg(const struct itimerval *) itv;
syscallarg(struct itimerval *) oitv;
};

Here it is defined as int! Comment rot. So an attacker passes in which as a negative number and is able to overwrite kernel memory. Nifty.
By Anonymous Coward () on 2002-10-04 03:49

Local compromise? Remote?
By Anonymous Coward () on 2002-10-04 10:13

Sadly, I don't look at errata every day. But I do look at OpenBSD Journal daily, so thanks Indigo for notifying us of the patch.
By Dom De Vitto () dom@devitto.com on 2002-10-04 10:23 mailto:dom@devitto.com

I thought just about everything was compiled -Wall, which IIRC would warn on type mismatch..?

Dom
By Han () on 2002-10-04 12:49 http://www.xs4all.nl/~hanb/software/errata_check

I wrote this script that checks the errata. Run it from cron. or /etc/daily.local or whatever.
By RC () on 2002-10-04 21:47

I was reading the recently released document on Multics security... It was an interesting read.

Their two big security benefits over modern systems were 1) a programming language that would not allow input without bounds, so there could not be unchecked input and 2) a processor with a positive incrimenting stack.

While 2 would have to be done by processor designers, perhaps #1 could be added to GCC? Modify it so that it does not allow input without an explicit boundary. Or perhaps have GCC outmatically determine the length of a string, and modify the output to prevent over-sized input.

Latest Articles

Wed, Apr 24
- 04:35 Game of Trees 0.98 released (0)
Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (12)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]