Contributed by jose on from the patch--p0 dept.
"I'm sure everybody checks errata once a day or more, anyway there's a new patch from http://www.openbsd.org/errata.html . Quoting:

    # 015: SECURITY FIX: October 2, 2002
    Incorrect argument checking in the setitimer(2) system call may allow an attacker to write to kernel memory.
    A source code patch (ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/015_kerntime.patch) exists which remedies the problem.

Looking at the patch, it looks like another bounds checking problem. Simple fix, directions in the patch."
(Comments are closed)
By Aaron Campbell () aaron@monkey.org on http://www.monkey.org/~aaron
    #define ITIMER_PROF 2

    int
    sys_setitimer(p, v, retval)
        struct proc *p;
        register void *v;
        register_t *retval;
    {
        register struct sys_setitimer_args /* {
            syscallarg(u_int) which;
            syscallarg(struct itimerval *) itv;
            syscallarg(struct itimerval *) oitv;
        } */ *uap = v;
        ...
        if (SCARG(uap, which) > ITIMER_PROF)
            return (EINVAL);
        ...
        p->p_stats->p_timer[SCARG(uap, which)] = aitv;
        ...
The ITIMER_PROF bounds check looks fine, doesn't it? Since `which' is passed in as u_int, the syscall should return EINVAL if `which' is greater than 2.
But the "syscallarg(u_int) which" declaration shown above is non-functional; it's commented out. The real argument structure is defined in syscallargs.h:
    struct sys_setitimer_args {
        syscallarg(int) which;
        syscallarg(const struct itimerval *) itv;
        syscallarg(struct itimerval *) oitv;
    };
Here it is defined as int! Comment rot. So an attacker passes in which as a negative number and is able to overwrite kernel memory. Nifty.
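The signed/unsigned mismatch described above, as an added user-space model (this is not code from the OpenBSD patch or from the comment; the function names and the index out-parameter are constructed for illustration). It shows the pre-patch comparison letting a negative `which` through, and the hardened comparison rejecting it:

```c
/* Added example: why "which > ITIMER_PROF" is not a bounds check when
 * 'which' is a signed int, and what the fixed check must do instead. */
#include <errno.h>
#include <stdio.h>
#include <sys/time.h>   /* struct itimerval, for the offset computation */

#define ITIMER_PROF 2

/* Pre-patch logic: the comparison was written as if 'which' were u_int,
 * but syscallargs.h declares it int, so -1 > 2 is simply false.
 * Returns 0 and stores the index that would be used, or EINVAL. */
int check_which_before(int which, int *index)
{
    if (which > ITIMER_PROF)
        return EINVAL;
    *index = which;            /* may be negative: points before p_timer[] */
    return 0;
}

/* Hardened logic: compare as unsigned so every negative value becomes a
 * huge number and fails the same test (equivalent to which < 0 || which > 2). */
int check_which_after(int which, int *index)
{
    if ((unsigned int)which > ITIMER_PROF)
        return EINVAL;
    *index = which;            /* now guaranteed 0..ITIMER_PROF */
    return 0;
}

/* Byte offset from the start of the timer array that an index would write to;
 * negative means the write lands in whatever precedes the array. */
long write_offset_bytes(int index)
{
    return (long)index * (long)sizeof(struct itimerval);
}

int main(void)
{
    int idx = 0;
    int which = -1;            /* constructed sample argument */

    if (check_which_before(which, &idx) == 0)
        printf("before: which=%d accepted, write offset %ld bytes\n",
               which, write_offset_bytes(idx));
    if (check_which_after(which, &idx) == EINVAL)
        printf("after:  which=%d rejected with EINVAL\n", which);
    return 0;
}
```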
By RC () on
Their two big security benefits over modern systems were 1) a programming language that would not allow input without bounds, so there could not be unchecked input, and 2) a processor with a positive incrementing stack.
While 2 would have to be done by processor designers, perhaps #1 could be added to GCC? Modify it so that it does not allow input without an explicit boundary. Or perhaps have GCC automatically determine the length of a string, and modify the output to prevent over-sized input.