OpenBSD Journal

Patch 003: sysvsem

Contributed by jose on from the integer-overflows dept.

(Pasting from security-announce and Todd Miller's original message.) It is possible for root to raise the value of the seminfo.semmns and seminfo.semmsl sysctls to values sufficiently high such that an integer overflow occurs. This can allow root to write to kernel memory irrespective of the security level. The default security level on OpenBSD is 1 ("secure mode") which does not allow writing to /dev/mem and /dev/kmem. It may be possible for a root user to exploit this bug to reduce the security level itself.

The impact of this bug is quite low for most systems since it is only useful to an attacker who already has root on the local system with the expertise to modify the running kernel.

Thanks to blexim for finding this bug and notifying us.

The problem has been fixed in the OpenBSD 3.3-stable branch. In addition, a patch is available for OpenBSD 3.3: 003_sysvsem.patch

This bug affects OpenBSD 3.3 only.
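
The bug class the advisory describes, as an added example that is not part of the original post and is not OpenBSD's code: a byte count derived from an administrator-set limit wraps in 32-bit arithmetic, shown beside a checked computation and a bounded limit update. The record layout, `SEM_HARD_MAX` and all function names are hypothetical, and the idea that the limit sizes an array is an assumption, since the post does not say where the overflow occurs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-semaphore record (assumption, not OpenBSD's struct). */
struct sem_rec { unsigned short val; int pid; unsigned short ncnt, zcnt; };

/* Hypothetical, constructed ceiling enforced when the limit is changed. */
#define SEM_HARD_MAX 0xffff

/* Flawed pattern: byte count computed in 32 bits from an unvalidated
 * limit. Unsigned arithmetic wraps silently, so a huge count can yield
 * a tiny size, and later indexing by the count runs past the buffer. */
uint32_t sem_bytes_unchecked(uint32_t nsems)
{
    return nsems * (uint32_t)sizeof(struct sem_rec);
}

/* Hardened size computation: reject non-positive counts and any count
 * whose byte size is not representable. Returns 0 on success. */
int sem_bytes_checked(long nsems, size_t *out)
{
    if (nsems <= 0 || (unsigned long)nsems > SIZE_MAX / sizeof(struct sem_rec))
        return -1;
    *out = (size_t)nsems * sizeof(struct sem_rec);
    return 0;
}

/* Hardened limit update: validate where the value is set, before
 * anything is sized from it. The stored limit is untouched on failure. */
int sem_limit_set(int *limit, long newval)
{
    size_t bytes;
    if (newval < 1 || newval > SEM_HARD_MAX || sem_bytes_checked(newval, &bytes) != 0)
        return -1;
    *limit = (int)newval;
    return 0;
}

int main(void)
{
    /* Smallest count whose 32-bit byte size wraps past zero. */
    uint32_t big = UINT32_MAX / (uint32_t)sizeof(struct sem_rec) + 1;
    int limit = 60, rc;   /* constructed starting value */

    printf("unchecked: %u records -> %u bytes\n", (unsigned)big, (unsigned)sem_bytes_unchecked(big));
    rc = sem_limit_set(&limit, (long)big);
    printf("checked update rc=%d, limit still %d\n", rc, limit);
    return 0;
}
```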


  1. By Fredrik () on

    Does anyone know why the patch isn't added to the errata page?

    1. By Brad () brad at comstyle dot com on

      It was on the errata page before even being mentioned on O.J.

    2. By Anonymous Coward () on

      It is on the errata page, and a mail has been sent to security-announce. The patch wasn't on all mirrors yet when I patched my systems, but I think by now all mirrors will be up-to-date again.

      Maybe you're using an HTTP proxy (or your ISP is), that's still serving you an older version of the page.

      1. By Fredrik () on

        my fault :)

        A reload and there was the patch

