Contributed by jose on from the more-invalid-arguments dept.
For OpenBSD 3.3, Patch 013 addresses this issue.
UPDATE: Read on for the security-announce mail.
Date: Sat, 22 Nov 2003 15:36:16 -0700
From: Todd C. Miller
To: security-announce@OpenBSD.org
Subject: two localhost panics

Two localhost panics were recently fixed in the OpenBSD source tree. We do not believe these can be used to escalate privileges but they can be used to crash a machine given local access.

The first bug involves an unsigned integer wraparound in uvm_vslock() and uvm_vsunlock() that can be triggered by passing the sysctl() function certain arguments. Fixes have been committed to the 3.3 and 3.4 -stable cvs branches, and patches are also available at:

    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/007_uvm.patch
and
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/012_uvm.patch

The second bug was due to an incorrect bounds check in the semop() and semctl() functions that can be triggered by passing certain arguments to these functions when the kern.seminfo.semmni sysctl value is less than the value of kern.seminfo.semmsl (this is the case for the default settings). Fixes have been committed to the 3.3 and 3.4 -stable cvs branches, and patches are also available at:

    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/008_sem.patch
and
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/013_sem.patch

Alternately, a workaround is to set kern.seminfo.semmni equal to kern.seminfo.semmsl, e.g.

    sysctl -w kern.seminfo.semmni=`sysctl -n kern.seminfo.semmsl`
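
The class of the first bug, unsigned wraparound when a caller-supplied address and length are turned into a page-aligned range, shown as an added example that is not part of the announcement and is not OpenBSD's code or patch. The function names, the 4 KiB page size and the sample inputs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096ULL                 /* assumed page size */
#define EX_PAGE_MASK (EX_PAGE_SIZE - 1)

static uint64_t ex_trunc_page(uint64_t a) { return a & ~EX_PAGE_MASK; }
static uint64_t ex_round_page(uint64_t a) { return (a + EX_PAGE_MASK) & ~EX_PAGE_MASK; }

/* Unchecked form: both addr + len and the round-up can wrap past zero,
 * leaving end <= start for a caller that then walks [start, end). */
static void ex_range_unchecked(uint64_t addr, uint64_t len,
    uint64_t *start, uint64_t *end)
{
    *start = ex_trunc_page(addr);
    *end = ex_round_page(addr + len);
}

/* Checked form: reject before any arithmetic that could wrap.
 * Returns 0 and fills start/end, or -1 for an empty or wrapping range. */
static int ex_range_checked(uint64_t addr, uint64_t len,
    uint64_t *start, uint64_t *end)
{
    if (len == 0 || len > UINT64_MAX - addr)
        return -1;                           /* addr + len would wrap */
    if (addr + len > UINT64_MAX - EX_PAGE_MASK)
        return -1;                           /* rounding up would wrap */
    *start = ex_trunc_page(addr);
    *end = ex_round_page(addr + len);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal buffer, then two near the top of the address space. */
    const uint64_t in[][2] = {
        { 0x1234, 0x2000 }, { UINT64_MAX - 100, 200 }, { UINT64_MAX - 10, 5 },
    };
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        uint64_t s, e, cs = 0, ce = 0;
        ex_range_unchecked(in[i][0], in[i][1], &s, &e);
        int rc = ex_range_checked(in[i][0], in[i][1], &cs, &ce);
        printf("addr=%#llx len=%#llx unchecked=[%#llx,%#llx) checked rc=%d\n",
            (unsigned long long)in[i][0], (unsigned long long)in[i][1],
            (unsigned long long)s, (unsigned long long)e, rc);
    }
    return 0;
}
```

The third input shows that checking only addr + len is not enough: the sum does not wrap, but rounding it up to the next page boundary does.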