OpenBSD Journal

[Patch 010] Security: reference count overflow in shmat()

Contributed by jose on from the class-of-bugs dept.

CMF writes: "This was posted to Bugtraq earlier today. Please note that FreeBSD has already released a security errata for this issue:
Pine Digital Security Advisory

Advisory ID : PINE-CERT-20040201 (CAN-2004-0114)
Authors : Joost Pol
Vendor Informed : 2004-02-01
Issue date : 2004-02-05
Application : kernel / sysv shared memory
Platforms : FreeBSD, NetBSD and OpenBSD
Availability :


        While gathering material for a security training Pine
        Digital Security encountered a reference count overflow
        condition which could lead to privilege escalation.


        Vulnerable versions include:

        FreeBSD >= 2.2.0, NetBSD >= 1.3 and OpenBSD >= 2.6



        Local users can elevate their privileges.


        The shmat(2) function maps a shared memory segment, previously
        created with the shmget(2) function, into the address space of
        the calling process.

UPDATE: Patches are out for 3.4-stable and 3.3-stable .

Here is the mail from security-announce:

Date: Thu, 05 Feb 2004 16:35:48 -0700
From: Todd C. Miller

Subject: Reference counting bug in shmat(2)

A reference counting bug exists in the shmat(2) system call that
could be used by an attacker to write to kernel memory under certain

The bug, found by Joost Pol, could be used to gain elevated privileges
and has been successfully exploited under FreeBSD.

Patches for OpenBSD 3.4 and 3.3 respectively are also available:

The patch is already present in OpenBSD-current as well as in the
3.3 and 3.4 -stable branches.

For more information on the bug, see Joost Pol's description at:

(Comments are closed)

  1. By Anonymous Coward () on

    how do you patch?

    1. By Anonymous Coward () on

      oops nevermind

      Apply by doing:
      cd /usr/src
      patch -p0 <010_sysvshm.patch

      And then rebuild your kernel.

      1. By Anonymous Coward () on

        How do you rebuild the kernel?

        The FAQ says
        make obj && make depend && make

        but make obj fails.

        Just plain 'make' doesn't actually seem to build anything. The command prompt returns in a second or so with no feedback.

        1. By tedu () on

          faq says nothing about running make obj when building a kernel. read 5.4 again.

          1. By Anonymous Coward () on

            Thanks for the tip.

            I was looking at the patch faq, but that appears to be for apps, mostly.

    2. By Christian () on

      I have a extra disk in my notebook with openbsd on it. So i compile patches on them and copy the binary files via scp over to the "real" machines.
      If you need binary patches for OBSD 3.4/i386 have a look at my site.

      Cheers, Christian.

  2. By Jason Wong () on

    I have one server still running openbsd 3.2 and can't but upgraded for various reasons.

    Instead of:

    if (error)

    the sys/kern/sysv_shm.c file for 3.2 has:

    if (rv != KERN_SUCCESS) {
    return ENOMEM;

    Any suggestions? Unfortunately, I'm not a kernel hacker...

    1. By Colin Percival () on

      Looks like OpenBSD 3.2 is using the same code as FreeBSD at this point, so the same patch should work: Add the line
      just before "return ENOMEM;".


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]