FreeBSD Kernel buffer overflow
Matt Emmerton
matt at gsicomp.on.ca
Sat Sep 18 00:25:55 PDT 2004
----- Original Message -----
From: "Devon H. O'Dell" <dodell at sitetronics.com>
To: "Matt Emmerton" <matt at gsicomp.on.ca>; "Mike Meyer" <mwm at mired.org>
Cc: <viro at parcelfarce.linux.theplanet.co.uk>; <gerarra at tin.it>;
<freebsd-hackers at freebsd.org>
Sent: Saturday, September 18, 2004 4:01 AM
Subject: Re: FreeBSD Kernel buffer overflow
> --------- Original Message --------
> From: Matt Emmerton <matt at gsicomp.on.ca>
> To: Mike Meyer <mwm at mired.org>
> Cc: viro at parcelfarce.linux.theplanet.co.uk, gerarra at tin.it,
> freebsd-hackers at freebsd.org
> Subject: Re: FreeBSD Kernel buffer overflow
> Date: 18/09/04 05:41
>
> >
> >
> > ----- Original Message -----
> > From: "Mike Meyer" <mwm at mired.org>
> > To: "Matt Emmerton" <matt at gsicomp.on.ca>
> > Cc: <viro at parcelfarce.linux.theplanet.co.uk>; "Avleen
Vig"
> > <lists-freebsd at silverwraith.com>;
> <freebsd-hackers at freebsd.org>;
> > <gerarra at tin.it>
> > Sent: Saturday, September 18, 2004 1:22 AM
> > Subject: Re: FreeBSD Kernel buffer overflow
> >
> >
> > > In <001801c49d38$1c8cb790$1200a8c0 at gsicomp.on.ca>, Matt
> Emmerton
> > <matt at gsicomp.on.ca> typed:
> > > > I disagree. It really comes down to how secure you want
FreeBSD
> to be,
> > and
> > > > the attitude of "we don't need to protect against this
case
> because
> > anyone
> > > > who does this is asking for trouble anyway" is one of the
> main reason
> > why
> > > > security holes exist in products today. (Someone else had
> brought this
> > up
> > > > much earlier on in the thread.)
> > >
> > > You haven't been paying close enough attention to the discussion.
To
> > > exploit this "security problem" you have to be root. If
> it's an
> > > external attacker, you're already owned.
> >
> > I'm well aware of that fact. That's still not a reason to protect
against
> > the problem.
> >
> > If your leaky bucket has 10 holes in it, would you at least try and plug
> > some of them?
> >
> > --
> > Matt Emmerton
>
> So should we stop the command ``shutdown -h now'' from working for root?
> After all, he can DoS the system with it?
>
> How about this: let's disallow root from loading kernel modules! That way
> this can't ever happen.
>
> Even better: Why don't we just not boot into a usable environment! Then we
> have NO security holes.
>
> You guys are failing to see: ROOT HAS OMNIPOTENT POWER. SOMEBODY MUST HAVE
> OMNIPOTENT POWER. THIS IS NOT A BUG. THERE IS NOTHING TO SEE HERE, MOVE
ON.
>
> Not to be sarcastic, but you guys are missing the problem. The problem was
> that someone was unaware of a kernel API. When you start programming for
the
> kernel, you need to make sure that the code is secure. If you think this
is
> a problem, take a look at init(8) and learn about securelevels.
>
> What happened: someone was unfamiliar with the syscall API. They crashed
> their system. They screamed wildly, believing they'd found a buffer
> overflow, when they'd merely overloaded the function stack and screwed up
> the call. This caused the system to reboot. Solution: make it more clear
> that syscalls take only 8 arguments. Make it clear that you can pass
> arguments in a struct to a syscall. Make it clear that many/most syscalls
do
> this anyway. If there's beef on this, take it to doc at .
Mike and I discussed this offline. Can someone just step up to work on and
commit the KASSERT code which handles the problem and end the thread?
The only reason I piped up was because nothing had been done yet, and
suggested two alternate ways of hardening the system that could be
enabled/disabled by the system administrator, instead of being always
enabled (like a KASSERT, which always incurs a run-time check and thus could
hurt performance.)
--
Matt Emmerton
More information about the freebsd-hackers
mailing list