From owner-freebsd-security Mon Dec 10 17:10: 9 2001
Date: Mon, 10 Dec 2001 20:09:33 -0500 (EST)
From: "Andrew R. Reiter" (envelope-from arr@FreeBSD.org)
To: Alfred Perlstein
Cc: Mike Tancsa, security@FreeBSD.org, alc@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: AIO vulnerability (from bugtraq)
In-Reply-To: <20011210130803.B92148@elvis.mu.org>

Since kkenn is gone for a period of time, should anyone on security-officer
respond publicly? Or has this already been done and I'm behind email..

On Mon, 10 Dec 2001, Alfred Perlstein wrote:

:* Mike Tancsa [011210 12:25] wrote:
:>
:> For those not on bugtraq,
:
:Yah, this needs to be fixed, do note that AIO is not enabled by
:default in FreeBSD and the warning is pretty clear.
:
:Alan, can you take a look at this? I'd really like to get AIO
:enabled by default one of these days. :)
:
:>
:> ---Mike
:>
:> ------------------------------------------------------------------------------
:> Soniq Security Advisory
:> David Rufino Dec 9, 2001
:>
:> Race Condition in FreeBSD AIO implementation
:> http://elysium.soniq.net/dr/tao/tao.html
:> ------------------------------------------------------------------------------
:>
:> RISK FACTOR: LOW
:>
:> SYNOPSIS
:>
:> AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
:> scheduled AIO operations persist after an execve, allowing arbitrary
:> overwrites in the memory of the new process. Combined with the permission
:> to execute suid binaries, this can yield elevated privileges.
:> Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
:> however comments in ``LINT'' suggest security issues have been known about
:> privately for some time:
:>
:> # Use real implementations of the aio_* system calls. There are numerous
:> # stability issues in the current aio code that make it unsuitable for
:> # inclusion on shell boxes.
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:

--
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org
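The thread's only mitigation is that AIO is off unless VFS_AIO is compiled into the kernel or the AIO module is loaded. As an added example that is not part of the thread or of FreeBSD itself, the following POSIX shell audit reports which of those states a host is in; the function names (aio_status and helpers) are hypothetical, the inputs are constructed samples, and it assumes the module appears in kldstat output as aio.ko.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the AIO subsystem is
# exposed on a FreeBSD host, either compiled in ("options VFS_AIO" in the
# kernel config) or loaded as a module (aio.ko listed by kldstat).
# Inputs are plain text files so the check can run offline on constructed data.

# aio_in_kernel_config CONFIG_FILE
# Returns 0 only for an active (uncommented) "options VFS_AIO" line.
aio_in_kernel_config() {
    grep -Eq '^[[:space:]]*options[[:space:]]+VFS_AIO([[:space:]]|$)' "$1"
}

# aio_module_loaded KLDSTAT_OUTPUT_FILE
# Returns 0 if any line names aio.ko (kldstat prints one module per line).
aio_module_loaded() {
    grep -Eq '(^|[[:space:]])aio\.ko([[:space:]]|$)' "$1"
}

# aio_status CONFIG_FILE KLDSTAT_OUTPUT_FILE
# Prints one of: compiled-in | module | disabled
aio_status() {
    if aio_in_kernel_config "$1"; then
        echo compiled-in
    elif aio_module_loaded "$2"; then
        echo module
    else
        echo disabled
    fi
}

# Constructed sample inputs (not real system output).
cfg=$(mktemp); kld=$(mktemp)
cat > "$cfg" <<'EOF'
ident           GENERIC
#options        VFS_AIO         # commented out: AIO stays disabled
options         INET
EOF
cat > "$kld" <<'EOF'
Id Refs Address    Size     Name
 1    3 0xc0100000 2f1b34   kernel
 2    1 0xc0f3a000 9000     linprocfs.ko
EOF

aio_status "$cfg" "$kld"   # prints: disabled
```

On a live host the same functions take the real kernel config and the output of `kldstat` saved to a file.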