Date:      Mon, 10 Dec 2001 13:23:19 -0600
From:      "Alan L. Cox" <alc@imimic.com>
To:        Alfred Perlstein <bright@mu.org>
Cc:        Mike Tancsa <mike@sentex.net>, security@freebsd.org, alc@freebsd.org
Subject:   Re: AIO vulnerability (from bugtraq)
Message-ID:  <3C150BA7.9D5EC72E@imimic.com>
References:  <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca> <20011210130803.B92148@elvis.mu.org>

Will do.  You might also send it to tegge.

Alfred Perlstein wrote:
> 
> * Mike Tancsa <mike@sentex.net> [011210 12:25] wrote:
> >
> > For those not on bugtraq,
> 
> Yah, this needs to be fixed, do note that AIO is not enabled by
> default in FreeBSD and the warning is pretty clear.
> 
> Alan, can you take a look at this?  I'd really like to get AIO
> enabled by default one of these days. :)
> 
> >
> >       ---Mike
> >
> > ------------------------------------------------------------------------------
> > Soniq Security Advisory
> > David Rufino <dr@soniq.net> Dec 9, 2001
> >
> > Race Condition in FreeBSD AIO implementation
> > http://elysium.soniq.net/dr/tao/tao.html
> > ------------------------------------------------------------------------------
> >
> > RISK FACTOR: LOW
> >
> > SYNOPSIS
> >
> > AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
> > scheduled AIO operations persist after an execve, allowing arbitrary
> > overwrites in the memory of the new process. Combined with the permission
> > to execute suid binaries, this can yield elevated privileges.
> > Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
> > however comments in ``LINT'' suggest security issues have been known about
> > privately for some time:
> >
> > # Use real implementations of the aio_* system calls.  There are numerous
> > # stability issues in the current aio code that make it unsuitable for
> > # inclusion on shell boxes.
