Date:      Fri, 7 May 1999 17:21:24 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Kevin Day <toasty@HOME.DRAGONDATA.COM>, BUGTRAQ@netspace.org
Cc:        security@freebsd.org
Subject:   Re: KKIS.05051999.003b
Message-ID:  <199905080021.RAA16889@salsa.gv.tsc.tdk.com>
In-Reply-To: Kevin Day <toasty@HOME.DRAGONDATA.COM> "Re: KKIS.05051999.003b" (May  6,  2:10pm)

On May 6,  2:10pm, Kevin Day wrote:
} Subject: Re: KKIS.05051999.003b
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} >  Report title        : Security problem with sockets in FreeBSD's
} >                        implementation of UNIX-domain protocol family.
} >  Problem found by    : Lukasz Luzar (lluzar@security.kki.pl)
} >  Report created by   : Robert Pajak (shadow@security.kki.pl)
} >                        Lukasz Luzar (lluzar@security.kki.pl)
} >  Report published    : 5th May 1999
} >  Report code         : KKIS.05051999.003.b
} >  Systems affected    : FreeBSD-3.0 and maybe 3.1,
} >  Archive             : http://www.security.kki.pl/advisories/
} >  Risk level          : high
} >
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} >   As you know, "The UNIX-domain protocol family is a collection of protocols
} >  that provides local interprocess communication through the normal socket
} >  mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
} >  filesystem pathnames for addressing."
} >  The SOCK_STREAM sockets also support the communication of UNIX file
} >  descriptors through the use of functions sendmsg() and recvmsg().
} >   While testing UNIX-domain protocols, we have found a probable bug in
} >  FreeBSD's implementation of this mechanism.
} >   When we ran the attached example on FreeBSD-3.0 as a local user, the
} >  system crashed immediately with the error "Supervisor read, page not
} >  present" in kernel mode.
} >
} 
} Here's my testing so far:
} 
} 2.2.2 - Vulnerable
} 2.2.6 - Vulnerable
} 2.2.8 - Vulnerable
} 3.1-RELEASE - Ran 15 minutes, no crash.

I'd be willing to bet that 3.0-RELEASE is also vulnerable.  I believe
Matt Dillon fixed this earlier this year in revisions 1.38/1.39 (-CURRENT
branch January 21, 1999) and 1.37.2.1 (RELENG_3 branch February 15, 1999) of
sys/kern/uipc-usrreq.c.  The RELENG_3 branch fix was committed just before
3.1-RELEASE.

