Date:      Mon, 10 May 1999 12:01:06 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Nate Williams <nate@mt.sri.com>, Don Lewis <truckman@FreeBSD.org>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/kern uipc_usrreq.c
Message-ID:  <199905101901.MAA24520@salsa.gv.tsc.tdk.com>
In-Reply-To: Nate Williams <nate@mt.sri.com> "Re: cvs commit: src/sys/kern uipc_usrreq.c" (May 10, 12:41pm)

On May 10, 12:41pm, Nate Williams wrote:
} Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c
} > truckman    1999/05/10 11:36:37 PDT
} > 
} >   Modified files:        (Branch: RELENG_3)
} >     sys/kern             uipc_usrreq.c 
} >   Log:
} >   MFC: Fix descriptor leak provoked by KKIS.05051999.003b exploit code.
} 
} David G. backed out the code that caused the leak, so will this do bad
} things now?  Should the 'security fix' be brought back in?

I'm pretty sure that's a different leak.  The KKIS (unintentionally I
think) exploits a bug in the code that implements the passing of
descriptors across Unix domain datagram sockets.  If there is a failure in
the middle of the operation, there is an extra reference to the descriptor
which is being passed that gets orphaned.  The reason I think this exploit
is unintentional in FreeBSD >= 3.1 is that it exploits another bug in
older versions of FreeBSD that pretty quickly provokes a panic.  The
descriptor leak takes longer to DoS the machine.

BTW, should someone prepare a patch for both bugs in 2.2.X?

I haven't observed the other leak.  It looks like a problem with stream
sockets.

