From: Don Lewis
Message-Id: <199905101901.MAA24520@salsa.gv.tsc.tdk.com>
Date: Mon, 10 May 1999 12:01:06 -0700
In-Reply-To: Nate Williams "Re: cvs commit: src/sys/kern uipc_usrreq.c" (May 10, 12:41pm)
To: Nate Williams, Don Lewis
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c

On May 10, 12:41pm, Nate Williams wrote:
} Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c
} > truckman     1999/05/10 11:36:37 PDT
} >
} >   Modified files:    (Branch: RELENG_3)
} >     sys/kern         uipc_usrreq.c
} >   Log:
} >   MFC: Fix descriptor leak provoked by KKIS.05051999.003b exploit code.
}
} David G. backed out the code that caused the leak, so will this do bad
} things now?  Should the 'security fix' be brought back in?

I'm pretty sure that's a different leak.  The KKIS (unintentionally I
think) exploits a bug in the code that implements the passing of
descriptors across Unix domain datagram sockets.  If there is a failure
in the middle of the operation, there is an extra reference to the
descriptor which is being passed that gets orphaned.

The reason I think this exploit is unintentional in FreeBSD >= 3.1 is
that it exploits another bug in older versions of FreeBSD that pretty
quickly provokes a panic.  The descriptor leak takes longer to DoS the
machine.

BTW, should someone prepare a patch for both bugs in 2.2.X?

I haven't observed the other leak.  It looks like a problem with stream
sockets.
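An added example, not code from this thread or from the FreeBSD tree: a C program that performs the operation the bug above lives in, passing a descriptor across a Unix domain datagram socket with SCM_RIGHTS, and then checks that the process descriptor table returns to its baseline once every descriptor involved is closed. This catches only userland leaks (a received descriptor that is never closed); the kernel-side orphaned reference the mail describes is invisible to this check and shows up only in kernel accounting such as FreeBSD's kern.openfiles sysctl. Assumed: /dev/null is openable and the process uses only descriptors below 1024.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

union cbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };  /* aligned room for one fd */
/* Count descriptors open in this process by probing the low slots (portable). */
static int open_fd_count(void) {
    int n = 0;
    for (int fd = 0; fd < 1024; fd++) n += fcntl(fd, F_GETFD) != -1;
    return n;
}
/* Describe a 1-byte payload plus a zeroed ancillary buffer in a msghdr. */
static void init_msg(struct msghdr *m, struct iovec *iov, char *byte, union cbuf *u) {
    memset(m, 0, sizeof *m);  memset(u, 0, sizeof *u);
    iov->iov_base = byte;     iov->iov_len = 1;
    m->msg_iov = iov;         m->msg_iovlen = 1;
    m->msg_control = u->buf;  m->msg_controllen = sizeof u->buf;
}
/* Send one descriptor as SCM_RIGHTS ancillary data over a Unix domain socket. */
static int send_fd(int sock, int fd_to_pass) {
    char byte = 'x'; union cbuf u; struct iovec iov; struct msghdr msg;
    init_msg(&msg, &iov, &byte, &u);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_pass, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor; returns the new fd in this process, or -1. */
static int recv_fd(int sock) {
    char byte; union cbuf u; struct iovec iov; struct msghdr msg; int fd;
    init_msg(&msg, &iov, &byte, &u);
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Pass one descriptor over a SOCK_DGRAM socketpair, close everything involved,
 * and return how many descriptors remain above the baseline (0 = no leak, -1 = failed). */
int fd_pass_leak_check(void) {
    int sp[2], fd, got, before = open_fd_count();
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) == -1) return -1;
    if ((fd = open("/dev/null", O_RDONLY)) == -1) return -1;
    if (send_fd(sp[0], fd) == -1 || (got = recv_fd(sp[1])) == -1) return -1;
    close(got); close(fd); close(sp[0]); close(sp[1]);
    return open_fd_count() - before;
}
```

Dropping the `close(got)` line is the userland analogue of the orphaned reference: the check then returns 1 for every descriptor passed.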