3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
168 lines
5.6 KiB
Text
168 lines
5.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-97:05 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: security compromise via open()
|
|
|
|
Category: core
|
|
Module: kern
|
|
Announced: 1997-10-29
|
|
Affects: FreeBSD 2.1.*, FreeBSD 2.2.*,
|
|
FreeBSD-stable and FreeBSD-current
|
|
Corrected: FreeBSD-current as of 1997/10/23 (partly even on 1997/04/14)
|
|
FreeBSD-stable as of 1997/10/24
|
|
FreeBSD 2.1-stable as of 1997/10/29
|
|
FreeBSD only: yes
|
|
|
|
Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:05/
|
|
|
|
=============================================================================
|
|
|
|
I. Background
|
|
|
|
In FreeBSD, the open() system call is used in normal file operations.
|
|
When calling open(), the caller should specify if the file is
|
|
to be opened for reading, for writing or for both.
|
|
The right to reading from and/or writing to a file is controlled
|
|
by the file's mode bits in the filesystem.
|
|
In FreeBSD, open() is also used to obtain the right to do
|
|
privileged io instructions.
|
|
|
|
|
|
II. Problem Description
|
|
|
|
A problem exists in the open() syscall that allows processes
|
|
to obtain a valid file descriptor without having read or write
|
|
permissions on the file being opened. This is normally not a
|
|
problem. The FreeBSD way of obtaining the right to do io
|
|
instructions however, is based on the right to open a specific
|
|
file (/dev/io).
|
|
|
|
III. Impact
|
|
|
|
The problem can be used by any user on the system to do unauthorised
|
|
io instructions.
|
|
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Apply the following patches. The first one in /usr/src/sys/kern,
|
|
and the second one in /usr/src/sys/i386/i386,
|
|
Rebuild your kernel, install it and reboot your system.
|
|
|
|
patch 1:
|
|
For FreeBSD-current before 1997/10/23:
|
|
|
|
Index: vfs_syscalls.c
|
|
===================================================================
|
|
RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
|
|
retrieving revision 1.76
|
|
retrieving revision 1.77
|
|
diff -u -r1.76 -r1.77
|
|
--- vfs_syscalls.c 1997/10/12 20:24:27 1.76
|
|
+++ vfs_syscalls.c 1997/10/22 07:28:51 1.77
|
|
@@ -863,11 +863,13 @@
|
|
struct flock lf;
|
|
struct nameidata nd;
|
|
|
|
+ flags = FFLAGS(SCARG(uap, flags));
|
|
+ if ((flags & FREAD + FWRITE) == 0)
|
|
+ return (EINVAL);
|
|
error = falloc(p, &nfp, &indx);
|
|
if (error)
|
|
return (error);
|
|
fp = nfp;
|
|
- flags = FFLAGS(SCARG(uap, flags));
|
|
cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
|
|
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
|
|
p->p_dupfd = -indx - 1; /* XXX check for fdopen */
|
|
|
|
|
|
For FreeBSD 2.1.* and 2.2.*:
|
|
|
|
Index: vfs_syscalls.c
|
|
===================================================================
|
|
RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
|
|
retrieving revision 1.51.2.5
|
|
diff -u -r1.51.2.5 vfs_syscalls.c
|
|
--- vfs_syscalls.c 1997/10/01 06:23:48 1.51.2.5
|
|
+++ vfs_syscalls.c 1997/10/28 22:04:43
|
|
@@ -688,11 +688,13 @@
|
|
struct flock lf;
|
|
struct nameidata nd;
|
|
|
|
+ flags = FFLAGS(uap->flags);
|
|
+ if ((flags & FREAD + FWRITE) == 0)
|
|
+ return (EINVAL);
|
|
error = falloc(p, &nfp, &indx);
|
|
if (error)
|
|
return (error);
|
|
fp = nfp;
|
|
- flags = FFLAGS(uap->flags);
|
|
cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
|
|
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p);
|
|
p->p_dupfd = -indx - 1; /* XXX check for fdopen */
|
|
|
|
patch 2:
|
|
For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before 1997/04/14:
|
|
|
|
Index: mem.c
|
|
===================================================================
|
|
RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v
|
|
retrieving revision 1.38
|
|
retrieving revision 1.38.2.1
|
|
diff -u -r1.38 -r1.38.2.1
|
|
--- mem.c 1996/09/27 13:25:06 1.38
|
|
+++ mem.c 1997/10/23 22:14:24 1.38.2.1
|
|
@@ -169,6 +169,7 @@
|
|
int fmt;
|
|
struct proc *p;
|
|
{
|
|
+ int error;
|
|
struct trapframe *fp;
|
|
|
|
switch (minor(dev)) {
|
|
@@ -179,6 +180,11 @@
|
|
return ENODEV;
|
|
#endif
|
|
case 14:
|
|
+ error = suser(p->p_ucred, &p->p_acflag);
|
|
+ if (error != 0)
|
|
+ return (error);
|
|
+ if (securelevel > 0)
|
|
+ return (EPERM);
|
|
fp = (struct trapframe *)curproc->p_md.md_regs;
|
|
fp->tf_eflags |= PSL_IOPL;
|
|
break;
|
|
|
|
=============================================================================
|
|
FreeBSD, Inc.
|
|
|
|
Web Site: http://www.freebsd.org/
|
|
Confidential contacts: security-officer@freebsd.org
|
|
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
|
|
Security notifications: security-notifications@freebsd.org
|
|
Security public discussion: security@freebsd.org
|
|
|
|
Notice: Any patches in this document may not apply cleanly due to
|
|
modifications caused by digital signature or mailer software.
|
|
Please reference the URL listed at the top of this document
|
|
for original copies of all patches if necessary.
|
|
=============================================================================
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBNFeHI1UuHi5z0oilAQEtvAQAgMrMQvRpBOiV1nWzPzDSsnQOz4bBppcT
|
|
SMEssoeRrr0cQQACZ4su3vlb71XJzgXi3bakEvvZgsMSSKb3sNxEl0RHR93cDNlE
|
|
L9x3sDjbY7l1q2W4BldTly7W4WDjnJt5KEVbi7DKhXb+SuxgaSN0lsow5Cgd54jX
|
|
skpX4qluhBM=
|
|
=47P3
|
|
-----END PGP SIGNATURE-----
|