Question - how is upgrade to current a fix for this. Did you research
3.3 --stable et al ?
Jason Houx
On Wed, 10 Sep 2003, blexim wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Local security bug in OpenBSD semaphore handling
>
> Product: OpenBSD kernel (3.3-release, -current before 10/09/2003)
> Impact: Root may bypass securelevel
> Bug class: Integer overflow
> Vendor notified: Yes
> Fix available: Yes
>
> Details:
> An integer overflow condition exists in the OpenBSD 3.3-release kernel
> and all previous versions. It is possible for root to write to semi-
> arbitrary kernel memory irrespective of securelevel(7). This potentially
> bypasses securelevel as root may modify the running kernel, introducing
> kernel level backdoors etc. The mechanism used to achieve this is an
> integer overflow in the semget(2) syscall, described below:
>
> sys_semget() allocates a buffer here:
>
> src/sys/kern/sysv_sem.c:
> sys_semget():
> semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
> M_SEM, M_WAITOK);
>
>
> provided the following checks are passed:
>
> src/sys/kern/sysv_sem.c:
> sys_semget():
> if (nsems <= 0 || nsems > seminfo.semmsl) {
> DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
> seminfo.semmsl));
> return (EINVAL);
> }
> if (nsems > seminfo.semmns - semtot) {
> DPRINTF(("not enough semaphores left (need %d, got %d)\n",
> nsems, seminfo.semmns - semtot));
> return (ENOSPC);
> }
>
> If these checks are passed and the buffer is successfully allocated,
>
> the nsems (number of semaphores) value associated with the semaphore
>
> set is set here:
>
> src/sys/kern/sysv_sem.c:
> sys___semctl():
> semaptr_new->sem_nsems = nsems;
>
> Please also note that an int is being assigned to a short here, which
>
> is a potential source of another bug. Since root is able to raise the
>
> values of seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl,
> it is possible to mis-size the malloc'd buffer, allowing memory to be
> read and written via the semctl(2) syscall.
>
> Exploit:
> This condition may be reproduced using the attached programs, allowing
> root to inspect and modify kernel memory.
>
> Workaround:
> None, don't trust securelevel(7) to protect your kernel.
>
> Fix:
> Upgrade to -current or apply the following patch:
>
> ===================================================================
> RCS file: /usr/OpenBSD/cvs/src/sys/kern/sysv_sem.c,v
> retrieving revision 1.20
> retrieving revision 1.21
> diff -u -r1.20 -r1.21
> - --- src/sys/kern/sysv_sem.c 2003/08/20 18:02:20 1.20
> +++ src/sys/kern/sysv_sem.c 2003/09/09 18:57:36 1.21
> @@ -1,4 +1,4 @@
> - -/* $OpenBSD: sysv_sem.c,v 1.20 2003/08/20 18:02:20 millert Exp $ */
> +/* $OpenBSD: sysv_sem.c,v 1.21 2003/09/09 18:57:36 tedu Exp $ */
> /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */
>
> /*
> @@ -884,7 +884,7 @@
> if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
> val == seminfo.semmns)
> return (error);
> - - if (val < seminfo.semmns)
> + if (val < seminfo.semmns || val > 0xffff)
> return (EINVAL); /* can't decrease semmns */
> seminfo.semmns = val;
> return (0);
> @@ -902,7 +902,7 @@
> if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
> val == seminfo.semmsl)
> return (error);
> - - if (val < seminfo.semmsl)
> + if (val < seminfo.semmsl || val > 0xffff)
> return (EINVAL); /* can't decrease semmsl */
> seminfo.semmsl = val;
> return (0);
>
>
> Discovered by:
> blexim@hush.com of isen
>
> Thanks go to the OpenBSD team for an extremely fast response and fix.
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.3
>
> wkYEARECAAYFAj9fLIMACgkQsE7ilXLZoGZ1uQCfZGsR74VHR4VUar9xeoZ/gwUj5CcA
> oKpLdVg3FZaPnTNPhKH2qMx+UvYe
> =5Lmq
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
>
> Free, ultra-private instant messaging with Hush Messenger
> https://www.hushmail.com/services.php?subloc=messenger&l=434
>
> Promote security and make money with the Hushmail Affiliate Program:
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
>
