Re: netbsd vulnerabilities

From: Andrew R. Reiter (
Date: 09/08/01

Date: Sat, 8 Sep 2001 06:43:49 -0400 (EDT)
From: "Andrew R. Reiter" <>
To: Kris Kennaway <>


The attached code fixes the semop bug which is specified in the recent
NetBSD security announcement. I'm not positive about hte naming scheme
wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
it u_int b/c i saw in sysproto.h that there seemed to be more u_int's
instead of size_t's :-) Great logic.

Btw, this was written for:
FreeBSD aitutaki 4.4-RC FreeBSD 4.4-RC #4: Sat Sep 8 00:38:48 PDT 2001
root@aitutaki:/usr/obj/usr/src/sys/GENERIC i386

Anyway, in terms of there being an exploit or not... From what we (eugene
t. and myself) did, basically we can cause the machine to panic and that's
about it. Seem to lose control over what occurs b/c we cause copyin to
copy 2gigs (iirc) of junk to kernel space... Guh.

Also, if you want to do a different patch than what was simply done in
what is attached, just keep in mind that nsops should be unsigned 32-bits.


| Andrew R. Reiter
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

--- kern/sysv_sem.c.orig Sat Sep 8 03:11:21 2001
+++ kern/sysv_sem.c Sat Sep 8 03:20:23 2001
@@ -672,7 +672,7 @@
 struct semop_args {
         int semid;
         struct sembuf *sops;
- int nsops;
+ u_int nsops;
@@ -682,17 +682,18 @@
         register struct semop_args *uap;
         int semid = uap->semid;
- int nsops = uap->nsops;
+ u_int nsops = uap->nsops;
         struct sembuf sops[MAX_SOPS];
         register struct semid_ds *semaptr;
         register struct sembuf *sopptr;
         register struct sem *semptr;
         struct sem_undo *suptr = NULL;
- int i, j, eval;
+ u_int i, j;
+ int eval;
         int do_wakeup, do_undos;
 #ifdef SEM_DEBUG
- printf("call to semop(%d, 0x%x, %d)\n", semid, sops, nsops);
+ printf("call to semop(%d, 0x%x, %u)\n", semid, sops, nsops);
         if (!jail_sysvipc_allowed && p->p_prison != NULL)
@@ -718,14 +719,14 @@
         if (nsops > MAX_SOPS) {
 #ifdef SEM_DEBUG
- printf("too many sops (max=%d, nsops=%d)\n", MAX_SOPS, nsops);
+ printf("too many sops (max=%d, nsops=%u)\n", MAX_SOPS, nsops);
         if ((eval = copyin(uap->sops, &sops, nsops * sizeof(sops[0]))) != 0) {
 #ifdef SEM_DEBUG
- printf("eval = %d from copyin(%08x, %08x, %d)\n", eval,
+ printf("eval = %d from copyin(%08x, %08x, %u)\n", eval,
                     uap->sops, &sops, nsops * sizeof(sops[0]));
--- sys/sem.h.orig Sat Sep 8 03:21:08 2001
+++ sys/sem.h Sat Sep 8 03:21:27 2001
@@ -101,7 +101,7 @@
 int semsys __P((int, ...));
 int semctl __P((int, int, int, ...));
 int semget __P((key_t, int, int));
-int semop __P((int, struct sembuf *,unsigned));
+int semop __P((int, struct sembuf *, u_int));
 #endif /* !_KERNEL */

To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message