race in i386_set_ldt(2)
From: David Schultz (dschultz@uclink.Berkeley.EDU)
Date: 09/17/02
Date: Tue, 17 Sep 2002 06:59:34 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: security@FreeBSD.ORG

There seems to be a nasty exploitable race in i386_set_ldt(2), as
David Xu pointed out some months ago in i386/38021. As this is a
vulnerability when the kernel is compiled with the USER_LDT
option, I thought I'd do my part to try to convince someone to
commit a fix. Although David's patch has a few nits in it, his
basic approach of copying the descriptors into a temporary kernel
buffer is necessary if i386_set_ldt() is to be both safe and
transactional.
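
The message argues that copying the descriptors into a temporary kernel buffer is what makes the call both safe and transactional. The following userland model is an added example, not code from the original post, from the patch in i386/38021, or from FreeBSD. The descriptor layout, the table, the validity rule and all function names are hypothetical, `memcpy` stands in for a kernel `copyin`, and a callback simulates another thread changing the caller's buffer between the check and the use.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for a descriptor (hypothetical layout, not the i386 one). */
struct desc { uint32_t base, limit; uint8_t dpl; };
#define NLDT 8
static struct desc ldt[NLDT];              /* models the kernel-owned table */
typedef void (*writer_fn)(struct desc *, size_t);
static int desc_ok(const struct desc *d) { return d->dpl == 3; }  /* assumed rule */
/* Models another thread rewriting the caller's buffer after the check. */
static void concurrent_writer(struct desc *u, size_t n)
{ for (size_t i = 0; i < n; i++) u[i].dpl = 0; }

/* Racy shape: validate user memory in place, then read it a second time. */
int set_ldt_in_place(struct desc *user, size_t start, size_t n, writer_fn w)
{
    if (n == 0 || start > NLDT || n > NLDT - start) return -1;
    for (size_t i = 0; i < n; i++)
        if (!desc_ok(&user[i])) return -1;       /* fetch 1: check */
    if (w) w(user, n);                           /* window between check and use */
    memcpy(&ldt[start], user, n * sizeof *user); /* fetch 2: use */
    return 0;
}

/* Safe shape: one copy into a private buffer, validate it, commit all or nothing. */
int set_ldt_snapshot(struct desc *user, size_t start, size_t n, writer_fn w)
{
    if (n == 0 || start > NLDT || n > NLDT - start) return -1;
    struct desc *tmp = malloc(n * sizeof *tmp);
    if (tmp == NULL) return -1;
    memcpy(tmp, user, n * sizeof *tmp);          /* the only read of user memory */
    if (w) w(user, n);                           /* later writes cannot affect tmp */
    for (size_t i = 0; i < n; i++)
        if (!desc_ok(&tmp[i])) { free(tmp); return -1; } /* table untouched */
    memcpy(&ldt[start], tmp, n * sizeof *tmp);
    free(tmp);
    return 0;
}

/* Runs one variant on constructed input; returns how many table entries fail desc_ok. */
int bad_entries_after(int use_snapshot)
{
    struct desc user[2] = { {0, 0xfff, 3}, {0x1000, 0xfff, 3} }; /* constructed sample */
    for (size_t i = 0; i < NLDT; i++) ldt[i] = (struct desc){0, 0, 3};
    (use_snapshot ? set_ldt_snapshot : set_ldt_in_place)(user, 0, 2, concurrent_writer);
    int bad = 0;
    for (size_t i = 0; i < NLDT; i++) bad += !desc_ok(&ldt[i]);
    return bad;
}
```

In the in-place variant the entries that end up in the table are not the ones that were checked. In the snapshot variant the checked bytes and the installed bytes are the same private copy, and a rejected entry leaves the table unmodified.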