Integer overflow in OpenBSD kernel

From: blexim (blexim_at_hush.com)
Date: 09/10/03

  • Next message: blexim: "Re: Integer overflow in OpenBSD kernel"
    Date: Wed, 10 Sep 2003 06:56:08 -0700
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Local security bug in OpenBSD semaphore handling

    Product: OpenBSD kernel (3.3-release, -current before 10/09/2003)
    Impact: Root may bypass securelevel
    Bug class: Integer overflow
    Vendor notified: Yes
    Fix available: Yes

    Details:
    An integer overflow condition exists in the OpenBSD 3.3-release kernel
    and all previous versions. It is possible for root to write to semi-
    arbitrary kernel memory irrespective of securelevel(7). This potentially
    bypasses securelevel as root may modify the running kernel, introducing
    kernel level backdoors etc. The mechanism used to achieve this is an
    integer overflow in the semget(2) syscall, described below:

    sys_semget() allocates a buffer here:

    src/sys/kern/sysv_sem.c:
    sys_semget():
      semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
          M_SEM, M_WAITOK);

    provided the following checks are passed:

    src/sys/kern/sysv_sem.c:
    sys_semget():
      if (nsems <= 0 || nsems > seminfo.semmsl) {
          DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
            seminfo.semmsl));
          return (EINVAL);
      }
      if (nsems > seminfo.semmns - semtot) {
          DPRINTF(("not enough semaphores left (need %d, got %d)\n",
            nsems, seminfo.semmns - semtot));
          return (ENOSPC);
      }

    If these checks are passed and the buffer is successfully allocated,

    the nsems (number of semaphores) value associated with the semaphore

    set is set here:

    src/sys/kern/sysv_sem.c:
    sys___semctl():
      semaptr_new->sem_nsems = nsems;

    Please also note that an int is being assigned to a short here, which

    is a potential source of another bug. Since root is able to raise the

    values of seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl,
     it is possible to mis-size the malloc'd buffer, allowing memory to be
    read and written via the semctl(2) syscall.

    Exploit:
    This condition may be reproduced using the attached programs, allowing
    root to inspect and modify kernel memory.

    Workaround:
    None, don't trust securelevel(7) to protect your kernel.

    Fix:
    Upgrade to -current or apply the following patch:

    ===================================================================
    RCS file: /usr/OpenBSD/cvs/src/sys/kern/sysv_sem.c,v
    retrieving revision 1.20
    retrieving revision 1.21
    diff -u -r1.20 -r1.21
    - --- src/sys/kern/sysv_sem.c 2003/08/20 18:02:20 1.20
    +++ src/sys/kern/sysv_sem.c 2003/09/09 18:57:36 1.21
    @@ -1,4 +1,4 @@
    - -/* $OpenBSD: sysv_sem.c,v 1.20 2003/08/20 18:02:20 millert Exp $ */
    +/* $OpenBSD: sysv_sem.c,v 1.21 2003/09/09 18:57:36 tedu Exp $ */
     /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */

     /*
    @@ -884,7 +884,7 @@
                     if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
                         val == seminfo.semmns)
                             return (error);
    - - if (val < seminfo.semmns)
    + if (val < seminfo.semmns || val > 0xffff)
                             return (EINVAL); /* can't decrease semmns */
                     seminfo.semmns = val;
                     return (0);
    @@ -902,7 +902,7 @@
                     if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
                         val == seminfo.semmsl)
                             return (error);
    - - if (val < seminfo.semmsl)
    + if (val < seminfo.semmsl || val > 0xffff)
                             return (EINVAL); /* can't decrease semmsl */
                     seminfo.semmsl = val;
                     return (0);

    Discovered by:
    blexim@hush.com of isen

    Thanks go to the OpenBSD team for an extremely fast response and fix.
    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.3

    wkYEARECAAYFAj9fLIMACgkQsE7ilXLZoGZ1uQCfZGsR74VHR4VUar9xeoZ/gwUj5CcA
    oKpLdVg3FZaPnTNPhKH2qMx+UvYe
    =5Lmq
    -----END PGP SIGNATURE-----

    Concerned about your privacy? Follow this link to get
    FREE encrypted email: https://www.hushmail.com/?l=2

    Free, ultra-private instant messaging with Hush Messenger
    https://www.hushmail.com/services.php?subloc=messenger&l=434

    Promote security and make money with the Hushmail Affiliate Program:
    https://www.hushmail.com/about.php?subloc=affiliate&l=427


  • Next message: blexim: "Re: Integer overflow in OpenBSD kernel"

    Relevant Pages

    • please pull from the trivial tree
      ... Fix spelling in E1000_DISABLE_PACKET_SPLIT Kconfig description ... +- Finding patch that caused a bug ... +Always try the latest kernel from kernel.org and build from source. ... Length of input string in bytes ...
      (Linux-Kernel)
    • Re: [DRIVER SUBMISSION] DRBD wants to go mainline
      ... For the guys on netdev, would you please look at the tcp_recvmsg- threading and TCP_NAGLE_CORK issues below and give opinions on the best way to proceed? ... I'd assume there's some equivalent way in kernelspace based around the "struct kiocb *iocb" and "int nonblock" parameters to the tcp_recvmsgkernel function. ... Typically if $KERNEL_FEATURE is insufficient for your needs you should fix $KERNEL_FEATURE instead of duplicating a replacement in your driver. ... When I earlier said I thought I was in macro hell, well, I was ...
      (Linux-Kernel)
    • Super Kernel Sunday!
      ... Linux "headcase" Torvalds today announced ... Before downloading the actual new kernel, ... syntax errors that nerds are expected to fix at home before completing ... Fixes, fixes. ...
      (Linux-Kernel)
    • [RFC v8][PATCH 0/12] Kernel based checkpoint/restart
      ... Support "external" checkpoint ... Fix save/restore state of FPU ... Memory restore now maps user pages explicitly to copy data into them, ... all the stakeholders was that doing checkpoint/restart in the kernel ...
      (Linux-Kernel)
    • Re: [Devel] [RFC v8][PATCH 0/12] Kernel based checkpoint/restart
      ... Support "external" checkpoint ... Fix save/restore state of FPU ... Memory restore now maps user pages explicitly to copy data into them, ... all the stakeholders was that doing checkpoint/restart in the kernel ...
      (Linux-Kernel)