On May 6, 2:10pm, Kevin Day wrote:
} Subject: Re: KKIS.05051999.003b
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} > Report title : Security problem with sockets in FreeBSD's
} > implementation of UNIX-domain protocol family.
} > Problem found by : Lukasz Luzar (lluzarat_private)
} > Report created by : Robert Pajak (shadowat_private)
} > Lukasz Luzar (lluzarat_private)
} > Report published : 5th May 1999
} > Report code : KKIS.05051999.003.b
} > Systems affected : FreeBSD-3.0 and maybe 3.1,
} > Archive : http://www.security.kki.pl/advisories/
} > Risk level : high
} >
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} > As you know, "The UNIX-domain protocol family is a collection of protocols
} > that provides local interprocess communication through the normal socket
} > mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
} > filesystem pathnames for addressing."
} > The SOCK_STREAM sockets also support the communication of UNIX file
} > descriptors through the use of the functions sendmsg() and recvmsg().
} > While testing UNIX-domain protocols, we have found a probable bug in
} > FreeBSD's implementation of this mechanism.
} > When we ran the attached example on FreeBSD-3.0 as a local user, the system
} > crashed immediately with the error "Supervisor read, page not present"
} > in kernel mode.
} >
}
} Here's my testing so far:
}
} 2.2.2 - Vulnerable
} 2.2.6 - Vulnerable
} 2.2.8 - Vulnerable
} 3.1-RELEASE - Ran 15 minutes, no crash.

I'd be willing to bet that 3.0-RELEASE is also vulnerable. I believe Matt Dillon fixed this earlier this year in revisions 1.38/1.39 (-CURRENT branch January 21, 1999) and 1.37.2.1 (RELENG_3 branch February 15, 1999) of sys/kern/uipc_usrreq.c. The RELENG_3 branch fix was committed just before 3.1-RELEASE.
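The quoted advisory describes the mechanism at issue: passing open file descriptors between processes over a SOCK_STREAM UNIX-domain socket with sendmsg() and recvmsg(). The example below is added here and is not the advisory's attached test program, nor code from FreeBSD; it shows a well-formed SCM_RIGHTS exchange over a socketpair, with the receiver-side checks (control-message truncation, level/type, closing any extra descriptors so none leak) that a robust program performs. The function names send_fd, recv_fd and pass_fd_demo and the text sent through the pipe are constructed for this example; it was written against Linux/POSIX headers.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>

/* Send one descriptor over a connected SOCK_STREAM UNIX-domain socket.
 * A single byte of ordinary data travels with it, since control data is
 * only delivered alongside payload. Returns 0 on success, -1 on error. */
static int send_fd(int sock, int fd_to_send) {
    char payload = 'F';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    memset(&ctl, 0, sizeof ctl);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. The control message is validated before the
 * descriptor is trusted: truncated control data is rejected, only
 * SOL_SOCKET/SCM_RIGHTS messages are honoured, and any descriptors beyond
 * the first are closed so a peer cannot fill the receiver's fd table.
 * Returns the received descriptor, or -1. */
static int recv_fd(int sock) {
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    /* Room for up to 4 descriptors; the kernel truncates beyond this. */
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int) * 4)]; } ctl;
    memset(&ctl, 0, sizeof ctl);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    if (recvmsg(sock, &msg, 0) != 1) return -1;

    int result = -1;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) continue;
        size_t nfds = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        int fds[4];
        if (nfds > 4) nfds = 4;
        memcpy(fds, CMSG_DATA(cm), nfds * sizeof(int));
        for (size_t i = 0; i < nfds; i++) {
            if (result == -1) result = fds[i];   /* keep the first one */
            else close(fds[i]);                   /* drop any extras */
        }
    }
    /* Truncated control data means descriptors may have been lost or
     * partially delivered; treat the whole message as invalid. */
    if (msg.msg_flags & MSG_CTRUNC) {
        if (result != -1) close(result);
        return -1;
    }
    return result;
}

/* Demonstration: pass the read end of a pipe across a socketpair and read
 * a constructed message through the received descriptor. Returns the
 * number of bytes read via the passed descriptor, or -1 on any failure. */
int pass_fd_demo(char *out, size_t outlen) {
    int sv[2], pfd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (pipe(pfd) < 0) return -1;

    const char *text = "hello via SCM_RIGHTS";   /* constructed sample data */
    if (write(pfd[1], text, strlen(text)) < 0) return -1;
    close(pfd[1]);

    if (send_fd(sv[0], pfd[0]) < 0) return -1;
    close(pfd[0]);   /* sender drops its copy; the in-flight copy survives */

    int got = recv_fd(sv[1]);
    if (got < 0) return -1;
    ssize_t n = read(got, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';

    close(got);
    close(sv[0]);
    close(sv[1]);
    return (int)n;
}

int main(void) {
    char buf[64];
    int n = pass_fd_demo(buf, sizeof buf);
    printf("read %d bytes through the passed descriptor: %s\n", n, buf);
    return n > 0 ? 0 : 1;
}
```

The receiver-side discipline is the part worth keeping: treat control data from a peer as untrusted input, bound the number of descriptors you will accept, and close what you did not ask for.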
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:24 PDT