[Full-Disclosure] OpenBSD 3.2 Kthread Madness

From: ned (ndat_private)
Date: Sat Aug 30 2003 - 19:07:46 PDT


    OPENBSD 3.2 - \3.2\sys\kern\kern_kthread.c
    
    Ohk, here is the function:
    
    int
    kthread_create(void (*func)(void *), void *arg,
        struct proc **newpp, const char *fmt, ...) <---- where the data is
    {
    	struct proc *p2; <--------- New proc struct
    	register_t rv[2];
    	int error;
    	va_list ap;
    
    	/*
    	 * First, create the new process.  Share the memory, file
    	 * descriptors and don't leave the exit status around for the
    	 * parent to wait for.
    	 */
    	error = fork1(&proc0, 0,
    	    FORK_SHAREVM|FORK_NOZOMBIE|FORK_SIGHAND, NULL, 0, func, arg, rv);
    	if (error)
    		return (error);
    
    	p2 = pfind(rv[0]);
    
    	/*
    	 * Mark it as a system process and not a candidate for
    	 * swapping.
    	 */
    	p2->p_flag |= P_INMEM | P_SYSTEM;	/* XXX */
    
    	/* Name it as specified. */
    	va_start(ap, fmt);
    	vsprintf(p2->p_comm, fmt, ap); <--- HELLO!
    	va_end(ap);
    
    	/* All done! */
    	if (newpp != NULL)
    		*newpp = p2;
    	return (0);
    } 
    
    some notes:
    - proc.h defines p_comm with a size of MAXCOMLEN+1
    - MAXCOMLEN is defined in param.h as 16.
    - This gives us 17 bytes to overflow.
    
    but how? you won't be able to do it from user-land (I presume) and the only 
    way I can imagine this being done is via an LKM. but then I realise that 
    you need root to do anything associated with LKMs. so the chances of 
    actually exploiting it come down to modifying a call in init_main.c and 
    watching your system not power up!
    
    patch-wise.. is there a vsnprintf I can stick in there?
     - nd
    
    -- 
    http://felinemenace.org/~nd
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
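The bounded replacement the post asks about, shown as an added userland C example that is not from the OpenBSD source or from the poster: a mock struct with a MAXCOMLEN+1 p_comm field is named through vsnprintf instead of vsprintf, so an over-long format result is truncated to 16 characters and the field that follows p_comm in memory stays intact. The struct, the canary field and the function names are constructed for this demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXCOMLEN 16   /* value quoted in the post from param.h */

/* Constructed stand-in for the relevant part of struct proc:
 * p_comm followed by whatever field comes next in memory. */
struct mock_proc {
    char p_comm[MAXCOMLEN + 1];
    int  p_canary;   /* hypothetical neighbour field used to detect overwrite */
};

/* Hardened naming: bounded write, always NUL-terminated.
 * Returns the length the format would have produced, like vsnprintf,
 * so the caller can tell whether the name was cut short. */
static int name_proc(struct mock_proc *p, const char *fmt, ...)
{
    va_list ap;
    int want;
    va_start(ap, fmt);
    want = vsnprintf(p->p_comm, sizeof(p->p_comm), fmt, ap);
    va_end(ap);
    return want;
}

/* 1 if the formatted name did not fit in a buffer of bufsize bytes. */
static int name_truncated(int want, size_t bufsize)
{
    return want < 0 || (size_t)want >= bufsize;
}

/* Constructed check: a 29-character name is truncated, canary survives.
 * Returns 1 on the expected outcome, a negative code otherwise. */
static int demo_long_name(void)
{
    struct mock_proc p;
    int want;
    memset(&p, 0, sizeof(p));
    p.p_canary = 0x41424344;
    want = name_proc(&p, "%s%d", "averyveryverylongkthreadname", 7);
    if (strlen(p.p_comm) != MAXCOMLEN) return -1;   /* 16 chars + NUL */
    if (p.p_canary != 0x41424344)      return -2;   /* neighbour untouched */
    return name_truncated(want, sizeof(p.p_comm));
}

/* Constructed check: a short name fits; returns 0 when not truncated. */
static int demo_short_name(void)
{
    struct mock_proc p;
    int want = name_proc(&p, "%s", "swapper");
    if (strcmp(p.p_comm, "swapper") != 0) return -1;
    return name_truncated(want, sizeof(p.p_comm));
}
```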
    