[Full-Disclosure] Re: OpenBSD 3.2 Kthread Madness

From: Mats O Jansson (majaat_private)
Date: Sat Aug 30 2003 - 23:15:49 PDT

    Hi!
    
    Why don't you look at the code in current? This was fixed in early may
    in rev 1.19.
    
    -moj
    
    On Sat, 30 Aug 2003, ned wrote:
    
    > OPENBSD 3.2 - \3.2\sys\kern\kern_kthread.c
    > 
    > Ohk, here is the function:
    > 
    > int
    > kthread_create(void (*func)(void *), void *arg,
    >     struct proc **newpp, const char *fmt, ...) <---- where the data is
    > {
    > 	struct proc *p2; <--------- New proc struct
    > 	register_t rv[2];
    > 	int error;
    > 	va_list ap;
    > 
    > 	/*
    > 	 * First, create the new process.  Share the memory, file
    > 	 * descriptors and don't leave the exit status around for the
    > 	 * parent to wait for.
    > 	 */
    > 	error = fork1(&proc0, 0,
    > 	    FORK_SHAREVM|FORK_NOZOMBIE|FORK_SIGHAND, NULL, 0, func, arg, rv);
    > 	if (error)
    > 		return (error);
    > 
    > 	p2 = pfind(rv[0]);
    > 
    > 	/*
    > 	 * Mark it as a system process and not a candidate for
    > 	 * swapping.
    > 	 */
    > 	p2->p_flag |= P_INMEM | P_SYSTEM;	/* XXX */
    > 
    > 	/* Name it as specified. */
    > 	va_start(ap, fmt);
    > 	vsprintf(p2->p_comm, fmt, ap); <--- HELLO!
    > 	va_end(ap);
    > 
    > 	/* All done! */
    > 	if (newpp != NULL)
    > 		*newpp = p2;
    > 	return (0);
    > } 
    > 
    > some notes:
    > - proc.h defines p_comm for a size of MAXCOMLEN+1
    > - MAXCOMLEN is defined in param.h as 16.
    > - This gives us 17 bytes to overflow.
    > 
    > but how? you won't be able to do it from user-land (I presume) and the only 
    > way I can imagine this being done is via an LKM. but then I realise that 
    > you need root to do anything associated with LKMs. so the chances of 
    > actually exploiting it come down to modifying a call in init_main.c and 
    > watching your system not power up!
    > 
    > for patch wise..is there a vslprintf i can stick in there?
    >  - nd
    > 
    > -- 
    > http://felinemenace.org/~nd
    > 
    > 
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
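As an added illustration (not code from this thread or from OpenBSD), this is the bounded form of the naming step ned asks about: vsnprintf() with sizeof(p_comm) in place of vsprintf(). The struct proc stand-in, its sentinel field, and the helper names are constructed for the example; the actual rev 1.19 change Mats refers to is not reproduced here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* From the thread: p_comm holds MAXCOMLEN+1 bytes, MAXCOMLEN is 16. */
#define MAXCOMLEN 16
#define SENTINEL 0xdeadbeefU

/* Constructed stand-in for struct proc: just p_comm, followed by a
 * sentinel so a check can confirm nothing was written past the name. */
struct fake_proc {
	char p_comm[MAXCOMLEN + 1];
	unsigned int sentinel;
};

/* Bounded replacement for the quoted vsprintf() call.  Returns 1 if the
 * formatted name fit, 0 if it was truncated to MAXCOMLEN characters.
 * p_comm is NUL-terminated in both cases. */
static int
set_proc_name(struct fake_proc *p, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(p->p_comm, sizeof(p->p_comm), fmt, ap);
	va_end(ap);
	/* vsnprintf returns the length it wanted to write; >= size means truncated. */
	return n >= 0 && (size_t)n < sizeof(p->p_comm);
}

/* Name a fresh proc with one string argument, copy the resulting p_comm
 * to out, report whether it fit via *fit, and return 1 if the sentinel
 * after p_comm is still intact. */
static int
name_and_check(const char *fmt, const char *arg, char *out, size_t outlen, int *fit)
{
	struct fake_proc p;

	memset(&p, 0, sizeof(p));
	p.sentinel = SENTINEL;
	*fit = set_proc_name(&p, fmt, arg);
	snprintf(out, outlen, "%s", p.p_comm);
	return p.sentinel == SENTINEL;
}

int
main(void)
{
	char name[MAXCOMLEN + 1];
	int fit, ok;

	/* Constructed input longer than MAXCOMLEN, like an over-long kthread name. */
	ok = name_and_check("%s", "a-very-long-kthread-name-that-exceeds-MAXCOMLEN",
	    name, sizeof(name), &fit);
	printf("p_comm=\"%s\" fit=%d sentinel_ok=%d\n", name, fit, ok);
	return 0;
}
```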
    



    This archive was generated by hypermail 2b30 : Sun Aug 31 2003 - 09:41:20 PDT