OpenBSD Journal

[Patch 010] Security: reference count overflow in shmat()

Contributed by jose on from the class-of-bugs dept.

CMF writes: "This was posted to Bugtraq earlier today. Please note that FreeBSD has already released a security errata for this issue:
Pine Digital Security Advisory

Advisory ID : PINE-CERT-20040201 (CAN-2004-0114)
Authors : Joost Pol
Vendor Informed : 2004-02-01
Issue date : 2004-02-05
Application : kernel / sysv shared memory
Platforms : FreeBSD, NetBSD and OpenBSD
Availability : http://www.pine.nl/press/pine-cert-20040201.txt

Synopsis

        While gathering material for a security training Pine
        Digital Security encountered a reference count overflow
        condition which could lead to privilege escalation.

Versions

        Vulnerable versions include:

        FreeBSD >= 2.2.0, NetBSD >= 1.3 and OpenBSD >= 2.6

Impact

        Serious.

        Local users can elevate their privileges.

Description

        The shmat(2) function maps a shared memory segment, previously
        created with the shmget(2) function, into the address space of
        the calling process.

UPDATE: Patches are out for 3.4-stable and 3.3-stable.

Here is the mail from security-announce:


Date: Thu, 05 Feb 2004 16:35:48 -0700
From: Todd C. Miller

To: security-announce@openbsd.org
Subject: Reference counting bug in shmat(2)

A reference counting bug exists in the shmat(2) system call that
could be used by an attacker to write to kernel memory under certain
circumstances.

The bug, found by Joost Pol, could be used to gain elevated privileges
and has been successfully exploited under FreeBSD.

Patches for OpenBSD 3.4 and 3.3 respectively are also available:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/015_sysvshm.patch

The patch is already present in OpenBSD-current as well as in the
3.3 and 3.4 -stable branches.

For more information on the bug, see Joost Pol's description at:
    http://www.pine.nl/press/pine-cert-20040201.txt


Comments
  1. By Anonymous Coward () on

    how do you patch?

    Comments
    1. By Anonymous Coward () on

      oops nevermind

      Apply by doing:
      cd /usr/src
      patch -p0 <010_sysvshm.patch

      And then rebuild your kernel.

      Comments
      1. By Anonymous Coward () on

        How do you rebuild the kernel?

        The FAQ says
        make obj && make depend && make

        but make obj fails.

        Just plain 'make' doesn't actually seem to build anything. The command prompt returns in a second or so with no feedback.

        Comments
        1. By tedu () on

          faq says nothing about running make obj when building a kernel. read 5.4 again.

          Comments
          1. By Anonymous Coward () on

            Thanks for the tip.

            I was looking at the patch faq, but that appears to be for apps, mostly.

    2. By Christian () on www.cschwede.de

      I have an extra disk in my notebook with OpenBSD on it. So I compile patches on it and copy the binary files via scp over to the "real" machines.
      If you need binary patches for OBSD 3.4/i386, have a look at my site.

      Cheers, Christian.

  2. By Jason Wong () annoyed@eudoramail.com on mailto:annoyed@eudoramail.com

    I have one server still running OpenBSD 3.2 and it can't be upgraded for various reasons.

    Instead of:

    if (error)

    the sys/kern/sysv_shm.c file for 3.2 has:

    if (rv != KERN_SUCCESS) {
            return ENOMEM;
    }

    Any suggestions? Unfortunately, I'm not a kernel hacker...

    Comments
    1. By Colin Percival () cperciva@daemonology.net on http://www.daemonology.net

      Looks like OpenBSD 3.2 is using the same code as FreeBSD at this point, so the same patch should work: Add the line
      uao_detach(shm_handle->shm_object);
      just before "return ENOMEM;".
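
The error-path fix Colin describes, as an added example that is not OpenBSD's own sysv_shm.c code: a toy model of the shmat(2) mapping step with the leaking shape (the 3.2 code Jason quotes) beside the corrected one. uao_detach(), shm_handle and shm_object are the names from the comments above; uao_reference(), uvm_map_stub() and the uo_refs field are stand-ins assumed for the model.

```c
/* Added example: toy model of the shmat(2) error path, not the real
 * sysv_shm.c. uao_reference()/uvm_map_stub()/uo_refs are stand-ins. */
#include <errno.h>

struct uvm_object { unsigned int uo_refs; };        /* modelled refcount */
struct shm_handle { struct uvm_object *shm_object; };

static void uao_reference(struct uvm_object *o) { o->uo_refs++; }
static void uao_detach(struct uvm_object *o)    { o->uo_refs--; }

/* The mapping step is stubbed: it "fails" whenever fail is nonzero. */
static int uvm_map_stub(int fail) { return fail ? ENOMEM : 0; }

/* Buggy shape: the reference taken before the map attempt is never
 * dropped when the map fails, so every failed shmat() leaks one
 * reference to the segment's object. */
static int shmat_buggy(struct shm_handle *h, int fail)
{
	uao_reference(h->shm_object);
	if (uvm_map_stub(fail) != 0) {
		return ENOMEM;          /* reference leaked here */
	}
	return 0;
}

/* Fixed shape (the one-line patch above): drop the reference on the
 * error path before returning. A successful attach keeps it, as the
 * mapping now owns it until shmdt(). */
static int shmat_fixed(struct shm_handle *h, int fail)
{
	uao_reference(h->shm_object);
	if (uvm_map_stub(fail) != 0) {
		uao_detach(h->shm_object);
		return ENOMEM;
	}
	return 0;
}

/* Run n failing attaches through one variant and return how many
 * references leaked relative to the starting count; 0 means no leak.
 * This is the check a reviewer would apply to any error path. */
static unsigned int leaked_refs(int (*attach)(struct shm_handle *, int),
    unsigned int n)
{
	struct uvm_object obj = { 1 };  /* the segment's own reference */
	struct shm_handle h = { &obj };
	unsigned int i, before = obj.uo_refs;

	for (i = 0; i < n; i++)
		(void)attach(&h, 1);
	return obj.uo_refs - before;
}
```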
