OpenBSD Journal

Reliability Fix: kernel NULL pointer dereference in getsockopt()

Contributed by weerd on from the evil-ipsec dept.

A bug has been found in the IPsec parts of ip_output.c that can lead to a NULL pointer dereference in getsockopt(). On kernels from before 4.4, this could lead to a local privilege escalation on certain architectures. The currently supported releases, however, protect against this by no longer allowing userland to map the NULL page (on architectures where the kernel shares its address space with userland), reducing the attack to a local denial of service: the kernel panics.

Patches are available for OpenBSD 4.6 (patch, errata), OpenBSD 4.5 (patch, errata) and OpenBSD 4.4 (patch, errata). The fix is of course already in -current; the commit message for the IPv4 case is reproduced below, and the IPv6 commit is nearly identical. This issue affects all architectures.

Date: Wed, 28 Oct 2009 12:02:01 -0600 (MDT)
From: Theo de Raadt 
To: source-changes@cvs.openbsd.org
Subject: CVS: cvs.openbsd.org: src

CVSROOT:        /cvs
Module name:    src
Changes by:     deraadt@cvs.openbsd.org 2009/10/28 12:02:00

Modified files:
        sys/netinet    : ip_output.c

Log message:
*NULL store in IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL,
IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on
userland/kernel shared vm machines (ie. i386, amd64, arm, sparc (but not
sparc64), sh, ...) on OpenBSD 4.3 or older
ok claudio

Please update your systems at your earliest convenience.
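The defect the commit message describes, as an added, constructed C model rather than OpenBSD's ip_output.c (every name below is invented): a getsockopt() option switch in which only one case allocates the reply buffer, beside the shape the fix gives it, with the NULL store modelled as a fault so the program runs in userland.

```c
#include <errno.h>
#include <stdlib.h>
/* Constructed model of a getsockopt() option switch, not OpenBSD's
 * ip_ctloutput(). The reply buffer stands in for the mbuf the kernel
 * fills and then copies out to userland. */
struct sobuf { int val; };
struct pcb { int ttl; int seclevel[4]; };          /* per-socket state */
enum { OPT_TTL = 1, OPT_AUTH_LEVEL, OPT_ESP_TRANS_LEVEL,
       OPT_ESP_NETWORK_LEVEL, OPT_IPCOMP_LEVEL };
/* Plays the CPU: a store through NULL faults. In the kernel that is a
 * panic, or a write into user-controlled memory where page zero is mappable. */
static int store_reply(struct sobuf *m, int val)
{
    if (m == NULL)
        return EFAULT;
    m->val = val;
    return 0;
}
/* fixed == 0: buggy shape, only the TTL case allocates and the IPsec level
 * cases store through the NULL the caller passed in. fixed != 0: the fix. */
static int ip_getopt(const struct pcb *p, int optname, struct sobuf **mp, int fixed)
{
    struct sobuf *m = *mp;
    switch (optname) {
    case OPT_TTL:
        *mp = m = malloc(sizeof *m);
        return store_reply(m, p->ttl);
    case OPT_AUTH_LEVEL: case OPT_ESP_TRANS_LEVEL:
    case OPT_ESP_NETWORK_LEVEL: case OPT_IPCOMP_LEVEL:
        if (fixed)
            *mp = m = malloc(sizeof *m);   /* the allocation the bug lacks */
        return store_reply(m, p->seclevel[optname - OPT_AUTH_LEVEL]);
    }
    return ENOPROTOOPT;
}
/* Drives every option the way an unprivileged caller could and counts
 * the ones that fault: the bug's reach, option by option. */
int count_faulting_options(int fixed)
{
    struct pcb p = { 64, { 1, 2, 2, 1 } };   /* constructed socket state */
    int faults = 0;
    for (int o = OPT_TTL; o <= OPT_IPCOMP_LEVEL; o++) {
        struct sobuf *m = NULL;
        if (ip_getopt(&p, o, &m, fixed) == EFAULT)
            faults++;
        free(m);
    }
    return faults;
}
```

With the buggy shape all four IPsec level options fault; with the fixed shape none do.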



Comments
  1. By Anonymous Coward (anon) on

    > Of course, the patches are already available in -current

    For the avoidance of doubt, the patches are also in -stable for 4.4, 4.5 and 4.6.

    For 4.4 and later it's a reliability fix (local users can crash the system, but not escalate privileges). For OS versions before 4.4 it's a security fix (local user privilege escalation).

  2. By Joachim Schipper (Joachim) j.schipper@math.uu.nl on http://wwww.joachimschipper.nl

    Unless I severely misunderstand the commit, this can only be triggered by an attacker who already has root privileges.

    That is rather less interesting than "any user", and while root->kernel privilege escalation is somewhat serious, root panicking the kernel isn't terribly interesting (I managed it consistently by creating a too-large ffs partition on a softraid volume, for instance).

    It should still be fixed, of course, but there is no reason for panic. ;-)

    Comments
    1. By Clement LECIGNE (clem1) on http://www.clem1.be

      > Unless I severely misunderstand the commit, this can only be triggered by an attacker who already has root privileges.

      No, this security bug can be triggered by a local non-root user just by issuing an evil getsockopt(), this will cause a kernel panic on OpenBSD versions >= 4.4. On OpenBSD < 4.3, I was able to gain root exploiting this vulnerability since we could mmap() a NULL address in these versions.

      Comments
      1. By Joachim Schipper (Joachim) on http://www.joachimschipper.nl/About me

        > > Unless I severely misunderstand the commit, this can only be triggered by an attacker who already has root privileges.
        >
        > No, this security bug can be triggered by a local non-root user (...)

        Thanks for the correction!
