FreeBSD Security Advisory: FreeBSD-SA-97:05.open

Tony Hagale (bagel@NEOSOFT.COM)
Tue, 04 Nov 1997 17:30:54 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>From: FreeBSD Security Officer <security-officer@FreeBSD.ORG>
>To: freebsd-announce@FreeBSD.ORG
>Subject: FreeBSD Security Advisory: FreeBSD-SA-97:05.open
>Date: Wed, 29 Oct 1997 20:01:00 +0100 (MET)
>Reply-To: security-officer@FreeBSD.ORG
>Sender: owner-freebsd-announce@FreeBSD.ORG
>X-Loop: FreeBSD.org
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>=====================================================================
========
>FreeBSD-SA-97:05 Security
Advisory
>
FreeBSD, Inc.
>
>Topic: security compromise via open()
>
>Category: core
>Module: kern
>Announced: 1997-10-29
>Affects: FreeBSD 2.1.*, FreeBSD 2.2.*,
> FreeBSD-stable and FreeBSD-current
>Corrected: FreeBSD-current as of 1997/10/23 (partly even on
1997/04/14)
> FreeBSD-stable as of 1997/10/24
> FreeBSD 2.1-stable as of 1997/10/29
>FreeBSD only: yes
>
>Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:05/
>
>=====================================================================
========
>
>I. Background
>
> In FreeBSD, the open() system call is used in normal file
operations.
> When calling open(), the caller should specify if the file is
> to be opened for reading, for writing or for both.
> The right to reading from and/or writing to a file is
controlled
> by the file's mode bits in the filesystem.
> In FreeBSD, open() is also used to obtain the right to do
> privileged io instructions.
>
>
>II. Problem Description
>
> A problem exists in the open() syscall that allows processes
> to obtain a valid file descriptor without having read or write
> permissions on the file being opened. This is normally not a
> problem. The FreeBSD way of obtaining the right to do io
> instructions however, is based on the right to open a specific
> file (/dev/io).
>
>III. Impact
>
> The problem can be used by any user on the system to do
unauthorised
> io instructions.
>
>
>IV. Workaround
>
> No workaround is available.
>
>V. Solution
>
> Apply the following patches. The first one in
/usr/src/sys/kern,
> and the second one in /usr/src/sys/i386/i386,
> Rebuild your kernel, install it and reboot your system.
>
> patch 1:
> For FreeBSD-current before 1997/10/23:
>
> Index: vfs_syscalls.c
>
===================================================================
> RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
> retrieving revision 1.76
> retrieving revision 1.77
> diff -u -r1.76 -r1.77
> --- vfs_syscalls.c 1997/10/12 20:24:27 1.76
> +++ vfs_syscalls.c 1997/10/22 07:28:51 1.77
> @@ -863,11 +863,13 @@
> struct flock lf;
> struct nameidata nd;
>
> + flags = FFLAGS(SCARG(uap, flags));
> + if ((flags & FREAD + FWRITE) == 0)
> + return (EINVAL);
> error = falloc(p, &nfp, &indx);
> if (error)
> return (error);
> fp = nfp;
> - flags = FFLAGS(SCARG(uap, flags));
> cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~
S_ISTXT;
> NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path),
p);
> p->p_dupfd = -indx - 1; /* XXX check for fdopen */
>
>
> For FreeBSD 2.1.* and 2.2.*:
>
> Index: vfs_syscalls.c
>
===================================================================
> RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
> retrieving revision 1.51.2.5
> diff -u -r1.51.2.5 vfs_syscalls.c
> --- vfs_syscalls.c 1997/10/01 06:23:48 1.51.2.5
> +++ vfs_syscalls.c 1997/10/28 22:04:43
> @@ -688,11 +688,13 @@
> struct flock lf;
> struct nameidata nd;
>
> + flags = FFLAGS(uap->flags);
> + if ((flags & FREAD + FWRITE) == 0)
> + return (EINVAL);
> error = falloc(p, &nfp, &indx);
> if (error)
> return (error);
> fp = nfp;
> - flags = FFLAGS(uap->flags);
> cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
> NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p);
> p->p_dupfd = -indx - 1; /* XXX check for fdopen */
>
> patch 2:
> For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before
1997/04/14:
>
> Index: mem.c
>
===================================================================
> RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v
> retrieving revision 1.38
> retrieving revision 1.38.2.1
> diff -u -r1.38 -r1.38.2.1
> --- mem.c 1996/09/27 13:25:06 1.38
> +++ mem.c 1997/10/23 22:14:24 1.38.2.1
> @@ -169,6 +169,7 @@
> int fmt;
> struct proc *p;
> {
> + int error;
> struct trapframe *fp;
>
> switch (minor(dev)) {
> @@ -179,6 +180,11 @@
> return ENODEV;
> #endif
> case 14:
> + error = suser(p->p_ucred, &p->p_acflag);
> + if (error != 0)
> + return (error);
> + if (securelevel > 0)
> + return (EPERM);
> fp = (struct trapframe *)curproc->p_md.md_regs;
> fp->tf_eflags |= PSL_IOPL;
> break;
>
>=====================================================================
========
>FreeBSD, Inc.
>
>Web Site: http://www.freebsd.org/
>Confidential contacts: security-officer@freebsd.org
>PGP Key:
ftp://freebsd.org/pub/CERT/public_key.asc
>Security notifications: security-notifications@freebsd.org
>Security public discussion: security@freebsd.org
>
>Notice: Any patches in this document may not apply cleanly due to
> modifications caused by digital signature or mailer
software.
> Please reference the URL listed at the top of this document
> for original copies of all patches if necessary.
>=====================================================================
========
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBNFeHI1UuHi5z0oilAQEtvAQAgMrMQvRpBOiV1nWzPzDSsnQOz4bBppcT
>SMEssoeRrr0cQQACZ4su3vlb71XJzgXi3bakEvvZgsMSSKb3sNxEl0RHR93cDNlE
>L9x3sDjbY7l1q2W4BldTly7W4WDjnJt5KEVbi7DKhXb+SuxgaSN0lsow5Cgd54jX
>skpX4qluhBM=
>=47P3
>-----END PGP SIGNATURE-----
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNF+wLfE0YW+shGjqEQLMTgCg35IBdHPA8L8fYmdGGk3+MAk6hcsAoMvN
OUfcNBJTrbYZy+tv0De4bnCz
=gYka
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

.,_-================-_,.
bagel@neosoft.com
admin@bagel.neosoft.com
.,_-================-_,.

Tony Hagale
+---------------------------------------------------+
|-BAGEL.NEOSOFT.COM,BAGEL.NET sysadmin..............|
|-WWW Designer......http://www.neosoft.com/~bagel...|
|-bagel on #sj on EFNet.............................|
|-Guru-for-hire UNIX/WIN/c/c++/vb/pascal............|
|-Strake Jesuit College Prep CCX Debator/CX Pres....|
|-ICQ ID# 3568586...................................|
|-U.S. Air Force Auxillary Member...................|
|-PGP Key ID 0xAC8468EA.............................|
+---------------------------------------------------+