Info
Last Modified: 10 months ago
Description
A local overflow exists in NetBSD as a result of mismatched data types in the sys_semop() function. With a specially crafted request, an attacker can cause a denial of service and/or execute arbitrary code, resulting in a loss of integrity and/or availability.
Classification
Location: Local Access Required
Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Exploit: Exploit Unavailable
Disclosure: OSVDB Verified
Technical |
The kernel function sys_semop performs a number of atomic operations (operations that are not interrupted and must all take effect at once) on a set of semaphores. Semaphores are protected variables used to restrict access to shared resources. The call takes sops, an array of semaphore operations, and nsops, the number of operations in that array.
A malicious user can pass a value for nsops that is greater than INT_MAX, causing nsops to flip negative (because it is stored in a signed integer) and so pass the existing bounds check. The value is then used in the copyin() function, which copies data from user memory to a local array on the process's kernel stack. Since the number of bytes to copy in is computed as 'nsops * sizeof(struct sembuf)', this can be used to copy an almost arbitrary number of bytes from userland onto the calling process's kernel stack.
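The signed/unsigned mismatch described above is a general C pattern, and it is easiest to see in a small userland model. The block below is an added example written for this entry, not NetBSD kernel code: MAX_OPS, struct sembuf_model and the two accept_count_* functions are constructed stand-ins for the kernel's limit, record layout and bounds check. It shows how a count just past INT_MAX slips through a check performed on a signed int while the unsigned check rejects it, and how the resulting byte count handed to the copy routine becomes huge.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the check described in the Technical section; not NetBSD's source.
 * MAX_OPS stands in for the kernel's per-call operation limit (assumed value). */
#define MAX_OPS 100

/* Model of the per-operation record copied in from userland (assumed layout). */
struct sembuf_model {
    unsigned short sem_num;
    short          sem_op;
    short          sem_flg;
};

/* Vulnerable pattern: the user-supplied count is stored in a signed int and the
 * bounds check is performed on that signed value, so a count above INT_MAX
 * converts to a negative number and slips past "nsops > MAX_OPS". */
bool accept_count_vulnerable(size_t user_nsops)
{
    int nsops = (int)user_nsops;   /* wraps negative for values > INT_MAX on two's complement targets */
    if (nsops > MAX_OPS)
        return false;              /* only positive over-limit counts are rejected */
    return true;
}

/* Byte count the vulnerable path would hand to the copy routine: the negative
 * int is converted to size_t by the multiplication, giving a huge length. */
size_t copy_len_vulnerable(size_t user_nsops)
{
    int nsops = (int)user_nsops;
    return nsops * sizeof(struct sembuf_model);
}

/* Hardened pattern: keep the count unsigned, reject out-of-range values before
 * doing any arithmetic, and make sure the multiplication cannot overflow. */
bool accept_count_fixed(size_t user_nsops, size_t *out_len)
{
    if (user_nsops == 0 || user_nsops > MAX_OPS)
        return false;
    if (user_nsops > SIZE_MAX / sizeof(struct sembuf_model))
        return false;              /* unreachable given MAX_OPS; kept as defence in depth */
    *out_len = user_nsops * sizeof(struct sembuf_model);
    return true;
}

int main(void)
{
    size_t big = (size_t)INT_MAX + 1;   /* constructed input just past INT_MAX */
    size_t len = 0;
    printf("vulnerable check accepts %zu: %d (copy length %zu bytes)\n",
           big, (int)accept_count_vulnerable(big), copy_len_vulnerable(big));
    printf("fixed check accepts %zu: %d\n", big, (int)accept_count_fixed(big, &len));
    return 0;
}
```

The design point is that the count must be validated in the type it arrives in, before it is narrowed or multiplied; the hardened check also bounds the product so that the length passed to the copy can never wrap.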
Solution |
Upgrade to version 1.5.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Products
NetBSD
- 1.4
- 1.5
- 1.5.1
- 1.4.x
Credit
- Jaromir Dolecek (jdolecek@netbsd.org)
- Christos Zoulas