
List:       openbsd-tech
Subject:    Re: Free/Net have bug in soreceive, and I'm not sure if OpenBSD does also
From:       Artur Grabowski <art () blahonga ! org>
Date:       2002-05-27 15:01:37

Greg Troxel <gdt@ir.bbn.com> writes:

> In NetBSD, sys/kern/uipc_socket:soreceive() can violate the
> MT_SONAME/MT_DATA invariant if the uiomove to copy data to user space
> fails.  From reading code in OpenBSD-current, I think it handles this
> case, because there is no 'goto release', and instead the while loop
> exits (due to error != 0), and sbdroprecord is called.  Nevertheless,
> someone perhaps should check this out a bit further; the bug enables a
> malicious (or confused) unprivileged local user to cause the kernel to
> hit the 'soreceive 1a' panic on the other BSDs.

If I recall correctly we fixed this bug sometime in 1999.

//art

> The NetBSD PR with the details:
> 
> http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=16990
> 
> The FreeBSD PR is just a pointer to the NetBSD PR:
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=38495
> 
> I'm not subscribed to the list.  Let me know if anyone needs more
> info, and feel free to copy me on any discussions.
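
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not kernel source: a simplified user-space model of a receive path in which a failed copy either leaves a record without its leading MT_SONAME mbuf or drops the rest of the record. The struct layout, `model_soreceive`, `second_receive_after_fault`, the `copy_fails` flag and the `PANIC_1A` return code are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (assumption): one record per socket buffer, mbufs linked by next. */
enum mtype { MT_DATA, MT_SONAME };
struct mbuf { enum mtype type; struct mbuf *next; };
struct sockbuf { struct mbuf *head; };

#define PANIC_1A (-1)   /* stands in for the 'soreceive 1a' panic (hypothetical code) */

/*
 * copy_fails models uiomove() returning an error.
 * drop_on_error == 0: return early, leaving the partly consumed record queued.
 * drop_on_error == 1: discard the rest of the record, as sbdroprecord would.
 */
int model_soreceive(struct sockbuf *sb, int copy_fails, int drop_on_error)
{
    struct mbuf *m = sb->head;

    if (m == NULL)
        return 0;                    /* nothing queued */
    if (m->type != MT_SONAME)
        return PANIC_1A;             /* invariant: a record starts with the address */
    sb->head = m->next;              /* address mbuf consumed */

    for (m = sb->head; m != NULL && m->type == MT_DATA; m = sb->head) {
        if (copy_fails) {
            if (drop_on_error)
                sb->head = NULL;     /* drop the remainder of the record */
            return EFAULT;
        }
        sb->head = m->next;          /* data mbuf copied out and consumed */
    }
    return 0;
}

/* Constructed scenario: first receive faults during the copy, second one runs normally. */
int second_receive_after_fault(int drop_on_error)
{
    struct mbuf data = { MT_DATA, NULL };
    struct mbuf addr = { MT_SONAME, &data };
    struct sockbuf sb = { &addr };

    (void)model_soreceive(&sb, 1, drop_on_error);
    return model_soreceive(&sb, 0, drop_on_error);
}

int main(void)
{
    printf("early return: %d\n", second_receive_after_fault(0));
    printf("drop record:  %d\n", second_receive_after_fault(1));
    return 0;
}
```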
