List: openbsd-tech
Subject: Re: Free/Net have bug in soreceive, and I'm not sure if OpenBSD does also
From: Artur Grabowski <art () blahonga ! org>
Date: 2002-05-27 15:01:37
Greg Troxel <gdt@ir.bbn.com> writes:
> In NetBSD, sys/kern/uipc_socket:soreceive() can violate the
> MT_SONAME/MT_DATA invariant if the uiomove to copy data to user space
> fails. From reading code in OpenBSD-current, I think it handles this
> case, because there is no 'goto release', and instead the while loop
> exits (due to error != 0), and sbdroprecord is called. Nevertheless,
> someone perhaps should check this out a bit further; the bug enables a
> malicious (or confused) unprivileged local user to cause the kernel to
> hit the 'soreceive 1a' panic on the other BSDs.
If I recall correctly we fixed this bug sometime in 1999.
//art
> The NetBSD PR with the details:
>
> http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=16990
>
> The FreeBSD PR is just a pointer to the NetBSD PR:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=38495
>
> I'm not subscribed to the list. Let me know if anyone needs more
> info, and feel free to copy me on any discussions.