Re: OpenBSD 3.2 Kthread Madness

[Mats O Jansson <maja () cntw com>]

Hi!

Why don't you look at the code in current? This was fixed in early may
in rev 1.19.

-moj

On Sat, 30 Aug 2003, ned wrote:

> OPENBSD 3.2 - \3.2\sys\kern\kern_kthread.c
>
> Ohk, here is the function:
>
> int
> kthread_create(void (*func)(void *), void *arg,
>     struct proc **newpp, const char *fmt, ...) <---- where the data is
> {
>       struct proc *p2; <--------- New proc struct
>       register_t rv[2];
>       int error;
>       va_list ap;
>
>       /*
>        * First, create the new process.  Share the memory, file
>        * descriptors and don't leave the exit status around for the
>        * parent to wait for.
>        */
>       error = fork1(&proc0, 0,
>           FORK_SHAREVM|FORK_NOZOMBIE|FORK_SIGHAND, NULL, 0, func, arg, 
> rv);
>       if (error)
>               return (error);
>
>       p2 = pfind(rv[0]);
>
>       /*
>        * Mark it as a system process and not a candidate for
>        * swapping.
>        */
>       p2->p_flag |= P_INMEM | P_SYSTEM;       /* XXX */
>
>       /* Name it as specified. */
>       va_start(ap, fmt);
>       vsprintf(p2->p_comm, fmt, ap); <--- HELLO!
>       va_end(ap);
>
>       /* All done! */
>       if (newpp != NULL)
>               *newpp = p2;
>       return (0);
> } 
>
> some notes:
> - proc.h defines p_comm for a size of MAXCOMLEN+1
> - MAXCOMLEN is defined in param.h as 16.
> - This gives use 17 bytes to overflow.
>
> but how? you wont be able to do it from user-land (i presume) and the only 
> way i can imagine this being done is via a LKM. but then i realise that 
> you need root to do anything associated with lkm's. so the chances of 
> actually exploiting it, comes down to modifying a call in init_main.c and 
> watvhing your system not power up!
>
> for patch wise..is there a vslprintf i can stick in there?
>  - nd
>
> -- 
> http://felinemenace.org/~nd