Bugtraq mailing list archives
Re: FreeBSD kernel buffer overflow
From: Tim Newsham <newsham () lava net>
Date: Fri, 17 Sep 2004 12:21:08 -1000 (HST)
This is a non-issue.

On Thu, 16 Sep 2004 gerarra () tin it wrote:
> narg = callp->sy_narg & SYF_ARGMASK; (<- you can see it's the only check)
At this point, callp points to the sysent entry for a particular system call that is to be called. These entries are not under the control of the attacker (unless, as you point out, you are root and you add a new system call to the system). If there's an entry in the system call table with a sy_narg field greater than 8, then yes, there will be a buffer overflow. However, the programmers who wrote the kernel don't provide you with any such system calls.
> It's exploitable, but the only way I discovered is to link a new syscall to the sysent array, and to do this you need to be root; I've no time to work on this vulnerability, but I think another way could be found. However, it could cause serious problems (e.g. kernel crashes).
>
> rookie
Tim N.
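The dispatch path Tim describes above, as an added model in C (not FreeBSD's code and not code from anyone in this thread): a sysent-style table whose masked sy_narg is the copy count into an 8-slot argument buffer, with a defender's audit over the table and a dispatch that bounds narg before copying. The value of SYF_ARGMASK, the table contents and the function names are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the dispatch path discussed in the thread, not FreeBSD's
 * own code: a sysent-like table whose sy_narg field is masked with SYF_ARGMASK
 * and used as the copy count into a fixed 8-slot argument buffer. */
#define SYF_ARGMASK 0xff      /* assumed mask value for this model */
#define MAXARGS 8             /* size of the on-stack argument array */

struct sysent_model {
    int sy_narg;              /* argument count; upper bits carry flags in the real struct */
    int (*sy_call)(const uintptr_t *args);
};

static int sys_noop(const uintptr_t *args) { (void)args; return 0; }

/* Constructed table: entry 2 carries an oversized count to exercise the checks.
 * A stock table would not contain such an entry; only root could add one. */
static struct sysent_model sysent_tab[] = {
    { 0, sys_noop },
    { 3, sys_noop },
    { 12, sys_noop },   /* would overflow an 8-slot buffer if trusted blindly */
    { 8, sys_noop },
};
#define NSYSENT (sizeof(sysent_tab) / sizeof(sysent_tab[0]))

/* Defender's audit: return the index of the first entry whose masked sy_narg
 * exceeds the argument buffer, or -1 if the table is consistent. */
int audit_sysent(const struct sysent_model *tab, size_t n) {
    for (size_t i = 0; i < n; i++)
        if ((tab[i].sy_narg & SYF_ARGMASK) > MAXARGS)
            return (int)i;
    return -1;
}

/* Bounded dispatch: check narg against the buffer before copying user args.
 * Returns -EINVAL for an inconsistent entry, -ENOSYS for an unknown number. */
int dispatch_model(unsigned code, const uintptr_t *uargs) {
    uintptr_t args[MAXARGS];
    if (code >= NSYSENT) return -ENOSYS;
    const struct sysent_model *callp = &sysent_tab[code];
    int narg = callp->sy_narg & SYF_ARGMASK;
    if (narg > MAXARGS) return -EINVAL;  /* the check the thread notes is absent */
    memcpy(args, uargs, (size_t)narg * sizeof(args[0]));  /* stands in for copyin() */
    return callp->sy_call(args);
}
```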