netbsd-bugs: bin/2485: some kvm progs insecure

Subject: bin/2485: some kvm progs insecure
To: None <gnats-bugs@NetBSD.ORG>
From: None <kashmir@umiacs.UMD.EDU>
List: netbsd-bugs
Date: 05/30/1996 01:01:08
>Number:         2485
>Category:       bin
>Synopsis:       some kvm progs insecure
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 30 01:20:14 1996
>Last-Modified:
>Originator:     Mike Grupenhoff
>Organization:
	UMIACS
>Release:        current - May 24
>Environment:
System: NetBSD snarf.umiacs.umd.edu 1.1B NetBSD 1.1B (SNARF) #107: Tue May 28 01:53:22 EDT 1996 kashmir@snarf.umiacs.umd.edu:/usr/src/sys/arch/i386/compile/SNARF i386

>Description:
	Many libkvm programs in the tree do not drop their setgidness when
	an alternate kernel is specified.  Thanks to Sujal Patel
	<smpatel@umiacs.umd.edu> for noticing this.
>How-To-Repeat:
>Fix:
Index: sbin/ccdconfig/ccdconfig.c
===================================================================
RCS file: /snarf/netbsd/master/src/sbin/ccdconfig/ccdconfig.c,v
retrieving revision 1.1.1.5
diff -u -r1.1.1.5 ccdconfig.c
--- ccdconfig.c	1996/05/24 21:45:53	1.1.1.5
+++ ccdconfig.c	1996/05/30 02:50:33
@@ -163,6 +163,13 @@
 	if (options > 1)
 		usage();
 
+	/*
+	 * Discard setgid privileges if not the running kernel so that bad
+	 * guys can't print interesting stuff from kernel memory.
+	 */
+	if (core != NULL || kernel != NULL)
+		setgid(getgid());
+
 	switch (action) {
 		case CCD_CONFIG:
 		case CCD_UNCONFIG:
Index: usr.sbin/slstats/slstats.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.sbin/slstats/slstats.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 slstats.c
--- slstats.c	1995/11/16 02:30:16	1.1.1.1
+++ slstats.c	1996/05/30 02:54:35
@@ -104,6 +104,13 @@
 			kflag++;
 		}
 	}
+        /*
+	 * Discard setgid privileges if not the running kernel so that bad
+	 * guys can't print interesting stuff from kernel memory.
+	 */
+	if (system != _PATH_UNIX || kmemf != _PATH_KMEM)
+		setgid(getgid());
+
 	if (kopen(system, kmemf, "slstats") < 0)
 		exit(1);
 	if (knlist(system, nl, "slstats") < 0)
Index: usr.sbin/trpt/trpt.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.sbin/trpt/trpt.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 trpt.c
--- trpt.c	1995/11/16 02:30:22	1.1.1.1
+++ trpt.c	1996/05/30 02:56:37
@@ -163,6 +163,13 @@
 	else
 		system = _PATH_UNIX;
 
+	/*
+	 * Discard setgid priviledges if not the running kernel so that bad
+	 * guys can't print interesting stuff from kernel memory.
+	 */
+	if (core != _PATH_KMEM || system != _PATH_UNIX)
+		setgid(getgid());
+
 	if (nlist(system, nl) < 0 || !nl[0].n_value) {
 		fprintf(stderr, "trpt: %s: no namelist\n", system);
 		exit(1);
Index: usr.sbin/trsp/trsp.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.sbin/trsp/trsp.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 trsp.c
--- trsp.c	1995/11/16 02:30:23	1.1.1.1
+++ trsp.c	1996/05/30 02:58:36
@@ -145,6 +145,12 @@
 		argc--, argv++;
 		mask++;
 	}
+	/*
+	 * Discard setgid privileges if not the running kernel so that bad
+	 * guys can't print interesting stuff from kernel memory.
+	 */
+	if (system != _PATH_UNIX || core != _PATH_KMEM)
+		setgid(getgid());
 	(void) nlist(system, nl);
 	if (nl[0].n_value == 0) {
 		fprintf(stderr, "trsp: %s: no namelist\n", system);
Index: usr.bin/ipcs/ipcs.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.bin/ipcs/ipcs.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 ipcs.c
--- ipcs.c	1995/11/16 02:27:32	1.1.1.1
+++ ipcs.c	1996/05/30 03:11:56
@@ -181,6 +181,12 @@
 		default:
 			usage();
 		}
+	/*
+	 * Discard setgid privileges if not the running kernel so that bad
+	 * guys can't print interesting stuff from kernel memory.
+	 */
+	if (namelist != NULL || core != NULL)
+		setgid(getgid());
 	if ((kd = kvm_open(namelist, core, NULL, O_RDONLY, "ipcs")) == NULL)
 		exit(1);
 
Index: usr.bin/w/w.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.bin/w/w.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 w.c
--- w.c	1996/04/13 17:38:28	1.1.1.2
+++ w.c	1996/05/30 03:06:22
@@ -166,6 +166,13 @@
 	argc -= optind;
 	argv += optind;
 
+	/*
+	 * Discard setgid privileges if not the running kernel so that bad
+	 * guys can't print interesting stuff from kernel memory.
+	 */
+	if (nlistf != NULL || memf != NULL)
+		setgid(getgid());
+
 	if ((kd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, errbuf)) == NULL)
 		errx(1, "%s", errbuf);
 
>Audit-Trail:
>Unformatted: