Subject: bin/2485: some kvm progs insecure
To: None <gnats-bugs@NetBSD.ORG>
From: None <kashmir@umiacs.UMD.EDU>
List: netbsd-bugs
Date: 05/30/1996 01:01:08
>Number: 2485
>Category: bin
>Synopsis: some kvm progs insecure
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu May 30 01:20:14 1996
>Last-Modified:
>Originator: Mike Grupenhoff
>Organization:
UMIACS
>Release: current - May 24
>Environment:
System: NetBSD snarf.umiacs.umd.edu 1.1B NetBSD 1.1B (SNARF) #107: Tue May 28 01:53:22 EDT 1996 kashmir@snarf.umiacs.umd.edu:/usr/src/sys/arch/i386/compile/SNARF i386
>Description:
Many libkvm programs in the tree do not drop their setgidness when
an alternate kernel is specified. Thanks to Sujal Patel
<smpatel@umiacs.umd.edu> for noticing this.
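Added illustration, not part of this PR or of the NetBSD sources: a small C program showing the privilege-drop rule the patches below apply, written the way a reviewer would ask for it. The alternate-kernel decision compares path contents rather than pointer identity, the setgid() return value is checked, and the drop is verified with getegid() before the program goes on. The default paths are constructed here (the real programs take them from <paths.h>), and drop_privs_if_alternate and the other function names are this example's own.

```c
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Defaults the real programs read from <paths.h>; spelled out here
 * (constructed values) so the example builds on any POSIX system. */
#define DEFAULT_UNIX "/netbsd"
#define DEFAULT_KMEM "/dev/kmem"

/* Return 1 if the caller named an alternate namelist or memory file,
 * 0 if only the running kernel is involved. Content comparison, so a
 * second copy of the default path is still treated as the default;
 * callers wanting the stricter rule used by the ipcs and w hunks
 * (any explicit argument drops privilege) can test for non-NULL only. */
int alternate_kernel_requested(const char *nlistf, const char *memf)
{
    if (nlistf != NULL && strcmp(nlistf, DEFAULT_UNIX) != 0)
        return 1;
    if (memf != NULL && strcmp(memf, DEFAULT_KMEM) != 0)
        return 1;
    return 0;
}

/* Drop the setgid (kmem) privilege. Returns 0 on success, -1 on failure.
 * setgid() rather than setegid(): on 4.4BSD-derived kernels it also resets
 * the saved gid, so the privilege cannot be regained later with setegid(). */
int drop_kmem_privilege(void)
{
    gid_t real = getgid();

    if (setgid(real) == -1)
        return -1;
    /* Confirm the effective gid really changed before trusting the drop. */
    if (getegid() != real) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Apply the PR's rule: drop only when an alternate kernel or core is named.
 * Returns 1 if privileges were dropped, 0 if kept, -1 if the drop failed. */
int drop_privs_if_alternate(const char *nlistf, const char *memf)
{
    if (!alternate_kernel_requested(nlistf, memf))
        return 0;
    if (drop_kmem_privilege() == -1)
        return -1;
    return 1;
}

/* Usage: ./a.out [namelist [memfile]] */
int main(int argc, char **argv)
{
    const char *nlistf = argc > 1 ? argv[1] : NULL;
    const char *memf = argc > 2 ? argv[2] : NULL;
    int rc = drop_privs_if_alternate(nlistf, memf);

    if (rc == -1) {
        fprintf(stderr, "setgid: %s\n", strerror(errno));
        return 1;
    }
    printf("privileges %s; egid=%ld gid=%ld\n", rc ? "dropped" : "kept",
           (long)getegid(), (long)getgid());
    return 0;
}
```

The essential difference from the patches is that a failed setgid() is fatal rather than silently ignored, which is the only way the "discard privileges" comment can be relied on.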
>How-To-Repeat:
>Fix:
Index: sbin/ccdconfig/ccdconfig.c
===================================================================
RCS file: /snarf/netbsd/master/src/sbin/ccdconfig/ccdconfig.c,v
retrieving revision 1.1.1.5
diff -u -r1.1.1.5 ccdconfig.c
--- ccdconfig.c 1996/05/24 21:45:53 1.1.1.5
+++ ccdconfig.c 1996/05/30 02:50:33
@@ -163,6 +163,13 @@
if (options > 1)
usage();
+ /*
+ * Discard setgid privileges if not the running kernel so that bad
+ * guys can't print interesting stuff from kernel memory.
+ */
+ if (core != NULL || kernel != NULL)
+ setgid(getgid());
+
switch (action) {
case CCD_CONFIG:
case CCD_UNCONFIG:
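Review bot: the return value of `setgid(getgid())` in the added block is ignored, so if the call fails the program carries on holding the kmem group privilege the comment says it has discarded; test it and bail, e.g. `if (setgid(getgid()) == -1) err(1, "setgid");` (or the fprintf/exit pair if err(3) is not used in this file). Calling setgid() rather than setegid() is the right choice, since on 4.4BSD-derived kernels it also resets the saved gid so the privilege cannot be reacquired later.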
Index: usr.sbin/slstats/slstats.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.sbin/slstats/slstats.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 slstats.c
--- slstats.c 1995/11/16 02:30:16 1.1.1.1
+++ slstats.c 1996/05/30 02:54:35
@@ -104,6 +104,13 @@
kflag++;
}
}
+ /*
+ * Discard setgid privileges if not the running kernel so that bad
+ * guys can't print interesting stuff from kernel memory.
+ */
+ if (system != _PATH_UNIX || kmemf != _PATH_KMEM)
+ setgid(getgid());
+
if (kopen(system, kmemf, "slstats") < 0)
exit(1);
if (knlist(system, nl, "slstats") < 0)
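Review bot: `system != _PATH_UNIX || kmemf != _PATH_KMEM` compares pointers, not strings, so it only detects the alternate-kernel case if the default assignment and this test share one string-literal object, which the C standard leaves to the compiler; a user-supplied copy of the default path trips it too (harmless, but it shows the test is not expressing what it means). Record in the option loop whether -N or -M was seen, the way `kflag` is bumped in the context above, and test that flag here; the setgid() return value also goes unchecked, as in the ccdconfig hunk.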
Index: usr.sbin/trpt/trpt.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.sbin/trpt/trpt.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 trpt.c
--- trpt.c 1995/11/16 02:30:22 1.1.1.1
+++ trpt.c 1996/05/30 02:56:37
@@ -163,6 +163,13 @@
else
system = _PATH_UNIX;
+ /*
+ * Discard setgid priviledges if not the running kernel so that bad
+ * guys can't print interesting stuff from kernel memory.
+ */
+ if (core != _PATH_KMEM || system != _PATH_UNIX)
+ setgid(getgid());
+
if (nlist(system, nl) < 0 || !nl[0].n_value) {
fprintf(stderr, "trpt: %s: no namelist\n", system);
exit(1);
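Review bot: the comment in the added block misspells "privileges" as "priviledges"; the other five hunks have it right. The condition relies on pointer identity with the `system = _PATH_UNIX;` default two lines above, which works only when the compiler merges the two `_PATH_UNIX` literals; a flag set at option-parsing time would be robust regardless of compiler, and the setgid() return should be checked as the following nlist() failure already is.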
Index: usr.sbin/trsp/trsp.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.sbin/trsp/trsp.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 trsp.c
--- trsp.c 1995/11/16 02:30:23 1.1.1.1
+++ trsp.c 1996/05/30 02:58:36
@@ -145,6 +145,12 @@
argc--, argv++;
mask++;
}
+ /*
+ * Discard setgid privileges if not the running kernel so that bad
+ * guys can't print interesting stuff from kernel memory.
+ */
+ if (system != _PATH_UNIX || core != _PATH_KMEM)
+ setgid(getgid());
(void) nlist(system, nl);
if (nl[0].n_value == 0) {
fprintf(stderr, "trsp: %s: no namelist\n", system);
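Review bot: unlike the other hunks, no blank line separates the new `setgid(getgid());` from the following `(void) nlist(system, nl);`, so the privilege drop reads as part of the nlist sequence; add the blank line for consistency. The same pointer-identity comparison as slstats and trpt applies here, and the setgid() result is again discarded even though the code two lines down already has an error exit it could share.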
Index: usr.bin/ipcs/ipcs.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.bin/ipcs/ipcs.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 ipcs.c
--- ipcs.c 1995/11/16 02:27:32 1.1.1.1
+++ ipcs.c 1996/05/30 03:11:56
@@ -181,6 +181,12 @@
default:
usage();
}
+ /*
+ * Discard setgid privileges if not the running kernel so that bad
+ * guys can't print interesting stuff from kernel memory.
+ */
+ if (namelist != NULL || core != NULL)
+ setgid(getgid());
if ((kd = kvm_open(namelist, core, NULL, O_RDONLY, "ipcs")) == NULL)
exit(1);
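Review bot: the `namelist != NULL || core != NULL` test is the sturdier of the two rules used in this PR, since any explicit namelist or core argument drops the privilege, including a user-supplied copy of the default path. The remaining gap is the unchecked setgid() return; the very next line already calls exit(1) when kvm_open() fails, so mirroring that for a failed setgid() keeps the file's style.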
Index: usr.bin/w/w.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.bin/w/w.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 w.c
--- w.c 1996/04/13 17:38:28 1.1.1.2
+++ w.c 1996/05/30 03:06:22
@@ -166,6 +166,13 @@
argc -= optind;
argv += optind;
+ /*
+ * Discard setgid privileges if not the running kernel so that bad
+ * guys can't print interesting stuff from kernel memory.
+ */
+ if (nlistf != NULL || memf != NULL)
+ setgid(getgid());
+
if ((kd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, errbuf)) == NULL)
errx(1, "%s", errbuf);
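Review bot: the NULL-based test is fine, but check the setgid() return with `errx(1, ...)` as the next line does for errbuf, otherwise a failed drop is silent. One consequence worth a sentence in the manual page: once the privilege is dropped, a memf argument that names /dev/kmem itself makes kvm_openfiles() fail with a permission error, so the running kernel can only be inspected by omitting the options, which is the intended trade-off.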
>Audit-Trail:
>Unformatted: