Subject: kern/13158: settime() fail to splx when securelevel is set
To: None <gnats-bugs@gnats.netbsd.org>
From: None <lha@stacken.kth.se>
List: netbsd-bugs
Date: 06/07/2001 08:40:08
>Number:         13158
>Category:       kern
>Synopsis:       settime() fail to splx when securelevel is set
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 10 15:18:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Love
>Release:        NetBSD-1.5V
>Organization:
	Stacken Computer Club
>Environment:
	
System: NetBSD nutcracker.dynarc.se 1.5V NetBSD 1.5V (NUTCRACKER) #20: Wed Jun 6 01:02:14 CEST 2001 root@nutcracker.dynarc.se:/usr/src/sys/arch/i386/compile/NUTCRACKER i386
Architecture: i386
Machine: i386
>Description:

	settime(): kern/kern_time.c contain the following code:

	<<<<
	s = splclock();
	timersub(tv, &time, &delta);
	if ((delta.tv_sec < 0 || delta.tv_usec < 0) && securelevel > 1)
		return (EPERM);
	[...]
	splx(s);
	resettodr();
	return (0);
	>>>>

	So if securelevel is set the interrupt priority is never
	lowered and the machine will wack it self on syscall exit (or
	somewere else)

	This is not a security hole since it done after a suser() check.

>How-To-Repeat:

	Read the code

>Fix:

	Obvious, don't forget the notyet:ed code.
>Release-Note:
>Audit-Trail:
>Unformatted: