Subject: kern/13158: settime() fail to splx when securelevel is set
To: None <gnats-bugs@gnats.netbsd.org>
From: None <lha@stacken.kth.se>
List: netbsd-bugs
Date: 06/07/2001 08:40:08
>Number: 13158
>Category: kern
>Synopsis: settime() fail to splx when securelevel is set
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 10 15:18:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Love
>Release: NetBSD-1.5V
>Organization:
Stacken Computer Club
>Environment:
System: NetBSD nutcracker.dynarc.se 1.5V NetBSD 1.5V (NUTCRACKER) #20: Wed Jun 6 01:02:14 CEST 2001 root@nutcracker.dynarc.se:/usr/src/sys/arch/i386/compile/NUTCRACKER i386
Architecture: i386
Machine: i386
>Description:
settime(): kern/kern_time.c contain the following code:
<<<<
s = splclock();
timersub(tv, &time, &delta);
if ((delta.tv_sec < 0 || delta.tv_usec < 0) && securelevel > 1)
return (EPERM);
[...]
splx(s);
resettodr();
return (0);
>>>>
So if securelevel is set the interrupt priority is never
lowered and the machine will wack it self on syscall exit (or
somewere else)
This is not a security hole since it done after a suser() check.
>How-To-Repeat:
Read the code
>Fix:
Obvious, don't forget the notyet:ed code.
>Release-Note:
>Audit-Trail:
>Unformatted: