[4191] in bugtraq
buffer over in hp-ux 10.20 kernel
daemon@ATHENA.MIT.EDU (Darren Reed)
Mon Mar 24 03:56:41 1997
Date: Mon, 24 Mar 1997 11:33:59 +1100
Reply-To: Darren Reed <darrenr@CYBER.COM.AU>
From: Darren Reed <darrenr@CYBER.COM.AU>
To: BUGTRAQ@NETSPACE.ORG
This is from the latest HP bug reports (i.e. there is a patch)... does anyone
know if this can be used to get root or crash the box?
Darren
> Document ID: PHKL_10406
> Date Loaded: 970320
> Title: s800 10.24 (VVOS) kernel audit buffer overflow
>
> Patch Name: PHKL_10406
>
> Patch Description: s800 10.24 (VVOS) kernel audit buffer overflow
>
> Creation Date: 97/03/13
>
> Post Date: 97/03/19
>
> Hardware Platforms - OS Releases:
> s800: 10.24
>
> Products: N/A
>
> Filesets:
> VirtualVaultOS.VVOS-KRN
>
> Automatic Reboot?: Yes
>
> Status: General Release
>
> Critical: No
>
> Path Name: /hp-ux_patches/s800/10.X/PHKL_10406
>
> Symptoms:
> PHKL_10406:
> The audit statistics available from auditcmd -c
> will show that the largest amount of audit buffer
> space used is greater than the configured limit.
>
> Defect Description:
> PHKL_10406:
> Under heavy system load with auditing enabled,
> the kernel buffer used to hold audit records queued
> for delivery to the audit daemon can contain more
> audit data than the configured size for the audit
> buffer.
>
> SR:
> 4701349381
>
> Patch Files:
> /usr/conf/lib/libsec.a(sec_audit.o)
> /usr/conf/lib/libsec.a(audit_dev.o)
>
> what(1) Output:
> /usr/conf/lib/libsec.a(audit_dev.o):
> kern/sec/audit_dev.c, sysaudit, vvos_davis, davis11
> $Date: 97/03/13 18:49:34 $ $Revision: 1.37 PATCH_10.24 (PHKL_10406) $
> /usr/conf/lib/libsec.a(sec_audit.o):
> kern/sec/sec_audit.c, sysaudit, vvos_davis, davis11
> $Date: 97/03/13 18:49:34 $ $Revision: 1.36 PATCH_10.24 (PHKL_10406) $
>
> cksum(1) Output:
> 3353318163 15680 /usr/conf/lib/libsec.a(audit_dev.o)
> 3404447330 19952 /usr/conf/lib/libsec.a(sec_audit.o)
>
> Patch Conflicts: None
>
> Patch Dependencies: None
>
> Hardware Dependencies: None
>
> Other Dependencies: None
>
> Supersedes: None
>
> Equivalent Patches:
> PHKL_10407:
> s700: 10.24
>
> Patch Package Size: 90 Kbytes
>
> Installation Instructions:
> Please review all instructions and the Hewlett-Packard
> SupportLine User Guide or your Hewlett-Packard support terms
> and conditions for precautions, scope of license,
> restrictions, and limitation of liability and warranties,
> before installing this patch.
> ------------------------------------------------------------
> 1. Back up your system before installing a patch.
>
> 2. Login as root.
>
> 3. Copy the patch to the /tmp directory.
>
> 4. Move to the /tmp directory and unshar the patch:
>
> cd /tmp
> sh PHKL_10406
>
> 5a. For a standalone system, run swinstall to install the
> patch:
>
> swinstall -x autoreboot=true -x match_target=true \
> -s /tmp/PHKL_10406.depot
>
> 5b. For a homogeneous NFS Diskless cluster run swcluster on the
> server to install the patch on the server and the clients:
>
> swcluster -i -b
>
> This will invoke swcluster in the interactive mode and
> force all clients to be shut down.
>
> WARNING: All cluster clients must be shut down prior to the
> patch installation. Installing the patch while the
> clients are booted is unsupported and can lead to
> serious problems.
>
> The swcluster command will invoke an swinstall session in which
> you must specify:
>
> alternate root path - default is /export/shared_root/OS_700
> source depot path - /tmp/PHKL_10406.depot
>
> To complete the installation, select the patch by choosing
> "Actions -> Match What Target Has" and then "Actions -> Install"
> from the Menubar.
>
> 5c. For a heterogeneous NFS Diskless cluster:
>
> - run swinstall on the server as in step 5a to install
> the patch on the cluster server.
>
> - run swcluster on the server as in step 5b to install
> the patch on the cluster clients.
>
> By default swinstall will archive the original software in
> /var/adm/sw/patch/PHKL_10406. If you do not wish to retain a
> copy of the original software, you can create an empty file
> named /var/adm/sw/patch/PATCH_NOSAVE.
>
> Warning: If this file exists when a patch is installed, the
> patch cannot be deinstalled. Please be careful
> when using this feature.
>
> It is recommended that you move the PHKL_10406.text file to
> /var/adm/sw/patch for future reference.
>
> To put this patch on a magnetic tape and install from the
> tape drive, use the command:
>
> dd if=/tmp/PHKL_10406.depot of=/dev/rmt/0m bs=2k
>
> Special Installation Instructions: None
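
An added example, not part of the original post or of HP's patch: a way to check extracted archive members against the "cksum(1) Output" lines quoted above, using a pure-Python POSIX cksum. It assumes the member bytes were obtained separately (for instance with ar p); the function names are hypothetical. cksum is a CRC, so a match shows the file is the expected build but is no defence against deliberate tampering.

```python
import re

def _crc_table():
    # CRC-32 table for the POSIX cksum polynomial 0x04C11DB7 (MSB first).
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ 0x04C11DB7) if c & 0x80000000 else (c << 1)
            c &= 0xFFFFFFFF
        table.append(c)
    return table

_T = _crc_table()

def posix_cksum(data: bytes):
    """Return (crc, size) exactly as cksum(1) prints them."""
    crc = 0
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _T[(crc >> 24) ^ b]
    n = len(data)
    while n:  # POSIX appends the length, least significant byte first
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _T[(crc >> 24) ^ (n & 0xFF)]
        n >>= 8
    return (~crc) & 0xFFFFFFFF, len(data)

# "CRC SIZE archive(member)", optionally behind a "> " quote marker.
_LINE = re.compile(r"^\s*(?:>\s*)?(\d+)\s+(\d+)\s+(\S+)\((\S+)\)\s*$")

def parse_cksum_lines(text: str):
    """Map (archive, member) -> (crc, size) from bulletin text."""
    expected = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            crc, size, archive, member = m.groups()
            expected[(archive, member)] = (int(crc), int(size))
    return expected

def matches(expected, key, member_bytes: bytes) -> bool:
    """True only if both CRC and size equal the bulletin's values."""
    return expected.get(key) == posix_cksum(member_bytes)

# The two lines as quoted in the bulletin above.
BULLETIN = """\
> 3353318163 15680 /usr/conf/lib/libsec.a(audit_dev.o)
> 3404447330 19952 /usr/conf/lib/libsec.a(sec_audit.o)
"""

if __name__ == "__main__":
    for key, value in parse_cksum_lines(BULLETIN).items():
        print(key, value)
```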