[4216] in bugtraq
Re: buffer over in hp-ux 10.20 kernel
daemon@ATHENA.MIT.EDU (Security Alert)
Wed Mar 26 21:19:03 1997
Date: Wed, 26 Mar 1997 17:26:49 PST
Reply-To: Security Alert <secure@HPCUGSYA.CUP.HP.COM>
From: Security Alert <secure@HPCUGSYA.CUP.HP.COM>
To: BUGTRAQ@NETSPACE.ORG

On 24 March '97 Darren Reed <darrenr@CYBER.COM.AU> wrote:
>Subject: buffer over in hp-ux 10.20 kernel
>To: BUGTRAQ@NETSPACE.ORG
>
>This is from the latest HP bug reports (i.e. there is a patch)....does anyone
>know if this can be used to get root or crash the box ?
>
>Darren
>
>> Document ID: PHKL_10406
<snip>

This is to clarify and summarize
* which systems are affected.
* what the problem was that is corrected by our patch PHKL_1040[6,7]
* what the problem isn't

The only operating systems affected are HP-UX 10.24 and HP-UX 10.16.
This means the Virtual Vault Operating System (VVOS) on HP 9000 Series 7/800
and the Trusted Operating System (CMW) on the Series 700. This is _not_ the
same as the mainstream releases of HP-UX -- releases 10.01, 10.10, or 10.20.

Summarization of Problem Targeted by Patch PHKL_10406

Under certain conditions, the limit on the amount of audit data that
the kernel will gather from applications submitting audit records can
exceed the configured limit for a period of time.
The configured limit is a value, for example, 32K bytes, against which
applications are measured before they submit audit records. When the
limit is reached, applications will be suspended briefly by the kernel
until the system's audit daemon has extracted the audit records already
submitted by other applications and brought the amount of space audit
records under the configured limit.

Under periods of excessive load, the configured limit can be ignored
resulting in the amount of audit data held by the kernel for delivery
to the audit daemon to exceed the configured limit. The kernel does
*not* use a buffer to store data so there is not a chance of overflowing
a fixed-size memory area. Instead, memory is dynamically allocated for
each audit record. Thus, the result of exceeding the configured limit
is that more memory is used by the kernel for audit record storage --
this memory is eventually returned to the kernel as a side effect of
the audit daemon extracting the audit information.

The audit system in the affected releases is governed partially by
audit configuration parameters established by the system's administrative
staff. The programs that affect the audit configuration can only
be executed by authorized individuals. The audit configuration is stored
in each system's filesystem -- the files are protected both with
Discretionary Access Control (i.e., the permission/mode bits of a file)
and Mandatory Access Control (MAC). Together, these mechanisms are
sufficient to protect the information from being compromised.
--
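
Added example, not part of the original message and not HP's code: a minimal C model of the behaviour described above, where each audit record is its own allocation, a configured byte limit gates submission, and the audit daemon's drain returns the memory. All names are hypothetical, and the `enforce` flag is an assumed stand-in for the condition under which the limit is ignored, which the message does not describe.

```c
#include <stdlib.h>
#include <string.h>

/* Illustrative model only; names are hypothetical, not HP-UX kernel symbols. */
struct audit_rec { struct audit_rec *next; size_t len; unsigned char data[]; };
struct audit_queue {
    struct audit_rec *head, *tail;
    size_t held;   /* bytes awaiting the audit daemon */
    size_t limit;  /* configured limit, e.g. 32 * 1024 */
};

/* 0 = queued, 1 = caller must wait for a drain, -1 = out of memory.
 * enforce == 0 is an assumed stand-in for "the limit is ignored under load". */
int audit_submit(struct audit_queue *q, const void *buf, size_t len, int enforce)
{
    if (enforce && q->held >= q->limit)
        return 1;
    struct audit_rec *r = malloc(sizeof(*r) + len);  /* one allocation per record */
    if (r == NULL) return -1;
    r->next = NULL; r->len = len;
    memcpy(r->data, buf, len);
    if (q->tail) q->tail->next = r; else q->head = r;
    q->tail = r;
    q->held += len;
    return 0;
}

/* Audit daemon side: extract every record and give its memory back. */
size_t audit_drain(struct audit_queue *q)
{
    size_t n = 0;
    for (struct audit_rec *r; (r = q->head) != NULL; n++) {
        q->head = r->next;
        q->held -= r->len;
        free(r);
    }
    q->tail = NULL;
    return n;
}

/* Constructed load: submit n records of reclen (<= 256) bytes, return bytes held. */
size_t audit_load(struct audit_queue *q, size_t reclen, int n, int enforce)
{
    unsigned char rec[256] = {0};
    if (reclen > sizeof rec) reclen = sizeof rec;
    for (int i = 0; i < n; i++)
        audit_submit(q, rec, reclen, enforce);
    return q->held;
}
```

With the limit enforced, the bytes held stop at the limit; with it ignored, they grow past it, but every record still sits in its own correctly sized allocation and is freed by the drain.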