Date: Thu, 14 Jul 2016 21:09:34 +0000
From: Jesse Hertz <Jesse.Hertz@...group.trust>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: #NA-Disclosure <na-disclosure@...group.trust>
Subject: Multiple Bugs in OpenBSD Kernel 

Hi All,

As part of NCC Group’s Project Triforce, a generic syscall fuzzing effort by
myself and Tim Newsham, several new vulnerabilities were discovered in the
OpenBSD kernel. These have all been fixed now.

Attached are source files for each issue that include a full writeup of the
issue, links to the patches, as well as a PoC to demonstrate the issue. We are
requesting CVEs for all but the last issue (which is root-only). The following
list contains a brief description of each issue, ordered from highest to lowest
severity.

mmap_panic: Malicious calls to mmap() can trigger an allocation panic or trigger memory corruption.
kevent_panic: Any user can panic the kernel with the kevent system call.
thrsleep_panic: Any user can panic the kernel with the __thrsleep system call.
thrsigdivert_panic: Any user can panic the kernel with the __thrsigdivert system call.
ufs_getdents_panic: Any user can panic the kernel with the getdents system call.
mount_panic: Root users, or users on systems with kern.usermount set to true, can trigger a kernel panic when mounting a tmpfs filesystem.
unmount_panic: Root users, or users on systems with kern.usermount set to true, can trigger a kernel panic when unmounting a filesystem.
tmpfs_mknod_panic: Root can panic kernel with mknod on a tmpfs filesystem.

Errata have been issued which cover some of these issues on http://www.openbsd.org/errata59.html and http://www.openbsd.org/errata58.html.

NCC Group would like to thank the OpenBSD development team for clear
communication and a quick turnaround on these issues.

Best,
-jh


