Date: Tue, 26 Jul 2016 15:22:45 -0400 (EDT)
Subject: Re: CVE Request: Any User Can Panic Kernel Through Sysctl on OpenBSD


> Any user can panic the kernel by using the sysctl call. If a
> user can manage to map a page at address zero, they may be able
> to gain kernel code execution and escalate privileges (OpenBSD fortunately prevents this by default).
> Description:
> When processing sysctl calls, OpenBSD dispatches through a number
> of intermediate helper functions. For example, if the first integer
> in the path is 10, sys_sysctl() will call through vfs_sysctl() for
> further processing. vfs_sysctl() performs a table lookup based on
> the second byte, and if the byte is 19, it selects the tmpfs_vfsops
> table and dispatches further processing through the vfs_sysctl method:
>     if (name[0] != VFS_GENERIC) {
>         for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
>             if (vfsp->vfc_typenum == name[0])
>                 break;
>         if (vfsp == NULL)
>             return (EOPNOTSUPP);
>         return ((*vfsp->vfc_vfsops->vfs_sysctl)(&name[1], namelen - 1,
>             oldp, oldlenp, newp, newlen, p));
>     }
> Unfortunately, the definition for tmpfs_vfsops leaves this method NULL:

> struct vfsops tmpfs_vfsops = {
>     NULL,               /* vfs_sysctl */

> Trying to read or write a sysctl path starting with (10,19) results
> in a NULL pointer access and a panic of
> "attempt to execute user address 0x0 in supervisor mode".
> Since any user can perform a sysctl read, this issue can be abused
> by any logged in user to panic the system.
> Fortunately, OpenBSD intentionally prevents users from attempting to map a page
> at the NULL address. If an attacker is able to get such a mapping,
> they may be able to cause the kernel to jump to code mapped at this
> address (if other security protections such as SMAP/SMEP aren't in place).
> This would allow an attacker to gain kernel code execution and
> escalate their privileges.
> Reproduction:
> Run the PoC sysctl_tmpfs_panic.c program. It will access
> the (10,19,0) sysctl path and trigger a panic of
> "attempt to execute user address 0x0 in supervisor mode".
> NCC Group was able to reproduce this issue on OpenBSD 5.9 release
> running amd64.
> Recommendation:
> Include a NULL-pointer check in vfs_sysctl() before dispatching to
> the vfs_sysctl method. Alternately, include a vfs_sysctl method
> in the tmpfs_vfsops table.
> Fixed:

>     int name[] = { 10, 19, 0 }; // vfs.tmpfs.0
>     char buf[16];
>     size_t sz = sizeof buf;
>     int x;
>     x = sysctl(name, 3, buf, &sz, 0, 0);

Use CVE-2016-6350.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]
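A user-space model of the vfs_sysctl() dispatch quoted in the report, carrying the NULL-method check the recommendation asks for. This is an added example, not OpenBSD's kernel code: it drops the proc argument, assumes VFS_GENERIC is 0, and uses a constructed two-entry vfsconf chain (a filesystem with a method as type 1, tmpfs with a NULL method as type 19).

```c
/* Added, constructed model of the vfs_sysctl() dispatch quoted in the report;
 * not OpenBSD code.  Names mirror the kernel's, the proc argument is dropped. */
#include <errno.h>
#include <stddef.h>
#define VFS_GENERIC 0   /* assumed value for the model */

struct vfsops { int (*vfs_sysctl)(int *, unsigned, void *, size_t *); };
struct vfsconf { struct vfsops *vfc_vfsops; int vfc_typenum; struct vfsconf *vfc_next; };

/* A filesystem whose table does implement the method: it reports one int. */
static int ffs_sysctl(int *name, unsigned namelen, void *oldp, size_t *oldlenp)
{
    (void)name; (void)namelen;
    if (oldp == NULL || oldlenp == NULL || *oldlenp < sizeof(int))
        return ENOMEM;
    *(int *)oldp = 1; *oldlenp = sizeof(int);
    return 0;
}

static struct vfsops ffs_vfsops   = { ffs_sysctl };
static struct vfsops tmpfs_vfsops = { NULL };   /* the bug: method left NULL */

/* constructed vfsconf chain: typenum 1 -> ffs, typenum 19 -> tmpfs */
static struct vfsconf tmpfs_conf = { &tmpfs_vfsops, 19, NULL };
static struct vfsconf ffs_conf   = { &ffs_vfsops, 1, &tmpfs_conf };
static struct vfsconf *vfsconf   = &ffs_conf;

/* vfs_sysctl() with the NULL-method guard the report recommends: an entry
 * without a vfs_sysctl method gets EOPNOTSUPP instead of a NULL call. */
int vfs_sysctl_checked(int *name, unsigned namelen, void *oldp, size_t *oldlenp)
{
    struct vfsconf *vfsp;
    if (name[0] == VFS_GENERIC)
        return EOPNOTSUPP;          /* generic branch not modelled here */
    for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
        if (vfsp->vfc_typenum == name[0])
            break;
    if (vfsp == NULL || vfsp->vfc_vfsops->vfs_sysctl == NULL)
        return EOPNOTSUPP;          /* added check: no method, no indirect call */
    return (*vfsp->vfc_vfsops->vfs_sysctl)(&name[1], namelen - 1, oldp, oldlenp);
}

/* Query (typenum, 0), as the report's PoC queries (10, 19, 0); returns errno-style rc. */
int probe_type(int typenum)
{
    int name[] = { typenum, 0 }, out = 0;
    size_t sz = sizeof out;
    return vfs_sysctl_checked(name, 2, &out, &sz);
}
```

With the guard in place, probing the tmpfs type returns EOPNOTSUPP to the caller, which is the same outcome an unknown filesystem type already produced in the quoted code.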

