NetBSD Super-H Port sigreturn() Input Validation Vulnerability
Published: 2001-05-30
Updated: 2001-06-06
Affected systems:
NetBSD NetBSD 1.5 sh3
NetBSD NetBSD 1.4.1 sh3
Description:
BUGTRAQ ID: 2810
CVE(CAN) ID: CAN-2001-0734
NetBSD on the sh3 platform contains a vulnerability: the kernel fails to properly check one of the arguments a user passes to a system call, and a local user can exploit this to execute arbitrary code with superuser privileges.
The problem is that the "sigreturn" system call and the "process_write_regs" kernel routine do not adequately validate the user-supplied contents of the "Status Register".
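To make the fix concrete, here is an added C model (not NetBSD or advisory code) of the sigreturn() Status Register comparison, run with both the psl.h rev 1.1 and rev 1.2 PSL_USERSTATIC masks; PSL_MBO and PSL_MBZ are the values from the patch, while the MD/RB/BL/IMASK bit positions are assumed from the SH-3 SR layout. Before the patch the check itself was compiled out under #ifdef TODO, so this shows what each mask rejects once the check is actually enabled.

```c
/* Model of the sh3 sigreturn() SR check with the old and new PSL_USERSTATIC
 * masks. Constructed example, not NetBSD code. PSL_MBO/PSL_MBZ come from the
 * psl.h hunk; the other bit positions are the SH-3 SR layout (assumed). */
#include <stdint.h>
#include <stdio.h>
#define PSL_MD     0x40000000u  /* processor mode, 1 = privileged */
#define PSL_RB     0x20000000u  /* register bank select */
#define PSL_BL     0x10000000u  /* block exceptions and interrupts */
#define PSL_IMASK  0x000000f0u  /* interrupt mask level */
#define PSL_MBO    0x00000000u  /* must be one bits */
#define PSL_MBZ    0x8ffffc0cu  /* must be zero bits */
/* psl.h rev 1.1 (vulnerable) and rev 1.2 (fixed). */
#define PSL_USERSTATIC_OLD (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK)
#define PSL_USERSTATIC_NEW (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK|PSL_MBO|PSL_MBZ)

/* The check the patch enables: the caller's SR is accepted only if no bit
 * in the static mask differs from the SR currently in the trapframe.
 * Returns 1 when accepted, 0 when sigreturn() would return EINVAL. */
static int ssr_accepted(uint32_t tf_ssr, uint32_t sc_ssr, uint32_t userstatic)
{
    return ((sc_ssr ^ tf_ssr) & userstatic) == 0;
}

int accepted_with_old_mask(uint32_t tf_ssr, uint32_t sc_ssr)
{
    return ssr_accepted(tf_ssr, sc_ssr, PSL_USERSTATIC_OLD);
}

int accepted_with_new_mask(uint32_t tf_ssr, uint32_t sc_ssr)
{
    return ssr_accepted(tf_ssr, sc_ssr, PSL_USERSTATIC_NEW);
}

/* Bits a user process may legitimately change through sigreturn(). */
uint32_t user_writable_sr_bits(void)
{
    return ~PSL_USERSTATIC_NEW;  /* 0x00000303: the M, Q, S and T flags */
}

int main(void)
{
    uint32_t tf_ssr = 0x00000000u;  /* typical user-mode SR: MD, RB, BL, IMASK all 0 */
    uint32_t probes[] = { 0x00000001u, 0x40000000u, 0x00000004u, 0x80000000u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("sc_ssr=0x%08x  old mask: %s  new mask: %s\n", probes[i],
               accepted_with_old_mask(tf_ssr, probes[i]) ? "accept" : "EINVAL",
               accepted_with_new_mask(tf_ssr, probes[i]) ? "accept" : "EINVAL");
    return 0;
}
```

Flipping the T flag (0x00000001) passes both masks, setting MD (0x40000000) fails both, but a must-be-zero bit such as 0x00000004 or 0x80000000 is only caught once PSL_MBZ is part of the mask.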
<*Source: Klaus Klein
NetBSD Security Advisory 2001-008
*>
Recommendations:
Users running NetBSD-current from before 2001/5/16 should upgrade to a version from after that date.
Users running NetBSD-release 1.5 from before 2001/5/27 should upgrade to a version from after that date.
NetBSD has also provided a patch:
Index: include/psl.h
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/sh3/include/psl.h,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
- --- include/psl.h 1999/09/13 10:31:21 1.1
+++ include/psl.h 2001/05/16 12:42:38 1.2
@@ -57,8 +57,8 @@
#define PSL_MBO 0x00000000 /* must be one bits */
#define PSL_MBZ 0x8ffffc0c /* must be zero bits */
- -#define PSL_USERSET 0
- -#define PSL_USERSTATIC (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK)
+#define PSL_USERSET 0
+#define PSL_USERSTATIC (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK|PSL_MBO|PSL_MBZ)
#ifdef _KERNEL
#include <machine/intr.h>
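Review bot: in the PSL_USERSTATIC change, adding PSL_MBZ is what actually closes the hole, since the must-be-zero bits 0x8ffffc0c were not part of the mask the sigreturn() comparison uses; PSL_MBO is defined as 0x00000000 a few lines above, so OR-ing it in is currently a no-op that only keeps the mask correct should must-be-one bits ever be defined. A one-line comment next to the definition saying that would save the next reader from wondering why a zero constant is included.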
Index: sh3/compat_13_machdep.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/sh3/sh3/compat_13_machdep.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
- --- sh3/compat_13_machdep.c 2000/12/22 22:58:55 1.2
+++ sh3/compat_13_machdep.c 2001/05/16 12:42:38 1.3
@@ -71,16 +71,9 @@
/* Restore register context. */
tf = p->p_md.md_regs;
- - /*
- - * Check for security violations. If we're returning to
- - * protected mode, the CPU will validate the segment registers
- - * automatically and generate a trap on violations. We handle
- - * the trap, rather than doing all of the checking here.
- - */
- -#ifdef TODO
+ /* Check for security violations. */
if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0)
return (EINVAL);
- -#endif
tf->tf_ssr = context.sc_ssr;
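Review bot: the removed comment about "protected mode" and "segment registers" is x86 wording that does not describe SH-3, which has no segment registers, so dropping it together with the #ifdef TODO is correct; the real defect was that the check was never compiled in. The comparison accepts context.sc_ssr whenever the static bits match the current tf->tf_ssr, so it relies on tf_ssr already holding a valid user-mode SR; a short comment stating that invariant above the check would make the reasoning explicit.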
Index: sh3/sh3_machdep.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/sh3/sh3/sh3_machdep.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
- --- sh3/sh3_machdep.c 2001/04/24 04:31:09 1.12
+++ sh3/sh3_machdep.c 2001/05/16 12:42:38 1.13
@@ -350,21 +350,13 @@
/* Restore signal context. */
tf = p->p_md.md_regs;
- - {
- - /*
- - * Check for security violations. If we're returning to
- - * protected mode, the CPU will validate the segment registers
- - * automatically and generate a trap on violations. We handle
- - * the trap, rather than doing all of the checking here.
- - */
- -#ifdef TODO
- - if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0) {
- - return (EINVAL);
- - }
- -#endif
- - tf->tf_ssr = context.sc_ssr;
- - }
+ /* Check for security violations. */
+ if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0)
+ return (EINVAL);
+
+ tf->tf_ssr = context.sc_ssr;
+
tf->tf_r0 = context.sc_r0;
tf->tf_r1 = context.sc_r1;
tf->tf_r2 = context.sc_r2;
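Review bot: the same three-line check now appears verbatim here and in compat_13_machdep.c; consider moving it into a small shared helper or a macro in psl.h so that a future change to the SR validation cannot be applied to one sigreturn variant and missed in the other, which is how the disabled #ifdef TODO copy went unnoticed in both files.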