Security Vulnerability
OpenBSD semget() Local Memory Exhaustion Kernel Crash Vulnerability

Published: 2003-08-20
Updated: 2003-08-26

Affected systems:
OpenBSD 3.3
Description:
BUGTRAQ ID: 8464

OpenBSD is an open-source UNIX operating system.

The semget() system call in OpenBSD does not adequately validate a user-supplied argument. A local attacker can exploit this to exhaust memory resources and leave the kernel in an unstable state.

The OpenBSD semget() system call does not sufficiently check the user-supplied nsems argument before allocating memory based on it, so an attacker can consume system memory and crash the kernel. No further vulnerability details are currently available.

Source: OpenBSD

Link: http://www.openbsd.org/errata33.html#semget

Recommendation:
Vendor patch:

OpenBSD
-------
Apply the following patch:

Index: sys/kern/sysv_sem.c
diff -u sys/kern/sysv_sem.c:1.16 sys/kern/sysv_sem.c:1.16.2.1
--- sys/kern/sysv_sem.c:1.16    Mon Jan  6 17:34:41 2003
+++ sys/kern/sysv_sem.c    Wed Aug 20 14:16:41 2003
@@ -431,10 +431,20 @@

    /*
     * Preallocate space for the new semaphore.  If we are going
-     * to sleep, we want to sleep now to elliminate any race
+     * to sleep, we want to sleep now to eliminate any race
     * condition in allocating a semaphore with a specific key.
     */
    if (key == IPC_PRIVATE || (semflg & IPC_CREAT)) {
+        if (nsems <= 0 || nsems > seminfo.semmsl) {
+            DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
+                seminfo.semmsl));
+            return (EINVAL);
+        }
+        if (nsems > seminfo.semmns - semtot) {
+            DPRINTF(("not enough semaphores left (need %d, got %d)\n",
+                nsems, seminfo.semmns - semtot));
+            return (ENOSPC);
+        }
        semaptr_new = pool_get(&sema_pool, PR_WAITOK);
        semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
            M_SEM, M_WAITOK);
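Review bot: the direct `return (EINVAL);` and `return (ENOSPC);` in the new block are correct only because they precede `pool_get(&sema_pool, PR_WAITOK)` and the `malloc()` call, so nothing has been acquired yet and no cleanup is needed; a comment saying these range checks must stay ahead of the allocations would keep a later refactor from reordering them. With `nsems` bounded by `seminfo.semmsl` before `malloc(nsems * sizeof(struct sem), ...)`, semmsl becomes the effective upper bound on that allocation, which is the fix for the memory exhaustion described above.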
@@ -468,18 +478,6 @@

    DPRINTF(("need to allocate the semid_ds\n"));
    if (key == IPC_PRIVATE || (semflg & IPC_CREAT)) {
-        if (nsems <= 0 || nsems > seminfo.semmsl) {
-            DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
-                seminfo.semmsl));
-            error = EINVAL;
-            goto error;
-        }
-        if (nsems > seminfo.semmns - semtot) {
-            DPRINTF(("not enough semaphores left (need %d, got %d)\n",
-                nsems, seminfo.semmns - semtot));
-            error = ENOSPC;
-            goto error;
-        }
        for (semid = 0; semid < seminfo.semmni; semid++) {
            if ((semaptr = sema[semid]) == NULL)
                break;
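Review bot: removing the `nsems > seminfo.semmns - semtot` check here means the semaphore-count budget is only validated in the earlier block, before `pool_get()`/`malloc()` with `PR_WAITOK`/`M_WAITOK`, both of which may sleep; if another creator runs during that sleep, `semtot` can grow and this call can exceed semmns without being rejected. Either re-check `semtot` after the allocations (releasing the preallocated memory on failure) or document that a small over-commit of semmns is acceptable. Also confirm the `error:` label and `error` variable are still referenced by remaining code in this function now that these `goto error` sites are gone.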

This vulnerability report was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; do not reproduce without permission.