发布日期:2003-08-20
更新日期:2003-08-26
受影响系统:
OpenBSD OpenBSD 3.3
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 8464
OpenBSD是一款开放源代码的Unix操作系统。
OpenBSD包含的semget()系统调用不充分过滤用户传递的参数,本地攻击者可以利用这个漏洞使内存资源耗竭,内核变的不稳定。
OpenBSD semget()系统调用在分配内存前没有充分检查用户提供的nsems值作为参数的数据,结果可导致攻击者消耗系统内存,造成内核崩溃。目前没有详细漏洞细节提供。
<*来源:OpenBSD
链接
http://www.openbsd.org/errata.html
*>
建议:
--------------------------------------------------------------------------------
厂商补丁:
OpenBSD
-------
采用如下补丁程序:
Index: sys/kern/sysv_sem.c
diff -u sys/kern/sysv_sem.c:1.16 sys/kern/sysv_sem.c:1.16.2.1
--- sys/kern/sysv_sem.c:1.16 Mon Jan 6 17:34:41 2003
+++ sys/kern/sysv_sem.c Wed Aug 20 14:16:41 2003
@@ -431,10 +431,20 @@
/*
* Preallocate space for the new semaphore. If we are going
- * to sleep, we want to sleep now to elliminate any race
+ * to sleep, we want to sleep now to eliminate any race
* condition in allocating a semaphore with a specific key.
*/
if (key == IPC_PRIVATE (semflg & IPC_CREAT)) {
+ if (nsems <= 0 nsems > seminfo.semmsl) {
+ DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
+ seminfo.semmsl));
+ return (EINVAL);
+ }
+ if (nsems > seminfo.semmns - semtot) {
+ DPRINTF(("not enough semaphores left (need %d, got %d)\n",
+ nsems, seminfo.semmns - semtot));
+ return (ENOSPC);
+ }
semaptr_new = pool_get(&sema_pool, PR_WAITOK);
