From owner-doc-jp-work@jp.FreeBSD.org Mon May  6 11:46:26 2002
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id g462kQ635322;
	Mon, 6 May 2002 11:46:26 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from smtp02.246.ne.jp (smtp02.246.ne.jp [210.253.192.36])
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with SMTP/inet id g462kOf35315
	for <doc-jp-work@jp.FreeBSD.org>; Mon, 6 May 2002 11:46:24 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: (qmail 9401 invoked by alias); 6 May 2002 11:46:24 +0900
Received: (qmail 9375 invoked from network); 6 May 2002 11:46:22 +0900
Received: from unknown (HELO localhost) (210.253.196.180)
  by tpne002 with SMTP; 6 May 2002 11:46:22 +0900
Date: Mon, 06 May 2002 11:46:21 +0900 (JST)
Message-Id: <20020506.114621.18306082.y-koga@jp.FreeBSD.org>
To: doc-jp-work@jp.FreeBSD.org
From: Koga Youichirou <y-koga@jp.FreeBSD.org>
In-Reply-To: <20020506.025406.123977084.hrs@eos.ocn.ne.jp>
References: <200204221801.g3MI1Z996493@freefall.freebsd.org>
	<20020506.025406.123977084.hrs@eos.ocn.ne.jp>
X-Mailer: Mew version 3.0.55 on Emacs 21.2 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+020417
X-Sequence: doc-jp-work 341
Subject: [doc-jp-work 341] Re: ANNOUNCE: FreeBSD Security Advisory
 FreeBSD-SA-02:23.stdio
Errors-To: owner-doc-jp-work@jp.FreeBSD.org
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: y-koga@jp.FreeBSD.org

Hiroki Sato <hrs@eos.ocn.ne.jp>:
>  It took me terribly long, but here they are:
>  02:18.re and 02:20, 21, 23.

Clap, clap, clap ★

>  $B!&(Brouting table $B$,CfESH>C<$J46$8$G$9!#(B
>    $BA4It%+%?%+%J$K$7$?J}$,NI$$$G$7$g$&$+(B?

Either all in katakana, or 「経路表」 ("routing table" in kanji), I'd say.

> FreeBSD-SA-02:20                                            Security Advisory
>                                                                 FreeBSD, Inc.
> 
> $B%H%T%C%/(B:	syncache/syncookies $B$K$*$1$k%5!<%S%9K832(B
>                 (syncache/syncookies denial of service)
- snip -
> Two related problems with syncache were triggered when syncookies were
> implemented.
> 
> syncookies $B$,<BAu$5$l$?;~!"(Bsyncache $B$K(B 2 $B<oN`$NLdBj$,H/@8$7$^$7$?!#(B

2 $B<oN`$N(B $B"*(B $BFs$D$N(B

> 1) When a SYN was accepted via a syncookie, it used an uninitialized
> pointer to find the TCP options for the new socket.  This pointer may
> be a null pointer, which will cause the machine to crash.
> 
> 1) syncookie $B7PM3$G(B SYN $B$r<uM}$7$?;~!"?75,%=%1%C%H$N(B TCP $B%*%W%7%g%s$r(B
> $BD4$Y$k$?$a$K;H$o$l$k%]%$%s%?$,=i4|2=$5$l$F$$$^$;$s!#$3$N%]%$%s%?$O(B
> $B%^%7%s%/%i%C%7%e$N860x$H$J$k!"(Bnull $B%]%$%s%?$G$"$k2DG=@-$,$"$j$^$9!#(B

$B<uM}$7$?(B $B"*(B $B<u$1<h$C$?(B
$B860x$H$J$k!"(B $B"*(B ($BFIE@:o=|(B)
$B$"$H!"(B(2) $B$G$O(B SYN $B"*(B SYN $B%Q%1%C%H(B $B$K$J$C$F$$$^$9!#(B
SYN $B%Q%1%C%H$K$9$k$J$i!"(BACK $B"*(B ACK $B%Q%1%C%H(B $B$G$9$M!#(B

> ($BLuCm(B: $B%+!<%M%kFbIt$G%=%1%C%H$N4IM}$K(B
> $B;HMQ$5$l$F$$$k(B Protocol Control Block, $B6qBNE*$K$O(B struct inpcb $B$N$3$H(B)

$B!V(B,$B!W"*!V!"!W(B

> Because syncache/syncookies support was added prior to the release of
> FreeBSD 4.5-RELEASE, no other releases are affected.
> 
> syncache $B$*$h$S(B syncookies $B5!G=$O(B FreeBSD 4.5-RELEASE $B$N8x3+$h$jA0$K(B
> $BDI2C$5$l$?$?$a!"B>$N%j%j!<%9$K$O1F6A$"$j$^$;$s!#(B

$B$^$"$=$&$J$s$G$9$1$I!"$3$&Lu$7$F$7$^$&$HJQ$G$9$h$M!#(B
$B8x3+$h$j(B $B"*(B $B8x3+$N(B
$B$H$9$k$H!">/$7$O$^$7$+$J!#(B

> IV.  $B2sHrJ}K!(B - Workaround
> 
> The first issue described may be worked around by disabling syncookies
> using sysctl.  Issue the following command as root:
> 
> [ja draft] The first issue described can be worked around by disabling syncookies
> using the sysctl variable (sysctl 変数). To do so, run the following command with root privileges.

$B$3$N(B sysctl $B$C$FJQ?t$G$O$J$/%3%^%s%I$G$9$h$M!#(B

> FreeBSD-SA-02:21.tcpip                                      Security Advisory
>                                                                 FreeBSD, Inc.
> 
> $B%H%T%C%/(B:	$B7PO)@)8f%F!<%V%k$K$*$1$k%a%b%j%j!<%/LdBj(B
>                 (routing table memory leak)
- snip -
> II.  $BLdBj$N>\:Y(B - Problem Description
> 
> A bug was introduced into ip_output() wherein the processing of an
> ICMP echo reply message would cause a reference count on a routing
> table entry to never be decremented.  Thus, memory allocated for the
> routing table entry was never deallocated.
> 
> ip_output() $B$K$*$$$F!"$"$k(B ICMP echo $B1~Ez%a%C%;!<%8$r=hM}$9$k:]!"(B
> $B7PO)@)8f%F!<%V%k$N;2>H%+%&%s%H$,A}2C$7$F$7$^$&%P%0$,4^$^$l$F$$$^$7$?!#(B
> $B$3$NA}2C$7$?;2>H%+%&%s%H$O@dBP$K8:>/$7$J$$$?$a!"$3$N%(%s%H%jMQ$K(B
> $B3NJ]$5$l$?%a%b%j$b2rJ|$5$l$^$;$s!#(B

ICMP echo reply $B$O!"8D?ME*$K$O$=$N$^$^$,$$$$$J$!(B ($B:#<j85$KE,Ev$J;29M=q(B
$B$,$J$$$N$G3NG'$G$-$J$$!D(B)$B!#(B

$B%a%b%j$b(B $B"*(B $B%a%b%j$O(B

> FreeBSD-SA-02:23.stdio                                      Security Advisory
>                                                           The FreeBSD Project
> 
> $B%H%T%C%/(B:	stdio $B%U%!%$%k5-=R;R$K$*$1$k%;%-%e%j%F%#E*$KITE,@Z$J=hM}LdBj(B
>                 (insecure handling of stdio file descriptors)
- snip -
> For example, if a
> newly exec'd process has file descriptors 0 and 1 open, but file
> descriptor 2 closed, and then opens a file, the new file descriptor is
> guaranteed to be 2 (standard error).
> 
> [ja draft] For example, if a newly exec'd process had file descriptors 0 and 1
> in the open (open) state and a file descriptor in the closed (close) state,
> then the new file descriptor is always 2 (standard error).

For example, in a newly exec'd process, if file descriptors 0 and 1 are
open (オープン) and file descriptor 2 is closed (クローズ), then when that process
opens a file, the new file descriptor is guaranteed to be 2 (standard
error).

Below, close → クローズ

> II.  $BLdBj$N>\:Y(B - Problem Description
- snip -
> If such a program is started with some of the
> stdio file descriptors closed, the program may open a file and
> inadvertently associate it with standard input, standard output, or
> standard error.
> [ja draft] If such a program is run in a state where some of the stdio file
> descriptors are closed (close), the program may open (open) a file using an
> unintended file descriptor such as standard input, standard output, or
> standard error.

…is run, then when that program opens (オープン) a file, that file may end up
unintentionally tied to standard input, standard output, or standard
error.

> The program may then read data from or write data to
> the file inappropriately.
> [ja draft] Also, the program may then read data from, or write data to, the
> file it opened (open) in that unintended way.

In that case, the program may inappropriately read data from that file or
write data to it.
----
Koga Youichirou
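The stdio advisory quoted above rests on the rule that open(2) returns the lowest unused descriptor, so a program started with fd 2 closed gets 2 back from its first open() and the new file silently becomes its standard error. The C program below is an added example, not part of this message or of the FreeBSD advisory: it reproduces that behaviour in a forked child and shows the usual hardening, which is to attach /dev/null to any closed stdio descriptor at startup before opening anything else. The helper names (ensure_stdio_open, demo_unprotected_fd, demo_protected_fd) are my own and not FreeBSD's.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Example code, not from the advisory or FreeBSD: demonstrates the
 * lowest-free-descriptor behaviour and a startup sanitisation for fds 0-2. */

/* A descriptor is open if fcntl() accepts it (it fails with EBADF otherwise). */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Hardening step (hypothetical helper name): make sure 0, 1 and 2 are all
 * open by attaching any closed one to /dev/null. Returns how many slots had
 * to be filled in, or -1 on error. Because open() hands out the lowest free
 * descriptor and every lower slot is already open when we reach fd k, the
 * new descriptor is k itself; dup2() is only a belt-and-braces fallback. */
int ensure_stdio_open(void)
{
    int fd, filled = 0;

    for (fd = 0; fd <= 2; fd++) {
        int nfd;

        if (fd_is_open(fd))
            continue;
        nfd = open("/dev/null", O_RDWR);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {
            if (dup2(nfd, fd) < 0)
                return -1;
            close(nfd);
        }
        filled++;
    }
    return filled;
}

/* Run fn() in a forked child and return its exit status (0-255) or -1.
 * A child is used so the demo can close stderr without touching the caller. */
static int run_in_child(int (*fn)(void))
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fn() & 0xff);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The advisory's scenario: stdin/stdout open, stderr closed, then open() a
 * file. The returned descriptor is 2, i.e. the file now *is* standard error. */
static int scenario_unprotected(void)
{
    if (ensure_stdio_open() < 0)        /* normalise so only fd 2 is closed */
        return 254;
    close(2);
    return open("/dev/null", O_WRONLY); /* returns 2 */
}

/* Same start state, but the program sanitises its stdio descriptors first,
 * so the later open() lands above 2 and cannot alias a standard stream. */
static int scenario_protected(void)
{
    if (ensure_stdio_open() < 0)
        return 254;
    close(2);
    if (ensure_stdio_open() != 1)       /* exactly one slot (fd 2) was refilled */
        return 253;
    return open("/dev/null", O_WRONLY); /* returns 3 or higher */
}

int demo_unprotected_fd(void) { return run_in_child(scenario_unprotected); }
int demo_protected_fd(void)   { return run_in_child(scenario_protected); }

int main(void)
{
    printf("without sanitisation, open() returned fd %d\n", demo_unprotected_fd());
    printf("with sanitisation,    open() returned fd %d\n", demo_protected_fd());
    return 0;
}
```

The sanitisation belongs at the very top of main() (or in the process-startup path, as the advisory's fix does for set-user-ID programs) because any open(), socket() or pipe() that runs before it can already have claimed a stdio slot.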
