From owner-doc-jp-work@jp.FreeBSD.org Thu Jan  9 03:32:11 2003
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id h08IWBg07469;
	Thu, 9 Jan 2003 03:32:11 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from mail4.nec.com (dns4.nec.com [131.241.15.4])
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with ESMTP/inet id h08IW9J07464
	for <doc-jp-work@jp.FreeBSD.org>; Thu, 9 Jan 2003 03:32:10 +0900 (JST)
	(envelope-from hino@ccrl.sj.nec.com)
Received: from netkeeper.sj.nec.com (netkeeper.sj.nec.com [131.241.31.2])
	by mail4.nec.com (/) with ESMTP id h08IW2v29782
	for <doc-jp-work@jp.FreeBSD.org>; Wed, 8 Jan 2003 10:32:02 -0800 (PST)
Received: from renoir.ccrl.sj.nec.com (localhost [127.0.0.1])
	by netkeeper.sj.nec.com (8.9.1a/8.9.1) with ESMTP id KAA10300
	for <doc-jp-work@jp.FreeBSD.org>; Wed, 8 Jan 2003 10:31:36 -0800 (PST)
Received: from localhost (alfa.ccrl.sj.nec.com [131.241.79.205])
	by renoir.ccrl.sj.nec.com (8.9.3+Sun/8.9.3) with ESMTP id KAA26415
	for <doc-jp-work@jp.FreeBSD.org>; Wed, 8 Jan 2003 10:31:33 -0800 (PST)
Message-Id: <20030108.103133.104034783.hino@ccrl.sj.nec.com>
To: doc-jp-work@jp.FreeBSD.org
From: Koji Hino <hino@ccrl.sj.nec.com>
In-Reply-To: <20030109.012510.76994119.hrs@eos.ocn.ne.jp>
References: <200301071749.h07Hn85x058198@freefall.freebsd.org>
	<20030109.012510.76994119.hrs@eos.ocn.ne.jp>
Organization: Silicon Valley Office, NEC Laboratories America, Inc.
X-Mailer: Mew version 3.1 on Emacs 21.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Wed, 08 Jan 2003 10:31:33 -0800
X-Sequence: doc-jp-work 575
Subject: [doc-jp-work 575] Re: ANNOUNCE: FreeBSD Security Advisory
 FreeBSD-SA-02:44.filedesc
Errors-To: owner-doc-jp-work@jp.FreeBSD.org
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hino@ccrl.sj.nec.com
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+030107

From: Hiroki Sato <hrs@eos.ocn.ne.jp>
 Date: Thu, 09 Jan 2003 01:25:10 +0900
:> FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
:> =============================================================================
:> FreeBSD-SA-02:44.filedesc (2003-01-07)
:>  * file descriptor leak in fpathconf

Thank you for working on this so late into the night.

:> I.   $BGX7J(B - Background
:> 
:> The fpathconf system call provides a method for applications to
:> determine the current value of a configurable system limit or option
:> variable associated with a pathname or file descriptor.
:> 
:> fpathconf $B%7%9%F%`%3!<%k$O!"JQ992DG=$J%7%9%F%`@)8BCM$d(B
                               ~~~~$B!V@_Dj!W$N$[$&$,$7$C$/$j$/$k$h$&$J!D(B
                                    $BLu8lE}0l$7$F$^$7$?$C$1(B?
:> $B%*%W%7%g%sJQ?t$N8=:_$NCM$r!"%"%W%j%1!<%7%g%s$+$i%Q%9L>$d(B
:> $B%U%!%$%k5-=R;R$r;H$C$F;2>H$G$-$k$h$&$K$9$k$?$a$N$b$N$G$9!#(B

fpathconf $B%7%9%F%`%3!<%k$O!"%Q%9L>$d%U%!%$%k5-=R;R$KBP1~$9$k!"@_Dj2DG=(B
$B$J%7%9%F%`@)8BCM$d%*%W%7%g%sJQ?t$N8=:_$NCM$r!"%"%W%j%1!<%7%g%s$+$i;2>H(B
$B$G$-$k$h$&$K$9$k$?$a$N$b$N$G$9!#(B

$B$G$O$$$+$,!)(B

:> III. $B1F6AHO0O(B - Impact
:> 
:> A local attacker may cause the operating system to crash by repeatedly
:> calling fpathconf on a file descriptor until the reference count wraps
:> to a negative value, and then calling close on that file descriptor.
:> 
:> A local attacker, by repeatedly calling fpathconf on a single file
:> descriptor to wrap the reference count around (ラップアラウンド) to a
:> negative value and then calling close on that file descriptor, may be
:> able to crash the operating system.

「桁あふれ」 (overflow) seems like the better term here.

:> Similarly, it may be possible to cause a file descriptor to reference
:> unallocated kernel memory, but remain valid.  If a new file is later
:> opened and the kernel allocates the new file structure at the same
:> memory location, then an attacker may be able to gain read or write
:> access to that file.  This may in turn lead to privilege escalation.
:> 
:> Also, this may create a valid file descriptor that references
:> unallocated kernel memory. When a new file is opened after such a
:> descriptor has been created, the kernel allocates the new file
:> structure at the same memory location, so the attacker may be able to
:> gain read/write access to that file. This may become a source of
:> information for illicitly obtaining higher privileges.

if$B$O(Band$B$N8e$m$^$G$+$+$C$F$$$k$h$&$K;W$$$^$9!#$h$C$F!"(B

Also, this may create a valid file descriptor that references unallocated
kernel memory. If, after such a descriptor has been created, the kernel
happens to allocate the new file structure for the open of a new file at
that memory location, the attacker may be able to gain read/write access
to that file. This may become a source of information for illicitly
obtaining higher privileges.

How does that sound?

$BF|Ln(B
