From owner-doc-jp-work@jp.FreeBSD.org Thu Jan  9 12:49:06 2003
Message-Id: <20030109.124856.115493440.y-koga@jp.FreeBSD.org>
To: doc-jp-work@jp.FreeBSD.org
From: Koga Youichirou <y-koga@jp.FreeBSD.org>
In-Reply-To: <20030109.012510.76994119.hrs@eos.ocn.ne.jp>
	<20030108.103133.104034783.hino@ccrl.sj.nec.com>
References: <200301071749.h07Hn85x058198@freefall.freebsd.org>
	<20030109.012510.76994119.hrs@eos.ocn.ne.jp>
X-Mailer: Mew version 3.1.50 on Emacs 21.2 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Thu, 09 Jan 2003 12:48:56 +0900
X-Sequence: doc-jp-work 576
Subject: [doc-jp-work 576] Re: ANNOUNCE: FreeBSD Security Advisory
 FreeBSD-SA-02:44.filedesc
Errors-To: owner-doc-jp-work@jp.FreeBSD.org
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: y-koga@jp.FreeBSD.org
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+030107

Hiroki Sato <hrs@eos.ocn.ne.jp>:
>  This is 02:44. The background may be a little hard to follow.

Clap, clap, clap ☆

> FreeBSD Security Advisory, Japanese edition
> =============================================================================
> FreeBSD-SA-02:44.filedesc (2003-01-07)
>  * file descriptor leak in fpathconf
> =============================================================================
- snip -
> I.   $BGX7J(B - Background
> 
> The fpathconf system call provides a method for applications to
> determine the current value of a configurable system limit or option
> variable associated with a pathname or file descriptor.
> 
> fpathconf $B%7%9%F%`%3!<%k$O!"JQ992DG=$J%7%9%F%`@)8BCM$d(B
> $B%*%W%7%g%sJQ?t$N8=:_$NCM$r!"%"%W%j%1!<%7%g%s$+$i%Q%9L>$d(B
> $B%U%!%$%k5-=R;R$r;H$C$F;2>H$G$-$k$h$&$K$9$k$?$a$N$b$N$G$9!#(B

$B86J8$O%^%K%e%"%k$+$i0z$CD%$C$F$$$k$+$i$3$&$J$C$F$$$^$9$,!"(Bfpathconf
$B$O%Q%9L>$r$H$j$^$;$s!#%Q%9L>$r$H$k$N$O(B pathconf() $B$G$9!#(B

> III. $B1F6AHO0O(B - Impact
> 
> A local attacker may cause the operating system to crash by repeatedly
> calling fpathconf on a file descriptor until the reference count wraps
> to a negative value, and then calling close on that file descriptor.
> 
> A local attacker may be able to crash the operating system by
> repeatedly calling fpathconf on a single file descriptor so that the
> reference count wraps around to a negative value, and then calling
> close on that file descriptor.

Koji Hino <hino@ccrl.sj.nec.com>:
> $B!V7e$"$U$l!W$N$[$&$,NI$$$h$&$J!#(B

$B!V7e$"$U$l$5$;$k$3$H$GIi$NCM$K$7!"!D!W(B
$B$+$J!#(B

> IV.  $B2sHrJ}K!(B - Workaround
> 
> There is no workaround.
> $B2sHrJ}K!$OH=L@$7$F$$$^$;$s!#(B

$B!V$"$j$^$;$s!W$@$H;W$$$^$9!#(B
----
$B$3$,$h$&$$$A$m$&(B
