OpenBSD phunz² !
Hi,
Here is a new OpenBSD fun. This time it is not a new fucking NULL pointer dereference but a tiny kernel stack memory disclosure. It was found in getsockopt(IP_IPSEC_*_AUTH).
The code can be found in netinet/ip_output.c:
    u_int16_t opt16val;
    (...)
    ipr = NULL;
    (...)
    case IP_IPSEC_REMOTE_CRED:
        ipr = inp->inp_ipsec_remotecred;
        opt16val = IPSP_CRED_NONE;
        break;
    case IP_IPSEC_LOCAL_AUTH:
        if (inp->inp_ipo != NULL)
            ipr = inp->inp_ipo->ipo_local_auth;
        break;
    case IP_IPSEC_REMOTE_AUTH:
        ipr = inp->inp_ipsec_remoteauth;
        break;
    (...)
    if (ipr == NULL)
        *mtod(m, u_int16_t *) = opt16val;
As you can see, in the IP_IPSEC_LOCAL_AUTH and IP_IPSEC_REMOTE_AUTH cases no value is assigned to opt16val even though ipr can be NULL. When ipr is NULL, the uninitialized opt16val is copied out to userland and 2 bytes of the kernel stack are leaked. :-)
The fix is very simple: it just initializes opt16val in both cases.
@@ -1593,9 +1593,11 @@ ip_ctloutput(op, so, level, optname, mp)
case IP_IPSEC_LOCAL_AUTH:
if (inp->inp_ipo != NULL)
ipr = inp->inp_ipo->ipo_local_auth;
+ opt16val = IPSP_AUTH_NONE;
break;
case IP_IPSEC_REMOTE_AUTH:
ipr = inp->inp_ipsec_remoteauth;
+ opt16val = IPSP_AUTH_NONE;
break;
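Review bot: the two added `opt16val = IPSP_AUTH_NONE;` lines close the leak in the two cases that had no default, but the protection stays per-case: any future case that sets `ipr` without also assigning `opt16val` reintroduces the same disclosure at `if (ipr == NULL) *mtod(m, u_int16_t *) = opt16val;`. Consider also giving `opt16val` a value at the point where `ipr = NULL;` is set, so the copy-out can never read an unassigned slot regardless of which case ran; the per-case assignments then only override that default.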
Well, it's not a big issue, but it proves that OpenBSD is also affected by the same fucking issues found in the Linux kernel a few months ago...
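A userland model of the leaking copy-out path next to the patched one, added here as an example and not taken from the OpenBSD sources: the optname and IPSP_* values, the inpcb_model struct and the 0xBEEF stale value are placeholders, and the `stale` parameter stands in for whatever the uninitialized stack slot of opt16val happened to contain.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed placeholder values; the real optname and IPSP_* constants come from the OpenBSD headers. */
enum { IP_IPSEC_REMOTE_CRED = 1, IP_IPSEC_LOCAL_AUTH = 2, IP_IPSEC_REMOTE_AUTH = 3 };
enum { IPSP_CRED_NONE = 0, IPSP_AUTH_NONE = 0 };
/* Hypothetical stand-in for the inpcb fields the switch reads. */
struct ipsec_ref { int unused; };
struct inpcb_model {
    struct ipsec_ref *remotecred;   /* inp->inp_ipsec_remotecred */
    struct ipsec_ref *local_auth;   /* inp->inp_ipo->ipo_local_auth */
    struct ipsec_ref *remoteauth;   /* inp->inp_ipsec_remoteauth */
};

/* Model of ip_ctloutput's copy-out path. `stale` is whatever the stack slot of
 * opt16val held before the call (leftover kernel data in the real bug); `fixed`
 * selects the patched switch. Returns the 16-bit value userland receives. */
static uint16_t getopt_model(const struct inpcb_model *inp, int optname,
                             int fixed, uint16_t stale)
{
    struct ipsec_ref *ipr = NULL;
    uint16_t opt16val = stale;      /* models the uninitialized local */

    switch (optname) {
    case IP_IPSEC_REMOTE_CRED:
        ipr = inp->remotecred;
        opt16val = IPSP_CRED_NONE;  /* this case was always initialized */
        break;
    case IP_IPSEC_LOCAL_AUTH:
        ipr = inp->local_auth;
        if (fixed) opt16val = IPSP_AUTH_NONE;
        break;
    case IP_IPSEC_REMOTE_AUTH:
        ipr = inp->remoteauth;
        if (fixed) opt16val = IPSP_AUTH_NONE;
        break;
    default:
        return 0;
    }
    if (ipr == NULL)                /* the *mtod(m, u_int16_t *) = opt16val step */
        return opt16val;            /* unpatched: stale stack bytes go to the caller */
    return 1;                       /* ref present: the real code copies the ref instead */
}

/* What a caller sees with no auth ref set; 0xBEEF is constructed stale stack data. */
uint16_t leaked_value(int optname, int fixed)
{
    struct inpcb_model inp = { NULL, NULL, NULL };
    return getopt_model(&inp, optname, fixed, 0xBEEF);
}
```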