Monday, December 14, 2009

OpenBSD phunz² !

Hi,

Here is some new OpenBSD fun. This time it is not a new fucking NULL pointer dereference but a tiny kernel stack memory disclosure. It was found in getsockopt(IP_IPSEC_*_AUTH).

The code can be found in netinet/ip_output.c:


    u_int16_t opt16val;
    (...)
    ipr = NULL;
    (...)
    case IP_IPSEC_REMOTE_CRED:
        ipr = inp->inp_ipsec_remotecred;
        opt16val = IPSP_CRED_NONE;
        break;
    case IP_IPSEC_LOCAL_AUTH:
        if (inp->inp_ipo != NULL)
            ipr = inp->inp_ipo->ipo_local_auth;
        break;
    case IP_IPSEC_REMOTE_AUTH:
        ipr = inp->inp_ipsec_remoteauth;
        break;
    (...)
    if (ipr == NULL)
        *mtod(m, u_int16_t *) = opt16val;

As you can see, in the IP_IPSEC_LOCAL_AUTH and IP_IPSEC_REMOTE_AUTH cases no value is assigned to opt16val even though ipr can be NULL. When ipr is NULL, the uninitialized opt16val is copied out to userland and 2 bytes of kernel stack are leaked. :-)

The fix is very simple: it just initializes opt16val in both cases.
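As an added illustration (not code from the post or from the OpenBSD tree): a user-space C model of the switch above, with the leaky form beside a hardened one. The X_-prefixed constants, the explicit `stale` parameter and the 0xBEEF canary are constructed stand-ins, because reading a genuinely uninitialized variable is undefined behaviour and could not be asserted on.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for IPSP_CRED_NONE / IPSP_AUTH_NONE and the optnames. */
enum { X_IPSP_CRED_NONE = 0x0001, X_IPSP_AUTH_NONE = 0x0002 };
enum { X_IP_IPSEC_REMOTE_CRED = 1, X_IP_IPSEC_LOCAL_AUTH, X_IP_IPSEC_REMOTE_AUTH,
       X_OPT_COUNT };
/* `stale` models what an earlier call left in opt16val's stack slot (a real
 * uninitialized read is undefined behaviour, so the model passes it in).
 * Returns 1 if a 16-bit word goes to *out (the ipr == NULL path), 0 if the
 * credential object would be copied instead (not modelled here). */
static int ctloutput_vulnerable(int optname, const void *ipr,
                                uint16_t stale, uint16_t *out)
{
    uint16_t opt16val = stale;                /* i.e. left uninitialized */
    switch (optname) {
    case X_IP_IPSEC_REMOTE_CRED: opt16val = X_IPSP_CRED_NONE; break;
    case X_IP_IPSEC_LOCAL_AUTH:               /* no assignment on these paths */
    case X_IP_IPSEC_REMOTE_AUTH: break;
    }
    if (ipr != NULL) return 0;
    *out = opt16val;                          /* *mtod(m, u_int16_t *) = opt16val; */
    return 1;
}
/* Hardened form: sentinel on every path, and initialized at the declaration
 * so that a future case label cannot reopen the leak. */
static int ctloutput_fixed(int optname, const void *ipr,
                           uint16_t stale, uint16_t *out)
{
    uint16_t opt16val = 0;
    (void)stale;                              /* stack contents no longer matter */
    switch (optname) {
    case X_IP_IPSEC_REMOTE_CRED: opt16val = X_IPSP_CRED_NONE; break;
    case X_IP_IPSEC_LOCAL_AUTH:
    case X_IP_IPSEC_REMOTE_AUTH: opt16val = X_IPSP_AUTH_NONE; break;
    }
    if (ipr != NULL) return 0;
    *out = opt16val;
    return 1;
}
/* Sweeps every optname with ipr == NULL and counts the paths on which the
 * constructed canary 0xBEEF (the stale stack word) reaches userland. */
static int count_leaky_paths(int (*fn)(int, const void *, uint16_t, uint16_t *))
{
    int leaks = 0;
    for (int opt = 1; opt < X_OPT_COUNT; opt++) {
        uint16_t out = 0;
        if (fn(opt, NULL, 0xBEEF, &out) && out == 0xBEEF) leaks++;
    }
    return leaks;
}
```

count_leaky_paths() reports 2 leaky paths for the vulnerable model and 0 for the fixed one; the same sweep idea (drive every case with a canary in the slot) is what a unit test for such a getsockopt handler would do.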

@@ -1593,9 +1593,11 @@ ip_ctloutput(op, so, level, optname, mp)
case IP_IPSEC_LOCAL_AUTH:
if (inp->inp_ipo != NULL)
ipr = inp->inp_ipo->ipo_local_auth;
+ opt16val = IPSP_AUTH_NONE;
break;
case IP_IPSEC_REMOTE_AUTH:
ipr = inp->inp_ipsec_remoteauth;
+ opt16val = IPSP_AUTH_NONE;
break;
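Review bot: Setting `opt16val = IPSP_AUTH_NONE;` after the conditional `ipr = inp->inp_ipo->ipo_local_auth;` in the IP_IPSEC_LOCAL_AUTH case is correct, since the value is only consumed when ipr stays NULL, but a sturdier fix would also initialize opt16val where it is declared (`u_int16_t opt16val = 0;` or a documented sentinel) so that any future case label that forgets to assign it cannot reintroduce the stack disclosure; the per-case assignments can stay to preserve the IPSP_CRED_NONE versus IPSP_AUTH_NONE distinction.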

Well, it's not a big issue, but it proves that OpenBSD is also affected by the same fucking issues found in the Linux kernel a few months ago...
