[patch] security problems in sunos syscall emulation

Kenneth Albanowski (nop@blue.netnation.com)
Thu, 8 Oct 1998 17:00:07 -0700 (PDT)


There seem to be a few problems in arch/sparc/kernel/sys_sunos.c. In
sunos_uname(), the address to write the results into was not checked with
verify_area(). This problem is not present in 2.0.36. Also,
sunos_nfs_mount() was called from sunos_mount() without checking the process's
capabilities, i.e., it appears that anyone could mount NFS filesystems.
This problem is also present in 2.0.36. The attached patch is against 2.1.125 (vger).

[Attachment: sys_sunos.diff]

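The two checks described in the message (validating a caller-supplied destination before writing to it, and checking privilege before a mount-style operation), as an added example that is not part of the original post or of the kernel source. It is a user-space C model: `model_verify_area`, `model_uname`, `model_mount`, the structure layout and the flat memory array are all hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: one flat "address space". Offsets below USER_TOP
 * belong to the caller; everything above stands in for kernel memory. */
#define MEM_SIZE 256u
#define USER_TOP 128u
static unsigned char mem[MEM_SIZE];

struct model_utsname { char sname[9], nname[9], rel[9], ver[9], mach[9]; };

/* Hypothetical stand-in for the range check: the WHOLE range
 * [addr, addr + len) must lie in user space. Written as a subtraction
 * so that addr + len can never wrap around. */
static int model_verify_area(size_t addr, size_t len)
{
    if (len > USER_TOP || addr > USER_TOP - len)
        return -EFAULT;
    return 0;
}

/* uname-style handler: validate the destination before any write. */
static int model_uname(size_t user_addr)
{
    struct model_utsname u;

    if (model_verify_area(user_addr, sizeof u))
        return -EFAULT;
    memset(&u, 0, sizeof u);
    strncpy(u.sname, "Linux", sizeof u.sname - 1);
    memcpy(&mem[user_addr], &u, sizeof u);
    return 0;
}

/* mount-style handler (assumed ordering): privilege check first,
 * then validation of the caller-supplied argument block. */
static int model_mount(int caller_is_admin, size_t args_addr, size_t args_len)
{
    if (!caller_is_admin)
        return -EPERM;
    if (model_verify_area(args_addr, args_len))
        return -EFAULT;
    return 0; /* the real mount work would start here */
}
```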