Re: Simple kernel attack using socketpair.

Fri, 26 Nov 2010 03:32:14 -0800 

I run it on 8.0 and CURRENT and got fatal double fault on both systems:

========================================================
Unread portion of the kernel message buffer:
kern.maxfiles limit exceeded by uid 1001, please see tuning(7).

Fatal double fault
rip = 0xffffffff80615f54
rsp = 0xffffff803c1fa000
rbp = 0xffffff803c1fa000
cpuid = 0; apic id = 00
panic: double fault
cpuid = 0
KDB: enter: panic
Uptime: 8d21h9m48s
Physical memory: 983 MB
Dumping 244 MB: 229 213 197 181 165 149 133 117 101 85 69 53 37 21 5

Reading symbols from /boot/modules/bwn_v4_lp_ucode.ko...done.
Loaded symbols for /boot/modules/bwn_v4_lp_ucode.ko
#0  0xffffffff805cc90a in kproc_shutdown (arg=0x0, howto=Variable
"howto" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:639
639             printf("Waiting (max %d seconds) for system process
`%s' to stop...",
(kgdb) bt
#0  0xffffffff805cc90a in kproc_shutdown (arg=0x0, howto=Variable
"howto" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:639
#1  0xffffffff805cce37 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:216
#2  0xffffffff805cd2c1 in panic (fmt=0x1 <Address 0x1 out of bounds>)
at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xffffffff808c7586 in user_ldt_free (td=0xffffff800021a300) at cpufunc.h:524
#4  0xffffffff808b24dd in Xtss () at /usr/src/sys/amd64/amd64/exception.S:151
#5  0xffffffff80615f54 in db_witness_list_all (addr=-2137114768,
have_addr=1, count=-2137114768, modif=0x1 <Address 0x1 out of bounds>)
    at /usr/src/sys/kern/subr_witness.c:2352
Previous frame inner to this frame (corrupt stack?)
========================================================


On Fri, Nov 26, 2010 at 1:49 PM, Ivan Klymenko <fi...@ukr.net> wrote:
> В Fri, 26 Nov 2010 12:26:39 +0200
> Ivan Klymenko <fi...@ukr.net> пишет:
>
>> Hello!
>> Rumor has it that this vulnerability applies to FreeBSD too, with the
>> replacement SOCK_SEQPACKET on SOCK_DGRAM...
> and add:
>
> #include <sys/mount.h>
> #include <sys/wait.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
>>
>> http://lkml.org/lkml/2010/11/25/8
>>
>> What do you think about this?
>>
>> Thank you!
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
>



-- 
Sincerely yours, Dmitry V. Krivenok
e-mail: krivenok.dmi...@gmail.com
skype: krivenok_dmitry
jabber: krivenok_dmi...@jabber.ru
icq: 242-526-443
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"

Reply via email to