Information provided by: | Security advisory (or tip) hotline: 51cto.editor@gmail.com |
Vulnerability category: | Input validation error |
Attack type: | Other |
Published: | 2003-08-20 |
Updated: | 2003-08-26 |
Affected systems: | OpenBSD OpenBSD 3.3 |
Unaffected systems: | None |
Reported by: | OpenBSD |
Description: | BUGTRAQ ID: 8464 OpenBSD is an open-source UNIX operating system. The semget() system call in OpenBSD does not sufficiently validate the arguments passed by the user; a local attacker can exploit this to exhaust memory resources and make the kernel unstable. Specifically, the OpenBSD semget() system call does not adequately check the user-supplied nsems value before allocating memory based on it, so an attacker can consume system memory and crash the kernel. No further vulnerability details are available at present. |
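The defect described above is a count-before-allocation problem: the kernel sized an allocation from a user-controlled `nsems` before confirming it was in range. The following userland model is an added example written for this page, not OpenBSD source code; the `seminfo` limits, `struct sem` layout and the `semtot` bookkeeping are constructed to mirror the names in the vendor patch and are assumptions, not the real kernel values. It shows the three range checks a caller-supplied count needs before it may drive an allocation, and why a signed count in particular must be rejected before it is multiplied into a `size_t`.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of one semaphore slot (assumption: layout is illustrative only). */
struct sem {
    int semval;
};

/* Constructed stand-in for the kernel's seminfo limits (assumption: values are illustrative).
 * semmsl: maximum semaphores per set; semmns: maximum semaphores system-wide. */
static struct {
    int semmsl;
    int semmns;
} seminfo = { .semmsl = 60, .semmns = 60 };

/* Number of semaphores currently allocated across all sets (mirrors the patch's semtot). */
int semtot = 0;

/* Validate a user-supplied nsems BEFORE any allocation is sized from it.
 * Returns 0 on success, or the errno the vendor patch returns for the same condition. */
int validate_nsems(int nsems)
{
    /* Reject zero, negative and over-large set sizes in one go. */
    if (nsems <= 0 || nsems > seminfo.semmsl)
        return EINVAL;
    /* Reject a request that would exceed the remaining system-wide pool. */
    if (nsems > seminfo.semmns - semtot)
        return ENOSPC;
    return 0;
}

/* Size the allocation the way an unchecked path would: a negative int converted to
 * size_t becomes a huge unsigned value, so the multiplication asks for an enormous block. */
size_t unchecked_alloc_size(int nsems)
{
    return (size_t)nsems * sizeof(struct sem);
}

/* Hardened creation path: validate first, allocate second, then account for the set. */
int create_set(int nsems, struct sem **out)
{
    int error = validate_nsems(nsems);
    if (error != 0)
        return error;

    /* calloc takes the count and element size separately and checks their product. */
    struct sem *base = calloc((size_t)nsems, sizeof(struct sem));
    if (base == NULL)
        return ENOMEM;

    semtot += nsems;
    *out = base;
    return 0;
}

/* Release a set created by create_set and return its slots to the pool. */
void release_set(int nsems, struct sem *base)
{
    free(base);
    semtot -= nsems;
}
```

The ordering is the whole point: `validate_nsems` consults `semtot` and the configured limits and only then does `create_set` touch the allocator, so a caller can no longer steer the size of a kernel-side allocation with an unchecked count.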
Test method: | None |
Solution: | Vendor patch: OpenBSD ------- Apply the following patch: Index: sys/kern/sysv_sem.c diff -u sys/kern/sysv_sem.c:1.16 sys/kern/sysv_sem.c:1.16.2.1 --- sys/kern/sysv_sem.c:1.16 Mon Jan 6 17:34:41 2003 +++ sys/kern/sysv_sem.c Wed Aug 20 14:16:41 2003 @@ -431,10 +431,20 @@ /* * Preallocate space for the new semaphore. If we are going - * to sleep, we want to sleep now to elliminate any race + * to sleep, we want to sleep now to eliminate any race * condition in allocating a semaphore with a specific key. */ if (key == IPC_PRIVATE || (semflg & IPC_CREAT)) { + if (nsems <= 0 || nsems > seminfo.semmsl) { + DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems, + seminfo.semmsl)); + return (EINVAL); + } + if (nsems > seminfo.semmns - semtot) { + DPRINTF(("not enough semaphores left (need %d, got %d)\n", + nsems, seminfo.semmns - semtot)); + return (ENOSPC); + } semaptr_new = pool_get(&sema_pool, PR_WAITOK); semaptr_new->sem_base = malloc(nsems * sizeof(struct sem), M_SEM, M_WAITOK); @@ -468,18 +478,6 @@ DPRINTF(("need to allocate the semid_ds\n")); if (key == IPC_PRIVATE || (semflg & IPC_CREAT)) { - if (nsems <= 0 || nsems > seminfo.semmsl) { - DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems, - seminfo.semmsl)); - error = EINVAL; - goto error; - } - if (nsems > seminfo.semmns - semtot) { - DPRINTF(("not enough semaphores left (need %d, got %d)\n", - nsems, seminfo.semmns - semtot)); - error = ENOSPC; - goto error; - } for (semid = 0; semid < seminfo.semmni; semid++) { if ((semaptr = sema[semid]) == NULL) break; |
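Review bot: the `seminfo.semmns - semtot` check in the first hunk now runs before the `PR_WAITOK` pool_get and `M_WAITOK` malloc, which the surrounding comment says may sleep, so `semtot` can grow while this thread sleeps and the set committed after waking may push the total past `semmns`; the second hunk removes the only post-wakeup check, so consider keeping a second `if (nsems > seminfo.semmns - semtot)` test at the point where the old check was removed (before the `for (semid = 0; ...)` loop), while still leaving the new early `EINVAL`/`ENOSPC` returns in place so that an out-of-range `nsems` never reaches `malloc(nsems * sizeof(struct sem), ...)`.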