netbsd.symlink-DoS.txt

1999-08-17T00:00:00
ID PACKETSTORM:12047
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Tue, 13 Apr 1999 13:09:53 +1000  
From: matthew green <mrg@ETERNA.COM.AU>  
To: BUGTRAQ@netspace.org  
Subject: NetBSD Security Advisory 1999-008  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
NetBSD Security Advisory 1999-008  
=================================  
  
Topic: Kernel hang or panic in name lookup under certain circumstances  
Version: NetBSD 1.3.X, NetBSD-current to 19990409, and  
early versions of NetBSD-1.4_ALPHA  
Severity: In later versions of -current and in 1.4_ALPHA, unprivileged  
users can panic the system.  
  
  
Abstract  
========  
  
Unprivileged users can trigger a file-system locking error, causing the  
system to panic or hang. The following command sequence will trigger  
the vulnerability:  
  
% ln -s ./ test  
% ln -s ./ test  
  
  
Technical Details  
=================  
  
Certain kernel operations, such as creating a symbolic link, request that  
the namei() path name resolution routine not unlock the node of the  
directory containing the found file, instead returning it to the caller  
locked.  
  
When the found file is a symbolic link, this parent must be unlocked  
before the symbolic link is looked up. This problem results from the test  
to unlock the parent differing from the test to lock the parent. The  
difference only manifests itself in the case of a path name which ends  
with a symbolic link ending with one or more "/" characters.  
  
NetBSD 1.3.3 and prior hang when this bug is exercised. NetBSD-current  
was enhanced to notice locking problems and thus panics instead of  
hanging.  
  
  
Solutions and Workarounds  
=========================  
  
There are no workarounds for this problem. A patched kernel must be  
installed to fix this problem.  
  
A patch is available for NetBSD 1.3.3 which fixes this problem. You  
may find this patch on the NetBSD ftp server:  
  
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990412-vfs_lookup  
  
NetBSD-current since 19990409 is not vulnerable. Users of NetBSD-current  
should upgrade to a source tree later than 19990409.  
  
  
Thanks To  
=========  
  
The NetBSD Project would like to thank Antti Kantee <pooka@iki.fi> and  
Matthew Orgass <darkstar@pgh.net> for providing information about this  
problem, and William Studenmund <wrstuden@netbsd.org> for providing a  
solution.  
  
  
Revision History  
================  
  
1999/04/12 - initial version  
  
  
More Information  
================  
  
Information about NetBSD and NetBSD security can be found at  
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.  
  
  
Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved.  
  
$NetBSD: NetBSD-SA1999-008.txt,v 1.3 1999/04/12 18:58:18 mrg Exp $  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3ia  
Charset: noconv  
  
iQCVAwUBNxJEUz5Ru2/4N2IFAQGjOwP/TQe7ydvPf2nMAVMoKGC9phVRylXEBF4Y  
uRarfRXHtnQXAX5HRk9CDhjrEOSk+qAqLoRS81XCsRA4wRKDRUsPpmWd8NiW5v3W  
WHrE3Iww4hn2SHGmuqtDVlb5uNRwZsq8xflL6O07xrxbTgmhYd9nSOvOKALlJw7M  
PMXTR62g7SI=  
=FAOF  
-----END PGP SIGNATURE-----  
  
`