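Vulnerability Details
NetBSD Super-H Port sigreturn() Input Validation Vulnerability
Vulnerability Summary
CVE(CAN) ID: CAN-2001-0734
NetBSD on the sh3 platform contains a vulnerability: it does not properly check a user-supplied system call argument, and a local user can exploit this to execute arbitrary code with superuser privileges. The problem is that the "sigreturn" system call and the "process_write_regs" kernel subroutine do not properly check the user-supplied "Status Register" contents.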
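As an added illustration (not NetBSD's code), this C model shows the Status Register check that the summary says was missing, with the mask before and after the psl.h change in the patch on this page. The values of PSL_MD, PSL_RB, PSL_BL and PSL_IMASK are assumed from the SuperH SR layout, `ssr_ok` and `sr_after_restore` are hypothetical helpers, and a mask of 0 models the absent check.

```c
#include <stdint.h>
#include <stdio.h>

/* SH-3 status register (SR) bits. PSL_MBO/PSL_MBZ are the values in the
 * patch on this page; the other four are assumed from the SuperH SR layout. */
#define PSL_MD     0x40000000u  /* processor mode, 1 = privileged */
#define PSL_RB     0x20000000u  /* register bank */
#define PSL_BL     0x10000000u  /* block exceptions and interrupts */
#define PSL_IMASK  0x000000f0u  /* interrupt mask level */
#define PSL_MBO    0x00000000u  /* must-be-one bits */
#define PSL_MBZ    0x8ffffc0cu  /* must-be-zero bits */

#define MASK_NONE  0u  /* models the missing check: nothing is protected */
#define MASK_R1_1  (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK)                  /* psl.h 1.1 */
#define MASK_R1_2  (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK|PSL_MBO|PSL_MBZ)  /* psl.h 1.2 */

/* Hypothetical helper: 1 if the user-supplied SR (sc_ssr) leaves every bit
 * in mask equal to the SR saved in the trap frame (tf_ssr), else 0. */
int ssr_ok(uint32_t tf_ssr, uint32_t sc_ssr, uint32_t mask)
{
    return ((sc_ssr ^ tf_ssr) & mask) == 0;
}

/* Hypothetical helper: SR the process resumes with. A rejected request
 * (EINVAL in the kernel) leaves the trap-frame value unchanged. */
uint32_t sr_after_restore(uint32_t tf_ssr, uint32_t sc_ssr, uint32_t mask)
{
    return ssr_ok(tf_ssr, sc_ssr, mask) ? sc_ssr : tf_ssr;
}

int main(void)
{
    /* Constructed sample requests against a user-mode SR of 0. */
    const uint32_t user_sr = 0x00000000u;
    const uint32_t req[] = { 0x00000301u,   /* M, Q, T flags only */
                             PSL_MD,        /* privileged-mode bit */
                             0x00000400u }; /* a must-be-zero bit */
    for (unsigned i = 0; i < 3; i++)
        printf("req %08x: none=%08x r1.1=%08x r1.2=%08x\n", (unsigned)req[i],
               (unsigned)sr_after_restore(user_sr, req[i], MASK_NONE),
               (unsigned)sr_after_restore(user_sr, req[i], MASK_R1_1),
               (unsigned)sr_after_restore(user_sr, req[i], MASK_R1_2));
    return 0;
}
```

With either mask applied, a request that flips PSL_MD is refused while ordinary flag bits pass; only the revision 1.2 mask also refuses the must-be-zero bits.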
Vulnerability Advisory
Users running NetBSD-current dated before 2001/5/16 should upgrade to a version dated after that. Users running NetBSD-release 1.5 dated before 2001/5/27 should upgrade to a version dated after that. NetBSD also provides a patch:
Index: include/psl.h =================================================================== RCS file: /cvsroot/syssrc/sys/arch/sh3/include/psl.h,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 - --- include/psl.h 1999/09/13 10:31:21 1.1 +++ include/psl.h 2001/05/16 12:42:38 1.2 @@ -57,8 +57,8 @@ #define PSL_MBO 0x00000000 /* must be one bits */ #define PSL_MBZ 0x8ffffc0c /* must be zero bits */ - -#define PSL_USERSET 0 - -#define PSL_USERSTATIC (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK) +#define PSL_USERSET 0 +#define PSL_USERSTATIC (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK|PSL_MBO|PSL_MBZ) #ifdef _KERNEL #include Index: sh3/compat_13_machdep.c =================================================================== RCS file: /cvsroot/syssrc/sys/arch/sh3/sh3/compat_13_machdep.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 - --- sh3/compat_13_machdep.c 2000/12/22 22:58:55 1.2 +++ sh3/compat_13_machdep.c 2001/05/16 12:42:38 1.3 @@ -71,16 +71,9 @@ /* Restore register context. */ tf = p->p_md.md_regs; - - /* - - * Check for security violations. If we're returning to - - * protected mode, the CPU will validate the segment registers - - * automatically and generate a trap on violations. We handle - - * the trap, rather than doing all of the checking here. - - */ - -#ifdef TODO + /* Check for security violations. */ if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0) return (EINVAL); - -#endif tf->tf_ssr = context.sc_ssr; Index: sh3/sh3_machdep.c =================================================================== RCS file: /cvsroot/syssrc/sys/arch/sh3/sh3/sh3_machdep.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 - --- sh3/sh3_machdep.c 2001/04/24 04:31:09 1.12 +++ sh3/sh3_machdep.c 2001/05/16 12:42:38 1.13 
@@ -350,21 +350,13 @@ /* Restore signal context. */ tf = p->p_md.md_regs; - - { - - /* - - * Check for security violations. If we're returning to - - * protected mode, the CPU will validate the segment registers - - * automatically and generate a trap on violations. We handle - - * the trap, rather than doing all of the checking here. - - */ - -#ifdef TODO - - if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0) { - - return (EINVAL); - - } - -#endif - - tf->tf_ssr = context.sc_ssr; - - } + /* Check for security violations. */ + if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0) + return (EINVAL); + + tf->tf_ssr = context.sc_ssr; + tf->tf_r0 = context.sc_r0; tf->tf_r1 = context.sc_r1; tf->tf_r2 = context.sc_r2;
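Review bot: In the include/psl.h hunk, the new PSL_USERSTATIC ORs in PSL_MBO, which the context line just above defines as 0x00000000, so that term adds no bits to the mask and only PSL_MBZ (0x8ffffc0c) actually widens the check. Either drop PSL_MBO from the expression or add a comment saying it is listed for symmetry and has no effect while it is zero. The PSL_USERSET line changes only whitespace and could be left out of a security fix to keep the diff minimal.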
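Review bot: In the sh3/compat_13_machdep.c hunk, the replacement comment "Check for security violations." does not say what rule is enforced, while the removed comment (segment registers, CPU trap) at least explained why the test had been left under #ifdef TODO. Suggest a comment stating that the PSL_USERSTATIC bits of context.sc_ssr must match tf->tf_ssr and that the call returns EINVAL before tf->tf_ssr is written, so the next reader does not have to look up the mask to understand the check.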
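Review bot: The sh3/sh3_machdep.c hunk repeats the same PSL_USERSTATIC test that the compat_13_machdep.c hunk enables, so the two return paths now carry duplicate copies of a security check; a shared macro or small helper would keep them from drifting apart. The advisory text also names process_write_regs as lacking the check, and none of the hunks shown here touch it, so confirm that path validates the Status Register the same way.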
Reference URLs
- Source: XF Name: bsd-sh3-sigreturn-privileges(6637) Link: http://xforce.iss.net/static/6637.php
- Source: BID Name: 2810 Link: http://www.securityfocus.com/bid/2810
- Source: NETBSD Name: NetBSD-SA2001-008 Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-008.txt.asc
Affected Entities
- Netbsd Netbsd:1.4.1:Sh3
- Netbsd Netbsd:1.5:Sh3
Patches
None available