16th Feb 2000 [SBWID-126]
COMMAND
	    ptrace(2)
SYSTEMS AFFECTED
	    NetBSD/vax 1.4.1 and earlier; -current prior to 19991212
PROBLEM
	    The following is based on NetBSD Security Advisory 1999-012. As part
	    of an ongoing effort to construct a secure kernel and application
	    environment, the NetBSD project has identified and corrected a
	    possible security issue. A local user can construct a wrapper program
	    that modifies the hardware privilege bits of a ptrace(2)'d process.
	    It might be possible to write a security-related exploit via this
	    mechanism.
	    NetBSD uses the ptrace(2) system call to trace and debug other
	    processes. The debugging process can also modify the internal
	    registers of the process being debugged, including its processor
	    status longword (PSL). Besides the normal user-accessible flags, the
	    VAX hardware also stores the current and previous privilege levels
	    and the stack in use in the PSL. Those fields are only altered by the
	    instructions REI (return from interrupt) and LDPCTX (load process
	    context) and cannot be modified while running in "user" mode.
	    When the debugging process alters the PSL contents, the debugged
	    process is in the kernel, and it receives the privileges defined by
	    that PSL when the kernel executes REI to return it to userspace to
	    continue execution.
	    Discovery of the problem by Klaus Klein.
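The sanitization rule the fix applies, modelled in user-space C as an added illustration for this page (not NetBSD's code). The PSL macro names are the ones the patch uses; their numeric values are an assumption taken from the VAX architecture's PSL layout and should be checked against sys/arch/vax/include/psl.h. The function `sanitize_psl` mirrors the patched assignment, and `psl_safe_for_user` states the invariant a trapframe PSL must satisfy before REI; both names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * VAX processor status longword (PSL) fields relevant to the advisory.
 * Bit positions follow the VAX architecture; the exact NetBSD macro
 * values are an assumption here (check sys/arch/vax/include/psl.h).
 */
#define PSL_IPL1F 0x001f0000u /* interrupt priority level, bits 16-20 */
#define PSL_PREVU 0x00c00000u /* previous access mode field; 3 = user */
#define PSL_U     0x03000000u /* current access mode field; 3 = user */
#define PSL_IS    0x04000000u /* executing on the interrupt stack */
#define PSL_MBZ   0x30200000u /* must-be-zero bits (assumed value) */
#define PSL_CM    0x80000000u /* VAX-11 compatibility mode */

/*
 * Same rule as the advisory's patch: take whatever PSL the debugger hands
 * in through ptrace(2), force both access-mode fields to user, and strip
 * the interrupt-stack, IPL, must-be-zero and compatibility-mode bits.
 * Condition codes and trap enables in the low byte pass through unchanged.
 */
uint32_t sanitize_psl(uint32_t requested)
{
    return (requested | PSL_U | PSL_PREVU)
        & ~(PSL_MBZ | PSL_IS | PSL_IPL1F | PSL_CM);
}

/*
 * Invariants a trapframe PSL must satisfy before the kernel REIs with it:
 * the process comes back in user mode (both fields), on the user stack,
 * at IPL 0, with no must-be-zero or compatibility-mode bits set.
 * This is the check one would want to hold for every path that writes
 * tf->psl, not only the ptrace(2) one.
 */
int psl_safe_for_user(uint32_t psl)
{
    return (psl & PSL_U) == PSL_U
        && (psl & PSL_PREVU) == PSL_PREVU
        && (psl & PSL_IS) == 0
        && (psl & PSL_IPL1F) == 0
        && (psl & PSL_MBZ) == 0
        && (psl & PSL_CM) == 0;
}

int main(void)
{
    /* Constructed inputs: all-zero asks for access mode 0 (kernel) in both
     * fields; all-ones asks for the interrupt stack, IPL 31, compatibility
     * mode and the MBZ bits; the third is an ordinary user-mode PSL with
     * condition codes set and must survive untouched. */
    uint32_t samples[] = { 0x00000000u, 0xffffffffu, 0x03c0000fu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t in = samples[i], out = sanitize_psl(in);
        printf("requested 0x%08x safe=%d -> stored 0x%08x safe=%d\n",
               in, psl_safe_for_user(in), out, psl_safe_for_user(out));
    }
    return 0;
}
```

The point of the second function is that the masking expression alone is easy to get subtly wrong; stating the invariant separately lets it be asserted on every write to the trapframe, whatever its source.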
SOLUTION
	    Upgrade to NetBSD-current, or apply the following patch to 1.4.1:
	
	    Index: machdep.c
	    ===================================================================
	    RCS file: /cvsroot/syssrc/sys/arch/vax/vax/machdep.c,v
	    retrieving revision 1.76.2.1
	    diff -c -r1.76.2.1 machdep.c
	    *** machdep.c   1999/04/16 16:26:01     1.76.2.1
	    - --- machdep.c   1999/12/12 11:08:46
	    ***************
	    *** 770,776 ****
	            tf->fp = regs->fp;
	            tf->sp = regs->sp;
	            tf->pc = regs->pc;
	    !       tf->psl = regs->psl;
	            return 0;
	      }
	    - --- 770,777 ----
	            tf->fp = regs->fp;
	            tf->sp = regs->sp;
	            tf->pc = regs->pc;
	    !       tf->psl = (regs->psl|PSL_U|PSL_PREVU) &
	    !           ~(PSL_MBZ|PSL_IS|PSL_IPL1F|PSL_CM); /* Allow compat mode? */
	            return 0;
	      }
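	    Review bot: the new mask enforces the right invariant (both access-mode fields forced to user, interrupt-stack, IPL and must-be-zero bits cleared) but ships with an open question in its own comment, `/* Allow compat mode? */`; either decide that PSL_CM stays cleared and say so, or drop the question so the policy reads as settled. A one-line comment on why PSL_PREVU is forced together with PSL_U would also help, since nothing in the surrounding `tf->fp`/`tf->sp`/`tf->pc` assignments tells a reader that only the PSL carries privilege state a ptrace(2) write could otherwise smuggle in.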