This advisory has been sent to:

    comp.security.unix

===========================================================================
[8lgm]-Advisory-18.UNIX.SunOS-kernel.4-Dec-1994

PROGRAM:

    SunOS 4.1.x kernel

VULNERABLE OS's:

    SunOS 4.1.x

DESCRIPTION:

    A problem was reported to bugtraq showing that unprivileged users can
    panic the SunOS 4.1.x kernel if an HSFS cdrom is mounted. The purpose of
    this advisory is to provide a workaround for this problem. This patch has
    been successfully tested by a number of people.

IMPACT:

    Any user can crash the system.

REPEAT BY:

    Assuming /cdrom is an hsfs filesystem, execute the following program:

    main() { pathconf("/cdrom", 0); }

    Obviously do not do this, unless you have the authority to install the
    fix below.

DISCUSSION:

    Two vnodeops in the hsfs_vnodeops struct appear to be left undefined
    (vn_cntl and vn_realvp, the two entries the module below replaces). This
    fix points them to a real function which then fails the operation in the
    correct way (it returns EINVAL).

WORKAROUND & FIX:

    1. Contact your vendor for a patch.

    2. In the meantime either install the workaround given below, or avoid
       using HSFS mounted filesystems.

8<------------------------- cut here -------------------------
/*
 * 8lgm_hsfs.c - SunOS 4.1.x HSFS bugfix.
 * Copyright (C) 1994 by [8LGM].
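*
 * To use:
 *   cc -c -O -DKERNEL -D 8lgm_hsfs.c
 *   modload 8lgm_hsfs.o
 *
 * NOTE(review): in this copy the argument of the second -D above and the
 * header names of the #include lines below are missing (they look like
 * they were stripped when the page was extracted). Restore them from the
 * original posting before building; nothing here says what they were.
 *
 * What the module does: it saves the current vn_cntl and vn_realvp entries
 * of hsfs_vnodeops and replaces both with hsfs_invalid(), which returns
 * EINVAL. Unloading puts the saved entries back, so the system is in its
 * original (unpatched) state again once the module is unloaded.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* The HSFS vnode operations table, defined elsewhere in the kernel. */
extern struct vnodeops hsfs_vnodeops;

/* Driver linkage record handed to the module framework on VDLOAD. */
struct vdldrv vd;

/* Entries found in the table at load time, kept so unload can restore them. */
int (*old_hsfs_cntl)() = NULL;
int (*old_hsfs_realvp)() = NULL;

/* Non-zero while the fix is installed; guards against a second load. */
int loaded_8lgm_hsfs = 0;

/* Declared ahead of xxxinit(), which calls it before its definition. */
static int unload();

/*
 * hsfs_invalid - handler installed in both patched slots.
 * Declares no arguments and always returns EINVAL.
 */
int
hsfs_invalid()
{
	return (EINVAL);
}

/*
 * load_8lgm_hsfsfix - save the two table entries and install the stub.
 * Always returns 0.
 */
int
load_8lgm_hsfsfix()
{
	int x;

	/*
	 * Raise the interrupt priority so the save and the swap of both
	 * entries are not interrupted part-way; splx() restores the level.
	 */
	x = splhigh();
	old_hsfs_cntl = hsfs_vnodeops.vn_cntl;
	old_hsfs_realvp = hsfs_vnodeops.vn_realvp;
	hsfs_vnodeops.vn_cntl = hsfs_invalid;
	hsfs_vnodeops.vn_realvp = hsfs_invalid;
	splx(x);

	return (0);
}

/*
 * unload_8lgm_hsfsfix - put back the entries saved by load_8lgm_hsfsfix().
 * Always returns 0.
 *
 * NOTE: this restores whatever was in the table before the load. The
 * advisory describes those entries as apparently undefined, so the
 * original problem is present again after this runs.
 */
int
unload_8lgm_hsfsfix()
{
	int x;

	x = splhigh();
	hsfs_vnodeops.vn_cntl = old_hsfs_cntl;
	hsfs_vnodeops.vn_realvp = old_hsfs_realvp;
	splx(x);

	return (0);
}

/*
 * xxxinit - module entry point, dispatched on function_code.
 *
 *   VDLOAD   install the fix; EEXIST if it is already installed
 *   VDUNLOAD remove the fix via unload()
 *   VDSTAT   nothing to report, returns 0
 *   other    EIO
 *
 * vds is accepted but not used.
 */
int
xxxinit(function_code, vdp, vdi, vds)
	unsigned int function_code;
	struct vddrv *vdp;
	addr_t vdi;
	struct vdstat *vds;
{
	/* The linkage record is rebuilt on every call, whatever the code. */
	bzero(&vd, sizeof(vd));
	vd.Drv_magic = VDMAGIC_PSEUDO;
	vd.Drv_name = "8lgm-hsfs";

	switch (function_code) {
	case VDLOAD:
		/*
		 * Refuse a second load: load_8lgm_hsfsfix() would save the
		 * stub itself as the "old" entries and a later unload could
		 * no longer restore the real ones.
		 */
		if (loaded_8lgm_hsfs) {
			log(LOG_INFO, "8lgm: hsfs fix module already loaded\n");
			return (EEXIST);
		}
		vdp->vdd_vdtab = (struct vdlinkage *)&vd;
		load_8lgm_hsfsfix();
		loaded_8lgm_hsfs++;
		log(LOG_INFO, "8lgm: hsfs fix module loaded\n");
		return (0);

	case VDUNLOAD:
		return (unload(vdp, vdi));

	case VDSTAT:
		return (0);

	default:
		return (EIO);
	}
}

/*
 * unload - VDUNLOAD handler.
 * Restores the saved table entries if the fix is installed and clears the
 * loaded flag. Returns 0 in every case, including when nothing was loaded.
 * Neither argument is used.
 */
static int
unload(vdp, vdi)
	struct vddrv *vdp;
	struct vdioctl_unload *vdi;
{
	if (loaded_8lgm_hsfs == 0) {
		log(LOG_INFO, "8lgm: hsfs fix module not loaded!\n");
		return (0);
	}
	unload_8lgm_hsfsfix();
	loaded_8lgm_hsfs = 0;
	log(LOG_INFO, "8lgm: hsfs fix module unloaded\n");
	return (0);
}
8<------------------------- cut here -------------------------

-----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

    majordomo@8lgm.org      (Mailing list requests - try 'help' for details)

    8lgm@8lgm.org           (Everything else)

8LGM FILESERVER:

    All [8LGM] advisories may be obtained via the [8LGM] fileserver.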
    For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

    [8LGM]'s web server can be reached at http://www.8lgm.org.
    This contains details of all 8LGM advisories and other useful information.

===========================================================================