A race condition between the ptrace(2) and execve(2) system calls allowed
an attacker to modify the memory contents of suid/sgid processes, which
could lead to compromise of the super-user account.
Apply by doing:
cd /usr/src
patch -p0 < 012_ptrace.patch
And then rebuild your kernel.
/*
+ * Cheap solution to complicated problems.
+ * Mark this process as "leave me alone, I'm execing".
+ */
+ p->p_flag |= P_INEXEC;
+
+ /*
* figure out the maximum size of an exec header, if necessary.
* XXX should be able to keep LKM code from modifying exec switch
* when we're still using it, but...
@@ -611,6 +617,7 @@
if (KTRPOINT(p, KTR_EMUL))
ktremul(p, p->p_emul->e_name);
#endif
+ p->p_flag &= ~P_INEXEC;
return (0);
+ if ((t->p_flag & P_INEXEC) != 0)
+ return (EAGAIN);
+
/* Make sure we can operate on it. */
switch (SCARG(uap, req)) {
case PT_TRACE_ME:
Index: sys/miscfs/procfs/procfs_mem.c
===================================================================
RCS file: /cvs/src/sys/miscfs/procfs/procfs_mem.c,v
retrieving revision 1.14
diff -u -u -r1.14 procfs_mem.c
--- sys/miscfs/procfs/procfs_mem.c 19 Sep 2001 18:06:17 -0000 1.14
+++ sys/miscfs/procfs/procfs_mem.c 21 Jan 2002 18:03:16 -0000
@@ -106,6 +106,8 @@
* of the entire system, and the system was not
* compiled with permanently insecure mode turned
* on.
+ *
+ * (3) It's currently execing.
*/
int
procfs_checkioperm(p, t)
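Review bot: The new list entry `(3) It's currently execing.` reads like the permanent refusals in (1) and (2), but the matching check added later in this file returns EAGAIN rather than EPERM, so the comment should say the denial is transient and tell the reader when it lifts, e.g. `(3) It's currently execing (P_INEXEC); this refusal is transient and returns EAGAIN rather than EPERM, so the caller may retry once the exec has completed.` The only place this page shows the flag being cleared is the success path `p->p_flag &= ~P_INEXEC;` just before `return (0);` in the exec hunk, so whether failed execs also clear it cannot be confirmed from here; if they do not, the comment's retry promise would be wrong and the target would stay undebuggable, which is worth verifying against the full patch. The body of procfs_checkioperm starts after this hunk.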
@@ -120,6 +122,9 @@
if ((t->p_pid == 1) && (securelevel > -1))
return (EPERM);
+
+ if (t->p_flag & P_INEXEC)
+ return (EAGAIN);
#define P_NOCLDWAIT 0x080000 /* Let pid 1 wait for my children */
#define P_NOZOMBIE 0x100000 /* Pid 1 waits for me instead of dad */
+#define P_INEXEC 0x200000 /* Process is doing an exec right now */
/* Macro to compute the exit signal to be delivered. */
#define P_EXITSIG(p) \