Message-ID: <35D91F81-1E00-4305-8DED-848D88C8CD58@nccgroup.trust>
Date: Thu, 14 Jul 2016 21:09:34 +0000
From: Jesse Hertz <Jesse.Hertz@...group.trust>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: #NA-Disclosure <na-disclosure@...group.trust>
Subject: Multiple Bugs in OpenBSD Kernel

Hi All,

As part of NCC Group’s Project Triforce, a generic syscall fuzzing effort by myself and Tim Newsham, several new vulnerabilities were discovered in the OpenBSD kernel. These have all been fixed now.

Attached are source files for each issue that include a full writeup of the issue, links to the patches, as well as a PoC to demonstrate the issue. We are requesting CVEs for all but the last issue (which is root-only).

The following list contains a brief description of each issue, ordered from highest to lowest severity.

mmap_panic: Malicious calls to mmap() can trigger an allocation panic or trigger memory corruption.

kevent_panic: Any user can panic the kernel with the kevent system call.

thrsleep_panic: Any user can panic the kernel with the __thrsleep system call.

thrsigdivert_panic: Any user can panic the kernel with the __thrsigdivert system call.

ufs_getdents_panic: Any user can panic the kernel with the getdents system call.

mount_panic: Root users, or users on systems with kern.usermount set to true, can trigger a kernel panic when mounting a tmpfs filesystem.

unmount_panic: Root users, or users on systems with kern.usermount set to true, can trigger a kernel panic when unmounting a filesystem.

tmpfs_mknod_panic: Root can panic kernel with mknod on a tmpfs filesystem.

Errata have been issued which cover some of these issues on http://www.openbsd.org/errata59.html and http://www.openbsd.org/errata58.html.

NCC Group would like to thank the OpenBSD development team for clear communication and a quick turnaround on these issues.

Best,
-jh

Content of type "text/html" skipped

Download attachment "kevent_panic.c" of type "application/octet-stream" (2894 bytes)
Download attachment "mmap_panic.c" of type "application/octet-stream" (6944 bytes)
Download attachment "mount_panic.c" of type "application/octet-stream" (2220 bytes)
Download attachment "thrsigdivert_panic.c" of type "application/octet-stream" (2741 bytes)
Download attachment "thrsleep_panic.c" of type "application/octet-stream" (2507 bytes)
Download attachment "tmpfs_mknod_panic.c" of type "application/octet-stream" (1906 bytes)
Download attachment "ufs_getdents_panic.c" of type "application/octet-stream" (2744 bytes)
Download attachment "unmount_panic.c" of type "application/octet-stream" (2122 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (497 bytes)