Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» FreeBSD » Security compromise via procfs

Security compromise via procfs

A problem exists in the procfs kernel code that allows processes to write memory of other processes where it should have been prohibited.

  • Vendor: FreeBSD
  • Vendor ID: SA-97:04
  • Date: August 19, 1997


-----BEGIN PGP SIGNED MESSAGE-----


=====================================================================
FreeBSD-SA-97:04 Security Advisory
FreeBSD, Inc.

Topic: security compromise via procfs

Category: core
Module: procfs
Announced: 1997-08-19
Affects: FreeBSD 2.1.*, FreeBSD 2.2.*,
FreeBSD-stable and FreeBSD-current
before 1997/08/12 suffer from this problem.
Corrected: FreeBSD-current as of 1997/08/12
FreeBSD-stable as of 1997/08/12
FreeBSD 2.1-stable as of 1997/08/25
FreeBSD only: no (also other BSD systems may be affected)

Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:04/

=====================================================================

I. Background

Procfs provides a filesystem interface to processes on a system.
Among others it is used by ps(1) and gdb(1).

II. Problem Description

A problem exists in the procfs kernel code that allows processes
to write memory of other processes where it should have been prohibited.

III. Impact

The hole can be used by any user on the system to gain root privileges.

IV. Workaround

A workaround is to disable the mounting of procfs. To achieve this,
edit the file /etc/fstab and put a '#' in front of the line
proc /proc procfs rw 0 0
Note that when you do that, some utilities may either not work anymore
or have a limited functionality.

V. Solution

Apply one of the following patches in /usr/src/sys/miscfs/procfs,
rebuild your kernel, install it and reboot your system.

For 2.1 and 2.2 systems:

Index: procfs_regs.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs_regs.c,v
retrieving revision 1.3
retrieving revision 1.3.4.1
diff -u -r1.3 -r1.3.4.1
--- procfs_regs.c 1996/01/24 18:41:25 1.3
+++ procfs_regs.c 1997/08/12 04:45:25 1.3.4.1
@@ -36,7 +36,7 @@
*
* @(#)procfs_regs.c 8.3 (Berkeley) 1/27/94
*
- * $Id: procfs_regs.c,v 1.3 1996/01/24 18:41:25 peter Exp $
+ * $Id: procfs_regs.c,v 1.3.4.1 1997/08/12 04:45:25 sef Exp $
*/

#include
@@ -62,6 +62,8 @@
char *kv;
int kl;

+ if (!CHECKIO(curp, p))
+ return EPERM;
kl = sizeof(r);
kv = (char *) &r;

Index: procfs.h
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs.h,v
retrieving revision 1.12
retrieving revision 1.12.2.1
diff -u -r1.12 -r1.12.2.1
--- procfs.h 1996/07/02 13:38:07 1.12
+++ procfs.h 1997/08/12 04:45:20 1.12.2.1
@@ -36,7 +36,7 @@
*
* @(#)procfs.h 8.6 (Berkeley) 2/3/94
*
- * $Id: procfs.h,v 1.12 1996/07/02 13:38:07 dyson Exp $
+ * $Id: procfs.h,v 1.12.2.1 1997/08/12 04:45:20 sef Exp $
*/

/*
@@ -83,6 +83,18 @@
(bcmp((s), (cnp)->cn_nameptr, (len)) == 0))

#define KMEM_GROUP 2
+
+/*
+ * Check to see whether access to target process is allowed
+ * Evaluates to 1 if access is allowed.
+ */
+#define CHECKIO(p1, p2) \
+ ((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
+ ((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \
+ ((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \
+ ((p2)->p_flag & P_SUGID) == 0) || \
+ (suser((p1)->p_cred->pc_ucred, &(p1)->p_acflag) == 0))
+
/*
* Format of a directory entry in /proc, ...
* This must map onto struct dirent (see )
Index: procfs_mem.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs_mem.c,v
retrieving revision 1.20
retrieving revision 1.20.2.1
diff -u -r1.20 -r1.20.2.1
--- procfs_mem.c 1996/10/24 02:47:05 1.20
+++ procfs_mem.c 1997/08/12 04:45:23 1.20.2.1
@@ -37,7 +37,7 @@
*
* @(#)procfs_mem.c 8.4 (Berkeley) 1/21/94
*
- * $Id: procfs_mem.c,v 1.20 1996/10/24 02:47:05 dyson Exp $
+ * $Id: procfs_mem.c,v 1.20.2.1 1997/08/12 04:45:23 sef Exp $
*/

/*
@@ -300,6 +300,23 @@
if (uio->uio_resid == 0)
return (0);

+ /*
+ * XXX
+ * We need to check for KMEM_GROUP because ps is sgid kmem;
+ * not allowing it here causes ps to not work properly. Arguably,
+ * this is a bug with what ps does. We only need to do this
+ * for Pmem nodes, and only if it's reading. This is still not
+ * good, as it may still be possible to grab illicit data if
+ * a process somehow gets to be KMEM_GROUP. Note that this also
+ * means that KMEM_GROUP can't change without editing procfs.h!
+ * All in all, quite yucky.
+ */
+
+ if (!CHECKIO(curp, p) &&
+ !(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP &&
+ uio->uio_rw == UIO_READ))
+ return EPERM;
+
error = procfs_rwmem(p, uio);

return (error);
Index: procfs_vnops.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs_vnops.c,v
retrieving revision 1.24
retrieving revision 1.24.2.1
diff -u -r1.24 -r1.24.2.1
--- procfs_vnops.c 1996/09/03 14:23:10 1.24
+++ procfs_vnops.c 1997/08/12 04:45:27 1.24.2.1
@@ -36,7 +36,7 @@
*
* @(#)procfs_vnops.c 8.6 (Berkeley) 2/7/94
*
- * $Id: procfs_vnops.c,v 1.24 1996/09/03 14:23:10 bde Exp $
+ * $Id: procfs_vnops.c,v 1.24.2.1 1997/08/12 04:45:27 sef Exp $
*/

/*
@@ -120,16 +120,21 @@
struct vop_open_args *ap;
{
struct pfsnode *pfs = VTOPFS(ap->a_vp);
+ struct proc *p1 = ap->a_p, *p2 = PFIND(pfs->pfs_pid);
+
+ if (p2 == NULL)
+ return ENOENT;

switch (pfs->pfs_type) {
case Pmem:
- if (PFIND(pfs->pfs_pid) == 0)
- return (ENOENT); /* was ESRCH, jsp */
-
if (((pfs->pfs_flags & FWRITE) && (ap->a_mode & O_EXCL)) ||
((pfs->pfs_flags & O_EXCL) && (ap->a_mode & FWRITE)))
return (EBUSY);

+ if (!CHECKIO(p1, p2) &&
+ (p1->p_cred->pc_ucred->cr_gid != KMEM_GROUP))
+ return EPERM;
+

if (ap->a_mode & FWRITE)
pfs->pfs_flags = ap->a_mode & (FWRITE|O_EXCL);
@@ -176,7 +181,6 @@
procfs_ioctl(ap)
struct vop_ioctl_args *ap;
{
-
return (ENOTTY);
}

Index: procfs_fpregs.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs_fpregs.c,v
retrieving revision 1.3
retrieving revision 1.3.4.1
diff -u -r1.3 -r1.3.4.1
--- procfs_fpregs.c 1996/01/24 18:40:56 1.3
+++ procfs_fpregs.c 1997/08/12 05:24:20 1.3.4.1
@@ -36,7 +36,7 @@
*
* @(#)procfs_fpregs.c 8.1 (Berkeley) 1/27/94
*
- * $Id: procfs_fpregs.c,v 1.3 1996/01/24 18:40:56 peter Exp $
+ * $Id: procfs_fpregs.c,v 1.3.4.1 1997/08/12 05:24:20 sef Exp $
*/

#include
@@ -62,6 +62,8 @@
char *kv;
int kl;

+ if (!CHECKIO(curp, p))
+ return EPERM;
kl = sizeof(r);
kv = (char *) &r;

For FreeBSd-current systems:

Index: procfs_regs.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs_regs.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- procfs_regs.c 1997/08/02 14:32:16 1.7
+++ procfs_regs.c 1997/08/12 04:34:29 1.8
@@ -37,7 +37,7 @@
* @(#)procfs_regs.c 8.4 (Berkeley) 6/15/94
*
* From:
- * $Id: procfs_regs.c,v 1.7 1997/08/02 14:32:16 bde Exp $
+ * $Id: procfs_regs.c,v 1.8 1997/08/12 04:34:29 sef Exp $
*/

#include
@@ -60,6 +60,8 @@
char *kv;
int kl;

+ if (!CHECKIO(curp, p))
+ return EPERM;
kl = sizeof(r);
kv = (char *) &r;

Index: procfs.h
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs.h,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- procfs.h 1997/02/22 09:40:26 1.15
+++ procfs.h 1997/08/12 04:34:27 1.16
@@ -37,7 +37,7 @@
* @(#)procfs.h 8.9 (Berkeley) 5/14/95
*
* From:
- * $Id: procfs.h,v 1.15 1997/02/22 09:40:26 peter Exp $
+ * $Id: procfs.h,v 1.16 1997/08/12 04:34:27 sef Exp $
*/

/*
@@ -85,6 +85,18 @@
(bcmp((s), (cnp)->cn_nameptr, (len)) == 0))

#define KMEM_GROUP 2
+
+/*
+ * Check to see whether access to target process is allowed
+ * Evaluates to 1 if access is allowed.
+ */
+#define CHECKIO(p1, p2) \
+ ((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
+ ((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \
+ ((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \
+ ((p2)->p_flag & P_SUGID) == 0) || \
+ (suser((p1)->p_cred->pc_ucred, &(p1)->p_acflag) == 0))
+
/*
* Format of a directory entry in /proc, ...
* This must map onto struct dirent (see )
Index: procfs_mem.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs_mem.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- procfs_mem.c 1997/08/02 14:32:14 1.26
+++ procfs_mem.c 1997/08/12 04:34:28 1.27
@@ -37,7 +37,7 @@
*
* @(#)procfs_mem.c 8.5 (Berkeley) 6/15/94
*
- * $Id: procfs_mem.c,v 1.26 1997/08/02 14:32:14 bde Exp $
+ * $Id: procfs_mem.c,v 1.27 1997/08/12 04:34:28 sef Exp $
*/

/*
@@ -276,6 +276,23 @@

if (uio->uio_resid == 0)
return (0);
+
+ /*
+ * XXX
+ * We need to check for KMEM_GROUP because ps is sgid kmem;
+ * not allowing it here causes ps to not work properly. Arguably,
+ * this is a bug with what ps does. We only need to do this
+ * for Pmem nodes, and only if it's reading. This is still not
+ * good, as it may still be possible to grab illicit data if
+ * a process somehow gets to be KMEM_GROUP. Note that this also
+ * means that KMEM_GROUP can't change without editing procfs.h!
+ * All in all, quite yucky.
+ */
+
+ if (!CHECKIO(curp, p) &&
+ !(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP &&
+ uio->uio_rw == UIO_READ))
+ return EPERM;

return (procfs_rwmem(p, uio));
}
Index: procfs_vnops.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs_vnops.c,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- procfs_vnops.c 1997/08/02 14:32:20 1.30
+++ procfs_vnops.c 1997/08/12 04:34:30 1.31
@@ -36,7 +36,7 @@
*
* @(#)procfs_vnops.c 8.18 (Berkeley) 5/21/95
*
- * $Id: procfs_vnops.c,v 1.30 1997/08/02 14:32:20 bde Exp $
+ * $Id: procfs_vnops.c,v 1.31 1997/08/12 04:34:30 sef Exp $
*/

/*
@@ -127,16 +127,21 @@
} */ *ap;
{
struct pfsnode *pfs = VTOPFS(ap->a_vp);
+ struct proc *p1 = ap->a_p, *p2 = PFIND(pfs->pfs_pid);
+
+ if (p2 == NULL)
+ return ENOENT;

switch (pfs->pfs_type) {
case Pmem:
- if (PFIND(pfs->pfs_pid) == 0)
- return (ENOENT); /* was ESRCH, jsp */
-
if ((pfs->pfs_flags & FWRITE) && (ap->a_mode & O_EXCL) ||
(pfs->pfs_flags & O_EXCL) && (ap->a_mode & FWRITE))
return (EBUSY);

+ if (!CHECKIO(p1, p2) &&
+ (p1->p_cred->pc_ucred->cr_gid != KMEM_GROUP))
+ return EPERM;
+
if (ap->a_mode & FWRITE)
pfs->pfs_flags = ap->a_mode & (FWRITE|O_EXCL);

@@ -194,7 +199,6 @@
struct proc *a_p;
} */ *ap;
{
-
return (ENOTTY);
}

Index: procfs_fpregs.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/miscfs/procfs/procfs_fpregs.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- procfs_fpregs.c 1997/08/02 14:32:11 1.7
+++ procfs_fpregs.c 1997/08/12 05:23:51 1.8
@@ -37,7 +37,7 @@
* @(#)procfs_fpregs.c 8.2 (Berkeley) 6/15/94
*
* From:
- * $Id: procfs_fpregs.c,v 1.7 1997/08/02 14:32:11 bde Exp $
+ * $Id: procfs_fpregs.c,v 1.8 1997/08/12 05:23:51 sef Exp $
*/

#include
@@ -60,6 +60,8 @@
char *kv;
int kl;

+ if (!CHECKIO(curp, p))
+ return EPERM;
kl = sizeof(r);
kv = (char *) &r;

(These patches can also be found on
ftp://freebsd.org/pub/CERT/patches/SA-97:04/)

VI. Thanks

This problem was brought to light by Brian Mitchell


=====================================================================
FreeBSD, Inc.

Web Site: http://www.freebsd.org/
Confidential contacts: [email protected]
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: [email protected]
Security public discussion: [email protected]

Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=====================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNAMWLFUuHi5z0oilAQHmrQQAoXR/BUliLCJgtDx/tG4lSNMpY2+wYWtw
PNiPjLfHHbA2yOXoJxv5ANw0Z6zeovCP1rHTKbG0vGNQe45d34kC+qY1hSKhYxjV
BGeEKzCUyfGn0ovrfWjmW6FL3n2Kq76yJbhR5tiev5vaM9+kvWKs8aK5c1maAEOv
PxYm/nzJg04=
=aC0v
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »