Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» NetBSD » F_CLOSEM local denial of service

F_CLOSEM local denial of service

A bug in the way the file descriptor table of a process is manipulated can be triggered by calling the F_CLOSEM fnctl() with the parameter 0, which means "close all opened file descriptors".

  • Vendor: NetBSD
  • Vendor ID: 2005-003
  • Date: November 08, 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Advisory 2005-003
=================================

Topic: F_CLOSEM local denial of service

Version: NetBSD-current: source prior to January 12, 2005
NetBSD 2.1: not affected
NetBSD 2.0.2: not affected
NetBSD 2.0: affected
NetBSD 1.6.*: not affected

Severity: Local Denial-of-Service

Fixed: NetBSD-current: January 12, 2005
NetBSD-2-0 branch: March 16, 2005
(2.0.2 includes the fix)
NetBSD-2 branch: March 16, 2005
(2.1 includes the fix)


Abstract
========

A bug in the way the file descriptor table of a process is manipulated
can be triggered by calling the F_CLOSEM fnctl() with the parameter 0,
which means "close all opened file descriptors".

The result of the bug is that the kernel will loop endlessly,
effectively locking up the computer.

Any local user can trigger the bug.


Technical Details
=================

The F_CLOSEM fnctl() call takes a parameter and makes the kernel close
all file descriptors of the process whose number is greater or equal to
the parameter.

fd_lastfile in the process's descriptor table keeps track of the last file
descriptor index used by the process, and its value is maintained by
find_last_set(). A change in find_last_set() that made it return 0 and not
- -1 (like it used to) when no files were used caused an infinite loop in
the kernel, leading to local denial-of-service triggerable by any user.


Solutions and Workarounds
=========================

There is no workaround for this issue. It is recommended that users of
affected NetBSD versions upgrade their kernel.

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of the
kernel.

* NetBSD-current:

Systems running NetBSD-current dated from before 2005-01-12
should be upgraded to NetBSD-current dated 2005-01-13 or later.

The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
sys/kern/kern_descrip.c

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update -d -P sys/kern/kern_descrip.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now


* NetBSD 2.0:

The binary distribution of NetBSD 2.0 is vulnerable.

NetBSD 2.1 includes the fix.

Systems running NetBSD 2.0 sources dated from before
2005-01-12 should be upgraded from NetBSD 2.0 sources dated
2005-01-13 or later.

The following files need to be updated from the
netbsd-2-0 CVS branch:
sys/kern/kern_descrip.c

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update -d -P -r netbsd-2-0 sys/kern/kern_descrip.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now


Thanks To
=========

Brian Marcotte, for discovering and reporting the issue.

Greg Oster and Quentin Garnier, for analysis and fixes.


Revision History
================

2005-10-31 Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-003.txt,v 1.10 2005/10/31 19:11:45 gendalia Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fKRj5Ru2/4N2IFAQKyJQP/cF9a8IM4ayqS2nNv0HPgL4uPvbmnHPDW
F76FTxFDfrImmkMNrdIBaj/1B/LS41+iMWTJJFGWNkqZjzXKVLuD7/rLDKGjI1Aa
WfmS7gHoZcI5p5A0x+RFtOM399sQX2/cC5a0hcGamKncBChKMNEdn3u//q/HC+4e
rpQReunJrFU=
=SfoJ
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »