Category:   OS (UNIX)  >   OpenBSD Kernel
Vendors:   OpenBSD
OpenBSD Semaphore Integer Overflow Lets Local Root Users Bypass 'securelevel()' Access Controls
SecurityTracker Alert ID:  1007671
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 10 2003
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes    Vendor Confirmed:  Yes    Exploit Included:  Yes
Version(s): 3.3 and prior versions
Description:   An integer overflow vulnerability was reported in the OpenBSD kernel. A local user with root privileges may be able to bypass 'securelevel(7)' access controls and write to kernel memory.

It is reported that there is an integer overflow in the semget(2) system call (src/sys/kern/sysv_sem.c). A local user with root privileges can write to certain kernel memory locations regardless of the securelevel(7) controls.

A local user with root privileges can reportedly set the 'seminfo.semmns' and 'seminfo.semmsl' variables to arbitrary values via sysctl(), causing a buffer to be incorrectly malloc'd.

Impact:   A local user with root privileges may be able to bypass securelevel() access controls and write to kernel memory locations.
Solution:   The vendor has released a fix in the -STABLE and -CURRENT versions (available via CVS).

Also, the following patch for the 3.3 kernel is available:

Cause:   Boundary error

Message History:   None.

 Source Message Contents

Subject:  Integer overflow in OpenBSD kernel

Local security bug in OpenBSD semaphore handling

Product:         OpenBSD kernel (3.3-release, -current before 10/09/2003)
Impact:          Root may bypass securelevel
Bug class:       Integer overflow
Vendor notified: Yes
Fix available:   Yes

An integer overflow condition exists in the OpenBSD 3.3-release kernel
and all previous versions.  It is possible for root to write to semi-
arbitrary kernel memory irrespective of securelevel(7). This potentially
bypasses securelevel as root may modify the running kernel, introducing
kernel level backdoors etc. The mechanism used to achieve this is an
integer overflow in the semget(2) syscall, described below:

sys_semget() allocates a buffer here:

  semaptr_new->sem_base = malloc(nsems * sizeof(struct sem),
      M_SEM, M_WAITOK);

provided the following checks are passed:

  if (nsems <= 0 || nsems > seminfo.semmsl) {
      DPRINTF(("nsems out of range (0<%d<=%d)\n", nsems,
          seminfo.semmsl));
      return (EINVAL);
  }
  if (nsems > seminfo.semmns - semtot) {
      DPRINTF(("not enough semaphores left (need %d, got %d)\n",
          nsems, seminfo.semmns - semtot));
      return (ENOSPC);
  }

If these checks are passed and the buffer is successfully allocated,
the nsems (number of semaphores) value associated with the semaphore
set is set here:

  semaptr_new->sem_nsems = nsems;

Please also note that an int is being assigned to a short here, which
is a potential source of another bug. Since root is able to raise the
values of seminfo.semmns and seminfo.semmsl to arbitrary values via sysctl,
it is possible to mis-size the malloc'd buffer, allowing memory to be
read and written via the semctl(2) syscall.
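The mis-sized allocation described above, as an added example (not OpenBSD code and not the advisory's attached programs): a 32-bit model of the nsems * sizeof(struct sem) computation next to a hardened version that applies the patch's 0xffff bound and refuses a product that would wrap. struct sem_model, ksize_t and the sample nsems value are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not OpenBSD code: models the 32-bit kernel of 2003, where
 * size_t is 32 bits, so nsems * sizeof(struct sem) in sys_semget() can wrap.
 * struct sem_model is an assumed 8-byte stand-in for the real struct sem. */
typedef uint32_t ksize_t;

struct sem_model {
    uint16_t semval, sempid, semncnt, semzcnt;  /* pid narrowed on purpose */
};

/* Size exactly as the vulnerable sys_semget() computed it: wraps silently. */
ksize_t vulnerable_alloc_size(int nsems)
{
    return (ksize_t)nsems * (ksize_t)sizeof(struct sem_model);
}

/* The int-to-short narrowing the advisory flags: sem_nsems = nsems. */
uint16_t stored_sem_nsems(int nsems)
{
    return (uint16_t)nsems;
}

/* Hardened sizing: the patch's 0xffff bound on the sysctl-tunable limit,
 * sys_semget()'s own range check, then an explicit check that the
 * multiplication cannot wrap. Returns 0 and sets *out, else an errno value. */
int checked_alloc_size(int nsems, int semmsl, ksize_t *out)
{
    if (semmsl < 0 || semmsl > 0xffff)
        return EINVAL;                  /* what the fix rejects in sysctl */
    if (nsems <= 0 || nsems > semmsl)
        return EINVAL;                  /* original range check */
    if ((ksize_t)nsems > UINT32_MAX / (ksize_t)sizeof(struct sem_model))
        return ENOMEM;                  /* product would wrap: refuse */
    *out = (ksize_t)nsems * (ksize_t)sizeof(struct sem_model);
    return 0;
}

int main(void)
{
    ksize_t out;
    int nsems = 0x20000001;             /* constructed: 0x20000001 * 8 wraps to 8 */
    printf("vulnerable size: %u bytes for %d semaphores\n",
           vulnerable_alloc_size(nsems), nsems);
    printf("sem_nsems would store %u\n", stored_sem_nsems(nsems));
    printf("checked_alloc_size -> errno %d\n",
           checked_alloc_size(nsems, 0x7fffffff, &out));
    return 0;
}
```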

This condition may be reproduced using the attached programs, allowing
root to inspect and modify kernel memory.

None, don't trust securelevel(7) to protect your kernel.

Upgrade to -current or apply the following patch:

RCS file: /usr/OpenBSD/cvs/src/sys/kern/sysv_sem.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
- --- src/sys/kern/sysv_sem.c	2003/08/20 18:02:20	1.20
+++ src/sys/kern/sysv_sem.c	2003/09/09 18:57:36	1.21
@@ -1,4 +1,4 @@
- -/*	$OpenBSD: sysv_sem.c,v 1.20 2003/08/20 18:02:20 millert Exp $	*/
+/*	$OpenBSD: sysv_sem.c,v 1.21 2003/09/09 18:57:36 tedu Exp $	*/
 /*	$NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $	*/
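Review bot: the "- -" at the start of the removed line (and the "- ---" on the file header above) is PGP clearsign dash-escaping, not part of the diff; the patch as pasted will not apply to sysv_sem.c until the escaping is stripped. Beyond that this hunk only bumps the $OpenBSD$ id to 1.21.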

@@ -884,7 +884,7 @@
 		if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
 		    val == seminfo.semmns)
 			return (error);
- -		if (val < seminfo.semmns)
+		if (val < seminfo.semmns || val > 0xffff)
 			return (EINVAL);	/* can't decrease semmns */
 		seminfo.semmns = val;
 		return (0);
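Review bot: the new `val > 0xffff` bound on semmns is an unexplained magic number, and the trailing comment still reads `/* can't decrease semmns */`, which no longer describes the whole condition. Suggest a named constant or an extended comment stating why 0xffff: it keeps semmns, and therefore nsems (which must be at most semmns - semtot), within the 16-bit range of the short sem_nsems field the advisory mentions, so the `nsems * sizeof(struct sem)` product in sys_semget() cannot wrap.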
@@ -902,7 +902,7 @@
 		if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)) ||
 		    val == seminfo.semmsl)
 			return (error);
- -		if (val < seminfo.semmsl)
+		if (val < seminfo.semmsl || val > 0xffff)
 			return (EINVAL);	/* can't decrease semmsl */
 		seminfo.semmsl = val;
 		return (0);
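Review bot: the same `val > 0xffff` bound and the same stale comment `/* can't decrease semmsl */` are duplicated here for semmsl; factor the limit into one shared constant so the two sysctl cases cannot drift apart. Consider also checking the multiplication for overflow at the malloc site in sys_semget() itself, since that is where the wrap the advisory describes happens, rather than relying only on the sysctl caps.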

Discovered by: of isen

Thanks go to the OpenBSD team for an extremely fast response and fix.