Category:   OS (UNIX)  >   shmat Vendors:   OpenBSD
(OpenBSD Issues Fix) BSD shmat() Integer Overflow Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1008960
SecurityTracker URL:
CVE Reference:   CVE-2004-0114
Date:  Feb 6 2004
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.3, 3.4
Description:   An integer overflow was reported in the shmat() function in FreeBSD, NetBSD, and OpenBSD. A local user can gain elevated privileges on the target system.

Pine Digital Security reported that the flaw resides in 'sysv_shm.c', where the function fails to decrement a reference count when the vm_map_find function returns an error. A local user can call shmat(2) and specify an address that can trigger the flaw.

A local user can reportedly create a shared memory segment using shmget(2) and then create two separate mappings at two different locations using shmat(2). The local user can then make a large number of invalid calls to shmat(2) and then delete one of the mappings using shmdt(2) to trigger the exception. Then, to gain elevated privileges, a binary with set user id (setuid) privileges can be run to reuse the incorrectly freed memory and write arbitrary code onto the stack.
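The defect described above is a classic reference-count leak on an error path: the attach count is raised before the mapping step, and the failing branch returns without lowering it again. The following C model is an added illustration, not code from OpenBSD's sysv_shm.c or from Pine Digital Security's report. Everything in it is assumed for the purpose of the example: the struct and function names (shm_segment, model_map_find, shmat_buggy, shmat_fixed, shmdt_model, run_scenario), the rule that odd addresses make the map step fail, and the 16-bit width of the attach counter, which is what makes the count wrap after 65535 failed calls in the model. It replays the sequence the advisory describes (two good attaches, many failing attaches, one detach) against both the buggy and the corrected pattern, so the effect of the one-line fix is visible in the resulting count.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a SysV shared-memory segment. The attach counter is an
 * unsigned short here by assumption, to show how leaked references can wrap;
 * the real field width is not stated on the page. */
struct shm_segment {
    unsigned short nattch;  /* live attachments; stands in for shm_nattch */
    bool freed;             /* set once the last detach releases the segment */
};

/* Hypothetical stand-in for vm_map_find(): rejects odd (unaligned) addresses. */
static int model_map_find(unsigned long addr)
{
    return (addr & 1UL) ? -1 : 0;
}

/* Vulnerable pattern: the attach count is bumped before mapping, and the
 * error return leaves it bumped, so every failed call leaks one reference. */
int shmat_buggy(struct shm_segment *seg, unsigned long addr)
{
    seg->nattch++;
    if (model_map_find(addr) != 0)
        return -1;          /* bug: nattch is not decremented on this path */
    return 0;
}

/* Fixed pattern: the error path gives back the reference it took. */
int shmat_fixed(struct shm_segment *seg, unsigned long addr)
{
    seg->nattch++;
    if (model_map_find(addr) != 0) {
        seg->nattch--;      /* fix: undo the increment before returning */
        return -1;
    }
    return 0;
}

/* shmdt()-like detach: drops one attachment and frees the segment at zero. */
void shmdt_model(struct shm_segment *seg)
{
    if (--seg->nattch == 0)
        seg->freed = true;
}

/* Replays the sequence from the advisory against one shmat() variant:
 * two successful attaches, `bad_calls` attaches at an invalid address,
 * then a single detach. The returned segment shows whether it was freed
 * while a mapping was still attached. */
struct shm_segment run_scenario(int (*attach)(struct shm_segment *, unsigned long),
                                unsigned long bad_calls)
{
    struct shm_segment seg = { 0, false };
    attach(&seg, 0x1000UL);                 /* first mapping  */
    attach(&seg, 0x2000UL);                 /* second mapping */
    for (unsigned long i = 0; i < bad_calls; i++)
        (void)attach(&seg, 0x3001UL);       /* odd address: map step fails */
    shmdt_model(&seg);                      /* detach one of the two mappings */
    return seg;
}

int main(void)
{
    /* 65535 failed calls wrap a 16-bit count from 2 back to 1, so the
     * single detach then frees a segment that still has one live mapping. */
    struct shm_segment b = run_scenario(shmat_buggy, 65535UL);
    struct shm_segment f = run_scenario(shmat_fixed, 65535UL);
    printf("buggy: nattch=%u freed=%d\n", (unsigned)b.nattch, (int)b.freed);
    printf("fixed: nattch=%u freed=%d\n", (unsigned)f.nattch, (int)f.freed);
    return 0;
}
```

With a handful of failed calls the buggy variant merely leaves the count too high (2 good attaches plus 3 failures and one detach leaves 4 instead of 1); it is the wrap of the leaked count that turns the leak into a free of a still-mapped segment, which is the condition the advisory's setuid step relies on. The corrected variant leaves the count at 1 after the detach regardless of how many attaches failed, which is the invariant a reviewer should check on every error return after a refcount increment.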

The vendor was reportedly notified on February 1, 2004.

Impact:   A local user can execute arbitrary code with elevated privileges.
Solution:   OpenBSD has released patches for OpenBSD 3.4 and 3.3, available at:

The fix is also available in OpenBSD-current and 3.3 and 3.4 -stable branches.

Vendor URL:
Cause:   Boundary error

Message History:   This archive entry is a follow-up to the message listed below.
Feb 5 2004 BSD shmat() Integer Overflow Lets Local Users Gain Elevated Privileges

 Source Message Contents

Subject:  Reference counting bug in shmat(2)

A reference counting bug exists in the shmat(2) system call that
could be used by an attacker to write to kernel memory under certain

The bug, found by Joost Pol, could be used to gain elevated privileges
and has been successfully exploited under FreeBSD.

Patches for OpenBSD 3.4 and 3.3 respectively are also available:

The patch is already present in OpenBSD-current as well as in the
3.3 and 3.4 -stable branches.

For more information on the bug, see Joost Pol's description at:


