From owner-doc-jp@jp.freebsd.org  Sat May 27 13:15:12 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id NAA89955;
	Sat, 27 May 2000 13:15:12 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from iris.dti.ne.jp (PPP43.sendai-ap2.dti.ne.jp [210.170.212.43])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id NAA89950
	for <doc-jp@jp.freebsd.org>; Sat, 27 May 2000 13:15:09 +0900 (JST)
	(envelope-from dais@iris.dti.ne.jp)
Received: (from dais@localhost)
	by iris.dti.ne.jp (8.9.3/8.8.8) id NAA10581;
	Sat, 27 May 2000 13:11:18 +0900 (JST)
	(envelope-from dais)
Date: Sat, 27 May 2000 13:11:18 +0900 (JST)
Message-Id: <200005270411.NAA10581@iris.dti.ne.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000526173223.4DB1C37BE94@hub.freebsd.org>
References: <20000526173223.4DB1C37BE94@hub.freebsd.org>
From: dais@iris.dti.ne.jp (Daisuke Higashi)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
X-Mailer: mnews [version 1.21PL5] 1999-04/04(Sun)
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7412
Subject: [doc-jp 7412] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:19.semconfig
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: dais@iris.dti.ne.jp

Hello, my name is Higashi.
This is FreeBSD-SA-00:19.semconfig. I had some free time, so I took the liberty of translating it.

By the way, I am not actually a doc-jp member (?), so I wonder whether it was all right
for me to write "the Japanese translation is provided by the FreeBSD Japanese Documentation
Project (doc-jp) for reference purposes".
For what it's worth, I followed the style used by Sato-san of Tokyo University of Science.

------------

This mail is a Japanese translation of the following message, which was posted to announce-jp:

 Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:19.semconfig
 From: FreeBSD Security Officer <security-officer@freebsd.org>
 Date: Fri, 26 May 2000 10:32:23 -0700 (PDT)
 Message-Id: <20000526173223.4DB1C37BE94@hub.freebsd.org>
 X-Sequence: announce-jp 448

$B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,!"$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
$B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
$B9T$J$&$K$O!"86J8$r;2>H$7$F$/$@$5$$(B. 

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,;29M$N(B
$B$?$a$KDs6!$9$k$b$N$G!"(Bdoc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
$BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.freebsd.org $B$^$G$*4j$$$7$^$9(B.


=============================================================================
FreeBSD-SA-00:19                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:        $B%m!<%+%k%f!<%6$,$9$Y$F$N%W%m%;%9$N=*N;$rAK;_$G$-$k(B
$BJ,N`(B:            core
$B%b%8%e!<%k(B:      kernel
$B9pCNF|(B:          2000-05-26
$B%/%l%8%C%H(B:      Peter Wemm <peter@FreeBSD.org>
$B1F6AHO0O(B:        $B$9$Y$F$N%P!<%8%g%s$N(B FreeBSD$B!"(BNetBSD $B$*$h$S(B OpenBSD $B$r4^$`(B
                 386BSD $BM3Mh$N(BOS 
$B=$@5F|(B:          2000-05-01
FreeBSD$B$K8GM-$+(B: NO
$B%Q%C%A(B:          ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:19/semconfig.patch


I.   $BGX7J(B - Background

System V IPC is a set of interfaces for providing inter-process
communication, in the form of shared memory segments, message queues
and semaphores. These are managed in user-space by ipcs(1) and
related utilities.

System V IPC $B$O!"%W%m%;%94VDL?.$r6&M-%a%b%j%;%0%a%s%H!"(B
$B%a%C%;!<%8%-%e!<!"%;%^%U%)$N7A$GDs6!$9$k%$%s%?%U%'%$%972$G$9!#(B
$B$3$l$i$O!"%f!<%66u4V$K$*$$$F$O(B ipcs(1) $B$*$h$S4XO"%f!<%F%#%j%F%#$G(B
$B@)8f$5$l$^$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

An undocumented system call is incorrectly exported from the kernel
without access-control checks. This operation causes the acquisition
in the kernel of a global semaphore which causes all processes on the
system to block during exit() handling, thereby preventing any process
from exiting until the corresponding "unblock" system call is issued.


This operation was intended for use only by ipcs(1) to atomically
sample the state of System V IPC resources on the system (i.e., to
ensure that resources are not allocated or deallocated during the
process of sampling itself).

In the future, this functionality may be reimplemented as a sysctl()
node.



III. $B1F6AHO0O(B - Impact

An unprivileged local user can cause every process on the system to
hang during exiting. In other words, after the system call is issued,
no process on the system will be able to exit completely until another
user issues the "unblock" call or the system is rebooted. This is a
denial-of-service attack.

$BHsFC8"%f!<%6$,%7%9%F%`>e$N$9$Y$F$N%W%m%;%9$KBP$7$F(B
$B$=$N=*N;=hM}Cf$K%O%s%0$5$;$k$3$H$,$G$-$^$9!#(B
$B8@$$BX$($l$P!"$=$N%7%9%F%`%3!<%k$,H/9T$5$l$?8e$K(B
$BB>$N%f!<%6$,!V%"%s%V%m%C%/!W$9$k%7%9%F%`%3!<%k$rH/9T$9$k$+(B
$B%7%9%F%`$r%j%V!<%H$9$k$^$G!"$9$Y$F$N%W%m%;%9$O=*N;$9$k$3$H$,(B
$B$G$-$J$/$J$k$G$7$g$&!#$3$l$O%5!<%S%9ITG=967b$G$9!#(B

IV.  $BBP1~:v(B - Workaround

None available.

$B$"$j$^$;$s!#(B

V.   $B=$@5=hCV(B - Solution  

Upgrade to FreeBSD 2.1.7.1-STABLE, 2.2.8-STABLE, 3.4-STABLE,
4.0-STABLE or 5.0-CURRENT after the correction date.

Alternatively, apply the following patch and rebuild the kernel and
the src/usr.bin/ipcs utility. This patch removes the semconfig()
syscall. It has been tested to apply cleanly against 3.4-RELEASE,
3.4-STABLE, 4.0-RELEASE and 4.0-STABLE systems.

$B=$@5F|0J9_$K(B FreeBSD 2.1.7.1-STABLE$B!"(B2.2.8-STABLE$B!"(B3.4-STABLE$B!"(B4.0-STABLE
$B$^$?$O(B 5.0-CURRENT $B$X%"%C%W%0%l!<%I$7$F$/$@$5$$!#(B

$B$"$k$$$O!"<!$N%Q%C%A$rE,MQ$7$F%+!<%M%k$H(B src/usr.bin/ipcs $B%f!<%F%#%j%F%#(B
$B$r%j%S%k%I$7$F$/$@$5$$!#$3$N%Q%C%A$O(B semconfig() $B%7%9%F%`%3!<%k$r(B
$B:o=|$7$^$9!#$3$N%Q%C%A$O!"(B3.4-RELEASE$B!"(B3.4-STABLE$B!"(B4.0-RELEASE $B$*$h$S(B
4.0-STABLE $B$KBP$7$F@5$7$/E,MQ$5$l$k$3$H$,3NG'$5$l$F$$$^$9!#(B

1) Save this advisory as a file, and run the following commands as root:


# cd /usr/src
# patch -p < /path/to/advisory
# cd usr.bin/ipcs
# make all install

($BLuCm(B: /path/to/advisory $B$O%;!<%V$7$?4+9p%U%!%$%k(B)

2) Rebuild and reinstall the kernel and kernel modules as described in
the FreeBSD handbook (see:
http://www.freebsd.org/handbook/kernelconfig.html for more information)

2) FreeBSD $B%O%s%I%V%C%/(B
($B>\:Y$O(B http://www.freebsd.org/handbook/kernelconfig.html) $B$N@bL@$N(B
$BDL$j$K%+!<%M%k$H%+!<%M%k%b%8%e!<%k$r%j%S%k%I$7!"%$%s%9%H!<%k$7$F$/$@$5$$!#(B


3) Reboot the system


Patches for FreeBSD systems before the resolution date:
$B=$@5F|0JA0$N(BFreeBSD $B%7%9%F%`$KBP$9$k%Q%C%A$O<!$NDL$j$G$9(B:

($B0J2<N,(B)

