Message-Id: <200005271338.WAA23170@mail.geocities.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <200005270411.NAA10581@iris.dti.ne.jp>
References: <20000526173223.4DB1C37BE94@hub.freebsd.org>
	<200005270411.NAA10581@iris.dti.ne.jp>
Date: Sat, 27 May 2000 22:05:22 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
Subject: [doc-jp 7416] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:19.semconfig

This is Sato at Tokyo University of Science.

dais@iris.dti.ne.jp (Daisuke Higashi) wrote
 in <200005270411.NAA10581@iris.dti.ne.jp>:

> Nice to meet you, my name is Higashi.
> This is FreeBSD-SA-00:19.semconfig. I had some free time, so I took the liberty of translating it.

 Thank you for your work. Much of this is a matter of taste, but I have given it a quick review.

> II.  $BLdBj$N>\:Y(B - Problem Description
> 
> An undocumented system call is incorrectly exported from the kernel
> without access-control checks. This operation causes the acquisition
> in the kernel of a global semaphore which causes all processes on the
> system to block during exit() handling, thereby preventing any process
> from exiting until the corresponding "unblock" system call is issued.
> 
> An undocumented system call is improperly exported without
> going through access-control checks.
> The operation of this system call makes it possible to acquire
> a global semaphore that blocks all processes on the system
> during exit() handling, and this makes it possible to prevent
> every process from exiting until the corresponding
> "unblock" system call is issued.

 |A certain undocumented system call is improperly exported outside
 |the kernel without access-control checks.
 |This system call acquires, inside the kernel, a global
 |semaphore that causes every process on the system to block
 |during exit() handling.  As a result,
 |until the corresponding "unblock" system call is issued,
 |all processes fall into a state in which they cannot exit.

> This operation was intended for use only by ipcs(1) to atomically
> sample the state of System V IPC resources on the system (i.e., to
> ensure that resources are not allocated or deallocated during the
> process of sampling itself).
> 
> In the future, this functionality may be reimplemented as a sysctl()
> node.
> 
> The operation of this system call was intended to be used only
> by ipcs(1), in order to atomically sample the state of
> System V IPC resources on the system.
> (That is, to guarantee that resources are not allocated or
> released during its own sampling processing.)

 itself $B$O(B the process $B$r;X$9$H;W$$$^$9!#(B
 $B%5%s%W%j%s%0$O0UL#$,$o$+$j$K$/$$$N$GJQ$($F$$$^$9!#(B

 |The behavior of this system call was designed to be used only by
 |ipcs(1), in order to atomically examine the state of System V IPC
 |resources on the system. (That is, to guarantee that resources are not
 |allocated or released during the examination process.)

> III. $B1F6AHO0O(B - Impact
> 
> An unprivileged local user can cause every process on the system to
> hang during exiting. In other words, after the system call is issued,
> no process on the system will be able to exit completely until another
> user issues the "unblock" call or the system is rebooted. This is a
> denial-of-service attack.
> 
> An unprivileged user can make every process on the system
> hang during its exit processing.
> In other words, after that system call is issued,
> until another user issues the "unblock" system call
> or the system is rebooted, all processes will probably
> be unable to exit. This is a denial-of-service attack.

 Likewise, I have changed "hang" and "reboot".

 |An unprivileged user can cause every process on the system
 |to stop processing during its exit processing.
 |In other words, after that system call is issued, no process
 |can exit until another user issues the "unblock" system call
 |or the system is restarted.
 |This is a denial-of-service attack.

 Other than that, the punctuation is inconsistent, so once that is
 made uniform I think it is OK.

--
| Hiroki Sato @ Tokyo University of Science <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)
