Date: Sat, 30 Aug 2003 19:07:46 -0700 (PDT)
From: ned <nd@felinemenace.org.>
To: [email protected], [email protected]Subject: OpenBSD 3.2 Kthread Madness
Cc: [email protected], [email protected]
OPENBSD 3.2 - \3.2\sys\kern\kern_kthread.c
Ohk, here is the function:
int
kthread_create(void (*func)(void *), void *arg,
struct proc **newpp, const char *fmt, ...) <---- where the data is
{
struct proc *p2; <--------- New proc struct
register_t rv[2];
int error;
va_list ap;
/*
* First, create the new process. Share the memory, file
* descriptors and don't leave the exit status around for the
* parent to wait for.
*/
error = fork1(&proc0, 0,
FORK_SHAREVM|FORK_NOZOMBIE|FORK_SIGHAND, NULL, 0, func, arg,
rv);
if (error)
return (error);
p2 = pfind(rv[0]);
/*
* Mark it as a system process and not a candidate for
* swapping.
*/
p2->p_flag |= P_INMEM | P_SYSTEM; /* XXX */
/* Name it as specified. */
va_start(ap, fmt);
vsprintf(p2->p_comm, fmt, ap); <--- HELLO!
va_end(ap);
/* All done! */
if (newpp != NULL)
*newpp = p2;
return (0);
}
some notes:
- proc.h defines p_comm for a size of MAXCOMLEN+1
- MAXCOMLEN is defined in param.h as 16.
- This gives use 17 bytes to overflow.
but how? you wont be able to do it from user-land (i presume) and the only
way i can imagine this being done is via a LKM. but then i realise that
you need root to do anything associated with lkm's. so the chances of
actually exploiting it, comes down to modifying a call in init_main.c and
watvhing your system not power up!
for patch wise..is there a vslprintf i can stick in there?
- nd
--
http://felinemenace.org/~nd