From owner-announce-jp@jp.freebsd.org  Mon May 29 08:28:30 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id IAA53109;
	Mon, 29 May 2000 08:28:30 +0900 (JST)
	(envelope-from owner-announce-jp@jp.FreeBSD.org)
Date: Mon, 29 May 2000 06:42:38 +0900 (JST)
Message-Id: <200005282142.GAA01046@iris.dti.ne.jp>
To: announce-jp@jp.FreeBSD.org
From: dais@iris.dti.ne.jp (Daisuke Higashi)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
X-Mailer: mnews [version 1.21PL5] 1999-04/04(Sun)
X-ML-maintainer: owner-announce-jp@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: announce-jp 451
Subject: Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:19.semconfig
Errors-To: owner-announce-jp@jp.freebsd.org
Sender: owner-announce-jp@jp.freebsd.org


このメールは, announce-jp に流れた

 Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:19.semconfig
 From: FreeBSD Security Officer <security-officer@freebsd.org>
 Date: Fri, 26 May 2000 10:32:23 -0700 (PDT)
 Message-Id: <20000526173223.4DB1C37BE94@hub.freebsd.org>
 X-Sequence: announce-jp 448

を日本語訳したものです.

原文は PGP 署名されていますが, この日本語訳は PGP 署名されていません.
パッチ等の内容が改竄されていないことを確認するために PGP のチェックを
行なうには, 原文を参照してください.

日本語訳は FreeBSD 日本語ドキュメンテーションプロジェクト(doc-jp)が参考の
ために提供するもので, doc-jp は その内容についていかなる保証もいたしません.
日本語訳についてのお問い合わせは doc-jp@jp.freebsd.org までお願いします.


=============================================================================
FreeBSD-SA-00:19                                           Security Advisory
                                                                FreeBSD, Inc.

トピック:        ローカルユーザがすべてのプロセスの終了を阻止できる
分類:            core
モジュール:      kernel
告知日:          2000-05-26
クレジット:      Peter Wemm <peter@FreeBSD.org>
影響範囲:        すべてのバージョンの FreeBSD, NetBSD および OpenBSD を含む
                 386BSD 由来のOS
                 (訳注: NetBSD と OpenBSD はこの問題がすでに修正されて
                        いるという報告があります.
                http://mail-index.netbsd.org/current-users/2000/05/26/0029.html
                http://www.openbsd.org/errata26.html#semconfig
                        を参照してください.)
修正日:          2000-05-01
FreeBSDに固有か: NO
パッチ:          ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:19/semconfig.patch


I.   $BGX7J(B - Background

System V IPC は, プロセス間通信を共有メモリセグメント,
メッセージキュー, セマフォの形で提供するインタフェイス群です.
これらは, ユーザ空間においては ipcs(1) および関連ユーティリティで
制御されます.

II.  $BLdBj$N>\:Y(B - Problem Description

ある文書化されていないシステムコールが, アクセス制御のチェックなしに
カーネルの外に不正にエクスポートされています.
このシステムコールは, システム上にあるすべてのプロセスを
exit() の処理の際にブロックさせるような, グローバルな
セマフォをカーネル内で取得します.  その結果,
対応する「アンブロック」システムコールが発行されるまで,
すべてのプロセスは終了できない状態に陥ります.

このシステムコールの動作は, システム上にある System V IPC リソースの
状態をアトミックに調査するために, ipcs(1) によってのみ利用されるように
設計されたものです. (すなわち, 調査処理の間に, リソースが割り当てられたり
解放されたりしないことを保証するためです.)

$B>-Mh(B, $B$3$N5!G=$O(B sysctl() $B$N%N!<%I$H$7$F:F<BAu$5$l$k$G$7$g$&(B.

III. $B1F6AHO0O(B - Impact

ローカルの非特権ユーザは, システム上のすべてのプロセスに対して
その終了処理中に, 処理を停止させることができます.
言い換えれば, すべてのプロセスは, そのシステムコールが発行された後に
他のユーザが「アンブロック」するシステムコールを発行するか
システムを再起動するまで終了できなくなります.
これはサービス不能攻撃です.

IV.  $BBP1~:v(B - Workaround

ありません.

V.   $B=$@5=hCV(B - Solution  

修正日以降の FreeBSD 2.1.7.1-STABLE, 2.2.8-STABLE, 3.4-STABLE, 4.0-STABLE
または 5.0-CURRENT へアップグレードしてください.

あるいは, 次のパッチを適用してカーネルと src/usr.bin/ipcs ユーティリティ
を再構築してください. このパッチは semconfig() システムコールを
削除します. このパッチは, 3.4-RELEASE, 3.4-STABLE, 4.0-RELEASE および
4.0-STABLE に対して正しく適用されることが確認されています.

1) この告知をファイルにセーブし, root で次のコマンドを実行してください:

# cd /usr/src
# patch -p < /path/to/advisory
# cd usr.bin/ipcs
# make all install

($BLuCm(B: /path/to/advisory $B$O%;!<%V$7$?%U%!%$%k(B)

2) FreeBSD ハンドブック
(詳細は http://www.freebsd.org/handbook/kernelconfig.html) の説明の
通りにカーネルとカーネルモジュールを再構築し, インストールしてください.

3) システムを再起動してください.

修正日以前のFreeBSD システムに対するパッチは次の通りです:

    --- sys/kern/syscalls.master	2000/01/19 06:01:07	1.72
    +++ sys/kern/syscalls.master	2000/05/01 11:15:10	1.72.2.1
    @@ -342,7 +342,7 @@
     221	STD	BSD	{ int semget(key_t key, int nsems, int semflg); }
     222	STD	BSD	{ int semop(int semid, struct sembuf *sops, \
     			    u_int nsops); }
    -223	STD	BSD	{ int semconfig(int flag); }
    +223	UNIMPL	NOHIDE	semconfig
     224	STD	BSD	{ int msgctl(int msqid, int cmd, \
     			    struct msqid_ds *buf); }
     225	STD	BSD	{ int msgget(key_t key, int msgflg); }
    --- sys/kern/init_sysent.c	2000/01/19 06:02:29	1.79
    +++ sys/kern/init_sysent.c	2000/05/01 11:15:56	1.79.2.1
    @@ -243,7 +243,7 @@
     	{ 4, (sy_call_t *)__semctl },			/* 220 = __semctl */
     	{ 3, (sy_call_t *)semget },			/* 221 = semget */
     	{ 3, (sy_call_t *)semop },			/* 222 = semop */
    -	{ 1, (sy_call_t *)semconfig },			/* 223 = semconfig */
    +	{ 0, (sy_call_t *)nosys },			/* 223 = semconfig */
     	{ 3, (sy_call_t *)msgctl },			/* 224 = msgctl */
     	{ 2, (sy_call_t *)msgget },			/* 225 = msgget */
     	{ 4, (sy_call_t *)msgsnd },			/* 226 = msgsnd */
    --- sys/kern/syscalls.c	2000/01/19 06:02:29	1.71
    +++ sys/kern/syscalls.c	2000/05/01 11:15:56	1.71.2.1
    @@ -230,7 +230,7 @@
     	"__semctl",			/* 220 = __semctl */
     	"semget",			/* 221 = semget */
     	"semop",			/* 222 = semop */
    -	"semconfig",			/* 223 = semconfig */
    +	"#223",			/* 223 = semconfig */
     	"msgctl",			/* 224 = msgctl */
     	"msgget",			/* 225 = msgget */
     	"msgsnd",			/* 226 = msgsnd */
    --- sys/kern/sysv_ipc.c	2000/02/29 22:58:59	1.13
    +++ sys/kern/sysv_ipc.c	2000/05/01 11:15:56	1.13.2.1
    @@ -107,15 +107,6 @@
     semsys(p, uap)
     	struct proc *p;
     	struct semsys_args *uap;
    -{
    -	sysv_nosys(p, "SYSVSEM");
    -	return nosys(p, (struct nosys_args *)uap);
    -};
    -
    -int
    -semconfig(p, uap)
    -	struct proc *p;
    -	struct semconfig_args *uap;
     {
     	sysv_nosys(p, "SYSVSEM");
     	return nosys(p, (struct nosys_args *)uap);
    --- sys/kern/sysv_sem.c	2000/04/02 08:47:08	1.24.2.1
    +++ sys/kern/sysv_sem.c	2000/05/01 11:15:56	1.24.2.2
    @@ -26,8 +26,6 @@
     int semget __P((struct proc *p, struct semget_args *uap));
     struct semop_args;
     int semop __P((struct proc *p, struct semop_args *uap));
    -struct semconfig_args;
    -int semconfig __P((struct proc *p, struct semconfig_args *uap));
     #endif
     
     static struct sem_undo *semu_alloc __P((struct proc *p));
    @@ -38,7 +36,7 @@
     /* XXX casting to (sy_call_t *) is bogus, as usual. */
     static sy_call_t *semcalls[] = {
     	(sy_call_t *)__semctl, (sy_call_t *)semget,
    -	(sy_call_t *)semop, (sy_call_t *)semconfig
    +	(sy_call_t *)semop
     };
     
     static int	semtot = 0;
    @@ -47,8 +45,6 @@
     static struct sem_undo *semu_list; 	/* list of active undo structures */
     int	*semu;			/* undo structure pool */
     
    -static struct proc *semlock_holder = NULL;
    -
     void
     seminit(dummy)
     	void *dummy;
    @@ -87,64 +83,12 @@
     	} */ *uap;
     {
     
    -	while (semlock_holder != NULL && semlock_holder != p)
    -		(void) tsleep((caddr_t)&semlock_holder, (PZERO - 4), "semsys", 0);
    -
     	if (uap->which >= sizeof(semcalls)/sizeof(semcalls[0]))
     		return (EINVAL);
     	return ((*semcalls[uap->which])(p, &uap->a2));
     }
     
     /*
    - * Lock or unlock the entire semaphore facility.
    - *
    - * This will probably eventually evolve into a general purpose semaphore
    - * facility status enquiry mechanism (I don't like the "read /dev/kmem"
    - * approach currently taken by ipcs and the amount of info that we want
    - * to be able to extract for ipcs is probably beyond what the capability
    - * of the getkerninfo facility.
    - *
    - * At the time that the current version of semconfig was written, ipcs is
    - * the only user of the semconfig facility.  It uses it to ensure that the
    - * semaphore facility data structures remain static while it fishes around
    - * in /dev/kmem.
    - */
    -
    -#ifndef _SYS_SYSPROTO_H_
    -struct semconfig_args {
    -	semconfig_ctl_t	flag;
    -};
    -#endif
    -
    -int
    -semconfig(p, uap)
    -	struct proc *p;
    -	struct semconfig_args *uap;
    -{
    -	int eval = 0;
    -
    -	switch (uap->flag) {
    -	case SEM_CONFIG_FREEZE:
    -		semlock_holder = p;
    -		break;
    -
    -	case SEM_CONFIG_THAW:
    -		semlock_holder = NULL;
    -		wakeup((caddr_t)&semlock_holder);
    -		break;
    -
    -	default:
    -		printf("semconfig: unknown flag parameter value (%d) - ignored\n",
    -		    uap->flag);
    -		eval = EINVAL;
    -		break;
    -	}
    -
    -	p->p_retval[0] = 0;
    -	return(eval);
    -}
    -
    -/*
      * Allocate a new sem_undo structure for a process
      * (returns ptr to structure or NULL if no more room)
      */
    @@ -873,17 +817,6 @@
     	register struct sem_undo **supptr;
     	int did_something;
     
    -	/*
    -	 * If somebody else is holding the global semaphore facility lock
    -	 * then sleep until it is released.
    -	 */
    -	while (semlock_holder != NULL && semlock_holder != p) {
    -#ifdef SEM_DEBUG
    -		printf("semaphore facility locked - sleeping ...\n");
    -#endif
    -		(void) tsleep((caddr_t)&semlock_holder, (PZERO - 4), "semext", 0);
    -	}
    -
     	did_something = 0;
     
     	/*
    @@ -898,7 +831,7 @@
     	}
     
     	if (suptr == NULL)
    -		goto unlock;
    +		return;
     
     #ifdef SEM_DEBUG
     	printf("proc @%08x has undo structure with %d entries\n", p,
    @@ -955,14 +888,4 @@
     #endif
     	suptr->un_proc = NULL;
     	*supptr = suptr->un_next;
    -
    -unlock:
    -	/*
    -	 * If the exiting process is holding the global semaphore facility
    -	 * lock then release it.
    -	 */
    -	if (semlock_holder == p) {
    -		semlock_holder = NULL;
    -		wakeup((caddr_t)&semlock_holder);
    -	}
     }

    --- sys/sys/sem.h	1999/12/29 04:24:46	1.20
    +++ sys/sys/sem.h	2000/05/01 11:15:58	1.20.2.1
    @@ -163,13 +163,5 @@
      * Process sem_undo vectors at proc exit.
      */
     void	semexit __P((struct proc *p));
    -
    -/*
    - * Parameters to the semconfig system call
    - */
    -typedef enum {
    -	SEM_CONFIG_FREEZE,	/* Freeze the semaphore facility. */
    -	SEM_CONFIG_THAW		/* Thaw the semaphore facility. */
    -} semconfig_ctl_t;
     #endif /* _KERNEL */
     
    --- sys/sys/syscall-hide.h	2000/01/19 06:02:31	1.65
    +++ sys/sys/syscall-hide.h	2000/05/01 11:15:58	1.65.2.1
    @@ -191,7 +191,6 @@
     HIDE_BSD(__semctl)
     HIDE_BSD(semget)
     HIDE_BSD(semop)
    -HIDE_BSD(semconfig)
     HIDE_BSD(msgctl)
     HIDE_BSD(msgget)
     HIDE_BSD(msgsnd)
    --- sys/sys/syscall.h	2000/01/19 06:02:31	1.69
    +++ sys/sys/syscall.h	2000/05/01 11:15:59	1.69.2.1
    @@ -196,7 +196,6 @@
     #define	SYS___semctl	220
     #define	SYS_semget	221
     #define	SYS_semop	222
    -#define	SYS_semconfig	223
     #define	SYS_msgctl	224
     #define	SYS_msgget	225
     #define	SYS_msgsnd	226
    --- sys/sys/syscall.mk	2000/01/19 06:07:34	1.23
    +++ sys/sys/syscall.mk	2000/05/01 11:15:59	1.23.2.1
    @@ -148,7 +148,6 @@
     	__semctl.o \
     	semget.o \
     	semop.o \
    -	semconfig.o \
     	msgctl.o \
     	msgget.o \
     	msgsnd.o \
    --- sys/sys/sysproto.h	2000/01/19 06:02:31	1.59
    +++ sys/sys/sysproto.h	2000/05/01 11:16:00	1.59.2.1
    @@ -662,9 +662,6 @@
     	struct sembuf *	sops;	char sops_[PAD_(struct sembuf *)];
     	u_int	nsops;	char nsops_[PAD_(u_int)];
     };
    -struct	semconfig_args {
    -	int	flag;	char flag_[PAD_(int)];
    -};
     struct	msgctl_args {
     	int	msqid;	char msqid_[PAD_(int)];
     	int	cmd;	char cmd_[PAD_(int)];
    @@ -1158,7 +1155,6 @@
     int	__semctl __P((struct proc *, struct __semctl_args *));
     int	semget __P((struct proc *, struct semget_args *));
     int	semop __P((struct proc *, struct semop_args *));
    -int	semconfig __P((struct proc *, struct semconfig_args *));
     int	msgctl __P((struct proc *, struct msgctl_args *));
     int	msgget __P((struct proc *, struct msgget_args *));
     int	msgsnd __P((struct proc *, struct msgsnd_args *));
    --- usr.bin/ipcs/ipcs.c	1999/12/29 05:05:32	1.12
    +++ usr.bin/ipcs/ipcs.c	2000/05/01 10:51:37	1.12.2.1
    @@ -56,7 +56,6 @@
     struct shminfo	shminfo;
     struct shmid_ds	*shmsegs;
     
    -int	semconfig __P((int,...));
     void	usage __P((void));
     
     static struct nlist symbols[] = {
    @@ -420,11 +419,6 @@
     			    seminfo.semaem);
     		}
     		if (display & SEMINFO) {
    -			if (semconfig(SEM_CONFIG_FREEZE) != 0) {
    -				perror("semconfig");
    -				fprintf(stderr,
    -				    "Can't lock semaphore facility - winging it...\n");
    -			}
     			kvm_read(kd, symbols[X_SEMA].n_value, &sema, sizeof(sema));
     			xsema = malloc(sizeof(struct semid_ds) * seminfo.semmni);
     			kvm_read(kd, (u_long) sema, xsema, sizeof(struct semid_ds) * seminfo.semmni);
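Review bot: The `malloc` on the line after the first `kvm_read` is still handed to the second `kvm_read` unchecked, so an allocation failure passes a NULL destination into the kernel-memory copy; add `if (xsema == NULL) { perror("malloc"); exit(1); }` before the second `kvm_read`, matching the `perror`-style reporting the removed block used. Neither `kvm_read` return value is checked either, so a short read leaves `sema` or `xsema` partially filled and the display loop that follows (outside this hunk) prints whatever was in the buffer. With the freeze call gone, the `semmni` count, the `sema` pointer and the array copy are three separate reads with no consistency guarantee, which is the trade-off the advisory accepts; a comment on the first `kvm_read`, `/* no semconfig() freeze any more: these reads are not atomic w.r.t. the kernel */`, would stop the next reader from re-adding a lock here. The enclosing function begins and ends outside the hunk.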
    @@ -470,8 +464,6 @@
     					printf("\n");
     				}
     			}
    -
    -			(void) semconfig(SEM_CONFIG_THAW);
     
     			printf("\n");
     		}
