TUCoPS :: BSD :: bt969.txt

OpenBSD 3.2 Kthread Madness

OPENBSD 3.2 - \3.2\sys\kern\kern_kthread.c

Ohk, here is the function:

kthread_create(void (*func)(void *), void *arg,
    struct proc **newpp, const char *fmt, ...) <---- where the data is
	struct proc *p2; <--------- New proc struct
	register_t rv[2];
	int error;
	va_list ap;

	 * First, create the new process.  Share the memory, file
	 * descriptors and don't leave the exit status around for the
	 * parent to wait for.
	error = fork1(&proc0, 0,
	if (error)
		return (error);

	p2 = pfind(rv[0]);

	 * Mark it as a system process and not a candidate for
	 * swapping.
	p2->p_flag |= P_INMEM | P_SYSTEM;	/* XXX */

	/* Name it as specified. */
	va_start(ap, fmt);
	vsprintf(p2->p_comm, fmt, ap); <--- HELLO!

	/* All done! */
	if (newpp != NULL)
		*newpp = p2;
	return (0);

some notes:
- proc.h defines p_comm for a size of MAXCOMLEN+1
- MAXCOMLEN is defined in param.h as 16.
- This gives use 17 bytes to overflow.

but how? you wont be able to do it from user-land (i presume) and the only 
way i can imagine this being done is via a LKM. but then i realise that 
you need root to do anything associated with lkm's. so the chances of 
actually exploiting it, comes down to modifying a call in init_main.c and 
watvhing your system not power up!

for patch wise..is there a vslprintf i can stick in there?
 - nd


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH