OPENBSD 3.2 - \3.2\sys\kern\kern_kthread.c

Ok, here is the function:

int
kthread_create(void (*func)(void *), void *arg, struct proc **newpp,
    const char *fmt, ...)			/* <---- where the data is */
{
	struct proc *p2;			/* <--------- New proc struct */
	register_t rv[2];
	int error;
	va_list ap;

	/*
	 * First, create the new process.  Share the memory, file
	 * descriptors and don't leave the exit status around for the
	 * parent to wait for.
	 */
	error = fork1(&proc0, 0, FORK_SHAREVM|FORK_NOZOMBIE|FORK_SIGHAND,
	    NULL, 0, func, arg, rv);
	if (error)
		return (error);

	p2 = pfind(rv[0]);

	/*
	 * Mark it as a system process and not a candidate for
	 * swapping.
	 */
	p2->p_flag |= P_INMEM | P_SYSTEM;	/* XXX */

	/* Name it as specified. */
	va_start(ap, fmt);
	vsprintf(p2->p_comm, fmt, ap);		/* <--- HELLO! */
	va_end(ap);

	/* All done! */
	if (newpp != NULL)
		*newpp = p2;
	return (0);
}

Some notes:

- proc.h defines p_comm for a size of MAXCOMLEN+1
- MAXCOMLEN is defined in param.h as 16.
- This gives us 17 bytes to overflow.

But how? You won't be able to do it from user-land (I presume), and the only way I can imagine this being done is via an LKM. But then I realise that you need root to do anything associated with LKMs. So the chances of actually exploiting it come down to modifying a call in init_main.c and watching your system not power up!

Patch-wise, is there a vsnprintf I can stick in there?

- nd

--
http://felinemenace.org/~nd
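The fix the post asks about is the bounded form of the same call: format into p_comm with an explicit size so an over-long name is truncated instead of running past the 17-byte field. The following is an added user-space illustration of that pattern, not code from the post or from OpenBSD: it uses libc vsnprintf() against a stand-in struct (demo_proc, a hypothetical name) whose p_comm has the same MAXCOMLEN+1 size the post quotes, and reports whether truncation happened so a caller can detect names that would not have fit.

```c
/* Added example (not OpenBSD code): bounded naming into a 17-byte field. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXCOMLEN 16            /* value quoted from param.h in the post */

/* Hypothetical stand-in for the one field of struct proc that matters here. */
struct demo_proc {
    char p_comm[MAXCOMLEN + 1];
};

/*
 * Bounded replacement for the vsprintf() call: formats the name into dst,
 * writes at most dstlen bytes and always NUL-terminates.
 * Returns 0 if the whole name fit, 1 if it was truncated, -1 on a
 * formatting error, so the caller can log or reject over-long names.
 */
static int
set_comm_bounded(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    /* C99 vsnprintf returns the full untruncated length, excluding the NUL. */
    needed = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);

    if (needed < 0)
        return -1;
    return (size_t)needed >= dstlen ? 1 : 0;
}

/* Runs both cases on the stand-in buffer; returns the truncation flag of the long name. */
int
demo(void)
{
    struct demo_proc p;
    int truncated;

    memset(&p, 0, sizeof p);

    /* A short name fits: no truncation. */
    truncated = set_comm_bounded(p.p_comm, sizeof p.p_comm, "%s%d", "aiodoned", 0);
    printf("%-20s truncated=%d\n", p.p_comm, truncated);

    /* A 30-character constructed name would have written 31 bytes through
     * vsprintf(); here it is cut to 16 characters plus the terminating NUL. */
    truncated = set_comm_bounded(p.p_comm, sizeof p.p_comm, "%s",
        "this-name-is-thirty-chars-long");
    printf("%-20s truncated=%d len=%zu\n", p.p_comm, truncated, strlen(p.p_comm));
    return truncated;
}

int
main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The return value matters as much as the bound: silently truncating a kernel thread name is harmless, but a caller that cares can treat a non-zero result as a bug in whoever passed the name, which is the check a maintainer would want alongside the size argument.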