NetBSD Security Advisory 1999-012: ptrace | Linux Today

NetBSD Security Advisory 1999-012: ptrace

Written By
Web Webster
Web Webster
Feb 17, 2000

Date: Wed, 16 Feb 2000 07:58:57 +1100
From: Daniel Carosone security-officer@NETBSD.ORG

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: NetBSD Security Advisory 1999-012

NetBSD Security Advisory 1999-012


Topic: ptrace(2)’d processes can gain “kernel” privileges on
vax.
Version: NetBSD/vax 1.4.1 and earlier; -current prior to
19991212
Severity: Theoretical problem only, no known exploits

Abstract


As part of an ongoing effort to construct a secure kernel and
application environment, the NetBSD project has identified and
corrected a possible security issue.

A wrapper program can be constructed by a local user that can
modify the hardware privileges of a ptrace(2)’d process.

It might be possible to write a security-related exploit via
this mechanism.

Technical Details


NetBSD uses the ptrace(2) system call to trace and debug other
processes. The debugging process can also modify the internal
registers, including the status (PSL) register, for the process
being debugged.

Besides the normal user-accessible flags, the VAX hardware also
stores information about privilege levels and used stacks in the
PSL. Those flags are only altered via the instruction REI (return
from interrupt) or LDPCTX (load process context) and cannot be
modified while running in “user” mode.

When the PSL contents are altered by the debugging process, the
debugged process is in the kernel, and will get the privileges
defined by the PSL when it REI to userspace to continue
execution.

Solutions and Workarounds


Upgrade to NetBSD-current, or apply the following patch to 1.4.1:

Index: machdep.c

RCS file: /cvsroot/syssrc/sys/arch/vax/vax/machdep.c,v
retrieving revision 1.76.2.1
diff -c -r1.76.2.1 machdep.c
*** machdep.c   1999/04/16 16:26:01     1.76.2.1
- --- machdep.c   1999/12/12 11:08:46
***************
*** 770,776 ****
        tf->fp = regs->fp;
        tf->sp = regs->sp;
        tf->pc = regs->pc;
!       tf->psl = regs->psl;
        return 0;
  }

- --- 770,777 ----
        tf->fp = regs->fp;
        tf->sp = regs->sp;
        tf->pc = regs->pc;
!       tf->psl = (regs->psl|PSL_U|PSL_PREVU) &
!           ~(PSL_MBZ|PSL_IS|PSL_IPL1F|PSL_CM); /* Allow compat mode? */
        return 0;
  }

Thanks To


Discovery of the problem by Klaus Klein (kleink@netbsd.org)

Revision History


1999/12/12 – initial version

More Information


Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and
http://www.NetBSD.ORG/Security/.

Copyright 1999, The NetBSD Foundation, Inc. All Rights
Reserved.

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.