OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:19.semconfig
From: Theo de Raadt (deraadtCVS.OPENBSD.ORG)
Date: Fri May 26 2000 - 20:06:45 CDT

> If you examine the code in NetBSD (which FreeBSD should have done before
> claiming that NetBSD was vulnerable as claimed in the alert), you will
> note that if the exiting process is not using semaphores (i.e. has no
> `sem_undo' structure allocated for it), then the exiting process will
> not block, but rather semexit() will simply return.

Here in OpenBSD land, we have discovered the same thing:

    Only processes which are using semaphores get wedged and unable
    to exit. Once the wedging is undone, those processes exit
    normally.

    Processes not using semaphores are unaffected.

Our testing shows that FreeBSD complete wedges solid. It looks like
they missed a patch merged into NetBSD in 1994 (and which OpenBSD
inherited).

In any case, a patch is available which stops that behaviour in 2.6,
and 2.7 does not have this problem. (2.7 is out June 15, if I didn't
say that here, I would probably get 50 questions..)

    http://www.openbsd.org/errata26.html#semconfig

At the moment, we do not care too much that ipcs(1) cannot provide an
atomic snapshot of information; many other utilities do not claim atomic
information either.