7.5 Addendum

Note

Thursday, November 15, 2007

Since the vulnerability has been fixed and a new version of the XNU kernel of OS X is available, I released a detailed security advisory on my website today.[80] The bug was assigned CVE-2007-4686.

After I published the advisory, Theo de Raadt (the founder of OpenBSD and OpenSSH) hinted that this bug is older than 4.4BSD and was fixed roughly 15 years ago by everyone but Apple. In the initial revision of FreeBSD from 1994, the implementation of the TIOCSETD IOCTL looks like this:[81]

[..]
804       case TIOCSETD: {        /* set line discipline */
805           register int t = *(int *)data;
806           dev_t device = tp->t_dev;
807
808           if ((u_int)t >= nlinesw)
809               return (ENXIO);
810           if (t != tp->t_line) {
811               s = spltty();
812               (*linesw[tp->t_line].l_close)(tp, flag);
813               error = (*linesw[t].l_open)(device, tp);
814               if (error) {
815                   (void)(*linesw[tp->t_line].l_open)(device, tp);
816                   splx(s);
817                   return (error);
818               }
819               tp->t_line = t;
820               splx(s);
821           }
822           break;
823       }
[..]

Because t is cast to an unsigned int in line 808, the comparison is unsigned: a negative value does not stay negative but wraps to 0x80000000 or greater, which is always larger than the small, positive nlinesw (promoted to unsigned for the comparison). Any such value therefore hits the ENXIO return in line 809 before it can be used as an index into linesw[], and the same comparison also rejects values that are simply too large. So Theo was right: the bug was indeed already fixed in 1994. Figure 7-4 shows the timeline of the bug's fix.
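To make the effect of that one cast concrete, here is an added C example (not code from the book, from FreeBSD or from XNU) that puts the two shapes of the bounds check side by side: a hypothetical variant that compares the signed int directly, and the 1994 FreeBSD variant with the (u_int) cast. The line-discipline table, its size of 8, and the sample user inputs are constructed for the demonstration; nlinesw is declared int, as in BSD tty.c, because that is what makes the uncast comparison signed.

```c
#include <stdio.h>
#include <limits.h>

/*
 * Constructed stand-in for the BSD line-discipline table. The real linesw[]
 * holds structs of function pointers; names are enough to show the indexing.
 * nlinesw is declared int, as in BSD tty.c, so that "int >= int" below is a
 * signed comparison.
 */
#define NLINESW 8
static int nlinesw = NLINESW;
static const char *linesw[NLINESW] = {
    "ld0", "ld1", "ld2", "ld3", "ld4", "ld5", "ld6", "ld7"
};

/*
 * Hypothetical check WITHOUT the cast. int against int is a signed
 * comparison, so every negative t is "less than nlinesw" and slips through
 * to linesw[t], which then reads before the start of the array.
 * Returns 1 if t would be used as an index, 0 if ENXIO would be returned.
 */
int accepts_signed(int t)
{
    if (t >= nlinesw)
        return 0;               /* ENXIO */
    return 1;                   /* linesw[t] is evaluated, even for t < 0 */
}

/*
 * The 1994 FreeBSD shape (tty.c line 808). The cast makes the comparison
 * unsigned and nlinesw is promoted to unsigned as well, so a negative t
 * becomes 0x80000000 or more and is always >= nlinesw. One comparison
 * rejects both negative and too-large values.
 */
int accepts_unsigned(int t)
{
    if ((unsigned int)t >= nlinesw)
        return 0;               /* ENXIO */
    return 1;
}

/* Count how many of the given inputs a check lets through to the array. */
int count_accepted(int (*check)(int), const int *vals, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += check(vals[i]);
    return accepted;
}

int main(void)
{
    /* Constructed user-supplied values: in range, one past the end, and
     * the negative values an attacker would try against the signed check. */
    const int samples[] = { 0, 7, 8, -1, -2, -1000000, INT_MIN };
    const int n = (int)(sizeof samples / sizeof samples[0]);

    printf("%12s  %-8s  %-8s  %s\n", "t", "signed", "unsigned", "entry");
    for (int i = 0; i < n; i++) {
        int t = samples[i];
        int ok = accepts_unsigned(t);   /* only this check is safe to trust */
        printf("%12d  %-8s  %-8s  %s\n", t,
               accepts_signed(t) ? "index" : "ENXIO",
               ok ? "index" : "ENXIO",
               ok ? linesw[t] : "-");
    }
    printf("signed check accepts %d of %d inputs, unsigned accepts %d of %d\n",
           count_accepted(accepts_signed, samples, n), n,
           count_accepted(accepts_unsigned, samples, n), n);
    return 0;
}
```

Running it shows the signed variant waving through every negative sample while the cast variant admits only 0 through 7; the negative values are exactly the ones that would turn linesw[t] into a read of attacker-chosen kernel memory.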

Figure 7-4. Timeline from the time I notified Apple until I released a security advisory

[75] The vulnerable source code revision 792.13.8 of XNU can be downloaded at http://www.opensource.apple.com/tarballs/xnu/xnu-792.13.8.tar.gz.

[76] See “‘You need to restart your computer’ (kernel panic) message appears (Mac OS X v10.5, 10.6)” at http://support.apple.com/kb/TS3742.

[77] See “Kernel Extension Programming Topics: Debugging a Kernel Extension with GDB” in Mac OS X Developer Library at http://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/KEXTConcept/KEXTConceptDebugger/debug_tutorial.html and “Kernel Programming Guide: When Things Go Wrong; Debugging the Kernel” in Mac OS X Developer Library at http://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/build/build.html#//apple_ref/doc/uid/TP30000905-CH221-CIHBJCGC.

[79] The source code of the fixed XNU version 792.24.17 is available at http://www.opensource.apple.com/tarballs/xnu/xnu-792.24.17.tar.gz.

[80] My security advisory that describes the details of the Mac OS X kernel vulnerability can be found at http://www.trapkit.de/advisories/TKADV2007-001.txt.

[81] The initial FreeBSD version of tty.c from 1994 can be found at http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/tty.c?rev=1.1;content-type=text/plain.