OpenBSD: kernel Protected memory violation
Posted by LinuxSecurity.com Team   
OpenBSD: A reference counting bug in the shmat(2) system call could be used to write to kernel memory under certain circumstances.

A reference counting bug exists in the shmat(2) system call that
could be used by an attacker to write to kernel memory under certain
circumstances.

The bug, found by Joost Pol, could be used to gain elevated privileges
and has been successfully exploited under FreeBSD.

Patches for OpenBSD 3.4 and 3.3, respectively, are also available:
 
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch 
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/015_sysvshm.patch

The patch is already present in OpenBSD-current as well as in the
3.3 and 3.4 -stable branches.

For more information on the bug, see Joost Pol's description at:
     http://www.pine.nl/press/pine-cert-20040201.txt