COMMAND

    {proc,kern}fs

SYSTEMS AFFECTED

    FreeBSD 2.2.6-STABLE, 3.0-CURRENT

PROBLEM

    Brian Feldman found the following. This is apparently a bug
    introduced in 4.4BSD-Lite2; this file's two ids reflect both that
    it is from 4.4BSD-Lite2 and that it was fixed in the
    FreeBSD-CURRENT source tree on 6/25/98, after this bug was
    reported, so anyone running 3.0-CURRENT should definitely update
    their {kern,proc}fs to prevent exploitation.

    The best way to look for this is to try the following:

        grep hungry < `locate procfs_vnops.c`

    And see if there is any reference to the following panic (from a
    crash core bt):

        #1  0xf0119367 in panic (fmt=0xf5740bc8 "kernfs_readdir: not hungry")
        at ../../kern/kern_shutdown.c:423

    Anyone running a system that uses 4.4BSD-Lite2 code should be
    interested in checking this out. The problem seems to be in the
    syscall usage of Linux programs in the 'emulation', and so far the
    only program this has been tested with is RealPlayer 5.0 for
    Linux/i386. Attempting to browse /proc or /kern with it will cause
    a crash on a vulnerable system:

        rvplayer /proc/curproc

    or

        rvplayer /kern/hostname

SOLUTION

    This was fixed in the FreeBSD-CURRENT source tree on 6/25/98,
    after the bug was reported, so anyone running 3.0-CURRENT should
    definitely update their {kern,proc}fs to prevent exploitation.