-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2001-015 =================================
Topic: Insufficient checking of lengths passed from userland to kernel
Version: NetBSD-current: source prior to August 5, 2001 NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: affected
Severity: Any local user can panic the system, and/or execute arbitrary code and gain root privileges.
Fixed: NetBSD-current: August 5, 2001 NetBSD-1.5 branch: August 16, 2001 (1.5.2 includes the fix)
The problem for which NetBSD SA2001-011 was issued (``Insufficient msg_controllen checking for sendmsg(2)'') urged an audit of NetBSD code to look for similar issues in other parts of kernel.
A number of issues were found. In a number of places lengths or sizes passed from userland were used by the kernel without sufficient checks.
Most of the problems involved errors handling signed versus unsigned values, in some cases the code was not checking for negative values.
The actual severity of these problems varies, and three different problem severity groups have been identified:
semop(2) - exploitable by any user for denial of service or to execute arbitrary kernel code
mount args - exploitable by any user for denial of service if user mounts are enabled (it's disabled by default on NetBSD 1.5 and later)
some device ioctls - exploitable by any user with write access to appropriate device files (by default only root has write access on most device files)
The kernel function sys_semop() (which is the entry point for the semop(2) syscall) stores an unsigned argument 'nsops' in a local signed variable. If a user passes a sufficiently big 'nsops' value (>INT_MAX), the local signed variable ends up negative and passes the bound check. The value is then used for copyin() data from user memory to local array on the process's kernel stack. Since the number of bytes to copyin is computed as 'nsops * sizeof(struct sembuf)', this can be used to copy an almost arbitrary number of bytes from userland to the caller process's kernel stack due to int overflow. This can be exploited to cause a kernel trap, or call arbitrary kernel code. This can also be exploited to execute arbitrary code on architectures where stack memory is executable.
NFS did not check the nfs file handle size. This could be exploited in a way similar to the semop(2) issue. Furthermore, NFS did not check the size of authenticator and verifier strings sufficiently. UMAPFS did not check the nentries and gnentries mount arguments. Generic code in kern/nfs_subr.c:vfs_hand_addrlist() did not properly bound check the specified size of export addresses; this code is used by all filesystems to handle exports. All these problems could be exploited to cause a panic.
The following drivers had potentially exploitable weak checking in their ioctl(9) routines. These should be exploitable to cause a kernel panic. Some of these drivers are new on -current and don't exist in NetBSD/1.5.
amiga: majority of graphic grf-like device drivers arm32: vidcvideo hpcmips: plumvideo macppc: ofb sparc: cgtwo, fb sun3: cg2, fb hpcsh: hd64461video machine-independant: coda, bt, mlx, pci/tga, tc/cfb, tc/mfb, tc/sfb, tc/tfb, tc/xcfb, tc/sfbplus, tc/stic, wsdisplay, wskbd, ccd, ppp, isdn
The lfs_markv(2) system call did not check the blkcnt argument. This problem is exploitable to cause a panic. This system call is restricted to root only.
NetBSD official releases up to and including 1.5.1 are vulnerable. NetBSD 1.5.2 is NOT vulnerable.
Kernel sources must be updated and a new kernel built and installed. Once the kernel sources have been updated, rebuild the kernel, install it, and reboot. For more information on how to do this, see: http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
The instructions for updating your kernel sources depend upon which particular NetBSD release you are running.
Systems running NetBSD-current dated from before 2001-08-05 should be upgraded to NetBSD-current dated 2001-08-06 or later. The following source directories need to be updated from the netbsd-current CVS branch (aka HEAD): src/sys/kern src/sys/miscfs/umapfs src/sys/ufs/lfs src/sys/nfs src/sys/dev src/sys/arch Alternatively, apply the following patch (with potential offset differences):
To patch: # cd src/sys # patch < /path/to/SA2001-015-kernlen-current.patch
Systems running NetBSD 1.5 dated from before 2001-08-16 should be upgraded from NetBSD 1.5 sources dated 2001-08-17 or later. The following source directory needs to be updated from the netbsd-1-5 CVS branch: src/sys/kern src/sys/miscfs/umapfs src/sys/nfs src/sys/dev src/sys/arch Alternatively, apply the following patch (with potential offset differences):
To patch: # cd src/sys # patch < /path/to/SA2001-015-kernlen-1.5.patch
At this time there are no fixes or patches available for the NetBSD 1.4 branch.
Jaromir Dolecek for copyin/malloc audit work.
Konrad Schroder for review of LFS fix.
Ken Ashcraft @ Stanford, Constantine Sapuntzakis and Frank van den Linden for finding and fixing the NFS file handle length problem.
Andrew Doran for review of the mlx fix.
Steve Woodford for review of sun3/vme and xd/xy driver changes, which turned out to not be necessary.
Christos Zoulas for general feedback.
2001-09-06 Initial release
An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-015.txt.asc
Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2001-015.txt,v 1.9 2001/09/06 13:52:31 lukem Exp $
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org
iQCVAwUBO5d/Gj5Ru2/4N2IFAQF9YAP/ckqmwEHQcuqaOiJ/XJw7zREJ6luIgp5j CLz0ahgcpFgbDe6QGUQBdouK4FlD6/uTAc4euJ9Dyiq0tVRty2U5yAbJPjOznv8r T72DjjK+HN4UDvnz+DRniC7upWzDjfEgdi/tb74sWKF/RA9e+3mk0Ecd4UzpmMrl CxH4j9XcqTI= =exNB -----END PGP SIGNATURE-----