Date: Fri, 7 Sep 2001 20:32:23 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: security@FreeBSD.org
Cc: re@FreeBSD.org
Subject: Re: NetBSD Security Advisory 2001-015: Insufficient checking of lengths passed to kernel
Message-ID: <20010907203223.B20016@sunbay.com>
In-Reply-To: <20010906095742.A8644@mail.netbsd.org>; from security-officer@netbsd.org on Thu, Sep 06, 2001 at 09:57:42AM -0700
References: <20010906095742.A8644@mail.netbsd.org>
Oh, and we are vulnerable to this too. :-(
At least the semop() thing.

On Thu, Sep 06, 2001 at 09:57:42AM -0700, NetBSD Security Officer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> NetBSD Security Advisory 2001-015
> =================================
>
> Topic: Insufficient checking of lengths passed from userland to kernel
>
> Version: NetBSD-current: source prior to August 5, 2001
> NetBSD-1.5.1: affected
> NetBSD-1.5: affected
> NetBSD-1.4.*: affected
>
> Severity: Any local user can panic the system, and/or execute
> arbitrary code and gain root privileges.
>
> Fixed: NetBSD-current: August 5, 2001
> NetBSD-1.5 branch: August 16, 2001 (1.5.2 includes the fix)
>
>
> Abstract
> ========
>
> The problem for which NetBSD SA2001-011 was issued (``Insufficient
> msg_controllen checking for sendmsg(2)'') urged an audit of
> NetBSD code to look for similar issues in other parts of the kernel.
>
> A number of issues were found. In a number of places lengths or
> sizes passed from userland were used by the kernel without sufficient
> checks.
>
> Most of the problems involved errors handling signed versus unsigned
> values; in some cases the code was not checking for negative values.
>
> The actual severity of these problems varies, and three different
> problem severity groups have been identified:
>
> 1. semop(2) - exploitable by any user for denial of service or
> to execute arbitrary kernel code
>
> 2. mount args - exploitable by any user for denial of service if
> user mounts are enabled (it's disabled by default on NetBSD 1.5
> and later)
>
> 3. some device ioctls - exploitable by any user with write access
> to appropriate device files (by default only root has write access
> on most device files)
>
> Technical Details
> =================
>
> The kernel function sys_semop() (which is the entry point for the
> semop(2) syscall) stores an unsigned argument 'nsops' in a local signed
> variable. If a user passes a sufficiently big 'nsops' value (>INT_MAX),
> the local signed variable ends up negative and passes the bound check.
> The value is then used for copyin() data from user memory to a local array
> on the process's kernel stack. Since the number of bytes to copyin is
> computed as 'nsops * sizeof(struct sembuf)', this can be used to copy an
> almost arbitrary number of bytes from userland to the caller process's
> kernel stack due to int overflow. This can be exploited to cause a
> kernel trap, or call arbitrary kernel code. This can also be exploited
> to execute arbitrary code on architectures where stack memory is
> executable.
>
> NFS did not check the nfs file handle size. This could be exploited in
> a way similar to the semop(2) issue. Furthermore, NFS did not check the
> size of authenticator and verifier strings sufficiently. UMAPFS did not
> check the nentries and gnentries mount arguments.
> Generic code in kern/nfs_subr.c:vfs_hand_addrlist() did not properly
> bound check the specified size of export addresses; this code is
> used by all filesystems to handle exports. All these problems
> could be exploited to cause a panic.
>
> The following drivers had potentially exploitable weak checking in their
> ioctl(9) routines. These should be exploitable to cause a kernel
> panic. Some of these drivers are new on -current and don't exist
> in NetBSD/1.5.
>
> amiga: majority of graphic grf-like device drivers
> arm32: vidcvideo
> hpcmips: plumvideo
> macppc: ofb
> sparc: cgtwo, fb
> sun3: cg2, fb
> hpcsh: hd64461video
> machine-independent: coda, bt, mlx, pci/tga, tc/cfb, tc/mfb,
> tc/sfb, tc/tfb, tc/xcfb, tc/sfbplus, tc/stic,
> wsdisplay, wskbd, ccd, ppp, isdn
>
> The lfs_markv(2) system call did not check the blkcnt argument. This
> problem is exploitable to cause a panic. This system call is restricted
> to root only.
>
> Solutions and Workarounds
> =========================
>
> NetBSD official releases up to and including 1.5.1 are vulnerable.
> NetBSD 1.5.2 is NOT vulnerable.
>
> Kernel sources must be updated and a new kernel built and installed.
> Once the kernel sources have been updated, rebuild the kernel,
> install it, and reboot. For more information on how to do this,
> see:
> http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
> The instructions for updating your kernel sources depend upon which
> particular NetBSD release you are running.
>
>
> * NetBSD-current:
>
> Systems running NetBSD-current dated from before 2001-08-05
> should be upgraded to NetBSD-current dated 2001-08-06 or later.
>
> The following source directories need to be updated from
> the netbsd-current CVS branch (aka HEAD):
> src/sys/kern
> src/sys/miscfs/umapfs
> src/sys/ufs/lfs
> src/sys/nfs
> src/sys/dev
> src/sys/arch
>
>
> Alternatively, apply the following patch (with potential offset
> differences):
> ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-015-kernlen-current.patch
>
> To patch:
> # cd src/sys
> # patch < /path/to/SA2001-015-kernlen-current.patch
>
>
> * NetBSD 1.5, 1.5.1:
>
> Systems running NetBSD 1.5 dated from before 2001-08-16 should be
> upgraded from NetBSD 1.5 sources dated 2001-08-17 or later.
>
> The following source directories need to be updated from the
> netbsd-1-5 CVS branch:
> src/sys/kern
> src/sys/miscfs/umapfs
> src/sys/nfs
> src/sys/dev
> src/sys/arch
>
>
> Alternatively, apply the following patch (with potential offset
> differences):
> ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-015-kernlen-1.5.patch
>
> To patch:
> # cd src/sys
> # patch < /path/to/SA2001-015-kernlen-1.5.patch
>
>
> * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
>
> At this time there are no fixes or patches available for
> the NetBSD 1.4 branch.
>
>
> Thanks To
> =========
>
> Jaromir Dolecek for copyin/malloc audit work.
>
> Konrad Schroder for review of the LFS fix.
>
> Ken Ashcraft @ Stanford, Constantine Sapuntzakis and
> Frank van den Linden for finding and fixing
> the NFS file handle length problem.
>
> Andrew Doran for review of the mlx fix.
>
> Steve Woodford for review of sun3/vme and xd/xy driver changes,
> which turned out to not be necessary.
>
> Christos Zoulas for general feedback.
>
>
> Revision History
> ================
>
> 2001-09-06 Initial release
>
>
> More Information
> ================
>
> An up-to-date PGP signed copy of this release will be maintained at
> ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-015.txt.asc
>
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
> Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.
>
> $NetBSD: NetBSD-SA2001-015.txt,v 1.9 2001/09/06 13:52:31 lukem Exp $
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (NetBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBO5d/Gj5Ru2/4N2IFAQF9YAP/ckqmwEHQcuqaOiJ/XJw7zREJ6luIgp5j
> CLz0ahgcpFgbDe6QGUQBdouK4FlD6/uTAc4euJ9Dyiq0tVRty2U5yAbJPjOznv8r
> T72DjjK+HN4UDvnz+DRniC7upWzDjfEgdi/tb74sWKF/RA9e+3mk0Ecd4UzpmMrl
> CxH4j9XcqTI=
> =exNB
> -----END PGP SIGNATURE-----

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
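The semop(2) length check the advisory describes, as an added example that is not part of the original message or of either BSD kernel: the flawed signed/unsigned pattern beside a corrected one, with the byte count each would hand to copyin(). struct sembuf follows the SysV IPC layout; SEMOPM, the function names and the sample inputs are assumptions made for this illustration.

```c
/*
 * Added example, not code from the NetBSD advisory or from either BSD tree.
 * It models the semop(2) length check the advisory describes: an unsigned
 * count from userland is stored in a signed int, bound-checked, and then
 * multiplied by sizeof(struct sembuf) to size a copyin() onto the kernel
 * stack. 'struct sembuf' follows the SysV IPC layout; SEMOPM, the function
 * names and the sample inputs are assumptions made for this illustration.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct sembuf {
    unsigned short sem_num;
    short          sem_op;
    short          sem_flg;
};

#define SEMOPM 100   /* assumed upper limit on operations per semop() call */

/*
 * Vulnerable pattern. The unsigned count is parked in a signed int before the
 * check, so any value above INT_MAX wraps negative (what gcc and clang do for
 * this implementation-defined conversion), slips under 'nsops > SEMOPM', and
 * is then used to compute the copy length. Returns 1 if the request would be
 * accepted and stores the byte count that would go to copyin() in *len;
 * returns 0 if rejected.
 */
int vulnerable_check(unsigned int user_nsops, size_t *len)
{
    int nsops = (int)user_nsops;
    if (nsops > SEMOPM)
        return 0;                                   /* only the top of the range is bounded */
    *len = (size_t)nsops * sizeof(struct sembuf);   /* negative nsops: huge or wrapped length */
    return 1;
}

/*
 * Fixed pattern. The count stays unsigned, is bounded before any arithmetic,
 * and an explicit overflow guard documents why nsops * sizeof cannot wrap.
 * Same return convention as above.
 */
int fixed_check(unsigned int user_nsops, size_t *len)
{
    size_t nsops = user_nsops;                      /* widening only; the value is preserved */
    if (nsops < 1 || nsops > SEMOPM)
        return 0;
    if (nsops > SIZE_MAX / sizeof(struct sembuf))   /* unreachable given SEMOPM; kept as a guard */
        return 0;
    *len = nsops * sizeof(struct sembuf);
    return 1;
}

/* Convenience wrappers: the byte count a request would copy, or 0 if rejected. */
size_t vulnerable_copy_len(unsigned int n) { size_t l = 0; return vulnerable_check(n, &l) ? l : 0; }
size_t fixed_copy_len(unsigned int n)      { size_t l = 0; return fixed_check(n, &l) ? l : 0; }

int main(void)
{
    /* constructed sample inputs: a normal call, the limit, one past it, and two wrapped counts */
    unsigned int samples[] = { 1, SEMOPM, SEMOPM + 1, 0x80000001u, UINT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t vlen = 0, flen = 0;
        int v = vulnerable_check(samples[i], &vlen);
        int f = fixed_check(samples[i], &flen);
        printf("nsops=%10u  vulnerable: %-6s len=%-20zu  fixed: %-6s len=%zu\n",
               samples[i], v ? "accept" : "reject", vlen, f ? "accept" : "reject", flen);
    }
    return 0;
}
```

Build with `cc -Wall semop_len.c && ./a.out` (file name assumed). The width of size_t decides what the wrapped count turns into: with a 64-bit size_t the negative nsops sign-extends to a copy length in the exabyte range, while with a 32-bit size_t, which is what the 2001 systems in the advisory mostly had, the multiplication by sizeof(struct sembuf) wraps modulo 2^32 and the caller can pick nsops so that the product lands on almost any multiple of six, which is the "almost arbitrary number of bytes" the advisory refers to. Either way the check is passed; only the fixed version, which never lets the count become signed, rejects it.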