NetBSD Graphics Driver Buffer Overflow Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID: 1039310|
SecurityTracker URL: http://securitytracker.com/id/1039310
(Links to External Site)
Date: Sep 11 2017
Execution of arbitrary code via local system, Root access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 6.0 - 6.0.6, 6.1 - 6.1.5, 7.0 - 7.0.2, 7.1, 8.0_BETA|
A vulnerability was reported in NetBSD. A local user can obtain elevated privileges on the target system.|
A local user on a wscons terminal (/dev/ttyE*) can send specially crafted data to certain graphics drivers via the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP IOCTLs to trigger a buffer overflow and execute arbitrary code with kernel-level privileges on the target system.
The following drivers are affected:
sti (hppa and hp300)
On the 'bivideo (hpcsh)' driver, a local user can read kernel memory.
CTurt reported this vulnerability.
A local user can obtain elevated privileges on the target system.|
The vendor has issued a fix.|
The vendor advisory is available at:
Vendor URL: ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc (Links to External Site)
Source Message Contents
Subject: NetBSD Security Advisory 2017-004: buffer overflow via cmap for 4 graphics drivers|
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2017-004
Topic: buffer overflow via cmap for 4 graphics drivers
Version: NetBSD-current: source prior to June 13th
NetBSD 8.0_BETA: affected
NetBSD 7.1: affected
NetBSD 7.0 - 7.0.2: affected
NetBSD 6.1 - 6.1.5: affected
NetBSD 6.0 - 6.0.6: affected
Severity: information leak and potential root compromise
for authenticated user on affected graphics console
Fixed: NetBSD-current: June 13th
NetBSD-8 branch: June 15th
NetBSD-7-1 branch: June 15th
NetBSD-7-0 branch: June 15th
NetBSD-7 branch: June 15th
NetBSD-6-0 branch: June 15th
NetBSD-6-1 branch: June 15th
NetBSD-6 branch: June 15th
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
An authenticated user on a wscons terminal with the following graphics
sti (hppa and hp300)
could cause a buffer overflow when reading or writing the color map.
Due to overflowable bounds checking when reading or writing the
color map using the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP
ioctls, the user that owns a /dev/ttyE* (i.e. is logged in on it)
could read kernel memory, or for all but bivideo, which doesn't have
a writable color map, write kernel memory.
Solutions and Workarounds
Solution: update the kernel with one built from source past the fix date.
There are no workarounds besides the obvious not allowing untrusted users
at the console.
Affected source files fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 1.16 220.127.116.11
sys/arch/pmax/ibus/pm.c 1.13 18.104.22.168
sys/dev/hpc/bivideo.c 1.34 22.214.171.124
sys/dev/ic/sti.c 1.19 126.96.36.199
++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 188.8.131.52 184.108.40.206.6.1 220.127.116.11.2.1
sys/arch/pmax/ibus/pm.c 18.104.22.168 22.214.171.124 126.96.36.199
sys/dev/hpc/bivideo.c1 188.8.131.52 184.108.40.206 220.127.116.11
sys/dev/ic/sti.c 18.104.22.168 22.214.171.124 126.96.36.199
++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 188.8.131.52 184.108.40.206 220.127.116.11
sys/arch/pmax/ibus/pm.c 18.104.22.168 22.214.171.124 126.96.36.199
sys/dev/hpc/bivideo.c 188.8.131.52 184.108.40.206 220.127.116.11
sys/dev/ic/sti.c 18.104.22.168 22.214.171.124 126.96.36.199
Thanks to CTurt for reporting this set of issues.
2017-09-08 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2015, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2017-004.txt,v 1.1 2017/09/08 14:16:20 christos Exp $
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----