Category:   OS (UNIX)  >   NetBSD
Vendors:   NetBSD
NetBSD Graphics Driver Buffer Overflow Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1039310
SecurityTracker URL:  http://securitytracker.com/id/1039310
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 11 2017
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.0 - 6.0.6, 6.1 - 6.1.5, 7.0 - 7.0.2, 7.1, 8.0_BETA
Description:   A vulnerability was reported in NetBSD. A local user can obtain elevated privileges on the target system.

A local user on a wscons terminal (/dev/ttyE*) can send specially crafted data to certain graphics drivers via the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP IOCTLs to trigger a buffer overflow and execute arbitrary code with kernel-level privileges on the target system.

The following drivers are affected:

sbd (ews4800mips)
sti (hppa and hp300)
pm (pmax)

On the 'bivideo (hpcsh)' driver, a local user can read kernel memory.

CTurt reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a fix.

The vendor advisory is available at:

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Vendor URL:  ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc
Cause:   Boundary error

Message History:   None.


 Source Message Contents

Subject:  NetBSD Security Advisory 2017-004: buffer overflow via cmap for 4 graphics drivers


		NetBSD Security Advisory 2017-004
		=================================

Topic:		buffer overflow via cmap for 4 graphics drivers


Version:	NetBSD-current:		source prior to June 13th
		NetBSD 8.0_BETA:	affected
		NetBSD 7.1:		affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	information leak and potential root compromise
		for authenticated user on affected graphics console

Fixed:		NetBSD-current:		June 13th
		NetBSD-8 branch:	June 15th
		NetBSD-7-1 branch:	June 15th
		NetBSD-7-0 branch:	June 15th
		NetBSD-7 branch:	June 15th
		NetBSD-6-0 branch:	June 15th
		NetBSD-6-1 branch:	June 15th
		NetBSD-6 branch:	June 15th

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An authenticated user on a wscons terminal with the following graphics
drivers:
sbd (ews4800mips)
bivideo (hpcsh)
sti (hppa and hp300)
pm (pmax)
could cause a buffer overflow when reading or writing the color map.



Technical Details
=================

Due to overflowable bounds checking when reading or writing the
color map using the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP
ioctls, the user that owns a /dev/ttyE* (i.e. is logged in on it)
could read kernel memory, or for all but bivideo, which doesn't have
a writable color map, write kernel memory.


Solutions and Workarounds
=========================

Solution: update the kernel with one built from source past the fix date.
There are no workarounds besides the obvious not allowing untrusted users
at the console.

Affected source files			fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.16   1.15.10.1
sys/arch/pmax/ibus/pm.c               1.13   1.12.22.1
sys/dev/hpc/bivideo.c                 1.34   1.33.30.1
sys/dev/ic/sti.c                      1.19   1.18.20.1
++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.13.4.2   1.13.4.1.6.1  1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c               1.12.4.1   1.12.16.1  1.12.8.1
sys/dev/hpc/bivideo.c                 1.33.12.1  1.33.24.1  1.33.16.1
sys/dev/ic/sti.c                      1.18.2.1   1.18.14.1  1.18.6.1
++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.12.2.1   1.12.16.1  1.12.8.1
sys/arch/pmax/ibus/pm.c               1.11.2.1   1.11.16.1  1.11.8.1
sys/dev/hpc/bivideo.c                 1.32.14.1  1.32.22.1  1.32.20.1
sys/dev/ic/sti.c                      1.16.8.2   1.16.22.1  1.16.14.1


Thanks To
=========

Thanks to CTurt for reporting this set of issues.


Revision History
================

	2017-09-08	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2017-004.txt,v 1.1 2017/09/08 14:16:20 christos Exp $
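
The "overflowable bounds checking" named in the advisory's Technical Details, shown as an added example; this is not code from the NetBSD drivers or from the advisory. The struct, the function names and the 256-entry map size are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define CMAP_SIZE 256u /* assumed color map size, for illustration only */

/* Hypothetical request: first entry and number of entries, both unsigned. */
struct cmap_req {
    unsigned int index;
    unsigned int count;
};

/* Overflowable check: index + count wraps modulo UINT_MAX + 1, so a very
 * large count can produce a small sum that passes the comparison. */
static int cmap_check_overflowable(const struct cmap_req *r)
{
    if (r->index >= CMAP_SIZE || r->index + r->count > CMAP_SIZE)
        return EINVAL;
    return 0;
}

/* Hardened check: no addition of caller-supplied values. index is already
 * known to be < CMAP_SIZE, so CMAP_SIZE - index cannot underflow. */
static int cmap_check_hardened(const struct cmap_req *r)
{
    if (r->index >= CMAP_SIZE || r->count > CMAP_SIZE - r->index)
        return EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed requests: three ordinary boundary cases and one wrap. */
    const struct cmap_req reqs[] = {
        {0, 256}, {255, 1}, {255, 2}, {1, UINT_MAX},
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("index=%u count=%u overflowable=%d hardened=%d\n",
               reqs[i].index, reqs[i].count,
               cmap_check_overflowable(&reqs[i]),
               cmap_check_hardened(&reqs[i]));
    return 0;
}
```

The two checks agree on every request whose sum does not wrap; only the last constructed request separates them, which is why this class of bug survives ordinary functional testing.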

Copyright 2017, SecurityGlobal.net LLC