SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Sendmsg Vendors:   NetBSD
NetBSD sendmsg Utility Allows Local Users to Cause a System Panic
SecurityTracker Alert ID:  1002080
SecurityTracker URL:  http://securitytracker.com/id/1002080
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 25 2001
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): All releases of NetBSD from 1.3 to 1.5, and -current
Description:   NetBSD reported a vulnerability in the sendmsg utility. This security hole allows a local user to cause a system panic denial of service condition.

The vulnerability is reportedly due to the lack of length checking in the kernel. This allows a local user to cause a kernel trap or an 'out of space in kmem_map' panic.

sendmsg(2), a utility designed to send data through a socket, accepts a pointer to struct msghdr, which holds additional information for the call. The pointer to the control information is passed via msg_control. The msg_controllen variable contains the length of the control information. The kernel attempts to allocate mbuf storage as specified in msg_controllen without checking the actual length of the control information. As a result, a local user can cause a kernel page fault trap if the value is higher than INT_MAX or can cause an 'out of space in kmem_map' panic for lower values. The exact size required to cause the 'out of space in kmem_map' panic is port dependant.

Impact:   A local user can cause a kenel page fault trap or an 'out of space in kmem_map' panic.
Solution:   The vendor has released patches. To obtain the appropriate patch for your system, refer to the vendor advisory (in the Source Message).
Vendor URL:  www.netbsd.org/Security (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)

Message History:   None.


 Source Message Contents

Subject:  NetBSD Security Advisory 2000-011: Insufficient msg_controllen checking for sendmsg(2)


-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-011
                 =================================

Topic:		Insufficient msg_controllen checking for sendmsg(2)

Version:	All releases of NetBSD from 1.3 to 1.5, and -current

Severity:	Any local user can panic the system

Fixed:		NetBSD-current:		July 1, 2001
		NetBSD-1.5 branch:	July 2, 2001 (1.5.1 includes the fix)
		NetBSD-1.4 branch:	July 19, 2001

Abstract
========

Due to insufficient length checking in the kernel, sendmsg(2) can be
used by a local user to cause a kernel trap, or an 'out of space in
kmem_map' panic.

As of the release date of this advisory, NetBSD releases from 1.3
up to any later release, are vulnerable.

Technical Details
=================

sendmsg(2) can be used to send data through a socket, optionally
specifying destination address and control information.

sendmsg(2) accepts a pointer to struct msghdr, which holds further
information for the call. The pointer to control information is passed
via msg_control, msg_controllen helds the length of the control
information. This is used to read the control information into kernel
space and put it in an mbuf for further processing. However, the kernel
attempts to allocate mbuf storage as specified in msg_controllen without
further checks. This behaviour can be abused to cause a kernel page
fault trap if the value is higher than INT_MAX, or to cause an 'out of
space in kmem_map' panic for lower values. The exact size to cause the
latter is port dependant, though INT_MAX is commonly enough to trigger
the panic.

Solutions and Workarounds
=========================

All NetBSD official releases from 1.3 are vulnerable.

Kernel sources must be updated and a new kernel built and installed.
The instructions for updating your kernel sources depend upon which
particular NetBSD release you are running.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2001-07-01
	should be upgraded to NetBSD-current dated 2001-07-01 or later.

	The following source directories need to be updated from
	the netbsd-current CVS branch (aka HEAD):
		src/sys/kern

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-current.patch


* NetBSD 1.5:

	Systems running NetBSD 1.5 dated from before 2001-07-02 should be
	upgraded from NetBSD 1.5 sources dated 2001-07-02 or later.

	The following source directory needs to be updated from the
	netbsd-1-5 CVS branch:
		src/sys/kern

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch
		
	NetBSD 1.5.1 is not vulnerable.


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	Systems running NetBSD 1.4 dated from before 2001-07-19 should be
	upgraded from NetBSD 1.4 sources dated 2001-07-19 or later.

	The following source directory needs to be updated from the
	netbsd-1-4 CVS branch:
		src/sys/kern

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch


* NetBSD 1.3, 1.3.1, 1.3.2, 1.3.3:

	Apply the following patch (with potential offset differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch


Once the kernel sources have been updated, rebuild the kernel,
install it, and reboot.  For more information on how to do this,
see:

    http://www.netbsd.org/Documentation/kernel/#building_a_kernel



Thanks To
=========

Jaromir Dolecek <jdolecek@NetBSD.org> for finding the problem, and
supplying a test program showing the problem.

Matt Thomas <matt@NetBSD.org> for a fix.


Revision History
================

	2001-07-20	Initial revision


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-011.txt,v 1.7 2001/07/20 01:16:54 lukem Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO1eSET5Ru2/4N2IFAQEYBgQAt2u+8kPIWZIGvTzb1m0R6bqdJTnE4xpk
uxkGV8w4GmyhC+aUX4toAkdTgdI2cHejr0tOOVk7OHD3TZ5aKKuzG/ZVunpxPwJc
q0ivUxDxv63OhXr2EVkPE/l9vrXs2BRuX3CjSHPWRt1knGVM9sYihjKqIDZyLuQS
Ou2Pb8drDlY=
=89Oe
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC