SecurityTracker.com
SecurityTracker
Archives

Category: OS (UNIX) > NetBSD
Vendors: NetBSD
NetBSD Kernel Security Holes Let Local Users Panic the System and/or Execute Arbitrary Code to Gain Root Level Privileges
SecurityTracker Alert ID:  1002335
SecurityTracker URL:  http://securitytracker.com/id/1002335
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Sep 7 2001
Impact:   Denial of service via local system, Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): NetBSD-current source prior to August 5, 2001, NetBSD-1.5.1, NetBSD-1.5, NetBSD-1.4.*
Description:   NetBSD issued a security advisory warning of several kernel security issues that were discovered during a recent code audit. The security holes are due to insufficient length checking on variables passed to the kernel and can allow a local user to panic the system or obtain root level privileges.

The following issues have been reported:

semop(2) - Any local user can exploit this to deny service or to execute arbitrary kernel code. If a local user passes a large 'nsops' value (>INT_MAX) to the semop(2) call, the kernel function sys_semop() stores it in a signed local variable, where it becomes negative and slips past the bounds check (which only rejects oversized positive values), allowing data from user memory space to be written to the process's kernel stack.

mount args - If user mounts are enabled, any local user can exploit this to deny service. User mounts are disabled by default on NetBSD 1.5 and later. It is reported that NFS does not check the nfs file handle size and the size of some other strings, allowing a local user to cause a kernel panic.

some device ioctls - Any local user with write access to the appropriate device files can exploit this. Note that, by default, only root has write access on most device files. Some device drivers (listed in the Source Message) performed weak checking in their ioctl(9) routines, allowing a local user to cause a kernel panic. In addition, the lfs_markv(2) system call (which is restricted to root users) does not check the blkcnt argument, allowing a local root-level user to cause a kernel panic.

Impact:   A local user can cause a kernel panic or execute arbitrary code with root level privileges on the host.
Solution:   The vendor has issued a fix in the following branches:

NetBSD-current August 5, 2001
NetBSD-1.5 branch August 16, 2001 (1.5.2 includes the fix)

For further patch instructions, see the Source Message.

Vendor URL:  www.netbsd.org/
Cause:   Boundary error, Input validation error
Underlying OS:  UNIX (NetBSD)

Message History:   None.


 Source Message Contents

Subject:  NetBSD Security Advisory 2001-015: Insufficient checking of lengths passed to kernel




		 NetBSD Security Advisory 2001-015
		 =================================

Topic:		Insufficient checking of lengths passed from userland to kernel

Version:	NetBSD-current:	source prior to August 5, 2001
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected

Severity:	Any local user can panic the system, and/or execute
		arbitrary code and gain root privileges.

Fixed:		NetBSD-current:		August 5, 2001
		NetBSD-1.5 branch:	August 16, 2001 (1.5.2 includes the fix)


Abstract
========

The problem for which NetBSD SA2001-011 was issued (``Insufficient
msg_controllen checking for sendmsg(2)'') prompted an audit of
NetBSD code to look for similar issues in other parts of the kernel.

A number of issues were found. In a number of places lengths or
sizes passed from userland were used by the kernel without sufficient
checks.

Most of the problems involved errors in handling signed versus unsigned
values; in some cases the code was not checking for negative values.

The actual severity of these problems varies, and three different
problem severity groups have been identified:

1.	semop(2) - exploitable by any user for denial of service or
	to execute arbitrary kernel code

2.	mount args - exploitable by any user for denial of service if
	user mounts are enabled (it's disabled by default on NetBSD 1.5
	and later)

3.	some device ioctls - exploitable by any user with write access
	to appropriate device files (by default only root has write access
	on most device files)

Technical Details
=================

The kernel function sys_semop() (which is the entry point for the
semop(2) syscall) stores an unsigned argument 'nsops' in a local signed
variable.  If a user passes a sufficiently big 'nsops' value (>INT_MAX),
the local signed variable ends up negative and passes the bound check.
The value is then used to copyin() data from user memory to a local array
on the process's kernel stack. Since the number of bytes to copyin is
computed as 'nsops * sizeof(struct sembuf)', this can be used to copy an
almost arbitrary number of bytes from userland to the caller process's
kernel stack due to integer overflow. This can be exploited to cause a
kernel trap, or call arbitrary kernel code. This can also be exploited
to execute arbitrary code on architectures where stack memory is
executable.
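As an added illustration (not code from the advisory or from NetBSD), the following C program models the signed/unsigned mix-up described above: an unsigned syscall argument stored in an int, a bounds check that only catches positive excess, and the 32-bit byte count the copy would be handed. The limit value, the record layout, the helper names and two's-complement wrapping are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for illustration: a per-call limit and a 6-byte
 * sembuf-like record. Neither value is taken from NetBSD sources. */
#define SEMOPM_LIMIT 100
struct sembuf_model { uint16_t num; int16_t op; int16_t flg; };

/* Pre-fix pattern: the unsigned argument is stored in a signed int, so any
 * value above INT_MAX wraps negative (two's complement assumed) and the
 * "too big?" test never fires. */
bool vulnerable_check_accepts(uint32_t nsops_arg)
{
    int nsops = (int)nsops_arg;
    if (nsops > SEMOPM_LIMIT)
        return false;           /* rejects only positive excess */
    return true;                /* a negative nsops is accepted */
}

/* Hardened pattern: keep the argument unsigned and compare it unsigned,
 * so every value above the limit is rejected, INT_MAX or not. */
bool fixed_check_accepts(uint32_t nsops)
{
    return nsops <= SEMOPM_LIMIT;
}

/* Byte count a 32-bit kernel computes as nsops * sizeof(struct sembuf):
 * the product wraps modulo 2^32, so a huge nsops that passed the weak
 * check can still produce a small, caller-chosen copy length. */
uint32_t copy_len32(uint32_t nsops)
{
    return nsops * (uint32_t)sizeof(struct sembuf_model);
}

int main(void)
{
    uint32_t probe = 0x80000001u;     /* > INT_MAX, so (int) is negative */
    printf("nsops=%u vulnerable_accepts=%d fixed_accepts=%d copy_len=%u\n",
           probe, vulnerable_check_accepts(probe),
           fixed_check_accepts(probe), copy_len32(probe));
    return 0;
}
```

The weak check accepts the probe value while the unsigned comparison rejects it; the wrapped length shows why the advisory calls the copy size "almost arbitrary".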

NFS did not check the nfs file handle size. This could be exploited in
a way similar to the semop(2) issue.  Furthermore, NFS did not check the
size of authenticator and verifier strings sufficiently.  UMAPFS did not
check the nentries and gnentries mount arguments.
Generic code in kern/nfs_subr.c:vfs_hand_addrlist() did not properly
bound check the specified size of export addresses; this code is
used by all filesystems to handle exports.  All these problems
could be exploited to cause a panic.

The following drivers had potentially exploitable weak checking in their
ioctl(9) routines. These should be exploitable to cause a kernel
panic. Some of these drivers are new on -current and don't exist
in NetBSD/1.5.

amiga:		majority of graphic grf-like device drivers
arm32:		vidcvideo
hpcmips:	plumvideo
macppc:		ofb
sparc:		cgtwo, fb
sun3:		cg2, fb
hpcsh:		hd64461video
machine-independent:	coda, bt, mlx, pci/tga, tc/cfb, tc/mfb,
		tc/sfb, tc/tfb, tc/xcfb, tc/sfbplus, tc/stic,
		wsdisplay, wskbd, ccd, ppp, isdn

The lfs_markv(2) system call did not check the blkcnt argument. This
problem is exploitable to cause a panic.  This system call is restricted
to root only.

Solutions and Workarounds
=========================

NetBSD official releases up to and including 1.5.1 are vulnerable.
NetBSD 1.5.2 is NOT vulnerable.

Kernel sources must be updated and a new kernel built and installed.
Once the kernel sources have been updated, rebuild the kernel,
install it, and reboot.  For more information on how to do this,
see:
	http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

The instructions for updating your kernel sources depend upon which
particular NetBSD release you are running.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2001-08-05
	should be upgraded to NetBSD-current dated 2001-08-06 or later.

	The following source directories need to be updated from
	the netbsd-current CVS branch (aka HEAD):
		src/sys/kern
		src/sys/miscfs/umapfs
		src/sys/ufs/lfs
		src/sys/nfs
		src/sys/dev
		src/sys/arch


	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-015-kernlen-current.patch

	To patch:
		# cd src/sys
		# patch < /path/to/SA2001-015-kernlen-current.patch


* NetBSD 1.5, 1.5.1:

	Systems running NetBSD 1.5 dated from before 2001-08-16 should be
	upgraded from NetBSD 1.5 sources dated 2001-08-17 or later.

	The following source directories need to be updated from the
	netbsd-1-5 CVS branch:
		src/sys/kern
		src/sys/miscfs/umapfs
		src/sys/nfs
		src/sys/dev
		src/sys/arch


	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-015-kernlen-1.5.patch

	To patch:
		# cd src/sys
		# patch < /path/to/SA2001-015-kernlen-1.5.patch


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	At this time there are no fixes or patches available for
	the NetBSD 1.4 branch.


Thanks To
=========

Jaromir Dolecek for copyin/malloc audit work.

Konrad Schroder for review of LFS fix.

Ken Ashcraft @ Stanford, Constantine Sapuntzakis and
Frank van den Linden for finding and fixing
the NFS file handle length problem.

Andrew Doran for review of the mlx fix.

Steve Woodford for review of sun3/vme and xd/xy driver changes,
which turned out to not be necessary.

Christos Zoulas for general feedback.


Revision History
================

	2001-09-06	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-015.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-015.txt,v 1.9 2001/09/06 13:52:31 lukem Exp $

