NetBSD BPF Buffer Size Processing Lets Local Users Deny Service
SecurityTracker Alert ID: 1029021|
SecurityTracker URL: http://securitytracker.com/id/1029021
(Links to External Site)
Date: Sep 11 2013
Denial of service via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 5.1, 5.2, 6.0, 6.1|
A vulnerability was reported in NetBSD. A local user can cause denial of service conditions.|
A local user can set the bpf buffer size manually to be less than the required number of bytes to store the bpf header to trigger a kernel panic.
Peter Bex reported this vulnerability.
A local user can trigger a kernel panic.|
The vendor has issued a fix.|
The vendor's advisory is available at:
Vendor URL: ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-009.txt.asc (Links to External Site)
Access control error|
Source Message Contents
Subject: NetBSD Security Advisory 2013-009: user settable small BPF buffer can cause a panic|
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2013-009
Topic: user settable small BPF buffer can cause a panic
Version: NetBSD-current: source prior to Sept 10th, 2013
NetBSD 6.1: affected
NetBSD 6.0: affected
NetBSD 5.1: affected
NetBSD 5.2: affected
Severity: Local DoS
Fixed: NetBSD-current: Sept 9th, 2013
NetBSD-6-0 branch: Sept 11th, 2013
NetBSD-6-1 branch: Sept 11th, 2013
NetBSD-6 branch: Sept 11th, 2013
NetBSD-5-1 branch: Sept 11th, 2013
NetBSD-5-2 branch: Sept 11th, 2013
NetBSD-5 branch: Sept 11th, 2013
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
Setting the bpf buffer size manually to be less than the required
number of bytes to store the bpf header will crash the system.
On NetBSD with 64-bit bpf_timeval, the minimum allowed BPF buffer size
is the same size as the size of struct bpf_hdr. When BPF reports a
packet, it will add the link-layer-type header and the bpf_hdr to the
buffer it was supplied, and then add captured data in the remaining
Setting the buffer size via ioctl BIOCSBLEN checks against
BPF_MINBUFSIZE, but this test is not adequate since it does not
include the size of the link layer header. As the link layer header
size can change, no check there would be adequate.
When calculating the size left for captured data (buffer size minus
the sum of the size of the two headers) it may thus get a negative
It will proceed to use this length e.g. to copy data into the buffer,
but the copying routine will use an unsigned variable for the size of
the buffer to copy to, and thus get a very large number. When the copy
routine copies captured data to the buffer, it will leave the bounds
of the buffer, and a panic will result.
Solutions and Workarounds
/dev/bpf* usually can only be read by root. If you have not changed
this default: avoid running bpf programs that try to use a buffer size
smaller than 36 on ethernet and 120 on wifi.
Install a kernel containing the fix.
The fastest way to do that, if you are running or can run a standard
kernel built as part of the NetBSD release process, is to obtain the
corresponding kernel from the daily NetBSD autobuild output and
install it on your system.
You can obtain such kernels from http://nyftp.netbsd.org/pub/NetBSD-daily/
where they are sorted by NetBSD branch, date, and architecture. To
fix a system running e.g. NetBSD 6.0 or the stable NetBSD 6.0 branch,
the most appropriate kernel will be the "netbsd-6-0" kernel.
To fix a system running NetBSD-current, the "HEAD" kernel should be
used. In all cases, a kernel from an autobuild dated newer than the
fix date for the branch you are using must be used to fix the problem.
If you cannot use the autobuilt kernels, then for all affected NetBSD
versions, you need to obtain fixed kernel sources, rebuild and install
the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
NEWVERSION with the CVS version of the fix
Versions of src/sys/net/bpf.c:
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -rNEWVERSION sys/net/bpf.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
Thanks to Peter Bex, who found and analyzed the problem,
and Christos Zoulas, who created the fix.
2013-09-11 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2013, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2013-009.txt,v 1.1 2013/09/11 10:36:59 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (NetBSD)
-----END PGP SIGNATURE-----
Go to the Top of This SecurityTracker Archive Page