NetBSD modctl() Memory Allocation Error Lets Local Users Deny Service
SecurityTracker Alert ID: 1030766
SecurityTracker URL: http://securitytracker.com/id/1030766
Date: Aug 27 2014
Denial of service via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.1 - 5.1.4, 5.2 - 5.2.2, 6.0 - 6.0.5, 6.1 - 6.1.4
A vulnerability was reported in NetBSD. A local user can cause denial of service conditions.
A local user can trigger an input validation flaw in the modctl() system call to cause a memory allocation error, leading to a system crash.
Maxime Villard reported this vulnerability.
A local user can cause the target system to crash.
The vendor has issued a fix.
The vendor's advisory is available at:
Vendor URL: ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc
Input validation error
Source Message Contents
Subject: NetBSD Security Advisory 2014-011: User-controlled memory allocation in the modctl system call
NetBSD Security Advisory 2014-011
Topic: User-controlled memory allocation in the modctl system call
Version: NetBSD-current: source prior to Thu, Jul 10th 2014
NetBSD 6.1 - 6.1.4: affected
NetBSD 6.0 - 6.0.5: affected
NetBSD 5.1 - 5.1.4: affected
NetBSD 5.2 - 5.2.2: affected
Severity: Local DoS
Fixed: NetBSD-current: Thu, Jul 10th 2014
NetBSD-6-1 branch: Mon, Jul 14th 2014
NetBSD-6-0 branch: Mon, Jul 14th 2014
NetBSD-6 branch: Mon, Jul 14th 2014
NetBSD-5.2 branch: Mon, Jul 14th 2014
NetBSD-5.1 branch: Mon, Jul 14th 2014
NetBSD-5 branch: Mon, Jul 14th 2014
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
Due to missing input validation checks, a local (un)privileged user
could cause the kernel to perform a zero-sized or unbounded memory
allocation, resulting in a crash.
The modctl system call takes as second argument a buffer which is
represented as a structure when loading a kernel module. This structure
indicates special information on how to load a module, including a
string pointer and the length of the string pointed to. A kernel buffer
of the same size is allocated, but no check was performed to ensure the
size is neither too low nor too high, thus allowing a local user to
crash the system.
Solutions and Workarounds
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0 netbsd-5 netbsd-5-2 netbsd-5-1
- ---- ---- -------- ---------- ---------- -------- ---------- ----------
1.15 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52.6.1 184.108.40.206.2.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/kern/sys_module.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
Thanks to Maxime Villard, who found the issue and provided a fix.
2014-08-27 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-011.txt,v 1.1 2014/08/27 00:33:51 tonnerre Exp $
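The length check that the advisory describes as missing, sketched as an added userland C example (not NetBSD's code and not the committed fix). The struct, the function name, the PROPS_MAX_LEN cap and the error codes are assumptions made for illustration, and memcpy() stands in for the kernel's copy from user space.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound for this example; not a value from the advisory. */
#define PROPS_MAX_LEN 4096u

/* Userland model of a load request: caller-supplied pointer plus length. */
struct load_req {
    const char *props;    /* caller-controlled string pointer */
    size_t      propslen; /* caller-controlled length of that string */
};

/*
 * Validate the caller-supplied length before it reaches the allocator,
 * then copy the string. Returns 0 and sets *out on success (NULL when no
 * string was supplied), or an errno value with *out left NULL.
 */
int copy_props_checked(const struct load_req *req, char **out)
{
    char *buf;

    *out = NULL;
    if (req->props == NULL)
        return 0;                      /* no string supplied: nothing to copy */
    if (req->propslen == 0)
        return EINVAL;                 /* would be a zero-sized allocation */
    if (req->propslen > PROPS_MAX_LEN)
        return E2BIG;                  /* would be an unbounded allocation */
    buf = malloc(req->propslen + 1);
    if (buf == NULL)
        return ENOMEM;
    memcpy(buf, req->props, req->propslen); /* stand-in for a user copy */
    buf[req->propslen] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    /* Constructed requests: zero length, oversized length, valid length. */
    struct load_req reqs[] = { { "x", 0 }, { "x", (size_t)-1 }, { "key=value", 9 } };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        char *copy;
        int error = copy_props_checked(&reqs[i], &copy);
        printf("request %zu: error=%d copy=%s\n", i, error, copy ? copy : "(none)");
        free(copy);
    }
    return 0;
}
```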