From: Ruslan Ermilov (ru@FreeBSD.org)
Date: Fri Sep 07 2001 - 12:32:23 CDT


    Oh, and we are vulnerable to this too. :-(
    At least the semop() thing.

    On Thu, Sep 06, 2001 at 09:57:42AM -0700, NetBSD Security Officer wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    >
    > NetBSD Security Advisory 2001-015
    > =================================
    >
    > Topic: Insufficient checking of lengths passed from userland to kernel
    >
    > Version: NetBSD-current: source prior to August 5, 2001
    > NetBSD-1.5.1: affected
    > NetBSD-1.5: affected
    > NetBSD-1.4.*: affected
    >
    > Severity: Any local user can panic the system, and/or execute
    > arbitrary code and gain root privileges.
    >
    > Fixed: NetBSD-current: August 5, 2001
    > NetBSD-1.5 branch: August 16, 2001 (1.5.2 includes the fix)
    >
    >
    > Abstract
    > ========
    >
    > The problem for which NetBSD SA2001-011 was issued (``Insufficient
    > msg_controllen checking for sendmsg(2)'') urged an audit of
    > NetBSD code to look for similar issues in other parts of kernel.
    >
    > A number of issues were found. In a number of places lengths or
    > sizes passed from userland were used by the kernel without sufficient
    > checks.
    >
    > Most of the problems involved errors handling signed versus unsigned
    > values, in some cases the code was not checking for negative values.
    >
    > The actual severity of these problems varies, and three different
    > problem severity groups have been identified:
    >
    > 1. semop(2) - exploitable by any user for denial of service or
    > to execute arbitrary kernel code
    >
    > 2. mount args - exploitable by any user for denial of service if
    > user mounts are enabled (it's disabled by default on NetBSD 1.5
    > and later)
    >
    > 3. some device ioctls - exploitable by any user with write access
    > to appropriate device files (by default only root has write access
    > on most device files)
    >
    > Technical Details
    > =================
    >
    > The kernel function sys_semop() (which is the entry point for the
    > semop(2) syscall) stores an unsigned argument 'nsops' in a local signed
    > variable. If a user passes a sufficiently big 'nsops' value (>INT_MAX),
    > the local signed variable ends up negative and passes the bound check.
    > The value is then used for copyin() data from user memory to local array
    > on the process's kernel stack. Since the number of bytes to copyin is
    > computed as 'nsops * sizeof(struct sembuf)', this can be used to copy an
    > almost arbitrary number of bytes from userland to the caller process's
    > kernel stack due to int overflow. This can be exploited to cause a
    > kernel trap, or call arbitrary kernel code. This can also be exploited
    > to execute arbitrary code on architectures where stack memory is
    > executable.
    >
    > NFS did not check the nfs file handle size. This could be exploited in
    > a way similar to the semop(2) issue. Furthermore, NFS did not check the
    > size of authenticator and verifier strings sufficiently. UMAPFS did not
    > check the nentries and gnentries mount arguments.
    > Generic code in kern/nfs_subr.c:vfs_hand_addrlist() did not properly
    > bound check the specified size of export addresses; this code is
    > used by all filesystems to handle exports. All these problems
    > could be exploited to cause a panic.
    >
    > The following drivers had potentially exploitable weak checking in their
    > ioctl(9) routines. These should be exploitable to cause a kernel
    > panic. Some of these drivers are new on -current and don't exist
    > in NetBSD/1.5.
    >
    > amiga: majority of graphic grf-like device drivers
    > arm32: vidcvideo
    > hpcmips: plumvideo
    > macppc: ofb
    > sparc: cgtwo, fb
    > sun3: cg2, fb
    > hpcsh: hd64461video
    > machine-independent: coda, bt, mlx, pci/tga, tc/cfb, tc/mfb,
    > tc/sfb, tc/tfb, tc/xcfb, tc/sfbplus, tc/stic,
    > wsdisplay, wskbd, ccd, ppp, isdn
    >
    > The lfs_markv(2) system call did not check the blkcnt argument. This
    > problem is exploitable to cause a panic. This system call is restricted
    > to root only.
    >
    > Solutions and Workarounds
    > =========================
    >
    > NetBSD official releases up to and including 1.5.1 are vulnerable.
    > NetBSD 1.5.2 is NOT vulnerable.
    >
    > Kernel sources must be updated and a new kernel built and installed.
    > Once the kernel sources have been updated, rebuild the kernel,
    > install it, and reboot. For more information on how to do this,
    > see:
    > http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
    >
    > The instructions for updating your kernel sources depend upon which
    > particular NetBSD release you are running.
    >
    >
    > * NetBSD-current:
    >
    > Systems running NetBSD-current dated from before 2001-08-05
    > should be upgraded to NetBSD-current dated 2001-08-06 or later.
    >
    > The following source directories need to be updated from
    > the netbsd-current CVS branch (aka HEAD):
    > src/sys/kern
    > src/sys/miscfs/umapfs
    > src/sys/ufs/lfs
    > src/sys/nfs
    > src/sys/dev
    > src/sys/arch
    >
    >
    > Alternatively, apply the following patch (with potential offset
    > differences):
    > ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-015-kernlen-current.patch
    >
    > To patch:
    > # cd src/sys
    > # patch < /path/to/SA2001-015-kernlen-current.patch
    >
    >
    > * NetBSD 1.5, 1.5.1:
    >
    > Systems running NetBSD 1.5 dated from before 2001-08-16 should be
    > upgraded from NetBSD 1.5 sources dated 2001-08-17 or later.
    >
    > The following source directories need to be updated from the
    > netbsd-1-5 CVS branch:
    > src/sys/kern
    > src/sys/miscfs/umapfs
    > src/sys/nfs
    > src/sys/dev
    > src/sys/arch
    >
    >
    > Alternatively, apply the following patch (with potential offset
    > differences):
    > ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-015-kernlen-1.5.patch
    >
    > To patch:
    > # cd src/sys
    > # patch < /path/to/SA2001-015-kernlen-1.5.patch
    >
    >
    > * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
    >
    > At this time there are no fixes or patches available for
    > the NetBSD 1.4 branch.
    >
    >
    > Thanks To
    > =========
    >
    > Jaromir Dolecek for copyin/malloc audit work.
    >
    > Konrad Schroder for review of LFS fix.
    >
    > Ken Ashcraft Stanford, Constantine Sapuntzakis and
    > Frank van den Linden for finding and fixing
    > the NFS file handle length problem.
    >
    > Andrew Doran for review of the mlx fix.
    >
    > Steve Woodford for review of sun3/vme and xd/xy driver changes,
    > which turned out to not be necessary.
    >
    > Christos Zoulas for general feedback.
    >
    >
    > Revision History
    > ================
    >
    > 2001-09-06 Initial release
    >
    >
    > More Information
    > ================
    >
    > An up-to-date PGP signed copy of this release will be maintained at
    > ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-015.txt.asc
    >
    > Information about NetBSD and NetBSD security can be found at
    > http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
    >
    >
    > Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.
    >
    > $NetBSD: NetBSD-SA2001-015.txt,v 1.9 2001/09/06 13:52:31 lukem Exp $
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.0.6 (NetBSD)
    > Comment: For info see http://www.gnupg.org
    >
    > iQCVAwUBO5d/Gj5Ru2/4N2IFAQF9YAP/ckqmwEHQcuqaOiJ/XJw7zREJ6luIgp5j
    > CLz0ahgcpFgbDe6QGUQBdouK4FlD6/uTAc4euJ9Dyiq0tVRty2U5yAbJPjOznv8r
    > T72DjjK+HN4UDvnz+DRniC7upWzDjfEgdi/tb74sWKF/RA9e+3mk0Ecd4UzpmMrl
    > CxH4j9XcqTI=
    > =exNB
    > -----END PGP SIGNATURE-----

    -- 
    Ruslan Ermilov		Oracle Developer/DBA,
    ru@sunbay.com		Sunbay Software AG,
    ru@FreeBSD.org		FreeBSD committer,
    +380.652.512.251	Simferopol, Ukraine

    http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age

    To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
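The signed-versus-unsigned mistake the advisory describes for sys_semop() is easier to see in a few lines of C. The block below is an added illustration written for this archive page; it is not NetBSD kernel code, not part of the advisory, and not from the quoted post. The struct layout matches the System V sembuf, but MAX_SOPS, the function names and the "hostile" input are constructed for the example. It models the flawed check (unsigned argument stored in a signed local, so a value above INT_MAX turns negative, passes the upper-bound test, and then produces a wrapped byte count), the corrected check that stays unsigned and bounds the count before any size arithmetic, and a generic overflow-safe length helper of the kind that would also cover the NFS handle, UMAPFS nentries and export-address cases the advisory lists, since all of them are "count times element size" lengths arriving from userland.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the length-check flaw in the advisory.
 * Nothing here is NetBSD code: MAX_SOPS, the function names and the
 * test input are assumptions made for this example. */

struct sembuf {                 /* same shape as the System V sembuf */
    unsigned short sem_num;
    short sem_op;
    short sem_flg;
};

#define MAX_SOPS 100            /* hypothetical per-call limit, not NetBSD's constant */
#define KSTACK_BUF_BYTES (MAX_SOPS * sizeof(struct sembuf))

/* Outcome of the argument check: whether the call would proceed, and the
 * byte count copyin() would be handed if it did. */
struct check_result {
    int accepted;
    size_t nbytes;
};

/* The flawed pattern: the unsigned syscall argument is stored in a signed
 * local. Any value above INT_MAX becomes negative, satisfies the
 * "nsops <= MAX_SOPS" test, and then feeds a size computation that wraps
 * to an enormous length. */
struct check_result vulnerable_semop_check(unsigned int nsops_arg)
{
    struct check_result r = { 0, 0 };
    int nsops = (int)nsops_arg;                 /* signed local, as in the bug */

    if (nsops > MAX_SOPS)                       /* a negative nsops passes here */
        return r;

    r.accepted = 1;
    r.nbytes = (size_t)nsops * sizeof(struct sembuf); /* negative -> wraps huge */
    return r;
}

/* The corrected pattern: keep the count unsigned so no negative case exists,
 * reject out-of-range counts before computing any size, and derive the byte
 * count only from a value already proven to fit the stack buffer. Rejecting
 * a zero count is a choice made for this example. */
struct check_result fixed_semop_check(unsigned int nsops_arg)
{
    struct check_result r = { 0, 0 };
    size_t nsops = nsops_arg;                   /* unsigned throughout */

    if (nsops == 0 || nsops > MAX_SOPS)
        return r;

    r.accepted = 1;
    r.nbytes = nsops * sizeof(struct sembuf);   /* <= KSTACK_BUF_BYTES by construction */
    return r;
}

/* Generic form of the same check for any "count * element size" length
 * taken from userland. Returns the byte count if count * elem_size fits in
 * max_bytes, or 0 to reject. Dividing instead of multiplying means the
 * product is never formed until it is known not to overflow. */
size_t checked_user_len(size_t count, size_t elem_size, size_t max_bytes)
{
    if (count == 0 || elem_size == 0)
        return 0;
    if (count > max_bytes / elem_size)          /* would exceed the buffer or wrap */
        return 0;
    return count * elem_size;
}

int main(void)
{
    unsigned int hostile = 0xFFFFFFF0u;         /* constructed input, > INT_MAX */
    struct check_result v = vulnerable_semop_check(hostile);
    struct check_result f = fixed_semop_check(hostile);

    printf("vulnerable: accepted=%d nbytes=%zu (stack buffer is %zu bytes)\n",
           v.accepted, v.nbytes, (size_t)KSTACK_BUF_BYTES);
    printf("fixed:      accepted=%d nbytes=%zu\n", f.accepted, f.nbytes);
    printf("checked_user_len(100, %zu, %zu) = %zu\n",
           sizeof(struct sembuf), (size_t)KSTACK_BUF_BYTES,
           checked_user_len(100, sizeof(struct sembuf), KSTACK_BUF_BYTES));
    return 0;
}
```

Running the program shows the flawed check accepting the oversized count with a byte length far larger than the buffer while the corrected check rejects it; the same unsigned-comparison-then-bound-then-multiply order is what a reviewer should look for in any kernel path that turns a user-supplied count into a copyin() length.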