From: NetBSD Security Officer (security-officer@netbsd.org)
Date: Mon Jul 23 2001 - 23:57:58 CDT



                     NetBSD Security Advisory 2001-011

    Topic: Insufficient msg_controllen checking for sendmsg(2)

    Version: All releases of NetBSD from 1.3 to 1.5, and -current

    Severity: Any local user can panic the system

    Fixed: NetBSD-current: July 1, 2001
                    NetBSD-1.5 branch: July 2, 2001 (1.5.1 includes the fix)
                    NetBSD-1.4 branch: July 19, 2001


    Due to insufficient length checking in the kernel, sendmsg(2) can be
    used by any local user to cause a kernel trap or an 'out of space in
    kmem_map' panic.

    As of the release date of this advisory, NetBSD releases from 1.3
    up to 1.5 are vulnerable; 1.5.1 ships with the fix.

    Technical Details

    sendmsg(2) sends data through a socket, optionally specifying a
    destination address and ancillary (control) information.

    sendmsg(2) takes a pointer to a struct msghdr that carries the
    remaining arguments for the call. The control information is passed
    through msg_control, and msg_controllen holds its length. The kernel
    uses that length to copy the control information into kernel space
    and place it in an mbuf for further processing. However, it sizes
    the mbuf allocation directly from msg_controllen without any further
    bounds check. A local user can abuse this in two ways: a value
    greater than INT_MAX causes a kernel page fault trap, and a smaller
    but still very large value exhausts kernel memory and produces an
    'out of space in kmem_map' panic. The exact size needed to trigger
    the latter is port dependent, but INT_MAX is commonly enough.
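    The two failure modes above, as an added example that is not part of
    this advisory and not NetBSD kernel code: a small C model of the
    length check on sendmsg(2)'s control-message path, with the flawed
    path beside a hardened one, plus a helper showing how a legitimate
    caller sizes msg_controllen with CMSG_SPACE(). The model assumes that
    a length above INT_MAX wraps negative once the kernel handles it as
    an int (the reading suggested by the advisory's INT_MAX threshold);
    MODEL_KMEM_BUDGET and MAX_CONTROL_LEN are illustrative constants
    chosen here, not NetBSD's, and every function name is ours.

```c
/* Added example modelling the msg_controllen check described in
 * NetBSD-SA2001-011. Not NetBSD source: the limits and function names
 * below are assumptions made for illustration. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed model constants, not NetBSD's: MODEL_KMEM_BUDGET stands in for
 * how much kmem_map can hand out before "out of space in kmem_map";
 * MAX_CONTROL_LEN is the largest control buffer the hardened path will
 * accept (think: one mbuf cluster). */
#define MODEL_KMEM_BUDGET (64UL * 1024 * 1024)
#define MAX_CONTROL_LEN   2048

enum outcome { OUT_OK = 0, OUT_EINVAL, OUT_TRAP, OUT_KMEM_PANIC };

/* Model of the flawed path: only the minimum size is checked (in the
 * length's unsigned type, so huge values pass), then the allocation is
 * sized straight from msg_controllen, by now handled as a signed int. */
enum outcome vulnerable_outcome(size_t controllen)
{
    if (controllen < sizeof(struct cmsghdr))
        return OUT_EINVAL;
    int alloc_len = (int)controllen;          /* > INT_MAX wraps negative */
    if (alloc_len < 0)
        return OUT_TRAP;                      /* negative length: page fault trap */
    if ((unsigned long)alloc_len > MODEL_KMEM_BUDGET)
        return OUT_KMEM_PANIC;                /* 'out of space in kmem_map' */
    return OUT_OK;
}

/* Hardened path: bound the length in its own unsigned type, before any
 * conversion or allocation, against the largest control buffer the
 * kernel is prepared to hold. Anything outside that range is a caller
 * error and gets EINVAL; the allocator is never reached. */
enum outcome hardened_outcome(size_t controllen)
{
    if (controllen < sizeof(struct cmsghdr) || controllen > MAX_CONTROL_LEN)
        return OUT_EINVAL;
    return OUT_OK;
}

/* A legitimate caller: fill a control buffer for passing one descriptor
 * over a Unix socket (SCM_RIGHTS) and return the msg_controllen to use.
 * CMSG_SPACE()/CMSG_LEN() are the portable way to size it; returns 0 if
 * the caller's buffer is too small. */
size_t fill_fd_passing_control(void *cbuf, size_t cbuflen, int fd)
{
    size_t needed = CMSG_SPACE(sizeof(int));
    if (cbuflen < needed)
        return 0;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_control = cbuf;
    msg.msg_controllen = (socklen_t)needed;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    return needed;
}

int main(void)
{
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    size_t good = fill_fd_passing_control(u.buf, sizeof u.buf, 0);
    /* Constructed sample lengths: one valid, one oversize, two that wrap. */
    size_t samples[] = { 0, good, (size_t)INT_MAX, (size_t)INT_MAX + 1, SIZE_MAX };
    const char *names[] = { "OK", "EINVAL", "TRAP", "KMEM_PANIC" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("msg_controllen=%-20zu vulnerable=%-10s hardened=%s\n",
               samples[i], names[vulnerable_outcome(samples[i])],
               names[hardened_outcome(samples[i])]);
    return 0;
}
```

    Run as is, it prints a table of the sample lengths with both verdicts.
    The point is that the hardened check rejects in the length's own
    unsigned type before anything is converted or allocated, so neither
    the negative-length case nor the oversize case ever reaches the
    allocator.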

    Solutions and Workarounds

    All NetBSD official releases from 1.3 are vulnerable.

    Kernel sources must be updated and a new kernel built and installed.
    The instructions for updating your kernel sources depend upon which
    particular NetBSD release you are running.

    * NetBSD-current:

            Systems running NetBSD-current dated from before 2001-07-01
            should be upgraded to NetBSD-current dated 2001-07-01 or later.

            The following source directories need to be updated from
            the netbsd-current CVS branch (aka HEAD):

            Alternatively, apply the following patch (with potential offset
            differences):

    * NetBSD 1.5:

            Systems running NetBSD 1.5 dated from before 2001-07-02 should be
            upgraded from NetBSD 1.5 sources dated 2001-07-02 or later.

            The following source directory needs to be updated from the
            netbsd-1-5 CVS branch:

            Alternatively, apply the following patch (with potential offset
            differences):

            NetBSD 1.5.1 is not vulnerable.

    * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

            Systems running NetBSD 1.4 dated from before 2001-07-19 should be
            upgraded from NetBSD 1.4 sources dated 2001-07-19 or later.

            The following source directory needs to be updated from the
            netbsd-1-4 CVS branch:

            Alternatively, apply the following patch (with potential offset
            differences):

    * NetBSD 1.3, 1.3.1, 1.3.2, 1.3.3:

            Apply the following patch (with potential offset differences):

    Once the kernel sources have been updated, rebuild the kernel,
    install it, and reboot. For more information on how to do this,


    Thanks To

    Jaromir Dolecek <jdolecek@NetBSD.org> for finding the problem, and
    supplying a test program showing the problem.

    Matt Thomas <matt@NetBSD.org> for a fix.

    Revision History

            2001-07-20 Initial revision

    More Information

    An up-to-date PGP signed copy of this release will be maintained at

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

    Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.

    $NetBSD: NetBSD-SA2001-011.txt,v 1.7 2001/07/20 01:16:54 lukem Exp $