OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NetBSD Security Officer (security-officernetbsd.org)
Date: Mon Jul 23 2001 - 23:57:58 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

                     NetBSD Security Advisory 2000-011
                     =================================

    Topic: Insufficient msg_controllen checking for sendmsg(2)

    Version: All releases of NetBSD from 1.3 to 1.5, and -current

    Severity: Any local user can panic the system

    Fixed: NetBSD-current: July 1, 2001
                    NetBSD-1.5 branch: July 2, 2001 (1.5.1 includes the fix)
                    NetBSD-1.4 branch: July 19, 2001

    Abstract
    ========

    Due to insufficient length checking in the kernel, sendmsg(2) can be
    used by a local user to cause a kernel trap, or an 'out of space in
    kmem_map' panic.

    As of the release date of this advisory, NetBSD releases from 1.3
    up to any later release, are vulnerable.

    Technical Details
    =================

    sendmsg(2) can be used to send data through a socket, optionally
    specifying destination address and control information.

    sendmsg(2) accepts a pointer to struct msghdr, which holds further
    information for the call. The pointer to control information is passed
    via msg_control, msg_controllen helds the length of the control
    information. This is used to read the control information into kernel
    space and put it in an mbuf for further processing. However, the kernel
    attempts to allocate mbuf storage as specified in msg_controllen without
    further checks. This behaviour can be abused to cause a kernel page
    fault trap if the value is higher than INT_MAX, or to cause an 'out of
    space in kmem_map' panic for lower values. The exact size to cause the
    latter is port dependant, though INT_MAX is commonly enough to trigger
    the panic.

    Solutions and Workarounds
    =========================

    All NetBSD official releases from 1.3 are vulnerable.

    Kernel sources must be updated and a new kernel built and installed.
    The instructions for updating your kernel sources depend upon which
    particular NetBSD release you are running.

    * NetBSD-current:

            Systems running NetBSD-current dated from before 2001-07-01
            should be upgraded to NetBSD-current dated 2001-07-01 or later.

            The following source directories need to be updated from
            the netbsd-current CVS branch (aka HEAD):
                    src/sys/kern

            Alternatively, apply the following patch (with potential offset
            differences):
                    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-current.patch

    * NetBSD 1.5:

            Systems running NetBSD 1.5 dated from before 2001-07-02 should be
            upgraded from NetBSD 1.5 sources dated 2001-07-02 or later.

            The following source directory needs to be updated from the
            netbsd-1-5 CVS branch:
                    src/sys/kern

            Alternatively, apply the following patch (with potential offset
            differences):
                    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch
                    
            NetBSD 1.5.1 is not vulnerable.

    * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

            Systems running NetBSD 1.4 dated from before 2001-07-19 should be
            upgraded from NetBSD 1.4 sources dated 2001-07-19 or later.

            The following source directory needs to be updated from the
            netbsd-1-4 CVS branch:
                    src/sys/kern

            Alternatively, apply the following patch (with potential offset
            differences):
                    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch

    * NetBSD 1.3, 1.3.1, 1.3.2, 1.3.3:

            Apply the following patch (with potential offset differences):
                    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch

    Once the kernel sources have been updated, rebuild the kernel,
    install it, and reboot. For more information on how to do this,
    see:

        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

    Thanks To
    =========

    Jaromir Dolecek <jdolecekNetBSD.org> for finding the problem, and
    supplying a test program showing the problem.

    Matt Thomas <mattNetBSD.org> for a fix.

    Revision History
    ================

            2001-07-20 Initial revision

    More Information
    ================

    An up-to-date PGP signed copy of this release will be maintained at
      ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-011.txt.asc

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

    Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.

    $NetBSD: NetBSD-SA2001-011.txt,v 1.7 2001/07/20 01:16:54 lukem Exp $
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (NetBSD)
    Comment: For info see http://www.gnupg.org

    iQCVAwUBO1eSET5Ru2/4N2IFAQEYBgQAt2u+8kPIWZIGvTzb1m0R6bqdJTnE4xpk
    uxkGV8w4GmyhC+aUX4toAkdTgdI2cHejr0tOOVk7OHD3TZ5aKKuzG/ZVunpxPwJc
    q0ivUxDxv63OhXr2EVkPE/l9vrXs2BRuX3CjSHPWRt1knGVM9sYihjKqIDZyLuQS
    Ou2Pb8drDlY=
    =89Oe
    -----END PGP SIGNATURE-----