NetBSD Security Advisory 2014-003: posix_spawn unbounded kernel memory allocation

To: NetBSD current users <current-users%NetBSD.org@localhost>
Subject: NetBSD Security Advisory 2014-003: posix_spawn unbounded kernel memory allocation
From: NetBSD Security Officer <security-officer%NetBSD.org@localhost>
Date: Thu, 6 Mar 2014 00:51:18 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-003
                 =================================

Topic:          posix_spawn unbounded kernel memory allocation

Version:        NetBSD-current:         affected prior to 2014-02-02
                NetBSD 6.1*:            affected
                NetBSD 6.0*:            affected
                NetBSD 5.2*:            not affected
                NetBSD 5.1*:            not affected


Severity:       Local Unprivileged Denial of Service


Fixed:          NetBSD-current:         Feb 1st, 2014
                NetBSD-6 branch:        Feb 3rd, 2014
                NetBSD-6-1 branch:      Feb 3rd, 2014
                NetBSD-6-0 branch:      Feb 3rd, 2014


Abstract
========

Missing argument validation in the implementation of the posix_spawn
system call could be abused to cause the kernel to try to allocate
unlimited amounts of memory, causing a panic.


Technical Details
=================

The posix_spawn system call allows a userland process to pass a list of
file handle changes, to be applied in the new created child process before
running the target binary. The kernel needs to allocate kernel memory
and copy the user process data to that. Missing argument validation 
failed to put a limit on the size of this list and allowed a malicious
program to cause the kernel to run out of memory.

Since the number of file handles is limited for the calling (and the to
be created) process, and making multiple (repeated) changes to the same
file handle does make only limited sense (assume a non-malicious program
to maximally close and reopen each file handle once), the maximum list
size will not exceed twice the number of allowed open file handles.

The kernel will now enforce this limit upfront to the allocation and fail
the posix_spawn system call otherwise. Libc was adjusted to deal with the
new limit in a graceful manner. Additionally, a non-security bug in libc
was fixed.


Solutions and Workarounds
=========================

Update your libc and your kernel.

To do a binary update, download
http://nyftp.netbsd.org/pub/NetBSD-daily/<YOUR_RELEASE>/<DATE>/<ARCH>/binary/sets/base.tgz
http://nyftp.netbsd.org/pub/NetBSD-daily/<YOUR_RELEASE>/<DATE>/<ARCH>/binary/sets/comp.tgz

and if you use a standard kernel
http://nyftp.netbsd.org/pub/NetBSD-daily/<YOUR_RELEASE>/<DATE>/<ARCH>/binary/kernel/<YOURKERNEL>.gz

Replace <YOUR_RELEASE> with the release you are running (look at the
output of the "uname -r" command, e.g. 5.1.2 would be netbsd-5-1),
<DATE> with any date later than the fix dates, and <ARCH> with your
machine arch (look at the output of the "uname -m" command, e.g. amd64
for modern PC machines). <YOURKERNEL> would be the name of the kernel
configuration your system is running, which can be found in the output
of "uname -v", e.g. "GENERIC" or "XEN3_DOMU".

Install the new kernel and reboot, then install the userland fixes:
cd /
tar xzpf $path_to/comp.tgz ./usr/share/man/html3/posix_spawn\*
tar xzpf $path_to/comp.tgz ./usr/share/man/man3/posix_spawn\*
tar xzpf $path_to/base.tgz ./lib/libc.so\* ./usr/lib/libc.so*
and reboot again.

To update from source:
Update kernel and libc source to a version newer than the fix date for your
branch. The files in the fix are:

FILE    HEAD            netbsd-6        netbsd-6-1      netbsd-6-0
lib/libc/gen/posix_spawn.3
        1.5             1.2.2.1         1.2.8.1         1.2.6.1
lib/libc/gen/posix_spawn_file_actions_addopen.3
        1.4             1.1.2.1         1.1.8.1         1.1.6.1
lib/libc/gen/posix_spawn_file_actions_init.3
        1.4             1.1.2.1         1.1.8.1         1.1.6.1
lib/libc/gen/posix_spawn_fileactions.c
        1.3             1.1.2.2         1.1.2.1.6.1     1.1.2.1.4.1
sys/compat/netbsd32/netbsd32_execve.c
        1.38            1.33.2.3        1.33.2.2.2.1    1.33.2.1.4.2
sys/kern/kern_exec.c
        1.373           1.339.2.7       1.339.2.6.2.1   1.339.2.5.4.2


For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
                                      
The fixed source may be obtained from the NetBSD CVS repository.        
The following instructions briefly summarise how to upgrade your        
system.  In these instructions, replace:

  ARCH          with your architecture (from uname -m), and                  
  KERNCONF      with the name of your kernel configuration file.    

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/compat/netbsd32/netbsd32_execve.c 
        # cvs update -d -P sys/kern/kern_exec.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd 
        # shutdown -r now

For more information on how to do this, see:    

   http://www.NetBSD.org/docs/guide/en/chap-kernel.html


The following instructions describe how to upgrade your libc
binary by updating your source tree and rebuilding and installing
a new version of libc.

To update from CVS, re-build, and re-install libc:

        # cd src
        # cvs update -d -P lib/libc/gen/posix_spawn_fileactions.c
        # cvs update -d -P lib/libc/gen/posix_spawn.3
        # cvs update -d -P lib/libc/gen/posix_spawn_file_actions_addopen.3
        # cvs update -d -P lib/libc/gen/posix_spawn_file_actions_init.3
        # cd lib/libc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # shutdown -r now


Thanks To
=========

Maxime Villard for pointing out the issue and preparing a patch.
Matt Thomas for suggesting the limit enforced now.


Revision History
================

        2014-03-05      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-003.txt,v 1.1 2014/03/05 21:29:46 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTF5dSAAoJEAZJc6xMSnBuAHEQAJT8RdnCVxGycm3N4qEC2Jd4
CM0jUcek/TzpkL2HnGJ33YjoFPeevC5wWJpvvd4InZgy6xg9zipYcnKXZaHB7o/k
aGcQXrklcMypJLmMjNKDr8hQVjsj5iYBnyOyV/XBxNAON27uWGY9EgQMKE/l95D4
XPnmtup2AEAn74dLzHRG+GbErVveBhPORSQUrTk5jF2L92qvRpd9WM4A+z/kpoms
6qwi+jqt0EYTnSjCiUzmDgGOk5Gu2wDicNKexTi11u+Cxg5l/9pTwHGbwkyp/q3h
mL6WB/xZa5R8nfCwgZJc/DuQjOoHU/5ogawL8LSAVBbBM6CKGrIGtJn2Y4n3zXuS
4VvNFBdkf/vRc7ata5VWUHKUkhTr+I7cxD0LuIf56CpduIiAFBcQ3gjaEOdGM+gR
z8bH5oZ3pezJvwEbibrJ79ZHTZ1C8qiKOVq5+dI3zAH1nSEilsJKan1nXaqP/rH+
V4OEhBQAdPWu88/W86d2w0XNRX/YBIozNuOcved1m/FT15TblBLxfrbBkaiwlP7S
MJmyvtpedfjYTBb4yTknLkVzxRSn4eeaNkReUmUN1SBDg1gEr+NClivpmPHDs7wB
nDBqzH0dwGzP3trRCPcrn9zdR6MwGLN5aMWtGKQ+h99fSeHyHSDR6myDFYC3Zz9M
+jwYYsntRPISkn+l/oZC
=hlyQ
-----END PGP SIGNATURE-----
Prev by Date: Re: Porting DTrace to ARM
Next by Date: Re: Porting DTrace to ARM
Previous by Thread: pic.h
Next by Thread: daily CVS update output
Indexes:
Home | Main Index | Thread Index | Old Index