Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: NetBSD Security Advisory 2014-009: Multiple vulnerabilities in the execve system call



Salut,

Please ignore this advisory for now as it contains errors. I was falsely
under the impression that it did not. It will be released again once these
errors have been taken care of.

I am deeply sorry for my failure to provide a good service on this matter.

On Wed, Aug 27, 2014 at 09:35:42AM +0000, NetBSD Security Officer wrote:
>               NetBSD Security Advisory 2014-009
>               =================================
> 
> Topic:                Multiple vulnerabilities in the execve system call
> 
> 
> Version:      NetBSD-current:         source prior to Fri, Feb 14th 2014
>               NetBSD 6.1 - 6.1.3:     affected
>               NetBSD 6.1.4:           not affected
>               NetBSD 6.0 - 6.0.4:     affected
>               NetBSD 6.0.5:           not affected
>               NetBSD 5.1 - 5.1.4:     not affected
>               NetBSD 5.2 - 5.2.2:     not affected
> 
> Severity:     Local DoS
> 
> Fixed:                NetBSD-current:         Fri, Feb 14th 2014
>               NetBSD-6-0 branch:      Fri, Feb 14th 2014
>               NetBSD-6-1 branch:      Fri, Feb 14th 2014
>               NetBSD-6 branch:        Fri, Feb 14th 2014
> 
> Teeny versions released later than the fix date will contain the fix.
> 
> Please note that NetBSD releases prior to 5.1 are no longer supported.
> It is recommended that all users upgrade to a supported release.
> 
> 
> Abstract
> ========
> 
> The execve system call is affected by two vulnerabilities:
>  1) A memory leak in the kernel could cause a local (un)privileged user
> to use up kernel memory via a bogus ELF binary, and thus to freeze - or
> eventually panic - the system.
>  2) A bug in the kernel could lead to a use-after-free condition when
> loading a binary or a script, which would allow a local (un)privileged
> user to crash the system.
> 
> 
> Technical Details
> =================
> 
>  1) When trying to execute an ELF binary, the kernel looks up the
> corresponding "interpreter" (in case of native dynamic ELF binaries: the
> dynamic linker ld.elf_so). If this interpreter cannot be accessed
> appropriately, or if it is bogus, a structure allocated to hold special
> information on this interpreter was not freed.
>     If a standard toolchain is installed, a local user can easily create
> such broken binaries by passing the -dynamic-linker switch to the linker.
> 
>  2) When executing a binary via execve(), the kernel computes the new
> user stack size, and returns an error if this size exceeds the maximum
> architecture-defined stack size or the maximum stack size allowed by the
> calling process through rlimit. However, the variable in charge of hold-
> ing the error code returned was not properly initialised, causing the
> kernel to keep setting up the new process environment and use data that
> was already freed.
>     Both the new stack size and the rlimit stack size are approximately
> user-controllable, which makes it easy to trigger from a local user.
> 
> 
> Solutions and Workarounds
> =========================
> 
> For all NetBSD versions, you need to obtain fixed kernel sources,
> rebuild and install the new kernel, and reboot the system.
>                                       
> The fixed source may be obtained from the NetBSD CVS repository.        
> The following instructions briefly summarise how to upgrade your        
> kernel.  In these instructions, replace:
> 
>   ARCH     with your architecture (from uname -m),               
>   KERNCONF with the name of your kernel configuration file and  
>   VERSION  with the file version below
> 
> File versions containing the fixes:
> 
> FILE    HEAD            netbsd-6        netbsd-6-1      netbsd-6-0
> ----    ----            --------        ----------      ----------
> sys/kern/exec_elf.c
>         1.55            1.37.2.2        1.37.2.1.6.1    1.37.2.1.4.1
> sys/kern/kern_exec.c
>         1.403           1.339.2.9       1.339.2.6.2.2   1.339.2.5.4.3
> 
> To update from CVS, re-build, and re-install the kernel:
> 
>       # cd src
>       # cvs update -d -P -r VERSION sys/kern/exec_elf.c
>       # cvs update -d -P -r VERSION sys/kern/kern_exec.c
>       # ./build.sh kernel=KERNCONF
>       # mv /netbsd /netbsd.old
>       # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd 
>       # shutdown -r now
> 
> For more information on how to do this, see:    
> 
>    http://www.NetBSD.org/guide/en/chap-kernel.html
> 
> 
> Thanks To
> =========
> 
> Thanks to Maxime Villard, who found the issues and provided fixes.
> 
> 
> Revision History
> ================
> 
>       2014-08-27      Initial release
> 
> 
> More Information
> ================
> 
> Advisories may be updated as new information becomes available.
> The most recent version of this advisory (PGP signed) can be found at 
>   
> http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-009.txt.asc
> 
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
> 
> 
> Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
> Redistribution permitted only in full, unmodified form.
> 
> $NetBSD: NetBSD-SA2014-009.txt,v 1.1 2014/08/27 00:19:19 tonnerre Exp $
> 
> 

                                Tonnerre

Attachment: pgp7aLZRixa2N.pgp
Description: PGP signature



Home | Main Index | Thread Index | Old Index