Hello,

Please ignore this advisory for now as it contains errors. It will be
published again after these errors have been addressed.

I am deeply sorry for my failure to provide you a good service on this
matter.

On Wed, Aug 27, 2014 at 09:36:07AM +0000, NetBSD Security Officer wrote:
> NetBSD Security Advisory 2014-010
> =================================
>
> Topic:     Multiple vulnerabilities in the compatibility layers
>
>
> Version:   NetBSD-current:     source prior to Tue, Apr 15th 2014
>            NetBSD 6.1 - 6.1.4: affected
>            NetBSD 6.0 - 6.0.5: affected
>            NetBSD 5.1 - 5.1.4: affected
>            NetBSD 5.2 - 5.2.2: affected
>
> Severity:  Local DoS
>
> Fixed:     NetBSD-current:     Tue, Apr 15th 2014
>            NetBSD-6-0 branch:  Mon, Apr 21st 2014
>            NetBSD-6-1 branch:  Mon, Apr 21st 2014
>            NetBSD-6 branch:    Mon, Apr 21st 2014
>            NetBSD-5-2 branch:  Wed, May 14th 2014
>            NetBSD-5-1 branch:  Wed, May 14th 2014
>            NetBSD-5 branch:    Wed, May 14th 2014
>
> Teeny versions released later than the fix date will contain the fix.
>
> Please note that NetBSD releases prior to 5.1 are no longer supported.
> It is recommended that all users upgrade to a supported release.
>
>
> Abstract
> ========
>
> Four compatibility layers are affected by several vulnerabilities:
>
> 1) FreeBSD compatibility: NULL pointer dereference
> 2) NetBSD 32-bit compatibility: Zero-sized memory allocation
> 3) Digital UNIX (formerly OSF/1) compatibility: Zero-sized
>    memory allocation
> 4) Linux and Linux 32-bit compatibility: User-controllable
>    kernel memory array index.
>
> Each of them allows a local user to crash the system.
>
>
> Technical Details
> =================
>
> For more clarity the four layers affected will be referred to as
> COMPAT_xx, where xx is the emulated system.
>
> 1) Due to a programming mistake in COMPAT_FREEBSD, a simple call to the
>    sched_getparam system call would cause the kernel to dereference a
>    NULL pointer, and thus to crash.
> 2) Due to a missing input validation check in COMPAT_NETBSD32's kevent
>    system call, a user could cause the kernel to perform a zero-sized
>    memory allocation, resulting in a crash.
> 3) Due to a missing input validation check in COMPAT_OSF1's
>    getdirentries system call, a user could cause the kernel to perform
>    a zero-sized memory allocation, resulting in a crash.
> 4) Due to missing input validation checks in the COMPAT_LINUX and
>    COMPAT_LINUX32 ELF binary loader, a specially-crafted binary could
>    control a kernel memory array index - address from which data is
>    read. Attempting to read at an unmapped memory page will cause the
>    kernel to crash.
>
>
> Solutions and Workarounds
> =========================
>
> - Disable the compatibility modules
> -----------------------------------
> You can achieve this with the modunload(8) tool. Please read the
> appropriate manual page. For example, you can disable the Linux modules
> by moving the kernel object files out of the way. These are located in:
>
>
> /stand/${MACHINE_ARCH}/${KERNEL_VERSION}/modules/compat_${NAME}/compat_${NAME}.kmod
>
> And running the following command to unload them:
>
>     # modunload compat_${NAME}
>
> The modules have dependencies, so you need to unload them in the proper
> order.
>
> You can also disable these modules by rebuilding your kernel without the
> COMPAT_${NAME} options.
>
> Note however that it is to be considered as a temporary workaround, and
> you are strongly advised to fix your system from source.
>
> - Fix from source
> -----------------
> For all NetBSD versions, you need to obtain fixed kernel sources,
> rebuild and install the new kernel, and reboot the system.
>
> The fixed source may be obtained from the NetBSD CVS repository.
> The following instructions briefly summarise how to upgrade your
> kernel.
> In these instructions, replace:
>
>     ARCH     with your architecture (from uname -m),
>     KERNCONF with the name of your kernel configuration file and
>     VERSION  with the file version below
>
> File versions containing the fixes:
>
> FILE  HEAD  netbsd-6   netbsd-6-1  netbsd-6-0  netbsd-5   netbsd-5-2  netbsd-5-1
> ----  ----  --------   ----------  ----------  --------   ----------  ----------
> src/sys/compat/freebsd/freebsd_sched.c
>       1.20  1.19.40.1  1.19.56.1   1.19.46.1   1.19.10.1  1.19.48.1   1.19.24.1
> src/sys/compat/netbsd32/netbsd32_compat_50.c
>       1.24  1.20.6.1   1.20.14.1   1.20.12.1   XXXXXXXX   XXXXXXXXXX  XXXXXXXXXX
> src/sys/compat/netbsd32/netbsd32_event.c
>       1.11  1.9.10.2   1.9.24.1    1.9.16.1    XXXXXXXX   XXXXXXXXXX  XXXXXXXXXX
> src/sys/compat/osf1/osf1_file.c
>       1.42  %          %           %           XXXXXXXX   XXXXXXXXXX  XXXXXXXXXX
> src/sys/compat/linux/common/linux_exec_elf32.c
>       1.91  1.86.2.1   1.86.16.1   1.86.8.1    1.81.10.1  1.81.20.1   1.81.16.1
>
>
> To update from CVS, re-build, and re-install the kernel:
>
>     # cd src
>     # cvs update -d -P -r VERSION sys/compat/freebsd/freebsd_sched.c
>     # cvs update -d -P -r VERSION sys/compat/netbsd32/netbsd32_compat_50.c
>     # cvs update -d -P -r VERSION sys/compat/netbsd32/netbsd32_event.c
>     # cvs update -d -P -r VERSION sys/compat/osf1/osf1_file.c
>     # cvs update -d -P -r VERSION sys/compat/linux/common/linux_exec_elf32.c
>     # ./build.sh kernel=KERNCONF
>     # mv /netbsd /netbsd.old
>     # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
>     # shutdown -r now
>
> For more information on how to do this, see:
>
>     http://www.NetBSD.org/guide/en/chap-kernel.html
>
>
> Thanks To
> =========
>
> Thanks to Maxime Villard, Christos Zoulas, Martin Husemann, Chuck
> Silvers, Enami Tsugutomo and Matt Thomas for finding, fixing and
> helping in fixing these issues.
>
>
> Revision History
> ================
>
>     2014-08-27 Initial release
>
>
> More Information
> ================
>
> Advisories may be updated as new information becomes available.
> The most recent version of this advisory (PGP signed) can be found at
>
>     http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-010.txt.asc
>
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
>
>
> Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
> Redistribution permitted only in full, unmodified form.
>
> $NetBSD: NetBSD-SA2014-010.txt,v 1.1 2014/08/27 00:26:00 tonnerre Exp $
>

Tonnerre
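
Added example, not part of the original message and not NetBSD source code: a user-space C model of the input checks whose absence items 2 to 4 of the quoted advisory describe (a caller-supplied count reaching an allocator, and an index taken from a file selecting a table entry). The allocator stand-in, the record type, the cap, the table and every function name are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in (assumption) for an allocator where size 0 is fatal. */
static int model_panics;
static void *model_alloc(size_t size)
{
    if (size == 0) { model_panics++; return NULL; } /* a kernel would crash here */
    return malloc(size);
}

struct model_event { uint32_t ident, filter; };      /* hypothetical record */
#define MODEL_MAX_EVENTS 1024u                        /* hypothetical cap */

/* Before: the caller-supplied count reaches the allocator unchecked. */
int model_handler_unchecked(size_t nevents)
{
    void *buf = model_alloc(nevents * sizeof(struct model_event));
    if (buf == NULL) return ENOMEM;
    free(buf);
    return 0;
}

/* After: zero is a no-op, oversized counts fail, then allocate. */
int model_handler_checked(size_t nevents)
{
    if (nevents == 0) return 0;
    if (nevents > MODEL_MAX_EVENTS) return EINVAL;
    return model_handler_unchecked(nevents);
}

/* Item 4 pattern: an index read from a file is range-checked before use. */
static const int model_table[4] = { 10, 20, 30, 40 };
int model_lookup(uint32_t idx_from_file, int *out)
{
    if (idx_from_file >= sizeof model_table / sizeof model_table[0]) return EINVAL;
    *out = model_table[idx_from_file];
    return 0;
}

int main(void)
{
    int v = 0, a = model_handler_unchecked(0), b = model_handler_checked(0);
    int c = model_lookup(9, &v), d = model_lookup(1, &v);
    printf("count 0: unchecked=%d checked=%d panics=%d\n", a, b, model_panics);
    printf("index 9: %d, index 1: %d (value %d)\n", c, d, v);
    return 0;
}
```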