NetBSD-Announce archive


NetBSD Security Advisory 2014-003: posix_spawn unbounded kernel memory allocation


                 NetBSD Security Advisory 2014-003

Topic:          posix_spawn unbounded kernel memory allocation

Version:        NetBSD-current:         affected prior to 2014-02-02
                NetBSD 6.1*:            affected
                NetBSD 6.0*:            affected
                NetBSD 5.2*:            not affected
                NetBSD 5.1*:            not affected

Severity:       Local Unprivileged Denial of Service

Fixed:          NetBSD-current:         Feb 1st, 2014
                NetBSD-6 branch:        Feb 3rd, 2014
                NetBSD-6-1 branch:      Feb 3rd, 2014
                NetBSD-6-0 branch:      Feb 3rd, 2014


Missing argument validation in the implementation of the posix_spawn
system call could be abused to cause the kernel to try to allocate
unlimited amounts of memory, causing a panic.

Technical Details

The posix_spawn system call allows a userland process to pass a list of
file handle changes to be applied in the newly created child process
before the target binary runs. The kernel allocates kernel memory for this
list and copies the user process data into it. Missing argument validation
meant no limit was placed on the size of this list, which allowed a
malicious program to make the kernel run out of memory.

Since the number of file handles is limited for both the calling process
and the process to be created, and repeated changes to the same file
handle make only limited sense (a non-malicious program would at most
close and reopen each file handle once), the maximum list size will not
exceed twice the number of allowed open file handles.

The kernel now enforces this limit before the allocation and otherwise
fails the posix_spawn system call. Libc was adjusted to handle the new
limit gracefully. Additionally, a non-security bug in libc was fixed.
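The following is an added illustration of the check described above, not NetBSD's kernel code: the length of the user-supplied file-action list is validated against twice the per-process open-file limit before any memory is allocated. The struct layout, field names and function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of one file-action entry; the real NetBSD layout is
 * not reproduced here and the field names are assumptions. */
struct fae {
    int fae_action;     /* constructed: 0 = open, 1 = dup2, 2 = close */
    int fae_fildes;
    int fae_newfildes;
};

/* Largest acceptable list length: a well-behaved program closes and
 * reopens each descriptor at most once, hence 2 * maxfiles. */
size_t file_actions_limit(size_t maxfiles)
{
    if (maxfiles > SIZE_MAX / 2)
        return SIZE_MAX;                   /* never let the cap itself wrap */
    return 2 * maxfiles;
}

/*
 * Copy a user-supplied file-action list into freshly allocated memory.
 * The count is validated before anything is allocated, so an oversized
 * request is rejected with EINVAL instead of driving the allocator.
 * Returns 0 on success (caller frees *out) or an errno value.
 */
int copyin_file_actions(const struct fae *user, size_t len, size_t maxfiles,
                        struct fae **out)
{
    size_t bytes;

    *out = NULL;
    if (len == 0)
        return 0;                          /* nothing to apply */
    if (user == NULL)
        return EFAULT;
    if (len > file_actions_limit(maxfiles))
        return EINVAL;                     /* the check the fix introduces */
    if (len > SIZE_MAX / sizeof(struct fae))
        return EINVAL;                     /* size arithmetic must not wrap */
    bytes = len * sizeof(struct fae);
    *out = malloc(bytes);
    if (*out == NULL)
        return ENOMEM;
    memcpy(*out, user, bytes);             /* stands in for copyin(9) */
    return 0;
}
```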

Solutions and Workarounds

Update your libc and your kernel.

To do a binary update, download

        <YOUR_RELEASE>/<DATE>/<ARCH>/binary/sets/base.tgz
        <YOUR_RELEASE>/<DATE>/<ARCH>/binary/sets/comp.tgz

and if you use a standard kernel

        <YOUR_RELEASE>/<DATE>/<ARCH>/binary/kernel/<YOURKERNEL>.gz

Replace <YOUR_RELEASE> with the release you are running (look at the
output of the "uname -r" command, e.g. 5.1.2 would be netbsd-5-1),
<DATE> with any date later than the fix dates, and <ARCH> with your
machine arch (look at the output of the "uname -m" command, e.g. amd64
for modern PC machines). <YOURKERNEL> would be the name of the kernel
configuration your system is running, which can be found in the output
of "uname -v", e.g. "GENERIC" or "XEN3_DOMU".

Install the new kernel and reboot, then install the userland fixes:

        # cd /
        # tar xzpf $path_to/comp.tgz ./usr/share/man/html3/posix_spawn\*
        # tar xzpf $path_to/comp.tgz ./usr/share/man/man3/posix_spawn\*
        # tar xzpf $path_to/base.tgz ./lib/\* ./usr/lib/\*

and reboot again.

To update from source:
Update kernel and libc source to a version newer than the fix date for your
branch. The files in the fix are:

FILE    HEAD            netbsd-6        netbsd-6-1      netbsd-6-0
        1.373           1.339.2.7       1.339.   1.339.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.        
The following instructions briefly summarise how to upgrade your        
system.  In these instructions, replace:

  ARCH          with your architecture (from uname -m), and                  
  KERNCONF      with the name of your kernel configuration file.    

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/compat/netbsd32/netbsd32_execve.c 
        # cvs update -d -P sys/kern/kern_exec.c
        # ./ kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd 
        # shutdown -r now

For more information on how to do this, see:

The following instructions describe how to upgrade your libc
binary by updating your source tree and rebuilding and installing
a new version of libc.

To update from CVS, re-build, and re-install libc:

        # cd src
        # cvs update -d -P lib/libc/gen/posix_spawn_fileactions.c
        # cvs update -d -P lib/libc/gen/posix_spawn.3
        # cvs update -d -P lib/libc/gen/posix_spawn_file_actions_addopen.3
        # cvs update -d -P lib/libc/gen/posix_spawn_file_actions_init.3
        # cd lib/libc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # shutdown -r now

Thanks To

Maxime Villard for pointing out the issue and preparing a patch.
Matt Thomas for suggesting the limit enforced now.

Revision History

        2014-03-05      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-003.txt,v 1.1 2014/03/05 21:29:46 tonnerre Exp $


