tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2013-009: user settable small BPF buffer can cause a panic



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                NetBSD Security Advisory 2013-009
                =================================

Topic:          user settable small BPF buffer can cause a panic


Version:        NetBSD-current:         source prior to Sept 10th, 2013
                NetBSD 6.1:             affected
                NetBSD 6.0:             affected
                NetBSD 5.1:             affected
                NetBSD 5.2:             affected

Severity:       Local DoS

Fixed:          NetBSD-current:         Sept 9th, 2013
                NetBSD-6-0 branch:      Sept 11th, 2013
                NetBSD-6-1 branch:      Sept 11th, 2013
                NetBSD-6 branch:        Sept 11th, 2013
                NetBSD-5-1 branch:      Sept 11th, 2013
                NetBSD-5-2 branch:      Sept 11th, 2013
                NetBSD-5 branch:        Sept 11th, 2013

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Setting the bpf buffer size manually to be less than the required
number of bytes to store the bpf header will crash the system.


Technical Details
=================

On NetBSD with 64-bit bpf_timeval, the minimum allowed BPF buffer size
is the same size as the size of struct bpf_hdr. When BPF reports a
packet, it will add the link-layer-type header and the bpf_hdr to the
buffer it was supplied, and then add captured data in the remaining
bytes.

Setting the buffer size via ioctl BIOCSBLEN checks against
BPF_MINBUFSIZE, but this test is not adequate since it does not
include the size of the link layer header. As the link layer header
size can change, no check there would be adequate.

When calculating the size left for captured data (buffer size minus
the sum of the size of the two headers) it may thus get a negative
size.

It will proceed to use this length e.g. to copy data into the buffer,
but the copying routine will use an unsigned variable for the size of
the buffer to copy to, and thus get a very large number. When the copy
routine copies captured data to the buffer, it will leave the bounds
of the buffer, and a panic will result.


Solutions and Workarounds
=========================

Workaround:
/dev/bpf* usually can only be read by root. If you have not changed
this default: avoid running bpf programs that try to use a buffer size
smaller than 36 on ethernet and 120 on wifi.

Fix:
Install a kernel containing the fix.

The fastest way to do that, if you are running or can run a standard
kernel built as part of the NetBSD release process, is to obtain the
corresponding kernel from the daily NetBSD autobuild output and
install it on your system.

You can obtain such kernels from http://nyftp.netbsd.org/pub/NetBSD-daily/
where they are sorted by NetBSD branch, date, and architecture.  To
fix a system running e.g. NetBSD 6.0 or the stable NetBSD 6.0 branch,
the most appropriate kernel will be the "netbsd-6-0" kernel.

To fix a system running NetBSD-current, the "HEAD" kernel should be
used.  In all cases, a kernel from an autobuild dated newer than the
fix date for the branch you are using must be used to fix the problem.

If you cannot use the autobuilt kernels, then for all affected NetBSD
versions, you need to obtain fixed kernel sources, rebuild and install
the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

  ARCH        with your architecture (from uname -m), and
  KERNCONF    with the name of your kernel configuration file.
  NEWVERSION  with the CVS version of the fix

Versions of src/sys/net/bpf.c:
        Branch          NEWVERSION
        ---------------------------
        HEAD            1.176
        netbsd-6        1.168.2.1
        netbsd-6-1      1.168.8.1
        netbsd-6-0      1.168.6.1
        netbsd-5        1.141.6.3
        netbsd-5-2      1.141.6.2.2.1
        netbsd-5-1      1.141.6.1.6.1

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -rNEWVERSION sys/net/bpf.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd 
        # shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Thanks to Peter Bex, who found and analyzed the problem,
and Christos Zoulas, who created the fix.


Revision History
================

        2013-09-11      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2013, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2013-009.txt,v 1.1 2013/09/11 10:36:59 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (NetBSD)

iQIcBAEBAgAGBQJSMEgOAAoJEAZJc6xMSnBuMsgP/R7CC04vTs8zwUYUFuxIooxQ
oCJxa2qS3cIkAhO+uC6SErj9it0X8jaMqXT9XvLLnZJCTG+fP36Plu+UHDpisaE9
xzN7s6SxTK3xvco15ufaoKmucSskmLEW+aJZuNKO8ua9HMVe71vAAPplVW0pl5p5
QmzXyRR6iYFtkopWvfWU0TTKgofwSo3nc4sktGHDMs4F6288EIa5X7ulwlbaC0VF
Ats0toXGhAOt3/bjusDylONBU5ubS13C6maZrbSDyKsOrffZEGOkWbH+jBEM1mXG
xrKh2n8Y7EDyWYSooA0Sc8gixQmZQdKBB0/LC9PgxTj4oeNaivMvw1lt6QgMWeG7
AJPLbXVPtzdEJozQ6jC7eDuXLlyE7b/Kk8oexOnn59UCJEgtzmDR6GmIfVtWZ0NQ
2971sfz/yKKKwOun2dFe8b3VXE27zuvbQX5AA5fytSUV4328GZqdT7f0q4SaPM63
aaz5HoGcTYSucR8z08FmD7+4I5CtN5oJkgyFXfB54lRZE/W3afYzvpSxE10c1VHi
nQ8T+gU0JkOJXBiUe2yH8PRpkQxNeDJZIpB8rH6AK8FJ8MBYzvVrbuJvDm6BDjtv
DmQC+1ighhxTIiZ76E7e268WqTpfltEYHVvH8VUUZk8jUmRzd/qme7CZZLXQfcfs
+mvbxWQlRvEURNihrPkB
=M2Na
-----END PGP SIGNATURE-----


Home | Main Index | Thread Index | Old Index