tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2019-001: Several kernel memory disclosure bugs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2019-001
=================================
Topic: Several kernel memory disclosure bugs
Version: NetBSD-current: source prior to Thu, Jan 31st 2019
NetBSD 8.0: affected
NetBSD 7.2: affected
NetBSD 7.1: affected
NetBSD 7.0: affected
Severity: Kernel memory disclosure
Fixed: NetBSD-current: Thu, Jan 31st 2019
NetBSD-8 branch: Fri, Feb 1st 2019
NetBSD-7-1 branch: Fri, Feb 1st 2019
NetBSD-7-0 branch: Fri, Feb 1st 2019
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 7.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract & Technical Details
============================
Several kernel memory disclosure bugs were discovered:
1) Four bytes of kernel stack were leaked in the ntp_gettime system
call.
2) Eight bytes of kernel stack were leaked when executing execve.
3) Many bytes of kernel stack were leaked when processing signals on
several architectures.
4) Four bytes of kernel stack were leaked in several system calls
related to time.
5) An inverted logic in netbsd32 caused some kernel memory bytes to
wrongfully be copied to userland.
6) A missing sanity check in a sysctl caused a severe kernel memory
disclosure.
7) Four bytes of kernel stack were leaked in the kevent system call.
8) Eight bytes of kernel stack were leaked in the gettimer system call.
9) Two bytes of kernel heap were leaked in the net.rtable sysctl.
10) Many bytes of kernel stack were leaked in the swapctl system call.
11) Sixteen bytes of kernel heap were leaked in the settime system call.
12) Four bytes of kernel heap were leaked in the sigaction_sigtramp
system call.
13) Many bytes of kernel stack were leaked in the ptrace system call.
14) Four bytes of kernel stack were leaked in the wait6 system call.
15) Four bytes of kernel stack were leaked in the sigtimedwait system
call.
16) Many bytes of kernel stack were leaked in the msgctl system call
implemented in the compatibility layers.
Solutions and Workarounds
=========================
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel.
The patches can be obtained from NetBSD-current with the following
commands:
ISSUE COMMAND
----- -------
1) cvs rdiff -u -r1.59 -r1.60 src/sys/kern/kern_ntptime.c
2) cvs rdiff -u -r1.461 -r1.462 src/sys/kern/kern_exec.c
3) cvs rdiff -u -r1.320 -r1.321 src/sys/arch/amd64/amd64/machdep.c
3) cvs rdiff -u -r1.2 -r1.3 src/sys/arch/aarch64/aarch64/netbsd32_machdep.c
3) cvs rdiff -u -r1.351 -r1.352 src/sys/arch/alpha/alpha/machdep.c
3) cvs rdiff -u -r1.116 -r1.117 src/sys/arch/amd64/amd64/netbsd32_machdep.c
3) cvs rdiff -u -r1.50 -r1.51 src/sys/arch/arm/arm/sig_machdep.c
3) cvs rdiff -u -r1.25 -r1.26 src/sys/arch/hppa/hppa/sig_machdep.c
3) cvs rdiff -u -r1.812 -r1.813 src/sys/arch/i386/i386/machdep.c
3) cvs rdiff -u -r1.49 -r1.50 src/sys/arch/m68k/m68k/sig_machdep.c
3) cvs rdiff -u -r1.15 -r1.16 src/sys/arch/mips/mips/netbsd32_machdep.c
3) cvs rdiff -u -r1.23 -r1.24 src/sys/arch/mips/mips/sig_machdep.c
3) cvs rdiff -u -r1.45 -r1.46 src/sys/arch/powerpc/powerpc/sig_machdep.c
3) cvs rdiff -u -r1.1 -r1.2 src/sys/arch/riscv/riscv/sig_machdep.c
3) cvs rdiff -u -r1.105 -r1.106 src/sys/arch/sh3/sh3/sh3_machdep.c
3) cvs rdiff -u -r1.288 -r1.289 src/sys/arch/sparc64/sparc64/machdep.c
3) cvs rdiff -u -r1.110 -r1.111 src/sys/arch/sparc64/sparc64/netbsd32_machdep.c
3) cvs rdiff -u -r1.7 -r1.8 src/sys/arch/usermode/target/i386/cpu_i386.c
3) cvs rdiff -u -r1.6 -r1.7 src/sys/arch/usermode/target/x86_64/cpu_x86_64.c
3) cvs rdiff -u -r1.22 -r1.23 src/sys/arch/vax/vax/sig_machdep.c
4) cvs rdiff -u -r1.189 -r1.190 src/sys/kern/kern_time.c
4) cvs rdiff -u -r1.193 -r1.194 src/sys/kern/kern_time.c
5) cvs rdiff -u -r1.47 -r1.48 src/sys/compat/netbsd32/netbsd32_socket.c
6) cvs rdiff -u -r1.218 -r1.219 src/sys/kern/kern_proc.c
7) cvs rdiff -u -r1.103 -r1.104 src/sys/kern/kern_event.c
8) cvs rdiff -u -r1.190 -r1.191 src/sys/kern/kern_time.c
9) cvs rdiff -u -r1.243 -r1.244 src/sys/net/rtsock.c
10) cvs rdiff -u -r1.177 -r1.178 src/sys/uvm/uvm_swap.c
11) cvs rdiff -u -r1.191 -r1.192 src/sys/kern/kern_time.c
11) cvs rdiff -u -r1.109 -r1.110 src/sys/compat/linux/common/linux_misc_notalpha.c
11) cvs rdiff -u -r1.192 -r1.193 src/sys/kern/kern_time.c
12) cvs rdiff -u -r1.349 -r1.350 src/sys/kern/kern_sig.c
13) cvs rdiff -u -r1.45 -r1.46 src/sys/kern/sys_ptrace_common.c
14) cvs rdiff -u -r1.272 -r1.273 src/sys/kern/kern_exit.c
15) cvs rdiff -u -r1.46 -r1.47 src/sys/kern/sys_sig.c
16) cvs rdiff -u -r1.26 -r1.27 src/sys/compat/netbsd32/netbsd32_compat_14.c
16) cvs rdiff -u -r1.36 -r1.37 src/sys/compat/netbsd32/netbsd32_conv.h
16) cvs rdiff -u -r1.4 -r1.5 src/sys/compat/sys/msg.h
These patches were applied to the affected branches.
Thanks To
=========
Thomas Barabosch (of Fraunhofer FKIE) for discovering issue 1).
Maxime Villard for developing KASAN which discovered issues 5) and 6).
Thomas Barabosch and Maxime Villard for designing KLEAK, a feature that
discovered issues 2), 3), 4), 7), 8), 9), 10), 11), 12), 13), 14), 15), 16).
Revision History
================
2019-02-06 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-001.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2019, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2019-001.txt.asc,v 1.1 2019/02/06 15:09:16 christos Exp $
-----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJcWviLAAoJEAZJc6xMSnBu5o8QALmeenfcYV1N1SLztoa0daLb
/Fe8SznOutwB7TmIUafJJRAukciGPQJbuBwGJsPpVffzexOB3o/pKK+jYBb3o2OS
5AcVvtcu4JgFDN72/CxuORr1LmYLT0Ru75RW0KvRrm9tJz3XDPsxjFm+ykNLDXWh
elHi4p7off36R+W0KyHncEnH+8kEIIiYusprhqNb97HkD3cTm1ok+LmZqUAqXMrJ
zmTbsd0xhCat4qX9EFHLo8rFc5znBdiTdrFVM8ZxgKS1sI4OSkLLpKQ9KS3wGOCE
gKpzdFsKF7G3oNJh+LQzubDWLjG4YNc0HQWMPKpLqdxKi8HdChLbfsAHeOAUenzP
EebT+JERtuuSYrFZ4UAg/SMJX5CxSUuSucZYWebyCk9K5NyLdjoGth6EEyGT7up5
RitlQ8K2K2mCm9fOTArFw+HNtpNLekvm6HJGR9sB+wQW9jpW2v35CdLovvTFXX99
fVP74Yqnz5p569kUan6CVCJ0Jsk5Xu/UQlECtLZVQrEkKNnutj++c1fydclxRBj+
BhEUZFSJ/9KcO3LUkpbg3h8ALaWElD9U2PwA5ZNiLevsb/1x/a8CLJ/w0HLB+AHZ
bTvGVpm58qfJefxSFVfy1hKe1LDm+8uB/DP+gH2Yzai5RHCUfWaSiF3nF33OLQt5
1EVQtq0F+IjyfZJ+B/8h
=fD0D
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index