Subject: NetBSD Security Advisory 2005-002: Local DoS via audio device with specific drivers
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: tech-security
Date: 06/30/2005 18:12:42
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-002
=================================
Topic: Local DoS via audio device with specific drivers
Version: NetBSD-current: source prior to June 13, 2005
NetBSD 2.0.2: affected
NetBSD 2.0.1: affected
NetBSD 2.0: affected
NetBSD 1.6.2: affected
NetBSD 1.6.1: affected
NetBSD 1.6: affected
Severity: local user with access to audio device can cause kernel trap
Fixed: NetBSD-current: June 12, 2005
NetBSD-3.0 branch: June 12, 2005 (3.0 will include the fix)
NetBSD-2.0 branch: June 13, 2005 (2.0.3 and 2.1 will
include the fix)
NetBSD-1.6 branch: June 17, 2005 (1.6.3 will include the
fix
Abstract
========
With CS4280/4281, or SB Live, or SB PC 512 audio hardware, a local user
of the audio device can crash the machine through the ioctl system call.
Technical Details
=================
The set-parameters ioctl() call of the audio subsystem allows programs
to set audio stream parameters as well as the pause state, the internal
ring buffer, and audio DMA block size used.
When pause state was set to "unpaused" in the same ioctl() call as
changing the block size information, playing/recording used to be
started without recomputing the buffering parameters. Some drivers would
use this information in a division by zero, thus crashing the kernel.
The clcs and emuxki drivers are affected. If you do not have Cirrus
Logic CS4280/CS4281, SB Live!, or SB PC 512 hardware installed in a
system, then this vulnerability does not affect that system.
Solutions and Workarounds
=========================
The common part of the audio subsystem has been changed to ensure that
the device parameters are not left in an uninitialized state. So, while
the vulnerability was exposed by certain drivers, the fix is in the
device-independent audio code.
As a temporary measure, system administrators of multi-user machines may
want to disable access to the audio device for all users until an
upgraded kernel can be booted. To do this, as the root user, execute:
chown root /dev/audio* /dev/audioctl* /dev/sound*
chmod 000 /dev/audio* /dev/audioctl* /dev/sound*
Single-user machines can be left as-is if the user can be trusted to
not crash the machine willingly or to not complain afterwards.
Solutions and Workarounds
=========================
*** Updating with a GENERIC or other kernel from the base distribution:
The NetBSD-daily source builds provide a set of kernels that can be used
on systems that run GENERIC, or one of the other distribution kernels.
Below, BRANCH, DATE, and ARCH are:
BRANCH with the appropriate CVS branch
ARCH with your architecture (from uname -m), and
DATE Any date after the fixed dates, shown here:
NetBSD-current: June 12, 2005
NetBSD-3.0 branch: June 12, 2005
NetBSD-2.0 branch: June 13, 2005
NetBSD-1.6 branch: June 17, 2005
* Note, the latest 1-6 build at the
time of issuing this advisory does not
yet include the fix. (June 16)
ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-daily/{BRANCH}/{DATE}/i386/binary/kernel/{ARCH}/binary/kernel/netbsd-GENERIC.gz
Retrieve the kernel from the appropriate location, then:
cd / && cp /path/to/netbsd-GENERIC.gz /
gzip -d netbsd-GENERIC.gz
The tar file will extract a new copy of:
netbsd-GENERIC
Back up your old kernel:
mv netbsd netbsd.old
Then either rename:
mv netbsd-GENERIC netbsd
or link, as per local site policy:
ln netbsd-GENERIC netbsd
Then, reboot.
*** Patching from sources:
The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new
version of the kernel.
For all NetBSD versions, you need to download the source patch, apply
it to your kernel source tree using the patch(1) command, and rebuild,
install the kernel, and reboot. For more information on how to do
this, see:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
The fix for this issue is contained in one file, sys/dev/audio.c
The following table lists the fixed revisions and
dates of this file for each branch:
CVS branch revision date
------------- ----------- ----------------
HEAD 1.196 2005/06/11
netbsd-3 1.192.4.2 2005/06/11
netbsd-2-0 1.182.2.2 2005/06/12
netbsd-2 1.182.2.1.2.2 2005/06/12
netbsd-1-6 1.155.4.7 2005/06/17
The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:
BRANCH with the appropriate CVS branch (from the above table)
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r BRANCH sys/dev/audio.c
# cd sys/arch/ARCH/conf
# config KERNCONF
# cd ../compile/KERNCONF
# make depend;make; make install
# reboot
Thanks To
=========
Ignatios Souvatzis discovery, initial analysis, implementation of fix
YAMAMOTO Takashi analysis, suggestion for fix
Revision History
================
2005-06-30 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-002.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-002.txt,v 1.5 2005/06/30 09:22:48 wiz Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)
iQCVAwUBQsQFPT5Ru2/4N2IFAQJDfgQAnhPQpnUwxAqg4Xci5bAafb1T5WlDf+lB
o+aYn08gy9AUHwaw+T7rO1p6H+KSxB+4cCJ/rytRJefFgD60wbo8CuVHi/uT57Cy
lGO9GpVuRz2HAInVg0f3TT0z2Kz6X0cn+Z+vrLf1buzR8wsQxyNhZwYzZQ8s27mk
BBbuA26OoCI=
=KIPN
-----END PGP SIGNATURE-----