Subject: NetBSD Security Advisory 2005-003: F_CLOSEM local denial of service
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: tech-security
Date: 11/08/2005 09:54:56
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2005-003
		 =================================

Topic:		F_CLOSEM local denial of service

Version:	NetBSD-current:	source prior to January 12, 2005
		NetBSD 2.1:	not affected
		NetBSD 2.0.2:	not affected
		NetBSD 2.0:	affected
		NetBSD 1.6.*:	not affected

Severity:	Local Denial-of-Service

Fixed:		NetBSD-current:		January 12, 2005
		NetBSD-2-0 branch:	March 16, 2005
						(2.0.2 includes the fix)
		NetBSD-2 branch:	March 16, 2005 
						(2.1 includes the fix)


Abstract
========

A bug in the way the file descriptor table of a process is manipulated
can be triggered by calling the F_CLOSEM fnctl() with the parameter 0,
which means "close all opened file descriptors".

The result of the bug is that the kernel will loop endlessly,
effectively locking up the computer.

Any local user can trigger the bug.


Technical Details
=================

The F_CLOSEM fnctl() call takes a parameter and makes the kernel close
all file descriptors of the process whose number is greater or equal to
the parameter.

fd_lastfile in the process's descriptor table keeps track of the last file
descriptor index used by the process, and its value is maintained by
find_last_set(). A change in find_last_set() that made it return 0 and not
- -1 (like it used to) when no files were used caused an infinite loop in
the kernel, leading to local denial-of-service triggerable by any user.


Solutions and Workarounds
=========================

There is no workaround for this issue. It is recommended that users of
affected NetBSD versions upgrade their kernel.

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of the
kernel.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2005-01-12
	should be upgraded to NetBSD-current dated 2005-01-13 or later.

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		sys/kern/kern_descrip.c

	To update from CVS, re-build, and re-install the kernel:

		# cd src
		# cvs update -d -P sys/kern/kern_descrip.c
		# ./build.sh kernel=GENERIC
		# mv /netbsd /netbsd.old
		# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
		# shutdown -r now


* NetBSD 2.0:

	The binary distribution of NetBSD 2.0 is vulnerable.

	NetBSD 2.1 includes the fix.

	Systems running NetBSD 2.0 sources dated from before
	2005-01-12 should be upgraded from NetBSD 2.0 sources dated
	2005-01-13 or later.

	The following files need to be updated from the
	netbsd-2-0 CVS branch:
		sys/kern/kern_descrip.c

	To update from CVS, re-build, and re-install the kernel:

		# cd src
		# cvs update -d -P -r netbsd-2-0 sys/kern/kern_descrip.c
		# ./build.sh kernel=GENERIC
		# mv /netbsd /netbsd.old
		# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
		# shutdown -r now


Thanks To
=========

Brian Marcotte, for discovering and reporting the issue.

Greg Oster and Quentin Garnier, for analysis and fixes.


Revision History
================

	2005-10-31	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-003.txt,v 1.10 2005/10/31 19:11:45 gendalia Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fKRj5Ru2/4N2IFAQKyJQP/cF9a8IM4ayqS2nNv0HPgL4uPvbmnHPDW
F76FTxFDfrImmkMNrdIBaj/1B/LS41+iMWTJJFGWNkqZjzXKVLuD7/rLDKGjI1Aa
WfmS7gHoZcI5p5A0x+RFtOM399sQX2/cC5a0hcGamKncBChKMNEdn3u//q/HC+4e
rpQReunJrFU=
=SfoJ
-----END PGP SIGNATURE-----