NetBSD Security Advisory 2014-011: User-controlled memory allocation in the modctl system call
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 NetBSD Security Advisory 2014-011 = Topic: User-controlled memory allocation in the modctl system call Version:NetBSD-current: source prior to Thu, Jul 10th 2014 NetBSD 6.1 - 6.1.4: affected NetBSD 6.0 - 6.0.5: affected NetBSD 5.1 - 5.1.4: affected NetBSD 5.2 - 5.2.2: affected Severity: Local DoS Fixed: NetBSD-current: Thu, Jul 10th 2014 NetBSD-6-1 branch: Mon, Jul 14th 2014 NetBSD-6-0 branch: Mon, Jul 14th 2014 NetBSD-6 branch:Mon, Jul 14th 2014 NetBSD-5.2 branch: Mon, Jul 14th 2014 NetBSD-5.1 branch: Mon, Jul 14th 2014 NetBSD-5 branch:Mon, Jul 14th 2014 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract Due to missing input validation checks, a local (un)privileged user could cause the kernel to perform a zero-sized or unbounded memory allocation, resulting in a crash. Technical Details = The modctl system call takes as second argument a buffer which is represented as a structure when loading a kernel module. This structure indicates special information on how to load a module, including a string pointer and the length of the string pointed to. A kernel buffer of the same size is allocated, but no check was performed to ensure the size is neither too low nor too high, thus allowing a local user to crash the system. Solutions and Workarounds = For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), KERNCONF with the name of your kernel configuration file and VERSION with the file version below File versions containing the fixes: FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0 netbsd-5 netbsd-5-2 netbsd-5-1 - -- -- -- -- sys/kern/sys_module.c 1.15 1.13.8.1 1.13.14.1 1.13.12.1 1.8.4.2 1.8.4.1.6.1 1.8.4.1.2.1 To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P -r VERSION sys/kern/sys_module.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/guide/en/chap-kernel.html Thanks To = Thanks to Maxime Villard, who found the issue and provided a fix. Revision History 2014-08-27 Initial release More Information Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2014-011.txt,v 1.1 2014/08/27 00:33:51 tonnerre Exp $ -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBAgAGBQJT/SeDAAoJEAZJc6xMSnBuBL4QAIW2I1UEwOmj5kWStYYl1Pxh AZLvbbi2u89q1Dw2OHqycsCTA4E2FNMCJI0Dqr4jHYvTFjQY52K33vTw/u5K5YxC etdYXa68W7u1rKedajx+H/BLBTKNHCwjL4uA7AsIs7XQTQqIYDKRr8SkPdH/j/kH 7Szd90WHWisDVzET+91sGbGmw7wFIiXm80Ovp+DI9/Aib13eQ9GlxEQ4cCRBBIwQ Smu86UI92BYarbPjKq+INwbYSc0uZDnuUPXq2UgJtp10VpKDdxmYZPrn4nvggJOf HCe95l9vo3L6Fs/5g5jU9TjiHd0X/SEfwSx0sN168U5+vyu2l87fCxSrFxM16aJW N0b7PhrO6WOL3LPzZXXNDjUh2LxOINcNvB3zO8PAMrf4XOzYQfRhXByQlZ2orcOf w6ly9sWBvSSgV39BkM8Lh+selVZ6z2mzlfL4nBa2Jb8CLTtiKfzPyDTmxIZcZuH5 SJ1P7nTFvwW5fk+8Ff7zo00gCikSa+vTfu29OdWgrdrwSyuIcP+ZO+gP7GHzcU5U QQl1qzqx8PurKuMY732aigPyosPPb8KLRebokXWVUuygnd3MzJFpDsJhn/QiIXce 4YA7IYMBMGT6+5R0l57m950lCdnoBIf5pTu7Y3/jaAQBfTQHIGyhYItHSgwUe97N gDnChdomglOFD4nWmOwp =g8zM -END PGP SIGNATURE-
NetBSD Security Advisory 2014-011: User-controlled memory allocation in the modctl system call
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
NetBSD Security Advisory 2014-011
=
Topic: User-controlled memory allocation in the modctl system call
Version:NetBSD-current: source prior to Thu, Jul 10th 2014
NetBSD 6.1 - 6.1.4: affected
NetBSD 6.0 - 6.0.5: affected
NetBSD 5.1 - 5.1.4: affected
NetBSD 5.2 - 5.2.2: affected
Severity: Local DoS
Fixed: NetBSD-current: Thu, Jul 10th 2014
NetBSD-6-1 branch: Mon, Jul 14th 2014
NetBSD-6-0 branch: Mon, Jul 14th 2014
NetBSD-6 branch:Mon, Jul 14th 2014
NetBSD-5.2 branch: Mon, Jul 14th 2014
NetBSD-5.1 branch: Mon, Jul 14th 2014
NetBSD-5 branch:Mon, Jul 14th 2014
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
Due to missing input validation checks, a local (un)privileged user
could cause the kernel to perform a zero-sized or unbounded memory
allocation, resulting in a crash.
Technical Details
=
The modctl system call takes as second argument a buffer which is
represented as a structure when loading a kernel module. This structure
indicates special information on how to load a module, including a
string pointer and the length of the string pointed to. A kernel buffer
of the same size is allocated, but no check was performed to ensure the
size is neither too low nor too high, thus allowing a local user to
crash the system.
Solutions and Workarounds
=
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0 netbsd-5 netbsd-5-2 netbsd-5-1
-- -- -- --
sys/kern/sys_module.c
1.15 1.13.8.1 1.13.14.1 1.13.12.1 1.8.4.2 1.8.4.1.6.1 1.8.4.1.2.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/kern/sys_module.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
http://www.NetBSD.org/guide/en/chap-kernel.html
Thanks To
=
Thanks to Maxime Villard, who found the issue and provided a fix.
Revision History
2014-08-27 Initial release
More Information
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-011.txt,v 1.3 2014/08/30 07:00:29 maxv Exp $
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
iQIcBAEBAgAGBQJUDhArAAoJEAZJc6xMSnBuHygP/juhVWWrWtPQQzGbCE9Jksqn
SEvyoNvSNtjUdp+1gSqsZe8x7xYg2DNaGqvVORYVm9fpP7Kn5//7ub1GaI1PNbVP
+7Vn4jtNs+jeMrhLo5yAhSilb3DorRTIzvhkyNmU1P9zwAaHuV1PNIjBDkmXN3mL
JbxSf6/X5xcSl3gCmE6UE+sQ45bvLVMnKEv0cuNO6CLxf0YKuJCTyp6Wh55bzjPq
Vw64j2WLB1mU/EVhF7GHHQ1QhnpoGnZ1UwYxVlqeH1dR+9RPYj1Kjh784kDOVN6K
j2yulxDLrz07we1IEqmWW7slLK3qWRARLJgEDd6NEiB677GImuYDRYtEdUFI/wSV
NcoDXCAoFeFuvZUqjFCbKmcC0bBrfoBbRLvuLyogAZ51iAbUpJpUwn6BamftcRo/
2qKwdNDbaqXvXTGeaF98DKR+RsiG69Z1P9l2OmzSV29Jn2WC9Tz5Dbh2Dd5fsHQV
t0tCCApbI2UiLu4OFi9DhxhraiO0gBlPaTjtnc1fnyLapjw4lZFo2q6xnHmrtj4l
CYTQuVghHly4yeDHPMISpipmgzx9Z/lQadUejbv65j1Id4PLMPSezNKzSZJRy+D2
I7cv0rn0nT2PVDNRbmsVpZCiJjILKI4GXcwpXfKEma/dEeqJjuClwe5P/zZffYOx
4y8sbEeOXHwBqmF76e+d
=wcom
-END PGP SIGNATURE-
Re: NetBSD Security Advisory 2014-011: User-controlled memory allocation in the modctl system call
Salut, Please ignore this advisory for now as it contains errors. It will be re-published once these errors have been addressed. I am deeply sorry for my failure to handle these advisories in an appropriate way and to provide you with the level of service you deserve. On Wed, Aug 27, 2014 at 09:36:40AM +, NetBSD Security Officer wrote: > NetBSD Security Advisory 2014-011 > = > > Topic:User-controlled memory allocation in the modctl system > call > > > Version: NetBSD-current: source prior to Thu, Jul 10th 2014 > NetBSD 6.1 - 6.1.4: affected > NetBSD 6.0 - 6.0.5: affected > NetBSD 5.1 - 5.1.4: affected > NetBSD 5.2 - 5.2.2: affected > > Severity: Local DoS > > Fixed:NetBSD-current: Thu, Jul 10th 2014 > NetBSD-6-1 branch: Mon, Jul 14th 2014 > NetBSD-6-0 branch: Mon, Jul 14th 2014 > NetBSD-6 branch:Mon, Jul 14th 2014 > NetBSD-5.2 branch: Mon, Jul 14th 2014 > NetBSD-5.1 branch: Mon, Jul 14th 2014 > NetBSD-5 branch:Mon, Jul 14th 2014 > > Teeny versions released later than the fix date will contain the fix. > > Please note that NetBSD releases prior to 5.1 are no longer supported. > It is recommended that all users upgrade to a supported release. > > > Abstract > > > Due to missing input validation checks, a local (un)privileged user > could cause the kernel to perform a zero-sized or unbounded memory > allocation, resulting in a crash. > > > Technical Details > = > > The modctl system call takes as second argument a buffer which is > represented as a structure when loading a kernel module. This structure > indicates special information on how to load a module, including a > string pointer and the length of the string pointed to. A kernel buffer > of the same size is allocated, but no check was performed to ensure the > size is neither too low nor too high, thus allowing a local user to > crash the system. > > > Solutions and Workarounds > = > > For all NetBSD versions, you need to obtain fixed kernel sources, > rebuild and install the new kernel, and reboot the system. > > The fixed source may be obtained from the NetBSD CVS repository. > The following instructions briefly summarise how to upgrade your > kernel. In these instructions, replace: > > ARCH with your architecture (from uname -m), > KERNCONF with the name of your kernel configuration file and > VERSION with the file version below > > File versions containing the fixes: > > FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0 netbsd-5 netbsd-5-2 netbsd-5-1 > -- -- -- -- > sys/kern/sys_module.c > 1.15 1.13.8.1 1.13.14.1 1.13.12.1 1.8.4.2 1.8.4.1.6.1 > 1.8.4.1.2.1 > > To update from CVS, re-build, and re-install the kernel: > > # cd src > # cvs update -d -P -r VERSION sys/kern/sys_module.c > # ./build.sh kernel=KERNCONF > # mv /netbsd /netbsd.old > # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd > # shutdown -r now > > For more information on how to do this, see: > >http://www.NetBSD.org/guide/en/chap-kernel.html > > > Thanks To > = > > Thanks to Maxime Villard, who found the issue and provided a fix. > > > Revision History > > > 2014-08-27 Initial release > > > More Information > > > Advisories may be updated as new information becomes available. > The most recent version of this advisory (PGP signed) can be found at > > http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc > > Information about NetBSD and NetBSD security can be found at > http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . > > > Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved. > Redistribution permitted only in full, unmodified form. > > $NetBSD: NetBSD-SA2014-011.txt,v 1.1 2014/08/27 00:33:51 tonnerre Exp $ > > Tonnerre pgp8Z97e2ymER.pgp Description: PGP signature
