-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2001-011 ================================= Topic: Insufficient msg_controllen checking for sendmsg(2) Version: All releases of NetBSD from 1.3 to 1.5, and -current Severity: Any local user can panic the system Fixed: NetBSD-current: July 1, 2001 NetBSD-1.5 branch: July 2, 2001 (1.5.1 includes the fix) NetBSD-1.4 branch: July 19, 2001 Abstract ======== Due to insufficient length checking in the kernel, sendmsg(2) can be used by a local user to cause a kernel trap, or an 'out of space in kmem_map' panic. As of the release date of this advisory, NetBSD releases from 1.3 up to any later release, are vulnerable. Technical Details ================= sendmsg(2) can be used to send data through a socket, optionally specifying destination address and control information. sendmsg(2) accepts a pointer to struct msghdr, which holds further information for the call. The pointer to control information is passed via msg_control, msg_controllen helds the length of the control information. This is used to read the control information into kernel space and put it in an mbuf for further processing. However, the kernel attempts to allocate mbuf storage as specified in msg_controllen without further checks. This behaviour can be abused to cause a kernel page fault trap if the value is higher than INT_MAX, or to cause an 'out of space in kmem_map' panic for lower values. The exact size to cause the latter is port dependant, though INT_MAX is commonly enough to trigger the panic. Solutions and Workarounds ========================= All NetBSD official releases from 1.3 are vulnerable. Kernel sources must be updated and a new kernel built and installed. The instructions for updating your kernel sources depend upon which particular NetBSD release you are running. * NetBSD-current: Systems running NetBSD-current dated from before 2001-07-01 should be upgraded to NetBSD-current dated 2001-07-01 or later. The following source directories need to be updated from the netbsd-current CVS branch (aka HEAD): src/sys/kern Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-current.patch * NetBSD 1.5: Systems running NetBSD 1.5 dated from before 2001-07-02 should be upgraded from NetBSD 1.5 sources dated 2001-07-02 or later. The following source directory needs to be updated from the netbsd-1-5 CVS branch: src/sys/kern Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch NetBSD 1.5.1 is not vulnerable. * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3: Systems running NetBSD 1.4 dated from before 2001-07-19 should be upgraded from NetBSD 1.4 sources dated 2001-07-19 or later. The following source directory needs to be updated from the netbsd-1-4 CVS branch: src/sys/kern Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch * NetBSD 1.3, 1.3.1, 1.3.2, 1.3.3: Apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch Once the kernel sources have been updated, rebuild the kernel, install it, and reboot. For more information on how to do this, see: http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel Thanks To ========= Jaromir Dolecek for finding the problem, and supplying a test program showing the problem. Matt Thomas for a fix. Revision History ================ 2001-07-20 Initial revision. 2001-07-25 Correct year in advisory header. 2001-07-27 Update link to kernel build instructions. More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-011.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2001-011.txt,v 1.9 2001/07/26 23:39:43 lukem Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO2CqOz5Ru2/4N2IFAQE7lAP/Rn+RcoJ6+BfH/lcwULz4wRbzUaTgU3Q+ x8vL39NTap0kQJXXIg/ocT7/u3945hCC+/OEbBR4Qqkdd8jW9QfuawacluUd29pM ullHvTEXnbk1OcJfLzYWJVAm5xSOc/8FIH/5qONBMsh+IZh3hsRzJ+zhHsksCno+ BMmCu7wW3E4= =TIx4 -----END PGP SIGNATURE-----