-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2013-009 ================================= Topic: user settable small BPF buffer can cause a panic Version: NetBSD-current: source prior to Sept 10th, 2013 NetBSD 6.1: affected NetBSD 6.0: affected NetBSD 5.1: affected NetBSD 5.2: affected Severity: Local DoS Fixed: NetBSD-current: Sept 9th, 2013 NetBSD-6-0 branch: Sept 11th, 2013 NetBSD-6-1 branch: Sept 11th, 2013 NetBSD-6 branch: Sept 11th, 2013 NetBSD-5-1 branch: Sept 11th, 2013 NetBSD-5-2 branch: Sept 11th, 2013 NetBSD-5 branch: Sept 11th, 2013 Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== Setting the bpf buffer size manually to be less than the required number of bytes to store the bpf header will crash the system. Technical Details ================= On NetBSD with 64-bit bpf_timeval, the minimum allowed BPF buffer size is the same size as the size of struct bpf_hdr. When BPF reports a packet, it will add the link-layer-type header and the bpf_hdr to the buffer it was supplied, and then add captured data in the remaining bytes. Setting the buffer size via ioctl BIOCSBLEN checks against BPF_MINBUFSIZE, but this test is not adequate since it does not include the size of the link layer header. As the link layer header size can change, no check there would be adequate. When calculating the size left for captured data (buffer size minus the sum of the size of the two headers) it may thus get a negative size. It will proceed to use this length e.g. to copy data into the buffer, but the copying routine will use an unsigned variable for the size of the buffer to copy to, and thus get a very large number. When the copy routine copies captured data to the buffer, it will leave the bounds of the buffer, and a panic will result. Solutions and Workarounds ========================= Workaround: /dev/bpf* usually can only be read by root. If you have not changed this default: avoid running bpf programs that try to use a buffer size smaller than 36 on ethernet and 120 on wifi. Fix: Install a kernel containing the fix. The fastest way to do that, if you are running or can run a standard kernel built as part of the NetBSD release process, is to obtain the corresponding kernel from the daily NetBSD autobuild output and install it on your system. You can obtain such kernels from http://nyftp.netbsd.org/pub/NetBSD-daily/ where they are sorted by NetBSD branch, date, and architecture. To fix a system running e.g. NetBSD 6.0 or the stable NetBSD 6.0 branch, the most appropriate kernel will be the "netbsd-6-0" kernel. To fix a system running NetBSD-current, the "HEAD" kernel should be used. In all cases, a kernel from an autobuild dated newer than the fix date for the branch you are using must be used to fix the problem. If you cannot use the autobuilt kernels, then for all affected NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), and KERNCONF with the name of your kernel configuration file. NEWVERSION with the CVS version of the fix Versions of src/sys/net/bpf.c: Branch NEWVERSION --------------------------- HEAD 1.176 netbsd-6 1.168.2.1 netbsd-6-1 1.168.8.1 netbsd-6-0 1.168.6.1 netbsd-5 1.141.6.3 netbsd-5-2 1.141.6.2.2.1 netbsd-5-1 1.141.6.1.6.1 To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -rNEWVERSION sys/net/bpf.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/guide/en/chap-kernel.html Thanks To ========= Thanks to Peter Bex, who found and analyzed the problem, and Christos Zoulas, who created the fix. Revision History ================ 2013-09-11 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-009.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2013, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2013-009.txt,v 1.1 2013/09/11 10:36:59 tonnerre Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (NetBSD) iQIcBAEBAgAGBQJSMEgOAAoJEAZJc6xMSnBuMsgP/R7CC04vTs8zwUYUFuxIooxQ oCJxa2qS3cIkAhO+uC6SErj9it0X8jaMqXT9XvLLnZJCTG+fP36Plu+UHDpisaE9 xzN7s6SxTK3xvco15ufaoKmucSskmLEW+aJZuNKO8ua9HMVe71vAAPplVW0pl5p5 QmzXyRR6iYFtkopWvfWU0TTKgofwSo3nc4sktGHDMs4F6288EIa5X7ulwlbaC0VF Ats0toXGhAOt3/bjusDylONBU5ubS13C6maZrbSDyKsOrffZEGOkWbH+jBEM1mXG xrKh2n8Y7EDyWYSooA0Sc8gixQmZQdKBB0/LC9PgxTj4oeNaivMvw1lt6QgMWeG7 AJPLbXVPtzdEJozQ6jC7eDuXLlyE7b/Kk8oexOnn59UCJEgtzmDR6GmIfVtWZ0NQ 2971sfz/yKKKwOun2dFe8b3VXE27zuvbQX5AA5fytSUV4328GZqdT7f0q4SaPM63 aaz5HoGcTYSucR8z08FmD7+4I5CtN5oJkgyFXfB54lRZE/W3afYzvpSxE10c1VHi nQ8T+gU0JkOJXBiUe2yH8PRpkQxNeDJZIpB8rH6AK8FJ8MBYzvVrbuJvDm6BDjtv DmQC+1ighhxTIiZ76E7e268WqTpfltEYHVvH8VUUZk8jUmRzd/qme7CZZLXQfcfs +mvbxWQlRvEURNihrPkB =M2Na -----END PGP SIGNATURE-----