-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                                    
               ESB-98.181 -- NetBSD Security Advisory 1998-005
                   Problem with mmap(2) and many drivers.
                                    
                              23 November 1998

===========================================================================

The NetBSD Foundation, Inc. has released the following advisory concerning a
a vulnerability with mmap(2) and many drivers.  This vulnerability may allow 
local users to access physical and device memory or cause system instability.


- ---------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 1998-005
                 ---------------------------------

Topic:		Problem with mmap(2) and many drivers.
Version:	NetBSD 1.3.2 and prior; NetBSD-current to 19981120.
Severity:	Local users may be able to access physical and device
		memory or cause system instability.


Abstract
- - --------

Many character device drivers that provide mmap access do not properly
bounds check their arguments.  The impact of this varies widely across
each affected driver.  Some drivers allow access to portions of physical
or device memory or may cause the system to panic or act unreliably.


Technical Details
- - -----------------

The NetBSD character device d_mmap driver-provided service entry is
called by the device page fault routine to check for valid access and
return a machine dependant value (normally a physicaly address or a page
frame number) used to create a virtual to physical address mapping.  One
of the arguments to the d_mmap() routine is `int offset;' which is a
signed value.  Many of the device drivers which implement mmap access
do not properly check for negative values, each having different
failure modes.

For example, on NetBSD/i386 the text console drivers can be fooled
into allowing the console user access to physical memory from 0 to
640KB, but on NetBSD/macppc, the console driver may allow the console
user access to any memory location.

The NetBSD d_mmap interface was inherited by NetBSD from 4.4BSD, and
there may be problems in other 4.4BSD derived operating systems.


Solutions and Workarounds
- - -------------------------

NetBSD 1.3.2 users should upgrade to NetBSD 1.3.3 when it becomes
available, or apply the following patch to their kernel source and
rebuild their kernel.

  ftp://ftp.netbsd.org/pub/NetBSD/misc/security/patches/19981120-d_mmap

NetBSD-current users should update to a source tree newer than
19981120 and rebuild their kernel.

If these actions can not be taken, the following section can be used to
remove access to devices at the file system level, on a per-port and
per-device basis.


Port and Device Specific Details
- - --------------------------------

Below are the NetBSD port and device specific details for each of the
affected drivers.  These do not list `attacks' possible for someone who
is already root, or do not elevate current access.  This list may be
incomplete or even incorrect; the best efforts have been made to ensure
its accuracy in the time permitted.


NetBSD/arm32 and NetBSD/i386 specific problems:
	The pccons and pcvt console drivers allow access from 0 to
	the base address of video memory (640KB).  These drivers must
	be associated with the system console and are normally only
	exploitable to the user logged in on the console.

	Device: /dev/ttyv?

NetBSD/arm32 specific problems:
	On the RISCPC and RC7500 models the physical console driver
	allows access from 0 to the base address of video memory. 
	These drivers must be associated with the system console and
	the device nodes for these may not even exist.

	Device: no default device.

NetBSD/mac68k specific problems:
	The grf console driver allows access from 0 to the base address of
	video memory.  This driver must be associated with the system
	console and is normally only exploitable to the user logged in on
	the console.  The Apple Sound Chip (asc) driver which provides
	access to Apple Sound and console bell support may allow access to
	page 0 to anyone.  Both of these drivers may also cause
	unpredictable system activity.

	Devices: /dev/grf* & /dev/asc*

NetBSD/macppc (not available in NetBSD 1.3.2) specific problems:
	The nvram d_mmap routine incorrectly returns EOPNOTSUPP instead
	of -1 to indicate error, possibly causing the system to panic.
	This is exploitable by anyone.
	The ofb driver allows console users access to any memory location.

	Devices: /dev/nvram and no default device for ofb.

NetBSD/sparc specific problems:
	The cgeight and cgfour console drivers allow access from 0 to
	the base address of video memory (0x500000), or may cause
	unpredictable system activity.  These drivers must be associated
	with the system console and are normally only exploitable to the
	user logged in on the console.

	Devices: /dev/fb, /dev/cgfour* & /dev/cgeight*

NetBSD/vax specific problems:
	The smg console driver may allow the console user access to memory
	from 0 to 128KB and may cause the unpredictable system activity.
	Note that this not a problem in NetBSD/vax 1.3.2.

	Device: /dev/vt*

PCI device specific problems:
	The tga console driver allow access from 0 to the base address of
	video memory.  This drivers must be associated with the system
	console and is normally only exploitable to the user logged in on
	the console.

	Device: /dev/ttyE?

Turbo Channel (pmax & alpha) device specific problems:
	The cfb, sfb, mfb and xcfb console drivers allow access from 0
	to the base address of video memory, or may cause unpredictable
	system activity.  These drivers must be associated with the system
	console and are normally only exploitable to the user logged in on
	the console.  Note that these devices are only available in the
	TurboChannel Alpha models.

	Device: /dev/fb? (pmax) & /dev/ttyE? (alpha)


Thanks To
- - ---------

Many thanks to Chris G. Demetriou <cgd@NetBSD.ORG> and Ted Lemon
<mellon@NetBSD.ORG> for finding the original problem.  Chris also
provided an initial investigation & analysis of the problem.
Matthew Green <mrg@eterna.com.au> found, analysed and fixed the
system as a whole.  Tsubai Masanari <tsubai@NetBSD.ORG> provided
technical input for the NetBSD/macppc port and Kazuki Sakamoto
<sakamoto@NetBSD.ORG> provided technical input for the NetBSD/bebox
port.


More Information
- - ----------------

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1998, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA1998-005.txt,v 1.3 1998/11/20 04:06:27 mrg Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNlTp7D5Ru2/4N2IFAQGVrAQApqIKBLZ+7xHpz7k1ZM5pD/WH66B5a1EI
B6Oj8u8De14GApHSwzv69Trh8b5NfztiIXbTn1JKHPrTNDuWsHP/Vox6HZkJ6G/F
Gf7Wb524zyeLZAARJB/z5G9NnsxESsckgldH+WHvcNrg/Osrt74EKaxr2tBh9+OT
9Hl6B2KWP2I=
=7Yke
- -----END PGP SIGNATURE-----

- ----------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNmVgjyh9+71yA2DNAQEEWwP/cza32mEee9MCc4wXpjh4owNqHVxGfbNy
3r/6GWA0y5E+S2XqLJvtplfFnp/Hr5ELg9qQxo780AnW1LYL3O/FLxg8SnXsqAiF
qqoBPCZhtyLAe8IcZz4yKKjtmxpV2JzLjS1FeNYX3fspGXCLSDhuqL2joqCjo1Qn
kZrKwIsvb2g=
=LXXp
-----END PGP SIGNATURE-----