Operating System:

[NetBSD]

Published:

24 July 2001

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2001.311 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

             ESB-2001.311 -- NetBSD Security Advisory 2000-011
            Insufficient msg_controllen checking for sendmsg(2)
                               25 July 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                kernel
Vendor:                 NetBSD
Operating System:       NetBSD
Impact:                 Denial of Service
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-011
                 =================================

Topic:		Insufficient msg_controllen checking for sendmsg(2)

Version:	All releases of NetBSD from 1.3 to 1.5, and -current

Severity:	Any local user can panic the system

Fixed:		NetBSD-current:		July 1, 2001
		NetBSD-1.5 branch:	July 2, 2001 (1.5.1 includes the fix)
		NetBSD-1.4 branch:	July 19, 2001

Abstract
========

Due to insufficient length checking in the kernel, sendmsg(2) can be
used by a local user to cause a kernel trap, or an 'out of space in
kmem_map' panic.

As of the release date of this advisory, NetBSD releases from 1.3
up to any later release, are vulnerable.

Technical Details
=================

sendmsg(2) can be used to send data through a socket, optionally
specifying destination address and control information.

sendmsg(2) accepts a pointer to struct msghdr, which holds further
information for the call. The pointer to control information is passed
via msg_control, msg_controllen helds the length of the control
information. This is used to read the control information into kernel
space and put it in an mbuf for further processing. However, the kernel
attempts to allocate mbuf storage as specified in msg_controllen without
further checks. This behaviour can be abused to cause a kernel page
fault trap if the value is higher than INT_MAX, or to cause an 'out of
space in kmem_map' panic for lower values. The exact size to cause the
latter is port dependant, though INT_MAX is commonly enough to trigger
the panic.

Solutions and Workarounds
=========================

All NetBSD official releases from 1.3 are vulnerable.

Kernel sources must be updated and a new kernel built and installed.
The instructions for updating your kernel sources depend upon which
particular NetBSD release you are running.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2001-07-01
	should be upgraded to NetBSD-current dated 2001-07-01 or later.

	The following source directories need to be updated from
	the netbsd-current CVS branch (aka HEAD):
		src/sys/kern

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-current.patch


* NetBSD 1.5:

	Systems running NetBSD 1.5 dated from before 2001-07-02 should be
	upgraded from NetBSD 1.5 sources dated 2001-07-02 or later.

	The following source directory needs to be updated from the
	netbsd-1-5 CVS branch:
		src/sys/kern

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch
		
	NetBSD 1.5.1 is not vulnerable.


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	Systems running NetBSD 1.4 dated from before 2001-07-19 should be
	upgraded from NetBSD 1.4 sources dated 2001-07-19 or later.

	The following source directory needs to be updated from the
	netbsd-1-4 CVS branch:
		src/sys/kern

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch


* NetBSD 1.3, 1.3.1, 1.3.2, 1.3.3:

	Apply the following patch (with potential offset differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch


Once the kernel sources have been updated, rebuild the kernel,
install it, and reboot.  For more information on how to do this,
see:

    http://www.netbsd.org/Documentation/kernel/#building_a_kernel



Thanks To
=========

Jaromir Dolecek <jdolecek@NetBSD.org> for finding the problem, and
supplying a test program showing the problem.

Matt Thomas <matt@NetBSD.org> for a fix.


Revision History
================

	2001-07-20	Initial revision


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-011.txt,v 1.7 2001/07/20 01:16:54 lukem Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO1eSET5Ru2/4N2IFAQEYBgQAt2u+8kPIWZIGvTzb1m0R6bqdJTnE4xpk
uxkGV8w4GmyhC+aUX4toAkdTgdI2cHejr0tOOVk7OHD3TZ5aKKuzG/ZVunpxPwJc
q0ivUxDxv63OhXr2EVkPE/l9vrXs2BRuX3CjSHPWRt1knGVM9sYihjKqIDZyLuQS
Ou2Pb8drDlY=
=89Oe
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO16mrSh9+71yA2DNAQEMNAP/V0XdjcTYm3UTbd4wOQBlV8imFUJwXp5+
D9N0H/1fazzYNmDM70k5/1rgz/nL2HhG/VZqBJBvqGEgo0xs3bnt0OTYhezkOGm2
t5B0iSLeMVgwTHGqhAxj9ced4EKcrFBNcixalJX3SK821bDKAU6LrmY884bl8Mcv
bMk9MKR/pzE=
=S4Pd
-----END PGP SIGNATURE-----