===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2001.311 -- NetBSD Security Advisory 2000-011
Insufficient msg_controllen checking for sendmsg(2)
25 July 2001
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:            kernel
Vendor:             NetBSD
Operating System:   NetBSD
Impact:             Denial of Service
Access Required:    Existing Account

--------------------------BEGIN INCLUDED TEXT--------------------

NetBSD Security Advisory 2000-011
=================================

Topic:     Insufficient msg_controllen checking for sendmsg(2)
Version:   All releases of NetBSD from 1.3 to 1.5, and -current
Severity:  Any local user can panic the system
Fixed:     NetBSD-current:    July 1, 2001
           NetBSD-1.5 branch: July 2, 2001 (1.5.1 includes the fix)
           NetBSD-1.4 branch: July 19, 2001

Abstract
========

Due to insufficient length checking in the kernel, sendmsg(2) can be used by a local user to cause a kernel trap, or an 'out of space in kmem_map' panic.

As of the release date of this advisory, NetBSD releases from 1.3 up to any later release are vulnerable.

Technical Details
=================

sendmsg(2) can be used to send data through a socket, optionally specifying a destination address and control information. sendmsg(2) accepts a pointer to struct msghdr, which holds further information for the call. The pointer to the control information is passed via msg_control; msg_controllen holds the length of the control information. This is used to read the control information into kernel space and put it in an mbuf for further processing. However, the kernel attempts to allocate mbuf storage as specified in msg_controllen without further checks.
This behaviour can be abused to cause a kernel page fault trap if the value is higher than INT_MAX, or to cause an 'out of space in kmem_map' panic for lower values. The exact size needed to cause the latter is port dependent, though INT_MAX is commonly enough to trigger the panic.

Solutions and Workarounds
=========================

All NetBSD official releases from 1.3 are vulnerable. Kernel sources must be updated and a new kernel built and installed.

The instructions for updating your kernel sources depend upon which particular NetBSD release you are running.

* NetBSD-current:

  Systems running NetBSD-current dated from before 2001-07-01 should be upgraded to NetBSD-current dated 2001-07-01 or later.

  The following source directories need to be updated from the netbsd-current CVS branch (aka HEAD):

        src/sys/kern

  Alternatively, apply the following patch (with potential offset differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-current.patch

* NetBSD 1.5:

  Systems running NetBSD 1.5 dated from before 2001-07-02 should be upgraded from NetBSD 1.5 sources dated 2001-07-02 or later.

  The following source directory needs to be updated from the netbsd-1-5 CVS branch:

        src/sys/kern

  Alternatively, apply the following patch (with potential offset differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch

  NetBSD 1.5.1 is not vulnerable.

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

  Systems running NetBSD 1.4 dated from before 2001-07-19 should be upgraded from NetBSD 1.4 sources dated 2001-07-19 or later.
  The following source directory needs to be updated from the netbsd-1-4 CVS branch:

        src/sys/kern

  Alternatively, apply the following patch (with potential offset differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch

* NetBSD 1.3, 1.3.1, 1.3.2, 1.3.3:

  Apply the following patch (with potential offset differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch

Once the kernel sources have been updated, rebuild the kernel, install it, and reboot. For more information on how to do this, see:

        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

Thanks To
=========

Jaromir Dolecek <jdolecek@NetBSD.org> for finding the problem, and supplying a test program showing the problem.

Matt Thomas <matt@NetBSD.org> for a fix.

Revision History
================

2001-07-20      Initial revision

More Information
================

An up-to-date PGP signed copy of this release will be maintained at

        ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-011.txt.asc

Information about NetBSD and NetBSD security can be found at

        http://www.NetBSD.ORG/
        http://www.NetBSD.ORG/Security/

Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-011.txt,v 1.7 2001/07/20 01:16:54 lukem Exp $

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for emergencies.
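The length check the Technical Details section describes as missing, modelled in user space as an added example (this is not the NetBSD patch; the 4096-byte cap, the helper names and the sample buffer are assumptions): check_controllen rejects a msg_controllen before any mbuf storage would be reserved, and check_cmsg_chain goes one step further than the advisory and validates the cmsghdr chain inside the buffer.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

#define CTL_ALIGN(n) (((n) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))
#define CTL_MAX_BYTES 4096U   /* assumed cap: one page of ancillary data */

/* Hardened length check: 0 if len may be copied into an mbuf, else EINVAL.
 * The vulnerable path passed len straight to the allocator; a value above
 * INT_MAX wraps when held in an int (trap), a large one drains kmem_map. */
int check_controllen(size_t len)
{
    if (len > INT_MAX || len > CTL_MAX_BYTES)
        return EINVAL;
    if (len != 0 && len < sizeof(struct cmsghdr))   /* cannot hold a header */
        return EINVAL;
    return 0;
}

/* Walk the cmsghdr chain in buf[0..len) and confirm each header's claimed
 * cmsg_len stays inside the buffer. Returns the header count, or -1. */
int check_cmsg_chain(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    if (check_controllen(len) != 0)
        return -1;
    while (off + sizeof(struct cmsghdr) <= len) {
        struct cmsghdr h;
        memcpy(&h, buf + off, sizeof h);            /* buf may be unaligned */
        if (h.cmsg_len < sizeof h || h.cmsg_len > len - off)
            return -1;                              /* header overruns buffer */
        off += CTL_ALIGN(h.cmsg_len);
        count++;
    }
    return count;
}

/* Constructed sample: one SCM_RIGHTS header with a 4-byte payload; cmsg_len
 * is set to claimed_len so that an inconsistent value can be exercised. */
int demo_chain(size_t claimed_len)
{
    unsigned char buf[64] = {0};
    struct cmsghdr h = { .cmsg_len = claimed_len,
                         .cmsg_level = SOL_SOCKET, .cmsg_type = SCM_RIGHTS };
    memcpy(buf, &h, sizeof h);
    return check_cmsg_chain(buf, CTL_ALIGN(sizeof h + 4));
}
```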