Operating System:

[NetBSD]

Published:

06 July 2012

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2012.0554.2 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2012.0554.2
        Intel processors sysret to non-canonical address behaviour
                                6 July 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0217  

Reference:         ESB-2012.0546
                   ESB-2012.0542
                   ESB-2012.0541
                   ESB-2012.0538

Original Bulletin: 
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc

Revision History:  July  6 2012: Updated severity after an exploit could be produced
                   June 15 2012: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2012-003
		=================================

Topic:		Intel processors sysret to non-canonical address behaviour


Version:	NetBSD-current:		source prior to June 11, 2012
		NetBSD 6.0 Beta:	affected
		NetBSD 5.1.*:		affected
		NetBSD 5.1:		affected
		NetBSD 5.0.*:		affected
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		affected
		NetBSD 4.0:		affected

Severity:	local DoS, local user privilege escalation

Fixed:		NetBSD-current:		June 12th, 2012
		NetBSD-6 branch:	June 12th, 2012
		NetBSD-5 branch:	June 12th, 2012
		NetBSD-5-1 branch:	June 12th, 2012
		NetBSD-5-0 branch:	June 12th, 2012
		NetBSD-4 branch:	June 12th, 2012
		NetBSD-4-0 branch:	June 12th, 2012

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

On Intel CPUs, the sysret instruction can be manipulated into returning 
to specific non-canonical addresses, which may yield a CPU reset.
It has been shown by the VUPEN team that this vulnerability can also be
used to execute code with kernel privilege instead of crashing the system.

This vulnerability has been assigned CVE-2012-0217.


Technical Details
=================

This is a vulnerability following from a difference of behaviour of
sysret in Intel's version of the amd64 architecture, em64t.

System calls may be implemented as using the em64t syscall/sysret
instruction pair.

syscall saves the context of the calling unprivileged process before
executing a system call in kernel mode; sysret restores it and resumes
ordinary operations in user mode.

In the Intel implementation of sysret, if you have invalid information
about the "next instruction" address in your saved context, the sysret
instruction will trigger a trap in kernel space. However the sysret
instruction is executed with the user stack pointer already loaded,
so the kernel fault frame is written to the user stack.
The kernel is unable to safely recover from this, so must ensure
that the trap doesn't happen.

If your invalid "next instruction" address is in kernel space or
in user space (and in the latter case, not where your program is)
the program will segfault or execute attacker controlled code.
If it is in the gap between user space and kernel space, the CPU
will reset, except if someone managed to seed the address location
with a valid instruction.


Solutions and Workarounds
=========================

The fix in the following versions will disallow sysret to
an invalid address.

src/sys/arch/amd64/amd64/machdep.c
HEAD		1.184
netbsd-6	1.175.2.6
netbsd-5	1.102.4.14
netbsd-5-1	1.102.4.13.2.1
netbsd-5-0	1.102.4.10.2.2
netbsd-4	1.44.2.7
netbsd-4-0	1.44.2.3.6.1

src/sys/arch/amd64/amd64/netbsd32_machdep.c
HEAD		1.77
netbsd-6	1.74.10.2
netbsd-5	1.55.4.4
netbsd-5-1	1.55.4.3.2.1
netbsd-5-0	1.55.6.3
netbsd-4	1.30.2.4
netbsd-4-0	1.30.2.1.6.1


Thanks To
=========

Thanks to Manuel Bouyer for providing the fix, and David Laight for
help with writing the advisory. Also, thanks to Rafal Wojtczuk for
bringing the issue to our attention.

Additional thanks to the VUPEN team for showing how to exploit this
vulnerability to execute code under NetBSD and to Sofian Brabez for
pointing it out.


Revision History
================

	2012-06-14	Initial release
	2012-07-06	Updated severity after an exploit could be produced


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2012, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJP9jJeAAoJEAZJc6xMSnBuPPAP/3bH6d1rpBi35FyN+apev4G2
j+eEtFIaSEHk2dpGXE5shsT04E8++YkYZxx2FYW6Ic5WRZj4msIpAKcyqYUnwex3
Z0F2eZql8YkULoHmqTgLHRvC5ukgDExAeBxnJJyqLuMTadEaZpR81kVEHo3gj77b
g/b1f04yk98AkJcb0uLE5WE22x8DGL5mdjwE+QqHoi8oQjOYEM3rJzlmZfP/I8Wt
Dl9THtJ2VixNTMgSYMxJXVjpNUaYDRHGsNK0mCX3gkmQrLC31CKqd760V28V8a8L
4m1IydbDRbnkSUPWk9fMVPW7zhN5Ayss8BL385wgZbjJxJ5cVg7HnFnwSYzKEAfr
kt2tuxVBusPF30H+dpHk1I2vCuXuqL+rUI1+E7MLdRZBPN5Ie1edEw2GQMQbTlIF
DFa6bF5GDq7RQ+xprYeVp6vOyp3fDRj8jpO8vDrkcXAVeMzuIhcmWO91OvU3nWjn
YQrK8gqszLIt5hWS63uUM49Fhz4tUY7QGJgMhPfMmQDWSyxpcs9N5jJDEwnQ9vET
Zk4KediM8FUh+KvIYv9t1yREzX+EMOyv7G5jgtcQYqKXjuaAw78PJH7amZKlljfc
P6VlQQJpEBya2qzrNNRYYK5q9nBy6xf3fNKvJ467tHX0Bl8YFLCj8sCHAdObkz9f
lFcsTnrBhj1/S7UvliOz
=6elS
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT/ZPSe4yVqjM2NGpAQJunA//ReYIh7ttsyuU/Mo/YaFGjzCOjR7xbJGX
D4m35/vgqH+BqmEz+4MTBqzOZGdLVo0lw+sC6FOhnFy3iqHsheJe25Vc0J84KC5L
RgtoSjRIb10HI8DFwBcC8wuaz+TMrJ4hCLCpy2BwthgsU6sS4KjAaDx5nucpI+Jt
d9pYsgap3/0NiQQzel9+ni4GSvqH+0WvHqxoBeqR3MZ2YAOE329nYDk4EaArIPP3
EPW6KBl+09Yx0ThpgO8u3nv5RxWfdvg9+AinoirduRC885XrXc2VxGfUjveJa02e
4EVYdAebxkKlHDEaF7YDX0T+cHWykxtW9a+r/QXQN4r/1/s+6DbK0/gBhy5BDW0B
o5uTdEKpLWEtmVoAzqquicsy5sKpNFKjpLSX0fBR+66EIBxwO16uvx6SqMybxENh
CjtonkGOJzfzpaJkZWU9nJpqP4Z6hIOi85YM4wHX4YldP8DCIKGtjB+gUkXCrwuL
KtVCw42HxTBIR2AYJeAvhLVVHpQHzQiw9lEvpS/bTaGuj7Jvm6rmsC4p/WnId3Tr
5bADH0AJ7mthhGo4oH9gYtfEbmwtryjU0ZTK5VGQHOX2fRsWis6uUZ/a6PEH39AF
rNHpwFOeIItUKacDknw1q3b3E9TJShGZf3G5BFs14LXjX8Ne50+uKlDfI0WafZzw
RJAHt+V3ee8=
=v9W8
-----END PGP SIGNATURE-----