Operating System:

[NetBSD]

Published:

28 February 2013

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2013.0295 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0295
            kqueue related kernel panic triggered from userland
                             28 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2013-002.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2013-002
		 =================================

Topic:		kqueue related kernel panic triggered from userland

Version:	NetBSD-current:		affected prior to Nov 24th, 2012
		NetBSD 6.0:		affected
		NetBSD 6.0.1:		not affected
		NetBSD 5.1.*:		not affected
		NetBSD 5.0.*:		not affected
		NetBSD 5.0:		not affected

Severity:	Local system crash

Fixed:		NetBSD-current:		Nov 24th, 2012
		NetBSD-6-0 branch:	Nov 24th, 2012
		NetBSD-6 branch:	Nov 24th, 2012

Please note that NetBSD releases prior to 5.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A user can panic the machine by calling kevent(2) on an unsupported
file descriptor.


Technical Details
=================

A file descriptor that does not support kqueue(2) uses fnullop_kqfilter(9)
to indicate that this operation is not supported. Unfortunately
fnullop_kqfilter(9) returned 0 instead of an error, so the kernel
crashed in the next kevent(2) trying to call a null event handler.
fnullop_kqfilter(9) has been changed to return EOPNOTSUPP when the
file descriptor does not support kqueue.

Solutions and Workarounds
=========================

The following versions contain the fix:

src/sys/kern/kern_event.c
	HEAD		1.78
	netbsd-6	1.75.2.1
	netbsd-6-0	1.75.6.1
src/sys/kern/kern_descrip.c
	HEAD		1.219
	netbsd-6	1.218.2.1
	netbsd-6-0	1.218.8.1

For all affected NetBSD versions, you need to obtain fixed kernel
sources, rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel.  In these instructions, replace:

  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P src/sys/kern/kern_event.c
	# cvs update -d -P src/sys/kern/kern_descrip.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd 
	# shutdown -r now

For more information on how to do this, see:    

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Thanks to Christos Zoulas for fixing this problem.


Revision History
================

	2013-02-26	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2013, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2013-002.txt,v 1.1 2013/02/26 18:58:13 tonnerre Exp $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (NetBSD)

iQIcBAEBAgAGBQJRLRHwAAoJEAZJc6xMSnBukmUQAJ/JxHKIy3Mc05korW03dKzo
Zt/f3SaAHDXu00mEOjsbCbX92G0+eY9G5QetmpFPeu+GjdkKOoexD94Nck7JWVWU
0iIHlJnunnPcvXszqvQLUoOx4Iej0VvW6JynVhbHO9asCWyS6yqeuXka4IJoMrXb
A1hySfXqmvvOyrRpp8+6mrmv2sl0Vzne8X7sJUwBt35Z6EB7uLd3Pw6+uyRpPWkN
DPg7I/B1ey/MRof/CKfTlvnkSoiSzo/utrOiaqseBici6QxXxDOfmlo4Vd9GjCS4
GJ3C9ushHgW6+6VwrpkX/ku0WYRbpS9Sf/Uem0CMONZpwOxOQgpvviHaxobCTrCf
GxyZahkuWM3HTcg3Ht+y65wROC7ruHbBrFxS6iAYnjMJA8/PtvNAP1+N08cDbdB+
qXdXrKxY1dnEVqDa6YRCVb2+FccpXp7etTRfxVv3yyiZu9Dr1IlywpqLhpzshs9c
wFkgD3/sIy7WV05/DrWXi0GHXqkUkpWtRgzHH5zYFi3Buu4FuOYC/2U0YaoLM6KE
ddUr5zawlTzOdrXB2ztYHra0y26M7ntiyNyDF5Laj5yUzlBBxXR1y2XMhHH7o/v4
vUrkavrmTXj0Y8bj+LiqRfcnBUR2hKXcRKqekM/RKNJuJ/kkKwPl25f4jGXeY/ng
nDDi2DtzYyBucGqqSPwr
=7s47
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUS7FI+4yVqjM2NGpAQJg5w//dfQYy+YP+WgJ/RWZ1QCaJtb0nx+ECvfi
r6exT8q44tW52fyBUrymmah5yXpp1gRTnm0DFlQ0U6fR8Vu3oY/KyPKzHkuErXt5
prNaEU6dN0GxWLQzzu7j0wngteYqEdEL7wYFuIhuzL3g4ZnJoZWAfaLUN1tehSSn
ld6f7odUsj58JLLo3oek9fjDuq69AkNH0ExbG8H1A1i00IJq2wOSOXSjzbigZyiZ
vjuVsQqRupdvBETz9726lWPQUJnfumMg24MZ2v4VwZColxN+o+2oDxarPSFU3G7d
9plo0yPYamwce3QQmhtL4fgOq2oSC5g7Qfji/7dJ7L2uj5cj51ainUKNp64SoisA
/s+48Zh1phutGFn5AX8gOp3M77NVTqlzTPA5GlQl+zmKXFlmk3CRaKkZJqTko5tE
LGbTQjwjYPUIJWaoIocZYDkcqPR0QNcKWZhgKM/pR/5ndzGCQ3Fim3eDLmKECTAi
LSi7HKEghLjdOlKTcSAnknF4BhdOB2X6gUQcGWt4urgSI86ho/YxNf8C9kDItaKz
yyMZGI0mfL76XdWGbuCtZPN6AzLG2RF8j6uOWbR43Hl4ig0H1J1pi5BVK4jLc87S
FPyjdpfIOtQMgZOQevBwYyEV+tCwVPt68+gzjv6LWrPedTUj2K9jBt68sPlWQsiI
zlLWId8VX2U=
=EgRA
-----END PGP SIGNATURE-----