Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2287
Vnode reference leak in the openat system call and buffer
overflow via cmap for 4 graphics drivers
11 September 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kernel
Publisher: NetBSD
Operating System: NetBSD
Impact/Access: Root Compromise -- Existing Account
Modify Arbitrary Files -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
Original Bulletin:
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-006.txt.asc
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc
Comment: This bulletin contains two (2) NetBSD security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2017-006
=================================
Topic: Vnode reference leak in the openat system call
Version: NetBSD-current: source prior to Sun, July 9th 2017
NetBSD 8.0 beta: affected
NetBSD 7.1: affected
NetBSD 7.0 - 7.0.2: affected
NetBSD 6.1 - 6.1.4: not affected
NetBSD 6.0 - 6.0.5: not affected
Severity: Local privilege escalation
Fixed: NetBSD-current: Sun, July 9th 2017
NetBSD-8 branch: Mon, July 10th 2017
NetBSD-7-1 branch: Mon, July 10th 2017
NetBSD-7-0 branch: Mon, July 10th 2017
NetBSD-7 branch: Mon, July 10th 2017
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
An easily exercisable error path in the kernel leaves behind an
unreclaimed reference to a vnode. This prevents unmounting the
affected volume, allowing local denial of service. It is likely that
tickling the weakness repeatedly can be used to corrupt the kernel
heap and thus gain kernel-level privileges, even with securelevel
enabled.
Technical Details
=================
When calling the openat system call using a file descriptor that does
not name a directory as the starting point for path lookup, a
reference to the underlying vnode is taken temporarily and then not
released when the error is discovered. Performing such a call often
enough results in overflowing the internal reference count and
corrupting the kernel heap.
Solutions and Workarounds
=========================
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-8 netbsd-7 netbsd-7-1 netbsd-7-0
---- ---- -------- -------- ---------- ----------
sys/kern/vfs_lookup.c
1.208 1.207.2.1 1.201.4.1 1.201.12.1 1.201.8.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/kern/vfs_lookup.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
http://www.NetBSD.org/guide/en/chap-kernel.html
Thanks To
=========
Mateusz Guzik for noticing the issue, and David A. Holland for
deploying the fix.
Revision History
================
2017-09-08 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-00N.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2017, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
- -----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJZsqisAAoJEAZJc6xMSnBuu4AP/0ytQhuSMf1hjvg5Gdg9TT5N
4anruzy9VY6P4PqkPVjJTv7YYlOCTtP7Svg4+CbwIjRoNNyKycUhEmBzUWpmLQL1
UaKE44lJExbD1qIL4aU5LweD+RnGQbdo9LwMC31rK8dUSKCpkc6K7yt+TnA2SMw/
a2IlJtqkX5lk+HAQ3TF32STPz+oijtEJBFjTCzWw4uLpAbvvdephuzQRR4H3d324
3iD0pcLRblpOAZ7qeOG6iCcpemMxu33T2IphsNL1Sx2JyKmqObtyRoNU8O6V7ldP
L1VGIAU5cNW6+zCbvKLyTKLbze5eRuGx5x/fLbHnjlodGrdshxzIqEUVUGyD+hJJ
JP1pYo3Mj/BJwnjLhv8hNWyuX6VtnEgl0B5C2U7X2K5c05DZnRvSrSHrIiGjIEoV
p7LvbgLXtIEdzpOrx4kZ5DoHAVAjBm0gLrVwK1r8nSgOPmEzLpzaC3fCCL/x4cfZ
JfMJvA3QbQJOpNdOexDcr1eD7VUFpZE7mE6kI8UUCpF71446A3cGpMkftSt/i6vn
htDCqnmYJ10w2NtRc99VGIdgUZUM7d3as83HGKrHcTous0qKyutrB+WlEpGHIRY5
mq7gCoRqikbxBKhnYlADGJRXTk9FBw2ai08SIOsRW7SSlVNwtPq09xhT0X6NsKA0
IsQfy4QZa1g+ecssqDHg
=5ckQ
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2017-004
=================================
Topic: buffer overflow via cmap for 4 graphics drivers
Version: NetBSD-current: source prior to June 13th
NetBSD 8.0_BETA: affected
NetBSD 7.1: affected
NetBSD 7.0 - 7.0.2: affected
NetBSD 6.1 - 6.1.5: affected
NetBSD 6.0 - 6.0.6: affected
Severity: information leak and potential root compromise
for authenticated user on affected graphics console
Fixed: NetBSD-current: June 13th
NetBSD-8 branch: June 15th
NetBSD-7-1 branch: June 15th
NetBSD-7-0 branch: June 15th
NetBSD-7 branch: June 15th
NetBSD-6-0 branch: June 15th
NetBSD-6-1 branch: June 15th
NetBSD-6 branch: June 15th
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
An authenticated user on a wscons terminal with the following graphics
drivers:
sbd (ews4800mips)
bivideo (hpcsh)
sti (hppa and hp300)
pm (pmax)
could cause a buffer overflow when reading or writing the color map.
Technical Details
=================
Due to overflowable bounds checking when reading or writing the
color map using the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP
ioctls, the user that owns a /dev/ttyE* (i.e. is logged in on it)
could read kernel memory, or for all but bivideo, which doesn't have
a writable color map, write kernel memory.
Solutions and Workarounds
=========================
Solution: update the kernel with one built from source past the fix date.
There are no workarounds besides the obvious not allowing untrusted users
at the console.
Affected source files fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 1.16 1.15.10.1
sys/arch/pmax/ibus/pm.c 1.13 1.12.22.1
sys/dev/hpc/bivideo.c 1.34 1.33.30.1
sys/dev/ic/sti.c 1.19 1.18.20.1
++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 1.13.4.2 1.13.4.1.6.1 1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c 1.12.4.1 1.12.16.1 1.12.8.1
sys/dev/hpc/bivideo.c1 1.33.12.1 1.33.24.1 1.33.16.1
sys/dev/ic/sti.c 1.18.2.1 1.18.14.1 1.18.6.1
++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 1.12.2.1 1.12.16.1 1.12.8.1
sys/arch/pmax/ibus/pm.c 1.11.2.1 1.11.16.1 1.11.8.1
sys/dev/hpc/bivideo.c 1.32.14.1 1.32.22.1 1.32.20.1
sys/dev/ic/sti.c 1.16.8.2 1.16.22.1 1.16.14.1
Thanks To
=========
Thanks to CTurt for reporting this set of issues.
Revision History
================
2017-09-08 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2015, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2017-004.txt,v 1.1 2017/09/08 14:16:20 christos Exp $
- -----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJZsqZUAAoJEAZJc6xMSnBulOkP+QHLJsIE+54s6iAc9p45tnT7
mLVFvATsLyb4Vu4BJ82swC0AJqpHTjUBQgAmYR+C6xHzewyd95Uimgb5C6hnpXb9
f7EcZ/9AiQzVusEp4EfjyBJB5bze9W4tbZOfLNJ41kZyoUAlg2gQdd70Oz4lW5CQ
6ENcYqXgoUqsLA2MF8lcFhAbuTaBY9vzbQOAfviGtguTCmoEZ9ZcknAnNO0G+0Kk
RCnu/P333Z0X7m/vHMQ9YJQyHjSGQFii0Ssyl+FgKQw3Qdhs+SRGE7XhEDjDTBGU
dm25XrdDcRFrW0YlCnEInXqMHvrjtPAfwZ9glRElgXgcU3tld1Gynz6e3u1SmL2C
76G3ZlDabovJNLRs4GOcAofEsUN4KWBxemOUFPzuMx0vM6yv+r71+DdcFYVIRgrl
6KgoqvcTGL6n2MphLKy4+dBytuIue83RSqNNhdliTLmlRy/jUWOXGWXanOjaGv/E
bYKTeELHZ5uDzi4HZ6nO9qjazskUz3+CvbSmJmzDTa+FNYAbiuNHzW9jUD2wk8TE
GP2bEh0lF8Sw1FY8TRKPUldr5s/STbdAGjISC/128AuT6a2S+bq+zIidIOMa4FhP
etzb43qjA41t5FG01tTUW3SDmI6s1svyhzSYySFF6HsbJ2roF9zS8DFtk09pwa/k
WwGwp4kZJGaJPRNplTkB
=m2H9
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWbYAWox+lLeg9Ub1AQjsPA//aG50wzZ3wE0gxxOEddIBfc7QC/Rm/Ztk
H3yTuHgKGKwvw6wGuq1wQnxxlegO6HUM0GL8GhNsx9XH6qhpQXuOfog3q3qPY2PX
X8kcIygxcw6Kjk2zqj4EWsz+SXNBZyyHNpMUIVDsjcXW2IWZEUypcsMPetKJM64a
Sy5rHfII+8EFqkMmVFmeEaK2XkO/QiEjNGPR7LcPzbPEFajnrm78bk3a/w9l+vmX
jipgD1/jgSvgM/+4f8FA19N8rS70sabkCd+KsFHmjLBQelJl796EZfVMU2R9atHj
jWTMoa8ZmqjQXwBnhuHeILiaSkCb6opym9858k5l3VAlsltv6QLUS6ty77Crt+Eo
qNib/QsKQeDuF9mBlMoM0Z23k7LD1fMynunNppE4cp8U2bKQH8I0XCE0xN039BI8
xfB6uCSFcOxJagLY/RNXjGpH5rOh7CNrV9RpUBEiaFriIxIDwrqHLGtNNtjJKhSs
HHhN6cKl9EQU5LJX05VrtG6GtZt9zNmcS5N08yknmop15l5KKV9U7msJSBzL4NyL
ECAetdzyCRd7+5MZwu75jYL0fEqk9KJpSO6VXI/rlQCUynLECewH5z/7bsgF6Kkc
dp/xQ3Q2mjQFZu+sxf5vRngyKUvfkK6hptoeJNSr4+hdggKwGp+yFkOT8iZatabP
JbgssgxHR7U=
=i1Vh
-----END PGP SIGNATURE-----