Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

                     NetBSD Security Advisory 2019-001
                              8 February 2019


        AusCERT Security Bulletin Summary

Product:           kernel
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

		NetBSD Security Advisory 2019-001

Topic:		Several kernel memory disclosure bugs

Version:	NetBSD-current:		source prior to Thu, Jan 31st 2019
		NetBSD 8.0:		affected
		NetBSD 7.2:		affected
		NetBSD 7.1:		affected
		NetBSD 7.0:		affected

Severity:	Kernel memory disclosure

Fixed:		NetBSD-current:		Thu, Jan 31st 2019
		NetBSD-8 branch:	Fri, Feb 1st 2019
		NetBSD-7-1 branch:	Fri, Feb 1st 2019
		NetBSD-7-0 branch:	Fri, Feb 1st 2019

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 7.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract & Technical Details

Several kernel memory disclosure bugs were discovered:

  1) Four bytes of kernel stack were leaked in the ntp_gettime system

  2) Eight bytes of kernel stack were leaked when executing execve.

  3) Many bytes of kernel stack were leaked when processing signals on
     several architectures.

  4) Four bytes of kernel stack were leaked in several system calls
     related to time.

  5) An inverted logic in netbsd32 caused some kernel memory bytes to
     wrongfully be copied to userland.

  6) A missing sanity check in a sysctl caused a severe kernel memory

  7) Four bytes of kernel stack were leaked in the kevent system call.

  8) Eight bytes of kernel stack were leaked in the gettimer system call.

  9) Two bytes of kernel heap were leaked in the net.rtable sysctl.

 10) Many bytes of kernel stack were leaked in the swapctl system call.

 11) Sixteen bytes of kernel heap were leaked in the settime system call.

 12) Four bytes of kernel heap were leaked in the sigaction_sigtramp
     system call.

 13) Many bytes of kernel stack were leaked in the ptrace system call.

 14) Four bytes of kernel stack were leaked in the wait6 system call.

 15) Four bytes of kernel stack were leaked in the sigtimedwait system

 16) Many bytes of kernel stack were leaked in the msgctl system call
     implemented in the compatibility layers.

Solutions and Workarounds

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your

The patches can be obtained from NetBSD-current with the following

 -----   -------
 1)      cvs rdiff -u -r1.59  -r1.60  src/sys/kern/kern_ntptime.c
 2)      cvs rdiff -u -r1.461 -r1.462 src/sys/kern/kern_exec.c
 3)      cvs rdiff -u -r1.320 -r1.321 src/sys/arch/amd64/amd64/machdep.c
 3)      cvs rdiff -u -r1.2   -r1.3   src/sys/arch/aarch64/aarch64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.351 -r1.352 src/sys/arch/alpha/alpha/machdep.c
 3)      cvs rdiff -u -r1.116 -r1.117 src/sys/arch/amd64/amd64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.50  -r1.51  src/sys/arch/arm/arm/sig_machdep.c
 3)      cvs rdiff -u -r1.25  -r1.26  src/sys/arch/hppa/hppa/sig_machdep.c
 3)      cvs rdiff -u -r1.812 -r1.813 src/sys/arch/i386/i386/machdep.c
 3)      cvs rdiff -u -r1.49  -r1.50  src/sys/arch/m68k/m68k/sig_machdep.c
 3)      cvs rdiff -u -r1.15  -r1.16  src/sys/arch/mips/mips/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.23  -r1.24  src/sys/arch/mips/mips/sig_machdep.c
 3)      cvs rdiff -u -r1.45  -r1.46  src/sys/arch/powerpc/powerpc/sig_machdep.c
 3)      cvs rdiff -u -r1.1   -r1.2   src/sys/arch/riscv/riscv/sig_machdep.c
 3)      cvs rdiff -u -r1.105 -r1.106 src/sys/arch/sh3/sh3/sh3_machdep.c
 3)      cvs rdiff -u -r1.288 -r1.289 src/sys/arch/sparc64/sparc64/machdep.c
 3)      cvs rdiff -u -r1.110 -r1.111 src/sys/arch/sparc64/sparc64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.7   -r1.8   src/sys/arch/usermode/target/i386/cpu_i386.c
 3)      cvs rdiff -u -r1.6   -r1.7   src/sys/arch/usermode/target/x86_64/cpu_x86_64.c
 3)      cvs rdiff -u -r1.22  -r1.23  src/sys/arch/vax/vax/sig_machdep.c
 4)      cvs rdiff -u -r1.189 -r1.190 src/sys/kern/kern_time.c
 4)      cvs rdiff -u -r1.193 -r1.194 src/sys/kern/kern_time.c
 5)      cvs rdiff -u -r1.47  -r1.48  src/sys/compat/netbsd32/netbsd32_socket.c
 6)      cvs rdiff -u -r1.218 -r1.219 src/sys/kern/kern_proc.c
 7)      cvs rdiff -u -r1.103 -r1.104 src/sys/kern/kern_event.c
 8)      cvs rdiff -u -r1.190 -r1.191 src/sys/kern/kern_time.c
 9)      cvs rdiff -u -r1.243 -r1.244 src/sys/net/rtsock.c
 10)     cvs rdiff -u -r1.177 -r1.178 src/sys/uvm/uvm_swap.c
 11)     cvs rdiff -u -r1.191 -r1.192 src/sys/kern/kern_time.c
 11)     cvs rdiff -u -r1.109 -r1.110 src/sys/compat/linux/common/linux_misc_notalpha.c
 11)     cvs rdiff -u -r1.192 -r1.193 src/sys/kern/kern_time.c
 12)     cvs rdiff -u -r1.349 -r1.350 src/sys/kern/kern_sig.c
 13)     cvs rdiff -u -r1.45  -r1.46  src/sys/kern/sys_ptrace_common.c
 14)     cvs rdiff -u -r1.272 -r1.273 src/sys/kern/kern_exit.c
 15)     cvs rdiff -u -r1.46  -r1.47  src/sys/kern/sys_sig.c
 16)     cvs rdiff -u -r1.26  -r1.27  src/sys/compat/netbsd32/netbsd32_compat_14.c
 16)     cvs rdiff -u -r1.36  -r1.37  src/sys/compat/netbsd32/netbsd32_conv.h
 16)     cvs rdiff -u -r1.4   -r1.5   src/sys/compat/sys/msg.h

These patches were applied to the affected branches.

Thanks To

Thomas Barabosch (of Fraunhofer FKIE) for discovering issue 1).

Maxime Villard for developing KASAN which discovered issues 5) and 6).

Thomas Barabosch and Maxime Villard for designing KLEAK, a feature that
discovered issues 2), 3), 4), 7), 8), 9), 10), 11), 12), 13), 14), 15), 16).

Revision History

	2019-02-06	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967