Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.0406 NetBSD Security Advisory 2019-001 8 February 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: kernel Publisher: NetBSD Operating System: NetBSD Impact/Access: Access Privileged Data -- Existing Account Resolution: Patch/Upgrade Original Bulletin: http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-001.txt.asc - --------------------------BEGIN INCLUDED TEXT-------------------- NetBSD Security Advisory 2019-001 ================================= Topic: Several kernel memory disclosure bugs Version: NetBSD-current: source prior to Thu, Jan 31st 2019 NetBSD 8.0: affected NetBSD 7.2: affected NetBSD 7.1: affected NetBSD 7.0: affected Severity: Kernel memory disclosure Fixed: NetBSD-current: Thu, Jan 31st 2019 NetBSD-8 branch: Fri, Feb 1st 2019 NetBSD-7-1 branch: Fri, Feb 1st 2019 NetBSD-7-0 branch: Fri, Feb 1st 2019 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 7.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract & Technical Details ============================ Several kernel memory disclosure bugs were discovered: 1) Four bytes of kernel stack were leaked in the ntp_gettime system call. 2) Eight bytes of kernel stack were leaked when executing execve. 3) Many bytes of kernel stack were leaked when processing signals on several architectures. 4) Four bytes of kernel stack were leaked in several system calls related to time. 5) An inverted logic in netbsd32 caused some kernel memory bytes to wrongfully be copied to userland. 6) A missing sanity check in a sysctl caused a severe kernel memory disclosure. 7) Four bytes of kernel stack were leaked in the kevent system call. 8) Eight bytes of kernel stack were leaked in the gettimer system call. 9) Two bytes of kernel heap were leaked in the net.rtable sysctl. 10) Many bytes of kernel stack were leaked in the swapctl system call. 11) Sixteen bytes of kernel heap were leaked in the settime system call. 12) Four bytes of kernel heap were leaked in the sigaction_sigtramp system call. 13) Many bytes of kernel stack were leaked in the ptrace system call. 14) Four bytes of kernel stack were leaked in the wait6 system call. 15) Four bytes of kernel stack were leaked in the sigtimedwait system call. 16) Many bytes of kernel stack were leaked in the msgctl system call implemented in the compatibility layers. Solutions and Workarounds ========================= For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarize how to upgrade your kernel. The patches can be obtained from NetBSD-current with the following commands: ISSUE COMMAND ----- ------- 1) cvs rdiff -u -r1.59 -r1.60 src/sys/kern/kern_ntptime.c 2) cvs rdiff -u -r1.461 -r1.462 src/sys/kern/kern_exec.c 3) cvs rdiff -u -r1.320 -r1.321 src/sys/arch/amd64/amd64/machdep.c 3) cvs rdiff -u -r1.2 -r1.3 src/sys/arch/aarch64/aarch64/netbsd32_machdep.c 3) cvs rdiff -u -r1.351 -r1.352 src/sys/arch/alpha/alpha/machdep.c 3) cvs rdiff -u -r1.116 -r1.117 src/sys/arch/amd64/amd64/netbsd32_machdep.c 3) cvs rdiff -u -r1.50 -r1.51 src/sys/arch/arm/arm/sig_machdep.c 3) cvs rdiff -u -r1.25 -r1.26 src/sys/arch/hppa/hppa/sig_machdep.c 3) cvs rdiff -u -r1.812 -r1.813 src/sys/arch/i386/i386/machdep.c 3) cvs rdiff -u -r1.49 -r1.50 src/sys/arch/m68k/m68k/sig_machdep.c 3) cvs rdiff -u -r1.15 -r1.16 src/sys/arch/mips/mips/netbsd32_machdep.c 3) cvs rdiff -u -r1.23 -r1.24 src/sys/arch/mips/mips/sig_machdep.c 3) cvs rdiff -u -r1.45 -r1.46 src/sys/arch/powerpc/powerpc/sig_machdep.c 3) cvs rdiff -u -r1.1 -r1.2 src/sys/arch/riscv/riscv/sig_machdep.c 3) cvs rdiff -u -r1.105 -r1.106 src/sys/arch/sh3/sh3/sh3_machdep.c 3) cvs rdiff -u -r1.288 -r1.289 src/sys/arch/sparc64/sparc64/machdep.c 3) cvs rdiff -u -r1.110 -r1.111 src/sys/arch/sparc64/sparc64/netbsd32_machdep.c 3) cvs rdiff -u -r1.7 -r1.8 src/sys/arch/usermode/target/i386/cpu_i386.c 3) cvs rdiff -u -r1.6 -r1.7 src/sys/arch/usermode/target/x86_64/cpu_x86_64.c 3) cvs rdiff -u -r1.22 -r1.23 src/sys/arch/vax/vax/sig_machdep.c 4) cvs rdiff -u -r1.189 -r1.190 src/sys/kern/kern_time.c 4) cvs rdiff -u -r1.193 -r1.194 src/sys/kern/kern_time.c 5) cvs rdiff -u -r1.47 -r1.48 src/sys/compat/netbsd32/netbsd32_socket.c 6) cvs rdiff -u -r1.218 -r1.219 src/sys/kern/kern_proc.c 7) cvs rdiff -u -r1.103 -r1.104 src/sys/kern/kern_event.c 8) cvs rdiff -u -r1.190 -r1.191 src/sys/kern/kern_time.c 9) cvs rdiff -u -r1.243 -r1.244 src/sys/net/rtsock.c 10) cvs rdiff -u -r1.177 -r1.178 src/sys/uvm/uvm_swap.c 11) cvs rdiff -u -r1.191 -r1.192 src/sys/kern/kern_time.c 11) cvs rdiff -u -r1.109 -r1.110 src/sys/compat/linux/common/linux_misc_notalpha.c 11) cvs rdiff -u -r1.192 -r1.193 src/sys/kern/kern_time.c 12) cvs rdiff -u -r1.349 -r1.350 src/sys/kern/kern_sig.c 13) cvs rdiff -u -r1.45 -r1.46 src/sys/kern/sys_ptrace_common.c 14) cvs rdiff -u -r1.272 -r1.273 src/sys/kern/kern_exit.c 15) cvs rdiff -u -r1.46 -r1.47 src/sys/kern/sys_sig.c 16) cvs rdiff -u -r1.26 -r1.27 src/sys/compat/netbsd32/netbsd32_compat_14.c 16) cvs rdiff -u -r1.36 -r1.37 src/sys/compat/netbsd32/netbsd32_conv.h 16) cvs rdiff -u -r1.4 -r1.5 src/sys/compat/sys/msg.h These patches were applied to the affected branches. Thanks To ========= Thomas Barabosch (of Fraunhofer FKIE) for discovering issue 1). Maxime Villard for developing KASAN which discovered issues 5) and 6). Thomas Barabosch and Maxime Villard for designing KLEAK, a feature that discovered issues 2), 3), 4), 7), 8), 9), 10), 11), 12), 13), 14), 15), 16). Revision History ================ 2019-02-06 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-001.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2019, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXF0OVGaOgq3Tt24GAQiidBAAgzAv057gxp/675N7TAWDRdDeOuUdd2mJ AEtEzaB4zcEoWHeB5CUgnrRgXMFUw0lpW8FAoQvlJPakBWu1r8o3s1gx84c+TxcB tefTeqZtoZIGko6bmjjYuEXIKjWTsg/G5CZ+B49ndMtEz8VPjAXt6rdXOBTq7S4C 9ixRXXLE+m1ZVad6ms7FbP6qBiziKOqElEwoT3WhBEKYNNu8f7eqlNxR5hlJRwoJ vHJXqhu6LWtKwkJ8CxnMMaGEIj/zZymPW+0En8bmDvAe3XyNUSBgfnwEOyxDgD78 Sxi0aBxNEJ/htbjpiyX00gsfwc94SEAUTgy2x9PMPwrpW0Wn57gxhKZtNl308kGD w27zbmSlIkfRVvU7bsG+IMstLvqNAxmlztS6zPqEQEfEWwU2ZKyda2K+xva8aVhG tilXqnhId55YXWCmSswVZC7pkLiiz3Bb4jdidClDgwp+nOV3r538FqK28Xwv39KN qK1hNZmzwnd2ypZZ9CjIm6M5QvjIW6dXJNCnq+2unjuyUTyeyirj/k1afd0pMO6u ZBdirwdAqKanItjpdxTmUQwjbwrnPahYXu+pkOFAJDZFyAYhAVM+rWIpjIt0+KDX 8azEn8Ko7sHuGPpJxtyIUZOiQBQi7z9ZbQTpUvg9dfTQRyaPLnO3g30c47MG2uKk HrmewRnlP0c= =1r0S -----END PGP SIGNATURE-----