ESB-2010.0399 - [NetBSD] NetBSD: Execute arbitrary code/commands - Existing account

Date: 27 April 2010

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0399
                amd64 per-page No-execute (NX) bit disabled
                               27 April 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           NetBSD
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-004.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2010-004
		 =================================

Topic:		amd64 per-page No-execute (NX) bit disabled


Version:	NetBSD-current:		affected prior to April 19, 2010
		NetBSD 5.0.*:		affected
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		not affected


Severity:	Possible execution of arbitrary code without memory protection


Fixed:		NetBSD-current:		April 19, 2010
		NetBSD-5-0 branch:	April 22, 2010
		NetBSD-5 branch:	April 22, 2010

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.



Abstract
========

An issue in the x86 CPU features detection code disables the use of the
per-page NX bit under amd64, making it impossible to mark certain pages
of memory as not being executable.


Technical Details
=================

The NX bit in AMD's CPUID feature flags (equivalent to the XD bit for Intel)
indicates whether the processor supports the No-execute feature, i.e.
execute permission enforced on a per-page basis. This bit is returned by
the "extended feature flags" cpuid instruction, in %edx.

All amd64 code, especially pmap(9), checks for this feature through the
cpu_feature variable. It is set in src/sys/arch/amd64/amd64/locore.S:
  - first with the "feature flags" cpuid instruction (cpuid + %eax = 1),
  - then ORed with the "extended feature flags" cpuid (cpuid + %eax =
    0x8000_0001)

When entering init_x86_64(), the value is erased by the cpu_probe() call.
Summary:
  beginning of cpu_probe():
  - cpuid instruction (%eax == 1) flags get stored in
    cpu_info_primary->ci_feature_flags
  in x86_cpu_topology():
  - cpuid instruction (%eax == 0x8000_0001) flags get stored in
    cpu_info_primary->ci_feature3_flags
  end of cpu_probe():
  - cpu_feature_flags is then set to (or ANDed with)
    cpu_info_primary->ci_feature_flags, losing the CPUID_NOX bit in the
    process (which is only found in ci_feature3_flags)

Following this, the MSR bit enabling the NX feature (EFER_NXE) is never set.
As a consequence, NX support is deactivated, and no exception is raised
even when an instruction is fetched from a page marked as not executable.
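The following C model is an added illustration, not code from the advisory or
the NetBSD tree: it reproduces the merge described above (locore.S ORs the
basic and extended CPUID words into cpu_feature, cpu_probe() then sets or ANDs
it with the basic-leaf flags alone, and EFER.NXE is only written when
CPUID_NOX survives). The field and function names mirror the advisory; the bit
values, the sample CPU and the "fixed" merge are assumptions, not the NetBSD patch.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed architectural values: NX/XD is CPUID leaf 0x80000001 %edx bit 20
 * (NetBSD's CPUID_NOX); the kernel enables it by setting EFER.NXE (bit 11). */
#define CPUID_NOX 0x00100000u
#define CPUID_PAE 0x00000040u   /* leaf 1 %edx bit 6, a sample basic-leaf flag */
#define EFER_NXE  0x00000800u

/* Model of the two per-CPU fields named in the advisory (not the real struct). */
struct cpu_info {
    uint32_t ci_feature_flags;   /* cpuid %eax = 1, %edx */
    uint32_t ci_feature3_flags;  /* cpuid %eax = 0x8000_0001, %edx */
};

/* locore.S: basic flags, then ORed with the extended flags. */
uint32_t locore_cpu_feature(const struct cpu_info *ci) {
    return ci->ci_feature_flags | ci->ci_feature3_flags;
}

/* Affected end of cpu_probe(): cpu_feature is set to, or ANDed with, the
 * leaf-1 flags alone, so a bit present only in ci_feature3_flags is lost. */
uint32_t cpu_probe_affected(uint32_t cpu_feature, const struct cpu_info *ci) {
    return cpu_feature == 0 ? ci->ci_feature_flags
                            : (cpu_feature & ci->ci_feature_flags);
}

/* Assumed fixed merge: carry CPUID_NOX over from the extended leaf. */
uint32_t cpu_probe_fixed(uint32_t cpu_feature, const struct cpu_info *ci) {
    return cpu_probe_affected(cpu_feature, ci) |
           (ci->ci_feature3_flags & CPUID_NOX);
}

/* pmap(9)-style decision: EFER.NXE is written only if cpu_feature has NOX. */
uint32_t efer_for(uint32_t cpu_feature) {
    return (cpu_feature & CPUID_NOX) ? EFER_NXE : 0;
}

/* 1 if NX ends up enforced after boot on a constructed NX-capable CPU. */
int nx_enabled_after_boot(int affected) {
    struct cpu_info ci = { CPUID_PAE, CPUID_NOX };   /* constructed sample */
    uint32_t f = locore_cpu_feature(&ci);
    f = affected ? cpu_probe_affected(f, &ci) : cpu_probe_fixed(f, &ci);
    return (efer_for(f) & EFER_NXE) != 0;
}

int main(void) {
    printf("affected kernel: NX %s\n", nx_enabled_after_boot(1) ? "on" : "off");
    printf("fixed kernel:    NX %s\n", nx_enabled_after_boot(0) ? "on" : "off");
    return 0;
}
```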


Solutions and Workarounds
=========================

No workaround to the problem is currently known. Users are advised to
restrict access to the system to trusted users only, both locally and
remotely.

When considered individually, this issue is not directly exploitable.
Only programs that depend on the enforcement of execute permissions in
memory may be affected, as well as badly written ones in which the stack,
heap and/or data sections could be used to inject and execute a
specially crafted payload.

The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and
installing a new version of the kernel.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
                                      
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

  ARCH     with your architecture (from uname -m), and                  
  KERNCONF with the name of your kernel configuration file.    

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P sys/arch/x86
	# cvs update -d -P sys/arch/amd64
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:    

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Jeremy Morse and Jean-Yves Migeon for independently finding and reporting
the issue, and Jean-Yves Migeon for providing a patch.

Revision History
================

	2010-04-26	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-004.txt,v 1.1 2010/04/25 21:37:39 tonnerre Exp $

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFL1hu3/iFOrG6YcBERAsGLAKCdkSYEuwHqBAy+rZNQuV2MFa2zkACfVC+1
Hf9bt2UQCRRidi8PVF5sPNY=
=S0ni
-----END PGP SIGNATURE-----