ESB-2017.2287 - [NetBSD] kernel: Multiple vulnerabilities 2017-09-11

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2287
         Vnode reference leak in the openat system call and buffer
                 overflow via cmap for 4 graphics drivers
                             11 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Root Compromise        -- Existing Account
                   Modify Arbitrary Files -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-006.txt.asc
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Comment: This bulletin contains two (2) NetBSD security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2017-006
		=================================

Topic:		Vnode reference leak in the openat system call


Version:	NetBSD-current:		source prior to Sun, July 9th 2017
		NetBSD 8.0 beta:	affected
		NetBSD 7.1:		affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.4:	not affected
		NetBSD 6.0 - 6.0.5:	not affected

Severity:	Local privilege escalation

Fixed:		NetBSD-current:		Sun, July 9th 2017
		NetBSD-8 branch:	Mon, July 10th 2017
		NetBSD-7-1 branch:	Mon, July 10th 2017
		NetBSD-7-0 branch:	Mon, July 10th 2017
		NetBSD-7 branch:	Mon, July 10th 2017

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An easily exercisable error path in the kernel leaves behind an
unreclaimed reference to a vnode. This prevents unmounting the
affected volume, allowing local denial of service. It is likely that
tickling the weakness repeatedly can be used to corrupt the kernel
heap and thus gain kernel-level privileges, even with securelevel
enabled.


Technical Details
=================

When calling the openat system call using a file descriptor that does
not name a directory as the starting point for path lookup, a
reference to the underlying vnode is taken temporarily and then not
released when the error is discovered. Performing such a call often
enough results in overflowing the internal reference count and
corrupting the kernel heap.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

 FILE  HEAD   netbsd-8   netbsd-7   netbsd-7-1   netbsd-7-0
 ----  ----   --------   --------   ----------   ----------
 sys/kern/vfs_lookup.c
       1.208  1.207.2.1  1.201.4.1  1.201.12.1   1.201.8.1

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r VERSION sys/kern/vfs_lookup.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Mateusz Guzik for noticing the issue, and David A. Holland for
deploying the fix.


Revision History
================

	2017-09-08	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-00N.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2017, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
- -----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJZsqisAAoJEAZJc6xMSnBuu4AP/0ytQhuSMf1hjvg5Gdg9TT5N
4anruzy9VY6P4PqkPVjJTv7YYlOCTtP7Svg4+CbwIjRoNNyKycUhEmBzUWpmLQL1
UaKE44lJExbD1qIL4aU5LweD+RnGQbdo9LwMC31rK8dUSKCpkc6K7yt+TnA2SMw/
a2IlJtqkX5lk+HAQ3TF32STPz+oijtEJBFjTCzWw4uLpAbvvdephuzQRR4H3d324
3iD0pcLRblpOAZ7qeOG6iCcpemMxu33T2IphsNL1Sx2JyKmqObtyRoNU8O6V7ldP
L1VGIAU5cNW6+zCbvKLyTKLbze5eRuGx5x/fLbHnjlodGrdshxzIqEUVUGyD+hJJ
JP1pYo3Mj/BJwnjLhv8hNWyuX6VtnEgl0B5C2U7X2K5c05DZnRvSrSHrIiGjIEoV
p7LvbgLXtIEdzpOrx4kZ5DoHAVAjBm0gLrVwK1r8nSgOPmEzLpzaC3fCCL/x4cfZ
JfMJvA3QbQJOpNdOexDcr1eD7VUFpZE7mE6kI8UUCpF71446A3cGpMkftSt/i6vn
htDCqnmYJ10w2NtRc99VGIdgUZUM7d3as83HGKrHcTous0qKyutrB+WlEpGHIRY5
mq7gCoRqikbxBKhnYlADGJRXTk9FBw2ai08SIOsRW7SSlVNwtPq09xhT0X6NsKA0
IsQfy4QZa1g+ecssqDHg
=5ckQ
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2017-004
		=================================

Topic:		buffer overflow via cmap for 4 graphics drivers


Version:	NetBSD-current:		source prior to June 13th
		NetBSD 8.0_BETA:	affected
		NetBSD 7.1:		affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	information leak and potential root compromise
		for authenticated user on affected graphics console

Fixed:		NetBSD-current:		June 13th
		NetBSD-8 branch:	June 15th
		NetBSD-7-1 branch:	June 15th
		NetBSD-7-0 branch:	June 15th
		NetBSD-7 branch:	June 15th
		NetBSD-6-0 branch:	June 15th
		NetBSD-6-1 branch:	June 15th
		NetBSD-6 branch:	June 15th

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An authenticated user on a wscons terminal with the following graphics
drivers:
sbd (ews4800mips)
bivideo (hpcsh)
sti (hppa and hp300)
pm (pmax)
could cause a buffer overflow when reading or writing the color map.



Technical Details
=================

Due to overflowable bounds checking when reading or writing the
color map using the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP
ioctls, the user that owns a /dev/ttyE* (i.e. is logged in on it)
could read kernel memory, or for all but bivideo, which doesn't have
a writable color map, write kernel memory.


Solutions and Workarounds
=========================

Solution: update the kernel with one built from source past the fix date.
There are no workarounds besides the obvious not allowing untrusted users
at the console.

Affected source files			fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.16   1.15.10.1
sys/arch/pmax/ibus/pm.c               1.13   1.12.22.1
sys/dev/hpc/bivideo.c                 1.34   1.33.30.1
sys/dev/ic/sti.c                      1.19   1.18.20.1
++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.13.4.2   1.13.4.1.6.1  1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c               1.12.4.1   1.12.16.1  1.12.8.1
sys/dev/hpc/bivideo.c1                1.33.12.1  1.33.24.1  1.33.16.1
sys/dev/ic/sti.c                      1.18.2.1   1.18.14.1  1.18.6.1
++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.12.2.1   1.12.16.1  1.12.8.1
sys/arch/pmax/ibus/pm.c               1.11.2.1   1.11.16.1  1.11.8.1
sys/dev/hpc/bivideo.c                 1.32.14.1  1.32.22.1  1.32.20.1
sys/dev/ic/sti.c                      1.16.8.2   1.16.22.1  1.16.14.1


Thanks To
=========

Thanks to CTurt for reporting this set of issues.


Revision History
================

	2017-09-08	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2017-004.txt,v 1.1 2017/09/08 14:16:20 christos Exp $

- -----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJZsqZUAAoJEAZJc6xMSnBulOkP+QHLJsIE+54s6iAc9p45tnT7
mLVFvATsLyb4Vu4BJ82swC0AJqpHTjUBQgAmYR+C6xHzewyd95Uimgb5C6hnpXb9
f7EcZ/9AiQzVusEp4EfjyBJB5bze9W4tbZOfLNJ41kZyoUAlg2gQdd70Oz4lW5CQ
6ENcYqXgoUqsLA2MF8lcFhAbuTaBY9vzbQOAfviGtguTCmoEZ9ZcknAnNO0G+0Kk
RCnu/P333Z0X7m/vHMQ9YJQyHjSGQFii0Ssyl+FgKQw3Qdhs+SRGE7XhEDjDTBGU
dm25XrdDcRFrW0YlCnEInXqMHvrjtPAfwZ9glRElgXgcU3tld1Gynz6e3u1SmL2C
76G3ZlDabovJNLRs4GOcAofEsUN4KWBxemOUFPzuMx0vM6yv+r71+DdcFYVIRgrl
6KgoqvcTGL6n2MphLKy4+dBytuIue83RSqNNhdliTLmlRy/jUWOXGWXanOjaGv/E
bYKTeELHZ5uDzi4HZ6nO9qjazskUz3+CvbSmJmzDTa+FNYAbiuNHzW9jUD2wk8TE
GP2bEh0lF8Sw1FY8TRKPUldr5s/STbdAGjISC/128AuT6a2S+bq+zIidIOMa4FhP
etzb43qjA41t5FG01tTUW3SDmI6s1svyhzSYySFF6HsbJ2roF9zS8DFtk09pwa/k
WwGwp4kZJGaJPRNplTkB
=m2H9
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWbYAWox+lLeg9Ub1AQjsPA//aG50wzZ3wE0gxxOEddIBfc7QC/Rm/Ztk
H3yTuHgKGKwvw6wGuq1wQnxxlegO6HUM0GL8GhNsx9XH6qhpQXuOfog3q3qPY2PX
X8kcIygxcw6Kjk2zqj4EWsz+SXNBZyyHNpMUIVDsjcXW2IWZEUypcsMPetKJM64a
Sy5rHfII+8EFqkMmVFmeEaK2XkO/QiEjNGPR7LcPzbPEFajnrm78bk3a/w9l+vmX
jipgD1/jgSvgM/+4f8FA19N8rS70sabkCd+KsFHmjLBQelJl796EZfVMU2R9atHj
jWTMoa8ZmqjQXwBnhuHeILiaSkCb6opym9858k5l3VAlsltv6QLUS6ty77Crt+Eo
qNib/QsKQeDuF9mBlMoM0Z23k7LD1fMynunNppE4cp8U2bKQH8I0XCE0xN039BI8
xfB6uCSFcOxJagLY/RNXjGpH5rOh7CNrV9RpUBEiaFriIxIDwrqHLGtNNtjJKhSs
HHhN6cKl9EQU5LJX05VrtG6GtZt9zNmcS5N08yknmop15l5KKV9U7msJSBzL4NyL
ECAetdzyCRd7+5MZwu75jYL0fEqk9KJpSO6VXI/rlQCUynLECewH5z/7bsgF6Kkc
dp/xQ3Q2mjQFZu+sxf5vRngyKUvfkK6hptoeJNSr4+hdggKwGp+yFkOT8iZatabP
JbgssgxHR7U=
=i1Vh
-----END PGP SIGNATURE-----

« Back to bulletins