ESB-2019.0406 - [NetBSD] kernel: Access privileged data - Existing account 2019-02-08


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0406
                     NetBSD Security Advisory 2019-001
                              8 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-001.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

		NetBSD Security Advisory 2019-001
		=================================

Topic:		Several kernel memory disclosure bugs


Version:	NetBSD-current:		source prior to Thu, Jan 31st 2019
		NetBSD 8.0:		affected
		NetBSD 7.2:		affected
		NetBSD 7.1:		affected
		NetBSD 7.0:		affected

Severity:	Kernel memory disclosure

Fixed:		NetBSD-current:		Thu, Jan 31st 2019
		NetBSD-8 branch:	Fri, Feb 1st 2019
		NetBSD-7-1 branch:	Fri, Feb 1st 2019
		NetBSD-7-0 branch:	Fri, Feb 1st 2019

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 7.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract & Technical Details
============================

Several kernel memory disclosure bugs were discovered:

  1) Four bytes of kernel stack were leaked in the ntp_gettime system
     call.

  2) Eight bytes of kernel stack were leaked when executing execve.

  3) Many bytes of kernel stack were leaked when processing signals on
     several architectures.

  4) Four bytes of kernel stack were leaked in several system calls
     related to time.

  5) Inverted logic in the netbsd32 compatibility layer caused some bytes
     of kernel memory to be wrongly copied to userland.

  6) A missing sanity check in a sysctl caused a severe kernel memory
     disclosure.

  7) Four bytes of kernel stack were leaked in the kevent system call.

  8) Eight bytes of kernel stack were leaked in the gettimer system call.

  9) Two bytes of kernel heap were leaked in the net.rtable sysctl.

 10) Many bytes of kernel stack were leaked in the swapctl system call.

 11) Sixteen bytes of kernel heap were leaked in the settime system call.

 12) Four bytes of kernel heap were leaked in the sigaction_sigtramp
     system call.

 13) Many bytes of kernel stack were leaked in the ptrace system call.

 14) Four bytes of kernel stack were leaked in the wait6 system call.

 15) Four bytes of kernel stack were leaked in the sigtimedwait system
     call.

 16) Many bytes of kernel stack were leaked in the msgctl system call
     implemented in the compatibility layers.
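The leaks above share one mechanism: a kernel object is populated field by field and then copied to userland, so whatever the stack or heap held before the call (compiler padding, members the code never wrote) travels with it. The following C program is an illustration added to this bulletin; it is not NetBSD code and not KLEAK. It uses a hypothetical struct, a poisoned stack slot standing in for stale kernel data, and memcpy() standing in for copyout(), then contrasts the vulnerable field-by-field fill with the zero-first fix and counts the poison bytes that reach the "user" buffer, which is the marker-and-scan idea a stack-leak detector relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result structure (not a real NetBSD type). The int64_t member
 * forces alignment padding after sec on most ABIs, and the short last member
 * leaves tail padding; neither gap is ever written by field assignments. */
struct timeinfo {
    int32_t sec;
    int64_t nsec;
    int16_t flags;
};

/* Marker standing in for stale data left on the kernel stack by an earlier
 * call (a pointer, a key fragment, ...). Chosen so that no legitimate field
 * value assigned below contains this byte. */
#define STALE_BYTE 0xAA

/* A union lets the same storage be written as fields and scanned as bytes. */
union slot {
    struct timeinfo ti;
    unsigned char raw[sizeof(struct timeinfo)];
};

/* Vulnerable pattern: populate the fields and nothing else. Padding bytes
 * keep whatever the stack held before the call. */
static void fill_vulnerable(union slot *s)
{
    s->ti.sec = 1;
    s->ti.nsec = 2;
    s->ti.flags = 3;
}

/* Fixed pattern: zero the entire object first, then populate it. This is
 * the usual remediation for stack leaks of this kind. */
static void fill_fixed(union slot *s)
{
    memset(&s->ti, 0, sizeof s->ti);
    s->ti.sec = 1;
    s->ti.nsec = 2;
    s->ti.flags = 3;
}

/* Bytes of struct timeinfo that no field covers, i.e. the most a
 * field-by-field fill can leak. Depends on the target ABI. */
static size_t padding_bytes(void)
{
    return sizeof(struct timeinfo)
         - (sizeof(int32_t) + sizeof(int64_t) + sizeof(int16_t));
}

/* Simulated system call: the stack slot is poisoned (stale data), filled by
 * the chosen routine, then copied to the caller's buffer (memcpy stands in
 * for copyout()). Returns how many STALE_BYTEs reached the user buffer,
 * which is the marker-and-scan check a leak detector performs after the
 * copy. Returns (size_t)-1 if the caller's buffer is too small. */
static size_t simulate_syscall(void (*fill)(union slot *),
                               unsigned char *user, size_t userlen)
{
    union slot s;
    size_t leaked = 0;

    if (userlen < sizeof s.raw)
        return (size_t)-1;

    memset(s.raw, STALE_BYTE, sizeof s.raw);   /* stale data on the stack */
    fill(&s);
    memcpy(user, s.raw, sizeof s.raw);         /* copyout() stand-in */

    for (size_t i = 0; i < sizeof s.raw; i++)
        if (user[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

/* Convenience wrapper with a correctly sized internal user buffer. */
static size_t leak_count(void (*fill)(union slot *))
{
    unsigned char user[sizeof(struct timeinfo)];
    return simulate_syscall(fill, user, sizeof user);
}

int main(void)
{
    printf("struct size %zu, padding %zu bytes\n",
           sizeof(struct timeinfo), padding_bytes());
    printf("vulnerable fill leaks %zu bytes\n", leak_count(fill_vulnerable));
    printf("fixed fill leaks %zu bytes\n", leak_count(fill_fixed));
    return 0;
}
```

On an LP64 target the struct is 24 bytes with 10 bytes of padding, and the vulnerable fill leaks exactly those 10; the fixed fill leaks none. An initializer such as `= { 0 }` is not guaranteed by the C standard to clear padding, so zeroing the whole object explicitly before populating it is the safe form, and the same poison-then-scan check is how a detector finds such leaks without knowing the struct layout in advance.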


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The commands below fetch each fix as a unified diff against
NetBSD-current; apply the patches for the listed files to your source
tree, then rebuild and install the kernel and reboot as described above.

The patches can be obtained from NetBSD-current with the following
commands:

 ISSUE   COMMAND
 -----   -------
 1)      cvs rdiff -u -r1.59  -r1.60  src/sys/kern/kern_ntptime.c
 2)      cvs rdiff -u -r1.461 -r1.462 src/sys/kern/kern_exec.c
 3)      cvs rdiff -u -r1.320 -r1.321 src/sys/arch/amd64/amd64/machdep.c
 3)      cvs rdiff -u -r1.2   -r1.3   src/sys/arch/aarch64/aarch64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.351 -r1.352 src/sys/arch/alpha/alpha/machdep.c
 3)      cvs rdiff -u -r1.116 -r1.117 src/sys/arch/amd64/amd64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.50  -r1.51  src/sys/arch/arm/arm/sig_machdep.c
 3)      cvs rdiff -u -r1.25  -r1.26  src/sys/arch/hppa/hppa/sig_machdep.c
 3)      cvs rdiff -u -r1.812 -r1.813 src/sys/arch/i386/i386/machdep.c
 3)      cvs rdiff -u -r1.49  -r1.50  src/sys/arch/m68k/m68k/sig_machdep.c
 3)      cvs rdiff -u -r1.15  -r1.16  src/sys/arch/mips/mips/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.23  -r1.24  src/sys/arch/mips/mips/sig_machdep.c
 3)      cvs rdiff -u -r1.45  -r1.46  src/sys/arch/powerpc/powerpc/sig_machdep.c
 3)      cvs rdiff -u -r1.1   -r1.2   src/sys/arch/riscv/riscv/sig_machdep.c
 3)      cvs rdiff -u -r1.105 -r1.106 src/sys/arch/sh3/sh3/sh3_machdep.c
 3)      cvs rdiff -u -r1.288 -r1.289 src/sys/arch/sparc64/sparc64/machdep.c
 3)      cvs rdiff -u -r1.110 -r1.111 src/sys/arch/sparc64/sparc64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.7   -r1.8   src/sys/arch/usermode/target/i386/cpu_i386.c
 3)      cvs rdiff -u -r1.6   -r1.7   src/sys/arch/usermode/target/x86_64/cpu_x86_64.c
 3)      cvs rdiff -u -r1.22  -r1.23  src/sys/arch/vax/vax/sig_machdep.c
 4)      cvs rdiff -u -r1.189 -r1.190 src/sys/kern/kern_time.c
 4)      cvs rdiff -u -r1.193 -r1.194 src/sys/kern/kern_time.c
 5)      cvs rdiff -u -r1.47  -r1.48  src/sys/compat/netbsd32/netbsd32_socket.c
 6)      cvs rdiff -u -r1.218 -r1.219 src/sys/kern/kern_proc.c
 7)      cvs rdiff -u -r1.103 -r1.104 src/sys/kern/kern_event.c
 8)      cvs rdiff -u -r1.190 -r1.191 src/sys/kern/kern_time.c
 9)      cvs rdiff -u -r1.243 -r1.244 src/sys/net/rtsock.c
 10)     cvs rdiff -u -r1.177 -r1.178 src/sys/uvm/uvm_swap.c
 11)     cvs rdiff -u -r1.191 -r1.192 src/sys/kern/kern_time.c
 11)     cvs rdiff -u -r1.109 -r1.110 src/sys/compat/linux/common/linux_misc_notalpha.c
 11)     cvs rdiff -u -r1.192 -r1.193 src/sys/kern/kern_time.c
 12)     cvs rdiff -u -r1.349 -r1.350 src/sys/kern/kern_sig.c
 13)     cvs rdiff -u -r1.45  -r1.46  src/sys/kern/sys_ptrace_common.c
 14)     cvs rdiff -u -r1.272 -r1.273 src/sys/kern/kern_exit.c
 15)     cvs rdiff -u -r1.46  -r1.47  src/sys/kern/sys_sig.c
 16)     cvs rdiff -u -r1.26  -r1.27  src/sys/compat/netbsd32/netbsd32_compat_14.c
 16)     cvs rdiff -u -r1.36  -r1.37  src/sys/compat/netbsd32/netbsd32_conv.h
 16)     cvs rdiff -u -r1.4   -r1.5   src/sys/compat/sys/msg.h

These patches were applied to the affected branches.


Thanks To
=========

Thomas Barabosch (of Fraunhofer FKIE) for discovering issue 1).

Maxime Villard for developing KASAN, which discovered issues 5) and 6).

Thomas Barabosch and Maxime Villard for designing KLEAK, a feature that
discovered issues 2), 3), 4), 7), 8), 9), 10), 11), 12), 13), 14), 15), 16).


Revision History
================

	2019-02-06	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================