-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
NetBSD Security Advisory 2019-001
8 February 2019
AusCERT Security Bulletin Summary
Operating System: NetBSD
Impact/Access: Access Privileged Data -- Existing Account
- --------------------------BEGIN INCLUDED TEXT--------------------
NetBSD Security Advisory 2019-001
Topic: Several kernel memory disclosure bugs
Version: NetBSD-current: source prior to Thu, Jan 31st 2019
NetBSD 8.0: affected
NetBSD 7.2: affected
NetBSD 7.1: affected
NetBSD 7.0: affected
Severity: Kernel memory disclosure
Fixed: NetBSD-current: Thu, Jan 31st 2019
NetBSD-8 branch: Fri, Feb 1st 2019
NetBSD-7-1 branch: Fri, Feb 1st 2019
NetBSD-7-0 branch: Fri, Feb 1st 2019
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 7.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract & Technical Details
Several kernel memory disclosure bugs were discovered:
1) Four bytes of kernel stack were leaked in the ntp_gettime system
2) Eight bytes of kernel stack were leaked when executing execve.
3) Many bytes of kernel stack were leaked when processing signals on
4) Four bytes of kernel stack were leaked in several system calls
related to time.
5) An inverted logic in netbsd32 caused some kernel memory bytes to
wrongfully be copied to userland.
6) A missing sanity check in a sysctl caused a severe kernel memory
7) Four bytes of kernel stack were leaked in the kevent system call.
8) Eight bytes of kernel stack were leaked in the gettimer system call.
9) Two bytes of kernel heap were leaked in the net.rtable sysctl.
10) Many bytes of kernel stack were leaked in the swapctl system call.
11) Sixteen bytes of kernel heap were leaked in the settime system call.
12) Four bytes of kernel heap were leaked in the sigaction_sigtramp
13) Many bytes of kernel stack were leaked in the ptrace system call.
14) Four bytes of kernel stack were leaked in the wait6 system call.
15) Four bytes of kernel stack were leaked in the sigtimedwait system
16) Many bytes of kernel stack were leaked in the msgctl system call
implemented in the compatibility layers.
Solutions and Workarounds
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
The patches can be obtained from NetBSD-current with the following
1) cvs rdiff -u -r1.59 -r1.60 src/sys/kern/kern_ntptime.c
2) cvs rdiff -u -r1.461 -r1.462 src/sys/kern/kern_exec.c
3) cvs rdiff -u -r1.320 -r1.321 src/sys/arch/amd64/amd64/machdep.c
3) cvs rdiff -u -r1.2 -r1.3 src/sys/arch/aarch64/aarch64/netbsd32_machdep.c
3) cvs rdiff -u -r1.351 -r1.352 src/sys/arch/alpha/alpha/machdep.c
3) cvs rdiff -u -r1.116 -r1.117 src/sys/arch/amd64/amd64/netbsd32_machdep.c
3) cvs rdiff -u -r1.50 -r1.51 src/sys/arch/arm/arm/sig_machdep.c
3) cvs rdiff -u -r1.25 -r1.26 src/sys/arch/hppa/hppa/sig_machdep.c
3) cvs rdiff -u -r1.812 -r1.813 src/sys/arch/i386/i386/machdep.c
3) cvs rdiff -u -r1.49 -r1.50 src/sys/arch/m68k/m68k/sig_machdep.c
3) cvs rdiff -u -r1.15 -r1.16 src/sys/arch/mips/mips/netbsd32_machdep.c
3) cvs rdiff -u -r1.23 -r1.24 src/sys/arch/mips/mips/sig_machdep.c
3) cvs rdiff -u -r1.45 -r1.46 src/sys/arch/powerpc/powerpc/sig_machdep.c
3) cvs rdiff -u -r1.1 -r1.2 src/sys/arch/riscv/riscv/sig_machdep.c
3) cvs rdiff -u -r1.105 -r1.106 src/sys/arch/sh3/sh3/sh3_machdep.c
3) cvs rdiff -u -r1.288 -r1.289 src/sys/arch/sparc64/sparc64/machdep.c
3) cvs rdiff -u -r1.110 -r1.111 src/sys/arch/sparc64/sparc64/netbsd32_machdep.c
3) cvs rdiff -u -r1.7 -r1.8 src/sys/arch/usermode/target/i386/cpu_i386.c
3) cvs rdiff -u -r1.6 -r1.7 src/sys/arch/usermode/target/x86_64/cpu_x86_64.c
3) cvs rdiff -u -r1.22 -r1.23 src/sys/arch/vax/vax/sig_machdep.c
4) cvs rdiff -u -r1.189 -r1.190 src/sys/kern/kern_time.c
4) cvs rdiff -u -r1.193 -r1.194 src/sys/kern/kern_time.c
5) cvs rdiff -u -r1.47 -r1.48 src/sys/compat/netbsd32/netbsd32_socket.c
6) cvs rdiff -u -r1.218 -r1.219 src/sys/kern/kern_proc.c
7) cvs rdiff -u -r1.103 -r1.104 src/sys/kern/kern_event.c
8) cvs rdiff -u -r1.190 -r1.191 src/sys/kern/kern_time.c
9) cvs rdiff -u -r1.243 -r1.244 src/sys/net/rtsock.c
10) cvs rdiff -u -r1.177 -r1.178 src/sys/uvm/uvm_swap.c
11) cvs rdiff -u -r1.191 -r1.192 src/sys/kern/kern_time.c
11) cvs rdiff -u -r1.109 -r1.110 src/sys/compat/linux/common/linux_misc_notalpha.c
11) cvs rdiff -u -r1.192 -r1.193 src/sys/kern/kern_time.c
12) cvs rdiff -u -r1.349 -r1.350 src/sys/kern/kern_sig.c
13) cvs rdiff -u -r1.45 -r1.46 src/sys/kern/sys_ptrace_common.c
14) cvs rdiff -u -r1.272 -r1.273 src/sys/kern/kern_exit.c
15) cvs rdiff -u -r1.46 -r1.47 src/sys/kern/sys_sig.c
16) cvs rdiff -u -r1.26 -r1.27 src/sys/compat/netbsd32/netbsd32_compat_14.c
16) cvs rdiff -u -r1.36 -r1.37 src/sys/compat/netbsd32/netbsd32_conv.h
16) cvs rdiff -u -r1.4 -r1.5 src/sys/compat/sys/msg.h
These patches were applied to the affected branches.
Thomas Barabosch (of Fraunhofer FKIE) for discovering issue 1).
Maxime Villard for developing KASAN which discovered issues 5) and 6).
Thomas Barabosch and Maxime Villard for designing KLEAK, a feature that
discovered issues 2), 3), 4), 7), 8), 9), 10), 11), 12), 13), 14), 15), 16).
2019-02-06 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2019, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----