NetBSD Security Advisory 2000-011: Insufficient msg_controllen checking for sendmsg(2)

From: NetBSD Security Officer (security-officerat_private)
Date: Mon Jul 23 2001 - 21:57:58 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    
                     NetBSD Security Advisory 2000-011
                     =================================
    
    Topic:		Insufficient msg_controllen checking for sendmsg(2)
    
    Version:	All releases of NetBSD from 1.3 to 1.5, and -current
    
    Severity:	Any local user can panic the system
    
    Fixed:		NetBSD-current:		July 1, 2001
    		NetBSD-1.5 branch:	July 2, 2001 (1.5.1 includes the fix)
    		NetBSD-1.4 branch:	July 19, 2001
    
    Abstract
    ========
    
    Due to insufficient length checking in the kernel, sendmsg(2) can be
    used by a local user to cause a kernel trap, or an 'out of space in
    kmem_map' panic.
    
    As of the release date of this advisory, NetBSD releases from 1.3
    up to any later release are vulnerable.
    
    Technical Details
    =================
    
    sendmsg(2) can be used to send data through a socket, optionally
    specifying destination address and control information.
    
    sendmsg(2) accepts a pointer to struct msghdr, which holds further
    information for the call. The pointer to control information is passed
    via msg_control, and msg_controllen holds the length of the control
    information. This is used to read the control information into kernel
    space and put it in an mbuf for further processing. However, the kernel
    attempts to allocate mbuf storage as specified in msg_controllen without
    further checks. This behaviour can be abused to cause a kernel page
    fault trap if the value is higher than INT_MAX, or to cause an 'out of
    space in kmem_map' panic for lower values. The exact size to cause the
    latter is port dependent, though INT_MAX is commonly enough to trigger
    the panic.
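The bounds check the advisory describes as missing, modelled in userland C. This is an added illustration, not NetBSD's kernel code or the actual fix: `check_controllen` refuses a msg_controllen that is too small to hold one cmsghdr or larger than an assumed per-message cap (`CTL_MAX_BYTES`, an illustrative constant standing in for a cluster-sized mbuf) before any storage is committed; `check_cmsg_chain` walks the cmsghdr chain and confirms every cmsg_len stays inside the buffer that msg_controllen describes; and `build_fd_control` shows the userland side deriving msg_controllen from CMSG_SPACE so the length always matches what the buffer holds. The three function names and the constant are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed upper bound for one control buffer. Illustrative constant for this
 * example, not the limit used in NetBSD's fixed sources; it stands in for a
 * single cluster-sized mbuf. */
#define CTL_MAX_BYTES 2048u

/*
 * Model of the check the unpatched kernel lacked: decide, before any mbuf
 * storage is committed, whether msg_controllen is acceptable.
 * Returns 0 on success or an errno value to hand back to the caller.
 */
int check_controllen(const void *control, socklen_t controllen)
{
    if (control == NULL)
        return controllen == 0 ? 0 : EINVAL;   /* no buffer, so no length */
    if (controllen < sizeof(struct cmsghdr))
        return EINVAL;                         /* cannot hold one header */
    if (controllen > CTL_MAX_BYTES)
        return EINVAL;                         /* refuse before allocating */
    return 0;
}

/*
 * Second layer: walk the cmsghdr chain and confirm each cmsg_len stays
 * inside the buffer described by msg_controllen. Returns the number of
 * control messages found, or -errno for a malformed buffer.
 */
int check_cmsg_chain(struct msghdr *msg)
{
    int rc = check_controllen(msg->msg_control, msg->msg_controllen);
    if (rc != 0)
        return -rc;
    const char *end = (const char *)msg->msg_control + msg->msg_controllen;
    int count = 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(msg); cm != NULL;
         cm = CMSG_NXTHDR(msg, cm)) {
        if (cm->cmsg_len < sizeof(struct cmsghdr))
            return -EINVAL;                    /* header claims to be shorter than itself */
        if ((const char *)cm + cm->cmsg_len > end)
            return -EINVAL;                    /* cmsg_len runs past msg_controllen */
        count++;
    }
    return count;
}

/*
 * Userland side: build a well-formed SCM_RIGHTS control message carrying one
 * descriptor. msg_controllen is derived from CMSG_SPACE, so the length the
 * kernel sees is exactly the size of the buffer that was filled.
 * Returns the msg_controllen to use, or 0 if buf is too small.
 */
size_t build_fd_control(struct msghdr *msg, unsigned char *buf, size_t buflen, int fd)
{
    size_t need = CMSG_SPACE(sizeof(int));
    if (buflen < need)
        return 0;
    memset(buf, 0, need);
    memset(msg, 0, sizeof(*msg));
    msg->msg_control = buf;
    msg->msg_controllen = (socklen_t)need;
    struct cmsghdr *cm = CMSG_FIRSTHDR(msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return need;
}

int main(void)
{
    /* Union keeps the constructed buffer aligned for struct cmsghdr. */
    union { struct cmsghdr align; unsigned char bytes[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    size_t len = build_fd_control(&msg, u.bytes, sizeof(u.bytes), 0);
    printf("well-formed: msg_controllen=%zu, messages=%d\n", len, check_cmsg_chain(&msg));
    printf("INT_MAX:     errno=%d\n", check_controllen(u.bytes, (socklen_t)INT_MAX));
    printf("INT_MAX+1:   errno=%d\n", check_controllen(u.bytes, (socklen_t)INT_MAX + 1u));
    return 0;
}
```

The last two calls in `main` exercise the two lengths the advisory names, INT_MAX and a value above it; both are refused by the size cap alone, before the sign of the value could ever matter to an allocator. The chain walk is the check a receiving parser or kernel applies after copy-in, so a cmsg_len that overstates its data is caught even when msg_controllen itself is reasonable.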
    
    Solutions and Workarounds
    =========================
    
    All NetBSD official releases from 1.3 are vulnerable.
    
    Kernel sources must be updated and a new kernel built and installed.
    The instructions for updating your kernel sources depend upon which
    particular NetBSD release you are running.
    
    * NetBSD-current:
    
    	Systems running NetBSD-current dated from before 2001-07-01
    	should be upgraded to NetBSD-current dated 2001-07-01 or later.
    
    	The following source directories need to be updated from
    	the netbsd-current CVS branch (aka HEAD):
    		src/sys/kern
    
    	Alternatively, apply the following patch (with potential offset
    	differences):
    		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-current.patch
    
    
    * NetBSD 1.5:
    
    	Systems running NetBSD 1.5 dated from before 2001-07-02 should be
    	upgraded from NetBSD 1.5 sources dated 2001-07-02 or later.
    
    	The following source directory needs to be updated from the
    	netbsd-1-5 CVS branch:
    		src/sys/kern
    
    	Alternatively, apply the following patch (with potential offset
    	differences):
    		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch
    		
    	NetBSD 1.5.1 is not vulnerable.
    
    
    * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
    
    	Systems running NetBSD 1.4 dated from before 2001-07-19 should be
    	upgraded from NetBSD 1.4 sources dated 2001-07-19 or later.
    
    	The following source directory needs to be updated from the
    	netbsd-1-4 CVS branch:
    		src/sys/kern
    
    	Alternatively, apply the following patch (with potential offset
    	differences):
    		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch
    
    
    * NetBSD 1.3, 1.3.1, 1.3.2, 1.3.3:
    
    	Apply the following patch (with potential offset differences):
    		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch
    
    
    Once the kernel sources have been updated, rebuild the kernel,
    install it, and reboot.  For more information on how to do this,
    see:
    
        http://www.netbsd.org/Documentation/kernel/#building_a_kernel
    
    
    
    Thanks To
    =========
    
    Jaromir Dolecek <jdolecekat_private> for finding the problem, and
    supplying a test program showing the problem.
    
    Matt Thomas <mattat_private> for a fix.
    
    
    Revision History
    ================
    
    	2001-07-20	Initial revision
    
    
    More Information
    ================
    
    An up-to-date PGP signed copy of this release will be maintained at
      ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-011.txt.asc
    
    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
    
    
    Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.
    
    $NetBSD: NetBSD-SA2001-011.txt,v 1.7 2001/07/20 01:16:54 lukem Exp $
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (NetBSD)
    Comment: For info see http://www.gnupg.org
    
    iQCVAwUBO1eSET5Ru2/4N2IFAQEYBgQAt2u+8kPIWZIGvTzb1m0R6bqdJTnE4xpk
    uxkGV8w4GmyhC+aUX4toAkdTgdI2cHejr0tOOVk7OHD3TZ5aKKuzG/ZVunpxPwJc
    q0ivUxDxv63OhXr2EVkPE/l9vrXs2BRuX3CjSHPWRt1knGVM9sYihjKqIDZyLuQS
    Ou2Pb8drDlY=
    =89Oe
    -----END PGP SIGNATURE-----
    