The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


NetBSD Security Advisory 2000-011: Insufficient msg_controllen checking for sendmsg(2)


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 24 Jul 2001 14:57:58 +1000
From: NetBSD Security Officer <security-officer@netbsd.org.>
To: [email protected]
Subject: NetBSD Security Advisory 2000-011: Insufficient msg_controllen checking for sendmsg(2)
Cc: [email protected], [email protected],
 [email protected], [email protected], [email protected]

-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-011

Topic: Insufficient msg_controllen checking for sendmsg(2) Version: All releases of NetBSD from 1.3 to 1.5, and -current Severity: Any local user can panic the system Fixed: NetBSD-current: July 1, 2001 NetBSD-1.5 branch: July 2, 2001 (1.5.1 includes the fix) NetBSD-1.4 branch: July 19, 2001 Abstract ======== Due to insufficient length checking in the kernel, sendmsg(2) can be used by a local user to cause a kernel trap, or an 'out of space in kmem_map' panic. As of the release date of this advisory, NetBSD releases from 1.3 up to any later release, are vulnerable. Technical Details ================= sendmsg(2) can be used to send data through a socket, optionally specifying destination address and control information. sendmsg(2) accepts a pointer to struct msghdr, which holds further information for the call. The pointer to control information is passed via msg_control, msg_controllen helds the length of the control information. This is used to read the control information into kernel space and put it in an mbuf for further processing. However, the kernel attempts to allocate mbuf storage as specified in msg_controllen without further checks. This behaviour can be abused to cause a kernel page fault trap if the value is higher than INT_MAX, or to cause an 'out of space in kmem_map' panic for lower values. The exact size to cause the latter is port dependant, though INT_MAX is commonly enough to trigger the panic. Solutions and Workarounds
All NetBSD official releases from 1.3 are vulnerable. Kernel sources must be updated and a new kernel built and installed. The instructions for updating your kernel sources depend upon which particular NetBSD release you are running. * NetBSD-current: Systems running NetBSD-current dated from before 2001-07-01 should be upgraded to NetBSD-current dated 2001-07-01 or later. The following source directories need to be updated from the netbsd-current CVS branch (aka HEAD): src/sys/kern Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-current.patch * NetBSD 1.5: Systems running NetBSD 1.5 dated from before 2001-07-02 should be upgraded from NetBSD 1.5 sources dated 2001-07-02 or later. The following source directory needs to be updated from the netbsd-1-5 CVS branch: src/sys/kern Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch NetBSD 1.5.1 is not vulnerable. * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3: Systems running NetBSD 1.4 dated from before 2001-07-19 should be upgraded from NetBSD 1.4 sources dated 2001-07-19 or later. The following source directory needs to be updated from the netbsd-1-4 CVS branch: src/sys/kern Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch * NetBSD 1.3, 1.3.1, 1.3.2, 1.3.3: Apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-011-sendmsg-1.3-1.5.patch Once the kernel sources have been updated, rebuild the kernel, install it, and reboot. For more information on how to do this, see: http://www.netbsd.org/Documentation/kernel/#building_a_kernel Thanks To ========= Jaromir Dolecek <jdolecek@NetBSD.org.> for finding the problem, and supplying a test program showing the problem. Matt Thomas <matt@NetBSD.org.> for a fix. Revision History ================ 2001-07-20 Initial revision More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-011.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2001-011.txt,v 1.7 2001/07/20 01:16:54 lukem Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO1eSET5Ru2/4N2IFAQEYBgQAt2u+8kPIWZIGvTzb1m0R6bqdJTnE4xpk uxkGV8w4GmyhC+aUX4toAkdTgdI2cHejr0tOOVk7OHD3TZ5aKKuzG/ZVunpxPwJc q0ivUxDxv63OhXr2EVkPE/l9vrXs2BRuX3CjSHPWRt1knGVM9sYihjKqIDZyLuQS Ou2Pb8drDlY= =89Oe -----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру