BSDSec

deadsimple BSD Security Advisories and Announcements

NetBSD Security Advisory 2019-001: Several kernel memory disclosure bugs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2019-001
		=================================

Topic:		Several kernel memory disclosure bugs


Version:	NetBSD-current:		source prior to Thu, Jan 31st 2019
		NetBSD 8.0:		affected
		NetBSD 7.2:		affected
		NetBSD 7.1:		affected
		NetBSD 7.0:		affected

Severity:	Kernel memory disclosure

Fixed:		NetBSD-current:		Thu, Jan 31st 2019
		NetBSD-8 branch:	Fri, Feb 1st 2019
		NetBSD-7-1 branch:	Fri, Feb 1st 2019
		NetBSD-7-0 branch:	Fri, Feb 1st 2019

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 7.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract & Technical Details
============================

Several kernel memory disclosure bugs were discovered:

  1) Four bytes of kernel stack were leaked in the ntp_gettime system
     call.

  2) Eight bytes of kernel stack were leaked when executing execve.

  3) Many bytes of kernel stack were leaked when processing signals on
     several architectures.

  4) Four bytes of kernel stack were leaked in several system calls
     related to time.

  5) An inverted logic in netbsd32 caused some kernel memory bytes to
     wrongfully be copied to userland.

  6) A missing sanity check in a sysctl caused a severe kernel memory
     disclosure.

  7) Four bytes of kernel stack were leaked in the kevent system call.

  8) Eight bytes of kernel stack were leaked in the gettimer system call.

  9) Two bytes of kernel heap were leaked in the net.rtable sysctl.

 10) Many bytes of kernel stack were leaked in the swapctl system call.

 11) Sixteen bytes of kernel heap were leaked in the settime system call.

 12) Four bytes of kernel heap were leaked in the sigaction_sigtramp
     system call.

 13) Many bytes of kernel stack were leaked in the ptrace system call.

 14) Four bytes of kernel stack were leaked in the wait6 system call.

 15) Four bytes of kernel stack were leaked in the sigtimedwait system
     call.

 16) Many bytes of kernel stack were leaked in the msgctl system call
     implemented in the compatibility layers.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel.

The patches can be obtained from NetBSD-current with the following
commands:

 ISSUE   COMMAND
 -----   -------
 1)      cvs rdiff -u -r1.59  -r1.60  src/sys/kern/kern_ntptime.c
 2)      cvs rdiff -u -r1.461 -r1.462 src/sys/kern/kern_exec.c
 3)      cvs rdiff -u -r1.320 -r1.321 src/sys/arch/amd64/amd64/machdep.c
 3)      cvs rdiff -u -r1.2   -r1.3   src/sys/arch/aarch64/aarch64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.351 -r1.352 src/sys/arch/alpha/alpha/machdep.c
 3)      cvs rdiff -u -r1.116 -r1.117 src/sys/arch/amd64/amd64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.50  -r1.51  src/sys/arch/arm/arm/sig_machdep.c
 3)      cvs rdiff -u -r1.25  -r1.26  src/sys/arch/hppa/hppa/sig_machdep.c
 3)      cvs rdiff -u -r1.812 -r1.813 src/sys/arch/i386/i386/machdep.c
 3)      cvs rdiff -u -r1.49  -r1.50  src/sys/arch/m68k/m68k/sig_machdep.c
 3)      cvs rdiff -u -r1.15  -r1.16  src/sys/arch/mips/mips/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.23  -r1.24  src/sys/arch/mips/mips/sig_machdep.c
 3)      cvs rdiff -u -r1.45  -r1.46  src/sys/arch/powerpc/powerpc/sig_machdep.c
 3)      cvs rdiff -u -r1.1   -r1.2   src/sys/arch/riscv/riscv/sig_machdep.c
 3)      cvs rdiff -u -r1.105 -r1.106 src/sys/arch/sh3/sh3/sh3_machdep.c
 3)      cvs rdiff -u -r1.288 -r1.289 src/sys/arch/sparc64/sparc64/machdep.c
 3)      cvs rdiff -u -r1.110 -r1.111 src/sys/arch/sparc64/sparc64/netbsd32_machdep.c
 3)      cvs rdiff -u -r1.7   -r1.8   src/sys/arch/usermode/target/i386/cpu_i386.c
 3)      cvs rdiff -u -r1.6   -r1.7   src/sys/arch/usermode/target/x86_64/cpu_x86_64.c
 3)      cvs rdiff -u -r1.22  -r1.23  src/sys/arch/vax/vax/sig_machdep.c
 4)      cvs rdiff -u -r1.189 -r1.190 src/sys/kern/kern_time.c
 4)      cvs rdiff -u -r1.193 -r1.194 src/sys/kern/kern_time.c
 5)      cvs rdiff -u -r1.47  -r1.48  src/sys/compat/netbsd32/netbsd32_socket.c
 6)      cvs rdiff -u -r1.218 -r1.219 src/sys/kern/kern_proc.c
 7)      cvs rdiff -u -r1.103 -r1.104 src/sys/kern/kern_event.c
 8)      cvs rdiff -u -r1.190 -r1.191 src/sys/kern/kern_time.c
 9)      cvs rdiff -u -r1.243 -r1.244 src/sys/net/rtsock.c
 10)     cvs rdiff -u -r1.177 -r1.178 src/sys/uvm/uvm_swap.c
 11)     cvs rdiff -u -r1.191 -r1.192 src/sys/kern/kern_time.c
 11)     cvs rdiff -u -r1.109 -r1.110 src/sys/compat/linux/common/linux_misc_notalpha.c
 11)     cvs rdiff -u -r1.192 -r1.193 src/sys/kern/kern_time.c
 12)     cvs rdiff -u -r1.349 -r1.350 src/sys/kern/kern_sig.c
 13)     cvs rdiff -u -r1.45  -r1.46  src/sys/kern/sys_ptrace_common.c
 14)     cvs rdiff -u -r1.272 -r1.273 src/sys/kern/kern_exit.c
 15)     cvs rdiff -u -r1.46  -r1.47  src/sys/kern/sys_sig.c
 16)     cvs rdiff -u -r1.26  -r1.27  src/sys/compat/netbsd32/netbsd32_compat_14.c
 16)     cvs rdiff -u -r1.36  -r1.37  src/sys/compat/netbsd32/netbsd32_conv.h
 16)     cvs rdiff -u -r1.4   -r1.5   src/sys/compat/sys/msg.h

These patches were applied to the affected branches.


Thanks To
=========

Thomas Barabosch (of Fraunhofer FKIE) for discovering issue 1).

Maxime Villard for developing KASAN which discovered issues 5) and 6).

Thomas Barabosch and Maxime Villard for designing KLEAK, a feature that
discovered issues 2), 3), 4), 7), 8), 9), 10), 11), 12), 13), 14), 15), 16).


Revision History
================

	2019-02-06	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-001.txt.asc,v 1.1 2019/02/06 15:09:16 christos Exp $

-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJcWviLAAoJEAZJc6xMSnBu5o8QALmeenfcYV1N1SLztoa0daLb
/Fe8SznOutwB7TmIUafJJRAukciGPQJbuBwGJsPpVffzexOB3o/pKK+jYBb3o2OS
5AcVvtcu4JgFDN72/CxuORr1LmYLT0Ru75RW0KvRrm9tJz3XDPsxjFm+ykNLDXWh
elHi4p7off36R+W0KyHncEnH+8kEIIiYusprhqNb97HkD3cTm1ok+LmZqUAqXMrJ
zmTbsd0xhCat4qX9EFHLo8rFc5znBdiTdrFVM8ZxgKS1sI4OSkLLpKQ9KS3wGOCE
gKpzdFsKF7G3oNJh+LQzubDWLjG4YNc0HQWMPKpLqdxKi8HdChLbfsAHeOAUenzP
EebT+JERtuuSYrFZ4UAg/SMJX5CxSUuSucZYWebyCk9K5NyLdjoGth6EEyGT7up5
RitlQ8K2K2mCm9fOTArFw+HNtpNLekvm6HJGR9sB+wQW9jpW2v35CdLovvTFXX99
fVP74Yqnz5p569kUan6CVCJ0Jsk5Xu/UQlECtLZVQrEkKNnutj++c1fydclxRBj+
BhEUZFSJ/9KcO3LUkpbg3h8ALaWElD9U2PwA5ZNiLevsb/1x/a8CLJ/w0HLB+AHZ
bTvGVpm58qfJefxSFVfy1hKe1LDm+8uB/DP+gH2Yzai5RHCUfWaSiF3nF33OLQt5
1EVQtq0F+IjyfZJ+B/8h
=fD0D
-----END PGP SIGNATURE-----