BSDSec

deadsimple BSD Security Advisories and Announcements

NetBSD Security Advisory 2017-004: buffer overflow via cmap for 4 graphics drivers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2017-004
		=================================

Topic:		buffer overflow via cmap for 4 graphics drivers


Version:	NetBSD-current:		source prior to June 13th
		NetBSD 8.0_BETA:	affected
		NetBSD 7.1:		affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	information leak and potential root compromise
		for authenticated user on affected graphics console

Fixed:		NetBSD-current:		June 13th
		NetBSD-8 branch:	June 15th
		NetBSD-7-1 branch:	June 15th
		NetBSD-7-0 branch:	June 15th
		NetBSD-7 branch:	June 15th
		NetBSD-6-0 branch:	June 15th
		NetBSD-6-1 branch:	June 15th
		NetBSD-6 branch:	June 15th

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An authenticated user on a wscons terminal with the following graphics
drivers:
	sbd (ews4800mips)
	bivideo (hpcsh)
	sti (hppa and hp300)
	pm (pmax)
could cause a buffer overflow when reading or writing the color map.



Technical Details
=================

Because the bounds checks applied when reading or writing the color
map with the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP ioctls can
overflow, the user who owns a /dev/ttyE* device (i.e. is logged in on
it) could read kernel memory and, for all drivers except bivideo,
which doesn't have a writable color map, write kernel memory.
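
Added example, not taken from the advisory or from the NetBSD driver
sources: a minimal C model of a bounds check that can overflow, next to
a form that cannot. The struct, the function names, the 256-entry map
size and the exact shape of the check are assumptions made for
illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CMAP_SIZE 256u  /* assumed color map length for this example */

/* Hypothetical stand-in for the index/count pair of a cmap request. */
struct cmap_req {
    uint32_t index;  /* first color map entry to access */
    uint32_t count;  /* number of entries to access */
};

/* Overflowable form: index + count is a 32-bit unsigned sum and wraps
 * modulo 2^32, so a very large count with a small index yields a small
 * sum and the request is accepted. */
bool cmap_check_overflowable(const struct cmap_req *r)
{
    return r->index < CMAP_SIZE && r->index + r->count <= CMAP_SIZE;
}

/* Hardened form: caller-controlled values are never added together.
 * CMAP_SIZE - index cannot wrap because index < CMAP_SIZE is tested
 * first and && short-circuits. */
bool cmap_check_safe(const struct cmap_req *r)
{
    return r->index < CMAP_SIZE && r->count <= CMAP_SIZE - r->index;
}

int main(void)
{
    /* Constructed requests: two in range, two that must be rejected. */
    const struct cmap_req reqs[] = {
        { 0u, 256u },         /* whole map: valid */
        { 255u, 1u },         /* last entry: valid */
        { 10u, 247u },        /* one entry past the end: invalid */
        { 1u, 0xFFFFFFFFu },  /* sum wraps to 0: invalid */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("index=%u count=%u overflowable=%d safe=%d\n",
               (unsigned)reqs[i].index, (unsigned)reqs[i].count,
               cmap_check_overflowable(&reqs[i]),
               cmap_check_safe(&reqs[i]));
    return 0;
}
```

Only the last request separates the two checks: the overflowable form
accepts it, the hardened form rejects it.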


Solutions and Workarounds
=========================

Solution: update the kernel with one built from source past the fix date.
There are no workarounds other than the obvious one of not allowing
untrusted users at the console.

Affected source files			fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.16   1.15.10.1
sys/arch/pmax/ibus/pm.c               1.13   1.12.22.1
sys/dev/hpc/bivideo.c                 1.34   1.33.30.1
sys/dev/ic/sti.c                      1.19   1.18.20.1
++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.13.4.2   1.13.4.1.6.1  1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c               1.12.4.1   1.12.16.1  1.12.8.1
sys/dev/hpc/bivideo.c                 1.33.12.1  1.33.24.1  1.33.16.1
sys/dev/ic/sti.c                      1.18.2.1   1.18.14.1  1.18.6.1
++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.12.2.1   1.12.16.1  1.12.8.1
sys/arch/pmax/ibus/pm.c               1.11.2.1   1.11.16.1  1.11.8.1
sys/dev/hpc/bivideo.c                 1.32.14.1  1.32.22.1  1.32.20.1
sys/dev/ic/sti.c                      1.16.8.2   1.16.22.1  1.16.14.1


Thanks To
=========

Thanks to CTurt for reporting this set of issues.


Revision History
================

	2017-09-08	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2017-004.txt,v 1.1 2017/09/08 14:16:20 christos Exp $

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----