NetBSD Security Advisory 2017-004: buffer overflow via cmap for 4 graphics drivers
9 September, 2017 by security-officer@netbsd.org | netbsd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2017-004
                 =================================

Topic:          buffer overflow via cmap for 4 graphics drivers

Version:        NetBSD-current:         source prior to June 13th
                NetBSD 8.0_BETA:        affected
                NetBSD 7.1:             affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       information leak and potential root compromise for
                authenticated user on affected graphics console

Fixed:          NetBSD-current:         June 13th
                NetBSD-8 branch:        June 15th
                NetBSD-7-1 branch:      June 15th
                NetBSD-7-0 branch:      June 15th
                NetBSD-7 branch:        June 15th
                NetBSD-6-0 branch:      June 15th
                NetBSD-6-1 branch:      June 15th
                NetBSD-6 branch:        June 15th

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An authenticated user on a wscons terminal with one of the following
graphics drivers:

        sbd      (ews4800mips)
        bivideo  (hpcsh)
        sti      (hppa and hp300)
        pm       (pmax)

could cause a buffer overflow when reading or writing the color map.


Technical Details
=================

Due to overflowable bounds checking when reading or writing the color
map using the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP ioctls, the
user that owns a /dev/ttyE* (i.e. is logged in on it) could read kernel
memory, or, for all but bivideo (which does not have a writable color
map), write kernel memory.


Solutions and Workarounds
=========================

Solution: update the kernel with one built from source past the fix
date.

There are no workarounds besides the obvious: do not allow untrusted
users at the console.
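The defect class described above is an index/count bounds check that can be defeated by unsigned wraparound: when the check is written as `index + count <= entries`, a very large `count` wraps the sum back into range and the subsequent copy runs off the end of the color map table. The C below is an added illustration, not the NetBSD driver code or the actual fix; the `cmap_*` functions, the 256-entry table size and the `demo_table` are constructed stand-ins for a driver's per-channel palette array and the fields of a WSDISPLAYIO_GETCMAP request. It places the overflowable check beside the form that subtracts instead of adds, which cannot wrap, and shows a copy routine that rejects the request before touching memory.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed: number of entries in one channel of the color map. */
#define CMAP_ENTRIES 256u

/*
 * Overflowable check (the vulnerable pattern). If `count` is close to
 * UINT_MAX, `index + count` wraps to a small value and the test passes
 * even though the request reaches far beyond the table.
 */
bool cmap_bounds_broken(unsigned int index, unsigned int count)
{
    return index < CMAP_ENTRIES && index + count <= CMAP_ENTRIES;
}

/*
 * Hardened check. Because `index < CMAP_ENTRIES` is tested first, the
 * subtraction `CMAP_ENTRIES - index` never underflows, and comparing
 * `count` against it cannot wrap, so any request that does not fit
 * entirely inside the table is rejected.
 */
bool cmap_bounds_fixed(unsigned int index, unsigned int count)
{
    return index < CMAP_ENTRIES && count <= CMAP_ENTRIES - index;
}

/* Constructed stand-in for a kernel-side palette channel (e.g. red). */
static unsigned char demo_table[CMAP_ENTRIES];

/*
 * Copy `count` entries starting at `index` out of the palette into
 * `out`, applying the hardened check first. Returns the number of bytes
 * copied, or -1 if the request is rejected. `outlen` guards the
 * destination the same way the table check guards the source.
 */
long cmap_read_checked(unsigned int index, unsigned int count,
                       unsigned char *out, size_t outlen)
{
    if (!cmap_bounds_fixed(index, count) || count > outlen)
        return -1;
    memcpy(out, demo_table + index, count);
    return (long)count;
}

/* Convenience wrapper using a static destination, for stand-alone runs. */
long cmap_read_demo(unsigned int index, unsigned int count)
{
    static unsigned char out[CMAP_ENTRIES];

    /* Fill the constructed palette with recognisable values. */
    for (unsigned int i = 0; i < CMAP_ENTRIES; i++)
        demo_table[i] = (unsigned char)i;

    return cmap_read_checked(index, count, out, sizeof out);
}
```

The instructive case is `index = 1, count = UINT_MAX`: the broken check accepts it because `1 + UINT_MAX` wraps to `0`, while the hardened check rejects it because `UINT_MAX > 255`. The same reasoning applies to the write path (WSDISPLAYIO_PUTCMAP), where the copy direction is reversed but the bounds test is identical; the lesson for review is to compare a length against the remaining space rather than adding it to an offset.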
Affected source files fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c     1.16        1.15.10.1
sys/arch/pmax/ibus/pm.c                 1.13        1.12.22.1
sys/dev/hpc/bivideo.c                   1.34        1.33.30.1
sys/dev/ic/sti.c                        1.19        1.18.20.1
++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c     1.13.4.2    1.13.4.1.6.1  1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c                 1.12.4.1    1.12.16.1     1.12.8.1
sys/dev/hpc/bivideo.c                   1.33.12.1   1.33.24.1     1.33.16.1
sys/dev/ic/sti.c                        1.18.2.1    1.18.14.1     1.18.6.1
++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c     1.12.2.1    1.12.16.1     1.12.8.1
sys/arch/pmax/ibus/pm.c                 1.11.2.1    1.11.16.1     1.11.8.1
sys/dev/hpc/bivideo.c                   1.32.14.1   1.32.22.1     1.32.20.1
sys/dev/ic/sti.c                        1.16.8.2    1.16.22.1     1.16.14.1


Thanks To
=========

Thanks to CTurt for reporting this set of issues.


Revision History
================

2017-09-08      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2017-004.txt,v 1.1 2017/09/08 14:16:20 christos Exp $

-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJZsqZUAAoJEAZJc6xMSnBulOkP+QHLJsIE+54s6iAc9p45tnT7
mLVFvATsLyb4Vu4BJ82swC0AJqpHTjUBQgAmYR+C6xHzewyd95Uimgb5C6hnpXb9
f7EcZ/9AiQzVusEp4EfjyBJB5bze9W4tbZOfLNJ41kZyoUAlg2gQdd70Oz4lW5CQ
6ENcYqXgoUqsLA2MF8lcFhAbuTaBY9vzbQOAfviGtguTCmoEZ9ZcknAnNO0G+0Kk
RCnu/P333Z0X7m/vHMQ9YJQyHjSGQFii0Ssyl+FgKQw3Qdhs+SRGE7XhEDjDTBGU
dm25XrdDcRFrW0YlCnEInXqMHvrjtPAfwZ9glRElgXgcU3tld1Gynz6e3u1SmL2C
76G3ZlDabovJNLRs4GOcAofEsUN4KWBxemOUFPzuMx0vM6yv+r71+DdcFYVIRgrl
6KgoqvcTGL6n2MphLKy4+dBytuIue83RSqNNhdliTLmlRy/jUWOXGWXanOjaGv/E
bYKTeELHZ5uDzi4HZ6nO9qjazskUz3+CvbSmJmzDTa+FNYAbiuNHzW9jUD2wk8TE
GP2bEh0lF8Sw1FY8TRKPUldr5s/STbdAGjISC/128AuT6a2S+bq+zIidIOMa4FhP
etzb43qjA41t5FG01tTUW3SDmI6s1svyhzSYySFF6HsbJ2roF9zS8DFtk09pwa/k
WwGwp4kZJGaJPRNplTkB
=m2H9
-----END PGP SIGNATURE-----