NetBSD Security Advisory 2019-001: Several kernel memory disclosure bugs
7 February, 2019 by security-officer@netbsd.org | netbsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2019-001 ================================= Topic: Several kernel memory disclosure bugs Version: NetBSD-current: source prior to Thu, Jan 31st 2019 NetBSD 8.0: affected NetBSD 7.2: affected NetBSD 7.1: affected NetBSD 7.0: affected Severity: Kernel memory disclosure Fixed: NetBSD-current: Thu, Jan 31st 2019 NetBSD-8 branch: Fri, Feb 1st 2019 NetBSD-7-1 branch: Fri, Feb 1st 2019 NetBSD-7-0 branch: Fri, Feb 1st 2019 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 7.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract & Technical Details ============================ Several kernel memory disclosure bugs were discovered: 1) Four bytes of kernel stack were leaked in the ntp_gettime system call. 2) Eight bytes of kernel stack were leaked when executing execve. 3) Many bytes of kernel stack were leaked when processing signals on several architectures. 4) Four bytes of kernel stack were leaked in several system calls related to time. 5) An inverted logic in netbsd32 caused some kernel memory bytes to wrongfully be copied to userland. 6) A missing sanity check in a sysctl caused a severe kernel memory disclosure. 7) Four bytes of kernel stack were leaked in the kevent system call. 8) Eight bytes of kernel stack were leaked in the gettimer system call. 9) Two bytes of kernel heap were leaked in the net.rtable sysctl. 10) Many bytes of kernel stack were leaked in the swapctl system call. 11) Sixteen bytes of kernel heap were leaked in the settime system call. 12) Four bytes of kernel heap were leaked in the sigaction_sigtramp system call. 13) Many bytes of kernel stack were leaked in the ptrace system call. 14) Four bytes of kernel stack were leaked in the wait6 system call. 15) Four bytes of kernel stack were leaked in the sigtimedwait system call. 16) Many bytes of kernel stack were leaked in the msgctl system call implemented in the compatibility layers. Solutions and Workarounds ========================= For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarize how to upgrade your kernel. The patches can be obtained from NetBSD-current with the following commands: ISSUE COMMAND ----- ------- 1) cvs rdiff -u -r1.59 -r1.60 src/sys/kern/kern_ntptime.c 2) cvs rdiff -u -r1.461 -r1.462 src/sys/kern/kern_exec.c 3) cvs rdiff -u -r1.320 -r1.321 src/sys/arch/amd64/amd64/machdep.c 3) cvs rdiff -u -r1.2 -r1.3 src/sys/arch/aarch64/aarch64/netbsd32_machdep.c 3) cvs rdiff -u -r1.351 -r1.352 src/sys/arch/alpha/alpha/machdep.c 3) cvs rdiff -u -r1.116 -r1.117 src/sys/arch/amd64/amd64/netbsd32_machdep.c 3) cvs rdiff -u -r1.50 -r1.51 src/sys/arch/arm/arm/sig_machdep.c 3) cvs rdiff -u -r1.25 -r1.26 src/sys/arch/hppa/hppa/sig_machdep.c 3) cvs rdiff -u -r1.812 -r1.813 src/sys/arch/i386/i386/machdep.c 3) cvs rdiff -u -r1.49 -r1.50 src/sys/arch/m68k/m68k/sig_machdep.c 3) cvs rdiff -u -r1.15 -r1.16 src/sys/arch/mips/mips/netbsd32_machdep.c 3) cvs rdiff -u -r1.23 -r1.24 src/sys/arch/mips/mips/sig_machdep.c 3) cvs rdiff -u -r1.45 -r1.46 src/sys/arch/powerpc/powerpc/sig_machdep.c 3) cvs rdiff -u -r1.1 -r1.2 src/sys/arch/riscv/riscv/sig_machdep.c 3) cvs rdiff -u -r1.105 -r1.106 src/sys/arch/sh3/sh3/sh3_machdep.c 3) cvs rdiff -u -r1.288 -r1.289 src/sys/arch/sparc64/sparc64/machdep.c 3) cvs rdiff -u -r1.110 -r1.111 src/sys/arch/sparc64/sparc64/netbsd32_machdep.c 3) cvs rdiff -u -r1.7 -r1.8 src/sys/arch/usermode/target/i386/cpu_i386.c 3) cvs rdiff -u -r1.6 -r1.7 src/sys/arch/usermode/target/x86_64/cpu_x86_64.c 3) cvs rdiff -u -r1.22 -r1.23 src/sys/arch/vax/vax/sig_machdep.c 4) cvs rdiff -u -r1.189 -r1.190 src/sys/kern/kern_time.c 4) cvs rdiff -u -r1.193 -r1.194 src/sys/kern/kern_time.c 5) cvs rdiff -u -r1.47 -r1.48 src/sys/compat/netbsd32/netbsd32_socket.c 6) cvs rdiff -u -r1.218 -r1.219 src/sys/kern/kern_proc.c 7) cvs rdiff -u -r1.103 -r1.104 src/sys/kern/kern_event.c 8) cvs rdiff -u -r1.190 -r1.191 src/sys/kern/kern_time.c 9) cvs rdiff -u -r1.243 -r1.244 src/sys/net/rtsock.c 10) cvs rdiff -u -r1.177 -r1.178 src/sys/uvm/uvm_swap.c 11) cvs rdiff -u -r1.191 -r1.192 src/sys/kern/kern_time.c 11) cvs rdiff -u -r1.109 -r1.110 src/sys/compat/linux/common/linux_misc_notalpha.c 11) cvs rdiff -u -r1.192 -r1.193 src/sys/kern/kern_time.c 12) cvs rdiff -u -r1.349 -r1.350 src/sys/kern/kern_sig.c 13) cvs rdiff -u -r1.45 -r1.46 src/sys/kern/sys_ptrace_common.c 14) cvs rdiff -u -r1.272 -r1.273 src/sys/kern/kern_exit.c 15) cvs rdiff -u -r1.46 -r1.47 src/sys/kern/sys_sig.c 16) cvs rdiff -u -r1.26 -r1.27 src/sys/compat/netbsd32/netbsd32_compat_14.c 16) cvs rdiff -u -r1.36 -r1.37 src/sys/compat/netbsd32/netbsd32_conv.h 16) cvs rdiff -u -r1.4 -r1.5 src/sys/compat/sys/msg.h These patches were applied to the affected branches. Thanks To ========= Thomas Barabosch (of Fraunhofer FKIE) for discovering issue 1). Maxime Villard for developing KASAN which discovered issues 5) and 6). Thomas Barabosch and Maxime Villard for designing KLEAK, a feature that discovered issues 2), 3), 4), 7), 8), 9), 10), 11), 12), 13), 14), 15), 16). Revision History ================ 2019-02-06 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-001.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2019, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2019-001.txt.asc,v 1.1 2019/02/06 15:09:16 christos Exp $ -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJcWviLAAoJEAZJc6xMSnBu5o8QALmeenfcYV1N1SLztoa0daLb /Fe8SznOutwB7TmIUafJJRAukciGPQJbuBwGJsPpVffzexOB3o/pKK+jYBb3o2OS 5AcVvtcu4JgFDN72/CxuORr1LmYLT0Ru75RW0KvRrm9tJz3XDPsxjFm+ykNLDXWh elHi4p7off36R+W0KyHncEnH+8kEIIiYusprhqNb97HkD3cTm1ok+LmZqUAqXMrJ zmTbsd0xhCat4qX9EFHLo8rFc5znBdiTdrFVM8ZxgKS1sI4OSkLLpKQ9KS3wGOCE gKpzdFsKF7G3oNJh+LQzubDWLjG4YNc0HQWMPKpLqdxKi8HdChLbfsAHeOAUenzP EebT+JERtuuSYrFZ4UAg/SMJX5CxSUuSucZYWebyCk9K5NyLdjoGth6EEyGT7up5 RitlQ8K2K2mCm9fOTArFw+HNtpNLekvm6HJGR9sB+wQW9jpW2v35CdLovvTFXX99 fVP74Yqnz5p569kUan6CVCJ0Jsk5Xu/UQlECtLZVQrEkKNnutj++c1fydclxRBj+ BhEUZFSJ/9KcO3LUkpbg3h8ALaWElD9U2PwA5ZNiLevsb/1x/a8CLJ/w0HLB+AHZ bTvGVpm58qfJefxSFVfy1hKe1LDm+8uB/DP+gH2Yzai5RHCUfWaSiF3nF33OLQt5 1EVQtq0F+IjyfZJ+B/8h ý0D -----END PGP SIGNATURE-----