NetBSD Security Advisory 2020-003: USB network interface jumbo packets
13 October, 2020 by security-officer@netbsd.org | netbsd
NetBSD Security Advisory 2020-003
=================================

Topic:          USB network interface jumbo packets

Version:        NetBSD-current:         affected prior to 2020-08-28
                NetBSD 9*:              affected
                NetBSD 8*:              affected

Severity:       Devices on LAN can corrupt kernel memory

Fixed:          NetBSD-current:         2020-08-28
                NetBSD-9 branch:        2020-08-28
                NetBSD-8 branch:        2020-08-28

Please note that NetBSD releases prior to 8.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Some USB network interface drivers are missing a bounds check, without
which data from the network may be copied past the end of an array
allocated in a kernel mbuf cluster. This enables a network device on
the same LAN to corrupt kernel memory.

The affected USB network interfaces are:

        - atu(4)
        - axe(4)
        - axen(4)
        - otus(4)
        - run(4)
        - ure(4)

Technical Details
=================

Not all USB network interface drivers are affected: some don't handle
USB transfers larger than the kernel mbuf cluster size (MCLBYTES,
usually 2048).
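The bounds check described above, as an added userland sketch that is not
NetBSD driver code: rx_cluster, rx_copy_frame and the rx_result values are
hypothetical names and the transfer buffer is constructed; only MCLBYTES and
its usual value of 2048 come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MCLBYTES 2048 /* usual mbuf cluster size, per the advisory */

/* Hypothetical stand-in for an mbuf cluster: MCLBYTES of storage. */
struct rx_cluster {
	size_t len;
	uint8_t data[MCLBYTES];
};

enum rx_result { RX_OK, RX_DROP_OVERSIZE, RX_DROP_TRUNCATED };

/*
 * Copy one frame out of a completed USB transfer into a cluster.
 * xfer_len is what the device actually transferred; off and pkt_len
 * come from device-supplied framing and are untrusted.
 */
enum rx_result
rx_copy_frame(struct rx_cluster *c, const uint8_t *xfer, size_t xfer_len,
    size_t off, size_t pkt_len)
{
	/* The claimed frame must lie inside the transferred bytes. */
	if (off > xfer_len || pkt_len > xfer_len - off)
		return RX_DROP_TRUNCATED;
	/* The bounds check at issue: never copy more than the cluster holds. */
	if (pkt_len > sizeof(c->data))
		return RX_DROP_OVERSIZE;
	memcpy(c->data, xfer + off, pkt_len);
	c->len = pkt_len;
	return RX_OK;
}

int
main(void)
{
	static uint8_t xfer[4096]; /* constructed transfer larger than MCLBYTES */
	struct rx_cluster c = { 0 };
	size_t sizes[] = { 1514, 2048, 2049, 3000 }; /* constructed lengths */

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("pkt_len=%zu -> %d\n", sizes[i],
		    (int)rx_copy_frame(&c, xfer, sizeof(xfer), 4, sizes[i]));
	return 0;
}
```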
* netbsd-8

The following drivers are vulnerable in netbsd-8:

        - atu(4) [fixed in netbsd-8 if_atu.c 1.55.8.4 2020-08-28]
        - axe(4) [fixed in netbsd-8 if_axe.c 1.82.6.5 2020-08-28]
        - axen(4) [fixed in netbsd-8 if_axen.c 1.11.8.9 2020-08-28]
        - otus(4) [fixed in netbsd-8 if_otus.c 1.31.2.3 2020-06-16]
        - run(4) [fixed in netbsd-8 if_run.c 1.22.2.3 2020-06-16]

The following drivers were audited and do not appear to be affected in
netbsd-8:

        - athn(4) - drops packets larger than MCLBYTES
        - aue(4) - transfers only up to AUE_BUFSZ36 bytes
        - bwfm(4) - transfers only up to BWFM_RXBUFSZ00 bytes
        - cdce(4) - transfers only up to CDCE_BUFSZ42 bytes
        - cue(4) - transfers only up to CUE_BUFSZ36 bytes
        - kue(4) - transfers only up to KUE_BUFSZ36 bytes
        - rum(4) - transfers only up to MCLBYTES
        - smsc(4) - drops packets larger than MCLBYTES
        - udav(4) - transfers only up to UDAV_BUFSZ=UDAV_MAX_MTU=1536 bytes
        - upgt(4) - transfers only up to MCLBYTES
        - upl(4) - transfers only up to UPL_BUFSZ24 bytes
        - ural(4) - transfers only up to MCLBYTES
        - ure(4) - no ure(4) in netbsd-8; only added in netbsd-9
        - url(4) - transfers only up to URL_BUFSIZ35 bytes
        - urndis(4) - transfers only up to RNDIS_BUFSZ62 bytes
        - urtw(4) - transfers only up to MCLBYTES
        - urtwn(4) - drops packets larger than MCLBYTES
        - zyd(4) - transfers only up to MCLBYTES (plus header and trailer,
          not in mbuf)

* netbsd-9

The following drivers are vulnerable in netbsd-9:

        - atu(4) [fixed in netbsd-9 if_atu.c 1.65.2.1 2020-08-28]
        - axe(4) [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]
        - axen(4) [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]
        - otus(4) [fixed in netbsd-9 if_otus.c 1.38.2.1 2020-06-11]
        - run(4) [fixed in netbsd-9 if_run.c 1.32.4.1 2020-06-11]
        - ure(4) [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]

The following drivers were audited and do not appear to be affected in
netbsd-9:

        - athn(4) - drops packets larger than MCLBYTES
        - aue(4) - transfers only up to AUE_BUFSZ36 bytes
        - bwfm(4) - transfers only up to BWFM_RXBUFSZ00 bytes
        - cdce(4) - transfers only up to CDCE_BUFSZ42 bytes
        - cue(4) - transfers only up to CUE_BUFSZ36 bytes
        - kue(4) - transfers only up to KUE_BUFSZ36 bytes
        - mue(4) - drops packets larger than MCLBYTES
        - rum(4) - transfers only up to MCLBYTES
        - smsc(4) - drops packets larger than MCLBYTES
        - udav(4) - transfers only up to UDAV_BUFSZ=UDAV_MAX_MTU=1536 bytes
        - umb(4) - uses m_devget rather than just MCLGET
        - upgt(4) - transfers only up to MCLBYTES
        - upl(4) - transfers only up to UPL_BUFSZ24 bytes
        - ural(4) - transfers only up to MCLBYTES
        - url(4) - transfers only up to URL_BUFSIZ35 bytes
        - urndis(4) - transfers only up to RNDIS_BUFSZ62 bytes
        - urtw(4) - transfers only up to MCLBYTES
        - urtwn(4) - drops packets larger than MCLBYTES
        - zyd(4) - transfers only up to MCLBYTES (plus header and trailer,
          not in mbuf)

* HEAD

The following drivers are vulnerable in HEAD:

        - atu(4) [fixed in if_atu.c 1.73 2020-08-28]
        - axe(4) [fixed in usbnet.c 1.39 2020-08-28]
        - axen(4) [fixed in usbnet.c 1.39 2020-08-28]
        - otus(4) [fixed in if_otus.c 1.45 2020-06-11]
        - run(4) [fixed in if_run.c 1.41 2020-06-11]
        - ure(4) [fixed in usbnet.c 1.39 2020-08-28]

The following drivers were audited and do not appear to be affected in
HEAD:

        - athn(4) - drops packets larger than MCLBYTES
        - aue(4) - transfers only up to AUE_BUFSZ36 bytes
        - bwfm(4) - transfers only up to BWFM_RXBUFSZ00 bytes
        - cdce(4) - transfers only up to CDCE_BUFSZ42 bytes
        - cue(4) - transfers only up to CUE_BUFSZ36 bytes
        - kue(4) - transfers only up to KUE_BUFSZ36 bytes
        - mue(4) - drops packets larger than MCLBYTES
        - rum(4) - transfers only up to MCLBYTES
        - smsc(4) - drops packets larger than MCLBYTES
        - udav(4) - transfers only up to UDAV_BUFSZ=UDAV_MAX_MTU=1536 bytes
        - umb(4) - uses m_devget rather than just MCLGET
        - upgt(4) - transfers only up to MCLBYTES
        - upl(4) - transfers only up to UPL_BUFSZ24 bytes
        - ural(4) - transfers only up to MCLBYTES
        - url(4) - transfers only up to URL_BUFSIZ35 bytes
        - urndis(4) - transfers only up to RNDIS_BUFSZ62 bytes
        - urtw(4) - transfers only up to MCLBYTES
        - urtwn(4) - drops packets larger than MCLBYTES
        - zyd(4) - transfers only up to MCLBYTES (plus header and trailer,
          not in mbuf)

Solutions and Workarounds
=========================

Workaround: Avoid USB devices with affected drivers on untrusted
networks.

To apply a fixed version from a releng build, fetch kern-GENERIC.tgz
(or kern-GENERIC.tar.xz) from nycdn.NetBSD.org and extract the fixed
binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/kern-GENERIC.tgz
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tgz netbsd

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build. 20200829* and later will fit
        ARCH  = your system's architecture

The following instructions describe how to upgrade your NetBSD kernel
by updating your source tree and rebuilding and installing a new
version.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/dev/usb
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Ilja Van Sprundel for reporting this issue in otus(4) and run(4).
Revision History
================

        2020-10-13      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

        https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2020-003.txt.asc

Information about NetBSD and NetBSD security can be found at

        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/

Copyright 2020, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2020-003.txt,v 1.1 2020/10/13 20:26:44 christos Exp $