BSDSec

deadsimple BSD Security Advisories and Announcements

NetBSD Security Advisory 2020-003: USB network interface jumbo packets

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2020-003
		 =================================

Topic:		USB network interface jumbo packets

Version:	NetBSD-current:		affected prior to 2020-08-28
		NetBSD 9*:		affected
		NetBSD 8*:		affected

Severity:	Devices on LAN can corrupt kernel memory

Fixed:		NetBSD-current:		2020-08-28
		NetBSD-9 branch:	2020-08-28
		NetBSD-8 branch:	2020-08-28

Please note that NetBSD releases prior to 8.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Some USB network interface drivers are missing a bounds check, without
which data from the network may be copied past the end of an array
allocated in a kernel mbuf cluster.  This enables a network device on
the same LAN to corrupt kernel memory.

The affected USB network interfaces are:

- - atu(4)
- - axe(4)
- - axen(4)
- - otus(4)
- - run(4)
- - ure(4)


Technical Details
=================

Not all USB network interface drivers are affected: some don't handle
USB transfers larger than the kernel mbuf cluster size (MCLBYTES,
usually 2048).

* netbsd-8

The following drivers are vulnerable in netbsd-8:

- - atu(4) [fixed in netbsd-8 if_atu.c 1.55.8.4 2020-08-28]
- - axe(4) [fixed in netbsd-8 if_axe.c 1.82.6.5 2020-08-28]
- - axen(4) [fixed in netbsd-8 if_axen.c 1.11.8.9 2020-08-28]
- - otus(4) [fixed in netbsd-8 if_otus.c 1.31.2.3 2020-06-16]
- - run(4) [fixed in netbsd-8 if_run.c 1.22.2.3 2020-06-16]

The following drivers were audited and do not appear to be affected in
netbsd-8:

- - athn(4) - drops packets larger than MCLBYTES
- - aue(4) - transfers only up to AUE_BUFSZ=1536 bytes
- - bwfm(4) - transfers only up to BWFM_RXBUFSZ=1600 bytes
- - cdce(4) - transfers only up to CDCE_BUFSZ=1542 bytes
- - cue(4) - transfers only up to CUE_BUFSZ=1536 bytes
- - kue(4) - transfers only up to KUE_BUFSZ=1536 bytes
- - rum(4) - transfers only up to MCLBYTES
- - smsc(4) - drops packets larger than MCLBYTES
- - udav(4) - transfers only up to UDAV_BUFSZ=UDAV_MAX_MTU=1536 bytes
- - upgt(4) - transfers only up to MCLBYTES
- - upl(4) - transfers only up to UPL_BUFSZ=1024 bytes
- - ural(4) - transfers only up to MCLBYTES
- - ure(4) - no ure(4) in netbsd-8; only added in netbsd-9
- - url(4) - transfers only up to URL_BUFSIZ=1535 bytes
- - urndis(4) - transfers only up to RNDIS_BUFSZ=1562 bytes
- - urtw(4) - transfers only up to MCLBYTES
- - urtwn(4) - drops packets larger than MCLBYTES
- - zyd(4) - transfers only up to MCLBYTES (plus header and trailer, not in mbuf)

* netbsd-9

The following drivers are vulnerable in netbsd-9:

- - atu(4) [fixed in netbsd-9 if_atu.c 1.65.2.1 2020-08-28]
- - axe(4) [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]
- - axen(4) [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]
- - otus(4) [fixed in netbsd-9 if_otus.c 1.38.2.1 2020-06-11]
- - run(4) [fixed in netbsd-9 if_run.c 1.32.4.1 2020-06-11]
- - ure(4) [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]

The following drivers were audited and do not appear to be affected in
netbsd-9:

- - athn(4) - drops packets larger than MCLBYTES
- - aue(4) - transfers only up to AUE_BUFSZ=1536 bytes
- - bwfm(4) - transfers only up to BWFM_RXBUFSZ=1600 bytes
- - cdce(4) - transfers only up to CDCE_BUFSZ=1542 bytes
- - cue(4) - transfers only up to CUE_BUFSZ=1536 bytes
- - kue(4) - transfers only up to KUE_BUFSZ=1536 bytes
- - mue(4) - drops packets larger than MCLBYTES
- - rum(4) - transfers only up to MCLBYTES
- - smsc(4) - drops packets larger than MCLBYTES
- - udav(4) - transfers only up to UDAV_BUFSZ=UDAV_MAX_MTU=1536 bytes
- - umb(4) - uses m_devget rather than just MCLGET
- - upgt(4) - transfers only up to MCLBYTES
- - upl(4) - transfers only up to UPL_BUFSZ=1024 bytes
- - ural(4) - transfers only up to MCLBYTES
- - url(4) - transfers only up to URL_BUFSIZ=1535 bytes
- - urndis(4) - transfers only up to RNDIS_BUFSZ=1562 bytes
- - urtw(4) - transfers only up to MCLBYTES
- - urtwn(4) - drops packets larger than MCLBYTES
- - zyd(4) - transfers only up to MCLBYTES (plus header and trailer, not in mbuf)

* HEAD

The following drivers are vulnerable in HEAD:

- - atu(4) [fixed in if_atu.c 1.73 2020-08-28]
- - axe(4) [fixed in usbnet.c 1.39 2020-08-28]
- - axen(4) [fixed in usbnet.c 1.39 2020-08-28]
- - otus(4) [fixed in if_otus.c 1.45 2020-06-11]
- - run(4) [fixed in if_run.c 1.41 2020-06-11]
- - ure(4) [fixed in usbnet.c 1.39 2020-08-28]

The following drivers were audited and do not appear to be affected in
HEAD:

- - athn(4) - drops packets larger than MCLBYTES
- - aue(4) - transfers only up to AUE_BUFSZ=1536 bytes
- - bwfm(4) - transfers only up to BWFM_RXBUFSZ=1600 bytes
- - cdce(4) - transfers only up to CDCE_BUFSZ=1542 bytes
- - cue(4) - transfers only up to CUE_BUFSZ=1536 bytes
- - kue(4) - transfers only up to KUE_BUFSZ=1536 bytes
- - mue(4) - drops packets larger than MCLBYTES
- - rum(4) - transfers only up to MCLBYTES
- - smsc(4) - drops packets larger than MCLBYTES
- - udav(4) - transfers only up to UDAV_BUFSZ=UDAV_MAX_MTU=1536 bytes
- - umb(4) - uses m_devget rather than just MCLGET
- - upgt(4) - transfers only up to MCLBYTES
- - upl(4) - transfers only up to UPL_BUFSZ=1024 bytes
- - ural(4) - transfers only up to MCLBYTES
- - url(4) - transfers only up to URL_BUFSIZ=1535 bytes
- - urndis(4) - transfers only up to RNDIS_BUFSZ=1562 bytes
- - urtw(4) - transfers only up to MCLBYTES
- - urtwn(4) - drops packets larger than MCLBYTES
- - zyd(4) - transfers only up to MCLBYTES (plus header and trailer, not in mbuf)


Solutions and Workarounds
=========================

Workaround: Avoid USB devices with affected drivers on untrusted
networks.


To apply a fixed version from a releng build, fetch kern-GENERIC.tgz
(or kern-GENERIC.tar.xz) from nycdn.NetBSD.org and extract the fixed
binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/kern-GENERIC.tgz
cd /
tar xzpf /var/tmp/kern-GENERIC.tgz netbsd

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. 20200829* and later will fit
ARCH  = your system's architecture


The following instructions describe how to upgrade your NetBSD kernel
by updating your source tree and rebuilding and installing a new
version.


For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:

	ARCH     with your architecture (from uname -m), and
	KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P sys/dev/usb
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

	https://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Ilja Van Sprundel for reporting this issue in otus(4) and run(4).


Revision History
================

	2020-10-13	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2020-003.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/

Copyright 2020, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2020-003.txt,v 1.1 2020/10/13 20:26:44 christos Exp $
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJfhg2FAAoJEIkmHhf170n/0F4P+wav6Jg+qjwEKvHQ5VIVFFlr
VsA3Ycg7z5hSU8TkxzngsDC/vr4iMFADB7P37t/4NJp+wcq8fR9ItCF4cqyc2v61
LvKyxNtu1y0fccg1k0elymFcpviYKivSRfXUezbRijKmal3rSdzQFqtdeZGvTbN6
zIk4xhDgDCWA9pDo1bD1k0/+rbHZkGpuGhDP4j4F3qE/kzXpdm0/uk+NfzTtlJea
94PT8JPWOmzAb51q/tQ3sJxigGnZwVlQJ7/AozXZLsjQ7paGjHE7BGqx3llesBHl
MYkwnwO0MXENAWoUiMvh5eiyMQWz65lpz0S/gaTN1CosIMBrLazAHPWt3nUbmH3H
3X956tVyRP3REa0DIA/h1ujdSp297HJa785mGlXUq123rjrnG9m9WC/x7lICEpD5
w0p8q25cJ1iEya82mcotttzTmtQ74Ab09GciTCqb1qPMv8akOBWfcSRm5g2taC0u
J4ZcHEPCDICVB+h7dz0k45xIr2OPQ9+vPkB3J9+2BiINykdth6L/zeaH8tAGhkt5
5PN1mdVpQ55KB4+kIMvgY1tpmyzWk+8zNzTZDStAIy4ZJiBNX/o6uCBByvN1FfvS
vd74e/nM6PxrLbfAfDn2lGVZXREzmGUC47VXevusMIs9jFXuYbbiR3lkVOwlQiri
kXxYubpCU0WmuZidXbjw
=BTGe
-----END PGP SIGNATURE-----