NetBSD Security Advisory 2023-001: Multiple buffer overflows in USB drivers
29 June, 2023 by security-officer@netbsd.org | netbsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 NetBSD Security Advisory 2023-001 ================================= Topic: Multiple buffer overflows in USB drivers Version: NetBSD-current: affected up to 9.99.32 NetBSD 10.0_BETA: not affected NetBSD 9.3: not affected NetBSD 9.2: not affected NetBSD 9.1: not affected NetBSD 9.0: not affected NetBSD 8.2: not affected NetBSD 8.1: affected NetBSD 8.0: affected Severity: A malicious USB device can execute code in the kernel Fixed: NetBSD-current: 2020-01-01 NetBSD-10 branch: N/A NetBSD-9 branch: N/A NetBSD-8 branch: 2020-01-02 Please note that NetBSD releases prior to 8.2 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== A malicious USB device can execute code in the kernel. Technical Details ================= Multiple buffer overflows in src/sys/dev/usb/uthum.c were found: sc_{o,f}len are controlled by the USB device. By crafting the former, the device can leak stack data. By crafting the latter, the device can overwrite the stack. The combination of the two means the device can ROP the kernel and obtain code execution (demonstrated with an actual exploit over vHCI). Additionally, the lengths were not truncated to the size of the buffers. Multiple buffer overflows in src/sys/dev/usb/uhid.c were found: In several places, there was no check to see if size + extra fits into the buffer. src/sys/dev/usb/ucycom.c: The lengths at attach time were not validated. Solutions and Workarounds ========================= Update the kernel to a fixed version and reboot. There are pre-built binaries for all architectures and NetBSD versions at: https://nycdn.netbsd.org/pub/NetBSD-daily/ For example you can find the standard GENERIC kernel for NetBSD-9/amd64 at: https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/kernel/netbsd-GENERIC.gz Alternatively to build from source for all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarize how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), and KERNCONF with the name of your kernel configuration file. To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P sys/dev/usb # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: https://www.NetBSD.org/docs/guide/en/chap-kernel.html Thanks To ========= Maxime Villard for finding and fixing the vulnerability. Revision History ================ 2023-06-28 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-NNN.txt.asc Information about NetBSD and NetBSD security can be found at https://www.NetBSD.org/ https://www.NetBSD.org/Security/ Copyright 2023, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2023-001.txt,v 1.1 2023/06/28 15:28:57 christos Exp $ -----BEGIN PGP SIGNATURE----- iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmScUbocHHNlY3VyaXR5 LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/+5ND/0eVYPYyX9iNFXR5kso 8bpPUO/q07p4bJCloiDKfrhOLhzHjJFBvWKU6wDAvbCI228jkb/7KtCztFpaNnKD JzhNMlOO2+1u3bpQvtHAQGSFFKFFVLvfIbJAnTRsiZsksvs+xc0Gl+zVmXYln/xB +BFpeq0OKliCWFUqVCoDhqaBqdgGh3TB583HRefYlNuvurPKf4LWwkqqfLjNcUeo yUAve0MJ3P41Pn2BlyJuwslx7o17tBP3aFygSCWenAy676LVtn9tRds0fZgBkikz xYLAJVT52XnBSxbT7+eUPCb0lGkQSX/qwA+wQPeWsV2T3tPAd6gwzxwjl5AkA91b 0RRmC5MpfjKoqXBUTxXoRJCFQZOHZv3UzpdVS1JYSeLTIvMZS0+MYXn6XGwR/qSr aJZGVkdZhjYN58LSpihORBNWo77RcHuj8O5Siqi9nR3WS8Mi1uaCdytiv2UXwi5f ejoDTIAkV8I5ZstRyqBiWL2OaeNsf4XXXwWrpdt7ML+qBWprcm2ZYsPOAmufdMFN U8dadakXngtFdTvGJ8zYiIWT5trzseWXHJNEFshQJXelg9bJ8CBBtjOL3yypkC/L Nd0ulB79A7Q4gsr6FzeVNZsWB5HN8rnqslNXlUA77qaxUaYCPS+R/3a5UMB6xYdQ x5qHTCSqReHUlSZ0GIL4Fv9gnA== =PX3W -----END PGP SIGNATURE-----