NetBSD Security Advisory 2023-002: Various compatibility syscall memory access issues
29 June, 2023 by security-officer@netbsd.org | netbsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 NetBSD Security Advisory 2023-002 ================================= Topic: Various compatibility syscall memory access issues Version: NetBSD-current: affected before 2020-05-15 NetBSD 10.0_BETA: not affected NetBSD 9.3: not affected NetBSD 9.2: not affected NetBSD 9.1: not affected NetBSD 9.0: affected NetBSD 8.2: affected NetBSD 8.1: affected NetBSD 8.0: affected Severity: Local users can crash the machine Fixed: NetBSD-current: 2020-05-15 NetBSD-10 branch: N/A NetBSD-9 branch: 2020-05-15 NetBSD-8 branch: 2020-05-25 Please note that NetBSD releases prior to 8.2 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== Fix various info leaks, out of bound access, usage of uninitialized values and direct access to userland variables from kernel space and memory leaks in system calls implemented for the compatibility subsystems. These bugs affect: - compat_netbsd32 - compat_linux - compat_linux32 Technical Details ================= The following bugs were discovered using memory and address sanitizers: - - Index out of bounds (kernel crash) https://mail-index.netbsd.org/source-changes/2019/08/23/msg108420.html - - Incorrect buffer handling (memory corruption) https://mail-index.netbsd.org/source-changes/2019/08/24/msg108454.html https://mail-index.netbsd.org/source-changes/2020/03/14/msg115069.html [*] - - Missing free of temporary buffer (memory leak) https://mail-index.netbsd.org/source-changes/2019/08/24/msg108455.html - - Bugs in the implementation of linux32_sys_get_robust_list (missing functionality) https://mail-index.netbsd.org/source-changes/2019/08/23/msg108428.html - - Direct user data access (not working with SMAP) https://mail-index.netbsd.org/source-changes/2019/08/24/msg108449.html - - Incorrect error code returned (diagnostic) https://mail-index.netbsd.org/source-changes/2019/08/23/msg108425.html - - Insufficient zero initialization of arguments to compatibility syscalls (information leak) https://mail-index.netbsd.org/source-changes/2020/01/01/msg112486.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108407.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108408.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108409.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108414.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108415.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108417.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108427.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108429.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108430.html https://mail-index.netbsd.org/source-changes/2020/02/22/msg114240.html [*] https://mail-index.netbsd.org/source-changes/2020/02/26/msg114478.html [*] https://mail-index.netbsd.org/source-changes/2020/05/15/msg117350.html [**] - - Debug printing fixes (cosmetic) https://mail-index.netbsd.org/source-changes/2019/08/23/msg108421.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108426.html https://mail-index.netbsd.org/source-changes/2019/08/24/msg108456.html - - Uninitialized memory access (harmless) https://mail-index.netbsd.org/source-changes/2019/08/23/msg108423.html https://mail-index.netbsd.org/source-changes/2019/08/23/msg108424.html https://mail-index.netbsd.org/source-changes/2019/09/08/msg108869.html https://mail-index.netbsd.org/source-changes/2020/04/19/msg116378.html [*] https://mail-index.netbsd.org/source-changes/2020/05/14/msg117328.html [*] - - Incorrect size passed to copyin (harmless stack buffer overflow) https://mail-index.netbsd.org/source-changes/2020/01/01/msg112456.html Solutions and Workarounds ========================= Update the kernel to a fixed version and reboot. There are pre-built binaries for all architectures and NetBSD versions at: https://nycdn.netbsd.org/pub/NetBSD-daily/ For example you can find the standard GENERIC kernel for NetBSD-9/amd64 at: https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/kernel/netbsd-GENERIC.gz Alternatively to build from source for all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarize how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), and KERNCONF with the name of your kernel configuration file. To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P sys # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/docs/guide/en/chap-kernel.html The patches can be obtained from NetBSD-current with the following commands: cvs rdiff -u -r1.35 -r1.36 src/sys/compat/common/kern_sig_43.c cvs rdiff -u -r1.58 -r1.59 src/sys/compat/linux/arch/amd64/linux_machdep.c cvs rdiff -u -r1.17 -r1.18 src/sys/compat/linux/common/linux_fcntl.h cvs rdiff -u -r1.60 -r1.62 src/sys/compat/linux/common/linux_file64.c cvs rdiff -u -r1.56 -r1.57 src/sys/compat/linux/common/linux_ipc.c cvs rdiff -u -r1.240 -r1.243 src/sys/compat/linux/common/linux_misc.c cvs rdiff -u -r1.80 -r1.81 src/sys/compat/linux/common/linux_signal.c cvs rdiff -u -r1.145 -r1.149 src/sys/compat/linux/common/linux_socket.c cvs rdiff -u -r1.23 -r1.24 src/sys/compat/linux/common/linux_socket.h cvs rdiff -u -r1.6 -r1.7 src/sys/compat/linux/common/linux_statfs.h cvs rdiff -u -r1.37 -r1.38 src/sys/compat/linux/common/linux_termios.c cvs rdiff -u -r1.21 -r1.22 src/sys/compat/linux/common/linux_termios.h cvs rdiff -u -r1.19 -r1.20 src/sys/compat/linux32/common/linux32_dirent.c cvs rdiff -u -r1.13 -r1.14 src/sys/compat/linux32/common/linux32_ioctl.c cvs rdiff -u -r1.26 -r1.27 src/sys/compat/linux32/common/linux32_misc.c cvs rdiff -u -r1.19 -r1.20 src/sys/compat/linux32/common/linux32_signal.c cvs rdiff -u -r1.7 -r1.8 src/sys/compat/linux32/common/linux32_sysinfo.c cvs rdiff -u -r1.14 -r1.15 src/sys/compat/linux32/common/linux32_termios.c cvs rdiff -u -r1.9 -r1.10 src/sys/compat/linux32/common/linux32_utsname.c cvs rdiff -u -r1.38 -r1.39 src/sys/compat/netbsd32/netbsd32_compat_20.c cvs rdiff -u -r1.57 -r1.59 src/sys/compat/netbsd32/netbsd32_compat_43.c cvs rdiff -u -r1.43 -r1.44 src/sys/compat/netbsd32/netbsd32_compat_50.c cvs rdiff -u -r1.74 -r1.75 src/sys/compat/ossaudio/ossaudio.c cvs rdiff -u -r1.82 -r1.83 src/sys/compat/ossaudio/ossaudio.c cvs rdiff -u -r1.137 -r1.138 src/sys/kern/sysv_shm.c cvs rdiff -u -r1.74 -r1.75 src/sys/miscfs/procfs/procfs_linux.c cvs rdiff -u -r1.53 -r1.54 src/sys/sys/shm.h Thanks To ========= Maxime Villard for finding and fixing these vulnerabilities. Revision History ================ 2023-06-28 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-NNN.txt.asc Information about NetBSD and NetBSD security can be found at https://www.NetBSD.org/ https://www.NetBSD.org/Security/ Copyright 2023, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2023-002.txt,v 1.1 2023/06/28 15:29:21 christos Exp $ -----BEGIN PGP SIGNATURE----- iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmScUdIcHHNlY3VyaXR5 LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/wc+EACOqu3GjiSZHS6Z1Y11 Sqgzl85RNT6dRC9bARd1M/4nJZl2B1uqO6QYkPenqfcVtVV+K6w2ioB2gg+G8puh TqrLY168avqDN4sdAUD+PO4+bQ8DL46+Wt/nkZ2LarmXRbe1b2bUzNIA5wNhaDBu xFA3nWLNg50vXVTMBkNUVky4sy4gPlBcY9nf+2POewwTwt+cR4K4MGA9XWvO9rEt onr1Lt38Yd3I3Kaa4QsBJOmbTaOtGo0hki86zl0WJCT8c2tesSBMk5aqN/rVt9HD yoasCe+k/grm/LY9Cr0Eeyp9v803D7LKC8Lb3zlm3LgQq2tQqZcplVOe6qGK+7AE Ml/z1XcYeKksKxfC/LVsLzfWmXZrSecjbYIWgTCTt30XOBq+US5fsL+WVcakyy/I L/DUPLErpBnFM8vdbGiQqQSo2yIOvT+f0KS0WdLMSOp7+ogCfJAVN0CPk+IHgUgR DyAwMbJgiWgSFXX78aSqFhBNYCfTozXo6h4+NT/JxJ0owd/bdm/QFCMZJxH+6xvt YhcuMlJ1iQ3GiV2E2CiT87AVbScW7n0RNBsFsJVXJMcGAARBscmK3z8bdiV51i7c mvdxlul/eRPMpJR6RQDVXff8S1HVFRhHXsm9Vwilt5xNNDx70x490GuOfYG3rh5A VL5pBeVRW4Kyw1ZiEi9Hghjpcg== =ZCoo -----END PGP SIGNATURE-----