NetBSD Security Advisory 2023-002: Various compatibility syscall memory access issues

		NetBSD Security Advisory 2023-002

Topic:		Various compatibility syscall memory access issues

Version:	NetBSD-current:		affected before 2020-05-15
		NetBSD 10.0_BETA:	not affected
		NetBSD 9.3:		not affected
		NetBSD 9.2:		not affected
		NetBSD 9.1:		not affected
		NetBSD 9.0:		affected
		NetBSD 8.2:		affected
		NetBSD 8.1:		affected
		NetBSD 8.0:		affected

Severity:	Local users can crash the machine

Fixed:		NetBSD-current:		2020-05-15
		NetBSD-10 branch:	N/A
		NetBSD-9 branch:	2020-05-15
		NetBSD-8 branch:	2020-05-25

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


The fixes address various information leaks, out-of-bounds accesses,
uses of uninitialized values, direct accesses to userland variables
from kernel space, and memory leaks in system calls implemented for
the compatibility subsystems. These bugs affect:

	- compat_netbsd32
	- compat_linux
	- compat_linux32

Technical Details

The following bugs were discovered using memory and address sanitizers:

- Index out of bounds
  (kernel crash)

- Incorrect buffer handling
  (memory corruption) [*]

- Missing free of temporary buffer
  (memory leak)

- Bugs in the implementation of linux32_sys_get_robust_list
  (missing functionality)

- Direct user data access
  (not working with SMAP)

- Incorrect error code returned

- Insufficient zero initialization of arguments to compatibility syscalls
  (information leak) [*] [*] [**]

- Debug printing fixes

- Uninitialized memory access
  (harmless) [*] [*]

- Incorrect size passed to copyin
  (harmless stack buffer overflow)
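
A userland model of the "insufficient zero initialization" class listed above, as an added example that is not taken from the NetBSD patches. The names struct compat32_info, fake_copyout and the 0xA5 marker are constructed for illustration; the example shows how copying out a partly filled structure carries leftover bytes with it, and how zeroing the structure first prevents that.

```c
/* Added illustration: a userland model, not NetBSD kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5 /* constructed marker for leftover kernel stack bytes */

struct compat32_info {          /* hypothetical compat-layer result struct */
	uint32_t ci_flags;
	char     ci_name[16];
	uint32_t ci_reserved;   /* the converter never assigns this field */
};

/* Stand-in for copyout(9): copies the whole object to the "user" buffer. */
static int fake_copyout(const void *kaddr, void *uaddr, size_t len)
{
	memcpy(uaddr, kaddr, len);
	return 0;
}

/* Fills only the fields the converter knows about. */
static void fill_fields(struct compat32_info *ci)
{
	static const char name[] = "GENERIC";
	ci->ci_flags = 1;
	memcpy(ci->ci_name, name, sizeof(name)); /* 8 of 16 bytes written */
}

/* Returns the number of stale "kernel" bytes that reached the user buffer. */
size_t leaked_bytes(int zero_first)
{
	struct compat32_info ci;
	unsigned char ubuf[sizeof(ci)];
	size_t i, n = 0;

	memset(&ci, STALE, sizeof(ci));     /* model a reused stack slot */
	if (zero_first)
		memset(&ci, 0, sizeof(ci)); /* the fix: zero before filling */
	fill_fields(&ci);
	fake_copyout(&ci, ubuf, sizeof(ci));
	for (i = 0; i < sizeof(ubuf); i++)
		n += (ubuf[i] == STALE);
	return n;
}

int main(void)
{
	printf("without zeroing: %zu stale bytes copied out\n", leaked_bytes(0));
	printf("with zeroing:    %zu stale bytes copied out\n", leaked_bytes(1));
	return 0;
}
```

The stale bytes come from the unused tail of ci_name and from ci_reserved; structure padding leaks the same way, which is why the whole object is zeroed rather than individual fields.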

Solutions and Workarounds

Update the kernel to a fixed version and reboot.

There are pre-built binaries for all architectures and NetBSD versions at:

For example you can find the standard GENERIC kernel for NetBSD-9/amd64 at:

Alternatively, to build from source for all NetBSD versions, you
need to obtain fixed kernel sources, rebuild and install the new
kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel.  In these instructions, replace:

  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P sys
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

The patches can be obtained from NetBSD-current with the following
commands:

    cvs rdiff -u -r1.35 -r1.36 src/sys/compat/common/kern_sig_43.c
    cvs rdiff -u -r1.58 -r1.59 src/sys/compat/linux/arch/amd64/linux_machdep.c
    cvs rdiff -u -r1.17 -r1.18 src/sys/compat/linux/common/linux_fcntl.h
    cvs rdiff -u -r1.60 -r1.62 src/sys/compat/linux/common/linux_file64.c
    cvs rdiff -u -r1.56 -r1.57 src/sys/compat/linux/common/linux_ipc.c
    cvs rdiff -u -r1.240 -r1.243 src/sys/compat/linux/common/linux_misc.c
    cvs rdiff -u -r1.80 -r1.81 src/sys/compat/linux/common/linux_signal.c
    cvs rdiff -u -r1.145 -r1.149 src/sys/compat/linux/common/linux_socket.c
    cvs rdiff -u -r1.23 -r1.24 src/sys/compat/linux/common/linux_socket.h
    cvs rdiff -u -r1.6 -r1.7 src/sys/compat/linux/common/linux_statfs.h
    cvs rdiff -u -r1.37 -r1.38 src/sys/compat/linux/common/linux_termios.c
    cvs rdiff -u -r1.21 -r1.22 src/sys/compat/linux/common/linux_termios.h
    cvs rdiff -u -r1.19 -r1.20 src/sys/compat/linux32/common/linux32_dirent.c
    cvs rdiff -u -r1.13 -r1.14 src/sys/compat/linux32/common/linux32_ioctl.c
    cvs rdiff -u -r1.26 -r1.27 src/sys/compat/linux32/common/linux32_misc.c
    cvs rdiff -u -r1.19 -r1.20 src/sys/compat/linux32/common/linux32_signal.c
    cvs rdiff -u -r1.7 -r1.8 src/sys/compat/linux32/common/linux32_sysinfo.c
    cvs rdiff -u -r1.14 -r1.15 src/sys/compat/linux32/common/linux32_termios.c
    cvs rdiff -u -r1.9 -r1.10 src/sys/compat/linux32/common/linux32_utsname.c
    cvs rdiff -u -r1.38 -r1.39 src/sys/compat/netbsd32/netbsd32_compat_20.c
    cvs rdiff -u -r1.57 -r1.59 src/sys/compat/netbsd32/netbsd32_compat_43.c
    cvs rdiff -u -r1.43 -r1.44 src/sys/compat/netbsd32/netbsd32_compat_50.c
    cvs rdiff -u -r1.74 -r1.75 src/sys/compat/ossaudio/ossaudio.c
    cvs rdiff -u -r1.82 -r1.83 src/sys/compat/ossaudio/ossaudio.c
    cvs rdiff -u -r1.137 -r1.138 src/sys/kern/sysv_shm.c
    cvs rdiff -u -r1.74 -r1.75 src/sys/miscfs/procfs/procfs_linux.c
    cvs rdiff -u -r1.53 -r1.54 src/sys/sys/shm.h

Thanks To

Maxime Villard for finding and fixing these vulnerabilities.

Revision History

        2023-06-28      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at

Copyright 2023, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2023-002.txt,v 1.1 2023/06/28 15:29:21 christos Exp $