NetBSD Security Advisory 2023-003: Structure padding memory disclosures
29 June, 2023 by security-officer@netbsd.org | netbsd
NetBSD Security Advisory 2023-003
=================================

Topic:      Structure padding memory disclosures

Version:    NetBSD-current:     affected prior to 2021-09-09
            NetBSD 10.0_BETA:   unaffected
            NetBSD 9.3:         unaffected
            NetBSD 9.2:         affected
            NetBSD 9.1:         affected
            NetBSD 9.0:         affected
            NetBSD 8.2:         affected
            NetBSD 8.1:         affected
            NetBSD 8.0:         affected

Severity:   Kernel memory disclosure

Fixed:      NetBSD-current:     2021-09-09
            NetBSD-10 branch:   N/A
            NetBSD-9 branch:    2022-08-03
            NetBSD-8 branch:    2023-06-21

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Many system calls can disclose kernel memory due to structure padding.

Technical Details
=================

Many system calls that return structured data only initialized the fields
of those structures, resulting in uninitialized memory bytes where padding
was added by the compiler for alignment purposes. These uninitialized bytes
contain random kernel memory data from the stack, which was copied to
userland.

Solutions and Workarounds
=========================

There are pre-built binaries for all architectures and NetBSD versions at:

    https://nycdn.netbsd.org/pub/NetBSD-daily/

For example, you can find the standard GENERIC kernel for NetBSD-9/amd64 at:

    https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/kernel/netbsd-GENERIC.gz

Alternatively, to build from source for all NetBSD versions, you need to
obtain fixed kernel sources, rebuild and install the new kernel, and reboot
the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your kernel.
In these instructions, replace:

    ARCH     with your architecture (from uname -m), and
    KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -dP src/sys
    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:

    https://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Trend Micro for reporting the bug for the stat conversion functions and
Taylor Campbell for auditing the kernel for more instances.

Revision History
================

    2023-06-28  Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

    https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at

    https://www.NetBSD.org/
    https://www.NetBSD.org/Security/

Copyright 2023, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2023-003.txt,v 1.1 2023/06/28 15:32:44 christos Exp $
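
The padding disclosure described under Technical Details, shown as an added userland example; it is not part of the advisory and not NetBSD source. The structure, the 0xA5 marker and the helper names are hypothetical, and zeroing the object before filling it is an assumed fix pattern, since the advisory does not describe the actual patches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5 /* constructed marker for leftover stack contents */

/* Hypothetical reply structure: padding follows kind and flags. */
struct reply {
    uint8_t  kind;
    uint32_t id;
    uint16_t flags;
};

/* Bytes of the object that belong to no named field. */
static size_t padding_bytes(void) {
    return sizeof(struct reply) - (sizeof(uint8_t) + sizeof(uint32_t) + sizeof(uint16_t));
}

/* Affected pattern: only the named fields are assigned. */
static void fill_fields_only(struct reply *r) {
    r->kind = 1;
    r->id = 42;
    r->flags = 7;
}

/* Assumed fix pattern: zero the whole object, then assign the fields. */
static void fill_zeroed(struct reply *r) {
    memset(r, 0, sizeof(*r));
    fill_fields_only(r);
}

/* Fill a slot holding stale bytes, copy it out whole, count what leaks. */
static size_t stale_bytes_copied_out(void (*fill)(struct reply *)) {
    struct reply r;
    unsigned char user[sizeof(r)];
    size_t i, n = 0;
    memset(&r, STALE, sizeof(r));  /* simulate earlier use of the stack */
    fill(&r);
    memcpy(user, &r, sizeof(r));   /* stand-in for the copy to userland */
    for (i = 0; i < sizeof(user); i++)
        n += (user[i] == STALE);
    return n;
}

int main(void) {
    printf("padding=%zu fields-only leak=%zu zeroed leak=%zu\n", padding_bytes(),
        stale_bytes_copied_out(fill_fields_only), stale_bytes_copied_out(fill_zeroed));
    return 0;
}
```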