=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN208
_____________________________________________________________________

DATE                      : 09/03/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       :  NetBSD version current, 5.0, 5.1, 4.0.

======================================================================
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-003.txt.asc
______________________________________________________________________

                  NetBSD Security Advisory 2011-003
                  =================================

Topic:          Exhausting kernel memory from user controlled value


Version:        NetBSD-current:         source prior to March 4th, 2011
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected

Severity:       local DOS

Fixed:          NetBSD-current:         March 4th, 2011
                NetBSD-5-0 branch:      March 7th, 2011
                NetBSD-5-1 branch:      March 7th, 2011
                NetBSD-5 branch:        March 7th, 2011
                NetBSD-4-0 branch:      March 7th, 2011
                NetBSD-4 branch:        March 7th, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Kernel memory can be exhausted by a specially crafted program.
This may cause a panic.


Technical Details
=================

The handler for the kern.proc sysctl tree doesn't sanitize the input
and allocates kernel memory based on a user controllable value (the
number of command arguments).
Depending on the circumstances, this can either exhaust kernel memory
or hit allocation assertions.

The vulnerability was found while refactoring ps_strings access.
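
The pattern described above, shown as an added illustration (this is not
NetBSD's code and not the actual patch): a user-space C sketch that contrasts
sizing an allocation directly from the user-controlled argument count with
validating the count first. The names demo_ps_strings, DEMO_ARG_MAX and all
function names are hypothetical, and the ceiling value is an assumption.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed ceiling for this sketch; a kernel would use its own exec limit. */
#define DEMO_ARG_MAX (256 * 1024)

/* Simplified, hypothetical stand-in for the per-process argument descriptor.
 * It lives in user-writable memory, so every field is user controlled. */
struct demo_ps_strings {
    uintptr_t argv_addr;  /* user address of the argv vector */
    int       nargv;      /* number of command arguments */
};

/* Unchecked form: the request size is derived straight from nargv.
 * Returns the byte count that would be passed to the allocator. */
size_t unchecked_alloc_size(const struct demo_ps_strings *ps)
{
    return (size_t)ps->nargv * sizeof(char *);
}

/* Checked form: reject negative or oversized counts before sizing the buffer.
 * Returns 0 and stores the size in *out, or an errno value. */
int checked_alloc_size(const struct demo_ps_strings *ps, size_t *out)
{
    if (ps->nargv < 0)
        return EINVAL;
    if ((size_t)ps->nargv > DEMO_ARG_MAX / sizeof(char *))
        return E2BIG;
    *out = (size_t)ps->nargv * sizeof(char *);
    return 0;
}

/* Handler sketch: allocate only after the count has been validated. */
int copy_arg_pointers(const struct demo_ps_strings *ps, char ***vec)
{
    size_t len;
    int error = checked_alloc_size(ps, &len);
    if (error != 0)
        return error;
    *vec = calloc(len ? len : 1, 1);
    return *vec == NULL ? ENOMEM : 0;
}
```
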


Solutions and Workarounds
=========================

Patch, recompile, and reinstall the kernel, then reboot.

   CVS branch    file                            revision
   ----------    ----                            --------
   HEAD          src/sys/kern/kern_proc.c        1.172
   netbsd-5-0    src/sys/kern/init_sysctl.c      1.149.4.4.2.4
   netbsd-5-1    src/sys/kern/init_sysctl.c      1.149.4.7.2.1
   netbsd-5      src/sys/kern/init_sysctl.c      1.149.4.8
   netbsd-4-0    src/sys/kern/init_sysctl.c      1.93.2.1.6.2
   netbsd-4      src/sys/kern/init_sysctl.c      1.93.2.3


The following instructions briefly summarize how to update and
recompile the kernel. In these instructions, replace:

   VERSION  with the fixed version from the appropriate CVS branch
            (from the above table)
   FILE     with the name of the file from the above table
   ARCH     with your architecture (from uname -m), and
   KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

         # cd src
         # cvs update -r VERSION FILE
         # ./build.sh kernel=KERNCONF
         # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd.new
         # mv /netbsd /netbsd.old && mv /netbsd.new /netbsd

then reboot:

         # shutdown -r now

For more information on how to do this, see:

    http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Joerg Sonnenberger for finding the issue and providing a fix.


Revision History
================

         2011-03-08        Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-003.txt.asc,v 1.1 2011/03/08 01:45:21 tonnerre Exp $

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================






