Subject: NetBSD Security Advisory 2005-002: Local DoS via audio device with specific drivers
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 06/30/2005 18:12:42
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2005-002
		 =================================

Topic:		Local DoS via audio device with specific drivers

Version:	NetBSD-current:	source prior to June 13, 2005
		NetBSD 2.0.2:	affected
		NetBSD 2.0.1:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.2:	affected
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected

Severity:	local user with access to audio device can cause kernel trap

Fixed:		NetBSD-current:		June 12, 2005
		NetBSD-3.0 branch:	June 12, 2005 (3.0 will include the fix)
		NetBSD-2.0 branch:	June 13, 2005 (2.0.3 and 2.1 will
						       include the fix)
		NetBSD-1.6 branch:	June 17, 2005 (1.6.3 will include the
						       fix


Abstract
========

With CS4280/4281, or SB Live, or SB PC 512 audio hardware, a local user
of the audio device can crash the machine through the ioctl system call.


Technical Details
=================

The set-parameters ioctl() call of the audio subsystem allows programs
to set audio stream parameters as well as the pause state, the internal
ring buffer, and audio DMA block size used.

When pause state was set to "unpaused" in the same ioctl() call as
changing the block size information, playing/recording used to be
started without recomputing the buffering parameters. Some drivers would
use this information in a division by zero, thus crashing the kernel.

The clcs and emuxki drivers are affected. If you do not have Cirrus
Logic CS4280/CS4281, SB Live!, or SB PC 512 hardware installed in a
system, then this vulnerability does not affect that system.


Solutions and Workarounds
=========================

The common part of the audio subsystem has been changed to ensure that
the device parameters are not left in an uninitialized state. So, while
the vulnerability was exposed by certain drivers, the fix is in the
device-independent audio code.

As a temporary measure, system administrators of multi-user machines may
want to disable access to the audio device for all users until an
upgraded kernel can be booted. To do this, as the root user, execute:

chown root /dev/audio* /dev/audioctl* /dev/sound*
chmod 000  /dev/audio* /dev/audioctl* /dev/sound*

Single-user machines can be left as-is if the user can be trusted to
not crash the machine willingly or to not complain afterwards.


Solutions and Workarounds
=========================

*** Updating with a GENERIC or other kernel from the base distribution:

The NetBSD-daily source builds provide a set of kernels that can be used
on systems that run GENERIC, or one of the other distribution kernels.

Below, BRANCH, DATE, and ARCH are:

  BRANCH   with the appropriate CVS branch 
  ARCH     with your architecture (from uname -m), and
  DATE     Any date after the fixed dates, shown here:

		NetBSD-current:		June 12, 2005
		NetBSD-3.0 branch:	June 12, 2005 
		NetBSD-2.0 branch:	June 13, 2005 
		NetBSD-1.6 branch:	June 17, 2005
			 * Note, the latest 1-6 build at the
			   time of issuing this advisory does not
			   yet include the fix. (June 16)


	ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-daily/{BRANCH}/{DATE}/i386/binary/kernel/{ARCH}/binary/kernel/netbsd-GENERIC.gz

Retrieve the kernel from the appropriate location, then:

        cd / && cp /path/to/netbsd-GENERIC.gz /
        gzip -d netbsd-GENERIC.gz

        The tar file will extract a new copy of:
                netbsd-GENERIC

        Back up your old kernel:
        mv netbsd netbsd.old

        Then either rename:
        mv netbsd-GENERIC netbsd

        or link, as per local site policy:
        ln netbsd-GENERIC netbsd

        Then, reboot.


*** Patching from sources:

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new
version of the kernel.

For all NetBSD versions, you need to download the source patch, apply
it to your kernel source tree using the patch(1) command, and rebuild,
install the kernel, and reboot. For more information on how to do
this, see:

    http://www.netbsd.org/Documentation/kernel/#building_a_kernel

The fix for this issue is contained in one file, sys/dev/audio.c

The following table lists the fixed revisions and
dates of this file for each branch:

  CVS branch	revision	date
  -------------	-----------	----------------
  HEAD		1.196		2005/06/11
  netbsd-3	1.192.4.2	2005/06/11
  netbsd-2-0	1.182.2.2	2005/06/12
  netbsd-2	1.182.2.1.2.2	2005/06/12
  netbsd-1-6	1.155.4.7	2005/06/17

The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r BRANCH sys/dev/audio.c
        # cd sys/arch/ARCH/conf
        # config KERNCONF
        # cd ../compile/KERNCONF
        # make depend;make; make install
        # reboot


Thanks To
=========

Ignatios Souvatzis	discovery, initial analysis, implementation of fix
YAMAMOTO Takashi	analysis, suggestion for fix

Revision History
================

	2005-06-30	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-002.txt,v 1.5 2005/06/30 09:22:48 wiz Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)

iQCVAwUBQsQFPT5Ru2/4N2IFAQJDfgQAnhPQpnUwxAqg4Xci5bAafb1T5WlDf+lB
o+aYn08gy9AUHwaw+T7rO1p6H+KSxB+4cCJ/rytRJefFgD60wbo8CuVHi/uT57Cy
lGO9GpVuRz2HAInVg0f3TT0z2Kz6X0cn+Z+vrLf1buzR8wsQxyNhZwYzZQ8s27mk
BBbuA26OoCI=
=KIPN
-----END PGP SIGNATURE-----