NetBSD-Announce archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2014-003: posix_spawn unbounded kernel memory allocation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2014-003
=================================
Topic: posix_spawn unbounded kernel memory allocation
Version: NetBSD-current: affected prior to 2014-02-02
NetBSD 6.1*: affected
NetBSD 6.0*: affected
NetBSD 5.2*: not affected
NetBSD 5.1*: not affected
Severity: Local Unprivileged Denial of Service
Fixed: NetBSD-current: Feb 1st, 2014
NetBSD-6 branch: Feb 3rd, 2014
NetBSD-6-1 branch: Feb 3rd, 2014
NetBSD-6-0 branch: Feb 3rd, 2014
Abstract
========
Missing argument validation in the implementation of the posix_spawn
system call could be abused to cause the kernel to try to allocate
unlimited amounts of memory, causing a panic.
Technical Details
=================
The posix_spawn system call allows a userland process to pass a list of
file handle changes, to be applied in the new created child process before
running the target binary. The kernel needs to allocate kernel memory
and copy the user process data to that. Missing argument validation
failed to put a limit on the size of this list and allowed a malicious
program to cause the kernel to run out of memory.
Since the number of file handles is limited for the calling (and the to
be created) process, and making multiple (repeated) changes to the same
file handle does make only limited sense (assume a non-malicious program
to maximally close and reopen each file handle once), the maximum list
size will not exceed twice the number of allowed open file handles.
The kernel will now enforce this limit upfront to the allocation and fail
the posix_spawn system call otherwise. Libc was adjusted to deal with the
new limit in a graceful manner. Additionally, a non-security bug in libc
was fixed.
Solutions and Workarounds
=========================
Update your libc and your kernel.
To do a binary update, download
http://nyftp.netbsd.org/pub/NetBSD-daily/<YOUR_RELEASE>/<DATE>/<ARCH>/binary/sets/base.tgz
http://nyftp.netbsd.org/pub/NetBSD-daily/<YOUR_RELEASE>/<DATE>/<ARCH>/binary/sets/comp.tgz
and if you use a standard kernel
http://nyftp.netbsd.org/pub/NetBSD-daily/<YOUR_RELEASE>/<DATE>/<ARCH>/binary/kernel/<YOURKERNEL>.gz
Replace <YOUR_RELEASE> with the release you are running (look at the
output of the "uname -r" command, e.g. 5.1.2 would be netbsd-5-1),
<DATE> with any date later than the fix dates, and <ARCH> with your
machine arch (look at the output of the "uname -m" command, e.g. amd64
for modern PC machines). <YOURKERNEL> would be the name of the kernel
configuration your system is running, which can be found in the output
of "uname -v", e.g. "GENERIC" or "XEN3_DOMU".
Install the new kernel and reboot, then install the userland fixes:
cd /
tar xzpf $path_to/comp.tgz ./usr/share/man/html3/posix_spawn\*
tar xzpf $path_to/comp.tgz ./usr/share/man/man3/posix_spawn\*
tar xzpf $path_to/base.tgz ./lib/libc.so\* ./usr/lib/libc.so*
and reboot again.
To update from source:
Update kernel and libc source to a version newer than the fix date for your
branch. The files in the fix are:
FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0
lib/libc/gen/posix_spawn.3
1.5 1.2.2.1 1.2.8.1 1.2.6.1
lib/libc/gen/posix_spawn_file_actions_addopen.3
1.4 1.1.2.1 1.1.8.1 1.1.6.1
lib/libc/gen/posix_spawn_file_actions_init.3
1.4 1.1.2.1 1.1.8.1 1.1.6.1
lib/libc/gen/posix_spawn_fileactions.c
1.3 1.1.2.2 1.1.2.1.6.1 1.1.2.1.4.1
sys/compat/netbsd32/netbsd32_execve.c
1.38 1.33.2.3 1.33.2.2.2.1 1.33.2.1.4.2
sys/kern/kern_exec.c
1.373 1.339.2.7 1.339.2.6.2.1 1.339.2.5.4.2
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
system. In these instructions, replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/compat/netbsd32/netbsd32_execve.c
# cvs update -d -P sys/kern/kern_exec.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
http://www.NetBSD.org/docs/guide/en/chap-kernel.html
The following instructions describe how to upgrade your libc
binary by updating your source tree and rebuilding and installing
a new version of libc.
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P lib/libc/gen/posix_spawn_fileactions.c
# cvs update -d -P lib/libc/gen/posix_spawn.3
# cvs update -d -P lib/libc/gen/posix_spawn_file_actions_addopen.3
# cvs update -d -P lib/libc/gen/posix_spawn_file_actions_init.3
# cd lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# shutdown -r now
Thanks To
=========
Maxime Villard for pointing out the issue and preparing a patch.
Matt Thomas for suggesting the limit enforced now.
Revision History
================
2014-03-05 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-003.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-003.txt,v 1.1 2014/03/05 21:29:46 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJTF5dSAAoJEAZJc6xMSnBuAHEQAJT8RdnCVxGycm3N4qEC2Jd4
CM0jUcek/TzpkL2HnGJ33YjoFPeevC5wWJpvvd4InZgy6xg9zipYcnKXZaHB7o/k
aGcQXrklcMypJLmMjNKDr8hQVjsj5iYBnyOyV/XBxNAON27uWGY9EgQMKE/l95D4
XPnmtup2AEAn74dLzHRG+GbErVveBhPORSQUrTk5jF2L92qvRpd9WM4A+z/kpoms
6qwi+jqt0EYTnSjCiUzmDgGOk5Gu2wDicNKexTi11u+Cxg5l/9pTwHGbwkyp/q3h
mL6WB/xZa5R8nfCwgZJc/DuQjOoHU/5ogawL8LSAVBbBM6CKGrIGtJn2Y4n3zXuS
4VvNFBdkf/vRc7ata5VWUHKUkhTr+I7cxD0LuIf56CpduIiAFBcQ3gjaEOdGM+gR
z8bH5oZ3pezJvwEbibrJ79ZHTZ1C8qiKOVq5+dI3zAH1nSEilsJKan1nXaqP/rH+
V4OEhBQAdPWu88/W86d2w0XNRX/YBIozNuOcved1m/FT15TblBLxfrbBkaiwlP7S
MJmyvtpedfjYTBb4yTknLkVzxRSn4eeaNkReUmUN1SBDg1gEr+NClivpmPHDs7wB
nDBqzH0dwGzP3trRCPcrn9zdR6MwGLN5aMWtGKQ+h99fSeHyHSDR6myDFYC3Zz9M
+jwYYsntRPISkn+l/oZC
=hlyQ
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index