-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-003
                 =================================

Topic:          posix_spawn unbounded kernel memory allocation

Version:        NetBSD-current: affected prior to 2014-02-02
                NetBSD 6.1*:    affected
                NetBSD 6.0*:    affected
                NetBSD 5.2*:    not affected
                NetBSD 5.1*:    not affected

Severity:       Local Unprivileged Denial of Service

Fixed:          NetBSD-current:         Feb 1st, 2014
                NetBSD-6 branch:        Feb 3rd, 2014
                NetBSD-6-1 branch:      Feb 3rd, 2014
                NetBSD-6-0 branch:      Feb 3rd, 2014


Abstract
========

Missing argument validation in the implementation of the posix_spawn
system call could be abused to cause the kernel to try to allocate
unlimited amounts of memory, causing a panic.


Technical Details
=================

The posix_spawn system call allows a userland process to pass a list of
file handle changes, to be applied in the newly created child process
before running the target binary. The kernel needs to allocate kernel
memory and copy the user process data into it. Missing argument
validation failed to put a limit on the size of this list and allowed a
malicious program to cause the kernel to run out of memory.

Since the number of file handles is limited for the calling (and the
to-be-created) process, and making multiple (repeated) changes to the
same file handle makes only limited sense (assume a non-malicious
program at most closes and reopens each file handle once), the maximum
list size will not exceed twice the number of allowed open file handles.
The kernel now enforces this limit before the allocation and fails the
posix_spawn system call otherwise. Libc was adjusted to deal with the
new limit in a graceful manner.

Additionally, a non-security bug in libc was fixed.


Solutions and Workarounds
=========================

Update your libc and your kernel.
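The bound described under Technical Details, as an added example that is not part of this advisory and not NetBSD's own kernel or libc code: a generic POSIX C program that (a) mimics the kernel-side check, rejecting a file-actions list longer than twice the per-process open-file limit before any allocation is made, with the unbounded "before" size computation beside it, and (b) wraps posix_spawn_file_actions_t in a counter so a userland program never builds a list past that bound, which is one way of "dealing with the limit gracefully". The struct layout, the EINVAL and E2BIG error codes, the use of RLIMIT_NOFILE as the handle limit, and all function names are assumptions for illustration; the advisory only states the limit itself.

```c
/* Added example, not NetBSD's code: the bound described in this advisory
 * written out for a generic POSIX system. Struct layout, error codes
 * (EINVAL, E2BIG), RLIMIT_NOFILE as the handle limit and the function
 * names are assumptions; the advisory only states the factor of two. */
#include <errno.h>
#include <spawn.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;

/* Stand-in for the kernel's copy of one file action (assumed layout). */
struct fa_entry { int type; int fd; int newfd; };

/* Each handle may be closed and reopened once: at most 2 * nofile entries.
 * Saturate rather than overflow when the limit is RLIM_INFINITY. */
static size_t fa_limit(rlim_t nofile)
{
    return nofile > SIZE_MAX / 2 ? SIZE_MAX : (size_t)nofile * 2;
}

/* "Before": the caller-supplied length feeds the allocation size directly;
 * a huge len requests an absurd amount of memory and the product can wrap. */
static size_t unchecked_alloc_size(size_t len)
{
    return len * sizeof(struct fa_entry);
}

/* "After": validate first. Returns 0 and the byte count, or EINVAL with
 * nothing allocated. The second test keeps the multiplication from wrapping. */
static int checked_alloc_size(size_t len, rlim_t nofile, size_t *bytes)
{
    if (len > fa_limit(nofile) || len > SIZE_MAX / sizeof(struct fa_entry))
        return EINVAL;
    *bytes = len * sizeof(struct fa_entry);
    return 0;
}

/* Userland side: a file-actions object that counts its entries and refuses
 * to grow past the bound, so posix_spawn() is never handed a list the
 * kernel would reject. limit == 0 derives the bound from RLIMIT_NOFILE. */
struct counted_fa {
    posix_spawn_file_actions_t fa;
    size_t len, limit;
};

static int counted_fa_init(struct counted_fa *c, size_t limit)
{
    struct rlimit rl;
    if (limit == 0) {
        if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
            return errno;
        limit = fa_limit(rl.rlim_cur);
    }
    c->len = 0;
    c->limit = limit;
    return posix_spawn_file_actions_init(&c->fa);
}

static int counted_fa_addclose(struct counted_fa *c, int fd)
{
    int r;
    if (c->len >= c->limit)
        return E2BIG;          /* refused here, before the kernel ever sees it */
    if ((r = posix_spawn_file_actions_addclose(&c->fa, fd)) == 0)
        c->len++;
    return r;
}

static void counted_fa_destroy(struct counted_fa *c)
{
    posix_spawn_file_actions_destroy(&c->fa);
    c->len = c->limit = 0;
}

/* Demo: spawn /bin/true with stdin closed in the child, then compare the
 * unchecked and checked allocation paths on an oversized list. */
int main(void)
{
    struct counted_fa c;
    char *argv[] = { "true", NULL };
    size_t huge = (size_t)1 << 40, bytes;
    pid_t pid;
    int r, status;

    if ((r = counted_fa_init(&c, 0)) != 0 ||
        (r = counted_fa_addclose(&c, STDIN_FILENO)) != 0 ||
        (r = posix_spawn(&pid, "/bin/true", &c.fa, NULL, argv, environ)) != 0) {
        fprintf(stderr, "spawn setup failed: %s\n", strerror(r));
        return 1;
    }
    waitpid(pid, &status, 0);
    printf("child exit %d; %zu action(s), limit %zu\n",
           WEXITSTATUS(status), c.len, c.limit);
    /* c.limit / 2 is the RLIMIT_NOFILE value the limit was derived from. */
    printf("unchecked: %zu entries -> %zu bytes\n", huge, unchecked_alloc_size(huge));
    r = checked_alloc_size(huge, (rlim_t)(c.limit / 2), &bytes);
    printf("checked:   %zu entries -> %s\n", huge, r ? strerror(r) : "allowed");
    counted_fa_destroy(&c);
    return 0;
}
```

Build with "cc -o fa_limit fa_limit.c" on any system with posix_spawn(3). NetBSD's own kernel does its accounting in sys/kern/kern_exec.c and the exact limit source there may differ from RLIMIT_NOFILE; the point of the example is the order of operations, validate the caller-supplied length before sizing the allocation, and a userland guard that keeps a well-behaved program inside the bound.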
To do a binary update, download

    http://nyftp.netbsd.org/pub/NetBSD-daily/<BRANCH>/<DATE>/<ARCH>/binary/sets/base.tgz
    http://nyftp.netbsd.org/pub/NetBSD-daily/<BRANCH>/<DATE>/<ARCH>/binary/sets/comp.tgz

and if you use a standard kernel

    http://nyftp.netbsd.org/pub/NetBSD-daily/<BRANCH>/<DATE>/<ARCH>/binary/kernel/<KERNCONF>.gz

Replace <BRANCH> with the release you are running (look at the output of
the "uname -r" command, e.g. 5.1.2 would be netbsd-5-1), <DATE> with any
date later than the fix dates, and <ARCH> with your machine arch (look at
the output of the "uname -m" command, e.g. amd64 for modern PC machines).
<KERNCONF> would be the name of the kernel configuration your system is
running, which can be found in the output of "uname -v", e.g. "GENERIC"
or "XEN3_DOMU".

Install the new kernel and reboot, then install the userland fixes:

    cd /
    tar xzpf $path_to/comp.tgz ./usr/share/man/html3/posix_spawn\*
    tar xzpf $path_to/comp.tgz ./usr/share/man/man3/posix_spawn\*
    tar xzpf $path_to/base.tgz ./lib/libc.so\* ./usr/lib/libc.so\*

and reboot again.

To update from source:

Update kernel and libc source to a version newer than the fix date for
your branch. The files in the fix are:

FILE                                             HEAD   netbsd-6   netbsd-6-1     netbsd-6-0
lib/libc/gen/posix_spawn.3                       1.5    1.2.2.1    1.2.8.1        1.2.6.1
lib/libc/gen/posix_spawn_file_actions_addopen.3  1.4    1.1.2.1    1.1.8.1        1.1.6.1
lib/libc/gen/posix_spawn_file_actions_init.3     1.4    1.1.2.1    1.1.8.1        1.1.6.1
lib/libc/gen/posix_spawn_fileactions.c           1.3    1.1.2.2    1.1.2.1.6.1    1.1.2.1.4.1
sys/compat/netbsd32/netbsd32_execve.c            1.38   1.33.2.3   1.33.2.2.2.1   1.33.2.1.4.2
sys/kern/kern_exec.c                             1.373  1.339.2.7  1.339.2.6.2.1  1.339.2.5.4.2

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
system. In these instructions, replace:

    ARCH      with your architecture (from uname -m), and
    KERNCONF  with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P sys/compat/netbsd32/netbsd32_execve.c
    # cvs update -d -P sys/kern/kern_exec.c
    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:

    http://www.NetBSD.org/docs/guide/en/chap-kernel.html

The following instructions describe how to upgrade your libc binary by
updating your source tree and rebuilding and installing a new version
of libc.

To update from CVS, re-build, and re-install libc:

    # cd src
    # cvs update -d -P lib/libc/gen/posix_spawn_fileactions.c
    # cvs update -d -P lib/libc/gen/posix_spawn.3
    # cvs update -d -P lib/libc/gen/posix_spawn_file_actions_addopen.3
    # cvs update -d -P lib/libc/gen/posix_spawn_file_actions_init.3
    # cd lib/libc
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install
    # shutdown -r now


Thanks To
=========

Maxime Villard for pointing out the issue and preparing a patch.
Matt Thomas for suggesting the limit enforced now.


Revision History
================

2014-03-05      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-003.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-003.txt,v 1.1 2014/03/05 21:29:46 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTF5dSAAoJEAZJc6xMSnBuAHEQAJT8RdnCVxGycm3N4qEC2Jd4
CM0jUcek/TzpkL2HnGJ33YjoFPeevC5wWJpvvd4InZgy6xg9zipYcnKXZaHB7o/k
aGcQXrklcMypJLmMjNKDr8hQVjsj5iYBnyOyV/XBxNAON27uWGY9EgQMKE/l95D4
XPnmtup2AEAn74dLzHRG+GbErVveBhPORSQUrTk5jF2L92qvRpd9WM4A+z/kpoms
6qwi+jqt0EYTnSjCiUzmDgGOk5Gu2wDicNKexTi11u+Cxg5l/9pTwHGbwkyp/q3h
mL6WB/xZa5R8nfCwgZJc/DuQjOoHU/5ogawL8LSAVBbBM6CKGrIGtJn2Y4n3zXuS
4VvNFBdkf/vRc7ata5VWUHKUkhTr+I7cxD0LuIf56CpduIiAFBcQ3gjaEOdGM+gR
z8bH5oZ3pezJvwEbibrJ79ZHTZ1C8qiKOVq5+dI3zAH1nSEilsJKan1nXaqP/rH+
V4OEhBQAdPWu88/W86d2w0XNRX/YBIozNuOcved1m/FT15TblBLxfrbBkaiwlP7S
MJmyvtpedfjYTBb4yTknLkVzxRSn4eeaNkReUmUN1SBDg1gEr+NClivpmPHDs7wB
nDBqzH0dwGzP3trRCPcrn9zdR6MwGLN5aMWtGKQ+h99fSeHyHSDR6myDFYC3Zz9M
+jwYYsntRPISkn+l/oZC
=hlyQ
-----END PGP SIGNATURE-----