NetBSD Security Advisory 2011-003
=================================

Topic:          Exhausting kernel memory from user controlled value

Version:        NetBSD-current:         source prior to March 4th, 2011
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected

Severity:       local DOS

Fixed:          NetBSD-current:         March 4th, 2011
                NetBSD-5-0 branch:      March 7th, 2011
                NetBSD-5-1 branch:      March 7th, 2011
                NetBSD-5 branch:        March 7th, 2011
                NetBSD-4-0 branch:      March 7th, 2011
                NetBSD-4 branch:        March 7th, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Kernel memory can be exhausted by a specially crafted program.
This may cause a panic.

Technical Details
=================

The handler for the kern.proc sysctl tree doesn't sanitize the input
and allocates kernel memory based on a user controllable value
(the number of command arguments). Depending on the circumstances,
this can either exhaust kernel memory or hit allocation assertions.

The vulnerability was found while refactoring ps_strings access.

Solutions and Workarounds
=========================

Patch, recompile, and reinstall the kernel, then reboot.

  CVS branch     file                          revision
  -------------  ----------------              --------
  HEAD           src/sys/kern/kern_proc.c      1.172
  netbsd-5-0     src/sys/kern/init_sysctl.c    1.149.4.4.2.4
  netbsd-5-1     src/sys/kern/init_sysctl.c    1.149.4.7.2.1
  netbsd-5       src/sys/kern/init_sysctl.c    1.149.4.8
  netbsd-4-0     src/sys/kern/init_sysctl.c    1.93.2.1.6.2
  netbsd-4       src/sys/kern/init_sysctl.c    1.93.2.3

The following instructions briefly summarize how to update and
recompile the kernel. In these instructions, replace:

  VERSION   with the fixed version from the appropriate CVS branch
            (from the above table)
  FILE      with the name of the file from the above table
  ARCH      with your architecture (from uname -m), and
  KERNCONF  with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -r VERSION FILE
        # ./build.sh kernel=KERNCONF
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd.new
        # mv /netbsd /netbsd.old && mv /netbsd.new /netbsd

then reboot:

        # shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Joerg Sonnenberger for finding the issue and providing a fix.

Revision History
================

        2011-03-08      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-003.txt,v 1.1 2011/03/08 01:43:30 tonnerre Exp $
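The pattern described under Technical Details, shown as an added userland illustration that is not part of the advisory and is not NetBSD source: an allocation sized from a caller-controlled argument count, next to the same routine with the count validated first. The function names, the simulated pool and the MAX_ARG_PTRS limit are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define POOL_BYTES   (64ull << 20)  /* constructed: size of the simulated kernel pool */
#define MAX_ARG_PTRS 4096u          /* assumed policy limit, not NetBSD's value */

static uint64_t pool_used;          /* bytes currently taken from the simulated pool */

/* Stand-in for a kernel allocator: accounting only, no real memory is touched. */
static int pool_alloc(uint64_t n)
{
    if (n > POOL_BYTES - pool_used)
        return ENOMEM;              /* a real kernel may panic or trip an assertion here */
    pool_used += n;
    return 0;
}

static void pool_free(uint64_t n) { pool_used -= n; }

/* BEFORE: the request size comes straight from a count the process controls. */
int args_unchecked(uint32_t nargs, uint64_t *asked)
{
    *asked = (uint64_t)nargs * sizeof(uint64_t);   /* one pointer-sized slot per argument */
    int error = pool_alloc(*asked);
    if (error == 0)
        pool_free(*asked);          /* copy-out would happen before this free */
    return error;
}

/* AFTER: an out-of-range count is rejected before the allocator is reached. */
int args_checked(uint32_t nargs, uint64_t *asked)
{
    *asked = 0;
    if (nargs > MAX_ARG_PTRS)
        return EINVAL;
    return args_unchecked(nargs, asked);
}

int main(void)
{
    uint64_t asked;
    int e1 = args_unchecked(UINT32_MAX, &asked);
    printf("unchecked: error=%d asked=%llu bytes\n", e1, (unsigned long long)asked);
    int e2 = args_checked(UINT32_MAX, &asked);
    printf("checked:   error=%d asked=%llu bytes\n", e2, (unsigned long long)asked);
    return 0;
}
```

In the unchecked path the allocator is asked for the full attacker-chosen size before anything can refuse it; in the checked path the request never reaches the allocator.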