-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2010-006 ================================= Topic: Buffer length checking errors in CODA Version: NetBSD-current: affected prior to July 20, 2010 NetBSD 5.0.2: affected NetBSD 5.0.1: affected NetBSD 5.0: affected NetBSD 4.0.1: affected NetBSD 4.0: affected Severity: Local Kernel Memory Information Disclosure Fixed: NetBSD-current: Jul 20, 2010 NetBSD-5 branch Aug 26, 2010 NetBSD-5-0 branch Aug 26, 2010 NetBSD-4 branch Aug 4, 2010 NetBSD-4-0 branch Aug 4, 2010 Please note that NetBSD releases prior to 4.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== The CODA filesystem kernel module was incorrectly checking buffer limits enabling a regular user read access to kernel memory. Technical Details ================= The type of the size parameters in the vice ioctl was signed short, and by using negative values, the size checks where sometimes bypassed. Solutions and Workarounds ========================= - - Don't mount coda volumes. - - Recompile and re-install the kernel. CVS branch file revision ------------- ---------------- ----------- HEAD src/sys/coda/coda.h 1.16 HEAD src/sys/coda/coda_venus.c 1.28 HEAD src/sys/coda/coda_vnops.c 1.76 netbsd-4 src/sys/coda/coda.h 1.13.28.1 netbsd-4 src/sys/coda/coda_venus.c 1.24.0.12 netbsd-4 src/sys/coda/coda_vnops.c 1.50.0.8 netbsd-4-0 src/sys/coda/coda.h 1.13.0.28 netbsd-4-0 src/sys/coda/coda_venus.c 1.24.0.22 netbsd-4-0 src/sys/coda/coda_vnops.c 1.50.0.3.0.4 netbsd-5 src/sys/coda/coda.h 1.13.0.52 netbsd-5 src/sys/coda/coda_venus.c 1.25.0.52 netbsd-5 src/sys/coda/coda_vnops.c 1.68.0.22 netbsd-5-0 src/sys/coda/coda.h 1.13.0.58 netbsd-5-0 src/sys/coda/coda_venus.c 1.25.0.58 netbsd-5-0 src/sys/coda/coda_vnops.c 1.68.0.26 The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), and BRANCH with the appropriate CVS branch (from the above table) FILES with the file names for that branch (from the above table) KERNCONF with the name of your kernel configuration file. To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P -r BRANCH FILES # ./build.sh tools kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/guide/en/chap-kernel.html Thanks To ========= Dan J. Rosenberg for discovering and notifying us about the bug, and Christos Zoulas for fixing the problem. Revision History ================ 2010-08-25 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-006.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2010-006.txt,v 1.2 2010/08/25 21:54:36 tonnerre Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (NetBSD) iQIcBAEBAgAGBQJMdZFSAAoJEAZJc6xMSnBuQ4YP/AyEm4d8qnHbpT4i9BFS4TK1 czbEwA6SJj4510cpTaGOfbIzzzDo6KbHgxZkrfcfK8sPx5JLkRmvyP+92+jvOnFX d+F5iPjGD877lQREv2hN9jjxme59ftkhBpj0JY7oSBQaQnb7YiCPT08zobaOMGmR WF6XAQtlZA9wGYGzf0Pp6H+r7/XBHAVNh2tNyoSfFNu6JPN3zT7wZ9ewiuf9/3oE XNxZyVvZ4QzS2XA+TrQk4G29FUcf1LlwDwvl3J+wHM2Al9cIYN2yhYRK6c/igJJM ylhxPp8R7Z0gO5Smsz1T9QVM1VlKbxwugRf6g2nIBQsuT5uNRBGSX6WXuG12P9Y0 piB07nQensnJO6XsgSwScd4cwVfUHbrxk1YdhHzIKwtppeTJtLzwYuJIQa4BP6Xh RA/ju3Y/rDd28ReXLH6XG4gPbzC5vgv1qpdDNTf6ICxdXVpurYSCeZyXJmn1AQfo sfdzeasgI6gPPMStPavKpgDOijfaYUBnM9X35zBsE2uf8JiYZESKsKeh39jeBegX hVl3fJsTtjIYRyunb8Fpf0Fcly6T6byPTQBojI0c0OWKF5h1AxkPK7J1adXIMxya OZaZ1VztwkGb+gyS1S32Al/rUTx2D0+yT1zICCGrdY/9+NUkjZJBHsupYmLQwMt8 rxnEG/wkDKIGnmyu3kOB =vFMO -----END PGP SIGNATURE-----