NetBSD Security Advisory 2011-003: Exhausting kernel memory from user controlled value

Kernel memory can be exhausted by a specially crafted program. This may cause a panic.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

         NetBSD Security Advisory 2011-003
         =================================

Topic:        Exhausting kernel memory from user controlled value


Version:    NetBSD-current:        source prior to March 4th, 2011
        NetBSD 5.0.*:        affected
        NetBSD 5.0:        affected
        NetBSD 5.1:        affected
        NetBSD 4.0.*:        affected
        NetBSD 4.0:        affected

Severity:    local DOS

Fixed:        NetBSD-current:        March 4th, 2011
        NetBSD-5-0 branch:    March 7th, 2011
        NetBSD-5-1 branch:    March 7th, 2011
        NetBSD-5 branch:    March 7th, 2011
        NetBSD-4-0 branch:    March 7th, 2011
        NetBSD-4 branch:    March 7th, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Kernel memory can be exhausted by a specially crafted program.
This may cause a panic.


Technical Details
=================

The handler for the kern.proc sysctl tree doesn't sanitize the input
and allocates kernel memory based on a user controllable value (the
number of command arguments).
Depending on the circumstances, this can either exhaust kernel memory
or hit allocation assertions.

The vulnerability was found while refactoring ps_strings access.


Solutions and Workarounds
=========================

Patch, recompile, and reinstall the kernel, then reboot.

  CVS branch    file                    revision
  -------------    ----------------            --------
  HEAD        src/sys/kern/kern_proc.c        1.172
  netbsd-5-0    src/sys/kern/init_sysctl.c        1.149.4.4.2.4
  netbsd-5-1    src/sys/kern/init_sysctl.c        1.149.4.7.2.1
  netbsd-5    src/sys/kern/init_sysctl.c        1.149.4.8
  netbsd-4-0    src/sys/kern/init_sysctl.c        1.93.2.1.6.2
  netbsd-4    src/sys/kern/init_sysctl.c        1.93.2.3


The following instructions briefly summarize how to update and
recompile the kernel. In these instructions, replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -r VERSION FILE
        # ./build.sh kernel=KERNCONF
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd.new
        # mv /netbsd /netbsd.old && mv /netbsd.new /netbsd

then reboot:

        # shutdown -r now

For more information on how to do this, see:    

   http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Joerg Sonnenberger for finding the issue and providing a fix.


Revision History
================

    2011-03-08    Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-003.txt.asc,v 1.1 2011/03/08 01:45:21 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJNdYnyAAoJEAZJc6xMSnBuNlsP/0yuYnwAdZm8VcJd4he+UK3O
lARF0DzKpCixXMi8X3jiUqZReJCeLMAw0Y+SwdBRJz6s+ZZzI2D0Rq86R40A0ZmO
ehhDfWezocrcZMw1rrApS++UBlOCeZ3lTlkwziYIUGfWHhy/1LT7YgwAUHVO9l5H
M/eLEPvltkh/aoNizHAS/OSiEWlwOZ3hNq4TFir6DXVl8uOVOapusx2ca3keT2tw
YX8OcMJX6mp+6o7ROLBijfgnTsgqSWYabLztLG+tsTfQiCKw032iB9OFig91G130
yuyd+vpNUm9delRxNiu7lTkYVllbGwS7iLvelxfVmn4/PuRuvogtjin+N8vEmjRE
s5lILc8xEfbhjKWHQvQVCpa3gyBZf9sRWXdlGxiEBCcOrOzE31xscx18V2CJ5MS6
g037GhCYBSR+8x2fkuJPj/xyoyEqOK9bFCRc0zjIW4iMa0kIHLi93FlX916bhB1p
AP8paZzRpYq26UE5nWbOIuc3E4wky29SxmS4diCTDJB+Pg17rfdyzPbZ4S6enlmE
9xzlEheUnroW9X5bdiNWAmTDdLfwUj7qFSLAZWBU7HIfyE9Qkua3TT5ieDPHhEX8
oi4hiEakNmpnpIIKBFi3V2F0H80Gq6mF25kqVZjO0ySIROaZ6HnBKy9s/qWIFgCA
DDIuInrMt8YIHUeXzwXv
=1xTH
-----END PGP SIGNATURE-----

Telegram Подписывайтесь на канал "SecurityLab" в Telegram, чтобы первыми узнавать о новостях и эксклюзивных материалах по информационной безопасности.