LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 7th, 2014
Linux Advisory Watch: April 4th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
NetBSD-SA1998-005 mmap(2) device driver vulnerabilties Print E-mail
User Rating:      How can I rate this item?
Posted by LinuxSecurity.com Team   
NetBSD Problem with mmap(2) and many drivers
-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 1998-005
                 ---------------------------------

Topic:          Problem with mmap(2) and many drivers.
Version:        NetBSD 1.3.2 and prior; NetBSD-current to 19981120.
Severity:       Local users may be able to access physical and device
                memory or cause system instability.


Abstract
- --------

Many character device drivers that provide mmap access do not properly
bounds check their arguments.  The impact of this varies widely across
each affected driver.  Some drivers allow access to portions of physical
or device memory or may cause the system to panic or act unreliably.


Technical Details
- -----------------

The NetBSD character device d_mmap driver-provided service entry is
called by the device page fault routine to check for valid access and
return a machine dependent value (normally a physically address or a page
frame number) used to create a virtual to physical address mapping.  One
of the arguments to the d_mmap() routine is `int offset;' which is a
signed value.  Many of the device drivers which implement mmap access
do not properly check for negative values, each having different
failure modes.

For example, on NetBSD/i386 the text console drivers can be fooled
into allowing the console user access to physical memory from 0 to
640KB, but on NetBSD/macppc, the console driver may allow the console
user access to any memory location.

The NetBSD d_mmap interface was inherited by NetBSD from 4.4BSD, and
there may be problems in other 4.4BSD derived operating systems.


Solutions and Workarounds
- -------------------------

NetBSD 1.3.2 users should upgrade to NetBSD 1.3.3 when it becomes
available, or apply the following patch to their kernel source and
rebuild their kernel.

  ftp://ftp.netbsd.org/pub/NetBSD/misc/security/patches/19981120-d_mmap

NetBSD-current users should update to a source tree newer than
19981120 and rebuild their kernel.

If these actions can not be taken, the following section can be used to
remove access to devices at the file system level, on a per-port and
per-device basis.


Port and Device Specific Details
- --------------------------------

Below are the NetBSD port and device specific details for each of the
affected drivers.  These do not list `attacks' possible for someone who
is already root, or do not elevate current access.  This list may be
incomplete or even incorrect; the best efforts have been made to ensure
its accuracy in the time permitted.


NetBSD/arm32 and NetBSD/i386 specific problems:
        The pccons and pcvt console drivers allow access from 0 to
        the base address of video memory (640KB).  These drivers must
        be associated with the system console and are normally only
        exploitable to the user logged in on the console.

        Device: /dev/ttyv?

NetBSD/arm32 specific problems:
        On the RISCPC and RC7500 models the physical console driver
        allows access from 0 to the base address of video memory. 
        These drivers must be associated with the system console and
        the device nodes for these may not even exist.

        Device: no default device.

NetBSD/mac68k specific problems:
        The grf console driver allows access from 0 to the base address of
        video memory.  This driver must be associated with the system
        console and is normally only exploitable to the user logged in on
        the console.  The Apple Sound Chip (asc) driver which provides
        access to Apple Sound and console bell support may allow access to
        page 0 to anyone.  Both of these drivers may also cause
        unpredictable system activity.

        Devices: /dev/grf* & /dev/asc*

NetBSD/macppc (not available in NetBSD 1.3.2) specific problems:
        The nvram d_mmap routine incorrectly returns EOPNOTSUPP instead
        of -1 to indicate error, possibly causing the system to panic.
        This is exploitable by anyone.
        The ofb driver allows console users access to any memory location.

        Devices: /dev/nvram and no default device for ofb.

NetBSD/sparc specific problems:
        The cgeight and cgfour console drivers allow access from 0 to
        the base address of video memory (0x500000), or may cause
        unpredictable system activity.  These drivers must be associated
        with the system console and are normally only exploitable to the
        user logged in on the console.

        Devices: /dev/fb, /dev/cgfour* & /dev/cgeight*

NetBSD/vax specific problems:
        The smg console driver may allow the console user access to memory
        from 0 to 128KB and may cause the unpredictable system activity.
        Note that this not a problem in NetBSD/vax 1.3.2.

        Device: /dev/vt*

PCI device specific problems:
        The tga console driver allow access from 0 to the base address of
        video memory.  This drivers must be associated with the system
        console and is normally only exploitable to the user logged in on
        the console.

        Device: /dev/ttyE?

Turbo Channel (pmax & alpha) device specific problems:
        The cfb, sfb, mfb and xcfb console drivers allow access from 0
        to the base address of video memory, or may cause unpredictable
        system activity.  These drivers must be associated with the system
        console and are normally only exploitable to the user logged in on
        the console.  Note that these devices are only available in the
        TurboChannel Alpha models.

        Device: /dev/fb? (pmax) & /dev/ttyE? (alpha)


Thanks To
- ---------

Many thanks to Chris G. Demetriou  and Ted Lemon
 for finding the original problem.  Chris also
provided an initial investigation & analysis of the problem.
Matthew Green  found, analysed and fixed the
system as a whole.  Tsubai Masanari  provided
technical input for the NetBSD/macppc port and Kazuki Sakamoto
 provided technical input for the NetBSD/bebox
port.


More Information
- ----------------

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1998, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA1998-005.txt,v 1.4 1998/11/20 04:40:15 mrg Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNlTxdD5Ru2/4N2IFAQEBpQP+KdSAoBh/GAxt/7Jv8f/O6gPTd/oX2hS3
KBqSbeo1n8Ud/m7SH01aBBuI6UsVQWRAaBiWWkM7nXBNj4nliDGi+Le/iKzCPq6g
deg3h19R3SiAvaWs/ySm0ttUNYYfOVsQyyMfg+bsxbSDbRpDykhmVhDu2lW4r541
7GI7AjvbQCQ=
=q5Ki
-----END PGP SIGNATURE-----
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
'Snowden effect' has changed cloud data security assumption, survey claims
Galaxy S5 fingerprint scanner hacked with glue mould
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.