-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2013-012 ================================= Topic: Router Advertisement sysctl local Denial of Service Version: NetBSD-current: affected prior to 2013-12-18 NetBSD 6.2*: affected NetBSD 6.1*: affected NetBSD 5.2*: affected NetBSD 5.1*: affected Severity: Local user kernel crash Fixed: NetBSD-current: December 17, 2013 NetBSD-6 branch: December 17, 2013 NetBSD-6-1 branch: December 17, 2013 NetBSD-6-0 branch: December 17, 2013 NetBSD-5 branch: December 17, 2013 NetBSD-5-2 branch: December 17, 2013 NetBSD-5-1 branch: December 17, 2013 Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== When delivering the list of IPv6 prefixes and router advising the prefixes to userland, the kernel could crash on architectures that have strict alignment requirements (for example sparc64). Technical Details ================= Programs (run by unprivileged users) may query the kernel for a list of active IPv6 routing prefixes using the sysctl ICMPV6CTL_ND6_PRLIST. The kernel compiles and returns the list of routers advertising the routing prefixes. The kernel packing code assumed that misaligned memory accesses work, so it could crash on architectures where this is not the case. A simple way to trigger this issue was running the "ndp -p" command on IPv6 enabled kernels that had received router advisories. Note that NetBSD default kernels are IPv6 enabled. Similarly the bug existed in the userland ndp(8) binary, which would dump core when unpacking the list sent by the kernel. Solutions and Workarounds ========================= For a workaround, disable the ndp binary and don't run other tools that request the prefix list from the kernel until you have fixed your kernel. The following instructions describe how to upgrade your kernel by updating your source tree and rebuilding and installing a new kernel. For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), and KERNCONF with the name of your kernel configuration file. To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P sys/path/to/file.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.netbsd.org/docs/guide/en/chap-kernel.html # cd path/to/files The following instructions describe how to upgrade your ndp(8) binary by updating your source tree and rebuilding and installing a new version of ndp(8) * NetBSD-current: Systems running NetBSD-current dated from before 2013-12-17 should be upgraded to NetBSD-current dated 2013-12-18 or later. The following files/directories need to be updated from the netbsd-current CVS branch (aka HEAD): src/usr.sbin/ndp To update from CVS, re-build, and re-install npd(8): # cd src # cvs update -d -P src/usr.sbin/ndp # cd src/usr.sbin/ndp # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 6.*: Systems running NetBSD 6.* sources dated from before 2013-12-17 should be upgraded from NetBSD 6.* sources dated 2013-12-18 or later. The following files/directories need to be updated from the netbsd-6, netbsd-6-1 or netbsd-6-0 branches: src/usr.sbin/ndp To update from CVS, re-build, and re-install ndp(8): # cd src # cvs update -r -d -P src/usr.sbin/ndp # cd src/usr.sbin/ndp # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 5.*: Systems running NetBSD 5.* sources dated from before 2013-12-17 should be upgraded from NetBSD 5.* sources dated 2013-12-18 or later. The following files/directories need to be updated from the netbsd-5, netbsd-5-1 or netbsd-5-2 branches: src/usr.sbin/ndp To update from CVS, re-build, and re-install npd(8): # cd src # cvs update -r -d -P src/usr.sbin/ndp # cd src/usr.sbin/ndp # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Roy Marples for pointing out the issue. Revision History ================ 2013-12-19 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-012.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2013, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2013-012.txt,v 1.1 2013/12/19 20:33:56 tonnerre Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (NetBSD) iQIcBAEBAgAGBQJSs1j1AAoJEAZJc6xMSnBuebsQAMd4Mr+qoHWFchzF4VXUPvl6 EeOZUAyAH+WQ5cDr7Vdt0Y+sYEPgwM2l6ZQ3CuvgYWk7OzFrgcSd7Khw/zxPyv1Z XVHXde9PlDi4BUyVpTQtRkKpe0s4/yjDFisTvxxsWYwehd628ncHujTZo7bhq28D 1nflTU/TQGRREhofAi8oMuLOcAeTOM1RzhdTNXS2W4VjZU97lLZwI3vgDltrFSdi uSat0AZcDOPPdYSJubw2nz4TvKRg+hsdELaLE0EPlX7lPMMn4pLJjmicxb0X0KVl GL7QuogGAby137Xns3eGMx+IxHjBx3FP0a3FBsxD22HoQx5ZaU1JoFV2CY1n2xQO sWxer/BUlgSo7LJbmJ7XqGEIDM3YlrxfCxGaeTTP+z9MEAR0AvhR9uwL9zh1Hoou 6M1GzOydChN8+kFrGCvFYhRwegKv11NfK8GSrBQozpDsQcxZtrxvjEBLpjIRcNb1 SUsSn03A3uOBSiPtMQxv/oOq6TOXxeINBkLtY5m3zmVGrOHHhlMPl1ToxNBeQxJV zKJqmflhqR/JCmdRvPOl+FQxzFP9NT6oOKOHzt5O4SASqpSMRoV7wJi/aLfwQZ3Q wXTAEmNd9ZV1rKJ+TsRpkDo3zX/kSwgwCd0Trl+NyNAr968kh7QWTPHNPMCKh8t0 euL2KIxwARoTfnG/cZEV =Kfll -----END PGP SIGNATURE-----