-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 1998-005 --------------------------------- Topic: Problem with mmap(2) and many drivers. Version: NetBSD 1.3.2 and prior; NetBSD-current to 19981120. Severity: Local users may be able to access physical and device memory or cause system instability. Abstract - -------- Many character device drivers that provide mmap access do not properly bounds check their arguments. The impact of this varies widely across each affected driver. Some drivers allow access to portions of physical or device memory or may cause the system to panic or act unreliably. Technical Details - ----------------- The NetBSD character device d_mmap driver-provided service entry is called by the device page fault routine to check for valid access and return a machine dependent value (normally a physically address or a page frame number) used to create a virtual to physical address mapping. One of the arguments to the d_mmap() routine is `int offset;' which is a signed value. Many of the device drivers which implement mmap access do not properly check for negative values, each having different failure modes. For example, on NetBSD/i386 the text console drivers can be fooled into allowing the console user access to physical memory from 0 to 640KB, but on NetBSD/macppc, the console driver may allow the console user access to any memory location. The NetBSD d_mmap interface was inherited by NetBSD from 4.4BSD, and there may be problems in other 4.4BSD derived operating systems. Solutions and Workarounds - ------------------------- NetBSD 1.3.2 users should upgrade to NetBSD 1.3.3 when it becomes available, or apply the following patch to their kernel source and rebuild their kernel. ftp://ftp.netbsd.org/pub/NetBSD/misc/security/patches/19981120-d_mmap NetBSD-current users should update to a source tree newer than 19981120 and rebuild their kernel. If these actions can not be taken, the following section can be used to remove access to devices at the file system level, on a per-port and per-device basis. Port and Device Specific Details - -------------------------------- Below are the NetBSD port and device specific details for each of the affected drivers. These do not list `attacks' possible for someone who is already root, or do not elevate current access. This list may be incomplete or even incorrect; the best efforts have been made to ensure its accuracy in the time permitted. NetBSD/arm32 and NetBSD/i386 specific problems: The pccons and pcvt console drivers allow access from 0 to the base address of video memory (640KB). These drivers must be associated with the system console and are normally only exploitable to the user logged in on the console. Device: /dev/ttyv? NetBSD/arm32 specific problems: On the RISCPC and RC7500 models the physical console driver allows access from 0 to the base address of video memory. These drivers must be associated with the system console and the device nodes for these may not even exist. Device: no default device. NetBSD/mac68k specific problems: The grf console driver allows access from 0 to the base address of video memory. This driver must be associated with the system console and is normally only exploitable to the user logged in on the console. The Apple Sound Chip (asc) driver which provides access to Apple Sound and console bell support may allow access to page 0 to anyone. Both of these drivers may also cause unpredictable system activity. Devices: /dev/grf* & /dev/asc* NetBSD/macppc (not available in NetBSD 1.3.2) specific problems: The nvram d_mmap routine incorrectly returns EOPNOTSUPP instead of -1 to indicate error, possibly causing the system to panic. This is exploitable by anyone. The ofb driver allows console users access to any memory location. Devices: /dev/nvram and no default device for ofb. NetBSD/sparc specific problems: The cgeight and cgfour console drivers allow access from 0 to the base address of video memory (0x500000), or may cause unpredictable system activity. These drivers must be associated with the system console and are normally only exploitable to the user logged in on the console. Devices: /dev/fb, /dev/cgfour* & /dev/cgeight* NetBSD/vax specific problems: The smg console driver may allow the console user access to memory from 0 to 128KB and may cause the unpredictable system activity. Note that this not a problem in NetBSD/vax 1.3.2. Device: /dev/vt* PCI device specific problems: The tga console driver allow access from 0 to the base address of video memory. This drivers must be associated with the system console and is normally only exploitable to the user logged in on the console. Device: /dev/ttyE? Turbo Channel (pmax & alpha) device specific problems: The cfb, sfb, mfb and xcfb console drivers allow access from 0 to the base address of video memory, or may cause unpredictable system activity. These drivers must be associated with the system console and are normally only exploitable to the user logged in on the console. Note that these devices are only available in the TurboChannel Alpha models. Device: /dev/fb? (pmax) & /dev/ttyE? (alpha) Thanks To - --------- Many thanks to Chris G. Demetriou and Ted Lemon for finding the original problem. Chris also provided an initial investigation & analysis of the problem. Matthew Green found, analysed and fixed the system as a whole. Tsubai Masanari provided technical input for the NetBSD/macppc port and Kazuki Sakamoto provided technical input for the NetBSD/bebox port. More Information - ---------------- Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 1998, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA1998-005.txt,v 1.4 1998/11/20 04:40:15 mrg Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBNlTxdD5Ru2/4N2IFAQEBpQP+KdSAoBh/GAxt/7Jv8f/O6gPTd/oX2hS3 KBqSbeo1n8Ud/m7SH01aBBuI6UsVQWRAaBiWWkM7nXBNj4nliDGi+Le/iKzCPq6g deg3h19R3SiAvaWs/ySm0ttUNYYfOVsQyyMfg+bsxbSDbRpDykhmVhDu2lW4r541 7GI7AjvbQCQ= =q5Ki -----END PGP SIGNATURE-----