[Openindiana-announce] Fwd: NetBSD Security Advisory 2010-010: Buffer Length Handling Errors in netsmb

Gordon Ross gordon.w.ross at gmail.com
Thu Oct 21 18:53:41 UTC 2010 

In case anyone is concerned about the Security Advisory below, don't be.

The OpenIndiana smbfs support does NOT have the vulnerability
described below.  The operation described in Techincal Details
below is removed in build 119 and later. (CR 6587713).

best regards,
Gordon Ross

---------- Forwarded message ----------
From: NetBSD Security Officer <security-officer at netbsd.org>
Date: Thu, Oct 21, 2010 at 10:01 AM
Subject: NetBSD Security Advisory 2010-010: Buffer Length Handling
Errors in netsmb
To: NetBSD Announcements <netbsd-announce at netbsd.org>



                NetBSD Security Advisory 2010-010
                =================================

Topic:          Buffer Length Handling Errors in netsmb

Version:        NetBSD-current: source prior to July 13, 2010
               NetBSD 5.0.2:           affected
               NetBSD 5.0:             affected
               NetBSD 4.0.1:           affected
               NetBSD 4.0:             affected

Severity:       Local Kernel Memory Exhaustion DoS Attack

Fixed:          NetBSD-current:         July 13, 2010
               NetBSD-5-0 branch       July 17, 2010
               NetBSD-5 branch         July 17, 2010
               NetBSD-4-0 branch       July 23, 2010
               NetBSD-4 branch         July 23, 2010

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The netsmb filesystem kernel module was incorrectly checking buffer
limits, thus enabling a regular user to cause the kernel to allocate large
internal buffers to handle the request, which leads to memory exhaustion.


Technical Details
=================

The length parameters in ioctl SMBIOC_OPENSESSION were signed, and not
checked for being negative.


Solutions and Workarounds
=========================

Kernels that do not contain 'file-system SMBFS' and 'pseudo-device nsmb'
in their config are not affected.

- - Don't mount netsmb volumes.
- - Recompile and re-install the kernel.

 CVS branch    file                                    revision
 ------------- ----------------                        -----------
 HEAD          src/sys/netsmb/mchain.h                 1.9
 HEAD          src/sys/netsmb/smb_dev.h                1.7
 HEAD          src/sys/netsmb/smb_subr.c               1.35
 HEAD          src/sys/netsmb/smb_subr.h               1.19
 HEAD          src/sys/netsmb/subr_mchain.c            1.19

 netbsd-5-0    src/sys/netsmb/mchain.h                 1.7.58.1
 netbsd-5-0    src/sys/netsmb/smb_dev.h                1.6.80.1
 netbsd-5-0    src/sys/netsmb/smb_subr.c               1.32.12.1
 netbsd-5-0    src/sys/netsmb/smb_subr.h               1.18.12.1
 netbsd-5-0    src/sys/netsmb/subr_mchain.c            1.15.12.1

 netbsd-5      src/sys/netsmb/mchain.h                 1.7.52.1
 netbsd-5      src/sys/netsmb/smb_dev.h                1.6.74.1
 netbsd-5      src/sys/netsmb/smb_subr.c               1.32.6.1
 netbsd-5      src/sys/netsmb/smb_subr.h               1.18.6.1
 netbsd-5      src/sys/netsmb/subr_mchain.c            1.15.6.1

 netbsd-4-0    src/sys/netsmb/mchain.h                 1.6.34.1
 netbsd-4-0    src/sys/netsmb/smb_dev.h                1.6.52.1
 netbsd-4-0    src/sys/netsmb/smb_subr.c               1.29.8.1
 netbsd-4-0    src/sys/netsmb/smb_subr.h               1.16.46.1
 netbsd-4-0    src/sys/netsmb/subr_mchain.c            1.13.28.1

 netbsd-4      src/sys/netsmb/mchain.h                 1.6.24.1
 netbsd-4      src/sys/netsmb/smb_dev.h                1.6.12.1
 netbsd-4      src/sys/netsmb/smb_subr.c               1.29.2.1
 netbsd-4      src/sys/netsmb/smb_subr.h               1.16.6.1
 netbsd-4      src/sys/netsmb/subr_mchain.c            1.13.18.1

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

 ARCH     with your architecture (from uname -m), and
 BRANCH   with the appropriate CVS branch (from the above table)
 FILES    with the file names for that branch (from the above table)
 KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

       # cd src
       # cvs update -d -P -r BRANCH FILES
       # ./build.sh tools kernel=KERNCONF
       # mv /netbsd /netbsd.old
       # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
       # shutdown -r now

For more information on how to do this, see:

  http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Dan J. Rosenberg for discovering the bug and notifying us about it.
Christos Zoulas for fixing the problem.


Revision History
================

       2010-10-21      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
 http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-010.txt,v 1.1 2010/10/21 09:06:11 tonnerre Exp $

More information about the OpenIndiana-announce mailing list