COMMAND
mmap
SYSTEMS AFFECTED
NetBSD 1.3.2 and prior; NetBSD-current to 19981120.
PROBLEM
The following is based on the NetBSD Security Advisory. Many character
device drivers that provide mmap access do not properly bounds
check their arguments. The impact of this varies widely across
each affected driver. Some drivers allow access to portions of
physical or device memory or may cause the system to panic or act
unreliably.
The NetBSD character device d_mmap driver-provided service entry
is called by the device page fault routine to check for valid
access and return a machine dependent value (normally a physical
address or a page frame number) used to create a virtual to
physical address mapping. One of the arguments to the d_mmap()
routine is `int offset;' which is a signed value. Many of the
device drivers which implement mmap access do not properly check
for negative values, each having different failure modes. For
example, on NetBSD/i386 the text console drivers can be fooled
into allowing the console user access to physical memory from 0 to
640KB, but on NetBSD/macppc, the console driver may allow the
console user access to any memory location. The NetBSD d_mmap
interface was inherited by NetBSD from 4.4BSD, and there may be
problems in other 4.4BSD derived operating systems.
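The bug class described above, as an added illustration that is not code from the advisory or from any NetBSD driver: an invented framebuffer driver's d_mmap routine in its vulnerable and hardened forms, plus the macppc nvram error-return pitfall described later in this advisory. The constants FB_BASE and FB_SIZE and all function names are constructed for the example; the only real convention shown is the 4.4BSD d_mmap contract (signed `int off', -1 as the sole error value, any other value taken as a physical address).

```c
#include <errno.h>
#include <stdio.h>

/*
 * Illustrative framebuffer constants (constructed for this example; not the
 * values of any real NetBSD driver).  The device exposes FB_SIZE bytes of
 * video memory starting at physical address FB_BASE.
 */
#define FB_BASE 0x500000L
#define FB_SIZE 0x100000L

/*
 * Vulnerable d_mmap pattern.  The 4.4BSD/NetBSD d_mmap entry takes a signed
 * `int off'; this routine only checks the upper bound, so a negative offset
 * passes and the returned physical address lies below the device's memory.
 */
long fb_mmap_vulnerable(int off, int prot)
{
    (void)prot;
    if (off >= FB_SIZE)
        return -1;                      /* -1 is the only error value */
    return FB_BASE + off;               /* negative off: address < FB_BASE */
}

/* Hardened pattern: reject negative offsets before doing any arithmetic. */
long fb_mmap_fixed(int off, int prot)
{
    (void)prot;
    if (off < 0 || off >= FB_SIZE)
        return -1;
    return FB_BASE + off;
}

/*
 * Second pitfall (the macppc nvram case in this advisory): returning a
 * positive errno instead of -1.  The device pager treats any value other
 * than -1 as a valid physical address, so EOPNOTSUPP (a small positive
 * number) would be installed as a mapping of a physical address in page 0.
 */
long nvram_mmap_wrong(int off, int prot)
{
    (void)off; (void)prot;
    return EOPNOTSUPP;                  /* wrong: looks like a valid address */
}

long nvram_mmap_fixed(int off, int prot)
{
    (void)off; (void)prot;
    return -1;                          /* correct way to refuse the mapping */
}

/*
 * The device pager's side of the contract, reduced to the essential check:
 * returns 1 if the driver's value would be installed as a mapping and lies
 * outside the device's own memory (FB_BASE .. FB_BASE+FB_SIZE), i.e. the
 * driver failed to contain the caller.  -1 means the mapping was refused.
 */
int mapping_escapes_device(long paddr)
{
    if (paddr == -1)
        return 0;                       /* refused; nothing is mapped */
    return paddr < FB_BASE || paddr >= FB_BASE + FB_SIZE;
}

int main(void)
{
    int off = -0x1000;                  /* one page below the device */
    long v = fb_mmap_vulnerable(off, 0);
    printf("vulnerable: off=%d -> %#lx escapes=%d\n",
           off, v, mapping_escapes_device(v));
    printf("fixed:      off=%d -> %ld\n", off, fb_mmap_fixed(off, 0));
    printf("nvram wrong returns %ld (escapes=%d), fixed returns %ld\n",
           nvram_mmap_wrong(0, 0),
           mapping_escapes_device(nvram_mmap_wrong(0, 0)),
           nvram_mmap_fixed(0, 0));
    return 0;
}
```

The check that matters is the `off < 0` test placed before the offset is added to the base: the upper-bound test alone cannot catch a negative signed offset. The nvram half shows why the error convention must be honoured exactly; an errno value is a valid-looking address to the pager, so mapping_escapes_device() reports it as escaping the device range just as the negative offset does.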
Below are the NetBSD port and device specific details for each of
the affected drivers. These do not list `attacks' that are only
possible for someone who is already root, or that do not elevate
current access. This list may be incomplete or even incorrect; the
best efforts have been made to ensure its accuracy in the time
permitted.
NetBSD/arm32 and NetBSD/i386 specific problems:
===============================================
The text console drivers allow access from 0 to the base address
of video memory (640KB). These drivers must be associated with
the system console and are normally only exploitable to the user
logged in on the console.
Device: /dev/ttyv?
NetBSD/arm32 specific problems:
===============================
On the RISCPC and RC7500 models the physical console driver
allows access from 0 to the base address of video memory.
These drivers must be associated with the system console and
the device nodes for these may not even exist.
Device: no default device.
NetBSD/mac68k specific problems:
================================
The grf console driver allows access from 0 to the base
address of video memory. This driver must be associated with
the system console and is normally only exploitable to the
user logged in on the console. The Apple Sound Chip (asc)
driver which provides access to Apple Sound and console bell
support may allow access to page 0 to anyone. Both of these
drivers may also cause unpredictable system activity.
Devices: /dev/grf* & /dev/asc*
NetBSD/macppc (not available in NetBSD 1.3.2) specific problems:
================================================================
The nvram d_mmap routine incorrectly returns EOPNOTSUPP
instead of -1 to indicate error, possibly causing the system
to panic. This is exploitable by anyone. The ofb driver
allows console users access to any memory location.
Devices: /dev/nvram and no default device for ofb.
NetBSD/sparc specific problems:
===============================
The cgeight and cgfour console drivers allow access from 0 to
the base address of video memory (0x500000), or may cause
unpredictable system activity. These drivers must be
associated with the system console and are normally only
exploitable to the user logged in on the console.
Devices: /dev/fb, /dev/cgfour* & /dev/cgeight*
NetBSD/vax specific problems:
=============================
The smg console driver may allow the console user access to
memory from 0 to 128KB and may cause unpredictable system
activity. Note that this is not a problem in NetBSD/vax 1.3.2.
Device: /dev/vt*
PCI device specific problems:
=============================
The tga console driver allows access from 0 to the base address
of video memory. This driver must be associated with the
system console and is normally only exploitable to the user
logged in on the console.
Device: /dev/ttyE?
Turbo Channel (pmax & alpha) device specific problems:
======================================================
The cfb, sfb, mfb and xcfb console drivers allow access from 0
to the base address of video memory, or may cause
unpredictable system activity. These drivers must be
associated with the system console and are normally only
exploitable to the user logged in on the console. Note that
these devices are only available in the TurboChannel Alpha
models.
Device: /dev/fb? (pmax) & /dev/ttyE? (alpha)
This problem was found by Chris G. Demetriou and Ted Lemon.
SOLUTION
NetBSD 1.3.2 users should upgrade to NetBSD 1.3.3 when it becomes
available, or apply the following patch to their kernel source and
rebuild their kernel:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/patches/19981120-d_mmap