Info |
Last Modified: 10 months ago
|
|
Description |
NetBSD contains a flaw that may allow a local denial of service. The issue is triggered when a malicious user sets the msg_controllen variable of the msghdr struct in the sendmsg function to a value that exceeds bounds, which will cause a page fault trap or kernel panic, and will result in loss of availability for the platform.
|
|
Classification |
Location: Local Access Required
Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Availability
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
|
|
Technical |
sendmsg(2) accepts a pointer to struct msghdr, which holds further information for the call. The pointer to control information is passed via msg_control; msg_controllen holds the length of the control information. This is used to read the control information into kernel space and put it in an mbuf for further processing. However, the kernel attempts to allocate mbuf storage as specified in msg_controllen without further checks. This behaviour can be abused to cause a kernel page fault trap if the value is higher than INT_MAX, or to cause an 'out of space in kmem_map' panic for lower values. The exact size needed to cause the latter is port dependent, though INT_MAX is commonly enough to trigger the panic.
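An added illustration of the validation the paragraph above says is missing (not NetBSD's patch and not code from this entry): a userland C model that bounds a caller-supplied control length before allocating or copying. The names model_copyin_control and struct model_buf, and the MODEL_CONTROL_MAX cap, are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this model only; not a NetBSD constant. */
#define MODEL_CONTROL_MAX 2048u

/* Hypothetical stand-in for the mbuf that receives the control data. */
struct model_buf {
    size_t len;
    unsigned char *data;
};

/* Validate the length BEFORE allocating; returns 0 or an errno value. */
int model_copyin_control(const void *ucontrol, unsigned int controllen,
                         struct model_buf *out)
{
    out->len = 0;
    out->data = NULL;
    if (controllen == 0)
        return 0;                       /* no control data supplied */
    if (ucontrol == NULL)
        return EFAULT;
    /* Above INT_MAX: the page-fault case described in the entry. */
    if (controllen > (unsigned int)INT_MAX)
        return EINVAL;
    /* Lower but still oversized: the 'out of space in kmem_map' case. */
    if (controllen > MODEL_CONTROL_MAX)
        return EMSGSIZE;
    out->data = malloc(controllen);
    if (out->data == NULL)
        return ENOBUFS;
    memcpy(out->data, ucontrol, controllen);
    out->len = controllen;
    return 0;
}

int main(void)
{
    unsigned char cmsg[16] = {0};       /* constructed sample control data */
    struct model_buf b;
    printf("16 bytes  -> %d\n", model_copyin_control(cmsg, sizeof cmsg, &b));
    free(b.data);
    printf("INT_MAX   -> %d\n", model_copyin_control(cmsg, INT_MAX, &b));
    printf("INT_MAX+1 -> %d\n", model_copyin_control(cmsg, (unsigned)INT_MAX + 1u, &b));
    return 0;
}
```

Both oversized lengths are rejected before any allocation or copy takes place, so the length field alone can no longer drive the allocator.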
|
|
Solution |
Currently, there are no known workarounds or upgrades to correct this issue. However, NetBSD has released a patch to address this vulnerability.
|
|
Products |
NetBSD: 1.3, 1.3.1, 1.3.2, 1.3.3, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.5
|
|
|
|
Credit |
- Jaromir Dolecek (jdolecek at netbsd.org)
|
|