                NetBSD Security Advisory 2017-004
                =================================

Topic:          buffer overflow via cmap for 4 graphics drivers

Version:        NetBSD-current:         source prior to June 13th
                NetBSD 8.0_BETA:        affected
                NetBSD 7.1:             affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       information leak and potential root compromise for
                authenticated user on affected graphics console

Fixed:          NetBSD-current:         June 13th
                NetBSD-8 branch:        June 15th
                NetBSD-7-1 branch:      June 15th
                NetBSD-7-0 branch:      June 15th
                NetBSD-7 branch:        June 15th
                NetBSD-6-0 branch:      June 15th
                NetBSD-6-1 branch:      June 15th
                NetBSD-6 branch:        June 15th

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An authenticated user on a wscons terminal with the following
graphics drivers:

        sbd (ews4800mips)
        bivideo (hpcsh)
        sti (hppa and hp300)
        pm (pmax)

could cause a buffer overflow when reading or writing the color map.


Technical Details
=================

Due to overflowable bounds checking when reading or writing the
color map using the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP
ioctls, the user that owns a /dev/ttyE* (i.e. is logged in on it)
could read kernel memory, or for all but bivideo, which doesn't
have a writable color map, write kernel memory.


Solutions and Workarounds
=========================

Solution: update the kernel with one built from source past the fix date.

There are no workarounds besides the obvious not allowing untrusted
users at the console.

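The kind of check described under Technical Details, as an added example
(not NetBSD driver source): an overflowable range test next to a form that
cannot wrap. The struct, CMAP_SIZE and the function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define CMAP_SIZE 256u     /* assumed palette size (constructed) */

struct cmap_req {          /* hypothetical, shaped like a cmap ioctl argument */
    unsigned int index;    /* first palette entry */
    unsigned int count;    /* number of entries */
};

/* Overflowable: index + count is unsigned and wraps, so a very large
 * count brings the sum back under CMAP_SIZE and the request passes. */
static int check_overflowable(const struct cmap_req *r)
{
    if (r->index >= CMAP_SIZE || r->index + r->count > CMAP_SIZE)
        return EINVAL;
    return 0;
}

/* Hardened: compare count with the room left after index. The subtraction
 * cannot wrap because index < CMAP_SIZE has already been established. */
static int check_hardened(const struct cmap_req *r)
{
    if (r->index >= CMAP_SIZE || r->count > CMAP_SIZE - r->index)
        return EINVAL;
    return 0;
}

static unsigned char palette[CMAP_SIZE];   /* stand-in for driver state */

/* GETCMAP-style read of the palette, gated by the hardened check. */
static int get_cmap(const struct cmap_req *r, unsigned char *out, size_t outlen)
{
    int error = check_hardened(r);
    if (error)
        return error;
    if (r->count > outlen)
        return EINVAL;
    memcpy(out, &palette[r->index], r->count);
    return 0;
}

int main(void)
{
    struct cmap_req wrap = { 1u, ~0u };    /* constructed: the sum wraps to 0 */
    /* exit 0 when the weak check accepts it and the hardened one rejects it */
    return !(check_overflowable(&wrap) == 0 && check_hardened(&wrap) == EINVAL);
}
```
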
Affected source files                 fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.16    1.15.10.1
sys/arch/pmax/ibus/pm.c               1.13    1.12.22.1
sys/dev/hpc/bivideo.c                 1.34    1.33.30.1
sys/dev/ic/sti.c                      1.19    1.18.20.1

++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.13.4.2   1.13.4.1.6.1 1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c               1.12.4.1   1.12.16.1    1.12.8.1
sys/dev/hpc/bivideo.c                 1.33.12.1  1.33.24.1    1.33.16.1
sys/dev/ic/sti.c                      1.18.2.1   1.18.14.1    1.18.6.1

++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.12.2.1   1.12.16.1    1.12.8.1
sys/arch/pmax/ibus/pm.c               1.11.2.1   1.11.16.1    1.11.8.1
sys/dev/hpc/bivideo.c                 1.32.14.1  1.32.22.1    1.32.20.1
sys/dev/ic/sti.c                      1.16.8.2   1.16.22.1    1.16.14.1


Thanks To
=========

Thanks to CTurt for reporting this set of issues.


Revision History
================

        2017-09-08      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2017-004.txt,v 1.2 2017/09/08 17:14:15 christos Exp $