NetBSD-SA2005-002
Thursday, 30 June 2005 - Written by: Artur Kulda (1190 views)
Topic:      Local DoS via audio device with specific drivers

Version:    NetBSD-current: source prior to June 13, 2005
            NetBSD 2.0.2:   affected
            NetBSD 2.0.1:   affected
            NetBSD 2.0:     affected
            NetBSD 1.6.2:   affected
            NetBSD 1.6.1:   affected
            NetBSD 1.6:     affected

Severity:   local user with access to audio device can cause kernel trap

Fixed:      NetBSD-current:    June 12, 2005
            NetBSD-3.0 branch: June 12, 2005 (3.0 will include the fix)
            NetBSD-2.0 branch: June 13, 2005 (2.0.3 and 2.1 will include the fix)
            NetBSD-1.6 branch: June 17, 2005 (1.6.3 will include the fix)

Abstract

With CS4280/4281, or SB Live, or SB PC 512 audio hardware, a local user
of the audio device can crash the machine through the ioctl system call.

Technical Details

The set-parameters ioctl() call of the audio subsystem allows programs
to set audio stream parameters as well as the pause state, the internal
ring buffer, and audio DMA block size used.

When pause state was set to "unpaused" in the same ioctl() call as
changing the block size information, playing/recording used to be
started without recomputing the buffering parameters. Some drivers would
use this information in a division by zero, thus crashing the kernel.

The clcs and emuxki drivers are affected. If you do not have Cirrus
Logic CS4280/CS4281, SB Live!, or SB PC 512 hardware installed in a
system, then this vulnerability does not affect that system.

Solutions and Workarounds

The common part of the audio subsystem has been changed to ensure that
the device parameters are not left in an uninitialized state. So, while
the vulnerability was exposed by certain drivers, the fix is in the
device-independent audio code.
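
The ordering problem and the shape of the fix, as an added userland model (not NetBSD source and not part of the advisory). All names are hypothetical, and the model assumes that a block-size change leaves the computed block size at zero until the buffering parameters are recomputed.

```c
/* Added illustration: a userland model of the ordering bug, not NetBSD source.
 * Every name is hypothetical. Assumption: a block-size change leaves the
 * computed block size at 0 until the buffering parameters are recomputed. */
#include <stdio.h>
struct model_audio { int bufsize, req_blksize, blksize, paused, nblks; };
struct model_setinfo { int new_blksize; int unpause; };  /* one ioctl request */

/* Driver start hook: divides by the block size. Returns -1 where a real
 * driver would take the divide-by-zero trap. */
static int drv_trigger(struct model_audio *sc)
{
    if (sc->blksize == 0)
        return -1;
    sc->nblks = sc->bufsize / sc->blksize;
    return 0;
}

/* Device-independent recomputation: clamp the request to [1, bufsize]. */
static void recompute(struct model_audio *sc)
{
    int b = sc->req_blksize;
    if (b > sc->bufsize) b = sc->bufsize;
    if (b < 1) b = 1;
    sc->blksize = b;
}

/* fixed == 0: start on unpause without recomputing (the behaviour described).
 * fixed == 1: recompute first, so parameters are never left uninitialised. */
static int setinfo(struct model_audio *sc, const struct model_setinfo *r, int fixed)
{
    if (r->new_blksize) { sc->req_blksize = r->new_blksize; sc->blksize = 0; }
    if (fixed && sc->blksize == 0) recompute(sc);
    if (r->unpause) { sc->paused = 0; return drv_trigger(sc); }
    return 0;
}

/* Constructed request: change block size and unpause in the same call. */
int demo(int fixed)
{
    struct model_audio sc = { 4096, 1024, 1024, 1, 0 };
    struct model_setinfo r = { 512, 1 };
    return setinfo(&sc, &r, fixed) ? -1 : sc.nblks;
}

int main(void)
{
    printf("old ordering: %d, fixed ordering: %d\n", demo(0), demo(1));
    return 0;
}
```

Because the recomputation sits in the common handler rather than in `drv_trigger`, every driver behind it is covered, which is why the advisory's fix touches only the device-independent code.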

As a temporary measure, system administrators of multi-user machines may
want to disable access to the audio device for all users until an
upgraded kernel can be booted. To do this, as the root user, execute:

    chown root /dev/audio* /dev/audioctl* /dev/sound*
    chmod 000 /dev/audio* /dev/audioctl* /dev/sound*

Single-user machines can be left as-is if the user can be trusted to
not crash the machine willingly or to not complain afterwards.

*** Updating with a GENERIC or other kernel from the base distribution:

The NetBSD-daily source builds provide a set of kernels that can be used
on systems that run GENERIC, or one of the other distribution kernels.

In the URL below, replace:

    BRANCH with the appropriate CVS branch
    ARCH   with your architecture (from uname -m), and
    DATE   with any date after the fixed dates, shown here:

        NetBSD-current:    June 12, 2005
        NetBSD-3.0 branch: June 12, 2005
        NetBSD-2.0 branch: June 13, 2005
        NetBSD-1.6 branch: June 17, 2005
          * Note: the latest 1-6 build at the time of issuing this
            advisory does not yet include the fix. (June 16)

ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-daily/{BRANCH}/{DATE}/i386/binary/kernel/{ARCH}/binary/kernel/netbsd-GENERIC.gz

Retrieve the kernel from the appropriate location, then:

    cd / && cp /path/to/netbsd-GENERIC.gz /
    gzip -d netbsd-GENERIC.gz

Decompressing the file produces a new copy of:

    netbsd-GENERIC

Back up your old kernel:

    mv netbsd netbsd.old

Then either rename:

    mv netbsd-GENERIC netbsd

or link, as per local site policy:

    ln netbsd-GENERIC netbsd

Then, reboot.

*** Patching from sources:

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new
version of the kernel.

For all NetBSD versions, you need to download the source patch, apply
it to your kernel source tree using the patch(1) command, and rebuild,
install the kernel, and reboot. For more information on how to do
this, see:

http://www.netbsd.org/Documentation/kernel/#building_a_kernel

The fix for this issue is contained in one file, sys/dev/audio.c

The following table lists the fixed revisions and
dates of this file for each branch:

    CVS branch    revision      date
    ------------- -----------   ----------------
    HEAD          1.196         2005/06/11
    netbsd-3      1.192.4.2     2005/06/11
    netbsd-2-0    1.182.2.2     2005/06/12
    netbsd-2      1.182.2.1.2.2 2005/06/12
    netbsd-1-6    1.155.4.7     2005/06/17


The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:

    BRANCH   with the appropriate CVS branch (from the above table)
    ARCH     with your architecture (from uname -m), and
    KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P -r BRANCH sys/dev/audio.c
    # cd sys/arch/ARCH/conf
    # config KERNCONF
    # cd ../compile/KERNCONF
    # make depend; make; make install
    # reboot
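
To confirm that a source tree carries the fix, the revision of sys/dev/audio.c (shown in the file's $NetBSD$ identifier line) can be compared against the table above. The following is an added example, not part of the advisory; the function names are hypothetical and the revisions passed in `main` are constructed samples.

```c
/* Added example, not part of the advisory. Function names are hypothetical;
 * the revision table is copied from the advisory. */
#include <stdio.h>
#include <string.h>

struct fixed_rev { const char *branch; const char *rev; };
static const struct fixed_rev fixed_table[] = {
    { "HEAD", "1.196" }, { "netbsd-3", "1.192.4.2" },
    { "netbsd-2-0", "1.182.2.2" }, { "netbsd-2", "1.182.2.1.2.2" },
    { "netbsd-1-6", "1.155.4.7" },
};

/* Split "1.182.2.2" into numbers; returns the component count, 0 on error. */
static int parse_rev(const char *s, int out[], int max)
{
    int n = 0, used;
    while (n < max && sscanf(s, "%d%n", &out[n], &used) == 1) {
        n++; s += used;
        if (*s == '\0') return n;
        if (*s != '.') return 0;
        s++;
    }
    return 0;
}

/* 1 = fixed, 0 = vulnerable, -1 = unknown branch or a revision that does not
 * belong to that branch (CVS revisions only compare within one branch). */
int audio_c_status(const char *branch, const char *rev)
{
    int have[8], want[8], nh, nw;
    size_t i;
    for (i = 0; i < sizeof fixed_table / sizeof fixed_table[0]; i++) {
        if (strcmp(branch, fixed_table[i].branch) != 0) continue;
        nh = parse_rev(rev, have, 8);
        nw = parse_rev(fixed_table[i].rev, want, 8);
        if (nh == 0) return -1;
        if (nh == nw - 2 && !memcmp(have, want, nh * sizeof(int))) return 0; /* branch point */
        if (nh != nw || memcmp(have, want, (nh - 1) * sizeof(int))) return -1;
        return have[nh - 1] >= want[nh - 1];
    }
    return -1;
}

int main(void)
{
    printf("HEAD 1.195 -> %d\n", audio_c_status("HEAD", "1.195"));
    printf("netbsd-2-0 1.182.2.2 -> %d\n", audio_c_status("netbsd-2-0", "1.182.2.2"));
    return 0;
}
```

A file still at its branch-point revision (for example 1.192 on netbsd-3) is reported as vulnerable, since no branch commit, and therefore no fix, has reached it.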

Thanks To

    Ignatios Souvatzis: discovery, initial analysis, implementation of fix
    YAMAMOTO Takashi:   analysis, suggestion for fix

Revision History

2005-06-30 Initial release

More Information
 

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/  and http://www.NetBSD.org/Security/ .

Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

Last updated (Thursday, 3 November 2005)