--- SecurityLab Technologies, Inc. --- Security Advisory --- http://www.securitylab.net Advisory Name: NetBSD / OpenBSD kernfs_xread patch evasion Release Date: February 02, 2006 Application: kernfs Platform: NetBSD / OpenBSD Severity: Severe Author: SLAB Research Vendor Status: Patched Reference: http://www.securitylab.net/research/ <http://www.securitylab.net/research/> Overview: Due to a flaw in the original patch implemented by the NetBSD team in release 2.0.3 the kernfs_xread function was still vulnerable to exploitation. The original patch failed to manage the truncation of 64bit integers. Prior to the 2.0.3 patch kernfs_read neglected to test for a negative file offset value. The 2.0.3 patch enforced the testing of negative offsets but failed to test for negative 32bit values. Since the kernfs_xread function truncates the 64bit offset to a 32bit value it was possible to have a negative 32bit offset bypass the security employed. This negative offset flaw made continued disclosure of kernel memory possibly. OpenBSD's 3.8 kernel release contained the same vulnerability and the same type of patch as NetBSD 2.0.3. It checked for the negative value in a 64bit read offset. However, kernfs is no longer included in the current OpenBSD generic kernel. Vendor response: OpenBSD: OpenBSD believes this issue is not a vulnerability, because kernfs was not linked into the GENERIC kernel by default. The OpenBSD team has chosen to remove the kernfs tree from the current kernel code, rather than implementing a patch. NetBSD: In response to this advisory the NetBSD team patched kernfs_vnops.c version 1.114. The fix is available in the current source tree. NetBSD 3.0 recently released is not affected by this flaw. The NetBSD team has issued an advisory: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-001.tx t.asc Site of the day: FON http://www.fon.com A wireless movement Copyright 2006 SecurityLab Technologies, Inc. You may distribute freely without modification.