NetBSD Security Advisory 2005-003
=================================

Topic:          F_CLOSEM local denial of service

Version:        NetBSD-current:    source prior to January 12, 2005
                NetBSD 2.1:        not affected
                NetBSD 2.0.2:      not affected
                NetBSD 2.0:        affected
                NetBSD 1.6.*:      not affected

Severity:       Local Denial-of-Service

Fixed:          NetBSD-current:    January 12, 2005
                NetBSD-2-0 branch: March 16, 2005 (2.0.2 includes the fix)
                NetBSD-2 branch:   March 16, 2005 (2.1 includes the fix)


Abstract
========

A bug in the way the file descriptor table of a process is manipulated
can be triggered by calling the F_CLOSEM fcntl() with the parameter 0,
which means "close all opened file descriptors". The result of the bug
is that the kernel loops endlessly, effectively locking up the
computer. Any local user can trigger the bug.


Technical Details
=================

The F_CLOSEM fcntl() call takes a parameter and makes the kernel close
all file descriptors of the process whose number is greater than or
equal to the parameter.

fd_lastfile in the process's descriptor table keeps track of the last
file descriptor index used by the process, and its value is maintained
by find_last_set(). A change in find_last_set() that made it return 0
and not -1 (as it used to) when no files were in use caused an infinite
loop in the kernel, leading to a local denial of service triggerable
by any user.


Solutions and Workarounds
=========================

There is no workaround for this issue. It is recommended that users of
affected NetBSD versions upgrade their kernel.

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version
of the kernel.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2005-01-12
        should be upgraded to NetBSD-current dated 2005-01-13 or later.
        The following files need to be updated from the netbsd-current
        CVS branch (aka HEAD):
                sys/kern/kern_descrip.c

        To update from CVS, re-build, and re-install the kernel:

                # cd src
                # cvs update -d -P sys/kern/kern_descrip.c
                # ./build.sh kernel=GENERIC
                # mv /netbsd /netbsd.old
                # cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
                # shutdown -r now

* NetBSD 2.0:

        The binary distribution of NetBSD 2.0 is vulnerable.
        NetBSD 2.1 includes the fix.

        Systems running NetBSD 2.0 sources dated from before 2005-01-12
        should be upgraded from NetBSD 2.0 sources dated 2005-01-13 or
        later.

        The following files need to be updated from the netbsd-2-0
        CVS branch:
                sys/kern/kern_descrip.c

        To update from CVS, re-build, and re-install the kernel:

                # cd src
                # cvs update -d -P -r netbsd-2-0 sys/kern/kern_descrip.c
                # ./build.sh kernel=GENERIC
                # mv /netbsd /netbsd.old
                # cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
                # shutdown -r now


Thanks To
=========

Brian Marcotte, for discovering and reporting the issue.
Greg Oster and Quentin Garnier, for analysis and fixes.


Revision History
================

2005-10-31      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
        ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-003.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/
        http://www.NetBSD.org/Security/


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-003.txt,v 1.10 2005/10/31 19:11:45 gendalia Exp $
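As an added illustration of the loop described under Technical Details, the following is a user-space model written for this page, not the kernel's own kern_descrip.c: the descriptor table, find_last_set() and the F_CLOSEM loop are given assumed shapes, and the loop is bounded so that the buggy sentinel value shows up as a "did not terminate" result instead of a hang.

```c
#include <stdbool.h>

#define NFILES 8   /* size of the modelled descriptor table (assumed) */

struct fdtable {
    bool open[NFILES];  /* true when the slot holds an open file */
    int fd_lastfile;    /* highest index in use; -1 when none */
};

/* Model of find_last_set(): highest open slot, or the "no files" sentinel.
 * The buggy revision returned 0 for an empty table instead of -1. */
static int find_last_set(const struct fdtable *t, bool buggy)
{
    for (int i = NFILES - 1; i >= 0; i--)
        if (t->open[i])
            return i;
    return buggy ? 0 : -1;
}

/* Release one descriptor and refresh fd_lastfile when the top slot went away. */
static void fdrelease(struct fdtable *t, int fd, bool buggy)
{
    t->open[fd] = false;
    if (fd == t->fd_lastfile)
        t->fd_lastfile = find_last_set(t, buggy);
}

/* F_CLOSEM model: close every descriptor >= fd, highest first. Returns the
 * number of loop passes, or -1 once `limit` passes are exceeded, which is how
 * the unbounded kernel loop shows up in this bounded model. */
static int closem(struct fdtable *t, int fd, bool buggy, int limit)
{
    int passes = 0;
    while (t->fd_lastfile >= fd) {
        if (++passes > limit)
            return -1;
        fdrelease(t, t->fd_lastfile, buggy);
    }
    return passes;
}

/* Build a table with descriptors 0..nopen-1 open and run F_CLOSEM(fd) on it. */
int run_closem(int nopen, int fd, bool buggy)
{
    struct fdtable t = { {false}, -1 };
    for (int i = 0; i < nopen; i++)
        t.open[i] = true;
    t.fd_lastfile = find_last_set(&t, buggy);
    return closem(&t, fd, buggy, 1000);
}
```

With three open descriptors, run_closem(3, 0, false) finishes in 3 passes while run_closem(3, 0, true) returns -1, and a parameter of 1 terminates in both versions, matching the advisory's observation that only the all-descriptors case is affected.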