NetBSD's character device drivers enable direct access to memory and disks.
20 Nov. 1998
Summary
NetBSD 1.3.2 and prior were found vulnerable to a bug which enables local users to gain physical access to hard drives and memory, making it possible to read through the hard drives and memory space.
The function NetBSD uses to gain access to the memory space is d_mmap(). This function receives a few arguments, one of which is 'int offset', a signed offset. Many devices use this function but incorrectly check the value passed through the 'offset' argument: only the upper bound is tested, so a negative offset is accepted. This causes the function to incorrectly return the machine-dependent value (normally a physical address or a page frame number) for memory outside the device's intended range, allowing access to other parts of the memory.
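The offset check described above, as an added illustration written for this page and not NetBSD's own driver code: a console framebuffer d_mmap routine that tests only the upper bound, beside one that also rejects negative offsets. The video memory base 0xA0000 (the 640KB boundary mentioned for i386) and the 64KB size are assumed values.

```c
#include <errno.h>

/* Constructed model of a framebuffer device (assumed values, not taken
 * from any NetBSD driver): video memory at 0xA0000, 64KB in size. */
#define FB_BASE 0xA0000UL
#define FB_SIZE 0x10000UL

/* Vulnerable pattern. 'off' is a signed int, as in the old d_mmap
 * interface, but only the upper bound is tested. A negative offset
 * passes the test and FB_BASE + off evaluates to an address below the
 * framebuffer, i.e. ordinary RAM, which the caller then maps. */
long fb_mmap_unchecked(int off)
{
	if (off >= (long)FB_SIZE)
		return -1;		/* -1 is the only "no page here" signal */
	return (long)(FB_BASE + off);	/* physical address handed back */
}

/* Hardened pattern. Reject negative offsets before any arithmetic and
 * compare as unsigned so the bounds test cannot be bypassed by sign. */
long fb_mmap_checked(int off)
{
	if (off < 0 || (unsigned long)off >= FB_SIZE)
		return -1;
	return (long)(FB_BASE + (unsigned long)off);
}

/* The caller's contract: -1 means error, anything else is a page address.
 * Returning an errno value such as EOPNOTSUPP (the macppc nvram case in
 * the advisory) is therefore not seen as an error at all; the positive
 * value is taken for a physical address. */
int dmmap_result_is_error(long r)
{
	return r == -1;
}
```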
The following ports and devices are suspected to be vulnerable to such an attack:
1) NetBSD/i386.
2) NetBSD/arm32.
3) NetBSD/mac68k.
4) NetBSD/macppc.
5) NetBSD/sparc.
6) NetBSD/vax.
7) NetBSD/PCI.
8) NetBSD/TurboChannel (pmax & alpha).
Each of the devices mentioned reacts differently to such an attack. The reactions of each of the devices are described below:
1) NetBSD/i386.
The pccons and pcvt console drivers allow access from 0 to the base address of video memory (640KB). These drivers must be associated with the system console and are normally only exploitable by the user logged in on the console.
Affected device(s): /dev/ttyv?
2) NetBSD/arm32.
On the RISCPC and RC7500 models the physical console driver allows access from 0 to the base address of video memory. These drivers must be associated with the system console and the device nodes for these may not even exist.
Affected device(s): no default device.
3) NetBSD/mac68k.
The grf console driver allows access from 0 to the base address of video memory. This driver must be associated with the system console and is normally only exploitable by the user logged in on the console. The Apple Sound Chip (asc) driver, which provides access to Apple Sound and console bell support, may allow access to page 0 to anyone. Both of these drivers may also cause unpredictable system activity.
Affected device(s): /dev/grf* & /dev/asc*
4) NetBSD/macppc.
The nvram d_mmap routine incorrectly returns EOPNOTSUPP instead of -1 to indicate error, possibly causing the system to panic. This is exploitable by anyone. The ofb driver allows console users access to any memory location.
Affected device(s): /dev/nvram and no default device for ofb.
5) NetBSD/sparc.
The cgeight and cgfour console drivers allow access from 0 to the base address of video memory (0x500000), or may cause unpredictable system activity. These drivers must be associated with the system console and are normally only exploitable by the user logged in on the console.
Affected device(s): /dev/fb, /dev/cgfour* & /dev/cgeight*
6) NetBSD/vax.
The smg console driver may allow the console user access to memory from 0 to 128KB and may cause unpredictable system activity. Note that this is not a problem in NetBSD/vax 1.3.2.
Affected device(s): /dev/vt*
7) NetBSD/PCI.
The tga console driver allows access from 0 to the base address of video memory. This driver must be associated with the system console and is normally only exploitable by the user logged in on the console.
Affected device(s): /dev/ttyE?
8) NetBSD/TurboChannel (pmax & alpha).
The cfb, sfb, mfb and xcfb console drivers allow access from 0 to the base address of video memory, or may cause unpredictable system activity. These drivers must be associated with the system console and are normally only exploitable by the user logged in on the console. Note that these devices are only available in the TurboChannel Alpha models.
Affected device(s): /dev/fb? (pmax) & /dev/ttyE? (alpha)