J-Security Center

Title: NetBSD Swapctl() Local Denial Of Service Vulnerability

Severity: MODERATE

Description:

NetBSD's swapctl system call is reported to be susceptible to a local denial of service vulnerability.

swapctl() is used to modify the system swapping configuration. It is used to add and delete swap regions, modify their configuration, and retrieve the status of the different swap regions.

The vulnerability manifests itself as an integer overflow condition in the swapctl() system call.

The swapctl() system call is called as:
swapctl(int cmd, const void *arg, int misc);

When cmd == SWAP_STATS, the kernel attempts to allocate misc * sizeof(struct swapent). Just before the allocation occurs, misc is reassigned:
misc = MIN(uvmexp.nswapdev, misc);

If an attacker passes a negative value for misc in the system call, the MIN() macro evaluates misc as being smaller, and misc remains at the attacker-supplied value.

The 'misc' value is a signed integer, but it is converted to unsigned when it is used in malloc(). A negative signed integer, when converted to unsigned, results in a very large value (0xffffffff).

When the kernel then proceeds to malloc() memory to store the swapent structs, it attempts to allocate 4 GB, crashing the kernel.

This issue may be exploited by local users to trigger a kernel panic, effectively denying service to legitimate users.

This has been fixed in NetBSD-current and in the NetBSD-2-0 branch of CVS.
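
The signed clamp described above, modelled in user space next to a checked version. This is an added example, not NetBSD kernel code and not the actual NetBSD patch; struct swapent_model, its 32-byte size, the function names and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Stand-in for struct swapent; the 32-byte size is an assumption. */
struct swapent_model { char pad[32]; };

/* Clamp as the advisory describes it: the comparison is signed, so a
 * negative misc is the smaller operand and is returned unchanged. */
static int clamp_as_described(int nswapdev, int misc)
{
    return MIN(nswapdev, misc);
}

/* Byte count a 32-bit unsigned size parameter receives for this count. */
static uint32_t alloc_request32(int count)
{
    return (uint32_t)count * (uint32_t)sizeof(struct swapent_model);
}

/* Hardened form: refuse a negative count before clamping.
 * Returns 0 and stores the clamped count, or -1 for invalid input. */
static int clamp_checked(int nswapdev, int misc, int *out)
{
    if (misc < 0 || nswapdev < 0)
        return -1;
    *out = MIN(nswapdev, misc);
    return 0;
}

int main(void)
{
    int nswapdev = 2;               /* constructed: two swap devices */
    int samples[] = { 1, 5, -1 };   /* constructed misc values */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int misc = samples[i], safe = 0;
        int raw = clamp_as_described(nswapdev, misc);
        printf("misc=%d: unchecked count=%d request=%lu bytes; ", misc,
               raw, (unsigned long)alloc_request32(raw));
        if (clamp_checked(nswapdev, misc, &safe) == 0)
            printf("checked count=%d request=%lu bytes\n", safe,
                   (unsigned long)alloc_request32(safe));
        else
            printf("checked: rejected\n");
    }
    return 0;
}
```

The same review point applies to any syscall argument used as an element count: validate the sign and upper bound while the value is still signed, before it reaches a size computation.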

Affected Products:

  • NetBSD NetBSD 1.0.0
  • NetBSD NetBSD 1.1.0
  • NetBSD NetBSD 1.2.0
  • NetBSD NetBSD 1.2.1
  • NetBSD NetBSD 1.3.0
  • NetBSD NetBSD 1.3.1
  • NetBSD NetBSD 1.3.2
  • NetBSD NetBSD 1.3.3
  • NetBSD NetBSD 1.4.0
  • NetBSD NetBSD 1.4.0 Alpha
  • NetBSD NetBSD 1.4.0 SPARC
  • NetBSD NetBSD 1.4.0 arm32
  • NetBSD NetBSD 1.4.0 x86
  • NetBSD NetBSD 1.4.1
  • NetBSD NetBSD 1.4.1 Alpha
  • NetBSD NetBSD 1.4.1 SPARC
  • NetBSD NetBSD 1.4.1 arm32
  • NetBSD NetBSD 1.4.1 sh3
  • NetBSD NetBSD 1.4.1 x86
  • NetBSD NetBSD 1.4.2
  • NetBSD NetBSD 1.4.2 Alpha
  • NetBSD NetBSD 1.4.2 SPARC
  • NetBSD NetBSD 1.4.2 arm32
  • NetBSD NetBSD 1.4.2 x86
  • NetBSD NetBSD 1.4.3
  • NetBSD NetBSD 1.5.0
  • NetBSD NetBSD 1.5.0 sh3
  • NetBSD NetBSD 1.5.0 x86
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • NetBSD NetBSD 1.5.3
  • NetBSD NetBSD 1.6.0
  • NetBSD NetBSD 1.6.0 Beta
  • NetBSD NetBSD 1.6.1
  • NetBSD NetBSD 1.6.2
  • NetBSD NetBSD 2.0.0
  • NetBSD NetBSD current pre20010701
  • NetBSD NetBSD current pre20010805
