Title: NetBSD Super-H Port sigreturn() Input Validation Vulnerability
Severity: MODERATE
Description:
The NetBSD port for the Hitachi SuperH (sh3) architecture contains an input validation vulnerability in its implementation of sigreturn().
sigreturn() is the system call used to resume process execution once a signal handler has finished. It reloads the saved register state, including the Status Register (SR), from a sigcontext structure that lives in the process's own address space and is therefore under the process's control.
On SuperH the execution mode of the current process is recorded in the Status Register (the MD bit: clear for user mode, set for privileged 'supervisor' mode). The sh3 sigreturn() implementation loads SR from the user-supplied sigcontext without masking or checking this field, so a process can call sigreturn() with a crafted sigcontext and resume execution from the signal handler with the supervisor-mode bit set.
Once in supervisor mode, the process can execute privileged instructions and access memory that is normally reserved for the kernel.
A local attacker can use this to gain root privileges: with supervisor-mode execution they may be able to modify kernel memory or kernel data structures, or the address space of other processes.
Note: A very similar input validation vulnerability exists in the kernel function process_write_regs(), which the ptrace() and procfs implementations use internally to write a process's register set. The register values it receives may originally be user supplied (for example, a register set written by a debugger through ptrace()); if so, the same unchecked Status Register write may be exploitable in the same manner as the sigreturn() vulnerability.
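The following is an added example, not code from NetBSD or from this advisory. It models the Status Register handling that both the sigreturn() path and the process_write_regs() path described above must get right: the vulnerable pattern that loads a user-supplied SR verbatim, a hardened sigreturn() that rejects a frame whose privileged bits differ from the kernel-saved value, and a masking variant suited to register writes from ptrace()/procfs. The SR bit positions are the architectural SH-3 layout; the struct names, field names, macro names and sample register values are assumptions constructed for the example.

```c
/*
 * Added example (not NetBSD source): Status Register validation on
 * return to user mode, modelling the sh3 sigreturn()/process_write_regs()
 * issue. Struct/field/macro names and sample values are assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* SH-3 Status Register bit layout (architectural). */
#define SR_MD    0x40000000u  /* processor mode: 1 = privileged ("supervisor") */
#define SR_RB    0x20000000u  /* register bank select; privileged */
#define SR_BL    0x10000000u  /* block exceptions/interrupts; privileged */
#define SR_M     0x00000200u  /* divide-step state */
#define SR_Q     0x00000100u  /* divide-step state */
#define SR_IMASK 0x000000f0u  /* interrupt mask level; privileged */
#define SR_S     0x00000002u  /* MAC saturation */
#define SR_T     0x00000001u  /* condition/carry bit */

/* Bits a user-mode frame may change; all others (MD, RB, BL, IMASK and
 * reserved bits) must keep the value the kernel saved on entry. */
#define SR_USER_WRITABLE (SR_M | SR_Q | SR_S | SR_T)
#define SR_USER_STATIC   (~SR_USER_WRITABLE)

/* Hypothetical trap frame and signal context, reduced to what we need. */
struct trapframe  { uint32_t tf_pc, tf_sr; };
struct sigcontext { uint32_t sc_pc, sc_sr; };

int runs_in_supervisor_mode(const struct trapframe *tf)
{
    return (tf->tf_sr & SR_MD) != 0;
}

/* Vulnerable pattern: the user-supplied SR is loaded unchanged. */
int sigreturn_vulnerable(struct trapframe *tf, const struct sigcontext *scp)
{
    tf->tf_pc = scp->sc_pc;
    tf->tf_sr = scp->sc_sr;     /* MD/RB/BL/IMASK come straight from userland */
    return 0;
}

/* Hardened: fail the syscall if any static bit differs from the saved SR. */
int sigreturn_hardened(struct trapframe *tf, const struct sigcontext *scp)
{
    if (((scp->sc_sr ^ tf->tf_sr) & SR_USER_STATIC) != 0)
        return EINVAL;          /* frame left untouched */
    tf->tf_pc = scp->sc_pc;
    tf->tf_sr = scp->sc_sr;
    return 0;
}

/* Masking variant for ptrace()/procfs register writes: keep the kernel's
 * static bits and accept only the user-writable bits of the new value. */
void write_sr_masked(struct trapframe *tf, uint32_t new_sr)
{
    tf->tf_sr = (tf->tf_sr & SR_USER_STATIC) | (new_sr & SR_USER_WRITABLE);
}

/* Constructed scenario: user-mode SR saved on entry (MD clear), and a
 * forged sigcontext whose SR sets MD. Addresses are arbitrary user PCs. */
#define SAVED_USER_SR 0x00000000u
#define FORGED_SR     (SR_MD | SR_T)
#define HONEST_SR     (SR_S | SR_T)
#define HANDLER_PC    0x00401000u
#define RESUME_PC     0x00401100u

int forged_frame_escalates_when_unchecked(void)
{
    struct trapframe tf = { HANDLER_PC, SAVED_USER_SR };
    struct sigcontext scp = { RESUME_PC, FORGED_SR };
    sigreturn_vulnerable(&tf, &scp);
    return runs_in_supervisor_mode(&tf);   /* 1: process is now privileged */
}

int forged_frame_error_when_checked(void)
{
    struct trapframe tf = { HANDLER_PC, SAVED_USER_SR };
    struct sigcontext scp = { RESUME_PC, FORGED_SR };
    int err = sigreturn_hardened(&tf, &scp);
    if (tf.tf_sr != SAVED_USER_SR || tf.tf_pc != HANDLER_PC)
        return -1;                         /* rejection must not touch the frame */
    return err;                            /* EINVAL */
}

int honest_frame_error_when_checked(void)
{
    struct trapframe tf = { HANDLER_PC, SAVED_USER_SR };
    struct sigcontext scp = { RESUME_PC, HONEST_SR };
    int err = sigreturn_hardened(&tf, &scp);
    if (tf.tf_sr != HONEST_SR || tf.tf_pc != RESUME_PC)
        return -1;
    return err;                            /* 0: legitimate frame accepted */
}

uint32_t forged_sr_after_masked_write(void)
{
    struct trapframe tf = { HANDLER_PC, SAVED_USER_SR };
    write_sr_masked(&tf, SR_MD | SR_BL | SR_T);
    return tf.tf_sr;                       /* SR_T only: MD and BL dropped */
}

int main(void)
{
    printf("unchecked sigreturn -> supervisor mode: %d\n", forged_frame_escalates_when_unchecked());
    printf("checked sigreturn, forged frame -> errno %d\n", forged_frame_error_when_checked());
    printf("checked sigreturn, honest frame -> errno %d\n", honest_frame_error_when_checked());
    printf("masked register write leaves SR = 0x%08x\n", forged_sr_after_masked_write());
    return 0;
}
```

The two defensive variants differ in policy: the sigreturn() form refuses the frame outright, which is the right answer for a system call whose caller can simply be given EINVAL, while the masking form is the natural fit for register writes where a debugger is expected to supply a full register set and only the privileged bits need to be pinned to the kernel's values.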
Affected Products:
- NetBSD 1.4.1 (sh3)
- NetBSD 1.5.0 (sh3)
References:
- NetBSD: NetBSD Security Page
- NetBSD: NetBSD SuperH Port Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.