OpenBSD Journal

Large Batch of Kernel Errata Patches Released

Contributed by rueda on from the patch now! dept.

In response to the DEF CON presentation by Ilja van Sprundel, a large set of kernel patches have been released (for OpenBSD 6.0 and 6.1). These important patches should be applied ASAP!

From the announce@ mailing list:

Errata patches for a number of kernel issues have been released for
OpenBSD 6.1 and 6.0.
A SIGIO-related use-after-free can occur in two drivers.

A missing length check in sendsyslog() may result in a kernel panic.

An out-of-bound read in vfs_getcwd_scandir() (mainly used for FUSE)
may result in a kernel panic or info leak.

An alignment issue in recv() may result in an info leak via ktrace().

With an invalid address family, tcp_usrreq() may take an unintended code
path.

Missing socket address validation from userland may result in an info leak.

An uninitialized variable in ptrace() may result in an info leak.

An uninitialized variable in fcntl() may result in an info leak.

An integer overflow in wsdisplay_cfg_ioctl() may result in an out-of-bound
read.

A race condition in sosplice() may result in a kernel memory leak.

An out-of-bound read could occur during processing of EAPOL frames in
the wireless stack. Information from kernel memory could be leaked to
root in userland via an ieee80211(9) ioctl.

Binary updates for the amd64 and i386 platforms are available via the
syspatch utility. Source code patches can be found on the respective
errata pages:

 https://www.openbsd.org/errata60.html
 https://www.openbsd.org/errata61.html

As these affect the kernel, a reboot will be needed after patching.

(Comments are closed)


  1. By Chas (142.79.57.1) on

    What can be done to make OpenBSD even better? The lines below are from the conclusions page of the presentation.


    -Bugs are stll easy to find in [*BSD] kernels. Even OpenBSD.

    -Varying level of quality depending on age and who wrote it

    --Most consistent quality was observed with OpenBSD

    The maintainers of various BSDs should talk more among each other

    --Several bugs in one were fixed in the other

    --OpenBSD expired proc pointer in midiioctl() fixed in NetBSD

    --NetBSD signedness bug in ac97_query_devinfo() fixed in OpenBSD

    https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf

    1. By Anonymous Coward (138.59.50.4) on

      > What can be done to make OpenBSD even better? The lines below are from the conclusions page of the presentation.
      >
      >
      > -Bugs are stll easy to find in [*BSD] kernels. Even OpenBSD.
      >
      > -Varying level of quality depending on age and who wrote it
      >
      > --Most consistent quality was observed with OpenBSD
      >
      > The maintainers of various BSDs should talk more among each other
      >
      > --Several bugs in one were fixed in the other
      >
      > --OpenBSD expired proc pointer in midiioctl() fixed in NetBSD
      >
      > --NetBSD signedness bug in ac97_query_devinfo() fixed in OpenBSD
      >

      What you can do is apply those patches ASAP! you slacker...

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]