                 NetBSD Security Advisory 2010-004
                 =================================

Topic:          amd64 per-page No-execute (NX) bit disabled

Version:        NetBSD-current:         affected prior to April 19, 2010
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           not affected
                NetBSD 4.0:             not affected

Severity:       Possible execution of arbitrary code without memory protection

Fixed:          NetBSD-current:         April 19, 2010
                NetBSD-5-0 branch:      April 22, 2010
                NetBSD-5 branch:        April 22, 2010

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An issue in the x86 CPU features detection code disables the use of the
per-page NX bit under amd64, making it impossible to mark certain pages
of memory as not being executable.


Technical Details
=================

The NX bit from AMD (equivalent to the XD bit for Intel) indicates whether
the processor supports the NX feature (execution rights enforced on a
per-page basis). This bit is obtained through the "extended feature flags"
cpuid instruction, in %edx.

All amd64 code, especially pmap(9), checks for this feature through the
cpu_feature variable. It is set in src/sys/arch/amd64/amd64/locore.S:

- first with the "feature flags" cpuid instruction (cpuid with %eax = 1),
- then ORed with the "extended feature flags" cpuid (cpuid with
  %eax = 0x8000_0001).

When entering init_x86_64(), the value is erased by the cpu_probe() call.
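The flag handling described above and summarised in the following section, modelled in C as an added illustration that is not NetBSD source: the cpuid values are constructed, the struct and function names are stand-ins for the kernel's, and the "repaired" mask shows the shape of a fix rather than the actual NetBSD commit.

```c
/* Model of how the affected cpu_probe() lost the NX feature bit.
 * Added illustration, not NetBSD code; cpuid values below are constructed. */
#include <stdint.h>

#define CPUID_NOX   0x00100000u   /* cpuid 0x80000001 %edx bit 20: NX page protection */
#define CPUID_PAE   0x00000040u   /* cpuid 1 %edx bit 6, stands in for ordinary flags */
#define EFER_NXE    0x00000800u   /* bit 11 of the EFER MSR: enable NX enforcement */

/* Constructed cpuid results for a CPU that supports NX. Bit 20 is reserved
 * in leaf 1 %edx, so CPUID_NOX only ever appears in the extended leaf. */
static const uint32_t LEAF1_EDX = CPUID_PAE;
static const uint32_t EXT_EDX   = CPUID_NOX;

struct cpu_info {
    uint32_t ci_feature_flags;   /* cpuid(1) %edx */
    uint32_t ci_feature3_flags;  /* cpuid(0x80000001) %edx */
};

/* locore.S: cpu_feature = cpuid(1) flags ORed with cpuid(0x80000001) flags. */
uint32_t locore_cpu_feature(uint32_t leaf1_edx, uint32_t ext_edx)
{
    return leaf1_edx | ext_edx;
}
/* End of the affected cpu_probe(): ANDing with ci_feature_flags alone clears
 * every bit that lives only in ci_feature3_flags, CPUID_NOX included. */
uint32_t cpu_probe_affected(uint32_t cpu_feature, const struct cpu_info *ci)
{
    return cpu_feature & ci->ci_feature_flags;
}
/* Illustrative repair (hypothetical, not the committed fix): keep the
 * extended flags in the mask so CPUID_NOX survives. */
uint32_t cpu_probe_repaired(uint32_t cpu_feature, const struct cpu_info *ci)
{
    return cpu_feature & (ci->ci_feature_flags | ci->ci_feature3_flags);
}
/* EFER_NXE is only programmed when the kernel believes the CPU has NX. */
uint32_t efer_after_probe(uint32_t cpu_feature)
{
    return (cpu_feature & CPUID_NOX) ? EFER_NXE : 0;
}
/* Run the constructed CPU through either path; 1 if NX ends up enabled. */
int nx_enabled_after_probe(int repaired)
{
    struct cpu_info ci = { LEAF1_EDX, EXT_EDX };
    uint32_t f = locore_cpu_feature(ci.ci_feature_flags, ci.ci_feature3_flags);
    f = repaired ? cpu_probe_repaired(f, &ci) : cpu_probe_affected(f, &ci);
    return efer_after_probe(f) == EFER_NXE;
}
```

With the affected path the kernel never sees CPUID_NOX and so never sets EFER_NXE; with the repaired mask the same cpuid input leaves NX enabled.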
Summary:

beginning of cpu_probe():
- cpuid instruction (%eax == 1) flags get stored in
  cpu_info_primary->ci_feature_flags

in x86_cpu_topology():
- cpuid instruction (%eax == 0x8000_0001) flags get stored in
  cpu_info_primary->ci_feature3_flags

end of cpu_probe():
- cpu_feature_flags is then set (or ANDed) with
  cpu_info_primary->ci_feature_flags, losing the CPUID_NOX bit in the
  process (which is expected to be found in ci_feature3_flags)

Following this, the MSR enabling the NX feature (EFER_NXE) is never set.
As a consequence, NX bit support is deactivated, and no exception will be
raised even if an instruction is fetched from a page marked as not being
executable.


Solutions and Workarounds
=========================

No workaround to the problem is currently known. Users are advised to
restrict access to the system to trusted users only, both locally and
remotely.

When considered individually, this issue is not directly exploitable. Only
programs depending on the enforcement of execution rights in memory may be
affected, as well as badly written ones where the stack, heap and/or data
sections could be used to inject and execute a specifically crafted payload.

The following instructions describe how to upgrade your kernel binaries by
updating your source tree and rebuilding and installing a new version of
the kernel.

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel. In
these instructions, replace:

  ARCH      with your architecture (from uname -m), and
  KERNCONF  with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/arch/x86
        # cvs update -d -P sys/arch/amd64
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Jeremy Morse and Jean-Yves Migeon for independently finding and reporting
the issue, and Jean-Yves Migeon for providing a patch.


Revision History
================

2010-04-26      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-004.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/
        http://www.NetBSD.org/Security/


Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-004.txt,v 1.1 2010/04/25 21:37:39 tonnerre Exp $