NetBSD
cpe:2.3:o:netbsd:netbsd:*:*:*:*:*:*:*
- < commit ec8451e
A signed integer overflow vulnerability has been identified in NetBSD versions prior to commit ec8451e. The issue resides in the cryptodev_op() function in sys/opencrypto/cryptodev.c. The local variable iov_len is declared as a signed int but is assigned from the unsigned, user-controlled cop->dst_len field. Converting an out-of-range unsigned value to int is implementation-defined in C, and on NetBSD's targets a dst_len greater than INT_MAX wraps to a negative iov_len; the UIO/iovec arithmetic that follows is written for a non-negative length, so it is corrupted by the negative value. A local attacker with access to /dev/crypto can trigger the bug by creating a compression session and submitting an operation whose dst_len exceeds INT_MAX. The corrupted pointer arithmetic ends in a NULL pointer dereference and a kernel panic, reported to occur in particular when CONFIG_SVS is disabled.
Exploitation of this vulnerability causes a kernel panic, creating a denial-of-service condition.
The vulnerability can be reproduced by opening /dev/crypto and creating a compression session. Once the session is established, a cryptographic operation is submitted against it with a destination length (dst_len) greater than INT_MAX. The value wraps when it is stored in the signed iov_len, and when the operation is processed the resulting UIO arithmetic leads to a NULL pointer dereference and a panic, particularly on kernels built without the SVS option.
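The mismatch described in the two passages above, as an added user-space model rather than NetBSD's own cryptodev.c: struct fake_crypt_op, CRYPTO_MAX_LEN, vuln_pick_len(), safe_pick_len() and the wrapper functions are assumptions made up for this demonstration, and the real driver's fields and checks differ. The vulnerable path copies the unsigned length into an int and bounds it with an upper-limit check that only works for non-negative values; the hardened path keeps the length in size_t and bounds it before anything narrows it.

```c
/*
 * Added example, not NetBSD's sys/opencrypto/cryptodev.c: a user-space model
 * of the signed/unsigned length mismatch. The struct, CRYPTO_MAX_LEN and the
 * function names are assumptions invented for this demonstration.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed per-request ceiling, standing in for whatever the driver enforces. */
#define CRYPTO_MAX_LEN (256 * 1024)

/* Constructed stand-in for the user-controlled request fields. */
struct fake_crypt_op {
    unsigned int len;      /* source length */
    unsigned int dst_len;  /* destination length, used only for compression */
};

/*
 * Vulnerable pattern: the unsigned destination length is copied into a
 * signed int, and the only size check is an upper bound that assumes the
 * value is non-negative. Returns 0 if the request is accepted (the length
 * the later uio/iovec code would see is stored in *out_len), -1 if rejected.
 */
int vuln_pick_len(const struct fake_crypt_op *cop, bool compression, int *out_len)
{
    int iov_len = (int)cop->len;           /* unsigned -> int */

    if (compression && cop->dst_len != 0)
        iov_len = (int)cop->dst_len;       /* 0x80000000u wraps to INT_MIN here */

    if (iov_len > CRYPTO_MAX_LEN)          /* a negative value passes this test */
        return -1;

    *out_len = iov_len;                    /* negative length flows onward */
    return 0;
}

/*
 * Hardened pattern: keep the length in an unsigned type wide enough for the
 * field, bound it before any narrowing, and reject zero as well.
 */
int safe_pick_len(const struct fake_crypt_op *cop, bool compression, size_t *out_len)
{
    size_t iov_len = cop->len;

    if (compression && cop->dst_len != 0)
        iov_len = cop->dst_len;

    if (iov_len == 0 || iov_len > CRYPTO_MAX_LEN)
        return -1;

    *out_len = iov_len;
    return 0;
}

/* Scalar wrappers: a compression request with a fixed len and the given dst_len. */
int vuln_rc(unsigned int dst_len)          /* 0 = accepted, -1 = rejected */
{
    struct fake_crypt_op cop = { .len = 4096, .dst_len = dst_len };
    int l = 0;
    return vuln_pick_len(&cop, true, &l);
}

int vuln_len(unsigned int dst_len)         /* length the vulnerable path hands on */
{
    struct fake_crypt_op cop = { .len = 4096, .dst_len = dst_len };
    int l = 0;
    (void)vuln_pick_len(&cop, true, &l);
    return l;
}

int safe_rc(unsigned int dst_len)          /* 0 = accepted, -1 = rejected */
{
    struct fake_crypt_op cop = { .len = 4096, .dst_len = dst_len };
    size_t l = 0;
    return safe_pick_len(&cop, true, &l);
}

int main(void)
{
    /* Constructed request: a compression op whose dst_len exceeds INT_MAX. */
    unsigned int evil = 0x80000000u;
    printf("vulnerable: rc=%d iov_len=%d\n", vuln_rc(evil), vuln_len(evil));
    printf("hardened:   rc=%d\n", safe_rc(evil));
    return 0;
}
```

The point to take from the model is that a "too big" comparison on a signed copy of an unsigned field is not a bounds check at all: INT_MAX+1 becomes INT_MIN, which compares as smaller than any limit. Checking the unsigned value against the limit before it is ever narrowed removes the whole class of problem.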
Users should update to a NetBSD build that includes commit ec8451e, available in the NetBSD GitHub repository. Because the bug can only be reached by opening /dev/crypto and creating a compression session, restricting access to that device to trusted users limits exposure until the fix is applied.