From owner-freebsd-announce@freebsd.org Tue Nov 12 19:11:32 2019 Return-Path: Delivered-To: freebsd-announce@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 66B8A1B5F89 for ; Tue, 12 Nov 2019 19:11:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47CHR826Vrz3RGV; Tue, 12 Nov 2019 19:11:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 40D4110B1; Tue, 12 Nov 2019 19:11:32 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20191112191132.40D4110B1@freefall.freebsd.org> Date: Tue, 12 Nov 2019 19:11:32 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-19:19.loader X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Nov 2019 19:11:32 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-19:19.loader Errata Notice The FreeBSD Project Topic: UEFI Loader Memory Fragmentation Category: core Module: loader Announced: 2019-11-12 Credits: Rebecca Cran Affects: FreeBSD 12.0 and later Corrected: 2019-09-27 05:12:28 UTC (stable/12, 12.1-STABLE) 2019-11-12 18:10:26 UTC (releng/12.1, 12.1-RELEASE-p1) 2019-11-12 18:10:26 UTC (releng/12.0, 12.0-RELEASE-p12) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Prior to executing the kernel, the UEFI loader must obtain the final memory map from the firmware and pass it to the kernel for consumption. II. Problem Description Allocating memory to retrieve the memory map may cause further fragmentation in the memory map. This fragmentation may cause the memory map to grow enough for the previously allocated memory to no longer be sufficient to hold the memory map. In this case, the UEFI loader would simply fail to boot the kernel instead of reallocating and attempting to fetch the memory map again. III. Impact Some systems may intermittently fail to boot due to this fragmentation, and require a restart. IV. Workaround No workaround is available. Systems that are not configured to boot via the UEFI loader are not affected, and not all systems that are configured to boot via the UEFI loader will exhibit this behavior. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.x] # fetch https://security.FreeBSD.org/patches/EN-19:19/loader.patch # fetch https://security.FreeBSD.org/patches/EN-19:19/loader.patch.asc # gpg --verify loader.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . If the system was first installed with FreeBSD 12.0 or later a copy of the EFI loader is installed as \EFI\freebsd\loader.efi on the EFI System Partition (ESP). In that case mount the ESP and copy /boot/loader.efi to \EFI\freebsd\loader.efi. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r352788 releng/12.1/ r354652 releng/12.0/ r354652 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl3K+jlfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKo6hAAlrPVQSTQ+PGu9YtAdLG/0NZlIRdFNyjqKekkQDSEQnh35MKzVrZW4mmu 12pM2ELRU3e4HZbZEXi0B98HAqGrbSrlXHKAwosMMmhrkNBXU+fUQcjbxHfEiRoE oXPhYNTQD+7ph3A2CO0mGi5d5aSdMeZqr6ayJvmlEzg/Btd0v/SnB5XWRw0c3xP2 bCfXqS8ne2Nc0LCMzAoC69b/HQr/hi45ukbkexON+vUH0wB8N3QzwtjtZYXNMCoD T7w5FsW6ZnPqTFVNfQfIT9DUZCE0TJ4HD3D2GNX9rs8tvetgWpE7sXbRbRb87MIR zt85nwyriVjovbi24oyMgmjFgIqteRqDBG96XEWWB6YhHrOPoXd76RaOStX2r4yj q01i+lNNb5P0mqTvHQWx7XyDlhzVJsZEK6UyeFKT8WWarrFQ5FzLU3Fdr3G9pRAb 1VZJCW6GgEYlOxMBVHANtUJi3JTCWSG7vw2GNLkpwHfhpPDSV8wSKNVcpTjzHS5K 9u5iLsfNl3RtA1qD2/PPVyz12au045+WjAzlWzR8ioivRF8KwqKuwFdSUpVGcIDm +y5YOanAgT2LxpNLf0ZbHmAZaR5kCtBDGuDFW6+z2zPHaea9opIprutgqERzc9Es XHh3M29OeO457JiU/yTliLraObpf0rEFUG7d30TDO1wywR/ehlM= =ayk8 -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Tue Nov 12 19:12:06 2019 Return-Path: Delivered-To: freebsd-announce@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2E4CF1B6072 for ; Tue, 12 Nov 2019 19:12:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47CHRp0Gt2z3wh2; Tue, 12 Nov 2019 19:12:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 023CE1174; Tue, 12 Nov 2019 19:12:06 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20191112191206.023CE1174@freefall.freebsd.org> Date: Tue, 12 Nov 2019 19:12:05 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:25.mcepsc X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Nov 2019 19:12:06 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:25.mcepsc Security Advisory The FreeBSD Project Topic: Machine Check Exception on Page Size Change Category: core Module: kernel Announced: 2019-11-12 Credits: Intel Affects: All supported versions of FreeBSD. Corrected: 2019-11-12 18:03:26 UTC (stable/12, 12.1-STABLE) 2019-11-12 18:13:04 UTC (releng/12.1, 12.1-RELEASE-p1) 2019-11-12 18:13:04 UTC (releng/12.0, 12.0-RELEASE-p12) 2019-11-12 18:04:28 UTC (stable/11, 11.3-STABLE) 2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5) CVE Name: CVE-2018-12207 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Intel machine check architecture is a mechanism to detect and report hardware errors, such as system bus errors, ECC errors, parity errors, and others. This allows the processor to signal the detection of a machine check error to the operating system. II. Problem Description Intel discovered a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system. III. Impact Malicious guest operating systems may be able to crash the host. IV. Workaround No workaround is available. Systems not running untrusted guest virtual machines are not impacted. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.1] # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch.asc # gpg --verify mcepsc.12.1.patch.asc [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch.asc # gpg --verify mcepsc.12.0.patch.asc [FreeBSD 11.3] # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch # fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch.asc # gpg --verify mcepsc.11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r354650 releng/12.1/ r354653 releng/12.0/ r354653 stable/11/ r354651 releng/11.3/ r354653 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl3K+khfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cIWdA//dTBwRIejd8vkgB/6wCLfXARU2Nw9je69JwfvpC/3BzkV+oD9rwoL7ltk NtOIu6otRmGnGHvC19WQ/JdlHUgtoxaxB26ROoU5BCYPJL7dU48T6l6RLbNXdMC4 MxU3mgbiDrVw9hhh42qKNVQ+ZzpMjgUPN1WRCyKQNlG7jNm5a8BvBaK0mFYkLdEw 9u+kNpXdaC9Ip45JI4QVS+jyK5JqFYWZw4SlB6AggcMO93QySzWWx4ZjXafw+0EK VoS8ByQ5nTlCVqq+hok+yVEz42mZ9AFSE1E1n3pe5TFZZmxF+NcDVMw324eLWUY3 pVX3S6Y0dCtKKvpyy2WIMrBV4Ro5BX3nQXJINdwCo2IlBRvJgK7u0wK3P0ionsJk Hc4x3sjZQm9Rhb8qqOh01wb7MjmGMWX/nlyishF6MAmnIV3dXctMaG00CSsIMbv9 jtx5v8uSGUHXb8bGYa6QLxaNN1gV6ZLMne1HLunkP7sCX9NYfibjkBXSIfNAkQTn MFrz9LLgy1K+8s2D1yFJZeyAZMWZ82yc14FSbux21pZS8MURpFt0OBYymAlzn0/J fhFEKg7rjKBuIBKjDycu9K8+s8h5TIGDROmgQojeqHm6wmlqyGVIPsREyBcCEvwM 16pasZC9s5C7aoSvzDExekR+LQOc8jVZ80KjNGmMga41tSANKTQ= =9nRn -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Tue Nov 12 19:17:22 2019 Return-Path: Delivered-To: freebsd-announce@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 571411B7248 for ; Tue, 12 Nov 2019 19:17:22 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47CHYt1W74z3yJn; Tue, 12 Nov 2019 19:17:22 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 2C6CF148F; Tue, 12 Nov 2019 19:17:22 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20191112191722.2C6CF148F@freefall.freebsd.org> Date: Tue, 12 Nov 2019 19:17:22 +0000 (UTC) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:26.mcu X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Nov 2019 19:17:22 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:26.mcu Security Advisory The FreeBSD Project Topic: Intel CPU Microcode Update Category: 3rd party Module: Intel CPU microcode Announced: 2019-11-12 Credits: Intel Affects: All supported versions of FreeBSD running on certain Intel CPUs. CVE Name: CVE-2019-11135, CVE-2019-11139, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2018-11091, CVE-2017-5715 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background - From time to time Intel releases new CPU microcode to address functional issues and security vulnerabilities. Such a release is also known as a Micro Code Update (MCU), and is a component of a broader Intel Platform Update (IPU). FreeBSD distributes CPU microcode via the devcpu-data port and package. II. Problem Description Starting with version 1.26, the devcpu-data port/package includes updates and mitigations for the following technical and security advisories (depending on CPU model). Intel TSX Updates (TAA) CVE-2019-11135 Voltage Modulation Vulnerability CVE-2019-11139 MD_CLEAR Operations CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2018-11091 TA Indirect Sharing CVE-2017-5715 EGETKEY CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2018-11091 JCC SKX102 Erratum Updated microcode includes mitigations for CPU issues, but may also cause a performance regression due to the JCC erratum mitigation. Please visit http://www.intel.com/benchmarks for further information. Please visit http://www.intel.com/security for detailed information on these advisories as well as a list of CPUs that are affected. III. Impact Operating a CPU without the latest microcode may result in erratic or unpredictable behavior, including system crashes and lock ups. Certain issues listed in this advisory may result in the leakage of privileged system information to unprivileged users. Please refer to the security advisories listed above for detailed information. IV. Workaround To determine if TSX is present in your system, run the following: 1. kldload cpuctl 2. cpucontrol -i 7 /dev/cpuctl0 If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX), TSX is present. In the absence of updated microcode, TAA can be mitigated by enabling the MDS mitigation: 3. sysctl hw.mds_disable=1 Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to work. *IMPORTANT* If your use case can tolerate leaving the CPU issues unmitigated and cannot tolerate a performance regression, ensure that the devcpu-data package is not installed or is locked at 1.25 or earlier. # pkg delete devcpu-data or # pkg lock devcpu-data Later versions of the LLVM and GCC compilers will include changes that partially relieve the peformance impact. V. Solution Install the latest Intel Microcode Update via the devcpu-data port/package, version 1.26 or later. Updated microcode adds the ability to disable TSX. With updated microcode the issue can still be mitigated by enabling the MDS mitigation as described in the workaround section, or by disabling TSX instead: 1. kldload cpuctl 2. cpucontrol -i 7 /dev/cpuctl0 If bit 29 (0x20000000) is set in the fourth response word (EDX), then the 0x10a MSR is present. 3. cpucontrol -m 0x10a /dev/cpuctl0 If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to TAA and no further action is required. If bit 7 (0x80) is cleared, then your CPU does not have updated microcode that facilitates TSX to be disabled. The only remedy available is to enable the MDS mitigation, as documented above. 4. cpucontrol -m 0x122=3 /dev/cpuctl0 Repeat step 4 for each numbered CPU that is present. A future kernel change to FreeBSD will provide automatic detection and mitigation for TAA. LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC peformance impact. Updates to prior versions of LLVM are currently being evaluated. VI. Correction details There are currently no changes in FreeBSD to address this issue. VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl3LArVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cJGQQ//ad41YWDAdgBMTWiF56qeySqElIOHt/mLt06s2WW9ceUoJpKW8rKwA4hi sjuDlj4vg8ohdiFaZhTxX/smQi3BS+M0xi40fFFgMRR7HuVh11l6bPr+DoUH/Zi+ E5aiAilOlv/WUAxIrdx0ZlHPkjZ9vfSIPbiqmIkdlFEl4QCuusMRqXKNxaIzzk/K rzabCN4NsQPk0SYIZ9l+tZ6JxOOeRaYn+aCjzlbkiYR+wttIaH9nTECx2Rj7XvSw 9Ng/Mq0M6QsTV/jKfQDRMxRnNfnzF7865uBQYxZNFY9VP5Z21CcqMT54ia5NgcG8 8Bn2fnM3HcK5LUW3DRnsLhAi6XX0EuX5VMdYvx20aQUj/k8f6a0cPmtSqUVkpU/K ZcmLd4X+YS/o3UZnRY9OZOEb+kmZE/Yr8f/hR8tmle6FCPS1YLtkwDn3qg/oQA03 B5rLmzc+x32XZC0dn/HRZTLc4TXQLij0kZpuxiDmbEJmdARDWsl+e0VdBuQdD3Hr Q2QvhSVvQgwue8vclfIQVElSZpW93HuyyR8O8ugofwcOt7XwI7k+8ZfrjkjHMPGZ QW/i0FQJx4Kup70bzOubb3VEQ7cwAJtE1dvY55oaulDexq3RVMW7oEsvd84X2K8O G3+YOZLMrvM1kFskRt067rttbJfMXvstMSHCCfGSqA7fdth6VNQ= =KAsu -----END PGP SIGNATURE-----