From owner-freebsd-security@freebsd.org Thu May 27 00:54:53 2021
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:11.smap
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210527005453.A12B017B88@freefall.freebsd.org>
Date: Thu, 27 May 2021 00:54:53 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:11.smap                                       Security Advisory
                                                          The FreeBSD Project

Topic:          SMAP bypass

Category:       core
Module:         amd64
Announced:      2021-05-26
Credits:        I lost my dog if you see him please contact me at @m00nbsd.
Affects:        FreeBSD 12.2 and later.
Corrected:      2021-05-26 19:18:54 UTC (stable/13, 13.0-STABLE)
                2021-05-26 19:31:50 UTC (releng/13.0, 13.0-RELEASE-p1)
                2021-05-26 19:30:31 UTC (stable/12, 12.2-STABLE)
                2021-05-26 20:40:20 UTC (releng/12.2, 12.2-RELEASE-p7)
CVE Name:       CVE-2021-29628

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Supervisor Mode Access Prevention (SMAP) is a security feature
implemented by contemporary Intel and AMD CPUs. When enabled, it
ensures that accesses to user memory by the kernel trigger a page fault
and a subsequent kernel panic. This helps mitigate the security
implications of kernel bugs that permit an attacker to read from or
write to user memory from the kernel.

The kernel may legitimately need to copy data between userspace and the
kernel. To enable this, SMAP is temporarily disabled in the subroutines
which handle this copying, so only small, specially designated portions
of the kernel should be executed with SMAP disabled.

II.  Problem Description

The FreeBSD kernel enables SMAP during boot when the CPU reports that
the SMAP capability is present. Subroutines such as copyin() and
copyout() are responsible for disabling SMAP around the sections of code
that perform user memory accesses.

Such subroutines must handle page faults triggered when user memory is
not mapped. The kernel's page fault handler checks the validity of the
fault, and if it is indeed valid it will map a page and resume copying.
If the fault is invalid, the fault handler returns control to a
trampoline which aborts the operation and causes an error to be
returned. In this second scenario, a bug in the implementation of SMAP
support meant that SMAP would remain disabled until the thread returns
to user mode.

III. Impact

This bug may be used to bypass the protections provided by SMAP for the
duration of a system call. It could thus be combined with other kernel
bugs to craft an exploit.

IV.  Workaround

No workaround is available. On hardware that does not implement SMAP,
the bug is inconsequential as the mitigation does not exist in the first
place.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.
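The failure mode described in section II, an abort path that returns with SMAP still suspended, as an added model written for this page rather than FreeBSD kernel code: the stac/clac instructions and the page-fault validity check are simulated with a flag and a constructed 64-byte user mapping, and the function names copyin_unfixed, copyin_fixed and copyin_restores_smap are assumptions. The invariant check at the end is the kind of regression test that distinguishes the two versions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the SMAP state machine (not FreeBSD's code). On x86 with
 * CR4.SMAP set, a supervisor-mode access to a user page faults unless
 * EFLAGS.AC is set; the kernel sets AC with stac to open a window around
 * a user copy and clears it with clac once the copy is done.
 */
static bool ac_flag;                        /* true: SMAP enforcement suspended */
static void stac(void) { ac_flag = true; }  /* suspend SMAP for the copy */
static void clac(void) { ac_flag = false; } /* re-enable SMAP */
bool smap_suspended(void) { return ac_flag; }

/* Constructed user address space: only [0, USER_MAPPED) is mapped. */
#define USER_MAPPED 64
static uint8_t user_mem[USER_MAPPED];

/* Stand-in for the page-fault handler's validity check: 0 if the range can
 * be mapped, EFAULT if the fault is invalid and the copy must be aborted. */
static int resolve_user_fault(size_t uaddr, size_t len)
{
	return (uaddr <= USER_MAPPED && len <= USER_MAPPED - uaddr) ? 0 : EFAULT;
}

/* copyin with the flaw the advisory describes: the abort trampoline returns
 * the error without re-enabling SMAP, so AC stays set until the thread
 * returns to user mode. */
int copyin_unfixed(size_t uaddr, void *kdst, size_t len)
{
	stac();
	if (resolve_user_fault(uaddr, len) != 0)
		return EFAULT;              /* trampoline path: clac() missing */
	memcpy(kdst, &user_mem[uaddr], len);
	clac();
	return 0;
}

/* Corrected shape: every exit, including the abort path, restores SMAP. */
int copyin_fixed(size_t uaddr, void *kdst, size_t len)
{
	stac();
	if (resolve_user_fault(uaddr, len) != 0) {
		clac();                     /* restore enforcement before returning */
		return EFAULT;
	}
	memcpy(kdst, &user_mem[uaddr], len);
	clac();
	return 0;
}

/* Invariant a kernel test would assert: after copyin returns, whatever the
 * outcome, SMAP must be enforced again. Returns true if FN keeps it. */
bool copyin_restores_smap(int (*fn)(size_t, void *, size_t))
{
	uint8_t buf[16];
	bool ok = true;

	clac();
	fn(0, buf, sizeof buf);                     /* fully mapped: succeeds */
	ok = ok && !smap_suspended();
	clac();
	fn(USER_MAPPED - 4, buf, sizeof buf);       /* runs off the mapping: aborts */
	ok = ok && !smap_suspended();
	return ok;
}

/* Sanity check that the fixed path still copies the right bytes and still
 * reports invalid user ranges. */
bool copyin_fixed_copies(void)
{
	uint8_t buf[4] = {0};

	memcpy(user_mem, "abcd", 4);               /* constructed user data */
	return copyin_fixed(0, buf, 4) == 0 && memcmp(buf, "abcd", 4) == 0 &&
	    copyin_fixed(USER_MAPPED - 2, buf, 4) == EFAULT;
}

int main(void)
{
	printf("unfixed copyin leaves SMAP enforced: %s\n",
	    copyin_restores_smap(copyin_unfixed) ? "yes" : "no");
	printf("fixed copyin leaves SMAP enforced:   %s\n",
	    copyin_restores_smap(copyin_fixed) ? "yes" : "no");
	return 0;
}
```

The point of the check is that the invariant must hold on the error path, not only on the success path; the unfixed version passes the first probe and fails the second, which is exactly the window the advisory describes.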
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:11/smap.patch
# fetch https://security.FreeBSD.org/patches/SA-21:11/smap.patch.asc
# gpg --verify smap.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              876ffe28796c    stable/13-n245764
releng/13.0/                            f32130a1955e  releng/13.0-n244739
stable/12/                                                        r369857
releng/12.2/                                                      r369863
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Thu May 27 00:55:13 2021
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:12.libradius
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210527005513.C708F178EB@freefall.freebsd.org>
Date: Thu, 27 May 2021 00:55:13 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:12.libradius                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Missing message validation in libradius(3)

Category:       core
Module:         libradius
Announced:      2021-05-26
Credits:        leommxj and Swings from Chaitin Security Research Lab
Affects:        All supported versions of FreeBSD.
Corrected:      2021-05-26 19:45:31 UTC (stable/13, 13.0-STABLE)
                2021-05-26 20:36:29 UTC (releng/13.0, 13.0-RELEASE-p1)
                2021-05-26 20:39:35 UTC (stable/12, 12.2-STABLE)
                2021-05-26 20:40:23 UTC (releng/12.2, 12.2-RELEASE-p7)
                2021-05-26 20:41:31 UTC (stable/11, 11.4-STABLE)
                2021-05-26 20:41:58 UTC (releng/11.4, 11.4-RELEASE-p10)
CVE Name:       CVE-2021-29629

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

libradius(3) is a client and server library implementing the Remote
Authentication Dial In User Service (RADIUS) protocol. It is used by
pam_radius(8) and mpd5 (available in the ports tree as net/mpd5).

II.  Problem Description

libradius did not perform sufficient validation of received messages.
rad_get_attr(3) did not verify that the attribute length is valid before
subtracting the length of the Type and Length fields. As a result, it
could return success while also providing a bogus length of SIZE_T_MAX - 2
for the Value field.

When processing attributes to find an optional authenticator,
is_valid_response() failed to verify that each attribute length is
non-zero and could thus enter an infinite loop.

III. Impact

A server may use libradius(3) to process messages from RADIUS clients.
In this case, a malicious client could trigger a denial-of-service in the
server.
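The two checks section II says were missing, an attribute Length that must be at least 2 before the header is subtracted and a walk that must always advance, shown in an added example written for this page rather than libradius code. The function names, the message layouts and the sample bytes are constructed; the only protocol facts relied on are the 20-byte RADIUS header and the Type/Length/Value attribute format with Length counting its own two header bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RAD_HDR_LEN   20     /* Code, Identifier, Length(2), Authenticator(16) */
#define RAD_ATTR_HDR  2      /* Type byte + Length byte */
#define RAD_MAX_LEN   4096
#define RAD_MSG_AUTH  80     /* Message-Authenticator attribute type */

/* The unchecked computation the advisory describes for rad_get_attr(3):
 * subtract the header size without requiring len >= 2. For len 0 or 1 the
 * subtraction wraps to a value near SIZE_MAX. */
size_t attr_value_len_unchecked(uint8_t attr_len)
{
	return (size_t)attr_len - RAD_ATTR_HDR;
}

/* Checked computation: the attribute must cover its own header and must not
 * run past the bytes that remain in the message. */
bool attr_value_len_checked(uint8_t attr_len, size_t remaining, size_t *vlen)
{
	if (attr_len < RAD_ATTR_HDR || attr_len > remaining)
		return false;
	*vlen = attr_len - RAD_ATTR_HDR;
	return true;
}

/* Validate every attribute in MSG and count them. If WANT is non-zero and
 * present, store the offset of that attribute's Value in *VALUE_OFF.
 * Returns the count, or -1 for a malformed message. Each accepted attribute
 * has Length >= 2, so POS always advances and the loop cannot spin the way
 * the advisory describes for is_valid_response(). */
int rad_scan_attrs(const uint8_t *msg, size_t msglen, uint8_t want,
    size_t *value_off)
{
	size_t declared, pos, remaining, vlen = 0;
	int count = 0;
	bool found = false;

	if (msglen < RAD_HDR_LEN || msglen > RAD_MAX_LEN)
		return -1;
	declared = ((size_t)msg[2] << 8) | msg[3];   /* Length field, big-endian */
	if (declared < RAD_HDR_LEN || declared > msglen)
		return -1;
	for (pos = RAD_HDR_LEN; pos < declared; pos += RAD_ATTR_HDR + vlen) {
		remaining = declared - pos;
		if (remaining < RAD_ATTR_HDR)
			return -1;                           /* dangling Type byte */
		if (!attr_value_len_checked(msg[pos + 1], remaining, &vlen))
			return -1;                           /* zero, short or overlong */
		if (want != 0 && !found && msg[pos] == want) {
			found = true;
			if (value_off != NULL)
				*value_off = pos + RAD_ATTR_HDR;
		}
		count++;
	}
	return count;
}

/* Constructed messages. Well-formed Access-Request with User-Name "user" and
 * a 16-byte Message-Authenticator; Length = 20 + 6 + 18 = 44 (0x2c). */
static const uint8_t msg_ok[] = {
	0x01, 0x2a, 0x00, 0x2c, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
	0x01, 0x06, 'u', 's', 'e', 'r',
	RAD_MSG_AUTH, 0x12, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
};
/* One attribute with Length 0: the case behind the infinite loop. */
static const uint8_t msg_zero_len[] = {
	0x01, 0x2b, 0x00, 0x16, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
	0x01, 0x00,
};
/* Attribute claiming 10 bytes when only 4 remain in the message. */
static const uint8_t msg_overlong[] = {
	0x01, 0x2c, 0x00, 0x18, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
	0x01, 0x0a, 'a', 'b',
};

int demo_ok(void)       { return rad_scan_attrs(msg_ok, sizeof msg_ok, 0, NULL); }
int demo_zero_len(void) { return rad_scan_attrs(msg_zero_len, sizeof msg_zero_len, 0, NULL); }
int demo_overlong(void) { return rad_scan_attrs(msg_overlong, sizeof msg_overlong, 0, NULL); }

/* Offset of the Message-Authenticator value in msg_ok, or -1. */
long demo_find_auth(void)
{
	size_t off = 0;
	if (rad_scan_attrs(msg_ok, sizeof msg_ok, RAD_MSG_AUTH, &off) < 0)
		return -1;
	return (long)off;
}

int main(void)
{
	printf("ok=%d zero_len=%d overlong=%d auth_off=%ld wrapped=%zu\n",
	    demo_ok(), demo_zero_len(), demo_overlong(), demo_find_auth(),
	    attr_value_len_unchecked(0));
	return 0;
}
```

The consumer-side lesson from section III applies here too: a caller that trusts the length returned by an unchecked rad_get_attr(3) and passes it to memcpy or a loop bound inherits the crash, so validating the length at the parser is the fix and re-validating it at the consumer is the defence in depth.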
A client using libradius(3) to process messages from a server is
susceptible to the same problem.

The impact of the rad_get_attr(3) bug depends on how the returned length
is validated and used by the consumer. It is possible that libradius(3)
applications will crash or enter an infinite loop when calling
rad_get_attr(3) on untrusted RADIUS messages.

IV.  Workaround

No workaround is available. Systems not making use of libradius(3) are
unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0, 12.2]
# fetch https://security.FreeBSD.org/patches/SA-21:12/libradius.patch
# fetch https://security.FreeBSD.org/patches/SA-21:12/libradius.patch.asc
# gpg --verify libradius.patch.asc

[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-21:12/libradius.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:12/libradius.11.patch.asc
# gpg --verify libradius.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              bec0d2c9c841    stable/13-n245765
releng/13.0/                            7d900abe6269  releng/13.0-n244743
stable/12/                                                        r369859
releng/12.2/                                                      r369864
stable/11/                                                        r369866
releng/11.4/                                                      r369867
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Thu May 27 17:35:58 2021
From: Gordon Tetlow
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:11.smap
Date: Thu, 27 May 2021 10:35:52 -0700
To: freebsd-security
In-Reply-To: <20210527005453.A12B017B88@freefall.freebsd.org>
Message-Id: <0FAFDFB3-84AA-4E30-82F5-61236EC0B3F7@tetlows.org>

Since I had a question on this in another forum, I figure I'll copy it to
the public list as well. The credit line below was specifically requested
by the reporter. It wasn't a typo or a lack of proof-reading on our part.

Best,
Gordon
Hat: security-officer

> On May 26, 2021, at 5:54 PM, FreeBSD Security Advisories wrote:
> [...]
> Credits:        I lost my dog if you see him please contact me at @m00nbsd.
> [...]