Date:      Fri, 2 Oct 2009 16:03:51 -0500
From:      Jon Passki <jon@passki.us>
To:        FreeBSD-Security <freebsd-security@freebsd.org>
Subject:   Fwd: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
Message-ID:  <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>

Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high number such as 65536? This does not fix the vulnerability per se, but one would hope it stops a user mapping code to 0x0.

Also, were these the issues Przemyslaw Frasunek discovered? If so, I did not see an attribution to him in the advisory. (I could have missed it.) Any reason why not?

Cheers,

Jon

Begin forwarded message:

> From: FreeBSD Security Advisories <security-advisories@freebsd.org>
> Date: October 2, 2009 20:11:56 CDT
> To: FreeBSD Security Advisories <security-advisories@freebsd.org>
> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
> Reply-To: freebsd-security@freebsd.org
>

>
> =========================================================================
> FreeBSD-SA-09:13.pipe                                   Security Advisory
>                                                       The FreeBSD Project
>
> Topic:          kqueue pipe race conditions
> Category:       core
> Module:         kern
> Announced:      2009-10-02
> Credits:        Przemyslaw Frasunek
> Affects:        FreeBSD 6.x
> Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>                2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>                2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> Pipes are a form of inter-process communication (IPC) provided by the
> FreeBSD kernel.  kqueue is an event management API that applications can
> use to monitor pipes and other kernel services.
>
> II.  Problem Description
>
> A race condition exists in the pipe close() code relating to kqueues,
> causing use-after-free for kernel memory, which may lead to an
> exploitable NULL pointer vulnerability in the kernel, kernel memory
> corruption, and other unpredictable results.
>
> III. Impact
>
> Successful exploitation of the race condition can lead to local kernel
> privilege escalation, kernel data corruption and/or crash.
>
> To exploit this vulnerability, an attacker must be able to run code on
> the target system.
>
> IV.  Workaround
>
> An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
> this advisory, and contains a kernel patch implementing a workaround for a
> more broad class of vulnerabilities.  However, prior to those changes, no
> workaround is available.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3 and 6.4.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
> system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> -------------------------------------------------------------------------
> RELENG_6
>   src/sys/kern/kern_event.c                                      1.93.2.7
>   src/sys/kern/kern_fork.c                                      1.252.2.8
>   src/sys/kern/sys_pipe.c                                       1.184.2.6
>   src/sys/sys/event.h                                            1.32.2.1
>   src/sys/sys/pipe.h                                             1.29.2.1
> RELENG_6_4
>   src/UPDATING                                            1.416.2.40.2.11
>   src/sys/conf/newvers.sh                                  1.69.2.18.2.13
>   src/sys/kern/kern_event.c                                  1.93.2.6.6.2
>   src/sys/kern/kern_fork.c                                  1.252.2.7.4.2
>   src/sys/kern/sys_pipe.c                                   1.184.2.4.2.3
>   src/sys/sys/event.h                                           1.32.12.2
>   src/sys/sys/pipe.h                                            1.29.16.2
> RELENG_6_3
>   src/UPDATING                                            1.416.2.37.2.18
>   src/sys/conf/newvers.sh                                  1.69.2.15.2.17
>   src/sys/kern/kern_event.c                                  1.93.2.6.4.1
>   src/sys/kern/kern_fork.c                                  1.252.2.7.2.1
>   src/sys/kern/sys_pipe.c                                   1.184.2.2.6.3
>   src/sys/sys/event.h                                           1.32.10.1
>   src/sys/sys/pipe.h                                            1.29.12.1
> -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> stable/6/                                                         r197715
> releng/6.4/                                                       r197715
> releng/6.3/                                                       r197715
> -------------------------------------------------------------------------
>
> VII. References
>
> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
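The patch steps a) and b) from section V of the forwarded advisory, as an added example that is not code from the advisory or the FreeBSD project: the detached PGP signature check is mandatory, and the source tree is only touched after a check-only pass shows the patch applies cleanly. It assumes FreeBSD fetch(1), patch(1) with the -C check-only flag, and a gpg(1) keyring that already holds the FreeBSD Security Officer key.

```shell
#!/bin/sh
# Added example: fetch, verify and apply an SA patch, failing closed at every step.
# Assumes fetch(1), patch -C (FreeBSD/OpenBSD patch) and gpg with the SO key imported.

PATCH_BASE="http://security.FreeBSD.org/patches/SA-09:13"   # URL from the advisory
SRCDIR="${SRCDIR:-/usr/src}"

# fetch_patch NAME WORKDIR: download NAME and its detached signature NAME.asc.
fetch_patch() {
    name=$1; dir=$2
    mkdir -p "$dir" || return 1
    fetch -o "$dir/$name" "$PATCH_BASE/$name" || return 1
    fetch -o "$dir/$name.asc" "$PATCH_BASE/$name.asc" || return 1
}

# verify_patch PATCHFILE: succeed only if PATCHFILE and PATCHFILE.asc both exist
# and gpg confirms the detached signature. gpg is not run until both are present.
verify_patch() {
    p=$1
    [ -f "$p" ] || { echo "missing $p" >&2; return 1; }
    [ -f "$p.asc" ] || { echo "missing $p.asc (detached signature)" >&2; return 1; }
    gpg --verify "$p.asc" "$p" >/dev/null 2>&1 \
        || { echo "signature check FAILED for $p; not applying" >&2; return 1; }
}

# apply_patch PATCHFILE SRCDIR: check-only pass first, so a patch that does not
# apply cleanly never leaves the tree half-modified.
apply_patch() {
    p=$1; src=$2
    ( cd "$src" && patch -C -s < "$p" ) \
        || { echo "patch would not apply cleanly in $src" >&2; return 1; }
    ( cd "$src" && patch -s < "$p" )
}

# run_advisory_patch NAME: steps a) and b) end to end; step c) (rebuild the
# kernel and reboot) is left to the operator.
run_advisory_patch() {
    name=$1
    dir=$(mktemp -d) || return 1
    fetch_patch "$name" "$dir" && verify_patch "$dir/$name" \
        && apply_patch "$dir/$name" "$SRCDIR" \
        && echo "$name applied to $SRCDIR; now rebuild the kernel and reboot"
}

# Example invocation: SRCDIR=/usr/src sh this_script.sh pipe.patch
if [ "$#" -ge 1 ]; then
    run_advisory_patch "$1"
fi
```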