Date: Fri, 2 Oct 2009 16:03:51 -0500
From: Jon Passki <jon@passki.us>
To: FreeBSD-Security <freebsd-security@freebsd.org>
Subject: Fwd: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
Message-ID: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>

Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high number
such as 65536? This does not fix the vulnerability per se, but one would
hope it stops a user mapping code to 0x0.

Also, were these the issues Przemyslaw Frasunek discovered? If so, I did
not see an attribution to him in the advisory. (I could have missed it.)
Any reason why not?

Cheers,

Jon

Begin forwarded message:

> From: FreeBSD Security Advisories <security-advisories@freebsd.org>
> Date: October 2, 2009 20:11:56 CDT
> To: FreeBSD Security Advisories <security-advisories@freebsd.org>
> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
> Reply-To: freebsd-security@freebsd.org
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:13.pipe                                      Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          kqueue pipe race conditions
> Category:       core
> Module:         kern
> Announced:      2009-10-02
> Credits:        Przemyslaw Frasunek
> Affects:        FreeBSD 6.x
> Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>                 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>                 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> Pipes are a form of inter-process communication (IPC) provided by the
> FreeBSD kernel. kqueue is an event management API that applications can
> use to monitor pipes and other kernel services.
>
> II.  Problem Description
>
> A race condition exists in the pipe close() code relating to kqueues,
> causing use-after-free for kernel memory, which may lead to an
> exploitable NULL pointer vulnerability in the kernel, kernel memory
> corruption, and other unpredictable results.
>
> III. Impact
>
> Successful exploitation of the race condition can lead to local kernel
> privilege escalation, kernel data corruption and/or crash.
>
> To exploit this vulnerability, an attacker must be able to run code on
> the target system.
>
> IV.  Workaround
>
> An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
> this advisory, and contains a kernel patch implementing a workaround for a
> more broad class of vulnerabilities. However, prior to those changes, no
> workaround is available.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3 and 6.4.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/sys/kern/kern_event.c                                      1.93.2.7
>   src/sys/kern/kern_fork.c                                      1.252.2.8
>   src/sys/kern/sys_pipe.c                                       1.184.2.6
>   src/sys/sys/event.h                                            1.32.2.1
>   src/sys/sys/pipe.h                                             1.29.2.1
> RELENG_6_4
>   src/UPDATING                                            1.416.2.40.2.11
>   src/sys/conf/newvers.sh                                  1.69.2.18.2.13
>   src/sys/kern/kern_event.c                                  1.93.2.6.6.2
>   src/sys/kern/kern_fork.c                                  1.252.2.7.4.2
>   src/sys/kern/sys_pipe.c                                   1.184.2.4.2.3
>   src/sys/sys/event.h                                           1.32.12.2
>   src/sys/sys/pipe.h                                            1.29.16.2
> RELENG_6_3
>   src/UPDATING                                            1.416.2.37.2.18
>   src/sys/conf/newvers.sh                                  1.69.2.15.2.17
>   src/sys/kern/kern_event.c                                  1.93.2.6.4.1
>   src/sys/kern/kern_fork.c                                  1.252.2.7.2.1
>   src/sys/kern/sys_pipe.c                                   1.184.2.2.6.3
>   src/sys/sys/event.h                                           1.32.10.1
>   src/sys/sys/pipe.h                                            1.29.12.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/6/                                                         r197715
> releng/6.4/                                                       r197715
> releng/6.3/                                                       r197715
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l
> FKxrbF0G4v9P6SyyfAdVOFY=
> =TWhC
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
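
Added example (not part of the original message or of the advisory): one way to check a checked-out source tree against the corrected CVS revisions that section VI lists for RELENG_6_4, by parsing the $FreeBSD$ ident strings of the affected files. The sample ident lines, their dates and the committer name "user" are constructed, and the helper names are hypothetical; the check goes slightly beyond the table by treating a revision at or before the branch point as pre-fix.

```python
import re

# Corrected CVS revisions for RELENG_6_4, copied from section VI of the
# advisory (kernel files only; UPDATING and newvers.sh are left out).
FIXED_RELENG_6_4 = {
    "src/sys/kern/kern_event.c": "1.93.2.6.6.2",
    "src/sys/kern/kern_fork.c": "1.252.2.7.4.2",
    "src/sys/kern/sys_pipe.c": "1.184.2.4.2.3",
    "src/sys/sys/event.h": "1.32.12.2",
    "src/sys/sys/pipe.h": "1.29.16.2",
}

# Constructed sample of ident strings; dates and committer are placeholders.
SAMPLE_IDENT = """\
$FreeBSD: src/sys/kern/kern_event.c,v 1.93.2.6.6.2 2009/10/02 18:09:56 user Exp $
$FreeBSD: src/sys/kern/kern_fork.c,v 1.252.2.7 2008/01/01 00:00:00 user Exp $
$FreeBSD: src/sys/kern/sys_pipe.c,v 1.184.2.4.2.2 2009/01/01 00:00:00 user Exp $
$FreeBSD: src/sys/sys/event.h,v 1.32.2.1 2009/10/02 18:09:56 user Exp $
"""

IDENT_RE = re.compile(r"\$FreeBSD: (\S+),v (\d+(?:\.\d+)+) ")

def is_ancestor(a, b):
    """True if CVS revision a is b itself or lies on b's line of descent."""
    n = len(a)
    return n <= len(b) and a[:-1] == b[:n - 1] and a[-1] <= b[n - 1]

def classify(found, fixed):
    f = [int(p) for p in found.split(".")]
    x = [int(p) for p in fixed.split(".")]
    if is_ancestor(x, f):
        return "fixed"          # the corrected revision or a descendant of it
    if is_ancestor(f, x):
        return "vulnerable"     # predates the fix, including the branch point
    return "other-branch"       # compare against that branch's row instead

def audit(ident_text, fixed_table):
    """Map each file in the table to fixed/vulnerable/other-branch/missing."""
    found = dict(IDENT_RE.findall(ident_text))
    return {path: classify(found[path], rev) if path in found else "missing"
            for path, rev in fixed_table.items()}

if __name__ == "__main__":
    for path, status in audit(SAMPLE_IDENT, FIXED_RELENG_6_4).items():
        print(f"{status:13} {path}")
```
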