From: Jon Passki
To: FreeBSD-Security
Date: Fri, 2 Oct 2009 16:03:51 -0500
Subject: Fwd: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe

Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high number such as 65536? This does not fix the vulnerability per se, but one would hope it stops a user mapping code to 0x0.

Also, were these the issues Przemyslaw Frasunek discovered? If so, I did not see an attribution to him in the advisory. (I could have missed it.) Any reason why not?

Cheers,
Jon

Begin forwarded message:

> From: FreeBSD Security Advisories
> Date: October 2, 2009 20:11:56 CDT
> To: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
> Reply-To: freebsd-security@freebsd.org
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:13.pipe                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          kqueue pipe race conditions
>
> Category:       core
> Module:         kern
> Announced:      2009-10-02
> Credits:        Przemyslaw Frasunek
> Affects:        FreeBSD 6.x
> Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>                 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>                 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> Pipes are a form of inter-process communication (IPC) provided by the
> FreeBSD kernel. kqueue is an event management API that applications can
> use to monitor pipes and other kernel services.
>
> II.  Problem Description
>
> A race condition exists in the pipe close() code relating to kqueues,
> causing use-after-free for kernel memory, which may lead to an
> exploitable NULL pointer vulnerability in the kernel, kernel memory
> corruption, and other unpredictable results.
>
> III. Impact
>
> Successful exploitation of the race condition can lead to local kernel
> privilege escalation, kernel data corruption and/or crash.
>
> To exploit this vulnerability, an attacker must be able to run code on
> the target system.
>
> IV.  Workaround
>
> An errata notice, FreeBSD-EN-09:05.null has been released simultaneously
> to this advisory, and contains a kernel patch implementing a workaround
> for a more broad class of vulnerabilities. However, prior to those
> changes, no workaround is available.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3 and
> 6.4.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in and reboot the system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> -------------------------------------------------------------------------
> RELENG_6
>   src/sys/kern/kern_event.c                                      1.93.2.7
>   src/sys/kern/kern_fork.c                                      1.252.2.8
>   src/sys/kern/sys_pipe.c                                       1.184.2.6
>   src/sys/sys/event.h                                            1.32.2.1
>   src/sys/sys/pipe.h                                             1.29.2.1
> RELENG_6_4
>   src/UPDATING                                            1.416.2.40.2.11
>   src/sys/conf/newvers.sh                                  1.69.2.18.2.13
>   src/sys/kern/kern_event.c                                  1.93.2.6.6.2
>   src/sys/kern/kern_fork.c                                  1.252.2.7.4.2
>   src/sys/kern/sys_pipe.c                                   1.184.2.4.2.3
>   src/sys/sys/event.h                                          1.32.12.2
>   src/sys/sys/pipe.h                                           1.29.16.2
> RELENG_6_3
>   src/UPDATING                                            1.416.2.37.2.18
>   src/sys/conf/newvers.sh                                  1.69.2.15.2.17
>   src/sys/kern/kern_event.c                                  1.93.2.6.4.1
>   src/sys/kern/kern_fork.c                                  1.252.2.7.2.1
>   src/sys/kern/sys_pipe.c                                   1.184.2.2.6.3
>   src/sys/sys/event.h                                          1.32.10.1
>   src/sys/sys/pipe.h                                           1.29.12.1
> -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> stable/6/                                                         r197715
> releng/6.4/                                                       r197715
> releng/6.3/                                                       r197715
> -------------------------------------------------------------------------
>
> VII. References
>
> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l
> FKxrbF0G4v9P6SyyfAdVOFY=
> =TWhC
> -----END PGP SIGNATURE-----
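Jon's question and the FreeBSD-EN-09:05.null workaround both turn on the same property: whether an unprivileged process can put a mapping at address 0, so that a kernel NULL pointer dereference of the kind described in section II lands on attacker-controlled memory. The program below is an added example (not code from the advisory, the thread, or the FreeBSD project) that checks that property from the defender's side by asking the kernel for one page at address 0 and reporting whether the request was refused; it assumes a POSIX mmap(2) with MAP_FIXED and anonymous mappings, and the errno values it treats as a policy refusal are my reading of Linux (vm.mmap_min_addr) and FreeBSD (security.bsd.map_at_zero, as I recall the errata's sysctl name) behaviour.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older BSD spelling of the same flag */
#endif

/* Outcome of the probe. */
enum null_page_status {
    NULL_PAGE_BLOCKED  = 0,   /* kernel refused: low-address mapping policy is in effect */
    NULL_PAGE_MAPPABLE = 1,   /* kernel granted page 0 to user space: mitigation absent */
    NULL_PAGE_ERROR    = -1   /* mmap failed for an unrelated reason; see saved errno */
};

/* Ask for one anonymous page exactly at address 0 (MAP_FIXED). If the kernel
 * grants it, release it at once; nothing is ever written through the mapping. */
int probe_null_page(int *saved_errno)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, pagesize, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {                 /* note: p == NULL here means success */
        int e = errno;
        if (saved_errno) *saved_errno = e;
        /* EPERM/EACCES: policy refusal (Linux vm.mmap_min_addr, LSM);
         * EINVAL: address below the map's minimum (assumed FreeBSD map_at_zero=0). */
        if (e == EPERM || e == EACCES || e == EINVAL)
            return NULL_PAGE_BLOCKED;
        return NULL_PAGE_ERROR;
    }
    if (saved_errno) *saved_errno = 0;
    munmap(p, pagesize);
    return NULL_PAGE_MAPPABLE;
}

const char *null_page_status_name(int status)
{
    switch (status) {
    case NULL_PAGE_BLOCKED:  return "blocked";
    case NULL_PAGE_MAPPABLE: return "mappable";
    default:                 return "error";
    }
}

int main(void)
{
    int e = 0;
    int r = probe_null_page(&e);
    printf("page 0 is %s", null_page_status_name(r));
    if (r != NULL_PAGE_MAPPABLE) printf(" (errno %d: %s)", e, strerror(e));
    printf("\n");
    return r == NULL_PAGE_BLOCKED ? 0 : 1;   /* non-zero exit flags a gap for scripts */
}
```

Run it as the unprivileged user you care about: a process holding the raw-I/O capability (root on Linux) can bypass the check, so "mappable" as root says nothing about what an ordinary local user can do.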