Date: Fri, 2 Oct 2009 16:27:28 -0500 From: Jon Passki <jon@passki.us> To: FreeBSD-Security <freebsd-security@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe Message-ID: <CEC9B8CB-5EBC-4444-A057-A729A2607604@passki.us> In-Reply-To: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us> References: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
next in thread | previous in thread | raw e-mail | index | archive | help
I'm an idiot re: credits. Sorry. Jon On Oct 2, 2009, at 16:03, Jon Passki <jon@passki.us> wrote: > Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high > number such as 65536? This does not fix the vulnerability per se, > but one would hope it stops a user mapping code to 0x0. > > Also, were these the issues Przemyslaw Frasunek discovered? If so, I > did not see an attribution to him in the advisory. (I could have > missed it.) Any reason why not? > > Cheers, > > Jon > > Begin forwarded message: > >> From: FreeBSD Security Advisories <security-advisories@freebsd.org> >> Date: October 2, 2009 20:11:56 CDT >> To: FreeBSD Security Advisories <security-advisories@freebsd.org> >> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe >> Reply-To: freebsd-security@freebsd.org >> > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> === >> === >> === >> ==================================================================== >> FreeBSD-SA-09:13.pipe >> Security Advisory >> The >> FreeBSD Project >> >> Topic: kqueue pipe race conditions >> Category: core >> Module: kern >> Announced: 2009-10-02 >> Credits: Przemyslaw Frasunek >> Affects: FreeBSD 6.x >> Corrected: 2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE) >> 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7) >> 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13) >> >> For general information regarding FreeBSD Security Advisories, >> including descriptions of the fields above, security branches, and >> the >> following sections, please visit <URL:http://security.FreeBSD.org/>. >> >> I. Background >> >> Pipes are a form of inter-process communication (IPC) provided by the >> FreeBSD kernel. kqueue is an event management API that >> applications can >> use to monitor pipes and other kernel services. >> >> II. Problem Description >> >> A race condition exists in the pipe close() code relating to kqueues, >> causing use-after-free for kernel memory, which may lead to an >> exploitable NULL pointer vulnerability in the kernel, kernel memory >> corruption, and other unpredictable results. >> >> III. Impact >> >> Successful exploitation of the race condition can lead to local >> kernel >> privilege escalation, kernel data corruption and/or crash. >> >> To exploit this vulnerability, an attacker must be able to run code >> on >> the target system. >> >> IV. Workaround >> >> An errata notice, FreeBSD-EN-09:05.null has been released >> simultaneously to >> this advisory, and contains a kernel patch implementing a >> workaround for a >> more broad class of vulnerabilities. However, prior to those >> changes, no >> workaround is available. >> >> V. Solution >> >> Perform one of the following: >> >> 1) Upgrade your vulnerable system to 6-STABLE, or to the >> RELENG_6_4, or >> RELENG_6_3 security branch dated after the correction date. >> >> 2) To patch your present system: >> >> The following patches have been verified to apply to FreeBSD 6.3 >> and 6.4. >> >> a) Download the relevant patch from the location below, and verify >> the >> detached PGP signature using your PGP utility. >> >> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch >> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc >> >> b) Apply the patch. >> >> # cd /usr/src >> # patch < /path/to/patch >> >> c) Recompile your kernel as described in >> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot >> the >> system. >> >> VI. Correction details >> >> The following list contains the revision numbers of each file that >> was >> corrected in FreeBSD. >> >> CVS: >> >> Branch >> Revision >> Path >> - >> --- >> --- >> ------------------------------------------------------------------- >> RELENG_6 >> src/sys/kern/kern_event.c >> 1.93.2.7 >> src/sys/kern/kern_fork.c >> 1.252.2.8 >> src/sys/kern/sys_pipe.c >> 1.184.2.6 >> src/sys/sys/event.h >> 1.32.2.1 >> src/sys/sys/pipe.h >> 1.29.2.1 >> RELENG_6_4 >> src/UPDATING 1.416.2.40.2.11 >> src/sys/conf/newvers.sh 1.69.2.18.2.13 >> src/sys/kern/kern_event.c 1.93.2.6.6.2 >> src/sys/kern/kern_fork.c 1.252.2.7.4.2 >> src/sys/kern/sys_pipe.c 1.184.2.4.2.3 >> src/sys/sys/event.h >> 1.32.12.2 >> src/sys/sys/pipe.h >> 1.29.16.2 >> RELENG_6_3 >> src/UPDATING 1.416.2.37.2.18 >> src/sys/conf/newvers.sh 1.69.2.15.2.17 >> src/sys/kern/kern_event.c 1.93.2.6.4.1 >> src/sys/kern/kern_fork.c 1.252.2.7.2.1 >> src/sys/kern/sys_pipe.c 1.184.2.2.6.3 >> src/sys/sys/event.h >> 1.32.10.1 >> src/sys/sys/pipe.h >> 1.29.12.1 >> - >> --- >> --- >> ------------------------------------------------------------------- >> >> Subversion: >> >> Branch/path >> Revision >> - >> --- >> --- >> ------------------------------------------------------------------- >> stable/6/ >> r197715 >> releng/6.4/ >> r197715 >> releng/6.3/ >> r197715 >> - >> --- >> --- >> ------------------------------------------------------------------- >> >> VII. References >> >> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243 >> >> The latest revision of this advisory is available at >> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.10 (FreeBSD) >> >> iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l >> FKxrbF0G4v9P6SyyfAdVOFY= >> =TWhC >> -----END PGP SIGNATURE----- >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org >> " >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CEC9B8CB-5EBC-4444-A057-A729A2607604>