Date:      Fri, 2 Oct 2009 16:27:28 -0500
From:      Jon Passki <jon@passki.us>
To:        FreeBSD-Security <freebsd-security@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
Message-ID:  <CEC9B8CB-5EBC-4444-A057-A729A2607604@passki.us>
In-Reply-To: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
References:  <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>

I'm an idiot re: credits. Sorry.

Jon

On Oct 2, 2009, at 16:03, Jon Passki <jon@passki.us> wrote:

> Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high  
> number such as 65536? This does not fix the vulnerability per se,  
> but one would hope it stops a user mapping code to 0x0.
>
> Also, were these the issues Przemyslaw Frasunek discovered? If so, I  
> did not see an attribution to him in the advisory. (I could have  
> missed it.)  Any reason why not?
>
> Cheers,
>
> Jon
>
> Begin forwarded message:
>
>> From: FreeBSD Security Advisories <security-advisories@freebsd.org>
>> Date: October 2, 2009 20:11:56 CDT
>> To: FreeBSD Security Advisories <security-advisories@freebsd.org>
>> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
>> Reply-To: freebsd-security@freebsd.org
>>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> =============================================================================
>> FreeBSD-SA-09:13.pipe                                       Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          kqueue pipe race conditions
>> Category:       core
>> Module:         kern
>> Announced:      2009-10-02
>> Credits:        Przemyslaw Frasunek
>> Affects:        FreeBSD 6.x
>> Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>>                2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>>                2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>>
>> For general information regarding FreeBSD Security Advisories,
>> including descriptions of the fields above, security branches, and the
>> following sections, please visit <URL:http://security.FreeBSD.org/>.
>>
>> I.   Background
>>
>> Pipes are a form of inter-process communication (IPC) provided by the
>> FreeBSD kernel.  kqueue is an event management API that applications can
>> use to monitor pipes and other kernel services.
>>
>> II.  Problem Description
>>
>> A race condition exists in the pipe close() code relating to kqueues,
>> causing use-after-free for kernel memory, which may lead to an
>> exploitable NULL pointer vulnerability in the kernel, kernel memory
>> corruption, and other unpredictable results.
>>
>> III. Impact
>>
>> Successful exploitation of the race condition can lead to local kernel
>> privilege escalation, kernel data corruption and/or crash.
>>
>> To exploit this vulnerability, an attacker must be able to run code on
>> the target system.
>>
>> IV.  Workaround
>>
>> An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
>> this advisory, and contains a kernel patch implementing a workaround for a
>> more broad class of vulnerabilities.  However, prior to those changes, no
>> workaround is available.
>>
>> V.   Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
>> RELENG_6_3 security branch dated after the correction date.
>>
>> 2) To patch your present system:
>>
>> The following patches have been verified to apply to FreeBSD 6.3 and 6.4.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
>> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
>>
>> b) Apply the patch.
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> c) Recompile your kernel as described in
>> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
>> system.
>>
>> VI.  Correction details
>>
>> The following list contains the revision numbers of each file that was
>> corrected in FreeBSD.
>>
>> CVS:
>>
>> Branch                                                           Revision
>>   Path
>> - -------------------------------------------------------------------------
>> RELENG_6
>>   src/sys/kern/kern_event.c                                      1.93.2.7
>>   src/sys/kern/kern_fork.c                                      1.252.2.8
>>   src/sys/kern/sys_pipe.c                                       1.184.2.6
>>   src/sys/sys/event.h                                            1.32.2.1
>>   src/sys/sys/pipe.h                                             1.29.2.1
>> RELENG_6_4
>>   src/UPDATING                                            1.416.2.40.2.11
>>   src/sys/conf/newvers.sh                                  1.69.2.18.2.13
>>   src/sys/kern/kern_event.c                                  1.93.2.6.6.2
>>   src/sys/kern/kern_fork.c                                  1.252.2.7.4.2
>>   src/sys/kern/sys_pipe.c                                   1.184.2.4.2.3
>>   src/sys/sys/event.h                                           1.32.12.2
>>   src/sys/sys/pipe.h                                            1.29.16.2
>> RELENG_6_3
>>   src/UPDATING                                            1.416.2.37.2.18
>>   src/sys/conf/newvers.sh                                  1.69.2.15.2.17
>>   src/sys/kern/kern_event.c                                  1.93.2.6.4.1
>>   src/sys/kern/kern_fork.c                                  1.252.2.7.2.1
>>   src/sys/kern/sys_pipe.c                                   1.184.2.2.6.3
>>   src/sys/sys/event.h                                           1.32.10.1
>>   src/sys/sys/pipe.h                                            1.29.12.1
>> - -------------------------------------------------------------------------
>>
>> Subversion:
>>
>> Branch/path                                                      Revision
>> - -------------------------------------------------------------------------
>> stable/6/                                                         r197715
>> releng/6.4/                                                       r197715
>> releng/6.3/                                                       r197715
>> - -------------------------------------------------------------------------
>>
>> VII. References
>>
>> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243
>>
>> The latest revision of this advisory is available at
>> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (FreeBSD)
>>
>> iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l
>> FKxrbF0G4v9P6SyyfAdVOFY=
>> =TWhC
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
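
Added example (not part of this thread or of the advisory): a small C probe for the question raised above, namely whether the running kernel lets the current process map the page at address 0x0. The function name probe_mapping is hypothetical; it maps a single PROT_NONE page and releases it immediately, with a kernel-chosen mapping as a control.

```c
#define _DEFAULT_SOURCE            /* expose MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON     /* BSD spelling */
#endif

/* Map one inaccessible (PROT_NONE) anonymous page and release it at once.
 * fixed_at_zero != 0: demand address 0 exactly (MAP_FIXED).
 * fixed_at_zero == 0: let the kernel pick the address (control case).
 * Returns 1 if the mapping was granted, 0 if refused; *err receives errno. */
static int probe_mapping(int fixed_at_zero, int *err)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int flags = MAP_PRIVATE | MAP_ANONYMOUS | (fixed_at_zero ? MAP_FIXED : 0);
    void *p = mmap(NULL, len, PROT_NONE, flags, -1, 0);

    *err = 0;
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    munmap(p, len);
    /* With MAP_FIXED a granted request must have landed at address 0. */
    return fixed_at_zero ? (p == NULL) : 1;
}

int main(void)
{
    int err;

    if (!probe_mapping(0, &err)) {          /* sanity check: mmap works at all */
        fprintf(stderr, "control mapping failed: %s\n", strerror(err));
        return 2;
    }
    if (probe_mapping(1, &err)) {
        puts("page 0 is mappable by this process: NULL-page mapping is not blocked");
        return 1;
    }
    printf("page 0 refused (%s): NULL-page mapping is blocked\n", strerror(err));
    return 0;
}
```

Run it as the unprivileged account whose exposure you are assessing; exit status 0 means the request for page 0 was refused, 1 means it was granted.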


