From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 21:27:56 2009
From: Jon Passki
To: FreeBSD-Security
Date: Fri, 2 Oct 2009 16:27:28 -0500
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
In-Reply-To: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
References: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
X-Mailer: iPhone Mail (7C144)

I'm an idiot re: credits. Sorry.

Jon

On Oct 2, 2009, at 16:03, Jon Passki wrote:

> Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high
> number such as 65536? This does not fix the vulnerability per se,
> but one would hope it stops a user mapping code to 0x0.
>
> Also, were these the issues Przemyslaw Frasunek discovered? If so, I
> did not see an attribution to him in the advisory. (I could have
> missed it.) Any reason why not?
>
> Cheers,
>
> Jon
>
> Begin forwarded message:
>
>> From: FreeBSD Security Advisories
>> Date: October 2, 2009 20:11:56 CDT
>> To: FreeBSD Security Advisories
>> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
>> Reply-To: freebsd-security@freebsd.org
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> =============================================================================
>> FreeBSD-SA-09:13.pipe                                       Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          kqueue pipe race conditions
>>
>> Category:       core
>> Module:         kern
>> Announced:      2009-10-02
>> Credits:        Przemyslaw Frasunek
>> Affects:        FreeBSD 6.x
>> Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>>                 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>>                 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>>
>> For general information regarding FreeBSD Security Advisories,
>> including descriptions of the fields above, security branches, and the
>> following sections, please visit .
>>
>> I.   Background
>>
>> Pipes are a form of inter-process communication (IPC) provided by the
>> FreeBSD kernel.  kqueue is an event management API that applications can
>> use to monitor pipes and other kernel services.
>>
>> II.  Problem Description
>>
>> A race condition exists in the pipe close() code relating to kqueues,
>> causing use-after-free for kernel memory, which may lead to an
>> exploitable NULL pointer vulnerability in the kernel, kernel memory
>> corruption, and other unpredictable results.
>>
>> III. Impact
>>
>> Successful exploitation of the race condition can lead to local kernel
>> privilege escalation, kernel data corruption and/or crash.
>>
>> To exploit this vulnerability, an attacker must be able to run code on
>> the target system.
>>
>> IV.  Workaround
>>
>> An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
>> this advisory, and contains a kernel patch implementing a workaround for a
>> more broad class of vulnerabilities.  However, prior to those changes, no
>> workaround is available.
>>
>> V.   Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
>> RELENG_6_3 security branch dated after the correction date.
>>
>> 2) To patch your present system:
>>
>> The following patches have been verified to apply to FreeBSD 6.3 and 6.4.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
>> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
>>
>> b) Apply the patch.
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> c) Recompile your kernel as described in and reboot the system.
>>
>> VI.  Correction details
>>
>> The following list contains the revision numbers of each file that was
>> corrected in FreeBSD.
>>
>> CVS:
>>
>> Branch                                                           Revision
>>   Path
>> - -------------------------------------------------------------------------
>> RELENG_6
>>   src/sys/kern/kern_event.c                                        1.93.2.7
>>   src/sys/kern/kern_fork.c                                        1.252.2.8
>>   src/sys/kern/sys_pipe.c                                         1.184.2.6
>>   src/sys/sys/event.h                                              1.32.2.1
>>   src/sys/sys/pipe.h                                               1.29.2.1
>> RELENG_6_4
>>   src/UPDATING                                              1.416.2.40.2.11
>>   src/sys/conf/newvers.sh                                    1.69.2.18.2.13
>>   src/sys/kern/kern_event.c                                    1.93.2.6.6.2
>>   src/sys/kern/kern_fork.c                                    1.252.2.7.4.2
>>   src/sys/kern/sys_pipe.c                                     1.184.2.4.2.3
>>   src/sys/sys/event.h                                             1.32.12.2
>>   src/sys/sys/pipe.h                                              1.29.16.2
>> RELENG_6_3
>>   src/UPDATING                                              1.416.2.37.2.18
>>   src/sys/conf/newvers.sh                                    1.69.2.15.2.17
>>   src/sys/kern/kern_event.c                                    1.93.2.6.4.1
>>   src/sys/kern/kern_fork.c                                    1.252.2.7.2.1
>>   src/sys/kern/sys_pipe.c                                     1.184.2.2.6.3
>>   src/sys/sys/event.h                                             1.32.10.1
>>   src/sys/sys/pipe.h                                              1.29.12.1
>> - -------------------------------------------------------------------------
>>
>> Subversion:
>>
>> Branch/path                                                      Revision
>> - -------------------------------------------------------------------------
>> stable/6/                                                         r197715
>> releng/6.4/                                                       r197715
>> releng/6.3/                                                       r197715
>> - -------------------------------------------------------------------------
>>
>> VII. References
>>
>> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243
>>
>> The latest revision of this advisory is available at
>> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (FreeBSD)
>>
>> iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l
>> FKxrbF0G4v9P6SyyfAdVOFY=
>> =TWhC
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
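The question in the reply (does raising the minimum user address keep a user from mapping 0x0?) and the advisory's pointer to FreeBSD-EN-09:05.null both come down to one property of the running kernel: whether an unprivileged process can place a mapping at virtual address 0, which is what turns a kernel NULL pointer dereference like the one described above from a crash into code execution. The probe below is an added example, not code from the advisory, from the FreeBSD project, or from the poster. It assumes a modern FreeBSD or Linux host; the sysctl names it mentions in comments (security.bsd.map_at_zero on FreeBSD, vm.mmap_min_addr on Linux) are the knobs I know of and are not named anywhere on this page.

```c
/*
 * Added example (not from the advisory or the mail thread): probe whether
 * this process may map the page at virtual address 0 with MAP_FIXED.
 * A hardened kernel refuses (FreeBSD security.bsd.map_at_zero=0,
 * Linux vm.mmap_min_addr > 0); an unhardened one hands page zero to
 * the caller, which is exactly what a kernel NULL-deref exploit needs.
 */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Returns 1 if page zero was mapped (and immediately unmapped again),
 * 0 if the kernel refused the mapping (errno left in *err), and -1 on
 * an unexpected condition such as MAP_FIXED returning a different address.
 */
int probe_null_page_mapping(int *err)
{
    long pagesize = sysconf(_SC_PAGESIZE);
    if (pagesize <= 0) {
        if (err) *err = errno;
        return -1;
    }

    /* Ask for exactly the page at address 0; MAP_FIXED forbids relocation. */
    void *p = mmap((void *)0, (size_t)pagesize, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        /* Linux reports EPERM below mmap_min_addr; FreeBSD reports EINVAL
         * when map_at_zero is off. Either way the kernel said no. */
        if (err) *err = errno;
        return 0;
    }

    if (p != (void *)0) {
        /* Should not happen with MAP_FIXED; clean up and flag it. */
        munmap(p, (size_t)pagesize);
        if (err) *err = 0;
        return -1;
    }

    /* We own page zero. Do not touch it (compilers treat a dereference
     * of a known-null pointer as undefined); just release it. */
    munmap(p, (size_t)pagesize);
    if (err) *err = 0;
    return 1;
}

int main(void)
{
    int err = 0;
    int r = probe_null_page_mapping(&err);

    if (r == 0)
        printf("OK: kernel refused to map page 0 (%s)\n", strerror(err));
    else if (r == 1)
        printf("WARNING: page 0 is mappable by uid %ld; "
               "kernel NULL derefs are exploitable here\n", (long)getuid());
    else
        printf("unexpected result (%s)\n", strerror(err));

    return r == 0 ? 0 : 2;
}
```

Run it as an ordinary user on the host in question; a refusal is the result the errata workaround is meant to guarantee, and a successful mapping means a kernel NULL pointer bug on that box is worth treating as a privilege escalation rather than a denial of service.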