From: Dag-Erling Smørgrav
Date: Tue, 18 Jun 2013 07:17:54 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r41945 - in head/share: security/advisories security/patches/SA-13:06 xml

Author: des
Date: Tue Jun 18 07:17:53 2013
New Revision: 41945
URL: http://svnweb.freebsd.org/changeset/doc/41945

Log:
  Fix a bug that allowed a tracing process (e.g. gdb) to write to a memory-mapped file in the traced process's address space even if neither the traced process nor the tracing process had write access to that file.

  Security: CVE-2013-2171
  Security: FreeBSD-SA-13:06.mmap
  Approved by: so

Added:
  head/share/security/advisories/FreeBSD-SA-13:06.mmap.asc (contents, props changed)
  head/share/security/patches/SA-13:06/
  head/share/security/patches/SA-13:06/mmap.patch (contents, props changed)
  head/share/security/patches/SA-13:06/mmap.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-13:06.mmap.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:06.mmap.asc Tue Jun 18 07:17:53 2013 (r41945) 
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:06.mmap Security Advisory + The FreeBSD Project + +Topic: Privilege escalation via mmap + +Category: core +Module: kernel +Announced: 2013-06-18 +Credits: Konstantin Belousov + Alan Cox +Affects: FreeBSD 9.0 and later +Corrected: 2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE) + 2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4) +CVE Name: CVE-2013-2171 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The FreeBSD virtual memory system allows files to be memory-mapped. +All or parts of a file can be made available to a process via its +address space. The process can then access the file using memory +operations rather than filesystem I/O calls. + +The ptrace(2) system call provides tracing and debugging facilities by +allowing one process (the tracing process) to watch and control +another (the traced process). + +II. Problem Description + +Due to insufficient permission checks in the virtual memory system, a +tracing process (such as a debugger) may be able to modify portions of +the traced process's address space to which the traced process itself +does not have write access. + +III. Impact + +This error can be exploited to allow unauthorized modification of an +arbitrary file to which the attacker has read access, but not write +access. Depending on the file and the nature of the modifications, +this can result in privilege escalation. + +To exploit this vulnerability, an attacker must be able to run +arbitrary code with user privileges on the target system. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch +# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc +# gpg --verify mmap.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r251902 +releng/9.1/ r251903 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing XXXXXX with the revision number, on a +machine with Subversion installed: + +# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing XXXXXX with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.13 (FreeBSD) + +iEYEARECAAYFAlHAB+YACgkQFdaIBMps37IjFACdFSoiYO1YkcPunLh7Zw4TC6MF +X9MAnjjVWB2uEl60Rl3K4WOuJ71AVNlP +=8309 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-13:06/mmap.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:06/mmap.patch Tue Jun 18 07:17:53 2013 (r41945) @@ -0,0 +1,17 @@ +Index: sys/vm/vm_map.c +=================================================================== +--- sys/vm/vm_map.c (revision 251636) ++++ sys/vm/vm_map.c (working copy) +@@ -3761,6 +3761,12 @@ RetryLookup:; + vm_map_unlock_read(map); + return (KERN_PROTECTION_FAILURE); + } ++ if ((fault_typea & VM_PROT_COPY) != 0 && ++ (entry->max_protection & VM_PROT_WRITE) == 0 && ++ (entry->eflags & MAP_ENTRY_COW) == 0) { ++ vm_map_unlock_read(map); ++ return (KERN_PROTECTION_FAILURE); ++ } + + /* + * If this page is not pageable, we have to get it for all possible Added: head/share/security/patches/SA-13:06/mmap.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:06/mmap.patch.asc Tue Jun 18 07:17:53 2013 (r41945) @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.13 (FreeBSD) + +iEYEABECAAYFAlG+/IYACgkQFdaIBMps37K+zQCfVnC++mrjdv3iPK2vxvAOlm5Y +eZ0An0JgUgEMViKydscbB4KPAD8y4X/h +=NzJg +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Jun 18 02:08:55 2013 (r41944) +++ head/share/xml/advisories.xml Tue Jun 18 07:17:53 2013 (r41945) @@ -8,6 +8,19 @@ 2013 + 6 + + + 18 + + + FreeBSD-SA-13:06.mmap + + + + + + 4
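
Review bot: In FreeBSD-SA-13:06.mmap.asc the header says "Affects: FreeBSD 9.0 and later", but the Corrected field and section VI list only stable/9 (r251902) and releng/9.1 (r251903, 9.1-RELEASE-p4), so a reader running 9.0-RELEASE cannot tell from the advisory whether a fix exists for that release. Suggest one sentence in section V saying what 9.0 users should do. Section II would also connect better to section III if it named the memory-mapped file case the way the commit log does; "portions of the traced process's address space" alone does not explain how a file on disk ends up modified.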
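
Review bot: The six lines added to sys/vm/vm_map.c at line 3761, right after the existing KERN_PROTECTION_FAILURE return, carry no comment, and the three-part condition does not explain itself: a reader has to work out why a fault carrying VM_PROT_COPY is refused only when entry->max_protection lacks VM_PROT_WRITE and entry->eflags lacks MAP_ENTRY_COW. Suggest a short comment above the new "if" stating which case is being rejected and referencing the advisory, so the check is not later simplified or removed as redundant with the protection test just before it.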
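
Review bot: mmap.patch.asc is the only integrity check on a patch that step 2a of the advisory fetches over plain http, yet nothing in the advisory or in this hunk identifies the signing key or its fingerprint. Running "gpg --verify mmap.patch.asc" proves little unless the key was obtained and checked independently of the download. Suggest the advisory text name the key fingerprint or say where the signing key is published.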