Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Oct 2016 06:27:49 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Message-ID:  <20161026042748.GG60006@garage.freebsd.pl>
In-Reply-To: <20161025173641.BCDFD1911@freefall.freebsd.org>
References:  <20161025173641.BCDFD1911@freefall.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help

--orO6xySwJI16pVnm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi guys,

since when do we publish security advisories for local DoSes?

On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>=20
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
> FreeBSD-SA-16:15.sysarch [REVISED]                          Security Advi=
sory
>                                                           The FreeBSD Pro=
ject
>=20
> Topic:          Incorrect argument validation in sysarch(2)
>=20
> Category:       core
> Module:         kernel
> Announced:      2016-10-25
> Credits:        Core Security, ahaha from Chaitin Tech
> Affects:        All supported versions of FreeBSD.
> Corrected:      2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE)
>                 2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)
>                 2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE)
>                 2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11)
>                 2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24)
>                 2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41)
>                 2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE)
>                 2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49)
> CVE Name:       CVE-2016-1885
>=20
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>=20
> 0.   Revision history
>=20
> v1.0  2016-03-16 Initial release.
> v1.1  2016-10-25 Revised patch to address a problem pointed out by
>                  ahaha from Chaitin Tech.
>=20
> I.   Background
>=20
> The IA-32 architecture allows programs to define segments, which provides
> based and size-limited view into the program address space.  The
> memory-resident processor structure, called Local Descriptor Table,
> usually abbreviated LDT, contains definitions of the segments.  Since
> incorrect or malicious segments would breach system integrity, operating
> systems do not provide processes direct access to the LDT, instead
> they provide system calls which allow controlled installation and removal=
=20
> of segments.
>=20
> II.  Problem Description
>=20
> A special combination of sysarch(2) arguments, specify a request to
> uninstall a set of descriptors from the LDT.  The start descriptor
> is cleared and the number of descriptors are provided.  Due to lack
> of sufficient bounds checking during argument validity verification,
> unbound zero'ing of the process LDT and adjacent memory can be initiated
> from usermode.
>=20
> III. Impact
>=20
> This vulnerability could cause the kernel to panic. In addition it is
> possible to perform a local Denial of Service against the system by
> unprivileged processes.=20
>=20
> IV.  Workaround
>=20
> No workaround is available, but only the amd64 architecture is affected.
>=20
> V.   Solution
>=20
> Perform one of the following:
>=20
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>=20
> Reboot is required.
>=20
> 2) To update your vulnerable system via a binary patch:
>=20
> Systems running a RELEASE version of FreeBSD platforms can be updated
> via the freebsd-update(8) utility:
>=20
> # freebsd-update fetch
> # freebsd-update install
>=20
> Reboot is required.
>=20
> 3) To update your vulnerable system via a source code patch:
>=20
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>=20
> [*** v1.1 NOTE ***] If your sources are not yet patched using the initial=
ly
> published advisory patches, then you need to apply both sysarch.patch and
> sysarch-01.patch.  If your sources are already updated, or patched with
> patches from the initial advisory, then you need to apply sysarch-01.patch
> only.
>=20
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>=20
> [ FreeBSD system not patched with original SA-16:15 patch]
> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
> # gpg --verify sysarch.patch.asc
>=20
> [ FreeBSD system that has been patched with original SA-16:15 patch]
> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch
> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch.asc
> # gpg --verify sysarch-01.patch.asc
>=20
> b) Apply the patch(es).  Execute the following commands as root for
> every patch file downloaded:
>=20
> # cd /usr/src
> # patch < /path/to/patch
>=20
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
> system.
>=20
> VI.  Correction details
>=20
> The following list contains the correction revision numbers for each
> affected branch.
>=20
> Branch/path                                                      Revision
> - -----------------------------------------------------------------------=
--
> stable/9/                                                         r307941
> releng/9.3/                                                       r307931
> stable/10/                                                        r307940
> releng/10.1/                                                      r307932
> releng/10.2/                                                      r307933
> releng/10.3/                                                      r307934
> stable/11/                                                        r307938
> releng/11.0/                                                      r307935
> - -----------------------------------------------------------------------=
--
>=20
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>=20
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>=20
> Or visit the following URL, replacing NNNNNN with the revision number:
>=20
> <URL:https://svnweb.freebsd.org/base?view=3Drevision&revision=3DNNNNNN>;
>=20
> VII. References
>=20
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-1885>;
>=20
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.asc>;
> -----BEGIN PGP SIGNATURE-----
>=20
> iQIcBAEBCgAGBQJYD5VZAAoJEO1n7NZdz2rnYT4QAMmnfUBnxiNHfzaEDMe2oU+H
> WIVFzFtU5FTAm3wJ3JORU1euqhusDoB7D8nova30alM2bHHd86epBGgym1Q+hxR2
> qTI+d8QimvQUWelz7DWPh0h3ZNlVfDxY8vKlr5SS0W/HOMjbG/O6U1AIw5p7cPaa
> LkDpqo2IN8xBL6tJFUKNEQS/GzuU2HtfKhQK0/ojT4DW61AkOZn4SZzzYBz3iO4p
> a8Otv4+aHzyNjTZRm/33SrFzdG0RZWyT/WXsEHlv5NiXVMPML+oY918jppqClkoO
> pwjcneWTqgYrE4vvVOADKOlWyNa4jFmPQSW7MmNEaF4RMd8TMcE/cBTKOi41YuOp
> la1JzvtWUnou7oQqy/xKr0S/Wa2x6ZhR4vBg28fkfrQhn55N+qqDicQ3F907dOm5
> A0ERHKgImlWSGM+Sf2CJyrUJUNUye0bVQMhrM4e3psZ7Jr20IXjnhppr1mufCjTH
> H+aEHv43o/1HuoltnjstiBZ/CZpFdIXkBpsHtzteZR2y+pmZFA9bB4uZeeML0mj3
> /cxj8rgPRmcjk6nSsnLWhq2YEFAZBC/lv43wqSrXE9+BBpSh6zM5NCTPb50/dBqf
> V553uuGEvJlHmOAoveXxYyxKcGpgZAcgJjWpAkCpoVxgdrbtLcPY5Z+8cy8fMO3G
> YHOkZydbLPaXOXimZfut
> =3DNWuL
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscr=
ibe@freebsd.org"

--=20
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com

--orO6xySwJI16pVnm
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJYEDDEAAoJEJVLhSuxKFt180kQAMv8ah16hXs8DTmZVoSaYBaP
rSrIeCgieUcdYYuj5j/fCU3KYbChOF5o5lvaYRwxByDqmdst/xJjMUtRug1SQlsP
y9IJ55jD4dH9zisWWRbOM+WWgb2dL9M7d5QO3ZyRhe5FbeHp7mViJsgveDd0ZFPy
iG3sl/UXe3Vp16CSkLKBPO0HHcPy9Hz1P2jwsT5yaD1cYgofy41wyIe2U9PYlkB2
qz46DzERqft04P745KGWbj5A8vi38nnYyDmicSaf7ILv39dXlGTE54MW09bj1/sM
fI076sm22/P30u1NEzWjh2vIzRFsaKByAH+lG/cjn0H3wleCrVF+d5Zl0j0V3Ysc
F0QLwtJDJF/xuESKROqNVzhNdNweulRw9XJmgcz0WjqBqztJB67YauHZtyDxbgLh
jCt8Nee8ieEporWYQcHRPKRv5OoFtsGNZnd78SMcxBFOSSR10xgiKqvEadZWo5S0
wkTHE974KTprD8PhYZVe3Wy6ZHVO0LhWIh2lOLxKbQoLAooOBENpNeblQloaKTFJ
RIPrDRAjD3rL7IeVlEUG65eOe07DMPVmhestsUmYxKtqeOoR1PionH1PB1UqW8w3
zPP6wgy1NwJA1mExtvhdxHneRYzsoqma3yhYqtcGS9PZihEtnhdssAr1C5DQl2xj
hI+G0I+NhRlawKXL8GDm
=IQv9
-----END PGP SIGNATURE-----

--orO6xySwJI16pVnm--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20161026042748.GG60006>