From owner-freebsd-security@freebsd.org Thu May 27 17:35:58 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C6445641A83 for ; Thu, 27 May 2021 17:35:58 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FrZjT37h5z4bNX for ; Thu, 27 May 2021 17:35:56 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-pj1-x1036.google.com with SMTP id v13-20020a17090abb8db029015f9f7d7290so5814299pjr.0 for ; Thu, 27 May 2021 10:35:56 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=XUhP/9G1VxurnD73FjAFex630mvXWH1H/OQmgqSQ6X4=; b=NuZmDgjoSpDmBDJenW6kcp8IZFJyuaH4c3m1ZwFsoy2r44+vxCvGQc9agnYhE1H03v 7WIoAMDKYf9pdUyjKPkm8ThSDGuy94mD1UVM7J7ySy0lVesvm8wEK9Y8yQgwUSqXwD3o TIt66p+4fy0yiwoPSiTqxpvo61S74V4bYOfQj3nRK1nqnDZBDAyN3eL+KI0KuWM2sAf2 sPT2cMX5BDGyxR8j+/3/8ka1pBwW5Y/eaQAx272sT1UFjhfh5p4bKYONBAKkn19h+7UP Zo9OmkkDYdvfutYJbFnjGx9H6DdNcDpEvZ5HR8c+Of8VdrTlHOml0+H/rnsoaM2BViJx fY/g== X-Gm-Message-State: AOAM531ocxjreyO6iggoZLhjNyaFviUn71sCjz0VpwDl+RFaEbsGmt52 N5DcvFr+eAnsE3RVPPLw568frVOVf7xL X-Google-Smtp-Source: ABdhPJzw/sem4pQeWm/ryBCag8yTRB6fZ4GTVhEhjwMY6cdyS5H0yRhf26QoSfYn4ZTL/e9G/I6Jhw== X-Received: by 2002:a17:90b:1003:: with SMTP id gm3mr4985198pjb.126.1622136955372; Thu, 27 May 2021 10:35:55 -0700 (PDT) Received: from smtpclient.apple (2603-8001-5e40-d300-1ddd-d3cc-4ff3-3377.res6.spectrum.com. [2603:8001:5e40:d300:1ddd:d3cc:4ff3:3377]) by smtp.gmail.com with ESMTPSA id b1sm2809481pgf.84.2021.05.27.10.35.54 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 27 May 2021 10:35:54 -0700 (PDT) From: Gordon Tetlow Content-Type: multipart/signed; boundary="Apple-Mail=_EDF37FD6-82EF-4DF7-A339-136F68EE2A75"; protocol="application/pgp-signature"; micalg=pgp-sha512 Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-21:11.smap Date: Thu, 27 May 2021 10:35:52 -0700 References: <20210527005453.A12B017B88@freefall.freebsd.org> To: freebsd-security In-Reply-To: <20210527005453.A12B017B88@freefall.freebsd.org> Message-Id: <0FAFDFB3-84AA-4E30-82F5-61236EC0B3F7@tetlows.org> X-Mailer: Apple Mail (2.3654.100.0.2.22) X-Rspamd-Queue-Id: 4FrZjT37h5z4bNX X-Spamd-Bar: ----- X-Spamd-Result: default: False [-5.60 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; HAS_ATTACHMENT(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[tetlows.org:+]; DMARC_POLICY_ALLOW(-0.50)[tetlows.org,quarantine]; NEURAL_HAM_SHORT(-1.00)[-0.999]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RBL_DBL_DONT_QUERY_IPS(0.00)[2607:f8b0:4864:20::1036:from]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[tetlows.org:s=google]; FREEFALL_USER(0.00)[gordon]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[2607:f8b0:4864:20::1036:from:127.0.2.255]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::1036:from]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 May 2021 17:35:58 -0000 --Apple-Mail=_EDF37FD6-82EF-4DF7-A339-136F68EE2A75 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Since I had a question on this in another forum, I figure I'll copy it = to the public list as well. The credit line below was specifically = requested by the reporter. It wasn't a typo or a lack of proof-reading = on our part. Best, Gordon Hat: security-officer > On May 26, 2021, at 5:54 PM, FreeBSD Security Advisories = wrote: >=20 > Signed PGP part > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D > FreeBSD-SA-21:11.smap Security = Advisory > The FreeBSD = Project >=20 > Topic: SMAP bypass >=20 > Category: core > Module: amd64 > Announced: 2021-05-26 > Credits: I lost my dog if you see him please contact me at = @m00nbsd. > Affects: FreeBSD 12.2 and later. > Corrected: 2021-05-26 19:18:54 UTC (stable/13, 13.0-STABLE) > 2021-05-26 19:31:50 UTC (releng/13.0, 13.0-RELEASE-p1) > 2021-05-26 19:30:31 UTC (stable/12, 12.2-STABLE) > 2021-05-26 20:40:20 UTC (releng/12.2, 12.2-RELEASE-p7) > CVE Name: CVE-2021-29628 >=20 > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . >=20 > I. Background >=20 > Supervisor Mode Access Prevention (SMAP) is a security feature > implemented by contemporary Intel and AMD CPUs. When enabled, it > ensures that accesses to user memory by the kernel trigger a page = fault > and a subsequent kernel panic. This helps mitigate the security > implications of kernel bugs that permit an attacker to read from or > write to user memory from the kernel. >=20 > The kernel may legitimately need to copy data between userspace and = the > kernel. To enable this, SMAP is temporarily disabled in the = subroutines > which handle this copying, so only small, specially designated = portions > of the kernel should be executed with SMAP disabled. >=20 > II. Problem Description >=20 > The FreeBSD kernel enables SMAP during boot when the CPU reports that > the SMAP capability is present. Subroutines such as copyin() and > copyout() are responsible for disabling SMAP around the sections of = code > that perform user memory accesses. >=20 > Such subroutines must handle page faults triggered when user memory is > not mapped. The kernel's page fault handler checks the validity of = the > fault, and if it is indeed valid it will map a page and resume = copying. > If the fault is invalid, the fault handler returns control to a > trampoline which aborts the operation and causes an error to be > returned. In this second scenario, a bug in the implementation of = SMAP > support meant that SMAP would remain disabled until the thread returns > to user mode. >=20 > III. Impact >=20 > This bug may be used to bypass the protections provided by SMAP for = the > duration of a system call. It could thus be combined with other = kernel > bugs to craft an exploit. >=20 > IV. Workaround >=20 > No workaround is available. On hardware that does not implement SMAP, > the bug is inconsequential as the mitigation does not exist in the = first > place. >=20 > V. Solution >=20 > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date > and reboot. >=20 > Perform one of the following: >=20 > 1) To update your vulnerable system via a binary patch: >=20 > Systems running a RELEASE version of FreeBSD on the amd64, i386, or > (on FreeBSD 13 and later) arm64 platforms can be updated via the > freebsd-update(8) utility: >=20 > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" >=20 > 2) To update your vulnerable system via a source code patch: >=20 > The following patches have been verified to apply to the applicable > FreeBSD release branches. >=20 > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. >=20 > # fetch https://security.FreeBSD.org/patches/SA-21:11/smap.patch > # fetch https://security.FreeBSD.org/patches/SA-21:11/smap.patch.asc > # gpg --verify smap.patch.asc >=20 > b) Apply the patch. Execute the following commands as root: >=20 > # cd /usr/src > # patch < /path/to/patch >=20 > c) Recompile your kernel as described in > and reboot = the > system. >=20 > VI. Correction details >=20 > This issue is corrected by the corresponding Git commit hash or = Subversion > revision number in the following stable and release branches: >=20 > Branch/path Hash = Revision > = ------------------------------------------------------------------------- > stable/13/ 876ffe28796c = stable/13-n245764 > releng/13.0/ f32130a1955e = releng/13.0-n244739 > stable/12/ = r369857 > releng/12.2/ = r369863 > = ------------------------------------------------------------------------- >=20 > For FreeBSD 13 and later: >=20 > Run the following command to see which files were modified by a > particular commit: >=20 > # git show --stat >=20 > Or visit the following URL, replacing NNNNNN with the hash: >=20 > >=20 > To determine the commit count in a working tree (for comparison = against > nNNNNNN in the table above), run: >=20 > # git rev-list --count --first-parent HEAD >=20 > For FreeBSD 12 and earlier: >=20 > Run the following command to see which files were modified by a = particular > revision, replacing NNNNNN with the revision number: >=20 > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >=20 > Or visit the following URL, replacing NNNNNN with the revision number: >=20 > >=20 > VII. References >=20 > >=20 > The latest revision of this advisory is available at > = >=20 >=20 --Apple-Mail=_EDF37FD6-82EF-4DF7-A339-136F68EE2A75 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEuyjUCzYO7pNq7RVv5fe8y6O93fgFAmCv2HgACgkQ5fe8y6O9 3fjdowf+LJxpbSt2x2VHTltKQubULy8IReWQCggJh5sfr1BwvbyXgdJTx0OGWjDc xzXvtUzzwL7Q1LVj/rFpMpLTSITakPZq25wgkWZaL3P3k/Wksox8/1dT87yCJ4sG uEE3Ta1PvE08EHhQdPL0qRd1IcJXj9sBAnaH0W33Ngy5wMsY71s8dIdrezT2ouMK IUNgu+r76RW8uPa9eKP6gm2CPGLhz22TN04Lu5Vsf+t4NvHzE7XgRs0wUqFV4XDB n3uAMWNv57yUAZLRQB794rI4GwjCcbCHEej1xJIACNz1LD/cs2qz0HS1Rp1BOJz5 H7Y8qOpwDxwPnt0snSjTQQqAAf/Ebg== =FaTD -----END PGP SIGNATURE----- --Apple-Mail=_EDF37FD6-82EF-4DF7-A339-136F68EE2A75--