Date:      Tue, 20 Aug 2019 18:45:05 +0000 (UTC)
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r53312 - in head/share: security/advisories security/patches/EN-19:16 security/patches/EN-19:17 security/patches/SA-19:22 security/patches/SA-19:23 security/patches/SA-19:24 xml
Message-ID:  <201908201845.x7KIj5em097945@repo.freebsd.org>

Author: gordon (src committer)
Date: Tue Aug 20 18:45:04 2019
New Revision: 53312
URL: https://svnweb.freebsd.org/changeset/doc/53312

Log:
  Add EN-19:16, EN-19:17, and SA-19:22 to SA-19:24.
  
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-EN-19:16.bhyve.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-19:17.ipfw.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-19:22.mbuf.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-19:23.midi.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc   (contents, props changed)
  head/share/security/patches/EN-19:16/
  head/share/security/patches/EN-19:16/bhyve.patch   (contents, props changed)
  head/share/security/patches/EN-19:16/bhyve.patch.asc   (contents, props changed)
  head/share/security/patches/EN-19:17/
  head/share/security/patches/EN-19:17/ipfw.patch   (contents, props changed)
  head/share/security/patches/EN-19:17/ipfw.patch.asc   (contents, props changed)
  head/share/security/patches/SA-19:22/
  head/share/security/patches/SA-19:22/mbuf.patch   (contents, props changed)
  head/share/security/patches/SA-19:22/mbuf.patch.asc   (contents, props changed)
  head/share/security/patches/SA-19:23/
  head/share/security/patches/SA-19:23/midi.patch   (contents, props changed)
  head/share/security/patches/SA-19:23/midi.patch.asc   (contents, props changed)
  head/share/security/patches/SA-19:24/
  head/share/security/patches/SA-19:24/mqueuefs.patch   (contents, props changed)
  head/share/security/patches/SA-19:24/mqueuefs.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-19:16.bhyve.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-19:16.bhyve.asc	Tue Aug 20 18:45:04 2019	(r53312)
@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:16.bhyve                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Bhyve instruction emulation improvements (opcode 03H and F7H)
+
+Category:       core
+Module:         bhyve
+Announced:      2019-08-20
+Credits:        John Baldwin, Jason Tubnor
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-07-07 17:30:23 UTC (stable/12, 12.0-STABLE)
+                2019-08-20 17:45:44 UTC (releng/12.0, 12.0-RELEASE-p10)
+                2019-07-07 17:31:13 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:45:44 UTC (releng/11.3, 11.3-RELEASE-p3)
+
+Note: This errata notice does not update FreeBSD 11.2.  FreeBSD 11.2
+users affected by this update should upgrade to FreeBSD 11.3.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines, using hardware virtualization in Intel and AMD
+CPUs.  Some instructions are not handled by hardware virtualization and must
+be emulated by the hypervisor.
+
+II.  Problem Description
+
+Some newer software uses instructions previously not handled by bhyve's
+instruction emulation.  This errata notice adds emulation for two instruction
+opcodes, to enable flash variable storage in OVMF and to support guest
+operating systems compiled with Clang 8.0.0 that use the TEST instruction
+against local APIC registers (such as OpenBSD 6.6).
+
+III. Impact
+
+Guest firmware or operating systems using unsupported instructions caused
+bhyve to exit with a "Failed to emulate instruction" error.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.3, FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/EN-19:16/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:16/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Start the applicable virtual machines.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r349808
+releng/12.0/                                                      r351256
+stable/11/                                                        r349809
+releng/11.3/                                                      r351256
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238794>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:16.bhyve.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=CkK1
+-----END PGP SIGNATURE-----
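
Review bot: Section V, step 2c only tells the reader to rebuild with buildworld and installworld, but the patch shipped for this notice (EN-19:16/bhyve.patch in this same commit) modifies sys/amd64/vmm/vmm_instruction_emul.c, and section II mentions emulation of accesses to local APIC registers; the notice should state whether a kernel rebuild and reboot (or module reload) is also required. The closing line "Start the applicable virtual machines." has no matching earlier step that tells the reader to stop guests, and the binary-update path in step 1 has no restart step at all, so it is unclear when the fix takes effect. The "Perform one of the following:" lead-in used in EN-19:17 and SA-19:24 is also missing before step 1.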

Added: head/share/security/advisories/FreeBSD-EN-19:17.ipfw.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-19:17.ipfw.asc	Tue Aug 20 18:45:04 2019	(r53312)
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:17.ipfw                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          ipfw(8) jail keyword broken prior to jail startup
+
+Category:       core
+Module:         ipfw
+Announced:      2019-08-20
+Affects:        FreeBSD 11.3
+Corrected:      2019-08-15 17:40:48 UTC (stable/12, 12.0-STABLE)
+                2019-08-15 17:40:48 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:46:40 UTC (releng/11.3, 11.3-RELEASE-p3)
+
+Note that this issue was introduced after the FreeBSD 11.2 and 12.0 releases.
+FreeBSD 11.3 is the only affected release.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ipfw(8) utility configures rules for the ipfw(4) firewall.  The jail
+keyword applies the rule for packets pertaining to the given jail, named by
+the argument.
+
+II.  Problem Description
+
+The jail argument no longer allowed jids to be specified before a jail was
+created.  Attempts to use the jail keyword in this scenario would result in
+"jail <jid> not found" errors, when previously these rules would apply to
+any jail with the given jid that was subsequently started.
+
+III. Impact
+
+The ipfw(4) firewall will reject rules that attempt to use the jail
+keyword prior to jail startup, and these rules will not be applied.
+
+IV.  Workaround
+
+The system administrator can apply jail-based firewall rules after jail
+creation.
+
+Systems that do not use ipfw(4) are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-19:17/ipfw.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:17/ipfw.patch.asc
+# gpg --verify ipfw.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+Restart jails to apply firewall rules, if required.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r351094
+stable/11/                                                        r351094
+releng/11.3/                                                      r351258
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:17.ipfw.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=8VPw
+-----END PGP SIGNATURE-----
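
Review bot: Section III attributes the rejection to "the ipfw(4) firewall", but section I describes ipfw(8) as the utility that configures rules and the accompanying ipfw.patch changes sbin/ipfw/ipfw2.c, so the failure is in the utility's argument handling; suggest "The ipfw(8) utility will reject rules ...". In section VI, stable/12 and stable/11 both list r351094 with identical correction timestamps, whereas the other advisories in this commit list a distinct revision per stable branch, so please confirm that this is intended. Section VII carries no reference other than the advisory's own URL; a link to the originating bug report or commit would help readers.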

Added: head/share/security/advisories/FreeBSD-SA-19:22.mbuf.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-19:22.mbuf.asc	Tue Aug 20 18:45:04 2019	(r53312)
@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:22.mbuf                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          IPv6 remote Denial-of-Service
+
+Category:       kernel
+Module:         net
+Announced:      2019-08-20
+Credits:        Clement Lecigne
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE)
+                2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10)
+                2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3)
+                2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14)
+CVE Name:       CVE-2019-5611
+
+For general information regarding FreeBSD Security Advisories, including
+descriptions of the fields above, security branches, and the following
+sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+mbufs are a unit of memory management mostly used in the kernel for network
+packets and socket buffers.  m_pulldown(9) is a function to arrange the data
+in a chain of mbufs.
+
+II.  Problem Description
+
+Due do a missing check in the code of m_pulldown(9) data returned may not be
+contiguous as requested by the caller.
+
+III. Impact
+
+Extra checks in the IPv6 code catch the error condition and trigger a kernel
+panic leading to a remote DoS (denial-of-service) attack with certain
+Ethernet interfaces.  At this point it is unknown if any other than the IPv6
+code paths can trigger a similar condition.
+
+IV.  Workaround
+
+For the currently known attack vector systems with IPv6 not enabled are not
+vulnerable.
+
+On systems with IPv6 active, IPv6 fragmentation may be disabled, or
+a firewall can be used to filter out packets with certain or excessive
+amounts of extension headers in a first fragment.  These rules may be
+dependent on the operational needs of each site.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc
+# gpg --verify mbuf.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r350828
+releng/12.0/                                                      r351259
+stable/11/                                                        r350829
+releng/11.3/                                                      r351259
+releng/11.2/                                                      r351259
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238787>;
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5611>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:22.mbuf.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=ip7/
+-----END PGP SIGNATURE-----
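
Review bot: Section IV says IPv6 fragmentation "may be disabled" and that a firewall can filter first fragments with "certain or excessive amounts of extension headers", but it gives no setting, rule or threshold, so an operator cannot act on the workaround as written; add a concrete example or a pointer to where one is documented. Section II opens with the typo "Due do" (should be "Due to") and needs a comma after "m_pulldown(9)". Section III limits the panic to "certain Ethernet interfaces" without naming them, which makes exposure hard to assess.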

Added: head/share/security/advisories/FreeBSD-SA-19:23.midi.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-19:23.midi.asc	Tue Aug 20 18:45:04 2019	(r53312)
@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:23.midi                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          kernel memory disclosure from /dev/midistat
+
+Category:       core
+Module:         sound
+Announced:      2019-08-20
+Credits:        Peter Holm, Mark Johnston
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
+                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
+                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
+                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
+CVE Name:       CVE-2019-5612
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+/dev/midistat is a device file which can be read to obtain a
+human-readable list of the available MIDI-capable devices in the system.
+
+II.  Problem Description
+
+The kernel driver for /dev/midistat implements a handler for read(2).
+This handler is not thread-safe, and a multi-threaded program can
+exploit races in the handler to cause it to copy out kernel memory
+outside the boundaries of midistat's data buffer.
+
+III. Impact
+
+The races allow a program to read kernel memory within a 4GB window
+centered at midistat's data buffer.  The buffer is allocated each
+time the device is opened, so an attacker is not limited to a static
+4GB region of memory.
+
+On 32-bit platforms, an attempt to trigger the race may cause a page
+fault in kernel mode, leading to a panic.
+
+IV.  Workaround
+
+No workaround is available.  Custom kernels without "device sound"
+are not vulnerable.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
+# gpg --verify midi.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r351264
+releng/12.0/                                                      r351260
+stable/11/                                                        r351265
+releng/11.3/                                                      r351260
+releng/11.2/                                                      r351260
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=I8mB
+-----END PGP SIGNATURE-----
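
Review bot: Section VII still contains the template placeholder line "<other info on vulnerability>"; remove it or replace it with an actual reference before the signed text is published. Section IV states "No workaround is available." and then immediately describes one (a custom kernel without "device sound"); reword so the two sentences do not contradict each other, and say whether restricting access to /dev/midistat mitigates the issue, since section II describes the attack as going through read(2) on that device.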

Added: head/share/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc	Tue Aug 20 18:45:04 2019	(r53312)
@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:24.mqueuefs                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Reference count overflow in mqueue filesystem 32-bit compat
+
+Category:       core
+Module:         kernel
+Announced:      2019-08-20
+Credits:        Karsten König, Secfault Security
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-08-20 17:45:22 UTC (stable/12, 12.0-STABLE)
+                2019-08-20 17:51:32 UTC (releng/12.0, 12.0-RELEASE-p10)
+                2019-08-20 17:46:22 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:51:32 UTC (releng/11.3, 11.3-RELEASE-p3)
+                2019-08-20 17:51:32 UTC (releng/11.2, 11.2-RELEASE-p14)
+CVE Name:       CVE-2019-5603
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+Note: This issue is related to the previously disclosed SA-19:15.mqueuefs.
+It is another instance of the same bug and as such shares the same CVE.
+
+I.   Background
+
+mqueuefs(5) implements POSIX message queue file system which can be used
+by processes as a communication mechanism.
+
+'struct file' represents open files, directories, sockets and other
+entities.
+
+II.  Problem Description
+
+System calls operating on file descriptors obtain a reference to
+relevant struct file which due to a programming error was not always put
+back, which in turn could be used to overflow the counter of affected
+struct file.
+
+III. Impact
+
+A local user can use this flaw to obtain access to files, directories,
+sockets, etc., opened by processes owned by other users.  If obtained
+struct file represents a directory from outside of user's jail, it can
+be used to access files outside of the jail.  If the user in question is
+a jailed root they can obtain root privileges on the host system.
+
+IV.  Workaround
+
+No workaround is available.  Note that the mqueuefs file system is not
+enabled by default.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch.asc
+# gpg --verify mqueuefs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r351255
+releng/12.0/                                                      r351261
+stable/11/                                                        r351257
+releng/11.3/                                                      r351261
+releng/11.2/                                                      r351261
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:24.mqueuefs.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=1dwe
+-----END PGP SIGNATURE-----
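
Review bot: Section VII still contains the template placeholder "<other info on vulnerability>"; replace it with a link to SA-19:15.mqueuefs, which the note near the top names as the related advisory, or drop the line. The Topic mentions "32-bit compat", but sections II and III never mention the 32-bit compatibility path, so readers cannot tell whether kernels built without it are affected. Section IV notes that mqueuefs is not enabled by default; a one-line way to check whether it is loaded would make that statement actionable.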

Added: head/share/security/patches/EN-19:16/bhyve.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-19:16/bhyve.patch	Tue Aug 20 18:45:04 2019	(r53312)
@@ -0,0 +1,239 @@
+--- sys/amd64/vmm/vmm_instruction_emul.c.orig
++++ sys/amd64/vmm/vmm_instruction_emul.c
+@@ -77,6 +77,8 @@
+ 	VIE_OP_TYPE_STOS,
+ 	VIE_OP_TYPE_BITTEST,
+ 	VIE_OP_TYPE_TWOB_GRP15,
++	VIE_OP_TYPE_ADD,
++	VIE_OP_TYPE_TEST,
+ 	VIE_OP_TYPE_LAST
+ };
+ 
+@@ -112,6 +114,10 @@
+ };
+ 
+ static const struct vie_op one_byte_opcodes[256] = {
++	[0x03] = {
++		.op_byte = 0x03,
++		.op_type = VIE_OP_TYPE_ADD,
++	},
+ 	[0x0F] = {
+ 		.op_byte = 0x0F,
+ 		.op_type = VIE_OP_TYPE_TWO_BYTE
+@@ -216,6 +222,12 @@
+ 		.op_byte = 0x8F,
+ 		.op_type = VIE_OP_TYPE_POP,
+ 	},
++	[0xF7] = {
++		/* XXX Group 3 extended opcode - not just TEST */
++		.op_byte = 0xF7,
++		.op_type = VIE_OP_TYPE_TEST,
++		.op_flags = VIE_OP_F_IMM,
++	},
+ 	[0xFF] = {
+ 		/* XXX Group 5 extended opcode - not just PUSH */
+ 		.op_byte = 0xFF,
+@@ -410,6 +422,76 @@
+ 		return (getcc64(x, y));
+ }
+ 
++/*
++ * Macro creation of functions getaddflags{8,16,32,64}
++ */
++#define	GETADDFLAGS(sz)							\
++static u_long								\
++getaddflags##sz(uint##sz##_t x, uint##sz##_t y)				\
++{									\
++	u_long rflags;							\
++									\
++	__asm __volatile("add %2,%1; pushfq; popq %0" :			\
++	    "=r" (rflags), "+r" (x) : "m" (y));				\
++	return (rflags);						\
++} struct __hack
++
++GETADDFLAGS(8);
++GETADDFLAGS(16);
++GETADDFLAGS(32);
++GETADDFLAGS(64);
++
++static u_long
++getaddflags(int opsize, uint64_t x, uint64_t y)
++{
++	KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
++	    ("getaddflags: invalid operand size %d", opsize));
++
++	if (opsize == 1)
++		return (getaddflags8(x, y));
++	else if (opsize == 2)
++		return (getaddflags16(x, y));
++	else if (opsize == 4)
++		return (getaddflags32(x, y));
++	else
++		return (getaddflags64(x, y));
++}
++
++/*
++ * Return the status flags that would result from doing (x & y).
++ */
++#define	GETANDFLAGS(sz)							\
++static u_long								\
++getandflags##sz(uint##sz##_t x, uint##sz##_t y)				\
++{									\
++	u_long rflags;							\
++									\
++	__asm __volatile("and %2,%1; pushfq; popq %0" :			\
++	    "=r" (rflags), "+r" (x) : "m" (y));				\
++	return (rflags);						\
++} struct __hack
++
++GETANDFLAGS(8);
++GETANDFLAGS(16);
++GETANDFLAGS(32);
++GETANDFLAGS(64);
++
++static u_long
++getandflags(int opsize, uint64_t x, uint64_t y)
++{
++	KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
++	    ("getandflags: invalid operand size %d", opsize));
++
++	if (opsize == 1)
++		return (getandflags8(x, y));
++	else if (opsize == 2)
++		return (getandflags16(x, y));
++	else if (opsize == 4)
++		return (getandflags32(x, y));
++	else
++		return (getandflags64(x, y));
++}
++
+ static int
+ emulate_mov(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
+ 	    mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
+@@ -1179,6 +1261,111 @@
+ }
+ 
+ static int
++emulate_test(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
++    mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
++{
++	int error, size;
++	uint64_t op1, rflags, rflags2;
++
++	size = vie->opsize;
++	error = EINVAL;
++
++	switch (vie->op.op_byte) {
++	case 0xF7:
++		/*
++		 * F7 /0		test r/m16, imm16
++		 * F7 /0		test r/m32, imm32
++		 * REX.W + F7 /0	test r/m64, imm32 sign-extended to 64
++		 *
++		 * Test mem (ModRM:r/m) with immediate and set status
++		 * flags according to the results.  The comparison is
++		 * performed by anding the immediate from the first
++		 * operand and then setting the status flags.
++		 */
++		if ((vie->reg & 7) != 0)
++			return (EINVAL);
++
++		error = memread(vm, vcpuid, gpa, &op1, size, arg);
++		if (error)
++			return (error);
++
++		rflags2 = getandflags(size, op1, vie->immediate);
++		break;
++	default:
++		return (EINVAL);
++	}
++	error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
++	if (error)
++		return (error);
++
++	/*
++	 * OF and CF are cleared; the SF, ZF and PF flags are set according
++	 * to the result; AF is undefined.
++	 */
++	rflags &= ~RFLAGS_STATUS_BITS;
++	rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
++
++	error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
++	return (error);
++}
++
++static int
++emulate_add(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
++	    mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
++{
++	int error, size;
++	uint64_t nval, rflags, rflags2, val1, val2;
++	enum vm_reg_name reg;
++
++	size = vie->opsize;
++	error = EINVAL;
++
++	switch (vie->op.op_byte) {
++	case 0x03:
++		/*
++		 * ADD r/m to r and store the result in r
++		 *
++		 * 03/r            ADD r16, r/m16
++		 * 03/r            ADD r32, r/m32
++		 * REX.W + 03/r    ADD r64, r/m64
++		 */
++
++		/* get the first operand */
++		reg = gpr_map[vie->reg];
++		error = vie_read_register(vm, vcpuid, reg, &val1);
++		if (error)
++			break;
++
++		/* get the second operand */
++		error = memread(vm, vcpuid, gpa, &val2, size, arg);
++		if (error)
++			break;
++
++		/* perform the operation and write the result */
++		nval = val1 + val2;
++		error = vie_update_register(vm, vcpuid, reg, nval, size);
++		break;
++	default:
++		break;
++	}
++
++	if (!error) {
++		rflags2 = getaddflags(size, val1, val2);
++		error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
++		    &rflags);
++		if (error)
++			return (error);
++
++		rflags &= ~RFLAGS_STATUS_BITS;
++		rflags |= rflags2 & RFLAGS_STATUS_BITS;
++		error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
++		    rflags, 8);
++	}
++
++	return (error);
++}
++
++static int
+ emulate_sub(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
+ 	    mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
+ {
+@@ -1543,6 +1730,14 @@
+ 		error = emulate_twob_group15(vm, vcpuid, gpa, vie,
+ 		    memread, memwrite, memarg);
+ 		break;
++	case VIE_OP_TYPE_ADD:
++		error = emulate_add(vm, vcpuid, gpa, vie, memread,
++		    memwrite, memarg);
++		break;
++	case VIE_OP_TYPE_TEST:
++		error = emulate_test(vm, vcpuid, gpa, vie,
++		    memread, memwrite, memarg);
++		break;
+ 	default:
+ 		error = EINVAL;
+ 		break;
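
Review bot: In emulate_add(), the destination register is committed with vie_update_register() inside the 0x03 case before VM_REG_GUEST_RFLAGS is read; if that later vie_read_register() call fails, the function returns an error with the guest register already modified. Reading RFLAGS before writing the result would keep the emulation all-or-nothing. In emulate_test(), the initial "error = EINVAL;" is a dead store, since every path either assigns error or returns, and the comment "anding the immediate from the first operand" should read "with the first operand". The block comment above GETADDFLAGS only says the macro creates functions; match the GETANDFLAGS comment and state what the generated functions return.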

Added: head/share/security/patches/EN-19:16/bhyve.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-19:16/bhyve.patch.asc	Tue Aug 20 18:45:04 2019	(r53312)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=Tmxy
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/EN-19:17/ipfw.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-19:17/ipfw.patch	Tue Aug 20 18:45:04 2019	(r53312)
@@ -0,0 +1,33 @@
+--- sbin/ipfw/ipfw2.c.orig
++++ sbin/ipfw/ipfw2.c
+@@ -4662,12 +4662,27 @@
+ 		case TOK_JAIL:
+ 			NEED1("jail requires argument");
+ 		    {
++			char *end;
+ 			int jid;
+ 
+ 			cmd->opcode = O_JAIL;
+-			jid = jail_getid(*av);
+-			if (jid < 0)
+-				errx(EX_DATAERR, "%s", jail_errmsg);
++			/*
++			 * If av is a number, then we'll just pass it as-is.  If
++			 * it's a name, try to resolve that to a jid.
++			 *
++			 * We save the jail_getid(3) call for a fallback because
++			 * it entails an unconditional trip to the kernel to
++			 * either validate a jid or resolve a name to a jid.
++			 * This specific token doesn't currently require a
++			 * jid to be an active jail, so we save a transition
++			 * by simply using a number that we're given.
++			 */
++			jid = strtoul(*av, &end, 10);
++			if (*end != '\0') {
++				jid = jail_getid(*av);
++				if (jid < 0)
++				    errx(EX_DATAERR, "%s", jail_errmsg);
++			}
+ 			cmd32->d[0] = (uint32_t)jid;
+ 			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
+ 			av++;
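
Review bot: The new strtoul() path in the TOK_JAIL case accepts any string that parses to its end, with no range or errno check before the result is stored in "int jid" and cast to uint32_t. An empty argument leaves *end == '\0' and yields jid 0, strtoul() accepts a leading minus sign, and an out-of-range value is truncated silently. Suggest checking end != *av, errno == ERANGE and an upper bound (or using strtonum(3)) before skipping the jail_getid() fallback. The re-indented errx() line also uses four spaces after the tabs, unlike the surrounding code.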

Added: head/share/security/patches/EN-19:17/ipfw.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-19:17/ipfw.patch.asc	Tue Aug 20 18:45:04 2019	(r53312)

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


