Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Oct 2016 08:15:05 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Xin LI <delphij@gmail.com>
Cc:        rwatson@FreeBSD.org, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]
Message-ID:  <20161026061504.GH60006@garage.freebsd.pl>
In-Reply-To: <CAGMYy3v8KxuQfou0SmUNikghH-9NWfneoMPP_15F85WkDaUhKg@mail.gmail.com>
References:  <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <CAGMYy3v8KxuQfou0SmUNikghH-9NWfneoMPP_15F85WkDaUhKg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help

--Mjqg7Yu+0hL22rav
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I'm pretty sure we didn't for unprivileged local DoS.

Robert, can you help me here? Do I recall correctly?

I remember one time when Colin did security advisory for unprivileged
local DoS and we had a discussion back then that this is dangerous
precedent, as users may start depending on it.

On Tue, Oct 25, 2016 at 10:47:44PM -0700, Xin LI wrote:
> It's unprivileged local DoS (if it's root DoS then we normally don't).
>=20
> On Tue, Oct 25, 2016 at 9:27 PM, Pawel Jakub Dawidek <pjd@freebsd.org> wr=
ote:
> > Hi guys,
> >
> > since when do we publish security advisories for local DoSes?
> >
> > On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories w=
rote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA512
> >>
> >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> >> FreeBSD-SA-16:15.sysarch [REVISED]                          Security A=
dvisory
> >>                                                           The FreeBSD =
Project
> >>
> >> Topic:          Incorrect argument validation in sysarch(2)
> >>
> >> Category:       core
> >> Module:         kernel
> >> Announced:      2016-10-25
> >> Credits:        Core Security, ahaha from Chaitin Tech
> >> Affects:        All supported versions of FreeBSD.
> >> Corrected:      2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE)
> >>                 2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)
> >>                 2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE)
> >>                 2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11)
> >>                 2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24)
> >>                 2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41)
> >>                 2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE)
> >>                 2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49)
> >> CVE Name:       CVE-2016-1885
> >>
> >> For general information regarding FreeBSD Security Advisories,
> >> including descriptions of the fields above, security branches, and the
> >> following sections, please visit <URL:https://security.FreeBSD.org/>.
> >>
> >> 0.   Revision history
> >>
> >> v1.0  2016-03-16 Initial release.
> >> v1.1  2016-10-25 Revised patch to address a problem pointed out by
> >>                  ahaha from Chaitin Tech.
> >>
> >> I.   Background
> >>
> >> The IA-32 architecture allows programs to define segments, which provi=
des
> >> based and size-limited view into the program address space.  The
> >> memory-resident processor structure, called Local Descriptor Table,
> >> usually abbreviated LDT, contains definitions of the segments.  Since
> >> incorrect or malicious segments would breach system integrity, operati=
ng
> >> systems do not provide processes direct access to the LDT, instead
> >> they provide system calls which allow controlled installation and remo=
val
> >> of segments.
> >>
> >> II.  Problem Description
> >>
> >> A special combination of sysarch(2) arguments, specify a request to
> >> uninstall a set of descriptors from the LDT.  The start descriptor
> >> is cleared and the number of descriptors are provided.  Due to lack
> >> of sufficient bounds checking during argument validity verification,
> >> unbound zero'ing of the process LDT and adjacent memory can be initiat=
ed
> >> from usermode.
> >>
> >> III. Impact
> >>
> >> This vulnerability could cause the kernel to panic. In addition it is
> >> possible to perform a local Denial of Service against the system by
> >> unprivileged processes.
> >>
> >> IV.  Workaround
> >>
> >> No workaround is available, but only the amd64 architecture is affecte=
d.
> >>
> >> V.   Solution
> >>
> >> Perform one of the following:
> >>
> >> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> >> release / security branch (releng) dated after the correction date.
> >>
> >> Reboot is required.
> >>
> >> 2) To update your vulnerable system via a binary patch:
> >>
> >> Systems running a RELEASE version of FreeBSD platforms can be updated
> >> via the freebsd-update(8) utility:
> >>
> >> # freebsd-update fetch
> >> # freebsd-update install
> >>
> >> Reboot is required.
> >>
> >> 3) To update your vulnerable system via a source code patch:
> >>
> >> The following patches have been verified to apply to the applicable
> >> FreeBSD release branches.
> >>
> >> [*** v1.1 NOTE ***] If your sources are not yet patched using the init=
ially
> >> published advisory patches, then you need to apply both sysarch.patch =
and
> >> sysarch-01.patch.  If your sources are already updated, or patched with
> >> patches from the initial advisory, then you need to apply sysarch-01.p=
atch
> >> only.
> >>
> >> a) Download the relevant patch from the location below, and verify the
> >> detached PGP signature using your PGP utility.
> >>
> >> [ FreeBSD system not patched with original SA-16:15 patch]
> >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
> >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
> >> # gpg --verify sysarch.patch.asc
> >>
> >> [ FreeBSD system that has been patched with original SA-16:15 patch]
> >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch
> >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch=
=2Easc
> >> # gpg --verify sysarch-01.patch.asc
> >>
> >> b) Apply the patch(es).  Execute the following commands as root for
> >> every patch file downloaded:
> >>
> >> # cd /usr/src
> >> # patch < /path/to/patch
> >>
> >> c) Recompile your kernel as described in
> >> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
> >> system.
> >>
> >> VI.  Correction details
> >>
> >> The following list contains the correction revision numbers for each
> >> affected branch.
> >>
> >> Branch/path                                                      Revis=
ion
> >> - --------------------------------------------------------------------=
-----
> >> stable/9/                                                         r307=
941
> >> releng/9.3/                                                       r307=
931
> >> stable/10/                                                        r307=
940
> >> releng/10.1/                                                      r307=
932
> >> releng/10.2/                                                      r307=
933
> >> releng/10.3/                                                      r307=
934
> >> stable/11/                                                        r307=
938
> >> releng/11.0/                                                      r307=
935
> >> - --------------------------------------------------------------------=
-----
> >>
> >> To see which files were modified by a particular revision, run the
> >> following command, replacing NNNNNN with the revision number, on a
> >> machine with Subversion installed:
> >>
> >> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
> >>
> >> Or visit the following URL, replacing NNNNNN with the revision number:
> >>
> >> <URL:https://svnweb.freebsd.org/base?view=3Drevision&revision=3DNNNNNN>;
> >>
> >> VII. References
> >>
> >> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-1885>;
> >>
> >> The latest revision of this advisory is available at
> >> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.=
asc>
> >> -----BEGIN PGP SIGNATURE-----
> >>
> >> iQIcBAEBCgAGBQJYD5VZAAoJEO1n7NZdz2rnYT4QAMmnfUBnxiNHfzaEDMe2oU+H
> >> WIVFzFtU5FTAm3wJ3JORU1euqhusDoB7D8nova30alM2bHHd86epBGgym1Q+hxR2
> >> qTI+d8QimvQUWelz7DWPh0h3ZNlVfDxY8vKlr5SS0W/HOMjbG/O6U1AIw5p7cPaa
> >> LkDpqo2IN8xBL6tJFUKNEQS/GzuU2HtfKhQK0/ojT4DW61AkOZn4SZzzYBz3iO4p
> >> a8Otv4+aHzyNjTZRm/33SrFzdG0RZWyT/WXsEHlv5NiXVMPML+oY918jppqClkoO
> >> pwjcneWTqgYrE4vvVOADKOlWyNa4jFmPQSW7MmNEaF4RMd8TMcE/cBTKOi41YuOp
> >> la1JzvtWUnou7oQqy/xKr0S/Wa2x6ZhR4vBg28fkfrQhn55N+qqDicQ3F907dOm5
> >> A0ERHKgImlWSGM+Sf2CJyrUJUNUye0bVQMhrM4e3psZ7Jr20IXjnhppr1mufCjTH
> >> H+aEHv43o/1HuoltnjstiBZ/CZpFdIXkBpsHtzteZR2y+pmZFA9bB4uZeeML0mj3
> >> /cxj8rgPRmcjk6nSsnLWhq2YEFAZBC/lv43wqSrXE9+BBpSh6zM5NCTPb50/dBqf
> >> V553uuGEvJlHmOAoveXxYyxKcGpgZAcgJjWpAkCpoVxgdrbtLcPY5Z+8cy8fMO3G
> >> YHOkZydbLPaXOXimZfut
> >> =3DNWuL
> >> -----END PGP SIGNATURE-----
> >> _______________________________________________
> >> freebsd-security-notifications@freebsd.org mailing list
> >> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notificati=
ons
> >> To unsubscribe, send any mail to "freebsd-security-notifications-unsub=
scribe@freebsd.org"
> >
> > --
> > Pawel Jakub Dawidek                       http://www.wheelsystems.com
> > FreeBSD committer                         http://www.FreeBSD.org
> > Am I Evil? Yes, I Am!                     http://mobter.com

--=20
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com

--Mjqg7Yu+0hL22rav
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJYEEnoAAoJEJVLhSuxKFt1yicP/17P5g+imYFMySqraAEN9Y/x
Tom4hzttQ0hDpwdtMk/JxYxlC9sL5ZGZCIyXIhepfzB8WosKNBXPoelMFeYPE9pM
XU9ixvkXnrFcF2vXEOifRSy/EmUKyQKF0+7AVUrl/6dsmXwiBeTWffVsjpbmiu9C
NP4lqg0yI4fRIWUjb63PyW/fbhwDNW4fA/wGb7FbM+ZD+Ry/8+rkOj5OuD3uRaB7
DdYb47uBxouSCTdnu8WupbDmwJOKn6lIaqJeUIODeEyi5e7NjPdbA2Lwc7Kn0L8b
qmzNPbR5EdGSiH6FrjxhF2nbLMe8pVViWvQn4T05uY/qPI+AqveH0d2DEnB+Z7KH
jswyeQ7CWsyChSJuwMLeQSUYEh7Fb80iEIbW0hLeBIB5q0azrf1Fhd2cTeuBG9I+
8ejlIMIRf9IdWQII2xEj/CQ8JY4jr8riecOJlu6QfISnnfA9EB0A8+0vI+IXPKDT
vlNZDvhFGH/hSyk1qA1HhaXYc4hWMxk+bwjqY33DZyoN3h5SEyT4sfhF3IRoR55u
czuhbyOfbcFc0Fbn4ZeguUUBveu9YLAcwfw1LubiJZOWWqF5L2mnMb9/7uvoVFOP
SMOYjw0IypkdzY8O28ItsXNTXksjMFu+30wDcGK41c2PLmws2GZI2yqditxbrhVS
8BcIRgorKs1dbSyqHT72
=F7qd
-----END PGP SIGNATURE-----

--Mjqg7Yu+0hL22rav--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20161026061504.GH60006>