From owner-freebsd-security@freebsd.org Wed Oct 26 06:15:11 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 88149C22191 for ; Wed, 26 Oct 2016 06:15:11 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id DC7F07F9; Wed, 26 Oct 2016 06:15:10 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from localhost (unknown [24.6.107.161]) by mail.dawidek.net (Postfix) with ESMTPSA id C6244EC3; Wed, 26 Oct 2016 08:15:08 +0200 (CEST) Date: Wed, 26 Oct 2016 08:15:05 +0200 From: Pawel Jakub Dawidek To: Xin LI Cc: rwatson@FreeBSD.org, freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] Message-ID: <20161026061504.GH60006@garage.freebsd.pl> References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Mjqg7Yu+0hL22rav" Content-Disposition: inline In-Reply-To: X-OS: FreeBSD 11.0-CURRENT amd64 User-Agent: Mutt/1.5.24 (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 06:15:11 -0000 --Mjqg7Yu+0hL22rav Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I'm pretty sure we didn't for unprivileged local DoS. Robert, can you help me here? Do I recall correctly? I remember one time when Colin did security advisory for unprivileged local DoS and we had a discussion back then that this is dangerous precedent, as users may start depending on it. On Tue, Oct 25, 2016 at 10:47:44PM -0700, Xin LI wrote: > It's unprivileged local DoS (if it's root DoS then we normally don't). >=20 > On Tue, Oct 25, 2016 at 9:27 PM, Pawel Jakub Dawidek wr= ote: > > Hi guys, > > > > since when do we publish security advisories for local DoSes? > > > > On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories w= rote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA512 > >> > >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > >> FreeBSD-SA-16:15.sysarch [REVISED] Security A= dvisory > >> The FreeBSD = Project > >> > >> Topic: Incorrect argument validation in sysarch(2) > >> > >> Category: core > >> Module: kernel > >> Announced: 2016-10-25 > >> Credits: Core Security, ahaha from Chaitin Tech > >> Affects: All supported versions of FreeBSD. > >> Corrected: 2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE) > >> 2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2) > >> 2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE) > >> 2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11) > >> 2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24) > >> 2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41) > >> 2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE) > >> 2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49) > >> CVE Name: CVE-2016-1885 > >> > >> For general information regarding FreeBSD Security Advisories, > >> including descriptions of the fields above, security branches, and the > >> following sections, please visit . > >> > >> 0. Revision history > >> > >> v1.0 2016-03-16 Initial release. > >> v1.1 2016-10-25 Revised patch to address a problem pointed out by > >> ahaha from Chaitin Tech. > >> > >> I. Background > >> > >> The IA-32 architecture allows programs to define segments, which provi= des > >> based and size-limited view into the program address space. The > >> memory-resident processor structure, called Local Descriptor Table, > >> usually abbreviated LDT, contains definitions of the segments. Since > >> incorrect or malicious segments would breach system integrity, operati= ng > >> systems do not provide processes direct access to the LDT, instead > >> they provide system calls which allow controlled installation and remo= val > >> of segments. > >> > >> II. Problem Description > >> > >> A special combination of sysarch(2) arguments, specify a request to > >> uninstall a set of descriptors from the LDT. The start descriptor > >> is cleared and the number of descriptors are provided. Due to lack > >> of sufficient bounds checking during argument validity verification, > >> unbound zero'ing of the process LDT and adjacent memory can be initiat= ed > >> from usermode. > >> > >> III. Impact > >> > >> This vulnerability could cause the kernel to panic. In addition it is > >> possible to perform a local Denial of Service against the system by > >> unprivileged processes. > >> > >> IV. Workaround > >> > >> No workaround is available, but only the amd64 architecture is affecte= d. > >> > >> V. Solution > >> > >> Perform one of the following: > >> > >> 1) Upgrade your vulnerable system to a supported FreeBSD stable or > >> release / security branch (releng) dated after the correction date. > >> > >> Reboot is required. > >> > >> 2) To update your vulnerable system via a binary patch: > >> > >> Systems running a RELEASE version of FreeBSD platforms can be updated > >> via the freebsd-update(8) utility: > >> > >> # freebsd-update fetch > >> # freebsd-update install > >> > >> Reboot is required. > >> > >> 3) To update your vulnerable system via a source code patch: > >> > >> The following patches have been verified to apply to the applicable > >> FreeBSD release branches. > >> > >> [*** v1.1 NOTE ***] If your sources are not yet patched using the init= ially > >> published advisory patches, then you need to apply both sysarch.patch = and > >> sysarch-01.patch. If your sources are already updated, or patched with > >> patches from the initial advisory, then you need to apply sysarch-01.p= atch > >> only. > >> > >> a) Download the relevant patch from the location below, and verify the > >> detached PGP signature using your PGP utility. > >> > >> [ FreeBSD system not patched with original SA-16:15 patch] > >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch > >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc > >> # gpg --verify sysarch.patch.asc > >> > >> [ FreeBSD system that has been patched with original SA-16:15 patch] > >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch > >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch= =2Easc > >> # gpg --verify sysarch-01.patch.asc > >> > >> b) Apply the patch(es). Execute the following commands as root for > >> every patch file downloaded: > >> > >> # cd /usr/src > >> # patch < /path/to/patch > >> > >> c) Recompile your kernel as described in > >> and reboot the > >> system. > >> > >> VI. Correction details > >> > >> The following list contains the correction revision numbers for each > >> affected branch. > >> > >> Branch/path Revis= ion > >> - --------------------------------------------------------------------= ----- > >> stable/9/ r307= 941 > >> releng/9.3/ r307= 931 > >> stable/10/ r307= 940 > >> releng/10.1/ r307= 932 > >> releng/10.2/ r307= 933 > >> releng/10.3/ r307= 934 > >> stable/11/ r307= 938 > >> releng/11.0/ r307= 935 > >> - --------------------------------------------------------------------= ----- > >> > >> To see which files were modified by a particular revision, run the > >> following command, replacing NNNNNN with the revision number, on a > >> machine with Subversion installed: > >> > >> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > >> > >> Or visit the following URL, replacing NNNNNN with the revision number: > >> > >> > >> > >> VII. References > >> > >> > >> > >> The latest revision of this advisory is available at > >> > >> -----BEGIN PGP SIGNATURE----- > >> > >> iQIcBAEBCgAGBQJYD5VZAAoJEO1n7NZdz2rnYT4QAMmnfUBnxiNHfzaEDMe2oU+H > >> WIVFzFtU5FTAm3wJ3JORU1euqhusDoB7D8nova30alM2bHHd86epBGgym1Q+hxR2 > >> qTI+d8QimvQUWelz7DWPh0h3ZNlVfDxY8vKlr5SS0W/HOMjbG/O6U1AIw5p7cPaa > >> LkDpqo2IN8xBL6tJFUKNEQS/GzuU2HtfKhQK0/ojT4DW61AkOZn4SZzzYBz3iO4p > >> a8Otv4+aHzyNjTZRm/33SrFzdG0RZWyT/WXsEHlv5NiXVMPML+oY918jppqClkoO > >> pwjcneWTqgYrE4vvVOADKOlWyNa4jFmPQSW7MmNEaF4RMd8TMcE/cBTKOi41YuOp > >> la1JzvtWUnou7oQqy/xKr0S/Wa2x6ZhR4vBg28fkfrQhn55N+qqDicQ3F907dOm5 > >> A0ERHKgImlWSGM+Sf2CJyrUJUNUye0bVQMhrM4e3psZ7Jr20IXjnhppr1mufCjTH > >> H+aEHv43o/1HuoltnjstiBZ/CZpFdIXkBpsHtzteZR2y+pmZFA9bB4uZeeML0mj3 > >> /cxj8rgPRmcjk6nSsnLWhq2YEFAZBC/lv43wqSrXE9+BBpSh6zM5NCTPb50/dBqf > >> V553uuGEvJlHmOAoveXxYyxKcGpgZAcgJjWpAkCpoVxgdrbtLcPY5Z+8cy8fMO3G > >> YHOkZydbLPaXOXimZfut > >> =3DNWuL > >> -----END PGP SIGNATURE----- > >> _______________________________________________ > >> freebsd-security-notifications@freebsd.org mailing list > >> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notificati= ons > >> To unsubscribe, send any mail to "freebsd-security-notifications-unsub= scribe@freebsd.org" > > > > -- > > Pawel Jakub Dawidek http://www.wheelsystems.com > > FreeBSD committer http://www.FreeBSD.org > > Am I Evil? Yes, I Am! http://mobter.com --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com --Mjqg7Yu+0hL22rav Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJYEEnoAAoJEJVLhSuxKFt1yicP/17P5g+imYFMySqraAEN9Y/x Tom4hzttQ0hDpwdtMk/JxYxlC9sL5ZGZCIyXIhepfzB8WosKNBXPoelMFeYPE9pM XU9ixvkXnrFcF2vXEOifRSy/EmUKyQKF0+7AVUrl/6dsmXwiBeTWffVsjpbmiu9C NP4lqg0yI4fRIWUjb63PyW/fbhwDNW4fA/wGb7FbM+ZD+Ry/8+rkOj5OuD3uRaB7 DdYb47uBxouSCTdnu8WupbDmwJOKn6lIaqJeUIODeEyi5e7NjPdbA2Lwc7Kn0L8b qmzNPbR5EdGSiH6FrjxhF2nbLMe8pVViWvQn4T05uY/qPI+AqveH0d2DEnB+Z7KH jswyeQ7CWsyChSJuwMLeQSUYEh7Fb80iEIbW0hLeBIB5q0azrf1Fhd2cTeuBG9I+ 8ejlIMIRf9IdWQII2xEj/CQ8JY4jr8riecOJlu6QfISnnfA9EB0A8+0vI+IXPKDT vlNZDvhFGH/hSyk1qA1HhaXYc4hWMxk+bwjqY33DZyoN3h5SEyT4sfhF3IRoR55u czuhbyOfbcFc0Fbn4ZeguUUBveu9YLAcwfw1LubiJZOWWqF5L2mnMb9/7uvoVFOP SMOYjw0IypkdzY8O28ItsXNTXksjMFu+30wDcGK41c2PLmws2GZI2yqditxbrhVS 8BcIRgorKs1dbSyqHT72 =F7qd -----END PGP SIGNATURE----- --Mjqg7Yu+0hL22rav--