From: Robert Watson
Date: Thu, 4 Sep 2008 00:14:26 +0100 (BST)
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:08.nmount

On Wed, 3 Sep 2008, FreeBSD Security Advisories wrote:

> The mount(2) and nmount(2) system calls are used by various utilities in the
> base system to graft a file system object on to the file system tree to a
> given mount point.  It is possible to allow unprivileged users to utilize
> these system calls by setting the vfs.usermount sysctl(8) variable.

Note that as-shipped by the FreeBSD Project, vfs.usermount is *disabled* in
FreeBSD.  This may not be the case in rebundled or derived systems, however.
You can check whether it is enabled using "sysctl vfs.usermount" -- if the
result is "0" then you should be fine.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> II.  Problem Description
>
> Various user defined input such as mount points, devices, and mount
> options are prepared and passed as arguments to nmount(2) into the
> kernel.  Under certain error conditions, user defined data will be
> copied into a stack allocated buffer stored in the kernel without
> sufficient bounds checking.
>
> III. Impact
>
> If the system is configured to allow unprivileged users to mount file
> systems, it is possible for a local adversary to exploit this
> vulnerability and execute code in the context of the kernel.
>
> IV.  Workaround
>
> It is possible to work around this issue by allowing only privileged
> users to mount file systems by running the following sysctl(8)
> command:
>
> # sysctl vfs.usermount=0
>
> V.   Solution
>
> NOTE WELL: Even with this fix allowing users to mount arbitrary media
> should not be considered safe.  Most of the file systems in FreeBSD
> were not built to safeguard against malicious devices.  While
> such bugs in file systems are fixed when found, a complete audit has
> not been performed on the file system code.
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
> security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in and reboot the
> system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_7
>   src/sys/kern/vfs_mount.c                                       1.265.2.10
> RELENG_7_0
>   src/UPDATING                                                1.507.2.3.2.8
>   src/sys/conf/newvers.sh                                      1.72.2.5.2.8
>   src/sys/kern/vfs_mount.c                                    1.265.2.1.2.2
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc
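
The check described in the reply above, extended to cover reboot persistence, as an added example that is not part of the original message or the advisory: "sysctl vfs.usermount=0" only changes the running kernel, so the script also looks for a vfs.usermount line in a sysctl.conf-style file that would turn it back on at boot. The function names and verdict strings are illustrative, and the tolerant handling of spaces and quotes around the value is an assumption.

```shell
#!/bin/sh
# Added example: audit vfs.usermount for the FreeBSD-SA-08:08.nmount workaround.
# Function names and verdict strings are illustrative, not FreeBSD tooling.

# Print the value vfs.usermount ends up with after a sysctl.conf-style file
# is applied: comments dropped, last assignment wins. Prints nothing if unset.
usermount_in_conf() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]"]//g' "$1" |
        sed -n 's/^vfs\.usermount=//p' | tail -n 1
}

# Combine the running value with the persisted one.
#   $1 = output of "sysctl -n vfs.usermount" (empty if unavailable)
#   $2 = output of usermount_in_conf
usermount_verdict() {
    case "$1:$2" in
        :*)     echo "unknown" ;;            # could not read the running value
        0:|0:0) echo "ok" ;;                 # disabled now and after reboot
        0:*)    echo "reenabled-at-boot" ;;  # workaround is not persistent
        *)      echo "exposed" ;;            # unprivileged mounts allowed now
    esac
}

# Constructed sample file: usermount is disabled, then a later line undoes it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example, not from a real host
vfs.usermount=0
security.bsd.see_other_uids=0
vfs.usermount=1   # added later for USB sticks
EOF
echo "sample file: $(usermount_verdict 0 "$(usermount_in_conf "$sample")")"
rm -f "$sample"

# Live check (meaningful on FreeBSD only; reports "unknown" elsewhere).
live=$(sysctl -n vfs.usermount 2>/dev/null || true)
echo "this host:   $(usermount_verdict "$live" "$(usermount_in_conf /etc/sysctl.conf)")"
```

A result of "ok" only confirms the workaround is in place; it says nothing about whether the kernel carries the vfs_mount.c fix.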