From: Philip Paeps
To: Dan Langille
Cc: Jos Chrispijn, FreeBSD Mailing List
Subject: Re: FreeBSD-kernel-13.4_1 is vulnerable
Date: Tue, 03 Dec 2024 17:39:22 +0800
X-Mailer: MailMate (1.14r6065)
In-Reply-To: <798fddc5-c2e9-4c2a-a64d-3627a9bc36f7@app.fastmail.com>
References: <798fddc5-c2e9-4c2a-a64d-3627a9bc36f7@app.fastmail.com>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 2024-12-03 00:29:22 (+0800), Dan Langille wrote:
> In this reply, I have cc'd philip@ - we have discussed this issue over
> the years.
>
> On Fri, Nov 29, 2024, at 4:05 AM, Jos Chrispijn wrote:
>> Not sure if I oversee an update, but still get this message
>>
>> Checking for security vulnerabilities in base (userland & kernel):
>> Database fetched: 2024-11-27T23:30+01:00
>> FreeBSD-kernel-13.4_1 is vulnerable:
>> FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
>> CVE: CVE-2024-39281
>> WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>>
>> Understand that for FreeBSD 14 this issue has been solved.
>> Can you tell me when a fix will be released for 13.4?
>
> I have the same issue with FreeBSD 14.1-RELEASE-p5 - the problem is
> not (in this case) an unpatched system. It is a false positive. The
> vuxml database seems to relate only to kernel vulns, and is not aware
> that sometimes a vuln affects userland. In this case, the userland is
> vuln (and patched) - pkg-base-audit is unaware of that.
>
> To me, it is important to fix the problem because false positives
> develop into alert fatigue and cause unnecessary work.
>
> [16:16 r730-01 dvl ~] % sudo /usr/local/etc/periodic/security/405.pkg-base-audit
>
> Checking for security vulnerabilities in base (userland & kernel):
> Host system:
> vulnxml file up-to-date
> FreeBSD-kernel-14.1_5 is vulnerable:
> FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
> CVE: CVE-2024-39281
> WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
>
> [16:17 r730-01 dvl ~] % pkg which /usr/local/etc/periodic/security/405.pkg-base-audit
> /usr/local/etc/periodic/security/405.pkg-base-audit was installed by package pkg-1.21.3
>
> The problem is the kernel version and user version differ:
>
> [16:17 r730-01 dvl ~] % freebsd-version -u
> 14.1-RELEASE-p6
> [16:17 r730-01 dvl ~] %
>
> I believe the problem is with the 405.pkg-base-audit which is looking
> only at the kernel version:
>
> [16:18 r730-01 dvl ~] % freebsd-version -k
> 14.1-RELEASE-p5
>
> ... not knowing that the vuln is in the userland, not the kernel.
>
> My wild idea here:
>
> * indicate with each vuln: userland or kernel?
> * when checking for a vuln, consult the above new flag and check the
>   appropriate value
>
> Philip: is my idea wildly off base?

You're not wrong. But the reasoning is incomplete.

The issue at hand is a vulnerability in a kernel module that is not part of GENERIC. The freebsd-update build machinery only rebuilds the bits that are actually vulnerable. In this case: only the vulnerable kernel module.
Nothing changed in the kernel, so freebsd-update doesn't ship a new kernel.

405.pkg-base-audit can't know if you've unloaded/reloaded the vulnerable module because modules are not versioned -- at least not in a way that is useful to userland. There is nothing for 405.pkg-base-audit to look at.

We discussed this issue again during yesterday's secteam fortnightly call.

Very long-term, freebsd-update will go away and be replaced by pkgbase. Meanwhile, we do need a long-term solution because freebsd-update will still be with us until the end of stable/15's support lifetime (i.e. several years).

We plan to remove the witchcraft in the freebsd-update build system that prevents shipping a new kernel binary when only a module is updated. The downside is that freebsd-update will ship a new kernel even if only a module not included in GENERIC is vulnerable. We'll make a note of that in the workarounds / mitigations section of the advisory texts.

On the whole, false negatives are a lot better than false positives here. We'd rather people boot into a new kernel even if their old one wasn't strictly vulnerable, than people get alert fatigue from false positives they can't silence except in their monitoring.

Unfortunately, we won't be able to get a freebsd-update build patch working before the end of the year. We don't want to release something just before the upcoming end-of-year holidays in many parts of the world. We'll try to have this done early in January.

Philip
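An added example, not code from this thread or from pkg-base-audit: a POSIX sh script that parses the two freebsd-version strings Dan quotes to show when the userland patch level is ahead of the kernel's (the case the audit keys on wrongly), and checks kldstat-style output for the ctl(4) module, which Philip notes 405.pkg-base-audit cannot see. The version strings and the kldstat output are constructed inputs passed as arguments; on a FreeBSD host they would come from `freebsd-version -u`, `freebsd-version -k` and `kldstat`.

```shell
#!/bin/sh
# Added example (not from the thread). Interprets a kernel-keyed audit hit:
#  1. is the userland patch level ahead of the kernel's?
#  2. is the flagged module actually loaded on this host?
# Inputs are strings so the script runs anywhere (constructed samples below).

# patch_level VERSION -> integer patch level ("14.1-RELEASE-p6" -> 6, no -pN -> 0)
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# base_release VERSION -> the version with any -pN suffix stripped
base_release() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# audit_view USERLAND KERNEL -> prints in-sync | userland-ahead | kernel-ahead | mismatch
# Exit status is 0 only when the kernel version alone tells the whole story.
audit_view() {
    [ "$(base_release "$1")" = "$(base_release "$2")" ] || { echo mismatch; return 2; }
    up=$(patch_level "$1"); kp=$(patch_level "$2")
    if   [ "$up" -gt "$kp" ]; then echo userland-ahead; return 1
    elif [ "$kp" -gt "$up" ]; then echo kernel-ahead;   return 1
    fi
    echo in-sync
}

# module_loaded MODULE KLDSTAT_OUTPUT -> exit 0 if MODULE appears in the Name column
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $NF == m { found = 1 } END { exit !found }'
}

# Constructed sample of kldstat output from a host with the CTL module loaded.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   30 0xffffffff80200000  1f30a68 kernel
 2    1 0xffffffff82131000     3220 ctl.ko'

# Demo with the two versions quoted in the thread.
verdict=$(audit_view 14.1-RELEASE-p6 14.1-RELEASE-p5) || :
echo "userland 14.1-RELEASE-p6 vs kernel 14.1-RELEASE-p5: $verdict"
if module_loaded ctl.ko "$SAMPLE_KLDSTAT"; then
    echo "ctl.ko is loaded: the kernel-side finding applies to this host"
else
    echo "ctl.ko is not loaded: the module-only finding is moot until it is"
fi
```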