Date: Mon, 5 Oct 2009 18:23:25 +0700 From: budsz <budiyt@gmail.com> To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:14.devfs Message-ID: <4d4dc3640910050423i24d9ee19q967152458b449df6@mail.gmail.com> In-Reply-To: <200910022012.n92KC4Tb003955@freefall.freebsd.org> References: <200910022012.n92KC4Tb003955@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Oct 3, 2009 at 3:12 AM, FreeBSD Security Advisories <security-advisories@freebsd.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > FreeBSD-SA-09:14.devfs =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0Security Advisory > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0The FreeBSD Project > > Topic: =A0 =A0 =A0 =A0 =A0Devfs / VFS NULL pointer race condition > > Category: =A0 =A0 =A0 core > Module: =A0 =A0 =A0 =A0 kern > Announced: =A0 =A0 =A02009-10-02 > Credits: =A0 =A0 =A0 =A0Przemyslaw Frasunek > Affects: =A0 =A0 =A0 =A0FreeBSD 6.x and 7.x > Corrected: =A0 =A0 =A02009-05-18 10:41:59 UTC (RELENG_7, 7.2-STABLE) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A02009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-R= ELEASE-p4) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A02009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-R= ELEASE-p8) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A02009-10-02 18:09:56 UTC (RELENG_6, 6.4-STA= BLE) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A02009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-R= ELEASE-p7) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A02009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-R= ELEASE-p13) > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:http://security.FreeBSD.org/>. > > I. =A0 Background > > The device file system (devfs) provides access to system devices, such as > storage devices and serial ports, via the file system namespace. > > VFS is the Virtual File System, which abstracts file system operations in > the kernel from the actual underlying file system. > > II. =A0Problem Description > > Due to the interaction between devfs and VFS, a race condition exists > where the kernel might dereference a NULL pointer. > > III. Impact > > Successful exploitation of the race condition can lead to local kernel > privilege escalation, kernel data corruption and/or crash. > > To exploit this vulnerability, an attacker must be able to run code with = user > privileges on the target system. > > IV. =A0Workaround > > An errata note, FreeBSD-EN-09:05.null has been released simultaneously to > this advisory, and contains a kernel patch implementing a workaround for = a > more broad class of vulnerabilities. =A0However, prior to those changes, = no > workaround is available. > > V. =A0 Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the > RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch > dated after the correction date. > > 2) To patch your present system: > > The following patches have been verified to apply to FreeBSD 6.3, 6.4, > 7.1, and 7.2 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 6.x] > # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch > # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch.asc > > [FreeBSD 7.x] > # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch > # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch.asc > > b) Apply the patch. > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > <URL:http://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the > system. > > VI. =A0Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > CVS: > > Branch =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 Revision > =A0Path > - -----------------------------------------------------------------------= -- > RELENG_6 > =A0src/sys/fs/devfs/devfs_vnops.c =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 1.114.2.17 > RELENG_6_4 > =A0src/UPDATING =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A01.416.2.40.2.11 > =A0src/sys/conf/newvers.sh =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A01.69.2.18.2.13 > =A0src/sys/fs/devfs/devfs_vnops.c =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 1.114.2.16.2.2 > RELENG_6_3 > =A0src/UPDATING =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A01.416.2.37.2.18 > =A0src/sys/conf/newvers.sh =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A01.69.2.15.2.17 > =A0src/sys/fs/devfs/devfs_vnops.c =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 1.114.2.15.2.1 > RELENG_7 > =A0src/sys/fs/devfs/devfs_vnops.c =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 =A01.149.2.9 > RELENG_7_2 > =A0src/UPDATING =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 1.507.2.23.2.7 > =A0src/sys/conf/newvers.sh =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 1.72.2.11.2.8 > =A0src/sys/fs/devfs/devfs_vnops.c =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A01.149.2.8.2.2 > RELENG_7_1 > =A0src/UPDATING =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A01.507.2.13.2.11 > =A0src/sys/conf/newvers.sh =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 1.72.2.9.2.12 > =A0src/sys/fs/devfs/devfs_vnops.c =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A01.149.2.4.2.2 > - -----------------------------------------------------------------------= -- > > Subversion: > > Branch/path =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0Revision > - -----------------------------------------------------------------------= -- > stable/6/ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 r197715 > releng/6.4/ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 r197715 > releng/6.3/ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 r197715 > stable/7/ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 r192301 > releng/7.2/ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 r197715 > releng/7.1/ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 r197715 > - -----------------------------------------------------------------------= -- > > VII. References > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-09:14.devfs.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (FreeBSD) > > iD8DBQFKxltlFdaIBMps37IRAp4zAJwJEwIySGqxH4EXwc0wjkDXlcTb1wCfTltO > Syds53GSM0YbsMNUVMGsLaU=3D > =3DexPZ > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g" > Hi folks, I just got some problem when compling my kerne. Here we go: rm -f hack.c MAKE=3Dmake sh /usr/src/sys/conf/newvers.sh WILLSZPROXY cc -c -O -pipe -std=3Dc99 -g -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common -finline-limit=3D8000 --param inline-unit-growth=3D100 --param large-function-growth=3D1000 -mno-align-long-strings -mpreferred-stack-boundary=3D2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -Werror vers.c linking kernel.debug kern_fork.o(.text+0x1d18): In function `fork1': /usr/src/sys/kern/kern_fork.c:737: undefined reference to `knote_fork' *** Error code 1 Stop in /usr/obj/usr/src/sys/WILLSZPROXY. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. My box running FreeBSD 7.2-STABLE. Thanks in advance. --=20 budsz
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4d4dc3640910050423i24d9ee19q967152458b449df6>