From nobody Wed Jan 29 21:31:05 2025
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwLy4Vy9z5m2ts
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Wed, 29 Jan 2025 21:31:06 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R11" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwLx6xpZz3s8M;
	Wed, 29 Jan 2025 21:31:05 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1738186266; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc; bh=BHYAQ1lB/AO2LCnpMzxZrnBbcJ5KRqCymEB6teZRBeo=;
	b=PEJ1p7akVZPT+pZ+NkzfeOE6p4gfwZvFCNlZBTU1oc4yd5yN6Aj0oddsgt8gPi+yHzAaiF
	MbHR1EXVMbc6OSmRv/3mn//T/7PJyey9jstioeTlSlDE+rxbcGKKKJ9sL7PI5vFQhoPNl0
	hxmI5Gyw5fxDQO+8oAVTMSN5tDoPbdvIVRHzdjNsnPaat77flLBU9VSIcd8rHnQFpCLe0e
	H5/tgI0r737YmIjRTdumNlrc3vAew3z6v2LoRj8MQn6ehqdpdkGo2X87gJFzJKHp4oYqtr
	j45udMDBSWWBCCyB/Q4EmFb9PXlRJYNJe1Eb8WbFonG/bLv5BPJaHxoF51XBXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1738186266; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc;
	bh=BHYAQ1lB/AO2LCnpMzxZrnBbcJ5KRqCymEB6teZRBeo=;
	b=GX3ZMlt7jIATGgAUTK4mvho09Q4hMLRB+KqHcYdESVlm0S4XNnthmXdcYpsATLNSFOXbia
	r9e4Pgoe3sTC9xP6AcUKZAyDUCXMNncIljUc9escDemwooDlqX0zOFQhu4tSeVVrtqltcX
	BWIi8yCJhNM7zpv87w8dbZKqa06Gxs2GVVi06G2tPElREWSRkabAzhd6unvFWFFWtyNlUo
	6hO3XH1DwngWluWfzT4Qgttd89Ta/PyJ55M44ld2E/4fRxHDhLeYxyrvVpSiI2cO92zaJG
	gWbF0sEN3AYtOznhIlOPPjwbKvN4PLWe03Xuoa883GjpDqtxo/tJPIKIV9ecDw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738186266; a=rsa-sha256; cv=none;
	b=lBKiMgiwTeLE2+kaLsI7RSvc/OwAVk3O+BGUNZUsGc8ZvzAeDjZtEkdFtfkNv8ZH3ryse6
	1MAvSHW46fKssJTNfgtNLzOaM8WSOnr5g08VwV21fHIzvyf/YgsiKTPxJjSJke4apqN9r0
	Gb8uYms4LhE90xcDaU325lLUip2aZKEt/iv8WP3dgPfBCFicbVnfuc+XNCeqXh1GIiLDKM
	GkENSNMemnr2nOxpL+uVyYkGnGDtlHiOy3QWE6yDXcFbqPScDD6PsyxeGNzrHeJErb8ShK
	WFv0XT2bqfo9R+bz0uTXNWWToDr3bq51jb8H68Q94GCDDj9tGJrFUqhtxVsJDg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id E3B3328A1; Wed, 29 Jan 2025 21:31:05 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-25:02.fs
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20250129213105.E3B3328A1@freefall.freebsd.org>
Date: Wed, 29 Jan 2025 21:31:05 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
List-Help: <mailto:security-notifications+help@freebsd.org>
List-Post: <mailto:security-notifications@freebsd.org>
List-Subscribe: <mailto:security-notifications+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security-notifications+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-25:02.fs                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in some filesystems via NFS

Category:       core
Module:         fs
Announced:      2025-01-29
Credits:        Kevin Miller
Affects:        All supported versions of FreeBSD.
Corrected:      2025-01-17 13:53:10 UTC (stable/14, 14.2-STABLE)
                2025-01-29 18:54:56 UTC (releng/14.2, 14.2-RELEASE-p1)
                2025-01-29 18:55:22 UTC (releng/14.1, 14.1-RELEASE-p7)
                2025-01-17 14:00:40 UTC (stable/13, 13.4-STABLE)
                2025-01-29 18:55:29 UTC (releng/13.4, 13.4-RELEASE-p3)
CVE Name:       CVE-2025-0373

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD provides a number of filesystem implementations for different
purposes.  cd9660 is used to mount ISO 9660 images; tarfs is used to mount
POSIX tar archives; ext2fs is used to mount ext2, ext3, and ext4 filesystems.

II.  Problem Description

In order to export a file system via NFS, the file system must define a file
system identifier (FID) for all exported files.  Each FreeBSD file system
implements operations to translate between FIDs and vnodes, the kernel's
in-memory representation of files.  These operations are VOP_VPTOFH(9) and
VFS_FHTOVP(9).

On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and
ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack
buffer overflow.

III. Impact

A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made
to panic by mounting and accessing the export with an NFS client.  Further
exploitation (e.g., bypassing file permission checking or remote kernel code
execution) is potentially possible, though this has not been demonstrated.  In
particular, release kernels are compiled with stack protection enabled, and
some instances of the overflow are caught by this mechanism, causing a panic.

IV.  Workaround

No workaround is available, however, only systems which export a cd9660,
tarfs, or ext2fs filesystem via NFS are affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-25:02/fs-14.patch
# fetch https://security.FreeBSD.org/patches/SA-25:02/fs-14.patch.asc
# gpg --verify fs-14.patch.asc

[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-25:02/fs-13.patch
# fetch https://security.FreeBSD.org/patches/SA-25:02/fs-13.patch.asc
# gpg --verify fs-13.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              7a3a0402aeb6    stable/14-n270143
releng/14.2/                            faa47d299a0e  releng/14.2-n269512
releng/14.1/                            c90866090517  releng/14.1-n267732
stable/13/                              ee931cf4a49c    stable/13-n259016
releng/13.4/                            0365b776f1b1  releng/13.4-n258273
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0373>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:02.fs.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKoACgkQbljekB8A
Gu8JFw/7Bq7C56cUeMwxb6I7BU3U2/DNjKLAR3bymrYqqJberyyyfUtgCcaTyz2q
uCOAlK8xSbOVwX4WYb4pygR/uxRCPBaooTLpIZBPTCT5TxyTeLqQWfedeVMgYHgd
zkuS4cG97IACiS9Zey6xFO5Rati0QoSuhEf36rvJXO/E7HQHARe954G7FDWvTi3W
Snn5MvWYFwCvcL7gtthaoXtxS/FFRv+ht+cv6u/k6BNQXU7QFhF5qfFxM5rFczhO
+TTFMoizAxLyirZNPy2n2jg9u+vrh2LKmfwiuMxX3zUeNI8/7yNZJ7ea+VGoRAxh
OEXXPLbNPVtJdi6qvZ+3D0HUw/3aRjg/i0/Qe+5KXFC7OLBxksM5vyOC+eAjoyQW
Y489eI7B5tV1td52wotZ1bIyt3GHmKtFxOt2kajPaR0vjuaYtdUb85PtT2QGjnRJ
XbzmwrCM1YsBKANUHdh7sP5Bx1UI6dlQS2dgRQdbz43378lM1XND3RidioAdbYe6
SyDyFnZPypHaQfZVdlepnYxActqvhKeeq0aWkgqymaeL78sqmF4AARFVSqep8MXL
boUkn3tMp1rojKH87Hk8saqRepZfX3DuwONsz++mgKEmqgnb8zKYI0Q4Gq6nYgcr
d8UxaWQz1mkiPfaqDvUOmAYWoWIiA+KsfIZIKj7+vrMEH32QzaA=
=vbcl
-----END PGP SIGNATURE-----