From: Andrey Blochintsev
Date: Tue, 12 Dec 2023 21:51:42 +0200
To: freebsd-security@freebsd.org, FreeBSD Security Advisories
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-23:18.nfsclient
Message-ID: <2f99ee85-a5ad-432f-9f48-8062a461afcb@zurbagan.org>
In-Reply-To: <20231212194629.B040A17550@freefall.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

The kernel is among the things that change.
We don't use NFS, so I'll do the fetch and install, but I won't reboot.

On 12.12.2023 21:46, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-23:18.nfsclient                                  Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          NFS client data corruption and kernel memory disclosure
>
> Category:       core
> Module:         nfsclient
> Announced:      2023-12-12
> Credits:        Hostpoint AG
> Affects:        FreeBSD 13.2 and 14.0
> Corrected:      2023-12-12 19:13:50 UTC (stable/14, 14.0-STABLE)
>                 2023-12-12 19:17:36 UTC (releng/14.0, 14.0-RELEASE-p3)
>                 2023-12-12 19:14:16 UTC (stable/13, 13.2-STABLE)
>                 2023-12-12 19:18:17 UTC (releng/13.2, 13.2-RELEASE-p8)
> CVE Name:       CVE-2023-6660
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> The Network File System (NFS) is a distributed file system that allows remote
> systems to access files and directories over a network as if they were local.
> FreeBSD includes both server and client implementations of NFS.
>
> II.  Problem Description
>
> In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the
> performance of IO_APPEND writes, that is, writes which add data to the end of
> a file and so extend its size.  This uncovered an old bug in some routines
> which copy userspace data into the kernel.  The bug also affects the NFS
> client's implementation of direct I/O; however, this implementation is
> disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only
> used to handle synchronous writes.
>
> III. Impact
>
> When a program running on an affected system appends data to a file via an
> NFS client mount, the bug can cause the NFS client to fail to copy in the
> data to be written but proceed as though the copy operation had succeeded.
> This means that the data to be written is instead replaced with whatever data
> had been in the packet buffer previously.  Thus, an unprivileged user with
> access to an affected system may abuse the bug to trigger disclosure of
> sensitive information.  In particular, the leak is limited to data previously
> stored in mbufs, which are used for network transmission and reception, and
> for certain types of inter-process communication.
>
> The bug can also be triggered unintentionally by system applications, in
> which case the data written by the application to an NFS mount may be
> corrupted.  Corrupted data is written over the network to the NFS server, and
> thus also susceptible to being snooped by other hosts on the network.
>
> Note that the bug exists only in the NFS client; the version and
> implementation of the server has no effect on whether a given system is
> affected by the problem.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date
> and reboot.
>
> Perform one of the following:
>
> 1) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
> or the i386 platform on FreeBSD 13 and earlier, can be updated via
> the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch
> # fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch.asc
> # gpg --verify nfsclient.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> and reboot the
> system.
>
> VI.  Correction details
>
> This issue is corrected as of the corresponding Git commit hash or Subversion
> revision number in the following stable and release branches:
>
> Branch/path                             Hash                     Revision
> -------------------------------------------------------------------------
> stable/14/                              8d42f85d9d7b    stable/14-n265954
> releng/14.0/                            ab60666a00c9  releng/14.0-n265397
> stable/13/                              f1d1d50e1d08    stable/13-n256860
> releng/13.2/                            3f079b3f2f33  releng/13.2-n254649
> -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
>
>
> The latest revision of this advisory is available at
>
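
Added example (not part of the original message or of the advisory): a shell check for the situation the reply describes, where the fix has been installed but the host has not been rebooted. It compares the running and installed kernel patch levels against the advisory's 13.2-RELEASE-p8 and 14.0-RELEASE-p3; the function names and verdict words are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory. Fixed patch levels are copied from
# its "Corrected" field: 13.2-RELEASE-p8 and 14.0-RELEASE-p3.

# is_fixed VERSION -> 0 fixed, 1 vulnerable, 2 not decidable from the string
# (STABLE branches need the commit check from section VI; others are not listed).
is_fixed() {
    case "$1" in
        13.2-RELEASE*) min=8 ;;
        14.0-RELEASE*) min=3 ;;
        *) return 2 ;;
    esac
    case "$1" in
        *-RELEASE-p[0-9]*) plevel=${1##*-p} ;;
        *) plevel=0 ;;
    esac
    [ "$plevel" -ge "$min" ]
}

# assess RUNNING_KERNEL INSTALLED_KERNEL NFS_MOUNT_COUNT -> prints one verdict
assess() {
    rc=0; is_fixed "$1" || rc=$?
    case "$rc" in
        0) echo patched; return ;;
        2) echo not-covered; return ;;
    esac
    if [ "$3" -gt 0 ]; then
        echo exposed            # vulnerable kernel with NFS client mounts in use
    elif is_fixed "$2"; then
        echo reboot-pending     # fix is on disk, old kernel still running
    else
        echo unpatched          # fix not installed yet
    fi
}

# Live check, only on a FreeBSD host (freebsd-version -r: running kernel,
# -k: installed kernel).
if command -v freebsd-version >/dev/null 2>&1; then
    mounts=$(( $(mount -t nfs | wc -l) ))
    assess "$(freebsd-version -r)" "$(freebsd-version -k)" "$mounts"
fi
```

A "reboot-pending" verdict means the running kernel still contains the bug, so it is worth re-running the check whenever an NFS mount is added before the next reboot.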