Fwd: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
Jon Passki
jon at passki.us
Fri Oct 2 21:04:12 UTC 2009
Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high
number such as 65536? This does not fix the vulnerability per se, but
one would hope it stops a user mapping code to 0x0.
Also, were these the issues Przemyslaw Frasunek discovered? If so, I
did not see an attribution to him in the advisory. (I could have
missed it.) Any reason why not?
Cheers,
Jon
Begin forwarded message:
> From: FreeBSD Security Advisories <security-advisories at freebsd.org>
> Date: October 2, 2009 20:11:56 CDT
> To: FreeBSD Security Advisories <security-advisories at freebsd.org>
> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
> Reply-To: freebsd-security at freebsd.org
>
> =============================================================================
> FreeBSD-SA-09:13.pipe                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic: kqueue pipe race conditions
> Category: core
> Module: kern
> Announced: 2009-10-02
> Credits: Przemyslaw Frasunek
> Affects: FreeBSD 6.x
> Corrected: 2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
> 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
> 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> Pipes are a form of inter-process communication (IPC) provided by the
> FreeBSD kernel. kqueue is an event management API that applications can
> use to monitor pipes and other kernel services.
>
> II. Problem Description
>
> A race condition exists in the pipe close() code relating to kqueues,
> causing use-after-free for kernel memory, which may lead to an
> exploitable NULL pointer vulnerability in the kernel, kernel memory
> corruption, and other unpredictable results.
>
> III. Impact
>
> Successful exploitation of the race condition can lead to local kernel
> privilege escalation, kernel data corruption and/or crash.
>
> To exploit this vulnerability, an attacker must be able to run code on
> the target system.
>
> IV. Workaround
>
> An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
> this advisory, and contains a kernel patch implementing a workaround for a
> more broad class of vulnerabilities. However, prior to those changes, no
> workaround is available.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3 and 6.4.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> -------------------------------------------------------------------------
> RELENG_6
>   src/sys/kern/kern_event.c                                      1.93.2.7
>   src/sys/kern/kern_fork.c                                      1.252.2.8
>   src/sys/kern/sys_pipe.c                                       1.184.2.6
>   src/sys/sys/event.h                                            1.32.2.1
>   src/sys/sys/pipe.h                                             1.29.2.1
> RELENG_6_4
>   src/UPDATING                                             1.416.2.40.2.11
>   src/sys/conf/newvers.sh                                   1.69.2.18.2.13
>   src/sys/kern/kern_event.c                                  1.93.2.6.6.2
>   src/sys/kern/kern_fork.c                                  1.252.2.7.4.2
>   src/sys/kern/sys_pipe.c                                   1.184.2.4.2.3
>   src/sys/sys/event.h                                           1.32.12.2
>   src/sys/sys/pipe.h                                            1.29.16.2
> RELENG_6_3
>   src/UPDATING                                             1.416.2.37.2.18
>   src/sys/conf/newvers.sh                                   1.69.2.15.2.17
>   src/sys/kern/kern_event.c                                  1.93.2.6.4.1
>   src/sys/kern/kern_fork.c                                  1.252.2.7.2.1
>   src/sys/kern/sys_pipe.c                                   1.184.2.2.6.3
>   src/sys/sys/event.h                                           1.32.10.1
>   src/sys/sys/pipe.h                                            1.29.12.1
> -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> stable/6/                                                         r197715
> releng/6.4/                                                       r197715
> releng/6.3/                                                       r197715
> -------------------------------------------------------------------------
>
> VII. References
>
> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc