FreeBSD Security Advisory FreeBSD-SA-09:14.devfs
budsz
budiyt at gmail.com
Mon Oct 5 11:48:14 UTC 2009
On Sat, Oct 3, 2009 at 3:12 AM, FreeBSD Security Advisories
<security-advisories at freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:14.devfs Security Advisory
> The FreeBSD Project
>
> Topic: Devfs / VFS NULL pointer race condition
>
> Category: core
> Module: kern
> Announced: 2009-10-02
> Credits: Przemyslaw Frasunek
> Affects: FreeBSD 6.x and 7.x
> Corrected: 2009-05-18 10:41:59 UTC (RELENG_7, 7.2-STABLE)
> 2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4)
> 2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8)
> 2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
> 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
> 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> The device file system (devfs) provides access to system devices, such as
> storage devices and serial ports, via the file system namespace.
>
> VFS is the Virtual File System, which abstracts file system operations in
> the kernel from the actual underlying file system.
>
> II. Problem Description
>
> Due to the interaction between devfs and VFS, a race condition exists
> where the kernel might dereference a NULL pointer.
>
> III. Impact
>
> Successful exploitation of the race condition can lead to local kernel
> privilege escalation, kernel data corruption and/or crash.
>
> To exploit this vulnerability, an attacker must be able to run code with user
> privileges on the target system.
>
> IV. Workaround
>
> An errata note, FreeBSD-EN-09:05.null has been released simultaneously to
> this advisory, and contains a kernel patch implementing a workaround for a
> more broad class of vulnerabilities. However, prior to those changes, no
> workaround is available.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
> RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
> dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.1, and 7.2 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.x]
> # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch.asc
>
> [FreeBSD 7.x]
> # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch Revision
> Path
> - -------------------------------------------------------------------------
> RELENG_6
> src/sys/fs/devfs/devfs_vnops.c 1.114.2.17
> RELENG_6_4
> src/UPDATING 1.416.2.40.2.11
> src/sys/conf/newvers.sh 1.69.2.18.2.13
> src/sys/fs/devfs/devfs_vnops.c 1.114.2.16.2.2
> RELENG_6_3
> src/UPDATING 1.416.2.37.2.18
> src/sys/conf/newvers.sh 1.69.2.15.2.17
> src/sys/fs/devfs/devfs_vnops.c 1.114.2.15.2.1
> RELENG_7
> src/sys/fs/devfs/devfs_vnops.c 1.149.2.9
> RELENG_7_2
> src/UPDATING 1.507.2.23.2.7
> src/sys/conf/newvers.sh 1.72.2.11.2.8
> src/sys/fs/devfs/devfs_vnops.c 1.149.2.8.2.2
> RELENG_7_1
> src/UPDATING 1.507.2.13.2.11
> src/sys/conf/newvers.sh 1.72.2.9.2.12
> src/sys/fs/devfs/devfs_vnops.c 1.149.2.4.2.2
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path Revision
> - -------------------------------------------------------------------------
> stable/6/ r197715
> releng/6.4/ r197715
> releng/6.3/ r197715
> stable/7/ r192301
> releng/7.2/ r197715
> releng/7.1/ r197715
> - -------------------------------------------------------------------------
>
> VII. References
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:14.devfs.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iD8DBQFKxltlFdaIBMps37IRAp4zAJwJEwIySGqxH4EXwc0wjkDXlcTb1wCfTltO
> Syds53GSM0YbsMNUVMGsLaU=
> =exPZ
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
Hi folks,
I just got some problem when compling my kerne. Here we go:
rm -f hack.c
MAKE=make sh /usr/src/sys/conf/newvers.sh WILLSZPROXY
cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs
-Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline
-Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc
-I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL
-DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
-finline-limit=8000 --param inline-unit-growth=100 --param
large-function-growth=1000 -mno-align-long-strings
-mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2
-mno-sse3 -ffreestanding -Werror vers.c
linking kernel.debug
kern_fork.o(.text+0x1d18): In function `fork1':
/usr/src/sys/kern/kern_fork.c:737: undefined reference to `knote_fork'
*** Error code 1
Stop in /usr/obj/usr/src/sys/WILLSZPROXY.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.
My box running FreeBSD 7.2-STABLE. Thanks in advance.
--
budsz
More information about the freebsd-security
mailing list