Fwd: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe

Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high number such as 65536? This does not fix the vulnerability per se, but one would hope it stops a user mapping code to 0x0.

Also, were these the issues Przemyslaw Frasunek discovered? If so, I did not see an attribution to him in the advisory. (I could have missed it.) Any reason why not?

Cheers,

Jon

Begin forwarded message:

> From: FreeBSD Security Advisories <security-advisories@...>
> Date: October 2, 2009 20:11:56 CDT
> To: FreeBSD Security Advisories <security-advisories@...>
> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
> Reply-To: freebsd-security@...
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:13.pipe                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          kqueue pipe race conditions
>
> Category:       core
> Module:         kern
> Announced:      2009-10-02
> Credits:        Przemyslaw Frasunek
> Affects:        FreeBSD 6.x
> Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>                 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>                 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> Pipes are a form of inter-process communication (IPC) provided by the
> FreeBSD kernel.  kqueue is an event management API that applications can
> use to monitor pipes and other kernel services.
>
> II.  Problem Description
>
> A race condition exists in the pipe close() code relating to kqueues,
> causing use-after-free for kernel memory, which may lead to an
> exploitable NULL pointer vulnerability in the kernel, kernel memory
> corruption, and other unpredictable results.
>
> III. Impact
>
> Successful exploitation of the race condition can lead to local kernel
> privilege escalation, kernel data corruption and/or crash.
>
> To exploit this vulnerability, an attacker must be able to run code on
> the target system.
>
> IV.  Workaround
>
> An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
> this advisory, and contains a kernel patch implementing a workaround for a
> more broad class of vulnerabilities.  However, prior to those changes, no
> workaround is available.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3 and 6.4.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/sys/kern/kern_event.c                                      1.93.2.7
>   src/sys/kern/kern_fork.c                                      1.252.2.8
>   src/sys/kern/sys_pipe.c                                       1.184.2.6
>   src/sys/sys/event.h                                            1.32.2.1
>   src/sys/sys/pipe.h                                             1.29.2.1
> RELENG_6_4
>   src/UPDATING                                            1.416.2.40.2.11
>   src/sys/conf/newvers.sh                                  1.69.2.18.2.13
>   src/sys/kern/kern_event.c                                  1.93.2.6.6.2
>   src/sys/kern/kern_fork.c                                  1.252.2.7.4.2
>   src/sys/kern/sys_pipe.c                                   1.184.2.4.2.3
>   src/sys/sys/event.h                                           1.32.12.2
>   src/sys/sys/pipe.h                                            1.29.16.2
> RELENG_6_3
>   src/UPDATING                                            1.416.2.37.2.18
>   src/sys/conf/newvers.sh                                  1.69.2.15.2.17
>   src/sys/kern/kern_event.c                                  1.93.2.6.4.1
>   src/sys/kern/kern_fork.c                                  1.252.2.7.2.1
>   src/sys/kern/sys_pipe.c                                   1.184.2.2.6.3
>   src/sys/sys/event.h                                           1.32.10.1
>   src/sys/sys/pipe.h                                            1.29.12.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/6/                                                         r197715
> releng/6.4/                                                       r197715
> releng/6.3/                                                       r197715
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l
> FKxrbF0G4v9P6SyyfAdVOFY=
> =TWhC
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security@... mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@..."

Re: Fwd: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe

Jon Passki wrote:
> Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high
> number such as 65536? This does not fix the vulnerability per se, but
> one would hope it stops a user mapping code to 0x0.
>

See the FreeBSD-EN-09:05.null erratum that contains a patch that allows you to do this with a sysctl :)

--
Pieter

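An added example, not part of the thread or of the FreeBSD advisory or erratum: a small C probe that asks the kernel for fixed mappings in the low address range and reports the lowest page it grants, which shows whether a restriction of the kind discussed above (no user mapping at 0x0, or a floor such as 65536) is actually in effect for an unprivileged process. The names `probe_fixed_mapping` and `lowest_mappable` are illustrative, and the 65536 limit is taken from the question in the thread.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of asking the kernel for a fixed mapping at one address. */
struct map_probe {
    int allowed; /* 1 = mapping was created at addr, 0 = kernel refused */
    int err;     /* errno from mmap() on refusal, otherwise 0 */
};

/* Request an anonymous MAP_FIXED page at addr and release it at once; the
 * page is never touched. MAP_FIXED replaces existing mappings, so probe
 * only from a throwaway process such as this one. */
static struct map_probe probe_fixed_mapping(uintptr_t addr, size_t len)
{
    struct map_probe r = {0, 0};
    void *p = mmap((void *)addr, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        r.err = errno;
        return r;
    }
    munmap(p, len);
    r.allowed = 1;
    return r;
}

/* Lowest page-aligned address in [0, limit) this process may map, or
 * limit itself when the kernel refuses every page in that range. */
static uintptr_t lowest_mappable(uintptr_t limit)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    for (uintptr_t a = 0; a < limit; a += pg)
        if (probe_fixed_mapping(a, pg).allowed)
            return a;
    return limit;
}

int main(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    struct map_probe zero = probe_fixed_mapping(0, pg);
    printf("map at 0x0: %s (errno %d)\n",
           zero.allowed ? "ALLOWED" : "refused", zero.err);
    printf("lowest mappable address below 65536: %#lx\n",
           (unsigned long)lowest_mappable(65536));
    return 0;
}
```

Run it as an ordinary user before and after changing the setting; a result of 65536 from `lowest_mappable(65536)` means no page in that range could be mapped.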

Re: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe

I'm an idiot re: credits. Sorry.

Jon

On Oct 2, 2009, at 16:03, Jon Passki <jon@...> wrote:

> Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high
> number such as 65536? This does not fix the vulnerability per se,
> but one would hope it stops a user mapping code to 0x0.
>
> Also, were these the issues Przemyslaw Frasunek discovered? If so, I
> did not see an attribution to him in the advisory. (I could have
> missed it.) Any reason why not?
>
> Cheers,
>
> Jon