From owner-freebsd-security-notifications@FreeBSD.ORG Sun May 8 05:18:28 2005
Date: Sun, 8 May 2005 05:18:28 GMT
Message-Id: <200505080518.j485IS2L011494@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:06.iir [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:06.iir                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect permissions on /dev/iir

Category:       core
Module:         sys_dev
Announced:      2005-05-06
Credits:        Christian S.J. Peron
                Andre Guibert de Bruet
Affects:        All FreeBSD 4.x releases since 4.6-RELEASE
                All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected:      2005-05-06 02:33:46 UTC (RELENG_5, 5.4-STABLE)
                2005-05-06 02:34:18 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-06 02:34:01 UTC (RELENG_5_3, 5.3-RELEASE-p11)
                2005-05-06 02:32:54 UTC (RELENG_4, 4.11-STABLE)
                2005-05-06 02:33:28 UTC (RELENG_4_11, 4.11-RELEASE-p5)
                2005-05-06 02:33:12 UTC (RELENG_4_10, 4.10-RELEASE-p10)
CVE Name:       CAN-2005-1399

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2005-05-06  Initial release.
v1.1  2005-05-07  Updated credits to include Andre Guibert de Bruet, who
                  was inadvertently omitted from the original advisory.

I.   Background

The iir(4) driver provides support for the Intel Integrated RAID
controllers and ICP Vortex RAID controllers.

II.  Problem Description

The default permissions on the /dev/iir device node allow unprivileged
local users to open the device and execute ioctl calls.

III. Impact

Unprivileged local users can send commands to the hardware supported by
the iir(4) driver, allowing destruction of data and possible disclosure
of data.

IV.  Workaround

Systems without hardware supported by the iir(4) driver are not
affected by this issue.

On systems which are affected, as a workaround, the permissions on
/dev/iir can be changed manually.  As root, execute the following
command:

# chmod 0600 /dev/iir*

On 5.x, the following commands are also needed to ensure that the
correct permissions are used after rebooting.

# echo 'perm iir* 0600' >> /etc/devfs.conf
# echo 'devfs_enable="YES"' >> /etc/rc.conf

If the administrator has created additional device nodes, or mounted
additional instances of devfs(5) elsewhere in the file system name
space, attention should be paid to ensure that either the iir device
node is not visible in those name spaces, or is similarly protected.
V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/dev/iir/iir_ctrl.c                                       1.2.2.5
RELENG_4_11
  src/UPDATING                                                1.73.2.91.2.6
  src/sys/conf/newvers.sh                                     1.44.2.39.2.9
  src/sys/dev/iir/iir_ctrl.c                                  1.2.2.4.12.1
RELENG_4_10
  src/UPDATING                                               1.73.2.90.2.11
  src/sys/conf/newvers.sh                                    1.44.2.34.2.12
  src/sys/dev/iir/iir_ctrl.c                                  1.2.2.4.10.1
RELENG_5
  src/sys/dev/iir/iir_ctrl.c                                      1.15.2.2
RELENG_5_4
  src/UPDATING                                               1.342.2.24.2.5
  src/sys/dev/iir/iir_ctrl.c                                  1.15.2.1.2.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.14
  src/sys/conf/newvers.sh                                    1.62.2.15.2.16
  src/sys/dev/iir/iir_ctrl.c                                      1.15.4.1
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:06.iir.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCfEXyFdaIBMps37IRAu6WAJ9qBjsIfH7GGPRiHsvXwlkuau5kswCfXhan
YhoUBZ4gHuIXJFM1gOEAyVk=
=zRAR
-----END PGP SIGNATURE-----
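The condition SA-05:06 describes, a device node whose mode bits let unprivileged users open it, can be audited from user space before and after applying the chmod/devfs.conf workaround. The program below is an added example, not code from the advisory or from the iir(4) driver: it globs a pattern such as /dev/iir*, reports every node with any group or other permission bit set, and includes a temporary-file demo (an assumption standing in for a host without the RAID hardware) so the check can be exercised anywhere. It relies only on POSIX glob(3), lstat(2), mkstemp(3) and fchmod(2).

```c
/* Added example: audit device nodes for group/other access bits, the
 * weakness SA-05:06 describes for /dev/iir.  Not FreeBSD project code. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* True when group or other hold any read/write/execute bit, i.e. an
 * unprivileged local user could open the node and issue ioctls. */
int mode_allows_unprivileged(mode_t mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Audit a single path: 1 = too open, 0 = restricted to the owner,
 * -1 = cannot be examined (missing node, or no permission to stat it). */
int audit_path(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return mode_allows_unprivileged(st.st_mode);
}

/* Audit every path matching pattern, print the weak ones, and return how
 * many were weak.  A pattern that matches nothing returns 0, which is also
 * the "not affected" case for hosts without the hardware. */
int audit_glob(const char *pattern)
{
    glob_t g;
    size_t i;
    int weak = 0;
    if (glob(pattern, 0, NULL, &g) != 0)
        return 0;
    for (i = 0; i < g.gl_pathc; i++) {
        if (audit_path(g.gl_pathv[i]) == 1) {
            printf("WEAK: %s is accessible to unprivileged users; "
                   "chmod 0600 it and add a devfs.conf perm rule\n",
                   g.gl_pathv[i]);
            weak++;
        }
    }
    globfree(&g);
    return weak;
}

/* Demo without the hardware (assumption: /tmp is writable): create a
 * temporary file, give it mode, audit it, remove it.  Returns audit_path's
 * verdict, or -1 if the setup failed. */
int demo_with_mode(mode_t mode)
{
    char path[] = "/tmp/iir-audit-XXXXXX";
    int fd = mkstemp(path), verdict;
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    verdict = audit_path(path);
    close(fd);
    unlink(path);
    return verdict;
}

int main(int argc, char **argv)
{
    const char *pattern = argc > 1 ? argv[1] : "/dev/iir*";
    int weak = audit_glob(pattern);
    printf("%s: %d node(s) with weak permissions\n", pattern, weak);
    return weak ? 1 : 0;
}
```

Run it with no arguments to check /dev/iir*, or pass another glob to audit other nodes; a non-zero exit status means at least one node needs the workaround. Because the check is on the mode bits of the node as mounted, it also covers the advisory's caveat about additional devfs(5) instances when pointed at their mount points.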
From owner-freebsd-security-notifications@FreeBSD.ORG Sun May 8 22:28:33 2005
Date: Sun, 8 May 2005 22:28:33 GMT
Message-Id: <200505082228.j48MSXIV067433@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:08.kmem [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:08.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local kernel memory disclosure

Category:       core
Module:         sys
Announced:      2005-05-06
Credits:        Christian S.J. Peron
                Uwe Doering
Affects:        All FreeBSD releases prior to 5.4-RELEASE
Corrected:      2005-05-08 10:19:37 UTC (RELENG_5, 5.4-STABLE)
                2005-05-07 03:58:26 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-08 10:23:52 UTC (RELENG_5_3, 5.3-RELEASE-p14)
                2005-05-08 10:26:42 UTC (RELENG_4, 4.11-STABLE)
                2005-05-08 10:29:54 UTC (RELENG_4_11, 4.11-RELEASE-p8)
                2005-05-08 10:35:56 UTC (RELENG_4_10, 4.10-RELEASE-p13)
CVE Name:       CAN-2005-1406

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2005-05-06  Initial release.
v1.1  2005-05-07  Updated patch to include related issues reported by
                  Uwe Doering.

I.   Background

In many parts of the FreeBSD kernel, names (of mount points, devices,
files, etc.) are manipulated as NULL-terminated strings, but are
provided to applications within fixed-length buffers.

II.  Problem Description

In several places, variable-length strings were copied into
fixed-length buffers without zeroing the unused portion of the buffer.

III. Impact

The previous contents of part of the fixed-length buffers will be
disclosed to applications.  Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers.
This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way.  For example, a terminal buffer
might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4x.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/kern/uipc_usrreq.c                                     1.54.2.11
  src/sys/kern/vfs_subr.c                                       1.249.2.32
  src/sys/net/if_mib.c                                             1.8.2.3
  src/sys/netinet/ip_divert.c                                     1.42.2.8
  src/sys/netinet/raw_ip.c                                       1.64.2.20
  src/sys/netinet/tcp_subr.c                                     1.73.2.34
  src/sys/netinet/udp_usrreq.c                                   1.64.2.20
RELENG_4_11
  src/UPDATING                                                1.72.2.91.2.9
  src/sys/conf/newvers.sh                                    1.44.2.39.2.12
  src/sys/kern/uipc_usrreq.c                                 1.54.2.10.8.1
  src/sys/kern/vfs_subr.c                                   1.249.2.31.6.1
  src/sys/net/if_mib.c                                         1.8.2.2.2.1
  src/sys/netinet/ip_divert.c                                 1.42.2.7.2.1
  src/sys/netinet/raw_ip.c                                   1.64.2.19.2.1
  src/sys/netinet/tcp_subr.c                                 1.73.2.33.4.1
  src/sys/netinet/udp_usrreq.c                               1.64.2.19.6.1
RELENG_4_10
  src/UPDATING                                               1.73.2.90.2.14
  src/sys/conf/newvers.sh                                    1.44.2.34.2.15
  src/sys/kern/uipc_usrreq.c                                 1.54.2.10.6.1
  src/sys/kern/vfs_subr.c                                   1.249.2.31.4.1
  src/sys/net/if_mib.c                                        1.8.2.1.16.2
  src/sys/netinet/ip_divert.c                                 1.42.2.6.6.1
  src/sys/netinet/raw_ip.c                                   1.64.2.18.4.1
  src/sys/netinet/tcp_subr.c                                 1.73.2.33.2.1
  src/sys/netinet/udp_usrreq.c                               1.64.2.19.4.1
RELENG_5
  src/sys/kern/subr_bus.c                                        1.156.2.7
  src/sys/kern/uipc_usrreq.c                                    1.138.2.14
  src/sys/kern/vfs_subr.c                                        1.522.2.5
  src/sys/net/if_mib.c                                            1.13.4.2
  src/sys/netinet/ip_divert.c                                     1.98.2.3
  src/sys/netinet/raw_ip.c                                       1.142.2.5
  src/sys/netinet/tcp_subr.c                                    1.201.2.18
  src/sys/netinet/udp_usrreq.c                                   1.162.2.8
RELENG_5_4
  src/UPDATING                                               1.342.2.24.2.9
  src/sys/kern/subr_bus.c                                    1.156.2.5.2.1
  src/sys/kern/uipc_usrreq.c                                1.138.2.13.2.1
  src/sys/kern/vfs_subr.c                                    1.522.2.4.2.1
  src/sys/net/if_mib.c                                        1.13.4.1.2.1
  src/sys/netinet/ip_divert.c                                 1.98.2.2.2.1
  src/sys/netinet/raw_ip.c                                   1.142.2.4.2.1
  src/sys/netinet/tcp_subr.c                                1.201.2.15.2.1
  src/sys/netinet/udp_usrreq.c                               1.162.2.7.2.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.17
  src/sys/conf/newvers.sh                                    1.62.2.15.2.19
  src/sys/kern/subr_bus.c                                    1.156.2.2.2.1
  src/sys/kern/uipc_usrreq.c                                 1.138.2.2.2.2
  src/sys/kern/vfs_subr.c                                    1.522.2.1.2.1
  src/sys/net/if_mib.c                                            1.13.6.1
  src/sys/netinet/ip_divert.c                                     1.98.4.1
  src/sys/netinet/raw_ip.c                                   1.142.2.2.2.1
  src/sys/netinet/tcp_subr.c                                 1.201.2.1.2.2
  src/sys/netinet/udp_usrreq.c                               1.162.2.3.2.1
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:08.kmem.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCfe9TFdaIBMps37IRAoANAJ9SvXgbD8c2Pw4akOWba95PklG1NgCeOPce
Ib7DiBQuu7LR2ZG70BP+eKQ=
=8wrv
-----END PGP SIGNATURE-----
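Sections I and II of SA-05:08 describe a NUL-terminated name written into a fixed-length record that is then handed to an application, with the bytes after the terminator never cleared. The program below is an added example, not kernel code from FreeBSD or from the advisory: the record layout, the 0xAA filler standing in for stale kernel memory, and the sample name are all constructed. It shows the leaky fill beside the fixed one (clear the whole record before copying) and counts how many stale bytes each would disclose.

```c
/* Added example: copy-without-zeroing into a fixed-length buffer, leaky
 * and fixed.  Constructed record layout; not FreeBSD kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Fixed-length record copied out to an application (constructed). */
struct name_record {
    char name[NAME_LEN];
    unsigned int flags;
};

/* Stand-in for reusing kernel memory that still holds earlier data:
 * every byte starts out as 0xAA (constructed filler). */
static void fill_with_stale_data(struct name_record *r)
{
    memset(r, 0xAA, sizeof *r);
}

/* Bounded copy that writes only the string and its terminator, in the
 * style of strlcpy(3): bytes after the NUL are left untouched. */
static void copy_name(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstsize)
        len = dstsize - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Leaky: the string is copied, but the rest of the field keeps whatever
 * the record held before, and that is what the application receives. */
void fill_record_leaky(struct name_record *r, const char *name, unsigned flags)
{
    copy_name(r->name, sizeof r->name, name);
    r->flags = flags;
}

/* Fixed: clear the whole record first, so the unused tail of the name
 * field (and any padding) reaches the application as zeros. */
void fill_record_fixed(struct name_record *r, const char *name, unsigned flags)
{
    memset(r, 0, sizeof *r);
    copy_name(r->name, sizeof r->name, name);
    r->flags = flags;
}

/* Count bytes of the name field after its terminator that are non-zero;
 * these are the bytes an application would see disclosed. */
size_t stale_bytes(const struct name_record *r)
{
    size_t i = 0, count = 0;
    while (i < NAME_LEN && r->name[i] != '\0')
        i++;
    for (i = i + 1; i < NAME_LEN; i++)
        if (r->name[i] != '\0')
            count++;
    return count;
}

/* Fill a record that already holds stale data with name, using the fixed
 * or the leaky routine, and report how many stale bytes survive. */
size_t leak_demo(int use_fixed, const char *name)
{
    struct name_record r;
    fill_with_stale_data(&r);
    if (use_fixed)
        fill_record_fixed(&r, name, 1);
    else
        fill_record_leaky(&r, name, 1);
    return stale_bytes(&r);
}

int main(void)
{
    printf("leaky fill of \"ad0\": %zu stale bytes\n", leak_demo(0, "ad0"));
    printf("fixed fill of \"ad0\": %zu stale bytes\n", leak_demo(1, "ad0"));
    return 0;
}
```

With the three-character name "ad0" the leaky fill leaves 12 of the 16 name bytes holding old data; the fixed fill leaves none. A name long enough to fill the field hides the bug in both variants, which is why this class of leak is easy to miss in testing: only short names expose the tail.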
From owner-freebsd-security-notifications@FreeBSD.ORG Fri May 13 00:38:35 2005
Date: Fri, 13 May 2005 00:38:35 GMT
Message-Id: <200505130038.j4D0cZCU085989@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:09.htt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:09.htt                                        Security Advisory
                                                          The FreeBSD Project

Topic:          information disclosure when using HTT

Category:       core
Module:         sys
Announced:      2005-05-13
Revised:        2005-05-13
Credits:        Colin Percival
Affects:        All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:      2005-05-13 00:13:00 UTC (RELENG_5, 5.4-STABLE)
                2005-05-13 00:13:00 UTC (RELENG_5_4, 5.4-RELEASE-p1)
                2005-05-13 00:13:00 UTC (RELENG_5_3, 5.3-RELEASE-p15)
                2005-05-13 00:13:00 UTC (RELENG_4, 4.11-STABLE)
                2005-05-13 00:13:00 UTC (RELENG_4_11, 4.11-RELEASE-p9)
                2005-05-13 00:13:00 UTC (RELENG_4_10, 4.10-RELEASE-p14)
CVE Name:       CAN-2005-0109

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

"Hyper-Threading Technology" is the name used for the implementation of
simultaneous multithreading on Intel Pentium 4, Mobile Pentium 4, and
Xeon processors.

II.  Problem Description

A security flaw involving operating systems running on Hyper-Threading
Technology processors has been reported.  Complete details are not
available at the time of this writing.
However, a workaround has been issued.  It is expected that more details
will be available tomorrow, at which time a revised version of this
advisory will be published.

III. Impact

Information may be disclosed to local users, allowing in many cases for
privilege escalation.

IV.  Workaround

Systems not using processors with Hyper-Threading support are not
affected by this issue.

On systems which are affected, the security flaw can be eliminated by
setting the "machdep.hlt_logical_cpus" tunable:

# echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf

The system must be rebooted in order for tunables to take effect.

Use of this workaround is not recommended on "dual-core" systems, as
this workaround will also disable one of the processor cores.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch.asc

[FreeBSD 4.11]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.
NOTE: For users that are certain that their environment is not affected
by this vulnerability, such as single-user systems, Hyper-Threading
Technology may be re-enabled by setting the tunable
"machdep.hyperthreading_allowed".

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/i386/i386/mp_machdep.c                                1.115.2.23
  src/sys/i386/include/cpufunc.h                                  1.96.2.4
RELENG_4_11
  src/UPDATING                                               1.73.2.91.2.10
  src/sys/conf/newvers.sh                                    1.44.2.39.2.13
  src/sys/i386/i386/mp_machdep.c                            1.115.2.22.2.1
  src/sys/i386/include/cpufunc.h                             1.96.2.3.12.1
RELENG_4_10
  src/UPDATING                                               1.73.2.90.2.15
  src/sys/conf/newvers.sh                                    1.44.2.34.2.16
  src/sys/i386/i386/mp_machdep.c                            1.115.2.20.2.1
  src/sys/i386/include/cpufunc.h                             1.96.2.3.10.1
RELENG_5
  src/sys/amd64/amd64/mp_machdep.c                              1.242.2.11
  src/sys/amd64/include/cpufunc.h                                1.145.2.1
  src/sys/i386/i386/mp_machdep.c                                1.235.2.10
  src/sys/i386/include/cpufunc.h                                 1.142.2.1
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.10
  src/sys/amd64/amd64/mp_machdep.c                           1.242.2.7.2.4
  src/sys/amd64/include/cpufunc.h                                1.145.6.1
  src/sys/conf/newvers.sh                                     1.62.2.18.2.6
  src/sys/i386/i386/mp_machdep.c                             1.235.2.6.2.3
  src/sys/i386/include/cpufunc.h                                 1.142.6.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.18
  src/sys/amd64/amd64/mp_machdep.c                           1.242.2.2.2.2
  src/sys/amd64/include/cpufunc.h                                1.145.4.1
  src/sys/conf/newvers.sh                                    1.62.2.15.2.20
  src/sys/i386/i386/mp_machdep.c                             1.235.2.3.2.2
  src/sys/i386/include/cpufunc.h                                 1.142.4.1
- -------------------------------------------------------------------------

VII. References

http://www.daemonology.net/hyperthreading-considered-harmful/

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09.htt.asc
-----BEGIN PGP SIGNATURE-----

iD8DBQFCg/RTFdaIBMps37IRAsPSAJ4tjVMklYy1N4QOWlDyVEAORkz+hACgmwMB
vDnIfC+nobvQbb6onu7XkBc=
=Yawq
-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications@FreeBSD.ORG Fri May 13 15:25:01 2005
Date: Fri, 13 May 2005 15:25:01 GMT
Message-Id: <200505131525.j4DFP1mU029329@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:09.htt [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-05:09.htt                                        Security Advisory
                                                          The FreeBSD Project

Topic:          information disclosure when using HTT

Category:       core
Module:         sys
Announced:      2005-05-13
Revised:        2005-05-13
Credits:        Colin Percival
Affects:        All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:      2005-05-13 00:13:00 UTC (RELENG_5, 5.4-STABLE)
                2005-05-13 00:13:00 UTC (RELENG_5_4, 5.4-RELEASE-p1)
                2005-05-13 00:13:00 UTC (RELENG_5_3, 5.3-RELEASE-p15)
                2005-05-13 00:13:00 UTC (RELENG_4, 4.11-STABLE)
                2005-05-13 00:13:00 UTC (RELENG_4_11, 4.11-RELEASE-p9)
                2005-05-13 00:13:00 UTC (RELENG_4_10, 4.10-RELEASE-p14)
CVE Name:       CAN-2005-0109

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2005-05-13  Initial release.
v1.1  2005-05-13  Additional details.

I.   Background

Sharing the execution resources of a superscalar processor between
multiple execution threads is referred to as "simultaneous
multithreading".  "Hyper-Threading Technology" or HTT is the name used
for the implementation of simultaneous multithreading on Intel Pentium
4, Mobile Pentium 4, and Xeon processors.  HTT involves sharing certain
CPU resources between multiple threads, including memory caches.

FreeBSD supports HTT when using a kernel compiled with the SMP option.

II.  Problem Description

When running on processors supporting Hyper-Threading Technology, it is
possible for a malicious thread to monitor the execution of another
thread.

NOTE: Similar problems may exist in other simultaneous multithreading
implementations, or even some systems in the absence of simultaneous
multithreading.  However, current research has only demonstrated this
flaw in Hyper-Threading Technology, where shared memory caches are used.

III. Impact

Information may be disclosed to local users, allowing in many cases for
privilege escalation.
For example, on a multi-user system, it may be possible to steal
cryptographic keys used in applications such as OpenSSH or SSL-enabled
web servers.

IV.  Workaround

Systems not using processors with Hyper-Threading Technology support
are not affected by this issue.

On systems which are affected, the security flaw can be eliminated by
setting the "machdep.hlt_logical_cpus" tunable:

# echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf

The system must be rebooted in order for tunables to take effect.

Use of this workaround is not recommended on "dual-core" systems, as
this workaround will also disable one of the processor cores.

V.   Solution

Disable Hyper-Threading Technology on processors that support it.

NOTE: It is expected that future work in cryptographic libraries and
operating system schedulers may remedy this problem for many or most
users, without necessitating the disabling of Hyper-Threading
Technology.  Future advisories will address individual cases.

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch.asc

[FreeBSD 4.11]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch.asc

b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

NOTE: For users that are certain that their environment is not affected
by this vulnerability, such as single-user systems, Hyper-Threading
Technology may be re-enabled by setting the tunable
"machdep.hyperthreading_allowed".

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/i386/i386/mp_machdep.c                                1.115.2.23
  src/sys/i386/include/cpufunc.h                                  1.96.2.4
RELENG_4_11
  src/UPDATING                                               1.73.2.91.2.10
  src/sys/conf/newvers.sh                                    1.44.2.39.2.13
  src/sys/i386/i386/mp_machdep.c                            1.115.2.22.2.1
  src/sys/i386/include/cpufunc.h                             1.96.2.3.12.1
RELENG_4_10
  src/UPDATING                                               1.73.2.90.2.15
  src/sys/conf/newvers.sh                                    1.44.2.34.2.16
  src/sys/i386/i386/mp_machdep.c                            1.115.2.20.2.1
  src/sys/i386/include/cpufunc.h                             1.96.2.3.10.1
RELENG_5
  src/sys/amd64/amd64/mp_machdep.c                              1.242.2.11
  src/sys/amd64/include/cpufunc.h                                1.145.2.1
  src/sys/i386/i386/mp_machdep.c                                1.235.2.10
  src/sys/i386/include/cpufunc.h                                 1.142.2.1
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.10
  src/sys/amd64/amd64/mp_machdep.c                           1.242.2.7.2.4
  src/sys/amd64/include/cpufunc.h                                1.145.6.1
  src/sys/conf/newvers.sh                                     1.62.2.18.2.6
  src/sys/i386/i386/mp_machdep.c                             1.235.2.6.2.3
  src/sys/i386/include/cpufunc.h                                 1.142.6.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.18
  src/sys/amd64/amd64/mp_machdep.c                           1.242.2.2.2.2
  src/sys/amd64/include/cpufunc.h                                1.145.4.1
  src/sys/conf/newvers.sh                                    1.62.2.15.2.20
  src/sys/i386/i386/mp_machdep.c                             1.235.2.3.2.2
  src/sys/i386/include/cpufunc.h                                 1.142.4.1
- -------------------------------------------------------------------------

VII. References

http://www.daemonology.net/hyperthreading-considered-harmful/

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09.htt.asc
-----BEGIN PGP SIGNATURE-----

iD8DBQFChJA4FdaIBMps37IRAo8nAJ9w7xtIF0atnxiKDhFOpBXEZQDtZQCghWdM
qc5lGST7l+iJEYN/7zTNUPY=
=WqEa
-----END PGP SIGNATURE-----
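Both the original and the revised SA-05:09 give the same workaround: append machdep.hlt_logical_cpus=1 to /boot/loader.conf, with machdep.hyperthreading_allowed as the documented way to undo it. An administrator wants to confirm the setting will actually take effect at the next boot, which means checking that the last assignment wins and that the re-enable knob is not also set. The checker below is an added example, not FreeBSD code: the sample loader.conf text is constructed, and its parsing rules (a '#' starts a comment, values may be double-quoted, the last assignment of a key is the effective one) are this example's simplification of loader.conf(5) syntax, not a full parser for it.

```c
/* Added example: verify the SA-05:09 workaround in a loader.conf body.
 * Simplified loader.conf parsing; constructed sample; not FreeBSD code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HLT_KEY   "machdep.hlt_logical_cpus"
#define ALLOW_KEY "machdep.hyperthreading_allowed"

/* Constructed loader.conf: the workaround is appended last, as the
 * advisory's echo command does, after an older conflicting line. */
static const char SAMPLE_LOADER_CONF[] =
    "# /boot/loader.conf\n"
    "kern.maxfiles=\"65536\"\n"
    "# machdep.hlt_logical_cpus=0\n"
    "machdep.hlt_logical_cpus=\"0\"\n"
    "machdep.hlt_logical_cpus=1\n";

/* If line (len bytes, no newline) assigns key, copy the value into out
 * with quotes, whitespace and trailing comment stripped and return 1. */
static int parse_assignment(const char *line, size_t len, const char *key,
                            char *out, size_t outsz)
{
    size_t klen = strlen(key), i = 0, j = 0;
    while (i < len && isspace((unsigned char)line[i])) i++;
    if (i >= len || line[i] == '#') return 0;            /* blank or comment */
    if (len - i < klen || strncmp(line + i, key, klen) != 0) return 0;
    i += klen;
    while (i < len && isspace((unsigned char)line[i])) i++;
    if (i >= len || line[i] != '=') return 0;            /* longer key, same prefix */
    i++;
    while (i < len && isspace((unsigned char)line[i])) i++;
    if (i < len && line[i] == '"') i++;
    while (i < len && line[i] != '"' && line[i] != '#' &&
           !isspace((unsigned char)line[i]) && j + 1 < outsz)
        out[j++] = line[i++];
    out[j] = '\0';
    return 1;
}

/* Effective value of key in conf: the last assignment wins.  Returns 1
 * and fills out when the key is set anywhere, 0 when it never is. */
int effective_value(const char *conf, const char *key, char *out, size_t outsz)
{
    char tmp[64];
    int found = 0;
    const char *p = conf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (parse_assignment(p, len, key, tmp, sizeof tmp)) {
            snprintf(out, outsz, "%s", tmp);
            found = 1;
        }
        p = nl ? nl + 1 : p + len;
    }
    return found;
}

/* 1 when the workaround will be in effect after the next boot: the halt
 * tunable is 1 and the advisory's re-enable tunable is not also 1. */
int workaround_present(const char *conf)
{
    char v[64];
    if (!effective_value(conf, HLT_KEY, v, sizeof v) || strcmp(v, "1") != 0)
        return 0;
    if (effective_value(conf, ALLOW_KEY, v, sizeof v) && strcmp(v, "1") == 0)
        return 0;
    return 1;
}

int main(int argc, char **argv)
{
    static char buf[65536];
    const char *conf = SAMPLE_LOADER_CONF;
    if (argc > 1) {                      /* e.g. ./htt_check /boot/loader.conf */
        FILE *f = fopen(argv[1], "r");
        if (!f) { perror(argv[1]); return 2; }
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        conf = buf;
    }
    int ok = workaround_present(conf);
    printf("%s workaround: %s\n", HLT_KEY, ok ? "present" : "NOT present");
    return ok ? 0 : 1;
}
```

Without an argument the program evaluates the constructed sample; pointing it at a real /boot/loader.conf reports whether the halt tunable is the effective setting. Note that this checks the configuration file only: the advisory's reboot requirement still applies, and a live system is confirmed through sysctl, not through the file.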