From owner-freebsd-security@freebsd.org Wed Oct 26 05:47:46 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 98B6BC22C5A for ; Wed, 26 Oct 2016 05:47:46 +0000 (UTC) (envelope-from delphij@gmail.com) Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5D420A50; Wed, 26 Oct 2016 05:47:46 +0000 (UTC) (envelope-from delphij@gmail.com) Received: by mail-it0-x22f.google.com with SMTP id m138so9493516itm.1; Tue, 25 Oct 2016 22:47:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xVudQyaduMpSACE3l0T159Ek3E1UzsgNzsTLnLAwbQg=; b=gSyuF6bk6O1wynTpPEK6+mQ5m0cSbmP/7O2HxcAVL98I9MfmFYGTVWkxMqKv7Pjx6T xPnRXgq51e4/i2F/9obcXShSqFXcfh62LFIDzOvCWPllqWc/Xh+2n4jbAxuk1PymFzUB LmIGzgzZlMftjbaK7WWPcpVLm17aRMCRAe+r01yPwSfB+n5yH+yfOvrdgs//RMVRKQ71 xCuGu2MSTgjicnLwYJptdJNcWTXKOV2/6IG/FUmPKEBLAIqFZDxK5Zxi059ipYaj626T 2Q4CZ0vuD8CCLkOGnp4E6ZAFqGhJCIwZ+ZN0cAyVY62WJhfb/cJ9K1S0H1iV/4YISvn/ TC4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xVudQyaduMpSACE3l0T159Ek3E1UzsgNzsTLnLAwbQg=; b=NS7kTsMhdj2A+L7rQg0ySwIq6CxU3ljlEg3X/sgjfwue7bDJnO6I3Gacfxt3fxZNBt T4ZN5CMGF1DsC5L6rlaujdxkAQfMF/HujitHGAxYDOWrTW7F05IFDMVptPMRFXVf9zOK pt/32mPxUp6S8Ed9CxEVMyAkGhbUFhYBDC8iJTln9QLX6sX8lWeIrJU4bYCgkO1IQVmO w0frn1qP0Ss3CoV29qiGnVDHmEY9Bl5P3XYUJbxS3mHqbUNaao67MJlBQu9QRVp3iCBB D3nrT9b+xTAdLaiP+B2F3C8QU2UmHztZ68b2aOCFuC3ny3vEPWfb1FN+7JZ9U/OQBLVj Lpuw== X-Gm-Message-State: ABUngveO42wwkaukVqJRU617/Zz/lY+M8Q9e30ZuFosQIP6qPB/9NINA59mUtEB/5GswVYncf/AO+Xz/bVhIaQ== X-Received: by 10.107.135.36 with SMTP id j36mr775364iod.143.1477460865137; Tue, 25 Oct 2016 22:47:45 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.41.4 with HTTP; Tue, 25 Oct 2016 22:47:44 -0700 (PDT) In-Reply-To: <20161026042748.GG60006@garage.freebsd.pl> References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> From: Xin LI Date: Tue, 25 Oct 2016 22:47:44 -0700 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] To: Pawel Jakub Dawidek Cc: "freebsd-security@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2016 05:47:46 -0000 It's unprivileged local DoS (if it's root DoS then we normally don't). On Tue, Oct 25, 2016 at 9:27 PM, Pawel Jakub Dawidek wrote: > Hi guys, > > since when do we publish security advisories for local DoSes? > > On Tue, Oct 25, 2016 at 05:36:41PM +0000, FreeBSD Security Advisories wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> ============================================================================= >> FreeBSD-SA-16:15.sysarch [REVISED] Security Advisory >> The FreeBSD Project >> >> Topic: Incorrect argument validation in sysarch(2) >> >> Category: core >> Module: kernel >> Announced: 2016-10-25 >> Credits: Core Security, ahaha from Chaitin Tech >> Affects: All supported versions of FreeBSD. >> Corrected: 2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE) >> 2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2) >> 2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE) >> 2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11) >> 2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24) >> 2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41) >> 2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE) >> 2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49) >> CVE Name: CVE-2016-1885 >> >> For general information regarding FreeBSD Security Advisories, >> including descriptions of the fields above, security branches, and the >> following sections, please visit . >> >> 0. Revision history >> >> v1.0 2016-03-16 Initial release. >> v1.1 2016-10-25 Revised patch to address a problem pointed out by >> ahaha from Chaitin Tech. >> >> I. Background >> >> The IA-32 architecture allows programs to define segments, which provides >> based and size-limited view into the program address space. The >> memory-resident processor structure, called Local Descriptor Table, >> usually abbreviated LDT, contains definitions of the segments. Since >> incorrect or malicious segments would breach system integrity, operating >> systems do not provide processes direct access to the LDT, instead >> they provide system calls which allow controlled installation and removal >> of segments. >> >> II. Problem Description >> >> A special combination of sysarch(2) arguments, specify a request to >> uninstall a set of descriptors from the LDT. The start descriptor >> is cleared and the number of descriptors are provided. Due to lack >> of sufficient bounds checking during argument validity verification, >> unbound zero'ing of the process LDT and adjacent memory can be initiated >> from usermode. >> >> III. Impact >> >> This vulnerability could cause the kernel to panic. In addition it is >> possible to perform a local Denial of Service against the system by >> unprivileged processes. >> >> IV. Workaround >> >> No workaround is available, but only the amd64 architecture is affected. >> >> V. Solution >> >> Perform one of the following: >> >> 1) Upgrade your vulnerable system to a supported FreeBSD stable or >> release / security branch (releng) dated after the correction date. >> >> Reboot is required. >> >> 2) To update your vulnerable system via a binary patch: >> >> Systems running a RELEASE version of FreeBSD platforms can be updated >> via the freebsd-update(8) utility: >> >> # freebsd-update fetch >> # freebsd-update install >> >> Reboot is required. >> >> 3) To update your vulnerable system via a source code patch: >> >> The following patches have been verified to apply to the applicable >> FreeBSD release branches. >> >> [*** v1.1 NOTE ***] If your sources are not yet patched using the initially >> published advisory patches, then you need to apply both sysarch.patch and >> sysarch-01.patch. If your sources are already updated, or patched with >> patches from the initial advisory, then you need to apply sysarch-01.patch >> only. >> >> a) Download the relevant patch from the location below, and verify the >> detached PGP signature using your PGP utility. >> >> [ FreeBSD system not patched with original SA-16:15 patch] >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc >> # gpg --verify sysarch.patch.asc >> >> [ FreeBSD system that has been patched with original SA-16:15 patch] >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch >> # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch.asc >> # gpg --verify sysarch-01.patch.asc >> >> b) Apply the patch(es). Execute the following commands as root for >> every patch file downloaded: >> >> # cd /usr/src >> # patch < /path/to/patch >> >> c) Recompile your kernel as described in >> and reboot the >> system. >> >> VI. Correction details >> >> The following list contains the correction revision numbers for each >> affected branch. >> >> Branch/path Revision >> - ------------------------------------------------------------------------- >> stable/9/ r307941 >> releng/9.3/ r307931 >> stable/10/ r307940 >> releng/10.1/ r307932 >> releng/10.2/ r307933 >> releng/10.3/ r307934 >> stable/11/ r307938 >> releng/11.0/ r307935 >> - ------------------------------------------------------------------------- >> >> To see which files were modified by a particular revision, run the >> following command, replacing NNNNNN with the revision number, on a >> machine with Subversion installed: >> >> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >> >> Or visit the following URL, replacing NNNNNN with the revision number: >> >> >> >> VII. References >> >> >> >> The latest revision of this advisory is available at >> >> -----BEGIN PGP SIGNATURE----- >> >> iQIcBAEBCgAGBQJYD5VZAAoJEO1n7NZdz2rnYT4QAMmnfUBnxiNHfzaEDMe2oU+H >> WIVFzFtU5FTAm3wJ3JORU1euqhusDoB7D8nova30alM2bHHd86epBGgym1Q+hxR2 >> qTI+d8QimvQUWelz7DWPh0h3ZNlVfDxY8vKlr5SS0W/HOMjbG/O6U1AIw5p7cPaa >> LkDpqo2IN8xBL6tJFUKNEQS/GzuU2HtfKhQK0/ojT4DW61AkOZn4SZzzYBz3iO4p >> a8Otv4+aHzyNjTZRm/33SrFzdG0RZWyT/WXsEHlv5NiXVMPML+oY918jppqClkoO >> pwjcneWTqgYrE4vvVOADKOlWyNa4jFmPQSW7MmNEaF4RMd8TMcE/cBTKOi41YuOp >> la1JzvtWUnou7oQqy/xKr0S/Wa2x6ZhR4vBg28fkfrQhn55N+qqDicQ3F907dOm5 >> A0ERHKgImlWSGM+Sf2CJyrUJUNUye0bVQMhrM4e3psZ7Jr20IXjnhppr1mufCjTH >> H+aEHv43o/1HuoltnjstiBZ/CZpFdIXkBpsHtzteZR2y+pmZFA9bB4uZeeML0mj3 >> /cxj8rgPRmcjk6nSsnLWhq2YEFAZBC/lv43wqSrXE9+BBpSh6zM5NCTPb50/dBqf >> V553uuGEvJlHmOAoveXxYyxKcGpgZAcgJjWpAkCpoVxgdrbtLcPY5Z+8cy8fMO3G >> YHOkZydbLPaXOXimZfut >> =NWuL >> -----END PGP SIGNATURE----- >> _______________________________________________ >> freebsd-security-notifications@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications >> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org" > > -- > Pawel Jakub Dawidek http://www.wheelsystems.com > FreeBSD committer http://www.FreeBSD.org > Am I Evil? Yes, I Am! http://mobter.com