I'm an idiot re: credits. Sorry.
Jon
On Oct 2, 2009, at 16:03, Jon Passki <jon@passki.us> wrote:
> Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high
> number such as 65536? This does not fix the vulnerability per se,
> but one would hope it stops a user mapping code to 0x0.
>
> Also, were these the issues Przemyslaw Frasunek discovered? If so, I
> did not see an attribution to him in the advisory. (I could have
> missed it.) Any reason why not?
>
> Cheers,
>
> Jon
>
> Begin forwarded message:
>
>> From: FreeBSD Security Advisories <security-advisories@freebsd.org>
>> Date: October 2, 2009 20:11:56 CDT
>> To: FreeBSD Security Advisories <security-advisories@freebsd.org>
>> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
>> Reply-To: freebsd-security@freebsd.org
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> =============================================================================
>> FreeBSD-SA-09:13.pipe                                       Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic: kqueue pipe race conditions
>> Category: core
>> Module: kern
>> Announced: 2009-10-02
>> Credits: Przemyslaw Frasunek
>> Affects: FreeBSD 6.x
>> Corrected: 2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>>            2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>>            2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>>
>> For general information regarding FreeBSD Security Advisories,
>> including descriptions of the fields above, security branches, and the
>> following sections, please visit <URL:http://security.FreeBSD.org/>.
>>
>> I. Background
>>
>> Pipes are a form of inter-process communication (IPC) provided by the
>> FreeBSD kernel. kqueue is an event management API that applications can
>> use to monitor pipes and other kernel services.
>>
>> II. Problem Description
>>
>> A race condition exists in the pipe close() code relating to kqueues,
>> causing use-after-free for kernel memory, which may lead to an
>> exploitable NULL pointer vulnerability in the kernel, kernel memory
>> corruption, and other unpredictable results.
>>
>> III. Impact
>>
>> Successful exploitation of the race condition can lead to local kernel
>> privilege escalation, kernel data corruption and/or crash.
>>
>> To exploit this vulnerability, an attacker must be able to run code on
>> the target system.
>>
>> IV. Workaround
>>
>> An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
>> this advisory, and contains a kernel patch implementing a workaround for a
>> more broad class of vulnerabilities. However, prior to those changes, no
>> workaround is available.
>>
>> V. Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
>> RELENG_6_3 security branch dated after the correction date.
>>
>> 2) To patch your present system:
>>
>> The following patches have been verified to apply to FreeBSD 6.3 and 6.4.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
>> # fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc
>>
>> b) Apply the patch.
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> c) Recompile your kernel as described in
>> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
>> system.
>>
>> VI. Correction details
>>
>> The following list contains the revision numbers of each file that was
>> corrected in FreeBSD.
>>
>> CVS:
>>
>> Branch                                                           Revision
>>   Path
>> -------------------------------------------------------------------------
>> RELENG_6
>>   src/sys/kern/kern_event.c                                        1.93.2.7
>>   src/sys/kern/kern_fork.c                                        1.252.2.8
>>   src/sys/kern/sys_pipe.c                                         1.184.2.6
>>   src/sys/sys/event.h                                              1.32.2.1
>>   src/sys/sys/pipe.h                                               1.29.2.1
>> RELENG_6_4
>>   src/UPDATING                                              1.416.2.40.2.11
>>   src/sys/conf/newvers.sh                                    1.69.2.18.2.13
>>   src/sys/kern/kern_event.c                                    1.93.2.6.6.2
>>   src/sys/kern/kern_fork.c                                    1.252.2.7.4.2
>>   src/sys/kern/sys_pipe.c                                     1.184.2.4.2.3
>>   src/sys/sys/event.h                                             1.32.12.2
>>   src/sys/sys/pipe.h                                              1.29.16.2
>> RELENG_6_3
>>   src/UPDATING                                              1.416.2.37.2.18
>>   src/sys/conf/newvers.sh                                    1.69.2.15.2.17
>>   src/sys/kern/kern_event.c                                    1.93.2.6.4.1
>>   src/sys/kern/kern_fork.c                                    1.252.2.7.2.1
>>   src/sys/kern/sys_pipe.c                                     1.184.2.2.6.3
>>   src/sys/sys/event.h                                             1.32.10.1
>>   src/sys/sys/pipe.h                                              1.29.12.1
>> -------------------------------------------------------------------------
>>
>> Subversion:
>>
>> Branch/path                                                      Revision
>> -------------------------------------------------------------------------
>> stable/6/                                                         r197715
>> releng/6.4/                                                       r197715
>> releng/6.3/                                                       r197715
>> -------------------------------------------------------------------------
>>
>> VII. References
>>
>> http://svn.freebsd.org/viewvc/base?view=revision&revision=179243
>>
>> The latest revision of this advisory is available at
>> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (FreeBSD)
>>
>> iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l
>> FKxrbF0G4v9P6SyyfAdVOFY
>> =TWhC
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
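An added check, not part of Jon's mail or of the FreeBSD advisory: a small POSIX sh script that classifies a release string of the form `uname -r` prints against the patch levels the advisory lists as corrected (6.4-RELEASE-p7 and 6.3-RELEASE-p13). The function names, return codes and the treatment of other 6.x branches are this example's own assumptions; the patch levels and the 2009-10-02 correction date come from the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a FreeBSD release string
# (as printed by `uname -r`) against the patch levels FreeBSD-SA-09:13.pipe
# lists as corrected. Function names and return codes are this example's own.
#
# Return codes of sa0913_status:
#   0  at or past the corrected patch level (6.4-RELEASE-p7 / 6.3-RELEASE-p13)
#   1  a 6.3/6.4 release below that patch level: still vulnerable
#   2  not a FreeBSD 6.x release string: the advisory does not apply
#   3  another 6.x branch (e.g. 6.4-STABLE): there is no patch level to
#      compare, so check the source checkout date against 2009-10-02 instead
sa0913_status() {
    rel="$1"
    case "$rel" in
        6.4-RELEASE*) fixed_p=7 ;;    # from the advisory's Corrected: field
        6.3-RELEASE*) fixed_p=13 ;;   # likewise
        6.*)          return 3 ;;
        *)            return 2 ;;
    esac
    # Extract N from a trailing "-pN"; a bare "6.4-RELEASE" is patch level 0.
    p="${rel##*-p}"
    [ "$p" = "$rel" ] && p=0
    case "$p" in
        ''|*[!0-9]*) return 3 ;;      # malformed suffix: refuse to guess
    esac
    [ "$p" -ge "$fixed_p" ] && return 0
    return 1
}

# Human-readable verdict; uses `uname -r` when no argument is given.
report_sa0913() {
    rel="${1:-$(uname -r)}"
    rc=0
    sa0913_status "$rel" || rc=$?
    case "$rc" in
        0) echo "$rel: at or past the corrected patch level for SA-09:13" ;;
        1) echo "$rel: VULNERABLE to SA-09:13, apply pipe.patch or upgrade" ;;
        2) echo "$rel: not a FreeBSD 6.x release, SA-09:13 does not apply" ;;
        *) echo "$rel: 6.x branch without a patch level, compare the build date to 2009-10-02" ;;
    esac
}

report_sa0913 "$@"
```

Run it with no arguments on the host being checked, or pass a release string (`sh check-sa0913.sh 6.4-RELEASE-p6`) to evaluate a remote inventory entry. The script deliberately returns 3 rather than guessing for 6.x-STABLE systems, since a stable branch carries no patch level and only the checkout date relative to the correction date says whether the fix is present.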