Simon L. B. Nielsen
2012-Jun-18 21:52 UTC
Update for FreeBSD Security Advisory FreeBSD-SA-12:04.sysret for 8.1
Hello,

Just a quick heads up that it turned out that the patch for Update for FreeBSD-SA-12:04.sysret applied incorrectly to FreeBSD 8.1 (releng/8.1). The patch applied, but in the wrong location.

Note that this is ONLY for FreeBSD 8.1. Other branches are OK.

As this is public, and rather obvious if you really look at the code in 8.1, I decided to commit the fix as soon as possible, so it is in releng/8.1 now as r237241 + r237242.

freebsd-update does not yet have the update, but builds are running. An advisory update will be sent out once freebsd-update will have the patch too.

If you want to hand apply the patch you can get it from
http://svnweb.freebsd.org/base/releng/8.1/sys/amd64/amd64/trap.c?view=patch&r1=237241&r2=237240&pathrev=237241
assuming you already have the original patch applied.

PS. Sorry for the lack of PGP signature, but my mail program is not cooperating and I would rather fix the issue than battle with a mail program.

--
Simon L. B. Nielsen
FreeBSD Security Officer

Steven Chamberlain
2012-Jun-19 18:16 UTC
Update for FreeBSD Security Advisory FreeBSD-SA-12:04.sysret for 8.1
Hi,

Thanks a lot for looking into this!

On 18/06/12 22:37, Simon L. B. Nielsen wrote:
> Note that this is ONLY for FreeBSD 8.1. Other branches are OK.

Having seen the correct fix now, I'm starting to wonder if the commit to RELENG_7_4 was really okay too?

http://svnweb.freebsd.org/base/releng/7.4/sys/amd64/amd64/trap.c?annotate=236953#l975

The inserted code does not appear at the end of the function, like it does now in all other versions including 8.1 which is the most similar.

I expect this would at least trap if the exploit was attempted, but then it would omit the rest of the function, including userret(); would that have consequences?

Thanks,
Regards,

--
Steven Chamberlain
steven@pyro.eu.org