FreeBSD Security Advisory FreeBSD-SA-03:10.ibcs2

From: FreeBSD Security Advisories (security-advisories_at_freebsd.org)
Date: 08/11/03

  • Next message: Jason Dambrosio: "Re: FreeBSD Security Advisory FreeBSD-SA-03:09.signal" 
    Date: Sun, 10 Aug 2003 19:57:13 -0700 (PDT)
To: FreeBSD Security Advisories <security-advisories@freebsd.org>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    =============================================================================
    FreeBSD-SA-03:10.ibcs2 Security Advisory
                                                              The FreeBSD Project

    Topic: Kernel memory disclosure via ibcs2

    Category: core
    Module: sys
    Announced: 2003-08-10
    Credits: David Rhodus <drhodus@catpa.com>
    Affects: All FreeBSD releases up to and including 4.8-RELEASE-p2,
                    5.1-RELEASE-p1
    Corrected: 2003-08-10 23:30:18 UTC (RELENG_4)
                    2003-08-10 23:28:16 UTC (RELENG_5_1)
                    2003-08-10 23:29:10 UTC (RELENG_5_0)
                    2003-08-10 23:31:11 UTC (RELENG_4_8)
                    2003-08-10 23:31:51 UTC (RELENG_4_7)
                    2003-08-10 23:32:22 UTC (RELENG_4_6)
                    2003-08-10 23:32:44 UTC (RELENG_4_5)
                    2003-08-10 23:33:18 UTC (RELENG_4_4)
                    2003-08-10 23:33:50 UTC (RELENG_4_3)
                    2003-08-10 23:35:21 UTC (RELENG_3)
    FreeBSD only: YES

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit
    <URL:http://www.freebsd.org/security/>.

    I. Background

    FreeBSD contains a kernel option (IBCS2) and kernel loadable module
    (ibcs2.ko) that provide system call translation for running Intel
    Binary Compatibility Specification 2 (iBCS2) compliant programs.
    It is not enabled in FreeBSD by default.

    II. Problem Description

    The iBCS2 system call translator for statfs(2) erroneously used the
    user-supplied length parameter when copying a kernel data structure
    into userland. If the length parameter were larger than required,
    then instead of copying only the statfs-related data structure,
    additional kernel memory would also be made available to the user.

    III. Impact

    If iBCS2 support were enabled, a malicious user could call the iBCS2
    version of statfs(2) with an arbitrarily large length parameter,
    causing the kernel to return a large portion of kernel memory. Such
    memory might contain sensitive information, such as portions of the
    file cache or terminal buffers. This information might be directly
    useful, or it might be leveraged to obtain elevated privileges in some
    way. For example, a terminal buffer might include a user-entered
    password.

    iBCS2 support is only present if the system administrator has enabled
    it by including `option IBCS2' in the kernel configuration file, or
    loaded it dynamically using kldload(8) or by setting `ibcs2_enable' in
    rc.conf(5).

    IV. Workaround

    Disable iBCS2 support if it is enabled.

    V. Solution

    1) Upgrade your vulnerable system to 4.8-STABLE, or to any of the
    RELENG_4_8 (4.8-RELEASE-p3), RELENG_4_7 (4.7-RELEASE-p13), or
    RELENG_5_1 (5.1-RELEASE-p2) security branches dated after the
    respective correction dates.

    2) To patch your present system:

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility. The following patch
    has been tested to apply to all FreeBSD 3.x, 4.x, and 5.x releases.

    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:10/ibcs2.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:10/ibcs2.patch.asc

    b) Apply the patch.

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in
    <URL:http://www.freebsd.org/handbook/kernelconfig.html>
    and reboot the system.

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in FreeBSD.

    Path Revision
      Branch
    - -------------------------------------------------------------------------
    src/UPDATING
      RELENG_5_1 1.251.2.3
      RELENG_5_0 1.229.2.16
      RELENG_4_8 1.73.2.80.2.5
      RELENG_4_7 1.73.2.74.2.16
      RELENG_4_6 1.73.2.68.2.44
      RELENG_4_5 1.73.2.50.2.46
      RELENG_4_4 1.73.2.43.2.47
      RELENG_4_3 1.73.2.28.2.34
    src/sys/conf/newvers.sh
      RELENG_5_1 1.50.2.4
      RELENG_5_0 1.48.2.11
      RELENG_4_8 1.44.2.29.2.4
      RELENG_4_7 1.44.2.26.2.15
      RELENG_4_6 1.44.2.23.2.33
      RELENG_4_5 1.44.2.20.2.30
      RELENG_4_4 1.44.2.17.2.38
      RELENG_4_3 1.44.2.14.2.24
    src/sys/i386/ibcs2/ibcs2_stat.c
      RELENG_4 1.10.2.1
      RELENG_5_1 1.21.2.1
      RELENG_5_0 1.16.2.2
      RELENG_4_8 1.10.14.1
      RELENG_4_7 1.10.12.1
      RELENG_4_6 1.10.10.1
      RELENG_4_5 1.10.8.1
      RELENG_4_4 1.10.6.1
      RELENG_4_3 1.10.4.1
      RELENG_3 1.8.2.1
    - -------------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (FreeBSD)

    iD8DBQE/Nt6YFdaIBMps37IRAtuMAJ4r2aUyHWiYDuUvrVyRlh0n7mF6FQCgmDiw
    GOMr9asJmVzpRozE11KvtaE=
    =cLnc
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

  • Next message: Jason Dambrosio: "Re: FreeBSD Security Advisory FreeBSD-SA-03:09.signal"

    Relevant Pages