-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-10:07.mbuf Security Advisory The FreeBSD Project
Topic: Lost mbuf flag resulting in data corruption Category: core Module: kern Announced: 2010-07-13 Credits: Ming Fu Affects: FreeBSD 7.x and later. Corrected: 2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE) 2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE) 2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4) 2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE) 2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2) 2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13) CVE Name: CVE-2010-2693 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background An mbuf is a basic unit of memory management in the FreeBSD kernel inter-process communication and networking subsystem. Network packets and socket buffers are dependent on mbufs for their storage. Data can be embedded directly in mbufs, or mbufs can instead reference external buffers. The sendfile(2) system call uses external mbuf storage to directly map the contents of a file into a chain of mbufs for transmission purposes. The mbuf object supports a read-only flag that must be honored to prevent modification or writes to buffer data in cases like these. II. Problem Description The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption. III. Impact This data corruption can be exploited by an local attacker to escalate their privilege by carefully controlling the corruption of system files. It should be noted that the attacker can corrupt any file they have read access to. NOTE: While systems without untrusted local users are not affected by the security aspects of this issue, the potential for data corruption implies that this should still be treated as a critical erratum. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to FreeBSD 7.1, 7.3, 8.0 and 8.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch # fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Now reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_7 src/sys/kern/uipc_mbuf.c 1.174.2.4 RELENG_7_3 src/UPDATING 1.507.2.34.2.4 src/sys/conf/newvers.sh 1.72.2.16.2.6 src/sys/kern/uipc_mbuf.c 1.174.2.3.4.2 RELENG_7_1 src/UPDATING 1.507.2.13.2.16 src/sys/conf/newvers.sh 1.72.2.9.2.17 src/sys/kern/uipc_mbuf.c 1.174.2.2.2.2 RELENG_8 src/sys/kern/uipc_mbuf.c 1.185.2.3 RELENG_8_1 src/UPDATING 1.632.2.14.2.2 src/sys/conf/newvers.sh 1.83.2.10.2.4 src/sys/kern/uipc_mbuf.c 1.185.2.2.2.2 RELENG_8_0 src/UPDATING 1.632.2.7.2.7 src/sys/conf/newvers.sh 1.83.2.6.2.7 src/sys/kern/uipc_mbuf.c 1.185.2.1.2.2 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/7/ r209964 releng/7.3/ r209964 releng/7.1/ r209964 stable/8/ r209964 releng/8.0/ r209964 releng/8.1/ r209964 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2693 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iEYEARECAAYFAkw71A0ACgkQFdaIBMps37JOOACff8w8qvsgopj11FFAPQdwyPLB JEQAniRHbomY2hJVw5FmrdQv3SP+ZziI =Reds -----END PGP SIGNATURE-----