-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:03.linux Security Advisory The FreeBSD Project
Topic: Linux compatibility layer incorrect futex handling Category: core Module: kernel Announced: 2016-01-14 Credits: Mateusz Guzik Affects: All supported versions of FreeBSD. Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) CVE Name: CVE-2016-1880 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background FreeBSD is binary-compatible with the Linux operating system through a loadable kernel module/optional kernel component. The support is provided on amd64 and i386 machines. II. Problem Description A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed. III. Impact It is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation. IV. Workaround No workaround is available, but systems not using the Linux binary compatibility layer are not vulnerable. The following command can be used to test if the Linux binary compatibility layer is loaded: # kldstat -m linuxelf V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Reboot the system or unload and reload the linux.ko kernel module. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Reboot the system or unload and reload the linux.ko kernel module. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-16:03/linux.patch # fetch http://security.FreeBSD.org/patches/SA-16:03/linux.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch # cd /usr/src/amd64/linux32 # make sysent # cd /usr/src/i386/linux # make sysent c) Recompile your kernel and modules as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html>. Reboot the system or unload and reload the linux.ko kernel module. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Subversion: Branch/path Revision - --------------------------------------------------------------------------- stable/9/ r293898 releng/9.3/ r293896 stable/10/ r293897 releng/10.1/ r293894 releng/10.2/ r293893 - --------------------------------------------------------------------------- VII. References <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1880> The latest revision of this advisory is available at <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-16:03.linux.asc> -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j2AAoJEO1n7NZdz2rngkcQAJ8yxlxYd+qZPf+pbP+0Kj6w +Sy8BrSUrYLMFynrs4vRPTJobLnVGpwkp6I6ZCDL/yoI/7Xkl3ld7HWfH7MAJ6WP x0j5/bC+AlWGpKfL6wqeddxjHgmaAlDznN1MyO+3byVfP1Y8VVppbzqPNw9AW17Q kNqNAMsVuk3OMpoE7CYEsaH6rzHzbMGAPuR+KN5J55Mth6dNkIYSIFJ0sCae5cnv P6SoMKjn7ffcHymmX/Yj7K0FTOrJOePR0eLbTITivJT1uZ3bYbbYyK1bYslE6bwF EQ3Ij+LhZdM5D7GBOpILBZ9ojvVMq8PiW9yY3zo7DRrwWajBy8pe/3ow0u7igoOK /0XUFmRT0Q0iCxlGhXPxEGcc40g6oE6oVz1m3Ewgqc2+iZm+w6N/w88dRqiBHNgL AiCqleI10eRNgP1uq7XT/5PEslmQLxSCrDPFDOgmSZc3uY7H5LBb6O9fb7YTpn6J bfL7yyJFei/lAlY1s2b+4/DW9PE1OwxNw/R85mSUpbP5my5wwZR+s3mGTLI2JAlk 74Nw/OR9HLLHoEO5JlagfEclKp7O+JzhHYkAcBm7yRMRr1LV+7JZQEaTCeWTkm6L YvL8Ca1PAL6qNLZbxQ26Gjka7KCrFhhNfR22c3Lz4pLtkg9YmDRb4sy6i+q3ellG 0mLi0OqTu2gn+25xhidf =OQft -----END PGP SIGNATURE-----