Fix a bug that allowed a tracing process (e.g. gdb) to write

to a memory-mapped file in the traced process's address space
even if neither the traced process nor the tracing process had
write access to that file.

Security:	CVE-2013-2171
Security:	FreeBSD-SA-13:06.mmap
Approved by:	so

share/security/advisories/FreeBSD-SA-13:06.mmap.asc

@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:06.mmap                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Privilege escalation via mmap
+
+Category:       core
+Module:         kernel
+Announced:      2013-06-18
+Credits:        Konstantin Belousov
+                Alan Cox
+Affects:        FreeBSD 9.0 and later
+Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
+                2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
+CVE Name:       CVE-2013-2171
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The FreeBSD virtual memory system allows files to be memory-mapped.
+All or parts of a file can be made available to a process via its
+address space.  The process can then access the file using memory
+operations rather than filesystem I/O calls.
+
+The ptrace(2) system call provides tracing and debugging facilities by
+allowing one process (the tracing process) to watch and control
+another (the traced process).
+
+II.  Problem Description
+
+Due to insufficient permission checks in the virtual memory system, a
+tracing process (such as a debugger) may be able to modify portions of
+the traced process's address space to which the traced process itself
+does not have write access.
+
+III. Impact
+
+This error can be exploited to allow unauthorized modification of an
+arbitrary file to which the attacker has read access, but not write
+access.  Depending on the file and the nature of the modifications,
+this can result in privilege escalation.
+
+To exploit this vulnerability, an attacker must be able to run
+arbitrary code with user privileges on the target system.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch
+# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc
+# gpg --verify mmap.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r251902
+releng/9.1/                                                       r251903
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing XXXXXX with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing XXXXXX with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=XXXXXX>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2171>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:06.mmap.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.13 (FreeBSD)
+
+iEYEARECAAYFAlHAB+YACgkQFdaIBMps37IjFACdFSoiYO1YkcPunLh7Zw4TC6MF
+X9MAnjjVWB2uEl60Rl3K4WOuJ71AVNlP
+=8309
+-----END PGP SIGNATURE-----

share/security/patches/SA-13:06/mmap.patch

@@ -0,0 +1,17 @@
+Index: sys/vm/vm_map.c
+===================================================================
+--- sys/vm/vm_map.c	(revision 251636)
++++ sys/vm/vm_map.c	(working copy)
+@@ -3761,6 +3761,12 @@ RetryLookup:;
+ 		vm_map_unlock_read(map);
+ 		return (KERN_PROTECTION_FAILURE);
+ 	}
++	if ((fault_typea & VM_PROT_COPY) != 0 &&
++	    (entry->max_protection & VM_PROT_WRITE) == 0 &&
++	    (entry->eflags & MAP_ENTRY_COW) == 0) {
++		vm_map_unlock_read(map);
++		return (KERN_PROTECTION_FAILURE);
++	}
+ 
+ 	/*
+ 	 * If this page is not pageable, we have to get it for all possible

share/security/patches/SA-13:06/mmap.patch.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.13 (FreeBSD)
+
+iEYEABECAAYFAlG+/IYACgkQFdaIBMps37K+zQCfVnC++mrjdv3iPK2vxvAOlm5Y
+eZ0An0JgUgEMViKydscbB4KPAD8y4X/h
+=NzJg
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -7,6 +7,19 @@
   <year>
     <name>2013</name>
 
+    <month>
+      <name>6</name>
+
+      <day>
+	<name>18</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-13:06.mmap</name>
+	</advisory>
+      </day>
+
+    </month>
+
     <month>
       <name>4</name>