Fix a bug that allowed a tracing process (e.g. gdb) to write
to a memory-mapped file in the traced process's address space even if
neither the traced process nor the tracing process had write access to
that file.

Security: CVE-2013-2171
Security: FreeBSD-SA-13:06.mmap
Approved by: so
parent b648b634f6
commit 037314c9bc
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=41945
4 changed files with 164 additions and 0 deletions
127
share/security/advisories/FreeBSD-SA-13:06.mmap.asc
Normal file
|
@ -0,0 +1,127 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA1
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-SA-13:06.mmap Security Advisory
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: Privilege escalation via mmap
|
||||
|
||||
Category: core
|
||||
Module: kernel
|
||||
Announced: 2013-06-18
|
||||
Credits: Konstantin Belousov
|
||||
Alan Cox
|
||||
Affects: FreeBSD 9.0 and later
|
||||
Corrected: 2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
|
||||
2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
|
||||
CVE Name: CVE-2013-2171
|
||||
|
||||
For general information regarding FreeBSD Security Advisories,
|
||||
including descriptions of the fields above, security branches, and the
|
||||
following sections, please visit <URL:http://security.FreeBSD.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
The FreeBSD virtual memory system allows files to be memory-mapped.
|
||||
All or parts of a file can be made available to a process via its
|
||||
address space. The process can then access the file using memory
|
||||
operations rather than filesystem I/O calls.
|
||||
|
||||
The ptrace(2) system call provides tracing and debugging facilities by
|
||||
allowing one process (the tracing process) to watch and control
|
||||
another (the traced process).
|
||||
|
||||
II. Problem Description
|
||||
|
||||
Due to insufficient permission checks in the virtual memory system, a
|
||||
tracing process (such as a debugger) may be able to modify portions of
|
||||
the traced process's address space to which the traced process itself
|
||||
does not have write access.
|
||||
|
||||
III. Impact
|
||||
|
||||
This error can be exploited to allow unauthorized modification of an
|
||||
arbitrary file to which the attacker has read access, but not write
|
||||
access. Depending on the file and the nature of the modifications,
|
||||
this can result in privilege escalation.
|
||||
|
||||
To exploit this vulnerability, an attacker must be able to run
|
||||
arbitrary code with user privileges on the target system.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
No workaround is available.
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
||||
release / security branch (releng) dated after the correction date.
|
||||
|
||||
2) To update your vulnerable system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch
|
||||
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc
|
||||
# gpg --verify mmap.patch.asc
|
||||
|
||||
b) Apply the patch.
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile your kernel as described in
|
||||
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
||||
system.
|
||||
|
||||
3) To update your vulnerable system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/9/ r251902
|
||||
releng/9.1/ r251903
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing XXXXXX with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing XXXXXX with the revision number:
|
||||
|
||||
<URL:http://svnweb.freebsd.org/base?view=revision&revision=XXXXXX>
|
||||
|
||||
VII. References
|
||||
|
||||
<other info on vulnerability>
|
||||
|
||||
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2171>
|
||||
|
||||
The latest revision of this advisory is available at
|
||||
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:06.mmap.asc>
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.13 (FreeBSD)
|
||||
|
||||
iEYEARECAAYFAlHAB+YACgkQFdaIBMps37IjFACdFSoiYO1YkcPunLh7Zw4TC6MF
|
||||
X9MAnjjVWB2uEl60Rl3K4WOuJ71AVNlP
|
||||
=8309
|
||||
-----END PGP SIGNATURE-----
|
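Review bot: Section VII (References) of the advisory still contains the template placeholder `<other info on vulnerability>` above the CVE URL. Remove that line or replace it with an actual reference before publishing, because the text is clearsigned and any later correction requires re-signing the whole file. Separately, the signed message declares `Hash: SHA1`; consider signing future advisories with a stronger digest.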
17
share/security/patches/SA-13:06/mmap.patch
Normal file
|
@ -0,0 +1,17 @@
|
|||
Index: sys/vm/vm_map.c
|
||||
===================================================================
|
||||
--- sys/vm/vm_map.c (revision 251636)
|
||||
+++ sys/vm/vm_map.c (working copy)
|
||||
@@ -3761,6 +3761,12 @@ RetryLookup:;
|
||||
vm_map_unlock_read(map);
|
||||
return (KERN_PROTECTION_FAILURE);
|
||||
}
|
||||
+ if ((fault_typea & VM_PROT_COPY) != 0 &&
|
||||
+ (entry->max_protection & VM_PROT_WRITE) == 0 &&
|
||||
+ (entry->eflags & MAP_ENTRY_COW) == 0) {
|
||||
+ vm_map_unlock_read(map);
|
||||
+ return (KERN_PROTECTION_FAILURE);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* If this page is not pageable, we have to get it for all possible
|
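Review bot: The new condition added in sys/vm/vm_map.c after the existing `return (KERN_PROTECTION_FAILURE);` has no comment, although it is the whole security fix and the block right below it is commented. Add a short comment above `if ((fault_typea & VM_PROT_COPY) != 0 &&` stating that a copy-type fault is refused when the entry's `max_protection` lacks `VM_PROT_WRITE` and the entry is not `MAP_ENTRY_COW`, with a pointer to FreeBSD-SA-13:06.mmap, so the check is not later simplified away. As a style point, the unlock-and-return pair now appears twice in a row; a shared exit would keep the two failure cases from drifting apart.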
7
share/security/patches/SA-13:06/mmap.patch.asc
Normal file
|
@ -0,0 +1,7 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.13 (FreeBSD)
|
||||
|
||||
iEYEABECAAYFAlG+/IYACgkQFdaIBMps37K+zQCfVnC++mrjdv3iPK2vxvAOlm5Y
|
||||
eZ0An0JgUgEMViKydscbB4KPAD8y4X/h
|
||||
=NzJg
|
||||
-----END PGP SIGNATURE-----
|
|
@ -7,6 +7,19 @@
|
|||
<year>
|
||||
<name>2013</name>
|
||||
|
||||
<month>
|
||||
<name>6</name>
|
||||
|
||||
<day>
|
||||
<name>18</name>
|
||||
|
||||
<advisory>
|
||||
<name>FreeBSD-SA-13:06.mmap</name>
|
||||
</advisory>
|
||||
</day>
|
||||
|
||||
</month>
|
||||
|
||||
<month>
|
||||
<name>4</name>
|
||||
|
||||
|
|