Add SA-17:04.

svn path=/head/; revision=50208

share/security/advisories/FreeBSD-SA-17:04.ipfilter.asc

@@ -0,0 +1,147 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:04.ipfilter                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ipfilter(4) fragment handling panic
+
+Category:       contrib
+Module:         ipfilter
+Announced:      2017-04-27
+Credits:        Cy Schubert
+Affects:        All supported versions of FreeBSD.
+Corrected:      2017-04-21 01:51:49 UTC (stable/11, 11.0-STABLE)
+                2017-04-27 06:52:30 UTC (releng/11.0, 11.0-RELEASE-p10)
+                2017-04-21 01:51:49 UTC (stable/10, 10.3-STABLE)
+                2017-04-27 06:52:30 UTC (releng/10.3, 10.3-RELEASE-p19)
+CVE Name:       CVE-2017-1081
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+IP Filter, also known as ipfilter(4), is a cross-platform, open source packet
+filter (firewall) originally written for BSD operating systems, including
+FreeBSD, NetBSD, and OpenBSD, and for Solaris.  ipfilter(4) is one of three
+firewalls included in FreeBSD (the others being ipfw(4) and pf(4)).  It
+performs firewall and NAT functions using the pfil(9) framework as do the
+other firewalls in FreeBSD in the kernel.
+
+II.  Problem Description
+
+ipfilter(4), capable of stateful packet inspection, using the "keep state"
+or "keep frags" rule options, will not only maintain the state of
+connections, such as TCP streams or UDP communication, it also maintains
+the state of fragmented packets.  When a packet fragments are received they
+are cached in a hash table (and linked list).  When a fragment is received it
+is compared with fragments already cached in the hash table for a match.  If
+it does not match the new entry is used to create a new entry in the hash
+table.  If on the other hand it does match, unfortunately the wrong entry is
+freed, the entry in the hash table.  This results in use after free panic
+(and for a brief moment prior to the panic a memory leak due to the wrong
+entry being freed).
+
+III. Impact
+
+Carefully feeding fragments that are allowed to pass by an ipfilter(4)
+firewall can be used to cause a panic followed by reboot loop denial of
+service attack.
+
+IV.  Workaround
+
+No workaround is available, but systems not using ipfilter(4) are not
+vulnerable.  A default installation doesn't enable ipfilter(4).
+ipfilter(4) configurations not using "keep state" pr "keep frags" are not
+vulnerable.  Users may be able to temporarily replace stateful inspection
+with stateless rules however this is not as secure as stateful inspection.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Reload the ipl.ko kernel module or reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reload the ipl.ko kernel module or reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch.asc
+# gpg --verify ipfilter.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system or reload the ipl.ko kernel module.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r317241
+releng/10.3/                                                      r317487
+stable/11/                                                        r317241
+releng/11.0/                                                      r317487
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1081>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:04.ipfilter.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.20 (FreeBSD)
+
+iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlkBlbAACgkQ7Wfs1l3P
+auejpBAAtsITE8qn04H5gT8EGq/ntkN8DQydmVHn0OpmwDGg/XD4Wrwye8jqHhFb
+XdOj5aMb0QbEK3WjDZwbvHNqTkyzl5QXc3PPs7V5mHdYGHsMRWvSyXutRmopgmsp
+ee59qLeKxvWGss0gqkUWZQQcbdIVN8hTXnumBZ8ncrpjluaYZuO8DvyZQ1Cy4f+f
+sd6PCZHemjs4MtSriV4AKOtM1QPuBQEkrQ6clA5j55Txk6fkcy1CUoyP0KmW20Iu
+VFY/UyrfvbVDgbsFMMFsSn/F9DlKVLLtgjpXqztuOu1QhLbAs7spMnUjRnilfOE6
+rsyOh26sjEIlQ3sNf7IrFsXdoqLWgn7CDToZEk5xfyv7MyEuEd5INfAkcLz9Mcp+
+AymVRmC29CDt8dIJlEaXPyYXDLx5PGPB+SUR2VghzPQkHM9X9EOnJcVEbAn3QnQ1
+sFkh4mlsh3cQ9iw2+RYzIybgBzv0OjxIasU3QtnbRNXgdNVnoV/yTeEUFSyVzvC2
+6JcjJCq7WZ3U9EBKbPoVzRBsHAal/3EWMnXMprcdNPuxjd+9357K5OnMXiP9ab9G
+KthAVRN1y+bZ/SNEtqE/T1vrxH9JV/BEqQjtx+DMp7v7TzGgK8rqSJT8H/bIu2h3
+IecRnQRkDipqITFQKSoPiqJZeuoVcXaYw8Cp5gUpL618m4DwZ3w=
+=C7OI
+-----END PGP SIGNATURE-----

share/security/patches/SA-17:04/ipfilter.patch

@@ -0,0 +1,11 @@
+--- sys/contrib/ipfilter/netinet/ip_frag.c.orig
++++ sys/contrib/ipfilter/netinet/ip_frag.c
+@@ -474,7 +474,7 @@
+ 			  IPFR_CMPSZ)) {
+ 			RWLOCK_EXIT(lock);
+ 			FBUMPD(ifs_exists);
+-			KFREE(fra);
++			KFREE(fran);
+ 			return NULL;
+ 		}
+ 

share/security/patches/SA-17:04/ipfilter.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.20 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlkBlcIACgkQ7Wfs1l3P
+audqyBAAgRyBZtlZ8/VZ/nF+JG/aIutr2sQrgIrKT7/3Tnc3fU/+gN35T44A2pjD
+04mtVe1LsBxNnyeqjb5sxu/ppFgmT6JxhVpARAey7m8fJS0VPbk6K57RtbQUAOTZ
+B54VE15y+Eh8MAveJvnxd5gqjxZW69j3jpZ5aIKYOWoIWNs+OeOu8x4HAyVGPksA
+L93+AqbRRN56t++ief6SCTErukWjj6HYF1KSf+9CDncouMgKY2e4+Dr6I1fmNOUg
+tCZDtnyOM6dcxVI+dz4I88xl3RpGSPZFaXgVpkbeLw8NO+w6g8OV7wPqTPZ+WvdC
+pQ/A2MDUJgNWrLFHYUwdra/RENi6pYjixiTK4Qv7bN8QBGQcFdDU53HAco/yT3pe
+6G1nz+SVYtJRjUGPOeej1YtFxTFSI/I0ACo3S7ohDTy4BbAeTHb3s2OXaNUQGxE2
+KwvwCatsqX74FDkSXlk4bYaCFJNI/8mL3W+lkSxOkJX4d+lsxI/iBcBNmphzBM5A
+WGPtvBnXVNhLRe2o0KNFL7KGp/2es8EZjhf23G9bU3faUCoSgLEQADSz2UVfw7+O
+EjjtNHR0ZDKi7FTJhwLfokE3151mMjD04D8V0Tw68TeoUFJE1//AzElxEH/gxufi
+bjhA1kK7+Z6ML5uZke+nYpUvyolmYJitmmGFd+HObFDfUEn4Nks=
+=wUgH
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,14 @@
     <month>
       <name>4</name>
 
+      <day>
+        <name>27</name>
+
+        <advisory>
+          <name>FreeBSD-SA-17:04.ipfilter</name>
+        </advisory>
+      </day>
+
       <day>
         <name>12</name>