127 lines
4.6 KiB
Text
127 lines
4.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-16:18 Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: Loader may hang during boot
|
|
|
|
Category: core
|
|
Module: loader
|
|
Announced: 2016-10-25
|
|
Affects: FreeBSD 11.0
|
|
Corrected: 2016-10-08 00:01:07 UTC (stable/11, 11.0-STABLE)
|
|
2016-10-25 16:50:10 UTC (releng/11.0, 11.0-RELEASE-p2)
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The loader is the final stage (boot3) of the boot process and is responsible
|
|
for loading the kernel and starting the operating system. GELIBoot is a
|
|
feature present in the loader that allows it to boot the system from an
|
|
encrypted disks.
|
|
|
|
II. Problem Description
|
|
|
|
A programming error in GELIBoot causes the loader to attempt to read past
|
|
the end of the disk if the size of the final partition is not a multiple of
|
|
4 kB.
|
|
|
|
III. Impact
|
|
|
|
On most systems, reading past the end of the disk will result in the read
|
|
failing, and the boot process will continue normally. On some systems, the
|
|
read past the end of the disk will be retried a number of times and will
|
|
result in the boot process being slower than usual. On Amazon EC2 instances,
|
|
and possibly other virtualization platforms, this issue causes the boot
|
|
process to hang and never complete.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems with 4 kB aligned partitions will not
|
|
result in an attempt to read past the end of the disk.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date.
|
|
|
|
2) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
3) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.0]
|
|
# fetch https://security.FreeBSD.org/patches/EN-16:18/loader.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-16:18/loader.patch.asc
|
|
# gpg --verify loader.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r306834
|
|
releng/11.0/ r307930
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213196>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:18.loader.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQIcBAEBCgAGBQJYD5UZAAoJEO1n7NZdz2rnNNEQAL+Rdn8eEtmUU4AVfa1pnIrc
|
|
/+owfHzB6NS5N+qcsFJmWGyrP6X3HAgNTfiJuNdJBV8HgcAtCQCPie/jork9A/q1
|
|
U0ur8FDr91Y6Cr2H8BINmf7Oe3vwY6S7pPbwbHaHCzAAI/JyDtjGlN4VlEr7lKh/
|
|
3J6xizMDHTBj198SopMIDUWl+qFeLxEMb60WV0Z8NDRyQzV0yXbveUkg35FZhqaW
|
|
w/aAH0hTh3qhxjQCyh34GrJ/peuvPtWxZLfPP7zowIKKAGQR+PfFnN9PrGQFAzht
|
|
yQVk8WrvTrlzZbay6U5BGFcwaxVSgW8PLIHET01BAyd//HBGdfofEMcVXoiQqf5x
|
|
1kX0fdiop02JZX49rzknAGtLlUivniBSCZTnPZrFCjhOHE+TZhhhnqB/jT+RBazx
|
|
m5xFScvfcZZ8ZXK1e68Jn1/SpIOtX+lXmKpoFwE4HoPtJkZV3SDIRYgAsxuWRlMy
|
|
R0I7HuGc7RgJNSJWFhGWcUkyq0yZhy7+x0vVzV3tDZClYrv82ZbVxzTCSCH2se3L
|
|
TLnIruK3nPt4KPWPka7H0jaVzICjqJHzy30IsNMHYHZg8dQ0/CR7pYm2zgCu9B84
|
|
qbemY0YKlhsccM0/R/P9OMNDTcxP6l/Yhqb9A/upBhn2Vlw9OGamvuKfgX4WOTIE
|
|
gOcI7hQW4U/U3ioTTS1T
|
|
=vmGn
|
|
-----END PGP SIGNATURE-----
|