132 lines
4.9 KiB
Text
132 lines
4.9 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-20:04.pfctl Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: Missing pfctl(8) tunable
|
|
|
|
Category: core
|
|
Module: pfctl(8)
|
|
Announced: 2020-03-19
|
|
Credits: Rubicon Communications, LLC (netgate.com)
|
|
Affects: FreeBSD 11.3-RELEASE
|
|
Corrected: 2020-02-12 14:50:13 UTC (stable/11, 11.3-STABLE)
|
|
2020-03-19 16:35:15 UTC (releng/11.3, 11.3-RELEASE-p7)
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
Packet filtering takes place in the kernel. A pseudo-device, /dev/pf, allows
|
|
userland processes to control the behavior of the packet filter through an
|
|
ioctl(2) interface. Commands include enabling and disabling the filter,
|
|
loading rulesets, adding and removing individual rules or state table entries,
|
|
and retrieving statistics. The most commonly used functions are covered by
|
|
the pfctl(8) utility.
|
|
|
|
II. Problem Description
|
|
|
|
pf(4) ioctls frequently take a variable number of elements as argument.
|
|
This can potentially allow users to request very large allocations.
|
|
|
|
A failing non-blocking pf(4) allocation can tie up resources resulting in
|
|
concurrent blocking allocations entering vm_wait() and inducing reclamation
|
|
of caches.
|
|
|
|
III. Impact
|
|
|
|
The kernel will reject very large tables to avoid resource exhaustion
|
|
attacks. Some users run into this limit with legitimate table
|
|
configurations.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, however systems that do not employ pf(4) nor
|
|
use pf(4) table definitions larger than 65535 entries are unaffected.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date, and reboot.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Rebooting for an errata update"
|
|
|
|
2) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.3]
|
|
# fetch https://security.FreeBSD.org/patches/EN-20:04/pfctl.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-20:04/pfctl.patch.asc
|
|
# gpg --verify pfctl.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r357822
|
|
releng/11.3/ r359135
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:04.pfctl.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zpldfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cL4Aw/9GhPqyMcVMROjoX2xepwOubsM+C9lMCTQtxOOhYLtt9IIt5KTgSefAcyt
|
|
DMcqE78R6wgaxf08XAQyD/iN3udhCFT4YRElB1o5XMEhYUcCIsatKcb8hIVJuRD3
|
|
Ap2goT7zHlicFxpKuWblg/qenU0A9PgaCjsRaVePHS2nzOW+d9DJSg3yxz6xwGCZ
|
|
Nuv03Y2OBVm/KdW4awk50FdzR2L04U0D0ZATh+5yr25aH99dVpUQMmRc+qjRtXzh
|
|
4j34Qj8mWteAkD5690zcE1nGwu7lGDFoRjwhiP5RP9Gn3o2Sv5SJwHNwB5W1WQDr
|
|
GAormcXgUwuWwd9ijtKfWNmJm7MhZhCjvq9l0tt54e+j4Nmz39/ZijFfa1Ug7XKJ
|
|
4yp1ey2ri3W3bGrv2nRHMzY6d3EaQq/96vupt/dWxlufoIHbUvUQ0l8KWNmQ8kK1
|
|
dplsoMS6x/AeFjjF4I62Cp429vBbpRDRCJk4mZ6itJ8CWbNXIv2xCj7aKzRcrwpx
|
|
kmcblpkFpm7edVkTGjtv/MMhUPXdlskQStOCjSkHoo/cofcAOUovJ8755AvYNkwl
|
|
P0e49iOxvFFMA3jZSuxCrQksHq295VwjImEUSJKYyARGdDiPR4q8AdUy+CPyDoLs
|
|
zMrzZz5HiNSNdoh4mX3OFIkjtuk/fXR5LQnMBuzHfmfhLtsmHAQ=
|
|
=upRR
|
|
-----END PGP SIGNATURE-----
|