144 lines
5.4 KiB
Text
144 lines
5.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-20:15.cryptodev Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Use after free in cryptodev module
|
|
|
|
Category: core
|
|
Module: cryptodev
|
|
Announced: 2020-05-12
|
|
Credits: Yuval Kanarenstein
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2020-01-20 11:19:55 UTC (stable/12, 12.1-STABLE)
|
|
2020-05-12 16:57:47 UTC (releng/12.1, 12.1-RELEASE-p5)
|
|
2020-01-20 11:19:55 UTC (stable/11, 11.3-STABLE)
|
|
2020-05-12 16:57:47 UTC (releng/11.3, 11.3-RELEASE-p9)
|
|
CVE Name: CVE-2019-15879
|
|
|
|
Note: The upcoming release of FreeBSD 11.4 was branched after the original
|
|
commit to the stable branch and already includes the fix for this advisory.
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The cryptodev module permits userland applications to offload
|
|
cryptographic requests to device drivers in the kernel. Applications
|
|
create sessions via file descriptors opened from /dev/crypto.
|
|
|
|
II. Problem Description
|
|
|
|
A race condition permitted a data structure in the kernel to be used
|
|
after it was freed by the cryptodev module.
|
|
|
|
III. Impact
|
|
|
|
An unprivileged process can overwrite arbitrary kernel memory.
|
|
|
|
IV. Workaround
|
|
|
|
Unload the cryptodev kernel module if it is loaded:
|
|
|
|
# kldunload cryptodev
|
|
|
|
Note that the cryptodev module is not loaded by default and is not
|
|
used by most applications. Specificially, use of accelerated software
|
|
cryptography, such as AES-NI, in userland applications via libraries such
|
|
as OpenSSL do not make use of the cryptodev module.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date, and
|
|
reboot the system.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Rebooting for a security update"
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 12.1]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.12.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.12.patch.asc
|
|
# gpg --verify cryptodev.12.patch.asc
|
|
|
|
[FreeBSD 11.3]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.11.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.11.patch.asc
|
|
# gpg --verify cryptodev.11.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r356908
|
|
releng/12.1/ r360976
|
|
stable/11/ r356908
|
|
releng/11.3/ r360976
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15879>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:15.cryptodev.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cLW2A//VW8iJqNaBHhMnCrpl+oDTadzGM3gYVxnM+EEQYzru2Ze0z0tShiAkXrQ
|
|
NryjwBpMA3r1nyWDYaWMgbHjcG+jQdsIvoiA+fSU9hXEUbpxwX9ZKlaSZUBDX48X
|
|
YScJMewgHCXNpgkTnIckaIyIadOXX+zWhi5T0LN2tS5M5oejTLndAKo9mQm1Ni50
|
|
PYiHFkLzO7v4H6K0cKuJRuHF8+kU1IhvOinZuXwZXoGqmPGTVsA0+T27dWhosaWv
|
|
Yqh3Pbp5oS1y3NbbOadLPhY146pT2Qrb2mQOEiHvsXMFRgjIEQzH1MYXx5gvpa4K
|
|
CkMwCV/MuNotscVZ00qhVQEGEVlrhgi2IXinzxde5HYCc3mD/KdcYnYz9zOCeIfb
|
|
9RfdvKk8uzUITLyz8ZinZBqIHghnSG3M9/cNj2o/97yRfFJazXF/SI41YoV3hcyE
|
|
Gb1ncYfaAJ4rL9U6xHMw7V+1LSlMrVsIcWxCM2PS4NTwWcZ8K7mEX51ARjx4k7lx
|
|
IBEsJ+ExSfZHNkS6/DLZiuLEQKFxIOKlRyZQTALnzNaNTp763idW7zA+9k8ceBRH
|
|
VO7x3EGNqNPhIss+JHOxDUaXTFfJTcd7XGv291unkZwBJuFhJBfH3S+ZCcF38xVK
|
|
aweHOoJW5V+D9GKygb9oLjOxOupRkFuRrHFQcvj57FYqs9/GDVc=
|
|
=8E1l
|
|
-----END PGP SIGNATURE-----
|