-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:21.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Local privilege escalation in IRET handler

Category:       core
Module:         sys_amd64
Announced:      2015-08-25
Credits:        Konstantin Belousov, Andrew Lutomirski
Affects:        FreeBSD 9.3 and FreeBSD 10.1
Corrected:      2015-03-31 00:59:30 UTC (stable/10, 10.1-STABLE)
                2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19)
                2015-03-31 01:08:51 UTC (stable/9, 9.3-STABLE)
                2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24)
CVE Name:       CVE-2015-5675

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD/amd64 is commonly used on 64-bit systems with AMD and Intel
CPUs.

The GS segment CPU register is used by both user processes and the
kernel to conveniently access state data: 32-bit user processes use the
register to manage per-thread data, while the kernel uses it to access
per-processor data.

The return from interrupt (IRET) instruction returns program control
from an interrupt handler to the interrupted context.

II.  Problem Description

If the kernel-mode IRET instruction generates an #SS or #NP exception,
but the exception handler does not ensure that the kernel's GS base is
reloaded before it runs, the handler executes with the userland GS base
still in place, and the kernel's per-processor data accesses go through
a base chosen by the user process.

III. Impact

By causing an IRET with #SS or #NP exceptions, a local attacker can
cause the kernel to use an arbitrary GS base, which may allow privilege
escalation or a kernel panic.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch
# fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch.asc
# gpg --verify amd64.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
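
Added example, not part of the advisory or of the FreeBSD project: a POSIX sh check that takes a FreeBSD release version string and reports whether it carries the SA-15:21 kernel fix, using the corrected patch levels listed in the header above (10.1-RELEASE-p19 and 9.3-RELEASE-p24). The function name sa1521_status, its fixed/vulnerable/unknown vocabulary and its exit codes are this example's own conventions; the use of freebsd-version(1) with -k to obtain the running kernel's version is assumed from that utility's manual page, not from the advisory. The fix lives in the kernel, so what matters is the running kernel's patch level, not the userland's: a freebsd-update install that has not yet been followed by a reboot still reports the old level.

```shell
#!/bin/sh
# Added example (not from the FreeBSD advisory or from FreeBSD itself).
# Decide from a release version string whether the SA-15:21 correction is
# present. Fixed levels come from the advisory header:
#   releng/10.1 -> 10.1-RELEASE-p19
#   releng/9.3  -> 9.3-RELEASE-p24

# sa1521_status VERSION
#   Prints "fixed", "vulnerable" or "unknown" and returns 0, 1 or 2.
#   VERSION is a string as printed by `freebsd-version -k` or `uname -r`,
#   e.g. "10.1-RELEASE-p18". Only the two release branches the advisory
#   covers are decidable from the string alone; a -STABLE build must be
#   compared against the Subversion revisions in the advisory instead,
#   so anything else reports "unknown".
sa1521_status() {
    ver="$1"
    case "$ver" in
        10.1-RELEASE|10.1-RELEASE-p*) fixed=19 ;;
        9.3-RELEASE|9.3-RELEASE-p*)   fixed=24 ;;
        *)                            echo unknown; return 2 ;;
    esac
    # The patch level is the number after the last "-p"; a bare RELEASE is p0.
    case "$ver" in
        *-p*) level="${ver##*-p}" ;;
        *)    level=0 ;;
    esac
    # Refuse to guess on a malformed suffix such as "-p" or "-pfoo".
    case "$level" in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    if [ "$level" -ge "$fixed" ]; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# With an argument, report on that version string; without one, do nothing
# so the file can be sourced as a library. On a FreeBSD host run it as
#   sa1521_status "$(freebsd-version -k)"
# (-k is the running kernel, which is what this kernel-side fix changes).
if [ $# -gt 0 ]; then
    sa1521_status "$1"
fi
```

The exit code follows the grep convention (0 means the fix is present, 1 means it is missing, 2 means the string could not be classified), so the function can gate a remediation step in a larger script. Because the version string only encodes the release patch level, a host tracking stable/9 or stable/10 has to be checked against the correction revisions in section VI instead.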

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r280877
releng/9.3/                                                       r287147
stable/10/                                                        r280875
releng/10.1/                                                      r287146
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5675>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:21.amd64.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.7 (FreeBSD)

iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rn5ncQANs2pS8xCowX+BM9LmKTUb2Y
eqGCvDetXV51/ljAOS10ubc4U0Zn2D5ACyz/DfiLIXVK8vkvlnJXFh3jSK6KIqPH
ionXa8zMedBoytZL8xIEFSpk9+cYGkGupIYEGu6CCHVZGJ5fVgTlnnazuXd4evbt
U1/7KNWt2H1R1j0YiYZ0MvhrIF35KqFmLOGf2JmZulqruwq91tYeMlv+7IY6vtPD
L8n5kTM7pudB3qznXd1PBMj1Y6YVG1O3WL4Stfyj93qDuMbJ+wfnao1ZKMBG0az8
IJITHrnTI+Xd4i/bbEoSmSN9V80S8uo/6J6JaXjtbrJfEqAMKhLrrcoMA7MHpKJQ
L4dv2HGL1n7xfOIfj5Qo2io/LUSye5lO54LtEKZfjhzqsTtNQl57BDAYZgbQp2/A
RsngIq3VrNcIJQK8F1Ba7SNL2+NVd091Wb+Z52837R5/D47jD2BhDia5eH6R5Opv
6kfzTJujbLi6b9RSn0OT+wAQbQ80qSmD+IwMXwAAg0mukthjTiJpqabpMWvMmfGO
mhfZBGqmf1Hx4lTczSRMLlRCmjOBc+BKioHT2ciE8QMX0WrHhkRuSBqY3euVTCMB
9+iU7eJ23tARTbG5wMmBNRsWJzhOKieM0UEsXxso+z8tMMX1Vh/e9ls2qm+ks876
WYT9/yPSsyU1z/AkHJU7
=nHGY
-----END PGP SIGNATURE-----