127 lines
4.4 KiB
Text
127 lines
4.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-17:08.pf Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: pf(4) housekeeping thread causes kernel panic
|
|
|
|
Category: core
|
|
Module: pf
|
|
Announced: 2017-08-10
|
|
Credits: Kristof Provost, Vinícius Zavam, Paul Herman
|
|
Affects: FreeBSD 11.x
|
|
Corrected: 2017-07-20 17:15:18 UTC (stable/11, 11.1-STABLE)
|
|
2017-08-10 06:59:07 UTC (releng/11.1, 11.1-RELEASE-p1)
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
pf(4) is one of several packet filter available in FreeBSD, originally
|
|
written for OpenBSD. In addition to filtering packets, it also has packet
|
|
normalization capabilities.
|
|
|
|
II. Problem Description
|
|
|
|
A pf housekeeping thread (pf_purge_thread) could potentially use an
|
|
uninitialized variable, leading to a division by zero and a kernel panic.
|
|
|
|
III. Impact
|
|
|
|
Affected systems panic during startup.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems not loading the pf kernel module are
|
|
not affected. Once a system has started successfully it will not be at risk
|
|
of this problem until it is restarted.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/EN-17:08/pf.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-17:08/pf.patch.asc
|
|
# gpg --verify pf.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r321296
|
|
releng/11.1/ r322342
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220830>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-17:08.pf.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.21 (FreeBSD)
|
|
|
|
iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlmMBgEACgkQ7Wfs1l3P
|
|
aufndRAA3TYyp6qZzZ+m9Tp5pvDVLPwizN/k/6EkazC2nz1H9vlqG5l6Ho/N+QJ1
|
|
6rDfRw/K/+ijOoy0C/3WfUFeiu38DUnsbxE4LrBb+HterEOdLU1hZmmI5hTZqsoE
|
|
8wyV4kcEpapUn1cgb0FWKBaujTYhGc/+z62p3IrPC1mN+P8B5mkzTryYfXvaxA4E
|
|
3xBW/abjRIOh3bxQ9BPqGJBX/6Y+sle5XoHDDIvkmfzZU8sYjLFGXgeuxIfsh61h
|
|
iBl1q4Tq35EDCK6cOr0s+ksg3q2mTrFNQF2Be4jMX47n1M3d+VeqZpgoa7jqrVY5
|
|
Kv3nrhOaz4Wc/OdN1uxQW5Wxm2BS1/470/ghuOY4wVy59k/4n+esenzJyIeuG4vg
|
|
GUBa1ZPrsf9fR3PQgr9E047dPdc8WU7UEwHZfXuXjU6ywGd95siHVY4XB9aPYYYk
|
|
ZtzIHAuyOa8GANXjVvEsghSJ9nMleIGO7Tzn9zJ9W/gSxkMDy9EAP3Gaez9OVJko
|
|
zGq2TwhnSMdZjmnBpCuF9uZqyeAqDtyj77RYzV8RmhmT1e6dt+EU7Wf4KU3/3Zcr
|
|
mWq3wjBvbUJjDy2q9kpnGwnPmTDpXFFIXirgcxdj0QmyejVCRhM44d3UwFZQbxfj
|
|
5vL2WwnpytB2+RiNDjhpWVc1FAldM7B+M+vhwsFHcbKKT5S9ciA=
|
|
=cBQm
|
|
-----END PGP SIGNATURE-----
|