3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
94 lines
3.1 KiB
Text
94 lines
3.1 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-99:02 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: Profiling Across Exec Calls
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 1999-09-04
|
|
Affects: FreeBSD 3.2 (and earlier)
|
|
FreeBSD-current before the correction date.
|
|
Corrected: FreeBSD-3.3 RELEASE
|
|
FreeBSD-current as of August 11, 1999
|
|
FreeBSD-3.2-stable as of August 22, 1999
|
|
FreeBSD only: No
|
|
|
|
Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:02/
|
|
|
|
I. Background
|
|
|
|
FreeBSD provides a mechanism to profile a running executable to aid in
|
|
performance tuning. This can be accomplished via a kernel mechanism
|
|
to statistically sample the program counter of the program under
|
|
profile.
|
|
|
|
II. Problem Description
|
|
|
|
A flaw exists in the implementation which allows an attacker to cause
|
|
arbitrary locations in program executed by the attacker.
|
|
|
|
III. Impact
|
|
|
|
No attacks against using this vulnerability this are known at this
|
|
time. An attacker could theoretically gain root access from a
|
|
carefully crafted attack.
|
|
|
|
IV. Workaround
|
|
|
|
Since profiling is done in the kernel via the profil(2) system call,
|
|
one must patch the kernel so no workaround is possible.
|
|
|
|
V. Solution
|
|
|
|
Apply the following patch. It will apply to both FreeBSD-current before
|
|
the resolution date and to 3.2-stable before the resolution date.
|
|
|
|
Index: kern_exec.c
|
|
===================================================================
|
|
RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/kern_exec.c,v
|
|
retrieving revision 1.99
|
|
retrieving revision 1.100
|
|
diff -u -r1.99 -r1.100
|
|
--- kern_exec.c 1999/04/27 11:15:55 1.99
|
|
+++ kern_exec.c 1999/08/11 20:35:38 1.100
|
|
@@ -228,6 +228,9 @@
|
|
fdfree(p);
|
|
p->p_fd = tmp;
|
|
}
|
|
+
|
|
+ /* Stop profiling */
|
|
+ stopprofclock(p);
|
|
|
|
/* close files on exec */
|
|
fdcloseexec(p);
|
|
|
|
|
|
=============================================================================
|
|
FreeBSD, Inc.
|
|
|
|
Web Site: http://www.freebsd.org/
|
|
Confidential contacts: security-officer@freebsd.org
|
|
Security notifications: security-notifications@freebsd.org
|
|
Security public discussion: freebsd-security@freebsd.org
|
|
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
|
|
|
|
Notice: Any patches in this document may not apply cleanly due to
|
|
modifications caused by digital signature or mailer software.
|
|
Please reference the URL listed at the top of this document
|
|
for original copies of all patches if necessary.
|
|
=============================================================================
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.3ia
|
|
Charset: noconv
|
|
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
|
|
|
|
iQCVAwUBN9P1W1UuHi5z0oilAQFlZAQAmlNRAyLLiS1u22U/2+KeljeXqlkOtKUy
|
|
iao/qY4Gp8cnzU3cTt0kEoBKi3htfo8LbW0xJwfdAn62+j9m7av8vv35QpayQnVN
|
|
Z8RuLFHiSgF9ZSWUHY63hzKgGyImYyaTadg8Y0yURuULOUt6K0C8e5iLW6jFAXbn
|
|
aNvXOImEY5Q=
|
|
=IxuE
|
|
-----END PGP SIGNATURE-----
|