144 lines
5.4 KiB
Text
144 lines
5.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-17:10.kldstat Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Information leak in kldstat(2)
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2017-11-15
|
|
Credits: Ilja van Sprundel
|
|
TJ Corley
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
|
|
2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
|
|
2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
|
|
2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
|
|
2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
|
|
2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
|
|
CVE Name: CVE-2017-1088
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
0. Revision history
|
|
|
|
v1.0 2017-11-15 Initial release.
|
|
v1.1 2017-11-20 Corrected credit. Ilja van Sprundel first reported the
|
|
issue to the project, but wasn't cited. The FreeBSD
|
|
Security Team apologizes to Ilja for this oversight.
|
|
|
|
I. Background
|
|
|
|
The kldstat(2) syscall provides information about loaded kld files. The
|
|
syscall takes a userland argument of struct kld_file_stat which is then
|
|
filled with data about the kld file requested.
|
|
|
|
II. Problem Description
|
|
|
|
The kernel does not properly clear the memory of the kld_file_stat
|
|
structure before filling the data. Since the structure filled by the
|
|
kernel is allocated on the kernel stack and copied to userspace, a leak
|
|
of information from the kernel stack is possible.
|
|
|
|
III. Impact
|
|
|
|
Some bytes from the kernel stack can be observed in userspace.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
|
|
# gpg --verify kldstat.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r325867
|
|
releng/10.3/ r325878
|
|
releng/10.4/ r325877
|
|
stable/11/ r325866
|
|
releng/11.0/ r325876
|
|
releng/11.1/ r325875
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloToOxfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
|
|
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
|
|
audl/RAAkPqcGvCMAHucBtZH2sySvM/1L1NTl0I61eJaDqgnjooo3hRq5J/dlNlt
|
|
zo48o2W0EOnr8QWJhVg1oADY5qxBVm8RldpAH1Y7lU1Pk1gw6buTvmlat9Y0TaRm
|
|
i3WCYe/yzC9X50x12dSu2QCeir+HDHrHB72KQDxPJak21e8BKq8vSq4cV3+K32IF
|
|
MmC0yTkwXM7JJti1wkztiNSwvcCT5cI0EOZrHxDOJk57zhmuUw3t+42mr4uZhLpd
|
|
Um/Hmqt3TS1LlL/swCcayeJGI5lrnfnIMZEUJj9aJZcRry6xrtaeppvgm3rP8Bym
|
|
IYBipTU16MGVU6PEdpxXZCkmhzrb5XkAHNnRbod/Ye4g5a+3tWeaivjxbrNRsJyc
|
|
7HkuvW41LX1+hJ2DJ/IJGKhz0yP+7//pXNJIkcF1iKOVnVIxz+49KPjj3ZHYhGu2
|
|
oI/w4EMTd4ODXmE+bZkwGGm3nbxlH3AIZmBL2x1MdmfO/NjUlB3tYupZ7K/wR/PD
|
|
V0OdrZTua7EpYSUDg04xuNkkxRwFMIVQ3XtE1HNCuV0BtQqZOcecKh9Alci5ZT6n
|
|
r+F3HhFthNsafwdXLka5zDev/qtSSxggZ75fj+BxPfCoQZSlYkegFg/9K1hXlE+c
|
|
H22TsCXMpLokZUKj2XKJQ8RsEZQ5Yr6wEFjsWHoeK5CPh/DyAYE=
|
|
=dgLX
|
|
-----END PGP SIGNATURE-----
|