3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
201 lines
6.5 KiB
Text
201 lines
6.5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-98:04 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: security compromise via mmap
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 1998-06-02
|
|
Affects: FreeBSD 2.2.*, FreeBSD-stable before 1998/05/24
|
|
and FreeBSD-current before 1998/05/19 suffer from
|
|
this problem.
|
|
Corrected: FreeBSD-current as of 1998/05/19
|
|
FreeBSD-stable as of 1998/05/24
|
|
FreeBSD only: no (also other 4.4BSD based systems may be affected)
|
|
|
|
Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:04/
|
|
|
|
=============================================================================
|
|
IMPORTANT MESSAGE: The FreeBSD security officer now uses the policy
|
|
ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/FreeBSD/POLICY
|
|
for sending out advisories.
|
|
=============================================================================
|
|
|
|
I. Background
|
|
|
|
The 4.4BSD VM system allows files to be "memory mapped", which
|
|
causes the specified contents of a file to be made available
|
|
to a process via its address space. Manipulations of that file
|
|
can then be performed simply by manipulating memory, rather
|
|
than using filesystem I/O calls. This technique is used to
|
|
simplify code, speed up access to files, and provide interprocess
|
|
communication.
|
|
|
|
In 4.4BSD, 4 new FFS flags were added that give the possibility
|
|
to mark files as append-only or immutable.
|
|
|
|
II. Problem Description
|
|
|
|
It is possible for a process to open an append-only file
|
|
according to the limitations of the flags, and then mmap the
|
|
file shared with write permission even when the file is marked
|
|
as append-only or immutable. This circumvents the concept of
|
|
the the append-only flag.
|
|
|
|
III. Impact
|
|
|
|
It is possible to change the contents of append-only files.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is known.
|
|
|
|
V. Solution
|
|
|
|
|
|
Apply one of the following patches, rebuild your kernel,
|
|
install it and reboot your system.
|
|
|
|
The patches below can be found on
|
|
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:04/
|
|
|
|
NOTE: Users of FreeBSD 2.2.5 or FreeBSD-current or FreeBSD-stable
|
|
dated before 1998/03/12 will need to apply the patch mentioned in
|
|
FreeBSD advisory SA-98:02.
|
|
|
|
|
|
Patch for 3.0-current systems:
|
|
|
|
Index: vm_mmap.c
|
|
===================================================================
|
|
RCS file: /home/cvsup/freebsd/CVS/src/sys/vm/vm_mmap.c,v
|
|
retrieving revision 1.75
|
|
retrieving revision 1.77
|
|
diff -u -r1.75 -r1.77
|
|
--- vm_mmap.c 1998/03/12 19:36:18 1.75
|
|
+++ vm_mmap.c 1998/05/19 07:13:21 1.77
|
|
@@ -58,6 +58,7 @@
|
|
#include <sys/file.h>
|
|
#include <sys/mman.h>
|
|
#include <sys/conf.h>
|
|
+#include <sys/stat.h>
|
|
#include <sys/vmmeter.h>
|
|
|
|
#include <miscfs/specfs/specdev.h>
|
|
@@ -295,12 +296,25 @@
|
|
* we're at securelevel < 1, to allow the XIG X server
|
|
* to continue to work.
|
|
*/
|
|
- if (((flags & MAP_SHARED) != 0 ||
|
|
- (vp->v_type == VCHR && disablexworkaround)) &&
|
|
- (fp->f_flag & FWRITE) == 0 && (prot & PROT_WRITE) != 0)
|
|
- return (EACCES);
|
|
- else
|
|
+
|
|
+ if ((flags & MAP_SHARED) != 0 ||
|
|
+ (vp->v_type == VCHR && disablexworkaround)) {
|
|
+ if ((fp->f_flag & FWRITE) != 0) {
|
|
+ struct vattr va;
|
|
+ if ((error =
|
|
+ VOP_GETATTR(vp, &va,
|
|
+ p->p_ucred, p)))
|
|
+ return (error);
|
|
+ if ((va.va_flags &
|
|
+ (IMMUTABLE|APPEND)) == 0)
|
|
+ maxprot |= VM_PROT_WRITE;
|
|
+ else if (prot & PROT_WRITE)
|
|
+ return (EPERM);
|
|
+ } else if ((prot & PROT_WRITE) != 0)
|
|
+ return (EACCES);
|
|
+ } else
|
|
maxprot |= VM_PROT_WRITE;
|
|
+
|
|
handle = (void *)vp;
|
|
}
|
|
}
|
|
|
|
Patch for 2.2 systems:
|
|
|
|
Index: vm_mmap.c
|
|
===================================================================
|
|
RCS file: /home/cvsup/freebsd/CVS/src/sys/vm/vm_mmap.c,v
|
|
retrieving revision 1.53.2.3
|
|
retrieving revision 1.53.2.4
|
|
diff -u -r1.53.2.3 -r1.53.2.4
|
|
--- vm_mmap.c 1998/03/12 19:36:50 1.53.2.3
|
|
+++ vm_mmap.c 1998/05/24 19:47:02 1.53.2.4
|
|
@@ -57,6 +57,7 @@
|
|
#include <sys/file.h>
|
|
#include <sys/mman.h>
|
|
#include <sys/conf.h>
|
|
+#include <sys/stat.h>
|
|
#include <sys/vmmeter.h>
|
|
|
|
#include <miscfs/specfs/specdev.h>
|
|
@@ -275,12 +276,26 @@
|
|
* we're at securelevel < 1, to allow the XIG X server
|
|
* to continue to work.
|
|
*/
|
|
- if (((flags & MAP_SHARED) != 0 ||
|
|
- (vp->v_type == VCHR && disablexworkaround)) &&
|
|
- (fp->f_flag & FWRITE) == 0 && (prot & PROT_WRITE) != 0)
|
|
- return (EACCES);
|
|
- else
|
|
+
|
|
+ if ((flags & MAP_SHARED) != 0 ||
|
|
+ (vp->v_type == VCHR && disablexworkaround)) {
|
|
+ if ((fp->f_flag & FWRITE) != 0) {
|
|
+ struct vattr va;
|
|
+
|
|
+ if ((error =
|
|
+ VOP_GETATTR(vp, &va,
|
|
+ p->p_ucred, p)))
|
|
+ return (error);
|
|
+ if ((va.va_flags &
|
|
+ (IMMUTABLE|APPEND)) == 0)
|
|
+ maxprot |= VM_PROT_WRITE;
|
|
+ else if (prot & PROT_WRITE)
|
|
+ return (EPERM);
|
|
+ } else if ((prot & PROT_WRITE) != 0)
|
|
+ return (EACCES);
|
|
+ } else
|
|
maxprot |= VM_PROT_WRITE;
|
|
+
|
|
handle = (caddr_t) vp;
|
|
}
|
|
}
|
|
|
|
VI. Thanks
|
|
|
|
This advisory is based on NetBSD Security Advisory 1998-003.
|
|
In porting the NetBSD patch, we accidentally mentioned that we
|
|
obtained the patch from OpenBSD, which was evidently wrong.
|
|
|
|
=============================================================================
|
|
FreeBSD, Inc.
|
|
|
|
Web Site: http://www.freebsd.org/
|
|
Confidential contacts: security-officer@freebsd.org
|
|
Security notifications: security-notifications@freebsd.org
|
|
Security public discussion: freebsd-security@freebsd.org
|
|
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
|
|
|
|
Notice: Any patches in this document may not apply cleanly due to
|
|
modifications caused by digital signature or mailer software.
|
|
Please reference the URL listed at the top of this document
|
|
for original copies of all patches if necessary.
|
|
=============================================================================
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.3ia
|
|
Charset: noconv
|
|
|
|
iQCVAwUBNXWJC1UuHi5z0oilAQG3nAP9GjmOtlc1WxPJjcbRwvXmKzhRInCfuVTL
|
|
f5k7dAyFmUmo6wnyQwsBoQUsa7d/kS0YCnfTIkFYrGkFvBa8hnw/i9VVdMFaUFFV
|
|
kTo6YLQfgG35znTxftACAs4uzjeRbh/6dr1YsERYxWNW0PabKbYfjMQapmY5GUVm
|
|
px3WF/jRI5k=
|
|
=Umgx
|
|
-----END PGP SIGNATURE-----
|