132 lines
4.7 KiB
Text
132 lines
4.7 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-18:10.syscall Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: NULL pointer dereference in freebsd4_getfsstat system call
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2018-09-27
|
|
Credits: Thomas Barabosch, Fraunhofer FKIE
|
|
Affects: FreeBSD 11.x
|
|
Corrected: 2018-09-27 18:54:41 UTC (stable/11, 11.1-STABLE)
|
|
2018-09-27 18:32:14 UTC (releng/11.2, 11.2-RELEASE-p4)
|
|
2018-09-27 18:32:14 UTC (releng/11.1, 11.1-RELEASE-p15)
|
|
CVE Name: CVE-2018-17154
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The freebsd4_getfsstat system call returns information about all mounted file
|
|
systems in a binary format compatible with FreeBSD 4.x. Part of the call
|
|
includes passing in a userland allocated buffer for the system call to fill
|
|
along with the size of the buffer.
|
|
|
|
II. Problem Description
|
|
|
|
Insufficient checking occurs on the buffer when a very large buffer size causes
|
|
memory allocation to fail. Resulting code attempts to free the NULL pointer.
|
|
|
|
III. Impact
|
|
|
|
A local unprivileged user may cause a denial of service using a specially
|
|
crafted binary.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.x]
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:10/syscall-11.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:10/syscall-11.patch.asc
|
|
# gpg --verify syscall-11.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r338987
|
|
releng/11.1/ r338979
|
|
releng/11.2/ r338979
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17154>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:10.syscall.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKSBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlutKT9fFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cJMqQ/4ycdylBNCX0cqFDYrtDU0OJO0mEi2LKqCM31YzOCLbKLtVSq06rxOj/E9
|
|
0okWag0NxaGIo2+7+b/hykDwL+1Rwpa5YNdODESRYQeW0OVdnmy/JSB/8q2I2BwX
|
|
PrqMc38sc9YuCz202B7tj4CQRKyhe2/qWRXANzh4jolC8zIuP7zAH6bMO+jc4XJS
|
|
9qe2YdvChWiwLJXOSXaqZf1xY1jY08+lRGDx03n13OLRN8PZdbIoDEmOd2/vxhcV
|
|
YRcDH0axLJSyngknPE9gU8iVZDunxpNBool5hJYDd8rBbAfypXWSDZ7wJGUn7tUZ
|
|
3Cj/NPmZ9auMTGLgpRJB/bhgCnn3mZQ5QjR1egonZf3uIlTWZ+0C9GhJjh5cw+2p
|
|
3hF+202uJicNm5TSkO6QpavVVvQNFcuCR54ZvXEICv3YNam3yDupGWsbjHloxoCw
|
|
7A/wmBBcbtAJ7ujzgPm4+yN5Vno4dcPmkIfW9bz0fwXzYF1VEaF5pZZu7a9bjdI0
|
|
xHBk2v77NIRBxC5i1KK5R5Guj0UY0EvkclBTF4Twh3TP0SAPN+5sqpmBRQwPGEdp
|
|
9v5TPQv5DJn0KTJwkdrrP+70WIYkfcUVJ9hJYbXAMXseN1q3mTggS/ypF9ckTP0Z
|
|
D1hQuUySz07GInHlJ+znS8CzVSj/iWqsxThBBbwgy1a4haxr5A==
|
|
=HCqG
|
|
-----END PGP SIGNATURE-----
|