139 lines
5.3 KiB
Text
139 lines
5.3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-19:01.syscall Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: System call kernel data register leak
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2019-02-05
|
|
Credits: Konstantin Belousov
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2019-02-05 17:52:06 UTC (stable/12, 12.0-STABLE)
|
|
2019-02-05 18:05:05 UTC (releng/12.0, 12.0-RELEASE-p3)
|
|
2019-02-05 17:54:02 UTC (stable/11, 11.2-STABLE)
|
|
2019-02-05 18:07:45 UTC (releng/11.2, 11.2-RELEASE-p9)
|
|
CVE Name: CVE-2019-5595
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The FreeBSD/amd64 architecture defines the SYSCALL instruction for syscalls,
|
|
and uses registers calling conventions for passing syscalls arguments and
|
|
return values in addition to the registers usage imposed by the SYSCALL and
|
|
SYSRET instructions in long mode. In particular, the arguments are passed in
|
|
registers specified by the C ABI, and the content of the registers specified
|
|
as caller-save, is undefined after the return from syscall.
|
|
|
|
II. Problem Description
|
|
|
|
The callee-save registers are used by kernel and for some of them (%r8, %r10,
|
|
and for non-PTI configurations, %r9) the content is not sanitized before
|
|
return from syscalls, potentially leaking sensitive information.
|
|
|
|
III. Impact
|
|
|
|
Typically an address of some kernel data structure used in the syscall
|
|
implementation, is exposed.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date,
|
|
and reboot.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10m "Rebooting for security update"
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 12.0]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch.asc
|
|
# gpg --verify syscall.patch.asc
|
|
|
|
[FreeBSD 11.2]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch.asc
|
|
# gpg --verify syscall.patch.11.2.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r343781
|
|
releng/12.0/ r343788
|
|
stable/11/ r343782
|
|
releng/11.2/ r343789
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5595>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:01.syscall.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1X9fFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cKPZBAAlwCVtNNIuq0s8FB9LjLaVJww1WWmbVJbhw1TJyBV2yRCkWwGDLag3dJ0
|
|
EH8HwpWeL41lppjFeL6OMDZ2+wUnuShv3pAUGwodSRXsKWsp+aWqMPcNJifkVPxs
|
|
DENrziUHnXkbOnbnP25eA12j0ztCz8FjKoDh+wrjuY4BL8jzBK4ZJtmYaubrFEcD
|
|
GDStnEcvCNYDK8tf0rUW2lpv4oStTex5gFpZALPjq0g28kHPuctYzoOXOf9/So1i
|
|
0kwdstsIdgydsDCHv5nXij7IDohNo+5KEJuee1cIptKftmxPLuonXyP0PiO3WA0h
|
|
XQck1BbM5ENNm/0SOExctcqS+APXLf/VPhd2JwUPszRcYBV40pdqchkihoRXAKHs
|
|
Dthv+9k9KrgwUO0wsrOvIzK8vjnVC2unUCXnFNX3OD2pfxCjKvl1grKQ2lAsP4Pu
|
|
aP2VgPZyHbFKWQdOGaqOtM94CzXseXyYN3hgkNq+gPgDjkd7Xw8q5vu8d2QY/aYj
|
|
Re4aEfUOzf9S22SQT9g4kx2QfEnUuJnnae3BMeBqWGngtQ7TnTHWrw3wGhxxC2S8
|
|
iou+BzeCv9MRn74Fpzr/xnGRUwT+0wFJVd9N9QdpErRA59oo6X4TXNl6AvKHvxY7
|
|
1UurBJ5MqUGUUIeJg8Qv5HpgJML3BiotDbk+LwmMx7T2IL1dJdk=
|
|
=Aktj
|
|
-----END PGP SIGNATURE-----
|