141 lines
5.4 KiB
Text
141 lines
5.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-18:06.debugreg Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Mishandling of x86 debug exceptions
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2018-05-08
|
|
Credits: Nick Peterson, Everdox Tech LLC
|
|
https://www.linkedin.com/in/everdox
|
|
Andy Lutomirski
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2018-05-08 17:03:33 UTC (stable/11, 11.2-PRERELEASE)
|
|
2018-05-08 17:12:10 UTC (releng/11.1, 11.1-RELEASE-p10)
|
|
2018-05-08 17:05:39 UTC (stable/10, 10.4-STABLE)
|
|
2018-05-08 17:12:10 UTC (releng/10.4, 10.4-RELEASE-p9)
|
|
CVE Name: CVE-2018-8897
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
On x86 architecture systems, the stack is represented by the combination of
|
|
a stack segment and a stack pointer, which must remain in sync for proper
|
|
operation. Instructions related to manipulating the stack segment have
|
|
special handling to facilitate consistency with changes to the stack pointer.
|
|
|
|
II. Problem Description
|
|
|
|
The MOV SS and POP SS instructions inhibit debug exceptions until the
|
|
instruction boundary following the next instruction. If that instruction is
|
|
a system call or similar instruction that transfers control to the operating
|
|
system, the debug exception will be handled in the kernel context instead of
|
|
the user context.
|
|
|
|
III. Impact
|
|
|
|
An authenticated local attacker may be able to read sensitive data in kernel
|
|
memory, control low-level operating system functions, or may panic the
|
|
system.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date,
|
|
using either a binary or source code patch, and then reboot.
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
And reboot.
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.1]
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch.asc
|
|
# gpg --verify debugreg.11.1.patch.asc
|
|
|
|
[FreeBSD 10.4]
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch.asc
|
|
# gpg --verify debugreg.10.4.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile and install your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r333370
|
|
releng/10.4/ r333371
|
|
stable/11/ r333369
|
|
releng/11.1/ r333371
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:06.debugreg.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrx3HhfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cK/jhAAmPPCFZRMvbyG0VBCBqo5COFZ/32IMOWFDGMlsSi+CEgcGM51SzYZi97c
|
|
zsT/2RgMsvBdggk41wvXqp1gKxgIbJe22af7l+D18e6rDEesueJqSiizcHmfGQul
|
|
X+ZRUkFxTkCNz0Ajp4clqbavuHNiCmiKmH/0X8LMk31SXIVE3oH0Pphf0W8qJqxz
|
|
4k2nvc6NoPWEMVA0rsj3n6sB0NhvV1ddLLmGpoDgedSyz77PCDgWGMoh5ny5sY12
|
|
tHNB1r+gL624Y0l8xoyVJP0Snk0emzeQQ5HOTa8DRIwD/a0Uxy+xKcvDMorW9U6M
|
|
zsxrMs9EwSJYpwLxsQ/YVTgFvyQbkHXFXg56hxqUvnnEEahGfF47d/9x2lyzDr8r
|
|
H+ncl9a+PfOCJ5OcwkjzorQv+Pq65JFlc15bxLS+zyU4g6yJDnHdk7Azbc60Uwq/
|
|
chauKmosm1I1CVH60JG00rmvoiX7b5ZRdEGEzAFt4XIX+EuXPnI84C5DxiD1YG+3
|
|
n7IygNZNGtGfIrNhWEn2VK+VGzFEm2p4RkreWbGwrWQIxfd5gOJxvjAPSwjgy5rl
|
|
dwRW7bMzowIGnrlzCF18Qc2xnFD31JPYDdsI+Fa8d1YkCVWRZ79VX57Locw50/de
|
|
c5nZRJGk4AQ1lXxkNTkxWnstfb/q8fBVPkIEQKVHpVnGiI/pQpQ=
|
|
=Oyxs
|
|
-----END PGP SIGNATURE-----
|