diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-EN-09:05.null.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-EN-09:05.null.asc | 185 |
1 files changed, 0 insertions, 185 deletions
diff --git a/share/security/advisories/FreeBSD-EN-09:05.null.asc b/share/security/advisories/FreeBSD-EN-09:05.null.asc deleted file mode 100644 index c2c388e988..0000000000 --- a/share/security/advisories/FreeBSD-EN-09:05.null.asc +++ /dev/null @@ -1,185 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -============================================================================= -FreeBSD-EN-09:05.null Errata Notice - The FreeBSD Project - -Topic: No zero mapping feature - -Category: core -Module: kern -Announced: 2009-10-02 -Credits: John Baldwin, Konstantin Belousov, Alan Cox, and Bjoern Zeeb -Affects: All supported versions of FreeBSD. -Corrected: 2009-10-02 18:09:56 UTC (RELENG_8, 8.0-RC2) - 2009-10-02 18:09:56 UTC (RELENG_7, 7.2-STABLE) - 2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4) - 2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8) - 2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE) - 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7) - 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13) - -For general information regarding FreeBSD Errata Notices and Security -Advisories, including descriptions of the fields above, security -branches, and the following sections, please visit -<URL:http://security.freebsd.org/>. - -I. Background - -In the C programming language, address 0 (NULL) is used to represent -unallocated memory. NULL pointer dereferences are a common class of C -programming bug in which pointers are not properly checked for NULL -before being used. Dereferencing a NULL pointer normally terminates -execution, via a segmentation fault for user processes, or a page -fault panic in the kernel. - -II. Problem Description - -On most architectures, the FreeBSD kernel splits the process virtual -memory address space into two portions: user and kernel. This -improves system call performance by avoiding a full address space -switch when a process enters the kernel, and improves performance for -kernel access to user memory. - -However, in this design, address 0 is part of the user-controlled -portion of the virtual address space. If the kernel dereferences a -NULL pointer due to a kernel bug, a malicious process that has mapped -code or data at address 0 may be able to manipulate kernel behavior. -For example, if a malicious user process maps code at address 0 and -then triggers a kernel bug in which a NULL function pointer is -invoked, the kernel may execute that code with kernel privilege rather -than panicking. - -III. Impact - -This errata patch introduces a mitigation feature in which user -mapping at address 0 is disallowed, limiting the attacker's ability to -convert a kernel NULL pointer dereference into a privilege escalation -attack. - -The feature is disabled by default in FreeBSD 7 and lower, and must be -enabled by setting the sysctl(8) variable security.bsd.map_at_zero to -0. In FreeBSD 8 and later feature is enabled by default. - -While extremely rare, certain applications may rely on mapping memory -at address 0. Careful testing is advised when enabling this feature -when using virtual machines, emulation technologies, and older a.out -format binaries. - -Changing the mentioned sysctl(8) variable only affects processes -started after the sysctl(8) variable was set. Processes started -before the sysctl(8) variable was changed will continue to run with -the setting of the sysctl(8) variable which existed when the processes -was started. - -Consequently, to ensure that the sysctl(8) variable affects all -processes, a reboot is required with the sysctl(8) variable configured -as mentioned below. - -IV. Workaround - -No workaround is available. - -V. Solution - -Perform one of the following: - -1) Upgrade your system to 6-STABLE, 7-STABLE, or 8-RC, or to the -RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch -dated after the correction date. - -Enable feature as mentioned below. - -2) To patch your present system: - -The following patches have been verified to apply to FreeBSD 6.3, 6.4, -7.1, and 7.2 systems. - -a) Download the relevant patch from the location below, and verify the - detached PGP signature using your PGP utility. - -[FreeBSD 7.x] -# fetch http://security.FreeBSD.org/patches/EN-09:05/null.patch -# fetch http://security.FreeBSD.org/patches/EN-09:05/null.patch.asc - -[FreeBSD 6.x] -# fetch http://security.FreeBSD.org/patches/EN-09:05/null6.patch -# fetch http://security.FreeBSD.org/patches/EN-09:05/null6.patch.asc - -NOTE WELL: The patch for FreeBSD 7.x can be used on FreeBSD 8, but -does not enable the feature by default! - -b) Apply the patch. - -# cd /usr/src -# patch < /path/to/patch - -c) Recompile your kernel as described in -<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the -system. - -To actually enable the feature in FreeBSD 6.x and 7.x, add the -following to either /boot/loader.conf or /etc/sysctl.conf: - - security.bsd.map_at_zero="0" - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. - -CVS: - -Branch Revision - Path -- ------------------------------------------------------------------------- -RELENG_6 - src/sys/kern/kern_exec.c 1.275.2.9 -RELENG_6_4 - src/UPDATING 1.416.2.40.2.11 - src/sys/conf/newvers.sh 1.69.2.18.2.13 - src/sys/kern/kern_exec.c 1.275.2.8.4.2 -RELENG_6_3 - src/UPDATING 1.416.2.37.2.18 - src/sys/conf/newvers.sh 1.69.2.15.2.17 - src/sys/kern/kern_exec.c 1.275.2.8.2.1 -RELENG_7 - src/sys/kern/kern_exec.c 1.308.2.11 -RELENG_7_2 - src/UPDATING 1.507.2.23.2.7 - src/sys/conf/newvers.sh 1.72.2.11.2.8 - src/sys/kern/kern_exec.c 1.308.2.8.2.2 -RELENG_7_1 - src/UPDATING 1.507.2.13.2.11 - src/sys/conf/newvers.sh 1.72.2.9.2.12 - src/sys/kern/kern_exec.c 1.308.2.6.2.2 -RELENG_8 - src/sys/kern/kern_exec.c 1.337.2.3 - src/sys/kern/init_main.c 1.303.2.2 -- ------------------------------------------------------------------------- - -Subversion: - -Branch/path Revision -- ------------------------------------------------------------------------- -stable/6/ r197715 -releng/6.4/ r197715 -releng/6.3/ r197715 -stable/7/ r197715 -releng/7.2/ r197715 -releng/7.1/ r197715 -stable/8/ r197714 -- ------------------------------------------------------------------------- - -VII. References - -The latest revision of this advisory is available at -http://security.FreeBSD.org/advisories/FreeBSD-EN-09:05.null.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.10 (FreeBSD) - -iD8DBQFKxltpFdaIBMps37IRAoniAJ9ENWQ431doaje7gXrAfAov5l0FKwCdFRxh -rTmlD1oew/hZTMBuFKM/LSI= -=+ZZf ------END PGP SIGNATURE----- |