diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-10:07.mbuf.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-10:07.mbuf.asc | 156 |
1 files changed, 0 insertions, 156 deletions
diff --git a/share/security/advisories/FreeBSD-SA-10:07.mbuf.asc b/share/security/advisories/FreeBSD-SA-10:07.mbuf.asc deleted file mode 100644 index ed29c55bbe..0000000000 --- a/share/security/advisories/FreeBSD-SA-10:07.mbuf.asc +++ /dev/null @@ -1,156 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -============================================================================= -FreeBSD-SA-10:07.mbuf Security Advisory - The FreeBSD Project - -Topic: Lost mbuf flag resulting in data corruption - -Category: core -Module: kern -Announced: 2010-07-13 -Credits: Ming Fu -Affects: FreeBSD 7.x and later. -Corrected: 2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE) - 2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE) - 2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4) - 2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE) - 2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2) - 2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13) -CVE Name: CVE-2010-2693 - -For general information regarding FreeBSD Security Advisories, -including descriptions of the fields above, security branches, and the -following sections, please visit <URL:http://security.FreeBSD.org/>. - -I. Background - -An mbuf is a basic unit of memory management in the FreeBSD kernel -inter-process communication and networking subsystem. Network packets -and socket buffers are dependent on mbufs for their storage. - -Data can be embedded directly in mbufs, or mbufs can instead reference -external buffers. The sendfile(2) system call uses external mbuf storage -to directly map the contents of a file into a chain of mbufs for -transmission purposes. The mbuf object supports a read-only flag that -must be honored to prevent modification or writes to buffer data in -cases like these. - -II. Problem Description - -The read-only flag is not correctly copied when a mbuf buffer reference -is duplicated. When the sendfile(2) system call is used to transmit -data over the loopback interface, this can result in the backing pages -for the transmitted file being modified, causing data corruption. - -III. Impact - -This data corruption can be exploited by an local attacker to escalate -their privilege by carefully controlling the corruption of system files. -It should be noted that the attacker can corrupt any file they have read -access to. - -NOTE: While systems without untrusted local users are not affected by -the security aspects of this issue, the potential for data corruption -implies that this should still be treated as a critical erratum. - -IV. Workaround - -No workaround is available. - -V. Solution - -Perform one of the following: - -1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the -RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated -after the correction date. - -2) To update your vulnerable system via a source code patch: - -The following patches have been verified to apply to FreeBSD 7.1, 7.3, -8.0 and 8.1 systems. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch -# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch.asc - -b) Apply the patch. - -# cd /usr/src -# patch < /path/to/patch - -c) Recompile your kernel as described in -<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the -system. - -3) To update your vulnerable system via a binary patch: - -Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or -amd64 platforms can be updated via the freebsd-update(8) utility: - -# freebsd-update fetch -# freebsd-update install - -Now reboot the system. - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. - -CVS: - -Branch Revision - Path -- ------------------------------------------------------------------------- -RELENG_7 - src/sys/kern/uipc_mbuf.c 1.174.2.4 -RELENG_7_3 - src/UPDATING 1.507.2.34.2.4 - src/sys/conf/newvers.sh 1.72.2.16.2.6 - src/sys/kern/uipc_mbuf.c 1.174.2.3.4.2 -RELENG_7_1 - src/UPDATING 1.507.2.13.2.16 - src/sys/conf/newvers.sh 1.72.2.9.2.17 - src/sys/kern/uipc_mbuf.c 1.174.2.2.2.2 -RELENG_8 - src/sys/kern/uipc_mbuf.c 1.185.2.3 -RELENG_8_1 - src/UPDATING 1.632.2.14.2.2 - src/sys/conf/newvers.sh 1.83.2.10.2.4 - src/sys/kern/uipc_mbuf.c 1.185.2.2.2.2 -RELENG_8_0 - src/UPDATING 1.632.2.7.2.7 - src/sys/conf/newvers.sh 1.83.2.6.2.7 - src/sys/kern/uipc_mbuf.c 1.185.2.1.2.2 -- ------------------------------------------------------------------------- - -Subversion: - -Branch/path Revision -- ------------------------------------------------------------------------- -stable/7/ r209964 -releng/7.3/ r209964 -releng/7.1/ r209964 -stable/8/ r209964 -releng/8.0/ r209964 -releng/8.1/ r209964 -- ------------------------------------------------------------------------- - -VII. References - -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2693 - -The latest revision of this advisory is available at -http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.10 (FreeBSD) - -iEYEARECAAYFAkw71A0ACgkQFdaIBMps37JOOACff8w8qvsgopj11FFAPQdwyPLB -JEQAniRHbomY2hJVw5FmrdQv3SP+ZziI -=Reds ------END PGP SIGNATURE----- |