diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-EN-22:27.loader.asc')
-rw-r--r-- | website/static/security/advisories/FreeBSD-EN-22:27.loader.asc | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-EN-22:27.loader.asc b/website/static/security/advisories/FreeBSD-EN-22:27.loader.asc new file mode 100644 index 0000000000..bfbb585e38 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:27.loader.asc @@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:27.loader Errata Notice + The FreeBSD Project + +Topic: UEFI loader failing to boot older amd64 kernels + +Category: core +Module: loader +Announced: 2022-11-01 +Affects: FreeBSD 13.1 +Corrected: 2022-10-14 03:06:13 UTC (stable/13, 13.1-STABLE) + 2022-11-01 18:03:25 UTC (releng/13.1, 13.1-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The UEFI loader is the first stage of the FreeBSD boot process on UEFI systems. +Loader is responsible for loading the boot configuration, kernel and modules, +and handing control off to the kernel. + +II. Problem Description + +As of FreeBSD 13.1, the UEFI loader on amd64 systems will detect if the kernel +it loaded is capable of being relocated to a different physical address than the +historical load address. This detection relied on an ELF symbol lookup that was +not correctly filtering symbols based on their type, which caused a false +positive result for older amd64 kernels. + +III. Impact + +The UEFI loader would relocate the kernel to a different physical address than +expected, and the resulting kernel would fail to boot. + +IV. Workaround + +This problem can be worked around by entering the loader prompt and issuing the +command: `copy_staging enable`. Non-amd64 systems are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. The UEFI system partition will +need to be updated with the new loader.efi. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:27/loader.patch +# fetch https://security.FreeBSD.org/patches/EN-22:27/loader.patch.asc +# gpg --verify loader.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 2b31059ea701 stable/13-n252746 +releng/13.1/ 1ee7e4ba70e1 releng/13.1-n250166 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:27.loader.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmNhmMsACgkQ05eS9J6n +5cIuFQ/+LdOLKHA1cCH70lEAIwbDjP3S+WPRcv/jdXl8h8447ZzKMcavy8/sTPRF +k91YVngHozGASdFfF4RrYf0kx1/hNhNMOaBQbZKdsEniKAOroiT+gjLCid5ZDoMJ +AQ8P3FohL+53Au8u96F4Shoq8y6zNx61twbZU4dh2rQh3pXjqcEa9fs21dcopmwQ +ssozddGqZeFhqYzvq47ZnBeny/M2vHtxkckbNZd616zCKTUuOGsdNb0kDqcxybZj +tQYQ9dZGbb96LFf2U/3lyhkrk9HK3zl/vdtbJYPvmN/6paCQYzjAxNgbYHJy3ABY +52+BbIeVqjHUffve+Jj0F3RWUGYmXeQ3nNPHCVQR801y0p39bH0nQAN03asHPzMb +wzIzDHXNMcs2qps3ZEBRarOgUOTVzaa90oZXQibp5xqqHyprf4LLOtjXFHSBui7f +AaK7NtEdlM8SbQ2+rSYPj4BTkn2b7wSBUcMA5dJMyqXmFUWx/K8OSnUwz+3ZCCPX +gx6zJxkfCmU9/DI/fN3w6SZvBDATleH6KJEsp8lCIw73ODhpYZgLNdMp8QqPRBoz +mT/j5zYDmONswHlgJ1Er9hivTGsW3H/vftn5Ct2kJgOkViFspUaVTcLgxhc5xKAC +PE2/JaHgfndyi8MdJY0WIylnVzquid+RkOPYaSAMaGA37Ios/XI= +=yeiP +-----END PGP SIGNATURE----- |