Bug#712664: Fwd: Re: [rt.debian.org #4503] Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation

To: Steven Chamberlain <steven@pyro.eu.org>, 712664@bugs.debian.org
Cc: Christoph Egger <christoph@debian.org>
Subject: Bug#712664: Fwd: Re: [rt.debian.org #4503] Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation
From: Steven Chamberlain <steven@pyro.eu.org>
Date: Sun, 23 Jun 2013 14:35:53 +0100
Message-id: <[🔎] 51C6F9B9.8010604@pyro.eu.org>
Reply-to: Steven Chamberlain <steven@pyro.eu.org>, 712664@bugs.debian.org
In-reply-to: <[🔎] 51C40D2E.8040704@pyro.eu.org>
References: <rt-4.0.7-25172-1371794398-1865.4503-6-0@debian.org> <[🔎] 51C40D2E.8040704@pyro.eu.org>

Hi Christoph,

Did you have chance to build this yet or upload it to security-master?
If you did I may need to let the security team know it is in their queue.

Or otherwise, and if you are busy, I could maybe ask Robert to do it.  I
think we should hurry as has already been 5 days since the disclosure
and it was a pretty serious bug.

On 21/06/13 09:22, Steven Chamberlain wrote:
> Please could you upload 9.0-10+deb70.2 to security-master to match the
> attached debdiff.
> 
> [...]
> 
> -------- Original Message --------
> Subject: Re: [rt.debian.org #4503] Bug#712664: kfreebsd-9:
> CVE-2013-2171: Privilege escalation
> Date: Fri, 21 Jun 2013 05:59:59 +0000
> From: Salvatore Bonaccorso via RT <rt@rt.debian.org>
> Reply-To: rt@rt.debian.org
> To: steven@pyro.eu.org
> 
> Hi Steven
> 
> On Thu, Jun 20, 2013 at 02:56:57PM +0000, Steven Chamberlain via RT wrote:
>> Thu Jun 20 14:56:57 2013: Request 4503 was acted upon.
>> Transaction: Ticket created by steven@pyro.eu.org
>>        Queue: Security - Incoming
>>      Subject: Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation
>>        Owner: Nobody
>>   Requestors: steven@pyro.eu.org
>>       Status: new
>>  Ticket <URL: https://rt.debian.org/Ticket/Display.html?id=4503 >
>>
>>
>> Dear Security Team,
>>
>> Please could we upload to wheezy-security with the attached debdiff.
>>
>> A bug allows local privilege escalation, from any non-privileged user to
>> root.  I've verified it myself on Debian GNU/kFreeBSD (and that the fix
>> works) with a test procedure in [1], but already a more 'weaponised' PoC
>> was posted to a public forum on 2013-06-18.
>>
>> [1]: http://bugs.debian.org/712664#24
> 
> Thanks for your work! With the above, please upload to
> security-master.
> 
> Regards,
> Salvatore

-- 
Steven Chamberlain
steven@pyro.eu.org

diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog	2013-05-01 13:59:20.000000000 +0100
+++ kfreebsd-9-9.0/debian/changelog	2013-06-20 15:29:54.000000000 +0100
@@ -1,3 +1,12 @@
+kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high
+
+  * Team upload.
+  * Upload for wheezy-security
+  * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171:
+    Privilege escalation via mmap (Closes: #712664)
+
+ -- Steven Chamberlain <steven@pyro.eu.org>  Wed, 19 Jun 2013 20:36:54 +0100
+
 kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high
 
   * Upload for wheezy-security
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch
--- kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch	1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch	2013-06-19 20:49:15.000000000 +0100
@@ -0,0 +1,28 @@
+Description:
+ Fix a bug that allowed a tracing process (e.g. gdb) to write
+ to a memory-mapped file in the traced process's address space
+ even if neither the traced process nor the tracing process had
+ write access to that file. [13:06]
+ (CVE-2013-2171)
+Origin: vendor, http://security.freebsd.org/patches/SA-13:06/mmap.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc
+Bug-Debian: http://bugs.debian.org/712664
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=251902
+
+Index: kfreebsd-9-9.0/sys/vm/vm_map.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c	2011-07-06 21:06:44.000000000 +0100
++++ kfreebsd-9-9.0/sys/vm/vm_map.c	2013-06-18 13:39:13.104790989 +0100
+@@ -3704,6 +3704,12 @@
+ 		vm_map_unlock_read(map);
+ 		return (KERN_PROTECTION_FAILURE);
+ 	}
++	if ((fault_typea & VM_PROT_COPY) != 0 &&
++	    (entry->max_protection & VM_PROT_WRITE) == 0 &&
++	    (entry->eflags & MAP_ENTRY_COW) == 0) {
++		vm_map_unlock_read(map);
++		return (KERN_PROTECTION_FAILURE);
++	}
+ 
+ 	/*
+ 	 * If this page is not pageable, we have to get it for all possible
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series	2013-05-01 13:21:35.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/series	2013-06-19 20:49:15.000000000 +0100
@@ -9,6 +9,7 @@
 svn239447_SCTP_DoS.patch
 SA-12_08.linux.patch
 SA-13_05.nfsserver.patch
+SA-13_06.mmap.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff

Reply to:

Follow-Ups:
- Bug#712664: Fwd: Re: [rt.debian.org #4503] Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation
  - From: Christoph Egger <christoph@debian.org>

References:
- Bug#712664: Fwd: Re: [rt.debian.org #4503] Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation
  - From: Steven Chamberlain <steven@pyro.eu.org>

Prev by Date: Fwd: cxgbe
Next by Date: Bug#712664: Fwd: Re: [rt.debian.org #4503] Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation
Previous by thread: Bug#712664: Fwd: Re: [rt.debian.org #4503] Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation
Next by thread: Bug#712664: Fwd: Re: [rt.debian.org #4503] Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation
Index(es):
- Date
- Thread