Re: kfreebsd-9: multiple issues
Hi,
> On Mon, Jun 02, 2014 at 01:59:29PM +0100, Steven Chamberlain wrote:
>> This debdiff would backport the patches to kfreebsd-9 for
>> wheezy-security. kfreebsd-9 is due for removal from sid/jessie any time
>> now so we don't plan to fix it there.
Upstream publicly announced CVE-2014-3880 today. Attached debdiff adds
a link to their advisory, and renames the patch file to
EN-14_06.exec.patch, to exactly match the upstream name for this bug.
Upstream announced another kernel security bug today but it didn't
affect us.
On 02/06/14 13:51, Moritz Muehlenhoff wrote:
> Aurelien is usually taking care of kfreebsd security updates.
I'm glad he is on the security team now, but we can't be completely
dependent on just one person in case we want to patch a kfreebsd
vulnerability quickly. (I didn't get a reply from him at all to my last
request for a security upload on 2014-04-09).
In case we don't hear from him by tomorrow, would some other person on
the team be able to check/approve this please? Is there any more work I
could do myself to make it easier for a non-kfreebsd person? e.g. I've
provided text to use for the DSA.
At least one other kfreebsd porter will be checking the upload anyway
because I don't have DM/DD status to dput this myself.
Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2014-01-28 21:09:41.000000000 +0000
+++ kfreebsd-9-9.0/debian/changelog 2014-06-02 11:52:28.000000000 +0000
@@ -1,3 +1,17 @@
+kfreebsd-9 (9.0-10+deb70.7) wheezy-security; urgency=high
+
+ * Team upload.
+ * Upload for wheezy-security
+ * Pick SVN 264285 from FreeBSD 9-STABLE to fix SA-14:05 / CVE-2014-1453:
+ Deadlock in the NFS server (Closes: #743984)
+ * Pick SVN 265123 from FreeBSD 9-STABLE to fix SA-14:08 / CVE-2014-3000:
+ TCP reassembly vulnerability (Closes: #746951)
+ * Pick SVN 266585 from FreeBSD 9-STABLE to fix EN-14:06 / CVE-2014-3880:
+ Triple fault on execve from 64-bit thread to 32-bit process
+ (Closes: 743141)
+
+ -- Steven Chamberlain <steven@pyro.eu.org> Tue, 08 Apr 2014 23:41:22 +0000
+
kfreebsd-9 (9.0-10+deb70.6) stable; urgency=low
* Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable
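Review bot: the trailer date `Tue, 08 Apr 2014 23:41:22 +0000` predates the EN-14:06 / CVE-2014-3880 item added to this entry in June (the EN-14_06.exec.patch file in this debdiff is timestamped 2014-06-03), so refresh the timestamp (dch -r) before upload. Also, the third item's `(Closes: 743141)` drops the `#` that the two items above it use; write `(Closes: #743141)` for consistency, and `* Upload for wheezy-security` lacks the trailing full stop the other bullets have.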
diff -Nru kfreebsd-9-9.0/debian/patches/EN-14_06.exec.patch kfreebsd-9-9.0/debian/patches/EN-14_06.exec.patch
--- kfreebsd-9-9.0/debian/patches/EN-14_06.exec.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/EN-14_06.exec.patch 2014-06-03 20:38:17.000000000 +0000
@@ -0,0 +1,70 @@
+Description:
+ Fix triple fault on execve from 64-bit thread to 32-bit process. [EN-14:06]
+ (CVE-2014-3880)
+Origin: backport, commit:266585
+Bug: http://security.freebsd.org/advisories/FreeBSD-EN-14:06.exec.asc
+Bug-Debian: http://bugs.debian.org/743141
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=266585
+
+--- kfreebsd-9-9.0.orig/sys/sys/proc.h
++++ kfreebsd-9-9.0/sys/sys/proc.h
+@@ -412,6 +412,7 @@
+ #define TDP_CALLCHAIN 0x00400000 /* Capture thread's callchain */
+ #define TDP_IGNSUSP 0x00800000 /* Permission to ignore the MNTK_SUSPEND* */
+ #define TDP_AUDITREC 0x01000000 /* Audit record pending on thread */
++#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
+
+ /*
+ * Reasons that the current thread can not be run yet.
+--- kfreebsd-9-9.0.orig/sys/kern/kern_exec.c
++++ kfreebsd-9-9.0/sys/kern/kern_exec.c
+@@ -279,6 +279,7 @@
+ struct mac *mac_p;
+ {
+ struct proc *p = td->td_proc;
++ struct vmspace *oldvmspace;
+ int error;
+
+ AUDIT_ARG_ARGV(args->begin_argv, args->argc,
+@@ -295,6 +296,8 @@
+ PROC_UNLOCK(p);
+ }
+
++ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
++ oldvmspace = td->td_proc->p_vmspace;
+ error = do_execve(td, args, mac_p);
+
+ if (p->p_flag & P_HADTHREADS) {
+@@ -309,6 +312,12 @@
+ thread_single_end();
+ PROC_UNLOCK(p);
+ }
++ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
++ KASSERT(td->td_proc->p_vmspace != oldvmspace,
++ ("oldvmspace still used"));
++ vmspace_free(oldvmspace);
++ td->td_pflags &= ~TDP_EXECVMSPC;
++ }
+
+ return (error);
+ }
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c
++++ kfreebsd-9-9.0/sys/vm/vm_map.c
+@@ -3574,6 +3574,8 @@
+ struct vmspace *oldvmspace = p->p_vmspace;
+ struct vmspace *newvmspace;
+
++ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
++ ("vmspace_exec recursed"));
+ newvmspace = vmspace_alloc(minuser, maxuser);
+ if (newvmspace == NULL)
+ return (ENOMEM);
+@@ -3590,7 +3592,7 @@
+ PROC_VMSPACE_UNLOCK(p);
+ if (p == curthread->td_proc)
+ pmap_activate(curthread);
+- vmspace_free(oldvmspace);
++ curthread->td_pflags |= TDP_EXECVMSPC;
+ return (0);
+ }
+
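Review bot: the new flag `#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */` is placed after `TDP_AUDITREC 0x01000000` but does not take the next free bit, and the hunk shows only three neighbouring definitions; before upload, confirm against the full kfreebsd-9 proc.h that 0x40000000 is not already assigned to another TDP_ flag in this tree, and keep the value identical to upstream r266585 so later backports stay aligned. The deferred free itself reads correctly: vmspace_exec no longer calls `vmspace_free(oldvmspace)` but sets the flag, and kern_execve releases the saved `oldvmspace` only after do_execve has returned and the thread_single_end()/PROC_UNLOCK(p) section is over, with the two KASSERTs guarding nested entry. One nit: `oldvmspace = td->td_proc->p_vmspace;` could use the local `p`, which is already `td->td_proc`.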
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch 2014-04-09 00:00:31.000000000 +0000
@@ -0,0 +1,75 @@
+Description:
+ Fix NFS deadlock vulnerability. [SA-14:05] (CVE-2014-1453)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:05/nfsserver.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:05.nfsserver.asc
+Bug-Debian: http://bugs.debian.org/743984
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=264285
+
+--- kfreebsd-9-9.0.orig/sys/fs/nfsserver/nfs_nfsdserv.c
++++ kfreebsd-9-9.0/sys/fs/nfsserver/nfs_nfsdserv.c
+@@ -1446,10 +1446,23 @@
+ nfsvno_relpathbuf(&fromnd);
+ goto out;
+ }
++ /*
++ * Unlock dp in this code section, so it is unlocked before
++ * tdp gets locked. This avoids a potential LOR if tdp is the
++ * parent directory of dp.
++ */
+ if (nd->nd_flag & ND_NFSV4) {
+ tdp = todp;
+ tnes = *toexp;
+- tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred, p, 0);
++ if (dp != tdp) {
++ NFSVOPUNLOCK(dp, 0);
++ tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
++ p, 0); /* Might lock tdp. */
++ } else {
++ tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
++ p, 1);
++ NFSVOPUNLOCK(dp, 0);
++ }
+ } else {
+ tfh.nfsrvfh_len = 0;
+ error = nfsrv_mtofh(nd, &tfh);
+@@ -1470,10 +1483,12 @@
+ tnes = *exp;
+ tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
+ p, 1);
++ NFSVOPUNLOCK(dp, 0);
+ } else {
++ NFSVOPUNLOCK(dp, 0);
+ nd->nd_cred->cr_uid = nd->nd_saveduid;
+ nfsd_fhtovp(nd, &tfh, LK_EXCLUSIVE, &tdp, &tnes, NULL,
+- 0, p);
++ 0, p); /* Locks tdp. */
+ if (tdp) {
+ tdirfor_ret = nfsvno_getattr(tdp, &tdirfor,
+ nd->nd_cred, p, 1);
+@@ -1488,7 +1503,7 @@
+ if (error) {
+ if (tdp)
+ vrele(tdp);
+- vput(dp);
++ vrele(dp);
+ nfsvno_relpathbuf(&fromnd);
+ nfsvno_relpathbuf(&tond);
+ goto out;
+@@ -1503,7 +1518,7 @@
+ }
+ if (tdp)
+ vrele(tdp);
+- vput(dp);
++ vrele(dp);
+ nfsvno_relpathbuf(&fromnd);
+ nfsvno_relpathbuf(&tond);
+ goto out;
+@@ -1512,7 +1527,7 @@
+ /*
+ * Done parsing, now down to business.
+ */
+- nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 1, exp, p, &fdirp);
++ nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 0, exp, p, &fdirp);
+ if (nd->nd_repstat) {
+ if (nd->nd_flag & ND_NFSV3) {
+ nfsrv_wcc(nd, fdirfor_ret, &fdirfor, fdiraft_ret,
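Review bot: the vput(dp) to vrele(dp) conversions at @@ -1488 and @@ -1503 are only correct if every path reaching them has already dropped the dp lock. The NFSv4 branch unlocks in both arms of `if (dp != tdp)`, and the NFSv3 branch unlocks in both arms of its if/else, but the hunk at @@ -1470 begins in the middle of the NFSv3 path, so the error return that follows `error = nfsrv_mtofh(nd, &tfh);` (just before the first hunk ends) is not visible here; check in the 9.0 source that this path still uses vput or unlocks dp before reaching the shared error exit. The changed fourth argument in `nfsvno_namei(nd, &fromnd, dp, 0, exp, p, &fdirp);` is consistent with dp being unlocked at that point, assuming that parameter conveys dp's lock state. Since the header says `Origin: vendor`, also confirm the vendor patch applied to the older 9.0 file without fuzz or offset.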
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_08.tcp.patch kfreebsd-9-9.0/debian/patches/SA-14_08.tcp.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_08.tcp.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_08.tcp.patch 2014-06-02 11:49:59.000000000 +0000
@@ -0,0 +1,37 @@
+Description:
+ Fix TCP reassembly vulnerability. [SA-14:08] (CVE-2014-3000)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:08/tcp.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:08.tcp.asc
+Bug-Debian: http://bugs.debian.org/746951
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=265123
+
+--- kfreebsd-9-9.0.orig/sys/netinet/tcp_reass.c
++++ kfreebsd-9-9.0/sys/netinet/tcp_reass.c
+@@ -211,7 +211,7 @@
+ * Investigate why and re-evaluate the below limit after the behaviour
+ * is understood.
+ */
+- if (th->th_seq != tp->rcv_nxt &&
++ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+ V_tcp_reass_overflows++;
+ TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -234,7 +234,7 @@
+ */
+ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ if (te == NULL) {
+- if (th->th_seq != tp->rcv_nxt) {
++ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ TCPSTAT_INC(tcps_rcvmemdrop);
+ m_freem(m);
+ *tlenp = 0;
+@@ -282,7 +282,8 @@
+ TCPSTAT_INC(tcps_rcvduppack);
+ TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ m_freem(m);
+- uma_zfree(V_tcp_reass_zone, te);
++ if (te != &tqs)
++ uma_zfree(V_tcp_reass_zone, te);
+ tp->t_segqlen--;
+ /*
+ * Try to present any queued data
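Review bot: the third hunk's `if (te != &tqs)` guard refers to `tqs`, which this patch does not declare, so it assumes the kfreebsd-9 (9.0) tcp_reass.c already has the stack-allocated `tqs` entry that the `if (te == NULL)` allocation-failure path presumably falls back to; if the 9.0 file predates that variable the patch will not compile, so confirm before upload (the DSA text's mention of undefined on-stack memory being reused matches such an object). The first two hunks extend both the queue-limit check and the allocation-failure check with `!TCPS_HAVEESTABLISHED(tp->t_state)`, so segments arriving before the connection is established now take the drop path rather than the stack entry, which is the intent of the advisory fix.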
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series 2014-01-22 22:15:54.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/series 2014-06-03 20:38:17.000000000 +0000
@@ -18,6 +18,9 @@
disable_via_rng.diff
EN-14_02.mmap.patch
fix_lseek_zfs.diff
+SA-14_05.nfsserver.patch
+SA-14_08.tcp.patch
+EN-14_06.exec.patch
# Other patches that might or might not be mergeable
001_misc.diff
Package : kfreebsd-9
CVE ID : CVE-2014-1453 CVE-2014-3000 CVE-2014-3880
Several vulnerabilities have been discovered in the FreeBSD kernel that may
lead to a denial of service or possible disclosure of kernel memory. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2014-1453
An attacker on a trusted client could cause the NFS server to become
deadlocked, resulting in a denial of service.
CVE-2014-3000
An attacker who can send a series of specifically crafted packets with a
connection could cause a denial of service situation by causing the kernel
to crash.
Additionally, because the undefined on stack memory may be overwritten by
other kernel threads, while extremely difficult, it may be possible for
an attacker to construct a carefully crafted attack to obtain a portion of
kernel memory via a connected socket. This may result in the disclosure of
sensitive information such as login credentials, etc. before or even
without crashing the system.
CVE-2014-3880
A local attacker can trigger a kernel crash (triple fault) with potential
data loss, related to the execve system call. Reported by Ivo De Decker.
For the stable distribution (wheezy), these problems have been fixed in
version 9.0-10+deb70.7.
For the unstable distribution (sid), these problems have been fixed in
the kfreebsd-10 package version 10.0-6.
We recommend that you upgrade your kfreebsd-9 packages, or upgrade jessie/sid
systems to kfreebsd-10.