
Re: kfreebsd-9: multiple issues



Hi,

> On Mon, Jun 02, 2014 at 01:59:29PM +0100, Steven Chamberlain wrote:
>> This debdiff would backport the patches to kfreebsd-9 for
>> wheezy-security.  kfreebsd-9 is due for removal from sid/jessie any time
>> now so we don't plan to fix it there.

Upstream publicly announced CVE-2014-3880 today.  Attached debdiff adds
a link to their advisory, and renames the patch file to
EN-14_06.exec.patch, to exactly match the upstream name for this bug.

Upstream announced another kernel security bug today but it didn't
affect us.

On 02/06/14 13:51, Moritz Muehlenhoff wrote:
> Aurelien is usually taking care of kfreebsd security updates.

I'm glad he is on the security team now, but we can't be completely
dependent on just one person in case we want to patch a kfreebsd
vulnerability quickly.  (I didn't get a reply from him at all to my last
request for a security upload on 2014-04-09).

In case we don't hear from him by tomorrow, would some other person on
the team be able to check/approve this please?  Is there any more work I
could do myself to make it easier for a non-kfreebsd person?  e.g. I've
provided text to use for the DSA.

At least one other kfreebsd porter will be checking the upload anyway
because I don't have DM/DD status to dput this myself.

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog	2014-01-28 21:09:41.000000000 +0000
+++ kfreebsd-9-9.0/debian/changelog	2014-06-02 11:52:28.000000000 +0000
@@ -1,3 +1,17 @@
+kfreebsd-9 (9.0-10+deb70.7) wheezy-security; urgency=high
+
+  * Team upload.
+  * Upload for wheezy-security
+  * Pick SVN 264285 from FreeBSD 9-STABLE to fix SA-14:05 / CVE-2014-1453:
+    Deadlock in the NFS server (Closes: #743984)
+  * Pick SVN 265123 from FreeBSD 9-STABLE to fix SA-14:08 / CVE-2014-3000:
+    TCP reassembly vulnerability (Closes: #746951)
+  * Pick SVN 266585 from FreeBSD 9-STABLE to fix EN-14:06 / CVE-2014-3880:
+    Triple fault on execve from 64-bit thread to 32-bit process
+    (Closes: 743141)
+
+ -- Steven Chamberlain <steven@pyro.eu.org>  Tue, 08 Apr 2014 23:41:22 +0000
+
 kfreebsd-9 (9.0-10+deb70.6) stable; urgency=low
 
   * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable
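Review bot: the third bullet of the new 9.0-10+deb70.7 entry writes `(Closes: 743141)` without the `#`, unlike `(Closes: #743984)` and `(Closes: #746951)` in the two bullets above it and the `Closes: #nnn` form Debian Policy documents; use `(Closes: #743141)` for consistency. The trailer date, `Tue, 08 Apr 2014 23:41:22 +0000`, also predates the EN-14:06 / CVE-2014-3880 bullet that this debdiff adds (the changelog file itself carries a 2014-06-02 timestamp), so regenerate it (for example with `dch -r`) immediately before the upload so the entry's timestamp reflects the actual release.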
diff -Nru kfreebsd-9-9.0/debian/patches/EN-14_06.exec.patch kfreebsd-9-9.0/debian/patches/EN-14_06.exec.patch
--- kfreebsd-9-9.0/debian/patches/EN-14_06.exec.patch	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/EN-14_06.exec.patch	2014-06-03 20:38:17.000000000 +0000
@@ -0,0 +1,70 @@
+Description:
+ Fix triple fault on execve from 64-bit thread to 32-bit process. [EN-14:06]
+ (CVE-2014-3880)
+Origin: backport, commit:266585
+Bug: http://security.freebsd.org/advisories/FreeBSD-EN-14:06.exec.asc
+Bug-Debian: http://bugs.debian.org/743141
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=266585
+
+--- kfreebsd-9-9.0.orig/sys/sys/proc.h
++++ kfreebsd-9-9.0/sys/sys/proc.h
+@@ -412,6 +412,7 @@
+ #define	TDP_CALLCHAIN	0x00400000 /* Capture thread's callchain */
+ #define	TDP_IGNSUSP	0x00800000 /* Permission to ignore the MNTK_SUSPEND* */
+ #define	TDP_AUDITREC	0x01000000 /* Audit record pending on thread */
++#define	TDP_EXECVMSPC	0x40000000 /* Execve destroyed old vmspace */
+ 
+ /*
+  * Reasons that the current thread can not be run yet.
+--- kfreebsd-9-9.0.orig/sys/kern/kern_exec.c
++++ kfreebsd-9-9.0/sys/kern/kern_exec.c
+@@ -279,6 +279,7 @@
+ 	struct mac *mac_p;
+ {
+ 	struct proc *p = td->td_proc;
++	struct vmspace *oldvmspace;
+ 	int error;
+ 
+ 	AUDIT_ARG_ARGV(args->begin_argv, args->argc,
+@@ -295,6 +296,8 @@
+ 		PROC_UNLOCK(p);
+ 	}
+ 
++	KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
++	oldvmspace = td->td_proc->p_vmspace;
+ 	error = do_execve(td, args, mac_p);
+ 
+ 	if (p->p_flag & P_HADTHREADS) {
+@@ -309,6 +312,12 @@
+ 			thread_single_end();
+ 		PROC_UNLOCK(p);
+ 	}
++	if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
++		KASSERT(td->td_proc->p_vmspace != oldvmspace,
++		    ("oldvmspace still used"));
++		vmspace_free(oldvmspace);
++		td->td_pflags &= ~TDP_EXECVMSPC;
++	}
+ 
+ 	return (error);
+ }
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c
++++ kfreebsd-9-9.0/sys/vm/vm_map.c
+@@ -3574,6 +3574,8 @@
+ 	struct vmspace *oldvmspace = p->p_vmspace;
+ 	struct vmspace *newvmspace;
+ 
++	KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
++	    ("vmspace_exec recursed"));
+ 	newvmspace = vmspace_alloc(minuser, maxuser);
+ 	if (newvmspace == NULL)
+ 		return (ENOMEM);
+@@ -3590,7 +3592,7 @@
+ 	PROC_VMSPACE_UNLOCK(p);
+ 	if (p == curthread->td_proc)
+ 		pmap_activate(curthread);
+-	vmspace_free(oldvmspace);
++	curthread->td_pflags |= TDP_EXECVMSPC;
+ 	return (0);
+ }
+ 
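Review bot: TDP_EXECVMSPC is given bit 0x40000000 in the sys/sys/proc.h hunk, but the context shows only the flags up to TDP_AUDITREC (0x01000000); since this is a backport of r266585 from 9-STABLE into the 9.0 sources, confirm the bit is still unused in kfreebsd-9's proc.h before applying. Also worth a sentence in the Description header: the sys/vm/vm_map.c hunk removes `vmspace_free(oldvmspace)` from vmspace_exec() and makes the kern_execve() caller responsible for it via the new flag, so a reader of vmspace_exec() alone can no longer see who releases the old vmspace, and any other caller of vmspace_exec() in the 9.0 tree would now leak it; stating that the free has moved (and that no other caller exists in 9.0) documents the invariant the two KASSERTs enforce.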
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_05.nfsserver.patch	2014-04-09 00:00:31.000000000 +0000
@@ -0,0 +1,75 @@
+Description:
+ Fix NFS deadlock vulnerability. [SA-14:05] (CVE-2014-1453)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:05/nfsserver.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:05.nfsserver.asc
+Bug-Debian: http://bugs.debian.org/743984
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=264285
+
+--- kfreebsd-9-9.0.orig/sys/fs/nfsserver/nfs_nfsdserv.c
++++ kfreebsd-9-9.0/sys/fs/nfsserver/nfs_nfsdserv.c
+@@ -1446,10 +1446,23 @@
+ 		nfsvno_relpathbuf(&fromnd);
+ 		goto out;
+ 	}
++	/*
++	 * Unlock dp in this code section, so it is unlocked before
++	 * tdp gets locked. This avoids a potential LOR if tdp is the
++	 * parent directory of dp.
++	 */
+ 	if (nd->nd_flag & ND_NFSV4) {
+ 		tdp = todp;
+ 		tnes = *toexp;
+-		tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred, p, 0);
++		if (dp != tdp) {
++			NFSVOPUNLOCK(dp, 0);
++			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
++			    p, 0);	/* Might lock tdp. */
++		} else {
++			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
++			    p, 1);
++			NFSVOPUNLOCK(dp, 0);
++		}
+ 	} else {
+ 		tfh.nfsrvfh_len = 0;
+ 		error = nfsrv_mtofh(nd, &tfh);
+@@ -1470,10 +1483,12 @@
+ 			tnes = *exp;
+ 			tdirfor_ret = nfsvno_getattr(tdp, &tdirfor, nd->nd_cred,
+ 			    p, 1);
++			NFSVOPUNLOCK(dp, 0);
+ 		} else {
++			NFSVOPUNLOCK(dp, 0);
+ 			nd->nd_cred->cr_uid = nd->nd_saveduid;
+ 			nfsd_fhtovp(nd, &tfh, LK_EXCLUSIVE, &tdp, &tnes, NULL,
+-			    0, p);
++			    0, p);	/* Locks tdp. */
+ 			if (tdp) {
+ 				tdirfor_ret = nfsvno_getattr(tdp, &tdirfor,
+ 				    nd->nd_cred, p, 1);
+@@ -1488,7 +1503,7 @@
+ 		if (error) {
+ 			if (tdp)
+ 				vrele(tdp);
+-			vput(dp);
++			vrele(dp);
+ 			nfsvno_relpathbuf(&fromnd);
+ 			nfsvno_relpathbuf(&tond);
+ 			goto out;
+@@ -1503,7 +1518,7 @@
+ 		}
+ 		if (tdp)
+ 			vrele(tdp);
+-		vput(dp);
++		vrele(dp);
+ 		nfsvno_relpathbuf(&fromnd);
+ 		nfsvno_relpathbuf(&tond);
+ 		goto out;
+@@ -1512,7 +1527,7 @@
+ 	/*
+ 	 * Done parsing, now down to business.
+ 	 */
+-	nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 1, exp, p, &fdirp);
++	nd->nd_repstat = nfsvno_namei(nd, &fromnd, dp, 0, exp, p, &fdirp);
+ 	if (nd->nd_repstat) {
+ 		if (nd->nd_flag & ND_NFSV3) {
+ 			nfsrv_wcc(nd, fdirfor_ret, &fdirfor, fdiraft_ret,
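Review bot: the `vput(dp)` to `vrele(dp)` changes in the @@ -1488 and @@ -1503 hunks are only correct if every path reaching them has already dropped dp's lock. The NFSVOPUNLOCK(dp, 0) calls visible here sit in the NFSv4 branch and in both arms of the `tfh` branch at @@ -1470, but the `error = nfsrv_mtofh(nd, &tfh)` failure path between those hunks is not shown, so verify in the 9.0 nfs_nfsdserv.c that an error from nfsrv_mtofh() cannot reach the vrele(dp) at @@ -1488 with dp still locked. The final hunk's change of the nfsvno_namei() lock argument from 1 to 0 depends on the same invariant and would be worth a short note in the Description header so the next porter knows the three changes belong together.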
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_08.tcp.patch kfreebsd-9-9.0/debian/patches/SA-14_08.tcp.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_08.tcp.patch	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_08.tcp.patch	2014-06-02 11:49:59.000000000 +0000
@@ -0,0 +1,37 @@
+Description:
+ Fix TCP reassembly vulnerability. [SA-14:08] (CVE-2014-3000)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:08/tcp.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:08.tcp.asc
+Bug-Debian: http://bugs.debian.org/746951
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=265123
+
+--- kfreebsd-9-9.0.orig/sys/netinet/tcp_reass.c
++++ kfreebsd-9-9.0/sys/netinet/tcp_reass.c
+@@ -211,7 +211,7 @@
+ 	 * Investigate why and re-evaluate the below limit after the behaviour
+ 	 * is understood.
+ 	 */
+-	if (th->th_seq != tp->rcv_nxt &&
++	if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ 	    tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+ 		V_tcp_reass_overflows++;
+ 		TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -234,7 +234,7 @@
+ 	 */
+ 	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ 	if (te == NULL) {
+-		if (th->th_seq != tp->rcv_nxt) {
++		if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ 			TCPSTAT_INC(tcps_rcvmemdrop);
+ 			m_freem(m);
+ 			*tlenp = 0;
+@@ -282,7 +282,8 @@
+ 				TCPSTAT_INC(tcps_rcvduppack);
+ 				TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ 				m_freem(m);
+-				uma_zfree(V_tcp_reass_zone, te);
++				if (te != &tqs)
++					uma_zfree(V_tcp_reass_zone, te);
+ 				tp->t_segqlen--;
+ 				/*
+ 				 * Try to present any queued data
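Review bot: the third hunk (`if (te != &tqs)`) references a stack-allocated `tqs` that is not declared in any visible hunk; the vendor patch was written against FreeBSD's 9.x release branches, so confirm that kfreebsd-9's 9.0 tcp_reass.c contains the `tqs` fallback segment that the `te == NULL` branch in the second hunk presumably falls through to, otherwise the guard is meaningless or the file fails to build. The first two hunks widen the drop conditions with `!TCPS_HAVEESTABLISHED(tp->t_state)`; a one-line note in the Description header saying that out-of-order segments are now dropped rather than queued before the connection reaches ESTABLISHED would make the behaviour change visible without reading the advisory.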
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series	2014-01-22 22:15:54.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/series	2014-06-03 20:38:17.000000000 +0000
@@ -18,6 +18,9 @@
 disable_via_rng.diff
 EN-14_02.mmap.patch
 fix_lseek_zfs.diff
+SA-14_05.nfsserver.patch
+SA-14_08.tcp.patch
+EN-14_06.exec.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff
Package        : kfreebsd-9
CVE ID         : CVE-2014-1453 CVE-2014-3000 CVE-2014-3880

Several vulnerabilities have been discovered in the FreeBSD kernel that may
lead to a denial of service or possible disclosure of kernel memory. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2014-1453

    An attacker on a trusted client could cause the NFS server to become
    deadlocked, resulting in a denial of service.

CVE-2014-3000

    An attacker who can send a series of specifically crafted packets with a
    connection could cause a denial of service by crashing the kernel.

    Additionally, because the undefined on-stack memory may be overwritten by
    other kernel threads, it may be possible, although extremely difficult, for
    an attacker to construct a carefully crafted attack to obtain a portion of
    kernel memory via a connected socket.  This may result in the disclosure of
    sensitive information such as login credentials, etc. before or even
    without crashing the system.

CVE-2014-3880

    A local attacker can trigger a kernel crash (triple fault) with potential
    data loss, related to the execve system call.  Reported by Ivo De Decker.

For the stable distribution (wheezy), these problems have been fixed in
version 9.0-10+deb70.7.

For the unstable distribution (sid), these problems have been fixed in
the kfreebsd-10 package version 10.0-6.

We recommend that you upgrade your kfreebsd-9 packages, or upgrade jessie/sid
systems to kfreebsd-10.
