-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
============================================================================FreeBSD-SA-10:07.mbuf Security Advisory
The FreeBSD Project
Topic: Lost mbuf flag resulting in data corruption
Category: core
Module: kern
Announced: 2010-07-13
Credits: Ming Fu
Affects: FreeBSD 7.x and later.
Corrected: 2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE)
2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE)
2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4)
2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE)
2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2)
2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13)
CVE Name: CVE-2010-2693
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
An mbuf is a basic unit of memory management in the FreeBSD kernel
inter-process communication and networking subsystem. Network packets
and socket buffers are dependent on mbufs for their storage.
Data can be embedded directly in mbufs, or mbufs can instead reference
external buffers. The sendfile(2) system call uses external mbuf storage
to directly map the contents of a file into a chain of mbufs for
transmission purposes. The mbuf object supports a read-only flag that
must be honored to prevent modification or writes to buffer data in
cases like these.
II. Problem Description
The read-only flag is not correctly copied when a mbuf buffer reference
is duplicated. When the sendfile(2) system call is used to transmit
data over the loopback interface, this can result in the backing pages
for the transmitted file being modified, causing data corruption.
III. Impact
This data corruption can be exploited by an local attacker to escalate
their privilege by carefully controlling the corruption of system files.
It should be noted that the attacker can corrupt any file they have read
access to.
NOTE: While systems without untrusted local users are not affected by
the security aspects of this issue, the potential for data corruption
implies that this should still be treated as a critical erratum.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated
after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch
# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
3) To update your vulnerable system via a binary patch:
Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or
amd64 platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Now reboot the system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/sys/kern/uipc_mbuf.c 1.174.2.4
RELENG_7_3
src/UPDATING 1.507.2.34.2.4
src/sys/conf/newvers.sh 1.72.2.16.2.6
src/sys/kern/uipc_mbuf.c 1.174.2.3.4.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.16
src/sys/conf/newvers.sh 1.72.2.9.2.17
src/sys/kern/uipc_mbuf.c 1.174.2.2.2.2
RELENG_8
src/sys/kern/uipc_mbuf.c 1.185.2.3
RELENG_8_1
src/UPDATING 1.632.2.14.2.2
src/sys/conf/newvers.sh 1.83.2.10.2.4
src/sys/kern/uipc_mbuf.c 1.185.2.2.2.2
RELENG_8_0
src/UPDATING 1.632.2.7.2.7
src/sys/conf/newvers.sh 1.83.2.6.2.7
src/sys/kern/uipc_mbuf.c 1.185.2.1.2.2
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r209964
releng/7.3/ r209964
releng/7.1/ r209964
stable/8/ r209964
releng/8.0/ r209964
releng/8.1/ r209964
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2693
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)
iEYEARECAAYFAkw71A0ACgkQFdaIBMps37JOOACff8w8qvsgopj11FFAPQdwyPLB
JEQAniRHbomY2hJVw5FmrdQv3SP+ZziI
=Reds
-----END PGP SIGNATURE-----