Exploit the possiblities

FreeBSD Security Advisory - FreeBSD-SA-16:20.linux

FreeBSD Security Advisory - FreeBSD-SA-16:20.linux
Posted Jun 1, 2016
Authored by CTurt | Site security.freebsd.org

FreeBSD Security Advisory - The implementation of the TIOCGSERIAL ioctl(2) does not clear the output struct before copying it out to userland. The implementation of the Linux sysinfo() system call does not clear the output struct before copying it out to userland. An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.

tags | advisory, kernel
systems | linux, freebsd
MD5 | 1e15711ef418910a989c906474f5221c

FreeBSD Security Advisory - FreeBSD-SA-16:20.linux

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:20.linux Security Advisory
The FreeBSD Project

Topic: Kernel stack disclosure in Linux compatibility layer

Category: core
Module: linux(4)
Announced: 2016-05-31
Credits: CTurt
Affects: All supported versions of FreeBSD.
Corrected: 2016-05-31 16:57:42 UTC (stable/10, 10.3-STABLE)
2016-05-31 16:55:50 UTC (releng/10.3, 10.3-RELEASE-p4)
2016-05-31 16:55:45 UTC (releng/10.2, 10.2-RELEASE-p18)
2016-05-31 16:55:41 UTC (releng/10.1, 10.1-RELEASE-p35)
2016-05-31 16:58:00 UTC (stable/9, 9.3-STABLE)
2016-05-31 16:55:37 UTC (releng/9.3, 9.3-RELEASE-p43)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component. The support is provided
for amd64 and i386 machines.

II. Problem Description

The implementation of the TIOCGSERIAL ioctl(2) does not clear the output
struct before copying it out to userland.

The implementation of the Linux sysinfo() system call does not clear the
output struct before copying it out to userland.

III. Impact

An unprivileged user can read a portion of uninitialised kernel stack data,
which may contain sensitive information, such as the stack guard, portions
of the file cache or terminal buffers, which an attacker might leverage to
obtain elevated privileges.

IV. Workaround

No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.

The Linux compatibility layer is not included in the default GENERIC kernel.

The following command can be used to test if the Linux binary compatibility
layer is loaded:

# kldstat -m linuxelf

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:20/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-16:20/linux.patch.asc
# gpg --verify linux.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r301055
releng/9.3/ r301049
stable/10/ r301054
releng/10.1/ r301050
releng/10.2/ r301051
releng/10.3/ r301052
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://cturt.github.io/compat-info-leaks.html>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:20.linux.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSOAAoJEO1n7NZdz2rnjSMP/AsGK5jda/QlrRrpvKyd3HGr
qVsTzro+a2ed2ZlUCamM/JICXfbAit+dOioui+CIN1IKai/mxNPMpIWcPRx1AhDr
3y52MmSzkCqK6QT3tvwYYaG4uOZ3/wbWAJ8EKz2qqYlZ4hkmy24BdvTCGB2SGDgo
Nz1P60NWxaqafCwFyb0xz7Lful52txSLIr9mWZzTcSgwNNEscGiMgzXiY64GlWfQ
r20udpFrPG5+OOwpFAdR4IImQA7B0AYD064NbzN9A+mJlbhtGguDS3oTkbVBVIbF
ldLgDkrFeIv/Jyhvij1q85xfuOxT6eaVJe7qGUaV8v6qQx17VhH8j0sVzn6nh0w9
kly4FB0osyZRQJ7bV7c+FVGECUWRyzSpeo7lx6ICXECuyzcX9U4IxC0oxPcokD3o
CEOJkQEjLtMSfKdE143lbyPCtZUMSXtp/CLEUxW7eDCbW89O7p7pv6xTiNLdopVT
cpUcF+Y0KepwMrg+jXH8i07yF6QgqRWVziA16821OJ4ThD0RN4MRrWUizl/1J2iD
LFGxK8l2U3hP5dhXpYpEHsI2xkU94Lojp0SfngFoylo4Z8UjpQeaR9NG+F3+uR45
Q8aGB3CQe84JZUzFfVN6292AE/4ZMg13iRzKUawV8JBUEWG+MnrtU6a7zwIRVM2F
zT2f1EP7488fCSxbmicf
=bohu
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    1 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close