-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:17.devfs                                      Security Advisory
                                                          The FreeBSD Project

Topic:          devfs ruleset bypass

Category:       core
Module:         devfs
Announced:      2005-07-20
Credits:        Robert Watson
Affects:        All FreeBSD 5.x releases
Corrected:      2005-07-20 13:35:44 UTC (RELENG_5, 5.4-STABLE)
                2005-07-20 13:36:32 UTC (RELENG_5_4, 5.4-RELEASE-p5)
                2005-07-20 13:37:27 UTC (RELENG_5_3, 5.3-RELEASE-p19)
CVE Name:       CAN-2005-2218

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The device file system, or devfs(5), provides access to kernel's device
namespace in the global file system namespace.  This includes access to
to system devices such as storage devices, kernel and system memory
devices, BPF devices, and serial port devices.  Devfs is is generally
mounted as /dev.  Devfs rulesets allow an administrator to hide
certain device nodes; this is most commonly applied to a devfs mounted
for use inside a jail, in order to make devices inaccessible to
processes within that jail.

II.  Problem Description

Due to insufficient parameter checking of the node type during device
creation, any user can expose hidden device nodes on devfs mounted
file systems within their jail.  Device nodes will be created in the
jail with their normal default access permissions.

III. Impact

Jailed processes can get access to restricted resources on the host
system.  For jailed processes running with superuser privileges this
implies access to all devices on the system.  This level of access
can lead to information leakage and privilege escalation.

IV.  Workaround

Unmount device file systems mounted inside jails.  Note that certain
device nodes, such as /dev/null, may be required for some software to
function correctly.

This can be done by executing the following command as root:

  umount -A -t devfs

Also, remove or comment out any lines in fstab(5) that reference
`devfs' and has a mount point within a jail, so that they will not be
re-mounted at next reboot.

Some device file systems might be busy, including the host's main /dev
file system, and processes accessing these must be shut down before
the device file system can be unmounted.  The hosts main device file
system, mounted as /dev, should not be unmounted since it is required
for normal system operation.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4,
or RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/fs/devfs/devfs_vnops.c                                 1.73.2.2
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.14
  src/sys/conf/newvers.sh                                  1.62.2.18.2.10
  src/sys/fs/devfs/devfs_vnops.c                             1.73.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.22
  src/sys/conf/newvers.sh                                  1.62.2.15.2.24
  src/sys/fs/devfs/devfs_vnops.c                                 1.73.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2218

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:17.devfs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFC3lYgFdaIBMps37IRAldmAJ458s06z3gkHNjn04R2Rq8XXwRKiQCffeJP
m9n3bmuoX0WJvckcdR8EhU4=
=2iFe
-----END PGP SIGNATURE-----