exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FreeBSD Security Advisory - Devfs / VFS

FreeBSD Security Advisory - Devfs / VFS
Posted Oct 2, 2009
Site security.freebsd.org

FreeBSD Security Advisory - Due to the interaction between devfs and VFS, a race condition exists where the kernel might dereference a NULL pointer.

tags | advisory, kernel
systems | freebsd
SHA-256 | 4b21def402ce048506cd636e20e57f215a29c797ecd2817b7359d5b1e52ab3ef

FreeBSD Security Advisory - Devfs / VFS

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:14.devfs Security Advisory
The FreeBSD Project

Topic: Devfs / VFS NULL pointer race condition

Category: core
Module: kern
Announced: 2009-10-02
Credits: Przemyslaw Frasunek
Affects: FreeBSD 6.x and 7.x
Corrected: 2009-05-18 10:41:59 UTC (RELENG_7, 7.2-STABLE)
2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4)
2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8)
2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The device file system (devfs) provides access to system devices, such as
storage devices and serial ports, via the file system namespace.

VFS is the Virtual File System, which abstracts file system operations in
the kernel from the actual underlying file system.

II. Problem Description

Due to the interaction between devfs and VFS, a race condition exists
where the kernel might dereference a NULL pointer.

III. Impact

Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code with user
privileges on the target system.

IV. Workaround

An errata note, FreeBSD-EN-09:05.null has been released simultaneously to
this advisory, and contains a kernel patch implementing a workaround for a
more broad class of vulnerabilities. However, prior to those changes, no
workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/fs/devfs/devfs_vnops.c 1.114.2.17
RELENG_6_4
src/UPDATING 1.416.2.40.2.11
src/sys/conf/newvers.sh 1.69.2.18.2.13
src/sys/fs/devfs/devfs_vnops.c 1.114.2.16.2.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.18
src/sys/conf/newvers.sh 1.69.2.15.2.17
src/sys/fs/devfs/devfs_vnops.c 1.114.2.15.2.1
RELENG_7
src/sys/fs/devfs/devfs_vnops.c 1.149.2.9
RELENG_7_2
src/UPDATING 1.507.2.23.2.7
src/sys/conf/newvers.sh 1.72.2.11.2.8
src/sys/fs/devfs/devfs_vnops.c 1.149.2.8.2.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.11
src/sys/conf/newvers.sh 1.72.2.9.2.12
src/sys/fs/devfs/devfs_vnops.c 1.149.2.4.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r197715
releng/6.4/ r197715
releng/6.3/ r197715
stable/7/ r192301
releng/7.2/ r197715
releng/7.1/ r197715
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:14.devfs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFKxltlFdaIBMps37IRAp4zAJwJEwIySGqxH4EXwc0wjkDXlcTb1wCfTltO
Syds53GSM0YbsMNUVMGsLaU=
=exPZ
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close