On Wed, 2019-08-21 at 04:55 +0700, Eugene Grosbein wrote: > 21.08.2019 3:12, FreeBSD Security Advisories wrote: > > [skip] > > > IV. Workaround > > > > No workaround is available. Custom kernels without "device sound" > > are not vulnerable. > > Is it true that there is no way to disable vulnerable and unneeded > device driver > built in GENERIC other that through rebuilding the kernel? > > I remember that pre-4.x versions of FreeBSD had visual VGA-based pre- > boot configurator > allowing to disable any compiled-in device driver. Don't > device.hints(5) or loader(8) have means to do so? > > These days GENERIC have LOTS of drivers and it's convenient but > unsafe. >
"No workaround" just seems to be wrong. Aside from setting the disabled hint to turn off the driver (or using devctl to turn it off on a live system), the exploit also requires opening /dev/midistat, so a viable workaround is to change its permissions so that users can't open it. -- Ian _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
