Re: FreeBSD Security Advisory FreeBSD-SA-19:23.midi
On Wed, 2019-08-21 at 04:55 +0700, Eugene Grosbein wrote: > 21.08.2019 3:12, FreeBSD Security Advisories wrote: > > [skip] > > > IV. Workaround > > > > No workaround is available. Custom kernels without "device sound" > > are not vulnerable. > > Is it true that there is no way to disable vulnerable and unneeded > device driver > built in GENERIC other that through rebuilding the kernel? > > I remember that pre-4.x versions of FreeBSD had visual VGA-based pre- > boot configurator > allowing to disable any compiled-in device driver. Don't > device.hints(5) or loader(8) have means to do so? > > These days GENERIC have LOTS of drivers and it's convenient but > unsafe. > "No workaround" just seems to be wrong. Aside from setting the disabled hint to turn off the driver (or using devctl to turn it off on a live system), the exploit also requires opening /dev/midistat, so a viable workaround is to change its permissions so that users can't open it. -- Ian ___ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: FreeBSD Security Advisory FreeBSD-SA-19:23.midi
On Wed, 21 Aug 2019, Eugene Grosbein wrote: 21.08.2019 3:12, FreeBSD Security Advisories wrote: [skip] IV. Workaround No workaround is available. Custom kernels without "device sound" are not vulnerable. Is it true that there is no way to disable vulnerable and unneeded device driver built in GENERIC other that through rebuilding the kernel? I remember that pre-4.x versions of FreeBSD had visual VGA-based pre-boot configurator Visual userconfig and command-line userconfug were in all versions of 4.x too. allowing to disable any compiled-in device driver. Don't device.hints(5) or loader(8) have means to do so? Configuration was unimproved by hints, env and new-bus after 4.x. In 4.x and earlier, the irq and other parameters, and disable and other flags, were part of a formal syntax implemented at config(8) time using yacc and at kernel userconfig time more hackishly and at kernel visual userconfig time more guishlly. Now hints and env give a random mostly undocumented syntax. Even disable flags don't work right. New-bus allows more complicated or just larger topologies which are harder to control using disable flags. These days GENERIC have LOTS of drivers and it's convenient but unsafe. It is hard to even find the list of (unattached) drivers, or get useful (fauling) probe messages for drivers that aren't used. I use the following patch mainly to fix sio and uart probing in uncontrollable or hard-coded order and/or precendence when both are statically configured. One must be disabled on a per-device basis, but even disabling doesn't work without this patch. The patch preserves some historical mistakes and adds some excessive verboseness about probe failures. I'm still waiting for jhb to reply to mails on 30 Oct 2015 and 23 Jan 2018 asking for a review of this patch or better a complete fix. XX Index: subr_bus.c XX === XX --- subr_bus.c (revision 332488) XX +++ subr_bus.c (working copy) XX @@ -2079,6 +2079,12 @@ XX return (TAILQ_NEXT(last, link)); XX } XX XX +/* XX + * Keep probing disabled devices for now, in case this has beneficial side XX + * effects. XX + */ XX +static volatile int probe_rdisabled = 0; XX + XX /** XX * @internal XX */ XX @@ -2088,7 +2094,7 @@ XX devclass_t dc; XX driverlink_t best = NULL; XX driverlink_t dl; XX -int result, pri = 0; XX +int rdisabled, result, unit, pri = 0; XX int hasclass = (child->devclass != NULL); XX XX GIANT_REQUIRED; XX @@ -2139,8 +2145,27 @@ XX resource_int_value(dl->driver->name, child->unit, XX "flags", >devflags); XX XX - result = DEVICE_PROBE(child); XX +/* Record other state while the unit is valid. */ XX +unit = child->unit; XX +rdisabled = resource_disabled(dl->driver->name, unit); XX XX + /* See below for more details. */ XX +if (rdisabled) { XX +device_print_prettyname(dev); XX +if (probe_rdisabled) XX +device_printf(child, XX +"probing disabled device\n"); XX +else { XX +device_printf(child, XX +"disabled in probe by hints\n"); XX +device_disable(child); XX +} XX +} XX +if (rdisabled && !probe_rdisabled) XX +result = ENXIO; XX +else XX +result = DEVICE_PROBE(child); XX + XX /* Reset flags and devclass before the next probe. */ XX child->devflags = 0; XX if (!hasclass) XX @@ -2182,6 +2207,30 @@ XX } XX XX /* XX + * Ignore the result of probing a disabled device, XX + * so that disabled devices with higher priorities XX + * are not preferred, only to do nothing at attach XX + * time but complete their disablement and fail. XX + * This is not quite right since it loses the XX + * accidental (?) feature of being able to disable XX + * attaching a resource for all drivers by XX + * disabling it for one driver if there happens to XX + * one with highest priority (or equal highest, XX + * with the disabled one preferred because it is XX + * probed first. XX + */ XX +if (rdisabled) { XX +device_print_prettyname(dev); XX +/* XXX device_printf() fails -- child inval. */ XX +
FreeBSD Security Advisory FreeBSD-SA-19:23.midi [REVISED]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 = FreeBSD-SA-19:23.midi Security Advisory The FreeBSD Project Topic: kernel memory disclosure from /dev/midistat Category: core Module: sound Announced: 2019-08-20 Credits:Peter Holm, Mark Johnston Affects:All supported versions of FreeBSD. Corrected: 2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE) 2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10) 2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE) 2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3) 2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14) CVE Name: CVE-2019-5612 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/>. 0. Revision history v1.0 2019-08-20 Initial release. v1.1 2019-08-21 Updated workaround. I. Background /dev/midistat is a device file which can be read to obtain a human-readable list of the available MIDI-capable devices in the system. II. Problem Description The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. III. Impact The races allow a program to read kernel memory within a 4GB window centered at midistat's data buffer. The buffer is allocated each time the device is opened, so an attacker is not limited to a static 4GB region of memory. On 32-bit platforms, an attempt to trigger the race may cause a page fault in kernel mode, leading to a panic. IV. Workaround Restrict permissions on /dev/midistat by adding an entry to /etc/devfs.conf and restarting the service: # echo "perm midistat 0600" >> /etc/devfs.conf # service devfs restart Custom kernels without "device sound" are not vulnerable. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch # fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc # gpg --verify midi.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - - stable/12/r351264 releng/12.0/ r351260 stable/11/r351265 releng/11.3/ r351260 releng/11.2/ r351260 - - To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed: # svn diff -cNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NN with the revision number: https://svnweb.freebsd.org/base?view=revision=NN> VII. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612> The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc> -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1d58xfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cJ3pw//fbHMCysvmMh+2RZ47d4i9d61cdYEq51VUwT2Cp2pGz+mWAoac89c4k2v coo+nuvsXfgNGjr6SHGjLw0kCjeJPdPBDstHLnrzqbmuUFeS8rbRS9AGySy8cW7Z
Re: FreeBSD Security Advisory FreeBSD-SA-19:23.midi
On Tue, Aug 20, 2019 at 04:01:39PM -0600, Ian Lepore wrote: > On Wed, 2019-08-21 at 04:55 +0700, Eugene Grosbein wrote: > > 21.08.2019 3:12, FreeBSD Security Advisories wrote: > > > > [skip] > > > > > IV. Workaround > > > > > > No workaround is available. Custom kernels without "device sound" > > > are not vulnerable. > > > > Is it true that there is no way to disable vulnerable and unneeded > > device driver > > built in GENERIC other that through rebuilding the kernel? > > > > I remember that pre-4.x versions of FreeBSD had visual VGA-based pre- > > boot configurator > > allowing to disable any compiled-in device driver. Don't > > device.hints(5) or loader(8) have means to do so? > > > > These days GENERIC have LOTS of drivers and it's convenient but > > unsafe. > > > > "No workaround" just seems to be wrong. Aside from setting the > disabled hint to turn off the driver (or using devctl to turn it off on > a live system), the exploit also requires opening /dev/midistat, so a > viable workaround is to change its permissions so that users can't open > it. Yeah, this was an oversight. The SA text will be amended. ___ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: FreeBSD Security Advisory FreeBSD-SA-19:23.midi
21.08.2019 3:12, FreeBSD Security Advisories wrote: [skip] > IV. Workaround > > No workaround is available. Custom kernels without "device sound" > are not vulnerable. Is it true that there is no way to disable vulnerable and unneeded device driver built in GENERIC other that through rebuilding the kernel? I remember that pre-4.x versions of FreeBSD had visual VGA-based pre-boot configurator allowing to disable any compiled-in device driver. Don't device.hints(5) or loader(8) have means to do so? These days GENERIC have LOTS of drivers and it's convenient but unsafe. ___ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
FreeBSD Security Advisory FreeBSD-SA-19:23.midi
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 = FreeBSD-SA-19:23.midi Security Advisory The FreeBSD Project Topic: kernel memory disclosure from /dev/midistat Category: core Module: sound Announced: 2019-08-20 Credits:Peter Holm, Mark Johnston Affects:All supported versions of FreeBSD. Corrected: 2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE) 2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10) 2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE) 2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3) 2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14) CVE Name: CVE-2019-5612 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/>. I. Background /dev/midistat is a device file which can be read to obtain a human-readable list of the available MIDI-capable devices in the system. II. Problem Description The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. III. Impact The races allow a program to read kernel memory within a 4GB window centered at midistat's data buffer. The buffer is allocated each time the device is opened, so an attacker is not limited to a static 4GB region of memory. On 32-bit platforms, an attempt to trigger the race may cause a page fault in kernel mode, leading to a panic. IV. Workaround No workaround is available. Custom kernels without "device sound" are not vulnerable. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch # fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc # gpg --verify midi.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - - stable/12/r351264 releng/12.0/ r351260 stable/11/r351265 releng/11.3/ r351260 releng/11.2/ r351260 - - To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed: # svn diff -cNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NN with the revision number: https://svnweb.freebsd.org/base?view=revision=NN> VII. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612> The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc> -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgVfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cItmQ/9HL5BIP/QUvfcBbhZmZAXa7O7V9Em4auumaUWEPnUaAR0vNKZqMvFXNeN v51/HOwCZte2fCgs8rxSH9ncQR+cUk/3nXO7PZ7pNPNfvuJoPlCV1rIuRrdwm14+ +pZIJpY65gmmXyh5Qa5cw41MEWuDcKluUg38zEROwBpX4h0J/ZuMSARn/s1jj/kJ hy2yzgPTz8gAzkNd8OtQm1CHdFnKWabuAHBlltj9qIA3OvJL+TpIFmzU5jA7wO1n w9GCcz73+IA1RZXu8vPsW9AEc/1LlUrNcyLmJ+bZjW9b7mY9dq+ackvULTzFV21u 5xW2FEX3EBr3kFSbWyIS9zuTX4InftoAr97CBxNMYa25/0En4Ri2rB3oH49BgqTb