Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2000.236 -- FreeBSD-SA-00:42
Linux binary compatibility mode can cause system compromise
30 August 2000
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: FreeBSD kernel
Vendor: FreeBSD
Operating System: FreeBSD
Platform: N/A
Impact: Root Compromise
Access Required: Local
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-00:42 Security Advisory
FreeBSD, Inc.
Topic: Linux binary compatability mode can cause system compromise
Category: core
Module: kernel
Announced: 2000-08-28
Credits: Boris Nikolaus <boris@cs.tu-berlin.de>
Affects: FreeBSD 3.x, 4.x and 5.x prior to the correction date
Corrected: 2000-07-23 (FreeBSD 5.0-CURRENT)
2000-07-29 (FreeBSD 4.1-STABLE)
2000-08-24 (FreeBSD 3.5-STABLE)
FreeBSD only: Yes
I. Background
FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component.
II. Problem Description
The linux binary-compatability module implements a "shadow" filesystem
hierarchy rooted in /compat/linux, which is overlayed against the
regular filesystem hierarchy so that Linux binaries "see" files in the
shadow hierarchy which can mask the native files.
Filenames in this shadow hierarchy are treated incorrectly by the
linux kernel module under certain circumstances, and a kernel stack
overflow leading to a system compromise by an unprivileged user may be
possible when very long filenames are used. This is only possible when
the linux kernel module is loaded, or the equivalent functionality is
statically compiled into the kernel. It is not enabled by default.
This vulnerability was fixed just after the release of FreeBSD
4.1-RELEASE, and 3.5-RELEASE is also vulnerable.
III. Impact
Local users may be able to obtain root privileges on the system when
linux compatability mode is enabled.
IV. Workaround
To determine whether the linux compatability module has been loaded,
execute the following command as root and look for a 'linux.ko' entry:
# kldstat
Id Refs Address Size Name
1 7 0xc0100000 270be0 kernel
2 1 0xc0371000 5540 vesa.ko
3 1 0xc0377000 10094 randomdev.ko
4 1 0xc0e17000 4e000 nfs.ko
5 1 0xc0e83000 11000 linux.ko
If present, unload the "linux" module by executing the following
command as root:
# kldunload linux
For safety, remove the /modules/linux.ko file to prevent it being
reloaded accidentally, and add or change the following line in
/etc/rc.conf:
linux_enable="NO" # Linux binary compatibility loaded at startup (or NO).
If the module is not loaded, to determine whether the functionality
has been statically compiled into the kernel, check the kernel
configuration file for the following line:
options COMPAT_LINUX
If present, remove and recompile the kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.
V. Solution
One of the following:
1) Upgrade your vulnerable FreeBSD system to 3.5-STABLE, 4.1-STABLE or
5.0-CURRENT after the respective correction dates.
2) Apply the patch below and recompile your kernel.
Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:42/linux.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:42/linux.patch.asc
# cd /usr/src/sys/i386/linux
# patch -p < /path/to/patch_or_advisory
[ Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system ]
Index: linux_misc.c
===================================================================
RCS file: /home/ncvs/src/sys/i386/linux/linux_misc.c,v
retrieving revision 1.77.2.3
retrieving revision 1.77.2.4
diff -u -r1.77.2.3 -r1.77.2.4
--- linux_misc.c 2000/07/20 05:31:56 1.77.2.3
+++ linux_misc.c 2000/07/30 05:36:11 1.77.2.4
@@ -954,6 +954,8 @@
tv[1].tv_usec = 0;
/* so that utimes can copyin */
tvp = (struct timeval *)stackgap_alloc(&sg, sizeof(tv));
+ if (tvp == NULL)
+ return (ENAMETOOLONG);
if ((error = copyout(tv, tvp, sizeof(tv))))
return error;
bsdutimes.tptr = tvp;
Index: linux_util.c
===================================================================
RCS file: /home/ncvs/src/sys/i386/linux/linux_util.c,v
retrieving revision 1.9.2.1
retrieving revision 1.9.2.2
diff -u -r1.9.2.1 -r1.9.2.2
--- linux_util.c 2000/07/07 01:23:45 1.9.2.1
+++ linux_util.c 2000/07/30 05:36:11 1.9.2.2
@@ -162,7 +162,10 @@
else {
sz = &ptr[len] - buf;
*pbuf = stackgap_alloc(sgp, sz + 1);
- error = copyout(buf, *pbuf, sz);
+ if (*pbuf != NULL)
+ error = copyout(buf, *pbuf, sz);
+ else
+ error = ENAMETOOLONG;
free(buf, M_TEMP);
}
Index: linux_util.h
===================================================================
RCS file: /home/ncvs/src/sys/i386/linux/linux_util.h,v
retrieving revision 1.10
retrieving revision 1.10.2.1
diff -u -r1.10 -r1.10.2.1
--- linux_util.h 1999/12/04 11:10:22 1.10
+++ linux_util.h 2000/07/30 05:36:11 1.10.2.1
@@ -56,29 +56,27 @@
static __inline caddr_t stackgap_init(void);
static __inline void *stackgap_alloc(caddr_t *, size_t);
+#define szsigcode (*(curproc->p_sysent->sv_szsigcode))
+
static __inline caddr_t
stackgap_init()
{
-#define szsigcode (*(curproc->p_sysent->sv_szsigcode))
return (caddr_t)(PS_STRINGS - szsigcode - SPARE_USRSPACE);
}
-
static __inline void *
stackgap_alloc(sgp, sz)
caddr_t *sgp;
size_t sz;
{
- void *p = (void *) *sgp;
- *sgp += ALIGN(sz);
+ void *p = (void *) *sgp;
+
+ sz = ALIGN(sz);
+ if (*sgp + sz > (caddr_t)(PS_STRINGS - szsigcode))
+ return NULL;
+ *sgp += sz;
return p;
}
-
-#ifdef DEBUG_LINUX
-#define DPRINTF(a) printf a;
-#else
-#define DPRINTF(a)
-#endif
extern const char linux_emul_path[];
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBOaq1wFUuHi5z0oilAQFcVQQAlYhhDM6T/qEDqVTvG9yr9mv++LVGqqRE
SI4MEbmwbV5NvmFqTM2OzGpKsUaAy9gEfA5mjVKR+PRFoY7g68heFGAKWSRHmgs5
ramrzVxBHOeviaHeAXpH7LgJOdFo8EwhqehLtv+M0I5n9JJjPvAEWXG9cdiYXTto
pKJAPVXr9NU=
=r8gN
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOcd28Sh9+71yA2DNAQFKcgQAk7V3b5wkZOzOjnLO+8+7MJ8//IJHZ4zK
QRmmJCVppx1C62kfY4wi1kJ8ux7DJjQ2I+5zylCwJUhPwIry+Eyolfv/6Q+QJX1+
lA/93ZzH+O8FYfC425Vt37McVTACukMXnq0xAOKwl2r4RimfFlcV1sIPOKPPmfZb
l5o6HsryBYM=
=Wj2G
-----END PGP SIGNATURE-----