FreeBSD Kernel Memory Map Bug in 'mmap()' and 'msync()' May Let Local Users Crash the System
|
Date: Apr 25 2002
|
Impact: Denial of service via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description: A denial of service vulnerability was reported in the FreeBSD operating system in the mmap(2) and msync(2) system calls. A local user can exploit these components of the memory mapped I/O API to cause the system to crash.
FreeBSD reported a flaw in the FreeBSD virtual memory management system involving a failure to check for the existence of a VM object during page invalidation. A local user could call msync(2) on an anonymous, asynchronous memory map (i.e., created using the mmap flags MAP_ANON and MAP_NOSYNC) which had not been accessed previously to cause the system to crash.
This reportedly only affects the FreeBSD operating system.
FreeBSD credits Harry Newton <harry_newton@telinco.co.uk> with reporting this flaw.
|
Impact: A local user can cause the system to crash.
|
Solution: The vendor has issued a fix.
1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the RELENG_4_5 (4.5-RELEASE-p3) or RELENG_4_4 (4.4-RELEASE-p10) security branches dated after the respective correction dates. The correction dates are:
2002-03-08 17:22:20 UTC (RELENG_4)
2002-04-15 17:14:28 UTC (RELENG_4_5)
2002-04-15 17:18:12 UTC (RELENG_4_4)
2) To patch your present system:
a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:22/mmap.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:22/mmap.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.
|
Vendor URL: www.freebsd.org/
|
Cause: State error
|
Underlying OS: UNIX (FreeBSD)
|
Underlying OS Comments: 4, 4.4, 4.5
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 25 Apr 2002 02:30:14 -0400
Subject: FreeBSD-SA-02:22.mmap
|
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A22.mmap.asc
=============================================================================
FreeBSD-SA-02:22.mmap                                       Security Advisory
                                                                FreeBSD, Inc.

Topic:          mmap/msync denial of service

Category:       core
Module:         net
Announced:      2002-04-18
Credits:        Harry Newton <harry_newton@telinco.co.uk>
                Matt Dillon <dillon@FreeBSD.org>
Affects:        All releases of FreeBSD up to and including 4.5-RELEASE
                4.5-STABLE prior to the correction date
Corrected:      2002-03-08 17:22:20 UTC (RELENG_4)
                2002-04-15 17:14:28 UTC (RELENG_4_5)
                2002-04-15 17:18:12 UTC (RELENG_4_4)
FreeBSD only:   YES

I. Background

The mmap(2) and msync(2) system calls are part of the memory mapped
I/O API.

II. Problem Description

A bug existed in the virtual memory management system involving a
failure to check for the existence of a VM object during page
invalidation. This bug could be triggered by calling msync(2) on an
anonymous, asynchronous memory map (i.e. created using the mmap flags
MAP_ANON and MAP_NOSYNC) which had not been accessed previously.

III. Impact

Local users may cause the system to crash.

IV. Workaround

None.

V. Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the
RELENG_4_5 (4.5-RELEASE-p3) or RELENG_4_4 (4.4-RELEASE-p10) security
branches dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:22/mmap.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:22/mmap.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                               Revision
  Branch
- -------------------------------------------------------------------------
sys/vm/vm_map.c
  RELENG_4                                                       1.187.2.13
  RELENG_4_5                                                 1.187.2.12.2.1
  RELENG_4_4                                                  1.187.2.9.2.1
- -------------------------------------------------------------------------
|
|
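An added example, not part of the advisory or of any FreeBSD tool: a POSIX sh check that classifies the CVS revision of sys/vm/vm_map.c against the corrected revisions listed in section VI of the advisory. The function names and the sample ident line are constructed for illustration; revisions on branches the advisory does not list are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: classify a sys/vm/vm_map.c CVS revision against the
# corrected revisions in section VI of FreeBSD-SA-02:22.mmap.
# Function names are illustrative, not part of any FreeBSD tool.

# Pull the revision field out of a $FreeBSD$ ident line.
ident_rev() {
    printf '%s\n' "$1" |
        sed -n 's/.*vm_map\.c,v \([0-9][0-9.]*\) .*/\1/p'
}

# Print "fixed", "vulnerable" or "unknown" for a dotted revision.
vm_map_status() {
    rev=$1
    # Reject anything that is not a well-formed dotted number.
    case $rev in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    # Most specific branch prefix first; min is the first fixed revision.
    case $rev in
        1.187.2.12.2.*) last=${rev#1.187.2.12.2.}; min=1  ;;  # RELENG_4_5
        1.187.2.9.2.*)  last=${rev#1.187.2.9.2.};  min=1  ;;  # RELENG_4_4
        1.187.2.*)      last=${rev#1.187.2.};      min=13 ;;  # RELENG_4
        *) echo unknown; return 0 ;;
    esac
    # A dot left over means a sub-branch the advisory does not list.
    case $last in
        *.*) echo unknown; return 0 ;;
    esac
    if [ "$last" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
}

# Constructed sample ident line (date and committer are placeholders).
sample='$FreeBSD: src/sys/vm/vm_map.c,v 1.187.2.12 2002/01/01 00:00:00 user Exp $'
rev=$(ident_rev "$sample")
echo "$rev: $(vm_map_status "$rev")"
```

On a live system the ident line can be read with `grep '\$FreeBSD' /usr/src/sys/vm/vm_map.c`. The result describes the source tree only; the running kernel is fixed once it has been rebuilt from that tree and the system rebooted.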