FreeBSD Security Advisory FreeBSD-SA-10:07.mbuf

Type securityvulns
Reporter Securityvulns
Modified 2010-07-14T00:00:00



============================================================================= FreeBSD-SA-10:07.mbuf Security Advisory The FreeBSD Project

Topic: Lost mbuf flag resulting in data corruption

Category: core Module: kern Announced: 2010-07-13 Credits: Ming Fu Affects: FreeBSD 7.x and later. Corrected: 2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE) 2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE) 2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4) 2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE) 2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2) 2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13) CVE Name: CVE-2010-2693

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:>.

I. Background

An mbuf is a basic unit of memory management in the FreeBSD kernel inter-process communication and networking subsystem. Network packets and socket buffers are dependent on mbufs for their storage.

Data can be embedded directly in mbufs, or mbufs can instead reference external buffers. The sendfile(2) system call uses external mbuf storage to directly map the contents of a file into a chain of mbufs for transmission purposes. The mbuf object supports a read-only flag that must be honored to prevent modification or writes to buffer data in cases like these.

II. Problem Description

The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption.

III. Impact

This data corruption can be exploited by an local attacker to escalate their privilege by carefully controlling the corruption of system files. It should be noted that the attacker can corrupt any file they have read access to.

NOTE: While systems without untrusted local users are not affected by the security aspects of this issue, the potential for data corruption implies that this should still be treated as a critical erratum.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3, 8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.



b) Apply the patch.

cd /usr/src

patch < /path/to/patch

c) Recompile your kernel as described in <URL:> and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

freebsd-update fetch

freebsd-update install

Now reboot the system.

VI. Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.


Branch Revision Path

RELENG_7 src/sys/kern/uipc_mbuf.c RELENG_7_3 src/UPDATING 1.507. src/sys/conf/ src/sys/kern/uipc_mbuf.c RELENG_7_1 src/UPDATING 1.507. src/sys/conf/ src/sys/kern/uipc_mbuf.c RELENG_8 src/sys/kern/uipc_mbuf.c RELENG_8_1 src/UPDATING 1.632. src/sys/conf/ src/sys/kern/uipc_mbuf.c RELENG_8_0 src/UPDATING 1.632. src/sys/conf/ src/sys/kern/uipc_mbuf.c


Branch/path Revision

stable/7/ r209964 releng/7.3/ r209964 releng/7.1/ r209964 stable/8/ r209964 releng/8.0/ r209964 releng/8.1/ r209964

VII. References

The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkw71A0ACgkQFdaIBMps37JOOACff8w8qvsgopj11FFAPQdwyPLB JEQAniRHbomY2hJVw5FmrdQv3SP+ZziI =Reds -----END PGP SIGNATURE-----