diff options
4 files changed, 321 insertions, 0 deletions
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index dbe5ac58ce..e914a98428 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -2,6 +2,10 @@ # $FreeBSD$ [[advisories]] +name = "FreeBSD-SA-23:18.nfsclient" +date = "2023-12-12" + +[[advisories]] name = "FreeBSD-SA-23:17.pf" date = "2023-12-05" diff --git a/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc b/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc new file mode 100644 index 0000000000..66c41bd5bd --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc @@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:18.nfsclient Security Advisory + The FreeBSD Project + +Topic: NFS client data corruption and kernel memory disclosure + +Category: core +Module: nfsclient +Announced: 2023-12-12 +Credits: Hostpoint AG +Affects: FreeBSD 13.2 and 14.0 +Corrected: 2023-12-12 19:13:50 UTC (stable/14, 14.0-STABLE) + 2023-12-12 19:17:36 UTC (releng/14.0, 14.0-RELEASE-p3) + 2023-12-12 19:14:16 UTC (stable/13, 13.2-STABLE) + 2023-12-12 19:18:17 UTC (releng/13.2, 13.2-RELEASE-p8) +CVE Name: CVE-2023-6660 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The Network File System (NFS) is a distributed file system that allows remote +systems to access files and directories over a network as if they were local. +FreeBSD includes both server and client implementations of NFS. + +II. Problem Description + +In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the +performance of IO_APPEND writes, that is, writes which add data to the end of +a file and so extend its size. This uncovered an old bug in some routines +which copy userspace data into the kernel. The bug also affects the NFS +client's implementation of direct I/O; however, this implementation is +disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only +used to handle synchronous writes. + +III. Impact + +When a program running on an affected system appends data to a file via an +NFS client mount, the bug can cause the NFS client to fail to copy in the +data to be written but proceed as though the copy operation had succeeded. +This means that the data to be written is instead replaced with whatever data +had been in the packet buffer previously. Thus, an unprivileged user with +access to an affected system may abuse the bug to trigger disclosure of +sensitive information. In particular, the leak is limited to data previously +stored in mbufs, which are used for network transmission and reception, and +for certain types of inter-process communication. + +The bug can also be triggered unintentionally by system applications, in +which case the data written by the application to an NFS mount may be +corrupted. Corrupted data is written over the network to the NFS server, and +thus also susceptible to being snooped by other hosts on the network. + +Note that the bug exists only in the NFS client; the version and +implementation of the server has no effect on whether a given system is +affected by the problem. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platfrom on FreeBSD 13 and earlier, can be updated via +the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch +# fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch.asc +# gpg --verify nfsclient.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 8d42f85d9d7b stable/14-n265954 +releng/14.0/ ab60666a00c9 releng/14.0-n265397 +stable/13/ f1d1d50e1d08 stable/13-n256860 +releng/13.2/ 3f079b3f2f33 releng/13.2-n254649 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6660> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:18.nfsclient.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmV4s/kACgkQbljekB8A +Gu8kvg//RUe/q2SFiVyo94disTET5JjVAPjKzMrHuhoI92OA994zS3MXmU6cQZAh +ikWzMTf25/tgGvN8/Cujhp6zIXiPwUvwJXQqL6JN2/lqHHztxYz/m3Ol8Pc2q2yx +hDbY0dOeyaGK9CuH7hjMtu/jeh6vj+TyvzLg/KuxgdOkjdDd352CF43alkb5Q55t +3V8pcY49zCk+5aMJv667mphGxf4yRC/+bkVtJIqoAUpAg/VORMJmMiEt0LS3v7t5 +Oaal8rVfcPu8jPhkt8dIzcp1lrr+AfsOnEB68x2ECiYp2LCWp/ya7rG+DMD537kw +IhSKRpqMvc4rQpjGQIsewO+sexyYC/zYrUu4BYMUnLVEqQ+GPN7jV7uAjoGuvsus +uOAuN3l4T1x50VyBGA9Z2sVAHOkDAh98J8HDtdCK+IxNnTKFsFHBE/4zFLXkVYwr +vo15qZpHzdTnHhhq5GjxZU+j1Sw0TbMWYPVPsgv8HqZciPjmv5bW7nxvB60sqb1a +LYhE2cWilWxNKWQLhFt60ooGb09Auu+wDgnXLmTmpc/phOI+hCNOPedRF/0yPS7D +dE0Q1vjdoiJgcAdntve8fzlwq1KSG4mQZRrJvMverW+/YLtbEFYY/iFT+jYWRMcN +QwyjgbABQ9tzOVaPjSGJp/UB7SjDn8KFoOfeXWZrMkOYz95lXUk= +=Wsy4 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-23:18/nfsclient.patch b/website/static/security/patches/SA-23:18/nfsclient.patch new file mode 100644 index 0000000000..2368832f03 --- /dev/null +++ b/website/static/security/patches/SA-23:18/nfsclient.patch @@ -0,0 +1,148 @@ +--- sys/fs/nfs/nfs_var.h.orig ++++ sys/fs/nfs/nfs_var.h +@@ -368,7 +368,7 @@ + struct ucred *, NFSPROC_T *); + + /* nfs_clcomsubs.c */ +-void nfsm_uiombuf(struct nfsrv_descript *, struct uio *, int); ++int nfsm_uiombuf(struct nfsrv_descript *, struct uio *, int); + struct mbuf *nfsm_uiombuflist(struct uio *, int, u_int); + u_int8_t *nfscl_getmyip(struct nfsmount *, struct in6_addr *, int *); + int nfsm_getfh(struct nfsrv_descript *, struct nfsfh **); +--- sys/fs/nfsclient/nfs_clcomsubs.c.orig ++++ sys/fs/nfsclient/nfs_clcomsubs.c +@@ -53,12 +53,12 @@ + * copies a uio scatter/gather list to an mbuf chain. + * NOTE: can only handle iovcnt == 1 + */ +-void ++int + nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *uiop, int siz) + { + char *uiocp; + struct mbuf *mp, *mp2; +- int xfer, left, mlen; ++ int error, xfer, left, mlen; + int uiosiz, clflg, rem; + char *mcp, *tcp; + +@@ -106,8 +106,11 @@ + xfer = (left > mlen) ? mlen : left; + if (uiop->uio_segflg == UIO_SYSSPACE) + NFSBCOPY(uiocp, mcp, xfer); +- else +- copyin(uiocp, mcp, xfer); ++ else { ++ error = copyin(uiocp, mcp, xfer); ++ if (error != 0) ++ return (error); ++ } + mp->m_len += xfer; + left -= xfer; + uiocp += xfer; +@@ -150,6 +153,7 @@ + } + nd->nd_bpos = mcp; + nd->nd_mb = mp; ++ return (0); + } + + /* +@@ -162,7 +166,7 @@ + { + char *uiocp; + struct mbuf *mp, *mp2, *firstmp; +- int extpg, extpgsiz = 0, i, left, mlen, rem, xfer; ++ int error, extpg, extpgsiz = 0, i, left, mlen, rem, xfer; + int uiosiz, clflg; + char *mcp, *tcp; + +@@ -220,8 +224,13 @@ + xfer = (left > mlen) ? mlen : left; + if (uiop->uio_segflg == UIO_SYSSPACE) + NFSBCOPY(uiocp, mcp, xfer); +- else +- copyin(uiocp, mcp, xfer); ++ else { ++ error = copyin(uiocp, mcp, xfer); ++ if (error != 0) { ++ m_freem(firstmp); ++ return (NULL); ++ } ++ } + mp->m_len += xfer; + mcp += xfer; + if (maxext > 0) { +--- sys/fs/nfsclient/nfs_clrpcops.c.orig ++++ sys/fs/nfsclient/nfs_clrpcops.c +@@ -1890,7 +1890,12 @@ + *tl++ = x; /* total to this offset */ + *tl = x; /* size of this write */ + } +- nfsm_uiombuf(nd, uiop, len); ++ error = nfsm_uiombuf(nd, uiop, len); ++ if (error != 0) { ++ m_freem(nd->nd_mreq); ++ free(nd, M_TEMP); ++ return (error); ++ } + /* + * Although it is tempting to do a normal Getattr Op in the + * NFSv4 compound, the result can be a nearly hung client +@@ -5981,6 +5986,10 @@ + iovlen = uiop->uio_iov->iov_len; + m = nfsm_uiombuflist(uiop, len, + 0); ++ if (m == NULL) { ++ error = EFAULT; ++ break; ++ } + } + tdrpc = drpc = malloc(sizeof(*drpc) * + (mirrorcnt - 1), M_TEMP, M_WAITOK | +@@ -6553,7 +6562,11 @@ + *tl++ = txdr_unsigned(len); + *tl++ = txdr_unsigned(*iomode); + *tl = txdr_unsigned(len); +- nfsm_uiombuf(nd, uiop, len); ++ error = nfsm_uiombuf(nd, uiop, len); ++ if (error != 0) { ++ m_freem(nd->nd_mreq); ++ return (error); ++ } + nrp = dsp->nfsclds_sockp; + if (nrp == NULL) + /* If NULL, use the MDS socket. */ +@@ -8639,7 +8652,11 @@ + nfsm_strtom(nd, name, strlen(name)); + NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED); + *tl = txdr_unsigned(uiop->uio_resid); +- nfsm_uiombuf(nd, uiop, uiop->uio_resid); ++ error = nfsm_uiombuf(nd, uiop, uiop->uio_resid); ++ if (error != 0) { ++ m_freem(nd->nd_mreq); ++ return (error); ++ } + NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED); + *tl = txdr_unsigned(NFSV4OP_GETATTR); + NFSGETATTR_ATTRBIT(&attrbits); +--- sys/fs/nfsclient/nfs_clvnops.c.orig ++++ sys/fs/nfsclient/nfs_clvnops.c +@@ -1579,7 +1579,7 @@ + error = nfscl_doiods(vp, uiop, NULL, NULL, + NFSV4OPEN_ACCESSREAD, 0, cred, uiop->uio_td); + NFSCL_DEBUG(4, "readrpc: aft doiods=%d\n", error); +- if (error != 0) ++ if (error != 0 && error != EFAULT) + error = nfsrpc_read(vp, uiop, cred, uiop->uio_td, &nfsva, + &attrflag, NULL); + if (attrflag) { +@@ -1610,7 +1610,7 @@ + error = nfscl_doiods(vp, uiop, iomode, must_commit, + NFSV4OPEN_ACCESSWRITE, 0, cred, uiop->uio_td); + NFSCL_DEBUG(4, "writerpc: aft doiods=%d\n", error); +- if (error != 0) ++ if (error != 0 && error != EFAULT) + error = nfsrpc_write(vp, uiop, iomode, must_commit, cred, + uiop->uio_td, &nfsva, &attrflag, called_from_strategy, + ioflag); diff --git a/website/static/security/patches/SA-23:18/nfsclient.patch.asc b/website/static/security/patches/SA-23:18/nfsclient.patch.asc new file mode 100644 index 0000000000..c369cf23c7 --- /dev/null +++ b/website/static/security/patches/SA-23:18/nfsclient.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmV4s/8ACgkQbljekB8A +Gu9nWhAAx3DdIh68VWEDbgiUkUAyaBe8pRrotAGpmOWSiI+FyMMxPStuyE2r5ENs +yoXfNbfjEkOT6wkluVhw5gDzE8fcGBOVML9GFLty4qV8vtqSlNssMrr3j/+pO5ud +lYYl3OI/8tRN2CLG+jnyNnVgEo3y520orMDonJ2WWJeiW90UBtMlp/6ZXXljRBwW +43aw0rtkCi+B2COhqteADCVQtES/gyz+v+vE2lZ6hGx4MDLcmh/0B18v4h7IgTzA +4Hh8jrsXXbb9NcvAtILbS3RA+T+zIXJhX+6oGiYYXwmlm8ah+QoG1TMKGXwWkG4M +hc6C2NlhuWjKVMTtfQtgDNXyQRE2JnAzN4yOd46ebjRQLkXw6P4sCd7H2uD0MZqn +mpm9Ta4qil7mH3tcdPQgi67iN4M+fy+NV2T8B5/iN0XE/iqVKVbNUD7/L0tZWpjc +LQwaH9gzCmaC4v92yeCzFG1dZpnBLYN7KujoWkn7BF238/6frIzdcRz0go/L53GR +qokAT0h1QfF22EVxQGlCwNx967ePMRZFQIZY+jAsWur0yEIomodmQnxRUln34iUc +Z9gcMX+OYZPd9NHo93RUoSRKgidgYz9YEKuN5022tOffL2KV36KUYdXWI1OiAGVI +0IIYS74ySFqxUxuobwQQ1Qa9qHPNkfI6GOaDKjvmEBgLabcIDo0= +=nRdo +-----END PGP SIGNATURE----- |