-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:21.43bsd Security Advisory The FreeBSD Project Topic: Kernel stack disclosure in 4.3BSD compatibility layer Category: core Module: kernel Announced: 2016-05-31 Credits: CTurt Affects: All supported versions of FreeBSD. Corrected: 2016-05-31 16:57:42 UTC (stable/10, 10.3-STABLE) 2016-05-31 16:55:50 UTC (releng/10.3, 10.3-RELEASE-p4) 2016-05-31 16:55:45 UTC (releng/10.2, 10.2-RELEASE-p18) 2016-05-31 16:55:41 UTC (releng/10.1, 10.1-RELEASE-p35) 2016-05-31 16:58:00 UTC (stable/9, 9.3-STABLE) 2016-05-31 16:55:37 UTC (releng/9.3, 9.3-RELEASE-p43) For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background FreeBSD has binary compatibility layer with historic 4.3BSD operating system. II. Problem Description The implementation of historic stat(2) system call does not clear the output struct before copying it out to userland. III. Impact An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges. IV. Workaround No workaround is available, but systems not using the 4.3BSD compatibility layer are not vulnerable. The 4.3BSD compatibility layer is not included into the default GENERIC kernel configuration. A custom kernel config that does not have the COMPAT_43 option is also not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Reboot is required. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:21/stat.patch # fetch https://security.FreeBSD.org/patches/SA-16:21/stat.patch.asc # gpg --verify stat.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r301055 releng/9.3/ r301049 stable/10/ r301054 releng/10.1/ r301050 releng/10.2/ r301051 releng/10.3/ r301052 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:http://cturt.github.io/compat-info-leaks.html> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:21.43bsd.asc> -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJXTcSQAAoJEO1n7NZdz2rn/JYQAKrbMPuSBxDZzMS0iq76R5Gw RPkTZcH5zFqXI6s7WGNLtdV6VgatQtG8WsYdaGn+E+dKqGmIu4xtcIfXS6dgP/fT aqP522x5CbZt2nl3bpQ/vPDnJbEJ/a25nydLjHuCbJP1MqPKCWOJFlt/EOXlqXd4 SptiShq/EDPZgJSODmGp34raAIIeuMHUz2gF8YEBD3Uu8cV6zMHlc1Lj8veI1NJv xKaSK+31HAdAgkP5NKPEXA3Ei553i1tzN8KGgbEeFvsjtNUuqxR8n2nB2XJ3GANb E7Z3byjajZqgYim6tYqobAyZEjrdGInNt8E5XEdrJhsIhzn6mqcdpJsf9yur1xY2 TSNaNNlWGicd1TYuPQjd7LPiqKKdIKO3s7P3vHXhJRvy2vD9B4NfX/kcU1UjJkAI h19iI1B9WbiLakTTJLSn5tcSSIUUNJ3c70jYIoo4WOEHN3x8HvjtaGuH2TK89CA2 tPqkKau4Txd3ikdpNbU6pYDyWAYG+z/cH6F1dYrkchULK8uNP+sEkHai2MYtNv/W Q0CDy46iHBmbYkTwlEDxPkfDEKsiUbm32AgvfwuEAfjszwYuO1+KjZ6oKXwycQz9 gCyNZVfsjSOV5srzVQ2daUmuNkQiua2zt8JX5J64rUJSYx3AkZHOTNxmVEu12K1U RdI/7TaMcgMzkGMlwEv9 =qPmZ -----END PGP SIGNATURE-----