Copyright 2022 - CSIM - Asian Institute of Technology

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: FreeBSD Security Advisory FreeBSD-SA-08:07.amd64
From: FreeBSD Security Advisories <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Wed, 3 Sep 2008 20:13:05 GMT

Hash: SHA1

FreeBSD-SA-08:07.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          amd64 swapgs local privilege escalation

Category:       core
Module:         sys_amd64_amd64
Announced:      2008-09-03
Credits:        Nate Eldredge
Affects:        All supported FreeBSD/amd64 versions.
Corrected:      2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3890

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:>.

I.   Background

FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel
CPU's.  For Intel CPU's this architecture is known as EM64T or Intel

The gs segment CPU register is used by both user processes and the
kernel to convieniently access state data.  User processes use it to
manage per-thread data, and the kernel uses it to manage per-processor
data.  As the processor enters and leaves the kernel it uses the
'swapgs' instruction to toggle between the kernel and user values for
the gs register.

The kernel stores critical information in its per-processor data
block.  This includes the currently executing process and its

As the processor switches between user and kernel level, a number of
checks are performed in order to implement the privilege protection
system.  If the processor detects a problem while attempting to switch
privilege levels it generates a trap - typically general protection
fault (GPF).  In that case, the processor aborts the return to the
user level process and re-enters the kernel.  The FreeBSD kernel
allows the user process to be notified of such an event by a signal

II.  Problem Description

If a General Protection Fault happens on a FreeBSD/amd64 system while
it is returning from an interrupt, trap or system call, the swapgs CPU
instruction may be called one extra time when it should not resulting
in userland and kernel state being mixed.

III. Impact

A local attacker can by causing a General Protection Fault while the
kernel is returning from an interrupt, trap or system call while
manipulating stack frames and, run arbitrary code with kernel

The vulnerability can be used to gain kernel / supervisor privilege.
This can for example be used by normal users to gain root privileges,
to break out of jails, or bypass Mandatory Access Control (MAC)

IV.  Workaround

No workaround is available, but only systems running the 64 bit
FreeSD/amd64 kernels are vulnerable.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch
# fetch

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:> and reboot the

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
- -------------------------------------------------------------------------
  src/UPDATING                                             1.416.
  src/UPDATING                                              1.507.
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
Version: GnuPG v1.4.9 (FreeBSD)

This email address is being protected from spambots. You need JavaScript enabled to view it. mailing list
To unsubscribe, send any mail to "This email address is being protected from spambots. You need JavaScript enabled to view it."
Powered by: MHonArc

Login Form


School of Engineering and technologies     Asian Institute of Technology