Copyright 2022 - CSIM - Asian Institute of Technology

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: FreeBSD Security Advisory FreeBSD-SA-10:07.mbuf
From: FreeBSD Security Advisories <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Tue, 13 Jul 2010 02:52:10 GMT

Hash: SHA1

FreeBSD-SA-10:07.mbuf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Lost mbuf flag resulting in data corruption

Category:       core
Module:         kern
Announced:      2010-07-13
Credits:        Ming Fu
Affects:        FreeBSD 7.x and later.
Corrected:      2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE)
                2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE)
                2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4)
                2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE)
                2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2)
                2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13)
CVE Name:       CVE-2010-2693

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:>.

I.   Background

An mbuf is a basic unit of memory management in the FreeBSD kernel
inter-process communication and networking subsystem.  Network packets
and socket buffers are dependent on mbufs for their storage.

Data can be embedded directly in mbufs, or mbufs can instead reference
external buffers.  The sendfile(2) system call uses external mbuf storage
to directly map the contents of a file into a chain of mbufs for
transmission purposes.  The mbuf object supports a read-only flag that
must be honored to prevent modification or writes to buffer data in
cases like these.

II.  Problem Description

The read-only flag is not correctly copied when a mbuf buffer reference
is duplicated.  When the sendfile(2) system call is used to transmit
data over the loopback interface, this can result in the backing pages
for the transmitted file being modified, causing data corruption.

III. Impact

This data corruption can be exploited by an local attacker to escalate
their privilege by carefully controlling the corruption of system files.
It should be noted that the attacker can corrupt any file they have read
access to.

NOTE: While systems without untrusted local users are not affected by
the security aspects of this issue, the potential for data corruption
implies that this should still be treated as a critical erratum.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch
# fetch

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:> and reboot the

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or
amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Now reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.


Branch                                                           Revision
- -------------------------------------------------------------------------
  src/UPDATING                                             1.507.
  src/UPDATING                                            1.507.
  src/UPDATING                                             1.632.
  src/UPDATING                                              1.632.
- -------------------------------------------------------------------------


Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r209964
releng/7.3/                                                       r209964
releng/7.1/                                                       r209964
stable/8/                                                         r209964
releng/8.0/                                                       r209964
releng/8.1/                                                       r209964
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
Version: GnuPG v1.4.10 (FreeBSD)

This email address is being protected from spambots. You need JavaScript enabled to view it. mailing list
To unsubscribe, send any mail to "This email address is being protected from spambots. You need JavaScript enabled to view it."

Powered by: MHonArc

Login Form


School of Engineering and technologies     Asian Institute of Technology