FreeBSD-SA-10:07.mbuf: Lost mbuf flag resulting in data corruption

The read-only flag is not correctly copied when a mbuf buffer reference is duplicated.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:07.mbuf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Lost mbuf flag resulting in data corruption

Category:       core
Module:         kern
Announced:      2010-07-13
Credits:        Ming Fu
Affects:        FreeBSD 7.x and later.
Corrected:      2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE)
                2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE)
                2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4)
                2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE)
                2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2)
                2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13)
CVE Name:       CVE-2010-2693

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

An mbuf is a basic unit of memory management in the FreeBSD kernel
inter-process communication and networking subsystem.  Network packets
and socket buffers are dependent on mbufs for their storage.

Data can be embedded directly in mbufs, or mbufs can instead reference
external buffers.  The sendfile(2) system call uses external mbuf storage
to directly map the contents of a file into a chain of mbufs for
transmission purposes.  The mbuf object supports a read-only flag that
must be honored to prevent modification or writes to buffer data in
cases like these.

II.  Problem Description

The read-only flag is not correctly copied when a mbuf buffer reference
is duplicated.  When the sendfile(2) system call is used to transmit
data over the loopback interface, this can result in the backing pages
for the transmitted file being modified, causing data corruption.

III. Impact

This data corruption can be exploited by an local attacker to escalate
their privilege by carefully controlling the corruption of system files.
It should be noted that the attacker can corrupt any file they have read
access to.

NOTE: While systems without untrusted local users are not affected by
the security aspects of this issue, the potential for data corruption
implies that this should still be treated as a critical erratum.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch
# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or
amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Now reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/uipc_mbuf.c                                      1.174.2.4
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.4
  src/sys/conf/newvers.sh                                   1.72.2.16.2.6
  src/sys/kern/uipc_mbuf.c                                  1.174.2.3.4.2
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.16
  src/sys/conf/newvers.sh                                   1.72.2.9.2.17
  src/sys/kern/uipc_mbuf.c                                  1.174.2.2.2.2
RELENG_8
  src/sys/kern/uipc_mbuf.c                                      1.185.2.3
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.2
  src/sys/conf/newvers.sh                                   1.83.2.10.2.4
  src/sys/kern/uipc_mbuf.c                                  1.185.2.2.2.2
RELENG_8_0
  src/UPDATING                                              1.632.2.7.2.7
  src/sys/conf/newvers.sh                                    1.83.2.6.2.7
  src/sys/kern/uipc_mbuf.c                                  1.185.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r209964
releng/7.3/                                                       r209964
releng/7.1/                                                       r209964
stable/8/                                                         r209964
releng/8.0/                                                       r209964
releng/8.1/                                                       r209964
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2693

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkw71A0ACgkQFdaIBMps37JOOACff8w8qvsgopj11FFAPQdwyPLB
JEQAniRHbomY2hJVw5FmrdQv3SP+ZziI
=Reds
-----END PGP SIGNATURE-----