git: 8ca7cece26 - main - Add SA-23:18.nfsclient.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Tue, 12 Dec 2023 19:30:06 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=8ca7cece26ebebed9a25488c587820e18de887ba

commit 8ca7cece26ebebed9a25488c587820e18de887ba
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2023-12-12 19:27:41 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-12-12 19:27:41 +0000

    Add SA-23:18.nfsclient.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |   4 +
 .../advisories/FreeBSD-SA-23:18.nfsclient.asc      | 153 +++++++++++++++++++++
 .../security/patches/SA-23:18/nfsclient.patch      | 148 ++++++++++++++++++++
 .../security/patches/SA-23:18/nfsclient.patch.asc  |  16 +++
 4 files changed, 321 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index dbe5ac58ce..e914a98428 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,10 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-23:18.nfsclient"
+date = "2023-12-12"
+
 [[advisories]]
 name = "FreeBSD-SA-23:17.pf"
 date = "2023-12-05"
diff --git a/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc b/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc
new file mode 100644
index 0000000000..66c41bd5bd
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc
@@ -0,0 +1,153 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:18.nfsclient                                  Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          NFS client data corruption and kernel memory disclosure
+
+Category:       core
+Module:         nfsclient
+Announced:      2023-12-12
+Credits:        Hostpoint AG
+Affects:        FreeBSD 13.2 and 14.0
+Corrected:      2023-12-12 19:13:50 UTC (stable/14, 14.0-STABLE)
+                2023-12-12 19:17:36 UTC (releng/14.0, 14.0-RELEASE-p3)
+                2023-12-12 19:14:16 UTC (stable/13, 13.2-STABLE)
+                2023-12-12 19:18:17 UTC (releng/13.2, 13.2-RELEASE-p8)
+CVE Name:       CVE-2023-6660
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Network File System (NFS) is a distributed file system that allows remote
+systems to access files and directories over a network as if they were local.
+FreeBSD includes both server and client implementations of NFS.
+
+II.  Problem Description
+
+In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the
+performance of IO_APPEND writes, that is, writes which add data to the end of
+a file and so extend its size.  This uncovered an old bug in some routines
+which copy userspace data into the kernel.  The bug also affects the NFS
+client's implementation of direct I/O; however, this implementation is
+disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only
+used to handle synchronous writes.
+
+III. Impact
+
+When a program running on an affected system appends data to a file via an
+NFS client mount, the bug can cause the NFS client to fail to copy in the
+data to be written but proceed as though the copy operation had succeeded.
+This means that the data to be written is instead replaced with whatever data
+had been in the packet buffer previously.  Thus, an unprivileged user with
+access to an affected system may abuse the bug to trigger disclosure of
+sensitive information.  In particular, the leak is limited to data previously
+stored in mbufs, which are used for network transmission and reception, and
+for certain types of inter-process communication.
+
+The bug can also be triggered unintentionally by system applications, in
+which case the data written by the application to an NFS mount may be
+corrupted.  Corrupted data is written over the network to the NFS server, and
+thus also susceptible to being snooped by other hosts on the network.
+
+Note that the bug exists only in the NFS client; the version and
+implementation of the server has no effect on whether a given system is
+affected by the problem.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platfrom on FreeBSD 13 and earlier, can be updated via
+the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch.asc
+# gpg --verify nfsclient.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              8d42f85d9d7b    stable/14-n265954
+releng/14.0/                            ab60666a00c9  releng/14.0-n265397
+stable/13/                              f1d1d50e1d08    stable/13-n256860
+releng/13.2/                            3f079b3f2f33  releng/13.2-n254649
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6660>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:18.nfsclient.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=Wsy4
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:18/nfsclient.patch b/website/static/security/patches/SA-23:18/nfsclient.patch
new file mode 100644
index 0000000000..2368832f03
--- /dev/null
+++ b/website/static/security/patches/SA-23:18/nfsclient.patch
@@ -0,0 +1,148 @@
+--- sys/fs/nfs/nfs_var.h.orig
++++ sys/fs/nfs/nfs_var.h
+@@ -368,7 +368,7 @@
+     struct ucred *, NFSPROC_T *);
+ 
+ /* nfs_clcomsubs.c */
+-void nfsm_uiombuf(struct nfsrv_descript *, struct uio *, int);
++int nfsm_uiombuf(struct nfsrv_descript *, struct uio *, int);
+ struct mbuf *nfsm_uiombuflist(struct uio *, int, u_int);
+ u_int8_t *nfscl_getmyip(struct nfsmount *, struct in6_addr *, int *);
+ int nfsm_getfh(struct nfsrv_descript *, struct nfsfh **);
+--- sys/fs/nfsclient/nfs_clcomsubs.c.orig
++++ sys/fs/nfsclient/nfs_clcomsubs.c
+@@ -53,12 +53,12 @@
+  * copies a uio scatter/gather list to an mbuf chain.
+  * NOTE: can only handle iovcnt == 1
+  */
+-void
++int
+ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *uiop, int siz)
+ {
+ 	char *uiocp;
+ 	struct mbuf *mp, *mp2;
+-	int xfer, left, mlen;
++	int error, xfer, left, mlen;
+ 	int uiosiz, clflg, rem;
+ 	char *mcp, *tcp;
+ 
+@@ -106,8 +106,11 @@
+ 			xfer = (left > mlen) ? mlen : left;
+ 			if (uiop->uio_segflg == UIO_SYSSPACE)
+ 				NFSBCOPY(uiocp, mcp, xfer);
+-			else
+-				copyin(uiocp, mcp, xfer);
++			else {
++				error = copyin(uiocp, mcp, xfer);
++				if (error != 0)
++					return (error);
++			}
+ 			mp->m_len += xfer;
+ 			left -= xfer;
+ 			uiocp += xfer;
+@@ -150,6 +153,7 @@
+ 	}
+ 	nd->nd_bpos = mcp;
+ 	nd->nd_mb = mp;
++	return (0);
+ }
+ 
+ /*
+@@ -162,7 +166,7 @@
+ {
+ 	char *uiocp;
+ 	struct mbuf *mp, *mp2, *firstmp;
+-	int extpg, extpgsiz = 0, i, left, mlen, rem, xfer;
++	int error, extpg, extpgsiz = 0, i, left, mlen, rem, xfer;
+ 	int uiosiz, clflg;
+ 	char *mcp, *tcp;
+ 
+@@ -220,8 +224,13 @@
+ 			xfer = (left > mlen) ? mlen : left;
+ 			if (uiop->uio_segflg == UIO_SYSSPACE)
+ 				NFSBCOPY(uiocp, mcp, xfer);
+-			else
+-				copyin(uiocp, mcp, xfer);
++			else {
++				error = copyin(uiocp, mcp, xfer);
++				if (error != 0) {
++					m_freem(firstmp);
++					return (NULL);
++				}
++			}
+ 			mp->m_len += xfer;
+ 			mcp += xfer;
+ 			if (maxext > 0) {
+--- sys/fs/nfsclient/nfs_clrpcops.c.orig
++++ sys/fs/nfsclient/nfs_clrpcops.c
+@@ -1890,7 +1890,12 @@
+ 			*tl++ = x;      /* total to this offset */
+ 			*tl = x;        /* size of this write */
+ 		}
+-		nfsm_uiombuf(nd, uiop, len);
++		error = nfsm_uiombuf(nd, uiop, len);
++		if (error != 0) {
++			m_freem(nd->nd_mreq);
++			free(nd, M_TEMP);
++			return (error);
++		}
+ 		/*
+ 		 * Although it is tempting to do a normal Getattr Op in the
+ 		 * NFSv4 compound, the result can be a nearly hung client
+@@ -5981,6 +5986,10 @@
+ 						iovlen = uiop->uio_iov->iov_len;
+ 						m = nfsm_uiombuflist(uiop, len,
+ 						    0);
++						if (m == NULL) {
++							error = EFAULT;
++							break;
++						}
+ 					}
+ 					tdrpc = drpc = malloc(sizeof(*drpc) *
+ 					    (mirrorcnt - 1), M_TEMP, M_WAITOK |
+@@ -6553,7 +6562,11 @@
+ 		*tl++ = txdr_unsigned(len);
+ 	*tl++ = txdr_unsigned(*iomode);
+ 	*tl = txdr_unsigned(len);
+-	nfsm_uiombuf(nd, uiop, len);
++	error = nfsm_uiombuf(nd, uiop, len);
++	if (error != 0) {
++		m_freem(nd->nd_mreq);
++		return (error);
++	}
+ 	nrp = dsp->nfsclds_sockp;
+ 	if (nrp == NULL)
+ 		/* If NULL, use the MDS socket. */
+@@ -8639,7 +8652,11 @@
+ 	nfsm_strtom(nd, name, strlen(name));
+ 	NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED);
+ 	*tl = txdr_unsigned(uiop->uio_resid);
+-	nfsm_uiombuf(nd, uiop, uiop->uio_resid);
++	error = nfsm_uiombuf(nd, uiop, uiop->uio_resid);
++	if (error != 0) {
++		m_freem(nd->nd_mreq);
++		return (error);
++	}
+ 	NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED);
+ 	*tl = txdr_unsigned(NFSV4OP_GETATTR);
+ 	NFSGETATTR_ATTRBIT(&attrbits);
+--- sys/fs/nfsclient/nfs_clvnops.c.orig
++++ sys/fs/nfsclient/nfs_clvnops.c
+@@ -1579,7 +1579,7 @@
+ 		error = nfscl_doiods(vp, uiop, NULL, NULL,
+ 		    NFSV4OPEN_ACCESSREAD, 0, cred, uiop->uio_td);
+ 	NFSCL_DEBUG(4, "readrpc: aft doiods=%d\n", error);
+-	if (error != 0)
++	if (error != 0 && error != EFAULT)
+ 		error = nfsrpc_read(vp, uiop, cred, uiop->uio_td, &nfsva,
+ 		    &attrflag, NULL);
+ 	if (attrflag) {
+@@ -1610,7 +1610,7 @@
+ 		error = nfscl_doiods(vp, uiop, iomode, must_commit,
+ 		    NFSV4OPEN_ACCESSWRITE, 0, cred, uiop->uio_td);
+ 	NFSCL_DEBUG(4, "writerpc: aft doiods=%d\n", error);
+-	if (error != 0)
++	if (error != 0 && error != EFAULT)
+ 		error = nfsrpc_write(vp, uiop, iomode, must_commit, cred,
+ 		    uiop->uio_td, &nfsva, &attrflag, called_from_strategy,
+ 		    ioflag);
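Review bot: The new early `return (error);` in nfsm_uiombuf leaves nd->nd_bpos and nd->nd_mb untouched (they are only assigned at the end of the function) and, unlike nfsm_uiombuflist which calls m_freem(firstmp) before returning NULL, frees nothing itself; the callers in nfs_clrpcops.c then rely on m_freem(nd->nd_mreq) reclaiming the mbufs filled so far, which holds only if each new mbuf is linked into that chain as it is allocated — plausible from the surrounding code but not visible in this hunk, since nfsm_uiombuf's body and every caller continue outside it. The comment above nfsm_uiombuf should record the contract: `Returns 0, or the copyin(9) error; on error nd->nd_mb/nd_bpos are not updated and the partially built request stays on nd->nd_mreq for the caller to free.` The first call site also does `free(nd, M_TEMP)` while the other two free only nd->nd_mreq; presumably only that function heap-allocates nd, but it is worth confirming per caller, because a missed free leaks and a spurious one double-frees. In nfs_clvnops.c EFAULT now acts as an in-band sentinel meaning "do not fall back to the plain RPC"; a comment such as `/* EFAULT from nfscl_doiods means copyin failed; retrying via nfsrpc_read would fail the same way */` would make the intent explicit, and note that any other EFAULT originating inside nfscl_doiods now also bypasses the fallback.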
diff --git a/website/static/security/patches/SA-23:18/nfsclient.patch.asc b/website/static/security/patches/SA-23:18/nfsclient.patch.asc
new file mode 100644
index 0000000000..c369cf23c7
--- /dev/null
+++ b/website/static/security/patches/SA-23:18/nfsclient.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmV4s/8ACgkQbljekB8A
+Gu9nWhAAx3DdIh68VWEDbgiUkUAyaBe8pRrotAGpmOWSiI+FyMMxPStuyE2r5ENs
+yoXfNbfjEkOT6wkluVhw5gDzE8fcGBOVML9GFLty4qV8vtqSlNssMrr3j/+pO5ud
+lYYl3OI/8tRN2CLG+jnyNnVgEo3y520orMDonJ2WWJeiW90UBtMlp/6ZXXljRBwW
+43aw0rtkCi+B2COhqteADCVQtES/gyz+v+vE2lZ6hGx4MDLcmh/0B18v4h7IgTzA
+4Hh8jrsXXbb9NcvAtILbS3RA+T+zIXJhX+6oGiYYXwmlm8ah+QoG1TMKGXwWkG4M
+hc6C2NlhuWjKVMTtfQtgDNXyQRE2JnAzN4yOd46ebjRQLkXw6P4sCd7H2uD0MZqn
+mpm9Ta4qil7mH3tcdPQgi67iN4M+fy+NV2T8B5/iN0XE/iqVKVbNUD7/L0tZWpjc
+LQwaH9gzCmaC4v92yeCzFG1dZpnBLYN7KujoWkn7BF238/6frIzdcRz0go/L53GR
+qokAT0h1QfF22EVxQGlCwNx967ePMRZFQIZY+jAsWur0yEIomodmQnxRUln34iUc
+Z9gcMX+OYZPd9NHo93RUoSRKgidgYz9YEKuN5022tOffL2KV36KUYdXWI1OiAGVI
+0IIYS74ySFqxUxuobwQQ1Qa9qHPNkfI6GOaDKjvmEBgLabcIDo0=
+=nRdo
+-----END PGP SIGNATURE-----