Date: Tue, 12 Dec 2023 19:30:06 GMT
Message-Id: <202312121930.3BCJU6KS008198@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow Subject: git: 8ca7cece26 - main - Add SA-23:18.nfsclient. List-Id: Commit messages for all branches of the doc repository List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-doc-all@freebsd.org X-BeenThere: dev-commits-doc-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gordon X-Git-Repository: doc X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 8ca7cece26ebebed9a25488c587820e18de887ba Auto-Submitted: auto-generated The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/doc/commit/?id=8ca7cece26ebebed9a25488c587820e18de887ba commit 8ca7cece26ebebed9a25488c587820e18de887ba Author: Gordon Tetlow AuthorDate: 2023-12-12 19:27:41 +0000 Commit: Gordon Tetlow CommitDate: 2023-12-12 19:27:41 +0000 Add SA-23:18.nfsclient. Approved by: so --- website/data/security/advisories.toml | 4 + .../advisories/FreeBSD-SA-23:18.nfsclient.asc | 153 +++++++++++++++++++++ .../security/patches/SA-23:18/nfsclient.patch | 148 ++++++++++++++++++++ .../security/patches/SA-23:18/nfsclient.patch.asc | 16 +++ 4 files changed, 321 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index dbe5ac58ce..e914a98428 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,10 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-23:18.nfsclient" +date = "2023-12-12" + [[advisories]] name = "FreeBSD-SA-23:17.pf" date = "2023-12-05" diff --git a/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc b/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc new file mode 100644 index 0000000000..66c41bd5bd --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc 
@@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:18.nfsclient Security Advisory + The FreeBSD Project + +Topic: NFS client data corruption and kernel memory disclosure + +Category: core +Module: nfsclient +Announced: 2023-12-12 +Credits: Hostpoint AG +Affects: FreeBSD 13.2 and 14.0 +Corrected: 2023-12-12 19:13:50 UTC (stable/14, 14.0-STABLE) + 2023-12-12 19:17:36 UTC (releng/14.0, 14.0-RELEASE-p3) + 2023-12-12 19:14:16 UTC (stable/13, 13.2-STABLE) + 2023-12-12 19:18:17 UTC (releng/13.2, 13.2-RELEASE-p8) +CVE Name: CVE-2023-6660 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The Network File System (NFS) is a distributed file system that allows remote +systems to access files and directories over a network as if they were local. +FreeBSD includes both server and client implementations of NFS. + +II. Problem Description + +In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the +performance of IO_APPEND writes, that is, writes which add data to the end of +a file and so extend its size. This uncovered an old bug in some routines +which copy userspace data into the kernel. The bug also affects the NFS +client's implementation of direct I/O; however, this implementation is +disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only +used to handle synchronous writes. + +III. Impact + +When a program running on an affected system appends data to a file via an +NFS client mount, the bug can cause the NFS client to fail to copy in the +data to be written but proceed as though the copy operation had succeeded. +This means that the data to be written is instead replaced with whatever data +had been in the packet buffer previously. 
Thus, an unprivileged user with +access to an affected system may abuse the bug to trigger disclosure of +sensitive information. In particular, the leak is limited to data previously +stored in mbufs, which are used for network transmission and reception, and +for certain types of inter-process communication. + +The bug can also be triggered unintentionally by system applications, in +which case the data written by the application to an NFS mount may be +corrupted. Corrupted data is written over the network to the NFS server, and +thus also susceptible to being snooped by other hosts on the network. + +Note that the bug exists only in the NFS client; the version and +implementation of the server has no effect on whether a given system is +affected by the problem. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platfrom on FreeBSD 13 and earlier, can be updated via +the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch +# fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch.asc +# gpg --verify nfsclient.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 8d42f85d9d7b stable/14-n265954 +releng/14.0/ ab60666a00c9 releng/14.0-n265397 +stable/13/ f1d1d50e1d08 stable/13-n256860 +releng/13.2/ 3f079b3f2f33 releng/13.2-n254649 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmV4s/kACgkQbljekB8A +Gu8kvg//RUe/q2SFiVyo94disTET5JjVAPjKzMrHuhoI92OA994zS3MXmU6cQZAh +ikWzMTf25/tgGvN8/Cujhp6zIXiPwUvwJXQqL6JN2/lqHHztxYz/m3Ol8Pc2q2yx +hDbY0dOeyaGK9CuH7hjMtu/jeh6vj+TyvzLg/KuxgdOkjdDd352CF43alkb5Q55t +3V8pcY49zCk+5aMJv667mphGxf4yRC/+bkVtJIqoAUpAg/VORMJmMiEt0LS3v7t5 +Oaal8rVfcPu8jPhkt8dIzcp1lrr+AfsOnEB68x2ECiYp2LCWp/ya7rG+DMD537kw +IhSKRpqMvc4rQpjGQIsewO+sexyYC/zYrUu4BYMUnLVEqQ+GPN7jV7uAjoGuvsus +uOAuN3l4T1x50VyBGA9Z2sVAHOkDAh98J8HDtdCK+IxNnTKFsFHBE/4zFLXkVYwr +vo15qZpHzdTnHhhq5GjxZU+j1Sw0TbMWYPVPsgv8HqZciPjmv5bW7nxvB60sqb1a +LYhE2cWilWxNKWQLhFt60ooGb09Auu+wDgnXLmTmpc/phOI+hCNOPedRF/0yPS7D +dE0Q1vjdoiJgcAdntve8fzlwq1KSG4mQZRrJvMverW+/YLtbEFYY/iFT+jYWRMcN +QwyjgbABQ9tzOVaPjSGJp/UB7SjDn8KFoOfeXWZrMkOYz95lXUk= +=Wsy4 +-----END PGP SIGNATURE----- 
diff --git a/website/static/security/patches/SA-23:18/nfsclient.patch b/website/static/security/patches/SA-23:18/nfsclient.patch new file mode 100644 index 0000000000..2368832f03 --- /dev/null +++ b/website/static/security/patches/SA-23:18/nfsclient.patch 
@@ -0,0 +1,148 @@ +--- sys/fs/nfs/nfs_var.h.orig ++++ sys/fs/nfs/nfs_var.h +@@ -368,7 +368,7 @@ + struct ucred *, NFSPROC_T *); + + /* nfs_clcomsubs.c */ +-void nfsm_uiombuf(struct nfsrv_descript *, struct uio *, int); ++int nfsm_uiombuf(struct nfsrv_descript *, struct uio *, int); + struct mbuf *nfsm_uiombuflist(struct uio *, int, u_int); + u_int8_t *nfscl_getmyip(struct nfsmount *, struct in6_addr *, int *); + int nfsm_getfh(struct nfsrv_descript *, struct nfsfh **); +--- sys/fs/nfsclient/nfs_clcomsubs.c.orig ++++ sys/fs/nfsclient/nfs_clcomsubs.c +@@ -53,12 +53,12 @@ + * copies a uio scatter/gather list to an mbuf chain. + * NOTE: can only handle iovcnt == 1 + */ +-void ++int + nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *uiop, int siz) + { + char *uiocp; + struct mbuf *mp, *mp2; +- int xfer, left, mlen; ++ int error, xfer, left, mlen; + int uiosiz, clflg, rem; + char *mcp, *tcp; + +@@ -106,8 +106,11 @@ + xfer = (left > mlen) ? mlen : left; + if (uiop->uio_segflg == UIO_SYSSPACE) + NFSBCOPY(uiocp, mcp, xfer); +- else +- copyin(uiocp, mcp, xfer); ++ else { ++ error = copyin(uiocp, mcp, xfer); ++ if (error != 0) ++ return (error); ++ } + mp->m_len += xfer; + left -= xfer; + uiocp += xfer; +@@ -150,6 +153,7 @@ + } + nd->nd_bpos = mcp; + nd->nd_mb = mp; ++ return (0); + } + + /* +@@ -162,7 +166,7 @@ + { + char *uiocp; + struct mbuf *mp, *mp2, *firstmp; +- int extpg, extpgsiz = 0, i, left, mlen, rem, xfer; ++ int error, extpg, extpgsiz = 0, i, left, mlen, rem, xfer; + int uiosiz, clflg; + char *mcp, *tcp; + +@@ -220,8 +224,13 @@ + xfer = (left > mlen) ? 
mlen : left; + if (uiop->uio_segflg == UIO_SYSSPACE) + NFSBCOPY(uiocp, mcp, xfer); +- else +- copyin(uiocp, mcp, xfer); ++ else { ++ error = copyin(uiocp, mcp, xfer); ++ if (error != 0) { ++ m_freem(firstmp); ++ return (NULL); ++ } ++ } + mp->m_len += xfer; + mcp += xfer; + if (maxext > 0) { +--- sys/fs/nfsclient/nfs_clrpcops.c.orig ++++ sys/fs/nfsclient/nfs_clrpcops.c +@@ -1890,7 +1890,12 @@ + *tl++ = x; /* total to this offset */ + *tl = x; /* size of this write */ + } +- nfsm_uiombuf(nd, uiop, len); ++ error = nfsm_uiombuf(nd, uiop, len); ++ if (error != 0) { ++ m_freem(nd->nd_mreq); ++ free(nd, M_TEMP); ++ return (error); ++ } + /* + * Although it is tempting to do a normal Getattr Op in the + * NFSv4 compound, the result can be a nearly hung client +@@ -5981,6 +5986,10 @@ + iovlen = uiop->uio_iov->iov_len; + m = nfsm_uiombuflist(uiop, len, + 0); ++ if (m == NULL) { ++ error = EFAULT; ++ break; ++ } + } + tdrpc = drpc = malloc(sizeof(*drpc) * + (mirrorcnt - 1), M_TEMP, M_WAITOK | +@@ -6553,7 +6562,11 @@ + *tl++ = txdr_unsigned(len); + *tl++ = txdr_unsigned(*iomode); + *tl = txdr_unsigned(len); +- nfsm_uiombuf(nd, uiop, len); ++ error = nfsm_uiombuf(nd, uiop, len); ++ if (error != 0) { ++ m_freem(nd->nd_mreq); ++ return (error); ++ } + nrp = dsp->nfsclds_sockp; + if (nrp == NULL) + /* If NULL, use the MDS socket. 
*/ +@@ -8639,7 +8652,11 @@ + nfsm_strtom(nd, name, strlen(name)); + NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED); + *tl = txdr_unsigned(uiop->uio_resid); +- nfsm_uiombuf(nd, uiop, uiop->uio_resid); ++ error = nfsm_uiombuf(nd, uiop, uiop->uio_resid); ++ if (error != 0) { ++ m_freem(nd->nd_mreq); ++ return (error); ++ } + NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED); + *tl = txdr_unsigned(NFSV4OP_GETATTR); + NFSGETATTR_ATTRBIT(&attrbits); +--- sys/fs/nfsclient/nfs_clvnops.c.orig ++++ sys/fs/nfsclient/nfs_clvnops.c +@@ -1579,7 +1579,7 @@ + error = nfscl_doiods(vp, uiop, NULL, NULL, + NFSV4OPEN_ACCESSREAD, 0, cred, uiop->uio_td); + NFSCL_DEBUG(4, "readrpc: aft doiods=%d\n", error); +- if (error != 0) ++ if (error != 0 && error != EFAULT) + error = nfsrpc_read(vp, uiop, cred, uiop->uio_td, &nfsva, + &attrflag, NULL); + if (attrflag) { +@@ -1610,7 +1610,7 @@ + error = nfscl_doiods(vp, uiop, iomode, must_commit, + NFSV4OPEN_ACCESSWRITE, 0, cred, uiop->uio_td); + NFSCL_DEBUG(4, "writerpc: aft doiods=%d\n", error); +- if (error != 0) ++ if (error != 0 && error != EFAULT) + error = nfsrpc_write(vp, uiop, iomode, must_commit, cred, + uiop->uio_td, &nfsva, &attrflag, called_from_strategy, + ioflag); diff --git a/website/static/security/patches/SA-23:18/nfsclient.patch.asc b/website/static/security/patches/SA-23:18/nfsclient.patch.asc new file mode 100644 index 0000000000..c369cf23c7 --- /dev/null +++ b/website/static/security/patches/SA-23:18/nfsclient.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmV4s/8ACgkQbljekB8A +Gu9nWhAAx3DdIh68VWEDbgiUkUAyaBe8pRrotAGpmOWSiI+FyMMxPStuyE2r5ENs +yoXfNbfjEkOT6wkluVhw5gDzE8fcGBOVML9GFLty4qV8vtqSlNssMrr3j/+pO5ud +lYYl3OI/8tRN2CLG+jnyNnVgEo3y520orMDonJ2WWJeiW90UBtMlp/6ZXXljRBwW +43aw0rtkCi+B2COhqteADCVQtES/gyz+v+vE2lZ6hGx4MDLcmh/0B18v4h7IgTzA +4Hh8jrsXXbb9NcvAtILbS3RA+T+zIXJhX+6oGiYYXwmlm8ah+QoG1TMKGXwWkG4M +hc6C2NlhuWjKVMTtfQtgDNXyQRE2JnAzN4yOd46ebjRQLkXw6P4sCd7H2uD0MZqn +mpm9Ta4qil7mH3tcdPQgi67iN4M+fy+NV2T8B5/iN0XE/iqVKVbNUD7/L0tZWpjc +LQwaH9gzCmaC4v92yeCzFG1dZpnBLYN7KujoWkn7BF238/6frIzdcRz0go/L53GR +qokAT0h1QfF22EVxQGlCwNx967ePMRZFQIZY+jAsWur0yEIomodmQnxRUln34iUc +Z9gcMX+OYZPd9NHo93RUoSRKgidgYz9YEKuN5022tOffL2KV36KUYdXWI1OiAGVI +0IIYS74ySFqxUxuobwQQ1Qa9qHPNkfI6GOaDKjvmEBgLabcIDo0= +=nRdo +-----END PGP SIGNATURE-----
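
Review bot: Section V, step 1 of FreeBSD-SA-23:18.nfsclient.asc reads "or the i386 platfrom on FreeBSD 13 and earlier"; "platfrom" should be "platform". The file is a PGP clearsigned message, so the correction has to be made before signing, or the advisory has to be re-signed afterwards.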
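
Review bot: The early return added to nfsm_uiombuf() in the @@ -106,8 +106,11 @@ hunk of sys/fs/nfsclient/nfs_clcomsubs.c leaves the function before `nd->nd_bpos = mcp; nd->nd_mb = mp;` are executed, yet the block comment above the function still only says that it copies a uio to an mbuf chain. Please document the new contract there: the return value is the copyin() error, nd->nd_bpos and nd->nd_mb are not updated on failure, and the caller is expected to free nd->nd_mreq, which is what the three call sites changed in nfs_clrpcops.c do.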
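
Review bot: In the @@ -220,8 +224,13 @@ hunk, nfsm_uiombuflist() stores the copyin() result in error and then returns NULL, so the code is dropped and the caller in the @@ -5981,6 +5986,10 @@ hunk has to assume `error = EFAULT`. A sentence in the function's header comment stating that NULL means the user copy faulted would keep the two in sync if another failure mode is ever added. Since m_freem(firstmp) is the only cleanup on this path, it is also worth confirming that every mbuf allocated so far is reachable from firstmp at that point.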
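
Review bot: The error path added in the @@ -1890,7 +1890,12 @@ hunk of sys/fs/nfsclient/nfs_clrpcops.c calls both m_freem(nd->nd_mreq) and free(nd, M_TEMP), while the otherwise identical paths in the @@ -6553,7 +6562,11 @@ and @@ -8639,7 +8652,11 @@ hunks free only nd->nd_mreq. If the difference is that nd is heap-allocated only in the first function, a one-line comment would stop a later reader from "fixing" the asymmetry; if not, one of the paths leaks or frees something it does not own. The direct return also bypasses whatever cleanup these functions do at their normal exit, which is not visible in the context lines and should be checked.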
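
Review bot: The conditions `if (error != 0 && error != EFAULT)` in the @@ -1579,7 +1579,7 @@ and @@ -1610,7 +1610,7 @@ hunks of sys/fs/nfsclient/nfs_clvnops.c special-case EFAULT without saying why. If the intent is that a fault on the user buffer in nfscl_doiods() should be returned to the caller rather than retried through nfsrpc_read() or nfsrpc_write(), a short comment to that effect at both sites would make it clear. For the read hunk, the copyin() changes visible in this patch all copy from the uio into mbufs, so please note which call can hand EFAULT back on that path.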