FreeBSD security update
The FreeBSD developers have released updates to their operating system that close three vulnerabilities. Users with restricted privileges can reportedly exploit all three holes to elevate their privileges. One of the vulnerabilities stems from a design flaw that was recently also discovered and fixed in the Linux kernel: it allows a programming error to turn into an exploitable NULL pointer dereference. In this case a function pointer points to (virtual) address 0, which is allocated to userland, so a user who has mapped memory at that address can have code executed at kernel privilege level.
To fix this problem, the FreeBSD developers have introduced in the new versions a feature that prevents users from mapping code at address 0. However, this feature is disabled by default in versions 6.x and 7.x and has to be activated by setting the security.bsd.map_at_zero sysctl to 0. In the forthcoming version 8, it is to be enabled by default.
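Because the mitigation is off by default on 6.x and 7.x, an administrator will want to check the live sysctl and pin it in /etc/sysctl.conf so it survives a reboot. The following audit helper is an added example, not code from the article or from the FreeBSD project; it assumes the `sysctl` output format `security.bsd.map_at_zero: N` and takes the config path as an argument so the persist step can be exercised on a scratch file.

```sh
#!/bin/sh
# Audit helper for the security.bsd.map_at_zero sysctl on FreeBSD 6.x/7.x.
# Added example, not from the original article or the FreeBSD project.

# Parse one line of `sysctl security.bsd.map_at_zero` output
# (e.g. "security.bsd.map_at_zero: 1") and print the bare value.
map_at_zero_value() {
    printf '%s\n' "$1" | sed -n 's/^security\.bsd\.map_at_zero: *\([0-9]*\).*/\1/p'
}

# Succeed (exit 0) only when the value is 0, i.e. mapping at address 0 is
# refused; any other value, or unparseable input, counts as not hardened.
map_at_zero_hardened() {
    v=$(map_at_zero_value "$1")
    [ "$v" = "0" ]
}

# Pin the setting in the given sysctl.conf-style file: rewrite an existing
# security.bsd.map_at_zero line if present, otherwise append one.
persist_map_at_zero() {
    conf="$1"
    if grep -q '^security\.bsd\.map_at_zero=' "$conf" 2>/dev/null; then
        sed -i.bak 's/^security\.bsd\.map_at_zero=.*/security.bsd.map_at_zero=0/' "$conf"
    else
        printf 'security.bsd.map_at_zero=0\n' >> "$conf"
    fi
}

# Live audit: only meaningful on a FreeBSD host, skipped elsewhere.
if [ "$(uname -s)" = "FreeBSD" ]; then
    line=$(sysctl security.bsd.map_at_zero 2>/dev/null)
    if map_at_zero_hardened "$line"; then
        echo "OK: $line"
    else
        echo "WARNING: $line (fix now with: sysctl security.bsd.map_at_zero=0)"
        echo "         and pin it with: persist_map_at_zero /etc/sysctl.conf"
    fi
fi
```

Run the script as-is on the host for a one-off check; call `persist_map_at_zero /etc/sysctl.conf` as root to make the setting permanent. The parsing and persist steps are kept as plain functions so they can be tested on a scratch file before touching the real configuration.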
The other two flaws are race conditions in the virtual file system (in 7.x and 6.x) and in pipes (in 6.x) that can be exploited to dereference NULL pointers. In addition to the updates, the developers have also provided source code patches.
See also:
- No zero mapping feature, a FreeBSD errata notice.
- devfs / VFS NULL pointer race condition, a FreeBSD security advisory.
- kqueue pipe race conditions, a FreeBSD security advisory.
- Critical vulnerability in the Linux kernel affects all versions since 2001, a report from The H.
(crve)