-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:07.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          amd64 swapgs local privilege escalation

Category:       core
Module:         sys_amd64_amd64
Announced:      2008-09-03
Credits:        Nate Eldredge
Affects:        All supported FreeBSD/amd64 versions.
Corrected:      2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3890

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel
CPU's.  For Intel CPU's this architecture is known as EM64T or Intel
64.

The gs segment CPU register is used by both user processes and the
kernel to convieniently access state data.  User processes use it to
manage per-thread data, and the kernel uses it to manage per-processor
data.  As the processor enters and leaves the kernel it uses the
'swapgs' instruction to toggle between the kernel and user values for
the gs register.

The kernel stores critical information in its per-processor data
block.  This includes the currently executing process and its
credentials.

As the processor switches between user and kernel level, a number of
checks are performed in order to implement the privilege protection
system.  If the processor detects a problem while attempting to switch
privilege levels it generates a trap - typically general protection
fault (GPF).  In that case, the processor aborts the return to the
user level process and re-enters the kernel.  The FreeBSD kernel
allows the user process to be notified of such an event by a signal
(SIGSEGV or SIGBUS).

II.  Problem Description

If a General Protection Fault happens on a FreeBSD/amd64 system while
it is returning from an interrupt, trap or system call, the swapgs CPU
instruction may be called one extra time when it should not resulting
in userland and kernel state being mixed.

III. Impact

A local attacker can by causing a General Protection Fault while the
kernel is returning from an interrupt, trap or system call while
manipulating stack frames and, run arbitrary code with kernel
privileges.

The vulnerability can be used to gain kernel / supervisor privilege.
This can for example be used by normal users to gain root privileges,
to break out of jails, or bypass Mandatory Access Control (MAC)
restrictions.

IV.  Workaround

No workaround is available, but only systems running the 64 bit
FreeSD/amd64 kernels are vulnerable.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/amd64/amd64/exception.S                               1.125.2.3
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.9
  src/sys/conf/newvers.sh                                   1.69.2.15.2.8
  src/sys/amd64/amd64/exception.S                           1.125.2.2.2.1
RELENG_7
  src/sys/amd64/amd64/exception.S                               1.129.2.2
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.8
  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
  src/sys/amd64/amd64/exception.S                           1.129.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3890

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:07.amd64.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2TFdaIBMps37IRAqt8AJsGd/2WDuMZYUeOcVKekHEHZWRoMACdGnVs
0JZMykjScj7GbrsOlOW3uQg=
=bs1z
-----END PGP SIGNATURE-----