
DOE-CIRC TECHNICAL BULLETIN

T-166: FreeBSD Direct Pipe Writes Information Disclosure Vulnerability

[CVE-2009-1935]

June 19, 2009 12:00 GMT

PROBLEM: A vulnerability has been reported in FreeBSD that can be exploited by malicious local users to disclose potentially sensitive information.
PLATFORM: FreeBSD 6.3, 6.4, 7.1, 7.2 systems
ABSTRACT: The vulnerability is caused by an integer overflow in the implementation of "direct pipe writes", which can lead to virtual-to-physical address lookups being skipped.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-166.shtml
  OTHER LINKS:
    NIST: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1935
    Security Tracker: http://securitytracker.com/alerts/2009/Jun/1022365.html
    FreeBSD: http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
    Secunia: http://secunia.com/advisories/35398

CVE: CVE-2009-1935

IMPACT ASSESSMENT: This risk is medium. An unprivileged process can read pages of memory which belong to other processes or to the kernel. These may contain information which is sensitive in itself, or may contain passwords or cryptographic keys which can be indirectly exploited to gain sensitive information or access.

[***** Start CVE-2009-1935 *****]

Discussion:
A vulnerability has been reported in FreeBSD that can be exploited by malicious local users to disclose potentially sensitive information. An integer overflow in the pipe_build_write_buffer function (sys/kern/sys_pipe.c) in the direct write optimization feature of the pipe implementation in FreeBSD 7.1 through 7.2 and 6.3 through 6.4 allows local users to bypass virtual-to-physical address lookups and read sensitive information in memory pages via unspecified vectors.

The vulnerability is caused by an integer overflow in the implementation of "direct pipe writes", which can lead to virtual-to-physical address lookups being skipped. This can be exploited to, for example, disclose parts of the memory of other processes.
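As an added illustration (not FreeBSD's sys_pipe.c and not code from the advisory), the following simplified C model shows how wrapping address arithmetic in a page-range computation makes a per-page lookup loop run zero times, beside a checked variant that rejects such ranges. That the end address wraps below the start is an assumption about the mechanism; the advisory only states that an integer overflow causes the lookups to be skipped.

```c
/* Added example: simplified model of a page-range computation whose end
 * address can wrap, so the per-page lookup loop runs zero times, next to a
 * checked variant.  Addresses are plain integers; nothing is mapped or read. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define PAGE_MASK (PAGE_SIZE - 1)
#define MAX_PAGES 16                   /* cap, like a fixed pages[] array */

#define trunc_page(x) ((x) & ~PAGE_MASK)
#define round_page(x) (((x) + PAGE_MASK) & ~PAGE_MASK)

/* Stand-in for the virtual-to-physical lookup: counts pages "looked up". */
static int lookup_pages(uintptr_t addr, uintptr_t endaddr)
{
    int npages = 0;
    for (; addr < endaddr && npages < MAX_PAGES; addr += PAGE_SIZE)
        npages++;
    return npages;
}

/* Unchecked: base + len (or the rounding) may wrap, giving endaddr < addr,
 * so no lookups happen and a caller may go on to use stale page entries. */
int build_write_buffer_unchecked(uintptr_t base, size_t len)
{
    uintptr_t addr = trunc_page(base);
    uintptr_t endaddr = round_page(base + len);
    return lookup_pages(addr, endaddr);     /* 0 when wrapped */
}

/* Checked: reject any range whose end (before or after rounding) would wrap.
 * Returns the page count, or -1 for an invalid range. */
int build_write_buffer_checked(uintptr_t base, size_t len)
{
    uintptr_t end;
    if (len == 0 || base > UINTPTR_MAX - len)        /* base + len wraps */
        return -1;
    end = base + len;
    if (end > UINTPTR_MAX - PAGE_MASK)                /* round_page wraps */
        return -1;
    return lookup_pages(trunc_page(base), round_page(end));
}
```

With the constructed input base = UINTPTR_MAX - 100 and len = 1000, the unchecked variant reports 0 pages looked up while the checked variant returns -1; a second constructed input, base = UINTPTR_MAX - 4095 and len = 100, shows the wrap happening in round_page rather than in the addition.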

Solution:
Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch

# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
 and reboot the
system.


[***** End CVE-2009-1935 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
                   


UCRL-MI-119788