-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:15.syscons Security Advisory The FreeBSD Project Topic: Boundary checking errors in syscons Category: core Module: sys_dev_syscons Announced: 2004-10-04 Credits: Christer Oberg Affects: FreeBSD 5.x releases Corrected: 2004-09-30 17:49:15 UTC (RELENG_5, 5.3-BETA6) 2004-10-04 17:04:25 UTC (RELENG_5_2, 5.2.1-RELEASE-p11) CVE Name: CAN-2004-0919 FreeBSD only: YES For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background syscons(4) is the default console driver for FreeBSD. Using the physical keyboard and screen, it provides multiple virtual terminals which appear as if they were separate terminals. One virtual terminal is considered current and exclusively occupies the screen and the keyboard; the other virtual terminals are placed in the background. II. Problem Description The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior. III. Impact It may be possible to cause the CONS_SCRSHOT ioctl to return portions of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password. IV. Workaround There is no known workaround. However, this bug is only exploitable by users who have access to the physical console or can otherwise open a /dev/ttyv* device node. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to the RELENG_5_2 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.2 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5_2 src/UPDATING 1.282.2.19 src/sys/conf/newvers.sh 1.56.2.18 src/sys/dev/syscons/syscons.c 1.409.2.1 - ------------------------------------------------------------------------- VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBYYMTFdaIBMps37IRAuNbAJ4jbPnqo3vvEeD33ItW09r3zAuh5QCghq5v SN4Y+OCpzJ7Szy3s++slzeQ= =FlYi -----END PGP SIGNATURE-----