From owner-doc-jp@jp.freebsd.org  Fri Sep 10 09:33:59 1999
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA88570;
	Fri, 10 Sep 1999 09:33:59 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from mx.micon.co.jp (merry.micon.co.jp [210.226.150.226])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id JAA88564
	for <doc-jp@jp.freebsd.org>; Fri, 10 Sep 1999 09:33:58 +0900 (JST)
	(envelope-from sakauchi@micon.co.jp)
Received: from sam.micon.co.jp (sam.micon.co.jp [210.226.150.227]) by mx.micon.co.jp (8.8.5/CF-3.5W+01/21/98) with ESMTP id JAA29934 for <doc-jp@jp.freebsd.org>; Fri, 10 Sep 1999 09:33:57 +0900 (JST)
Message-Id: <199909100033.JAA14241@kid.micon.co.jp>
To: doc-jp@jp.freebsd.org
X-Mailer: Mew version 1.69 on Emacs 19.28.1 / Mule 2.3
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Fri, 10 Sep 1999 09:33:56 +0900
From: Atushi Sakauchi <sakauchi@micon.co.jp>
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 6624
Subject: [doc-jp 6624] ANNOUNCE: FreeBSD-SA-99:02
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: sakauchi@micon.co.jp

$B:dFb$G$9!#(B

$B%5%/$C$H$d$C$F$_$^$7$?!#(B

---$B$3$3$+$i(B
  $B$3$N%a!<%k$O(B announce-jp $B$KN.$l$?(B

Subject: ANNOUNCE: FreeBSD-SA-99:02: Profiling Across Exec Calls
From: security-officer@freebsd.org
Date: Fri, 03 Sep 1999 23:43:21 -0600
Message-Id: <199909040543.XAA63557@harmony.village.org>

$B$rF|K\8lLu$7$?$b$N$G$9(B.
  $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
$B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r9T(B
$B$J$&$K$O86J8$r;2>H$7$F$/$@$5$$(B. 
  $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.freebsd.org $B$^$G(B
$B$*4j$$$7$^$9(B. 
                                         $BK]Lu(B : $B:dFbFX(B <sakauchi@micon.co.jp>
=============================================================================
FreeBSD-SA-99:02                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:             Profiling Across Exec Calls

$B%+%F%4%j!<(B:           core
$B%b%8%e!<%k(B:           kernel
$B9pCNF|(B:               1999$BG/(B 9$B7n(B 4$BF|(B
$B1F6ABP>](B:             FreeBSD 3.2 ($B$*$h$S(B 3.2 $B0JA0$N%P!<%8%g%s(B)
		              $B=$@5$5$l$k0JA0$N(B FreeBSD-current
$B=$@5:Q(B:               FreeBSD 3.3-RELEASE ($BLuCm(B: $BM=Dj(B)
		              1999$BG/(B 8$B7n(B11$BF|0J9_$N(B FreeBSD-current
                              1999$BG/(B 8$B7n(B22$BF|0J9_$N(B FreeBSD 3.2-stable
FreeBSD $B$@$1$NLdBj$+(B: $BH](B

$B%Q%C%A(B:               ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:02/

I.   Background

FreeBSD provides a mechanism to profile a running executable to aid in
performance tuning.  This can be accomplished via a kernel mechanism
to statistically sample the program counter of the program under
profile.

I. $BGX7J(B

FreeBSD $B$K$O(B, $B%Q%U%)!<%^%s%9!&%A%e!<%K%s%0$N$?$a$K<B9TCf$N%W%m%0%i%`$N(B
$B%W%m%U%!%$%k$r<h$k5!G=$,$"$j$^$9(B. $B$3$l$O!"<B9TCf$N%W%m%0%i%`$N%W%m%0%i(B
$B%`%+%&%s%?!<$rE}7WE*$K<}=8$9$k%+!<%M%kFb$N5!9=$K$h$j9T$J$o$l$^$9(B.

II.  Problem Description

A flaw exists in the implementation: the sample buffer registered with
profil(2) was not cleared on execve(2), so the kernel went on writing sample
counts into the address space of the newly executed program, at a location
chosen by the caller before the exec. This lets an attacker modify arbitrary
locations in a program executed by the attacker.

II. $B2r@b(B

$B$3$N5!9=$N<BAu$K!"<B9TCf$N%W%m%0%i%`Fb$NG$0U$N>l=j$K967b<T$,@)8f$r0\$9(B
$B$3$H$,$G$-$k$H$$$&<eE@$,$"$j$^$9(B.
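The mechanism behind sections I and II, as an added example written for this page (it is not FreeBSD's kernel code): a user-space model of how a profiling tick turns a sampled program counter into a write into the profil(2) buffer, using the index formula of 4.4BSD-derived kernels, and what changes once exec forgets the registration. The struct and function names (uprof, addupc, pc_to_index) mirror the BSD ones only for readability; the text address, bucket count and sample streams are constructed, and the "profiling off" state is modelled as a zero scale where the real kernel clears a process flag in stopprofclock().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-process profiling state registered by profil(buf, bufsize, offset, scale).
 * Field names follow struct uprof in 4.4BSD-derived kernels; the code is a
 * user-space model written for this page, not FreeBSD kernel code. */
struct uprof {
    unsigned short *pr_base;  /* histogram buffer: a USER address in the real kernel */
    size_t          pr_size;  /* buffer size in bytes */
    uintptr_t       pr_off;   /* pc that maps to bucket 0 */
    unsigned int    pr_scale; /* 16.16 fixed point; 0x10000 = one buffer byte per pc byte */
};

/* Byte offset for a sampled pc, as 4.4BSD's PC_TO_INDEX() computes it:
 * ((pc - off) * scale) >> 16, rounded down to even because buckets are u_short. */
static size_t pc_to_index(uintptr_t pc, const struct uprof *pr)
{
    uint64_t i = ((uint64_t)(pc - pr->pr_off) * pr->pr_scale) >> 16;
    return (size_t)i & ~(size_t)1;
}

/* One profiling clock tick, modelled on addupc(): bump the bucket the pc falls
 * in if the offset is inside the registered buffer. Returns 1 if it wrote. */
static int addupc(uintptr_t pc, struct uprof *pr)
{
    size_t i;

    if (pr->pr_scale == 0)        /* profiling is off */
        return 0;
    i = pc_to_index(pc, pr);
    if (i >= pr->pr_size)         /* pc outside the profiled range */
        return 0;
    (*(unsigned short *)((char *)pr->pr_base + i))++;
    return 1;
}

/* What the SA-99:02 patch adds to execve(): drop the registration before the
 * new image runs. The kernel's stopprofclock() clears a process flag; the
 * off state is modelled here as pr_scale == 0. */
static void exec_stop_profiling(struct uprof *pr)
{
    pr->pr_scale = 0;
}

#define TEXT_BASE 0x8048000u  /* constructed text address, not a real binary */
#define NBUCKETS  64u

/* Normal use: scale 0.5 makes each u_short bucket cover 4 bytes of text.
 * Returns the count in `bucket` after a constructed stream of pc samples. */
static unsigned short sample_demo(size_t bucket)
{
    unsigned short buf[NBUCKETS];
    struct uprof pr = { buf, sizeof buf, TEXT_BASE, 0x8000u };
    static const uintptr_t pcs[] = {
        TEXT_BASE + 0x000, TEXT_BASE + 0x004, TEXT_BASE + 0x004,
        TEXT_BASE + 0x006, TEXT_BASE + 0x010, TEXT_BASE + 0x200 /* out of range */
    };
    size_t k;

    memset(buf, 0, sizeof buf);
    for (k = 0; k < sizeof pcs / sizeof pcs[0]; k++)
        addupc(pcs[k], &pr);
    return bucket < NBUCKETS ? buf[bucket] : 0;
}

/* The flaw: the registration is per process, not per image. Unless execve()
 * clears it, ticks taken while the NEW image runs still write through pr_base,
 * which now names whatever the new (possibly setuid) image has at that address.
 * Returns how many ticks of the new image reached the old buffer. */
static int writes_after_exec(int apply_fix)
{
    unsigned short old_buf[NBUCKETS];
    struct uprof pr = { old_buf, sizeof old_buf, TEXT_BASE, 0x8000u };
    static const uintptr_t new_pcs[] = { TEXT_BASE, TEXT_BASE + 0x008, TEXT_BASE + 0x00c };
    int writes = 0;
    size_t k;

    memset(old_buf, 0, sizeof old_buf);
    if (apply_fix)
        exec_stop_profiling(&pr);   /* the stopprofclock(p) call from the patch */
    for (k = 0; k < sizeof new_pcs / sizeof new_pcs[0]; k++)
        writes += addupc(new_pcs[k], &pr);
    return writes;
}

int main(void)
{
    size_t b;

    printf("buckets hit:");
    for (b = 0; b < NBUCKETS; b++)
        if (sample_demo(b))
            printf(" %zu=%u", b, sample_demo(b));
    printf("\nnew-image ticks landing in the old buffer: %d unpatched, %d patched\n",
           writes_after_exec(0), writes_after_exec(1));
    return 0;
}
```

The point the model makes explicit is that every quantity in the write (base, size, offset, scale) comes from the unprivileged profil(2) caller, and only the pc is chosen by the kernel; once the caller's address space has been replaced by a new image, the same buffer address denotes memory of that image, which is why clearing the registration in execve() is the fix rather than any check on the buffer contents.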

III. Impact

No attacks using this vulnerability are known at this time.  An attacker
could theoretically gain root access with a carefully crafted attack, since
the program executed may be a set-user-ID root executable.

III. $B1F6A(B

$B8=:_$3$N<eE@$rMxMQ$7$?967b$O3NG'$5$l$F$$$^$;$s(B. $BO@M}E*$K$O9*L/$K(B
$B;EAH$^$l$?967b$K$h$C$F(B root $B8"8B$rC%$o$l$k2DG=@-$,$"$j$^$9(B.

IV.  Workaround

Since profiling is done in the kernel via the profil(2) system call, which
any unprivileged process may invoke, the kernel itself must be patched; no
workaround is possible.

IV.  $BBP1~:v(B

$B%W%m%U%!%$%j%s%0$O(B profil(2) $B%7%9%F%`%3!<%k$K$h$j9T$J$o$l$^$9$+$i(B, 
$B%+!<%M%k$K%Q%C%A$r$"$F$k0J30$NBP1~:v$O$"$j$^$;$s(B.

V.   Solution

Apply the following patch.  It applies to both FreeBSD-current and
3.2-stable as they stood before the correction dates given above.

V. $B2r7h:v(B

$B0J2<$N%Q%C%A$r$"$F$F2<$5$$(B. $B=$@5F|0JA0$N(B FreeBSD-current $B$H(B 3.2-stable 
$B$NN>J}$KE,MQ$G$-$^$9(B. 

    Index: kern_exec.c
    ===================================================================
    RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/kern_exec.c,v
    retrieving revision 1.99
    retrieving revision 1.100
    diff -u -r1.99 -r1.100
    --- kern_exec.c	1999/04/27 11:15:55	1.99
    +++ kern_exec.c	1999/08/11 20:35:38	1.100
    @@ -228,6 +228,9 @@
     		fdfree(p);
     		p->p_fd = tmp;
     	}
    +
    +	/* Stop profiling */
    +	stopprofclock(p);
     
     	/* close files on exec */
     	fdcloseexec(p);
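Review bot: the stopprofclock(p) call is placed with the per-process file descriptor handling (after the fdfree()/p->p_fd reassignment and before fdcloseexec()); if execve() reaches this point only after the new image has been mapped, a profiling tick between the mapping and this call can still write a count through the old profil(2) registration into the new image, so either confirm that ordering against the image activator or move the call ahead of it. The comment `/* Stop profiling */` should also say why this is done here, for example `/* Stop profiling: the profil(2) buffer belongs to the old image and must not be written into the new one */`, since nothing else in the hunk records that this is the security fix.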


=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

$BCm0U(B: $BK\J8=qCf$K%Q%C%A$,4^$^$l$F$$$k>l9g!"EE;R=pL>$d%a%$%i$N=hM}$GJQ99(B
      $B$5$l$k$?$a!"$=$N$^$^$G$O$-$A$s$HE,MQ$G$-$J$$$+$b$7$l$^$;$s!#I,MW(B
      $B$G$"$l$P!"K\J8=q$NKAF,$K5-:\$7$F$"$k(B URL $B$r;2>H$7$F%*%j%8%J%k$N(B
      $B%3%T!<$rF~<j$7$F$/$@$5$$!#(B
=============================================================================
