deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-20:19.audit

FreeBSD-EN-20:19.audit                                          Errata Notice
                                                          The FreeBSD Project

Topic:          execve/fexecve system call auditing

Category:       core
Module:         kernel
Announced:      2020-12-01
Affects:        FreeBSD 12.1 and later.
Corrected:      2020-10-27 13:13:04 UTC (stable/12, 12.2-STABLE)
                2020-12-01 19:34:45 UTC (releng/12.2, 12.2-RELEASE-p1)
                2020-12-01 19:34:45 UTC (releng/12.1, 12.1-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit

I.   Background

The audit(4) facility allows a system administrator to audit
security-relevant events.  System calls are one such security-related event,
and the audit(4) facility will record whether the system call was successful
along with other important details.

II.  Problem Description

All execve/fexecve system calls in affected versions will be reported as a
failure, even upon successful execution.  For affected kernels, the exact
error reported is EJUSTRETURN, 201, or "Just return" depending on the tooling
used.  These can safely be considered successful returns for the fexecve and
execve system calls.  Note that audit trails that were produced by kernels
starting with FreeBSD 12.0 will exhibit this problem.

III. Impact

It is important to be able to determine when a process is, for instance,
executing a shell.  Such events may be indicative of an intrusion if they
are not expected.  Failure to report such an execution as successful may
result in intrusions that are no longer detectable.

IV.  Workaround

No workaround is available.  This error is irrelevant for system
administrators that do not use the audit(4) facility.  Users of the
audit(4) facility could detect the specific error that is being
returned as success, but this may complicate auditing as all failures
must be recorded.
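
An added example (not part of the FreeBSD notice, and not FreeBSD project code): one way to apply the detection described above when reviewing trails from affected kernels, counting the bogus error as a successful exec. It assumes one record per line as printed by praudit -l, with the return token directly before the trailer. The sample records are constructed, and the status strings are assumptions based on the three spellings the notice gives.

```python
import re

# Event names as they appear in the header token (assumed praudit text form).
EXEC_EVENTS = {"execve(2)", "fexecve(2)"}

# The three spellings the notice gives for the mis-reported error.
BOGUS_STATUS = re.compile(r"\b(EJUSTRETURN|Just return|201)\b")

# Anchor on the end of the record: exec arguments are attacker-influenced and
# may contain ",return,success,", so only the token before the trailer counts.
RETURN_TOKEN = re.compile(r",return,([^,]*),([^,]*),trailer,\d+,?\s*$")


def classify(record):
    """Return None for non-exec records, else a verdict string."""
    fields = record.split(",")
    if len(fields) < 4 or fields[0] != "header" or fields[3] not in EXEC_EVENTS:
        return None
    match = RETURN_TOKEN.search(record)
    if match is None:
        return "unparsed"            # keep for manual review, never drop
    status = match.group(1).strip()
    if status == "success":
        return "success"             # corrected kernel
    if BOGUS_STATUS.search(status):
        return "success-misreported" # affected kernel, exec actually ran
    return "failure"                 # genuine failure (EACCES, ENOENT, ...)


def successful_execs(records):
    """Records whose exec really happened, whatever the kernel reported."""
    wanted = ("success", "success-misreported")
    return [r for r in records if classify(r) in wanted]


# Constructed sample records (not taken from a real trail).
_HDR = "header,120,11,%s,0,Tue Dec  1 10:00:00 2020, + 10 msec,"
_SUBJ = "subject,root,www,www,www,www,812,812,0,0.0.0.0,"
SAMPLE = [
    _HDR % "execve(2)" + "exec arg,/bin/sh,-c,id,path,/bin/sh," + _SUBJ
    + "return,failure : Just return,0,trailer,120",
    _HDR % "execve(2)" + "exec arg,/root/x,path,/root/x," + _SUBJ
    + "return,failure : Permission denied,4294967295,trailer,120",
    _HDR % "fexecve(2)" + "exec arg,ls,path,/bin/ls," + _SUBJ
    + "return,success,0,trailer,120",
    _HDR % "execve(2)" + "exec arg,nope,return,success,0,trailer,1," + _SUBJ
    + "return,failure : No such file or directory,4294967295,trailer,120",
    _HDR % "open(2) - read" + "path,/etc/passwd," + _SUBJ
    + "return,success,3,trailer,120",
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(rec))
```

As the workaround notes, this only helps if failed exec events are being recorded in the first place.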

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.2]
# fetch
# fetch
# gpg --verify audit.12.2.patch.asc

[FreeBSD 12.1]
# fetch
# fetch
# gpg --verify audit.12.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:> and reboot the

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r367080
releng/12.2/                                                      r368249
releng/12.1/                                                      r368249
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://

Or visit the following URL, replacing NNNNNN with the revision number:


VII. References


The latest revision of this advisory is available at
