FreeBSD Security Advisory FreeBSD-SA-24:18.ctl
29 October, 2024 by security-advisories@freebsd.org | freebsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:18.ctl Security Advisory The FreeBSD Project Topic: Unbounded allocation in ctl(4) CAM Target Layer Category: core Module: ctl Announced: 2024-10-29 Credits: Synacktiv Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project Affects: All supported versions of FreeBSD. Corrected: 2024-10-11 15:53:17 UTC (stable/14, 14.1-STABLE) 2024-10-29 18:45:37 UTC (releng/14.1, 14.1-RELEASE-p6) 2024-10-11 15:53:53 UTC (stable/13, 13.4-STABLE) 2024-10-29 18:49:56 UTC (releng/13.4, 13.4-RELEASE-p2) 2024-10-29 18:53:42 UTC (releng/13.3, 13.3-RELEASE-p8) CVE Name: CVE-2024-39281 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The ctl subsystem provides SCSI target devices emulation. The bhyve(8) hypervisor and ctld(8) iSCSI target daemon make use of ctl. II. Problem Description The command ctl_persistent_reserve_out allows the caller to specify an arbitrary size which will be passed to the kernel's memory allocator. III. Impact A malicious guest could cause a Denial of Service (DoS) on the host. IV. Workaround No workaround is available. Systems not using virtio_scsi(4) or ctld(8) are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch # fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch.asc # gpg --verify ctl.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 2e7f4728fa73 stable/14-n269070 releng/14.1/ a8df23541444 releng/14.1-n267724 stable/13/ 367d8c86a182 stable/13-n258514 releng/13.4/ e389eb99fb63 releng/13.4-n258266 releng/13.3/ 9867aebc1d04 releng/13.3-n257476 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39281> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:18.ctl.asc> -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmchUCcACgkQbljekB8A Gu86VhAArJMRQcCCLdF1dflUMBKXROmUUZRHZg/fDS6QvGgZXQ0vKaGsHYjdNS2Z oM+RgfsE98CU5FoiqBNdJNlAMX9+/JSN1h2wPD3UJfk/j6TLbj78RMcNnfG9OGSb /J626CnpcIz/9ORSVb5FRSe3Ac+aS19Gh7g4wY9RY/sRA2tR9+8A96JdD3nQCkAQ +oEiB3sNfo9rTxVNtPV7J47HwLcHecfqmUNp1fJ4eWs2utebyG0IoLWI6SlFrx81 peBImJvVZviZVesEeibTT/nBcbuugq9pGUp5EqVcoZM5VHqN/DIm3uI1jpNzAyvR NBoFBBI6+DxUfw3D1MFP6s341Ixmz1UBhqlGewhAryKTGT1Pm0ong69vH96hAEDT Q8OnigHESE94O76u61NsaQydjcqnC1gRw0NkRl7FNja4tLDKxKQ72P0tPSYyFSNp h7V2F+1g6EbMxWpb19KEjYIF6AAv4ijUc1DseW0NITteofufcm+yytvksOQGKbDm Vx8m+6ONqVSs09Bi7bIG0n5yF1qjFyLkWfKs/FiJF5tfu9bdXpm6VG32KSBsaF/2 O/0h6OKIyHHqOaKr9NgBt78gAknwPdi083ir7HIihzkaGfoMLhkyyss3G+cOa45I G3bfpjyQSpqwVgypP9KEogFU0Cb51GkKK3Hed4GyZ88c6C+QcAA=ew5T -----END PGP SIGNATURE-----