BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Security Advisory FreeBSD-SA-24:18.ctl

29 October, 2024 by security-advisories@freebsd.org | freebsd 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:18.ctl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Unbounded allocation in ctl(4) CAM Target Layer

Category:       core
Module:         ctl
Announced:      2024-10-29
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-10-11 15:53:17 UTC (stable/14, 14.1-STABLE)
                2024-10-29 18:45:37 UTC (releng/14.1, 14.1-RELEASE-p6)
                2024-10-11 15:53:53 UTC (stable/13, 13.4-STABLE)
                2024-10-29 18:49:56 UTC (releng/13.4, 13.4-RELEASE-p2)
                2024-10-29 18:53:42 UTC (releng/13.3, 13.3-RELEASE-p8)
CVE Name:       CVE-2024-39281

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ctl subsystem provides SCSI target devices emulation.  The bhyve(8)
hypervisor and ctld(8) iSCSI target daemon make use of ctl.

II.  Problem Description

The command ctl_persistent_reserve_out allows the caller to specify an
arbitrary size which will be passed to the kernel's memory allocator.

III. Impact

A malicious guest could cause a Denial of Service (DoS) on the host.

IV.  Workaround

No workaround is available.  Systems not using virtio_scsi(4) or ctld(8)
are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and reboot
the system.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch
# fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch.asc
# gpg --verify ctl.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              2e7f4728fa73    stable/14-n269070
releng/14.1/                            a8df23541444  releng/14.1-n267724
stable/13/                              367d8c86a182    stable/13-n258514
releng/13.4/                            e389eb99fb63  releng/13.4-n258266
releng/13.3/                            9867aebc1d04  releng/13.3-n257476
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39281>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:18.ctl.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmchUCcACgkQbljekB8A
Gu86VhAArJMRQcCCLdF1dflUMBKXROmUUZRHZg/fDS6QvGgZXQ0vKaGsHYjdNS2Z
oM+RgfsE98CU5FoiqBNdJNlAMX9+/JSN1h2wPD3UJfk/j6TLbj78RMcNnfG9OGSb
/J626CnpcIz/9ORSVb5FRSe3Ac+aS19Gh7g4wY9RY/sRA2tR9+8A96JdD3nQCkAQ
+oEiB3sNfo9rTxVNtPV7J47HwLcHecfqmUNp1fJ4eWs2utebyG0IoLWI6SlFrx81
peBImJvVZviZVesEeibTT/nBcbuugq9pGUp5EqVcoZM5VHqN/DIm3uI1jpNzAyvR
NBoFBBI6+DxUfw3D1MFP6s341Ixmz1UBhqlGewhAryKTGT1Pm0ong69vH96hAEDT
Q8OnigHESE94O76u61NsaQydjcqnC1gRw0NkRl7FNja4tLDKxKQ72P0tPSYyFSNp
h7V2F+1g6EbMxWpb19KEjYIF6AAv4ijUc1DseW0NITteofufcm+yytvksOQGKbDm
Vx8m+6ONqVSs09Bi7bIG0n5yF1qjFyLkWfKs/FiJF5tfu9bdXpm6VG32KSBsaF/2
O/0h6OKIyHHqOaKr9NgBt78gAknwPdi083ir7HIihzkaGfoMLhkyyss3G+cOa45I
G3bfpjyQSpqwVgypP9KEogFU0Cb51GkKK3Hed4GyZ88c6C+QcAA=ew5T
-----END PGP SIGNATURE-----