FreeBSD Security Advisory FreeBSD-SA-25:04.ktrace
29 January, 2025 by security-advisories@freebsd.org | freebsd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-25:04.ktrace Security Advisory
The FreeBSD Project
Topic: Uninitialized kernel memory disclosure via ktrace(2)
Category: core
Module: ktrace
Announced: 2025-01-29
Credits: Yichen Chai and Zhuo Ying Jiang Li
Affects: FreeBSD 14.2
Corrected: 2025-01-20 22:09:53 UTC (stable/14, 14.2-STABLE)
2025-01-29 18:54:50 UTC (releng/14.2, 14.2-RELEASE-p1)
CVE Name: CVE-2025-0662
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ktrace utility enables kernel trace logging for the specified
processes, commonly used for diagnostic or debugging purposes. The
kernel operations that are traced include system calls, namei
translations, signal processing, and I/O as well as data associated with
these operations.
II. Problem Description
In some cases, the ktrace facility will log the contents of kernel
structures to userspace. In one such case, ktrace dumps a
variable-sized sockaddr to userspace. There, the full sockaddr is
copied, even when it is shorter than the full size. This can result in
up to 14 uninitialized bytes of kernel memory being copied out to
userspace.
III. Impact
It is possible for an unprivileged userspace program to leak 14 bytes of
a kernel heap allocation to userspace.
IV. Workaround
No workaround is available.
V. Solution
<insert solution here>
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-25:04/ktrace.patch
# fetch https://security.FreeBSD.org/patches/SA-25:04/ktrace.patch.asc
# gpg --verify ktrace.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/14/ 99d5ee8738a3 stable/14-n270190
releng/14.2/ 10f8a9df522f releng/14.2-n269507
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0662>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:04.ktrace.asc>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajK4ACgkQbljekB8A
Gu84pQ//WXxC3kW+JP6R73oQ3s5hhokCE7FjwlRj6QhkblmgBdRrwwFzkR0nLfSK
TUirfyYikaCtw3K/FpAYfm4VSJR3MlFhjUXhU+4KWBnJHf0t6NYEJP6MixsDFMvn
IZWZsrLs8Ryl03kKiH3EWfA9KVqx0OI0Cj9LOLo5nBzZjR0auUxYRdNrYuEq4i9n
OxMRbB3i5C3oy+I8ZW6fAAyYRb008oLDZmMBluIybCH01B35NQP/iAjpO6HQT5rt
fvHlo/kEOGSqBrwcnJXzLiJE4uKtiS4CDBltEN1WpP3N1MBqbLj6GO5uEWQGA73F
MhOzeCd3kM+41KQjdtxvIJ9yc0i/m0VLOnBTaKCqAS4bGTOl5FIIZEaY3J3+7dOP
wkcdFTOxl9K+RZ5CERAUxoGqgS9r+HOvWBIQcQoD9j4UCBocwyZn8fvp6niK0CWl
TR4T7UE8nAiK/QqBQ7DTqKlAkrMC3+FS5XVfw6GXJ7NFMP/HFh/AIE7oEYN+h/rQ
JXPmuU9Ml0ZHuy4PLcX16YSX+T+fdNWMxL1eomHE/FUwZoNP2RC0Wi9nGxEKtLun
JLGFkfQzuwfIItGYICvvOKw6Ry9Q1WYJFTdrNLCn7upUW0BnXVDVzRz7X68FJgtO
uXQGChtW/PfG/KoMY544eX5lL27Kxi5oBNS/VzDtCPG0bHAAgMw=ErDS
-----END PGP SIGNATURE-----