Home / mailingsPDF  

FreeBSD Security Advisory FreeBSD-SA-24:18.ctl

Posted on 29 October 2024
FreeBSD security notificat

=============================================================================FreeBSD-SA-24:18.ctl Security Advisory
The FreeBSD Project

Topic: Unbounded allocation in ctl(4) CAM Target Layer

Category: core
Module: ctl
Announced: 2024-10-29
Credits: Synacktiv
Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
Affects: All supported versions of FreeBSD.
Corrected: 2024-10-11 15:53:17 UTC (stable/14, 14.1-STABLE)
2024-10-29 18:45:37 UTC (releng/14.1, 14.1-RELEASE-p6)
2024-10-11 15:53:53 UTC (stable/13, 13.4-STABLE)
2024-10-29 18:49:56 UTC (releng/13.4, 13.4-RELEASE-p2)
2024-10-29 18:53:42 UTC (releng/13.3, 13.3-RELEASE-p8)
CVE Name: CVE-2024-39281

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The ctl subsystem provides SCSI target devices emulation. The bhyve(8)
hypervisor and ctld(8) iSCSI target daemon make use of ctl.

II. Problem Description

The command ctl_persistent_reserve_out allows the caller to specify an
arbitrary size which will be passed to the kernel's memory allocator.

III. Impact

A malicious guest could cause a Denial of Service (DoS) on the host.

IV. Workaround

No workaround is available. Systems not using virtio_scsi(4) or ctld(8)
are not affected.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and reboot
the system.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch
# fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch.asc
# gpg --verify ctl.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/14/ 2e7f4728fa73 stable/14-n269070
releng/14.1/ a8df23541444 releng/14.1-n267724
stable/13/ 367d8c86a182 stable/13-n258514
releng/13.4/ e389eb99fb63 releng/13.4-n258266
releng/13.3/ 9867aebc1d04 releng/13.3-n257476
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39281>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:18.ctl.asc>

 

TOP