Home / mailings FreeBSD Security Advisory FreeBSD-SA-25:02.fs
Posted on 29 January 2025
FreeBSD security notificat=============================================================================FreeBSD-SA-25:02.fs Security Advisory
The FreeBSD Project
Topic: Buffer overflow in some filesystems via NFS
Category: core
Module: fs
Announced: 2025-01-29
Credits: Kevin Miller
Affects: All supported versions of FreeBSD.
Corrected: 2025-01-17 13:53:10 UTC (stable/14, 14.2-STABLE)
2025-01-29 18:54:56 UTC (releng/14.2, 14.2-RELEASE-p1)
2025-01-29 18:55:22 UTC (releng/14.1, 14.1-RELEASE-p7)
2025-01-17 14:00:40 UTC (stable/13, 13.4-STABLE)
2025-01-29 18:55:29 UTC (releng/13.4, 13.4-RELEASE-p3)
CVE Name: CVE-2025-0373
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD provides a number of filesystem implementations for different
purposes. cd9660 is used to mount ISO 9660 images; tarfs is used to mount
POSIX tar archives; ext2fs is used to mount ext2, ext3, and ext4 filesystems.
II. Problem Description
In order to export a file system via NFS, the file system must define a file
system identifier (FID) for all exported files. Each FreeBSD file system
implements operations to translate between FIDs and vnodes, the kernel's
in-memory representation of files. These operations are VOP_VPTOFH(9) and
VFS_FHTOVP(9).
On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and
ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack
buffer overflow.
III. Impact
A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made
to panic by mounting and accessing the export with an NFS client. Further
exploitation (e.g., bypassing file permission checking or remote kernel code
execution) is potentially possible, though this has not been demonstrated. In
particular, release kernels are compiled with stack protection enabled, and
some instances of the overflow are caught by this mechanism, causing a panic.
IV. Workaround
No workaround is available, however, only systems which export a cd9660,
tarfs, or ext2fs filesystem via NFS are affected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-25:02/fs-14.patch
# fetch https://security.FreeBSD.org/patches/SA-25:02/fs-14.patch.asc
# gpg --verify fs-14.patch.asc
[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-25:02/fs-13.patch
# fetch https://security.FreeBSD.org/patches/SA-25:02/fs-13.patch.asc
# gpg --verify fs-13.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/14/ 7a3a0402aeb6 stable/14-n270143
releng/14.2/ faa47d299a0e releng/14.2-n269512
releng/14.1/ c90866090517 releng/14.1-n267732
stable/13/ ee931cf4a49c stable/13-n259016
releng/13.4/ 0365b776f1b1 releng/13.4-n258273
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0373>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:02.fs.asc>
