FreeBSD: syscons Boundary checking errors in syscons
Posted by LinuxSecurity.com Team   
FreeBSD The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior.

=============================================================================
FreeBSD-SA-04:15.syscons                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Boundary checking errors in syscons

Category:       core
Module:         sys_dev_syscons
Announced:      2004-10-04
Credits:        Christer Oberg
Affects:        FreeBSD 5.x releases
Corrected:      2004-09-30 17:49:15 UTC (RELENG_5, 5.3-BETA6)
                2004-10-04 17:04:25 UTC (RELENG_5_2, 5.2.1-RELEASE-p11)
CVE Name:       CAN-2004-0919
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.freebsd.org/security/>.

I.   Background

syscons(4) is the default console driver for FreeBSD.  Using the
physical keyboard and screen, it provides multiple virtual terminals
which appear as if they were separate terminals.  One virtual terminal
is considered current and exclusively occupies the screen and the
keyboard; the other virtual terminals are placed in the background.

II.  Problem Description

The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of
its input arguments.  In particular, negative coordinates or large
coordinates may cause unexpected behavior.

III. Impact

It may be possible to cause the CONS_SCRSHOT ioctl to return portions of
kernel memory.  Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers.  This information might
be directly useful, or it might be leveraged to obtain elevated
privileges in some way.  For example, a terminal buffer might include a
user-entered password.

IV.  Workaround

There is no known workaround.  However, this bug is only exploitable
by users who have access to the physical console or can otherwise open
a /dev/ttyv* device node.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to the RELENG_5_2 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.2
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_5_2
  src/UPDATING                                                 1.282.2.19
  src/sys/conf/newvers.sh                                       1.56.2.18
  src/sys/dev/syscons/syscons.c                                 1.409.2.1
-------------------------------------------------------------------------

VII. References

http://cvsweb.freebsd.org/src/sys/dev/syscons/syscons.c.diff?r1=1.428&r2=1.429>