COMMAND

    kernel

SYSTEMS AFFECTED

    FreeBSD 3.2 (and earlier), FreeBSD-Current before August 11, 1999

PROBLEM

    FreeBSD provides a mechanism to profile a running executable to
    aid in performance tuning.  This is accomplished via a kernel
    mechanism that statistically samples the program counter of the
    program under profile.  A flaw exists in the implementation which
    allows an attacker to cause arbitrary locations in a program
    executed by the attacker to be modified.  No attacks using this
    vulnerability are known at this time.  An attacker could
    theoretically gain root access from a carefully crafted attack.
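    The following userland model, added here as an illustration and not
    taken from the FreeBSD kernel or this advisory, shows why profiling
    that survives exec is a problem.  It reconstructs the profil(2)
    sampling path in simplified form: the struct field names follow the
    kernel's uprof (pr_base, pr_size, pr_off, pr_scale), the index
    arithmetic follows the PC_TO_INDEX rule ((pc - off) * scale / 65536,
    rounded to an even byte offset), and P_PROFIL is an assumed flag
    standing in for the kernel's "profiling clock running" state.  A
    profiling clock tick writes a counter into the buffer only while
    that flag is set; sim_exec() models exec() with and without the
    stopprofclock(p) call the patch below adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define P_PROFIL 0x01u  /* assumed: models the kernel's "profiling clock running" flag */

struct uprof {
    uint16_t *pr_base;   /* user buffer of 16-bit sample counters */
    size_t    pr_size;   /* size of that buffer in bytes */
    uintptr_t pr_off;    /* lowest PC the buffer covers */
    unsigned  pr_scale;  /* 16.16 fixed point: counter bytes per text byte */
};

struct proc {
    unsigned     p_flag;
    struct uprof p_prof;
};

/* Byte offset into the buffer for a sampled pc, following the kernel's
 * PC_TO_INDEX rule: (pc - off) * scale / 65536, rounded down to an even
 * offset so it addresses a whole 16-bit counter. */
size_t sample_index(uintptr_t pc, uintptr_t off, unsigned scale)
{
    uint64_t i = ((uint64_t)(pc - off) * scale) >> 16;
    return (size_t)(i & ~(uint64_t)1);
}

/* Model of profil(2): scale 0 stops sampling, anything else starts it. */
void sim_profil(struct proc *p, uint16_t *buf, size_t bufsize,
                uintptr_t offset, unsigned scale)
{
    if (scale == 0) {
        p->p_flag &= ~P_PROFIL;
        return;
    }
    p->p_prof.pr_base  = buf;
    p->p_prof.pr_size  = bufsize;
    p->p_prof.pr_off   = offset;
    p->p_prof.pr_scale = scale;
    p->p_flag |= P_PROFIL;
}

/* Model of one profiling clock tick: bump the counter the sampled pc maps
 * to.  Returns 1 if a counter was written, 0 if the sample was dropped
 * because profiling is off or pc lies outside the covered range. */
int sim_tick(struct proc *p, uintptr_t pc)
{
    struct uprof *pr = &p->p_prof;
    size_t i;

    if (!(p->p_flag & P_PROFIL) || pc < pr->pr_off)
        return 0;
    i = sample_index(pc, pr->pr_off, pr->pr_scale);
    if (i >= pr->pr_size)
        return 0;
    *(uint16_t *)((char *)pr->pr_base + i) += 1;
    return 1;
}

/* Model of exec(): before the patch the kernel left the clock running, so
 * ticks kept writing through the old pr_base into whatever the new image
 * placed at that address.  With the patch, exec calls stopprofclock(p),
 * modelled here by clearing the flag. */
void sim_exec(struct proc *p, int patched)
{
    if (patched)
        p->p_flag &= ~P_PROFIL;  /* stopprofclock(p) */
}

/* Constructed scenario: profile a program, exec a new one, and count the
 * samples that landed in the buffer before (via *writes_before, may be
 * NULL) and after the exec (returned). */
int run_model(int patched, int *writes_before)
{
    static uint16_t buf[64];           /* 128 bytes of counters */
    struct proc p = { 0, { 0, 0, 0, 0 } };
    int k, before = 0, after = 0;

    for (k = 0; k < 64; k++)
        buf[k] = 0;
    /* Cover text at 0x1000..0x107f, one counter per two text bytes. */
    sim_profil(&p, buf, sizeof buf, 0x1000, 0x10000);

    for (k = 0; k < 2; k++)
        before += sim_tick(&p, 0x1010);   /* -> buf[8] */

    sim_exec(&p, patched);                /* new image now owns that range */

    for (k = 0; k < 3; k++)
        after += sim_tick(&p, 0x1020);    /* -> buf[16], only if still on */

    if (writes_before)
        *writes_before = before;
    return after;
}

int main(void)
{
    int before, after;
    after = run_model(0, &before);
    printf("unpatched: %d writes before exec, %d after\n", before, after);
    after = run_model(1, &before);
    printf("patched:   %d writes before exec, %d after\n", before, after);
    return 0;
}
```

    In the unpatched run the three ticks after exec still land in the
    buffer; in the patched run they are all dropped, which is exactly
    the effect of stopping the profiling clock at exec time.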

SOLUTION

    Since profiling is done in the kernel via the profil(2) system
    call, the kernel must be patched; no workaround is possible.
    Apply the following patch.  It applies to both FreeBSD-current
    before the resolution date and to 3.2-stable before the resolution
    date.

    Index: kern_exec.c
    ===================================================================
    RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/kern_exec.c,v
    retrieving revision 1.99
    retrieving revision 1.100
    diff -u -r1.99 -r1.100
    --- kern_exec.c     1999/04/27 11:15:55     1.99
    +++ kern_exec.c     1999/08/11 20:35:38     1.100
        @@ -228,6 +228,9 @@
                fdfree(p);
                p->p_fd = tmp;
        }
    +
    +   /* Stop profiling */
    +   stopprofclock(p);

        /* close files on exec */
        fdcloseexec(p);
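    Review bot: the stopprofclock(p) call sits after the descriptor table swap and before fdcloseexec(p), which is a sensible point to stop the old image's sampling, but the hunk only shows the clock being stopped; confirm that stopprofclock() also leaves the process's profiling buffer state unusable (base and scale) rather than just clearing the clock flag, so nothing in the new image can resume sampling into the old buffer address. The comment "/* Stop profiling */" should also give the rationale, e.g. "profiling set up by the old image must not continue into the new one", so the next reader does not remove it as a cleanup.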

    Corrected:

        FreeBSD-3.3 RELEASE
        FreeBSD-current as of August 11, 1999
        FreeBSD-3.2-stable as of August 22, 1999