FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-24 21:00:48 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
d1ac6a6a-bea8-11eb-b87a-901b0ef719ab	FreeBSD-kernel -- SMAP bypass Problem Description: The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses. Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode. Impact: This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit. Discovery 2021-05-27 Entry 2021-05-27 FreeBSD-kernel ge 13.0 lt 13.0_1 ge 12.2 lt 12.2_7 CVE-2021-29628 SA-21:11.smap

VuXML ID

Description

d1ac6a6a-bea8-11eb-b87a-901b0ef719ab

FreeBSD-kernel -- SMAP bypass

Problem Description:

The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.

Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode.

Impact:

This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit.

Discovery 2021-05-27
Entry 2021-05-27
FreeBSD-kernel

ge 13.0 lt 13.0_1

ge 12.2 lt 12.2_7

CVE-2021-29628
SA-21:11.smap