-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:05.if_oce_ioctl                               Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient oce(4) ioctl(2) privilege checking

Category:       core
Module:         oce(4)
Announced:      2020-03-19
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-12-26 16:56:42 UTC (stable/12, 12.1-STABLE)
                2020-03-19 16:48:29 UTC (releng/12.1, 12.1-RELEASE-p3)
                2019-12-26 16:58:11 UTC (stable/11, 11.3-STABLE)
                2020-03-19 16:48:29 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name:       CVE-2019-15876

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The primary interface used for network driver configuration is ioctl(2).
Several ioctl(2) commands are reserved for driver-specific purposes.  For
instance, a driver may use one of these ioctls to implement an interface for
updating device firmware.

II.  Problem Description

The driver-specific ioctl(2) command handlers in oce(4) failed to check
whether the caller has sufficient privileges to perform the corresponding
operation.

III. Impact

The oce(4) handler permits unprivileged users to send passthrough commands to
device firmware.

IV.  Workaround

No workaround is available.  Systems that do not contain devices driven by
oce(4) are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch.asc
# gpg --verify if_oce_ioctl.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r356089
releng/12.1/                                                      r359139
stable/11/                                                        r356090
releng/11.3/                                                      r359139
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15876>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJAuBAAnsnjdm2aTLo14rOiNHTNh0NqJPQTJ5F6MwE1P/nUlP5xM21GzDkyki7H
4AytZiCma6MCPzbc8aO6wGnc5zfSA1G/5TLetIgIQeyDQ8wRd0uhIoeO3NB3EXhz
KJkNqtyosmzKUSmq7V/WqYN7VOVceegvbvLXCMTYFkUmvJxYbB67s0upqydFBAD4
j1ecKkNOIehV6cGColM3Dv7sJtVgdvaKg2ehW+AWR7UBOntIr/X3mVpkUE5Y2oLX
tpjuEbdraOpIw/ohKfvpZNPXnEFmhgxrRV4WRw8yFeMsEtLI2HyyUV4ysZrgMKB+
LKxdhfd7HhIiGdoRZO4P60traRiRD+VfqU9Jt3xd9fO1t0MZYTS0R0Lqt9n3UPhR
26YcyrJgElaHIz8Viiw1U7Pdxila7b7gL+V4QVNSG00OqCKkdepgURRepzaz8Zhd
lrfLf+9vysPIL6RsJwDb77qYbu9kK/afGmadBVot6QGg6ovWVLUGd0pQFJuLihZl
YRocdxDO0lgF+w6llmp6ZidEjaScL7XG3yKG1DuoSa0tS+0eQU2U2hByJDzzzkTn
x7t7WU8o5gSRYDe68yuJHXiHWswA4IK+tkYf+h8fDhENDbt7PCo86Vq0Dixg3hoG
ak/KfomAAsnh6MfWNRlCWDXbe0p/yxYLPRHugDdrZ2IpX+uJWHs=
=pADZ
-----END PGP SIGNATURE-----