svn commit: r318030 - stable/10/lib/libc/regex
Author: brooks
Date: Tue May 9 16:29:06 2017
New Revision: 318030
URL: https://svnweb.freebsd.org/changeset/base/318030

Log:
  MFC r317707:

  Correct an out-of-bounds read in regcomp when the RE is bad.

  When passed the invalid regular expression "a**", the error is
  eventually detected and seterr() is called. It sets p->error
  appropriately and p->next and p->end to nuls which is a never used char
  nuls[10] which is zeros due to .bss initialization. Unfortunately,
  p_ere_exp() and p_simp_re() both have fall through cases where they set
  the error, decrement p->next and access it which means a read from
  whatever .bss variable comes before nuls.

  Found with regex_test:repet_multi and CHERI bounds checking.

  Reviewed by: ngie, pfg, emaste
  Obtained from: CheriBSD
  Sponsored by: DARPA, AFRL
  Differential Revision: https://reviews.freebsd.org/D10541

Modified:
  stable/10/lib/libc/regex/regcomp.c
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/lib/libc/regex/regcomp.c
==
--- stable/10/lib/libc/regex/regcomp.c Tue May 9 16:27:20 2017 (r318029) +++ stable/10/lib/libc/regex/regcomp.c Tue May 9 16:29:06 2017 (r318030) @@ -444,6 +444,8 @@ p_ere_exp(struct parse *p) (void)REQUIRE(!MORE() || !isdigit((uch)PEEK()), REG_BADRPT); /* FALLTHROUGH */ default: + if (p->error != 0) + return; p->next--; wc = WGETNEXT(); ordinary(p, wc); @@ -651,6 +653,8 @@ p_simp_re(struct parse *p, (void)REQUIRE(starordinary, REG_BADRPT); /* FALLTHROUGH */ default: + if (p->error != 0) + return(0); /* Definitely not $... */ p->next--; wc = WGETNEXT(); ordinary(p, wc);

___ svn-src-stable-10@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10 To unsubscribe, send any mail to "svn-src-stable-10-unsubscr...@freebsd.org"
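Review bot: in the p_ere_exp() hunk the new "if (p->error != 0) return;" carries no comment, and neither site says why the early return is needed. A one-line comment that seterr() has already pointed p->next at nuls, so the "p->next--" that follows would step before that buffer, would keep a later cleanup from dropping the check. The "Definitely not $..." comment in the p_simp_re() hunk explains the return value, not the guard. Since the same decrement-after-error pattern had to be patched in two places, it is worth confirming that no other "p->next--" can run after a failed REQUIRE().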
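The fall-through described in the r318030 log, as an added C model (not FreeBSD's regcomp.c): one array stands in for the .bss layout, and arena, NULS, reread() and bad_repeat() are assumed names. It shows which byte the unguarded step-back reads and that the added p->error check returns before the decrement.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: field names follow the commit log, the rest is assumed. */
struct parse {
    const char *next;   /* next character to consume */
    const char *end;    /* one past the last character */
    int error;          /* 0 until seterr() records a failure */
};

/* One array stands in for .bss: 4 bytes of a neighbouring variable, then
 * the 10-byte nuls buffer. This keeps the model's pointer arithmetic defined. */
static char arena[4 + 10];
#define NULS (arena + 4)

/* On error, park both cursors on nuls so the parser sees end of input. */
static void seterr(struct parse *p, int e)
{
    if (p->error == 0)
        p->error = e;
    p->next = NULS;
    p->end = NULS;
}

/* Tail of the default: arm; -1 means the commit's guard returned first. */
static int reread(struct parse *p, int guarded)
{
    if (guarded && p->error != 0)
        return -1;
    p->next--;
    return (unsigned char)*p->next++;
}

/* Models the fall-through for "a**": the repetition check fails, then
 * the default: arm runs. Error code 1 is a constructed value. */
int bad_repeat(int guarded)
{
    static const char re[] = "a**";
    struct parse p = { re + 3, re + 3, 0 };
    memcpy(arena, "LEAK", 4);   /* contents of the neighbouring variable */
    seterr(&p, 1);
    return reread(&p, guarded);
}

int main(void)
{
    printf("unguarded: %c, guarded: %d\n", bad_repeat(0), bad_repeat(1));
    return 0;
}
```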
svn commit: r318031 - stable/10/contrib/libc++/include
Author: dim
Date: Tue May 9 16:58:08 2017
New Revision: 318031
URL: https://svnweb.freebsd.org/changeset/base/318031

Log:
  MFC r317888 and two upstream prerequisites:

  Pull in r227097 from upstream libc++ trunk (by Marshall Clow):

    Fix PR21428. Buffer was one byte too small in octal formatting case.
    Add test

  Pull in r268009 from upstream libc++ trunk (by Eric Fiselier):

    Fix PR21428 for long. Buffer was one byte too small in octal
    formatting case. Rename previously added test

  Pull in r302362 from upstream libc++ trunk (by me):

    Ensure showbase does not overflow do_put buffers

    Summary:
    In https://bugs.freebsd.org/207918, Daniel McRobb describes how using
    std::showbase with ostreams can cause truncation of unsigned long
    long when output format is octal. In fact, this can even happen with
    unsigned int and unsigned long.

    To ensure this does not happen, add one additional character to the
    do_put buffers if std::showbase is on. Also add a test case.

    Reviewers: EricWF, mclow.lists
    Reviewed By: EricWF
    Subscribers: cfe-commits, emaste
    Differential Revision: https://reviews.llvm.org/D32670

  PR: 207918

Modified:
  stable/10/contrib/libc++/include/locale
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/contrib/libc++/include/locale
==
--- stable/10/contrib/libc++/include/locale Tue May 9 16:29:06 2017 (r318030) +++ stable/10/contrib/libc++/include/locale Tue May 9 16:58:08 2017 (r318031) @@ -1555,7 +1555,8 @@ num_put<_CharT, _OutputIterator>::do_put this->__format_int(__fmt+1, __len, true, __iob.flags()); const unsigned __nbuf = (numeric_limits::digits / 3) + ((numeric_limits::digits % 3) != 0) - + 1; + + ((__iob.flags() & ios_base::showbase) != 0) + + 2; char __nar[__nbuf]; #ifdef _LIBCPP_LOCALE__L_EXTENSIONS int __nc = snprintf_l(__nar, sizeof(__nar), _LIBCPP_GET_C_LOCALE, __fmt, __v);
@@ -1585,7 +1586,8 @@ num_put<_CharT, _OutputIterator>::do_put this->__format_int(__fmt+1, __len, true, __iob.flags()); const unsigned __nbuf = (numeric_limits::digits / 3) + ((numeric_limits::digits % 3) != 0) - + 1; + + ((__iob.flags() & ios_base::showbase) != 0) + + 2; char __nar[__nbuf]; #ifdef _LIBCPP_LOCALE__L_EXTENSIONS int __nc = snprintf_l(__nar, sizeof(__nar), _LIBCPP_GET_C_LOCALE, __fmt, __v); @@ -1615,6 +1617,7 @@ num_put<_CharT, _OutputIterator>::do_put this->__format_int(__fmt+1, __len, false, __iob.flags()); const unsigned __nbuf = (numeric_limits::digits / 3) + ((numeric_limits::digits % 3) != 0) + + ((__iob.flags() & ios_base::showbase) != 0) + 1; char __nar[__nbuf]; #ifdef _LIBCPP_LOCALE__L_EXTENSIONS @@ -1645,6 +1648,7 @@ num_put<_CharT, _OutputIterator>::do_put this->__format_int(__fmt+1, __len, false, __iob.flags()); const unsigned __nbuf = (numeric_limits::digits / 3) + ((numeric_limits::digits % 3) != 0) + + ((__iob.flags() & ios_base::showbase) != 0) + 1; char __nar[__nbuf]; #ifdef _LIBCPP_LOCALE__L_EXTENSIONS
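Review bot: the trailing constants differ between the overloads and nothing in the code says why. The two hunks that pass true to __format_int go from "+ 1" to "+ 2", while the two that pass false keep "+ 1" and only gain the showbase term. A comment next to __nbuf stating what each added character accounts for (the base prefix, the terminator, and the extra byte the log describes for the octal case) would make the sizing checkable by reading, and since the same expression now appears four times it could be computed in one shared helper. The snprintf_l call is bounded by sizeof(__nar), so an undersized buffer shows up as truncated output, which matches the report in the log.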
svn commit: r318071 - stable/10/lib/libc/sys
Author: bdrewery
Date: Tue May 9 18:15:29 2017
New Revision: 318071
URL: https://svnweb.freebsd.org/changeset/base/318071

Log:
  MFC r306771:

  Improve grammar.

Modified:
  stable/10/lib/libc/sys/kqueue.2
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/lib/libc/sys/kqueue.2
==
--- stable/10/lib/libc/sys/kqueue.2 Tue May 9 18:14:45 2017 (r318070) +++ stable/10/lib/libc/sys/kqueue.2 Tue May 9 18:15:29 2017 (r318071) @@ -367,7 +367,7 @@ A file descriptor referencing the monito The closed file descriptor did not have write access. .It Dv NOTE_CLOSE_WRITE A file descriptor referencing the monitored file, was closed. -The closed file descriptor has write access. +The closed file descriptor had write access. .Pp This note, as well as .Dv NOTE_CLOSE ,
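Review bot: the context line directly above the changed sentence, "A file descriptor referencing the monitored file, was closed.", still has a stray comma after "file". Since this commit is a grammar pass over the NOTE_CLOSE_WRITE entry, that comma could be dropped in the same change.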
svn commit: r318096 - stable/10/usr.bin/xinstall
Author: bdrewery
Date: Tue May 9 19:14:26 2017
New Revision: 318096
URL: https://svnweb.freebsd.org/changeset/base/318096

Log:
  MFC r303450:

  Pull a copy of the input string before calling basename() and dirname().

Modified:
  stable/10/usr.bin/xinstall/xinstall.c
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/usr.bin/xinstall/xinstall.c
==
--- stable/10/usr.bin/xinstall/xinstall.c Tue May 9 19:01:57 2017 (r318095) +++ stable/10/usr.bin/xinstall/xinstall.c Tue May 9 19:14:26 2017 (r318096) @@ -669,7 +669,7 @@ makelink(const char *from_name, const ch } if (dolink & LN_RELATIVE) { - char *cp, *d, *s; + char *to_name_copy, *cp, *d, *s; /* Resolve pathnames. */ if (realpath(from_name, src) == NULL) @@ -679,7 +679,10 @@ makelink(const char *from_name, const ch * The last component of to_name may be a symlink, * so use realpath to resolve only the directory. */ - cp = dirname(to_name); + to_name_copy = strdup(to_name); + if (to_name_copy == NULL) + err(EX_OSERR, "%s: strdup", to_name); + cp = dirname(to_name_copy); if (realpath(cp, dst) == NULL) err(EX_OSERR, "%s: realpath", cp); /* .. and add the last component. */ @@ -687,9 +690,11 @@ makelink(const char *from_name, const ch if (strlcat(dst, "/", sizeof(dst)) > sizeof(dst)) errx(1, "resolved pathname too long"); } - cp = basename(to_name); + strcpy(to_name_copy, to_name); + cp = basename(to_name_copy); if (strlcat(dst, cp, sizeof(dst)) > sizeof(dst)) errx(1, "resolved pathname too long"); + free(to_name_copy); /* Trim common path components. */ for (s = src, d = dst; *s == *d; s++, d++)
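Review bot: the "strcpy(to_name_copy, to_name);" before basename() is in bounds only because to_name_copy came from strdup(to_name) and is therefore exactly large enough. That dependency deserves a comment, together with the reason for re-copying (dirname() may have modified the buffer). Separately, the two context checks of the form "strlcat(dst, ..., sizeof(dst)) > sizeof(dst)" miss the case where the return value equals sizeof(dst), which is also truncation; ">=" is the usual test.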
Re: svn commit: r317529 - in stable: 10/sys/sys 11/sys/sys
On Thu, Apr 27, 2017 at 10:28:50PM +, Eric Badger wrote:

> Author: badger
> Date: Thu Apr 27 22:28:49 2017
> New Revision: 317529
> URL: https://svnweb.freebsd.org/changeset/base/317529
>
> Log:
>   Move td_sigqueue to the end of struct thread
>
>   In order to preserve KBI in stable branches, replace the existing
>   td_sigqueue slot with padding and move the expanded (as of r315949)
>   td_sigqueue to the end of the struct.
>
>   Reported by: jhb
>   Suggested by: kib
>   Reviewed by: jhb, kib, vangyzen
>   Sponsored by: Dell EMC
>   Differential Revision: https://reviews.freebsd.org/D10515
>
> Modified:
>   stable/10/sys/sys/proc.h

Is this resolve only crash related to nvidia-driver?
Like virtualbox related crash still occur.
svn commit: r318120 - in stable: 10/release/doc/share/xml 11/release/doc/share/xml
Author: gjb
Date: Tue May 9 23:28:42 2017
New Revision: 318120
URL: https://svnweb.freebsd.org/changeset/base/318120

Log:
  Document SA-17:04.

  Sponsored by: The FreeBSD Foundation

Modified:
  stable/10/release/doc/share/xml/security.xml

Changes in other areas also in this revision:
Modified:
  stable/11/release/doc/share/xml/security.xml

Modified: stable/10/release/doc/share/xml/security.xml
==
--- stable/10/release/doc/share/xml/security.xmlTue May 9 23:13:26 2017(r318119) +++ stable/10/release/doc/share/xml/security.xmlTue May 9 23:28:42 2017(r318120) @@ -199,6 +199,13 @@ 12 April 2017 Multiple vulnerabilities + + + FreeBSD-SA-17:04.ipfilter + 27 April 2017 + Fix fragment handling panic +
svn commit: r318128 - stable/10/sys/fs/nfsclient
Author: rmacklem
Date: Wed May 10 01:39:21 2017
New Revision: 318128
URL: https://svnweb.freebsd.org/changeset/base/318128

Log:
  MFC: r317465

  Fix handling of a NFSv4.1 callback reply from the session cache.

  The nfsv4_seqsession() call returns NFSERR_REPLYFROMCACHE when it has a
  reply in the session, due to a requestor retry. The code erroneously
  assumed a return of 0 for this case. This patch fixes this and adds a
  KASSERT(). This would be an extremely rare occurrence. It was found
  during code inspection during the pNFS server development.

Modified:
  stable/10/sys/fs/nfsclient/nfs_clstate.c
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/sys/fs/nfsclient/nfs_clstate.c
==
--- stable/10/sys/fs/nfsclient/nfs_clstate.cWed May 10 01:28:58 2017 (r318127) +++ stable/10/sys/fs/nfsclient/nfs_clstate.cWed May 10 01:39:21 2017 (r318128) @@ -3560,9 +3560,18 @@ nfscl_docb(struct nfsrv_descript *nd, NF tsep->nfsess_backslots); } NFSUNLOCKCLSTATE(); - if (error == 0) { + if (error == 0 || error == NFSERR_REPLYFROMCACHE) { gotseq_ok = 1; if (rep != NULL) { + /* +* Handle a reply for a retried +* callback. The reply will be +* re-inserted in the session cache +* by the nfsv4_seqsess_cacherep() call +* after out: +*/ + KASSERT(error == NFSERR_REPLYFROMCACHE, + ("cbsequence: non-NULL rep")); NFSCL_DEBUG(4, "Got cbretry\n"); m_freem(nd->nd_mreq); nd->nd_mreq = rep;
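Review bot: the "KASSERT(error == NFSERR_REPLYFROMCACHE, ...)" inside "if (rep != NULL)" only fires on kernels built with INVARIANTS, so on other kernels a non-NULL rep with error == 0 still falls through to the "Got cbretry" path and replaces nd->nd_mreq. If that combination cannot happen, the comment should say why; otherwise it should be handled explicitly rather than asserted. The assertion message "cbsequence: non-NULL rep" would also be more useful if it included the error value.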
Re: svn commit: r317529 - in stable: 10/sys/sys 11/sys/sys
On 05/09/2017 03:32 PM, Slawa Olhovchenkov wrote:

> On Thu, Apr 27, 2017 at 10:28:50PM +, Eric Badger wrote:
>
> > Author: badger
> > Date: Thu Apr 27 22:28:49 2017
> > New Revision: 317529
> > URL: https://svnweb.freebsd.org/changeset/base/317529
> >
> > Log:
> >   Move td_sigqueue to the end of struct thread
> >
> >   In order to preserve KBI in stable branches, replace the existing
> >   td_sigqueue slot with padding and move the expanded (as of r315949)
> >   td_sigqueue to the end of the struct.
> >
> >   Reported by: jhb
> >   Suggested by: kib
> >   Reviewed by: jhb, kib, vangyzen
> >   Sponsored by: Dell EMC
> >   Differential Revision: https://reviews.freebsd.org/D10515
> >
> > Modified:
> >   stable/10/sys/sys/proc.h
>
> Is this resolve only crash related to nvidia-driver?
> Like virtualbox related crash still occur.

Yes, this was intended to address nvidia driver crashes. Is the virtual box problem the same as the one described here?

https://lists.freebsd.org/pipermail/freebsd-stable/2017-March/087028.html