Author: glebius
Date: Thu Jan 14 09:11:42 2016
New Revision: 293897
URL: https://svnweb.freebsd.org/changeset/base/293897

Log:
  o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]
  o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
  o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
  o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
  o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]
  
  Security:     FreeBSD-SA-16:01.sctp, CVE-2016-1879
  Security:     FreeBSD-SA-16:03.linux, CVE-2016-1880
  Security:     FreeBSD-SA-16:04.linux, CVE-2016-1881
  Security:     FreeBSD-SA-16:05.tcp, CVE-2016-1882
  Security:     FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677

Modified:
  stable/10/etc/Makefile
  stable/10/sys/amd64/linux32/linux32_proto.h
  stable/10/sys/amd64/linux32/linux32_systrace_args.c
  stable/10/sys/amd64/linux32/syscalls.master
  stable/10/sys/compat/linux/linux_futex.c
  stable/10/sys/compat/linux/linux_misc.c
  stable/10/sys/i386/linux/syscalls.master
  stable/10/sys/kern/kern_prot.c
  stable/10/sys/netinet/tcp_output.c
  stable/10/sys/netinet6/sctp6_usrreq.c
  stable/10/sys/sys/ucred.h

Modified: stable/10/etc/Makefile
==============================================================================
--- stable/10/etc/Makefile      Thu Jan 14 09:11:26 2016        (r293896)
+++ stable/10/etc/Makefile      Thu Jan 14 09:11:42 2016        (r293897)
@@ -86,10 +86,6 @@ BIN1+= apmd.conf
 BIN1+= auto_master
 .endif
 
-.if ${MK_BSNMP} != "no"
-BIN1+= snmpd.config
-.endif
-
 .if ${MK_FREEBSD_UPDATE} != "no"
 BIN1+= freebsd-update.conf
 .endif
@@ -218,6 +214,11 @@ distribution:
                ${BIN2} ${DESTDIR}/etc; \
            ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
                master.passwd nsmb.conf opieaccess ${DESTDIR}/etc;
+.if ${MK_BSNMP} != "no"
+       cd ${.CURDIR}; \
+           ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
+               snmpd.config ${DESTDIR}/etc;
+.endif
 .if ${MK_AT} == "no"
        sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab
 .endif
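Review bot: The new `.if ${MK_BSNMP} != "no"` block in the `distribution` target carries no comment saying why snmpd.config was taken out of BIN1 and given its own `-m 600` install. Only the log message ties this to the insecure default permissions fixed by SA-16:06. A line above the block such as `# snmpd.config must not be world-readable (FreeBSD-SA-16:06.bsnmpd); keep it out of BIN1.` would stop a later tidy-up from folding the file back into the default-mode list. The `distribution` target starts and continues outside this hunk.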

Modified: stable/10/sys/amd64/linux32/linux32_proto.h
==============================================================================
--- stable/10/sys/amd64/linux32/linux32_proto.h Thu Jan 14 09:11:26 2016        
(r293896)
+++ stable/10/sys/amd64/linux32/linux32_proto.h Thu Jan 14 09:11:42 2016        
(r293897)
@@ -1023,7 +1023,7 @@ struct linux_set_robust_list_args {
 };
 struct linux_get_robust_list_args {
        char pid_l_[PADL_(l_int)]; l_int pid; char pid_r_[PADR_(l_int)];
-       char head_l_[PADL_(struct linux_robust_list_head *)]; struct 
linux_robust_list_head * head; char head_r_[PADR_(struct linux_robust_list_head 
*)];
+       char head_l_[PADL_(struct linux_robust_list_head **)]; struct 
linux_robust_list_head ** head; char head_r_[PADR_(struct 
linux_robust_list_head **)];
        char len_l_[PADL_(l_size_t *)]; l_size_t * len; char 
len_r_[PADR_(l_size_t *)];
 };
 struct linux_splice_args {

Modified: stable/10/sys/amd64/linux32/linux32_systrace_args.c
==============================================================================
--- stable/10/sys/amd64/linux32/linux32_systrace_args.c Thu Jan 14 09:11:26 
2016        (r293896)
+++ stable/10/sys/amd64/linux32/linux32_systrace_args.c Thu Jan 14 09:11:42 
2016        (r293897)
@@ -2122,7 +2122,7 @@ systrace_args(int sysnum, void *params, 
        case 312: {
                struct linux_get_robust_list_args *p = params;
                iarg[0] = p->pid; /* l_int */
-               uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head 
* */
+               uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head 
** */
                uarg[2] = (intptr_t) p->len; /* l_size_t * */
                *n_args = 3;
                break;
@@ -5551,7 +5551,7 @@ systrace_entry_setargdesc(int sysnum, in
                        p = "l_int";
                        break;
                case 1:
-                       p = "struct linux_robust_list_head *";
+                       p = "struct linux_robust_list_head **";
                        break;
                case 2:
                        p = "l_size_t *";

Modified: stable/10/sys/amd64/linux32/syscalls.master
==============================================================================
--- stable/10/sys/amd64/linux32/syscalls.master Thu Jan 14 09:11:26 2016        
(r293896)
+++ stable/10/sys/amd64/linux32/syscalls.master Thu Jan 14 09:11:42 2016        
(r293897)
@@ -520,8 +520,8 @@
 ; linux 2.6.17:
 311    AUE_NULL        STD     { int linux_set_robust_list(struct 
linux_robust_list_head *head, \
                                        l_size_t len); }
-312    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, struct 
linux_robust_list_head *head, \
-                                       l_size_t *len); }
+312    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, \
+                                   struct linux_robust_list_head **head, 
l_size_t *len); }
 313    AUE_NULL        STD     { int linux_splice(void); }
 314    AUE_NULL        STD     { int linux_sync_file_range(void); }
 315    AUE_NULL        STD     { int linux_tee(void); }

Modified: stable/10/sys/compat/linux/linux_futex.c
==============================================================================
--- stable/10/sys/compat/linux/linux_futex.c    Thu Jan 14 09:11:26 2016        
(r293896)
+++ stable/10/sys/compat/linux/linux_futex.c    Thu Jan 14 09:11:42 2016        
(r293897)
@@ -1132,7 +1132,7 @@ linux_get_robust_list(struct thread *td,
                return (EFAULT);
        }
 
-       error = copyout(head, args->head, sizeof(struct 
linux_robust_list_head));
+       error = copyout(&head, args->head, sizeof(head));
        if (error) {
                LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error,
                    error);
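Review bot: `sizeof(head)` is the size of a native kernel pointer, which is only right when the Linux process has the same pointer width. This commit also changes the amd64/linux32 prototype for the same syscall, so if this file is built for 32-bit Linux binaries on amd64, the copyout would write 8 bytes into what the caller sized as a 4-byte pointer slot. Sizing the copy by the Linux ABI's pointer type, e.g. `error = copyout(&head, args->head, sizeof(l_uintptr_t));`, would keep the write inside the caller's buffer on these little-endian targets. A short comment above the call saying that only the user-space address of the list head is returned, not the structure itself, would also record why the old `sizeof(struct linux_robust_list_head)` was wrong. linux_get_robust_list starts and ends outside this hunk.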

Modified: stable/10/sys/compat/linux/linux_misc.c
==============================================================================
--- stable/10/sys/compat/linux/linux_misc.c     Thu Jan 14 09:11:26 2016        
(r293896)
+++ stable/10/sys/compat/linux/linux_misc.c     Thu Jan 14 09:11:42 2016        
(r293897)
@@ -1302,9 +1302,11 @@ linux_setgroups(struct thread *td, struc
        if (error)
                goto out;
        newcred = crget();
+       crextend(newcred, ngrp + 1);
        p = td->td_proc;
        PROC_LOCK(p);
-       oldcred = crcopysafe(p, newcred);
+       oldcred = p->p_ucred;
+       crcopy(newcred, oldcred);
 
        /*
         * cr_groups[0] holds egid. Setting the whole set from
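Review bot: `crcopy(newcred, oldcred)` now runs under `PROC_LOCK` with `newcred` sized only for `ngrp + 1` groups. When the process's current credential carries more groups than the new set, the copy presumably has to grow `newcred` while the lock is held, which is the case the removed `crcopysafe()` call appears to handle by dropping the lock around the extension. Keeping both, `crextend(newcred, ngrp + 1);` before the lock and `oldcred = crcopysafe(p, newcred);` under it, would cover either size; this should be confirmed against crcopy() and crcopysafe() in kern_prot.c, whose bodies are not shown here. A comment on the `crextend` line noting that the `+ 1` is for the egid kept in `cr_groups[0]` would help too. linux_setgroups begins and ends outside the hunk.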

Modified: stable/10/sys/i386/linux/syscalls.master
==============================================================================
--- stable/10/sys/i386/linux/syscalls.master    Thu Jan 14 09:11:26 2016        
(r293896)
+++ stable/10/sys/i386/linux/syscalls.master    Thu Jan 14 09:11:42 2016        
(r293897)
@@ -528,8 +528,8 @@
 ; linux 2.6.17:
 311    AUE_NULL        STD     { int linux_set_robust_list(struct 
linux_robust_list_head *head, \
                                        l_size_t len); }
-312    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, struct 
linux_robust_list_head **head, \
-                                       l_size_t *len); }
+312    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, \
+                                   struct linux_robust_list_head **head, 
l_size_t *len); }
 313    AUE_NULL        STD     { int linux_splice(void); }
 314    AUE_NULL        STD     { int linux_sync_file_range(void); }
 315    AUE_NULL        STD     { int linux_tee(void); }

Modified: stable/10/sys/kern/kern_prot.c
==============================================================================
--- stable/10/sys/kern/kern_prot.c      Thu Jan 14 09:11:26 2016        
(r293896)
+++ stable/10/sys/kern/kern_prot.c      Thu Jan 14 09:11:42 2016        
(r293897)
@@ -88,7 +88,6 @@ static MALLOC_DEFINE(M_CRED, "cred", "cr
 
 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy");
 
-static void crextend(struct ucred *cr, int n);
 static void crsetgroups_locked(struct ucred *cr, int ngrp,
     gid_t *groups);
 
@@ -1981,7 +1980,7 @@ crcopysafe(struct proc *p, struct ucred 
 /*
  * Extend the passed in credential to hold n items.
  */
-static void
+void
 crextend(struct ucred *cr, int n)
 {
        int cnt;

Modified: stable/10/sys/netinet/tcp_output.c
==============================================================================
--- stable/10/sys/netinet/tcp_output.c  Thu Jan 14 09:11:26 2016        
(r293896)
+++ stable/10/sys/netinet/tcp_output.c  Thu Jan 14 09:11:42 2016        
(r293897)
@@ -745,8 +745,8 @@ send:
         * segments.  Options for SYN-ACK segments are handled in TCP
         * syncache.
         */
+       to.to_flags = 0;
        if ((tp->t_flags & TF_NOOPT) == 0) {
-               to.to_flags = 0;
                /* Maximum segment size. */
                if (flags & TH_SYN) {
                        tp->snd_nxt = tp->iss;
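Review bot: The reason `to.to_flags = 0;` has to sit outside the `TF_NOOPT` test is not recorded at the assignment. The TCP_SIGNATURE block further down in this function (the `@@ -1226` hunk) now tests `to.to_flags & TOF_SIGNATURE` on every path, including the one where option setup is skipped and `to_flags` was previously never assigned. A comment above the assignment such as `/* Always clear: to_flags is tested below even when TF_NOOPT skips option setup. */` would keep a later cleanup from moving it back inside the `if`. The enclosing function starts and ends outside this hunk.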
@@ -1226,7 +1226,7 @@ send:
                tp->snd_up = tp->snd_una;               /* drag it along */
 
 #ifdef TCP_SIGNATURE
-       if (tp->t_flags & TF_SIGNATURE) {
+       if (to.to_flags & TOF_SIGNATURE) {
                int sigoff = to.to_signature - opt;
                tcp_signature_compute(m, 0, len, optlen,
                    (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
@@ -1696,6 +1696,7 @@ tcp_addoptions(struct tcpopt *to, u_char
                        bcopy((u_char *)&to->to_tsecr, optp, 
sizeof(to->to_tsecr));
                        optp += sizeof(to->to_tsecr);
                        break;
+#ifdef TCP_SIGNATURE
                case TOF_SIGNATURE:
                        {
                        int siglen = TCPOLEN_SIGNATURE - 2;
@@ -1714,6 +1715,7 @@ tcp_addoptions(struct tcpopt *to, u_char
                                 *optp++ = 0;
                        break;
                        }
+#endif
                case TOF_SACK:
                        {
                        int sackblks = 0;

Modified: stable/10/sys/netinet6/sctp6_usrreq.c
==============================================================================
--- stable/10/sys/netinet6/sctp6_usrreq.c       Thu Jan 14 09:11:26 2016        
(r293896)
+++ stable/10/sys/netinet6/sctp6_usrreq.c       Thu Jan 14 09:11:42 2016        
(r293897)
@@ -386,7 +386,6 @@ sctp6_ctlinput(int cmd, struct sockaddr 
                 * XXX: We assume that when IPV6 is non NULL, M and OFF are
                 * valid.
                 */
-               /* check if we can safely examine src and dst ports */
                struct sctp_inpcb *inp = NULL;
                struct sctp_tcb *stcb = NULL;
                struct sctp_nets *net = NULL;
@@ -395,6 +394,10 @@ sctp6_ctlinput(int cmd, struct sockaddr 
                if (ip6cp->ip6c_m == NULL)
                        return;
 
+               /* Check if we can safely examine the SCTP header. */
+               if (ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh))
+                       return;
+
                bzero(&sh, sizeof(sh));
                bzero(&final, sizeof(final));
                inp = NULL;
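Review bot: The new length check compares `m_pkthdr.len` with `ip6c_off + sizeof(sh)`, and because `sizeof` yields `size_t`, both sides are evaluated as unsigned. If `ip6c_off` is a signed int (its declaration is not in this hunk), a negative offset would wrap and could pass the test. The XXX comment just above says OFF is assumed valid, so this may be unreachable, but making the assumption explicit is cheap: `if (ip6cp->ip6c_off < 0 || (size_t)ip6cp->ip6c_m->m_pkthdr.len < (size_t)ip6cp->ip6c_off + sizeof(sh)) return;`. sctp6_ctlinput continues outside the hunk.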

Modified: stable/10/sys/sys/ucred.h
==============================================================================
--- stable/10/sys/sys/ucred.h   Thu Jan 14 09:11:26 2016        (r293896)
+++ stable/10/sys/sys/ucred.h   Thu Jan 14 09:11:42 2016        (r293897)
@@ -104,6 +104,7 @@ void        change_svuid(struct ucred *newcred,
 void   crcopy(struct ucred *dest, struct ucred *src);
 struct ucred   *crcopysafe(struct proc *p, struct ucred *cr);
 struct ucred   *crdup(struct ucred *cr);
+void   crextend(struct ucred *cr, int n);
 void   cred_update_thread(struct thread *td);
 void   crfree(struct ucred *cr);
 struct ucred   *crget(void);