Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 28 Sep 2011 08:47:18 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject:   svn commit: r225827 - head/sys/kern head/usr.bin/compress head/usr.bin/gzip releng/7.3 releng/7.3/sys/conf releng/7.3/sys/kern releng/7.3/usr.bin/compress releng/7.3/usr.bin/gzip releng/7.4 releng/...
Message-ID:  <201109280847.p8S8lIRf063633@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: bz
Date: Wed Sep 28 08:47:17 2011
New Revision: 225827
URL: http://svn.freebsd.org/changeset/base/225827

Log:
  Fix handling of corrupt compress(1)ed data. [11:04]
  
  Add missing length checks on unix socket addresses. [11:05]
  
  Approved by:	so (cperciva)
  Approved by:	re (kensmith)
  Security:	FreeBSD-SA-11:04.compress
  Security:	CVE-2011-2895 [11:04]
  Security:	FreeBSD-SA-11:05.unix

Modified:
  stable/7/sys/kern/uipc_usrreq.c
  stable/7/usr.bin/compress/zopen.c
  stable/7/usr.bin/gzip/zuncompress.c

Changes in other areas also in this revision:
Modified:
  head/sys/kern/uipc_usrreq.c
  head/usr.bin/compress/zopen.c
  head/usr.bin/gzip/zuncompress.c
  releng/7.3/UPDATING
  releng/7.3/sys/conf/newvers.sh
  releng/7.3/sys/kern/uipc_usrreq.c
  releng/7.3/usr.bin/compress/zopen.c
  releng/7.3/usr.bin/gzip/zuncompress.c
  releng/7.4/UPDATING
  releng/7.4/sys/conf/newvers.sh
  releng/7.4/sys/kern/uipc_usrreq.c
  releng/7.4/usr.bin/compress/zopen.c
  releng/7.4/usr.bin/gzip/zuncompress.c
  releng/8.1/UPDATING
  releng/8.1/sys/conf/newvers.sh
  releng/8.1/sys/kern/uipc_usrreq.c
  releng/8.1/usr.bin/compress/zopen.c
  releng/8.1/usr.bin/gzip/zuncompress.c
  releng/8.2/UPDATING
  releng/8.2/sys/conf/newvers.sh
  releng/8.2/sys/kern/uipc_usrreq.c
  releng/8.2/usr.bin/compress/zopen.c
  releng/8.2/usr.bin/gzip/zuncompress.c
  stable/8/sys/kern/uipc_usrreq.c
  stable/8/usr.bin/compress/zopen.c
  stable/8/usr.bin/gzip/zuncompress.c
  stable/9/sys/kern/uipc_usrreq.c
  stable/9/usr.bin/compress/zopen.c
  stable/9/usr.bin/gzip/zuncompress.c

Modified: stable/7/sys/kern/uipc_usrreq.c
==============================================================================
--- stable/7/sys/kern/uipc_usrreq.c	Wed Sep 28 08:19:45 2011	(r225826)
+++ stable/7/sys/kern/uipc_usrreq.c	Wed Sep 28 08:47:17 2011	(r225827)
@@ -395,6 +395,8 @@ uipc_bind(struct socket *so, struct sock
 	unp = sotounpcb(so);
 	KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
 
+	if (soun->sun_len > sizeof(struct sockaddr_un))
+		return (EINVAL);
 	namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
 	if (namelen <= 0)
 		return (EINVAL);
@@ -1142,6 +1144,8 @@ unp_connect(struct socket *so, struct so
 	unp = sotounpcb(so);
 	KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
 
+	if (nam->sa_len > sizeof(struct sockaddr_un))
+		return (EINVAL);
 	len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
 	if (len <= 0)
 		return (EINVAL);

Modified: stable/7/usr.bin/compress/zopen.c
==============================================================================
--- stable/7/usr.bin/compress/zopen.c	Wed Sep 28 08:19:45 2011	(r225826)
+++ stable/7/usr.bin/compress/zopen.c	Wed Sep 28 08:47:17 2011	(r225827)
@@ -490,7 +490,7 @@ zread(void *cookie, char *rbp, int num)
 	block_compress = maxbits & BLOCK_MASK;
 	maxbits &= BIT_MASK;
 	maxmaxcode = 1L << maxbits;
-	if (maxbits > BITS) {
+	if (maxbits > BITS || maxbits < 12) {
 		errno = EFTYPE;
 		return (-1);
 	}
@@ -517,17 +517,28 @@ zread(void *cookie, char *rbp, int num)
 			for (code = 255; code >= 0; code--)
 				tab_prefixof(code) = 0;
 			clear_flg = 1;
-			free_ent = FIRST - 1;
-			if ((code = getcode(zs)) == -1)	/* O, untimely death! */
-				break;
+			free_ent = FIRST;
+			oldcode = -1;
+			continue;
 		}
 		incode = code;
 
-		/* Special case for KwKwK string. */
+		/* Special case for kWkWk string. */
 		if (code >= free_ent) {
+			if (code > free_ent || oldcode == -1) {
+				/* Bad stream. */
+				errno = EINVAL;
+				return (-1);
+			}
 			*stackp++ = finchar;
 			code = oldcode;
 		}
+		/*
+		 * The above condition ensures that code < free_ent.
+		 * The construction of tab_prefixof in turn guarantees that
+		 * each iteration decreases code and therefore stack usage is
+		 * bound by 1 << BITS - 256.
+		 */
 
 		/* Generate output characters in reverse order. */
 		while (code >= 256) {
@@ -544,7 +555,7 @@ middle:		do {
 		} while (stackp > de_stack);
 
 		/* Generate the new entry. */
-		if ((code = free_ent) < maxmaxcode) {
+		if ((code = free_ent) < maxmaxcode && oldcode != -1) {
 			tab_prefixof(code) = (u_short) oldcode;
 			tab_suffixof(code) = finchar;
 			free_ent = code + 1;

Modified: stable/7/usr.bin/gzip/zuncompress.c
==============================================================================
--- stable/7/usr.bin/gzip/zuncompress.c	Wed Sep 28 08:19:45 2011	(r225826)
+++ stable/7/usr.bin/gzip/zuncompress.c	Wed Sep 28 08:47:17 2011	(r225827)
@@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num)
 	zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK;
 	zs->zs_maxbits &= BIT_MASK;
 	zs->zs_maxmaxcode = 1L << zs->zs_maxbits;
-	if (zs->zs_maxbits > BITS) {
+	if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) {
 		errno = EFTYPE;
 		return (-1);
 	}
@@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num)
 	}
 	zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256;
 
-	zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs);
-	if (zs->u.r.zs_oldcode == -1)	/* EOF already? */
-		return (0);	/* Get out of here */
-
-	/* First code must be 8 bits = char. */
-	*bp++ = (u_char)zs->u.r.zs_finchar;
-	count--;
+	zs->u.r.zs_oldcode = -1;
 	zs->u.r.zs_stackp = de_stack;
 
 	while ((zs->u.r.zs_code = getcode(zs)) > -1) {
@@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num)
 			    zs->u.r.zs_code--)
 				tab_prefixof(zs->u.r.zs_code) = 0;
 			zs->zs_clear_flg = 1;
-			zs->zs_free_ent = FIRST - 1;
-			if ((zs->u.r.zs_code = getcode(zs)) == -1)	/* O, untimely death! */
-				break;
+			zs->zs_free_ent = FIRST;
+			zs->u.r.zs_oldcode = -1;
+			continue;
 		}
 		zs->u.r.zs_incode = zs->u.r.zs_code;
 
 		/* Special case for KwKwK string. */
 		if (zs->u.r.zs_code >= zs->zs_free_ent) {
+			if (zs->u.r.zs_code > zs->zs_free_ent ||
+			    zs->u.r.zs_oldcode == -1) {
+				/* Bad stream. */
+				errno = EINVAL;
+				return (-1);
+			}
 			*zs->u.r.zs_stackp++ = zs->u.r.zs_finchar;
 			zs->u.r.zs_code = zs->u.r.zs_oldcode;
 		}
+		/*
+		 * The above condition ensures that code < free_ent.
+		 * The construction of tab_prefixof in turn guarantees that
+		 * each iteration decreases code and therefore stack usage is
+		 * bound by 1 << BITS - 256.
+		 */
 
 		/* Generate output characters in reverse order. */
 		while (zs->u.r.zs_code >= 256) {
@@ -302,7 +308,8 @@ middle:		do {
 		} while (zs->u.r.zs_stackp > de_stack);
 
 		/* Generate the new entry. */
-		if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) {
+		if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode &&
+		    zs->u.r.zs_oldcode != -1) {
 			tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode;
 			tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar;
 			zs->zs_free_ent = zs->u.r.zs_code + 1;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201109280847.p8S8lIRf063633>