From: Dag-Erling Smørgrav Date: Sun, 8 Sep 2013 18:27:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r255398 - releng/9.2/usr.sbin/rtadvd X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Sep 2013 18:27:27 -0000 Author: des Date: Sun Sep 8 18:27:26 2013 New Revision: 255398 URL: http://svnweb.freebsd.org/changeset/base/255398 Log: MFH (r254684, r254955): fix segfault on reload. MFH (r255156): silence an error message on non-IPv6 interfaces. Approved by: re (glebius) Modified: releng/9.2/usr.sbin/rtadvd/config.c releng/9.2/usr.sbin/rtadvd/if.c Directory Properties: releng/9.2/usr.sbin/rtadvd/ (props changed) Modified: releng/9.2/usr.sbin/rtadvd/config.c ============================================================================== --- releng/9.2/usr.sbin/rtadvd/config.c Sun Sep 8 18:19:40 2013 (r255397) +++ releng/9.2/usr.sbin/rtadvd/config.c Sun Sep 8 18:27:26 2013 (r255398) @@ -296,10 +296,8 @@ rm_rainfo(struct rainfo *rai) if (rai->rai_ra_data != NULL) free(rai->rai_ra_data); - while ((pfx = TAILQ_FIRST(&rai->rai_prefix)) != NULL) { - TAILQ_REMOVE(&rai->rai_prefix, pfx, pfx_next); - free(pfx); - } + while ((pfx = TAILQ_FIRST(&rai->rai_prefix)) != NULL) + delete_prefix(pfx); while ((sol = TAILQ_FIRST(&rai->rai_soliciter)) != NULL) { TAILQ_REMOVE(&rai->rai_soliciter, sol, sol_next); free(sol); 
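Review bot: the rewritten prefix loop in rm_rainfo() now terminates only if delete_prefix() unlinks pfx from rai->rai_prefix on every call, and nothing in the hunk says so. The removed body did the TAILQ_REMOVE() and free() itself, so the termination condition was visible at the call site. A one-line comment above the loop stating that delete_prefix() removes the entry from the list and releases it would make that reviewable here. The rai_soliciter loop directly below still uses the open-coded remove-and-free form, so the two loops now differ for a reason the code should state.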
@@ -1123,9 +1121,9 @@ add_prefix(struct rainfo *rai, struct in pfx->pfx_onlinkflg = ipr->ipr_raf_onlink; pfx->pfx_autoconfflg = ipr->ipr_raf_auto; pfx->pfx_origin = PREFIX_FROM_DYNAMIC; + pfx->pfx_rainfo = rai; TAILQ_INSERT_TAIL(&rai->rai_prefix, pfx, pfx_next); - pfx->pfx_rainfo = rai; syslog(LOG_DEBUG, "<%s> new prefix %s/%d was added on %s", __func__, Modified: releng/9.2/usr.sbin/rtadvd/if.c ============================================================================== --- releng/9.2/usr.sbin/rtadvd/if.c Sun Sep 8 18:19:40 2013 (r255397) +++ releng/9.2/usr.sbin/rtadvd/if.c Sun Sep 8 18:27:26 2013 (r255398) @@ -394,8 +394,8 @@ update_ifinfo_nd_flags(struct ifinfo *if error = ioctl(s, SIOCGIFINFO_IN6, (caddr_t)&nd); if (error) { close(s); - syslog(LOG_ERR, - "<%s> ioctl() failed.", __func__); + if (errno != EPFNOSUPPORT) + syslog(LOG_ERR, "<%s> ioctl() failed.", __func__); return (1); } ifi->ifi_nd_flags = nd.ndi.flags; From owner-svn-src-releng@FreeBSD.ORG Sun Sep 8 19:29:46 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 085773C1; Sun, 8 Sep 2013 19:29:46 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E7C3F2CEA; Sun, 8 Sep 2013 19:29:45 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r88JTjNK004363; Sun, 8 Sep 2013 19:29:45 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r88JTjWY004362; Sun, 8 Sep 2013 19:29:45 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201309081929.r88JTjWY004362@svn.freebsd.org> 
From: Dag-Erling Smørgrav Date: Sun, 8 Sep 2013 19:29:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r255401 - releng/9.2/etc/mtree X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Sep 2013 19:29:46 -0000 Author: des Date: Sun Sep 8 19:29:45 2013 New Revision: 255401 URL: http://svnweb.freebsd.org/changeset/base/255401 Log: MFH (r255243): create /var/authpf with correct ownership and permissions. Approved by: re (glebius) Modified: releng/9.2/etc/mtree/BSD.var.dist Directory Properties: releng/9.2/etc/ (props changed) releng/9.2/etc/mtree/ (props changed) Modified: releng/9.2/etc/mtree/BSD.var.dist ============================================================================== --- releng/9.2/etc/mtree/BSD.var.dist Sun Sep 8 19:13:06 2013 (r255400) +++ releng/9.2/etc/mtree/BSD.var.dist Sun Sep 8 19:29:45 2013 (r255401) 
@@ -23,6 +23,8 @@ remote uname=auditdistd gname=wheel mode=0700 .. .. + authpf uname=root gname=authpf mode=0770 + .. /set gname=wheel backups .. From owner-svn-src-releng@FreeBSD.ORG Tue Sep 10 01:38:42 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 6953E739; Tue, 10 Sep 2013 01:38:42 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 2F48720DE; Tue, 10 Sep 2013 01:38:42 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r8A1cg04085913; Tue, 10 Sep 2013 01:38:42 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r8A1cggx085912; Tue, 10 Sep 2013 01:38:42 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201309100138.r8A1cggx085912@svn.freebsd.org> 
From: Xin LI Date: Tue, 10 Sep 2013 01:38:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r255436 - releng/9.2/sys/dev/hpt27xx X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 01:38:42 -0000 Author: delphij Date: Tue Sep 10 01:38:41 2013 New Revision: 255436 URL: http://svnweb.freebsd.org/changeset/base/255436 Log: MFS r255435: MFC r255320: Return BUS_PROBE_DEFAULT instead of BUS_PROBE_SPECIFIC. Approved by: re (hrs) Modified: releng/9.2/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Directory Properties: releng/9.2/sys/ (props changed) releng/9.2/sys/dev/ (props changed) Modified: releng/9.2/sys/dev/hpt27xx/hpt27xx_osm_bsd.c ============================================================================== --- releng/9.2/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Tue Sep 10 00:40:21 2013 (r255435) +++ releng/9.2/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Tue Sep 10 01:38:41 2013 (r255436) 
@@ -52,7 +52,7 @@ static int hpt_probe(device_t dev) memset(hba, 0, sizeof(HBA)); hba->ext_type = EXT_TYPE_HBA; hba->ldm_adapter.him = him; - return 0; + return (BUS_PROBE_DEFAULT); } } } From owner-svn-src-releng@FreeBSD.ORG Tue Sep 10 10:08:21 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id C5C34F68; Tue, 10 Sep 2013 10:08:21 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id A34622A4D; Tue, 10 Sep 2013 10:08:21 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r8AA8LMc097845; Tue, 10 Sep 2013 10:08:21 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r8AA8KJa097830; Tue, 10 Sep 2013 10:08:20 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201309101008.r8AA8KJa097830@svn.freebsd.org> 
From: Dag-Erling Smørgrav Date: Tue, 10 Sep 2013 10:08:20 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r255444 - in releng/9.2/sys: conf fs/nullfs net netinet6 netnatm X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 10:08:21 -0000 Author: des Date: Tue Sep 10 10:08:20 2013 New Revision: 255444 URL: http://svnweb.freebsd.org/changeset/base/255444 Log: In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather than pass them on to the link layer without validation or credential checks. [SA-13:12] Prevent cross-mount hardlinks between different nullfs mounts of the same underlying filesystem. [SA-13:13] Security: CVE-2013-5691 Security: FreeBSD-SA-13:12.ifioctl Security: CVE-2013-5710 Security: FreeBSD-SA-13:13.nullfs Approved by: re Modified: releng/9.2/sys/conf/newvers.sh releng/9.2/sys/fs/nullfs/null_vnops.c releng/9.2/sys/net/if.c releng/9.2/sys/netinet6/in6.c releng/9.2/sys/netnatm/natm.c Modified: releng/9.2/sys/conf/newvers.sh ============================================================================== --- releng/9.2/sys/conf/newvers.sh Tue Sep 10 10:07:21 2013 (r255443) +++ releng/9.2/sys/conf/newvers.sh Tue Sep 10 10:08:20 2013 (r255444) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.2" -BRANCH="RC3" +BRANCH="RC3-p1" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.2/sys/fs/nullfs/null_vnops.c ============================================================================== --- releng/9.2/sys/fs/nullfs/null_vnops.c Tue Sep 10 10:07:21 2013 (r255443) +++ releng/9.2/sys/fs/nullfs/null_vnops.c Tue Sep 10 10:08:20 2013 (r255444) @@ -858,6 +858,15 @@ null_vptocnp(struct vop_vptocnp_args *ap return (error); } +static int +null_link(struct vop_link_args *ap) +{ + + if (ap->a_tdvp->v_mount != ap->a_vp->v_mount) + return (EXDEV); + return (null_bypass((struct vop_generic_args *)ap)); +} + /* * Global vfs data structures */ @@ -871,6 +880,7 @@ struct vop_vector null_vnodeops = { .vop_getwritemount = null_getwritemount, .vop_inactive = null_inactive, .vop_islocked = vop_stdislocked, + .vop_link = null_link, .vop_lock1 = null_lock, .vop_lookup = null_lookup, .vop_open = null_open, Modified: releng/9.2/sys/net/if.c ============================================================================== --- releng/9.2/sys/net/if.c Tue Sep 10 10:07:21 2013 (r255443) +++ releng/9.2/sys/net/if.c Tue Sep 10 10:08:20 2013 (r255444) 
@@ -2555,11 +2555,23 @@ ifioctl(struct socket *so, u_long cmd, c CURVNET_RESTORE(); return (EOPNOTSUPP); } + + /* + * Pass the request on to the socket control method, and if the + * latter returns EOPNOTSUPP, directly to the interface. + * + * Make an exception for the legacy SIOCSIF* requests. Drivers + * trust SIOCSIFADDR et al to come from an already privileged + * layer, and do not perform any credentials checks or input + * validation. + */ #ifndef COMPAT_43 error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd, data, ifp, td)); - if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL) + if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); #else { @@ -2603,7 +2615,9 @@ ifioctl(struct socket *so, u_long cmd, c data, ifp, td)); if (error == EOPNOTSUPP && ifp != NULL && - ifp->if_ioctl != NULL) + ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); switch (ocmd) { Modified: releng/9.2/sys/netinet6/in6.c ============================================================================== --- releng/9.2/sys/netinet6/in6.c Tue Sep 10 10:07:21 2013 (r255443) +++ releng/9.2/sys/netinet6/in6.c Tue Sep 10 10:08:20 2013 (r255444) 
@@ -422,6 +422,18 @@ in6_control(struct socket *so, u_long cm case SIOCGIFSTAT_ICMP6: sa6 = &ifr->ifr_addr; break; + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-INET6 ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); default: sa6 = NULL; break; Modified: releng/9.2/sys/netnatm/natm.c ============================================================================== --- releng/9.2/sys/netnatm/natm.c Tue Sep 10 10:07:21 2013 (r255443) +++ releng/9.2/sys/netnatm/natm.c Tue Sep 10 10:08:20 2013 (r255444) 
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_lo npcb = (struct natmpcb *)so->so_pcb; KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL")); + switch (cmd) { + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-ATM ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); + } + if (ifp == NULL || ifp->if_ioctl == NULL) return (EOPNOTSUPP); return ((*ifp->if_ioctl)(ifp, cmd, arg)); From owner-svn-src-releng@FreeBSD.ORG Tue Sep 10 10:13:16 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 92B8033E; Tue, 10 Sep 2013 10:13:16 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 7E6642ABA; Tue, 10 Sep 2013 10:13:16 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r8AADGpM001832; Tue, 10 Sep 2013 10:13:16 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r8AADFwF001822; Tue, 10 Sep 2013 10:13:15 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201309101013.r8AADFwF001822@svn.freebsd.org> 
From: Dag-Erling Smørgrav Date: Tue, 10 Sep 2013 10:13:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r255446 - in releng/8.3: . sys/conf sys/fs/nullfs sys/net sys/netinet6 sys/netnatm X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 10:13:16 -0000 Author: des Date: Tue Sep 10 10:13:14 2013 New Revision: 255446 URL: http://svnweb.freebsd.org/changeset/base/255446 Log: In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather than pass them on to the link layer without validation or credential checks. [SA-13:12] Prevent cross-mount hardlinks between different nullfs mounts of the same underlying filesystem. [SA-13:13] Security: CVE-2013-5691 Security: FreeBSD-SA-13:12.ifioctl Security: CVE-2013-5710 Security: FreeBSD-SA-13:13.nullfs Approved by: so Modified: releng/8.3/UPDATING releng/8.3/sys/conf/newvers.sh releng/8.3/sys/fs/nullfs/null_vnops.c releng/8.3/sys/net/if.c releng/8.3/sys/netinet6/in6.c releng/8.3/sys/netnatm/natm.c Modified: releng/8.3/UPDATING ============================================================================== --- releng/8.3/UPDATING Tue Sep 10 10:12:09 2013 (r255445) +++ releng/8.3/UPDATING Tue Sep 10 10:13:14 2013 (r255446) 
@@ -15,6 +15,17 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20130910: p11 FreeBSD-SA-13:12.ifioctl + FreeBSD-SA-13:13.nullfs + + In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, + SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather + than pass them on to the link layer without validation or + credential checks. [SA-13:12] + + Prevent cross-mount hardlinks between different nullfs mounts + of the same underlying filesystem. [SA-13:13] + 20130822: p10 FreeBSD-SA-13:09.ip_multicast FreeBSD-SA-13:10.sctp Fix an integer overflow in computing the size of a temporary buffer Modified: releng/8.3/sys/conf/newvers.sh ============================================================================== --- releng/8.3/sys/conf/newvers.sh Tue Sep 10 10:12:09 2013 (r255445) +++ releng/8.3/sys/conf/newvers.sh Tue Sep 10 10:13:14 2013 (r255446) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.3" -BRANCH="RELEASE-p10" +BRANCH="RELEASE-p11" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.3/sys/fs/nullfs/null_vnops.c ============================================================================== --- releng/8.3/sys/fs/nullfs/null_vnops.c Tue Sep 10 10:12:09 2013 (r255445) +++ releng/8.3/sys/fs/nullfs/null_vnops.c Tue Sep 10 10:13:14 2013 (r255446) @@ -817,6 +817,15 @@ null_vptocnp(struct vop_vptocnp_args *ap return (error); } +static int +null_link(struct vop_link_args *ap) +{ + + if (ap->a_tdvp->v_mount != ap->a_vp->v_mount) + return (EXDEV); + return (null_bypass((struct vop_generic_args *)ap)); +} + /* * Global vfs data structures */ 
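Review bot: null_link() carries no comment explaining the a_tdvp->v_mount != a_vp->v_mount test, while the if.c, in6.c and natm.c changes in this same commit each document the filter they add. Everything that passes the test goes straight to null_bypass(), so the comparison is the entire fix. A short comment above it saying that it rejects hardlinks between different nullfs mounts of the same underlying filesystem (the case the log message names for SA-13:13) would keep a later cleanup from treating the wrapper as redundant.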
@@ -829,6 +838,7 @@ struct vop_vector null_vnodeops = { .vop_getwritemount = null_getwritemount, .vop_inactive = null_inactive, .vop_islocked = vop_stdislocked, + .vop_link = null_link, .vop_lock1 = null_lock, .vop_lookup = null_lookup, .vop_open = null_open, Modified: releng/8.3/sys/net/if.c ============================================================================== --- releng/8.3/sys/net/if.c Tue Sep 10 10:12:09 2013 (r255445) +++ releng/8.3/sys/net/if.c Tue Sep 10 10:13:14 2013 (r255446) @@ -2606,11 +2606,23 @@ ifioctl(struct socket *so, u_long cmd, c CURVNET_RESTORE(); return (EOPNOTSUPP); } + + /* + * Pass the request on to the socket control method, and if the + * latter returns EOPNOTSUPP, directly to the interface. + * + * Make an exception for the legacy SIOCSIF* requests. Drivers + * trust SIOCSIFADDR et al to come from an already privileged + * layer, and do not perform any credentials checks or input + * validation. + */ #ifndef COMPAT_43 error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd, data, ifp, td)); - if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL) + if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); #else { @@ -2654,7 +2666,9 @@ ifioctl(struct socket *so, u_long cmd, c data, ifp, td)); if (error == EOPNOTSUPP && ifp != NULL && - ifp->if_ioctl != NULL) + ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); switch (ocmd) { Modified: releng/8.3/sys/netinet6/in6.c ============================================================================== --- releng/8.3/sys/netinet6/in6.c Tue Sep 10 10:12:09 2013 (r255445) +++ releng/8.3/sys/netinet6/in6.c Tue Sep 10 10:13:14 2013 (r255446) 
@@ -339,6 +339,18 @@ in6_control(struct socket *so, u_long cm case SIOCGIFSTAT_ICMP6: sa6 = &ifr->ifr_addr; break; + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-INET6 ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); default: sa6 = NULL; break; Modified: releng/8.3/sys/netnatm/natm.c ============================================================================== --- releng/8.3/sys/netnatm/natm.c Tue Sep 10 10:12:09 2013 (r255445) +++ releng/8.3/sys/netnatm/natm.c Tue Sep 10 10:13:14 2013 (r255446) 
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_lo npcb = (struct natmpcb *)so->so_pcb; KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL")); + switch (cmd) { + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-ATM ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); + } + if (ifp == NULL || ifp->if_ioctl == NULL) return (EOPNOTSUPP); return ((*ifp->if_ioctl)(ifp, cmd, arg)); From owner-svn-src-releng@FreeBSD.ORG Tue Sep 10 10:14:20 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id C4AFD472; Tue, 10 Sep 2013 10:14:20 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id B16882AC6; Tue, 10 Sep 2013 10:14:20 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r8AAEK30002387; Tue, 10 Sep 2013 10:14:20 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r8AAEJHZ002344; Tue, 10 Sep 2013 10:14:19 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201309101014.r8AAEJHZ002344@svn.freebsd.org> 
From: Dag-Erling Smørgrav Date: Tue, 10 Sep 2013 10:14:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r255447 - in releng/8.4: . sys/conf sys/fs/nullfs sys/net sys/netinet6 sys/netnatm X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 10:14:20 -0000 Author: des Date: Tue Sep 10 10:14:19 2013 New Revision: 255447 URL: http://svnweb.freebsd.org/changeset/base/255447 Log: In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather than pass them on to the link layer without validation or credential checks. [SA-13:12] Prevent cross-mount hardlinks between different nullfs mounts of the same underlying filesystem. [SA-13:13] Security: CVE-2013-5691 Security: FreeBSD-SA-13:12.ifioctl Security: CVE-2013-5710 Security: FreeBSD-SA-13:13.nullfs Approved by: so Modified: releng/8.4/UPDATING releng/8.4/sys/conf/newvers.sh releng/8.4/sys/fs/nullfs/null_vnops.c releng/8.4/sys/net/if.c releng/8.4/sys/netinet6/in6.c releng/8.4/sys/netnatm/natm.c Modified: releng/8.4/UPDATING ============================================================================== --- releng/8.4/UPDATING Tue Sep 10 10:13:14 2013 (r255446) +++ releng/8.4/UPDATING Tue Sep 10 10:14:19 2013 (r255447) 
@@ -15,6 +15,17 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20130910: p4 FreeBSD-SA-13:12.ifioctl + FreeBSD-SA-13:13.nullfs + + In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, + SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather + than pass them on to the link layer without validation or + credential checks. [SA-13:12] + + Prevent cross-mount hardlinks between different nullfs mounts + of the same underlying filesystem. [SA-13:13] + 20130822: p3 FreeBSD-SA-13:09.ip_multicast FreeBSD-SA-13:10.sctp Fix an integer overflow in computing the size of a temporary buffer Modified: releng/8.4/sys/conf/newvers.sh ============================================================================== --- releng/8.4/sys/conf/newvers.sh Tue Sep 10 10:13:14 2013 (r255446) +++ releng/8.4/sys/conf/newvers.sh Tue Sep 10 10:14:19 2013 (r255447) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.4" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.4/sys/fs/nullfs/null_vnops.c ============================================================================== --- releng/8.4/sys/fs/nullfs/null_vnops.c Tue Sep 10 10:13:14 2013 (r255446) +++ releng/8.4/sys/fs/nullfs/null_vnops.c Tue Sep 10 10:14:19 2013 (r255447) @@ -816,6 +816,15 @@ null_vptocnp(struct vop_vptocnp_args *ap return (error); } +static int +null_link(struct vop_link_args *ap) +{ + + if (ap->a_tdvp->v_mount != ap->a_vp->v_mount) + return (EXDEV); + return (null_bypass((struct vop_generic_args *)ap)); +} + /* * Global vfs data structures */ 
@@ -828,6 +837,7 @@ struct vop_vector null_vnodeops = { .vop_getwritemount = null_getwritemount, .vop_inactive = null_inactive, .vop_islocked = vop_stdislocked, + .vop_link = null_link, .vop_lock1 = null_lock, .vop_lookup = null_lookup, .vop_open = null_open, Modified: releng/8.4/sys/net/if.c ============================================================================== --- releng/8.4/sys/net/if.c Tue Sep 10 10:13:14 2013 (r255446) +++ releng/8.4/sys/net/if.c Tue Sep 10 10:14:19 2013 (r255447) @@ -2602,11 +2602,23 @@ ifioctl(struct socket *so, u_long cmd, c CURVNET_RESTORE(); return (EOPNOTSUPP); } + + /* + * Pass the request on to the socket control method, and if the + * latter returns EOPNOTSUPP, directly to the interface. + * + * Make an exception for the legacy SIOCSIF* requests. Drivers + * trust SIOCSIFADDR et al to come from an already privileged + * layer, and do not perform any credentials checks or input + * validation. + */ #ifndef COMPAT_43 error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd, data, ifp, td)); - if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL) + if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); #else { @@ -2650,7 +2662,9 @@ ifioctl(struct socket *so, u_long cmd, c data, ifp, td)); if (error == EOPNOTSUPP && ifp != NULL && - ifp->if_ioctl != NULL) + ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); switch (ocmd) { Modified: releng/8.4/sys/netinet6/in6.c ============================================================================== --- releng/8.4/sys/netinet6/in6.c Tue Sep 10 10:13:14 2013 (r255446) +++ releng/8.4/sys/netinet6/in6.c Tue Sep 10 10:14:19 2013 (r255447) 
@@ -344,6 +344,18 @@ in6_control(struct socket *so, u_long cm case SIOCGIFSTAT_ICMP6: sa6 = &ifr->ifr_addr; break; + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-INET6 ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); default: sa6 = NULL; break; Modified: releng/8.4/sys/netnatm/natm.c ============================================================================== --- releng/8.4/sys/netnatm/natm.c Tue Sep 10 10:13:14 2013 (r255446) +++ releng/8.4/sys/netnatm/natm.c Tue Sep 10 10:14:19 2013 (r255447) 
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_lo npcb = (struct natmpcb *)so->so_pcb; KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL")); + switch (cmd) { + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-ATM ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); + } + if (ifp == NULL || ifp->if_ioctl == NULL) return (EOPNOTSUPP); return ((*ifp->if_ioctl)(ifp, cmd, arg)); From owner-svn-src-releng@FreeBSD.ORG Tue Sep 10 10:15:35 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 924805CC; Tue, 10 Sep 2013 10:15:35 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 7ECD12ADF; Tue, 10 Sep 2013 10:15:35 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r8AAFZq1003104; Tue, 10 Sep 2013 10:15:35 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r8AAFYeX003097; Tue, 10 Sep 2013 10:15:34 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201309101015.r8AAFYeX003097@svn.freebsd.org> 
From: Dag-Erling Smørgrav
Date: Tue, 10 Sep 2013 10:15:34 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r255448 - in releng/9.1: . sys/conf sys/fs/nullfs sys/net sys/netinet6 sys/netnatm
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Tue, 10 Sep 2013 10:15:35 -0000

Author: des
Date: Tue Sep 10 10:15:33 2013
New Revision: 255448
URL: http://svnweb.freebsd.org/changeset/base/255448

Log:
  In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and
  SIOCSIFNETMASK at the socket layer rather than pass them on to the link
  layer without validation or credential checks. [SA-13:12]

  Prevent cross-mount hardlinks between different nullfs mounts of the same
  underlying filesystem. [SA-13:13]

  Security: CVE-2013-5691
  Security: FreeBSD-SA-13:12.ifioctl
  Security: CVE-2013-5710
  Security: FreeBSD-SA-13:13.nullfs
  Approved by: so

Modified:
  releng/9.1/UPDATING
  releng/9.1/sys/conf/newvers.sh
  releng/9.1/sys/fs/nullfs/null_vnops.c
  releng/9.1/sys/net/if.c
  releng/9.1/sys/netinet6/in6.c
  releng/9.1/sys/netnatm/natm.c

Modified: releng/9.1/UPDATING ============================================================================== --- releng/9.1/UPDATING Tue Sep 10 10:14:19 2013 (r255447) +++ releng/9.1/UPDATING Tue Sep 10 10:15:33 2013 (r255448)
@@ -9,6 +9,17 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20130910: p7 FreeBSD-SA-13:12.ifioctl + FreeBSD-SA-13:13.nullfs + + In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, + SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather + than pass them on to the link layer without validation or + credential checks. [SA-13:12] + + Prevent cross-mount hardlinks between different nullfs mounts + of the same underlying filesystem. [SA-13:13] + 20130822: p6 FreeBSD-SA-13:09.ip_multicast FreeBSD-SA-13:10.sctp FreeBSD-EN-13:03.mfi Modified: releng/9.1/sys/conf/newvers.sh ============================================================================== --- releng/9.1/sys/conf/newvers.sh Tue Sep 10 10:14:19 2013 (r255447) +++ releng/9.1/sys/conf/newvers.sh Tue Sep 10 10:15:33 2013 (r255448) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.1" -BRANCH="RELEASE-p6" +BRANCH="RELEASE-p7" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.1/sys/fs/nullfs/null_vnops.c ============================================================================== --- releng/9.1/sys/fs/nullfs/null_vnops.c Tue Sep 10 10:14:19 2013 (r255447) +++ releng/9.1/sys/fs/nullfs/null_vnops.c Tue Sep 10 10:15:33 2013 (r255448) @@ -815,6 +815,15 @@ null_vptocnp(struct vop_vptocnp_args *ap return (error); } +static int +null_link(struct vop_link_args *ap) +{ + + if (ap->a_tdvp->v_mount != ap->a_vp->v_mount) + return (EXDEV); + return (null_bypass((struct vop_generic_args *)ap)); +} + /* * Global vfs data structures */ 
@@ -828,6 +837,7 @@ struct vop_vector null_vnodeops = { .vop_getwritemount = null_getwritemount, .vop_inactive = null_inactive, .vop_islocked = vop_stdislocked, + .vop_link = null_link, .vop_lock1 = null_lock, .vop_lookup = null_lookup, .vop_open = null_open, Modified: releng/9.1/sys/net/if.c ============================================================================== --- releng/9.1/sys/net/if.c Tue Sep 10 10:14:19 2013 (r255447) +++ releng/9.1/sys/net/if.c Tue Sep 10 10:15:33 2013 (r255448) @@ -2542,11 +2542,23 @@ ifioctl(struct socket *so, u_long cmd, c CURVNET_RESTORE(); return (EOPNOTSUPP); } + + /* + * Pass the request on to the socket control method, and if the + * latter returns EOPNOTSUPP, directly to the interface. + * + * Make an exception for the legacy SIOCSIF* requests. Drivers + * trust SIOCSIFADDR et al to come from an already privileged + * layer, and do not perform any credentials checks or input + * validation. + */ #ifndef COMPAT_43 error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd, data, ifp, td)); - if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL) + if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); #else { @@ -2590,7 +2602,9 @@ ifioctl(struct socket *so, u_long cmd, c data, ifp, td)); if (error == EOPNOTSUPP && ifp != NULL && - ifp->if_ioctl != NULL) + ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); switch (ocmd) { Modified: releng/9.1/sys/netinet6/in6.c ============================================================================== --- releng/9.1/sys/netinet6/in6.c Tue Sep 10 10:14:19 2013 (r255447) +++ releng/9.1/sys/netinet6/in6.c Tue Sep 10 10:15:33 2013 (r255448) 
@@ -421,6 +421,18 @@ in6_control(struct socket *so, u_long cm case SIOCGIFSTAT_ICMP6: sa6 = &ifr->ifr_addr; break; + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-INET6 ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); default: sa6 = NULL; break; Modified: releng/9.1/sys/netnatm/natm.c ============================================================================== --- releng/9.1/sys/netnatm/natm.c Tue Sep 10 10:14:19 2013 (r255447) +++ releng/9.1/sys/netnatm/natm.c Tue Sep 10 10:15:33 2013 (r255448) 
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_lo npcb = (struct natmpcb *)so->so_pcb; KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL")); + switch (cmd) { + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-ATM ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); + } + if (ifp == NULL || ifp->if_ioctl == NULL) return (EOPNOTSUPP); return ((*ifp->if_ioctl)(ifp, cmd, arg));
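
Review bot: null_link() in the null_vnops.c hunk at @@ -815 carries no comment, and the reason for comparing ap->a_tdvp->v_mount with ap->a_vp->v_mount appears only in the commit log. Suggest a short comment above the function stating that the target directory and the source vnode must belong to the same nullfs mount and that EXDEV is returned otherwise, since the log describes the case as different nullfs mounts of the same underlying filesystem.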
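
Review bot: in the first if.c hunk (@@ -2542), a filtered SIOCSIF* request leaves error at the EOPNOTSUPP returned by pru_control, while the in6_control and natm_usr_control hunks reject the same four commands with EINVAL. The new comment should say which errno callers are meant to see, or the two paths should agree. The four-way cmd != chain is also repeated verbatim in the COMPAT_43 hunk; a small predicate would keep the two lists identical.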
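
Review bot: in the COMPAT_43 hunk of if.c (@@ -2590), the exclusion is tested on cmd although this branch also tracks ocmd (see the switch (ocmd) immediately after the call). cmd is the value passed to (*ifp->if_ioctl), so the test is on the right variable, but nothing at this spot says so; suggest a one-line comment noting that the filter applies to the command value actually handed to the driver.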
From: Glen Barber
Date: Tue, 10 Sep 2013 19:00:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r255456 - releng/9.2/sys/kern
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Tue, 10 Sep 2013 19:00:32 -0000

Author: gjb
Date: Tue Sep 10 19:00:32 2013
New Revision: 255456
URL: http://svnweb.freebsd.org/changeset/base/255456

Log:
  Reintegrate r250907 (previously reverted as r254754) plus MFS r254947,
  r255443:

  r250907 (scottl):
  MFC r248830, r250027, r250409:
  Several fixes and improvements to sendfile()

  r254947 (kib):
  NFS implementation of VOP_READ() sometimes upgrades the vnode lock,
  which causes drop of the shared lock and sleep for exclusive. As result,
  busying of the page before the call to vn_rdwr() makes NFS code to wait
  for vnode lock while page is busy, which contradicts the proper order of
  vnode lock -> busy.

  r255443 (des):
  Fix the length calculation for the final block of a sendfile(2)
  transmission which could be tricked into rounding up to the nearest page
  size, leaking up to a page of kernel memory. [13:11]

  Approved by: re (delphij)
  Sponsored by: The FreeBSD Foundation

Modified:
  releng/9.2/sys/kern/uipc_syscalls.c
Directory Properties:
  releng/9.2/sys/ (props changed)

Modified: releng/9.2/sys/kern/uipc_syscalls.c ============================================================================== --- releng/9.2/sys/kern/uipc_syscalls.c Tue Sep 10 18:40:43 2013 (r255455) +++ releng/9.2/sys/kern/uipc_syscalls.c Tue Sep 10 19:00:32 2013 (r255456)
@@ -1835,9 +1835,11 @@ kern_sendfile(struct thread *td, struct struct mbuf *m = NULL; struct sf_buf *sf; struct vm_page *pg; + struct vattr va; off_t off, xfsize, fsbytes = 0, sbytes = 0, rem = 0; int error, hdrlen = 0, mnw = 0; int vfslocked; + int bsize; struct sendfile_sync *sfs = NULL; /* @@ -1852,6 +1854,18 @@ kern_sendfile(struct thread *td, struct vfslocked = VFS_LOCK_GIANT(vp->v_mount); vn_lock(vp, LK_SHARED | LK_RETRY); if (vp->v_type == VREG) { + bsize = vp->v_mount->mnt_stat.f_iosize; + if (uap->nbytes == 0) { + error = VOP_GETATTR(vp, &va, td->td_ucred); + if (error != 0) { + VOP_UNLOCK(vp, 0); + VFS_UNLOCK_GIANT(vfslocked); + obj = NULL; + goto out; + } + rem = va.va_size; + } else + rem = uap->nbytes; obj = vp->v_object; if (obj != NULL) { /* @@ -1869,7 +1883,8 @@ kern_sendfile(struct thread *td, struct obj = NULL; } } - } + } else + bsize = 0; /* silence gcc */ VOP_UNLOCK(vp, 0); VFS_UNLOCK_GIANT(vfslocked); if (obj == NULL) { @@ -1962,11 +1977,20 @@ kern_sendfile(struct thread *td, struct * The outer loop checks the state and available space of the socket * and takes care of the overall progress. */ - for (off = uap->offset, rem = uap->nbytes; ; ) { - struct mbuf *mtail = NULL; - int loopbytes = 0; - int space = 0; - int done = 0; + for (off = uap->offset; ; ) { + struct mbuf *mtail; + int loopbytes; + int space; + int done; + + if ((uap->nbytes != 0 && uap->nbytes == fsbytes) || + (uap->nbytes == 0 && va.va_size == fsbytes)) + break; + + mtail = NULL; + loopbytes = 0; + space = 0; + done = 0; /* * Check the socket state for ongoing connection, 
@@ -2034,6 +2058,20 @@ retry_space: */ space -= hdrlen; + vfslocked = VFS_LOCK_GIANT(vp->v_mount); + error = vn_lock(vp, LK_SHARED); + if (error != 0) { + VFS_UNLOCK_GIANT(vfslocked); + goto done; + } + error = VOP_GETATTR(vp, &va, td->td_ucred); + if (error != 0 || off >= va.va_size) { + VOP_UNLOCK(vp, 0); + VFS_UNLOCK_GIANT(vfslocked); + goto done; + } + VFS_UNLOCK_GIANT(vfslocked); + /* * Loop and construct maximum sized mbuf chain to be bulk * dumped into socket buffer. @@ -2043,25 +2081,19 @@ retry_space: vm_offset_t pgoff; struct mbuf *m0; - VM_OBJECT_LOCK(obj); /* * Calculate the amount to transfer. * Not to exceed a page, the EOF, * or the passed in nbytes. */ pgoff = (vm_offset_t)(off & PAGE_MASK); - xfsize = omin(PAGE_SIZE - pgoff, - obj->un_pager.vnp.vnp_size - uap->offset - - fsbytes - loopbytes); - if (uap->nbytes) - rem = (uap->nbytes - fsbytes - loopbytes); - else - rem = obj->un_pager.vnp.vnp_size - - uap->offset - fsbytes - loopbytes; - xfsize = omin(rem, xfsize); + rem = va.va_size - uap->offset; + if (uap->nbytes != 0) + rem = omin(rem, uap->nbytes); + rem -= fsbytes + loopbytes; + xfsize = omin(PAGE_SIZE - pgoff, rem); xfsize = omin(space - loopbytes, xfsize); if (xfsize <= 0) { - VM_OBJECT_UNLOCK(obj); done = 1; /* all data sent */ break; } @@ -2071,6 +2103,7 @@ retry_space: * if not found or wait and loop if busy. */ pindex = OFF_TO_IDX(off); + VM_OBJECT_LOCK(obj); pg = vm_page_grab(obj, pindex, VM_ALLOC_NOBUSY | VM_ALLOC_NORMAL | VM_ALLOC_WIRED | VM_ALLOC_RETRY); 
@@ -2088,42 +2121,25 @@ retry_space: else if (uap->flags & SF_NODISKIO) error = EBUSY; else { - int bsize; ssize_t resid; - /* - * Ensure that our page is still around - * when the I/O completes. - */ - vm_page_io_start(pg); VM_OBJECT_UNLOCK(obj); /* * Get the page from backing store. - */ - vfslocked = VFS_LOCK_GIANT(vp->v_mount); - error = vn_lock(vp, LK_SHARED); - if (error != 0) - goto after_read; - bsize = vp->v_mount->mnt_stat.f_iosize; - - /* * XXXMAC: Because we don't have fp->f_cred * here, we pass in NOCRED. This is probably * wrong, but is consistent with our original * implementation. */ + vfslocked = VFS_LOCK_GIANT(vp->v_mount); error = vn_rdwr(UIO_READ, vp, NULL, MAXBSIZE, trunc_page(off), UIO_NOCOPY, IO_NODELOCKED | IO_VMIO | ((MAXBSIZE / bsize) << IO_SEQSHIFT), td->td_ucred, NOCRED, &resid, td); - VOP_UNLOCK(vp, 0); - after_read: VFS_UNLOCK_GIANT(vfslocked); - VM_OBJECT_LOCK(obj); - vm_page_io_finish(pg); - if (!error) - VM_OBJECT_UNLOCK(obj); + if (error) + VM_OBJECT_LOCK(obj); mbstat.sf_iocnt++; } if (error) { @@ -2174,7 +2190,7 @@ retry_space: m0 = m_get((mnw ? M_NOWAIT : M_WAITOK), MT_DATA); if (m0 == NULL) { error = (mnw ? EAGAIN : ENOBUFS); - sf_buf_mext((void *)sf_buf_kva(sf), sf); + sf_buf_mext(NULL, sf); break; } MEXTADD(m0, sf_buf_kva(sf), PAGE_SIZE, sf_buf_mext, 
@@ -2202,6 +2218,8 @@ retry_space: } } + VOP_UNLOCK(vp, 0); + /* Add the buffer chain to the socket buffer. */ if (m != NULL) { int mlen, err;
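
Review bot: the else bsize = 0; /* silence gcc */ arm (@@ -1869) leaves a zero that the later vn_rdwr() call divides by in (MAXBSIZE / bsize). That is safe only as long as non-VREG vnodes are turned away at the if (obj == NULL) check that follows; the comment should say so instead of naming only the compiler warning, or a KASSERT(bsize != 0, ...) should sit next to the division.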
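
Review bot: the new early exit at the top of the outer loop (@@ -1962) compares va.va_size with fsbytes without subtracting uap->offset, whereas the length calculation further down works from va.va_size - uap->offset. For nbytes == 0 and a non-zero offset the test therefore does not become true when the last byte has been sent, and termination is left to the xfsize <= 0 check; either subtract the offset here or note that this test is only a shortcut.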
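
Review bot: the block added after space -= hdrlen (@@ -2034) takes the vnode lock and enters the inner loop with it still held; the matching VOP_UNLOCK(vp, 0) is the one added at @@ -2202, ahead of "Add the buffer chain to the socket buffer". Nothing marks that span, so a later goto out of the inner loop would leak the lock; suggest a comment at both ends stating that the vnode stays share-locked across the inner loop. The off >= va.va_size branch also reaches done with error == 0, which deserves a word saying that end of file is not an error here.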
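
Review bot: the rewritten length calculation (@@ -2043) is the change the log describes as the fix for the final-block rounding, yet the comment above it is unchanged. Suggest recording the invariant that xfsize never exceeds rem, the bytes left before va.va_size or nbytes, and that rem can turn negative if the file shrank between iterations, which the xfsize <= 0 test then treats as "all data sent".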
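
Review bot: after vn_rdwr() in the @@ -2088 hunk, VM_OBJECT_LOCK(obj) is now taken only when error is set, the reverse of the removed if (!error) VM_OBJECT_UNLOCK(obj). The asymmetry is presumably what the if (error) block that follows expects, but it reads like a slip; a one-line comment on the object lock state for each outcome would help. The hunk also drops vm_page_io_start()/vm_page_io_finish() together with the "Ensure that our page is still around" comment without saying what now keeps the page in place while the object is unlocked; if it is the VM_ALLOC_WIRED grab just above, say so.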
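
Review bot: in the m_get() failure path (@@ -2174) the first argument of sf_buf_mext() changes from (void *)sf_buf_kva(sf) to NULL with no explanation. If the function ignores that argument, a brief comment or a mention in the log would save the next reader from checking; if it does not, passing NULL needs justifying.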
From: Glen Barber
Date: Wed, 11 Sep 2013 00:42:51 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r255465 - in releng/9.2: release sys/conf
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Wed, 11 Sep 2013 00:42:51 -0000

Author: gjb
Date: Wed Sep 11 00:42:50 2013
New Revision: 255465
URL: http://svnweb.freebsd.org/changeset/base/255465

Log:
  Update releng/9.2 to -RC4.

  Approved by: re (implicit)

Modified:
  releng/9.2/release/Makefile.sysinstall
  releng/9.2/sys/conf/newvers.sh

Modified: releng/9.2/release/Makefile.sysinstall ============================================================================== --- releng/9.2/release/Makefile.sysinstall Wed Sep 11 00:19:16 2013 (r255464) +++ releng/9.2/release/Makefile.sysinstall Wed Sep 11 00:42:50 2013 (r255465) @@ -24,7 +24,7 @@ # Set these, release builder! # # Fixed version: -#BUILDNAME=9.2-RC3 +#BUILDNAME=9.2-RC4 # # Automatic SNAP versioning: DATE != date +%Y%m%d Modified: releng/9.2/sys/conf/newvers.sh ============================================================================== --- releng/9.2/sys/conf/newvers.sh Wed Sep 11 00:19:16 2013 (r255464) +++ releng/9.2/sys/conf/newvers.sh Wed Sep 11 00:42:50 2013 (r255465) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.2" -BRANCH="RC3-p1" +BRANCH="RC4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi