From owner-svn-src-releng@freebsd.org Tue May 17 22:28:12 2016 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8D8E6B40574; Tue, 17 May 2016 22:28:12 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4F3671B4D; Tue, 17 May 2016 22:28:12 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4HMSBUK011969; Tue, 17 May 2016 22:28:11 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4HMSBou011965; Tue, 17 May 2016 22:28:11 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201605172228.u4HMSBou011965@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff
Date: Tue, 17 May 2016 22:28:11 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r300085 - in releng/10.1: . sys/conf sys/dev/kbd sys/kern

Author: glebius
Date: Tue May 17 22:28:11 2016
New Revision: 300085
URL: https://svnweb.freebsd.org/changeset/base/300085

Log:
  - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
  - Validate that user supplied control message length in sendmsg(2)
    is not negative.

  Security:     SA-16:18
  Security:     CVE-2016-1886
  Security:     SA-16:19
  Security:     CVE-2016-1887
  Submitted by: C Turt
  Approved by:  so

Modified:
  releng/10.1/UPDATING
  releng/10.1/sys/conf/newvers.sh
  releng/10.1/sys/dev/kbd/kbd.c
  releng/10.1/sys/kern/uipc_syscalls.c

Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING    Tue May 17 21:35:35 2016    (r300084)
+++ releng/10.1/UPDATING    Tue May 17 22:28:11 2016    (r300085)
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160517 p34 FreeBSD-SA-16:18.atkbd + FreeBSD-SA-16:19.sendmsg + + Fix buffer overflow in keyboard driver. [SA-16:18] + + Fix incorrect argument handling in sendmsg(2). [SA-16:19] + 20160504 p33 FreeBSD-SA-16:17.openssl FreeBSD-EN-16:08.zfs Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Tue May 17 21:35:35 2016 (r300084) +++ releng/10.1/sys/conf/newvers.sh Tue May 17 22:28:11 2016 (r300085) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p33" +BRANCH="RELEASE-p34" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.1/sys/dev/kbd/kbd.c ============================================================================== --- releng/10.1/sys/dev/kbd/kbd.c Tue May 17 21:35:35 2016 (r300084) +++ releng/10.1/sys/dev/kbd/kbd.c Tue May 17 22:28:11 2016 (r300085) @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo splx(s); return (error); } - kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK); + kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK); bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str, kbd->kb_fkeytab[fkeyp->keynum].len); break; Modified: releng/10.1/sys/kern/uipc_syscalls.c ============================================================================== --- releng/10.1/sys/kern/uipc_syscalls.c Tue May 17 21:35:35 2016 (r300084) +++ releng/10.1/sys/kern/uipc_syscalls.c Tue May 17 22:28:11 2016 (r300085) 
@@ -1787,6 +1787,9 @@ sockargs(mp, buf, buflen, type) struct mbuf *m; int error; + if (buflen < 0) + return (EINVAL); + if (buflen > MLEN) { #ifdef COMPAT_OLDSOCK if (type == MT_SONAME && buflen <= 112)
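Review bot: in the kbd.c hunk, replacing imin() with min() fixes the overflow only through the unsigned conversion of fkeyp->flen (a negative value becomes a large u_int and is clamped to MAXFK), and nothing in the code says so; suggest a one-line comment above the assignment, or better an explicit `if (fkeyp->flen < 0 || fkeyp->flen > MAXFK) { splx(s); return (EINVAL); }` so a malformed request is rejected rather than silently truncated. The visible context also does not show a range check on fkeyp->keynum before it is used as the kb_fkeytab index; confirm one exists above this hunk.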
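Review bot: the new `if (buflen < 0) return (EINVAL);` in the uipc_syscalls.c hunk sits correctly ahead of the `buflen > MLEN` test, but the hunk should say why it is needed: buflen is a signed int while the caller hands in an unsigned control length (msg_controllen from sendmsg(2)), so the caller's own unsigned comparison cannot catch the negative case. Suggest a comment to that effect, and consider changing sockargs()'s buflen parameter to socklen_t, or comparing through `(u_int)buflen > MLEN` as older code did, so the signed/unsigned boundary disappears instead of being guarded at one point.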

From: Gleb Smirnoff
Date: Tue, 17 May 2016 22:28:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r300086 - in releng/10.2: . sys/conf sys/dev/kbd sys/kern

Author: glebius
Date: Tue May 17 22:28:20 2016
New Revision: 300086
URL: https://svnweb.freebsd.org/changeset/base/300086

Log:
  - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
  - Validate that user supplied control message length in sendmsg(2)
    is not negative.

  Security:     SA-16:18
  Security:     CVE-2016-1886
  Security:     SA-16:19
  Security:     CVE-2016-1887
  Submitted by: C Turt
  Approved by:  so

Modified:
  releng/10.2/UPDATING
  releng/10.2/sys/conf/newvers.sh
  releng/10.2/sys/dev/kbd/kbd.c
  releng/10.2/sys/kern/uipc_syscalls.c

Modified: releng/10.2/UPDATING
==============================================================================
--- releng/10.2/UPDATING    Tue May 17 22:28:11 2016    (r300085)
+++ releng/10.2/UPDATING    Tue May 17 22:28:20 2016    (r300086)
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160517 p17 FreeBSD-SA-16:18.atkbd + FreeBSD-SA-16:19.sendmsg + + Fix buffer overflow in keyboard driver. [SA-16:18] + + Fix incorrect argument handling in sendmsg(2). [SA-16:19] + 20160504 p16 FreeBSD-SA-16:17.openssl FreeBSD-EN-16:07.ipi FreeBSD-EN-16:08.zfs Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Tue May 17 22:28:11 2016 (r300085) +++ releng/10.2/sys/conf/newvers.sh Tue May 17 22:28:20 2016 (r300086) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p16" +BRANCH="RELEASE-p17" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.2/sys/dev/kbd/kbd.c ============================================================================== --- releng/10.2/sys/dev/kbd/kbd.c Tue May 17 22:28:11 2016 (r300085) +++ releng/10.2/sys/dev/kbd/kbd.c Tue May 17 22:28:20 2016 (r300086) @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo splx(s); return (error); } - kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK); + kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK); bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str, kbd->kb_fkeytab[fkeyp->keynum].len); break; Modified: releng/10.2/sys/kern/uipc_syscalls.c ============================================================================== --- releng/10.2/sys/kern/uipc_syscalls.c Tue May 17 22:28:11 2016 (r300085) +++ releng/10.2/sys/kern/uipc_syscalls.c Tue May 17 22:28:20 2016 (r300086) 
@@ -1787,6 +1787,9 @@ sockargs(mp, buf, buflen, type) struct mbuf *m; int error; + if (buflen < 0) + return (EINVAL); + if (buflen > MLEN) { #ifdef COMPAT_OLDSOCK if (type == MT_SONAME && buflen <= 112)

From owner-svn-src-releng@freebsd.org Tue May 17 22:28:29 2016
Message-Id: <201605172228.u4HMSRP5012070@repo.freebsd.org>
From: Gleb Smirnoff
Date: Tue, 17 May 2016 22:28:27 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r300087 - in releng/10.3: . sys/conf sys/dev/kbd sys/kern

Author: glebius
Date: Tue May 17 22:28:27 2016
New Revision: 300087
URL: https://svnweb.freebsd.org/changeset/base/300087

Log:
  - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
  - Validate that user supplied control message length in sendmsg(2)
    is not negative.

  Security:     SA-16:18
  Security:     CVE-2016-1886
  Security:     SA-16:19
  Security:     CVE-2016-1887
  Submitted by: C Turt
  Approved by:  so

Modified:
  releng/10.3/UPDATING
  releng/10.3/sys/conf/newvers.sh
  releng/10.3/sys/dev/kbd/kbd.c
  releng/10.3/sys/kern/uipc_syscalls.c

Modified: releng/10.3/UPDATING
==============================================================================
--- releng/10.3/UPDATING    Tue May 17 22:28:20 2016    (r300086)
+++ releng/10.3/UPDATING    Tue May 17 22:28:27 2016    (r300087)
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160517 p3 FreeBSD-SA-16:18.atkbd + FreeBSD-SA-16:19.sendmsg + + Fix buffer overflow in keyboard driver. [SA-16:18] + + Fix incorrect argument handling in sendmsg(2). [SA-16:19] + 20160504 p2 FreeBSD-SA-16:17.openssl FreeBSD-EN-16:06.libc FreeBSD-EN-16:07.ipi Modified: releng/10.3/sys/conf/newvers.sh ============================================================================== --- releng/10.3/sys/conf/newvers.sh Tue May 17 22:28:20 2016 (r300086) +++ releng/10.3/sys/conf/newvers.sh Tue May 17 22:28:27 2016 (r300087) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.3/sys/dev/kbd/kbd.c ============================================================================== --- releng/10.3/sys/dev/kbd/kbd.c Tue May 17 22:28:20 2016 (r300086) +++ releng/10.3/sys/dev/kbd/kbd.c Tue May 17 22:28:27 2016 (r300087) @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo splx(s); return (error); } - kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK); + kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK); bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str, kbd->kb_fkeytab[fkeyp->keynum].len); break; Modified: releng/10.3/sys/kern/uipc_syscalls.c ============================================================================== --- releng/10.3/sys/kern/uipc_syscalls.c Tue May 17 22:28:20 2016 (r300086) +++ releng/10.3/sys/kern/uipc_syscalls.c Tue May 17 22:28:27 2016 (r300087) 
@@ -1787,6 +1787,9 @@ sockargs(mp, buf, buflen, type) struct mbuf *m; int error; + if (buflen < 0) + return (EINVAL); + if (buflen > MLEN) { #ifdef COMPAT_OLDSOCK if (type == MT_SONAME && buflen <= 112)

From owner-svn-src-releng@freebsd.org Tue May 17 22:28:38 2016
Message-Id: <201605172228.u4HMSbhj012124@repo.freebsd.org>
From: Gleb Smirnoff
Date: Tue, 17 May 2016 22:28:37 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd

Author: glebius
Date: Tue May 17 22:28:36 2016
New Revision: 300088
URL: https://svnweb.freebsd.org/changeset/base/300088

Log:
  - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
  - Validate that user supplied control message length in sendmsg(2)
    is not negative.

  Security:     SA-16:18
  Security:     CVE-2016-1886
  Security:     SA-16:19
  Security:     CVE-2016-1887
  Submitted by: C Turt
  Approved by:  so

Modified:
  releng/9.3/UPDATING
  releng/9.3/sys/conf/newvers.sh
  releng/9.3/sys/dev/kbd/kbd.c

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING    Tue May 17 22:28:27 2016    (r300087)
+++ releng/9.3/UPDATING    Tue May 17 22:28:36 2016    (r300088)
@@ -11,6 +11,10 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20160517 p42 FreeBSD-SA-16:18.atkbd + + Fix buffer overflow in keyboard driver. [SA-16:18] + 20160504 p41 FreeBSD-SA-16:17.openssl FreeBSD-EN-16:08.zfs

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh    Tue May 17 22:28:27 2016    (r300087)
+++ releng/9.3/sys/conf/newvers.sh    Tue May 17 22:28:36 2016    (r300088)
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p41" +BRANCH="RELEASE-p42" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/sys/dev/kbd/kbd.c ============================================================================== --- releng/9.3/sys/dev/kbd/kbd.c Tue May 17 22:28:27 2016 (r300087) +++ releng/9.3/sys/dev/kbd/kbd.c Tue May 17 22:28:36 2016 (r300088) 
@@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo splx(s); return (error); } - kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK); + kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK); bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str, kbd->kb_fkeytab[fkeyp->keynum].len); break;

From owner-svn-src-releng@freebsd.org Tue May 17 22:59:36 2016
Subject: Re: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
To: Gleb Smirnoff, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
References: <201605172228.u4HMSbhj012124@repo.freebsd.org>
From: Bryan Drewery
Message-ID: <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org>
Date: Tue, 17 May 2016 15:59:26 -0700
In-Reply-To: <201605172228.u4HMSbhj012124@repo.freebsd.org>

On 5/17/2016 3:28 PM, Gleb Smirnoff wrote:
> Author: glebius
> Date: Tue May 17 22:28:36 2016
> New Revision: 300088
> URL: https://svnweb.freebsd.org/changeset/base/300088
>
> Log:
>   - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
>   - Validate that user supplied control message length in sendmsg(2)
>     is not negative.

The sendmsg(2) change is not included here (9.3) nor in the advisory but
is in the commit log. Was it intended to be changed in 9.3?

Plus the only consumer I see is sendit() which seems to be protected
already from negative values when not using COMPAT_43:

>         if (mp->msg_controllen < sizeof(struct cmsghdr)
> #ifdef COMPAT_OLDSOCK
>             && mp->msg_flags != MSG_COMPAT
> #endif
>         ) {
>                 error = EINVAL;
>                 goto bad;
>         }
>         error = sockargs(&control, mp->msg_control,
>             mp->msg_controllen, MT_CONTROL);
...

>
>   Security:     SA-16:18
>   Security:     CVE-2016-1886
>   Security:     SA-16:19
>   Security:     CVE-2016-1887
>   Submitted by: C Turt
>   Approved by:  so
>
> Modified:
>   releng/9.3/UPDATING
>   releng/9.3/sys/conf/newvers.sh
>   releng/9.3/sys/dev/kbd/kbd.c
>
> Modified: releng/9.3/UPDATING
> ==============================================================================
> --- releng/9.3/UPDATING    Tue May 17 22:28:27 2016    (r300087)
> +++ releng/9.3/UPDATING    Tue May 17 22:28:36 2016    (r300088)
> @@ -11,6 +11,10 @@ handbook: > Items affecting the ports and packages system can be found in > /usr/ports/UPDATING. Please read that file before running portupgrade. > > +20160517 p42 FreeBSD-SA-16:18.atkbd > + > + Fix buffer overflow in keyboard driver. [SA-16:18] > + > 20160504 p41 FreeBSD-SA-16:17.openssl > FreeBSD-EN-16:08.zfs
>
> Modified: releng/9.3/sys/conf/newvers.sh
> ==============================================================================
> --- releng/9.3/sys/conf/newvers.sh    Tue May 17 22:28:27 2016    (r300087)
> +++ releng/9.3/sys/conf/newvers.sh    Tue May 17 22:28:36 2016    (r300088)
> @@ -32,7 +32,7 @@ > > TYPE="FreeBSD" > REVISION="9.3" > -BRANCH="RELEASE-p41" > +BRANCH="RELEASE-p42" > if [ "X${BRANCH_OVERRIDE}" != "X" ]; then > BRANCH=${BRANCH_OVERRIDE} > fi
>
> Modified: releng/9.3/sys/dev/kbd/kbd.c
> ==============================================================================
> --- releng/9.3/sys/dev/kbd/kbd.c    Tue May 17 22:28:27 2016    (r300087)
> +++ releng/9.3/sys/dev/kbd/kbd.c    Tue May 17 22:28:36 2016    (r300088)
> @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo > splx(s); > return (error); > } > - kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK); > + kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK); > bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str, > kbd->kb_fkeytab[fkeyp->keynum].len); > break;
>

--
Regards,
Bryan Drewery

From owner-svn-src-releng@freebsd.org Tue May 17 23:07:14 2016
Date: Tue, 17 May 2016 16:07:10 -0700
From: Gleb Smirnoff
To: Bryan Drewery
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: Re: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
Message-ID: <20160517230710.GB1015@FreeBSD.org>
References: <201605172228.u4HMSbhj012124@repo.freebsd.org> <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org>
In-Reply-To: <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org>

On Tue, May 17, 2016 at 03:59:26PM -0700, Bryan Drewery wrote:
B> > Author: glebius
B> > Date: Tue May 17 22:28:36 2016
B> > New Revision: 300088
B> > URL: https://svnweb.freebsd.org/changeset/base/300088
B> >
B> > Log:
B> >   - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
B> >   - Validate that user supplied control message length in sendmsg(2)
B> >     is not negative.
B>
B> The sendmsg(2) change is not included here (9.3) nor in the advisory but
B> is in the commit log. Was it intended to be changed in 9.3?

That was my failure to mention SA-16:19 in commit message for 9.3. It doesn't
apply to 9.x.

B> Plus the only consumer I see is sendit() which seems to be protected
B> already from negative values when not using COMPAT_43:
B>
B> >         if (mp->msg_controllen < sizeof(struct cmsghdr)
B> > #ifdef COMPAT_OLDSOCK
B> >             && mp->msg_flags != MSG_COMPAT
B> > #endif
B> >         ) {
B> >                 error = EINVAL;
B> >                 goto bad;
B> >         }
B> >         error = sockargs(&control, mp->msg_control,
B> >             mp->msg_controllen, MT_CONTROL);

No, it isn't protected. In the comparison (mp->msg_controllen < sizeof(struct cmsghdr))
both values are unsigned. Later in sockargs() it is treated as signed.

--
Totus tuus, Glebius.

From owner-svn-src-releng@freebsd.org Tue May 17 23:10:10 2016
Subject: Re: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
To: Gleb Smirnoff
References: <201605172228.u4HMSbhj012124@repo.freebsd.org> <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org> <20160517230710.GB1015@FreeBSD.org>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
From: Bryan Drewery
Message-ID: <38ca6091-5607-5796-9f6e-7f2d6c117707@FreeBSD.org>
Date: Tue, 17 May 2016 16:10:05 -0700
In-Reply-To: <20160517230710.GB1015@FreeBSD.org>

On 5/17/16 4:07 PM, Gleb Smirnoff wrote:
> On Tue, May 17, 2016 at 03:59:26PM -0700, Bryan Drewery wrote:
> B> > Author: glebius
> B> > Date: Tue May 17 22:28:36 2016
> B> > New Revision: 300088
> B> > URL: https://svnweb.freebsd.org/changeset/base/300088
> B> >
> B> > Log:
> B> >   - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
> B> >   - Validate that user supplied control message length in sendmsg(2)
> B> >     is not negative.
> B>
> B> The sendmsg(2) change is not included here (9.3) nor in the advisory but
> B> is in the commit log. Was it intended to be changed in 9.3?
>
> That was my failure to mention SA-16:19 in commit message for 9.3. It doesn't
> apply to 9.x.
>
> B> Plus the only consumer I see is sendit() which seems to be protected
> B> already from negative values when not using COMPAT_43:
> B>
> B> >         if (mp->msg_controllen < sizeof(struct cmsghdr)
> B> > #ifdef COMPAT_OLDSOCK
> B> >             && mp->msg_flags != MSG_COMPAT
> B> > #endif
> B> >         ) {
> B> >                 error = EINVAL;
> B> >                 goto bad;
> B> >         }
> B> >         error = sockargs(&control, mp->msg_control,
> B> >             mp->msg_controllen, MT_CONTROL);
>
> No, it isn't protected. In the comparison (mp->msg_controllen < sizeof(struct cmsghdr))
> both values are unsigned. Later in sockargs() it is treated as signed.

Ah, I see the (u_int)buflen casts on the older code now. Thanks.

--
Regards,
Bryan Drewery

From owner-svn-src-releng@freebsd.org Wed May 18 02:41:58 2016
Date: Wed, 18 May 2016 12:41:51 +1000 (EST)
From: Bruce Evans
To: Bryan Drewery
cc: Gleb Smirnoff, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: Re: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
In-Reply-To: <38ca6091-5607-5796-9f6e-7f2d6c117707@FreeBSD.org>
Message-ID: <20160518124147.V7042@besplex.bde.org>
References: <201605172228.u4HMSbhj012124@repo.freebsd.org> <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org> <20160517230710.GB1015@FreeBSD.org> <38ca6091-5607-5796-9f6e-7f2d6c117707@FreeBSD.org>

On Tue, 17 May 2016, Bryan Drewery wrote:

> On 5/17/16 4:07 PM, Gleb Smirnoff wrote:
>> On Tue, May 17, 2016 at 03:59:26PM -0700, Bryan Drewery wrote:
>> B> > Author: glebius
>> B> > Date: Tue May 17 22:28:36 2016
>> B> > New Revision: 300088
>> B> > URL: https://svnweb.freebsd.org/changeset/base/300088
>> B> >
>> B> > Log:
>> B> > - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
>> B> > - Validate that user supplied control message length in sendmsg(2)
>> B> > is not negative.
>> B>
>> B> The sendmsg(2) change is not included here (9.3) nor in the advisory but
>> B> is in the commit log. Was it intended to be changed in 9.3?
>>
>> That was my failure to mention SA-16:19 in commit message for 9.3. It doesn't
>> apply to 9.x.
>>
>> B> Plus the only consumer I see is sendit() which seems to be protected
>> B> already from negative values when not using COMPAT_43:
>> B>
>> B> > if (mp->msg_controllen < sizeof(struct cmsghdr)
>> B> > #ifdef COMPAT_OLDSOCK
>> B> > && mp->msg_flags != MSG_COMPAT
>> B> > #endif
>> B> > ) {
>> B> > error = EINVAL;
>> B> > goto bad;
>> B> > }
>> B> > error = sockargs(&control, mp->msg_control,
>> B> > mp->msg_controllen, MT_CONTROL);
>>
>> No, it isn't protected. In the comparison (mp->msg_controllen < sizeof(struct cmsghdr))
>> both values are unsigned. Later in sockargs() it is treated as signed.

But it is protected (except on exotic unsupported arches). The above is a complete bounds check for mp->msg_controllen, written in an obfuscated way using an unsigned type botch/hack. Negative values are normally promoted to large unsigned values, so they fail this check and sockargs() is never called with them.

On exotic arches, the analysis is more complicated and the hack doesn't work. It isn't true in general that both values are unsigned (after promotion). E.g., size_t might be uint31_t and int int32_t. Then the binary promotions give int for both operands. Negative values always pass the bounds check then.

Part of the botch is the design error that sizeof() is unsigned. This makes it hard to use. It poisons nearby signed types worse than const poisons pointer types.

> Ah, I see the (u_int)buflen casts on the older code now. Thanks.

That is a different way of writing the botch/hack. It ensures that the hack works for a left operand that has signed type int or small and a right operand that is >= 0 and is representable as u_int. It ensures that both operands are promoted to u_int, with negative values becoming large unsigned ones. I think. This requires int to not have a very large negative range. (u_int)-1 is UINT_MAX, but it isn't so clear what (u_int)INT_MIN is.

In fact, I think it can be 0 with 31-bit u_int padded to 32 bits and 32-bit int with INT_MIN = 0x80000000. If this is allowed, then (u_int)INT_MIN is 0.

The botch/hack should never be used. Just check for negative values like sockargs() now does. But it is probably better to check in the caller (not using the botch/hack).

I also don't like the change from imin() to min() in kbd.c. One of the args is a small integer (MAXFK = 16). Since this doesn't use sizeof(), it doesn't encourage an unsigned botch. The other arg is 'char flen'. char should never be used for numeric values, but this is an old API written before int8_t was available. Using int8_t instead of simply int might be reasonable packing.

flen seems to be only initialized once, from .len. This already gives undefined behaviour from overflow, since len has type u_char. The bounds check should be before this assignment, or just use the same type. Using the unsigned botch for len is probably not justified, but u_char is good for packing. If the common type is int8_t or signed char (or plain char to maximise complications), then a check that the length >= 0 will be needed later if the table is under user control. Perhaps the length needs to be strictly > 0 so you need to check the lower bound even using the unsigned botch.

The packing using chars is actually just at the end. struct fkeytab is uchar [16] followed by 1 u_char for 'len' at the end. 4 bytes would be natural. On x86, this gives a 17-byte struct which gives a bad layout in arrays, and on other arches it gives portability problems. struct fkeyarg is u_short, then char [16], then 1 char for 'flen' at the end. 2 bytes would be natural.
Bruce

From owner-svn-src-releng@freebsd.org Wed May 18 20:05:45 2016
Date: Thu, 19 May 2016 06:05:36 +1000 (EST)
From: Bruce Evans
To: Bruce Evans
cc: Bryan Drewery, Gleb Smirnoff, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: Re: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
In-Reply-To: <20160518124147.V7042@besplex.bde.org>
Message-ID: <20160519060448.B1270@besplex.bde.org>
References: <201605172228.u4HMSbhj012124@repo.freebsd.org> <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org> <20160517230710.GB1015@FreeBSD.org> <38ca6091-5607-5796-9f6e-7f2d6c117707@FreeBSD.org> <20160518124147.V7042@besplex.bde.org>

On Wed, 18 May 2016, Bruce Evans wrote:

> On Tue, 17 May 2016, Bryan Drewery wrote:
>
>> On 5/17/16 4:07 PM, Gleb Smirnoff wrote:
>>> On Tue, May 17, 2016 at 03:59:26PM -0700, Bryan Drewery wrote:
>>> B> > Author: glebius
>>> B> > Date: Tue May 17 22:28:36 2016
>>> B> > New Revision: 300088
>>> B> > URL: https://svnweb.freebsd.org/changeset/base/300088
>>> B> >
>>> B> > Log:
>>> B> > - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
>>> B> > - Validate that user supplied control message length in sendmsg(2)
>>> B> > is not negative.
>>> B>
>>> B> The sendmsg(2) change is not included here (9.3) nor in the advisory but
>>> B> is in the commit log. Was it intended to be changed in 9.3?
>>>
>>> That was my failure to mention SA-16:19 in commit message for 9.3. It doesn't
>>> apply to 9.x.
>>>
>>> B> Plus the only consumer I see is sendit() which seems to be protected
>>> B> already from negative values when not using COMPAT_43:
>>> B>
>>> B> > if (mp->msg_controllen < sizeof(struct cmsghdr)
>>> B> > #ifdef COMPAT_OLDSOCK
>>> B> > && mp->msg_flags != MSG_COMPAT
>>> B> > #endif
>>> B> > ) {
>>> B> > error = EINVAL;
>>> B> > goto bad;
>>> B> > }
>>> B> > error = sockargs(&control, mp->msg_control,
>>> B> > mp->msg_controllen, MT_CONTROL);
>>>
>>> No, it isn't protected. In the comparison (mp->msg_controllen < sizeof(struct cmsghdr))
>>> both values are unsigned. Later in sockargs() it is treated as signed.
>
> But it is protected (except on exotic unsupported arches). The above is
> a complete bounds check for mp->msg_controllen, written in an obfuscated
> way using an unsigned type botch/hack. Negative values are normally
> promoted to large unsigned values, so they fail this check and sockargs()
> is never called with them.
>
> On exotic arches, the analysis is more complicated and the hack doesn't
> work.

...

Oops. I read this sort of backwards. The unsign botches are somewhat larger, and more like the one in kbd.c:

- this only checks the lower bound, so if the operands were negative then they would pass instead of fail the check after bogus unsign extension

- the operands are actually both unsigned, since msg_controllen already has unsigned poisoning. It was poisoned even in FreeBSD-1. It was u_int then. It is still u_int in 4.4BSD-Lite*. Now it is socklen_t, which is uint32_t. POSIX has messes for this. At least in the 2001 version, it doesn't seem to require the poisoning, but recommends that applications not use values above 2**31-1 [since these values require the poisoning to represent, and are not very useful except for opening security holes like here].

- so after passing the lower bound check, msg_controllen may have a large unsigned 32-bit value. Undefined behaviour occurs when we pass this to sockargs() which doesn't have unsign poisoning. Except on unsupported exotic arches, the behaviour is to overflow to a negative value.

- sockargs() then checks the overflowed value. This is robust enough if the overflow gives any value at all, but still bogus. Correct code would do bounds checks before calling sockargs (of the form val >= min && val <= INT_MAX), but there are several callers and it is convenient to check only in sockargs(). For that, sockargs must take a parameter with the same type as msg_controllen, although old unsign botches force this to be unsigned (precisely socklen_t). It is too late to change socklen_t back to int.

Bruce
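The following is an added example, not code from the FreeBSD tree or from anyone in this thread. It models the signed/unsigned checks the thread argues about in a self-contained way so the promotion effects can be observed directly: the quoted sendit() lower-bound test on an unsigned msg_controllen, the conversion to sockargs()'s int parameter and its post-fix negative check, the caller-side "val >= min && val <= INT_MAX" check Bruce suggests, the older (u_int)buflen cast idiom, and the kbd.c SETFKEY clamp with imin() (pre-fix), unsigned min() (post-fix) and an explicit bounds check. struct cmsghdr_model, MAXFK_MODEL and every function name are constructed stand-ins; the real kernel types are only assumed to behave as the thread describes (socklen_t being uint32_t, sockargs() taking int, MAXFK being 16).

```c
/*
 * Constructed model of the signed/unsigned length checks discussed in the
 * r300085/r300088 thread.  Not FreeBSD kernel code; all names are stand-ins.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct cmsghdr; only its size matters here. */
struct cmsghdr_model {
	size_t cmsg_len;
	int cmsg_level;
	int cmsg_type;
};

#define MAXFK_MODEL 16		/* assumption from the thread: MAXFK = 16 */

/*
 * The quoted sendit() test.  msg_controllen is unsigned (socklen_t), so
 * the comparison only enforces a lower bound.  Returns 1 if the value passes.
 */
int
sendit_check_passes(uint32_t msg_controllen)
{
	return (!(msg_controllen < sizeof(struct cmsghdr_model)));
}

/*
 * Conversion of the unsigned length to sockargs()'s int parameter.  An
 * out-of-range conversion is implementation-defined in C; on the
 * two's-complement targets FreeBSD supports it wraps to a negative value,
 * which is what the post-fix sockargs() check catches.
 */
int
as_sockargs_buflen(uint32_t msg_controllen)
{
	return ((int)msg_controllen);
}

/* Post-fix sockargs(): reject a negative buflen (EINVAL in the kernel). */
int
sockargs_accepts(int buflen)
{
	return (buflen >= 0);
}

/*
 * The caller-side check Bruce suggests: both bounds, evaluated in the
 * value's own unsigned type, so no narrowing conversion is ever needed.
 */
int
controllen_ok(uint32_t msg_controllen)
{
	return (msg_controllen >= sizeof(struct cmsghdr_model) &&
	    msg_controllen <= (uint32_t)INT_MAX);
}

/* The older "(u_int)buflen" idiom: a negative int becomes a huge u_int. */
int
old_cast_check_passes(int buflen, unsigned bound)
{
	return ((unsigned)buflen <= bound);
}

/* kbd.c SETFKEY clamp, pre-fix: signed imin() passes a negative flen through. */
int
fkey_len_imin(int flen)
{
	return (flen < MAXFK_MODEL ? flen : MAXFK_MODEL);
}

/* Post-fix: unsigned min(); a negative flen becomes a huge u_int, so MAXFK wins. */
int
fkey_len_umin(int flen)
{
	unsigned u = (unsigned)flen;

	return ((int)(u < (unsigned)MAXFK_MODEL ? u : (unsigned)MAXFK_MODEL));
}

/* The explicit check Bruce prefers: bounds on the signed value, no cast tricks. */
int
fkey_len_checked(int flen)
{
	if (flen < 0 || flen > MAXFK_MODEL)
		return (-1);	/* caller would return EINVAL */
	return (flen);
}

int
main(void)
{
	uint32_t big = 0xffffffffu;	/* constructed: largest socklen_t value */

	printf("0xffffffff: sendit passes=%d, as int=%d, sockargs accepts=%d, "
	    "controllen_ok=%d\n", sendit_check_passes(big),
	    as_sockargs_buflen(big), sockargs_accepts(as_sockargs_buflen(big)),
	    controllen_ok(big));
	printf("flen -1: imin=%d umin=%d checked=%d\n",
	    fkey_len_imin(-1), fkey_len_umin(-1), fkey_len_checked(-1));
	return (0);
}
```

Running it shows the two halves of the argument side by side: a value above INT_MAX passes the unsigned lower-bound test in sendit_check_passes() and only gets rejected once it has wrapped negative inside sockargs_accepts(), whereas controllen_ok() rejects it without any conversion; for the keyboard ioctl, fkey_len_imin(-1) returns -1 while fkey_len_umin(-1) and fkey_len_checked() both keep the length within 0..MAXFK.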