From: Gordon Tetlow Date: Tue, 28 Jan 2020 18:53:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r357215 - in releng: 11.3/lib/libc/secure 12.0/lib/libc/secure 12.1/lib/libc/secure X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.3/lib/libc/secure 12.0/lib/libc/secure 12.1/lib/libc/secure X-SVN-Commit-Revision: 357215 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2020 18:53:16 -0000 Author: gordon Date: Tue Jan 28 18:53:14 2020 New Revision: 357215 URL: https://svnweb.freebsd.org/changeset/base/357215 Log: Fix imprecise ordering of SSP canary initialization Submitted by: Kyle Evans Approved by: so Security: FreeBSD-EN-20:01.ssp Modified: releng/11.3/lib/libc/secure/stack_protector.c releng/12.0/lib/libc/secure/stack_protector.c releng/12.1/lib/libc/secure/stack_protector.c Modified: releng/11.3/lib/libc/secure/stack_protector.c ============================================================================== --- releng/11.3/lib/libc/secure/stack_protector.c Tue Jan 28 18:42:06 2020 (r357214) +++ releng/11.3/lib/libc/secure/stack_protector.c Tue Jan 28 18:53:14 2020 (r357215) 
@@ -40,11 +40,29 @@ __FBSDID("$FreeBSD$"); #include #include "libc_private.h" +/* + * We give __guard_setup a defined priority early on so that statically linked + * applications have a defined priority at which __stack_chk_guard will be + * getting initialized. This will not matter to most applications, because + * they're either not usually statically linked or they simply don't do things + * in constructors that would be adversely affected by their positioning with + * respect to this initialization. + * + * This conditional should be removed when GCC 4.2 is removed. + */ +#if __has_attribute(__constructor__) || __GNUC_PREREQ__(4, 3) +#define _GUARD_SETUP_CTOR_ATTR \ + __attribute__((__constructor__ (200), __used__)); +#else +#define _GUARD_SETUP_CTOR_ATTR \ + __attribute__((__constructor__, __used__)); +#endif + extern int __sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen); long __stack_chk_guard[8] = {0, 0, 0, 0, 0, 0, 0, 0}; -static void __guard_setup(void) __attribute__((__constructor__, __used__)); +static void __guard_setup(void) _GUARD_SETUP_CTOR_ATTR; static void __fail(const char *); void __stack_chk_fail(void); void __chk_fail(void); Modified: releng/12.0/lib/libc/secure/stack_protector.c ============================================================================== --- releng/12.0/lib/libc/secure/stack_protector.c Tue Jan 28 18:42:06 2020 (r357214) +++ releng/12.0/lib/libc/secure/stack_protector.c Tue Jan 28 18:53:14 2020 (r357215) 
@@ -40,11 +40,29 @@ __FBSDID("$FreeBSD$"); #include #include "libc_private.h" +/* + * We give __guard_setup a defined priority early on so that statically linked + * applications have a defined priority at which __stack_chk_guard will be + * getting initialized. This will not matter to most applications, because + * they're either not usually statically linked or they simply don't do things + * in constructors that would be adversely affected by their positioning with + * respect to this initialization. + * + * This conditional should be removed when GCC 4.2 is removed. + */ +#if __has_attribute(__constructor__) || __GNUC_PREREQ__(4, 3) +#define _GUARD_SETUP_CTOR_ATTR \ + __attribute__((__constructor__ (200), __used__)); +#else +#define _GUARD_SETUP_CTOR_ATTR \ + __attribute__((__constructor__, __used__)); +#endif + extern int __sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen); long __stack_chk_guard[8] = {0, 0, 0, 0, 0, 0, 0, 0}; -static void __guard_setup(void) __attribute__((__constructor__, __used__)); +static void __guard_setup(void) _GUARD_SETUP_CTOR_ATTR; static void __fail(const char *); void __stack_chk_fail(void); void __chk_fail(void); Modified: releng/12.1/lib/libc/secure/stack_protector.c ============================================================================== --- releng/12.1/lib/libc/secure/stack_protector.c Tue Jan 28 18:42:06 2020 (r357214) +++ releng/12.1/lib/libc/secure/stack_protector.c Tue Jan 28 18:53:14 2020 (r357215) 
@@ -40,11 +40,29 @@ __FBSDID("$FreeBSD$"); #include #include "libc_private.h" +/* + * We give __guard_setup a defined priority early on so that statically linked + * applications have a defined priority at which __stack_chk_guard will be + * getting initialized. This will not matter to most applications, because + * they're either not usually statically linked or they simply don't do things + * in constructors that would be adversely affected by their positioning with + * respect to this initialization. + * + * This conditional should be removed when GCC 4.2 is removed. + */ +#if __has_attribute(__constructor__) || __GNUC_PREREQ__(4, 3) +#define _GUARD_SETUP_CTOR_ATTR \ + __attribute__((__constructor__ (200), __used__)); +#else +#define _GUARD_SETUP_CTOR_ATTR \ + __attribute__((__constructor__, __used__)); +#endif + extern int __sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen); long __stack_chk_guard[8] = {0, 0, 0, 0, 0, 0, 0, 0}; -static void __guard_setup(void) __attribute__((__constructor__, __used__)); +static void __guard_setup(void) _GUARD_SETUP_CTOR_ATTR; static void __fail(const char *); void __stack_chk_fail(void); void __chk_fail(void);
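Review bot: Both definitions of _GUARD_SETUP_CTOR_ATTR end in a semicolon, and the declaration that uses the macro, 'static void __guard_setup(void) _GUARD_SETUP_CTOR_ATTR;', adds its own, so each of the three stack_protector.c copies now expands to ';;' at file scope. Drop the semicolon from the two macro bodies and keep the one at the use site. The priority 200 is also unexplained: the comment says why a defined priority is wanted but not why this value, so add a sentence on what is expected to run before and after it. The #if tests whether the constructor attribute exists rather than whether it accepts a priority argument, which the remark about GCC 4.2 suggests is the real concern; the comment should say which of the two the conditional is meant to detect.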
From: Gordon Tetlow Date: Tue, 28 Jan 2020 18:54:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r357216 - in releng: 11.3/sys/kern 12.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.3/sys/kern 12.0/sys/kern X-SVN-Commit-Revision: 357216 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2020 18:54:16 -0000 Author: gordon Date: Tue Jan 28 18:54:15 2020 New Revision: 357216 URL: https://svnweb.freebsd.org/changeset/base/357216 Log: Fix nmount invalid pointer dereference Submitted by: Andrew Turner Approved by: so Security: FreeBSD-EN-20:02.nmount Modified: releng/11.3/sys/kern/vfs_mount.c releng/12.0/sys/kern/vfs_mount.c Modified: releng/11.3/sys/kern/vfs_mount.c ============================================================================== --- releng/11.3/sys/kern/vfs_mount.c Tue Jan 28 18:53:14 2020 (r357215) +++ releng/11.3/sys/kern/vfs_mount.c Tue Jan 28 18:54:15 2020 (r357216) @@ -591,7 +591,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru */ fstypelen = 0; error = vfs_getopt(optlist, "fstype", (void **)&fstype, &fstypelen); - if (error || fstype[fstypelen - 1] != '\0') { + if (error || fstypelen <= 0 || fstype[fstypelen - 1] != '\0') { error = EINVAL; if (errmsg != NULL) strncpy(errmsg, "Invalid fstype", errmsg_len); 
@@ -599,7 +599,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru } fspathlen = 0; error = vfs_getopt(optlist, "fspath", (void **)&fspath, &fspathlen); - if (error || fspath[fspathlen - 1] != '\0') { + if (error || fspathlen <= 0 || fspath[fspathlen - 1] != '\0') { error = EINVAL; if (errmsg != NULL) strncpy(errmsg, "Invalid fspath", errmsg_len); Modified: releng/12.0/sys/kern/vfs_mount.c ============================================================================== --- releng/12.0/sys/kern/vfs_mount.c Tue Jan 28 18:53:14 2020 (r357215) +++ releng/12.0/sys/kern/vfs_mount.c Tue Jan 28 18:54:15 2020 (r357216) @@ -603,7 +603,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru */ fstypelen = 0; error = vfs_getopt(optlist, "fstype", (void **)&fstype, &fstypelen); - if (error || fstype[fstypelen - 1] != '\0') { + if (error || fstypelen <= 0 || fstype[fstypelen - 1] != '\0') { error = EINVAL; if (errmsg != NULL) strncpy(errmsg, "Invalid fstype", errmsg_len); 
@@ -611,7 +611,7 @@ vfs_donmount(struct thread *td, uint64_t fsflags, stru } fspathlen = 0; error = vfs_getopt(optlist, "fspath", (void **)&fspath, &fspathlen); - if (error || fspath[fspathlen - 1] != '\0') { + if (error || fspathlen <= 0 || fspath[fspathlen - 1] != '\0') { error = EINVAL; if (errmsg != NULL) strncpy(errmsg, "Invalid fspath", errmsg_len);
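Review bot: The new fstypelen <= 0 and fspathlen <= 0 tests in vfs_donmount protect the [len - 1] index only because they sit ahead of it in the same || chain, and nothing in the code says so. Add a short comment that the length can still be zero when vfs_getopt reports no error, which is the case the guard exists for, so a later edit does not reorder the operands and bring back the read before the start of the buffer. The same three-part test now appears twice in each file; a small helper that checks for a non-empty, NUL-terminated option value would keep the fstype and fspath paths from drifting apart.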
From: Gordon Tetlow Date: Tue, 28 Jan 2020 18:55:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r357217 - in releng: 11.3/lib/libfetch 12.0/lib/libfetch 12.1/lib/libfetch X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.3/lib/libfetch 12.0/lib/libfetch 12.1/lib/libfetch X-SVN-Commit-Revision: 357217 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2020 18:55:26 -0000 Author: gordon Date: Tue Jan 28 18:55:25 2020 New Revision: 357217 URL: https://svnweb.freebsd.org/changeset/base/357217 Log: Fix libfetch buffer overflow Reported by: Duncan Overbruck Approved by: so Security: FreeBSD-SA-20:01.libfetch Security: CVE-2020-7450 Modified: releng/11.3/lib/libfetch/fetch.c releng/12.0/lib/libfetch/fetch.c releng/12.1/lib/libfetch/fetch.c Modified: releng/11.3/lib/libfetch/fetch.c ============================================================================== --- releng/11.3/lib/libfetch/fetch.c Tue Jan 28 18:54:15 2020 (r357216) +++ releng/11.3/lib/libfetch/fetch.c Tue Jan 28 18:55:25 2020 (r357217) @@ -328,6 +328,8 @@ fetch_pctdecode(char *dst, const char *src, size_t dle } if (dlen-- > 0) *dst++ = c; + else + return (NULL); } return (s); } 
@@ -375,11 +377,15 @@ fetchParseURL(const char *URL) if (p && *p == '@') { /* username */ q = fetch_pctdecode(u->user, URL, URL_USERLEN); + if (q == NULL) + goto ouch; /* password */ - if (*q == ':') + if (*q == ':') { q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN); - + if (q == NULL) + goto ouch; + } p++; } else { p = URL; Modified: releng/12.0/lib/libfetch/fetch.c ============================================================================== --- releng/12.0/lib/libfetch/fetch.c Tue Jan 28 18:54:15 2020 (r357216) +++ releng/12.0/lib/libfetch/fetch.c Tue Jan 28 18:55:25 2020 (r357217) @@ -330,6 +330,8 @@ fetch_pctdecode(char *dst, const char *src, size_t dle } if (dlen-- > 0) *dst++ = c; + else + return (NULL); } return (s); } @@ -377,11 +379,15 @@ fetchParseURL(const char *URL) if (p && *p == '@') { /* username */ q = fetch_pctdecode(u->user, URL, URL_USERLEN); + if (q == NULL) + goto ouch; /* password */ - if (*q == ':') + if (*q == ':') { q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN); - + if (q == NULL) + goto ouch; + } p++; } else { p = URL; Modified: releng/12.1/lib/libfetch/fetch.c ============================================================================== --- releng/12.1/lib/libfetch/fetch.c Tue Jan 28 18:54:15 2020 (r357216) +++ releng/12.1/lib/libfetch/fetch.c Tue Jan 28 18:55:25 2020 (r357217) @@ -330,6 +330,8 @@ fetch_pctdecode(char *dst, const char *src, size_t dle } if (dlen-- > 0) *dst++ = c; + else + return (NULL); } return (s); } 
@@ -377,11 +379,15 @@ fetchParseURL(const char *URL) if (p && *p == '@') { /* username */ q = fetch_pctdecode(u->user, URL, URL_USERLEN); + if (q == NULL) + goto ouch; /* password */ - if (*q == ':') + if (*q == ':') { q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN); - + if (q == NULL) + goto ouch; + } p++; } else { p = URL;
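Review bot: In fetch_pctdecode the rejecting path still runs the post-decrement in 'if (dlen-- > 0)' with dlen already at zero, and the hunk header shows that parameter as a size_t, so the counter wraps and the code is safe only because 'return (NULL)' follows immediately. Test for dlen == 0 and return before decrementing, so the bound no longer depends on control flow. In fetchParseURL the two new 'if (q == NULL) goto ouch;' checks come before q is dereferenced, which is the right order; the function comment for fetch_pctdecode should state that NULL now means the destination was too small, and a regression test with an over-long user name and an over-long password would pin both exits.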
From: Gordon Tetlow Date: Tue, 28 Jan 2020 18:56:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r357218 - releng/12.0/sys/netipsec X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/12.0/sys/netipsec X-SVN-Commit-Revision: 357218 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2020 18:56:46 -0000 Author: gordon Date: Tue Jan 28 18:56:46 2020 New Revision: 357218 URL: https://svnweb.freebsd.org/changeset/base/357218 Log: Fix missing IPsec anti-replay window check Reported by: Jean-Francois HREN Approved by: so Security: FreeBSD-SA-20:02.ipsec Security: CVE-2019-5613 Modified: releng/12.0/sys/netipsec/ipsec.c Modified: releng/12.0/sys/netipsec/ipsec.c ============================================================================== --- releng/12.0/sys/netipsec/ipsec.c Tue Jan 28 18:55:25 2020 (r357217) +++ releng/12.0/sys/netipsec/ipsec.c Tue Jan 28 18:56:46 2020 (r357218) 
@@ -1318,6 +1318,8 @@ ok: __func__, replay->overflow, ipsec_sa2str(sav, buf, sizeof(buf)))); } + + replay->count++; return (0); }
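Review bot: The added replay->count++ ahead of 'return (0);' under the ok: label has no comment, and neither the hunk nor the log says which check reads the counter, so the link between this increment and the anti-replay window is invisible at the point of change. Add a line stating what count records and where it is consumed, and cover the path with a test that presents an already accepted sequence number a second time and expects it to be rejected.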
From: Gordon Tetlow Date: Tue, 28 Jan 2020 18:57:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r357219 - in releng: 11.3/sys/kern 12.0/sys/kern 12.1/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.3/sys/kern 12.0/sys/kern 12.1/sys/kern X-SVN-Commit-Revision: 357219 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2020 18:57:46 -0000 Author: gordon Date: Tue Jan 28 18:57:45 2020 New Revision: 357219 URL: https://svnweb.freebsd.org/changeset/base/357219 Log: Fix kernel stack data disclosure Reported by: Ilja Van Sprundel Approved by: so Security: FreeBSD-SA-20:03.thrmisc Security: CVE-2019-15875 Modified: releng/11.3/sys/kern/imgact_elf.c releng/12.0/sys/kern/imgact_elf.c releng/12.1/sys/kern/imgact_elf.c Modified: releng/11.3/sys/kern/imgact_elf.c ============================================================================== --- releng/11.3/sys/kern/imgact_elf.c Tue Jan 28 18:56:46 2020 (r357218) +++ releng/11.3/sys/kern/imgact_elf.c Tue Jan 28 18:57:45 2020 (r357219) 
@@ -2007,7 +2007,7 @@ __elfN(note_thrmisc)(void *arg, struct sbuf *sb, size_ td = (struct thread *)arg; if (sb != NULL) { KASSERT(*sizep == sizeof(thrmisc), ("invalid size")); - bzero(&thrmisc._pad, sizeof(thrmisc._pad)); + bzero(&thrmisc, sizeof(thrmisc)); strcpy(thrmisc.pr_tname, td->td_name); sbuf_bcat(sb, &thrmisc, sizeof(thrmisc)); } Modified: releng/12.0/sys/kern/imgact_elf.c ============================================================================== --- releng/12.0/sys/kern/imgact_elf.c Tue Jan 28 18:56:46 2020 (r357218) +++ releng/12.0/sys/kern/imgact_elf.c Tue Jan 28 18:57:45 2020 (r357219) @@ -2022,7 +2022,7 @@ __elfN(note_thrmisc)(void *arg, struct sbuf *sb, size_ td = (struct thread *)arg; if (sb != NULL) { KASSERT(*sizep == sizeof(thrmisc), ("invalid size")); - bzero(&thrmisc._pad, sizeof(thrmisc._pad)); + bzero(&thrmisc, sizeof(thrmisc)); strcpy(thrmisc.pr_tname, td->td_name); sbuf_bcat(sb, &thrmisc, sizeof(thrmisc)); } Modified: releng/12.1/sys/kern/imgact_elf.c ============================================================================== --- releng/12.1/sys/kern/imgact_elf.c Tue Jan 28 18:56:46 2020 (r357218) +++ releng/12.1/sys/kern/imgact_elf.c Tue Jan 28 18:57:45 2020 (r357219) 
@@ -2211,7 +2211,7 @@ __elfN(note_thrmisc)(void *arg, struct sbuf *sb, size_ td = (struct thread *)arg; if (sb != NULL) { KASSERT(*sizep == sizeof(thrmisc), ("invalid size")); - bzero(&thrmisc._pad, sizeof(thrmisc._pad)); + bzero(&thrmisc, sizeof(thrmisc)); strcpy(thrmisc.pr_tname, td->td_name); sbuf_bcat(sb, &thrmisc, sizeof(thrmisc)); }
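Review bot: The context line 'strcpy(thrmisc.pr_tname, td->td_name);' directly after the changed bzero in note_thrmisc is still an unbounded copy whose safety rests on the sizes of the two arrays, which this hunk does not show. Use strlcpy with sizeof(thrmisc.pr_tname), or add a compile-time assertion that pr_tname is at least as large as td_name. Zeroing the whole structure is the right scope, since sbuf_bcat copies out all sizeof(thrmisc) bytes and the old call cleared only _pad; a comment saying that every byte of the structure is copied out would keep the bzero from being narrowed again.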
From: Gordon Tetlow Date: Tue, 28 Jan 2020 18:58:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r357220 - in releng: 11.3 11.3/sys/conf 12.0 12.0/sys/conf 12.1 12.1/sys/conf X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.3 11.3/sys/conf 12.0 12.0/sys/conf 12.1 12.1/sys/conf X-SVN-Commit-Revision: 357220 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2020 18:58:39 -0000 Author: gordon Date: Tue Jan 28 18:58:37 2020 New Revision: 357220 URL: https://svnweb.freebsd.org/changeset/base/357220 Log: Add UPDATING entries and bump version. Approved by: so Modified: releng/11.3/UPDATING releng/11.3/sys/conf/newvers.sh releng/12.0/UPDATING releng/12.0/sys/conf/newvers.sh releng/12.1/UPDATING releng/12.1/sys/conf/newvers.sh Modified: releng/11.3/UPDATING ============================================================================== --- releng/11.3/UPDATING Tue Jan 28 18:57:45 2020 (r357219) +++ releng/11.3/UPDATING Tue Jan 28 18:58:37 2020 (r357220) 
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20200128 p6 FreeBSD-EN-20:01.ssp + FreeBSD-EN-20:02.nmount + FreeBSD-SA-20:01.libfetch + FreeBSD-SA-20:03.thrmisc + + Fix imprecise ordering of SSP canary initialization [EN-20:01.ssp] + + Fix nmount invalid pointer dereference [EN-20:02.nmount] + + Fix libfetch buffer overflow [SA-20:01.libfetch] + + Fix kernel stack data disclosure [SA-20:03.thrmisc] + 20191112 p5 FreeBSD-SA-19:25.mcepsc Fix Machine Check Exception on Page Size Change [SA-19:25.mcepsc] Modified: releng/11.3/sys/conf/newvers.sh ============================================================================== --- releng/11.3/sys/conf/newvers.sh Tue Jan 28 18:57:45 2020 (r357219) +++ releng/11.3/sys/conf/newvers.sh Tue Jan 28 18:58:37 2020 (r357220) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.3" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/12.0/UPDATING ============================================================================== --- releng/12.0/UPDATING Tue Jan 28 18:57:45 2020 (r357219) +++ releng/12.0/UPDATING Tue Jan 28 18:58:37 2020 (r357220) 
@@ -16,6 +16,22 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20200128 p13 FreeBSD-EN-20:01.ssp + FreeBSD-EN-20:02.nmount + FreeBSD-SA-20:01.libfetch + FreeBSD-SA-20:02.ipsec + FreeBSD-SA-20:03.thrmisc + + Fix imprecise ordering of SSP canary initialization [EN-20:01.ssp] + + Fix nmount invalid pointer dereference [EN-20:02.nmount] + + Fix libfetch buffer overflow [SA-20:01.libfetch] + + Fix missing IPsec anti-replay window check [SA-20:02.ipsec] + + Fix kernel stack data disclosure [SA-20:03.thrmisc] + 20191112 p12 FreeBSD-EN-19:19.loader FreeBSD-SA-19:25.mcepsc Modified: releng/12.0/sys/conf/newvers.sh ============================================================================== --- releng/12.0/sys/conf/newvers.sh Tue Jan 28 18:57:45 2020 (r357219) +++ releng/12.0/sys/conf/newvers.sh Tue Jan 28 18:58:37 2020 (r357220) @@ -46,7 +46,7 @@ TYPE="FreeBSD" REVISION="12.0" -BRANCH="RELEASE-p12" +BRANCH="RELEASE-p13" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/12.1/UPDATING ============================================================================== --- releng/12.1/UPDATING Tue Jan 28 18:57:45 2020 (r357219) +++ releng/12.1/UPDATING Tue Jan 28 18:58:37 2020 (r357220) 
@@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20200128 p2 FreeBSD-EN-20:01.ssp + FreeBSD-SA-20:01.libfetch + FreeBSD-SA-20:03.thrmisc + + Fix imprecise ordering of SSP canary initialization [EN-20:01.ssp] + + Fix libfetch buffer overflow [SA-20:01.libfetch] + + Fix kernel stack data disclosure [SA-20:03.thrmisc] + 20191112 p1 FreeBSD-EN-19:19.loader FreeBSD-SA-19:25.mcepsc Modified: releng/12.1/sys/conf/newvers.sh ============================================================================== --- releng/12.1/sys/conf/newvers.sh Tue Jan 28 18:57:45 2020 (r357219) +++ releng/12.1/sys/conf/newvers.sh Tue Jan 28 18:58:37 2020 (r357220) @@ -46,7 +46,7 @@ TYPE="FreeBSD" REVISION="12.1" -BRANCH="RELEASE-p1" +BRANCH="RELEASE-p2" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi