From owner-svn-src-vendor@FreeBSD.ORG Mon Feb 3 08:00:46 2014 Return-Path: Delivered-To: svn-src-vendor@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 92D5A557; Mon, 3 Feb 2014 08:00:46 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 73B43195F; Mon, 3 Feb 2014 08:00:46 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id s1380kcC069313; Mon, 3 Feb 2014 08:00:46 GMT (envelope-from bapt@svn.freebsd.org) Received: (from bapt@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1380kek069310; Mon, 3 Feb 2014 08:00:46 GMT (envelope-from bapt@svn.freebsd.org) Message-Id: <201402030800.s1380kek069310@svn.freebsd.org> 
From: Baptiste Daroussin Date: Mon, 3 Feb 2014 08:00:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r261429 - vendor/libyaml/dist/src X-SVN-Group: vendor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-vendor@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the vendor work area tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Feb 2014 08:00:46 -0000 Author: bapt Date: Mon Feb 3 08:00:45 2014 New Revision: 261429 URL: http://svnweb.freebsd.org/changeset/base/261429 Log: Apply patch for CVE-2013-6393 [1] to fix heap-based buffer overflow when parsing YAML tags. Also apply a patch for hardenning the guards againt the issue The only user in base in yaml is pkg(7) which uses the library a way that it is not affected Submitted by: delphij Obtained from: https://bugzilla.redhat.com/show_bug.cgi?id=1033990 Security: CVE-2013-6393 Modified: vendor/libyaml/dist/src/api.c vendor/libyaml/dist/src/scanner.c
Modified: vendor/libyaml/dist/src/api.c
==============================================================================
--- vendor/libyaml/dist/src/api.c Mon Feb 3 04:22:29 2014 (r261428)
+++ vendor/libyaml/dist/src/api.c Mon Feb 3 08:00:45 2014 (r261429)
@@ -117,7 +117,12 @@ yaml_string_join(
 YAML_DECLARE(int)
 yaml_stack_extend(void **start, void **top, void **end)
 {
- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+ void *new_start;
+
+ if ((char *)*end - (char *)*start >= INT_MAX / 2)
+ return 0;
+
+ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
 if (!new_start) return 0;
Modified: vendor/libyaml/dist/src/scanner.c
==============================================================================
--- vendor/libyaml/dist/src/scanner.c Mon Feb 3 04:22:29 2014 (r261428)
+++ vendor/libyaml/dist/src/scanner.c Mon Feb 3 08:00:45 2014 (r261429)
@@ -615,11 +615,14 @@ yaml_parser_decrease_flow_level(yaml_par
 */
 static int
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
 int number, yaml_token_type_t type, yaml_mark_t mark);
 static int
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column);
+
+static int
+yaml_parser_reset_indent(yaml_parser_t *parser);
 /*
 * Token fetchers.
@@ -1206,7 +1209,7 @@ yaml_parser_decrease_flow_level(yaml_par
 */
 static int
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
 int number, yaml_token_type_t type, yaml_mark_t mark)
 {
 yaml_token_t token;
@@ -1216,7 +1219,7 @@ yaml_parser_roll_indent(yaml_parser_t *p
 if (parser->flow_level)
 return 1;
- if (parser->indent < column)
+ if (parser->indent == -1 || parser->indent < column)
 {
 /*
 * Push the current indentation level to the stack and set the new
@@ -1254,7 +1257,7 @@ yaml_parser_roll_indent(yaml_parser_t *p
 static int
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column)
 {
 yaml_token_t token;
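Review bot: The new `INT_MAX / 2` bound in yaml_stack_extend carries no comment saying what it protects, so a later reader who notices that the size goes to yaml_realloc may be tempted to relax it; the point is to refuse growth before the `*2` on the next line can overflow, and a comment such as `/* Refuse to grow once the doubling below could overflow (CVE-2013-6393); INT_MAX/2 is a deliberately conservative cap. */` above the check would pin that down. `INT_MAX` needs <limits.h>, which this hunk does not add — presumably it already arrives through the library's private header, but that is outside the hunk and worth confirming. If any sibling `*_extend` helper in this file uses the same unbounded doubling idiom (none is in this diff), it would need the same guard. The function's remaining lines are outside the hunk.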
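Review bot: The changed condition in yaml_parser_roll_indent (@@ -1216 hunk) now compares the int `parser->indent` with the size_t `column`; under the usual arithmetic conversions the int is converted to size_t, which is exactly why the `== -1` test has to come first (a -1 converted to size_t is never less than `column`). That works, but the correctness depends on evaluation order and an implicit conversion that nothing at the site explains; making the conversion explicit after the guard documents it and keeps -Wsign-compare quiet: `if (parser->indent == -1 || (size_t)parser->indent < column)`, with a preceding `/* -1 means no indentation yet; compare only once indent is non-negative. */`. The same mixed-sign comparison remains in the `while (parser->indent > column)` loop of the @@ -1263 hunk of this file, where the added `parser->indent < 0` guard plays the same role and the same cast would help. The rest of yaml_parser_roll_indent's body lies outside the hunk.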
@@ -1263,6 +1266,15 @@ yaml_parser_unroll_indent(yaml_parser_t
 if (parser->flow_level)
 return 1;
+ /*
+ * column is unsigned and parser->indent is signed, so if
+ * parser->indent is less than zero the conditional in the while
+ * loop below is incorrect. Guard against that.
+ */
+
+ if (parser->indent < 0)
+ return 1;
+
 /* Loop through the intendation levels in the stack. */
 while (parser->indent > column)
@@ -1283,6 +1295,41 @@ yaml_parser_unroll_indent(yaml_parser_t
 }
 /*
+ * Pop indentation levels from the indents stack until the current
+ * level resets to -1. For each intendation level, append the
+ * BLOCK-END token.
+ */
+
+static int
+yaml_parser_reset_indent(yaml_parser_t *parser)
+{
+ yaml_token_t token;
+
+ /* In the flow context, do nothing. */
+
+ if (parser->flow_level)
+ return 1;
+
+ /* Loop through the intendation levels in the stack. */
+
+ while (parser->indent > -1)
+ {
+ /* Create a token and append it to the queue. */
+
+ TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark);
+
+ if (!ENQUEUE(parser, parser->tokens, token))
+ return 0;
+
+ /* Pop the indentation level. */
+
+ parser->indent = POP(parser, parser->indents);
+ }
+
+ return 1;
+}
+
+/*
 * Initialize the scanner and produce the STREAM-START token.
 */
@@ -1338,7 +1385,7 @@ yaml_parser_fetch_stream_end(yaml_parser
 /* Reset the indentation level. */
- if (!yaml_parser_unroll_indent(parser, -1))
+ if (!yaml_parser_reset_indent(parser))
 return 0;
 /* Reset simple keys. */
@@ -1369,7 +1416,7 @@ yaml_parser_fetch_directive(yaml_parser_
 /* Reset the indentation level. */
- if (!yaml_parser_unroll_indent(parser, -1))
+ if (!yaml_parser_reset_indent(parser))
 return 0;
 /* Reset simple keys. */
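Review bot: The new yaml_parser_reset_indent (@@ -1283 hunk) repeats the BLOCK-END/POP loop body of yaml_parser_unroll_indent with only the loop condition changed, so the two copies can drift apart; a shared static helper taking the stop level as an int and called by both would keep a single copy, though the duplication is small and this is a style choice. Two of the comment lines this commit adds carry the spelling `intendation` (copied from the existing text); `indentation` would be better in the new lines, e.g. `/* Loop through the indentation levels in the stack. */`. The @@ -1338 and @@ -1369 hunks here and the following @@ -1407 hunk are straight call-site replacements and need nothing further.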
@@ -1407,7 +1454,7 @@ yaml_parser_fetch_document_indicator(yam
 /* Reset the indentation level. */
- if (!yaml_parser_unroll_indent(parser, -1))
+ if (!yaml_parser_reset_indent(parser))
 return 0;
 /* Reset simple keys. */
From owner-svn-src-vendor@FreeBSD.ORG Sat Feb 8 05:30:33 2014 Return-Path: Delivered-To: svn-src-vendor@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 984B94E8; Sat, 8 Feb 2014 05:30:33 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 829021996; Sat, 8 Feb 2014 05:30:33 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s185UX6g011636; Sat, 8 Feb 2014 05:30:33 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s185UXJl011635; Sat, 8 Feb 2014 05:30:33 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201402080530.s185UXJl011635@svn.freebsd.org>
From: Xin LI Date: Sat, 8 Feb 2014 05:30:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r261619 - vendor-sys/illumos/dist/uts/common/fs/zfs X-SVN-Group: vendor-sys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-vendor@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the vendor work area tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Feb 2014 05:30:33 -0000 Author: delphij Date: Sat Feb 8 05:30:33 2014 New Revision: 261619 URL: http://svnweb.freebsd.org/changeset/base/261619 Log: 4574 get_clones_stat does not call zap_count in non-debug kernel illumos/illumos-gate@03d1795fa6f720eafbee821ad37f4343c391cfe4 Modified: vendor-sys/illumos/dist/uts/common/fs/zfs/dsl_dataset.c
Modified: vendor-sys/illumos/dist/uts/common/fs/zfs/dsl_dataset.c
==============================================================================
--- vendor-sys/illumos/dist/uts/common/fs/zfs/dsl_dataset.c Sat Feb 8 05:17:49 2014 (r261618)
+++ vendor-sys/illumos/dist/uts/common/fs/zfs/dsl_dataset.c Sat Feb 8 05:30:33 2014 (r261619)
@@ -22,6 +22,7 @@
 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2013 by Delphix. All rights reserved.
 * Copyright (c) 2012, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2014 RackTop Systems.
 */
 #include
@@ -1364,7 +1365,7 @@ get_clones_stat(dsl_dataset_t *ds, nvlis
 * Only trust it if it has the right number of entries.
 */
 if (ds->ds_phys->ds_next_clones_obj != 0) {
- ASSERT0(zap_count(mos, ds->ds_phys->ds_next_clones_obj,
+ VERIFY0(zap_count(mos, ds->ds_phys->ds_next_clones_obj,
 &count));
 }
 if (count != ds->ds_phys->ds_num_children - 1)
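Review bot: Nothing at the `VERIFY0(zap_count(...))` call in get_clones_stat explains why VERIFY0 rather than ASSERT0 is required, so a later cleanup could reintroduce the bug this commit fixes: per the commit log, ASSERT0 compiles away in a non-debug kernel, so zap_count() was never called and `count` kept whatever it was initialised to (its declaration is outside the hunk). A one-line comment above the call would protect the fix, e.g. `/* VERIFY0, not ASSERT0: zap_count() must run in non-DEBUG kernels so count is filled in. */`. Panicking on a zap_count() error rather than treating the object as untrustworthy, as the comment above the call suggests, is behaviour the commit inherits from the original rather than introduces. get_clones_stat's body continues outside the hunk.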