From owner-svn-src-releng@freebsd.org Wed Nov 15 22:39:42 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D3FF6DE949E; Wed, 15 Nov 2017 22:39:42 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 960DC7EEB0; Wed, 15 Nov 2017 22:39:42 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMdf4R006190; Wed, 15 Nov 2017 22:39:41 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMdfXM006189; Wed, 15 Nov 2017 22:39:41 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152239.vAFMdfXM006189@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:39:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325868 - releng/11.1/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/11.1/sys/kern X-SVN-Commit-Revision: 325868 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:39:42 -0000 Author: gordon Date: Wed Nov 15 22:39:41 2017 New Revision: 325868 URL: https://svnweb.freebsd.org/changeset/base/325868 Log: Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08] Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086 Modified: releng/11.1/sys/kern/sys_process.c Modified: releng/11.1/sys/kern/sys_process.c ============================================================================== --- releng/11.1/sys/kern/sys_process.c Wed Nov 15 22:35:16 2017 (r325867) +++ releng/11.1/sys/kern/sys_process.c Wed Nov 15 22:39:41 2017 (r325868) @@ -518,6 +518,7 @@ ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, struct ptrace_lwpinfo32 *pl32) { + bzero(pl32, sizeof(*pl32)); pl32->pl_lwpid = pl->pl_lwpid; pl32->pl_event = pl->pl_event; pl32->pl_flags = pl->pl_flags; @@ -1301,6 +1302,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi } else #endif pl = addr; + bzero(pl, sizeof(*pl)); pl->pl_lwpid = td2->td_tid; pl->pl_event = PL_EVENT_NONE; pl->pl_flags = 0; 
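Review bot: the bzero(pl, sizeof(*pl)) added in kern_ptrace makes the pl->pl_flags = 0 two lines below it redundant, and the removal of the conditional bzero(&pl->pl_siginfo, ...) in the third hunk (which continues on the next line of this page) is only correct as long as pl_siginfo is written on no path other than the one that sets PL_FLAG_SI; the visible context shows the assignment pl->pl_siginfo = td2->td_dbgksi.ksi_info; inside that block, so it holds today, but a comment at the bzero saying that every member must either be assigned below or stay zero would keep it that way when fields are added. Zeroing the whole struct up front is the right shape of fix for this bug class: the struct is assembled field by field and then copied out to the tracer, so any padding byte or any member not assigned on every path carries whatever was on the kernel stack, and clearing individual members after the fact (the old conditional bzero) can never cover padding. The same reasoning applies to the bzero(pl32, sizeof(*pl32)) in ptrace_lwpinfo_to32: the "} else #endif pl = addr;" context shows that on the COMPAT_FREEBSD32 path pl is not the user buffer but a kernel-local native struct that is converted into pl32 later, so both the native and the 32-bit copy are now zeroed (the native one needlessly on that path, which is cheap). One residual caveat: a struct assignment such as pl->pl_siginfo = td2->td_dbgksi.ksi_info may copy the source's padding bytes over the freshly zeroed destination, so if td_dbgksi.ksi_info is ever filled without being cleared first the PL_FLAG_SI path can still carry a few stale bytes; either make sure ksi_info is zeroed where it is populated or copy only the defined members. A regression test that attaches to a stopped thread with no pending signal, pre-fills the buffer with 0xff, issues PT_LWPINFO on both the native and the 32-bit ABI and checks that every byte outside the fields this request sets came back zero would catch both this bug and a future field added without an assignment.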
@@ -1321,8 +1323,6 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi pl->pl_siginfo = td2->td_dbgksi.ksi_info; } } - if ((pl->pl_flags & PL_FLAG_SI) == 0) - bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); if (td2->td_dbgflags & TDB_SCE) pl->pl_flags |= PL_FLAG_SCE; else if (td2->td_dbgflags & TDB_SCX) From owner-svn-src-releng@freebsd.org Wed Nov 15 22:40:16 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 88E4CDE9503; Wed, 15 Nov 2017 22:40:16 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 55C797EFE7; Wed, 15 Nov 2017 22:40:16 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMeFj0006276; Wed, 15 Nov 2017 22:40:15 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMeFSi006275; Wed, 15 Nov 2017 22:40:15 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152240.vAFMeFSi006275@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:40:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325869 - releng/11.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/11.0/sys/kern X-SVN-Commit-Revision: 325869 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:40:16 -0000 Author: gordon Date: Wed Nov 15 22:40:15 2017 New Revision: 325869 URL: https://svnweb.freebsd.org/changeset/base/325869 Log: Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08] Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086 Modified: releng/11.0/sys/kern/sys_process.c Modified: releng/11.0/sys/kern/sys_process.c ============================================================================== --- releng/11.0/sys/kern/sys_process.c Wed Nov 15 22:39:41 2017 (r325868) +++ releng/11.0/sys/kern/sys_process.c Wed Nov 15 22:40:15 2017 (r325869) @@ -518,6 +518,7 @@ ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, struct ptrace_lwpinfo32 *pl32) { + bzero(pl32, sizeof(*pl32)); pl32->pl_lwpid = pl->pl_lwpid; pl32->pl_event = pl->pl_event; pl32->pl_flags = pl->pl_flags; @@ -1229,6 +1230,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi } else #endif pl = addr; + bzero(pl, sizeof(*pl)); pl->pl_lwpid = td2->td_tid; pl->pl_event = PL_EVENT_NONE; pl->pl_flags = 0; 
@@ -1249,8 +1251,6 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi pl->pl_siginfo = td2->td_dbgksi.ksi_info; } } - if ((pl->pl_flags & PL_FLAG_SI) == 0) - bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); if (td2->td_dbgflags & TDB_SCE) pl->pl_flags |= PL_FLAG_SCE; else if (td2->td_dbgflags & TDB_SCX) From owner-svn-src-releng@freebsd.org Wed Nov 15 22:40:33 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 90510DE9555; Wed, 15 Nov 2017 22:40:33 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5D3637F11B; Wed, 15 Nov 2017 22:40:33 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMeWCo006331; Wed, 15 Nov 2017 22:40:32 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMeWRG006330; Wed, 15 Nov 2017 22:40:32 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152240.vAFMeWRG006330@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:40:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325870 - releng/10.4/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/10.4/sys/kern X-SVN-Commit-Revision: 325870 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:40:33 -0000 Author: gordon Date: Wed Nov 15 22:40:32 2017 New Revision: 325870 URL: https://svnweb.freebsd.org/changeset/base/325870 Log: Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08] Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086 Modified: releng/10.4/sys/kern/sys_process.c Modified: releng/10.4/sys/kern/sys_process.c ============================================================================== --- releng/10.4/sys/kern/sys_process.c Wed Nov 15 22:40:15 2017 (r325869) +++ releng/10.4/sys/kern/sys_process.c Wed Nov 15 22:40:32 2017 (r325870) @@ -474,6 +474,7 @@ ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, struct ptrace_lwpinfo32 *pl32) { + bzero(pl32, sizeof(*pl32)); pl32->pl_lwpid = pl->pl_lwpid; pl32->pl_event = pl->pl_event; pl32->pl_flags = pl->pl_flags; @@ -1276,6 +1277,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi } else #endif pl = addr; + bzero(pl, sizeof(*pl)); pl->pl_lwpid = td2->td_tid; pl->pl_event = PL_EVENT_NONE; pl->pl_flags = 0; 
@@ -1296,8 +1298,6 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi pl->pl_siginfo = td2->td_dbgksi.ksi_info; } } - if ((pl->pl_flags & PL_FLAG_SI) == 0) - bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); if (td2->td_dbgflags & TDB_SCE) pl->pl_flags |= PL_FLAG_SCE; else if (td2->td_dbgflags & TDB_SCX) From owner-svn-src-releng@freebsd.org Wed Nov 15 22:40:47 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DDFB1DE96D4; Wed, 15 Nov 2017 22:40:47 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AAFC27F27E; Wed, 15 Nov 2017 22:40:47 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMek7e006385; Wed, 15 Nov 2017 22:40:46 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMekCD006384; Wed, 15 Nov 2017 22:40:46 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152240.vAFMekCD006384@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:40:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325871 - releng/10.3/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/10.3/sys/kern X-SVN-Commit-Revision: 325871 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:40:48 -0000 Author: gordon Date: Wed Nov 15 22:40:46 2017 New Revision: 325871 URL: https://svnweb.freebsd.org/changeset/base/325871 Log: Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08] Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086 Modified: releng/10.3/sys/kern/sys_process.c Modified: releng/10.3/sys/kern/sys_process.c ============================================================================== --- releng/10.3/sys/kern/sys_process.c Wed Nov 15 22:40:32 2017 (r325870) +++ releng/10.3/sys/kern/sys_process.c Wed Nov 15 22:40:46 2017 (r325871) @@ -474,6 +474,7 @@ ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, struct ptrace_lwpinfo32 *pl32) { + bzero(pl32, sizeof(*pl32)); pl32->pl_lwpid = pl->pl_lwpid; pl32->pl_event = pl->pl_event; pl32->pl_flags = pl->pl_flags; @@ -1193,6 +1194,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi } else #endif pl = addr; + bzero(pl, sizeof(*pl)); pl->pl_lwpid = td2->td_tid; pl->pl_event = PL_EVENT_NONE; pl->pl_flags = 0; 
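Review bot: r325869, r325870 and r325871 carry the same three hunks as r325868 with only the offsets changed (ptrace_lwpinfo_to32 sits at line 474 on the 10.x branches rather than 518, and the kern_ptrace hunks move accordingly), so the comments on r325868 apply to all three unchanged. The one branch-specific check is that each branch's ptrace_lwpinfo_to32 copies the same member set as 11.1 after the bzero; any member the older conversion does not copy is now guaranteed zero rather than stale, which is the desired outcome, but the trailing context of each hunk should be compared against the branch to confirm the bzero landed at the top of the function before the first pl32-> store, as it does in all four diffs shown here.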
@@ -1213,8 +1215,6 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi pl->pl_siginfo = td2->td_dbgksi.ksi_info; } } - if ((pl->pl_flags & PL_FLAG_SI) == 0) - bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); if (td2->td_dbgflags & TDB_SCE) pl->pl_flags |= PL_FLAG_SCE; else if (td2->td_dbgflags & TDB_SCX) From owner-svn-src-releng@freebsd.org Wed Nov 15 22:45:15 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 16325DE986E; Wed, 15 Nov 2017 22:45:15 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BF9B07F890; Wed, 15 Nov 2017 22:45:14 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMjDE6010821; Wed, 15 Nov 2017 22:45:13 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMjDvc010815; Wed, 15 Nov 2017 22:45:13 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152245.vAFMjDvc010815@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:45:13 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325873 - in releng/10.3: share/man/man9 sys/kern sys/sys X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng/10.3: share/man/man9 sys/kern sys/sys X-SVN-Commit-Revision: 325873 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:45:15 -0000 Author: gordon Date: Wed Nov 15 22:45:13 2017 New Revision: 325873 URL: https://svnweb.freebsd.org/changeset/base/325873 Log: Fix namespace issue in POSIX shm implementation for jails. [SA-17:09] Approved by: so Security: FreeBSD-SA-17:09.shm Security: CVE-2017-1087 Modified: releng/10.3/share/man/man9/osd.9 releng/10.3/sys/kern/kern_osd.c releng/10.3/sys/kern/uipc_mqueue.c releng/10.3/sys/kern/uipc_sem.c releng/10.3/sys/kern/uipc_shm.c releng/10.3/sys/sys/osd.h Modified: releng/10.3/share/man/man9/osd.9 ============================================================================== --- releng/10.3/share/man/man9/osd.9 Wed Nov 15 22:42:20 2017 (r325872) +++ releng/10.3/share/man/man9/osd.9 Wed Nov 15 22:45:13 2017 (r325873) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 5, 2011 +.Dd March 30, 2016 .Dt OSD 9 .Os .Sh NAME @@ -33,6 +33,9 @@ .Nm osd_register , .Nm osd_deregister , .Nm osd_set , +.Nm osd_reserve , +.Nm osd_set_reserved , +.Nm osd_free_reserved , .Nm osd_get , .Nm osd_del , .Nm osd_call , 
@@ -63,6 +66,22 @@ .Fa "void *value" .Fc .Ft void * +.Fo osd_reserve +.Fa "u_int slot" +.Fc +.Ft int +.Fo osd_set_reserved +.Fa "u_int type" +.Fa "struct osd *osd" +.Fa "u_int slot" +.Fa "void *rsv" +.Fa "void *value" +.Fc +.Ft void +.Fo osd_free_reserved +.Fa "void *rsv" +.Fc +.Ft void * .Fo osd_get .Fa "u_int type" .Fa "struct osd *osd" @@ -198,6 +217,15 @@ argument points to a data object to associate with .Fa osd . .Pp The +.Fn osd_set_reserved +function does the same as +.Fn osd_set , +but with an extra argument +.Fa rsv +that is internal-use memory previously allocated via +.Fn osd_reserve . +.Pp +The .Fn osd_get function returns the data pointer associated with a kernel data structure's .Vt struct osd @@ -324,6 +352,24 @@ will proceed without any .Xr realloc 9 calls. .Pp +It is possible for +.Fn osd_set +to fail to allocate this array. To ensure that such allocation succeeds, +.Fn osd_reserve +may be called (in a non-blocking context), and it will pre-allocate the +memory via +.Xr malloc 9 +with M_WAITOK. +Then this pre-allocated memory is passed to +.Fn osd_set_reserved , +which will use it if necessary or otherwise discard it. +The memory may also be explicitly discarded by calling +.Fn osd_free_reserved . +As this method always allocates memory whether or not it is ultimately needed, +it should be used only rarely, such as in the unlikely event that +.Fn osd_set +fails. +.Pp The .Nm API is geared towards slot identifiers storing pointers to the same underlying 
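Review bot: the sentence "osd_reserve may be called (in a non-blocking context), and it will pre-allocate the memory via malloc(9) with M_WAITOK" in the DESCRIPTION hunk contradicts itself, because M_WAITOK may sleep and so cannot be used from a non-blocking context; the intended model is that osd_reserve is called earlier, from a context that is allowed to sleep, and the result is handed to osd_set_reserved at the point where blocking is not permitted, and the text should say exactly that. The same hunk should also record the size contract: the rsv argument must come from osd_reserve called with the same slot value that is later passed to osd_set_reserved, because the implementation (see the osd_set_reserved hunk in kern_osd.c below, whose comment reads "assumed to be the right size") copies the old slot array into rsv and stores at index slot - 1 without any check, so a reserve made for a smaller slot number writes past the end of the reserved buffer, and the manual page is currently the only place that contract could be documented. Minor: osd_set_reserved is described as doing "the same as osd_set, but with an extra argument"; since osd_set is now implemented as osd_set_reserved with rsv set to NULL, describing osd_set as that special case reads more naturally and matches the code.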
@@ -359,14 +405,26 @@ the kernel including most fast paths. returns the slot identifier for the newly registered data type. .Pp .Fn osd_set -returns zero on success or ENOMEM if the specified type/slot identifier pair +and +.Fn osd_set_reserved +return zero on success or ENOMEM if the specified type/slot identifier pair triggered an internal .Xr realloc 9 -which failed. +which failed +.Fn ( osd_set_reserved +will always succeed when +.Fa rsv +is non-NULL). .Pp .Fn osd_get returns the data pointer for the specified type/slot identifier pair, or NULL if the slot has not been initialised yet. +.Pp +.Fn osd_reserve +returns a pointer suitable for passing to +.Fn osd_set_reserved +or +.Fn osd_free_reserved . .Pp .Fn osd_call returns zero if no method is run or the method for each slot runs successfully. Modified: releng/10.3/sys/kern/kern_osd.c ============================================================================== --- releng/10.3/sys/kern/kern_osd.c Wed Nov 15 22:42:20 2017 (r325872) +++ releng/10.3/sys/kern/kern_osd.c Wed Nov 15 22:45:13 2017 (r325873) @@ -44,6 +44,23 @@ __FBSDID("$FreeBSD$"); /* OSD (Object Specific Data) */ +/* + * Lock key: + * (m) osd_module_lock + * (o) osd_object_lock + * (l) osd_list_lock + */ +struct osd_master { + struct sx osd_module_lock; + struct rmlock osd_object_lock; + struct mtx osd_list_lock; + LIST_HEAD(, osd) osd_list; /* (l) */ + osd_destructor_t *osd_destructors; /* (o) */ + osd_method_t *osd_methods; /* (m) */ + u_int osd_ntslots; /* (m) */ + const u_int osd_nmethods; +}; + static MALLOC_DEFINE(M_OSD, "osd", "Object Specific Data"); static int osd_debug = 0; 
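Review bot: the RETURN VALUES hunk should state that osd_reserve never returns NULL (the kern_osd.c hunk below allocates it with M_WAITOK), since that is what makes the parenthetical "osd_set_reserved will always succeed when rsv is non-NULL" usable: a caller that obtained rsv from osd_reserve does not need to check the result of either call, and that is the whole point of the API. In the kern_osd.c hunk that introduces struct osd_master, moving the lock key into the struct comment is a good change; the annotations (l) for osd_list, (o) for osd_destructors and (m) for osd_methods and osd_ntslots match how the functions later in this diff take the locks, with the one expected wrinkle that osd_nmethods is const and statically initialised and therefore needs no lock.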
@@ -62,25 +79,12 @@ static void do_osd_del(u_int type, struct osd *osd, u_ int list_locked); /* - * Lists of objects with OSD. - * - * Lock key: - * (m) osd_module_lock - * (o) osd_object_lock - * (l) osd_list_lock + * List of objects with OSD. */ -static LIST_HEAD(, osd) osd_list[OSD_LAST + 1]; /* (m) */ -static osd_method_t *osd_methods[OSD_LAST + 1]; /* (m) */ -static u_int osd_nslots[OSD_LAST + 1]; /* (m) */ -static osd_destructor_t *osd_destructors[OSD_LAST + 1]; /* (o) */ -static const u_int osd_nmethods[OSD_LAST + 1] = { - [OSD_JAIL] = PR_MAXMETHOD, +struct osd_master osdm[OSD_LAST + 1] = { + [OSD_JAIL] = { .osd_nmethods = PR_MAXMETHOD }, }; -static struct sx osd_module_lock[OSD_LAST + 1]; -static struct rmlock osd_object_lock[OSD_LAST + 1]; -static struct mtx osd_list_lock[OSD_LAST + 1]; - static void osd_default_destructor(void *value __unused) { @@ -102,12 +106,12 @@ osd_register(u_int type, osd_destructor_t destructor, if (destructor == NULL) destructor = osd_default_destructor; - sx_xlock(&osd_module_lock[type]); + sx_xlock(&osdm[type].osd_module_lock); /* * First, we try to find unused slot. */ - for (i = 0; i < osd_nslots[type]; i++) { - if (osd_destructors[type][i] == NULL) { + for (i = 0; i < osdm[type].osd_ntslots; i++) { + if (osdm[type].osd_destructors[i] == NULL) { OSD_DEBUG("Unused slot found (type=%u, slot=%u).", type, i); break; 
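Review bot: struct osd_master osdm[OSD_LAST + 1] in the first hunk has lost the static that every array it replaces had, but nothing in the visible diff declares it for other files (sys/sys/osd.h is in the modified list, yet its hunk is not on this page); if no other compilation unit needs it, keep it static, and if osd.h is meant to export it, the struct osd_master definition added in the previous hunk has to move to the header as well, because an extern declaration of an array of an incomplete type cannot be indexed by callers. The rename of the per-type count from osd_nslots to osd_ntslots is welcome rather than cosmetic, since struct osd has its own osd_nslots and the two are compared in osd_set_reserved later in this diff; with both named osd_nslots that comparison was easy to misread.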
@@ -116,31 +120,31 @@ osd_register(u_int type, osd_destructor_t destructor, /* * If no unused slot was found, allocate one. */ - if (i == osd_nslots[type]) { - osd_nslots[type]++; - if (osd_nmethods[type] != 0) - osd_methods[type] = realloc(osd_methods[type], - sizeof(osd_method_t) * osd_nslots[type] * - osd_nmethods[type], M_OSD, M_WAITOK); - newptr = malloc(sizeof(osd_destructor_t) * osd_nslots[type], - M_OSD, M_WAITOK); - rm_wlock(&osd_object_lock[type]); - bcopy(osd_destructors[type], newptr, + if (i == osdm[type].osd_ntslots) { + osdm[type].osd_ntslots++; + if (osdm[type].osd_nmethods != 0) + osdm[type].osd_methods = realloc(osdm[type].osd_methods, + sizeof(osd_method_t) * osdm[type].osd_ntslots * + osdm[type].osd_nmethods, M_OSD, M_WAITOK); + newptr = malloc(sizeof(osd_destructor_t) * + osdm[type].osd_ntslots, M_OSD, M_WAITOK); + rm_wlock(&osdm[type].osd_object_lock); + bcopy(osdm[type].osd_destructors, newptr, sizeof(osd_destructor_t) * i); - free(osd_destructors[type], M_OSD); - osd_destructors[type] = newptr; - rm_wunlock(&osd_object_lock[type]); + free(osdm[type].osd_destructors, M_OSD); + osdm[type].osd_destructors = newptr; + rm_wunlock(&osdm[type].osd_object_lock); OSD_DEBUG("New slot allocated (type=%u, slot=%u).", type, i + 1); } - osd_destructors[type][i] = destructor; - if (osd_nmethods[type] != 0) { - for (m = 0; m < osd_nmethods[type]; m++) - osd_methods[type][i * osd_nmethods[type] + m] = - methods != NULL ? methods[m] : NULL; + osdm[type].osd_destructors[i] = destructor; + if (osdm[type].osd_nmethods != 0) { + for (m = 0; m < osdm[type].osd_nmethods; m++) + osdm[type].osd_methods[i * osdm[type].osd_nmethods + m] + = methods != NULL ? methods[m] : NULL; } - sx_xunlock(&osd_module_lock[type]); + sx_xunlock(&osdm[type].osd_module_lock); return (i + 1); } 
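Review bot: the reflowed method initialisation now starts a line with the assignment operator (osdm[type].osd_methods[i * osdm[type].osd_nmethods + m] on one line and = methods != NULL ? methods[m] : NULL; on the next), which style(9) avoids; breaking after the = instead, or taking a local struct osd_master *om = &osdm[type]; at the top of osd_register, would keep the lines short and make the whole hunk easier to read, because every statement in it repeats the osdm[type]. prefix. Behaviour is unchanged by the rename: the realloc of osd_methods and the malloc of the new destructor array still happen with M_WAITOK under the module sx lock only, and the destructor array is still swapped under the object write lock, exactly as before.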
@@ -151,105 +155,142 @@ osd_deregister(u_int type, u_int slot) KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot.")); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); - sx_xlock(&osd_module_lock[type]); - rm_wlock(&osd_object_lock[type]); + sx_xlock(&osdm[type].osd_module_lock); + rm_wlock(&osdm[type].osd_object_lock); /* * Free all OSD for the given slot. */ - mtx_lock(&osd_list_lock[type]); - LIST_FOREACH_SAFE(osd, &osd_list[type], osd_next, tosd) + mtx_lock(&osdm[type].osd_list_lock); + LIST_FOREACH_SAFE(osd, &osdm[type].osd_list, osd_next, tosd) do_osd_del(type, osd, slot, 1); - mtx_unlock(&osd_list_lock[type]); + mtx_unlock(&osdm[type].osd_list_lock); /* * Set destructor to NULL to free the slot. */ - osd_destructors[type][slot - 1] = NULL; - if (slot == osd_nslots[type]) { - osd_nslots[type]--; - osd_destructors[type] = realloc(osd_destructors[type], - sizeof(osd_destructor_t) * osd_nslots[type], M_OSD, + osdm[type].osd_destructors[slot - 1] = NULL; + if (slot == osdm[type].osd_ntslots) { + osdm[type].osd_ntslots--; + osdm[type].osd_destructors = realloc(osdm[type].osd_destructors, + sizeof(osd_destructor_t) * osdm[type].osd_ntslots, M_OSD, M_NOWAIT | M_ZERO); - if (osd_nmethods[type] != 0) - osd_methods[type] = realloc(osd_methods[type], - sizeof(osd_method_t) * osd_nslots[type] * - osd_nmethods[type], M_OSD, M_NOWAIT | M_ZERO); + if (osdm[type].osd_nmethods != 0) + osdm[type].osd_methods = realloc(osdm[type].osd_methods, + sizeof(osd_method_t) * osdm[type].osd_ntslots * + osdm[type].osd_nmethods, M_OSD, M_NOWAIT | M_ZERO); /* * We always reallocate to smaller size, so we assume it will * always succeed. 
*/ - KASSERT(osd_destructors[type] != NULL && - (osd_nmethods[type] == 0 || osd_methods[type] != NULL), - ("realloc() failed")); + KASSERT(osdm[type].osd_destructors != NULL && + (osdm[type].osd_nmethods == 0 || + osdm[type].osd_methods != NULL), ("realloc() failed")); OSD_DEBUG("Deregistration of the last slot (type=%u, slot=%u).", type, slot); } else { OSD_DEBUG("Slot deregistration (type=%u, slot=%u).", type, slot); } - rm_wunlock(&osd_object_lock[type]); - sx_xunlock(&osd_module_lock[type]); + rm_wunlock(&osdm[type].osd_object_lock); + sx_xunlock(&osdm[type].osd_module_lock); } int osd_set(u_int type, struct osd *osd, u_int slot, void *value) { + + return (osd_set_reserved(type, osd, slot, NULL, value)); +} + +void * +osd_reserve(u_int slot) +{ + + KASSERT(slot > 0, ("Invalid slot.")); + + OSD_DEBUG("Reserving slot array (slot=%u).", slot); + return (malloc(sizeof(void *) * slot, M_OSD, M_WAITOK | M_ZERO)); +} + +int +osd_set_reserved(u_int type, struct osd *osd, u_int slot, void *rsv, + void *value) +{ struct rm_priotracker tracker; KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot.")); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); - rm_rlock(&osd_object_lock[type], &tracker); + rm_rlock(&osdm[type].osd_object_lock, &tracker); if (slot > osd->osd_nslots) { + void *newptr; + if (value == NULL) { OSD_DEBUG( "Not allocating null slot (type=%u, slot=%u).", type, slot); - rm_runlock(&osd_object_lock[type], &tracker); + rm_runlock(&osdm[type].osd_object_lock, &tracker); + if (rsv) + osd_free_reserved(rsv); return (0); - } else if (osd->osd_nslots == 0) { + } + + /* + * Too few slots allocated here, so we need to extend or create + * the array. + */ + if (rsv) { /* - * First OSD for this object, so we need to allocate - * space and put it onto the list. + * Use the reserve passed in (assumed to be + * the right size). 
*/ - osd->osd_slots = malloc(sizeof(void *) * slot, M_OSD, - M_NOWAIT | M_ZERO); - if (osd->osd_slots == NULL) { - rm_runlock(&osd_object_lock[type], &tracker); - return (ENOMEM); + newptr = rsv; + if (osd->osd_nslots != 0) { + memcpy(newptr, osd->osd_slots, + sizeof(void *) * osd->osd_nslots); + free(osd->osd_slots, M_OSD); } - osd->osd_nslots = slot; - mtx_lock(&osd_list_lock[type]); - LIST_INSERT_HEAD(&osd_list[type], osd, osd_next); - mtx_unlock(&osd_list_lock[type]); - OSD_DEBUG("Setting first slot (type=%u).", type); } else { - void *newptr; - - /* - * Too few slots allocated here, needs to extend - * the array. - */ newptr = realloc(osd->osd_slots, sizeof(void *) * slot, M_OSD, M_NOWAIT | M_ZERO); if (newptr == NULL) { - rm_runlock(&osd_object_lock[type], &tracker); + rm_runlock(&osdm[type].osd_object_lock, + &tracker); return (ENOMEM); } - osd->osd_slots = newptr; - osd->osd_nslots = slot; - OSD_DEBUG("Growing slots array (type=%u).", type); } - } + if (osd->osd_nslots == 0) { + /* + * First OSD for this object, so we need to put it + * onto the list. + */ + mtx_lock(&osdm[type].osd_list_lock); + LIST_INSERT_HEAD(&osdm[type].osd_list, osd, osd_next); + mtx_unlock(&osdm[type].osd_list_lock); + OSD_DEBUG("Setting first slot (type=%u).", type); + } else + OSD_DEBUG("Growing slots array (type=%u).", type); + osd->osd_slots = newptr; + osd->osd_nslots = slot; + } else if (rsv) + osd_free_reserved(rsv); OSD_DEBUG("Setting slot value (type=%u, slot=%u, value=%p).", type, slot, value); osd->osd_slots[slot - 1] = value; - rm_runlock(&osd_object_lock[type], &tracker); + rm_runlock(&osdm[type].osd_object_lock, &tracker); return (0); } +void +osd_free_reserved(void *rsv) +{ + + OSD_DEBUG("Discarding reserved slot array."); + free(rsv, M_OSD); +} + void * osd_get(u_int type, struct osd *osd, u_int slot) { 
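Review bot: osd_set_reserved has no check that rsv is large enough; osd_reserve(slot) allocates sizeof(void *) * slot bytes, but osd_set_reserved cannot tell which slot value the caller reserved for, and the comment "assumed to be the right size" is the only guard in front of memcpy(newptr, osd->osd_slots, sizeof(void *) * osd->osd_nslots) and osd->osd_slots[slot - 1] = value. A cheap fix is to have osd_reserve return a small header carrying the slot count in front of the pointer array and KASSERT it in osd_set_reserved, or at least an INVARIANTS-only check, so a mismatched reserve fails loudly instead of writing past the buffer. The rest of the rewrite holds up: every exit disposes of rsv (freed on the value == NULL early return, freed in the else if (rsv) branch when the existing array is already large enough, consumed as newptr otherwise), so nothing leaks, and the only remaining ENOMEM is the realloc fallback when rsv is NULL, which backs the manual page's claim that the call always succeeds with a reserve. Two smaller points: on the rsv path the old osd->osd_slots is freed several statements before osd->osd_slots is reassigned, which is fine only because the lock taken here is the read side of the rm lock and callers already have to serialise osd_set against osd_get on the same object (the previous realloc had the same window); and the fallback keeps M_NOWAIT | M_ZERO, which is correct, since callers that hold a non-sleepable lock at this point are the reason the reserve API exists.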
@@ -258,9 +299,9 @@ osd_get(u_int type, struct osd *osd, u_int slot) KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot.")); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); - rm_rlock(&osd_object_lock[type], &tracker); + rm_rlock(&osdm[type].osd_object_lock, &tracker); if (slot > osd->osd_nslots) { value = NULL; OSD_DEBUG("Slot doesn't exist (type=%u, slot=%u).", type, slot); @@ -269,7 +310,7 @@ osd_get(u_int type, struct osd *osd, u_int slot) OSD_DEBUG("Returning slot value (type=%u, slot=%u, value=%p).", type, slot, value); } - rm_runlock(&osd_object_lock[type], &tracker); + rm_runlock(&osdm[type].osd_object_lock, &tracker); return (value); } @@ -278,9 +319,9 @@ osd_del(u_int type, struct osd *osd, u_int slot) { struct rm_priotracker tracker; - rm_rlock(&osd_object_lock[type], &tracker); + rm_rlock(&osdm[type].osd_object_lock, &tracker); do_osd_del(type, osd, slot, 0); - rm_runlock(&osd_object_lock[type], &tracker); + rm_runlock(&osdm[type].osd_object_lock, &tracker); } static void @@ -290,7 +331,7 @@ do_osd_del(u_int type, struct osd *osd, u_int slot, in KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); KASSERT(slot > 0, ("Invalid slot.")); - KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot.")); + KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); OSD_DEBUG("Deleting slot (type=%u, slot=%u).", type, slot); @@ -299,7 +340,7 @@ do_osd_del(u_int type, struct osd *osd, u_int slot, in return; } if (osd->osd_slots[slot - 1] != NULL) { - osd_destructors[type][slot - 1](osd->osd_slots[slot - 1]); + osdm[type].osd_destructors[slot - 1](osd->osd_slots[slot - 1]); osd->osd_slots[slot - 1] = NULL; } for (i = osd->osd_nslots - 1; i >= 0; i--) { 
@@ -313,10 +354,10 @@ do_osd_del(u_int type, struct osd *osd, u_int slot, in /* No values left for this object. */ OSD_DEBUG("No more slots left (type=%u).", type); if (!list_locked) - mtx_lock(&osd_list_lock[type]); + mtx_lock(&osdm[type].osd_list_lock); LIST_REMOVE(osd, osd_next); if (!list_locked) - mtx_unlock(&osd_list_lock[type]); + mtx_unlock(&osdm[type].osd_list_lock); free(osd->osd_slots, M_OSD); osd->osd_slots = NULL; osd->osd_nslots = 0; @@ -342,21 +383,21 @@ osd_call(u_int type, u_int method, void *obj, void *da int error, i; KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); - KASSERT(method < osd_nmethods[type], ("Invalid method.")); + KASSERT(method < osdm[type].osd_nmethods, ("Invalid method.")); /* * Call this method for every slot that defines it, stopping if an * error is encountered. */ error = 0; - sx_slock(&osd_module_lock[type]); - for (i = 0; i < osd_nslots[type]; i++) { - methodfun = - osd_methods[type][i * osd_nmethods[type] + method]; + sx_slock(&osdm[type].osd_module_lock); + for (i = 0; i < osdm[type].osd_ntslots; i++) { + methodfun = osdm[type].osd_methods[i * osdm[type].osd_nmethods + + method]; if (methodfun != NULL && (error = methodfun(obj, data)) != 0) break; } - sx_sunlock(&osd_module_lock[type]); + sx_sunlock(&osdm[type].osd_module_lock); return (error); } @@ -374,14 +415,14 @@ osd_exit(u_int type, struct osd *osd) return; } - rm_rlock(&osd_object_lock[type], &tracker); + rm_rlock(&osdm[type].osd_object_lock, &tracker); for (i = 1; i <= osd->osd_nslots; i++) { - if (osd_destructors[type][i - 1] != NULL) + if (osdm[type].osd_destructors[i - 1] != NULL) do_osd_del(type, osd, i, 0); else OSD_DEBUG("Unused slot (type=%u, slot=%u).", type, i); } - rm_runlock(&osd_object_lock[type], &tracker); + rm_runlock(&osdm[type].osd_object_lock, &tracker); OSD_DEBUG("Object exit (type=%u).", type); } 
@@ -391,13 +432,13 @@ osd_init(void *arg __unused) u_int i; for (i = OSD_FIRST; i <= OSD_LAST; i++) { - osd_nslots[i] = 0; - LIST_INIT(&osd_list[i]); - sx_init(&osd_module_lock[i], "osd_module"); - rm_init(&osd_object_lock[i], "osd_object"); - mtx_init(&osd_list_lock[i], "osd_list", NULL, MTX_DEF); - osd_destructors[i] = NULL; - osd_methods[i] = NULL; + sx_init(&osdm[i].osd_module_lock, "osd_module"); + rm_init(&osdm[i].osd_object_lock, "osd_object"); + mtx_init(&osdm[i].osd_list_lock, "osd_list", NULL, MTX_DEF); + LIST_INIT(&osdm[i].osd_list); + osdm[i].osd_destructors = NULL; + osdm[i].osd_ntslots = 0; + osdm[i].osd_methods = NULL; } } SYSINIT(osd, SI_SUB_LOCK, SI_ORDER_ANY, osd_init, NULL); Modified: releng/10.3/sys/kern/uipc_mqueue.c ============================================================================== --- releng/10.3/sys/kern/uipc_mqueue.c Wed Nov 15 22:42:20 2017 (r325872) +++ releng/10.3/sys/kern/uipc_mqueue.c Wed Nov 15 22:45:13 2017 (r325873) @@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -60,8 +61,8 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include -#include #include #include #include @@ -131,6 +132,7 @@ struct mqfs_node { LIST_HEAD(,mqfs_node) mn_children; LIST_ENTRY(mqfs_node) mn_sibling; LIST_HEAD(,mqfs_vdata) mn_vnodes; + const void *mn_pr_root; int mn_refcount; mqfs_type_t mn_type; int mn_deleted; @@ -151,6 +153,11 @@ struct mqfs_node { #define FPTOMQ(fp) ((struct mqueue *)(((struct mqfs_node *) \ (fp)->f_data)->mn_data)) +struct mqfs_osd { + struct task mo_task; + const void *mo_pr_root; +}; + TAILQ_HEAD(msgq, mqueue_msg); struct mqueue; @@ -218,6 +225,7 @@ static uma_zone_t mvdata_zone; static uma_zone_t mqnoti_zone; static struct vop_vector mqfs_vnodeops; static struct fileops mqueueops; +static unsigned mqfs_osd_jail_slot; /* * Directory structure construction and manipulation 
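Review bot: in the uipc_mqueue.c hunks the header names have been stripped from every #include line in this rendering, so the two added includes and the one that was removed cannot be reviewed here; from the code later in the diff they have to supply the prison list and lock (allprison, allprison_lock) and the osd_jail_* API, which live in sys/jail.h and sys/osd.h, and the removal next to an addition is most likely a reordering, but that needs confirming against the tree. On the data structures: const void *mn_pr_root on struct mqfs_node stores the jail's root vnode pointer purely as an identity token (it is never dereferenced, hence const void *), which is only safe while that vnode cannot be recycled and handed to a later jail; a prison holds a reference to its pr_root for its lifetime, so the scheme depends on the destructor and remove task carried by the new struct mqfs_osd dropping or retagging every node with that mn_pr_root before the prison's reference goes away, and those bodies are not on this page. The osd_init hunk is right to stop initialising osd_nmethods, which is now const and set by the designated initialiser; the explicit zeroing of osd_destructors, osd_ntslots and osd_methods that remains is redundant for a static array but harmless.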
@@ -235,6 +243,9 @@ static int mqfs_destroy(struct mqfs_node *mn); static void mqfs_fileno_alloc(struct mqfs_info *mi, struct mqfs_node *mn); static void mqfs_fileno_free(struct mqfs_info *mi, struct mqfs_node *mn); static int mqfs_allocv(struct mount *mp, struct vnode **vpp, struct mqfs_node *pn); +static int mqfs_prison_create(void *obj, void *data); +static void mqfs_prison_destructor(void *data); +static void mqfs_prison_remove_task(void *context, int pending); /* * Message queue construction and maniplation @@ -435,6 +446,7 @@ mqfs_create_node(const char *name, int namelen, struct node = mqnode_alloc(); strncpy(node->mn_name, name, namelen); + node->mn_pr_root = cred->cr_prison->pr_root; node->mn_type = nodetype; node->mn_refcount = 1; vfs_timestamp(&node->mn_birth); @@ -643,6 +655,10 @@ mqfs_init(struct vfsconf *vfc) { struct mqfs_node *root; struct mqfs_info *mi; + struct prison *pr; + osd_method_t methods[PR_MAXMETHOD] = { + [PR_METHOD_CREATE] = mqfs_prison_create, + }; mqnode_zone = uma_zcreate("mqnode", sizeof(struct mqfs_node), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); @@ -669,6 +685,13 @@ mqfs_init(struct vfsconf *vfc) EVENTHANDLER_PRI_ANY); mq_fdclose = mqueue_fdclose; p31b_setcfg(CTL_P1003_1B_MESSAGE_PASSING, _POSIX_MESSAGE_PASSING); + + /* Note current jails. */ + mqfs_osd_jail_slot = osd_jail_register(mqfs_prison_destructor, methods); + sx_slock(&allprison_lock); + TAILQ_FOREACH(pr, &allprison, pr_list) + (void)mqfs_prison_create(pr, NULL); + sx_sunlock(&allprison_lock); return (0); } @@ -678,10 +701,14 @@ mqfs_init(struct vfsconf *vfc) static int mqfs_uninit(struct vfsconf *vfc) { + unsigned slot; struct mqfs_info *mi; if (!unloadable) return (EOPNOTSUPP); + slot = mqfs_osd_jail_slot; + mqfs_osd_jail_slot = 0; + osd_jail_deregister(slot); EVENTHANDLER_DEREGISTER(process_exit, exit_tag); mi = &mqfs_data; mqfs_destroy(mi->mi_root); 
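Review bot: in mqfs_uninit the sequence `slot = mqfs_osd_jail_slot; mqfs_osd_jail_slot = 0; osd_jail_deregister(slot);` only makes sense together with the `if (mqfs_osd_jail_slot != 0)` test in mqfs_prison_destructor further down, which makes the destructors fired by the deregistration free the mqfs_osd directly instead of enqueueing a task into a module that is unloading; put a comment at the assignment, because in isolation zeroing the slot before deregistering it reads like a bug. In mqfs_init the sweep over allprison under sx_slock calls mqfs_prison_create with data NULL, consistent with its __unused parameter, and the M_WAITOK malloc plus osd_reserve in that function happen before pr_mtx is taken, which is precisely why the osd_reserve API is being introduced.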
@@ -799,13 +826,17 @@ found: * Search a directory entry */ static struct mqfs_node * -mqfs_search(struct mqfs_node *pd, const char *name, int len) +mqfs_search(struct mqfs_node *pd, const char *name, int len, struct ucred *cred) { struct mqfs_node *pn; + const void *pr_root; sx_assert(&pd->mn_info->mi_lock, SX_LOCKED); + pr_root = cred->cr_prison->pr_root; LIST_FOREACH(pn, &pd->mn_children, mn_sibling) { - if (strncmp(pn->mn_name, name, len) == 0 && + /* Only match names within the same prison root directory */ + if ((pn->mn_pr_root == NULL || pn->mn_pr_root == pr_root) && + strncmp(pn->mn_name, name, len) == 0 && pn->mn_name[len] == '\0') return (pn); } @@ -877,7 +908,7 @@ mqfs_lookupx(struct vop_cachedlookup_args *ap) /* named node */ sx_xlock(&mqfs->mi_lock); - pn = mqfs_search(pd, pname, namelen); + pn = mqfs_search(pd, pname, namelen, cnp->cn_cred); if (pn != NULL) mqnode_addref(pn); sx_xunlock(&mqfs->mi_lock); @@ -1362,6 +1393,7 @@ mqfs_readdir(struct vop_readdir_args *ap) struct mqfs_node *pn; struct dirent entry; struct uio *uio; + const void *pr_root; int *tmp_ncookies = NULL; off_t offset; int error, i; @@ -1386,10 +1418,18 @@ mqfs_readdir(struct vop_readdir_args *ap) error = 0; offset = 0; + pr_root = ap->a_cred->cr_prison->pr_root; sx_xlock(&mi->mi_lock); LIST_FOREACH(pn, &pd->mn_children, mn_sibling) { entry.d_reclen = sizeof(entry); + + /* + * Only show names within the same prison root directory + * (or not associated with a prison, e.g. "." and ".."). + */ + if (pn->mn_pr_root != NULL && pn->mn_pr_root != pr_root) + continue; if (!pn->mn_fileno) mqfs_fileno_alloc(mi, pn); entry.d_fileno = pn->mn_fileno; 
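Review bot: the mqfs_search filter `pn->mn_pr_root == NULL || pn->mn_pr_root == pr_root` and the mqfs_readdir skip `pn->mn_pr_root != NULL && pn->mn_pr_root != pr_root` are logical complements, so lookup and listing agree; the readdir comment explains that NULL covers "." and "..", and the mqfs_search comment should say the same. One caveat worth recording: because matching is by exact pr_root identity, a queue created inside a jail is invisible to lookups from the host or from a sibling jail, so jailed queues cannot be listed or unlinked through mqueuefs from outside that jail, and two jails with distinct roots may each hold a queue of the same name. All three callers (mqfs_lookupx with cnp->cn_cred, kern_kmq_open and sys_kmq_unlink with td->td_ucred) supply a credential, so the new parameter is never NULL.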
@@ -1522,7 +1562,82 @@ mqfs_rmdir(struct vop_rmdir_args *ap) #endif /* notyet */ + /* + * Set a destructor task with the prison's root + */ +static int +mqfs_prison_create(void *obj, void *data __unused) +{ + struct prison *pr = obj; + struct mqfs_osd *mo; + void *rsv; + + if (pr->pr_root == pr->pr_parent->pr_root) + return(0); + + mo = malloc(sizeof(struct mqfs_osd), M_PRISON, M_WAITOK); + rsv = osd_reserve(mqfs_osd_jail_slot); + TASK_INIT(&mo->mo_task, 0, mqfs_prison_remove_task, mo); + mtx_lock(&pr->pr_mtx); + mo->mo_pr_root = pr->pr_root; + (void)osd_jail_set_reserved(pr, mqfs_osd_jail_slot, rsv, mo); + mtx_unlock(&pr->pr_mtx); + return (0); +} + +/* + * Queue the task for after jail/OSD locks are released + */ +static void +mqfs_prison_destructor(void *data) +{ + struct mqfs_osd *mo = data; + + if (mqfs_osd_jail_slot != 0) + taskqueue_enqueue(taskqueue_thread, &mo->mo_task); + else + free(mo, M_PRISON); +} + +/* + * See if this prison root is obsolete, and clean up associated queues if it is + */ +static void +mqfs_prison_remove_task(void *context, int pending) +{ + struct mqfs_osd *mo = context; + struct mqfs_node *pn, *tpn; + const struct prison *pr; + const void *pr_root; + int found; + + pr_root = mo->mo_pr_root; + found = 0; + sx_slock(&allprison_lock); + TAILQ_FOREACH(pr, &allprison, pr_list) { + if (pr->pr_root == pr_root) + found = 1; + } + sx_sunlock(&allprison_lock); + if (!found) { + /* + * No jails are rooted in this directory anymore, + * so no queues should be either. + */ + sx_xlock(&mqfs_data.mi_lock); + LIST_FOREACH_SAFE(pn, &mqfs_data.mi_root->mn_children, + mn_sibling, tpn) { + if (pn->mn_pr_root == pr_root) + (void)do_unlink(pn, curthread->td_ucred); + } + sx_xunlock(&mqfs_data.mi_lock); + } + free(mo, M_PRISON); +} + + +/* * Allocate a message queue */ static struct mqueue * 
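Review bot: style points in the mqfs_prison_create hunk: `return(0);` is missing the space style(9) uses everywhere else in the file (`return (0);`), the function's leading comment block is indented by a tab and lacks the terminating period of the two comments that follow it, and there are two blank lines before the reinstated "Allocate a message queue" comment. On logic: mqfs_prison_create returns early when a jail shares pr_root with its parent, so such nested jails share the parent's namespace, which matches the pr_root comparison in mqfs_search; the allprison walk in mqfs_prison_remove_task could `break` on the first match; and the unlinks it performs run with curthread->td_ucred of the taskqueue thread, fine for kernel-initiated cleanup, but any audit record of those unlinks will name the taskqueue thread rather than the departed jail.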
@@ -1982,7 +2097,7 @@ kern_kmq_open(struct thread *td, const char *upath, in return (error); sx_xlock(&mqfs_data.mi_lock); - pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1); + pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1, td->td_ucred); if (pn == NULL) { if (!(flags & O_CREAT)) { error = ENOENT; @@ -2077,7 +2192,7 @@ sys_kmq_unlink(struct thread *td, struct kmq_unlink_ar return (EINVAL); sx_xlock(&mqfs_data.mi_lock); - pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1); + pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1, td->td_ucred); if (pn != NULL) error = do_unlink(pn, td->td_ucred); else Modified: releng/10.3/sys/kern/uipc_sem.c ============================================================================== --- releng/10.3/sys/kern/uipc_sem.c Wed Nov 15 22:42:20 2017 (r325872) +++ releng/10.3/sys/kern/uipc_sem.c Wed Nov 15 22:45:13 2017 (r325873) @@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -444,12 +445,24 @@ ksem_remove(char *path, Fnv32_t fnv, struct ucred *ucr static void ksem_info_impl(struct ksem *ks, char *path, size_t size, uint32_t *value) { + const char *ks_path, *pr_path; + size_t pr_pathlen; if (ks->ks_path == NULL) return; sx_slock(&ksem_dict_lock); - if (ks->ks_path != NULL) - strlcpy(path, ks->ks_path, size); + ks_path = ks->ks_path; + if (ks_path != NULL) { + pr_path = curthread->td_ucred->cr_prison->pr_path; + if (strcmp(pr_path, "/") != 0) { + /* Return the jail-rooted pathname. */ + pr_pathlen = strlen(pr_path); + if (strncmp(ks_path, pr_path, pr_pathlen) == 0 && + ks_path[pr_pathlen] == '/') + ks_path += pr_pathlen; + } + strlcpy(path, ks_path, size); + } if (value != NULL) *value = ks->ks_value; sx_sunlock(&ksem_dict_lock); @@ -493,6 +506,8 @@ ksem_create(struct thread *td, const char *name, semid struct ksem *ks; struct file *fp; char *path; + const char *pr_path; + size_t pr_pathlen; Fnv32_t fnv; int error, fd; 
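Review bot: in ksem_info_impl the prefix strip correctly requires `ks_path[pr_pathlen] == '/'` after the strncmp match, so a jail rooted at /j1 cannot strip its prefix off a semaphore that lives under /j10/; since ksem_create always builds the stored name as pr_path followed by a user name that must start with '/', the check holds for every object the same jail created. Note that the host (pr_path "/") sees and can open the fully prefixed names, so the separation is a prefix namespace rather than a wall: jails cannot reach outside their prefix, the host can reach everything, which is the intended model and should be spelled out in the advisory text. The kern_kmq_open and sys_kmq_unlink hunks simply thread td->td_ucred into mqfs_search.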
@@ -529,10 +544,16 @@ ksem_create(struct thread *td, const char *name, semid ks->ks_flags |= KS_ANONYMOUS; } else { path = malloc(MAXPATHLEN, M_KSEM, M_WAITOK); - error = copyinstr(name, path, MAXPATHLEN, NULL); + pr_path = td->td_ucred->cr_prison->pr_path; + /* Construct a full pathname for jailed callers. */ + pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 + : strlcpy(path, pr_path, MAXPATHLEN); + error = copyinstr(name, path + pr_pathlen, + MAXPATHLEN - pr_pathlen, NULL); + /* Require paths to start with a '/' character. */ - if (error == 0 && path[0] != '/') + if (error == 0 && path[pr_pathlen] != '/') error = EINVAL; if (error) { fdclose(fdp, fp, fd, td); @@ -668,11 +689,17 @@ int sys_ksem_unlink(struct thread *td, struct ksem_unlink_args *uap) { char *path; + const char *pr_path; + size_t pr_pathlen; Fnv32_t fnv; int error; path = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); - error = copyinstr(uap->name, path, MAXPATHLEN, NULL); + pr_path = td->td_ucred->cr_prison->pr_path; + pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 + : strlcpy(path, pr_path, MAXPATHLEN); + error = copyinstr(uap->name, path + pr_pathlen, MAXPATHLEN - pr_pathlen, + NULL); if (error) { free(path, M_TEMP); return (error); Modified: releng/10.3/sys/kern/uipc_shm.c ============================================================================== --- releng/10.3/sys/kern/uipc_shm.c Wed Nov 15 22:42:20 2017 (r325872) +++ releng/10.3/sys/kern/uipc_shm.c Wed Nov 15 22:45:13 2017 (r325873) @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -711,6 +712,8 @@ sys_shm_open(struct thread *td, struct shm_open_args * struct shmfd *shmfd; struct file *fp; char *path; + const char *pr_path; + size_t pr_pathlen; Fnv32_t fnv; mode_t cmode; int fd, error; 
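Review bot: in ksem_create and sys_ksem_unlink, `pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 : strlcpy(path, pr_path, MAXPATHLEN);` takes strlcpy's return value, which is the length of the source regardless of truncation; the following `path + pr_pathlen` and `MAXPATHLEN - pr_pathlen` are therefore safe only because pr_path is stored in a MAXPATHLEN buffer and is always shorter than that, and that invariant is what keeps the size_t subtraction from wrapping. A KASSERT(pr_pathlen < MAXPATHLEN) or a comment at the first use would make it explicit. The relaxed check `path[pr_pathlen] != '/'` still rejects relative names from jailed callers exactly as the old `path[0]` check did for everyone.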
@@ -748,13 +751,19 @@ sys_shm_open(struct thread *td, struct shm_open_args * shmfd = shm_alloc(td->td_ucred, cmode); } else { path = malloc(MAXPATHLEN, M_SHMFD, M_WAITOK); - error = copyinstr(uap->path, path, MAXPATHLEN, NULL); + pr_path = td->td_ucred->cr_prison->pr_path; + + /* Construct a full pathname for jailed callers. */ + pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 + : strlcpy(path, pr_path, MAXPATHLEN); + error = copyinstr(uap->path, path + pr_pathlen, + MAXPATHLEN - pr_pathlen, NULL); #ifdef KTRACE if (error == 0 && KTRPOINT(curthread, KTR_NAMEI)) ktrnamei(path); #endif /* Require paths to start with a '/' character. */ - if (error == 0 && path[0] != '/') + if (error == 0 && path[pr_pathlen] != '/') error = EINVAL; if (error) { fdclose(fdp, fp, fd, td); @@ -841,11 +850,17 @@ int sys_shm_unlink(struct thread *td, struct shm_unlink_args *uap) { char *path; + const char *pr_path; + size_t pr_pathlen; Fnv32_t fnv; int error; path = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); - error = copyinstr(uap->path, path, MAXPATHLEN, NULL); + pr_path = td->td_ucred->cr_prison->pr_path; + pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 + : strlcpy(path, pr_path, MAXPATHLEN); + error = copyinstr(uap->path, path + pr_pathlen, MAXPATHLEN - pr_pathlen, + NULL); if (error) { free(path, M_TEMP); return (error); 
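Review bot: the prefixing idiom (pr_path lookup, the strcmp/strlcpy ternary, copyinstr at path + pr_pathlen) now appears in sys_shm_open and sys_shm_unlink as well as in the two ksem functions above, four copies of the same MAXPATHLEN arithmetic; a small shared helper would keep the length invariant in one place. In sys_shm_open the ktrnamei(path) call now records the jail-prefixed path, which is helpful for forensics: a ktrace of a jailed process shows the host-visible object name rather than the name the process passed in.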
@@ -1052,11 +1067,23 @@ shm_unmap(struct file *fp, void *mem, size_t size) void shm_path(struct shmfd *shmfd, char *path, size_t size) { + const char *shm_path, *pr_path; + size_t pr_pathlen; if (shmfd->shm_path == NULL) return; sx_slock(&shm_dict_lock); - if (shmfd->shm_path != NULL) - strlcpy(path, shmfd->shm_path, size); + shm_path = shmfd->shm_path; + if (shm_path != NULL) { + pr_path = curthread->td_ucred->cr_prison->pr_path; + if (strcmp(pr_path, "/") != 0) { + /* Return the jail-rooted pathname. */ + pr_pathlen = strlen(pr_path); + if (strncmp(shm_path, pr_path, pr_pathlen) == 0 && + shm_path[pr_pathlen] == '/') + shm_path += pr_pathlen; + } + strlcpy(path, shm_path, size); + } sx_sunlock(&shm_dict_lock); } Modified: releng/10.3/sys/sys/osd.h ============================================================================== --- releng/10.3/sys/sys/osd.h Wed Nov 15 22:42:20 2017 (r325872) +++ releng/10.3/sys/sys/osd.h Wed Nov 15 22:45:13 2017 (r325873) 
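Review bot: shm_path mirrors ksem_info_impl, including reading the prison from curthread->td_ucred rather than from a passed credential; the reported path therefore depends on who is asking, not on who created the object, which is the intended jail-relative view but should be stated in the function comment because callers in the fstat/kinfo reporting paths may not expect it. The two de-prefixing blocks are textually identical and could share a helper alongside the four prefixing sites.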
@@ -59,6 +59,10 @@ int osd_register(u_int type, osd_destructor_t destruct void osd_deregister(u_int type, u_int slot); int osd_set(u_int type, struct osd *osd, u_int slot, void *value); +void *osd_reserve(u_int slot); +int osd_set_reserved(u_int type, struct osd *osd, u_int slot, void *rsv, + void *value); *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-releng@freebsd.org Wed Nov 15 22:45:52 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4CFC5DE98CB; Wed, 15 Nov 2017 22:45:52 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 075E27F9BC; Wed, 15 Nov 2017 22:45:51 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMjp1d010885; Wed, 15 Nov 2017 22:45:51 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMjoZ7010882; Wed, 15 Nov 2017 22:45:50 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152245.vAFMjoZ7010882@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
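Review bot: osd.h adds osd_reserve(u_int slot) and osd_set_reserved(type, osd, slot, rsv, value), but uipc_mqueue.c calls osd_jail_set_reserved, the jail-typed wrapper, whose declaration is not in the visible output; it presumably lives in the part of this diff (sys/jail.h and the osd.c implementation) that the 1000-line truncation notice cut off, so it has to be reviewed from the full revision. The new prototypes carry no comment on ownership of rsv (whether the caller must free it if osd_set_reserved fails); one line there would settle it.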
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:45:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325874 - releng/10.4/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/10.4/sys/kern X-SVN-Commit-Revision: 325874 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:45:52 -0000 Author: gordon Date: Wed Nov 15 22:45:50 2017 New Revision: 325874 URL: https://svnweb.freebsd.org/changeset/base/325874 Log: Fix namespace issue in POSIX shm implementation for jails. [SA-17:09] Approved by: so Security: FreeBSD-SA-17:09.shm Security: CVE-2017-1087 Modified: releng/10.4/sys/kern/uipc_mqueue.c releng/10.4/sys/kern/uipc_sem.c releng/10.4/sys/kern/uipc_shm.c Modified: releng/10.4/sys/kern/uipc_mqueue.c ============================================================================== --- releng/10.4/sys/kern/uipc_mqueue.c Wed Nov 15 22:45:13 2017 (r325873) +++ releng/10.4/sys/kern/uipc_mqueue.c Wed Nov 15 22:45:50 2017 (r325874) @@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -60,8 +61,8 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include -#include #include #include #include @@ -131,6 +132,7 @@ struct mqfs_node { LIST_HEAD(,mqfs_node) mn_children; LIST_ENTRY(mqfs_node) mn_sibling; LIST_HEAD(,mqfs_vdata) mn_vnodes; + const void *mn_pr_root; int mn_refcount; mqfs_type_t mn_type; int mn_deleted; 
@@ -218,6 +220,7 @@ static uma_zone_t mvdata_zone; static uma_zone_t mqnoti_zone; static struct vop_vector mqfs_vnodeops; static struct fileops mqueueops; +static unsigned mqfs_osd_jail_slot; /* * Directory structure construction and manipulation @@ -235,6 +238,7 @@ static int mqfs_destroy(struct mqfs_node *mn); static void mqfs_fileno_alloc(struct mqfs_info *mi, struct mqfs_node *mn); static void mqfs_fileno_free(struct mqfs_info *mi, struct mqfs_node *mn); static int mqfs_allocv(struct mount *mp, struct vnode **vpp, struct mqfs_node *pn); +static int mqfs_prison_remove(void *obj, void *data); /* * Message queue construction and maniplation @@ -435,6 +439,7 @@ mqfs_create_node(const char *name, int namelen, struct node = mqnode_alloc(); strncpy(node->mn_name, name, namelen); + node->mn_pr_root = cred->cr_prison->pr_root; node->mn_type = nodetype; node->mn_refcount = 1; vfs_timestamp(&node->mn_birth); @@ -643,6 +648,9 @@ mqfs_init(struct vfsconf *vfc) { struct mqfs_node *root; struct mqfs_info *mi; + osd_method_t methods[PR_MAXMETHOD] = { + [PR_METHOD_REMOVE] = mqfs_prison_remove, + }; mqnode_zone = uma_zcreate("mqnode", sizeof(struct mqfs_node), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); @@ -669,6 +677,7 @@ mqfs_init(struct vfsconf *vfc) EVENTHANDLER_PRI_ANY); mq_fdclose = mqueue_fdclose; p31b_setcfg(CTL_P1003_1B_MESSAGE_PASSING, _POSIX_MESSAGE_PASSING); + mqfs_osd_jail_slot = osd_jail_register(NULL, methods); return (0); } @@ -682,6 +691,7 @@ mqfs_uninit(struct vfsconf *vfc) if (!unloadable) return (EOPNOTSUPP); + osd_jail_deregister(mqfs_osd_jail_slot); EVENTHANDLER_DEREGISTER(process_exit, exit_tag); mi = &mqfs_data; mqfs_destroy(mi->mi_root); 
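Review bot: this branch takes the simpler route, osd_jail_register(NULL, methods) with only PR_METHOD_REMOVE and no destructor, and no per-jail OSD value is ever stored, so the slot exists solely to receive the remove callback; a one-line comment at the registration saying so would save the next reader from hunting for an osd_jail_set call. Because no state is kept per jail, mqfs_uninit can deregister directly without the slot-zeroing sequence the releng/10.3 version needs, and no sweep of existing jails is required at init.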
@@ -801,13 +811,17 @@ found: * Search a directory entry */ static struct mqfs_node * -mqfs_search(struct mqfs_node *pd, const char *name, int len) +mqfs_search(struct mqfs_node *pd, const char *name, int len, struct ucred *cred) { struct mqfs_node *pn; + const void *pr_root; sx_assert(&pd->mn_info->mi_lock, SX_LOCKED); + pr_root = cred->cr_prison->pr_root; LIST_FOREACH(pn, &pd->mn_children, mn_sibling) { - if (strncmp(pn->mn_name, name, len) == 0 && + /* Only match names within the same prison root directory */ + if ((pn->mn_pr_root == NULL || pn->mn_pr_root == pr_root) && + strncmp(pn->mn_name, name, len) == 0 && pn->mn_name[len] == '\0') return (pn); } @@ -879,7 +893,7 @@ mqfs_lookupx(struct vop_cachedlookup_args *ap) /* named node */ sx_xlock(&mqfs->mi_lock); - pn = mqfs_search(pd, pname, namelen); + pn = mqfs_search(pd, pname, namelen, cnp->cn_cred); if (pn != NULL) mqnode_addref(pn); sx_xunlock(&mqfs->mi_lock); @@ -1364,6 +1378,7 @@ mqfs_readdir(struct vop_readdir_args *ap) struct mqfs_node *pn; struct dirent entry; struct uio *uio; + const void *pr_root; int *tmp_ncookies = NULL; off_t offset; int error, i; @@ -1388,10 +1403,18 @@ mqfs_readdir(struct vop_readdir_args *ap) error = 0; offset = 0; + pr_root = ap->a_cred->cr_prison->pr_root; sx_xlock(&mi->mi_lock); LIST_FOREACH(pn, &pd->mn_children, mn_sibling) { entry.d_reclen = sizeof(entry); + + /* + * Only show names within the same prison root directory + * (or not associated with a prison, e.g. "." and ".."). + */ + if (pn->mn_pr_root != NULL && pn->mn_pr_root != pr_root) + continue; if (!pn->mn_fileno) mqfs_fileno_alloc(mi, pn); entry.d_fileno = pn->mn_fileno; 
@@ -1525,6 +1548,38 @@ mqfs_rmdir(struct vop_rmdir_args *ap) #endif /* notyet */ /* + * See if this prison root is obsolete, and clean up associated queues if it is. + */ +static int +mqfs_prison_remove(void *obj, void *data __unused) +{ + const struct prison *pr = obj; + const struct prison *tpr; + struct mqfs_node *pn, *tpn; + int found; + + found = 0; + TAILQ_FOREACH(tpr, &allprison, pr_list) { + if (tpr->pr_root == pr->pr_root && tpr != pr && tpr->pr_ref > 0) + found = 1; + } + if (!found) { + /* + * No jails are rooted in this directory anymore, + * so no queues should be either. + */ + sx_xlock(&mqfs_data.mi_lock); + LIST_FOREACH_SAFE(pn, &mqfs_data.mi_root->mn_children, + mn_sibling, tpn) { + if (pn->mn_pr_root == pr->pr_root) + (void)do_unlink(pn, curthread->td_ucred); + } + sx_xunlock(&mqfs_data.mi_lock); + } + return (0); +} + +/* * Allocate a message queue */ static struct mqueue * @@ -1984,7 +2039,7 @@ kern_kmq_open(struct thread *td, const char *upath, in return (error); sx_xlock(&mqfs_data.mi_lock); - pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1); + pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1, td->td_ucred); if (pn == NULL) { if (!(flags & O_CREAT)) { error = ENOENT; @@ -2079,7 +2134,7 @@ sys_kmq_unlink(struct thread *td, struct kmq_unlink_ar return (EINVAL); sx_xlock(&mqfs_data.mi_lock); - pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1); + pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1, td->td_ucred); if (pn != NULL) error = do_unlink(pn, td->td_ucred); else Modified: releng/10.4/sys/kern/uipc_sem.c ============================================================================== --- releng/10.4/sys/kern/uipc_sem.c Wed Nov 15 22:45:13 2017 (r325873) +++ releng/10.4/sys/kern/uipc_sem.c Wed Nov 15 22:45:50 2017 (r325874) @@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include 
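Review bot: mqfs_prison_remove walks allprison without taking allprison_lock itself and without an sx_assert; it relies on the PR_METHOD_REMOVE call site holding that lock, which should be stated with sx_assert(&allprison_lock, SA_LOCKED) at the top of the function so the assumption is checked rather than implied. The `tpr != pr && tpr->pr_ref > 0` conditions correctly ignore the prison being removed and any other prison already draining, and the loop could `break` once found is set. As in the releng/10.3 version, the unlinks run with curthread->td_ucred, here the credential of whichever thread is removing the jail.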
@@ -444,12 +445,24 @@ ksem_remove(char *path, Fnv32_t fnv, struct ucred *ucr static void ksem_info_impl(struct ksem *ks, char *path, size_t size, uint32_t *value) { + const char *ks_path, *pr_path; + size_t pr_pathlen; if (ks->ks_path == NULL) return; sx_slock(&ksem_dict_lock); - if (ks->ks_path != NULL) - strlcpy(path, ks->ks_path, size); + ks_path = ks->ks_path; + if (ks_path != NULL) { + pr_path = curthread->td_ucred->cr_prison->pr_path; + if (strcmp(pr_path, "/") != 0) { + /* Return the jail-rooted pathname. */ + pr_pathlen = strlen(pr_path); + if (strncmp(ks_path, pr_path, pr_pathlen) == 0 && + ks_path[pr_pathlen] == '/') + ks_path += pr_pathlen; + } + strlcpy(path, ks_path, size); + } if (value != NULL) *value = ks->ks_value; sx_sunlock(&ksem_dict_lock); @@ -493,6 +506,8 @@ ksem_create(struct thread *td, const char *name, semid struct ksem *ks; struct file *fp; char *path; + const char *pr_path; + size_t pr_pathlen; Fnv32_t fnv; int error, fd; @@ -529,10 +544,16 @@ ksem_create(struct thread *td, const char *name, semid ks->ks_flags |= KS_ANONYMOUS; } else { path = malloc(MAXPATHLEN, M_KSEM, M_WAITOK); - error = copyinstr(name, path, MAXPATHLEN, NULL); + pr_path = td->td_ucred->cr_prison->pr_path; + /* Construct a full pathname for jailed callers. */ + pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 + : strlcpy(path, pr_path, MAXPATHLEN); + error = copyinstr(name, path + pr_pathlen, + MAXPATHLEN - pr_pathlen, NULL); + /* Require paths to start with a '/' character. */ - if (error == 0 && path[0] != '/') + if (error == 0 && path[pr_pathlen] != '/') error = EINVAL; if (error) { fdclose(td, fp, fd); 
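Review bot: same observation as on the releng/10.3 copy of ksem_create: the offset is strlcpy's return value, so `MAXPATHLEN - pr_pathlen` relies on pr_path always being shorter than MAXPATHLEN; a KASSERT would document that. The fdclose(td, fp, fd) context line (versus fdclose(fdp, fp, fd, td) in 10.3) confirms the hunk was re-targeted for this branch's API rather than applied blindly.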
@@ -668,11 +689,17 @@ int sys_ksem_unlink(struct thread *td, struct ksem_unlink_args *uap) { char *path; + const char *pr_path; + size_t pr_pathlen; Fnv32_t fnv; int error; path = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); - error = copyinstr(uap->name, path, MAXPATHLEN, NULL); + pr_path = td->td_ucred->cr_prison->pr_path; + pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 + : strlcpy(path, pr_path, MAXPATHLEN); + error = copyinstr(uap->name, path + pr_pathlen, MAXPATHLEN - pr_pathlen, + NULL); if (error) { free(path, M_TEMP); return (error); Modified: releng/10.4/sys/kern/uipc_shm.c ============================================================================== --- releng/10.4/sys/kern/uipc_shm.c Wed Nov 15 22:45:13 2017 (r325873) +++ releng/10.4/sys/kern/uipc_shm.c Wed Nov 15 22:45:50 2017 (r325874) @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -712,6 +713,8 @@ sys_shm_open(struct thread *td, struct shm_open_args * struct shmfd *shmfd; struct file *fp; char *path; + const char *pr_path; + size_t pr_pathlen; Fnv32_t fnv; mode_t cmode; int fd, error; @@ -749,13 +752,19 @@ sys_shm_open(struct thread *td, struct shm_open_args * shmfd = shm_alloc(td->td_ucred, cmode); } else { path = malloc(MAXPATHLEN, M_SHMFD, M_WAITOK); - error = copyinstr(uap->path, path, MAXPATHLEN, NULL); + pr_path = td->td_ucred->cr_prison->pr_path; + + /* Construct a full pathname for jailed callers. */ + pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 + : strlcpy(path, pr_path, MAXPATHLEN); + error = copyinstr(uap->path, path + pr_pathlen, + MAXPATHLEN - pr_pathlen, NULL); #ifdef KTRACE if (error == 0 && KTRPOINT(curthread, KTR_NAMEI)) ktrnamei(path); #endif /* Require paths to start with a '/' character. */ - if (error == 0 && path[0] != '/') + if (error == 0 && path[pr_pathlen] != '/') error = EINVAL; if (error) { fdclose(td, fp, fd); 
@@ -842,11 +851,17 @@ int sys_shm_unlink(struct thread *td, struct shm_unlink_args *uap) { char *path; + const char *pr_path; + size_t pr_pathlen; Fnv32_t fnv; int error; path = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); - error = copyinstr(uap->path, path, MAXPATHLEN, NULL); + pr_path = td->td_ucred->cr_prison->pr_path; + pr_pathlen = strcmp(pr_path, "/") == 0 ? 0 + : strlcpy(path, pr_path, MAXPATHLEN); + error = copyinstr(uap->path, path + pr_pathlen, MAXPATHLEN - pr_pathlen, + NULL); if (error) { free(path, M_TEMP); return (error); 
@@ -1053,11 +1068,23 @@ shm_unmap(struct file *fp, void *mem, size_t size) void shm_path(struct shmfd *shmfd, char *path, size_t size) { + const char *shm_path, *pr_path; + size_t pr_pathlen; if (shmfd->shm_path == NULL) return; sx_slock(&shm_dict_lock); - if (shmfd->shm_path != NULL) - strlcpy(path, shmfd->shm_path, size); + shm_path = shmfd->shm_path; + if (shm_path != NULL) { + pr_path = curthread->td_ucred->cr_prison->pr_path; + if (strcmp(pr_path, "/") != 0) { + /* Return the jail-rooted pathname. */ + pr_pathlen = strlen(pr_path); + if (strncmp(shm_path, pr_path, pr_pathlen) == 0 && + shm_path[pr_pathlen] == '/') + shm_path += pr_pathlen; + } + strlcpy(path, shm_path, size); + } sx_sunlock(&shm_dict_lock); } From owner-svn-src-releng@freebsd.org Wed Nov 15 22:49:48 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BA50CDE9AD8; Wed, 15 Nov 2017 22:49:48 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9410E7FBF6; Wed, 15 Nov 2017 22:49:48 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMnlSL011068; Wed, 15 Nov 2017 22:49:47 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMnlSa011064; Wed, 15 Nov 2017 22:49:47 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152249.vAFMnlSa011064@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
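Review bot: shm_path here is identical to the releng/10.3 version, so the same note applies: the jail-relative view is computed from curthread->td_ucred and should be documented in the function comment, and the `shm_path[pr_pathlen] == '/'` boundary check is what prevents a jail at /j1 from stripping its prefix off a /j10/... object name.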
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:49:47 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325875 - in releng/11.1: . sys/compat/freebsd32 sys/conf sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng/11.1: . sys/compat/freebsd32 sys/conf sys/kern X-SVN-Commit-Revision: 325875 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:49:48 -0000 Author: gordon Date: Wed Nov 15 22:49:47 2017 New Revision: 325875 URL: https://svnweb.freebsd.org/changeset/base/325875 Log: Properly bzero kldstat structure to prevent information leak. [SA-17:10] Approved by: so Security: FreeBSD-SA-17:10.kldstat Security: CVE-2017-1088 Modified: releng/11.1/UPDATING releng/11.1/sys/compat/freebsd32/freebsd32_misc.c releng/11.1/sys/conf/newvers.sh releng/11.1/sys/kern/kern_linker.c Modified: releng/11.1/UPDATING ============================================================================== --- releng/11.1/UPDATING Wed Nov 15 22:45:50 2017 (r325874) +++ releng/11.1/UPDATING Wed Nov 15 22:49:47 2017 (r325875) 
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20171115 p3 FreeBSD-SA-17:08.ptrace + FreeBSD-SA-17:10.kldstat + + Fix ptrace(2) vulnerability. [SA-17:08.ptrace] + + Fix kldstat(2) vulnerability. [SA-17:10.kldstat] + 20171102 p3 FreeBSD-EN-17:09.tzdata Update timezone database information. [EN-17:09] Modified: releng/11.1/sys/compat/freebsd32/freebsd32_misc.c ============================================================================== --- releng/11.1/sys/compat/freebsd32/freebsd32_misc.c Wed Nov 15 22:45:50 2017 (r325874) +++ releng/11.1/sys/compat/freebsd32/freebsd32_misc.c Wed Nov 15 22:49:47 2017 (r325875) @@ -2950,8 +2950,8 @@ freebsd32_copyout_strings(struct image_params *imgp) int freebsd32_kldstat(struct thread *td, struct freebsd32_kldstat_args *uap) { - struct kld_file_stat stat; - struct kld32_file_stat stat32; + struct kld_file_stat *stat; + struct kld32_file_stat *stat32; int error, version; if ((error = copyin(&uap->stat->version, &version, sizeof(version))) 
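Review bot: the new UPDATING entry is labelled `20171115 p3` while the newvers.sh hunk in this same commit moves BRANCH from RELEASE-p3 to RELEASE-p4 and the preceding entry (20171102) is already p3; the entry should read p4 to match the kernel version string. The freebsd32_kldstat declaration change from stack structs to pointers is the first half of the heap-with-M_ZERO approach completed in the next hunk.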
@@ -2961,17 +2961,22 @@ freebsd32_kldstat(struct thread *td, struct freebsd32_ version != sizeof(struct kld32_file_stat)) return (EINVAL); - error = kern_kldstat(td, uap->fileid, &stat); - if (error != 0) - return (error); - - bcopy(&stat.name[0], &stat32.name[0], sizeof(stat.name)); - CP(stat, stat32, refs); - CP(stat, stat32, id); - PTROUT_CP(stat, stat32, address); - CP(stat, stat32, size); - bcopy(&stat.pathname[0], &stat32.pathname[0], sizeof(stat.pathname)); - return (copyout(&stat32, uap->stat, version)); + stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO); + stat32 = malloc(sizeof(*stat32), M_TEMP, M_WAITOK | M_ZERO); + error = kern_kldstat(td, uap->fileid, stat); + if (error == 0) { + bcopy(&stat->name[0], &stat32->name[0], sizeof(stat->name)); + CP(*stat, *stat32, refs); + CP(*stat, *stat32, id); + PTROUT_CP(*stat, *stat32, address); + CP(*stat, *stat32, size); + bcopy(&stat->pathname[0], &stat32->pathname[0], + sizeof(stat->pathname)); + error = copyout(stat32, uap->stat, version); + } + free(stat, M_TEMP); + free(stat32, M_TEMP); + return (error); } int Modified: releng/11.1/sys/conf/newvers.sh ============================================================================== --- releng/11.1/sys/conf/newvers.sh Wed Nov 15 22:45:50 2017 (r325874) +++ releng/11.1/sys/conf/newvers.sh Wed Nov 15 22:49:47 2017 (r325875) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.1" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.1/sys/kern/kern_linker.c ============================================================================== --- releng/11.1/sys/kern/kern_linker.c Wed Nov 15 22:45:50 2017 (r325874) +++ releng/11.1/sys/kern/kern_linker.c Wed Nov 15 22:49:47 2017 (r325875) @@ -1201,7 +1201,7 @@ out: int sys_kldstat(struct thread *td, struct kldstat_args *uap) { - struct kld_file_stat stat; + struct kld_file_stat *stat; int error, version; /* 
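Review bot: the log says "bzero kldstat structure" but the hunk switches both stat and stat32 to malloc(..., M_WAITOK | M_ZERO); the effect is equivalent, and zeroing stat32 as well matters because bcopy copies the full fixed-size name and pathname arrays, including the bytes past the NUL that kern_kldstat never writes, so with an unzeroed destination those bytes would have been stack contents handed to userland. A bzero of the two stack structs would have been a smaller diff with no allocation on the syscall path, but the error handling here is correct: both buffers are freed on every path and copyout's length is the version value already checked to equal sizeof(struct kld32_file_stat).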
@@ -1214,10 +1214,12 @@ sys_kldstat(struct thread *td, struct kldstat_args *ua version != sizeof(struct kld_file_stat)) return (EINVAL); - error = kern_kldstat(td, uap->fileid, &stat); - if (error != 0) - return (error); - return (copyout(&stat, uap->stat, version)); + stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO); + error = kern_kldstat(td, uap->fileid, stat); + if (error == 0) + error = copyout(stat, uap->stat, version); + free(stat, M_TEMP); + return (error); } int From owner-svn-src-releng@freebsd.org Wed Nov 15 22:50:21 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D5CC7DE9BD7; Wed, 15 Nov 2017 22:50:21 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AF98C7FD5D; Wed, 15 Nov 2017 22:50:21 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMoKVU011156; Wed, 15 Nov 2017 22:50:20 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMoKLX011152; Wed, 15 Nov 2017 22:50:20 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152250.vAFMoKLX011152@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
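Review bot: sys_kldstat gets the same treatment as the freebsd32 variant; the M_ZERO allocation covers struct padding and the unwritten tails of name and pathname, which is the information leak the advisory fixes, and `copyout(stat, uap->stat, version)` copies exactly sizeof(struct kld_file_stat) bytes because of the version check above it. The single free on both the success and error paths keeps the function leak-free in the memory sense as well.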
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:50:20 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325876 - in releng/11.0: . sys/compat/freebsd32 sys/conf sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng/11.0: . sys/compat/freebsd32 sys/conf sys/kern X-SVN-Commit-Revision: 325876 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:50:21 -0000 Author: gordon Date: Wed Nov 15 22:50:20 2017 New Revision: 325876 URL: https://svnweb.freebsd.org/changeset/base/325876 Log: Properly bzero kldstat structure to prevent information leak. [SA-17:10] Approved by: so Security: FreeBSD-SA-17:10.kldstat Security: CVE-2017-1088 Modified: releng/11.0/UPDATING releng/11.0/sys/compat/freebsd32/freebsd32_misc.c releng/11.0/sys/conf/newvers.sh releng/11.0/sys/kern/kern_linker.c Modified: releng/11.0/UPDATING ============================================================================== --- releng/11.0/UPDATING Wed Nov 15 22:49:47 2017 (r325875) +++ releng/11.0/UPDATING Wed Nov 15 22:50:20 2017 (r325876) 
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20171115 p15 FreeBSD-SA-17:08.ptrace + FreeBSD-SA-17:10.kldstat + + Fix ptrace(2) vulnerability. [SA-17:08.ptrace] + + Fix kldstat(2) vulnerability. [SA-17:10.kldstat] + 20171102 p14 FreeBSD-EN-17:09.tzdata Update timezone database information. [EN-17:09] Modified: releng/11.0/sys/compat/freebsd32/freebsd32_misc.c ============================================================================== --- releng/11.0/sys/compat/freebsd32/freebsd32_misc.c Wed Nov 15 22:49:47 2017 (r325875) +++ releng/11.0/sys/compat/freebsd32/freebsd32_misc.c Wed Nov 15 22:50:20 2017 (r325876) @@ -2959,8 +2959,8 @@ freebsd32_copyout_strings(struct image_params *imgp) int freebsd32_kldstat(struct thread *td, struct freebsd32_kldstat_args *uap) { - struct kld_file_stat stat; - struct kld32_file_stat stat32; + struct kld_file_stat *stat; + struct kld32_file_stat *stat32; int error, version; if ((error = copyin(&uap->stat->version, &version, sizeof(version))) 
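Review bot: Two points on this line. In the UPDATING hunk, the new 11.0 entry lists only SA-17:08.ptrace and SA-17:10.kldstat; if releng/11.0 also received the SA-17:09.shm fix that the 10.3 and 10.4 entries record, it should be listed here as well (the p15 level itself matches the BRANCH bump in newvers.sh). In the freebsd32_kldstat() declaration hunk, `stat` and `stat32` are uninitialised pointers from the declaration until the malloc() calls in the following hunk; that is acceptable only because the intervening copyin() and version checks return without touching them, so anyone adding an early exit there must not dereference or free() them.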
@@ -2970,17 +2970,22 @@ freebsd32_kldstat(struct thread *td, struct freebsd32_ version != sizeof(struct kld32_file_stat)) return (EINVAL); - error = kern_kldstat(td, uap->fileid, &stat); - if (error != 0) - return (error); - - bcopy(&stat.name[0], &stat32.name[0], sizeof(stat.name)); - CP(stat, stat32, refs); - CP(stat, stat32, id); - PTROUT_CP(stat, stat32, address); - CP(stat, stat32, size); - bcopy(&stat.pathname[0], &stat32.pathname[0], sizeof(stat.pathname)); - return (copyout(&stat32, uap->stat, version)); + stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO); + stat32 = malloc(sizeof(*stat32), M_TEMP, M_WAITOK | M_ZERO); + error = kern_kldstat(td, uap->fileid, stat); + if (error == 0) { + bcopy(&stat->name[0], &stat32->name[0], sizeof(stat->name)); + CP(*stat, *stat32, refs); + CP(*stat, *stat32, id); + PTROUT_CP(*stat, *stat32, address); + CP(*stat, *stat32, size); + bcopy(&stat->pathname[0], &stat32->pathname[0], + sizeof(stat->pathname)); + error = copyout(stat32, uap->stat, version); + } + free(stat, M_TEMP); + free(stat32, M_TEMP); + return (error); } int Modified: releng/11.0/sys/conf/newvers.sh ============================================================================== --- releng/11.0/sys/conf/newvers.sh Wed Nov 15 22:49:47 2017 (r325875) +++ releng/11.0/sys/conf/newvers.sh Wed Nov 15 22:50:20 2017 (r325876) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="11.0" -BRANCH="RELEASE-p14" +BRANCH="RELEASE-p15" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.0/sys/kern/kern_linker.c ============================================================================== --- releng/11.0/sys/kern/kern_linker.c Wed Nov 15 22:49:47 2017 (r325875) +++ releng/11.0/sys/kern/kern_linker.c Wed Nov 15 22:50:20 2017 (r325876) @@ -1201,7 +1201,7 @@ out: int sys_kldstat(struct thread *td, struct kldstat_args *uap) { - struct kld_file_stat stat; + struct kld_file_stat *stat; int error, version; /* 
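Review bot: In the freebsd32_kldstat() hunk here, both M_ZERO flags are needed, not only the one on `stat32`: `bcopy(&stat->name[0], &stat32->name[0], sizeof(stat->name))` and the matching pathname copy move the whole arrays, so any stale bytes after the NUL in `*stat` would be copied over the zeroed `*stat32` and then out to userland. Zeroing `*stat32` alone would have left that path open. A one-line comment above the allocations saying that the zeroing is a security requirement would stop a future cleanup from dropping the flag as "unnecessary".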
@@ -1214,10 +1214,12 @@ sys_kldstat(struct thread *td, struct kldstat_args *ua version != sizeof(struct kld_file_stat)) return (EINVAL); - error = kern_kldstat(td, uap->fileid, &stat); - if (error != 0) - return (error); - return (copyout(&stat, uap->stat, version)); + stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO); + error = kern_kldstat(td, uap->fileid, stat); + if (error == 0) + error = copyout(stat, uap->stat, version); + free(stat, M_TEMP); + return (error); } int From owner-svn-src-releng@freebsd.org Wed Nov 15 22:50:48 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8A86FDE9CB4; Wed, 15 Nov 2017 22:50:48 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 64B9D7FEB0; Wed, 15 Nov 2017 22:50:48 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMoluu011220; Wed, 15 Nov 2017 22:50:47 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMolTC011216; Wed, 15 Nov 2017 22:50:47 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152250.vAFMolTC011216@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
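Review bot: The sys_kldstat() hunk here zeroes the buffer with `malloc(..., M_WAITOK | M_ZERO)` rather than the bzero() the commit log ("Properly bzero kldstat structure") describes; the effect is the same, but the log should name the actual mechanism so that someone auditing the fix finds it. Otherwise the hunk is straightforward: the allocation cannot fail under M_WAITOK, free() runs on every path, and the copyout() error is propagated to the caller.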
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:50:47 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325877 - in releng/10.4: . sys/compat/freebsd32 sys/conf sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng/10.4: . sys/compat/freebsd32 sys/conf sys/kern X-SVN-Commit-Revision: 325877 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:50:48 -0000 Author: gordon Date: Wed Nov 15 22:50:47 2017 New Revision: 325877 URL: https://svnweb.freebsd.org/changeset/base/325877 Log: Properly bzero kldstat structure to prevent information leak. [SA-17:10] Approved by: so Security: FreeBSD-SA-17:10.kldstat Security: CVE-2017-1088 Modified: releng/10.4/UPDATING releng/10.4/sys/compat/freebsd32/freebsd32_misc.c releng/10.4/sys/conf/newvers.sh releng/10.4/sys/kern/kern_linker.c Modified: releng/10.4/UPDATING ============================================================================== --- releng/10.4/UPDATING Wed Nov 15 22:50:20 2017 (r325876) +++ releng/10.4/UPDATING Wed Nov 15 22:50:47 2017 (r325877) 
@@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITHOUT_CLANG to b stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20171115 p3 FreeBSD-SA-17:08.ptrace + FreeBSD-SA-17:09.shm + FreeBSD-SA-17:10.kldstat + + Fix ptrace(2) vulnerability. [SA-17:08.ptrace] + + Fix POSIX shm namespace vulnerability. [SA-17:09.shm] + + Fix kldstat(2) vulnerability. [SA-17:10.kldstat] + 20171102: p2 FreeBSD-EN-17:09.tzdata Update timezone database information. [EN-17:09] Modified: releng/10.4/sys/compat/freebsd32/freebsd32_misc.c ============================================================================== --- releng/10.4/sys/compat/freebsd32/freebsd32_misc.c Wed Nov 15 22:50:20 2017 (r325876) +++ releng/10.4/sys/compat/freebsd32/freebsd32_misc.c Wed Nov 15 22:50:47 2017 (r325877) @@ -3068,8 +3068,8 @@ freebsd32_copyout_strings(struct image_params *imgp) int freebsd32_kldstat(struct thread *td, struct freebsd32_kldstat_args *uap) { - struct kld_file_stat stat; - struct kld32_file_stat stat32; + struct kld_file_stat *stat; + struct kld32_file_stat *stat32; int error, version; if ((error = copyin(&uap->stat->version, &version, sizeof(version))) 
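Review bot: Style nit in the 10.4 UPDATING hunk: the new entry is written `20171115 p3` while the preceding entry in the context reads `20171102: p2` with a colon after the date; use one format within the branch so the entries read and parse the same way. The advisory list and the p3 level agree with the BRANCH="RELEASE-p3" change in newvers.sh on this line.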
@@ -3079,17 +3079,22 @@ freebsd32_kldstat(struct thread *td, struct freebsd32_ version != sizeof(struct kld32_file_stat)) return (EINVAL); - error = kern_kldstat(td, uap->fileid, &stat); - if (error != 0) - return (error); - - bcopy(&stat.name[0], &stat32.name[0], sizeof(stat.name)); - CP(stat, stat32, refs); - CP(stat, stat32, id); - PTROUT_CP(stat, stat32, address); - CP(stat, stat32, size); - bcopy(&stat.pathname[0], &stat32.pathname[0], sizeof(stat.pathname)); - return (copyout(&stat32, uap->stat, version)); + stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO); + stat32 = malloc(sizeof(*stat32), M_TEMP, M_WAITOK | M_ZERO); + error = kern_kldstat(td, uap->fileid, stat); + if (error == 0) { + bcopy(&stat->name[0], &stat32->name[0], sizeof(stat->name)); + CP(*stat, *stat32, refs); + CP(*stat, *stat32, id); + PTROUT_CP(*stat, *stat32, address); + CP(*stat, *stat32, size); + bcopy(&stat->pathname[0], &stat32->pathname[0], + sizeof(stat->pathname)); + error = copyout(stat32, uap->stat, version); + } + free(stat, M_TEMP); + free(stat32, M_TEMP); + return (error); } int Modified: releng/10.4/sys/conf/newvers.sh ============================================================================== --- releng/10.4/sys/conf/newvers.sh Wed Nov 15 22:50:20 2017 (r325876) +++ releng/10.4/sys/conf/newvers.sh Wed Nov 15 22:50:47 2017 (r325877) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.4" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.4/sys/kern/kern_linker.c ============================================================================== --- releng/10.4/sys/kern/kern_linker.c Wed Nov 15 22:50:20 2017 (r325876) +++ releng/10.4/sys/kern/kern_linker.c Wed Nov 15 22:50:47 2017 (r325877) @@ -1196,7 +1196,7 @@ out: int sys_kldstat(struct thread *td, struct kldstat_args *uap) { - struct kld_file_stat stat; + struct kld_file_stat *stat; int error, version; /* 
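Review bot: For the 10.4 freebsd32_kldstat() hunk, consider adding a regression test alongside the fix: a userland program that calls kldstat(2) through both the native and the 32-bit compat path and asserts that every byte after the terminating NUL of name and pathname is zero would catch a reintroduction of the uninitialised-buffer pattern in either path. The hunk itself is fine: the two M_ZERO allocations close the leak, and the error path frees both buffers.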
@@ -1209,10 +1209,12 @@ sys_kldstat(struct thread *td, struct kldstat_args *ua version != sizeof(struct kld_file_stat)) return (EINVAL); - error = kern_kldstat(td, uap->fileid, &stat); - if (error != 0) - return (error); - return (copyout(&stat, uap->stat, version)); + stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO); + error = kern_kldstat(td, uap->fileid, stat); + if (error == 0) + error = copyout(stat, uap->stat, version); + free(stat, M_TEMP); + return (error); } int From owner-svn-src-releng@freebsd.org Wed Nov 15 22:51:09 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CEE19DE9D3A; Wed, 15 Nov 2017 22:51:09 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A90788002C; Wed, 15 Nov 2017 22:51:09 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMp8FL011287; Wed, 15 Nov 2017 22:51:08 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMp8VY011282; Wed, 15 Nov 2017 22:51:08 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152251.vAFMp8VY011282@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:51:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325878 - in releng/10.3: . sys/compat/freebsd32 sys/conf sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng/10.3: . sys/compat/freebsd32 sys/conf sys/kern X-SVN-Commit-Revision: 325878 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:51:09 -0000 Author: gordon Date: Wed Nov 15 22:51:08 2017 New Revision: 325878 URL: https://svnweb.freebsd.org/changeset/base/325878 Log: Properly bzero kldstat structure to prevent information leak. [SA-17:10] Approved by: so Security: FreeBSD-SA-17:10.kldstat Security: CVE-2017-1088 Modified: releng/10.3/UPDATING releng/10.3/sys/compat/freebsd32/freebsd32_misc.c releng/10.3/sys/conf/newvers.sh releng/10.3/sys/kern/kern_linker.c Modified: releng/10.3/UPDATING ============================================================================== --- releng/10.3/UPDATING Wed Nov 15 22:50:47 2017 (r325877) +++ releng/10.3/UPDATING Wed Nov 15 22:51:08 2017 (r325878) 
@@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITHOUT_CLANG to b stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20171115 p24 FreeBSD-SA-17:08.ptrace + FreeBSD-SA-17:09.shm + FreeBSD-SA-17:10.kldstat + + Fix ptrace(2) vulnerability. [SA-17:08.ptrace] + + Fix POSIX shm namespace vulnerability. [SA-17:09.shm] + + Fix kldstat(2) vulnerability. [SA-17:10.kldstat] + 20171102 p23 FreeBSD-EN-17:09.tzdata Update timezone database information. [EN-17:09] Modified: releng/10.3/sys/compat/freebsd32/freebsd32_misc.c ============================================================================== --- releng/10.3/sys/compat/freebsd32/freebsd32_misc.c Wed Nov 15 22:50:47 2017 (r325877) +++ releng/10.3/sys/compat/freebsd32/freebsd32_misc.c Wed Nov 15 22:51:08 2017 (r325878) @@ -3040,8 +3040,8 @@ freebsd32_copyout_strings(struct image_params *imgp) int freebsd32_kldstat(struct thread *td, struct freebsd32_kldstat_args *uap) { - struct kld_file_stat stat; - struct kld32_file_stat stat32; + struct kld_file_stat *stat; + struct kld32_file_stat *stat32; int error, version; if ((error = copyin(&uap->stat->version, &version, sizeof(version))) 
@@ -3051,17 +3051,22 @@ freebsd32_kldstat(struct thread *td, struct freebsd32_ version != sizeof(struct kld32_file_stat)) return (EINVAL); - error = kern_kldstat(td, uap->fileid, &stat); - if (error != 0) - return (error); - - bcopy(&stat.name[0], &stat32.name[0], sizeof(stat.name)); - CP(stat, stat32, refs); - CP(stat, stat32, id); - PTROUT_CP(stat, stat32, address); - CP(stat, stat32, size); - bcopy(&stat.pathname[0], &stat32.pathname[0], sizeof(stat.pathname)); - return (copyout(&stat32, uap->stat, version)); + stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO); + stat32 = malloc(sizeof(*stat32), M_TEMP, M_WAITOK | M_ZERO); + error = kern_kldstat(td, uap->fileid, stat); + if (error == 0) { + bcopy(&stat->name[0], &stat32->name[0], sizeof(stat->name)); + CP(*stat, *stat32, refs); + CP(*stat, *stat32, id); + PTROUT_CP(*stat, *stat32, address); + CP(*stat, *stat32, size); + bcopy(&stat->pathname[0], &stat32->pathname[0], + sizeof(stat->pathname)); + error = copyout(stat32, uap->stat, version); + } + free(stat, M_TEMP); + free(stat32, M_TEMP); + return (error); } int Modified: releng/10.3/sys/conf/newvers.sh ============================================================================== --- releng/10.3/sys/conf/newvers.sh Wed Nov 15 22:50:47 2017 (r325877) +++ releng/10.3/sys/conf/newvers.sh Wed Nov 15 22:51:08 2017 (r325878) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p23" +BRANCH="RELEASE-p24" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.3/sys/kern/kern_linker.c ============================================================================== --- releng/10.3/sys/kern/kern_linker.c Wed Nov 15 22:50:47 2017 (r325877) +++ releng/10.3/sys/kern/kern_linker.c Wed Nov 15 22:51:08 2017 (r325878) @@ -1196,7 +1196,7 @@ out: int sys_kldstat(struct thread *td, struct kldstat_args *uap) { - struct kld_file_stat stat; + struct kld_file_stat *stat; int error, version; /* 
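Review bot: Minor efficiency point in the 10.3 freebsd32_kldstat() hunk: `stat32` is allocated before kern_kldstat() is called, so a failing lookup (bad fileid) still pays for two M_WAITOK allocations and two free() calls; allocating `stat32` inside the `if (error == 0)` block would avoid that. Not a correctness issue, since both pointers are always valid when free() runs.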
@@ -1209,10 +1209,12 @@ sys_kldstat(struct thread *td, struct kldstat_args *ua version != sizeof(struct kld_file_stat)) return (EINVAL); - error = kern_kldstat(td, uap->fileid, &stat); - if (error != 0) - return (error); - return (copyout(&stat, uap->stat, version)); + stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO); + error = kern_kldstat(td, uap->fileid, stat); + if (error == 0) + error = copyout(stat, uap->stat, version); + free(stat, M_TEMP); + return (error); } int From owner-svn-src-releng@freebsd.org Wed Nov 15 23:29:34 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 089ABDEE5C1; Wed, 15 Nov 2017 23:29:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C9B1A366B; Wed, 15 Nov 2017 23:29:33 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFNTWnk027725; Wed, 15 Nov 2017 23:29:32 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFNTWAs027724; Wed, 15 Nov 2017 23:29:32 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152329.vAFNTWAs027724@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f 
From: Gordon Tetlow Date: Wed, 15 Nov 2017 23:29:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325879 - releng/11.1 X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/11.1 X-SVN-Commit-Revision: 325879 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 23:29:34 -0000 Author: gordon Date: Wed Nov 15 23:29:32 2017 New Revision: 325879 URL: https://svnweb.freebsd.org/changeset/base/325879 Log: Correct patch level. Approved by: so X-Pointy-Hat: gordon@ Modified: releng/11.1/UPDATING Modified: releng/11.1/UPDATING ============================================================================== --- releng/11.1/UPDATING Wed Nov 15 22:51:08 2017 (r325878) +++ releng/11.1/UPDATING Wed Nov 15 23:29:32 2017 (r325879) @@ -16,7 +16,7 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. -20171115 p3 FreeBSD-SA-17:08.ptrace +20171115 p4 FreeBSD-SA-17:08.ptrace FreeBSD-SA-17:10.kldstat Fix ptrace(2) vulnerability. [SA-17:08.ptrace]
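Review bot: The p3 to p4 correction in this UPDATING hunk brings the 11.1 entry in line with the BRANCH="RELEASE-p4" bump already committed to newvers.sh in r325875 (the newvers.sh hunk earlier in this digest), so the patch level reported by the kernel and the level recorded in UPDATING now agree. Since the wrong level sat in the tree between the two commits, it is worth checking that any release notes or advisory text generated from UPDATING in the meantime were not produced from the p3 version.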