From owner-svn-src-releng@freebsd.org Thu Sep 27 18:29:57 2018 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5E93710B514F; Thu, 27 Sep 2018 18:29:57 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0F9F170287; Thu, 27 Sep 2018 18:29:57 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 05F5A1BEF; Thu, 27 Sep 2018 18:29:57 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8RITuHo068662; Thu, 27 Sep 2018 18:29:56 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8RITtED068656; Thu, 27 Sep 2018 18:29:55 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201809271829.w8RITtED068656@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Thu, 27 Sep 2018 18:29:55 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r338978 - in releng: 11.1 11.1/sys/conf 11.1/sys/netinet6 11.2 11.2/sys/conf 11.2/sys/netinet6 X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.1 11.1/sys/conf 11.1/sys/netinet6 11.2 11.2/sys/conf 11.2/sys/netinet6 X-SVN-Commit-Revision: 338978 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Sep 2018 18:29:57 -0000 Author: gordon Date: Thu Sep 27 18:29:55 2018 New Revision: 338978 URL: https://svnweb.freebsd.org/changeset/base/338978 Log: Fix regression in IPv6 fragment reassembly. [EN-18:09.ip] Approved by: so Security: FreeBSD-EN-18:09.ip Modified: releng/11.1/UPDATING releng/11.1/sys/conf/newvers.sh releng/11.1/sys/netinet6/frag6.c releng/11.2/UPDATING releng/11.2/sys/conf/newvers.sh releng/11.2/sys/netinet6/frag6.c Modified: releng/11.1/UPDATING ============================================================================== --- releng/11.1/UPDATING Thu Sep 27 18:14:01 2018 (r338977) +++ releng/11.1/UPDATING Thu Sep 27 18:29:55 2018 (r338978) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20180927 p15 FreeBSD-EN-18:09.ip + FreeBSD-EN-18:10.syscall + FreeBSD-EN-18:11.listen + FreeBSD-EN-18:12.mem + + Fix regression in IPv6 fragment reassembly. [EN-18:09.ip] + + Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall] + + Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen] + + Fix small kernel memory disclosures. [EN-18:12.mem] + 20180912 p14 FreeBSD-SA-18:12.elf FreeBSD-EN-18:08.lazyfpu Modified: releng/11.1/sys/conf/newvers.sh ============================================================================== --- releng/11.1/sys/conf/newvers.sh Thu Sep 27 18:14:01 2018 (r338977) +++ releng/11.1/sys/conf/newvers.sh Thu Sep 27 18:29:55 2018 (r338978) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.1" -BRANCH="RELEASE-p14" +BRANCH="RELEASE-p15" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.1/sys/netinet6/frag6.c ============================================================================== --- releng/11.1/sys/netinet6/frag6.c Thu Sep 27 18:14:01 2018 (r338977) +++ releng/11.1/sys/netinet6/frag6.c Thu Sep 27 18:29:55 2018 (r338978) @@ -216,7 +216,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto) int offset = *offp, nxt, i, next; int first_frag = 0; int fragoff, frgpartlen; /* must be larger than u_int16_t */ - uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp; + uint32_t hashkey[(sizeof(struct in6_addr) * 2 + + sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)]; + uint32_t hash, *hashkeyp; struct ifnet *dstifp; u_int8_t ecn, ecn0; #ifdef RSS Modified: releng/11.2/UPDATING ============================================================================== --- releng/11.2/UPDATING Thu Sep 27 18:14:01 2018 (r338977) +++ releng/11.2/UPDATING Thu Sep 27 18:29:55 2018 (r338978) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20180927 p4 FreeBSD-EN-18:09.ip + FreeBSD-EN-18:10.syscall + FreeBSD-EN-18:11.listen + FreeBSD-EN-18:12.mem + + Fix regression in IPv6 fragment reassembly. [EN-18:09.ip] + + Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall] + + Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen] + + Fix small kernel memory disclosures. [EN-18:12.mem] + 20180912 p3 FreeBSD-SA-18:12.elf FreeBSD-EN-18:08.lazyfpu Modified: releng/11.2/sys/conf/newvers.sh ============================================================================== --- releng/11.2/sys/conf/newvers.sh Thu Sep 27 18:14:01 2018 (r338977) +++ releng/11.2/sys/conf/newvers.sh Thu Sep 27 18:29:55 2018 (r338978) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.2" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.2/sys/netinet6/frag6.c ============================================================================== --- releng/11.2/sys/netinet6/frag6.c Thu Sep 27 18:14:01 2018 (r338977) +++ releng/11.2/sys/netinet6/frag6.c Thu Sep 27 18:29:55 2018 (r338978) @@ -216,7 +216,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto) int offset = *offp, nxt, i, next; int first_frag = 0; int fragoff, frgpartlen; /* must be larger than u_int16_t */ - uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp; + uint32_t hashkey[(sizeof(struct in6_addr) * 2 + + sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)]; + uint32_t hash, *hashkeyp; struct ifnet *dstifp; u_int8_t ecn, ecn0; #ifdef RSS From owner-svn-src-releng@freebsd.org Thu Sep 27 18:32:15 2018 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DA32610B533F; Thu, 27 Sep 2018 18:32:15 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 90938705EB; Thu, 27 Sep 2018 18:32:15 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8B8CF1D67; Thu, 27 Sep 2018 18:32:15 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8RIWFIp073581; Thu, 27 Sep 2018 18:32:15 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8RIWFxV073579; Thu, 27 Sep 2018 18:32:15 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201809271832.w8RIWFxV073579@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Thu, 27 Sep 2018 18:32:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r338979 - in releng: 11.1/sys/kern 11.2/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.1/sys/kern 11.2/sys/kern X-SVN-Commit-Revision: 338979 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Sep 2018 18:32:16 -0000 Author: gordon Date: Thu Sep 27 18:32:14 2018 New Revision: 338979 URL: https://svnweb.freebsd.org/changeset/base/338979 Log: Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall] Reported by: Thomas Barabosch, Fraunhofer FKIE Approved by: so Security: FreeBSD-EN-18:10.syscall Security: CVE-2018-17154 Modified: releng/11.1/sys/kern/vfs_syscalls.c releng/11.2/sys/kern/vfs_syscalls.c Modified: releng/11.1/sys/kern/vfs_syscalls.c ============================================================================== --- releng/11.1/sys/kern/vfs_syscalls.c Thu Sep 27 18:29:55 2018 (r338978) +++ releng/11.1/sys/kern/vfs_syscalls.c Thu Sep 27 18:32:14 2018 (r338979) @@ -641,6 +641,8 @@ freebsd4_getfsstat(td, uap) size = count * sizeof(struct statfs); error = kern_getfsstat(td, &buf, size, &count, UIO_SYSSPACE, uap->mode); + if (buf == NULL) + return (EINVAL); td->td_retval[0] = count; if (size != 0) { sp = buf; Modified: releng/11.2/sys/kern/vfs_syscalls.c ============================================================================== --- releng/11.2/sys/kern/vfs_syscalls.c Thu Sep 27 18:29:55 2018 (r338978) +++ releng/11.2/sys/kern/vfs_syscalls.c Thu Sep 27 18:32:14 2018 (r338979) @@ -600,6 +600,8 @@ freebsd4_getfsstat(struct thread *td, struct freebsd4_ size = count * sizeof(struct statfs); error = kern_getfsstat(td, &buf, size, &count, UIO_SYSSPACE, uap->mode); + if (buf == NULL) + return (EINVAL); td->td_retval[0] = count; if (size != 0) { sp = buf; From owner-svn-src-releng@freebsd.org Thu Sep 27 18:34:45 2018 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8F3B110B53DF; Thu, 27 Sep 2018 18:34:45 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 44B34708B1; Thu, 27 Sep 2018 18:34:45 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3F6CA1D86; Thu, 27 Sep 2018 18:34:45 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8RIYjJe073759; Thu, 27 Sep 2018 18:34:45 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8RIYhMU073748; Thu, 27 Sep 2018 18:34:43 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201809271834.w8RIYhMU073748@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Thu, 27 Sep 2018 18:34:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r338980 - in releng: 10.4 10.4/sys/conf 10.4/sys/netinet 10.4/sys/netinet6 11.1/sys/netinet 11.1/sys/netinet6 11.2/sys/netinet 11.2/sys/netinet6 X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 10.4 10.4/sys/conf 10.4/sys/netinet 10.4/sys/netinet6 11.1/sys/netinet 11.1/sys/netinet6 11.2/sys/netinet 11.2/sys/netinet6 X-SVN-Commit-Revision: 338980 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Sep 2018 18:34:46 -0000 Author: gordon Date: Thu Sep 27 18:34:42 2018 New Revision: 338980 URL: https://svnweb.freebsd.org/changeset/base/338980 Log: Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen] Reported by: Jakub Jirasek, Secunia Research at Flexera Approved by: so Security: FreeBSD-EN-18:11.listen Security: CVE-2018-6925 Modified: releng/10.4/UPDATING releng/10.4/sys/conf/newvers.sh releng/10.4/sys/netinet/tcp_usrreq.c releng/10.4/sys/netinet6/sctp6_usrreq.c releng/10.4/sys/netinet6/udp6_usrreq.c releng/11.1/sys/netinet/tcp_usrreq.c releng/11.1/sys/netinet6/sctp6_usrreq.c releng/11.1/sys/netinet6/udp6_usrreq.c releng/11.2/sys/netinet/tcp_usrreq.c releng/11.2/sys/netinet6/sctp6_usrreq.c releng/11.2/sys/netinet6/udp6_usrreq.c Modified: releng/10.4/UPDATING ============================================================================== --- releng/10.4/UPDATING Thu Sep 27 18:32:14 2018 (r338979) +++ releng/10.4/UPDATING Thu Sep 27 18:34:42 2018 (r338980) @@ -17,6 +17,13 @@ stable/10, and then rebuild without this option. The b older version of current is a bit fragile. +20180927 p13 FreeBSD-EN-18:11.listen + FreeBSD-EN-18:12.mem + + Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen] + + Fix small kernel memory disclosures. [EN-18:12.mem] + 20180912 p12 FreeBSD-SA-18:12.elf Fix improper elf header parsing. Modified: releng/10.4/sys/conf/newvers.sh ============================================================================== --- releng/10.4/sys/conf/newvers.sh Thu Sep 27 18:32:14 2018 (r338979) +++ releng/10.4/sys/conf/newvers.sh Thu Sep 27 18:34:42 2018 (r338980) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.4" -BRANCH="RELEASE-p12" +BRANCH="RELEASE-p13" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.4/sys/netinet/tcp_usrreq.c ============================================================================== --- releng/10.4/sys/netinet/tcp_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/10.4/sys/netinet/tcp_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -328,6 +328,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, struct inpcb *inp; struct tcpcb *tp = NULL; struct sockaddr_in6 *sin6p; + u_char vflagsav; sin6p = (struct sockaddr_in6 *)nam; if (nam->sa_len != sizeof (*sin6p)) @@ -344,6 +345,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, inp = sotoinpcb(so); KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL")); INP_WLOCK(inp); + vflagsav = inp->inp_vflag; if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { error = EINVAL; goto out; @@ -373,6 +375,8 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, error = in6_pcbbind(inp, nam, td->td_ucred); INP_HASH_WUNLOCK(&V_tcbinfo); out: + if (error != 0) + inp->inp_vflag = vflagsav; TCPDEBUG2(PRU_BIND); INP_WUNLOCK(inp); return (error); @@ -434,6 +438,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct int error = 0; struct inpcb *inp; struct tcpcb *tp = NULL; + u_char vflagsav; TCPDEBUG0; inp = sotoinpcb(so); @@ -443,6 +448,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct error = EINVAL; goto out; } + vflagsav = inp->inp_vflag; tp = intotcpcb(inp); TCPDEBUG1(); SOCK_LOCK(so); @@ -469,6 +475,9 @@ tcp6_usr_listen(struct socket *so, int backlog, struct if (tp->t_flags & TF_FASTOPEN) tp->t_tfo_pending = tcp_fastopen_alloc_counter(); #endif + if (error != 0) + inp->inp_vflag = vflagsav; + out: TCPDEBUG2(PRU_LISTEN); INP_WUNLOCK(inp); @@ -543,6 +552,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n struct inpcb *inp; struct tcpcb *tp = NULL; struct sockaddr_in6 *sin6p; + u_int8_t incflagsav; + u_char vflagsav; TCPDEBUG0; @@ -559,6 +570,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n inp = sotoinpcb(so); KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL")); INP_WLOCK(inp); + vflagsav = inp->inp_vflag; + incflagsav = inp->inp_inc.inc_flags; if (inp->inp_flags & INP_TIMEWAIT) { error = EADDRINUSE; goto out; @@ -584,11 +597,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n } in6_sin6_2_sin(&sin, sin6p); - inp->inp_vflag |= INP_IPV4; - inp->inp_vflag &= ~INP_IPV6; if ((error = prison_remote_ip4(td->td_ucred, &sin.sin_addr)) != 0) goto out; + inp->inp_vflag |= INP_IPV4; + inp->inp_vflag &= ~INP_IPV6; if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0) goto out; #ifdef TCP_OFFLOAD @@ -601,11 +614,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n goto out; } #endif + if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) + goto out; inp->inp_vflag &= ~INP_IPV4; inp->inp_vflag |= INP_IPV6; inp->inp_inc.inc_flags |= INC_ISIPV6; - if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) - goto out; if ((error = tcp6_connect(tp, nam, td)) != 0) goto out; #ifdef TCP_OFFLOAD @@ -618,6 +631,15 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n error = tcp_output(tp); out: + /* + * If the implicit bind in the connect call fails, restore + * the flags we modified. + */ + if (error != 0 && inp->inp_lport == 0) { + inp->inp_vflag = vflagsav; + inp->inp_inc.inc_flags = incflagsav; + } + TCPDEBUG2(PRU_CONNECT); INP_WUNLOCK(inp); return (error); Modified: releng/10.4/sys/netinet6/sctp6_usrreq.c ============================================================================== --- releng/10.4/sys/netinet6/sctp6_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/10.4/sys/netinet6/sctp6_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -608,6 +608,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s struct sctp_inpcb *inp; struct in6pcb *inp6; int error; + u_char vflagsav; inp = (struct sctp_inpcb *)so->so_pcb; if (inp == NULL) { @@ -638,6 +639,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s } } inp6 = (struct in6pcb *)inp; + vflagsav = inp6->inp_vflag; inp6->inp_vflag &= ~INP_IPV4; inp6->inp_vflag |= INP_IPV6; if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) { @@ -667,7 +669,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s inp6->inp_vflag |= INP_IPV4; inp6->inp_vflag &= ~INP_IPV6; error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p); - return (error); + goto out; } #endif break; @@ -684,7 +686,8 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s if (addr->sa_family == AF_INET) { /* can't bind v4 addr to v6 only socket! */ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); - return (EINVAL); + error = EINVAL; + goto out; } #endif sin6_p = (struct sockaddr_in6 *)addr; @@ -693,10 +696,14 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s /* can't bind v4-mapped addrs either! */ /* NOTE: we don't support SIIT */ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); - return (EINVAL); + error = EINVAL; + goto out; } } error = sctp_inpcb_bind(so, addr, NULL, p); +out: + if (error != 0) + inp6->inp_vflag = vflagsav; return (error); } Modified: releng/10.4/sys/netinet6/udp6_usrreq.c ============================================================================== --- releng/10.4/sys/netinet6/udp6_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/10.4/sys/netinet6/udp6_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -947,6 +947,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str struct inpcb *inp; struct inpcbinfo *pcbinfo; int error; + u_char vflagsav; pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol); inp = sotoinpcb(so); @@ -954,6 +955,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str INP_WLOCK(inp); INP_HASH_WLOCK(pcbinfo); + vflagsav = inp->inp_vflag; inp->inp_vflag &= ~INP_IPV4; inp->inp_vflag |= INP_IPV6; if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) { @@ -981,6 +983,8 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str #ifdef INET out: #endif + if (error != 0) + inp->inp_vflag = vflagsav; INP_HASH_WUNLOCK(pcbinfo); INP_WUNLOCK(inp); return (error); @@ -1023,6 +1027,7 @@ udp6_connect(struct socket *so, struct sockaddr *nam, struct inpcbinfo *pcbinfo; struct sockaddr_in6 *sin6; int error; + u_char vflagsav; pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol); inp = sotoinpcb(so); @@ -1046,17 +1051,26 @@ udp6_connect(struct socket *so, struct sockaddr *nam, goto out; } in6_sin6_2_sin(&sin, sin6); - inp->inp_vflag |= INP_IPV4; - inp->inp_vflag &= ~INP_IPV6; error = prison_remote_ip4(td->td_ucred, &sin.sin_addr); if (error != 0) goto out; + vflagsav = inp->inp_vflag; + inp->inp_vflag |= INP_IPV4; + inp->inp_vflag &= ~INP_IPV6; INP_HASH_WLOCK(pcbinfo); error = in_pcbconnect(inp, (struct sockaddr *)&sin, td->td_ucred); INP_HASH_WUNLOCK(pcbinfo); + /* + * If connect succeeds, mark socket as connected. If + * connect fails and socket is unbound, reset inp_vflag + * field. + */ if (error == 0) soisconnected(so); + else if (inp->inp_laddr.s_addr == INADDR_ANY && + inp->inp_lport == 0) + inp->inp_vflag = vflagsav; goto out; } #endif @@ -1064,16 +1078,25 @@ udp6_connect(struct socket *so, struct sockaddr *nam, error = EISCONN; goto out; } - inp->inp_vflag &= ~INP_IPV4; - inp->inp_vflag |= INP_IPV6; error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr); if (error != 0) goto out; + vflagsav = inp->inp_vflag; + inp->inp_vflag &= ~INP_IPV4; + inp->inp_vflag |= INP_IPV6; INP_HASH_WLOCK(pcbinfo); error = in6_pcbconnect(inp, nam, td->td_ucred); INP_HASH_WUNLOCK(pcbinfo); + /* + * If connect succeeds, mark socket as connected. If + * connect fails and socket is unbound, reset inp_vflag + * field. + */ if (error == 0) soisconnected(so); + else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) && + inp->inp_lport == 0) + inp->inp_vflag = vflagsav; out: INP_WUNLOCK(inp); return (error); Modified: releng/11.1/sys/netinet/tcp_usrreq.c ============================================================================== --- releng/11.1/sys/netinet/tcp_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/11.1/sys/netinet/tcp_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -339,6 +339,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, struct inpcb *inp; struct tcpcb *tp = NULL; struct sockaddr_in6 *sin6p; + u_char vflagsav; sin6p = (struct sockaddr_in6 *)nam; if (nam->sa_len != sizeof (*sin6p)) @@ -355,6 +356,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, inp = sotoinpcb(so); KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL")); INP_WLOCK(inp); + vflagsav = inp->inp_vflag; if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { error = EINVAL; goto out; @@ -384,6 +386,8 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, error = in6_pcbbind(inp, nam, td->td_ucred); INP_HASH_WUNLOCK(&V_tcbinfo); out: + if (error != 0) + inp->inp_vflag = vflagsav; TCPDEBUG2(PRU_BIND); TCP_PROBE2(debug__user, tp, PRU_BIND); INP_WUNLOCK(inp); @@ -447,6 +451,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct int error = 0; struct inpcb *inp; struct tcpcb *tp = NULL; + u_char vflagsav; TCPDEBUG0; inp = sotoinpcb(so); @@ -456,6 +461,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct error = EINVAL; goto out; } + vflagsav = inp->inp_vflag; tp = intotcpcb(inp); TCPDEBUG1(); SOCK_LOCK(so); @@ -482,6 +488,9 @@ tcp6_usr_listen(struct socket *so, int backlog, struct if (tp->t_flags & TF_FASTOPEN) tp->t_tfo_pending = tcp_fastopen_alloc_counter(); #endif + if (error != 0) + inp->inp_vflag = vflagsav; + out: TCPDEBUG2(PRU_LISTEN); TCP_PROBE2(debug__user, tp, PRU_LISTEN); @@ -558,6 +567,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n struct inpcb *inp; struct tcpcb *tp = NULL; struct sockaddr_in6 *sin6p; + u_int8_t incflagsav; + u_char vflagsav; TCPDEBUG0; @@ -574,6 +585,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n inp = sotoinpcb(so); KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL")); INP_WLOCK(inp); + vflagsav = inp->inp_vflag; + incflagsav = inp->inp_inc.inc_flags; if (inp->inp_flags & INP_TIMEWAIT) { error = EADDRINUSE; goto out; @@ -603,11 +616,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n } in6_sin6_2_sin(&sin, sin6p); - inp->inp_vflag |= INP_IPV4; - inp->inp_vflag &= ~INP_IPV6; if ((error = prison_remote_ip4(td->td_ucred, &sin.sin_addr)) != 0) goto out; + inp->inp_vflag |= INP_IPV4; + inp->inp_vflag &= ~INP_IPV6; if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0) goto out; #ifdef TCP_OFFLOAD @@ -625,11 +638,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n } } #endif + if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) + goto out; inp->inp_vflag &= ~INP_IPV4; inp->inp_vflag |= INP_IPV6; inp->inp_inc.inc_flags |= INC_ISIPV6; - if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) - goto out; if ((error = tcp6_connect(tp, nam, td)) != 0) goto out; #ifdef TCP_OFFLOAD @@ -642,6 +655,15 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n error = tp->t_fb->tfb_tcp_output(tp); out: + /* + * If the implicit bind in the connect call fails, restore + * the flags we modified. + */ + if (error != 0 && inp->inp_lport == 0) { + inp->inp_vflag = vflagsav; + inp->inp_inc.inc_flags = incflagsav; + } + TCPDEBUG2(PRU_CONNECT); TCP_PROBE2(debug__user, tp, PRU_CONNECT); INP_WUNLOCK(inp); Modified: releng/11.1/sys/netinet6/sctp6_usrreq.c ============================================================================== --- releng/11.1/sys/netinet6/sctp6_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/11.1/sys/netinet6/sctp6_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -561,6 +561,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s struct sctp_inpcb *inp; struct in6pcb *inp6; int error; + u_char vflagsav; inp = (struct sctp_inpcb *)so->so_pcb; if (inp == NULL) { @@ -591,6 +592,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s } } inp6 = (struct in6pcb *)inp; + vflagsav = inp6->inp_vflag; inp6->inp_vflag &= ~INP_IPV4; inp6->inp_vflag |= INP_IPV6; if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) { @@ -620,7 +622,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s inp6->inp_vflag |= INP_IPV4; inp6->inp_vflag &= ~INP_IPV6; error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p); - return (error); + goto out; } #endif break; @@ -637,7 +639,8 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s if (addr->sa_family == AF_INET) { /* can't bind v4 addr to v6 only socket! */ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); - return (EINVAL); + error = EINVAL; + goto out; } #endif sin6_p = (struct sockaddr_in6 *)addr; @@ -646,10 +649,14 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s /* can't bind v4-mapped addrs either! */ /* NOTE: we don't support SIIT */ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); - return (EINVAL); + error = EINVAL; + goto out; } } error = sctp_inpcb_bind(so, addr, NULL, p); +out: + if (error != 0) + inp6->inp_vflag = vflagsav; return (error); } Modified: releng/11.1/sys/netinet6/udp6_usrreq.c ============================================================================== --- releng/11.1/sys/netinet6/udp6_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/11.1/sys/netinet6/udp6_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -1006,6 +1006,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str struct inpcb *inp; struct inpcbinfo *pcbinfo; int error; + u_char vflagsav; pcbinfo = udp_get_inpcbinfo(so->so_proto->pr_protocol); inp = sotoinpcb(so); @@ -1013,6 +1014,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str INP_WLOCK(inp); INP_HASH_WLOCK(pcbinfo); + vflagsav = inp->inp_vflag; inp->inp_vflag &= ~INP_IPV4; inp->inp_vflag |= INP_IPV6; if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) { @@ -1040,6 +1042,8 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str #ifdef INET out: #endif + if (error != 0) + inp->inp_vflag = vflagsav; INP_HASH_WUNLOCK(pcbinfo); INP_WUNLOCK(inp); return (error); @@ -1086,6 +1090,7 @@ udp6_connect(struct socket *so, struct sockaddr *nam, struct inpcbinfo *pcbinfo; struct sockaddr_in6 *sin6; int error; + u_char vflagsav; pcbinfo = udp_get_inpcbinfo(so->so_proto->pr_protocol); inp = sotoinpcb(so); @@ -1113,17 +1118,26 @@ udp6_connect(struct socket *so, struct sockaddr *nam, goto out; } in6_sin6_2_sin(&sin, sin6); - inp->inp_vflag |= INP_IPV4; - inp->inp_vflag &= ~INP_IPV6; error = prison_remote_ip4(td->td_ucred, &sin.sin_addr); if (error != 0) goto out; + vflagsav = inp->inp_vflag; + inp->inp_vflag |= INP_IPV4; + inp->inp_vflag &= ~INP_IPV6; INP_HASH_WLOCK(pcbinfo); error = in_pcbconnect(inp, (struct sockaddr *)&sin, td->td_ucred); INP_HASH_WUNLOCK(pcbinfo); + /* + * If connect succeeds, mark socket as connected. If + * connect fails and socket is unbound, reset inp_vflag + * field. + */ if (error == 0) soisconnected(so); + else if (inp->inp_laddr.s_addr == INADDR_ANY && + inp->inp_lport == 0) + inp->inp_vflag = vflagsav; goto out; } else { if ((inp->inp_vflag & INP_IPV6) == 0) { @@ -1136,16 +1150,25 @@ udp6_connect(struct socket *so, struct sockaddr *nam, error = EISCONN; goto out; } - inp->inp_vflag &= ~INP_IPV4; - inp->inp_vflag |= INP_IPV6; error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr); if (error != 0) goto out; + vflagsav = inp->inp_vflag; + inp->inp_vflag &= ~INP_IPV4; + inp->inp_vflag |= INP_IPV6; INP_HASH_WLOCK(pcbinfo); error = in6_pcbconnect(inp, nam, td->td_ucred); INP_HASH_WUNLOCK(pcbinfo); + /* + * If connect succeeds, mark socket as connected. If + * connect fails and socket is unbound, reset inp_vflag + * field. + */ if (error == 0) soisconnected(so); + else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) && + inp->inp_lport == 0) + inp->inp_vflag = vflagsav; out: INP_WUNLOCK(inp); return (error); Modified: releng/11.2/sys/netinet/tcp_usrreq.c ============================================================================== --- releng/11.2/sys/netinet/tcp_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/11.2/sys/netinet/tcp_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -339,6 +339,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, struct inpcb *inp; struct tcpcb *tp = NULL; struct sockaddr_in6 *sin6p; + u_char vflagsav; sin6p = (struct sockaddr_in6 *)nam; if (nam->sa_len != sizeof (*sin6p)) @@ -355,6 +356,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, inp = sotoinpcb(so); KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL")); INP_WLOCK(inp); + vflagsav = inp->inp_vflag; if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { error = EINVAL; goto out; @@ -384,6 +386,8 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam, error = in6_pcbbind(inp, nam, td->td_ucred); INP_HASH_WUNLOCK(&V_tcbinfo); out: + if (error != 0) + inp->inp_vflag = vflagsav; TCPDEBUG2(PRU_BIND); TCP_PROBE2(debug__user, tp, PRU_BIND); INP_WUNLOCK(inp); @@ -447,6 +451,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct int error = 0; struct inpcb *inp; struct tcpcb *tp = NULL; + u_char vflagsav; TCPDEBUG0; inp = sotoinpcb(so); @@ -456,6 +461,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct error = EINVAL; goto out; } + vflagsav = inp->inp_vflag; tp = intotcpcb(inp); TCPDEBUG1(); SOCK_LOCK(so); @@ -482,6 +488,9 @@ tcp6_usr_listen(struct socket *so, int backlog, struct if (tp->t_flags & TF_FASTOPEN) tp->t_tfo_pending = tcp_fastopen_alloc_counter(); #endif + if (error != 0) + inp->inp_vflag = vflagsav; + out: TCPDEBUG2(PRU_LISTEN); TCP_PROBE2(debug__user, tp, PRU_LISTEN); @@ -558,6 +567,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n struct inpcb *inp; struct tcpcb *tp = NULL; struct sockaddr_in6 *sin6p; + u_int8_t incflagsav; + u_char vflagsav; TCPDEBUG0; @@ -574,6 +585,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n inp = sotoinpcb(so); KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL")); INP_WLOCK(inp); + vflagsav = inp->inp_vflag; + incflagsav = inp->inp_inc.inc_flags; if (inp->inp_flags & INP_TIMEWAIT) { error = EADDRINUSE; goto out; @@ -603,11 +616,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n } in6_sin6_2_sin(&sin, sin6p); - inp->inp_vflag |= INP_IPV4; - inp->inp_vflag &= ~INP_IPV6; if ((error = prison_remote_ip4(td->td_ucred, &sin.sin_addr)) != 0) goto out; + inp->inp_vflag |= INP_IPV4; + inp->inp_vflag &= ~INP_IPV6; if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0) goto out; #ifdef TCP_OFFLOAD @@ -625,11 +638,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n } } #endif + if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) + goto out; inp->inp_vflag &= ~INP_IPV4; inp->inp_vflag |= INP_IPV6; inp->inp_inc.inc_flags |= INC_ISIPV6; - if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0) - goto out; if ((error = tcp6_connect(tp, nam, td)) != 0) goto out; #ifdef TCP_OFFLOAD @@ -642,6 +655,15 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n error = tp->t_fb->tfb_tcp_output(tp); out: + /* + * If the implicit bind in the connect call fails, restore + * the flags we modified. + */ + if (error != 0 && inp->inp_lport == 0) { + inp->inp_vflag = vflagsav; + inp->inp_inc.inc_flags = incflagsav; + } + TCPDEBUG2(PRU_CONNECT); TCP_PROBE2(debug__user, tp, PRU_CONNECT); INP_WUNLOCK(inp); Modified: releng/11.2/sys/netinet6/sctp6_usrreq.c ============================================================================== --- releng/11.2/sys/netinet6/sctp6_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/11.2/sys/netinet6/sctp6_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -557,6 +557,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s struct sctp_inpcb *inp; struct in6pcb *inp6; int error; + u_char vflagsav; inp = (struct sctp_inpcb *)so->so_pcb; if (inp == NULL) { @@ -587,6 +588,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s } } inp6 = (struct in6pcb *)inp; + vflagsav = inp6->inp_vflag; inp6->inp_vflag &= ~INP_IPV4; inp6->inp_vflag |= INP_IPV6; if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) { @@ -616,7 +618,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s inp6->inp_vflag |= INP_IPV4; inp6->inp_vflag &= ~INP_IPV6; error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p); - return (error); + goto out; } #endif break; @@ -633,7 +635,8 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s if (addr->sa_family == AF_INET) { /* can't bind v4 addr to v6 only socket! */ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); - return (EINVAL); + error = EINVAL; + goto out; } #endif sin6_p = (struct sockaddr_in6 *)addr; @@ -642,10 +645,14 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s /* can't bind v4-mapped addrs either! */ /* NOTE: we don't support SIIT */ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL); - return (EINVAL); + error = EINVAL; + goto out; } } error = sctp_inpcb_bind(so, addr, NULL, p); +out: + if (error != 0) + inp6->inp_vflag = vflagsav; return (error); } Modified: releng/11.2/sys/netinet6/udp6_usrreq.c ============================================================================== --- releng/11.2/sys/netinet6/udp6_usrreq.c Thu Sep 27 18:32:14 2018 (r338979) +++ releng/11.2/sys/netinet6/udp6_usrreq.c Thu Sep 27 18:34:42 2018 (r338980) @@ -1002,6 +1002,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str struct inpcb *inp; struct inpcbinfo *pcbinfo; int error; + u_char vflagsav; pcbinfo = udp_get_inpcbinfo(so->so_proto->pr_protocol); inp = sotoinpcb(so); @@ -1009,6 +1010,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str INP_WLOCK(inp); INP_HASH_WLOCK(pcbinfo); + vflagsav = inp->inp_vflag; inp->inp_vflag &= ~INP_IPV4; inp->inp_vflag |= INP_IPV6; if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) { @@ -1036,6 +1038,8 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str #ifdef INET out: #endif + if (error != 0) + inp->inp_vflag = vflagsav; INP_HASH_WUNLOCK(pcbinfo); INP_WUNLOCK(inp); return (error); @@ -1082,6 +1086,7 @@ udp6_connect(struct socket *so, struct sockaddr *nam, struct inpcbinfo *pcbinfo; struct sockaddr_in6 *sin6; int error; + u_char vflagsav; pcbinfo = udp_get_inpcbinfo(so->so_proto->pr_protocol); inp = sotoinpcb(so); @@ -1109,17 +1114,26 @@ udp6_connect(struct socket *so, struct sockaddr *nam, goto out; } in6_sin6_2_sin(&sin, sin6); - inp->inp_vflag |= INP_IPV4; - inp->inp_vflag &= ~INP_IPV6; error = prison_remote_ip4(td->td_ucred, &sin.sin_addr); if (error != 0) goto out; + vflagsav = inp->inp_vflag; + inp->inp_vflag |= INP_IPV4; + inp->inp_vflag &= ~INP_IPV6; INP_HASH_WLOCK(pcbinfo); error = in_pcbconnect(inp, (struct sockaddr *)&sin, td->td_ucred); INP_HASH_WUNLOCK(pcbinfo); + /* + * If connect succeeds, mark socket as connected. If + * connect fails and socket is unbound, reset inp_vflag + * field. + */ if (error == 0) soisconnected(so); + else if (inp->inp_laddr.s_addr == INADDR_ANY && + inp->inp_lport == 0) + inp->inp_vflag = vflagsav; goto out; } else { if ((inp->inp_vflag & INP_IPV6) == 0) { @@ -1132,16 +1146,25 @@ udp6_connect(struct socket *so, struct sockaddr *nam, error = EISCONN; goto out; } - inp->inp_vflag &= ~INP_IPV4; - inp->inp_vflag |= INP_IPV6; error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr); if (error != 0) goto out; + vflagsav = inp->inp_vflag; + inp->inp_vflag &= ~INP_IPV4; + inp->inp_vflag |= INP_IPV6; INP_HASH_WLOCK(pcbinfo); error = in6_pcbconnect(inp, nam, td->td_ucred); INP_HASH_WUNLOCK(pcbinfo); + /* + * If connect succeeds, mark socket as connected. If + * connect fails and socket is unbound, reset inp_vflag + * field. + */ if (error == 0) soisconnected(so); + else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) && + inp->inp_lport == 0) + inp->inp_vflag = vflagsav; out: INP_WUNLOCK(inp); return (error); From owner-svn-src-releng@freebsd.org Thu Sep 27 18:36:31 2018 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B4E8410B5471; Thu, 27 Sep 2018 18:36:31 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6B56970A25; Thu, 27 Sep 2018 18:36:31 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4C4381D89; Thu, 27 Sep 2018 18:36:31 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8RIaVmu073904; Thu, 27 Sep 2018 18:36:31 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8RIaUiZ073901; Thu, 27 Sep 2018 18:36:30 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201809271836.w8RIaUiZ073901@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Thu, 27 Sep 2018 18:36:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r338981 - in releng: 10.4/sys/kern 11.1/sys/kern 11.2/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 10.4/sys/kern 11.1/sys/kern 11.2/sys/kern X-SVN-Commit-Revision: 338981 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Sep 2018 18:36:32 -0000 Author: gordon Date: Thu Sep 27 18:36:30 2018 New Revision: 338981 URL: https://svnweb.freebsd.org/changeset/base/338981 Log: Fix small kernel memory disclosures. [EN-18:12.mem] Reported by: Thomas Barabosch, Fraunhofer FKIE Approved by: so Security: FreeBSD-EN-18:12.mem Security: CVE-2018-17155 Modified: releng/10.4/sys/kern/kern_context.c releng/11.1/sys/kern/kern_context.c releng/11.2/sys/kern/kern_context.c Modified: releng/10.4/sys/kern/kern_context.c ============================================================================== --- releng/10.4/sys/kern/kern_context.c Thu Sep 27 18:34:42 2018 (r338980) +++ releng/10.4/sys/kern/kern_context.c Thu Sep 27 18:36:30 2018 (r338981) @@ -68,6 +68,7 @@ sys_getcontext(struct thread *td, struct getcontext_ar if (uap->ucp == NULL) ret = EINVAL; else { + bzero(&uc, sizeof(ucontext_t)); get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); PROC_LOCK(td->td_proc); uc.uc_sigmask = td->td_sigmask; @@ -108,6 +109,7 @@ sys_swapcontext(struct thread *td, struct swapcontext_ if (uap->oucp == NULL || uap->ucp == NULL) ret = EINVAL; else { + bzero(&uc, sizeof(ucontext_t)); get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); bzero(uc.__spare__, sizeof(uc.__spare__)); PROC_LOCK(td->td_proc); Modified: releng/11.1/sys/kern/kern_context.c ============================================================================== --- releng/11.1/sys/kern/kern_context.c Thu Sep 27 18:34:42 2018 (r338980) +++ releng/11.1/sys/kern/kern_context.c Thu Sep 27 18:36:30 2018 (r338981) @@ -68,6 +68,7 @@ sys_getcontext(struct thread *td, struct getcontext_ar if (uap->ucp == NULL) ret = EINVAL; else { + bzero(&uc, sizeof(ucontext_t)); get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); PROC_LOCK(td->td_proc); uc.uc_sigmask = td->td_sigmask; @@ -108,6 +109,7 @@ sys_swapcontext(struct thread *td, struct swapcontext_ if (uap->oucp == NULL || uap->ucp == NULL) ret = EINVAL; else { + bzero(&uc, sizeof(ucontext_t)); get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); bzero(uc.__spare__, sizeof(uc.__spare__)); PROC_LOCK(td->td_proc); Modified: releng/11.2/sys/kern/kern_context.c ============================================================================== --- releng/11.2/sys/kern/kern_context.c Thu Sep 27 18:34:42 2018 (r338980) +++ releng/11.2/sys/kern/kern_context.c Thu Sep 27 18:36:30 2018 (r338981) @@ -68,6 +68,7 @@ sys_getcontext(struct thread *td, struct getcontext_ar if (uap->ucp == NULL) ret = EINVAL; else { + bzero(&uc, sizeof(ucontext_t)); get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); PROC_LOCK(td->td_proc); uc.uc_sigmask = td->td_sigmask; @@ -108,6 +109,7 @@ sys_swapcontext(struct thread *td, struct swapcontext_ if (uap->oucp == NULL || uap->ucp == NULL) ret = EINVAL; else { + bzero(&uc, sizeof(ucontext_t)); get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET); bzero(uc.__spare__, sizeof(uc.__spare__)); PROC_LOCK(td->td_proc);