FreeBSD Mail Archives

Date:      Tue, 17 May 2016 22:28:27 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r300087 - in releng/10.3: . sys/conf sys/dev/kbd sys/kern
Message-ID:  <201605172228.u4HMSRP5012070@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help

Author: glebius
Date: Tue May 17 22:28:27 2016
New Revision: 300087
URL: https://svnweb.freebsd.org/changeset/base/300087

Log:
  - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
  - Validate that user supplied control message length in sendmsg(2)
    is not negative.
  
  Security:	SA-16:18
  Security:	CVE-2016-1886
  Security:	SA-16:19
  Security:	CVE-2016-1887
  Submitted by:	C Turt <cturt hardenedbsd.org>
  Approved by:	so

Modified:
  releng/10.3/UPDATING
  releng/10.3/sys/conf/newvers.sh
  releng/10.3/sys/dev/kbd/kbd.c
  releng/10.3/sys/kern/uipc_syscalls.c

Modified: releng/10.3/UPDATING
==============================================================================
--- releng/10.3/UPDATING	Tue May 17 22:28:20 2016	(r300086)
+++ releng/10.3/UPDATING	Tue May 17 22:28:27 2016	(r300087)
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160517	p3	FreeBSD-SA-16:18.atkbd
+			FreeBSD-SA-16:19.sendmsg
+
+	Fix buffer overflow in keyboard driver. [SA-16:18]
+
+	Fix incorrect argument handling in sendmsg(2). [SA-16:19]
+
 20160504	p2	FreeBSD-SA-16:17.openssl
 			FreeBSD-EN-16:06.libc
 			FreeBSD-EN-16:07.ipi

Modified: releng/10.3/sys/conf/newvers.sh
==============================================================================
--- releng/10.3/sys/conf/newvers.sh	Tue May 17 22:28:20 2016	(r300086)
+++ releng/10.3/sys/conf/newvers.sh	Tue May 17 22:28:27 2016	(r300087)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.3"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.3/sys/dev/kbd/kbd.c
==============================================================================
--- releng/10.3/sys/dev/kbd/kbd.c	Tue May 17 22:28:20 2016	(r300086)
+++ releng/10.3/sys/dev/kbd/kbd.c	Tue May 17 22:28:27 2016	(r300087)
@@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo
 			splx(s);
 			return (error);
 		}
-		kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK);
+		kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK);
 		bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
 		    kbd->kb_fkeytab[fkeyp->keynum].len);
 		break;

Modified: releng/10.3/sys/kern/uipc_syscalls.c
==============================================================================
--- releng/10.3/sys/kern/uipc_syscalls.c	Tue May 17 22:28:20 2016	(r300086)
+++ releng/10.3/sys/kern/uipc_syscalls.c	Tue May 17 22:28:27 2016	(r300087)
@@ -1787,6 +1787,9 @@ sockargs(mp, buf, buflen, type)
 	struct mbuf *m;
 	int error;
 
+	if (buflen < 0)
+		return (EINVAL);
+
 	if (buflen > MLEN) {
 #ifdef COMPAT_OLDSOCK
 		if (type == MT_SONAME && buflen <= 112)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605172228.u4HMSRP5012070>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation