From owner-svn-src-all@FreeBSD.ORG Fri Sep 30 08:16:31 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 1233) id 834FA1065670; Fri, 30 Sep 2011 08:16:31 +0000 (UTC) Date: Fri, 30 Sep 2011 08:16:31 +0000 From: Alexander Best To: "Bjoern A. Zeeb" Message-ID: <20110930081631.GA2005@freebsd.org> References: <201109280847.p8S8lIHV063682@svn.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201109280847.p8S8lIHV063682@svn.freebsd.org> Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r225827 - head/sys/kern head/usr.bin/compress head/usr.bin/gzip releng/7.3 releng/7.3/sys/conf releng/7.3/sys/kern releng/7.3/usr.bin/compress releng/7.3/usr.bin/gzip releng/7.4 releng/... X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Sep 2011 08:16:31 -0000 On Wed Sep 28 11, Bjoern A. Zeeb wrote: > Author: bz > Date: Wed Sep 28 08:47:17 2011 > New Revision: 225827 > URL: http://svn.freebsd.org/changeset/base/225827 > > Log: > Fix handling of corrupt compress(1)ed data. [11:04] a thread on freebsd-questions@ indicates that the changes to uipc_usrreq.c broke support for flash. the thread's subject line is "FreeBSD 9-Beta3 and FlashPlayer". cheers. alex > > Add missing length checks on unix socket addresses. [11:05] > > Approved by: so (cperciva) > Approved by: re (kensmith) > Security: FreeBSD-SA-11:04.compress > Security: CVE-2011-2895 [11:04] > Security: FreeBSD-SA-11:05.unix > > Modified: > head/sys/kern/uipc_usrreq.c > head/usr.bin/compress/zopen.c > head/usr.bin/gzip/zuncompress.c > > Changes in other areas also in this revision: > Modified: > releng/7.3/UPDATING > releng/7.3/sys/conf/newvers.sh > releng/7.3/sys/kern/uipc_usrreq.c > releng/7.3/usr.bin/compress/zopen.c > releng/7.3/usr.bin/gzip/zuncompress.c > releng/7.4/UPDATING > releng/7.4/sys/conf/newvers.sh > releng/7.4/sys/kern/uipc_usrreq.c > releng/7.4/usr.bin/compress/zopen.c > releng/7.4/usr.bin/gzip/zuncompress.c > releng/8.1/UPDATING > releng/8.1/sys/conf/newvers.sh > releng/8.1/sys/kern/uipc_usrreq.c > releng/8.1/usr.bin/compress/zopen.c > releng/8.1/usr.bin/gzip/zuncompress.c > releng/8.2/UPDATING > releng/8.2/sys/conf/newvers.sh > releng/8.2/sys/kern/uipc_usrreq.c > releng/8.2/usr.bin/compress/zopen.c > releng/8.2/usr.bin/gzip/zuncompress.c > stable/7/sys/kern/uipc_usrreq.c > stable/7/usr.bin/compress/zopen.c > stable/7/usr.bin/gzip/zuncompress.c > stable/8/sys/kern/uipc_usrreq.c > stable/8/usr.bin/compress/zopen.c > stable/8/usr.bin/gzip/zuncompress.c > stable/9/sys/kern/uipc_usrreq.c > stable/9/usr.bin/compress/zopen.c > stable/9/usr.bin/gzip/zuncompress.c > > Modified: head/sys/kern/uipc_usrreq.c > ============================================================================== > --- head/sys/kern/uipc_usrreq.c Wed Sep 28 08:19:45 2011 (r225826) > +++ head/sys/kern/uipc_usrreq.c Wed Sep 28 08:47:17 2011 (r225827) > @@ -462,6 +462,8 @@ uipc_bind(struct socket *so, struct sock > unp = sotounpcb(so); > KASSERT(unp != NULL, ("uipc_bind: unp == NULL")); > > + if (soun->sun_len > sizeof(struct sockaddr_un)) > + return (EINVAL); > namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path); > if (namelen <= 0) > return (EINVAL); > @@ -1252,6 +1254,8 @@ unp_connect(struct socket *so, struct so > unp = sotounpcb(so); > KASSERT(unp != NULL, ("unp_connect: unp == NULL")); > > + if (nam->sa_len > sizeof(struct sockaddr_un)) > + return (EINVAL); > len = nam->sa_len - offsetof(struct sockaddr_un, sun_path); > if (len <= 0) > return (EINVAL); > > Modified: head/usr.bin/compress/zopen.c > ============================================================================== > --- head/usr.bin/compress/zopen.c Wed Sep 28 08:19:45 2011 (r225826) > +++ head/usr.bin/compress/zopen.c Wed Sep 28 08:47:17 2011 (r225827) > @@ -486,7 +486,7 @@ zread(void *cookie, char *rbp, int num) > block_compress = maxbits & BLOCK_MASK; > maxbits &= BIT_MASK; > maxmaxcode = 1L << maxbits; > - if (maxbits > BITS) { > + if (maxbits > BITS || maxbits < 12) { > errno = EFTYPE; > return (-1); > } > @@ -513,17 +513,28 @@ zread(void *cookie, char *rbp, int num) > for (code = 255; code >= 0; code--) > tab_prefixof(code) = 0; > clear_flg = 1; > - free_ent = FIRST - 1; > - if ((code = getcode(zs)) == -1) /* O, untimely death! */ > - break; > + free_ent = FIRST; > + oldcode = -1; > + continue; > } > incode = code; > > - /* Special case for KwKwK string. */ > + /* Special case for kWkWk string. */ > if (code >= free_ent) { > + if (code > free_ent || oldcode == -1) { > + /* Bad stream. */ > + errno = EINVAL; > + return (-1); > + } > *stackp++ = finchar; > code = oldcode; > } > + /* > + * The above condition ensures that code < free_ent. > + * The construction of tab_prefixof in turn guarantees that > + * each iteration decreases code and therefore stack usage is > + * bound by 1 << BITS - 256. > + */ > > /* Generate output characters in reverse order. */ > while (code >= 256) { > @@ -540,7 +551,7 @@ middle: do { > } while (stackp > de_stack); > > /* Generate the new entry. */ > - if ((code = free_ent) < maxmaxcode) { > + if ((code = free_ent) < maxmaxcode && oldcode != -1) { > tab_prefixof(code) = (u_short) oldcode; > tab_suffixof(code) = finchar; > free_ent = code + 1; > > Modified: head/usr.bin/gzip/zuncompress.c > ============================================================================== > --- head/usr.bin/gzip/zuncompress.c Wed Sep 28 08:19:45 2011 (r225826) > +++ head/usr.bin/gzip/zuncompress.c Wed Sep 28 08:47:17 2011 (r225827) > @@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num) > zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK; > zs->zs_maxbits &= BIT_MASK; > zs->zs_maxmaxcode = 1L << zs->zs_maxbits; > - if (zs->zs_maxbits > BITS) { > + if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) { > errno = EFTYPE; > return (-1); > } > @@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num) > } > zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256; > > - zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs); > - if (zs->u.r.zs_oldcode == -1) /* EOF already? */ > - return (0); /* Get out of here */ > - > - /* First code must be 8 bits = char. */ > - *bp++ = (u_char)zs->u.r.zs_finchar; > - count--; > + zs->u.r.zs_oldcode = -1; > zs->u.r.zs_stackp = de_stack; > > while ((zs->u.r.zs_code = getcode(zs)) > -1) { > @@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num) > zs->u.r.zs_code--) > tab_prefixof(zs->u.r.zs_code) = 0; > zs->zs_clear_flg = 1; > - zs->zs_free_ent = FIRST - 1; > - if ((zs->u.r.zs_code = getcode(zs)) == -1) /* O, untimely death! */ > - break; > + zs->zs_free_ent = FIRST; > + zs->u.r.zs_oldcode = -1; > + continue; > } > zs->u.r.zs_incode = zs->u.r.zs_code; > > /* Special case for KwKwK string. */ > if (zs->u.r.zs_code >= zs->zs_free_ent) { > + if (zs->u.r.zs_code > zs->zs_free_ent || > + zs->u.r.zs_oldcode == -1) { > + /* Bad stream. */ > + errno = EINVAL; > + return (-1); > + } > *zs->u.r.zs_stackp++ = zs->u.r.zs_finchar; > zs->u.r.zs_code = zs->u.r.zs_oldcode; > } > + /* > + * The above condition ensures that code < free_ent. > + * The construction of tab_prefixof in turn guarantees that > + * each iteration decreases code and therefore stack usage is > + * bound by 1 << BITS - 256. > + */ > > /* Generate output characters in reverse order. */ > while (zs->u.r.zs_code >= 256) { > @@ -302,7 +308,8 @@ middle: do { > } while (zs->u.r.zs_stackp > de_stack); > > /* Generate the new entry. */ > - if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) { > + if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode && > + zs->u.r.zs_oldcode != -1) { > tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode; > tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar; > zs->zs_free_ent = zs->u.r.zs_code + 1;