Date: Tue, 8 Jul 2014 22:23:26 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r45230 - in head/share: security/advisories security/patches/EN-14:09 security/patches/SA-14:17 xml
Message-ID: <201407082223.s68MNQBh035382@svn.freebsd.org>
Author: delphij
Date: Tue Jul 8 22:23:25 2014
New Revision: 45230
URL: http://svnweb.freebsd.org/changeset/doc/45230

Log:
  Add SA-14:17.kmem and EN-14:09.jail.

Added:
  head/share/security/advisories/FreeBSD-EN-14:09.jail.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:17.kmem.asc (contents, props changed)
  head/share/security/patches/EN-14:09/
  head/share/security/patches/EN-14:09/jail.patch (contents, props changed)
  head/share/security/patches/EN-14:09/jail.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:17/
  head/share/security/patches/SA-14:17/kmem-89.patch (contents, props changed)
  head/share/security/patches/SA-14:17/kmem-89.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:17/kmem-9.1.patch (contents, props changed)
  head/share/security/patches/SA-14:17/kmem-9.1.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:17/kmem.patch (contents, props changed)
  head/share/security/patches/SA-14:17/kmem.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-14:09.jail.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:09.jail.asc Tue Jul 8 22:23:25 2014 (r45230)
@@ -0,0 +1,121 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:09.jail Errata Notice + The FreeBSD Project + +Topic: Jail fails to start if WITHOUT_INET/WITHOUT_INET6 is used + +Category: core +Module: jail +Announced: 2014-07-08 +Credits: Eugene Grosbein, Chris Rees +Affects: FreeBSD 8.4 +Corrected: 2014-07-02 19:18:59 UTC (stable/8, 8.4-STABLE) + 2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The jail(8) utility creates new jails, or modifies or removes existing +jails. + +II. Problem Description + +The jail(8) rc(8) script used to start jails on the system does not +properly detect if an address protocol is in use on the system. + +III. Impact + +When the FreeBSD kernel and userland are built either without IPv4 or IPv6 +support by defining WITHOUT_INET or WITHOUT_INET6 in src.conf(5), the jail(8) +will fail to start with an non-descriptive error. + +IV. Workaround + +No workaround is available, however systems that do not define WITHOUT_INET +or WITHOUT_INET6 are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:09/jail.patch +# fetch http://security.FreeBSD.org/patches/EN-14:09/jail.patch.asc +# gpg --verify jail.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r268168 +releng/8.4/ r268435 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:09.jail.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTvG0oAAoJEO1n7NZdz2rnEeUP+gJuYN0VoSbT+0zPJH9u61/K +gJma3dUY4zuKDRyLhYNTCM+fKIwCZ07+9lesAeDm8mXts0UGGvjSHVqxXlG1hiGi +2W8AxNzvV0FQuE6awlz8dDE2ikATkae7VPBoLraq0a7CEH4kW/mnl4+xQ3I2Hgc+ +wTmF+R13mb905xbF+52aj1jDUus8+ZFuDY0VRV3IY34i9OxcnoQO+T8v1w6d9ly3 +KbHmZXd2LPS0yeITAWuk4p1gwl8vi7uz7IiJcxrw/YEOUC6LkHO5/JUPRDz1O5Dd +snRmFFF5w77u5bYWpHHU6kw4/k0GwuS1jfQnQm1ag/Gl8A1O4BA4ixvItOrU/FiT +KxoOsdrMgD9jvIyHKOGPyio+FQuRdn+TsyE7WDw/MO2sZ3Et8nG49PccSbFQxuWu +IFXoK+1gI1Vst5YlMUwbCwQRCuBawaUVhfWqF5jIeVvW2uPRr6S1rIJOyGy/HlKO +HwdEtBbDcukWYojjG3pcORdv/HaQkN47NrJrJ6bWldJCshhSwPJ1ivyKLL16hjf2 +H/Tk+IHfVULjxgMEY7wQ3fL6kkgMHbrfxhBSy6LVYJggzvV+hgJXNY0116gUuAhA +5UTKFfEHyXDtlgsTHSyETiHw3qXQ6JmyNUPepuAcf1Ly/yTvlFPhM56R52ZjBLRs +rQOf3Vdelgpnpo4olu7L +=4r/Q +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:17.kmem.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:17.kmem.asc Tue Jul 8 22:23:25 2014 (r45230) 
@@ -0,0 +1,170 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:17.kmem Security Advisory + The FreeBSD Project + +Topic: Kernel memory disclosure in control messages and SCTP + notifications + +Category: core +Module: kern, sctp +Announced: 2014-07-08 +Credits: Michael Tuexen +Affects: All supported versions of FreeBSD. +Corrected: 2014-07-08 21:54:50 UTC (stable/10, 10.0-STABLE) + 2014-07-08 21:55:27 UTC (releng/10.0, 10.0-RELEASE-p7) + 2014-07-08 21:54:50 UTC (stable/9, 9.3-PRERELEASE) + 2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC3-p1) + 2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC2-p1) + 2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC1-p2) + 2014-07-08 21:55:27 UTC (releng/9.3, 9.3-BETA3-p2) + 2014-07-08 21:55:27 UTC (releng/9.2, 9.2-RELEASE-p10) + 2014-07-08 21:55:27 UTC (releng/9.1, 9.1-RELEASE-p17) + 2014-07-08 21:54:50 UTC (stable/8, 8.4-STABLE) + 2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14) +CVE Name: CVE-2014-3952, CVE-2014-3953 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The control message API is used to construct ancillary data objects for +use in control messages sent and received across sockets and passed via +the recvmsg(2) and sendmsg(2) system calls. + +II. Problem Description + +Buffer between control message header and data may not be completely +initialized before being copied to userland. [CVE-2014-3952] + +Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit +padding that may not be completely initialized before being copied to +userland. 
In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE, +SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the +returning data structure that may not be completely initialized before +being copied to userland. [CVE-2014-3953] + +III. Impact + +An unprivileged local process may be able to retrieve portion of kernel +memory. + +For the generic control message, the process may be able to retrieve a +maximum of 4 bytes of kernel memory. + +For SCTP, the process may be able to retrieve 2 bytes of kernel memory +for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76 +bytes for SCTP_EXTRCV. If the local process is permitted to receive +SCTP notification, a maximum of 112 bytes of kernel memory may be +returned to userland. + +This information might be directly useful, or it might be leveraged to +obtain elevated privileges in some way. For example, a terminal buffer +might include a user-entered password. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +[FreeBSD 10.0] +# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch +# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch.asc +# gpg --verify kmem.patch.asc + +[FreeBSD 8.4, 9.2 and 9.3-RC] +# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch +# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch.asc +# gpg --verify kmem.patch.asc + +[FreeBSD 9.2] +# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch +# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch.asc +# gpg --verify kmem.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r268432 +releng/8.4/ r268435 +stable/9/ r268432 +releng/9.1/ r268434 +releng/9.2/ r268434 +releng/9.3/ r268433 +stable/10/ r268432 +releng/10.0/ r268434 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3952> +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3953> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:17.kmem.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTvG0nAAoJEO1n7NZdz2rn9w0QANVDZ/92sbXjrREbn/qDto75 +opjg7cJUne0tAkeqoCxYNiCT0yxI4M37N41Hvq1ZbA0HFgodjb5s6pXTZ4baB4PH +CKxMvk8NB8PAw3+JfG9Ec8e4MaUd0Md04yNx/Ej1zdDz75rhHcqGiK2Agm086RSV +K7TyzZXr1QrjJCSltM5dcXHacMgIZ7OxxY/e4DrI7tsEQk50wmlSKcZZI0GC8o+p +DzhcMP+7qN9wNcZaXNNlLxLlthjlwudnGuFwg4DzkUCjCu2ooyerOref4UDWXmN8 +bky3U9wx5PnM/LmocWAPYCgA58WckbPooiWEWGWJJeogbVi6+vVNOe1516vAeTep +MyGLpdP6v2tSo6XI33yd2YrxDMGOdFN1+ZfeDvFyBk9JFEfMhKHio84967hQRQN6 +pz1+0Ga119akQZKnBs3z9YhPze26sJB+tgTdIUJnunVysdslKI2EYcJ1R+UNIoDB +h5XClPqAWyupfohp2TD8vM5RT+x6CaeW4P08KRpg8PTmqHi7CNB5wgFASG2uC/BT +3qZDebjE7CMCQ35wEWBwVHt8SK0MwaIb9u4A+Fxf/plNDwqKqtQ7LdhI/fabJl5T +IP3RbQLdiGyRAtOwcgXbmIGd2k3E9TNCQa5AdiUjiE5zGcRUs3iywVtyvellnVpI +yAc2ussNLU5vJef4t30X +=u6Xe +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-14:09/jail.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:09/jail.patch Tue Jul 8 22:23:25 2014 (r45230) 
@@ -0,0 +1,15 @@ +Index: etc/rc.d/jail +=================================================================== +--- etc/rc.d/jail (revision 268273) ++++ etc/rc.d/jail (working copy) +@@ -647,7 +647,9 @@ jail_start() + done + + eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \ +- ip4.addr=\"${_addrl}\" ip6.addr=\"${_addr6l}\" ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 ++ ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \ ++ ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \ ++ </dev/null + + if [ "$?" -eq 0 ] ; then + _jail_id=$(head -1 ${_tmp_jail}) Added: head/share/security/patches/EN-14:09/jail.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:09/jail.patch.asc Tue Jul 8 22:23:25 2014 (r45230) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCgAGBQJTvG16AAoJEO1n7NZdz2rnZnQP/iLTnaxVHY4lxecPfSJZnMiD +l5X1mtnnpleRFOCztOQBM5qLRXxp14V3tE62vBUx5e4go3qYqVC/u+sWgvcC7sBG +aBT3cRVyTnygoXK6B7Av6hEhG9A+RBy1PmKEW/0iIKxD2oixNPtDv6u0AEEv+ipb +WAtjzngeTtrMYskWZNxC8FT+NTTUQTkeU9Rqjh+JKsS8sqpzm1gHWtbp5wKJPeLt +Rt4IULzqNoBmB9BRGYA7scFkXCUC+B1MQLUxN0p9KjNrp1REObOGfb8aTHoAuA0O +Wk6kQeF+heqxt+TRTZp3obOYHINbVfBnPGMWty4hD8JHHFDytdA6LLalILTml3Ia +iBaxWP/sk+4ziWkKtdlyc4VYSGzQNR+9/TIaBz0SuuMOdd21DWjaGtqIY/jfzUpA +CnAAwJJj2ejIqOtR20aSOlCn/DVx7qyXr+R6YyUWjqlhzIsdrxBFsajIuT8DB+U5 +BSDIAxPa5esaMQhbrtoZyb8Fto0P50vMwrfjv9wuoo2Nvz+vU3ABhaPIHzTBomxl +hepAZIGSI4UzZwk0Kj1z9I+e5EDOlFVvxhO6KYpJeulBRM+bMSILXzWH08PMoctz +MhGkkyc8svpTZB9jYxzmcWikdbRknTo3k/I2hVF8pa/sOSbXBL3/HebVuycmvL5y +2d+RwPgvW/C73wgUiFe7 +=rl/o +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:17/kmem-89.patch ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:17/kmem-89.patch Tue Jul 8 22:23:25 2014 (r45230) 
@@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1045,6 +1045,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. 
++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + 
if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = 0; + if (sp->some_taken) { +@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; 
+ sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_stream_change_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + stradd = mtod(m_notify, 
struct sctp_stream_change_event *); ++ memset(stradd, 0, sizeof(struct sctp_stream_change_event)); + stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT; + stradd->strchange_flags = flag; +- stradd->strchange_length = len; ++ stradd->strchange_length = sizeof(struct sctp_stream_change_event); + stradd->strchange_assoc_id = sctp_get_associd(stcb); + stradd->strchange_instrms = numberin; + stradd->strchange_outstrms = numberout; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_assoc_reset_event *strasoc; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { +@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + /* event not enabled */ + return; + } +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_assoc_reset_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + strasoc = mtod(m_notify, struct sctp_assoc_reset_event *); ++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event)); + strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT; + strasoc->assocreset_flags = flag; +- strasoc->assocreset_length = len; ++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event); + strasoc->assocreset_assoc_id = sctp_get_associd(stcb); + strasoc->assocreset_local_tsn = sending_tsn; + strasoc->assocreset_remote_tsn = recv_tsn; +- 
SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb, + return; + } + strreset = mtod(m_notify, struct sctp_stream_reset_event *); ++ memset(strreset, 0, len); + strreset->strreset_type = SCTP_STREAM_RESET_EVENT; + strreset->strreset_flags = flag; + strreset->strreset_length = len; +@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so, + fromlen = 0; + } + ++ if (filling_sinfo) { ++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo)); ++ } + error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp, + (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo); +- if ((controlp) && (filling_sinfo)) { ++ if (controlp != NULL) { + /* copy back the sinfo in a CMSG format */ + if (filling_sinfo) + *controlp = sctp_build_ctl_nchunk(inp, Added: head/share/security/patches/SA-14:17/kmem-89.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:17/kmem-89.patch.asc Tue Jul 8 22:23:25 2014 (r45230) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCgAGBQJTvG1sAAoJEO1n7NZdz2rnxSAQAMOj+4y12nfK7TJZZV6Knr2O +Cxgee7T0CV6j7+pdSoN0KNsat6Yl9+s5tM3Akr2kkvSoviZQcXlQopJmZhjyiT3u +/RHankNfsRdZDoXzgHMkD2922eQbwz0O5MOeV+dysQCfYNW31890nCviVTr5a5SH +0C20+ka1nelBPaea4RNgyKBUEs3PAzfTz5yDRzRLFhl/8EqV/Pcom62IyEFe9TB9 +IxPk+DT3tpynWA2XioQFc3vLYz0NxBSCdsWnk9klWvmkLwJUkGGcUztWokU675ez +4bvb018YPOaqikePymMzUluLpZZH8P0Om2hnKnZP2aqOjj9IaOlNzSkY9OPqoaSN +7t29mWZ+x3e8D56c3TMfviFjTVwJjE9OH9aomoZGrxIt1W5cCKwgAJJfpXtin+bR +/nzYtomRDWxKLjfSDV2nC8N4dqh4qz7HRFSmLgXhL7LYpNtMZURZnrNke92OCZMe +hjeGFk3V9tATYeCxAZaDEe/xgW5Ir/cCWaxQUabEldc8AdHT7vumaQ9UvND8SSBp +52BPWMRFPdDtDbL61ESjrBwjFgWIeiNDbSW3VW5qTPqIxF66GcWcZf8PJE8kdYTX +0vrMsjsusu6LFc8FTwzE1O8sbPGkSdqe2GPXU2PZu8+FGkHKgz4qR/bLewG/nqwQ +3zOlJ1MrVW2nyKQK+Bik +=VGnU +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:17/kmem-9.1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:17/kmem-9.1.patch Tue Jul 8 22:23:25 2014 (r45230) 
@@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1011,6 +1011,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1876,6 +1876,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. 
++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2628,6 +2628,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2834,11 +2835,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2845,10 +2845,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2858,6 +2859,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + 
if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2864,6 +2866,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2947,16 +2951,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2970,12 +2974,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = sp->strseq; + if (sp->some_taken) { +@@ -3037,6 +3042,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + 
sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3092,6 +3098,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3201,6 +3208,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3251,6 +3259,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3283,7 +3292,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3296,25 +3304,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_stream_change_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + stradd 
= mtod(m_notify, struct sctp_stream_change_event *); ++ memset(stradd, 0, sizeof(struct sctp_stream_change_event)); + stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT; + stradd->strchange_flags = flag; +- stradd->strchange_length = len; ++ stradd->strchange_length = sizeof(struct sctp_stream_change_event); + stradd->strchange_assoc_id = sctp_get_associd(stcb); + stradd->strchange_instrms = numberin; + stradd->strchange_outstrms = numberout; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3345,7 +3348,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_assoc_reset_event *strasoc; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { +@@ -3352,25 +3354,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + /* event not enabled */ + return; + } +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_assoc_reset_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + strasoc = mtod(m_notify, struct sctp_assoc_reset_event *); ++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event)); + strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT; + strasoc->assocreset_flags = flag; +- strasoc->assocreset_length = len; ++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event); + strasoc->assocreset_assoc_id = sctp_get_associd(stcb); + strasoc->assocreset_local_tsn = sending_tsn; + strasoc->assocreset_remote_tsn = recv_tsn; 
+- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3423,6 +3420,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb, + return; + } + strreset = mtod(m_notify, struct sctp_stream_reset_event *); ++ memset(strreset, 0, len); + strreset->strreset_type = SCTP_STREAM_RESET_EVENT; + strreset->strreset_flags = flag; + strreset->strreset_length = len; +@@ -6261,9 +6259,12 @@ sctp_soreceive(struct socket *so, + fromlen = 0; + } + ++ if (filling_sinfo) { ++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo)); ++ } + error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp, + (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo); +- if ((controlp) && (filling_sinfo)) { ++ if (controlp != NULL) { + /* copy back the sinfo in a CMSG format */ + if (filling_sinfo) + *controlp = sctp_build_ctl_nchunk(inp, Added: head/share/security/patches/SA-14:17/kmem-9.1.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:17/kmem-9.1.patch.asc Tue Jul 8 22:23:25 2014 (r45230) 
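Review bot: in the sctp_notify_send_failed hunk (@@ -2834,11 +2835,10 @@ and @@ -2845,10 +2845,11 @@), `memset(ssfe, 0, length)` now runs before the moved `length += chk->send_size; length -= sizeof(struct sctp_data_chunk);` lines, so it zeroes only the pre-adjustment `length`, whose initial value is not visible in the hunk. That ordering is what keeps the memset inside the mbuf, but the removed `bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));` is only fully replaced if that initial `length` equals `sizeof(struct sctp_send_failed_event)`; either a comment above the memset stating that invariant or `memset(ssfe, 0, sizeof(struct sctp_send_failed_event))`, as the other notify functions in this patch do, would make the hunk self-evidently correct. The same applies to the `ssf` branch and to both branches of the sctp_notify_send_failed2 hunk.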
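Review bot: in the sctp_notify_stream_reset_add and sctp_notify_stream_reset_tsn hunks (@@ -3296,25 +3304,20 @@ and @@ -3352,25 +3354,20 @@), dropping the `if (len > M_TRAILINGSPACE(m_notify))` check makes the following memset and field stores depend entirely on `sctp_get_mbuf_for_msg()` honouring the requested `sizeof(struct ...)` size; a KASSERT on `M_TRAILINGSPACE(m_notify)` after the allocation, or a one-line comment citing that guarantee, would document the assumption. Separately, removing `int len` leaves `sizeof(struct sctp_stream_change_event)` repeated in the allocation, the memset, `strchange_length` and `SCTP_BUF_LEN`; a local `const size_t len` would keep those four in step.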
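Review bot: in the sctp_soreceive hunk (@@ -6261,9 +6259,12 @@), relaxing the outer test from `if ((controlp) && (filling_sinfo))` to `if (controlp != NULL)` opens a path where `controlp` is non-NULL but `filling_sinfo` is false, and the inner `if (filling_sinfo)` has no else branch visible in the hunk's trailing context. Confirm that this path assigns `*controlp` (NULL or an empty control mbuf) so the caller never reads an unset `*controlp`. The new `memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo))` guarded by `filling_sinfo` is correctly placed before the `sctp_sorecvmsg()` call.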
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:17/kmem.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:17/kmem.patch Tue Jul 8 22:23:25 2014 (r45230)
@@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. 
++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + 
if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
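Review bot: in the sys/kern/uipc_sockbuf.c hunk (@@ -1071,6 +1071,11 @@), `bzero(cp, CMSG_SPACE((u_int)size));` is bounded only by the preceding `KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), ...)`, which compiles away without INVARIANTS; since the later `m->m_len = CMSG_SPACE(size);` already assumes the same bound this is acceptable, but the new comment should also say that when `p == NULL` the memcpy is skipped and the data area itself stays zeroed, not just the padding before and after it.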
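Review bot: in the sys/netinet/sctp_indata.c hunk (@@ -250,6 +250,11 @@), `memset(cmh, 0, len);` uses a `len` that is computed outside the visible lines while the surrounding stores use `CMSG_LEN(sizeof(struct sctp_rcvinfo))`; a comment stating that `len` is the full control-mbuf length allocated for `ret` (covering every cmsg written below, not only the first) would let a reader check the bound from the hunk alone.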