Date:      Tue, 27 Nov 2018 19:42:16 +0000 (UTC)
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r341088 - in releng/11.2: . sys/conf sys/fs/nfs sys/fs/nfsserver
Message-ID:  <201811271942.wARJgG1X037500@repo.freebsd.org>

Author: gordon
Date: Tue Nov 27 19:42:16 2018
New Revision: 341088
URL: https://svnweb.freebsd.org/changeset/base/341088

Log:
  Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs]
  
  Reported by:	Jakub Jirasek, Secunia Research at Flexera
  Approved by:	so
  Security:	FreeBSD-SA-18:13.nfs
  Security:	CVE-2018-17157
  Security:	CVE-2018-17158
  Security:	CVE-2018-17159

Modified:
  releng/11.2/UPDATING
  releng/11.2/sys/conf/newvers.sh
  releng/11.2/sys/fs/nfs/nfs_commonsubs.c
  releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c
  releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c

Modified: releng/11.2/UPDATING
==============================================================================
--- releng/11.2/UPDATING	Tue Nov 27 19:40:18 2018	(r341087)
+++ releng/11.2/UPDATING	Tue Nov 27 19:42:16 2018	(r341088)
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and 
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
+20181127	p5	FreeBSD-SA-18:13.nfs
+			FreeBSD-EN-18:13.icmp
+			FreeBSD-EN-18:14.tzdata
+			FreeBSD-EN-18:15.loader
+
+	Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs]
+
+	Fix ICMP buffer underwrite. [EN-18:13.icmp]
+
+	Timezone database information update. [EN-18:14.tzdata]
+
+	Fix deferred kernel loading breaks loader password. [EN-18:15.loader]
+
 20180927	p4	FreeBSD-EN-18:09.ip
 			FreeBSD-EN-18:10.syscall
 			FreeBSD-EN-18:11.listen

Modified: releng/11.2/sys/conf/newvers.sh
==============================================================================
--- releng/11.2/sys/conf/newvers.sh	Tue Nov 27 19:40:18 2018	(r341087)
+++ releng/11.2/sys/conf/newvers.sh	Tue Nov 27 19:42:16 2018	(r341088)
@@ -44,7 +44,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.2"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/11.2/sys/fs/nfs/nfs_commonsubs.c
==============================================================================
--- releng/11.2/sys/fs/nfs/nfs_commonsubs.c	Tue Nov 27 19:40:18 2018	(r341087)
+++ releng/11.2/sys/fs/nfs/nfs_commonsubs.c	Tue Nov 27 19:42:16 2018	(r341088)
@@ -360,10 +360,14 @@ nfsm_advance(struct nfsrv_descript *nd, int offs, int 
 	if (offs == 0)
 		goto out;
 	/*
-	 * A negative offs should be considered a serious problem.
+	 * A negative offs might indicate a corrupted mbuf chain and,
+	 * as such, a printf is logged.
 	 */
-	if (offs < 0)
-		panic("nfsrv_advance");
+	if (offs < 0) {
+		printf("nfsrv_advance: negative offs\n");
+		error = EBADRPC;
+		goto out;
+	}
 
 	/*
 	 * If left == -1, calculate it here.
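Review bot: The new `printf("nfsrv_advance: negative offs\n")` is unthrottled on a path whose input (offs, derived from the client-supplied mbuf chain) is remotely controlled, so a server reachable from untrusted clients will emit one console line per malformed request and can have its log filled; guarding the printf with a rate limit such as the kernel's `ppsratecheck()`, or logging once, keeps the diagnostic without the noise. Replacing panic() with `error = EBADRPC; goto out;` is the right shape, but `error` and the `out:` label are declared outside this hunk, and the fix only takes effect if every caller of nfsm_advance() checks its return value — worth confirming at the call sites. nfsm_advance's body starts and ends outside the hunk.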

Modified: releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c	Tue Nov 27 19:40:18 2018	(r341087)
+++ releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c	Tue Nov 27 19:42:16 2018	(r341088)
@@ -1858,9 +1858,15 @@ nfsrvd_readdirplus(struct nfsrv_descript *nd, int isdg
 	 * cookie) should be in the reply. At least one client "hints" 0,
 	 * so I set it to cnt for that case. I also round it up to the
 	 * next multiple of DIRBLKSIZ.
+	 * Since the size of a Readdirplus directory entry reply will always
+	 * be greater than a directory entry returned by VOP_READDIR(), it
+	 * does not make sense to read more than NFS_SRVMAXDATA() via
+	 * VOP_READDIR().
 	 */
 	if (siz <= 0)
 		siz = cnt;
+	else if (siz > NFS_SRVMAXDATA(nd))
+		siz = NFS_SRVMAXDATA(nd);
 	siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1));
 
 	if (nd->nd_flag & ND_NFSV4) {
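Review bot: The clamp on `else if (siz > NFS_SRVMAXDATA(nd))` only applies when the client sent a positive siz; the `siz <= 0` branch takes `cnt` as-is, so unless cnt is already bounded by NFS_SRVMAXDATA earlier in nfsrvd_readdirplus (outside this hunk) a zero hint still yields an unclamped read size. Applying the clamp after the branch covers both cases: `if (siz <= 0) siz = cnt;` followed by `if (siz > NFS_SRVMAXDATA(nd)) siz = NFS_SRVMAXDATA(nd);`. Note also that the DIRBLKSIZ round-up on the next line runs after the clamp, so siz may still exceed NFS_SRVMAXDATA(nd) by up to DIRBLKSIZ - 1 unless that macro is itself a DIRBLKSIZ multiple; if siz feeds an allocation or buffer bound further down, that is worth confirming. The function continues on both sides of the hunk.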

Modified: releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c
==============================================================================
--- releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c	Tue Nov 27 19:40:18 2018	(r341087)
+++ releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c	Tue Nov 27 19:42:16 2018	(r341088)
@@ -758,11 +758,6 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram
 		*repp = *tl;
 		op = fxdr_unsigned(int, *tl);
 		NFSD_DEBUG(4, "op=%d\n", op);
-
-		binuptime(&start_time);
-		nfsrvd_statstart(op, &start_time);
-		statsinprog = 1;
-
 		if (op < NFSV4OP_ACCESS ||
 		    (op >= NFSV4OP_NOPS && (nd->nd_flag & ND_NFSV41) == 0) ||
 		    (op >= NFSV41_NOPS && (nd->nd_flag & ND_NFSV41) != 0)) {
@@ -774,6 +769,11 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram
 		} else {
 			repp++;
 		}
+
+		binuptime(&start_time);
+		nfsrvd_statstart(op, &start_time);
+		statsinprog = 1;
+
 		if (i == 0)
 			op0 = op;
 		if (i == numops - 1)
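Review bot: The relocated `binuptime(&start_time); nfsrvd_statstart(op, &start_time); statsinprog = 1;` block carries no comment saying why it must follow the op range check above it, so a later cleanup could move it back ahead of the validation and reintroduce the problem this commit fixes. Suggest adding `/* Start per-op stats only after op has been range checked above. */` before the block; the reason appears to be that nfsrvd_statstart() is indexed by op, but that is inferred from the ordering rather than visible here. The same applies to the first hunk of this file, which removes the block from its old position. nfsrvd_compound's loop body extends beyond both hunks.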


