From owner-svn-src-all@freebsd.org Tue Nov 27 19:42:18 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0EBBD11598E7; Tue, 27 Nov 2018 19:42:18 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A789E8F996; Tue, 27 Nov 2018 19:42:17 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 86E0F1FE58; Tue, 27 Nov 2018 19:42:17 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wARJgHwt037508; Tue, 27 Nov 2018 19:42:17 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wARJgG1X037500; Tue, 27 Nov 2018 19:42:16 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201811271942.wARJgG1X037500@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 27 Nov 2018 19:42:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r341088 - in releng/11.2: . sys/conf sys/fs/nfs sys/fs/nfsserver X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng/11.2: . sys/conf sys/fs/nfs sys/fs/nfsserver X-SVN-Commit-Revision: 341088 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: A789E8F996 X-Spamd-Result: default: False [1.42 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_SPAM_LONG(0.51)[0.511,0]; NEURAL_SPAM_MEDIUM(0.69)[0.687,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_SPAM_SHORT(0.22)[0.223,0] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Nov 2018 19:42:18 -0000 Author: gordon Date: Tue Nov 27 19:42:16 2018 New Revision: 341088 URL: https://svnweb.freebsd.org/changeset/base/341088 Log: Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs] Reported by: Jakub Jirasek, Secunia Research at Flexera Approved by: so Security: FreeBSD-SA-18:13.nfs Security: CVE-2018-17157 Security: CVE-2018-17158 Security: CVE-2018-17159 Modified: releng/11.2/UPDATING releng/11.2/sys/conf/newvers.sh releng/11.2/sys/fs/nfs/nfs_commonsubs.c releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c Modified: releng/11.2/UPDATING ============================================================================== --- releng/11.2/UPDATING Tue Nov 27 19:40:18 2018 (r341087) +++ releng/11.2/UPDATING Tue Nov 27 19:42:16 2018 (r341088) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20181127 p5 FreeBSD-SA-18:13.nfs + FreeBSD-EN-18:13.icmp + FreeBSD-EN-18:14.tzdata + FreeBSD-EN-18:15.loader + + Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs] + + Fix ICMP buffer underwrite. [EN-18:13.icmp] + + Timezone database information update. [EN-18:14.tzdata] + + Fix deferred kernel loading breaks loader password. [EN-18:15.loader] + 20180927 p4 FreeBSD-EN-18:09.ip FreeBSD-EN-18:10.syscall FreeBSD-EN-18:11.listen Modified: releng/11.2/sys/conf/newvers.sh ============================================================================== --- releng/11.2/sys/conf/newvers.sh Tue Nov 27 19:40:18 2018 (r341087) +++ releng/11.2/sys/conf/newvers.sh Tue Nov 27 19:42:16 2018 (r341088) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.2" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.2/sys/fs/nfs/nfs_commonsubs.c ============================================================================== --- releng/11.2/sys/fs/nfs/nfs_commonsubs.c Tue Nov 27 19:40:18 2018 (r341087) +++ releng/11.2/sys/fs/nfs/nfs_commonsubs.c Tue Nov 27 19:42:16 2018 (r341088) @@ -360,10 +360,14 @@ nfsm_advance(struct nfsrv_descript *nd, int offs, int if (offs == 0) goto out; /* - * A negative offs should be considered a serious problem. + * A negative offs might indicate a corrupted mbuf chain and, + * as such, a printf is logged. */ - if (offs < 0) - panic("nfsrv_advance"); + if (offs < 0) { + printf("nfsrv_advance: negative offs\n"); + error = EBADRPC; + goto out; + } /* * If left == -1, calculate it here. Modified: releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c Tue Nov 27 19:40:18 2018 (r341087) +++ releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c Tue Nov 27 19:42:16 2018 (r341088) @@ -1858,9 +1858,15 @@ nfsrvd_readdirplus(struct nfsrv_descript *nd, int isdg * cookie) should be in the reply. At least one client "hints" 0, * so I set it to cnt for that case. I also round it up to the * next multiple of DIRBLKSIZ. + * Since the size of a Readdirplus directory entry reply will always + * be greater than a directory entry returned by VOP_READDIR(), it + * does not make sense to read more than NFS_SRVMAXDATA() via + * VOP_READDIR(). */ if (siz <= 0) siz = cnt; + else if (siz > NFS_SRVMAXDATA(nd)) + siz = NFS_SRVMAXDATA(nd); siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1)); if (nd->nd_flag & ND_NFSV4) { Modified: releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c ============================================================================== --- releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c Tue Nov 27 19:40:18 2018 (r341087) +++ releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c Tue Nov 27 19:42:16 2018 (r341088) @@ -758,11 +758,6 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram *repp = *tl; op = fxdr_unsigned(int, *tl); NFSD_DEBUG(4, "op=%d\n", op); - - binuptime(&start_time); - nfsrvd_statstart(op, &start_time); - statsinprog = 1; - if (op < NFSV4OP_ACCESS || (op >= NFSV4OP_NOPS && (nd->nd_flag & ND_NFSV41) == 0) || (op >= NFSV41_NOPS && (nd->nd_flag & ND_NFSV41) != 0)) { @@ -774,6 +769,11 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram } else { repp++; } + + binuptime(&start_time); + nfsrvd_statstart(op, &start_time); + statsinprog = 1; + if (i == 0) op0 = op; if (i == numops - 1)