From owner-svn-src-all@freebsd.org Wed Mar 16 22:30:57 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C4C5EAD3A33; Wed, 16 Mar 2016 22:30:57 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 878AEF18; Wed, 16 Mar 2016 22:30:57 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u2GMUumP043120; Wed, 16 Mar 2016 22:30:56 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u2GMUutt043115; Wed, 16 Mar 2016 22:30:56 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201603162230.u2GMUutt043115@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f From: Gleb Smirnoff Date: Wed, 16 Mar 2016 22:30:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r296954 - in releng/10.1: . crypto/openssh sys/amd64/amd64 sys/conf sys/dev/hyperv/utilities X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Mar 2016 22:30:57 -0000 Author: glebius Date: Wed Mar 16 22:30:56 2016 New Revision: 296954 URL: https://svnweb.freebsd.org/changeset/base/296954 Log: o Fix OpenSSH xauth(1) command injection. [SA-16:14] o Fix incorrect argument validation in sysarch(2). [SA-16:15] o Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04] Errata: FreeBSD-EN-16:04.hyperv Security: FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115 Security: FreeBSD-SA-16:15.sysarch, CVE-2016-1885 Approved by: so Modified: releng/10.1/UPDATING releng/10.1/crypto/openssh/session.c releng/10.1/sys/amd64/amd64/sys_machdep.c releng/10.1/sys/conf/newvers.sh releng/10.1/sys/dev/hyperv/utilities/hv_kvp.c Directory Properties: releng/10.1/ (props changed) Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Wed Mar 16 22:30:03 2016 (r296953) +++ releng/10.1/UPDATING Wed Mar 16 22:30:56 2016 (r296954) @@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160316 p31 FreeBSD-SA-16:14.openssh-xauth + FreeBSD-SA-16:15.sysarch + FreeBSD-EN-16:04.hyperv + + Fix OpenSSH xauth(1) command injection. [SA-16:14] + Fix incorrect argument validation in sysarch(2). [SA-16:15] + Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04] + 20160303 p30 FreeBSD-SA-16:12.openssl Fix multiple vulnerabilities of OpenSSL. Modified: releng/10.1/crypto/openssh/session.c ============================================================================== --- releng/10.1/crypto/openssh/session.c Wed Mar 16 22:30:03 2016 (r296953) +++ releng/10.1/crypto/openssh/session.c Wed Mar 16 22:30:56 2016 (r296954) @@ -48,6 +48,7 @@ __RCSID("$FreeBSD$"); #include +#include #include #include #include @@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -2199,7 +2221,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); Modified: releng/10.1/sys/amd64/amd64/sys_machdep.c ============================================================================== --- releng/10.1/sys/amd64/amd64/sys_machdep.c Wed Mar 16 22:30:03 2016 (r296953) +++ releng/10.1/sys/amd64/amd64/sys_machdep.c Wed Mar 16 22:30:56 2016 (r296954) @@ -591,8 +591,8 @@ amd64_set_ldt(td, uap, descs) struct i386_ldt_args *uap; struct user_segment_descriptor *descs; { - int error = 0, i; - int largest_ld; + int error = 0; + unsigned int largest_ld, i; struct mdproc *mdp = &td->td_proc->p_md; struct proc_ldt *pldt; struct user_segment_descriptor *dp; Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Wed Mar 16 22:30:03 2016 (r296953) +++ releng/10.1/sys/conf/newvers.sh Wed Mar 16 22:30:56 2016 (r296954) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p30" +BRANCH="RELEASE-p31" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.1/sys/dev/hyperv/utilities/hv_kvp.c ============================================================================== --- releng/10.1/sys/dev/hyperv/utilities/hv_kvp.c Wed Mar 16 22:30:03 2016 (r296953) +++ releng/10.1/sys/dev/hyperv/utilities/hv_kvp.c Wed Mar 16 22:30:56 2016 (r296954) @@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -113,6 +114,8 @@ static struct cdev *hv_kvp_dev; static struct hv_kvp_msg *hv_kvp_dev_buf; struct proc *daemon_task; +static struct selinfo hv_kvp_selinfo; + /* * Global state to track and synchronize multiple * KVP transaction requests from the host. @@ -627,6 +630,9 @@ hv_kvp_send_msg_to_daemon(void) /* Send the msg to user via function deamon_read - setting sema */ sema_post(&kvp_globals.dev_sema); + + /* We should wake up the daemon, in case it's doing poll() */ + selwakeup(&hv_kvp_selinfo); } @@ -939,7 +945,7 @@ hv_kvp_dev_daemon_write(struct cdev *dev * for daemon to read. */ static int -hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td __unused) +hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td) { int revents = 0; @@ -952,6 +958,9 @@ hv_kvp_dev_daemon_poll(struct cdev *dev */ if (kvp_globals.daemon_busy == true) revents = POLLIN; + else + selrecord(td, &hv_kvp_selinfo); + mtx_unlock(&kvp_globals.pending_mutex); return (revents);