From owner-svn-src-all@FreeBSD.ORG Thu May 27 03:15:05 2010 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C5E1D106567F; Thu, 27 May 2010 03:15:05 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (unknown [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id B0C628FC28; Thu, 27 May 2010 03:15:05 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o4R3F5oV041611; Thu, 27 May 2010 03:15:05 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o4R3F5YA041588; Thu, 27 May 2010 03:15:05 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <201005270315.o4R3F5YA041588@svn.freebsd.org> From: Colin Percival Date: Thu, 27 May 2010 03:15:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r208586 - head/contrib/opie/libopie head/lib/libc/sys head/sys/nfsclient head/usr.sbin/jail releng/6.4 releng/6.4/contrib/opie/libopie releng/6.4/sys/conf releng/7.1 releng/7.1/contrib/... X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 May 2010 03:15:05 -0000 Author: cperciva Date: Thu May 27 03:15:04 2010 New Revision: 208586 URL: http://svn.freebsd.org/changeset/base/208586 Log: Change the current working directory to be inside the jail created by the jail(8) command. [10:04] Fix a one-NUL-byte buffer overflow in libopie. [10:05] Correctly sanity-check a buffer length in nfs mount. [10:06] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-10:04.jail Security: FreeBSD-SA-10:05.opie Security: FreeBSD-SA-10:06.nfsclient Modified: releng/6.4/UPDATING releng/6.4/contrib/opie/libopie/readrec.c releng/6.4/sys/conf/newvers.sh releng/7.1/UPDATING releng/7.1/contrib/opie/libopie/readrec.c releng/7.1/sys/conf/newvers.sh releng/7.2/UPDATING releng/7.2/contrib/opie/libopie/readrec.c releng/7.2/lib/libc/sys/mount.2 releng/7.2/sys/conf/newvers.sh releng/7.2/sys/nfsclient/nfs_vfsops.c releng/7.3/UPDATING releng/7.3/contrib/opie/libopie/readrec.c releng/7.3/lib/libc/sys/mount.2 releng/7.3/sys/conf/newvers.sh releng/7.3/sys/nfsclient/nfs_vfsops.c releng/8.0/UPDATING releng/8.0/contrib/opie/libopie/readrec.c releng/8.0/lib/libc/sys/mount.2 releng/8.0/sys/conf/newvers.sh releng/8.0/sys/nfsclient/nfs_vfsops.c releng/8.0/usr.sbin/jail/jail.c Changes in other areas also in this revision: Modified: head/contrib/opie/libopie/readrec.c head/lib/libc/sys/mount.2 head/sys/nfsclient/nfs_vfsops.c head/usr.sbin/jail/jail.c stable/6/contrib/opie/libopie/readrec.c stable/7/contrib/opie/libopie/readrec.c stable/7/lib/libc/sys/mount.2 stable/7/sys/nfsclient/nfs_vfsops.c stable/8/contrib/opie/libopie/readrec.c stable/8/lib/libc/sys/mount.2 stable/8/sys/nfsclient/nfs_vfsops.c stable/8/usr.sbin/jail/jail.c Modified: releng/6.4/UPDATING ============================================================================== --- releng/6.4/UPDATING Thu May 27 01:27:25 2010 (r208585) +++ releng/6.4/UPDATING Thu May 27 03:15:04 2010 (r208586) @@ -8,6 +8,9 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20100526: p10 FreeBSD-SA-10:05.opie + Fix a one-NUL-byte buffer overflow in libopie. [10:05] + 20100106: p9 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd Fix BIND named(8) cache poisoning with DNSSEC validation. [SA-10:01] Modified: releng/6.4/contrib/opie/libopie/readrec.c ============================================================================== --- releng/6.4/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585) +++ releng/6.4/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586) @@ -139,10 +139,8 @@ int __opiereadrec FUNCTION((opie), struc if (c = strchr(opie->opie_principal, ':')) *c = 0; - if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX) - (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; - strcpy(principal, opie->opie_principal); + strlcpy(principal, opie->opie_principal, sizeof(principal)); do { if ((opie->opie_recstart = ftell(f)) < 0) Modified: releng/6.4/sys/conf/newvers.sh ============================================================================== --- releng/6.4/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585) +++ releng/6.4/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.4" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.1/UPDATING ============================================================================== --- releng/7.1/UPDATING Thu May 27 01:27:25 2010 (r208585) +++ releng/7.1/UPDATING Thu May 27 03:15:04 2010 (r208586) @@ -8,6 +8,9 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20100526: p12 FreeBSD-SA-10:05.opie + Fix a one-NUL-byte buffer overflow in libopie. [10:05] + 20100227: p11 FreeBSD-EN-10:02.sched_ule Fix a deadlock in the ULE scheduler. Modified: releng/7.1/contrib/opie/libopie/readrec.c ============================================================================== --- releng/7.1/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585) +++ releng/7.1/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586) @@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc if (c = strchr(opie->opie_principal, ':')) *c = 0; - if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX) - (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; - strcpy(principal, opie->opie_principal); + strlcpy(principal, opie->opie_principal, sizeof(principal)); do { if ((opie->opie_recstart = ftell(f)) < 0) Modified: releng/7.1/sys/conf/newvers.sh ============================================================================== --- releng/7.1/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585) +++ releng/7.1/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.1" -BRANCH="RELEASE-p11" +BRANCH="RELEASE-p12" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.2/UPDATING ============================================================================== --- releng/7.2/UPDATING Thu May 27 01:27:25 2010 (r208585) +++ releng/7.2/UPDATING Thu May 27 03:15:04 2010 (r208586) @@ -8,6 +8,11 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20100526: p8 FreeBSD-SA-10:05.opie, FreeBSD-SA-10:06.nfsclient + Fix a one-NUL-byte buffer overflow in libopie. [10:05] + + Correctly sanity-check a buffer length in nfs mount. [10:06] + 20100227: p7 FreeBSD-EN-10:02.sched_ule Fix a deadlock in the ULE scheduler. Modified: releng/7.2/contrib/opie/libopie/readrec.c ============================================================================== --- releng/7.2/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585) +++ releng/7.2/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586) @@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc if (c = strchr(opie->opie_principal, ':')) *c = 0; - if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX) - (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; - strcpy(principal, opie->opie_principal); + strlcpy(principal, opie->opie_principal, sizeof(principal)); do { if ((opie->opie_recstart = ftell(f)) < 0) Modified: releng/7.2/lib/libc/sys/mount.2 ============================================================================== --- releng/7.2/lib/libc/sys/mount.2 Thu May 27 01:27:25 2010 (r208585) +++ releng/7.2/lib/libc/sys/mount.2 Thu May 27 03:15:04 2010 (r208586) @@ -107,7 +107,7 @@ This restriction can be removed by setti .Va vfs.usermount .Xr sysctl 8 variable -to a non-zero value. +to a non-zero value; see the BUGS section for more information. .Pp The following .Fa flags @@ -370,3 +370,10 @@ functions appeared in .At v6 . .Sh BUGS Some of the error codes need translation to more obvious messages. +.Pp +Allowing untrusted users to mount arbitrary media, e.g. by enabling +.Va vfs.usermount , +should not be considered safe. +Most file systems in +.Fx +were not built to safeguard against malicious devices. Modified: releng/7.2/sys/conf/newvers.sh ============================================================================== --- releng/7.2/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585) +++ releng/7.2/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.2" -BRANCH="RELEASE-p7" +BRANCH="RELEASE-p8" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.2/sys/nfsclient/nfs_vfsops.c ============================================================================== --- releng/7.2/sys/nfsclient/nfs_vfsops.c Thu May 27 01:27:25 2010 (r208585) +++ releng/7.2/sys/nfsclient/nfs_vfsops.c Thu May 27 03:15:04 2010 (r208586) @@ -1002,6 +1002,11 @@ nfs_mount(struct mount *mp, struct threa nfs_decode_args(mp, nmp, &args, NULL); goto out; } + if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) { + vfs_mount_error(mp, "Bad file handle"); + error = EINVAL; + goto out; + } /* * Make the nfs_ip_paranoia sysctl serve as the default connection Modified: releng/7.3/UPDATING ============================================================================== --- releng/7.3/UPDATING Thu May 27 01:27:25 2010 (r208585) +++ releng/7.3/UPDATING Thu May 27 03:15:04 2010 (r208586) @@ -8,6 +8,11 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20100526: p1 FreeBSD-SA-10:05.opie, FreeBSD-SA-10:06.nfsclient + Fix a one-NUL-byte buffer overflow in libopie. [10:05] + + Correctly sanity-check a buffer length in nfs mount. [10:06] + 20100323: FreeBSD 7.3-RELEASE Modified: releng/7.3/contrib/opie/libopie/readrec.c ============================================================================== --- releng/7.3/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585) +++ releng/7.3/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586) @@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc if (c = strchr(opie->opie_principal, ':')) *c = 0; - if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX) - (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; - strcpy(principal, opie->opie_principal); + strlcpy(principal, opie->opie_principal, sizeof(principal)); do { if ((opie->opie_recstart = ftell(f)) < 0) Modified: releng/7.3/lib/libc/sys/mount.2 ============================================================================== --- releng/7.3/lib/libc/sys/mount.2 Thu May 27 01:27:25 2010 (r208585) +++ releng/7.3/lib/libc/sys/mount.2 Thu May 27 03:15:04 2010 (r208586) @@ -107,7 +107,7 @@ This restriction can be removed by setti .Va vfs.usermount .Xr sysctl 8 variable -to a non-zero value. +to a non-zero value; see the BUGS section for more information. .Pp The following .Fa flags @@ -370,3 +370,10 @@ functions appeared in .At v6 . .Sh BUGS Some of the error codes need translation to more obvious messages. +.Pp +Allowing untrusted users to mount arbitrary media, e.g. by enabling +.Va vfs.usermount , +should not be considered safe. +Most file systems in +.Fx +were not built to safeguard against malicious devices. Modified: releng/7.3/sys/conf/newvers.sh ============================================================================== --- releng/7.3/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585) +++ releng/7.3/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.3" -BRANCH="RELEASE" +BRANCH="RELEASE-p1" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.3/sys/nfsclient/nfs_vfsops.c ============================================================================== --- releng/7.3/sys/nfsclient/nfs_vfsops.c Thu May 27 01:27:25 2010 (r208585) +++ releng/7.3/sys/nfsclient/nfs_vfsops.c Thu May 27 03:15:04 2010 (r208586) @@ -1002,6 +1002,11 @@ nfs_mount(struct mount *mp, struct threa nfs_decode_args(mp, nmp, &args, NULL); goto out; } + if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) { + vfs_mount_error(mp, "Bad file handle"); + error = EINVAL; + goto out; + } /* * Make the nfs_ip_paranoia sysctl serve as the default connection Modified: releng/8.0/UPDATING ============================================================================== --- releng/8.0/UPDATING Thu May 27 01:27:25 2010 (r208585) +++ releng/8.0/UPDATING Thu May 27 03:15:04 2010 (r208586) @@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20100526: p3 FreeBSD-SA-10:04.jail, FreeBSD-SA-10:05.opie, + FreeBSD-SA-10:06.nfsclient + Change the current working directory to be inside the jail created by + the jail(8) command. [10:04] + + Fix a one-NUL-byte buffer overflow in libopie. [10:05] + + Correctly sanity-check a buffer length in nfs mount. [10:06] + 20100106: p2 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd, FreeBSD-SA-10:03.zfs, FreeBSD-EN-10:01.freebsd Fix BIND named(8) cache poisoning with DNSSEC validation. Modified: releng/8.0/contrib/opie/libopie/readrec.c ============================================================================== --- releng/8.0/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585) +++ releng/8.0/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586) @@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc if (c = strchr(opie->opie_principal, ':')) *c = 0; - if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX) - (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; - strcpy(principal, opie->opie_principal); + strlcpy(principal, opie->opie_principal, sizeof(principal)); do { if ((opie->opie_recstart = ftell(f)) < 0) Modified: releng/8.0/lib/libc/sys/mount.2 ============================================================================== --- releng/8.0/lib/libc/sys/mount.2 Thu May 27 01:27:25 2010 (r208585) +++ releng/8.0/lib/libc/sys/mount.2 Thu May 27 03:15:04 2010 (r208586) @@ -107,7 +107,7 @@ This restriction can be removed by setti .Va vfs.usermount .Xr sysctl 8 variable -to a non-zero value. +to a non-zero value; see the BUGS section for more information. .Pp The following .Fa flags @@ -370,3 +370,10 @@ functions appeared in .At v6 . .Sh BUGS Some of the error codes need translation to more obvious messages. +.Pp +Allowing untrusted users to mount arbitrary media, e.g. by enabling +.Va vfs.usermount , +should not be considered safe. +Most file systems in +.Fx +were not built to safeguard against malicious devices. Modified: releng/8.0/sys/conf/newvers.sh ============================================================================== --- releng/8.0/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585) +++ releng/8.0/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.0" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.0/sys/nfsclient/nfs_vfsops.c ============================================================================== --- releng/8.0/sys/nfsclient/nfs_vfsops.c Thu May 27 01:27:25 2010 (r208585) +++ releng/8.0/sys/nfsclient/nfs_vfsops.c Thu May 27 03:15:04 2010 (r208586) @@ -1054,6 +1054,11 @@ nfs_mount(struct mount *mp) error = EINVAL; goto out; } + if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) { + vfs_mount_error(mp, "Bad file handle"); + error = EINVAL; + goto out; + } if (mp->mnt_flag & MNT_UPDATE) { struct nfsmount *nmp = VFSTONFS(mp); Modified: releng/8.0/usr.sbin/jail/jail.c ============================================================================== --- releng/8.0/usr.sbin/jail/jail.c Thu May 27 01:27:25 2010 (r208585) +++ releng/8.0/usr.sbin/jail/jail.c Thu May 27 03:15:04 2010 (r208586) @@ -511,6 +511,10 @@ set_param(const char *name, char *value) *value++ = '\0'; } + /* jail_set won't chdir along with its chroot, so do it here. */ + if (!strcmp(name, "path") && chdir(value) < 0) + err(1, "chdir: %s", value); + /* Check for repeat parameters */ for (i = 0; i < nparams; i++) if (!strcmp(name, params[i].jp_name)) {