From owner-svn-src-all@FreeBSD.ORG Tue Nov 4 23:30:24 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 85EFDF70; Tue, 4 Nov 2014 23:30:24 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6861D120; Tue, 4 Nov 2014 23:30:24 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4NUO3d074844; Tue, 4 Nov 2014 23:30:24 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4NUNTw074841; Tue, 4 Nov 2014 23:30:23 GMT (envelope-from des@FreeBSD.org) Message-Id: <201411042330.sA4NUNTw074841@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org using -f From: Dag-Erling Smørgrav Date: Tue, 4 Nov 2014 23:30:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r274108 - in stable/8: contrib/lukemftp/src sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/kern X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Nov 2014 23:30:24 -0000 Author: des Date: Tue Nov 4 23:30:23 2014 New Revision: 274108 URL: https://svnweb.freebsd.org/changeset/base/274108 Log: [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2). [SA-14:26] Fix remote command execution in ftp(1). [EN-14:12] Fix NFSv4 and ZFS cache consistency issue. Approved by: so (des) Modified: stable/8/contrib/lukemftp/src/fetch.c stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c stable/8/sys/kern/kern_prot.c Modified: stable/8/contrib/lukemftp/src/fetch.c ============================================================================== --- stable/8/contrib/lukemftp/src/fetch.c Tue Nov 4 23:29:57 2014 (r274107) +++ stable/8/contrib/lukemftp/src/fetch.c Tue Nov 4 23:30:23 2014 (r274108) @@ -540,7 +540,7 @@ fetch_url(const char *url, const char *p url_decode(decodedpath); if (outfile) - savefile = xstrdup(outfile); + savefile = outfile; else { cp = strrchr(decodedpath, '/'); /* find savefile */ if (cp != NULL) @@ -566,8 +566,7 @@ fetch_url(const char *url, const char *p rangestart = rangeend = entitylen = -1; mtime = -1; if (restartautofetch) { - if (strcmp(savefile, "-") != 0 && *savefile != '|' && - stat(savefile, &sb) == 0) + if (stat(savefile, &sb) == 0) restart_point = sb.st_size; } if (urltype == FILE_URL_T) { /* file:// URLs */ @@ -1085,17 +1084,25 @@ fetch_url(const char *url, const char *p } /* end of ftp:// or http:// specific setup */ /* Open the output file. */ - if (strcmp(savefile, "-") == 0) { - fout = stdout; - } else if (*savefile == '|') { - oldintp = xsignal(SIGPIPE, SIG_IGN); - fout = popen(savefile + 1, "w"); - if (fout == NULL) { - warn("Can't run `%s'", savefile + 1); - goto cleanup_fetch_url; + + /* + * Only trust filenames with special meaning if they came from + * the command line + */ + if (outfile == savefile) { + if (strcmp(savefile, "-") == 0) { + fout = stdout; + } else if (*savefile == '|') { + oldintp = xsignal(SIGPIPE, SIG_IGN); + fout = popen(savefile + 1, "w"); + if (fout == NULL) { + warn("Can't execute `%s'", savefile + 1); + goto cleanup_fetch_url; + } + closefunc = pclose; } - closefunc = pclose; - } else { + } + if (fout == NULL) { if ((rangeend != -1 && rangeend <= restart_point) || (rangestart == -1 && filesize != -1 && filesize <= restart_point)) { /* already done */ @@ -1278,7 +1285,8 @@ fetch_url(const char *url, const char *p (*closefunc)(fout); if (res0) freeaddrinfo(res0); - FREEPTR(savefile); + if (savefile != outfile) + FREEPTR(savefile); FREEPTR(user); FREEPTR(pass); FREEPTR(host); Modified: stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c ============================================================================== --- stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c Tue Nov 4 23:29:57 2014 (r274107) +++ stable/8/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c Tue Nov 4 23:30:23 2014 (r274108) @@ -2836,6 +2836,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, i #endif vap->va_seq = zp->z_seq; vap->va_flags = 0; /* FreeBSD: Reset chflags(2) flags. */ + vap->va_filerev = zp->z_seq; /* * Add in any requested optional attributes and the create time. Modified: stable/8/sys/kern/kern_prot.c ============================================================================== --- stable/8/sys/kern/kern_prot.c Tue Nov 4 23:29:57 2014 (r274107) +++ stable/8/sys/kern/kern_prot.c Tue Nov 4 23:30:23 2014 (r274108) @@ -2054,21 +2054,20 @@ struct getlogin_args { int getlogin(struct thread *td, struct getlogin_args *uap) { - int error; char login[MAXLOGNAME]; struct proc *p = td->td_proc; + size_t len; if (uap->namelen > MAXLOGNAME) uap->namelen = MAXLOGNAME; PROC_LOCK(p); SESS_LOCK(p->p_session); - bcopy(p->p_session->s_login, login, uap->namelen); + len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; SESS_UNLOCK(p->p_session); PROC_UNLOCK(p); - if (strlen(login) + 1 > uap->namelen) + if (len > uap->namelen) return (ERANGE); - error = copyout(login, uap->namebuf, uap->namelen); - return (error); + return (copyout(login, uap->namebuf, len)); } /* @@ -2087,21 +2086,23 @@ setlogin(struct thread *td, struct setlo int error; char logintmp[MAXLOGNAME]; + CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); + error = priv_check(td, PRIV_PROC_SETLOGIN); if (error) return (error); error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); - if (error == ENAMETOOLONG) - error = EINVAL; - else if (!error) { - PROC_LOCK(p); - SESS_LOCK(p->p_session); - (void) memcpy(p->p_session->s_login, logintmp, - sizeof(logintmp)); - SESS_UNLOCK(p->p_session); - PROC_UNLOCK(p); + if (error != 0) { + if (error == ENAMETOOLONG) + error = EINVAL; + return (error); } - return (error); + PROC_LOCK(p); + SESS_LOCK(p->p_session); + strcpy(p->p_session->s_login, logintmp); + SESS_UNLOCK(p->p_session); + PROC_UNLOCK(p); + return (0); } void