From owner-svn-src-all@FreeBSD.ORG Tue Nov 4 23:34:47 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9243AB57; Tue, 4 Nov 2014 23:34:47 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 737A8205; Tue, 4 Nov 2014 23:34:47 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4NYlgA079316; Tue, 4 Nov 2014 23:34:47 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4NYkev079313; Tue, 4 Nov 2014 23:34:46 GMT (envelope-from des@FreeBSD.org) Message-Id: <201411042334.sA4NYkev079313@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org using -f From: Dag-Erling Smørgrav Date: Tue, 4 Nov 2014 23:34:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r274115 - in releng/10.1: contrib/tnftp/src sys/conf sys/kern X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Nov 2014 23:34:47 -0000 Author: des Date: Tue Nov 4 23:34:46 2014 New Revision: 274115 URL: https://svnweb.freebsd.org/changeset/base/274115 Log: [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2). [SA-14:26] Fix remote command execution in ftp(1). Approved by: re (gjb) Modified: releng/10.1/contrib/tnftp/src/fetch.c releng/10.1/sys/conf/newvers.sh releng/10.1/sys/kern/kern_prot.c Modified: releng/10.1/contrib/tnftp/src/fetch.c ============================================================================== --- releng/10.1/contrib/tnftp/src/fetch.c Tue Nov 4 23:33:46 2014 (r274114) +++ releng/10.1/contrib/tnftp/src/fetch.c Tue Nov 4 23:34:46 2014 (r274115) @@ -547,7 +547,7 @@ fetch_url(const char *url, const char *p url_decode(decodedpath); if (outfile) - savefile = ftp_strdup(outfile); + savefile = outfile; else { cp = strrchr(decodedpath, '/'); /* find savefile */ if (cp != NULL) @@ -571,8 +571,7 @@ fetch_url(const char *url, const char *p rangestart = rangeend = entitylen = -1; mtime = -1; if (restartautofetch) { - if (strcmp(savefile, "-") != 0 && *savefile != '|' && - stat(savefile, &sb) == 0) + if (stat(savefile, &sb) == 0) restart_point = sb.st_size; } if (urltype == FILE_URL_T) { /* file:// URLs */ @@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *p } /* end of ftp:// or http:// specific setup */ /* Open the output file. */ - if (strcmp(savefile, "-") == 0) { - fout = stdout; - } else if (*savefile == '|') { - oldintp = xsignal(SIGPIPE, SIG_IGN); - fout = popen(savefile + 1, "w"); - if (fout == NULL) { - warn("Can't execute `%s'", savefile + 1); - goto cleanup_fetch_url; + + /* + * Only trust filenames with special meaning if they came from + * the command line + */ + if (outfile == savefile) { + if (strcmp(savefile, "-") == 0) { + fout = stdout; + } else if (*savefile == '|') { + oldintp = xsignal(SIGPIPE, SIG_IGN); + fout = popen(savefile + 1, "w"); + if (fout == NULL) { + warn("Can't execute `%s'", savefile + 1); + goto cleanup_fetch_url; + } + closefunc = pclose; } - closefunc = pclose; - } else { + } + if (fout == NULL) { if ((rangeend != -1 && rangeend <= restart_point) || (rangestart == -1 && filesize != -1 && filesize <= restart_point)) { /* already done */ @@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *p (*closefunc)(fout); if (res0) freeaddrinfo(res0); - FREEPTR(savefile); + if (savefile != outfile) + FREEPTR(savefile); FREEPTR(uuser); if (pass != NULL) memset(pass, 0, strlen(pass)); Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Tue Nov 4 23:33:46 2014 (r274114) +++ releng/10.1/sys/conf/newvers.sh Tue Nov 4 23:34:46 2014 (r274115) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RC4" +BRANCH="RC4-p1" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.1/sys/kern/kern_prot.c ============================================================================== --- releng/10.1/sys/kern/kern_prot.c Tue Nov 4 23:33:46 2014 (r274114) +++ releng/10.1/sys/kern/kern_prot.c Tue Nov 4 23:34:46 2014 (r274115) @@ -2073,21 +2073,20 @@ struct getlogin_args { int sys_getlogin(struct thread *td, struct getlogin_args *uap) { - int error; char login[MAXLOGNAME]; struct proc *p = td->td_proc; + size_t len; if (uap->namelen > MAXLOGNAME) uap->namelen = MAXLOGNAME; PROC_LOCK(p); SESS_LOCK(p->p_session); - bcopy(p->p_session->s_login, login, uap->namelen); + len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; SESS_UNLOCK(p->p_session); PROC_UNLOCK(p); - if (strlen(login) + 1 > uap->namelen) + if (len > uap->namelen) return (ERANGE); - error = copyout(login, uap->namebuf, uap->namelen); - return (error); + return (copyout(login, uap->namebuf, len)); } /* @@ -2106,21 +2105,23 @@ sys_setlogin(struct thread *td, struct s int error; char logintmp[MAXLOGNAME]; + CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); + error = priv_check(td, PRIV_PROC_SETLOGIN); if (error) return (error); error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); - if (error == ENAMETOOLONG) - error = EINVAL; - else if (!error) { - PROC_LOCK(p); - SESS_LOCK(p->p_session); - (void) memcpy(p->p_session->s_login, logintmp, - sizeof(logintmp)); - SESS_UNLOCK(p->p_session); - PROC_UNLOCK(p); + if (error != 0) { + if (error == ENAMETOOLONG) + error = EINVAL; + return (error); } - return (error); + PROC_LOCK(p); + SESS_LOCK(p->p_session); + strcpy(p->p_session->s_login, logintmp); + SESS_UNLOCK(p->p_session); + PROC_UNLOCK(p); + return (0); } void