From owner-svn-src-all@FreeBSD.ORG Wed Jun 10 10:31:15 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C76FB106564A; Wed, 10 Jun 2009 10:31:13 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id AECE88FC20; Wed, 10 Jun 2009 10:31:13 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n5AAVDNO010158; Wed, 10 Jun 2009 10:31:13 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n5AAVDU5010155; Wed, 10 Jun 2009 10:31:13 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <200906101031.n5AAVDU5010155@svn.freebsd.org> From: Colin Percival Date: Wed, 10 Jun 2009 10:31:13 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r193893 - head/contrib/ntp/ntpd head/sys/kern head/sys/netinet6 releng/6.3 releng/6.3/contrib/ntp/ntpd releng/6.3/sys/conf releng/6.3/sys/kern releng/6.3/sys/netinet6 releng/6.4 releng/... X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jun 2009 10:31:15 -0000 Author: cperciva Date: Wed Jun 10 10:31:11 2009 New Revision: 193893 URL: http://svn.freebsd.org/changeset/base/193893 Log: Prevent integer overflow in direct pipe write code from circumventing virtual-to-physical page lookups. [09:09] Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10] Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11] Approved by: so (cperciva) Approved by: re (not really, but SVN wants this...) Security: FreeBSD-SA-09:09.pipe Security: FreeBSD-SA-09:10.ipv6 Security: FreeBSD-SA-09:11.ntpd Modified: stable/6/contrib/ntp/ntpd/ntp_crypto.c stable/6/sys/kern/sys_pipe.c stable/6/sys/netinet6/in6.c Changes in other areas also in this revision: Modified: head/contrib/ntp/ntpd/ntp_crypto.c head/sys/kern/sys_pipe.c head/sys/netinet6/in6.c releng/6.3/UPDATING releng/6.3/contrib/ntp/ntpd/ntp_crypto.c releng/6.3/sys/conf/newvers.sh releng/6.3/sys/kern/sys_pipe.c releng/6.3/sys/netinet6/in6.c releng/6.4/UPDATING releng/6.4/contrib/ntp/ntpd/ntp_crypto.c releng/6.4/sys/conf/newvers.sh releng/6.4/sys/kern/sys_pipe.c releng/6.4/sys/netinet6/in6.c releng/7.1/UPDATING releng/7.1/contrib/ntp/ntpd/ntp_crypto.c releng/7.1/sys/conf/newvers.sh releng/7.1/sys/kern/sys_pipe.c releng/7.1/sys/netinet6/in6.c releng/7.2/UPDATING releng/7.2/contrib/ntp/ntpd/ntp_crypto.c releng/7.2/sys/conf/newvers.sh releng/7.2/sys/kern/sys_pipe.c releng/7.2/sys/netinet6/in6.c stable/7/contrib/ntp/ntpd/ntp_crypto.c stable/7/sys/kern/sys_pipe.c stable/7/sys/netinet6/in6.c Modified: stable/6/contrib/ntp/ntpd/ntp_crypto.c ============================================================================== --- stable/6/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 09:28:50 2009 (r193892) +++ stable/6/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 10:31:11 2009 (r193893) @@ -570,7 +570,7 @@ crypto_recv( peer->issuer = emalloc(vallen + 1); strcpy(peer->issuer, peer->subject); temp32 = (fstamp >> 16) & 0xffff; - sprintf(statstr, + snprintf(statstr, NTP_MAXSTRLEN, "flags 0x%x host %s signature %s", fstamp, peer->subject, OBJ_nid2ln(temp32)); record_crypto_stats(&peer->srcadr, statstr); @@ -636,7 +636,8 @@ crypto_recv( } peer->flash &= ~TEST8; temp32 = cinfo->nid; - sprintf(statstr, "cert %s 0x%x %s (%u) fs %u", + snprintf(statstr, NTP_MAXSTRLEN, + "cert %s 0x%x %s (%u) fs %u", cinfo->subject, cinfo->flags, OBJ_nid2ln(temp32), temp32, ntohl(ep->fstamp)); @@ -685,7 +686,7 @@ crypto_recv( peer->crypto |= CRYPTO_FLAG_VRFY | CRYPTO_FLAG_PROV; peer->flash &= ~TEST8; - sprintf(statstr, "iff fs %u", + snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u", ntohl(ep->fstamp)); record_crypto_stats(&peer->srcadr, statstr); #ifdef DEBUG @@ -733,7 +734,7 @@ crypto_recv( peer->crypto |= CRYPTO_FLAG_VRFY | CRYPTO_FLAG_PROV; peer->flash &= ~TEST8; - sprintf(statstr, "gq fs %u", + snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u", ntohl(ep->fstamp)); record_crypto_stats(&peer->srcadr, statstr); #ifdef DEBUG @@ -774,7 +775,7 @@ crypto_recv( peer->crypto |= CRYPTO_FLAG_VRFY | CRYPTO_FLAG_PROV; peer->flash &= ~TEST8; - sprintf(statstr, "mv fs %u", + snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u", ntohl(ep->fstamp)); record_crypto_stats(&peer->srcadr, statstr); #ifdef DEBUG @@ -828,7 +829,7 @@ crypto_recv( peer->crypto &= ~CRYPTO_FLAG_AUTO; peer->crypto |= CRYPTO_FLAG_AGREE; peer->flash &= ~TEST8; - sprintf(statstr, "cook %x ts %u fs %u", + snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u", peer->pcookie, ntohl(ep->tstamp), ntohl(ep->fstamp)); record_crypto_stats(&peer->srcadr, statstr); @@ -893,7 +894,7 @@ crypto_recv( peer->crypto &= ~CRYPTO_FLAG_AUTO; peer->crypto |= CRYPTO_FLAG_AGREE; peer->flash &= ~TEST8; - sprintf(statstr, "cook %x ts %u fs %u", + snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u", peer->pcookie, ntohl(ep->tstamp), ntohl(ep->fstamp)); record_crypto_stats(&peer->srcadr, statstr); @@ -944,7 +945,7 @@ crypto_recv( peer->pkeyid = bp->key; peer->crypto |= CRYPTO_FLAG_AUTO; peer->flash &= ~TEST8; - sprintf(statstr, + snprintf(statstr, NTP_MAXSTRLEN, "auto seq %d key %x ts %u fs %u", bp->seq, bp->key, ntohl(ep->tstamp), ntohl(ep->fstamp)); @@ -987,7 +988,8 @@ crypto_recv( peer->crypto |= CRYPTO_FLAG_SIGN; peer->flash &= ~TEST8; temp32 = cinfo->nid; - sprintf(statstr, "sign %s 0x%x %s (%u) fs %u", + snprintf(statstr, NTP_MAXSTRLEN, + "sign %s 0x%x %s (%u) fs %u", cinfo->issuer, cinfo->flags, OBJ_nid2ln(temp32), temp32, ntohl(ep->fstamp)); @@ -1071,7 +1073,8 @@ crypto_recv( crypto_flags |= CRYPTO_FLAG_TAI; peer->crypto |= CRYPTO_FLAG_LEAP; peer->flash &= ~TEST8; - sprintf(statstr, "leap %u ts %u fs %u", vallen, + snprintf(statstr, NTP_MAXSTRLEN, + "leap %u ts %u fs %u", vallen, ntohl(ep->tstamp), ntohl(ep->fstamp)); record_crypto_stats(&peer->srcadr, statstr); #ifdef DEBUG @@ -1127,7 +1130,7 @@ crypto_recv( * cheerfully ignored, as the message is not sent. */ if (rval > XEVNT_TSP) { - sprintf(statstr, + snprintf(statstr, NTP_MAXSTRLEN, "error %x opcode %x ts %u fs %u", rval, code, tstamp, fstamp); record_crypto_stats(&peer->srcadr, statstr); @@ -1453,7 +1456,8 @@ crypto_xmit( */ if (rval != XEVNT_OK) { opcode |= CRYPTO_ERROR; - sprintf(statstr, "error %x opcode %x", rval, opcode); + snprintf(statstr, NTP_MAXSTRLEN, + "error %x opcode %x", rval, opcode); record_crypto_stats(srcadr_sin, statstr); report_event(rval, NULL); #ifdef DEBUG @@ -1952,7 +1956,8 @@ crypto_update(void) if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey)) tai_leap.siglen = htonl(len); } - sprintf(statstr, "update ts %u", ntohl(hostval.tstamp)); + snprintf(statstr, NTP_MAXSTRLEN, + "update ts %u", ntohl(hostval.tstamp)); record_crypto_stats(NULL, statstr); #ifdef DEBUG if (debug) @@ -3606,7 +3611,7 @@ crypto_key( */ if ((ptr = strrchr(linkname, '\n')) != NULL) *ptr = '\0'; - sprintf(statstr, "%s mod %d", &linkname[2], + snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2], EVP_PKEY_size(pkey) * 8); record_crypto_stats(NULL, statstr); #ifdef DEBUG @@ -3715,8 +3720,8 @@ crypto_cert( if ((ptr = strrchr(linkname, '\n')) != NULL) *ptr = '\0'; - sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags, - len); + snprintf(statstr, NTP_MAXSTRLEN, + "%s 0x%x len %lu", &linkname[2], ret->flags, len); record_crypto_stats(NULL, statstr); #ifdef DEBUG if (debug) @@ -3832,7 +3837,7 @@ crypto_tai( for (j = 0; j < i; j++) *ptr++ = htonl(leapsec[j]); crypto_flags |= CRYPTO_FLAG_TAI; - sprintf(statstr, "%s fs %u leap %u len %u", cp, fstamp, + snprintf(statstr, NTP_MAXSTRLEN, "%s fs %u leap %u len %u", cp, fstamp, leapsec[--j], len); record_crypto_stats(NULL, statstr); #ifdef DEBUG Modified: stable/6/sys/kern/sys_pipe.c ============================================================================== --- stable/6/sys/kern/sys_pipe.c Wed Jun 10 09:28:50 2009 (r193892) +++ stable/6/sys/kern/sys_pipe.c Wed Jun 10 10:31:11 2009 (r193893) @@ -774,6 +774,8 @@ pipe_build_write_buffer(wpipe, uio) pmap = vmspace_pmap(curproc->p_vmspace); endaddr = round_page((vm_offset_t)uio->uio_iov->iov_base + size); addr = trunc_page((vm_offset_t)uio->uio_iov->iov_base); + if (endaddr < addr) + return (EFAULT); for (i = 0; addr < endaddr; addr += PAGE_SIZE, i++) { /* * vm_fault_quick() can sleep. Consequently, Modified: stable/6/sys/netinet6/in6.c ============================================================================== --- stable/6/sys/netinet6/in6.c Wed Jun 10 09:28:50 2009 (r193892) +++ stable/6/sys/netinet6/in6.c Wed Jun 10 10:31:11 2009 (r193893) @@ -359,12 +359,12 @@ in6_control(so, cmd, data, ifp, td) case SIOCSRTRFLUSH_IN6: case SIOCSDEFIFACE_IN6: case SIOCSIFINFO_FLAGS: + case SIOCSIFINFO_IN6: if (!privileged) return (EPERM); /* FALLTHROUGH */ case OSIOCGIFINFO_IN6: case SIOCGIFINFO_IN6: - case SIOCSIFINFO_IN6: case SIOCGDRLST_IN6: case SIOCGPRLST_IN6: case SIOCGNBRINFO_IN6: