Date:      Tue, 17 May 2016 15:59:26 -0700
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   Re: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
Message-ID:  <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org>
In-Reply-To: <201605172228.u4HMSbhj012124@repo.freebsd.org>
References:  <201605172228.u4HMSbhj012124@repo.freebsd.org>

On 5/17/2016 3:28 PM, Gleb Smirnoff wrote:
> Author: glebius
> Date: Tue May 17 22:28:36 2016
> New Revision: 300088
> URL: https://svnweb.freebsd.org/changeset/base/300088
>
> Log:
>   - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
>   - Validate that user supplied control message length in sendmsg(2)
>     is not negative.

The sendmsg(2) change is not included here (9.3) nor in the advisory but
is in the commit log.  Was it intended to be changed in 9.3?

Plus the only consumer I see is sendit() which seems to be protected
already from negative values when not using COMPAT_43:

>                  if (mp->msg_controllen < sizeof(struct cmsghdr)
>  #ifdef COMPAT_OLDSOCK
>                      && mp->msg_flags != MSG_COMPAT
>  #endif
>                  ) {
>                          error = EINVAL;
>                          goto bad;
>                  }
>                  error = sockargs(&control, mp->msg_control,
>                      mp->msg_controllen, MT_CONTROL);

...

>
>   Security:	SA-16:18
>   Security:	CVE-2016-1886
>   Security:	SA-16:19
>   Security:	CVE-2016-1887
>   Submitted by:	C Turt <cturt hardenedbsd.org>
>   Approved by:	so
>
> Modified:
>   releng/9.3/UPDATING
>   releng/9.3/sys/conf/newvers.sh
>   releng/9.3/sys/dev/kbd/kbd.c
>
> Modified: releng/9.3/UPDATING
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- releng/9.3/UPDATING	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/UPDATING	Tue May 17 22:28:36 2016	(r300088)
> @@ -11,6 +11,10 @@ handbook:
>  Items affecting the ports and packages system can be found in
>  /usr/ports/UPDATING.  Please read that file before running portupgrade=
=2E
> =20
> +20160517	p42	FreeBSD-SA-16:18.atkbd
> +
> +	Fix buffer overflow in keyboard driver. [SA-16:18]
> +
>  20160504	p41	FreeBSD-SA-16:17.openssl
>  			FreeBSD-EN-16:08.zfs
> =20
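
Review bot: the new 20160517 p42 entry names only FreeBSD-SA-16:18.atkbd, while the commit log above also cites SA-16:19 and CVE-2016-1887 and describes a sendmsg(2) length check that no file in the Modified list carries. Either trim the log to what this revision changes, or add the SA-16:19 line to this entry together with the corresponding code change, so UPDATING and the log agree on what p42 fixes.
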
>
> Modified: releng/9.3/sys/conf/newvers.sh
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- releng/9.3/sys/conf/newvers.sh	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/sys/conf/newvers.sh	Tue May 17 22:28:36 2016	(r300088)
> @@ -32,7 +32,7 @@
> =20
>  TYPE=3D"FreeBSD"
>  REVISION=3D"9.3"
> -BRANCH=3D"RELEASE-p41"
> +BRANCH=3D"RELEASE-p42"
>  if [ "X${BRANCH_OVERRIDE}" !=3D "X" ]; then
>  	BRANCH=3D${BRANCH_OVERRIDE}
>  fi
>
> Modified: releng/9.3/sys/dev/kbd/kbd.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- releng/9.3/sys/dev/kbd/kbd.c	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/sys/dev/kbd/kbd.c	Tue May 17 22:28:36 2016	(r300088)
> @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo
>  			splx(s);
>  			return (error);
>  		}
> -		kbd->kb_fkeytab[fkeyp->keynum].len =3D imin(fkeyp->flen, MAXFK);
> +		kbd->kb_fkeytab[fkeyp->keynum].len =3D min(fkeyp->flen, MAXFK);
>  		bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
>  		    kbd->kb_fkeytab[fkeyp->keynum].len);
>  		break;
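
Review bot: at the `.len` assignment, moving from imin() to min() means a negative fkeyp->flen is converted to a large unsigned value and clamped to MAXFK, so the request is accepted and a full MAXFK-byte bcopy() runs instead of the call failing. Consider checking fkeyp->flen explicitly before the assignment and returning an error for out-of-range values; at minimum, add a comment that the unsigned min() is deliberate so a later cleanup does not switch it back to imin().
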
>


-- 
Regards,
Bryan Drewery
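
The signed-versus-unsigned clamp that the kbd.c change turns on, as an added example that is not part of the original message or of the FreeBSD source. The helper shapes, the `MAXFK` value and the `signed char` length type are assumptions made for this sketch; no copy is performed on the pre-fix path, only the length is computed.

```c
#include <stdio.h>
#include <string.h>

#define MAXFK 16   /* assumed table entry size for this sketch */

/* Stand-ins for the two kernel helpers named in the diff (assumed shapes). */
static int imin(int a, int b) { return a < b ? a : b; }
static unsigned int min_u(unsigned int a, unsigned int b) { return a < b ? a : b; }

/* Pre-fix clamp: a negative length is "smaller" than MAXFK and passes through. */
static int old_len(signed char flen) { return imin(flen, MAXFK); }

/* Post-fix clamp: a negative length converts to a huge unsigned value
 * and is capped at MAXFK. */
static unsigned int fixed_len(signed char flen) {
    return min_u((unsigned int)flen, MAXFK);
}

/* Stricter variant: refuse out-of-range lengths. Returns -1 on error. */
static int strict_len(signed char flen) {
    return (flen < 0 || flen > MAXFK) ? -1 : flen;
}

/* What a size_t copy length becomes when handed the signed result. */
static size_t as_copy_len(int len) { return (size_t)len; }

/* Bounded store using the post-fix clamp; returns the bytes copied. */
static size_t store_fkey(char dst[MAXFK], const char src[MAXFK], signed char flen) {
    size_t n = fixed_len(flen);
    memcpy(dst, src, n);          /* n <= MAXFK by construction */
    return n;
}

int main(void) {
    const signed char samples[] = { 5, 16, 100, -1 };   /* constructed inputs */
    char src[MAXFK] = "F1-macro", dst[MAXFK];

    for (size_t i = 0; i < sizeof(samples); i++) {
        signed char f = samples[i];
        printf("flen=%4d old=%4d (copy len %zu) fixed=%2u strict=%2d stored=%zu\n",
               f, old_len(f), as_copy_len(old_len(f)), fixed_len(f),
               strict_len(f), store_fkey(dst, src, f));
    }
    return 0;
}
```

For `flen = -1` the pre-fix length converts to the largest `size_t` value, while the post-fix length is `MAXFK`; the strict variant shows the alternative of failing the request.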

