From owner-svn-src-all@freebsd.org  Tue May 17 22:59:36 2016
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2C3C6B40A5D;
 Tue, 17 May 2016 22:59:36 +0000 (UTC)
 (envelope-from bdrewery@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id 1523412AB;
 Tue, 17 May 2016 22:59:36 +0000 (UTC)
 (envelope-from bdrewery@FreeBSD.org)
Received: from mail.xzibition.com (localhost [IPv6:::1])
 by freefall.freebsd.org (Postfix) with ESMTP id 09AF7110D;
 Tue, 17 May 2016 22:59:36 +0000 (UTC)
 (envelope-from bdrewery@FreeBSD.org)
Received: from mail.xzibition.com (localhost [172.31.3.2])
 by mail.xzibition.com (Postfix) with ESMTP id 74A9C1F6B7;
 Tue, 17 May 2016 22:59:35 +0000 (UTC)
X-Virus-Scanned: amavisd-new at mail.xzibition.com
Received: from mail.xzibition.com ([172.31.3.2])
 by mail.xzibition.com (mail.xzibition.com [172.31.3.2]) (amavisd-new,
 port 10026)
 with LMTP id 96tPMSVjH4B7; Tue, 17 May 2016 22:59:31 +0000 (UTC)
Subject: Re: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
DKIM-Filter: OpenDKIM Filter v2.9.2 mail.xzibition.com 56C131F6B2
To: Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@freebsd.org,
 svn-src-all@freebsd.org, svn-src-releng@freebsd.org
References: <201605172228.u4HMSbhj012124@repo.freebsd.org>
From: Bryan Drewery <bdrewery@FreeBSD.org>
Openpgp: id=F9173CB2C3AAEA7A5C8A1F0935D771BB6E4697CF;
 url=http://www.shatow.net/bryan/bryan2.asc
Organization: FreeBSD
Message-ID: <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org>
Date: Tue, 17 May 2016 15:59:26 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.1.0
MIME-Version: 1.0
In-Reply-To: <201605172228.u4HMSbhj012124@repo.freebsd.org>
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="m7UKHXsceuXi7S98v6DVM4uNkrt2tvGKh"
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2016 22:59:36 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--m7UKHXsceuXi7S98v6DVM4uNkrt2tvGKh
Content-Type: multipart/mixed; boundary="FAh4wcOMKj9HEW9bGlHNReFxxFPvquB39"
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@freebsd.org,
 svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Message-ID: <14a8d29d-bc14-3f96-57a4-81f1b6dfdd82@FreeBSD.org>
Subject: Re: svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
References: <201605172228.u4HMSbhj012124@repo.freebsd.org>
In-Reply-To: <201605172228.u4HMSbhj012124@repo.freebsd.org>

--FAh4wcOMKj9HEW9bGlHNReFxxFPvquB39
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 5/17/2016 3:28 PM, Gleb Smirnoff wrote:
> Author: glebius
> Date: Tue May 17 22:28:36 2016
> New Revision: 300088
> URL: https://svnweb.freebsd.org/changeset/base/300088
>=20
> Log:
>   - Use unsigned version of min() when handling arguments of SETFKEY io=
ctl.
>   - Validate that user supplied control message length in sendmsg(2)
>     is not negative.

The sendmsg(2) change is not included here (9.3) nor in the advisory but
is in the commit log.  Was it intended to be changed in 9.3?

Plus the only consumer I see is sendit() which seems to be protected
already from negative values when not using COMPAT_43:

>                  if (mp->msg_controllen < sizeof(struct cmsghdr)
>  #ifdef COMPAT_OLDSOCK
>                      && mp->msg_flags !=3D MSG_COMPAT
>  #endif
>                  ) {
>                          error =3D EINVAL;
>                          goto bad;
>                  }
>                  error =3D sockargs(&control, mp->msg_control,
>                      mp->msg_controllen, MT_CONTROL);

=2E..

>  =20
>   Security:	SA-16:18
>   Security:	CVE-2016-1886
>   Security:	SA-16:19
>   Security:	CVE-2016-1887
>   Submitted by:	C Turt <cturt hardenedbsd.org>
>   Approved by:	so
>=20
> Modified:
>   releng/9.3/UPDATING
>   releng/9.3/sys/conf/newvers.sh
>   releng/9.3/sys/dev/kbd/kbd.c
>=20
> Modified: releng/9.3/UPDATING
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- releng/9.3/UPDATING	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/UPDATING	Tue May 17 22:28:36 2016	(r300088)
> @@ -11,6 +11,10 @@ handbook:
>  Items affecting the ports and packages system can be found in
>  /usr/ports/UPDATING.  Please read that file before running portupgrade=
=2E
> =20
> +20160517	p42	FreeBSD-SA-16:18.atkbd
> +
> +	Fix buffer overflow in keyboard driver. [SA-16:18]
> +
>  20160504	p41	FreeBSD-SA-16:17.openssl
>  			FreeBSD-EN-16:08.zfs
> =20
>=20
> Modified: releng/9.3/sys/conf/newvers.sh
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- releng/9.3/sys/conf/newvers.sh	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/sys/conf/newvers.sh	Tue May 17 22:28:36 2016	(r300088)
> @@ -32,7 +32,7 @@
> =20
>  TYPE=3D"FreeBSD"
>  REVISION=3D"9.3"
> -BRANCH=3D"RELEASE-p41"
> +BRANCH=3D"RELEASE-p42"
>  if [ "X${BRANCH_OVERRIDE}" !=3D "X" ]; then
>  	BRANCH=3D${BRANCH_OVERRIDE}
>  fi
>=20
> Modified: releng/9.3/sys/dev/kbd/kbd.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- releng/9.3/sys/dev/kbd/kbd.c	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/sys/dev/kbd/kbd.c	Tue May 17 22:28:36 2016	(r300088)
> @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo
>  			splx(s);
>  			return (error);
>  		}
> -		kbd->kb_fkeytab[fkeyp->keynum].len =3D imin(fkeyp->flen, MAXFK);
> +		kbd->kb_fkeytab[fkeyp->keynum].len =3D min(fkeyp->flen, MAXFK);
>  		bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
>  		    kbd->kb_fkeytab[fkeyp->keynum].len);
>  		break;
>=20


--=20
Regards,
Bryan Drewery


--FAh4wcOMKj9HEW9bGlHNReFxxFPvquB39--

--m7UKHXsceuXi7S98v6DVM4uNkrt2tvGKh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJXO6JTAAoJEDXXcbtuRpfPvD0IAOGgTX4QeCbPRTBVb+S8d4qa
m4/mTeeTuNkhqn8GOpLCPVYepmko7Tv5NIlD/+tjSP+6oIlQlmztD6SuLjpXCJvw
jWeG/oFUb+M89wL2nv1lzo0XzQ5W7wX/XeuCgZPu64+8euPmHkaix04kvQwwMFW8
22adL2ox1B9KrLZTN7gAoZtVmywbjsxXC4PgJeLjfmA8286qYlGgGE6IaUjZ1uDQ
b5cG0/w2mNUjh5jUbbawX84+e0keGwkE7T/2NwZpTbg00V/QC0t+YTVP/hylyjzS
LEAE5Ql0boajRuFqjUGN905zBzeVMiNs79NCQMliVQBJFaLPYyImEq4h8SZWPIw=
=Z4O/
-----END PGP SIGNATURE-----

--m7UKHXsceuXi7S98v6DVM4uNkrt2tvGKh--