Date: Wed, 2 Sep 2020 16:53:17 +0000 (UTC)
From: Gordon Tetlow <gordon@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54452 - in head/share: security/advisories security/patches/EN-20:17 security/patches/EN-20:18 security/patches/SA-20:24 security/patches/SA-20:25 security/patches/SA-20:26 xml
Message-ID: <202009021653.082GrHat055863@repo.freebsd.org>
Author: gordon (src committer)
Date: Wed Sep 2 16:53:16 2020
New Revision: 54452
URL: https://svnweb.freebsd.org/changeset/doc/54452

Log:
  Add EN-20:17, EN-20:18, and SA-20:24 to SA-20:26.

  Approved by: so

Added:
  head/share/security/advisories/FreeBSD-EN-20:17.linuxthread.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-20:18.getfsstat.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:24.ipv6.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:25.sctp.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:26.dhclient.asc (contents, props changed)
  head/share/security/patches/EN-20:17/
  head/share/security/patches/EN-20:17/linuxthread.patch (contents, props changed)
  head/share/security/patches/EN-20:17/linuxthread.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:18/
  head/share/security/patches/EN-20:18/getfsstat.patch (contents, props changed)
  head/share/security/patches/EN-20:18/getfsstat.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:24/
  head/share/security/patches/SA-20:24/ipv6.patch (contents, props changed)
  head/share/security/patches/SA-20:24/ipv6.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:25/
  head/share/security/patches/SA-20:25/sctp.11.3.patch (contents, props changed)
  head/share/security/patches/SA-20:25/sctp.11.3.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:25/sctp.11.4.patch (contents, props changed)
  head/share/security/patches/SA-20:25/sctp.11.4.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:25/sctp.12.1.patch (contents, props changed)
  head/share/security/patches/SA-20:25/sctp.12.1.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:26/
  head/share/security/patches/SA-20:26/dhclient.patch (contents, props changed)
  head/share/security/patches/SA-20:26/dhclient.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-20:17.linuxthread.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:17.linuxthread.asc Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:17.linuxthread Errata Notice + The FreeBSD Project + +Topic: FreeBSD Linux ABI kernel panic + +Category: core +Module: kernel +Announced: 2020-09-02 +Credits: Martin Filla + Henrique L. Amorim, Independent Security Researcher + Rodrigo Rubira Branco (BSDaemon), Amazon Web Services +Affects: All supported versions of FreeBSD. +Corrected: 2020-06-25 05:24:35 UTC (stable/12, 12.1-STABLE) + 2020-09-02 16:21:27 UTC (releng/12.1, 12.1-RELEASE-p9) + 2020-06-25 05:35:46 UTC (stable/11, 11.4-STABLE) + 2020-09-02 16:21:27 UTC (releng/11.4, 11.4-RELEASE-p3) + 2020-09-02 16:21:27 UTC (releng/11.3, 11.3-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The Linux ABI layer (Linuxulator) allows Linux binaries to be executed on a +FreeBSD kernel. + +II. Problem Description + +The kernel function handling exec(3) of a Linux binary did not correctly +handle a calling process with multiple threads. + +III. Impact + +A multithread non-Linux process execing a Linux binary would fail a kernel +assertion, resuting in a kernel panic "thread_detach: emuldata not found." + +IV. Workaround + +No workaround is available. Systems not using the Linux ABI layer are not +affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:17/linuxthread.patch +# fetch https://security.FreeBSD.org/patches/EN-20:17/linuxthread.patch.asc +# gpg --verify linuxthread.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r362605 +releng/12.1/ r365253 +stable/11/ r362606 +releng/11.4/ r365253 +releng/11.3/ r365253 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247020> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:17.linuxthread.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzRZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIZEw//QwJJ3DX0k1PnOwRDdl5KSORAZq1Qfa0Rdo4N3QK31Ap/GiAmW+6wZRr1 +Cb3dAywlfjw8F+Hnxc6za1V0W7Ckr/tbJHGt1XXsq8Pjpc6+GdNGRZi7eiAQHvU7 +I9xkL1jnerBY0l5hq8A6ti1vhraNEFvA0/0lluhqCpgFPEtc/vbvKemyC0RAKVzF +wAz7P3/OyQqcd5qVHBIYfOziau/lfQ2/qD+6hLSZ5pgGX4e/tB1NrYVSd0vNevOl +d3P9LDQYxSIzQ5jHbfLSFOPkT471ItJ6+QW+pAIZQ0Sv4hTQPBRHOL4ZfXG/IDgr ++mVBa6L8lykeC+xh9Teih+dKqZRY5SzKuZVUqURCY2P6miq8C5A2eiTtGIIuwgFF +okqTJx0a+ECAEc7dmaEAM8snqKiPYgu1cCOXKrvAPpkB/Ss1w0Zr/YxLW6v3lMmO +nFOUGeXF9hLxDIINdKRNdaum8aqy1Vtg6xKNfP6z/H4V6saLSLrWk0M2HDKNOyts +MHc/P7zg7hMw1ft/VhiOEWgCk7Se3Q1D2IY53BsUNgtbs5ti29mEeOkNO09FkPYL +t9f3uIOZD9PLg1kDIDA97DulL95gXyX2K10wHciOnDgU+UitHCOqXAnkYGKbezfS +ID1JRdq4uHHIjPOTOiUkTYJDnR/Lgz2572KkTjM5d7YOviS8nS0= +=1pOR +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-20:18.getfsstat.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:18.getfsstat.asc Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,124 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:18.getfsstat Errata Notice + The FreeBSD Project + +Topic: getfsstat compatibility system call panic + +Category: core +Module: getfsstat +Announced: 2020-09-02 +Credits: Rodrigo Rubira Branco (BSDaemon), Amazon Web Services +Affects: FreeBSD 11.3 and 11.4 +Corrected: 2020-06-20 04:39:52 UTC (stable/11, 11.4-STABLE) + 2020-09-02 16:22:14 UTC (releng/11.4, 11.4-RELEASE-p3) + 2020-09-02 16:22:14 UTC (releng/11.3, 11.3-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +getfsstat(2) is a system call which provides information about mounted +filesystems. The kernel provides compatibility system calls for old +versions of the interface. + +II. Problem Description + +A bug in an internal interface used by getfsstat(2) compatibility system +calls could result in a free of an uninitialized pointer when getfsstat(2) +is called with an invalid argument. + +III. Impact + +A kernel panic can be triggered by an unprivileged user process. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:18/getfsstat.patch +# fetch https://security.FreeBSD.org/patches/EN-20:18/getfsstat.patch.asc +# gpg --verify getfsstat.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r362426 +releng/11.4/ r365254 +releng/11.3/ r365254 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:18.getfsstat.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzSVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJrrw/9E3bKTN36F+FPrGdi6wWeAHUEZt3hoonrFqrn4SPUEVSRkk39HGpitgJ8 +KU7HDr9U9B6zaIYnqE+1BWiIYYhqQQM5zb77TGr0fy/LVa8a+m/6o9wzib26lsAT +jrBS0hsZ0Swb8TlrQdaEpLp1wkEdhy5t10hJ/+/nezzo+q2C52m4Bs80J7gE9BCq +uxgCRlnld3fXJrKrOva8WfvMziE8nV9CzKF9luYlP7U9s1PS5H5U6r22Y8tvzZqS +IbH60i7vPhlqX8faxZfKGRIABsJhnee98JF0rDRBOmMwTnFBTmaot75eEjwZIc5p +0GtM27NOM6a/AaO9Yr8U4PI0PffTi8hVm/1t6dlhG5X3O7IUxKC0XT1vlh3jJ1j2 +9i1iuuGU3zSzTSMyWMmzuxCz/YK0C/g4C86ehkdxOYtn6RV31rMSoKdPjxSbyhIJ +ef1eXHm6iBM8aofto24WjCSftPno0rx1peeOnKAqvpTpGH+n08H6iRFagaOt6kkQ +qhy+ZtrlzmjUeUqwLSnyuHJtK+QkP1WFTnT9QgMPnqpRB9e+OsQC2K1KgR9lkOG0 +2kyTu+fJGkNvhiHxKuvIsh5OiNvNm/QHYwESaGPbFhierh+CHs00M00GyeeCjBSr +nMbA3DsD3OxrrxYqh/17x4XoiopY6gUSlDSG+RbsTFsTqTxi308= +=E4P4 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:24.ipv6.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:24.ipv6.asc Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,124 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:24.ipv6 Security Advisory + The FreeBSD Project + +Topic: IPv6 Hop-by-Hop options use-after-free bug + +Category: core +Module: kernel +Announced: 2020-09-02 +Affects: FreeBSD 11.3 +Corrected: 2020-05-07 01:28:59 UTC (stable/11, 11.4-PRERELEASE) + 2020-09-02 16:23:15 UTC (releng/11.3, 11.3-RELEASE-p13) +CVE Name: CVE-2020-7462 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +IPv6 is a network layer supporting Hop-by-Hop options, which can be sent by +applications via the socket API. The memory management for packet handling +is done using mbufs. + +II. Problem Description + +Due to improper mbuf handling in the kernel, a use-after-free bug might be +triggered by sending IPv6 Hop-by-Hop options over the loopback interface. + +III. Impact + +Triggering the use-after-free situation may result in unintended kernel +behaviour including a kernel panic. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch +# fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch.asc +# gpg --verify ipv6.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r360733 +releng/11.3/ r365255 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7462> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:24.ipv6.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTNfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLJYxAAotGAWrawa3gRK8gVpEIJiYknR9bODjDojm7KovlkuKeYAkyQ92/Ii23U +U6tMXSPDYQFyscOdrGq4yEjxRDLLkGQGynQpioinDn8POKX7BKpy+PFFdv1mmBef +h/WpgmlPdhymYisaImgVyGAxU81auzpFB6mArzFDCdHavTd7jVD2lJwcpdzeOk// +NHOsj8C4VYJs0XcYrNa4CEWfH/D/uNO8u2b3QUfKQSOdfIfaDv22k2b96YKm+zcr +xS7Q1jDv7QBTQou7KNOfoPi0Gclp8Q9VReP2nY/hB5TmJjR3irz+Z6UcGfiyDGrL +XRB7oP23jIUmBbsINUN06FIhAPGF9/7zcOOoV1YOdwvmbLM0/W4c+mERZ16gw6+N +MzCLDOeiyKAUr+pQzcl6lORxr31eB8400l6nRJwmCiWx4nHwyHPIl1RtfvsdNqfE +/OBVEalxsCrzStfW4ME5RziPo9Y8DrajPf7+JY/4CIV3v/dJAiGi3+qs9Zn8enar +WCR/8+o4xbT+d1sGTG1W3Qjh9a28jxqEusLjdehDy8PTk9OnIfPRuxj+kvot3Wo0 +lWdeSIo8YZPYn7hG9N19k6aDlljM1fgkBmWj1uELtCeIE7WM5tHGMBuaS0cTt1jL +s2g01qgkgW2a6cChdm3oNfUKE5KpD3/hU63/jEA6QyJJQQqXlOs= +=kFlz +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:25.sctp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:25.sctp.asc Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,142 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:25.sctp Security Advisory + The FreeBSD Project + +Topic: SCTP socket use-after-free bug + +Category: core +Module: kernel +Announced: 2020-09-02 +Credits: Megan2013678@protonmail.com +Affects: All supported versions of FreeBSD. +Corrected: 2020-08-24 09:19:05 UTC (stable/12, 12.1-STABLE) + 2020-09-02 16:24:32 UTC (releng/12.1, 12.1-RELEASE-p9) + 2020-08-24 09:46:36 UTC (stable/11, 11.4-STABLE) + 2020-09-02 16:24:32 UTC (releng/11.4, 11.4-RELEASE-p3) + 2020-09-02 16:24:32 UTC (releng/11.3, 11.3-RELEASE-p13) +CVE Name: CVE-2020-7463 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The Stream Control Transmission Protocol (SCTP) is a message oriented +transport protocol supporting arbitrary large user messages. +It can be accessed from applications by using the the socket API. + +II. Problem Description + +Due to improper handling in the kernel, a use-after-free bug can be triggered +by sending large user messages from multiple threads on the same socket. + +III. Impact + +Triggering the use-after-free situation may result in unintended kernel +behaviour including a kernel panic. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.1] +# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.12.1.patch +# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.12.1.patch.asc +# gpg --verify sctp.12.1.patch.asc + +[FreeBSD 11.4] +# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.4.patch +# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.4.patch.asc +# gpg --verify sctp.11.4.patch.asc + +[FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.3.patch +# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.3.patch.asc +# gpg --verify sctp.11.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r364644 +releng/12.1/ r365256 +stable/11/ r364651 +releng/11.4/ r365256 +releng/11.3/ r365256 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7463> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:25.sctp.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIMPw//ZOYh7TQdwvreQ/iZbJphPp7hBVJqFWPE9M72Yfo87/vkl+T5/GW9wiLT +MQlknQ7SDyzE7i8RpGvX0lmXLbr1e2rkvin1ZFdCbWkPzC7w0WVH7XX6+I+RJmkh +E4dtmHrYhLRwmVtW5WYZdfO+iYVTJl/h43eYbYvNgJZSuKkvl2Vk6DqyseHx7xR6 +gc7/41AIpMiqRLQI9ZnRvZCEiLq4G+q5z499ACfAutT9o+1T9L6QLCPuyY+fziiq +cI2E/pQA5uxOY/z3ejKHeOzErjycY6GEhMiBKmsJqV6oU/cZd5hZ1qsmE9Xbi3/c +Ax+OZr+Ve2a78dD7jOrmCrpBtG1Pg39c6VuQqHD3UN3seBNEkn4kto9vDX9fLceD +GZbueV97boFxjnXu1B6C8ufqEZDqTaf/SU3+vCobBgydP+V8c1P5LbP6qcFHOUrk +k7ijiJv03aYyY1Z6XtqbRsudZzIaTt+jneUA1eA46iWQqVZQHKo2liw5kAtsGu0k +injGcazWRphV6xgOHIMCfrGcLLf0j+4UjiDUk30cansLGewuk/uEh6FlA4NzyRWA +4L3Q0l/XQWvO2sNMtF9LbBUUujDyy93Vy8BouSp59v7+bAYrRHfcIAmaQnE4jev2 +BY7/JsrfQ9rG/Anzg49Hec8pw9VEvv4kA1STqXcpMt9Fq+0DslA= +=2ET6 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:26.dhclient.asc 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:26.dhclient.asc Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,145 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:26.dhclient Security Advisory + The FreeBSD Project + +Topic: dhclient heap overflow + +Category: core +Module: dhclient +Announced: 2020-09-02 +Credits: Shlomi Oberman, JSOF +Affects: All supported versions of FreeBSD. +Corrected: 2020-08-31 21:28:09 UTC (stable/12, 12.1-STABLE) + 2020-09-02 16:25:31 UTC (releng/12.1, 12.1-RELEASE-p9) + 2020-08-31 21:28:57 UTC (stable/11, 11.4-STABLE) + 2020-09-02 16:25:31 UTC (releng/11.4, 11.4-RELEASE-p3) + 2020-09-02 16:25:31 UTC (releng/11.3, 11.3-RELEASE-p13) +CVE Name: CVE-2020-7461 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is +responsible for contacting DHCP servers on a network segment, and for +initializing and configuring network interfaces and configuring name +resolution based on received information. + +dhclient(8) handles DHCP option 119, the Domain Search Option, which provides +a list of domains to search when resolving names using DNS. The option data +format uses a compression scheme to avoid transmitting duplicate domain name +labels. + +II. Problem Description + +When parsing option 119 data, dhclient(8) computes the uncompressed domain +list length so that it can allocate an appropriately sized buffer to store +the uncompressed list. The code to compute the length failed to handle +certain malformed input, resulting in a heap overflow when the uncompressed +list is copied into in inadequately sized buffer. + +III. Impact + +The heap overflow could in principle be exploited to achieve remote code +execution. 
The affected process runs with reduced privileges in a Capsicum +sandbox, limiting the immediate impact of an exploit. However, it is +possible the bug could be combined with other vulnerabilities to escape the +sandbox. + +IV. Workaround + +No workaround is available. To trigger the bug, a system must be running +dhclient(8) on the same network as a malicious DHCP server. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, and +restart dhclient or reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch +# fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch.asc +# gpg --verify dhclient.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r365010 +releng/12.1/ r365257 +stable/11/ r365011 +releng/11.4/ r365257 +releng/11.3/ r365257 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7461> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:26.dhclient.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTtfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLLPxAAhg/FSqWLykYAiQ8czoy98X00VIWAP1f4InfUKm8qOB8/7ptzv3A+2Hov +7lHlyN0D4OwhJFt7fw9oTwNe4UgxShso6QrezaTJZR7juFELy9WODbRFnNK4i8w9 +NCBab+NIn1o7nFZnB0M5TMKfa4gc1jAV+Q/U/zi+ONvwZegmjXJxuop3Sq8wfBd2 +Vp9VAvEJvvBlQKExR2xNRDKV/0LpW+VffIuzlWT2ex3WwGpFVeVSL0ZNJsPbzMYX +j0aqGo9B/mHfXtKSQ415kGxiaQctnu5FqjNgSc00byzOU0YTiLsPwPdUgIt+nuQd +WFSePoZsDYstkkJ8YaCA/LVzmZo0tNR8m+z7xmhCszUbMIV+iRSycUexEbCXoPx/ +Ebg6ycyYMwguK7rL2dkjNWTkr3hP5CgLD7VnzVBYGiBY7ha0zOgbaYWl/33Az5Fb +0eaIyJRFCDmI32NZfri1WLc06K1gFcVcR6VO+BUqRHG6bkYnF/4xlla8ERhYgNeC +Y9cs4Y9TNRges79k7jovpu9B5nicTEqMRQBubcARX5+w9zLg8h2aKH6inuVy1srn +M9H/mjdCHMkySpSSrENw9Jk5I7RAgHHRgA1OTkB6Da02aMzPEh6fYHWeR7IpvxPc +2A/hxnZy0tTeZ4aKbds1GYZWUVDd3I8DlSVcT5Bq1g5kk6I+PN8= +=jfay +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-20:17/linuxthread.patch 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:17/linuxthread.patch Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,63 @@ +--- sys/compat/linux/linux_emul.c.orig ++++ sys/compat/linux/linux_emul.c +@@ -261,22 +261,13 @@ + void + linux_proc_exec(void *arg __unused, struct proc *p, struct image_params *imgp) + { +- struct thread *td = curthread; ++ struct thread *td; + struct thread *othertd; + #if defined(__amd64__) + struct linux_pemuldata *pem; + #endif + +- /* +- * In a case of execing from Linux binary properly detach +- * other threads from the user space. +- */ +- if (__predict_false(SV_PROC_ABI(p) == SV_ABI_LINUX)) { +- FOREACH_THREAD_IN_PROC(p, othertd) { +- if (td != othertd) +- (p->p_sysent->sv_thread_detach)(othertd); +- } +- } ++ td = curthread; + + /* + * In a case of execing to Linux binary we create Linux +@@ -284,11 +275,32 @@ + */ + if (__predict_false((imgp->sysent->sv_flags & SV_ABI_MASK) == + SV_ABI_LINUX)) { +- +- if (SV_PROC_ABI(p) == SV_ABI_LINUX) ++ if (SV_PROC_ABI(p) == SV_ABI_LINUX) { ++ /* ++ * Process already was under Linuxolator ++ * before exec. Update emuldata to reflect ++ * single-threaded cleaned state after exec. ++ */ + linux_proc_init(td, NULL, 0); +- else ++ } else { ++ /* ++ * We are switching the process to Linux emulator. ++ */ + linux_proc_init(td, td, 0); ++ ++ /* ++ * Create a transient td_emuldata for all suspended ++ * threads, so that p->p_sysent->sv_thread_detach() == ++ * linux_thread_detach() can find expected but unused ++ * emuldata. ++ */ ++ FOREACH_THREAD_IN_PROC(td->td_proc, othertd) { ++ if (othertd != td) { ++ linux_proc_init(td, othertd, ++ LINUX_CLONE_THREAD); ++ } ++ } ++ } + #if defined(__amd64__) + /* + * An IA32 executable which has executable stack will have the Added: head/share/security/patches/EN-20:17/linuxthread.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:17/linuxthread.patch.asc Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9Py7tfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLxQw/9HUXUeCz5XHIK6qL0yaGIDQh2QOlLXiHSf+5EvGOv+xFsP+IFFwWLNCud +D5LCquLDcFOAxb2PZOZ8Of2zUtmiFGi2rly+aw//pNMiRzbI/wGfwvcr2iwleP0P +DBn0PDJzOJO87FzjdPnm3p8GqlndCkb2YEDzVDCzA29uTyXbNSB38fj5W+Nqg/H3 +ouxl9NEcN5q8cdUn2//F6DX/NKKoQ+KUR5ImAm5VPDDzs+i3U7uIGO/o1B1iZd1+ +EvSLRDmaB58xmqbhudbb//gzJycD8OAv0djxjjfsYhR2yr1sKWi0+lM22QFvSPGY +2PC4692pzOySX2sDf9qdVk2ljv8ab498Kkeo1fUtSTNIjwei2OjYsRYq5nmRfb0Q +2pKHOb80NfQTMIZ6nQHNi6AQ9T/Jezp14VlCeMzkIWQ9o8Lez6W3fxy+59Ir+tQh +CsWXIoTPXO9RjHkqQ8jw2F0qjI77dFxpN1hixi/3Wn5KA+3BkLidcCoXiejkR9jy +FnmAAWjS97TIpLMMwScmA5X83wNpylX1Y+/69NNxw6IiJvNN4KhLWAj2V4l0OSrZ +IJlBReeEJk0wL5z6JQyJ4XB6zTDjBb3Cx9grmDH6CPssLsDlcrJGyICpawXPLOeg +aLg8h1bgD8YlMVxyxUgqpPGaCDwY1pRale8+mYbWFUWfGcCll5U= +=InXC +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-20:18/getfsstat.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:18/getfsstat.patch Wed Sep 2 16:53:16 2020 (r54452) @@ -0,0 +1,11 @@ +--- sys/kern/vfs_syscalls.c.orig ++++ sys/kern/vfs_syscalls.c +@@ -409,6 +409,8 @@ + case MNT_NOWAIT: + break; + default: ++ if (bufseg == UIO_SYSSPACE) ++ *buf = NULL; + return (EINVAL); + } + restart: Added: head/share/security/patches/EN-20:18/getfsstat.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:18/getfsstat.patch.asc Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9Py7tfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cISgA/7Bc4uiJyULvRciFN5W7X1aNFKjFtBlP3LAsRVZFkAxxb5SEN9NIuMqru3 +smZ3oIPswksChJYWdGuiegvzVRPo73YinMnFZu+i064wLttnlOEJXIePfEgpvu81 +BaCtBI3iPrHroFA6LiSUPFlZUBYxl9sMucusRWOpORDPOeNVVoBm0jC282B2k6m0 +h6dPQG++ARXdoH8hBnXrZt17Lu8kK6BOQFysru8G35UCLf9jAczrzStaq9DC6rdi +UHilIaeXKvEM10r7hos8d3wLQjpKRXcSEmcYAWgbCG8ewlSVDDhORftqZ2gv6I/P +dqDwnwznS1ArhYWjk+RHheekbgqP89nJpaYT3rvne3wuzjX6fIDtJBEg0/v5PbOX +VZu/5MG8M/l02j5NLghgGnqRmQjalpl4khsBBweQfht/w4eSURA219V497v6Dm0w +cwk/+R1Nql7NY83PK3PhSvVkmjLvlRYYm47yJphWtqxZ2forwT9KSPZgcEYByd0t +Fiw2rJCyUDXtgMPNmIYcqeX/5IUT921L1wr8VWCYdaS15qFEjU790M+moiK9j6En +IyCsoNN6WASORwcgJGqi6kiScYQEUR+I34feox4dkfavDMrG2ll7Spzz4RZJSar/ +HF191J+feeHbMFcz7gqH6vumj8mMKrx/ARWD16OVSFIFaaF7QjA= +=yl10 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-20:24/ipv6.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-20:24/ipv6.patch Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,37 @@ +--- sys/netinet6/ip6_input.c ++++ sys/netinet6/ip6_input.c +@@ -402,20 +402,22 @@ VNET_SYSUNINIT(inet6, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, ip6_destroy, NULL); + #endif + + static int +-ip6_input_hbh(struct mbuf *m, uint32_t *plen, uint32_t *rtalert, int *off, ++ip6_input_hbh(struct mbuf **mp, uint32_t *plen, uint32_t *rtalert, int *off, + int *nxt, int *ours) + { ++ struct mbuf *m; + struct ip6_hdr *ip6; + struct ip6_hbh *hbh; + +- if (ip6_hopopts_input(plen, rtalert, &m, off)) { ++ if (ip6_hopopts_input(plen, rtalert, mp, off)) { + #if 0 /*touches NULL pointer*/ +- in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); ++ in6_ifstat_inc((*mp)->m_pkthdr.rcvif, ifs6_in_discard); + #endif + goto out; /* m have already been freed */ + } + + /* adjust pointer */ ++ m = *mp; + ip6 = mtod(m, struct ip6_hdr *); + + /* +@@ -855,7 +857,7 @@ ip6_input(struct mbuf *m) + */ + plen = (u_int32_t)ntohs(ip6->ip6_plen); + if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { +- if (ip6_input_hbh(m, &plen, &rtalert, &off, &nxt, &ours) != 0) ++ if (ip6_input_hbh(&m, &plen, &rtalert, &off, &nxt, &ours) != 0) + return; + } else + nxt = ip6->ip6_nxt; Added: head/share/security/patches/SA-20:24/ipv6.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-20:24/ipv6.patch.asc Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9Py7tfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIWLQ//f5XvBbodgJD5LiVh8RJwlPjdTI72UqY+YoFq2v3ELlaIL40Zpfr1WUE/ +70lPdfeX8GgKDLzvV0RA05HFYyhMD8zOY2TOglS0dEcU6gQ7z0ncPm3pmS2G8JjS +/f8Lioqp1UbxROpW+vquj3Zls40Lkk5T2xOrhR6mNzOVSFHm3q8+ElPAEFsrfPy1 +KZEM3CefIEgngED9m5bUsICnuIIdyiOZW+zx+3NnJEzwL4laS7KKzzplzibBtogq +2qx6tDnIatRUJLb7ZVzayW4FAT2aRhS02JqcnL5vljtkefr50f5a+yA8lflBJm5I ++3rCJcFG89c4OOjO6e7LtyorFk7OKtdWGkHFNLlXmN9C8a6Rap9r3SW3NC/6YJHB +7v7sZ0WHv8ECl65HnA/KCBvtdfCUEb6EqOCJW2CncmVFdBxMcCOAsAdC36Cc4yPl +3/7HFzhrO5LoM8xbGZdYKjb+T+LgsrIyeYgGr19RfoYNqVkzxxFX8Nz+OLwbPIC3 +/MTSM0VYEelmAEsFiEV4oL6D42xYhafXSRRstQAMSijW8v4ao8KpJaz2dzbcQ2NO +U8S9NI3kwC7lvjO+hH1n7w2nJi25Z4fTBiz6vKCOYwEEN38tis6S2YOusfPiI39z +0C8VvWVXRHUJBqsjBZ6I74Bs5CSjRSL2YQbVyvLl82WctHrXk5Q= +=y2VF +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-20:25/sctp.11.3.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-20:25/sctp.11.3.patch Wed Sep 2 16:53:16 2020 (r54452) 
@@ -0,0 +1,305 @@ +--- sys/netinet/sctp_input.c ++++ sys/netinet/sctp_input.c +@@ -839,7 +839,6 @@ sctp_handle_abort(struct sctp_abort_chunk *abort, + SCTP_TCB_LOCK(stcb); + atomic_subtract_int(&stcb->asoc.refcnt, 1); + #endif +- SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_WAS_ABORTED); + (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, + SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); + #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) +@@ -1989,7 +1988,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, + /* send up all the data */ + SCTP_TCB_SEND_LOCK(stcb); + +- sctp_report_all_outbound(stcb, 0, 1, SCTP_SO_LOCKED); ++ sctp_report_all_outbound(stcb, 0, SCTP_SO_LOCKED); + for (i = 0; i < stcb->asoc.streamoutcnt; i++) { + stcb->asoc.strmout[i].chunks_on_queues = 0; + #if defined(SCTP_DETAILED_STR_STATS) +--- sys/netinet/sctp_output.c ++++ sys/netinet/sctp_output.c +@@ -13159,11 +13159,10 @@ sctp_lower_sosend(struct socket *so, + error = EINVAL; + goto out; + } +- SCTP_TCB_SEND_UNLOCK(stcb); +- + strm = &stcb->asoc.strmout[srcv->sinfo_stream]; + if (strm->last_msg_incomplete == 0) { + do_a_copy_in: ++ SCTP_TCB_SEND_UNLOCK(stcb); + sp = sctp_copy_it_in(stcb, asoc, srcv, uio, net, max_len, user_marks_eor, &error); + if (error) { + goto out; +@@ -13189,13 +13188,11 @@ sctp_lower_sosend(struct socket *so, + if (srcv->sinfo_flags & SCTP_UNORDERED) { + SCTP_STAT_INCR(sctps_sends_with_unord); + } ++ sp->processing = 1; + TAILQ_INSERT_TAIL(&strm->outqueue, sp, next); + stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, asoc, strm, sp, 1); +- SCTP_TCB_SEND_UNLOCK(stcb); + } else { +- SCTP_TCB_SEND_LOCK(stcb); + sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead); +- SCTP_TCB_SEND_UNLOCK(stcb); + if (sp == NULL) { + /* ???? Huh ??? 
last msg is gone */ + #ifdef INVARIANTS +@@ -13207,7 +13204,16 @@ sctp_lower_sosend(struct socket *so, + goto do_a_copy_in; + + } ++ if (sp->processing) { ++ SCTP_TCB_SEND_UNLOCK(stcb); ++ SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL); ++ error = EINVAL; ++ goto out; ++ } else { ++ sp->processing = 1; ++ } + } ++ SCTP_TCB_SEND_UNLOCK(stcb); + while (uio->uio_resid > 0) { + /* How much room do we have? */ + struct mbuf *new_tail, *mm; +@@ -13232,20 +13238,29 @@ sctp_lower_sosend(struct socket *so, + if (mm) { + sctp_m_freem(mm); + } ++ SCTP_TCB_SEND_LOCK(stcb); ++ if (sp != NULL) { ++ sp->processing = 0; ++ } ++ SCTP_TCB_SEND_UNLOCK(stcb); + goto out; + } + /* Update the mbuf and count */ + SCTP_TCB_SEND_LOCK(stcb); +- if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) { ++ if ((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) || ++ (stcb->asoc.state & SCTP_STATE_WAS_ABORTED)) { + /* + * we need to get out. Peer probably + * aborted. + */ + sctp_m_freem(mm); +- if (stcb->asoc.state & SCTP_PCB_FLAGS_WAS_ABORTED) { ++ if (stcb->asoc.state & SCTP_STATE_WAS_ABORTED) { + SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET); + error = ECONNRESET; + } ++ if (sp != NULL) { ++ sp->processing = 0; ++ } + SCTP_TCB_SEND_UNLOCK(stcb); + goto out; + } +@@ -13305,6 +13320,11 @@ sctp_lower_sosend(struct socket *so, + /* wait for space now */ + if (non_blocking) { + /* Non-blocking io in place out */ ++ SCTP_TCB_SEND_LOCK(stcb); ++ if (sp != NULL) { ++ sp->processing = 0; ++ } ++ SCTP_TCB_SEND_UNLOCK(stcb); + goto skip_out_eof; + } + /* What about the INIT, send it maybe */ +@@ -13428,6 +13448,11 @@ sctp_lower_sosend(struct socket *so, + } + } + SOCKBUF_UNLOCK(&so->so_snd); ++ SCTP_TCB_SEND_LOCK(stcb); ++ if (sp != NULL) { ++ sp->processing = 0; ++ } ++ SCTP_TCB_SEND_UNLOCK(stcb); + goto out_unlocked; + } + +@@ -13437,12 +13462,19 @@ sctp_lower_sosend(struct socket *so, + } + } + SOCKBUF_UNLOCK(&so->so_snd); ++ SCTP_TCB_SEND_LOCK(stcb); + 
if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) { ++ if (sp != NULL) { ++ sp->processing = 0; ++ } ++ SCTP_TCB_SEND_UNLOCK(stcb); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
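Review bot: the new loop in sys/compat/linux/linux_emul.c at @@ -284,11 +275,32 @@ walks `FOREACH_THREAD_IN_PROC(td->td_proc, othertd)` although linux_proc_exec() already receives `p`, and the loop this patch removes iterated over `p`. Use `p` here as well, or say why `td->td_proc` is intended, so a reader does not have to confirm that both name the same process. The comment calls the emuldata "transient" but does not say what releases it; one more sentence naming that point would close the gap.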
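Review bot: in sys/kern/vfs_syscalls.c at @@ -409,6 +409,8 @@, `*buf = NULL` is set only on the `default:` EINVAL return and carries no comment saying why a `UIO_SYSSPACE` caller needs it. Add a line stating what the caller does with `*buf` when the call fails, and consider clearing `*buf` once at function entry for `bufseg == UIO_SYSSPACE` so every early error return is covered, not only this one.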
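Review bot: in sys/netinet6/ip6_input.c at @@ -402,20 +402,22 @@, the `#if 0 /*touches NULL pointer*/` block is ported to dereference `(*mp)` on the very path whose comment says the mbuf has already been freed. The block is dead and would be wrong if it were ever enabled, so delete it instead of carrying it over to the new parameter. The `/* adjust pointer */` comment above `m = *mp;` should also say that the pointer is reloaded because ip6_hopopts_input() is now handed the caller's `mp` and may change it.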
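Review bot: in sys/netinet/sctp_input.c at @@ -839,7 +839,6 @@, `SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_WAS_ABORTED)` is dropped from sctp_handle_abort() while the sctp_output.c hunks of the same patch begin testing `SCTP_STATE_WAS_ABORTED`. The diff as shown (truncated at 1000 lines) does not reveal where the substate is set after this change, so a reviewer cannot tell from these lines that the new ECONNRESET check in sctp_lower_sosend() still has something to match. The commit message or a comment at the removal site should name the new setter.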
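Review bot: in sys/netinet/sctp_output.c at @@ -13159,11 +13159,10 @@, placing `SCTP_TCB_SEND_UNLOCK(stcb)` directly after the `do_a_copy_in:` label means the label must now always be entered with the send lock held, including from the `goto do_a_copy_in` in the `sp == NULL` branch further down. That holds in this patch because the LOCK/UNLOCK pair around `TAILQ_LAST()` is removed in the next hunk, but nothing at the label records the requirement. Add a comment there, or an assertion that the lock is held.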
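Review bot: in sctp_lower_sosend() at @@ -13207,7 +13204,16 @@, a sender that finds `sp->processing` already set is turned away with `EINVAL`, and no comment explains that this means another thread is still working on the same incomplete message. Add that comment so the error is not mistaken for an argument check, and drop the `else` after `goto out;` so that `sp->processing = 1;` sits at normal indentation.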
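Review bot: the reset of `sp->processing` is copied onto each exit path instead of living in one place, starting in sys/netinet/sctp_output.c at @@ -13232,20 +13238,29 @@ and repeated in the hunks at @@ -13305, @@ -13428 and @@ -13437. Any exit path that misses the reset leaves the flag set, and the check added at @@ -13207 then rejects the next send that continues that message with EINVAL. Fold the lock, `if (sp != NULL) sp->processing = 0;`, unlock sequence into a single helper or a common exit label so new `goto out` paths cannot skip it.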