From owner-svn-src-all@FreeBSD.ORG  Tue Oct  4 19:07:39 2011
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C5393106567C;
	Tue,  4 Oct 2011 19:07:39 +0000 (UTC)
	(envelope-from cperciva@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id B0FB88FC13;
	Tue,  4 Oct 2011 19:07:39 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p94J7dUL075299;
	Tue, 4 Oct 2011 19:07:39 GMT (envelope-from cperciva@svn.freebsd.org)
Received: (from cperciva@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id p94J7dnD075286;
	Tue, 4 Oct 2011 19:07:39 GMT (envelope-from cperciva@svn.freebsd.org)
Message-Id: <201110041907.p94J7dnD075286@svn.freebsd.org>
From: Colin Percival <cperciva@FreeBSD.org>
Date: Tue, 4 Oct 2011 19:07:39 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-releng@freebsd.org
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r226023 - head/sys/compat/linux releng/7.3
	releng/7.3/sys/compat/linux releng/7.3/sys/conf releng/7.4
	releng/7.4/sys/compat/linux releng/7.4/sys/conf releng/8.1
	releng/8.1/sys/compat/li...
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Oct 2011 19:07:40 -0000

Author: cperciva
Date: Tue Oct  4 19:07:38 2011
New Revision: 226023
URL: http://svn.freebsd.org/changeset/base/226023

Log:
  Fix a bug in UNIX socket handling in the linux emulator which was
  exposed by the security fix in FreeBSD-SA-11:05.unix.
  
  Approved by:	so (cperciva)
  Approved by:	re (kib)
  Security:	Related to FreeBSD-SA-11:05.unix, but not actually
  		a security fix.

Modified:
  releng/7.3/UPDATING
  releng/7.3/sys/compat/linux/linux_socket.c
  releng/7.3/sys/conf/newvers.sh
  releng/7.4/UPDATING
  releng/7.4/sys/compat/linux/linux_socket.c
  releng/7.4/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/sys/compat/linux/linux_socket.c
  releng/8.1/sys/conf/newvers.sh
  releng/8.2/UPDATING
  releng/8.2/sys/compat/linux/linux_socket.c
  releng/8.2/sys/conf/newvers.sh

Changes in other areas also in this revision:
Modified:
  head/sys/compat/linux/linux_socket.c
  stable/7/sys/compat/linux/linux_socket.c
  stable/8/sys/compat/linux/linux_socket.c
  stable/9/sys/compat/linux/linux_socket.c

Modified: releng/7.3/UPDATING
==============================================================================
--- releng/7.3/UPDATING	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.3/UPDATING	Tue Oct  4 19:07:38 2011	(r226023)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20111004:	p8	FreeBSD-SA-11:05.unix (revised)
+	Fix a bug in UNIX socket handling in the linux emulator which was
+	exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928:	p7	FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 	Fix handling of corrupt compress(1)ed data. [11:04]
 

Modified: releng/7.3/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/7.3/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.3/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -101,6 +101,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -158,6 +159,20 @@ do_sa_get(struct sockaddr **sap, const s
 	if (bdom == AF_INET)
 		alloclen = sizeof(struct sockaddr_in);
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;

Modified: releng/7.3/sys/conf/newvers.sh
==============================================================================
--- releng/7.3/sys/conf/newvers.sh	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.3/sys/conf/newvers.sh	Tue Oct  4 19:07:38 2011	(r226023)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.3"
-BRANCH="RELEASE-p7"
+BRANCH="RELEASE-p8"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/7.4/UPDATING
==============================================================================
--- releng/7.4/UPDATING	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.4/UPDATING	Tue Oct  4 19:07:38 2011	(r226023)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20111004:	p4	FreeBSD-SA-11:05.unix (revised)
+	Fix a bug in UNIX socket handling in the linux emulator which was
+	exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928:	p3	FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 	Fix handling of corrupt compress(1)ed data. [11:04]
 

Modified: releng/7.4/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/7.4/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.4/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -101,6 +101,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -163,6 +164,20 @@ do_sa_get(struct sockaddr **sap, const s
 		}
 	}
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;

Modified: releng/7.4/sys/conf/newvers.sh
==============================================================================
--- releng/7.4/sys/conf/newvers.sh	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.4/sys/conf/newvers.sh	Tue Oct  4 19:07:38 2011	(r226023)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.4"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.1/UPDATING
==============================================================================
--- releng/8.1/UPDATING	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.1/UPDATING	Tue Oct  4 19:07:38 2011	(r226023)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20111004:	p6	FreeBSD-SA-11:05.unix (revised)
+	Fix a bug in UNIX socket handling in the linux emulator which was
+	exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928:	p5	FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 	Fix handling of corrupt compress(1)ed data. [11:04]
 

Modified: releng/8.1/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/8.1/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.1/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const s
 		}
 	}
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;

Modified: releng/8.1/sys/conf/newvers.sh
==============================================================================
--- releng/8.1/sys/conf/newvers.sh	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.1/sys/conf/newvers.sh	Tue Oct  4 19:07:38 2011	(r226023)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.1"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.2/UPDATING
==============================================================================
--- releng/8.2/UPDATING	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.2/UPDATING	Tue Oct  4 19:07:38 2011	(r226023)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20111004:	p4	FreeBSD-SA-11:05.unix (revised)
+	Fix a bug in UNIX socket handling in the linux emulator which was
+	exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928:	p3	FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 	Fix handling of corrupt compress(1)ed data. [11:04]
 

Modified: releng/8.2/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/8.2/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.2/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const s
 		}
 	}
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;

Modified: releng/8.2/sys/conf/newvers.sh
==============================================================================
--- releng/8.2/sys/conf/newvers.sh	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.2/sys/conf/newvers.sh	Tue Oct  4 19:07:38 2011	(r226023)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.2"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi