From owner-svn-src-all@FreeBSD.ORG Tue Oct 4 19:07:39 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C5393106567C; Tue, 4 Oct 2011 19:07:39 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id B0FB88FC13; Tue, 4 Oct 2011 19:07:39 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p94J7dUL075299; Tue, 4 Oct 2011 19:07:39 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p94J7dnD075286; Tue, 4 Oct 2011 19:07:39 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <201110041907.p94J7dnD075286@svn.freebsd.org> From: Colin Percival Date: Tue, 4 Oct 2011 19:07:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r226023 - head/sys/compat/linux releng/7.3 releng/7.3/sys/compat/linux releng/7.3/sys/conf releng/7.4 releng/7.4/sys/compat/linux releng/7.4/sys/conf releng/8.1 releng/8.1/sys/compat/li... X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Oct 2011 19:07:40 -0000 Author: cperciva Date: Tue Oct 4 19:07:38 2011 New Revision: 226023 URL: http://svn.freebsd.org/changeset/base/226023 Log: Fix a bug in UNIX socket handling in the linux emulator which was exposed by the security fix in FreeBSD-SA-11:05.unix. Approved by: so (cperciva) Approved by: re (kib) Security: Related to FreeBSD-SA-11:05.unix, but not actually a security fix. Modified: releng/7.3/UPDATING releng/7.3/sys/compat/linux/linux_socket.c releng/7.3/sys/conf/newvers.sh releng/7.4/UPDATING releng/7.4/sys/compat/linux/linux_socket.c releng/7.4/sys/conf/newvers.sh releng/8.1/UPDATING releng/8.1/sys/compat/linux/linux_socket.c releng/8.1/sys/conf/newvers.sh releng/8.2/UPDATING releng/8.2/sys/compat/linux/linux_socket.c releng/8.2/sys/conf/newvers.sh Changes in other areas also in this revision: Modified: head/sys/compat/linux/linux_socket.c stable/7/sys/compat/linux/linux_socket.c stable/8/sys/compat/linux/linux_socket.c stable/9/sys/compat/linux/linux_socket.c Modified: releng/7.3/UPDATING ============================================================================== --- releng/7.3/UPDATING Tue Oct 4 18:45:29 2011 (r226022) +++ releng/7.3/UPDATING Tue Oct 4 19:07:38 2011 (r226023) @@ -8,6 +8,10 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20111004: p8 FreeBSD-SA-11:05.unix (revised) + Fix a bug in UNIX socket handling in the linux emulator which was + exposed by the security fix in FreeBSD-SA-11:05.unix. + 20110928: p7 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix Fix handling of corrupt compress(1)ed data. [11:04] Modified: releng/7.3/sys/compat/linux/linux_socket.c ============================================================================== --- releng/7.3/sys/compat/linux/linux_socket.c Tue Oct 4 18:45:29 2011 (r226022) +++ releng/7.3/sys/compat/linux/linux_socket.c Tue Oct 4 19:07:38 2011 (r226023) @@ -101,6 +101,7 @@ do_sa_get(struct sockaddr **sap, const s int oldv6size; struct sockaddr_in6 *sin6; #endif + int namelen; if (*osalen < 2 || *osalen > UCHAR_MAX || !osa) return (EINVAL); @@ -158,6 +159,20 @@ do_sa_get(struct sockaddr **sap, const s if (bdom == AF_INET) alloclen = sizeof(struct sockaddr_in); + if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) { + for (namelen = 0; + namelen < *osalen - offsetof(struct sockaddr_un, sun_path); + namelen++) + if (!((struct sockaddr_un *)kosa)->sun_path[namelen]) + break; + if (namelen + offsetof(struct sockaddr_un, sun_path) > + sizeof(struct sockaddr_un)) { + error = EINVAL; + goto out; + } + alloclen = sizeof(struct sockaddr_un); + } + sa = (struct sockaddr *) kosa; sa->sa_family = bdom; sa->sa_len = alloclen; Modified: releng/7.3/sys/conf/newvers.sh ============================================================================== --- releng/7.3/sys/conf/newvers.sh Tue Oct 4 18:45:29 2011 (r226022) +++ releng/7.3/sys/conf/newvers.sh Tue Oct 4 19:07:38 2011 (r226023) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.3" -BRANCH="RELEASE-p7" +BRANCH="RELEASE-p8" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.4/UPDATING ============================================================================== --- releng/7.4/UPDATING Tue Oct 4 18:45:29 2011 (r226022) +++ releng/7.4/UPDATING Tue Oct 4 19:07:38 2011 (r226023) @@ -8,6 +8,10 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20111004: p4 FreeBSD-SA-11:05.unix (revised) + Fix a bug in UNIX socket handling in the linux emulator which was + exposed by the security fix in FreeBSD-SA-11:05.unix. + 20110928: p3 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix Fix handling of corrupt compress(1)ed data. [11:04] Modified: releng/7.4/sys/compat/linux/linux_socket.c ============================================================================== --- releng/7.4/sys/compat/linux/linux_socket.c Tue Oct 4 18:45:29 2011 (r226022) +++ releng/7.4/sys/compat/linux/linux_socket.c Tue Oct 4 19:07:38 2011 (r226023) @@ -101,6 +101,7 @@ do_sa_get(struct sockaddr **sap, const s int oldv6size; struct sockaddr_in6 *sin6; #endif + int namelen; if (*osalen < 2 || *osalen > UCHAR_MAX || !osa) return (EINVAL); @@ -163,6 +164,20 @@ do_sa_get(struct sockaddr **sap, const s } } + if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) { + for (namelen = 0; + namelen < *osalen - offsetof(struct sockaddr_un, sun_path); + namelen++) + if (!((struct sockaddr_un *)kosa)->sun_path[namelen]) + break; + if (namelen + offsetof(struct sockaddr_un, sun_path) > + sizeof(struct sockaddr_un)) { + error = EINVAL; + goto out; + } + alloclen = sizeof(struct sockaddr_un); + } + sa = (struct sockaddr *) kosa; sa->sa_family = bdom; sa->sa_len = alloclen; Modified: releng/7.4/sys/conf/newvers.sh ============================================================================== --- releng/7.4/sys/conf/newvers.sh Tue Oct 4 18:45:29 2011 (r226022) +++ releng/7.4/sys/conf/newvers.sh Tue Oct 4 19:07:38 2011 (r226023) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.4" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.1/UPDATING ============================================================================== --- releng/8.1/UPDATING Tue Oct 4 18:45:29 2011 (r226022) +++ releng/8.1/UPDATING Tue Oct 4 19:07:38 2011 (r226023) @@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20111004: p6 FreeBSD-SA-11:05.unix (revised) + Fix a bug in UNIX socket handling in the linux emulator which was + exposed by the security fix in FreeBSD-SA-11:05.unix. + 20110928: p5 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix Fix handling of corrupt compress(1)ed data. [11:04] Modified: releng/8.1/sys/compat/linux/linux_socket.c ============================================================================== --- releng/8.1/sys/compat/linux/linux_socket.c Tue Oct 4 18:45:29 2011 (r226022) +++ releng/8.1/sys/compat/linux/linux_socket.c Tue Oct 4 19:07:38 2011 (r226023) @@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const s int oldv6size; struct sockaddr_in6 *sin6; #endif + int namelen; if (*osalen < 2 || *osalen > UCHAR_MAX || !osa) return (EINVAL); @@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const s } } + if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) { + for (namelen = 0; + namelen < *osalen - offsetof(struct sockaddr_un, sun_path); + namelen++) + if (!((struct sockaddr_un *)kosa)->sun_path[namelen]) + break; + if (namelen + offsetof(struct sockaddr_un, sun_path) > + sizeof(struct sockaddr_un)) { + error = EINVAL; + goto out; + } + alloclen = sizeof(struct sockaddr_un); + } + sa = (struct sockaddr *) kosa; sa->sa_family = bdom; sa->sa_len = alloclen; Modified: releng/8.1/sys/conf/newvers.sh ============================================================================== --- releng/8.1/sys/conf/newvers.sh Tue Oct 4 18:45:29 2011 (r226022) +++ releng/8.1/sys/conf/newvers.sh Tue Oct 4 19:07:38 2011 (r226023) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.1" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.2/UPDATING ============================================================================== --- releng/8.2/UPDATING Tue Oct 4 18:45:29 2011 (r226022) +++ releng/8.2/UPDATING Tue Oct 4 19:07:38 2011 (r226023) @@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20111004: p4 FreeBSD-SA-11:05.unix (revised) + Fix a bug in UNIX socket handling in the linux emulator which was + exposed by the security fix in FreeBSD-SA-11:05.unix. + 20110928: p3 FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix Fix handling of corrupt compress(1)ed data. [11:04] Modified: releng/8.2/sys/compat/linux/linux_socket.c ============================================================================== --- releng/8.2/sys/compat/linux/linux_socket.c Tue Oct 4 18:45:29 2011 (r226022) +++ releng/8.2/sys/compat/linux/linux_socket.c Tue Oct 4 19:07:38 2011 (r226023) @@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const s int oldv6size; struct sockaddr_in6 *sin6; #endif + int namelen; if (*osalen < 2 || *osalen > UCHAR_MAX || !osa) return (EINVAL); @@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const s } } + if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) { + for (namelen = 0; + namelen < *osalen - offsetof(struct sockaddr_un, sun_path); + namelen++) + if (!((struct sockaddr_un *)kosa)->sun_path[namelen]) + break; + if (namelen + offsetof(struct sockaddr_un, sun_path) > + sizeof(struct sockaddr_un)) { + error = EINVAL; + goto out; + } + alloclen = sizeof(struct sockaddr_un); + } + sa = (struct sockaddr *) kosa; sa->sa_family = bdom; sa->sa_len = alloclen; Modified: releng/8.2/sys/conf/newvers.sh ============================================================================== --- releng/8.2/sys/conf/newvers.sh Tue Oct 4 18:45:29 2011 (r226022) +++ releng/8.2/sys/conf/newvers.sh Tue Oct 4 19:07:38 2011 (r226023) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.2" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi