Date:      Tue, 4 Oct 2011 19:07:39 +0000 (UTC)
From:      Colin Percival <cperciva@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r226023 - head/sys/compat/linux releng/7.3 releng/7.3/sys/compat/linux releng/7.3/sys/conf releng/7.4 releng/7.4/sys/compat/linux releng/7.4/sys/conf releng/8.1 releng/8.1/sys/compat/li...
Message-ID:  <201110041907.p94J7dnD075286@svn.freebsd.org>

Author: cperciva
Date: Tue Oct  4 19:07:38 2011
New Revision: 226023
URL: http://svn.freebsd.org/changeset/base/226023

Log:
  Fix a bug in UNIX socket handling in the linux emulator which was
  exposed by the security fix in FreeBSD-SA-11:05.unix.
  
  Approved by:	so (cperciva)
  Approved by:	re (kib)
  Security:	Related to FreeBSD-SA-11:05.unix, but not actually
  		a security fix.

Modified:
  releng/7.3/UPDATING
  releng/7.3/sys/compat/linux/linux_socket.c
  releng/7.3/sys/conf/newvers.sh
  releng/7.4/UPDATING
  releng/7.4/sys/compat/linux/linux_socket.c
  releng/7.4/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/sys/compat/linux/linux_socket.c
  releng/8.1/sys/conf/newvers.sh
  releng/8.2/UPDATING
  releng/8.2/sys/compat/linux/linux_socket.c
  releng/8.2/sys/conf/newvers.sh

Changes in other areas also in this revision:
Modified:
  head/sys/compat/linux/linux_socket.c
  stable/7/sys/compat/linux/linux_socket.c
  stable/8/sys/compat/linux/linux_socket.c
  stable/9/sys/compat/linux/linux_socket.c

Modified: releng/7.3/UPDATING
==============================================================================
--- releng/7.3/UPDATING	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.3/UPDATING	Tue Oct  4 19:07:38 2011	(r226023)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20111004:	p8	FreeBSD-SA-11:05.unix (revised)
+	Fix a bug in UNIX socket handling in the linux emulator which was
+	exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928:	p7	FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 	Fix handling of corrupt compress(1)ed data. [11:04]
 

Modified: releng/7.3/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/7.3/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.3/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -101,6 +101,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -158,6 +159,20 @@ do_sa_get(struct sockaddr **sap, const s
 	if (bdom == AF_INET)
 		alloclen = sizeof(struct sockaddr_in);
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;
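Review bot: The bound test `namelen + offsetof(struct sockaddr_un, sun_path) > sizeof(struct sockaddr_un)` still accepts a name that fills `sun_path` completely without a terminating NUL, so after `alloclen = sizeof(struct sockaddr_un)` the address is delimited only by `sa_len`, and the block has no comment saying this is intended. I would add above the `if`: `/* Linux callers may pass a longer sockaddr_un than ours; accept it only when the path itself fits, then clamp. The path may be unterminated, so consumers must honour sa_len. */`. `namelen` is declared `int` in the first hunk but compared with a `size_t` expression; the `*osalen > sizeof(struct sockaddr_un)` guard keeps the subtraction from wrapping, yet `size_t namelen;` would remove the signed/unsigned mix. Whether every byte of `kosa` up to `*osalen` was filled by the copy-in is decided outside the hunk, since do_sa_get starts and ends outside it. The same block is added in releng/7.4, releng/8.1 and releng/8.2, and this note applies there as well.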

Modified: releng/7.3/sys/conf/newvers.sh
==============================================================================
--- releng/7.3/sys/conf/newvers.sh	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.3/sys/conf/newvers.sh	Tue Oct  4 19:07:38 2011	(r226023)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.3"
-BRANCH="RELEASE-p7"
+BRANCH="RELEASE-p8"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/7.4/UPDATING
==============================================================================
--- releng/7.4/UPDATING	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.4/UPDATING	Tue Oct  4 19:07:38 2011	(r226023)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20111004:	p4	FreeBSD-SA-11:05.unix (revised)
+	Fix a bug in UNIX socket handling in the linux emulator which was
+	exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928:	p3	FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 	Fix handling of corrupt compress(1)ed data. [11:04]
 

Modified: releng/7.4/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/7.4/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.4/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -101,6 +101,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -163,6 +164,20 @@ do_sa_get(struct sockaddr **sap, const s
 		}
 	}
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;

Modified: releng/7.4/sys/conf/newvers.sh
==============================================================================
--- releng/7.4/sys/conf/newvers.sh	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/7.4/sys/conf/newvers.sh	Tue Oct  4 19:07:38 2011	(r226023)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.4"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.1/UPDATING
==============================================================================
--- releng/8.1/UPDATING	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.1/UPDATING	Tue Oct  4 19:07:38 2011	(r226023)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20111004:	p6	FreeBSD-SA-11:05.unix (revised)
+	Fix a bug in UNIX socket handling in the linux emulator which was
+	exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928:	p5	FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 	Fix handling of corrupt compress(1)ed data. [11:04]
 

Modified: releng/8.1/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/8.1/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.1/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const s
 		}
 	}
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;

Modified: releng/8.1/sys/conf/newvers.sh
==============================================================================
--- releng/8.1/sys/conf/newvers.sh	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.1/sys/conf/newvers.sh	Tue Oct  4 19:07:38 2011	(r226023)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.1"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.2/UPDATING
==============================================================================
--- releng/8.2/UPDATING	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.2/UPDATING	Tue Oct  4 19:07:38 2011	(r226023)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20111004:	p4	FreeBSD-SA-11:05.unix (revised)
+	Fix a bug in UNIX socket handling in the linux emulator which was
+	exposed by the security fix in FreeBSD-SA-11:05.unix.
+
 20110928:	p3	FreeBSD-SA-11:04.compress, FreeBSD-SA-11:05.unix
 	Fix handling of corrupt compress(1)ed data. [11:04]
 

Modified: releng/8.2/sys/compat/linux/linux_socket.c
==============================================================================
--- releng/8.2/sys/compat/linux/linux_socket.c	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.2/sys/compat/linux/linux_socket.c	Tue Oct  4 19:07:38 2011	(r226023)
@@ -103,6 +103,7 @@ do_sa_get(struct sockaddr **sap, const s
 	int oldv6size;
 	struct sockaddr_in6 *sin6;
 #endif
+	int namelen;
 
 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
 		return (EINVAL);
@@ -165,6 +166,20 @@ do_sa_get(struct sockaddr **sap, const s
 		}
 	}
 
+	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
+		for (namelen = 0;
+		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
+		    namelen++)
+			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
+				break;
+		if (namelen + offsetof(struct sockaddr_un, sun_path) >
+		    sizeof(struct sockaddr_un)) {
+			error = EINVAL;
+			goto out;
+		}
+		alloclen = sizeof(struct sockaddr_un);
+	}
+
 	sa = (struct sockaddr *) kosa;
 	sa->sa_family = bdom;
 	sa->sa_len = alloclen;

Modified: releng/8.2/sys/conf/newvers.sh
==============================================================================
--- releng/8.2/sys/conf/newvers.sh	Tue Oct  4 18:45:29 2011	(r226022)
+++ releng/8.2/sys/conf/newvers.sh	Tue Oct  4 19:07:38 2011	(r226023)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.2"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi


