Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 14 Jan 2014 19:42:28 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r260647 - in releng: 8.3 8.3/contrib/bind9/bin/named 8.3/contrib/bsnmp/lib 8.3/contrib/ntp/ntpd 8.3/sys/conf 8.3/sys/dev/random 8.3/sys/vm 8.4 8.4/contrib/bind9/bin/named 8.4/contrib/bs...
Message-ID:  <201401141942.s0EJgSVO019605@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: delphij
Date: Tue Jan 14 19:42:28 2014
New Revision: 260647
URL: http://svnweb.freebsd.org/changeset/base/260647

Log:
  Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
  
  Fix ntpd distributed reflection Denial of Service vulnerability.
  [SA-14:02]
  
  Fix BIND remote denial of service vulnerability. [SA-14:04]
  
  Disable hardware RNGs by default. [EN-14:01]
  
  Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
  
  Approved by:	so

Modified:
  releng/8.3/UPDATING
  releng/8.3/contrib/bind9/bin/named/query.c
  releng/8.3/contrib/bsnmp/lib/snmpagent.c
  releng/8.3/contrib/ntp/ntpd/ntp_config.c
  releng/8.3/sys/conf/newvers.sh
  releng/8.3/sys/dev/random/probe.c
  releng/8.3/sys/vm/vm_map.c
  releng/8.4/UPDATING
  releng/8.4/contrib/bind9/bin/named/query.c
  releng/8.4/contrib/bsnmp/lib/snmpagent.c
  releng/8.4/contrib/ntp/ntpd/ntp_config.c
  releng/8.4/sys/conf/newvers.sh
  releng/8.4/sys/dev/random/probe.c
  releng/8.4/sys/vm/vm_map.c
  releng/9.1/UPDATING
  releng/9.1/contrib/bind9/bin/named/query.c
  releng/9.1/contrib/bsnmp/lib/snmpagent.c
  releng/9.1/contrib/ntp/ntpd/ntp_config.c
  releng/9.1/sys/conf/newvers.sh
  releng/9.1/sys/dev/random/probe.c
  releng/9.1/sys/vm/vm_map.c
  releng/9.2/UPDATING
  releng/9.2/contrib/bind9/bin/named/query.c
  releng/9.2/contrib/bsnmp/lib/snmpagent.c
  releng/9.2/contrib/ntp/ntpd/ntp_config.c
  releng/9.2/sys/conf/newvers.sh
  releng/9.2/sys/dev/random/probe.c
  releng/9.2/sys/vm/vm_map.c

Modified: releng/8.3/UPDATING
==============================================================================
--- releng/8.3/UPDATING	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.3/UPDATING	Tue Jan 14 19:42:28 2014	(r260647)
@@ -15,6 +15,22 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20140114:	p14	FreeBSD-SA-14:01.bsnmpd
+			FreeBSD-SA-14:02.ntpd
+			FreeBSD-SA-14:04.bind
+			FreeBSD-EN-14:01.random
+			FreeBSD-EN-14:02.mmap
+	Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
+
+	Fix ntpd distributed reflection Denial of Service
+	vulnerability. [SA-14:02]
+
+	Fix BIND remote denial of service vulnerability. [SA-14:04]
+
+	Disable hardware RNGs by default. [EN-14:01]
+
+	Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
+
 20131128:	p13	FreeBSD-EN-13:05.freebsd-update
 	Fix error in patch for FreeBSD-EN-13:04.freebsd-update.
 

Modified: releng/8.3/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/8.3/contrib/bind9/bin/named/query.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.3/contrib/bind9/bin/named/query.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -3622,8 +3622,7 @@ query_findclosestnsec3(dns_name_t *qname
 	dns_fixedname_t fixed;
 	dns_hash_t hash;
 	dns_name_t name;
-	int order;
-	unsigned int count;
+	unsigned int skip = 0, labels;
 	dns_rdata_nsec3_t nsec3;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_boolean_t optout;
@@ -3636,6 +3635,7 @@ query_findclosestnsec3(dns_name_t *qname
 
 	dns_name_init(&name, NULL);
 	dns_name_clone(qname, &name);
+	labels = dns_name_countlabels(&name);
 
 	/*
 	 * Map unknown algorithm to known value.
@@ -3667,13 +3667,14 @@ query_findclosestnsec3(dns_name_t *qname
 		dns_rdata_reset(&rdata);
 		optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
 		if (found != NULL && optout &&
-		    dns_name_fullcompare(&name, dns_db_origin(db), &order,
-					 &count) == dns_namereln_subdomain) {
+		    dns_name_issubdomain(&name, dns_db_origin(db)))
+		{
 			dns_rdataset_disassociate(rdataset);
 			if (dns_rdataset_isassociated(sigrdataset))
 				dns_rdataset_disassociate(sigrdataset);
-			count = dns_name_countlabels(&name) - 1;
-			dns_name_getlabelsequence(&name, 1, count, &name);
+			skip++;
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  &name);
 			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
 				      "looking for closest provable encloser");
@@ -3691,7 +3692,11 @@ query_findclosestnsec3(dns_name_t *qname
 		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
 			      "expected covering NSEC3, got an exact match");
-	if (found != NULL)
+	if (found == qname) {
+		if (skip != 0U)
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  found);
+	} else if (found != NULL)
 		dns_name_copy(&name, found, NULL);
 	return;
 }

Modified: releng/8.3/contrib/bsnmp/lib/snmpagent.c
==============================================================================
--- releng/8.3/contrib/bsnmp/lib/snmpagent.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.3/contrib/bsnmp/lib/snmpagent.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -488,6 +488,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struc
 	for (cnt = 0; cnt < pdu->error_index; cnt++) {
 		eomib = 1;
 		for (i = non_rep; i < pdu->nbindings; i++) {
+
+			if (resp->nbindings == SNMP_MAX_BINDINGS)
+				/* PDU is full */
+				goto done;
+
 			if (cnt == 0) 
 				result = do_getnext(&context, &pdu->bindings[i],
 				    &resp->bindings[resp->nbindings], pdu);

Modified: releng/8.3/contrib/ntp/ntpd/ntp_config.c
==============================================================================
--- releng/8.3/contrib/ntp/ntpd/ntp_config.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.3/contrib/ntp/ntpd/ntp_config.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -597,6 +597,8 @@ getconfig(
 #endif /* not SYS_WINNT */
 	}
 
+	proto_config(PROTO_MONITOR, 0, 0., NULL);
+
 	for (;;) {
 		if (tok == CONFIG_END) 
 			break;

Modified: releng/8.3/sys/conf/newvers.sh
==============================================================================
--- releng/8.3/sys/conf/newvers.sh	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.3/sys/conf/newvers.sh	Tue Jan 14 19:42:28 2014	(r260647)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.3"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.3/sys/dev/random/probe.c
==============================================================================
--- releng/8.3/sys/dev/random/probe.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.3/sys/dev/random/probe.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 #include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/random.h>
 #include <sys/selinfo.h>
@@ -57,7 +59,12 @@ random_ident_hardware(struct random_syst
 	/* Then go looking for hardware */
 #if defined(__i386__) && !defined(PC98)
 	if (via_feature_rng & VIA_HAS_RNG) {
-		*systat = random_nehemiah;
+		int enable;
+
+		enable = 0;
+		TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
+		if (enable)
+			*systat = random_nehemiah;
 	}
 #endif
 }

Modified: releng/8.3/sys/vm/vm_map.c
==============================================================================
--- releng/8.3/sys/vm/vm_map.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.3/sys/vm/vm_map.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -1215,6 +1215,7 @@ charged:
 	}
 	else if ((prev_entry != &map->header) &&
 		 (prev_entry->eflags == protoeflags) &&
+		 (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 &&
 		 (prev_entry->end == start) &&
 		 (prev_entry->wired_count == 0) &&
 		 (prev_entry->uip == uip ||
@@ -3186,7 +3187,6 @@ vm_map_stack(vm_map_t map, vm_offset_t a
 	 * NOTE: We explicitly allow bi-directional stacks.
 	 */
 	orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP);
-	cow &= ~orient;
 	KASSERT(orient != 0, ("No stack grow direction"));
 
 	if (addrbos < vm_map_min(map) ||

Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.4/UPDATING	Tue Jan 14 19:42:28 2014	(r260647)
@@ -15,6 +15,22 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20140114:	p7	FreeBSD-SA-14:01.bsnmpd
+			FreeBSD-SA-14:02.ntpd
+			FreeBSD-SA-14:04.bind
+			FreeBSD-EN-14:01.random
+			FreeBSD-EN-14:02.mmap
+	Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
+
+	Fix ntpd distributed reflection Denial of Service
+	vulnerability. [SA-14:02]
+
+	Fix BIND remote denial of service vulnerability. [SA-14:04]
+
+	Disable hardware RNGs by default. [EN-14:01]
+
+	Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
+
 20131128:	p6	FreeBSD-EN-13:05.freebsd-update
 	Fix error in patch for FreeBSD-EN-13:04.freebsd-update.
 

Modified: releng/8.4/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/8.4/contrib/bind9/bin/named/query.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.4/contrib/bind9/bin/named/query.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -5088,8 +5088,7 @@ query_findclosestnsec3(dns_name_t *qname
 	dns_fixedname_t fixed;
 	dns_hash_t hash;
 	dns_name_t name;
-	int order;
-	unsigned int count;
+	unsigned int skip = 0, labels;
 	dns_rdata_nsec3_t nsec3;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_boolean_t optout;
@@ -5102,6 +5101,7 @@ query_findclosestnsec3(dns_name_t *qname
 
 	dns_name_init(&name, NULL);
 	dns_name_clone(qname, &name);
+	labels = dns_name_countlabels(&name);
 
 	/*
 	 * Map unknown algorithm to known value.
@@ -5133,13 +5133,14 @@ query_findclosestnsec3(dns_name_t *qname
 		dns_rdata_reset(&rdata);
 		optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
 		if (found != NULL && optout &&
-		    dns_name_fullcompare(&name, dns_db_origin(db), &order,
-					 &count) == dns_namereln_subdomain) {
+		    dns_name_issubdomain(&name, dns_db_origin(db)))
+		{
 			dns_rdataset_disassociate(rdataset);
 			if (dns_rdataset_isassociated(sigrdataset))
 				dns_rdataset_disassociate(sigrdataset);
-			count = dns_name_countlabels(&name) - 1;
-			dns_name_getlabelsequence(&name, 1, count, &name);
+			skip++;
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  &name);
 			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
 				      "looking for closest provable encloser");
@@ -5157,7 +5158,11 @@ query_findclosestnsec3(dns_name_t *qname
 		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
 			      "expected covering NSEC3, got an exact match");
-	if (found != NULL)
+	if (found == qname) {
+		if (skip != 0U)
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  found);
+	} else if (found != NULL)
 		dns_name_copy(&name, found, NULL);
 	return;
 }

Modified: releng/8.4/contrib/bsnmp/lib/snmpagent.c
==============================================================================
--- releng/8.4/contrib/bsnmp/lib/snmpagent.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.4/contrib/bsnmp/lib/snmpagent.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -488,6 +488,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struc
 	for (cnt = 0; cnt < pdu->error_index; cnt++) {
 		eomib = 1;
 		for (i = non_rep; i < pdu->nbindings; i++) {
+
+			if (resp->nbindings == SNMP_MAX_BINDINGS)
+				/* PDU is full */
+				goto done;
+
 			if (cnt == 0) 
 				result = do_getnext(&context, &pdu->bindings[i],
 				    &resp->bindings[resp->nbindings], pdu);

Modified: releng/8.4/contrib/ntp/ntpd/ntp_config.c
==============================================================================
--- releng/8.4/contrib/ntp/ntpd/ntp_config.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.4/contrib/ntp/ntpd/ntp_config.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -597,6 +597,8 @@ getconfig(
 #endif /* not SYS_WINNT */
 	}
 
+	proto_config(PROTO_MONITOR, 0, 0., NULL);
+
 	for (;;) {
 		if (tok == CONFIG_END) 
 			break;

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.4/sys/conf/newvers.sh	Tue Jan 14 19:42:28 2014	(r260647)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p6"
+BRANCH="RELEASE-p7"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.4/sys/dev/random/probe.c
==============================================================================
--- releng/8.4/sys/dev/random/probe.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.4/sys/dev/random/probe.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -73,7 +73,7 @@ random_ident_hardware(struct random_syst
 	if (via_feature_rng & VIA_HAS_RNG) {
 		int enable;
 
-		enable = 1;
+		enable = 0;
 		TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
 		if (enable)
 			*systat = random_nehemiah;
@@ -83,7 +83,7 @@ random_ident_hardware(struct random_syst
 	if (cpu_feature2 & CPUID2_RDRAND) {
 		int enable;
 
-		enable = 1;
+		enable = 0;
 		TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable);
 		if (enable)
 			*systat = random_ivy;

Modified: releng/8.4/sys/vm/vm_map.c
==============================================================================
--- releng/8.4/sys/vm/vm_map.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/8.4/sys/vm/vm_map.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -1217,6 +1217,7 @@ charged:
 	}
 	else if ((prev_entry != &map->header) &&
 		 (prev_entry->eflags == protoeflags) &&
+		 (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 &&
 		 (prev_entry->end == start) &&
 		 (prev_entry->wired_count == 0) &&
 		 (prev_entry->uip == uip ||
@@ -3189,7 +3190,6 @@ vm_map_stack(vm_map_t map, vm_offset_t a
 	 * NOTE: We explicitly allow bi-directional stacks.
 	 */
 	orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP);
-	cow &= ~orient;
 	KASSERT(orient != 0, ("No stack grow direction"));
 
 	if (addrbos < vm_map_min(map) ||

Modified: releng/9.1/UPDATING
==============================================================================
--- releng/9.1/UPDATING	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.1/UPDATING	Tue Jan 14 19:42:28 2014	(r260647)
@@ -9,6 +9,22 @@ handbook.
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20140114:	p10	FreeBSD-SA-14:01.bsnmpd
+			FreeBSD-SA-14:02.ntpd
+			FreeBSD-SA-14:04.bind
+			FreeBSD-EN-14:01.random
+			FreeBSD-EN-14:02.mmap
+	Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
+
+	Fix ntpd distributed reflection Denial of Service
+	vulnerability. [SA-14:02]
+
+	Fix BIND remote denial of service vulnerability. [SA-14:04]
+
+	Disable hardware RNGs by default. [EN-14:01]
+
+	Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
+
 20131128:	p9	FreeBSD-EN-13:05.freebsd-update
 	Fix error in patch for FreeBSD-EN-13:04.freebsd-update.
 

Modified: releng/9.1/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/9.1/contrib/bind9/bin/named/query.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.1/contrib/bind9/bin/named/query.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -5022,8 +5022,7 @@ query_findclosestnsec3(dns_name_t *qname
 	dns_fixedname_t fixed;
 	dns_hash_t hash;
 	dns_name_t name;
-	int order;
-	unsigned int count;
+	unsigned int skip = 0, labels;
 	dns_rdata_nsec3_t nsec3;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_boolean_t optout;
@@ -5036,6 +5035,7 @@ query_findclosestnsec3(dns_name_t *qname
 
 	dns_name_init(&name, NULL);
 	dns_name_clone(qname, &name);
+	labels = dns_name_countlabels(&name);
 
 	/*
 	 * Map unknown algorithm to known value.
@@ -5067,13 +5067,14 @@ query_findclosestnsec3(dns_name_t *qname
 		dns_rdata_reset(&rdata);
 		optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
 		if (found != NULL && optout &&
-		    dns_name_fullcompare(&name, dns_db_origin(db), &order,
-					 &count) == dns_namereln_subdomain) {
+		    dns_name_issubdomain(&name, dns_db_origin(db)))
+		{
 			dns_rdataset_disassociate(rdataset);
 			if (dns_rdataset_isassociated(sigrdataset))
 				dns_rdataset_disassociate(sigrdataset);
-			count = dns_name_countlabels(&name) - 1;
-			dns_name_getlabelsequence(&name, 1, count, &name);
+			skip++;
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  &name);
 			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
 				      "looking for closest provable encloser");
@@ -5091,7 +5092,11 @@ query_findclosestnsec3(dns_name_t *qname
 		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
 			      "expected covering NSEC3, got an exact match");
-	if (found != NULL)
+	if (found == qname) {
+		if (skip != 0U)
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  found);
+	} else if (found != NULL)
 		dns_name_copy(&name, found, NULL);
 	return;
 }

Modified: releng/9.1/contrib/bsnmp/lib/snmpagent.c
==============================================================================
--- releng/9.1/contrib/bsnmp/lib/snmpagent.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.1/contrib/bsnmp/lib/snmpagent.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -499,6 +499,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struc
 	for (cnt = 0; cnt < pdu->error_index; cnt++) {
 		eomib = 1;
 		for (i = non_rep; i < pdu->nbindings; i++) {
+
+			if (resp->nbindings == SNMP_MAX_BINDINGS)
+				/* PDU is full */
+				goto done;
+
 			if (cnt == 0) 
 				result = do_getnext(&context, &pdu->bindings[i],
 				    &resp->bindings[resp->nbindings], pdu);

Modified: releng/9.1/contrib/ntp/ntpd/ntp_config.c
==============================================================================
--- releng/9.1/contrib/ntp/ntpd/ntp_config.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.1/contrib/ntp/ntpd/ntp_config.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -597,6 +597,8 @@ getconfig(
 #endif /* not SYS_WINNT */
 	}
 
+	proto_config(PROTO_MONITOR, 0, 0., NULL);
+
 	for (;;) {
 		if (tok == CONFIG_END) 
 			break;

Modified: releng/9.1/sys/conf/newvers.sh
==============================================================================
--- releng/9.1/sys/conf/newvers.sh	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.1/sys/conf/newvers.sh	Tue Jan 14 19:42:28 2014	(r260647)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.1"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.1/sys/dev/random/probe.c
==============================================================================
--- releng/9.1/sys/dev/random/probe.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.1/sys/dev/random/probe.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 #include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/random.h>
 #include <sys/selinfo.h>
@@ -57,7 +59,12 @@ random_ident_hardware(struct random_syst
 	/* Then go looking for hardware */
 #if defined(__amd64__) || (defined(__i386__) && !defined(PC98))
 	if (via_feature_rng & VIA_HAS_RNG) {
-		*systat = random_nehemiah;
+		int enable;
+
+		enable = 0;
+		TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
+		if (enable)
+			*systat = random_nehemiah;
 	}
 #endif
 }

Modified: releng/9.1/sys/vm/vm_map.c
==============================================================================
--- releng/9.1/sys/vm/vm_map.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.1/sys/vm/vm_map.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -1236,6 +1236,7 @@ charged:
 	}
 	else if ((prev_entry != &map->header) &&
 		 (prev_entry->eflags == protoeflags) &&
+		 (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 &&
 		 (prev_entry->end == start) &&
 		 (prev_entry->wired_count == 0) &&
 		 (prev_entry->cred == cred ||
@@ -3256,7 +3257,6 @@ vm_map_stack(vm_map_t map, vm_offset_t a
 	 * NOTE: We explicitly allow bi-directional stacks.
 	 */
 	orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP);
-	cow &= ~orient;
 	KASSERT(orient != 0, ("No stack grow direction"));
 
 	if (addrbos < vm_map_min(map) ||

Modified: releng/9.2/UPDATING
==============================================================================
--- releng/9.2/UPDATING	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.2/UPDATING	Tue Jan 14 19:42:28 2014	(r260647)
@@ -11,6 +11,22 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20140114:	p3	FreeBSD-SA-14:01.bsnmpd
+			FreeBSD-SA-14:02.ntpd
+			FreeBSD-SA-14:04.bind
+			FreeBSD-EN-14:01.random
+			FreeBSD-EN-14:02.mmap
+	Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
+
+	Fix ntpd distributed reflection Denial of Service
+	vulnerability. [SA-14:02]
+
+	Fix BIND remote denial of service vulnerability. [SA-14:04]
+
+	Disable hardware RNGs by default. [EN-14:01]
+
+	Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
+
 20131128:	p2	FreeBSD-EN-13:05.freebsd-update
 	Fix error in patch for FreeBSD-EN-13:04.freebsd-update.
 

Modified: releng/9.2/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/9.2/contrib/bind9/bin/named/query.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.2/contrib/bind9/bin/named/query.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -5088,8 +5088,7 @@ query_findclosestnsec3(dns_name_t *qname
 	dns_fixedname_t fixed;
 	dns_hash_t hash;
 	dns_name_t name;
-	int order;
-	unsigned int count;
+	unsigned int skip = 0, labels;
 	dns_rdata_nsec3_t nsec3;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_boolean_t optout;
@@ -5102,6 +5101,7 @@ query_findclosestnsec3(dns_name_t *qname
 
 	dns_name_init(&name, NULL);
 	dns_name_clone(qname, &name);
+	labels = dns_name_countlabels(&name);
 
 	/*
 	 * Map unknown algorithm to known value.
@@ -5133,13 +5133,14 @@ query_findclosestnsec3(dns_name_t *qname
 		dns_rdata_reset(&rdata);
 		optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
 		if (found != NULL && optout &&
-		    dns_name_fullcompare(&name, dns_db_origin(db), &order,
-					 &count) == dns_namereln_subdomain) {
+		    dns_name_issubdomain(&name, dns_db_origin(db)))
+		{
 			dns_rdataset_disassociate(rdataset);
 			if (dns_rdataset_isassociated(sigrdataset))
 				dns_rdataset_disassociate(sigrdataset);
-			count = dns_name_countlabels(&name) - 1;
-			dns_name_getlabelsequence(&name, 1, count, &name);
+			skip++;
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  &name);
 			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
 				      "looking for closest provable encloser");
@@ -5157,7 +5158,11 @@ query_findclosestnsec3(dns_name_t *qname
 		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
 			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
 			      "expected covering NSEC3, got an exact match");
-	if (found != NULL)
+	if (found == qname) {
+		if (skip != 0U)
+			dns_name_getlabelsequence(qname, skip, labels - skip,
+						  found);
+	} else if (found != NULL)
 		dns_name_copy(&name, found, NULL);
 	return;
 }

Modified: releng/9.2/contrib/bsnmp/lib/snmpagent.c
==============================================================================
--- releng/9.2/contrib/bsnmp/lib/snmpagent.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.2/contrib/bsnmp/lib/snmpagent.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -499,6 +499,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struc
 	for (cnt = 0; cnt < pdu->error_index; cnt++) {
 		eomib = 1;
 		for (i = non_rep; i < pdu->nbindings; i++) {
+
+			if (resp->nbindings == SNMP_MAX_BINDINGS)
+				/* PDU is full */
+				goto done;
+
 			if (cnt == 0) 
 				result = do_getnext(&context, &pdu->bindings[i],
 				    &resp->bindings[resp->nbindings], pdu);

Modified: releng/9.2/contrib/ntp/ntpd/ntp_config.c
==============================================================================
--- releng/9.2/contrib/ntp/ntpd/ntp_config.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.2/contrib/ntp/ntpd/ntp_config.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -597,6 +597,8 @@ getconfig(
 #endif /* not SYS_WINNT */
 	}
 
+	proto_config(PROTO_MONITOR, 0, 0., NULL);
+
 	for (;;) {
 		if (tok == CONFIG_END) 
 			break;

Modified: releng/9.2/sys/conf/newvers.sh
==============================================================================
--- releng/9.2/sys/conf/newvers.sh	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.2/sys/conf/newvers.sh	Tue Jan 14 19:42:28 2014	(r260647)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.2"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.2/sys/dev/random/probe.c
==============================================================================
--- releng/9.2/sys/dev/random/probe.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.2/sys/dev/random/probe.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -73,7 +73,7 @@ random_ident_hardware(struct random_syst
 	if (via_feature_rng & VIA_HAS_RNG) {
 		int enable;
 
-		enable = 1;
+		enable = 0;
 		TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
 		if (enable)
 			*systat = random_nehemiah;
@@ -83,7 +83,7 @@ random_ident_hardware(struct random_syst
 	if (cpu_feature2 & CPUID2_RDRAND) {
 		int enable;
 
-		enable = 1;
+		enable = 0;
 		TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable);
 		if (enable)
 			*systat = random_ivy;

Modified: releng/9.2/sys/vm/vm_map.c
==============================================================================
--- releng/9.2/sys/vm/vm_map.c	Tue Jan 14 19:38:37 2014	(r260646)
+++ releng/9.2/sys/vm/vm_map.c	Tue Jan 14 19:42:28 2014	(r260647)
@@ -1230,6 +1230,7 @@ charged:
 	}
 	else if ((prev_entry != &map->header) &&
 		 (prev_entry->eflags == protoeflags) &&
+		 (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 &&
 		 (prev_entry->end == start) &&
 		 (prev_entry->wired_count == 0) &&
 		 (prev_entry->cred == cred ||
@@ -3260,7 +3261,6 @@ vm_map_stack(vm_map_t map, vm_offset_t a
 	 * NOTE: We explicitly allow bi-directional stacks.
 	 */
 	orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP);
-	cow &= ~orient;
 	KASSERT(orient != 0, ("No stack grow direction"));
 
 	if (addrbos < vm_map_min(map) ||



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201401141942.s0EJgSVO019605>