From: Robert Watson
Date: Sat, 7 Aug 2010 08:08:14 +0000 (UTC)
To: cvs-src-old@freebsd.org
Subject: cvs commit: src/sys/fs/coda coda.h coda_venus.c coda_vnops.c
Message-Id: <201008070808.o7788Z96044543@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

rwatson     2010-08-07 08:08:14 UTC

  FreeBSD src repository

  Modified files:
    sys/fs/coda          coda.h coda_venus.c coda_vnops.c
  Log:
  SVN rev 210997 on 2010-08-07 08:08:14Z by rwatson

  Properly bounds check ioctl/pioctl data arguments for Coda:

  1. Use unsigned rather than signed lengths
  2. Bound messages to/from Venus to VC_MAXMSGSIZE
  3. Bound messages to/from general user processes to VC_MAXDATASIZE
  4. Update comment regarding data limits for pioctl

  Without (1) and (3), it may be possible for unprivileged user processes to
  read sensitive portions of kernel memory.  This issue is only present if
  the Coda kernel module is loaded and venus (the userspace Coda daemon) is
  running and has /coda mounted.

  As Coda is considered experimental and production use is warned against in
  the coda(4) man page, and because Coda must be explicitly configured for a
  configuration to be vulnerable, we won't be issuing a security advisory.
  However, if you are using Coda, then you are advised to apply these fixes.

  Reported by:    Dan J. Rosenberg
  Obtained from:  NetBSD (Christos Zoulas)
  Security:       Kernel memory disclosure; no advisory as feature experimental
  MFC after:      3 days

  Revision  Changes    Path
  1.19      +4 -2      src/sys/fs/coda/coda.h
  1.34      +6 -0      src/sys/fs/coda/coda_venus.c
  1.103     +2 -1      src/sys/fs/coda/coda_vnops.c
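Why items (1) and (3) go together, as an added example that is not the Coda code and not part of this commit: a signed length that is only checked against an upper bound lets a negative value through, and that value becomes an enormous size once it reaches a copy routine taking size_t. The function names and the EX_MAXDATASIZE value are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Stands in for VC_MAXDATASIZE; the value is an assumption for this example. */
#define EX_MAXDATASIZE 8192

/*
 * Before: the caller-supplied length is signed and only its upper bound is
 * checked. A negative length passes the test, then turns into a huge size_t
 * when it is handed to a copy routine.
 */
int plan_copy_signed(int user_len, size_t *nbytes)
{
    if (user_len > EX_MAXDATASIZE)
        return -1;                  /* rejected */
    *nbytes = (size_t)user_len;     /* same conversion a size_t parameter does */
    return 0;
}

/*
 * After: the length is unsigned, so the same comparison covers every value
 * the caller can supply.
 */
int plan_copy_unsigned(unsigned int user_len, size_t *nbytes)
{
    if (user_len > EX_MAXDATASIZE)
        return -1;                  /* rejected */
    *nbytes = user_len;
    return 0;
}

int main(void)
{
    /* Constructed inputs: in range, at the bound, just over it, negative. */
    int lens[] = { 16, EX_MAXDATASIZE, EX_MAXDATASIZE + 1, -1 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        size_t n = 0;
        int s = plan_copy_signed(lens[i], &n);
        printf("len=%6d  signed: %s", lens[i], s ? "rejected" : "accepted");
        if (s == 0)
            printf(" (%zu bytes)", n);
        int u = plan_copy_unsigned((unsigned int)lens[i], &n);
        printf("  unsigned: %s\n", u ? "rejected" : "accepted");
    }
    return 0;
}
```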