From: Gleb Smirnoff
Date: Thu, 14 Jan 2016 09:11:42 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r293897 - in stable/10: etc sys/amd64/linux32 sys/compat/linux sys/i386/linux sys/kern sys/netinet sys/netinet6 sys/sys

Author: glebius
Date: Thu Jan 14 09:11:42 2016
New Revision: 293897
URL: https://svnweb.freebsd.org/changeset/base/293897

Log:
  o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]
  o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
  o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
  o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
  o Fix insecure default bsnmpd.conf permissions.
[SA-16:06.bsnmpd] Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879 Security: FreeBSD-SA-16:03.linux, CVE-2016-1880 Security: FreeBSD-SA-16:04.linux, CVE-2016-1881 Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882 Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677 Modified: stable/10/etc/Makefile stable/10/sys/amd64/linux32/linux32_proto.h stable/10/sys/amd64/linux32/linux32_systrace_args.c stable/10/sys/amd64/linux32/syscalls.master stable/10/sys/compat/linux/linux_futex.c stable/10/sys/compat/linux/linux_misc.c stable/10/sys/i386/linux/syscalls.master stable/10/sys/kern/kern_prot.c stable/10/sys/netinet/tcp_output.c stable/10/sys/netinet6/sctp6_usrreq.c stable/10/sys/sys/ucred.h Modified: stable/10/etc/Makefile ============================================================================== --- stable/10/etc/Makefile Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/etc/Makefile Thu Jan 14 09:11:42 2016 (r293897) @@ -86,10 +86,6 @@ BIN1+= apmd.conf BIN1+= auto_master .endif -.if ${MK_BSNMP} != "no" -BIN1+= snmpd.config -.endif - .if ${MK_FREEBSD_UPDATE} != "no" BIN1+= freebsd-update.conf .endif @@ -218,6 +214,11 @@ distribution: ${BIN2} ${DESTDIR}/etc; \ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \ master.passwd nsmb.conf opieaccess ${DESTDIR}/etc; +.if ${MK_BSNMP} != "no" + cd ${.CURDIR}; \ + ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \ + snmpd.config ${DESTDIR}/etc; +.endif .if ${MK_AT} == "no" sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab .endif Modified: stable/10/sys/amd64/linux32/linux32_proto.h ============================================================================== --- stable/10/sys/amd64/linux32/linux32_proto.h Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/amd64/linux32/linux32_proto.h Thu Jan 14 09:11:42 2016 (r293897) 
@@ -1023,7 +1023,7 @@ struct linux_set_robust_list_args { }; struct linux_get_robust_list_args { char pid_l_[PADL_(l_int)]; l_int pid; char pid_r_[PADR_(l_int)]; - char head_l_[PADL_(struct linux_robust_list_head *)]; struct linux_robust_list_head * head; char head_r_[PADR_(struct linux_robust_list_head *)]; + char head_l_[PADL_(struct linux_robust_list_head **)]; struct linux_robust_list_head ** head; char head_r_[PADR_(struct linux_robust_list_head **)]; char len_l_[PADL_(l_size_t *)]; l_size_t * len; char len_r_[PADR_(l_size_t *)]; }; struct linux_splice_args { Modified: stable/10/sys/amd64/linux32/linux32_systrace_args.c ============================================================================== --- stable/10/sys/amd64/linux32/linux32_systrace_args.c Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/amd64/linux32/linux32_systrace_args.c Thu Jan 14 09:11:42 2016 (r293897) @@ -2122,7 +2122,7 @@ systrace_args(int sysnum, void *params, case 312: { struct linux_get_robust_list_args *p = params; iarg[0] = p->pid; /* l_int */ - uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head * */ + uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head ** */ uarg[2] = (intptr_t) p->len; /* l_size_t * */ *n_args = 3; break; @@ -5551,7 +5551,7 @@ systrace_entry_setargdesc(int sysnum, in p = "l_int"; break; case 1: - p = "struct linux_robust_list_head *"; + p = "struct linux_robust_list_head **"; break; case 2: p = "l_size_t *"; Modified: stable/10/sys/amd64/linux32/syscalls.master ============================================================================== --- stable/10/sys/amd64/linux32/syscalls.master Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/amd64/linux32/syscalls.master Thu Jan 14 09:11:42 2016 (r293897) 
@@ -520,8 +520,8 @@ ; linux 2.6.17: 311 AUE_NULL STD { int linux_set_robust_list(struct linux_robust_list_head *head, \ l_size_t len); } -312 AUE_NULL STD { int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \ - l_size_t *len); } +312 AUE_NULL STD { int linux_get_robust_list(l_int pid, \ + struct linux_robust_list_head **head, l_size_t *len); } 313 AUE_NULL STD { int linux_splice(void); } 314 AUE_NULL STD { int linux_sync_file_range(void); } 315 AUE_NULL STD { int linux_tee(void); } Modified: stable/10/sys/compat/linux/linux_futex.c ============================================================================== --- stable/10/sys/compat/linux/linux_futex.c Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/compat/linux/linux_futex.c Thu Jan 14 09:11:42 2016 (r293897) @@ -1132,7 +1132,7 @@ linux_get_robust_list(struct thread *td, return (EFAULT); } - error = copyout(head, args->head, sizeof(struct linux_robust_list_head)); + error = copyout(&head, args->head, sizeof(head)); if (error) { LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error, error); Modified: stable/10/sys/compat/linux/linux_misc.c ============================================================================== --- stable/10/sys/compat/linux/linux_misc.c Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/compat/linux/linux_misc.c Thu Jan 14 09:11:42 2016 (r293897) @@ -1302,9 +1302,11 @@ linux_setgroups(struct thread *td, struc if (error) goto out; newcred = crget(); + crextend(newcred, ngrp + 1); p = td->td_proc; PROC_LOCK(p); - oldcred = crcopysafe(p, newcred); + oldcred = p->p_ucred; + crcopy(newcred, oldcred); /* * cr_groups[0] holds egid. Setting the whole set from Modified: stable/10/sys/i386/linux/syscalls.master ============================================================================== --- stable/10/sys/i386/linux/syscalls.master Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/i386/linux/syscalls.master Thu Jan 14 09:11:42 2016 (r293897) 
@@ -528,8 +528,8 @@ ; linux 2.6.17: 311 AUE_NULL STD { int linux_set_robust_list(struct linux_robust_list_head *head, \ l_size_t len); } -312 AUE_NULL STD { int linux_get_robust_list(l_int pid, struct linux_robust_list_head **head, \ - l_size_t *len); } +312 AUE_NULL STD { int linux_get_robust_list(l_int pid, \ + struct linux_robust_list_head **head, l_size_t *len); } 313 AUE_NULL STD { int linux_splice(void); } 314 AUE_NULL STD { int linux_sync_file_range(void); } 315 AUE_NULL STD { int linux_tee(void); } Modified: stable/10/sys/kern/kern_prot.c ============================================================================== --- stable/10/sys/kern/kern_prot.c Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/kern/kern_prot.c Thu Jan 14 09:11:42 2016 (r293897) @@ -88,7 +88,6 @@ static MALLOC_DEFINE(M_CRED, "cred", "cr SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy"); -static void crextend(struct ucred *cr, int n); static void crsetgroups_locked(struct ucred *cr, int ngrp, gid_t *groups); @@ -1981,7 +1980,7 @@ crcopysafe(struct proc *p, struct ucred /* * Extend the passed in credential to hold n items. */ -static void +void crextend(struct ucred *cr, int n) { int cnt; Modified: stable/10/sys/netinet/tcp_output.c ============================================================================== --- stable/10/sys/netinet/tcp_output.c Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/netinet/tcp_output.c Thu Jan 14 09:11:42 2016 (r293897) @@ -745,8 +745,8 @@ send: * segments. Options for SYN-ACK segments are handled in TCP * syncache. */ + to.to_flags = 0; if ((tp->t_flags & TF_NOOPT) == 0) { - to.to_flags = 0; /* Maximum segment size. */ if (flags & TH_SYN) { tp->snd_nxt = tp->iss; 
@@ -1226,7 +1226,7 @@ send: tp->snd_up = tp->snd_una; /* drag it along */ #ifdef TCP_SIGNATURE - if (tp->t_flags & TF_SIGNATURE) { + if (to.to_flags & TOF_SIGNATURE) { int sigoff = to.to_signature - opt; tcp_signature_compute(m, 0, len, optlen, (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND); @@ -1696,6 +1696,7 @@ tcp_addoptions(struct tcpopt *to, u_char bcopy((u_char *)&to->to_tsecr, optp, sizeof(to->to_tsecr)); optp += sizeof(to->to_tsecr); break; +#ifdef TCP_SIGNATURE case TOF_SIGNATURE: { int siglen = TCPOLEN_SIGNATURE - 2; @@ -1714,6 +1715,7 @@ tcp_addoptions(struct tcpopt *to, u_char *optp++ = 0; break; } +#endif case TOF_SACK: { int sackblks = 0; Modified: stable/10/sys/netinet6/sctp6_usrreq.c ============================================================================== --- stable/10/sys/netinet6/sctp6_usrreq.c Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/netinet6/sctp6_usrreq.c Thu Jan 14 09:11:42 2016 (r293897) @@ -386,7 +386,6 @@ sctp6_ctlinput(int cmd, struct sockaddr * XXX: We assume that when IPV6 is non NULL, M and OFF are * valid. */ - /* check if we can safely examine src and dst ports */ struct sctp_inpcb *inp = NULL; struct sctp_tcb *stcb = NULL; struct sctp_nets *net = NULL; @@ -395,6 +394,10 @@ sctp6_ctlinput(int cmd, struct sockaddr if (ip6cp->ip6c_m == NULL) return; + /* Check if we can safely examine the SCTP header. */ + if (ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh)) + return; + bzero(&sh, sizeof(sh)); bzero(&final, sizeof(final)); inp = NULL; Modified: stable/10/sys/sys/ucred.h ============================================================================== --- stable/10/sys/sys/ucred.h Thu Jan 14 09:11:26 2016 (r293896) +++ stable/10/sys/sys/ucred.h Thu Jan 14 09:11:42 2016 (r293897) 
@@ -104,6 +104,7 @@ void change_svuid(struct ucred *newcred, void crcopy(struct ucred *dest, struct ucred *src); struct ucred *crcopysafe(struct proc *p, struct ucred *cr); struct ucred *crdup(struct ucred *cr); +void crextend(struct ucred *cr, int n); void cred_update_thread(struct thread *td); void crfree(struct ucred *cr); struct ucred *crget(void);
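
Review bot: in the etc/Makefile hunk at -218, the new `-m 600` install of snmpd.config lives only in the `distribution` target, so it sets the mode when /etc is populated; nothing in this patch tightens a snmpd.config that was already installed through BIN1. Consider an UPDATING or advisory note telling administrators to run `chmod 600 /etc/snmpd.config` on existing systems. A one-line comment above the new `.if ${MK_BSNMP} != "no"` block saying the file is kept out of BIN1 because it must not be world-readable would also keep someone from moving it back later.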
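
Review bot: in the linux_futex.c hunk at -1132, `copyout(&head, args->head, sizeof(head))` sizes the copy by the kernel's own pointer width. This same commit changes the amd64/linux32 prototype to `struct linux_robust_list_head **head`, and a 32-bit Linux process has a 4-byte slot behind that pointer, so if `head` is a native kernel pointer (as the old `sizeof(struct linux_robust_list_head)` call suggests) the amd64 build would write 8 bytes into it. Please confirm what the linux32 build copies out here, or copy an explicitly Linux-ABI-sized pointer value instead of relying on `sizeof(head)`.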
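
Review bot: in the linux_misc.c hunk at -1302, `crextend(newcred, ngrp + 1)` sizes newcred for the new group list only, and `crcopy(newcred, oldcred)` then runs with the proc lock held. If oldcred can carry more groups than `ngrp + 1`, the copy needs room that was not reserved before `PROC_LOCK(p)`; either size newcred for the larger of the two counts or add a comment stating why crcopy cannot need to grow the array here. The bound on `ngrp` is checked above the hunk and is not visible; since crextend is now exported from kern_prot.c through ucred.h, its comment ("Extend the passed in credential to hold n items.") should also say what callers must guarantee about `n` and about locks held.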
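
Review bot: in the tcp_output.c hunk at -745, moving `to.to_flags = 0;` out of the `TF_NOOPT` block deserves a comment, because the later test `if (to.to_flags & TOF_SIGNATURE)` at -1226 now depends on `to` being initialized on every path, including when options are disabled. The signature code still computes `int sigoff = to.to_signature - opt;`, so it is also worth confirming that tcp_addoptions never leaves `TOF_SIGNATURE` set in `to_flags` without having set `to_signature` (for example when there is no room for the option); that path is not visible in these hunks.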
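
Review bot: in the sctp6_usrreq.c hunk at -395, the new check `ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh)` is evaluated in unsigned arithmetic because `sizeof(sh)` is a size_t, so a negative `len` or `ip6c_off` would convert to a large value instead of failing the test. The "XXX: We assume that when IPV6 is non NULL, M and OFF are valid" comment above is left in place, so the check still trusts `ip6c_off`; consider rejecting a negative offset explicitly, or note in the comment that the caller guarantees it is non-negative.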