Message-Id: <201606230541.u5N5fku1083572@repo.freebsd.org>
From: "Bjoern A. Zeeb"
Date: Thu, 23 Jun 2016 05:41:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r302117 - head/sys/netpfil/pf

Author: bz
Date: Thu Jun 23 05:41:46 2016
New Revision: 302117

URL: https://svnweb.freebsd.org/changeset/base/302117

Log:
  Import a fix for an old security issue (CVE-2010-3830) in pf which was
  not relevant to FreeBSD as only root could open /dev/pf by default.
  With VIMAGE this will no longer be the case. As pf(4) starts to be
  supported with VNETs 3rd party users may open /dev/pf inside the
  virtual jail instance; thus we need to address this issue after all.

  While OpenBSD largely rewrote code parts for the fix [1], and it's
  unclear what Apple [3] did, import the minimal fix from NetBSD [2].

  [1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_ioctl.c.diff?r1=1.235&r2=1.236
  [2] http://mail-index.netbsd.org/source-changes/2011/01/19/msg017518.html
  [3] https://support.apple.com/en-gb/HT202154

  Obtained from:	http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dist/pf/net/pf_ioctl.c.diff?r1=1.42&r2=1.43&only_with_tag=MAIN
  MFC After:	2 weeks
  Approved by:	re (gjb)
  Sponsored by:	The FreeBSD Foundation
  Security:	CVE-2010-3830

Modified:
  head/sys/netpfil/pf/pf_ioctl.c

Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c	Thu Jun 23 05:35:08 2016	(r302116)
+++ head/sys/netpfil/pf/pf_ioctl.c	Thu Jun 23 05:41:46 2016	(r302117)
@@ -1254,6 +1254,7 @@ pfioctl(struct cdev *dev, u_long cmd, ca error = ENOMEM; } + rule->overload_tbl = NULL; if (rule->overload_tblname[0]) { if ((rule->overload_tbl = pfr_attach_table(ruleset, rule->overload_tblname)) == NULL) @@ -1511,6 +1512,7 @@ DIOCADDRULE_error: error = ENOMEM; } + newrule->overload_tbl = NULL; if (newrule->overload_tblname[0]) { if ((newrule->overload_tbl = pfr_attach_table( ruleset, newrule->overload_tblname)) ==
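Review bot: In the first hunk (DIOCADDRULE, around line 1254) the new `rule->overload_tbl = NULL;` sits after the `error = ENOMEM; }` block rather than immediately after the rule is copied in from userland; if any failure between the copy and this line jumps to `DIOCADDRULE_error`, the cleanup path still sees the userland-supplied pointer in `overload_tbl`. Moving the reset to the first statement after the copy would make the invariant "kernel-only fields never hold userland bytes" independent of where later error paths branch. A one-line comment such as `/* kernel-only; never trust the value copied in from userland */` above the assignment would also record why an apparently redundant store is required before `if (rule->overload_tblname[0])`.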
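Review bot: The second hunk (DIOCCHANGERULE, around line 1512) applies the same one-line reset to `newrule->overload_tbl`, which is correct for the empty-name case since the following `if (newrule->overload_tblname[0])` only writes the field when a name is present. Since the fix is explicitly the minimal one from NetBSD, it would be worth checking in the same pass whether `struct pf_rule` carries any other kernel-only pointer members that reach these two paths via the same copy and are likewise only conditionally overwritten; each would need the same unconditional reset, ideally factored into a single helper called from both ioctls rather than duplicated line by line.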
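The commit message describes the bug class only in passing: a rule structure is copied in from userland as one blob, it contains a kernel-only pointer (`overload_tbl`), and before the fix that pointer was only overwritten when a table name was present, so an empty name left the caller's bytes in a kernel pointer slot. The following C program, added here as an illustration and not pf's own code, models that pattern with a toy `struct rule`, a stand-in `attach_table()` for `pfr_attach_table()`, and a constructed sentinel in place of whatever userland put in the pointer. All names in it (`add_rule_unsafe`, `add_rule_safe`, `known_table`, `USER_GARBAGE`) are hypothetical; the sentinel is never dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the pf(4) pattern (hypothetical, not pf's code): the
 * structure crosses the user/kernel boundary as one copy, but mixes
 * user-facing data with a kernel-only pointer. */
#define TBLNAME_LEN 32

struct table {
    char name[TBLNAME_LEN];
    int  refs;
};

struct rule {
    char          overload_tblname[TBLNAME_LEN]; /* user-facing */
    struct table *overload_tbl;                  /* kernel-only */
};

/* Stand-in for pfr_attach_table(): the only table this toy kernel knows. */
static struct table known_table = { "bad_hosts", 0 };

static struct table *
attach_table(const char *name)
{
    if (strcmp(name, known_table.name) == 0) {
        known_table.refs++;
        return &known_table;
    }
    return NULL;    /* unknown table: the caller treats this as an error */
}

/* Constructed sentinel for the bytes userland left in the pointer slot. */
#define USER_GARBAGE ((struct table *)(uintptr_t)0x41414141UL)

/* Pre-fix shape: the pointer is written only when a name is present, so an
 * empty name leaves the userland-supplied value in the kernel copy. */
static int
add_rule_unsafe(const struct rule *user, struct rule *out)
{
    *out = *user;   /* models copyin(9) of the whole struct */
    if (out->overload_tblname[0]) {
        if ((out->overload_tbl = attach_table(out->overload_tblname)) == NULL)
            return -1;
    }
    return 0;
}

/* Fixed shape, as in r302117: reset the kernel-only field unconditionally
 * before the conditional attach. */
static int
add_rule_safe(const struct rule *user, struct rule *out)
{
    *out = *user;
    out->overload_tbl = NULL;   /* kernel owns this field; drop userland bytes */
    if (out->overload_tblname[0]) {
        if ((out->overload_tbl = attach_table(out->overload_tblname)) == NULL)
            return -1;
    }
    return 0;
}

/* 1 if the kernel copy holds a pointer attach_table() never handed out,
 * i.e. it still carries what userland supplied. */
int
rule_carries_user_pointer(const struct rule *r)
{
    return r->overload_tbl != NULL && r->overload_tbl != &known_table;
}

/* Feed both variants a constructed userland rule with an empty table name and
 * garbage in the pointer slot; returns how many variants let it through. */
int
count_leaking_variants(void)
{
    struct rule user, k;
    int leaks = 0;

    memset(&user, 0, sizeof(user));     /* empty overload_tblname */
    user.overload_tbl = USER_GARBAGE;

    if (add_rule_unsafe(&user, &k) == 0 && rule_carries_user_pointer(&k))
        leaks++;
    if (add_rule_safe(&user, &k) == 0 && rule_carries_user_pointer(&k))
        leaks++;
    return leaks;
}

/* With a real table name the safe path still attaches the kernel table. */
int
safe_attaches_named_table(void)
{
    struct rule user, k;

    memset(&user, 0, sizeof(user));
    strncpy(user.overload_tblname, "bad_hosts", TBLNAME_LEN - 1);
    user.overload_tbl = USER_GARBAGE;
    return add_rule_safe(&user, &k) == 0 && k.overload_tbl == &known_table;
}

int
main(void)
{
    printf("variants keeping the userland pointer: %d\n", count_leaking_variants());
    printf("named table attached via safe path: %d\n", safe_attaches_named_table());
    return 0;
}
```

The general lesson the two hunks embody is that any field a kernel structure owns must be re-initialised after `copyin` regardless of which branch later fills it; a `NULL` store that looks redundant on the path that attaches a table is exactly what protects the path that does not.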