From owner-svn-src-stable-6@FreeBSD.ORG Mon Nov 23 11:52:21 2009
Delivered-To: svn-src-stable-6@freebsd.org
Message-Id: <200911231152.nANBqKOt055644@svn.freebsd.org>
From: "Bjoern A. Zeeb"
Date: Mon, 23 Nov 2009 11:52:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org
X-SVN-Group: stable-6
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: svn commit: r199712 - stable/6/sys/compat/pecoff
List-Id: SVN commit messages for only the 6-stable src tree

Author: bz
Date: Mon Nov 23 11:52:20 2009
New Revision: 199712

URL: http://svn.freebsd.org/changeset/base/199712

Log:
  MF7 r199330:

    Note: this change was never in head; thus directly merged from stable/7.

    As we pass the 'offset' unvalidated to vn_rdwr() make sure that it is
    unsigned rather than possibly set to something negative by a malicious
    binary.

    This is just the immediate fix to the problem mentioned in PR kern/80742
    and by http://milw0rm.com/exploits/9206 but does not fix all possible
    problems imgact_pecoff has.

    As this feature does not work and is not compiled in by default, the
    security team considers this vulnerability to be of low risk to the
    user population and will not be issuing an advisory.
PR: kern/80742 Reported by: Oliver Pinter (oliver.pntr gmail.com) via freebsd-security Help reproducing and testing by: Damian Weber (dweber htw-saarland.de) Modified: stable/6/sys/compat/pecoff/imgact_pecoff.c Directory Properties: stable/6/sys/ (props changed) stable/6/sys/conf/ (props changed) stable/6/sys/contrib/pf/ (props changed) stable/6/sys/dev/cxgb/ (props changed) Modified: stable/6/sys/compat/pecoff/imgact_pecoff.c ============================================================================== --- stable/6/sys/compat/pecoff/imgact_pecoff.c Mon Nov 23 09:45:59 2009 (r199711) +++ stable/6/sys/compat/pecoff/imgact_pecoff.c Mon Nov 23 11:52:20 2009 (r199712) @@ -135,7 +135,7 @@ exec_pecoff_coff_makecmds(struct image_p struct coff_filehdr *, int); static int pecoff_signature(struct thread *, struct vnode *, const struct pecoff_dos_filehdr *); -static int pecoff_read_from(struct thread *, struct vnode *, int, caddr_t, int); +static int pecoff_read_from(struct thread *, struct vnode *, unsigned int, caddr_t, int); static int pecoff_load_section(struct thread * td, struct vmspace * vmspace, struct vnode * vp, @@ -291,7 +291,7 @@ pecoff_load_file(struct thread * td, con struct vmspace *vmspace = td->td_proc->p_vmspace; struct vattr attr; struct image_params image_params, *imgp; - int peofs; + unsigned int peofs; int error, i, scnsiz; imgp = &image_params; @@ -549,7 +549,7 @@ int pecoff_read_from(td, vp, pos, buf, siz) struct thread *td; struct vnode *vp; - int pos; + unsigned int pos; caddr_t buf; int siz; {
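Review bot: the prototype change to `unsigned int` for the third parameter of `pecoff_read_from()` in this hunk only works together with the matching change to the old-style (K&R) definition further down; a prototype that disagrees with an old-style definition is undefined behaviour and is not reliably diagnosed, so both must land together. The `siz` parameter stays `int` here; if its value can also be influenced by the image being loaded, a negative length handed on to vn_rdwr() deserves the same treatment as a negative offset.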
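Review bot: making `peofs` in `pecoff_load_file()` unsigned removes the negative case but not the out-of-range one; an arbitrarily large value from the header is still handed to the read unvalidated. `struct vattr attr` is already declared in this function, so, assuming it is filled in by a getattr call before the read, checking `peofs` plus the size of the structure being read against `attr.va_size` would close the remaining window. Any existing `peofs < 0` style check in the body becomes dead code once the variable is unsigned and should be replaced by that upper-bound check.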
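Review bot: the old-style definition of `pecoff_read_from()` now declares `pos` as `unsigned int`, matching the prototype; when the value is widened to the offset type vn_rdwr() takes, it can no longer become negative, but the function still performs no range check of its own, so every caller remains responsible for validating the offset. Converting this definition to prototype style would let the compiler check the argument types at every call site instead of relying on the two declarations staying in sync by hand.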
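The log message above describes the bug: a header-supplied offset stored in a signed `int` could be negative by the time it reached vn_rdwr(). The following C is an added example, not code from the FreeBSD tree; it uses `int64_t` as a stand-in for `off_t`, a constructed 32-bit header value, and a hypothetical `offset_in_file()` check that shows why making the offset unsigned stops the negative case but still needs an upper bound against the file size.

```c
/* Added example (not FreeBSD code): validating an offset taken from an untrusted file header. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Signed interpretation: a 32-bit header field read into an int and then
 * widened to a 64-bit file offset keeps its sign, so 0xFFFFFFF0 becomes -16.
 * This is the value the pre-fix code would have handed to the read routine.
 * (Conversion of an out-of-range value to int is implementation-defined;
 * two's complement platforms wrap as shown.)
 */
static int64_t offset_as_signed(uint32_t raw_field)
{
    return (int64_t)(int)raw_field;
}

/* Unsigned interpretation, as in the fix: widening never produces a negative offset. */
static int64_t offset_as_unsigned(uint32_t raw_field)
{
    return (int64_t)(unsigned int)raw_field;
}

/*
 * Hypothetical full check: the window [off, off + need) must lie inside a
 * file of file_size bytes. Written to avoid overflow in off + need.
 */
static bool offset_in_file(int64_t off, uint64_t need, int64_t file_size)
{
    if (off < 0 || file_size < 0)
        return false;                       /* negative offset or size: reject */
    if (need > (uint64_t)file_size)
        return false;                       /* window larger than the file */
    return (uint64_t)off <= (uint64_t)file_size - need;
}

int main(void)
{
    const uint32_t hostile = 0xFFFFFFF0u;  /* constructed header value */
    const int64_t  fsize   = 1024;         /* constructed file size */

    printf("signed:   %lld -> %s\n", (long long)offset_as_signed(hostile),
           offset_in_file(offset_as_signed(hostile), 4, fsize) ? "ok" : "rejected");
    printf("unsigned: %lld -> %s\n", (long long)offset_as_unsigned(hostile),
           offset_in_file(offset_as_unsigned(hostile), 4, fsize) ? "ok" : "rejected");
    return 0;
}
```

Both interpretations of the hostile value are rejected by the bounds check, but only the unsigned one is rejected for the right reason; without the check, the unsigned value would still be passed through unvalidated, which is the residual problem the log message acknowledges.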