diff options
| author | Gleb Smirnoff <glebius@FreeBSD.org> | 2016-03-16 22:31:04 +0000 |
|---|---|---|
| committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2016-03-16 22:31:04 +0000 |
| commit | c2d52282768af9a11735b27ed3bc9e8f2e850783 (patch) | |
| tree | 43de112c934ea94689b0f8c47b24e62be665cbe8 | |
| parent | e71f5c6f0d52db4178ab6ea33619ef778eebed47 (diff) | |
| download | src-c2d52282768af9a11735b27ed3bc9e8f2e850783.tar.gz src-c2d52282768af9a11735b27ed3bc9e8f2e850783.zip | |
o Fix OpenSSH xauth(1) command injection. [SA-16:14]
o Fix incorrect argument validation in sysarch(2). [SA-16:15]
o Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
o Fix hv_netvsc(4) incorrect TCP/IP checksums. [EN-16:05]
Errata: FreeBSD-EN-16:04.hyperv
Errata: FreeBSD-EN-16:05.hv_netvsc
Security: FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
Security: FreeBSD-SA-16:15.sysarch, CVE-2016-1885
Approved by: so
Notes
Notes:
svn path=/releng/10.2/; revision=296955
| -rw-r--r-- | UPDATING | 10 | ||||
| -rw-r--r-- | crypto/openssh/session.c | 32 | ||||
| -rw-r--r-- | sys/amd64/amd64/sys_machdep.c | 4 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
| -rw-r--r-- | sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c | 12 | ||||
| -rw-r--r-- | sys/dev/hyperv/utilities/hv_kvp.c | 11 |
6 files changed, 64 insertions, 7 deletions
@@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160316 p14 FreeBSD-SA-16:14.openssh-xauth + FreeBSD-SA-16:15.sysarch + FreeBSD-EN-16:04.hyperv + FreeBSD-EN-16:05.hv_netvsc + + Fix OpenSSH xauth(1) command injection. [SA-16:14] + Fix incorrect argument validation in sysarch(2). [SA-16:15] + Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04] + Fix hv_netvsc(4) incorrect TCP/IP checksums. [EN-16:05] + 20160303 p13 FreeBSD-SA-16:12.openssl Fix multiple vulnerabilities of OpenSSL. diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c index 9fe6a1ad26a6..17397e6f8c72 100644 --- a/crypto/openssh/session.c +++ b/crypto/openssh/session.c @@ -48,6 +48,7 @@ __RCSID("$FreeBSD$"); #include <arpa/inet.h> +#include <ctype.h> #include <errno.h> #include <fcntl.h> #include <grp.h> @@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -2199,7 +2221,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c index 98d47b8678fd..ff3bd3edcf8b 100644 --- a/sys/amd64/amd64/sys_machdep.c +++ b/sys/amd64/amd64/sys_machdep.c @@ -591,8 +591,8 @@ amd64_set_ldt(td, uap, descs) struct i386_ldt_args *uap; struct user_segment_descriptor *descs; { - int error = 0, i; - int largest_ld; + int error = 0; + unsigned int largest_ld, i; struct mdproc *mdp = &td->td_proc->p_md; struct proc_ldt *pldt; struct user_segment_descriptor *dp; diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index c3cdf52a0cda..297159aec475 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p13" +BRANCH="RELEASE-p14" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c b/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c index 5502d1bf4f7e..33718a9e0d76 100644 --- a/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c +++ b/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c @@ -128,6 +128,15 @@ __FBSDID("$FreeBSD$"); #define HV_NV_SC_PTR_OFFSET_IN_BUF 0 #define HV_NV_PACKET_OFFSET_IN_BUF 16 +/* + * A unified flag for all outbound check sum flags is useful, + * and it helps avoiding unnecessary check sum calculation in + * network forwarding scenario. + */ +#define HV_CSUM_FOR_OUTBOUND \ + (CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO| \ + CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP| \ + CSUM_IP6_TSO|CSUM_IP6_ISCSI) /* * Data types @@ -570,7 +579,8 @@ hn_start_locked(struct ifnet *ifp) packet->vlan_tci & 0xfff; } - if (0 == m_head->m_pkthdr.csum_flags) { + /* Only check the flags for outbound and ignore the ones for inbound */ + if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) { goto pre_send; } diff --git a/sys/dev/hyperv/utilities/hv_kvp.c b/sys/dev/hyperv/utilities/hv_kvp.c index 4598510bb8d5..58d565c44bfb 100644 --- a/sys/dev/hyperv/utilities/hv_kvp.c +++ b/sys/dev/hyperv/utilities/hv_kvp.c @@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include <sys/reboot.h> #include <sys/lock.h> #include <sys/taskqueue.h> +#include <sys/selinfo.h> #include <sys/sysctl.h> #include <sys/poll.h> #include <sys/proc.h> @@ -114,6 +115,8 @@ static struct cdev *hv_kvp_dev; static struct hv_kvp_msg *hv_kvp_dev_buf; struct proc *daemon_task; +static struct selinfo hv_kvp_selinfo; + /* * Global state to track and synchronize multiple * KVP transaction requests from the host. @@ -628,6 +631,9 @@ hv_kvp_send_msg_to_daemon(void) /* Send the msg to user via function deamon_read - setting sema */ sema_post(&kvp_globals.dev_sema); + + /* We should wake up the daemon, in case it's doing poll() */ + selwakeup(&hv_kvp_selinfo); } @@ -940,7 +946,7 @@ hv_kvp_dev_daemon_write(struct cdev *dev __unused, struct uio *uio, int ioflag _ * for daemon to read. */ static int -hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td __unused) +hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td) { int revents = 0; @@ -953,6 +959,9 @@ hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td */ if (kvp_globals.daemon_busy == true) revents = POLLIN; + else + selrecord(td, &hv_kvp_selinfo); + mtx_unlock(&kvp_globals.pending_mutex); return (revents); |