diff options
author | gordon <gordon@FreeBSD.org> | 2018-11-27 19:42:16 +0000 |
---|---|---|
committer | gordon <gordon@FreeBSD.org> | 2018-11-27 19:42:16 +0000 |
commit | e0e60f4844598ff1cb636aa9b15cfe442a411e3e (patch) | |
tree | 1c431e87f8ec9cff2c7de03c17452f6bf9776e5d | |
parent | ba232b9211234a5977460b8e8458848ab5b2b75d (diff) | |
download | FreeBSD-src-e0e60f4844598ff1cb636aa9b15cfe442a411e3e.zip FreeBSD-src-e0e60f4844598ff1cb636aa9b15cfe442a411e3e.tar.gz |
Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs]
Reported by: Jakub Jirasek, Secunia Research at Flexera
Approved by: so
Security: FreeBSD-SA-18:13.nfs
Security: CVE-2018-17157
Security: CVE-2018-17158
Security: CVE-2018-17159
-rw-r--r-- | UPDATING | 13 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
-rw-r--r-- | sys/fs/nfs/nfs_commonsubs.c | 10 | ||||
-rw-r--r-- | sys/fs/nfsserver/nfs_nfsdport.c | 6 | ||||
-rw-r--r-- | sys/fs/nfsserver/nfs_nfsdsocket.c | 10 |
5 files changed, 32 insertions, 9 deletions
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20181127 p5 FreeBSD-SA-18:13.nfs + FreeBSD-EN-18:13.icmp + FreeBSD-EN-18:14.tzdata + FreeBSD-EN-18:15.loader + + Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs] + + Fix ICMP buffer underwrite. [EN-18:13.icmp] + + Timezone database information update. [EN-18:14.tzdata] + + Fix deferred kernel loading breaks loader password. [EN-18:15.loader] + 20180927 p4 FreeBSD-EN-18:09.ip FreeBSD-EN-18:10.syscall FreeBSD-EN-18:11.listen diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index bd3610f..7864322 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.2" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c index ade5436..29d08ee 100644 --- a/sys/fs/nfs/nfs_commonsubs.c +++ b/sys/fs/nfs/nfs_commonsubs.c @@ -360,10 +360,14 @@ nfsm_advance(struct nfsrv_descript *nd, int offs, int left) if (offs == 0) goto out; /* - * A negative offs should be considered a serious problem. + * A negative offs might indicate a corrupted mbuf chain and, + * as such, a printf is logged. */ - if (offs < 0) - panic("nfsrv_advance"); + if (offs < 0) { + printf("nfsrv_advance: negative offs\n"); + error = EBADRPC; + goto out; + } /* * If left == -1, calculate it here. diff --git a/sys/fs/nfsserver/nfs_nfsdport.c b/sys/fs/nfsserver/nfs_nfsdport.c index 49e9a22..0a41ce5 100644 --- a/sys/fs/nfsserver/nfs_nfsdport.c +++ b/sys/fs/nfsserver/nfs_nfsdport.c @@ -1858,9 +1858,15 @@ nfsrvd_readdirplus(struct nfsrv_descript *nd, int isdgram, * cookie) should be in the reply. At least one client "hints" 0, * so I set it to cnt for that case. I also round it up to the * next multiple of DIRBLKSIZ. + * Since the size of a Readdirplus directory entry reply will always + * be greater than a directory entry returned by VOP_READDIR(), it + * does not make sense to read more than NFS_SRVMAXDATA() via + * VOP_READDIR(). */ if (siz <= 0) siz = cnt; + else if (siz > NFS_SRVMAXDATA(nd)) + siz = NFS_SRVMAXDATA(nd); siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1)); if (nd->nd_flag & ND_NFSV4) { diff --git a/sys/fs/nfsserver/nfs_nfsdsocket.c b/sys/fs/nfsserver/nfs_nfsdsocket.c index f45bba4..ec5127e 100644 --- a/sys/fs/nfsserver/nfs_nfsdsocket.c +++ b/sys/fs/nfsserver/nfs_nfsdsocket.c @@ -758,11 +758,6 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram, u_char *tag, *repp = *tl; op = fxdr_unsigned(int, *tl); NFSD_DEBUG(4, "op=%d\n", op); - - binuptime(&start_time); - nfsrvd_statstart(op, &start_time); - statsinprog = 1; - if (op < NFSV4OP_ACCESS || (op >= NFSV4OP_NOPS && (nd->nd_flag & ND_NFSV41) == 0) || (op >= NFSV41_NOPS && (nd->nd_flag & ND_NFSV41) != 0)) { @@ -774,6 +769,11 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram, u_char *tag, } else { repp++; } + + binuptime(&start_time); + nfsrvd_statstart(op, &start_time); + statsinprog = 1; + if (i == 0) op0 = op; if (i == numops - 1) |