o Fix OpenSSH xauth(1) command injection. [SA-16:14]

o Fix incorrect argument validation in sysarch(2). [SA-16:15]
o Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]

Errata:         FreeBSD-EN-16:04.hyperv
Security:       FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
Security:       FreeBSD-SA-16:15.sysarch, CVE-2016-1885
Approved by:    so

5 files changed, 51 insertions, 6 deletions

diff --git a/UPDATING b/UPDATING
index 8ea7bf7..b83da9d 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160316	p31	FreeBSD-SA-16:14.openssh-xauth
+			FreeBSD-SA-16:15.sysarch
+			FreeBSD-EN-16:04.hyperv
+
+	Fix OpenSSH xauth(1) command injection. [SA-16:14]
+	Fix incorrect argument validation in sysarch(2). [SA-16:15]
+	Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
+
 20160303	p30	FreeBSD-SA-16:12.openssl
 
 	Fix multiple vulnerabilities of OpenSSL.
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 9fe6a1a..17397e6 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -48,6 +48,7 @@ __RCSID("$FreeBSD$");
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt)
 	do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+	size_t i;
+
+	for (i = 0; s[i] != '\0'; i++) {
+		if (!isalnum((u_char)s[i]) &&
+		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+		    s[i] != '-' && s[i] != '_')
+		return 0;
+	}
+	return 1;
+}
+
 /*
  * Prepares for an interactive session.  This is called after the user has
  * been successfully authenticated.  During this message exchange, pseudo
@@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt)
 				s->screen = 0;
 			}
 			packet_check_eom();
-			success = session_setup_x11fwd(s);
+			if (xauth_valid_string(s->auth_proto) &&
+			    xauth_valid_string(s->auth_data))
+				success = session_setup_x11fwd(s);
+			else {
+				success = 0;
+				error("Invalid X11 forwarding data");
+			}
 			if (!success) {
 				free(s->auth_proto);
 				free(s->auth_data);
@@ -2199,7 +2221,13 @@ session_x11_req(Session *s)
 	s->screen = packet_get_int();
 	packet_check_eom();
 
-	success = session_setup_x11fwd(s);
+	if (xauth_valid_string(s->auth_proto) &&
+	    xauth_valid_string(s->auth_data))
+		success = session_setup_x11fwd(s);
+	else {
+		success = 0;
+		error("Invalid X11 forwarding data");
+	}
 	if (!success) {
 		free(s->auth_proto);
 		free(s->auth_data);
diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c
index 36d9f08..330e8a4 100644
--- a/sys/amd64/amd64/sys_machdep.c
+++ b/sys/amd64/amd64/sys_machdep.c
@@ -591,8 +591,8 @@ amd64_set_ldt(td, uap, descs)
 	struct i386_ldt_args *uap;
 	struct user_segment_descriptor *descs;
 {
-	int error = 0, i;
-	int largest_ld;
+	int error = 0;
+	unsigned int largest_ld, i;
 	struct mdproc *mdp = &td->td_proc->p_md;
 	struct proc_ldt *pldt;
 	struct user_segment_descriptor *dp;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 9bb38a1..99b76f4 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p30"
+BRANCH="RELEASE-p31"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/dev/hyperv/utilities/hv_kvp.c b/sys/dev/hyperv/utilities/hv_kvp.c
index 848d364..50ef971 100644
--- a/sys/dev/hyperv/utilities/hv_kvp.c
+++ b/sys/dev/hyperv/utilities/hv_kvp.c
@@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/reboot.h>
 #include <sys/lock.h>
 #include <sys/taskqueue.h>
+#include <sys/selinfo.h>
 #include <sys/sysctl.h>
 #include <sys/poll.h>
 #include <sys/proc.h>
@@ -113,6 +114,8 @@ static struct cdev *hv_kvp_dev;
 static struct hv_kvp_msg *hv_kvp_dev_buf;
 struct proc *daemon_task;
 
+static struct selinfo hv_kvp_selinfo;
+
 /*
  * Global state to track and synchronize multiple
  * KVP transaction requests from the host.
@@ -627,6 +630,9 @@ hv_kvp_send_msg_to_daemon(void)
 
 	/* Send the msg to user via function deamon_read - setting sema */
 	sema_post(&kvp_globals.dev_sema);
+
+	/* We should wake up the daemon, in case it's doing poll() */
+	selwakeup(&hv_kvp_selinfo);
 }
 
 
@@ -939,7 +945,7 @@ hv_kvp_dev_daemon_write(struct cdev *dev __unused, struct uio *uio, int ioflag _
  * for daemon to read.
  */
 static int
-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td  __unused)
+hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
 {
 	int revents = 0;
 
@@ -952,6 +958,9 @@ hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td
 	 */
 	if (kvp_globals.daemon_busy == true)
 		revents = POLLIN;
+	else
+		selrecord(td, &hv_kvp_selinfo);
+
 	mtx_unlock(&kvp_globals.pending_mutex);
 
 	return (revents);