diff options
author | glebius <glebius@FreeBSD.org> | 2016-01-14 09:11:42 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2016-01-14 09:11:42 +0000 |
commit | 924e9fd65e75f0b1f25b22443f905c323a489c11 (patch) | |
tree | 0ead046e380329851a42682978596c116adac8dc /sys/compat | |
parent | 66d55487b96620356eabe606681cb650cab137a9 (diff) | |
download | FreeBSD-src-924e9fd65e75f0b1f25b22443f905c323a489c11.zip FreeBSD-src-924e9fd65e75f0b1f25b22443f905c323a489c11.tar.gz |
o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]
o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]
Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security: FreeBSD-SA-16:03.linux, CVE-2016-1880
Security: FreeBSD-SA-16:04.linux, CVE-2016-1881
Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677
Diffstat (limited to 'sys/compat')
-rw-r--r-- | sys/compat/linux/linux_futex.c | 2 | ||||
-rw-r--r-- | sys/compat/linux/linux_misc.c | 4 |
2 files changed, 4 insertions, 2 deletions
diff --git a/sys/compat/linux/linux_futex.c b/sys/compat/linux/linux_futex.c index 4573f73..c7688ae 100644 --- a/sys/compat/linux/linux_futex.c +++ b/sys/compat/linux/linux_futex.c @@ -1132,7 +1132,7 @@ linux_get_robust_list(struct thread *td, struct linux_get_robust_list_args *args return (EFAULT); } - error = copyout(head, args->head, sizeof(struct linux_robust_list_head)); + error = copyout(&head, args->head, sizeof(head)); if (error) { LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error, error); diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c index d87d786..8f2a687 100644 --- a/sys/compat/linux/linux_misc.c +++ b/sys/compat/linux/linux_misc.c @@ -1302,9 +1302,11 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args) if (error) goto out; newcred = crget(); + crextend(newcred, ngrp + 1); p = td->td_proc; PROC_LOCK(p); - oldcred = crcopysafe(p, newcred); + oldcred = p->p_ucred; + crcopy(newcred, oldcred); /* * cr_groups[0] holds egid. Setting the whole set from |