From 8a232783c3444677eb1faa3048123dda21767094 Mon Sep 17 00:00:00 2001 From: glebius Date: Tue, 17 May 2016 22:28:27 +0000 Subject: - Use unsigned version of min() when handling arguments of SETFKEY ioctl. - Validate that user supplied control message length in sendmsg(2) is not negative. Security: SA-16:18 Security: CVE-2016-1886 Security: SA-16:19 Security: CVE-2016-1887 Submitted by: C Turt Approved by: so --- UPDATING | 7 +++++++ sys/conf/newvers.sh | 2 +- sys/dev/kbd/kbd.c | 2 +- sys/kern/uipc_syscalls.c | 3 +++ 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/UPDATING b/UPDATING index f6a5f2a..2a1249e 100644 --- a/UPDATING +++ b/UPDATING @@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160517 p3 FreeBSD-SA-16:18.atkbd + FreeBSD-SA-16:19.sendmsg + + Fix buffer overflow in keyboard driver. [SA-16:18] + + Fix incorrect argument handling in sendmsg(2). [SA-16:19] + 20160504 p2 FreeBSD-SA-16:17.openssl FreeBSD-EN-16:06.libc FreeBSD-EN-16:07.ipi diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 5ad43e3..142bd8a 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/dev/kbd/kbd.c b/sys/dev/kbd/kbd.c index 8036762..f1a1b29 100644 --- a/sys/dev/kbd/kbd.c +++ b/sys/dev/kbd/kbd.c @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_long cmd, caddr_t arg) splx(s); return (error); } - kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK); + kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK); bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str, kbd->kb_fkeytab[fkeyp->keynum].len); break; diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index fa36849..97ca115 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -1787,6 +1787,9 @@ sockargs(mp, buf, buflen, type) struct mbuf *m; int error; + if (buflen < 0) + return (EINVAL); + if (buflen > MLEN) { #ifdef COMPAT_OLDSOCK if (type == MT_SONAME && buflen <= 112) -- cgit v1.1