From a8a47b5dccf790122298b446082534e693b77281 Mon Sep 17 00:00:00 2001
From: gordon
Date: Wed, 24 Jul 2019 12:50:46 +0000
Subject: Fix panic from Intel CPU vulnerability mitigation.

Approved by:	so
Security:	FreeBSD-EN-19:13.mds
---
 sys/x86/x86/cpu_machdep.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/x86/x86/cpu_machdep.c b/sys/x86/x86/cpu_machdep.c
index 0604054..54b22d9 100644
--- a/sys/x86/x86/cpu_machdep.c
+++ b/sys/x86/x86/cpu_machdep.c
@@ -946,7 +946,6 @@ int hw_mds_disable;
  * architectural state except possibly %rflags. Also, it is always
  * called with interrupts disabled.
  */
-void (*mds_handler)(void);
 void mds_handler_void(void);
 void mds_handler_verw(void);
 void mds_handler_ivb(void);
@@ -955,6 +954,7 @@ void mds_handler_skl_sse(void);
 void mds_handler_skl_avx(void);
 void mds_handler_skl_avx512(void);
 void mds_handler_silvermont(void);
+void (*mds_handler)(void) = mds_handler_void;
 
 static int
 sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS)
-- 
cgit v1.1

From c9864bb82da03e4c9da220a9196275bbdfb72cc5 Mon Sep 17 00:00:00 2001
From: gordon
Date: Wed, 24 Jul 2019 12:51:52 +0000
Subject: Fix multiple telnet client vulnerabilities.

Approved by:	so
Security:	FreeBSD-SA-19:12.telnet
Security:	CVE-2019-0053
---
 contrib/telnet/telnet/commands.c  | 14 +++++++++-----
 contrib/telnet/telnet/telnet.c    |  4 ++--
 contrib/telnet/telnet/utilities.c |  2 +-
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/contrib/telnet/telnet/commands.c b/contrib/telnet/telnet/commands.c
index 02a0de5..c6dc4ca 100644
--- a/contrib/telnet/telnet/commands.c
+++ b/contrib/telnet/telnet/commands.c
@@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$");
 
 #include
 #include
+#include
 #include
 #include
 #include
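Review bot: The moved definition `void (*mds_handler)(void) = mds_handler_void;` carries the actual fix — a non-NULL default — but nothing records why the static initializer matters, so a later tidy-up could move it back above the prototype it depends on and reintroduce the NULL call. Suggest a comment on that line: `/* Must never be NULL: defaults to mds_handler_void (presumably the no-op handler) so the hook is safe to call before a specific mitigation is selected. */`. The contract comment ending in `called with interrupts disabled.` would be the natural home for it; that comment block starts above the first hunk.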
@@ -1654,11 +1655,14 @@ env_init(void)
 		    || (strncmp((char *)ep->value, "unix:", 5) == 0))) {
 			char hbuf[256+1];
 			char *cp2 = strchr((char *)ep->value, ':');
-
-			gethostname(hbuf, 256);
-			hbuf[256] = '\0';
-			cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
-			sprintf((char *)cp, "%s%s", hbuf, cp2);
+			size_t buflen;
+
+			gethostname(hbuf, sizeof(hbuf));
+			hbuf[sizeof(hbuf)-1] = '\0';
+			buflen = strlen(hbuf) + strlen(cp2) + 1;
+			cp = (char *)malloc(sizeof(char)*buflen);
+			assert(cp != NULL);
+			snprintf((char *)cp, buflen, "%s%s", hbuf, cp2);
 			free(ep->value);
 			ep->value = (unsigned char *)cp;
 		}
diff --git a/contrib/telnet/telnet/telnet.c b/contrib/telnet/telnet/telnet.c
index 80f43b2..33a2ed5 100644
--- a/contrib/telnet/telnet/telnet.c
+++ b/contrib/telnet/telnet/telnet.c
@@ -785,7 +785,7 @@ suboption(void)
 	    name = gettermname();
 	    len = strlen(name) + 4 + 2;
 	    if (len < NETROOM()) {
-		sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+		snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
 			TELQUAL_IS, name, IAC, SE);
 		ring_supply_data(&netoring, temp, len);
 		printsub('>', &temp[2], len-2);
@@ -807,7 +807,7 @@ suboption(void)
 
 	    TerminalSpeeds(&ispeed, &ospeed);
 
-	    sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
+	    snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
 			TELQUAL_IS, ospeed, ispeed, IAC, SE);
 	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
 
diff --git a/contrib/telnet/telnet/utilities.c b/contrib/telnet/telnet/utilities.c
index 8d1ea2a..f10c040 100644
--- a/contrib/telnet/telnet/utilities.c
+++ b/contrib/telnet/telnet/utilities.c
@@ -629,7 +629,7 @@ printsub(char direction, unsigned char *pointer, int length)
 		}
 		{
 		    char tbuf[64];
-		    sprintf(tbuf, "%s%s%s%s%s",
+		    snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
 			pointer[2]&MODE_EDIT ? "|EDIT" : "",
 			pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
 			pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
-- 
cgit v1.1
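Review bot: In the env_init() hunk, `assert(cp != NULL);` is the only handling of a malloc() failure, so a build that defines NDEBUG lets a NULL `cp` flow straight into snprintf(). An explicit check that fails regardless of build flags is the safer shape, e.g. `if (cp == NULL) err(1, "malloc");`, using whatever error-reporting routine commands.c already has (the include names are not legible in this rendering, so I cannot confirm err.h is among them). The gethostname() return value is also ignored, although the explicit NUL termination on the next line keeps the later strlen() bounded. env_init()'s body starts before this hunk.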
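Review bot: In the TELOPT_TTYPE hunk of suboption(), `snprintf(temp, sizeof(temp), ...)` stops the write overflow but not the mismatch with `len`: `len` is derived from strlen(name) and compared only against NETROOM(), so if `temp` is a fixed-size array (as sizeof(temp) suggests; its declaration is outside the hunk) a terminal name longer than the buffer is silently truncated while `ring_supply_data(&netoring, temp, len)` still supplies `len` bytes and reads past the end of `temp`. Checking the return value closes this: `if (snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE) >= (int)sizeof(temp)) return;`, or clamp `len` to the formatted length. The second suboption() hunk recomputes `len` from strlen() of the formatted buffer and is therefore self-consistent after truncation. suboption() starts before and continues past both hunks.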
From aae64a845b6024a348ac03faab07830ca176c2cb Mon Sep 17 00:00:00 2001
From: gordon
Date: Wed, 24 Jul 2019 12:53:06 +0000
Subject: Fix pts write-after-free.

Approved by:	so
Security:	FreeBSD-SA-19:13.pts
Security:	CVE-2019-5606
---
 sys/kern/tty.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index b0a535c..210d91d 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -230,9 +230,6 @@ ttydev_leave(struct tty *tp)
 
 	tp->t_flags |= TF_OPENCLOSE;
 
-	/* Stop asynchronous I/O. */
-	funsetown(&tp->t_sigio);
-
 	/* Remove console TTY. */
 	if (constty == tp)
 		constty_clear();
@@ -1123,6 +1120,9 @@ tty_rel_free(struct tty *tp)
 		return;
 	}
 
+	/* Stop asynchronous I/O. */
+	funsetown(&tp->t_sigio);
+
 	/* TTY can be deallocated. */
 	dev = tp->t_dev;
 	tp->t_dev = NULL;
-- 
cgit v1.1

From c9f55f4afeb8674e5bcc7888c2b7288937a25ea4 Mon Sep 17 00:00:00 2001
From: gordon
Date: Wed, 24 Jul 2019 12:54:10 +0000
Subject: Fix kernel memory disclosure in freebsd32_ioctl.

Approved by:	so
Security:	FreeBSD-SA-19:14.freebsd32
Security:	CVE-2019-5605
---
 sys/compat/freebsd32/freebsd32_ioctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/compat/freebsd32/freebsd32_ioctl.c b/sys/compat/freebsd32/freebsd32_ioctl.c
index b634b30..b6cdbd9 100644
--- a/sys/compat/freebsd32/freebsd32_ioctl.c
+++ b/sys/compat/freebsd32/freebsd32_ioctl.c
@@ -262,6 +262,8 @@ freebsd32_ioctl_pciocgetconf(struct thread *td,
 	vm_offset_t addr;
 	int error;
 
+	memset(&pmc, 0, sizeof(pmc));
+	memset(&pc32, 0, sizeof(pc32));
 	if ((error = copyin(uap->data, &pci32, sizeof(pci32))) != 0)
 		return (error);
 
-- 
cgit v1.1

From add26e3d7b39aeb5e74011bd8d3d74c946771e8a Mon Sep 17 00:00:00 2001
From: gordon
Date: Wed, 24 Jul 2019 12:55:16 +0000
Subject: Fix reference count overflow in mqueuefs.

Approved by:	so
Security:	FreeBSD-SA-19:15.mqueuefs
Security:	CVE-2019-5603
---
 sys/kern/uipc_mqueue.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

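Review bot: The relocated `funsetown(&tp->t_sigio);` in tty_rel_free() keeps the old one-line comment, which no longer says why the call must happen at final release rather than in ttydev_leave(); the commit title ("write-after-free") is the only hint, and nothing stops a later cleanup from moving it back. Suggest extending the comment at the new site to: `/* Stop asynchronous I/O. Done only here, once the TTY is really going away: clearing it earlier in ttydev_leave() left a window for a sigio to be registered again on a still-open descriptor and outlive the tty (see FreeBSD-SA-19:13.pts). */` — the re-registration path is not visible in this diff, so verify the wording against it. tty_rel_free() starts above the hunk.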
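Review bot: The two new `memset()` calls in freebsd32_ioctl_pciocgetconf() carry the whole fix but leave no trace of why they exist, so a reader who later sees every field of `pmc` and `pc32` assigned explicitly may drop them as redundant. Suggest one comment above them: `/* Zero both structures up front: padding bytes and any field not explicitly set would otherwise be disclosed to userland when they are copied out. */` (the copyout is not within this hunk, so confirm both structures do reach userland). The function's signature continues above the hunk and its body below it.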
diff --git a/sys/kern/uipc_mqueue.c b/sys/kern/uipc_mqueue.c
index 5df97d7..994c530 100644
--- a/sys/kern/uipc_mqueue.c
+++ b/sys/kern/uipc_mqueue.c
@@ -2266,13 +2266,14 @@ sys_kmq_timedreceive(struct thread *td, struct kmq_timedreceive_args *uap)
 	if (uap->abs_timeout != NULL) {
 		error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 		if (error != 0)
-			return (error);
+			goto out;
 		abs_timeout = &ets;
 	} else
 		abs_timeout = NULL;
 	waitok = !(fp->f_flag & O_NONBLOCK);
 	error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 		uap->msg_prio, waitok, abs_timeout);
+out:
 	fdrop(fp, td);
 	return (error);
 }
@@ -2291,13 +2292,14 @@ sys_kmq_timedsend(struct thread *td, struct kmq_timedsend_args *uap)
 	if (uap->abs_timeout != NULL) {
 		error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 		if (error != 0)
-			return (error);
+			goto out;
 		abs_timeout = &ets;
 	} else
 		abs_timeout = NULL;
 	waitok = !(fp->f_flag & O_NONBLOCK);
 	error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
 		uap->msg_prio, waitok, abs_timeout);
+out:
 	fdrop(fp, td);
 	return (error);
 }
@@ -2815,7 +2817,7 @@ freebsd32_kmq_timedreceive(struct thread *td,
 	if (uap->abs_timeout != NULL) {
 		error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
 		if (error != 0)
-			return (error);
+			goto out;
 		CP(ets32, ets, tv_sec);
 		CP(ets32, ets, tv_nsec);
 		abs_timeout = &ets;
@@ -2824,6 +2826,7 @@ freebsd32_kmq_timedreceive(struct thread *td,
 	waitok = !(fp->f_flag & O_NONBLOCK);
 	error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 		uap->msg_prio, waitok, abs_timeout);
+out:
 	fdrop(fp, td);
 	return (error);
 }
-- 
cgit v1.1

From 7ff5bf4da5b7ccef5593da9181d436e9043437a9 Mon Sep 17 00:00:00 2001
From: gordon
Date: Wed, 24 Jul 2019 12:56:06 +0000
Subject: Fix byhve out-of-bounds read in XHCI device.

Approved by:	so
Security:	FreeBSD-SA-19:16.bhyve
Security:	CVE-2019-5604
---
 usr.sbin/bhyve/pci_xhci.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/usr.sbin/bhyve/pci_xhci.c b/usr.sbin/bhyve/pci_xhci.c
index f178468..f0bbb0d 100644
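Review bot: Only three of the kmq_timed* entry points are patched (sys_kmq_timedreceive, sys_kmq_timedsend and freebsd32_kmq_timedreceive); the freebsd32 send counterpart in this file is not in the diff, and if it follows the same copyin-then-`return (error)` shape these hunks fix it would still return with the file reference held. Each hunk's fix is the same `goto out;` after a failed copyin(), so the omission is worth confirming before the errata ships. Since the label now guards the only release of `fp`, a short comment at the first `out:` would record the invariant: `out:	/* the file reference taken above must be dropped on every path */`. The file reference is acquired above each hunk, outside the visible lines.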
--- a/usr.sbin/bhyve/pci_xhci.c
+++ b/usr.sbin/bhyve/pci_xhci.c
@@ -1898,6 +1898,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, uint32_t slot,
 		return;
 	}
 
+	if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
+		DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
+		return;
+	}
+
 	dev = XHCI_SLOTDEV_PTR(sc, slot);
 	devep = &dev->eps[epid];
 	dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
@@ -1923,6 +1928,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, uint32_t slot,
 
 	/* get next trb work item */
 	if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
+		struct xhci_stream_ctx *sctx;
+
+		/*
+		 * Stream IDs of 0, 65535 (any stream), and 65534
+		 * (prime) are invalid.
+		 */
+		if (streamid == 0 || streamid == 65534 || streamid == 65535) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
+
+		sctx = NULL;
+		pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
+		if (sctx == NULL) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		sctx_tr = &devep->ep_sctx_trbs[streamid];
 		ringaddr = sctx_tr->ringaddr;
 		ccs = sctx_tr->ccs;
@@ -1931,6 +1953,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, uint32_t slot,
 			    streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
 			    trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
 	} else {
+		if (streamid != 0) {
+			DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+			return;
+		}
 		ringaddr = devep->ep_ringaddr;
 		ccs = devep->ep_ccs;
 		trb = devep->ep_tr;
-- 
cgit v1.1

From c1fcd74c987c51e233da57e48dfda0bbd87da794 Mon Sep 17 00:00:00 2001
From: gordon
Date: Wed, 24 Jul 2019 12:57:49 +0000
Subject: Fix file descriptor reference count leak.

Approved by:	so
Security:	FreeBSD-SA-19:17.fd
Security:	CVE-2019-5607
---
 sys/kern/uipc_usrreq.c | 41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 0ff3540..d1a3958 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
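Review bot: In the stream hunk of pci_xhci_device_doorbell(), the guest-controlled `streamid` is still used as a raw index in `sctx_tr = &devep->ep_sctx_trbs[streamid];` right after `pci_xhci_find_stream()` returns a non-NULL `sctx`, so the read is in bounds only if find_stream() rejects every id at or beyond the count that sized `ep_sctx_trbs` — neither the helper nor that array's declaration is in the hunk, so the invariant should be stated and checked rather than assumed. Suggest a comment on that line: `/* find_stream() bounded streamid by the endpoint's stream count, which must match the size of ep_sctx_trbs. */`, and an explicit `streamid < <ep_sctx_trbs element count>` test if the array is fixed-size (placeholder: use the real bound). The literals 65534/65535 would read better as named constants, since the comment above them already names their meanings. pci_xhci_device_doorbell() starts above the first hunk and continues past the last one.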
@@ -1896,29 +1896,52 @@ unp_init(void)
 	UNP_DEFERRED_LOCK_INIT();
 }
 
+static void
+unp_internalize_cleanup_rights(struct mbuf *control)
+{
+	struct cmsghdr *cp;
+	struct mbuf *m;
+	void *data;
+	socklen_t datalen;
+
+	for (m = control; m != NULL; m = m->m_next) {
+		cp = mtod(m, struct cmsghdr *);
+		if (cp->cmsg_level != SOL_SOCKET ||
+		    cp->cmsg_type != SCM_RIGHTS)
+			continue;
+		data = CMSG_DATA(cp);
+		datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data;
+		unp_freerights(data, datalen / sizeof(struct filedesc *));
+	}
+}
+
 static int
 unp_internalize(struct mbuf **controlp, struct thread *td)
 {
-	struct mbuf *control = *controlp;
-	struct proc *p = td->td_proc;
-	struct filedesc *fdesc = p->p_fd;
+	struct mbuf *control, **initial_controlp;
+	struct proc *p;
+	struct filedesc *fdesc;
 	struct bintime *bt;
-	struct cmsghdr *cm = mtod(control, struct cmsghdr *);
+	struct cmsghdr *cm;
 	struct cmsgcred *cmcred;
 	struct filedescent *fde, **fdep, *fdev;
 	struct file *fp;
 	struct timeval *tv;
-	int i, *fdp;
 	void *data;
-	socklen_t clen = control->m_len, datalen;
-	int error, oldfds;
+	socklen_t clen, datalen;
+	int i, error, *fdp, oldfds;
 	u_int newlen;
 
 	UNP_LINK_UNLOCK_ASSERT();
 
+	p = td->td_proc;
+	fdesc = p->p_fd;
 	error = 0;
+	control = *controlp;
+	clen = control->m_len;
 	*controlp = NULL;
-	while (cm != NULL) {
+	initial_controlp = controlp;
+	for (cm = mtod(control, struct cmsghdr *); cm != NULL;) {
 		if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET ||
 		    cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
 			error = EINVAL;
@@ -2045,6 +2068,8 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
 	}
 
 out:
+	if (error != 0 && initial_controlp != NULL)
+		unp_internalize_cleanup_rights(*initial_controlp);
 	m_freem(control);
 	return (error);
 }
-- 
cgit v1.1

From 52d986082942f508af53f46ba60b8000fde1e8b0 Mon Sep 17 00:00:00 2001
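Review bot: In the new unp_internalize_cleanup_rights() the element count is `datalen / sizeof(struct filedesc *)`, but the internalized SCM_RIGHTS payload holds `struct filedescent *` entries (the `**fdep` declaration in the same hunk is the type unp_internalize() works with); both are pointers so the quotient is right today, yet the mismatched type misleads and would silently break if the element type ever changed. Suggest `unp_freerights(data, datalen / sizeof(struct filedescent *));`. The helper also deserves a one-line header stating its purpose, since its only caller is the error path added in the second hunk: `/* Error path of unp_internalize(): drop the file references already taken for the SCM_RIGHTS messages in the partially built output chain. */`. unp_internalize()'s body continues between and past the two hunks.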
From: gordon
Date: Wed, 24 Jul 2019 12:58:21 +0000
Subject: Bump version information and update UPDATING.

Approved by:	so
---
 UPDATING            | 22 ++++++++++++++++++++++
 sys/conf/newvers.sh |  2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/UPDATING b/UPDATING
index 9a06291..5d53d4f 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,28 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
+20190724	p12	FreeBSD-EN-19:13.mds
+			FreeBSD-SA-19:12.telnet
+			FreeBSD-SA-19:13.pts
+			FreeBSD-SA-19:14.freebsd32
+			FreeBSD-SA-19:15.mqueuefs
+			FreeBSD-SA-19:16.bhyve
+			FreeBSD-SA-19:17.fd
+
+	Fix panic from Intel CPU vulnerability mitigation. [EN-19:13.mds]
+
+	Fix multiple telnet client vulnerabilities. [SA-19:12.telnet]
+
+	Fix pts write-after-free. [SA-19:13.pts]
+
+	Fix kernel memory disclosure in freebsd32_ioctl. [SA-19:14.freebsd32]
+
+	Fix reference count overflow in mqueuefs. [SA-19:15.mqueuefs]
+
+	Fix byhve out-of-bounds read in XHCI device. [SA-19:16.bhyve]
+
+	Fix file descriptor reference count leak. [SA-19:17.fd]
+
 20190702	p11	FreeBSD-EN-19:12.tzdata
 			FreeBSD-SA-19:09.iconv
 			FreeBSD-SA-19:10.ufs
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 0f0d814..c3556ce 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -44,7 +44,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.2"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
-- 
cgit v1.1