svn commit: r45230 - in head/share: security/advisories security/patches/EN-14:09 security/patches/SA-14:17 xml

Xin LI delphij at FreeBSD.org
Tue Jul 8 22:23:28 UTC 2014


Author: delphij
Date: Tue Jul  8 22:23:25 2014
New Revision: 45230
URL: http://svnweb.freebsd.org/changeset/doc/45230

Log:
  Add SA-14:17.kmem and EN-14:09.jail.

Added:
  head/share/security/advisories/FreeBSD-EN-14:09.jail.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:17.kmem.asc   (contents, props changed)
  head/share/security/patches/EN-14:09/
  head/share/security/patches/EN-14:09/jail.patch   (contents, props changed)
  head/share/security/patches/EN-14:09/jail.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:17/
  head/share/security/patches/SA-14:17/kmem-89.patch   (contents, props changed)
  head/share/security/patches/SA-14:17/kmem-89.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:17/kmem-9.1.patch   (contents, props changed)
  head/share/security/patches/SA-14:17/kmem-9.1.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:17/kmem.patch   (contents, props changed)
  head/share/security/patches/SA-14:17/kmem.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-14:09.jail.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:09.jail.asc	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,121 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:09.jail						Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Jail fails to start if WITHOUT_INET/WITHOUT_INET6 is used
+
+Category:       core
+Module:         jail
+Announced:      2014-07-08
+Credits:        Eugene Grosbein, Chris Rees
+Affects:        FreeBSD 8.4
+Corrected:      2014-07-02 19:18:59 UTC (stable/8, 8.4-STABLE)
+                2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+The jail(8) utility creates new jails, or modifies or removes existing
+jails.
+
+II.  Problem Description
+
+The jail(8) rc(8) script used to start jails on the system does not
+properly detect if an address protocol is in use on the system.
+
+III. Impact
+
+When the FreeBSD kernel and userland are built either without IPv4 or IPv6
+support by defining WITHOUT_INET or WITHOUT_INET6 in src.conf(5), the jail(8)
+will fail to start with an non-descriptive error.
+
+IV.  Workaround
+
+No workaround is available, however systems that do not define WITHOUT_INET
+or WITHOUT_INET6 are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/EN-14:09/jail.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:09/jail.patch.asc
+# gpg --verify jail.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r268168
+releng/8.4/                                                       r268435
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:09.jail.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+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+=4r/Q
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-14:17.kmem.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:17.kmem.asc	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,170 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:17.kmem                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Kernel memory disclosure in control messages and SCTP
+		notifications
+
+Category:       core
+Module:         kern, sctp
+Announced:      2014-07-08
+Credits:        Michael Tuexen
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-07-08 21:54:50 UTC (stable/10, 10.0-STABLE)
+                2014-07-08 21:55:27 UTC (releng/10.0, 10.0-RELEASE-p7)
+                2014-07-08 21:54:50 UTC (stable/9, 9.3-PRERELEASE)
+                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC3-p1)
+                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC2-p1)
+                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC1-p2)
+                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-BETA3-p2)
+                2014-07-08 21:55:27 UTC (releng/9.2, 9.2-RELEASE-p10)
+                2014-07-08 21:55:27 UTC (releng/9.1, 9.1-RELEASE-p17)
+                2014-07-08 21:54:50 UTC (stable/8, 8.4-STABLE)
+                2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
+CVE Name:       CVE-2014-3952, CVE-2014-3953
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The control message API is used to construct ancillary data objects for
+use in control messages sent and received across sockets and passed via
+the recvmsg(2) and sendmsg(2) system calls.
+
+II.  Problem Description
+
+Buffer between control message header and data may not be completely
+initialized before being copied to userland. [CVE-2014-3952]
+
+Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit
+padding that may not be completely initialized before being copied to
+userland.  In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE,
+SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the
+returning data structure that may not be completely initialized before
+being copied to userland.  [CVE-2014-3953]
+
+III. Impact
+
+An unprivileged local process may be able to retrieve portion of kernel
+memory.
+
+For the generic control message, the process may be able to retrieve a
+maximum of 4 bytes of kernel memory.
+
+For SCTP, the process may be able to retrieve 2 bytes of kernel memory
+for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76
+bytes for SCTP_EXTRCV.  If the local process is permitted to receive
+SCTP notification, a maximum of 112 bytes of kernel memory may be
+returned to userland.
+
+This information might be directly useful, or it might be leveraged to
+obtain elevated privileges in some way.  For example, a terminal buffer
+might include a user-entered password.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.0]
+# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch.asc
+# gpg --verify kmem.patch.asc
+
+[FreeBSD 8.4, 9.2 and 9.3-RC]
+# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch.asc
+# gpg --verify kmem.patch.asc
+
+[FreeBSD 9.2]
+# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch.asc
+# gpg --verify kmem.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r268432
+releng/8.4/                                                       r268435
+stable/9/                                                         r268432
+releng/9.1/                                                       r268434
+releng/9.2/                                                       r268434
+releng/9.3/                                                       r268433
+stable/10/                                                        r268432
+releng/10.0/                                                      r268434
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3952>
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3953>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:17.kmem.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+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+=u6Xe
+-----END PGP SIGNATURE-----
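Review bot: The verification steps in section V.2.a name the wrong signature file for two of the three patches: the `[FreeBSD 8.4, 9.2 and 9.3-RC]` block fetches kmem-89.patch and kmem-89.patch.asc but then runs `# gpg --verify kmem.patch.asc`, and the following block fetches kmem-9.1.patch but again verifies `kmem.patch.asc`, so an administrator following the text literally either verifies a file that was not downloaded or checks the wrong patch against the wrong signature. The two lines should read `# gpg --verify kmem-89.patch.asc` and `# gpg --verify kmem-9.1.patch.asc`. The heading of the last block, `[FreeBSD 9.2]`, also appears to be a copy of the previous one; given the patch name and the releng/9.1 entry in section VI it presumably should be `[FreeBSD 9.1]`. Because the advisory is a clearsigned message, any correction needs the text re-signed rather than edited in place.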

Added: head/share/security/patches/EN-14:09/jail.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:09/jail.patch	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,15 @@
+Index: etc/rc.d/jail
+===================================================================
+--- etc/rc.d/jail	(revision 268273)
++++ etc/rc.d/jail	(working copy)
+@@ -647,7 +647,9 @@ jail_start()
+ 		done
+ 
+ 		eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \
+-			ip4.addr=\"${_addrl}\" ip6.addr=\"${_addr6l}\" ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1
++			${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \
++			${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \
++			</dev/null
+ 
+ 		if [ "$?" -eq 0 ] ; then
+ 			_jail_id=$(head -1 ${_tmp_jail})
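Review bot: The trailing `</dev/null` added to the jail(8) invocation is a behavioural change that neither the Errata Notice text (which only describes the WITHOUT_INET/WITHOUT_INET6 failure) nor the script explains, and nothing in the hunk shows why it is needed. A one-line comment above the `eval` line would keep the next reader from removing it as a stray redirect, e.g. `# do not let the jailed command inherit this script's stdin` — hedged, since the reason is not visible here. The `${_addrl:+...}` / `${_addr6l:+...}` conditional parameters themselves look correct for the stated purpose. jail_start() starts outside the hunk.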

Added: head/share/security/patches/EN-14:09/jail.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:09/jail.patch.asc	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCgAGBQJTvG16AAoJEO1n7NZdz2rnZnQP/iLTnaxVHY4lxecPfSJZnMiD
+l5X1mtnnpleRFOCztOQBM5qLRXxp14V3tE62vBUx5e4go3qYqVC/u+sWgvcC7sBG
+aBT3cRVyTnygoXK6B7Av6hEhG9A+RBy1PmKEW/0iIKxD2oixNPtDv6u0AEEv+ipb
+WAtjzngeTtrMYskWZNxC8FT+NTTUQTkeU9Rqjh+JKsS8sqpzm1gHWtbp5wKJPeLt
+Rt4IULzqNoBmB9BRGYA7scFkXCUC+B1MQLUxN0p9KjNrp1REObOGfb8aTHoAuA0O
+Wk6kQeF+heqxt+TRTZp3obOYHINbVfBnPGMWty4hD8JHHFDytdA6LLalILTml3Ia
+iBaxWP/sk+4ziWkKtdlyc4VYSGzQNR+9/TIaBz0SuuMOdd21DWjaGtqIY/jfzUpA
+CnAAwJJj2ejIqOtR20aSOlCn/DVx7qyXr+R6YyUWjqlhzIsdrxBFsajIuT8DB+U5
+BSDIAxPa5esaMQhbrtoZyb8Fto0P50vMwrfjv9wuoo2Nvz+vU3ABhaPIHzTBomxl
+hepAZIGSI4UzZwk0Kj1z9I+e5EDOlFVvxhO6KYpJeulBRM+bMSILXzWH08PMoctz
+MhGkkyc8svpTZB9jYxzmcWikdbRknTo3k/I2hVF8pa/sOSbXBL3/HebVuycmvL5y
+2d+RwPgvW/C73wgUiFe7
+=rl/o
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:17/kmem-89.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:17/kmem-89.patch	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,263 @@
+Index: sys/kern/uipc_sockbuf.c
+===================================================================
+--- sys/kern/uipc_sockbuf.c	(revision 268273)
++++ sys/kern/uipc_sockbuf.c	(working copy)
+@@ -1045,6 +1045,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
+ 	m->m_len = 0;
+ 	KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ 	    ("sbcreatecontrol: short mbuf"));
++	/*
++	 * Don't leave the padding between the msg header and the
++	 * cmsg data and the padding after the cmsg data un-initialized.
++	 */
++	bzero(cp, CMSG_SPACE((u_int)size));
+ 	if (p != NULL)
+ 		(void)memcpy(CMSG_DATA(cp), p, size);
+ 	m->m_len = CMSG_SPACE(size);
+Index: sys/netinet/sctp_auth.c
+===================================================================
+--- sys/netinet/sctp_auth.c	(revision 268273)
++++ sys/netinet/sctp_auth.c	(working copy)
+@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
+ 
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	auth = mtod(m_notify, struct sctp_authkey_event *);
++	memset(auth, 0, sizeof(struct sctp_authkey_event));
+ 	auth->auth_type = SCTP_AUTHENTICATION_EVENT;
+ 	auth->auth_flags = 0;
+ 	auth->auth_length = sizeof(*auth);
+Index: sys/netinet/sctp_indata.c
+===================================================================
+--- sys/netinet/sctp_indata.c	(revision 268273)
++++ sys/netinet/sctp_indata.c	(working copy)
+@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
+ 
+ 	/* We need a CMSG header followed by the struct */
+ 	cmh = mtod(ret, struct cmsghdr *);
++	/*
++	 * Make sure that there is no un-initialized padding between the
++	 * cmsg header and cmsg data and after the cmsg data.
++	 */
++	memset(cmh, 0, len);
+ 	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
+ 		cmh->cmsg_level = IPPROTO_SCTP;
+ 		cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
+Index: sys/netinet/sctputil.c
+===================================================================
+--- sys/netinet/sctputil.c	(revision 268273)
++++ sys/netinet/sctputil.c	(working copy)
+@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
+ 		}
+ 		SCTP_BUF_NEXT(m_notify) = NULL;
+ 		sac = mtod(m_notify, struct sctp_assoc_change *);
++		memset(sac, 0, notif_len);
+ 		sac->sac_type = SCTP_ASSOC_CHANGE;
+ 		sac->sac_flags = 0;
+ 		sac->sac_length = sizeof(struct sctp_assoc_change);
+@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+-	length += chk->send_size;
+-	length -= sizeof(struct sctp_data_chunk);
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ 		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++		memset(ssfe, 0, length);
+ 		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ 		if (sent) {
+ 			ssfe->ssfe_flags = SCTP_DATA_SENT;
+@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		} else {
+ 			ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ 		}
++		length += chk->send_size;
++		length -= sizeof(struct sctp_data_chunk);
+ 		ssfe->ssfe_length = length;
+ 		ssfe->ssfe_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ 		ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
+ 		ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
+ 		ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
+@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ 	} else {
+ 		ssf = mtod(m_notify, struct sctp_send_failed *);
++		memset(ssf, 0, length);
+ 		ssf->ssf_type = SCTP_SEND_FAILED;
+ 		if (sent) {
+ 			ssf->ssf_flags = SCTP_DATA_SENT;
+@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		} else {
+ 			ssf->ssf_flags = SCTP_DATA_UNSENT;
+ 		}
++		length += chk->send_size;
++		length -= sizeof(struct sctp_data_chunk);
+ 		ssf->ssf_length = length;
+ 		ssf->ssf_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ 		/* no space left */
+ 		return;
+ 	}
+-	length += sp->length;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ 		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++		memset(ssfe, 0, length);
+ 		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ 		ssfe->ssfe_flags = SCTP_DATA_UNSENT;
++		length += sp->length;
+ 		ssfe->ssfe_length = length;
+ 		ssfe->ssfe_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ 		ssfe->ssfe_info.snd_sid = sp->stream;
+ 		if (sp->some_taken) {
+ 			ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
+@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ 		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ 	} else {
+ 		ssf = mtod(m_notify, struct sctp_send_failed *);
++		memset(ssf, 0, length);
+ 		ssf->ssf_type = SCTP_SEND_FAILED;
+ 		ssf->ssf_flags = SCTP_DATA_UNSENT;
++		length += sp->length;
+ 		ssf->ssf_length = length;
+ 		ssf->ssf_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
+ 		ssf->ssf_info.sinfo_stream = sp->stream;
+ 		ssf->ssf_info.sinfo_ssn = 0;
+ 		if (sp->some_taken) {
+@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	sai = mtod(m_notify, struct sctp_adaptation_event *);
++	memset(sai, 0, sizeof(struct sctp_adaptation_event));
+ 	sai->sai_type = SCTP_ADAPTATION_INDICATION;
+ 	sai->sai_flags = 0;
+ 	sai->sai_length = sizeof(struct sctp_adaptation_event);
+@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	pdapi = mtod(m_notify, struct sctp_pdapi_event *);
++	memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
+ 	pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
+ 	pdapi->pdapi_flags = 0;
+ 	pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
+@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
+ 		/* no space left */
+ 		return;
+ 	sse = mtod(m_notify, struct sctp_shutdown_event *);
++	memset(sse, 0, sizeof(struct sctp_shutdown_event));
+ 	sse->sse_type = SCTP_SHUTDOWN_EVENT;
+ 	sse->sse_flags = 0;
+ 	sse->sse_length = sizeof(struct sctp_shutdown_event);
+@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
+ 	}
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	event = mtod(m_notify, struct sctp_sender_dry_event *);
++	memset(event, 0, sizeof(struct sctp_sender_dry_event));
+ 	event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+ 	event->sender_dry_flags = 0;
+ 	event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ 	struct mbuf *m_notify;
+ 	struct sctp_queued_to_read *control;
+ 	struct sctp_stream_change_event *stradd;
+-	int len;
+ 
+ 	if ((stcb == NULL) ||
+ 	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
+@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ 		return;
+ 	}
+ 	stcb->asoc.peer_req_out = 0;
+-	m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+-	len = sizeof(struct sctp_stream_change_event);
+-	if (len > M_TRAILINGSPACE(m_notify)) {
+-		/* never enough room */
+-		sctp_m_freem(m_notify);
+-		return;
+-	}
+ 	stradd = mtod(m_notify, struct sctp_stream_change_event *);
++	memset(stradd, 0, sizeof(struct sctp_stream_change_event));
+ 	stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
+ 	stradd->strchange_flags = flag;
+-	stradd->strchange_length = len;
++	stradd->strchange_length = sizeof(struct sctp_stream_change_event);
+ 	stradd->strchange_assoc_id = sctp_get_associd(stcb);
+ 	stradd->strchange_instrms = numberin;
+ 	stradd->strchange_outstrms = numberout;
+-	SCTP_BUF_LEN(m_notify) = len;
++	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
+ 	SCTP_BUF_NEXT(m_notify) = NULL;
+ 	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ 		/* no space */
+@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ 	struct mbuf *m_notify;
+ 	struct sctp_queued_to_read *control;
+ 	struct sctp_assoc_reset_event *strasoc;
+-	int len;
+ 
+ 	if ((stcb == NULL) ||
+ 	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
+@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ 		/* event not enabled */
+ 		return;
+ 	}
+-	m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA);
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+-	len = sizeof(struct sctp_assoc_reset_event);
+-	if (len > M_TRAILINGSPACE(m_notify)) {
+-		/* never enough room */
+-		sctp_m_freem(m_notify);
+-		return;
+-	}
+ 	strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
++	memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
+ 	strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
+ 	strasoc->assocreset_flags = flag;
+-	strasoc->assocreset_length = len;
++	strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
+ 	strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
+ 	strasoc->assocreset_local_tsn = sending_tsn;
+ 	strasoc->assocreset_remote_tsn = recv_tsn;
+-	SCTP_BUF_LEN(m_notify) = len;
++	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
+ 	SCTP_BUF_NEXT(m_notify) = NULL;
+ 	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ 		/* no space */
+@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
+ 		return;
+ 	}
+ 	strreset = mtod(m_notify, struct sctp_stream_reset_event *);
++	memset(strreset, 0, len);
+ 	strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
+ 	strreset->strreset_flags = flag;
+ 	strreset->strreset_length = len;
+@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so,
+ 		fromlen = 0;
+ 	}
+ 
++	if (filling_sinfo) {
++		memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
++	}
+ 	error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
+ 	    (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
+-	if ((controlp) && (filling_sinfo)) {
++	if (controlp != NULL) {
+ 		/* copy back the sinfo in a CMSG format */
+ 		if (filling_sinfo)
+ 			*controlp = sctp_build_ctl_nchunk(inp,
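Review bot: In sctp_notify_stream_reset_add and sctp_notify_stream_reset_tsn the patch drops the `len > M_TRAILINGSPACE(m_notify)` check and instead requests exactly sizeof the event from sctp_get_mbuf_for_msg, so the new `memset(stradd, 0, sizeof(struct sctp_stream_change_event))` and the field stores now rely on that helper always returning an mbuf with at least the requested contiguous space; the helper is not visible in this patch, so that assumption should at least be pinned with `KASSERT(M_TRAILINGSPACE(m_notify) >= sizeof(struct sctp_stream_change_event), ("sctp_notify_stream_reset_add: short mbuf"));` after the NULL check (and the sctp_assoc_reset_event equivalent in the tsn variant), matching the KASSERT style sbcreatecontrol already uses. In sctp_notify_send_failed and sctp_notify_send_failed2 the `length +=`/`-=` adjustments are moved below the new `memset(ssfe, 0, length)`, which only makes sense if `length` at that point equals the allocated notification size rather than the wire length; that initial value is set before each hunk starts, so it is worth a comment on the memset such as `/* zero the whole notification before it is filled; length is still the allocation size here */`. The uipc_sockbuf.c hunk uses bzero() while every SCTP hunk uses memset(); either is fine, but one spelling across the change would be cleaner. All enclosing functions in this patch start and end outside their hunks.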

Added: head/share/security/patches/SA-14:17/kmem-89.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:17/kmem-89.patch.asc	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+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+=VGnU
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:17/kmem-9.1.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:17/kmem-9.1.patch	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,263 @@
+Index: sys/kern/uipc_sockbuf.c
+===================================================================
+--- sys/kern/uipc_sockbuf.c	(revision 268273)
++++ sys/kern/uipc_sockbuf.c	(working copy)
+@@ -1011,6 +1011,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
+ 	m->m_len = 0;
+ 	KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ 	    ("sbcreatecontrol: short mbuf"));
++	/*
++	 * Don't leave the padding between the msg header and the
++	 * cmsg data and the padding after the cmsg data un-initialized.
++	 */
++	bzero(cp, CMSG_SPACE((u_int)size));
+ 	if (p != NULL)
+ 		(void)memcpy(CMSG_DATA(cp), p, size);
+ 	m->m_len = CMSG_SPACE(size);
+Index: sys/netinet/sctp_auth.c
+===================================================================
+--- sys/netinet/sctp_auth.c	(revision 268273)
++++ sys/netinet/sctp_auth.c	(working copy)
+@@ -1876,6 +1876,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
+ 
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	auth = mtod(m_notify, struct sctp_authkey_event *);
++	memset(auth, 0, sizeof(struct sctp_authkey_event));
+ 	auth->auth_type = SCTP_AUTHENTICATION_EVENT;
+ 	auth->auth_flags = 0;
+ 	auth->auth_length = sizeof(*auth);
+Index: sys/netinet/sctp_indata.c
+===================================================================
+--- sys/netinet/sctp_indata.c	(revision 268273)
++++ sys/netinet/sctp_indata.c	(working copy)
+@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
+ 
+ 	/* We need a CMSG header followed by the struct */
+ 	cmh = mtod(ret, struct cmsghdr *);
++	/*
++	 * Make sure that there is no un-initialized padding between the
++	 * cmsg header and cmsg data and after the cmsg data.
++	 */
++	memset(cmh, 0, len);
+ 	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
+ 		cmh->cmsg_level = IPPROTO_SCTP;
+ 		cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
+Index: sys/netinet/sctputil.c
+===================================================================
+--- sys/netinet/sctputil.c	(revision 268273)
++++ sys/netinet/sctputil.c	(working copy)
+@@ -2628,6 +2628,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
+ 		}
+ 		SCTP_BUF_NEXT(m_notify) = NULL;
+ 		sac = mtod(m_notify, struct sctp_assoc_change *);
++		memset(sac, 0, notif_len);
+ 		sac->sac_type = SCTP_ASSOC_CHANGE;
+ 		sac->sac_flags = 0;
+ 		sac->sac_length = sizeof(struct sctp_assoc_change);
+@@ -2834,11 +2835,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+-	length += chk->send_size;
+-	length -= sizeof(struct sctp_data_chunk);
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ 		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++		memset(ssfe, 0, length);
+ 		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ 		if (sent) {
+ 			ssfe->ssfe_flags = SCTP_DATA_SENT;
+@@ -2845,10 +2845,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		} else {
+ 			ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ 		}
++		length += chk->send_size;
++		length -= sizeof(struct sctp_data_chunk);
+ 		ssfe->ssfe_length = length;
+ 		ssfe->ssfe_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ 		ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
+ 		ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
+ 		ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
+@@ -2858,6 +2859,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ 	} else {
+ 		ssf = mtod(m_notify, struct sctp_send_failed *);
++		memset(ssf, 0, length);
+ 		ssf->ssf_type = SCTP_SEND_FAILED;
+ 		if (sent) {
+ 			ssf->ssf_flags = SCTP_DATA_SENT;
+@@ -2864,6 +2866,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		} else {
+ 			ssf->ssf_flags = SCTP_DATA_UNSENT;
+ 		}
++		length += chk->send_size;
++		length -= sizeof(struct sctp_data_chunk);
+ 		ssf->ssf_length = length;
+ 		ssf->ssf_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+@@ -2947,16 +2951,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ 		/* no space left */
+ 		return;
+ 	}
+-	length += sp->length;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ 		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++		memset(ssfe, 0, length);
+ 		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ 		ssfe->ssfe_flags = SCTP_DATA_UNSENT;
++		length += sp->length;
+ 		ssfe->ssfe_length = length;
+ 		ssfe->ssfe_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ 		ssfe->ssfe_info.snd_sid = sp->stream;
+ 		if (sp->some_taken) {
+ 			ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
+@@ -2970,12 +2974,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ 		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ 	} else {
+ 		ssf = mtod(m_notify, struct sctp_send_failed *);
++		memset(ssf, 0, length);
+ 		ssf->ssf_type = SCTP_SEND_FAILED;
+ 		ssf->ssf_flags = SCTP_DATA_UNSENT;
++		length += sp->length;
+ 		ssf->ssf_length = length;
+ 		ssf->ssf_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
+ 		ssf->ssf_info.sinfo_stream = sp->stream;
+ 		ssf->ssf_info.sinfo_ssn = sp->strseq;
+ 		if (sp->some_taken) {
+@@ -3037,6 +3042,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	sai = mtod(m_notify, struct sctp_adaptation_event *);
++	memset(sai, 0, sizeof(struct sctp_adaptation_event));
+ 	sai->sai_type = SCTP_ADAPTATION_INDICATION;
+ 	sai->sai_flags = 0;
+ 	sai->sai_length = sizeof(struct sctp_adaptation_event);
+@@ -3092,6 +3098,7 @@ sctp_notify_partial_delivery_indication(struct sct
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	pdapi = mtod(m_notify, struct sctp_pdapi_event *);
++	memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
+ 	pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
+ 	pdapi->pdapi_flags = 0;
+ 	pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
+@@ -3201,6 +3208,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
+ 		/* no space left */
+ 		return;
+ 	sse = mtod(m_notify, struct sctp_shutdown_event *);
++	memset(sse, 0, sizeof(struct sctp_shutdown_event));
+ 	sse->sse_type = SCTP_SHUTDOWN_EVENT;
+ 	sse->sse_flags = 0;
+ 	sse->sse_length = sizeof(struct sctp_shutdown_event);
+@@ -3251,6 +3259,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
+ 	}
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	event = mtod(m_notify, struct sctp_sender_dry_event *);
++	memset(event, 0, sizeof(struct sctp_sender_dry_event));
+ 	event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+ 	event->sender_dry_flags = 0;
+ 	event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+@@ -3283,7 +3292,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ 	struct mbuf *m_notify;
+ 	struct sctp_queued_to_read *control;
+ 	struct sctp_stream_change_event *stradd;
+-	int len;
+ 
+ 	if ((stcb == NULL) ||
+ 	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
+@@ -3296,25 +3304,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ 		return;
+ 	}
+ 	stcb->asoc.peer_req_out = 0;
+-	m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+-	len = sizeof(struct sctp_stream_change_event);
+-	if (len > M_TRAILINGSPACE(m_notify)) {
+-		/* never enough room */
+-		sctp_m_freem(m_notify);
+-		return;
+-	}
+ 	stradd = mtod(m_notify, struct sctp_stream_change_event *);
++	memset(stradd, 0, sizeof(struct sctp_stream_change_event));
+ 	stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
+ 	stradd->strchange_flags = flag;
+-	stradd->strchange_length = len;
++	stradd->strchange_length = sizeof(struct sctp_stream_change_event);
+ 	stradd->strchange_assoc_id = sctp_get_associd(stcb);
+ 	stradd->strchange_instrms = numberin;
+ 	stradd->strchange_outstrms = numberout;
+-	SCTP_BUF_LEN(m_notify) = len;
++	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
+ 	SCTP_BUF_NEXT(m_notify) = NULL;
+ 	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ 		/* no space */
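Review bot: Dropping `int len` leaves `sizeof(struct sctp_stream_change_event)` spelled out four times in this hunk (the allocation, the memset, `strchange_length` and `SCTP_BUF_LEN`), which is the repetition the removed local was avoiding; `const size_t len = sizeof(struct sctp_stream_change_event);` would make it visible that the zeroed span, the requested mbuf size and the advertised length are one value. With the `M_TRAILINGSPACE` check gone, the memset now relies on `sctp_get_mbuf_for_msg()` returning either at least the requested space or NULL, which the hunk does not show; if that helper can hand back a shorter mbuf, the removed check was load-bearing and should come back.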
+@@ -3345,7 +3348,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ 	struct mbuf *m_notify;
+ 	struct sctp_queued_to_read *control;
+ 	struct sctp_assoc_reset_event *strasoc;
+-	int len;
+ 
+ 	if ((stcb == NULL) ||
+ 	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
+@@ -3352,25 +3354,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ 		/* event not enabled */
+ 		return;
+ 	}
+-	m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA);
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+-	len = sizeof(struct sctp_assoc_reset_event);
+-	if (len > M_TRAILINGSPACE(m_notify)) {
+-		/* never enough room */
+-		sctp_m_freem(m_notify);
+-		return;
+-	}
+ 	strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
++	memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
+ 	strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
+ 	strasoc->assocreset_flags = flag;
+-	strasoc->assocreset_length = len;
++	strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
+ 	strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
+ 	strasoc->assocreset_local_tsn = sending_tsn;
+ 	strasoc->assocreset_remote_tsn = recv_tsn;
+-	SCTP_BUF_LEN(m_notify) = len;
++	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
+ 	SCTP_BUF_NEXT(m_notify) = NULL;
+ 	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ 		/* no space */
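Review bot: As in the stream-change notification above, the removal of `int len` leaves `sizeof(struct sctp_assoc_reset_event)` repeated four times, and the deleted `M_TRAILINGSPACE` guard is now implied by the allocation size passed to `sctp_get_mbuf_for_msg()`, whose behaviour on a partial allocation is not visible here. Keeping a `const size_t len = sizeof(struct sctp_assoc_reset_event);` and using it for the allocation, the memset, `assocreset_length` and `SCTP_BUF_LEN` keeps the four sizes tied together.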
+@@ -3423,6 +3420,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
+ 		return;
+ 	}
+ 	strreset = mtod(m_notify, struct sctp_stream_reset_event *);
++	memset(strreset, 0, len);
+ 	strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
+ 	strreset->strreset_flags = flag;
+ 	strreset->strreset_length = len;
+@@ -6261,9 +6259,12 @@ sctp_soreceive(struct socket *so,
+ 		fromlen = 0;
+ 	}
+ 
++	if (filling_sinfo) {
++		memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
++	}
+ 	error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
+ 	    (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
+-	if ((controlp) && (filling_sinfo)) {
++	if (controlp != NULL) {
+ 		/* copy back the sinfo in a CMSG format */
+ 		if (filling_sinfo)
+ 			*controlp = sctp_build_ctl_nchunk(inp,
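Review bot: The widened `if (controlp != NULL)` now enters the block when `filling_sinfo` is false, but the visible lines only assign `*controlp` under `if (filling_sinfo)`, so whether that path stores an explicit NULL depends on an else branch past the end of the hunk; if there is none, the caller's control pointer is left holding whatever it had before the call. Likewise `sinfo` is only zeroed when `filling_sinfo` is set, so on the other path `sctp_sorecvmsg()` still receives an uninitialised `struct sctp_extrcvinfo` and is trusted never to read it. An unconditional `memset(&sinfo, 0, sizeof(sinfo));` costs one struct clear per call and removes that dependency; the `*controlp = NULL` case should be confirmed in the part of the function beyond the hunk. sctp_soreceive continues beyond this hunk.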

Added: head/share/security/patches/SA-14:17/kmem-9.1.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:17/kmem-9.1.patch.asc	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+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+=vpdj
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:17/kmem.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:17/kmem.patch	Tue Jul  8 22:23:25 2014	(r45230)
@@ -0,0 +1,263 @@
+Index: sys/kern/uipc_sockbuf.c
+===================================================================
+--- sys/kern/uipc_sockbuf.c	(revision 268273)
++++ sys/kern/uipc_sockbuf.c	(working copy)
+@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
+ 	m->m_len = 0;
+ 	KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ 	    ("sbcreatecontrol: short mbuf"));
++	/*
++	 * Don't leave the padding between the msg header and the
++	 * cmsg data and the padding after the cmsg data un-initialized.
++	 */
++	bzero(cp, CMSG_SPACE((u_int)size));
+ 	if (p != NULL)
+ 		(void)memcpy(CMSG_DATA(cp), p, size);
+ 	m->m_len = CMSG_SPACE(size);
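Review bot: The new comment says what is zeroed but not why it matters, which is the property a later maintainer needs before trimming the bzero down to "just the padding": the control mbuf built here is, as far as the SA-14:17 kmem context and the function's role suggest, what recvmsg(2) hands to userland, so any byte of `CMSG_SPACE()` that is never written is a kernel memory disclosure. I would reword it as `/* Zero the whole CMSG_SPACE(): the alignment padding before and after the cmsg data is copied out to userland with the control message and would otherwise leak kernel memory. */`. The bzero uses the same `CMSG_SPACE((u_int)size)` the KASSERT checks, so on a kernel without INVARIANTS it is protected only by whatever the allocation above the hunk guarantees about the mbuf's size; sbcreatecontrol starts above this hunk.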
+Index: sys/netinet/sctp_auth.c
+===================================================================
+--- sys/netinet/sctp_auth.c	(revision 268273)
++++ sys/netinet/sctp_auth.c	(working copy)
+@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
+ 
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	auth = mtod(m_notify, struct sctp_authkey_event *);
++	memset(auth, 0, sizeof(struct sctp_authkey_event));
+ 	auth->auth_type = SCTP_AUTHENTICATION_EVENT;
+ 	auth->auth_flags = 0;
+ 	auth->auth_length = sizeof(*auth);
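Review bot: The new memset spells out `sizeof(struct sctp_authkey_event)` while the `auth_length` assignment three lines below uses `sizeof(*auth)` for the same quantity; `memset(auth, 0, sizeof(*auth));` keeps the two in step and ties the cleared span to the pointer being cleared rather than to a type name that could drift. sctp_notify_authentication starts above this hunk.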
+Index: sys/netinet/sctp_indata.c
+===================================================================
+--- sys/netinet/sctp_indata.c	(revision 268273)
++++ sys/netinet/sctp_indata.c	(working copy)
+@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
+ 
+ 	/* We need a CMSG header followed by the struct */
+ 	cmh = mtod(ret, struct cmsghdr *);
++	/*
++	 * Make sure that there is no un-initialized padding between the
++	 * cmsg header and cmsg data and after the cmsg data.
++	 */
++	memset(cmh, 0, len);
+ 	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
+ 		cmh->cmsg_level = IPPROTO_SCTP;
+ 		cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
+Index: sys/netinet/sctputil.c
+===================================================================
+--- sys/netinet/sctputil.c	(revision 268273)
++++ sys/netinet/sctputil.c	(working copy)
+@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
+ 		}
+ 		SCTP_BUF_NEXT(m_notify) = NULL;
+ 		sac = mtod(m_notify, struct sctp_assoc_change *);
++		memset(sac, 0, notif_len);
+ 		sac->sac_type = SCTP_ASSOC_CHANGE;
+ 		sac->sac_flags = 0;
+ 		sac->sac_length = sizeof(struct sctp_assoc_change);
+@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+-	length += chk->send_size;
+-	length -= sizeof(struct sctp_data_chunk);
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ 		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++		memset(ssfe, 0, length);
+ 		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ 		if (sent) {
+ 			ssfe->ssfe_flags = SCTP_DATA_SENT;
+@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		} else {
+ 			ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ 		}
++		length += chk->send_size;
++		length -= sizeof(struct sctp_data_chunk);
+ 		ssfe->ssfe_length = length;
+ 		ssfe->ssfe_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ 		ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
+ 		ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
+ 		ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
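Review bot: The two-line `length += chk->send_size; length -= sizeof(struct sctp_data_chunk);` adjustment now has to be repeated after each branch's memset (the legacy branch's copy presumably sits past the next hunk), because `length` does double duty as the allocation size and the advertised size. Computing the advertised value once before the `if`, e.g. `size_t reported = length + chk->send_size - sizeof(struct sctp_data_chunk);`, and using it only for `ssfe_length`/`ssf_length` would keep `length` equal to the mbuf request for the whole function and make the memset/allocation relationship obvious. Whether `chk->send_size` is guaranteed to be at least `sizeof(struct sctp_data_chunk)` is not visible here. sctp_notify_send_failed starts above this hunk.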
+@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ 	} else {
+ 		ssf = mtod(m_notify, struct sctp_send_failed *);
++		memset(ssf, 0, length);
+ 		ssf->ssf_type = SCTP_SEND_FAILED;
+ 		if (sent) {
+ 			ssf->ssf_flags = SCTP_DATA_SENT;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

