svn commit: r193893 - head/contrib/ntp/ntpd head/sys/kern
head/sys/netinet6 releng/6.3 releng/6.3/contrib/ntp/ntpd
releng/6.3/sys/conf releng/6.3/sys/kern
releng/6.3/sys/netinet6 releng/6.4 releng/...
Colin Percival
cperciva at FreeBSD.org
Wed Jun 10 10:31:15 UTC 2009
Author: cperciva
Date: Wed Jun 10 10:31:11 2009
New Revision: 193893
URL: http://svn.freebsd.org/changeset/base/193893
Log:
Prevent integer overflow in direct pipe write code from circumventing
virtual-to-physical page lookups. [09:09]
Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]
Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]
Approved by: so (cperciva)
Approved by: re (not really, but SVN wants this...)
Security: FreeBSD-SA-09:09.pipe
Security: FreeBSD-SA-09:10.ipv6
Security: FreeBSD-SA-09:11.ntpd
Modified:
releng/6.3/UPDATING
releng/6.3/contrib/ntp/ntpd/ntp_crypto.c
releng/6.3/sys/conf/newvers.sh
releng/6.3/sys/kern/sys_pipe.c
releng/6.3/sys/netinet6/in6.c
releng/6.4/UPDATING
releng/6.4/contrib/ntp/ntpd/ntp_crypto.c
releng/6.4/sys/conf/newvers.sh
releng/6.4/sys/kern/sys_pipe.c
releng/6.4/sys/netinet6/in6.c
releng/7.1/UPDATING
releng/7.1/contrib/ntp/ntpd/ntp_crypto.c
releng/7.1/sys/conf/newvers.sh
releng/7.1/sys/kern/sys_pipe.c
releng/7.1/sys/netinet6/in6.c
releng/7.2/UPDATING
releng/7.2/contrib/ntp/ntpd/ntp_crypto.c
releng/7.2/sys/conf/newvers.sh
releng/7.2/sys/kern/sys_pipe.c
releng/7.2/sys/netinet6/in6.c
Changes in other areas also in this revision:
Modified:
head/contrib/ntp/ntpd/ntp_crypto.c
head/sys/kern/sys_pipe.c
head/sys/netinet6/in6.c
stable/6/contrib/ntp/ntpd/ntp_crypto.c
stable/6/sys/kern/sys_pipe.c
stable/6/sys/netinet6/in6.c
stable/7/contrib/ntp/ntpd/ntp_crypto.c
stable/7/sys/kern/sys_pipe.c
stable/7/sys/netinet6/in6.c
Modified: releng/6.3/UPDATING
==============================================================================
--- releng/6.3/UPDATING Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.3/UPDATING Wed Jun 10 10:31:11 2009 (r193893)
@@ -8,6 +8,15 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090610: p11 FreeBSD-SA-09:09.pipe, FreeBSD-SA-09:10.ipv6,
+ FreeBSD-SA-09:11.ntpd
+ Prevent integer overflow in direct pipe write code from circumventing
+ virtual-to-physical page lookups. [09:09]
+
+ Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]
+
+ Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]
+
20090422: p10 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl
Don't leak information via uninitialized space in db(3) records.
[09:07]
Modified: releng/6.3/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/6.3/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.3/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -534,7 +534,7 @@ crypto_recv(
peer->issuer = emalloc(vallen + 1);
strcpy(peer->issuer, peer->subject);
temp32 = (fstamp >> 16) & 0xffff;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"flags 0x%x host %s signature %s", fstamp,
peer->subject, OBJ_nid2ln(temp32));
record_crypto_stats(&peer->srcadr, statstr);
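Review bot: The new bound `NTP_MAXSTRLEN` is written out by hand at every call rather than taken from the destination, so the fix stays correct only while `statstr` is declared with exactly that size; the declaration is outside these hunks and cannot be confirmed here. If `statstr` is a local array in each function, `snprintf(statstr, sizeof(statstr), ...)` would tie the limit to the buffer itself. The return value is also discarded, so an over-long `peer->subject` or `cinfo->subject` is now truncated silently before `record_crypto_stats()`; that is memory-safe, but the truncated stats line deserves a comment or a check of the return value against the buffer size. The same applies to every `snprintf` hunk in `crypto_recv`, `crypto_xmit`, `crypto_update`, `crypto_key`, `crypto_cert` and `crypto_tai` on all four release branches. `crypto_recv` starts and ends outside this hunk.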
@@ -604,7 +604,8 @@ crypto_recv(
}
peer->flash &= ~TEST10;
temp32 = cinfo->nid;
- sprintf(statstr, "cert %s 0x%x %s (%u) fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "cert %s 0x%x %s (%u) fs %u",
cinfo->subject, cinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
@@ -652,7 +653,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST10;
- sprintf(statstr, "iff fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -699,7 +700,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST10;
- sprintf(statstr, "gq fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -739,7 +740,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST10;
- sprintf(statstr, "mv fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -778,7 +779,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_SIGN;
peer->flash &= ~TEST10;
temp32 = cinfo->nid;
- sprintf(statstr, "sign %s 0x%x %s (%u) fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "sign %s 0x%x %s (%u) fs %u",
cinfo->issuer, cinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
@@ -833,7 +834,7 @@ crypto_recv(
peer->crypto &= ~CRYPTO_FLAG_AUTO;
peer->crypto |= CRYPTO_FLAG_AGREE;
peer->flash &= ~TEST10;
- sprintf(statstr, "cook %x ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
peer->pcookie, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -897,7 +898,7 @@ crypto_recv(
peer->crypto &= ~CRYPTO_FLAG_AUTO;
peer->crypto |= CRYPTO_FLAG_AGREE;
peer->flash &= ~TEST10;
- sprintf(statstr, "cook %x ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
peer->pcookie, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -947,7 +948,7 @@ crypto_recv(
peer->pkeyid = bp->key;
peer->crypto |= CRYPTO_FLAG_AUTO;
peer->flash &= ~TEST10;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"auto seq %d key %x ts %u fs %u", bp->seq,
bp->key, ntohl(ep->tstamp),
ntohl(ep->fstamp));
@@ -1051,7 +1052,7 @@ crypto_recv(
(void)ntp_adjtime(&ntv);
#endif /* NTP_API */
#endif /* KERNEL_PLL */
- sprintf(statstr, "leap %u ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "leap %u ts %u fs %u",
vallen, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -1106,7 +1107,7 @@ crypto_recv(
* scan and we return the laundry to the caller.
*/
if (rval != XEVNT_OK) {
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"error %x opcode %x ts %u fs %u", rval,
code, tstamp, fstamp);
if (rval > XEVNT_TSP)
@@ -1388,7 +1389,8 @@ crypto_xmit(
*/
if (rval > XEVNT_TSP) {
opcode |= CRYPTO_ERROR;
- sprintf(statstr, "error %x opcode %x", rval, opcode);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "error %x opcode %x", rval, opcode);
record_crypto_stats(srcadr_sin, statstr);
#ifdef DEBUG
if (debug)
@@ -1884,7 +1886,8 @@ crypto_update(void)
if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
tai_leap.siglen = htonl(len);
}
- sprintf(statstr, "update ts %u", ntohl(hostval.tstamp));
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "update ts %u", ntohl(hostval.tstamp));
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
@@ -3461,7 +3464,7 @@ crypto_key(
*/
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- sprintf(statstr, "%s mod %d", &linkname[2],
+ snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],
EVP_PKEY_size(pkey) * 8);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
@@ -3563,8 +3566,8 @@ crypto_cert(
return (NULL);
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags,
- len);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "%s 0x%x len %lu", &linkname[2], ret->flags, len);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
@@ -3692,7 +3695,7 @@ crypto_tai(
"crypto_tai: kernel TAI update failed");
#endif /* NTP_API */
#endif /* KERNEL_PLL */
- sprintf(statstr, "%s link %d fs %u offset %u", cp, rval, fstamp,
+ snprintf(statstr, NTP_MAXSTRLEN, "%s link %d fs %u offset %u", cp, rval, fstamp,
ntohl(tai_leap.vallen) / 4 + TAI_1972 - 1);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
Modified: releng/6.3/sys/conf/newvers.sh
==============================================================================
--- releng/6.3/sys/conf/newvers.sh Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.3/sys/conf/newvers.sh Wed Jun 10 10:31:11 2009 (r193893)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="6.3"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/6.3/sys/kern/sys_pipe.c
==============================================================================
--- releng/6.3/sys/kern/sys_pipe.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.3/sys/kern/sys_pipe.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -774,6 +774,8 @@ pipe_build_write_buffer(wpipe, uio)
pmap = vmspace_pmap(curproc->p_vmspace);
endaddr = round_page((vm_offset_t)uio->uio_iov->iov_base + size);
addr = trunc_page((vm_offset_t)uio->uio_iov->iov_base);
+ if (endaddr < addr)
+ return (EFAULT);
for (i = 0; addr < endaddr; addr += PAGE_SIZE, i++) {
/*
* vm_fault_quick() can sleep. Consequently,
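Review bot: The added `if (endaddr < addr)` test carries no comment, and its purpose is not obvious from the surrounding lines: it rejects the case where `iov_base + size`, or the `round_page()` of it, wraps around, which would otherwise make the `for` loop below run zero times. A one-line comment such as `/* iov_base + size wrapped around: fail instead of looking up no pages */` would keep a later cleanup from dropping the check. The early return sits before the loop, so nothing acquired by the loop is held at that point; whatever `pipe_build_write_buffer` sets up before the hunk is not visible here. The releng/6.4, releng/7.1 and releng/7.2 hunks are identical.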
Modified: releng/6.3/sys/netinet6/in6.c
==============================================================================
--- releng/6.3/sys/netinet6/in6.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.3/sys/netinet6/in6.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -357,12 +357,12 @@ in6_control(so, cmd, data, ifp, td)
case SIOCSRTRFLUSH_IN6:
case SIOCSDEFIFACE_IN6:
case SIOCSIFINFO_FLAGS:
+ case SIOCSIFINFO_IN6:
if (!privileged)
return (EPERM);
/* FALLTHROUGH */
case OSIOCGIFINFO_IN6:
case SIOCGIFINFO_IN6:
- case SIOCSIFINFO_IN6:
case SIOCGDRLST_IN6:
case SIOCGPRLST_IN6:
case SIOCGNBRINFO_IN6:
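Review bot: Whether an ioctl is privileged depends only on which side of the `/* FALLTHROUGH */` its `case` label sits, and nothing in the switch says so, which is presumably how `SIOCSIFINFO_IN6` came to sit in the unprivileged group. A short comment above the first group, for example `/* Commands that modify ND6 state: keep above the privilege check. */`, would make the rule visible to whoever adds the next `SIOCS*` command. The switch in `in6_control` starts and ends outside this hunk, so other set-type commands further down cannot be checked from here. The releng/6.4 hunk is identical.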
Modified: releng/6.4/UPDATING
==============================================================================
--- releng/6.4/UPDATING Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.4/UPDATING Wed Jun 10 10:31:11 2009 (r193893)
@@ -8,6 +8,15 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090610: p5 FreeBSD-SA-09:09.pipe, FreeBSD-SA-09:10.ipv6,
+ FreeBSD-SA-09:11.ntpd
+ Prevent integer overflow in direct pipe write code from circumventing
+ virtual-to-physical page lookups. [09:09]
+
+ Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]
+
+ Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]
+
20090422: p4 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl
Don't leak information via uninitialized space in db(3) records.
[09:07]
Modified: releng/6.4/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/6.4/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.4/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -570,7 +570,7 @@ crypto_recv(
peer->issuer = emalloc(vallen + 1);
strcpy(peer->issuer, peer->subject);
temp32 = (fstamp >> 16) & 0xffff;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"flags 0x%x host %s signature %s", fstamp,
peer->subject, OBJ_nid2ln(temp32));
record_crypto_stats(&peer->srcadr, statstr);
@@ -636,7 +636,8 @@ crypto_recv(
}
peer->flash &= ~TEST8;
temp32 = cinfo->nid;
- sprintf(statstr, "cert %s 0x%x %s (%u) fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "cert %s 0x%x %s (%u) fs %u",
cinfo->subject, cinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
@@ -685,7 +686,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "iff fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -733,7 +734,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "gq fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -774,7 +775,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "mv fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -828,7 +829,7 @@ crypto_recv(
peer->crypto &= ~CRYPTO_FLAG_AUTO;
peer->crypto |= CRYPTO_FLAG_AGREE;
peer->flash &= ~TEST8;
- sprintf(statstr, "cook %x ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
peer->pcookie, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -893,7 +894,7 @@ crypto_recv(
peer->crypto &= ~CRYPTO_FLAG_AUTO;
peer->crypto |= CRYPTO_FLAG_AGREE;
peer->flash &= ~TEST8;
- sprintf(statstr, "cook %x ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
peer->pcookie, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -944,7 +945,7 @@ crypto_recv(
peer->pkeyid = bp->key;
peer->crypto |= CRYPTO_FLAG_AUTO;
peer->flash &= ~TEST8;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"auto seq %d key %x ts %u fs %u", bp->seq,
bp->key, ntohl(ep->tstamp),
ntohl(ep->fstamp));
@@ -987,7 +988,8 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_SIGN;
peer->flash &= ~TEST8;
temp32 = cinfo->nid;
- sprintf(statstr, "sign %s 0x%x %s (%u) fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "sign %s 0x%x %s (%u) fs %u",
cinfo->issuer, cinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
@@ -1071,7 +1073,8 @@ crypto_recv(
crypto_flags |= CRYPTO_FLAG_TAI;
peer->crypto |= CRYPTO_FLAG_LEAP;
peer->flash &= ~TEST8;
- sprintf(statstr, "leap %u ts %u fs %u", vallen,
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "leap %u ts %u fs %u", vallen,
ntohl(ep->tstamp), ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -1127,7 +1130,7 @@ crypto_recv(
* cheerfully ignored, as the message is not sent.
*/
if (rval > XEVNT_TSP) {
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"error %x opcode %x ts %u fs %u", rval,
code, tstamp, fstamp);
record_crypto_stats(&peer->srcadr, statstr);
@@ -1453,7 +1456,8 @@ crypto_xmit(
*/
if (rval != XEVNT_OK) {
opcode |= CRYPTO_ERROR;
- sprintf(statstr, "error %x opcode %x", rval, opcode);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "error %x opcode %x", rval, opcode);
record_crypto_stats(srcadr_sin, statstr);
report_event(rval, NULL);
#ifdef DEBUG
@@ -1952,7 +1956,8 @@ crypto_update(void)
if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
tai_leap.siglen = htonl(len);
}
- sprintf(statstr, "update ts %u", ntohl(hostval.tstamp));
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "update ts %u", ntohl(hostval.tstamp));
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
@@ -3606,7 +3611,7 @@ crypto_key(
*/
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- sprintf(statstr, "%s mod %d", &linkname[2],
+ snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],
EVP_PKEY_size(pkey) * 8);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
@@ -3715,8 +3720,8 @@ crypto_cert(
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags,
- len);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "%s 0x%x len %lu", &linkname[2], ret->flags, len);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
@@ -3832,7 +3837,7 @@ crypto_tai(
for (j = 0; j < i; j++)
*ptr++ = htonl(leapsec[j]);
crypto_flags |= CRYPTO_FLAG_TAI;
- sprintf(statstr, "%s fs %u leap %u len %u", cp, fstamp,
+ snprintf(statstr, NTP_MAXSTRLEN, "%s fs %u leap %u len %u", cp, fstamp,
leapsec[--j], len);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
Modified: releng/6.4/sys/conf/newvers.sh
==============================================================================
--- releng/6.4/sys/conf/newvers.sh Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.4/sys/conf/newvers.sh Wed Jun 10 10:31:11 2009 (r193893)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="6.4"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/6.4/sys/kern/sys_pipe.c
==============================================================================
--- releng/6.4/sys/kern/sys_pipe.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.4/sys/kern/sys_pipe.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -774,6 +774,8 @@ pipe_build_write_buffer(wpipe, uio)
pmap = vmspace_pmap(curproc->p_vmspace);
endaddr = round_page((vm_offset_t)uio->uio_iov->iov_base + size);
addr = trunc_page((vm_offset_t)uio->uio_iov->iov_base);
+ if (endaddr < addr)
+ return (EFAULT);
for (i = 0; addr < endaddr; addr += PAGE_SIZE, i++) {
/*
* vm_fault_quick() can sleep. Consequently,
Modified: releng/6.4/sys/netinet6/in6.c
==============================================================================
--- releng/6.4/sys/netinet6/in6.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/6.4/sys/netinet6/in6.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -359,12 +359,12 @@ in6_control(so, cmd, data, ifp, td)
case SIOCSRTRFLUSH_IN6:
case SIOCSDEFIFACE_IN6:
case SIOCSIFINFO_FLAGS:
+ case SIOCSIFINFO_IN6:
if (!privileged)
return (EPERM);
/* FALLTHROUGH */
case OSIOCGIFINFO_IN6:
case SIOCGIFINFO_IN6:
- case SIOCSIFINFO_IN6:
case SIOCGDRLST_IN6:
case SIOCGPRLST_IN6:
case SIOCGNBRINFO_IN6:
Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.1/UPDATING Wed Jun 10 10:31:11 2009 (r193893)
@@ -8,6 +8,15 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090610: p6 FreeBSD-SA-09:09.pipe, FreeBSD-SA-09:10.ipv6,
+ FreeBSD-SA-09:11.ntpd
+ Prevent integer overflow in direct pipe write code from circumventing
+ virtual-to-physical page lookups. [09:09]
+
+ Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]
+
+ Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]
+
20090422: p5 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl
Don't leak information via uninitialized space in db(3) records.
[09:07]
Modified: releng/7.1/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/7.1/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.1/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -570,7 +570,7 @@ crypto_recv(
peer->issuer = emalloc(vallen + 1);
strcpy(peer->issuer, peer->subject);
temp32 = (fstamp >> 16) & 0xffff;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"flags 0x%x host %s signature %s", fstamp,
peer->subject, OBJ_nid2ln(temp32));
record_crypto_stats(&peer->srcadr, statstr);
@@ -636,7 +636,8 @@ crypto_recv(
}
peer->flash &= ~TEST8;
temp32 = cinfo->nid;
- sprintf(statstr, "cert %s 0x%x %s (%u) fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "cert %s 0x%x %s (%u) fs %u",
cinfo->subject, cinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
@@ -685,7 +686,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "iff fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -733,7 +734,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "gq fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -774,7 +775,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "mv fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -828,7 +829,7 @@ crypto_recv(
peer->crypto &= ~CRYPTO_FLAG_AUTO;
peer->crypto |= CRYPTO_FLAG_AGREE;
peer->flash &= ~TEST8;
- sprintf(statstr, "cook %x ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
peer->pcookie, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -893,7 +894,7 @@ crypto_recv(
peer->crypto &= ~CRYPTO_FLAG_AUTO;
peer->crypto |= CRYPTO_FLAG_AGREE;
peer->flash &= ~TEST8;
- sprintf(statstr, "cook %x ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
peer->pcookie, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -944,7 +945,7 @@ crypto_recv(
peer->pkeyid = bp->key;
peer->crypto |= CRYPTO_FLAG_AUTO;
peer->flash &= ~TEST8;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"auto seq %d key %x ts %u fs %u", bp->seq,
bp->key, ntohl(ep->tstamp),
ntohl(ep->fstamp));
@@ -987,7 +988,8 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_SIGN;
peer->flash &= ~TEST8;
temp32 = cinfo->nid;
- sprintf(statstr, "sign %s 0x%x %s (%u) fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "sign %s 0x%x %s (%u) fs %u",
cinfo->issuer, cinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
@@ -1071,7 +1073,8 @@ crypto_recv(
crypto_flags |= CRYPTO_FLAG_TAI;
peer->crypto |= CRYPTO_FLAG_LEAP;
peer->flash &= ~TEST8;
- sprintf(statstr, "leap %u ts %u fs %u", vallen,
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "leap %u ts %u fs %u", vallen,
ntohl(ep->tstamp), ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -1127,7 +1130,7 @@ crypto_recv(
* cheerfully ignored, as the message is not sent.
*/
if (rval > XEVNT_TSP) {
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"error %x opcode %x ts %u fs %u", rval,
code, tstamp, fstamp);
record_crypto_stats(&peer->srcadr, statstr);
@@ -1453,7 +1456,8 @@ crypto_xmit(
*/
if (rval != XEVNT_OK) {
opcode |= CRYPTO_ERROR;
- sprintf(statstr, "error %x opcode %x", rval, opcode);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "error %x opcode %x", rval, opcode);
record_crypto_stats(srcadr_sin, statstr);
report_event(rval, NULL);
#ifdef DEBUG
@@ -1952,7 +1956,8 @@ crypto_update(void)
if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
tai_leap.siglen = htonl(len);
}
- sprintf(statstr, "update ts %u", ntohl(hostval.tstamp));
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "update ts %u", ntohl(hostval.tstamp));
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
@@ -3606,7 +3611,7 @@ crypto_key(
*/
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- sprintf(statstr, "%s mod %d", &linkname[2],
+ snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],
EVP_PKEY_size(pkey) * 8);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
@@ -3715,8 +3720,8 @@ crypto_cert(
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags,
- len);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "%s 0x%x len %lu", &linkname[2], ret->flags, len);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
@@ -3832,7 +3837,7 @@ crypto_tai(
for (j = 0; j < i; j++)
*ptr++ = htonl(leapsec[j]);
crypto_flags |= CRYPTO_FLAG_TAI;
- sprintf(statstr, "%s fs %u leap %u len %u", cp, fstamp,
+ snprintf(statstr, NTP_MAXSTRLEN, "%s fs %u leap %u len %u", cp, fstamp,
leapsec[--j], len);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
Modified: releng/7.1/sys/conf/newvers.sh
==============================================================================
--- releng/7.1/sys/conf/newvers.sh Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.1/sys/conf/newvers.sh Wed Jun 10 10:31:11 2009 (r193893)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.1"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.1/sys/kern/sys_pipe.c
==============================================================================
--- releng/7.1/sys/kern/sys_pipe.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.1/sys/kern/sys_pipe.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -755,6 +755,8 @@ pipe_build_write_buffer(wpipe, uio)
pmap = vmspace_pmap(curproc->p_vmspace);
endaddr = round_page((vm_offset_t)uio->uio_iov->iov_base + size);
addr = trunc_page((vm_offset_t)uio->uio_iov->iov_base);
+ if (endaddr < addr)
+ return (EFAULT);
for (i = 0; addr < endaddr; addr += PAGE_SIZE, i++) {
/*
* vm_fault_quick() can sleep. Consequently,
Modified: releng/7.1/sys/netinet6/in6.c
==============================================================================
--- releng/7.1/sys/netinet6/in6.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.1/sys/netinet6/in6.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -353,6 +353,7 @@ in6_control(struct socket *so, u_long cm
case SIOCSRTRFLUSH_IN6:
case SIOCSDEFIFACE_IN6:
case SIOCSIFINFO_FLAGS:
+ case SIOCSIFINFO_IN6:
if (td != NULL) {
error = priv_check(td, PRIV_NETINET_ND6);
if (error)
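Review bot: On this branch the check that `SIOCSIFINFO_IN6` now falls under is skipped entirely when `td == NULL`, so the new privilege requirement holds only for callers that pass a thread. If `NULL` is reserved for in-kernel callers, a comment on the `if (td != NULL)` line saying so would document why that path is trusted; the callers are not visible in this hunk. The body of the `if` continues outside the hunk, and the releng/7.2 hunk has the same shape.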
@@ -361,7 +362,6 @@ in6_control(struct socket *so, u_long cm
/* FALLTHROUGH */
case OSIOCGIFINFO_IN6:
case SIOCGIFINFO_IN6:
- case SIOCSIFINFO_IN6:
case SIOCGDRLST_IN6:
case SIOCGPRLST_IN6:
case SIOCGNBRINFO_IN6:
Modified: releng/7.2/UPDATING
==============================================================================
--- releng/7.2/UPDATING Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.2/UPDATING Wed Jun 10 10:31:11 2009 (r193893)
@@ -8,6 +8,15 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090610: p1 FreeBSD-SA-09:09.pipe, FreeBSD-SA-09:10.ipv6,
+ FreeBSD-SA-09:11.ntpd
+ Prevent integer overflow in direct pipe write code from circumventing
+ virtual-to-physical page lookups. [09:09]
+
+ Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]
+
+ Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]
+
20090504:
FreeBSD 7.2-RELEASE
Modified: releng/7.2/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/7.2/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.2/contrib/ntp/ntpd/ntp_crypto.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -570,7 +570,7 @@ crypto_recv(
peer->issuer = emalloc(vallen + 1);
strcpy(peer->issuer, peer->subject);
temp32 = (fstamp >> 16) & 0xffff;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"flags 0x%x host %s signature %s", fstamp,
peer->subject, OBJ_nid2ln(temp32));
record_crypto_stats(&peer->srcadr, statstr);
@@ -636,7 +636,8 @@ crypto_recv(
}
peer->flash &= ~TEST8;
temp32 = cinfo->nid;
- sprintf(statstr, "cert %s 0x%x %s (%u) fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "cert %s 0x%x %s (%u) fs %u",
cinfo->subject, cinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
@@ -685,7 +686,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "iff fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -733,7 +734,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "gq fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -774,7 +775,7 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer->flash &= ~TEST8;
- sprintf(statstr, "mv fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -828,7 +829,7 @@ crypto_recv(
peer->crypto &= ~CRYPTO_FLAG_AUTO;
peer->crypto |= CRYPTO_FLAG_AGREE;
peer->flash &= ~TEST8;
- sprintf(statstr, "cook %x ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
peer->pcookie, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -893,7 +894,7 @@ crypto_recv(
peer->crypto &= ~CRYPTO_FLAG_AUTO;
peer->crypto |= CRYPTO_FLAG_AGREE;
peer->flash &= ~TEST8;
- sprintf(statstr, "cook %x ts %u fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
peer->pcookie, ntohl(ep->tstamp),
ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
@@ -944,7 +945,7 @@ crypto_recv(
peer->pkeyid = bp->key;
peer->crypto |= CRYPTO_FLAG_AUTO;
peer->flash &= ~TEST8;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"auto seq %d key %x ts %u fs %u", bp->seq,
bp->key, ntohl(ep->tstamp),
ntohl(ep->fstamp));
@@ -987,7 +988,8 @@ crypto_recv(
peer->crypto |= CRYPTO_FLAG_SIGN;
peer->flash &= ~TEST8;
temp32 = cinfo->nid;
- sprintf(statstr, "sign %s 0x%x %s (%u) fs %u",
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "sign %s 0x%x %s (%u) fs %u",
cinfo->issuer, cinfo->flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep->fstamp));
@@ -1071,7 +1073,8 @@ crypto_recv(
crypto_flags |= CRYPTO_FLAG_TAI;
peer->crypto |= CRYPTO_FLAG_LEAP;
peer->flash &= ~TEST8;
- sprintf(statstr, "leap %u ts %u fs %u", vallen,
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "leap %u ts %u fs %u", vallen,
ntohl(ep->tstamp), ntohl(ep->fstamp));
record_crypto_stats(&peer->srcadr, statstr);
#ifdef DEBUG
@@ -1127,7 +1130,7 @@ crypto_recv(
* cheerfully ignored, as the message is not sent.
*/
if (rval > XEVNT_TSP) {
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
"error %x opcode %x ts %u fs %u", rval,
code, tstamp, fstamp);
record_crypto_stats(&peer->srcadr, statstr);
@@ -1453,7 +1456,8 @@ crypto_xmit(
*/
if (rval != XEVNT_OK) {
opcode |= CRYPTO_ERROR;
- sprintf(statstr, "error %x opcode %x", rval, opcode);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "error %x opcode %x", rval, opcode);
record_crypto_stats(srcadr_sin, statstr);
report_event(rval, NULL);
#ifdef DEBUG
@@ -1952,7 +1956,8 @@ crypto_update(void)
if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
tai_leap.siglen = htonl(len);
}
- sprintf(statstr, "update ts %u", ntohl(hostval.tstamp));
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "update ts %u", ntohl(hostval.tstamp));
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
@@ -3606,7 +3611,7 @@ crypto_key(
*/
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- sprintf(statstr, "%s mod %d", &linkname[2],
+ snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],
EVP_PKEY_size(pkey) * 8);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
@@ -3715,8 +3720,8 @@ crypto_cert(
if ((ptr = strrchr(linkname, '\n')) != NULL)
*ptr = '\0';
- sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags,
- len);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ "%s 0x%x len %lu", &linkname[2], ret->flags, len);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
if (debug)
@@ -3832,7 +3837,7 @@ crypto_tai(
for (j = 0; j < i; j++)
*ptr++ = htonl(leapsec[j]);
crypto_flags |= CRYPTO_FLAG_TAI;
- sprintf(statstr, "%s fs %u leap %u len %u", cp, fstamp,
+ snprintf(statstr, NTP_MAXSTRLEN, "%s fs %u leap %u len %u", cp, fstamp,
leapsec[--j], len);
record_crypto_stats(NULL, statstr);
#ifdef DEBUG
Modified: releng/7.2/sys/conf/newvers.sh
==============================================================================
--- releng/7.2/sys/conf/newvers.sh Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.2/sys/conf/newvers.sh Wed Jun 10 10:31:11 2009 (r193893)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.2"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.2/sys/kern/sys_pipe.c
==============================================================================
--- releng/7.2/sys/kern/sys_pipe.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.2/sys/kern/sys_pipe.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -755,6 +755,8 @@ pipe_build_write_buffer(wpipe, uio)
pmap = vmspace_pmap(curproc->p_vmspace);
endaddr = round_page((vm_offset_t)uio->uio_iov->iov_base + size);
addr = trunc_page((vm_offset_t)uio->uio_iov->iov_base);
+ if (endaddr < addr)
+ return (EFAULT);
for (i = 0; addr < endaddr; addr += PAGE_SIZE, i++) {
/*
* vm_fault_quick() can sleep. Consequently,
Modified: releng/7.2/sys/netinet6/in6.c
==============================================================================
--- releng/7.2/sys/netinet6/in6.c Wed Jun 10 09:28:50 2009 (r193892)
+++ releng/7.2/sys/netinet6/in6.c Wed Jun 10 10:31:11 2009 (r193893)
@@ -354,6 +354,7 @@ in6_control(struct socket *so, u_long cm
case SIOCSRTRFLUSH_IN6:
case SIOCSDEFIFACE_IN6:
case SIOCSIFINFO_FLAGS:
+ case SIOCSIFINFO_IN6:
if (td != NULL) {
error = priv_check(td, PRIV_NETINET_ND6);
if (error)
@@ -362,7 +363,6 @@ in6_control(struct socket *so, u_long cm
/* FALLTHROUGH */
case OSIOCGIFINFO_IN6:
case SIOCGIFINFO_IN6:
- case SIOCSIFINFO_IN6:
case SIOCGDRLST_IN6:
case SIOCGPRLST_IN6:
case SIOCGNBRINFO_IN6: