svn commit: r208586 - head/contrib/opie/libopie head/lib/libc/sys
head/sys/nfsclient head/usr.sbin/jail releng/6.4
releng/6.4/contrib/opie/libopie releng/6.4/sys/conf
releng/7.1 releng/7.1/contrib/...
Colin Percival
cperciva at FreeBSD.org
Thu May 27 03:15:05 UTC 2010
Author: cperciva
Date: Thu May 27 03:15:04 2010
New Revision: 208586
URL: http://svn.freebsd.org/changeset/base/208586
Log:
Change the current working directory to be inside the jail created by
the jail(8) command. [10:04]
Fix a one-NUL-byte buffer overflow in libopie. [10:05]
Correctly sanity-check a buffer length in nfs mount. [10:06]
Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-10:04.jail
Security: FreeBSD-SA-10:05.opie
Security: FreeBSD-SA-10:06.nfsclient
Modified:
releng/6.4/UPDATING
releng/6.4/contrib/opie/libopie/readrec.c
releng/6.4/sys/conf/newvers.sh
releng/7.1/UPDATING
releng/7.1/contrib/opie/libopie/readrec.c
releng/7.1/sys/conf/newvers.sh
releng/7.2/UPDATING
releng/7.2/contrib/opie/libopie/readrec.c
releng/7.2/lib/libc/sys/mount.2
releng/7.2/sys/conf/newvers.sh
releng/7.2/sys/nfsclient/nfs_vfsops.c
releng/7.3/UPDATING
releng/7.3/contrib/opie/libopie/readrec.c
releng/7.3/lib/libc/sys/mount.2
releng/7.3/sys/conf/newvers.sh
releng/7.3/sys/nfsclient/nfs_vfsops.c
releng/8.0/UPDATING
releng/8.0/contrib/opie/libopie/readrec.c
releng/8.0/lib/libc/sys/mount.2
releng/8.0/sys/conf/newvers.sh
releng/8.0/sys/nfsclient/nfs_vfsops.c
releng/8.0/usr.sbin/jail/jail.c
Changes in other areas also in this revision:
Modified:
head/contrib/opie/libopie/readrec.c
head/lib/libc/sys/mount.2
head/sys/nfsclient/nfs_vfsops.c
head/usr.sbin/jail/jail.c
stable/6/contrib/opie/libopie/readrec.c
stable/7/contrib/opie/libopie/readrec.c
stable/7/lib/libc/sys/mount.2
stable/7/sys/nfsclient/nfs_vfsops.c
stable/8/contrib/opie/libopie/readrec.c
stable/8/lib/libc/sys/mount.2
stable/8/sys/nfsclient/nfs_vfsops.c
stable/8/usr.sbin/jail/jail.c
Modified: releng/6.4/UPDATING
==============================================================================
--- releng/6.4/UPDATING Thu May 27 01:27:25 2010 (r208585)
+++ releng/6.4/UPDATING Thu May 27 03:15:04 2010 (r208586)
@@ -8,6 +8,9 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20100526: p10 FreeBSD-SA-10:05.opie
+ Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
20100106: p9 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd
Fix BIND named(8) cache poisoning with DNSSEC validation.
[SA-10:01]
Modified: releng/6.4/contrib/opie/libopie/readrec.c
==============================================================================
--- releng/6.4/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/6.4/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586)
@@ -139,10 +139,8 @@ int __opiereadrec FUNCTION((opie), struc
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
- if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
- (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
- strcpy(principal, opie->opie_principal);
+ strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
Modified: releng/6.4/sys/conf/newvers.sh
==============================================================================
--- releng/6.4/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585)
+++ releng/6.4/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="6.4"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.1/UPDATING Thu May 27 03:15:04 2010 (r208586)
@@ -8,6 +8,9 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20100526: p12 FreeBSD-SA-10:05.opie
+ Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
20100227: p11 FreeBSD-EN-10:02.sched_ule
Fix a deadlock in the ULE scheduler.
Modified: releng/7.1/contrib/opie/libopie/readrec.c
==============================================================================
--- releng/7.1/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.1/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586)
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
- if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
- (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
- strcpy(principal, opie->opie_principal);
+ strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
Modified: releng/7.1/sys/conf/newvers.sh
==============================================================================
--- releng/7.1/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.1/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.1"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.2/UPDATING
==============================================================================
--- releng/7.2/UPDATING Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.2/UPDATING Thu May 27 03:15:04 2010 (r208586)
@@ -8,6 +8,11 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20100526: p8 FreeBSD-SA-10:05.opie, FreeBSD-SA-10:06.nfsclient
+ Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
+ Correctly sanity-check a buffer length in nfs mount. [10:06]
+
20100227: p7 FreeBSD-EN-10:02.sched_ule
Fix a deadlock in the ULE scheduler.
Modified: releng/7.2/contrib/opie/libopie/readrec.c
==============================================================================
--- releng/7.2/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.2/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586)
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
- if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
- (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
- strcpy(principal, opie->opie_principal);
+ strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
Modified: releng/7.2/lib/libc/sys/mount.2
==============================================================================
--- releng/7.2/lib/libc/sys/mount.2 Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.2/lib/libc/sys/mount.2 Thu May 27 03:15:04 2010 (r208586)
@@ -107,7 +107,7 @@ This restriction can be removed by setti
.Va vfs.usermount
.Xr sysctl 8
variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
.Pp
The following
.Fa flags
@@ -370,3 +370,10 @@ functions appeared in
.At v6 .
.Sh BUGS
Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
Modified: releng/7.2/sys/conf/newvers.sh
==============================================================================
--- releng/7.2/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.2/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.2"
-BRANCH="RELEASE-p7"
+BRANCH="RELEASE-p8"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.2/sys/nfsclient/nfs_vfsops.c
==============================================================================
--- releng/7.2/sys/nfsclient/nfs_vfsops.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.2/sys/nfsclient/nfs_vfsops.c Thu May 27 03:15:04 2010 (r208586)
@@ -1002,6 +1002,11 @@ nfs_mount(struct mount *mp, struct threa
nfs_decode_args(mp, nmp, &args, NULL);
goto out;
}
+ if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+ vfs_mount_error(mp, "Bad file handle");
+ error = EINVAL;
+ goto out;
+ }
/*
* Make the nfs_ip_paranoia sysctl serve as the default connection
Modified: releng/7.3/UPDATING
==============================================================================
--- releng/7.3/UPDATING Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.3/UPDATING Thu May 27 03:15:04 2010 (r208586)
@@ -8,6 +8,11 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20100526: p1 FreeBSD-SA-10:05.opie, FreeBSD-SA-10:06.nfsclient
+ Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
+ Correctly sanity-check a buffer length in nfs mount. [10:06]
+
20100323:
FreeBSD 7.3-RELEASE
Modified: releng/7.3/contrib/opie/libopie/readrec.c
==============================================================================
--- releng/7.3/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.3/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586)
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
- if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
- (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
- strcpy(principal, opie->opie_principal);
+ strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
Modified: releng/7.3/lib/libc/sys/mount.2
==============================================================================
--- releng/7.3/lib/libc/sys/mount.2 Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.3/lib/libc/sys/mount.2 Thu May 27 03:15:04 2010 (r208586)
@@ -107,7 +107,7 @@ This restriction can be removed by setti
.Va vfs.usermount
.Xr sysctl 8
variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
.Pp
The following
.Fa flags
@@ -370,3 +370,10 @@ functions appeared in
.At v6 .
.Sh BUGS
Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
Modified: releng/7.3/sys/conf/newvers.sh
==============================================================================
--- releng/7.3/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.3/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.3"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.3/sys/nfsclient/nfs_vfsops.c
==============================================================================
--- releng/7.3/sys/nfsclient/nfs_vfsops.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/7.3/sys/nfsclient/nfs_vfsops.c Thu May 27 03:15:04 2010 (r208586)
@@ -1002,6 +1002,11 @@ nfs_mount(struct mount *mp, struct threa
nfs_decode_args(mp, nmp, &args, NULL);
goto out;
}
+ if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+ vfs_mount_error(mp, "Bad file handle");
+ error = EINVAL;
+ goto out;
+ }
/*
* Make the nfs_ip_paranoia sysctl serve as the default connection
Modified: releng/8.0/UPDATING
==============================================================================
--- releng/8.0/UPDATING Thu May 27 01:27:25 2010 (r208585)
+++ releng/8.0/UPDATING Thu May 27 03:15:04 2010 (r208586)
@@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20100526: p3 FreeBSD-SA-10:04.jail, FreeBSD-SA-10:05.opie,
+ FreeBSD-SA-10:06.nfsclient
+ Change the current working directory to be inside the jail created by
+ the jail(8) command. [10:04]
+
+ Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
+ Correctly sanity-check a buffer length in nfs mount. [10:06]
+
20100106: p2 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd,
FreeBSD-SA-10:03.zfs, FreeBSD-EN-10:01.freebsd
Fix BIND named(8) cache poisoning with DNSSEC validation.
Modified: releng/8.0/contrib/opie/libopie/readrec.c
==============================================================================
--- releng/8.0/contrib/opie/libopie/readrec.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/8.0/contrib/opie/libopie/readrec.c Thu May 27 03:15:04 2010 (r208586)
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struc
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
- if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
- (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
- strcpy(principal, opie->opie_principal);
+ strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
Modified: releng/8.0/lib/libc/sys/mount.2
==============================================================================
--- releng/8.0/lib/libc/sys/mount.2 Thu May 27 01:27:25 2010 (r208585)
+++ releng/8.0/lib/libc/sys/mount.2 Thu May 27 03:15:04 2010 (r208586)
@@ -107,7 +107,7 @@ This restriction can be removed by setti
.Va vfs.usermount
.Xr sysctl 8
variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
.Pp
The following
.Fa flags
@@ -370,3 +370,10 @@ functions appeared in
.At v6 .
.Sh BUGS
Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
Modified: releng/8.0/sys/conf/newvers.sh
==============================================================================
--- releng/8.0/sys/conf/newvers.sh Thu May 27 01:27:25 2010 (r208585)
+++ releng/8.0/sys/conf/newvers.sh Thu May 27 03:15:04 2010 (r208586)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.0"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.0/sys/nfsclient/nfs_vfsops.c
==============================================================================
--- releng/8.0/sys/nfsclient/nfs_vfsops.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/8.0/sys/nfsclient/nfs_vfsops.c Thu May 27 03:15:04 2010 (r208586)
@@ -1054,6 +1054,11 @@ nfs_mount(struct mount *mp)
error = EINVAL;
goto out;
}
+ if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+ vfs_mount_error(mp, "Bad file handle");
+ error = EINVAL;
+ goto out;
+ }
if (mp->mnt_flag & MNT_UPDATE) {
struct nfsmount *nmp = VFSTONFS(mp);
Modified: releng/8.0/usr.sbin/jail/jail.c
==============================================================================
--- releng/8.0/usr.sbin/jail/jail.c Thu May 27 01:27:25 2010 (r208585)
+++ releng/8.0/usr.sbin/jail/jail.c Thu May 27 03:15:04 2010 (r208586)
@@ -511,6 +511,10 @@ set_param(const char *name, char *value)
*value++ = '\0';
}
+ /* jail_set won't chdir along with its chroot, so do it here. */
+ if (!strcmp(name, "path") && chdir(value) < 0)
+ err(1, "chdir: %s", value);
+
/* Check for repeat parameters */
for (i = 0; i < nparams; i++)
if (!strcmp(name, params[i].jp_name)) {
More information about the svn-src-all
mailing list