svn commit: r45000 - in head/share: security/advisories security/patches/EN-14:06 security/patches/SA-14:11 security/patches/SA-14:12 security/patches/SA-14:13 xml

Xin LI delphij at FreeBSD.org
Tue Jun 3 19:32:07 UTC 2014


Author: delphij
Date: Tue Jun  3 19:32:04 2014
New Revision: 45000
URL: http://svnweb.freebsd.org/changeset/doc/45000

Log:
  Add 3 latest advisories and 1 errata:
  
  Fix sendmail improper close-on-exec flag handling. [SA-14:11]
  
  Fix ktrace memory disclosure. [SA-14:12]
  
  Fix incorrect error handling in PAM policy parser. [SA-14:13]
  
  Fix triple-fault when executing from a threaded process. [EN-14:06]

Added:
  head/share/security/advisories/FreeBSD-EN-14:06.exec.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:11.sendmail.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:12.ktrace.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:13.pam.asc   (contents, props changed)
  head/share/security/patches/EN-14:06/
  head/share/security/patches/EN-14:06/exec-10.0.patch   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-10.0.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-10.patch   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-10.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-8.4.patch   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-8.4.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-8.patch   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-8.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-9.1.patch   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-9.1.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-9.2.patch   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-9.2.patch.asc   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-9.patch   (contents, props changed)
  head/share/security/patches/EN-14:06/exec-9.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:11/
  head/share/security/patches/SA-14:11/sendmail.patch   (contents, props changed)
  head/share/security/patches/SA-14:11/sendmail.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:12/
  head/share/security/patches/SA-14:12/ktrace.patch   (contents, props changed)
  head/share/security/patches/SA-14:12/ktrace.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:13/
  head/share/security/patches/SA-14:13/pam-freebsd10.patch   (contents, props changed)
  head/share/security/patches/SA-14:13/pam-freebsd10.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:13/pam-freebsd9.patch   (contents, props changed)
  head/share/security/patches/SA-14:13/pam-freebsd9.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-14:06.exec.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:06.exec.asc	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,163 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:06.exec                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          triple-fault when executing from a threaded process
+
+Category:       core
+Module:         kern
+Announced:      2014-06-03
+Credits:        Ivo De Decker and Debian GNU/kFreeBSD porters
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-05-23 09:29:04 UTC (stable/10, 10.0-STABLE)
+                2014-06-03 19:02:52 UTC (releng/10.0, 10.0-RELEASE-p4)
+                2014-05-23 11:56:32 UTC (stable/9, 9.2-STABLE)
+                2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
+                2014-06-03 19:03:11 UTC (releng/9.1, 9.1-RELEASE-p14)
+                2014-05-23 09:48:42 UTC (stable/8, 8.4-STABLE)
+                2014-06-03 19:03:23 UTC (releng/8.4, 8.4-RELEASE-p11)
+CVE Name:       CVE-2014-3880
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+The execve and fexecve system calls transforms the calling process into a
+new process, constructed from an ordinarty file.
+
+When executing a new process, the FreeBSD virtual memory subsystem tries to
+optimize the process by avoiding destroying the old virtual memory address
+space when the calling process do not share its address space with another
+process (for instance, via rfork(2) with RFMEM) and when the new min/max
+address limit stays the same.  In the optimized scenario, the virtual memory
+subsystem only removes usermode mappings from the existing virtual memory
+address space instead of destroying and recreating it.
+
+II.  Problem Description
+
+When the virtual memory address space is recreated for the calling process,
+the old virtual memory address space as well as its associated mappings are
+destroyed before thread_single(9) boundary, where threads were allowed to
+run to safely terminate.  If such threads were on other CPUs, the old page
+table pointer may still be referenced.
+
+III. Impact
+
+The system will crash when this happens due to a triple-fault triggered by
+dereferencing an invalid page table pointer.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not run binaries that are
+of different bit-ness (e.g. 32-bit and 64-bit binaries) are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 8.4]
+# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-8.4.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-8.4.patch.asc
+# gpg --verify exec-8.4.patch.asc
+
+[FreeBSD 9.1]
+# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-9.1.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-9.1.patch.asc
+# gpg --verify exec-9.1.patch.asc
+
+[FreeBSD 9.2]
+# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-9.2.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-9.2.patch.asc
+# gpg --verify exec-9.2.patch.asc
+
+[FreeBSD 10.0]
+# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-10.0.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-10.0.patch.asc
+# gpg --verify exec-10.0.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r266583
+releng/8.4/                                                       r267019
+stable/9/                                                         r266585
+releng/9.1/                                                       r267018
+releng/9.2/                                                       r267018
+stable/10/                                                        r266582
+releng/10.0/                                                      r267017
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://bugs.debian.org/743141>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3880>
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:06.exec.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+-----END PGP SIGNATURE-----
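Review bot: The Background text of the notice carries three grammar slips that will ship verbatim in the signed file: "The execve and fexecve system calls transforms" should read "transform", "ordinarty file" should be "ordinary file", and "the calling process do not share" should be "does not share". The Workaround section would also be easier to verify if it tied its "not affected" claim back to the Background: the optimized path is skipped only when the min/max address limits change, which is the case when a process executes a binary of a different bit-ness, so that is why single-bit-ness systems never hit the vmspace recreation path described in the Problem Description.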

Added: head/share/security/advisories/FreeBSD-SA-14:11.sendmail.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:11.sendmail.asc	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:11.sendmail                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          sendmail improper close-on-exec flag handling
+
+Category:       contrib
+Module:         sendmail
+Announced:      2014-06-03
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-05-26 15:35:11 UTC (stable/10, 10.0-STABLE)
+                2014-06-03 19:02:52 UTC (releng/10.0, 10.0-RELEASE-p4)
+                2014-05-26 20:10:00 UTC (stable/9, 9.3-PRERELEASE)
+                2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
+                2014-06-03 19:03:11 UTC (releng/9.1, 9.1-RELEASE-p14)
+                2014-05-26 15:30:27 UTC (stable/8, 8.4-STABLE)
+                2014-06-03 19:03:23 UTC (releng/8.4, 8.4-RELEASE-p11)
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes sendmail(8), a general purpose internetwork mail
+routing facility, as the default Mail Transfer Agent (MTA).
+
+FreeBSD uses file descriptor as an abstract indicator for accessing a file.
+Upon execve(2), file descriptors open in the calling process image remain
+open in the new process image, except for those for which the close-on-exec
+flag is set.
+
+II.  Problem Description
+
+There is a programming error in sendmail(8) that prevented open file
+descriptors have close-on-exec properly set.  Consequently a subprocess
+will be able to access all open files that the parent process have open.
+
+III. Impact
+
+A local user who can execute their own program for mail delivery will be
+able to interfere with an open SMTP connection.
+
+IV.  Workaround
+
+Do not allow untrusted users to specify programs for mail delivery, for
+instance, procmail.
+
+Systems that do not use sendmail(8) MTA are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:11/sendmail.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:11/sendmail.patch.asc
+# gpg --verify sendmail.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r266693
+releng/8.4/                                                       r267019
+stable/9/                                                         r266711
+releng/9.1/                                                       r267018
+releng/9.2/                                                       r267018
+stable/10/                                                        r266692
+releng/10.0/                                                      r267017
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:11.sendmail.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+-----END PGP SIGNATURE-----
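Review bot: Grammar in Background and Problem Description needs a pass before signing: "uses file descriptor as" should be "uses file descriptors as"; "prevented open file descriptors have close-on-exec properly set" should be "prevented the close-on-exec flag from being properly set on open file descriptors"; "that the parent process have open" should be "has open". This advisory is also the only one of the four with neither a CVE Name nor a Credits field, and its References section contains only the self-link; if an identifier was assigned it should be added here so the header matches the other three.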

Added: head/share/security/advisories/FreeBSD-SA-14:12.ktrace.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:12.ktrace.asc	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:12.ktrace                                     Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ktrace kernel memory disclosure
+
+Category:       core
+Module:         kern
+Announced:      2014-06-03
+Credits:        Jilles Tjoelker
+Affects:        FreeBSD 8.4, FreeBSD 9.1 and FreeBSD 9.2
+Corrected:      2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1)
+                2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1-p1)
+                2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
+                2014-06-03 19:03:11 UTC (releng/9.1, 9.1-RELEASE-p14)
+                2014-06-03 19:02:42 UTC (stable/8, 8.4-STABLE)
+                2014-06-03 19:03:23 UTC (releng/8.4, 8.4-RELEASE-p11)
+CVE Name:       CVE-2014-3873
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The ktrace utility enables kernel trace logging for the specified processes,
+commonly used for diagnostic or debugging purposes.  The kernel operations
+that are traced include system calls, namei translations, signal processing,
+and I/O as well as data associated with these operations.
+
+The utility may be used only with a kernel that has been built with the
+``KTRACE'' option in the kernel configuration file, which is enabled by
+default.
+
+II.  Problem Description
+
+Due to an overlooked merge to -STABLE branches, the size for page fault
+kernel trace entries was set incorrectly.
+
+III. Impact
+
+A user who can enable kernel process tracing could end up reading the
+contents of kernel memory.
+
+Such memory might contain sensitive information, such as portions of the
+file cache or terminal buffers.  This information might be directly
+useful, or it might be leveraged to obtain elevated privileges in some
+way; for example, a terminal buffer might include a user-entered
+password.
+
+IV.  Workaround
+
+The system administrator may set sysctl security.bsd.unprivileged_proc_debug
+to 0 to prevent non-privileged users from using all process debugging
+facilities provided by the kernel, that includes ktrace functionality.
+Please note that this flag have broad effect and may break applications,
+as some of them may rely on certain debugging facilities to function.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:12/ktrace.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:12/ktrace.patch.asc
+# gpg --verify ktrace.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r267016
+releng/8.4/                                                       r267019
+stable/9/                                                         r267015
+releng/9.1/                                                       r267018
+releng/9.2/                                                       r267018
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3873>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:12.ktrace.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+-----END PGP SIGNATURE-----
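Review bot: The Corrected block lists stable/9 twice with the identical timestamp 2014-06-03 19:02:33 UTC, once as 9.3-BETA1 and once as 9.3-BETA1-p1; the same revision cannot yield both tags on one branch, so one of the two branch names looks wrong and should be checked (the same duplicated pair appears in the SA-14:13 Corrected block). Workaround wording: "that includes ktrace functionality" should be "which includes the ktrace functionality", and "this flag have broad effect" should be "this flag has a broad effect". Since the Background states the facility exists only in kernels built with the KTRACE option, the Workaround could say explicitly that kernels built without it are not exposed.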

Added: head/share/security/advisories/FreeBSD-SA-14:13.pam.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:13.pam.asc	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,171 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:13.pam                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Incorrect error handling in PAM policy parser
+
+Category:       contrib
+Module:         pam
+Announced:      2014-06-03
+Credits:        Peter Wemm, Dag-Erling Smørgrav
+Affects:        FreeBSD 9.2 and later.
+Corrected:      2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1)
+                2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1-p1)
+                2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
+                2014-06-03 19:02:18 UTC (stable/10, 10.0-STABLE)
+                2014-06-03 19:02:52 UTC (releng/10.0, 10.0-RELEASE-p4)
+CVE Name:       CVE-2014-3879
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.  It is
+used not only in the base system, but also by a large number of
+third-party applications.
+
+Various authentication methods (UNIX, LDAP, Kerberos etc.) are
+implemented in modules which are loaded and executed according to
+predefined, named policies.  These policies are defined in
+/etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or
+/usr/local/etc/pam.d/<policy name>.
+
+The PAM API is a de facto industry standard which has been implemented
+by several parties.  FreeBSD uses the OpenPAM implementation.
+
+II.  Problem Description
+
+The OpenPAM library searches for policy definitions in several
+locations.  While doing so, the absence of a policy file is a soft
+failure (handled by searching in the next location) while the presence
+of an invalid file is a hard failure (handled by returning an error to
+the caller).
+
+The policy parser returns the same error code (ENOENT) when a
+syntactically valid policy references a non-existent module as when
+the requested policy file does not exist.  The search loop regards
+this as a soft failure and looks for the next similarly-named policy,
+without discarding the partially-loaded configuration.
+
+A similar issue can arise if a policy contains an include directive
+that refers to a non-existent policy.
+
+III. Impact
+
+If a module is removed, or the name of a module is misspelled in the
+policy file, the PAM library will proceed with a partially loaded
+configuration.  Depending on the exact circumstances, this may result
+in a fail-open scenario where users are allowed to log in without a
+password, or with an incorrect password.
+
+In particular, if a policy references a module installed by a package
+or port, and that package or port is being reinstalled or upgraded,
+there is a brief window of time during which the module is absent and
+policies that use it may fail open.  This can be especially damaging
+to Internet-facing SSH servers, which are regularly subjected to
+brute-force scans.
+
+IV.  Workaround
+
+If your system uses customized PAM policies, carefully review your
+policies to ensure that all module names are spelled correctly.
+
+If your system uses third-party authentication modules, either refrain
+from upgrading those modules until you have patched your system, or
+shut down the affected services before upgrading.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.2]
+# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd9.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd9.patch.asc
+# gpg --verify pam-freebsd9.patch.asc
+
+[FreeBSD 9.3 and 10.0]
+# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd10.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd10.patch.asc
+# gpg --verify pam-freebsd10.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r267015
+releng/9.2/                                                       r267018
+stable/10/                                                        r267014
+releng/10.0/                                                      r267017
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3879>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:13.pam.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+-----END PGP SIGNATURE-----
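Review bot: Solution step c) has "deamons" for "daemons". The Corrected block repeats the SA-14:12 problem: two stable/9 lines with the same timestamp, tagged 9.3-BETA1 and 9.3-BETA1-p1, which cannot both be right for one branch. The Problem Description is otherwise clear about the root cause (ENOENT is returned both for a missing policy file and for a syntactically valid policy that names a missing module, so the search loop treats a hard failure as a soft one and keeps the partially loaded configuration); it would help readers to state in the Impact section that the partially loaded policy is what the fail-open behaviour depends on, so that the "review your policies" workaround is understood as a check for exactly that condition.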

Added: head/share/security/patches/EN-14:06/exec-10.0.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:06/exec-10.0.patch	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,66 @@
+Index: sys/kern/kern_exec.c
+===================================================================
+--- sys/kern/kern_exec.c	(revision 266979)
++++ sys/kern/kern_exec.c	(working copy)
+@@ -283,6 +283,7 @@ kern_execve(td, args, mac_p)
+ 	struct mac *mac_p;
+ {
+ 	struct proc *p = td->td_proc;
++	struct vmspace *oldvmspace;
+ 	int error;
+ 
+ 	AUDIT_ARG_ARGV(args->begin_argv, args->argc,
+@@ -299,6 +300,8 @@ kern_execve(td, args, mac_p)
+ 		PROC_UNLOCK(p);
+ 	}
+ 
++	KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
++	oldvmspace = td->td_proc->p_vmspace;
+ 	error = do_execve(td, args, mac_p);
+ 
+ 	if (p->p_flag & P_HADTHREADS) {
+@@ -313,6 +316,12 @@ kern_execve(td, args, mac_p)
+ 			thread_single_end();
+ 		PROC_UNLOCK(p);
+ 	}
++	if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
++		KASSERT(td->td_proc->p_vmspace != oldvmspace,
++		    ("oldvmspace still used"));
++		vmspace_free(oldvmspace);
++		td->td_pflags &= ~TDP_EXECVMSPC;
++	}
+ 
+ 	return (error);
+ }
+Index: sys/sys/proc.h
+===================================================================
+--- sys/sys/proc.h	(revision 266979)
++++ sys/sys/proc.h	(working copy)
+@@ -966,4 +966,5 @@ curthread_pflags_restore(int save)
+ 
+ #endif	/* _KERNEL */
+ 
++#define	TDP_EXECVMSPC	0x40000000 /* Execve destroyed old vmspace */
+ #endif	/* !_SYS_PROC_H_ */
+Index: sys/vm/vm_map.c
+===================================================================
+--- sys/vm/vm_map.c	(revision 266979)
++++ sys/vm/vm_map.c	(working copy)
+@@ -3725,6 +3725,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
+ 	struct vmspace *oldvmspace = p->p_vmspace;
+ 	struct vmspace *newvmspace;
+ 
++	KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
++	    ("vmspace_exec recursed"));
+ 	newvmspace = vmspace_alloc(minuser, maxuser, NULL);
+ 	if (newvmspace == NULL)
+ 		return (ENOMEM);
+@@ -3741,7 +3743,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
+ 	PROC_VMSPACE_UNLOCK(p);
+ 	if (p == curthread->td_proc)
+ 		pmap_activate(curthread);
+-	vmspace_free(oldvmspace);
++	curthread->td_pflags |= TDP_EXECVMSPC;
+ 	return (0);
+ }
+ 
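Review bot: In the sys/sys/proc.h hunk the new TDP_EXECVMSPC define is appended after "#endif /* _KERNEL */", outside the block where the other TDP_* flags are listed (compare the stable/10 patch, which places it directly after TDP_DEVMEMIO); that keeps the release patch small, but it hides the flag from anyone auditing the TDP_ value space, so either a comment pointing at the flag block or the same placement as stable/10 would be better. In the kern_execve hunk, "oldvmspace = td->td_proc->p_vmspace;" can simply be "p->p_vmspace", since p is already td->td_proc two lines above. The logic itself is sound: vmspace_exec now only records that the old vmspace was replaced, and kern_execve frees it after the thread_single_end() block, i.e. once the other threads have stopped running on the old page tables, which is exactly the window the errata notice describes; the two KASSERTs guard against a nested execve leaving a stale flag behind.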

Added: head/share/security/patches/EN-14:06/exec-10.0.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:06/exec-10.0.patch.asc	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (FreeBSD)
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/EN-14:06/exec-10.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:06/exec-10.patch	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,77 @@
+Index: sys/sys/proc.h
+===================================================================
+--- sys/sys/proc.h	(revision 266581)
++++ sys/sys/proc.h	(revision 266582)
+@@ -425,6 +425,7 @@ do {									\
+ #define	TDP_NERRNO	0x08000000 /* Last errno is already in td_errno */
+ #define	TDP_UIOHELD	0x10000000 /* Current uio has pages held in td_ma */
+ #define	TDP_DEVMEMIO	0x20000000 /* Accessing memory for /dev/mem */
++#define	TDP_EXECVMSPC	0x40000000 /* Execve destroyed old vmspace */
+ 
+ /*
+  * Reasons that the current thread can not be run yet.
+Index: sys/kern/kern_exec.c
+===================================================================
+--- sys/kern/kern_exec.c	(revision 266581)
++++ sys/kern/kern_exec.c	(revision 266582)
+@@ -283,6 +283,7 @@ kern_execve(td, args, mac_p)
+ 	struct mac *mac_p;
+ {
+ 	struct proc *p = td->td_proc;
++	struct vmspace *oldvmspace;
+ 	int error;
+ 
+ 	AUDIT_ARG_ARGV(args->begin_argv, args->argc,
+@@ -299,6 +300,8 @@ kern_execve(td, args, mac_p)
+ 		PROC_UNLOCK(p);
+ 	}
+ 
++	KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
++	oldvmspace = td->td_proc->p_vmspace;
+ 	error = do_execve(td, args, mac_p);
+ 
+ 	if (p->p_flag & P_HADTHREADS) {
+@@ -313,6 +316,12 @@ kern_execve(td, args, mac_p)
+ 			thread_single_end();
+ 		PROC_UNLOCK(p);
+ 	}
++	if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
++		KASSERT(td->td_proc->p_vmspace != oldvmspace,
++		    ("oldvmspace still used"));
++		vmspace_free(oldvmspace);
++		td->td_pflags &= ~TDP_EXECVMSPC;
++	}
+ 
+ 	return (error);
+ }
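Review bot: the deferred `vmspace_free(oldvmspace)` block needs a comment explaining why the free happens here rather than in vmspace_exec(): it is placed after the `P_HADTHREADS` single-threading block, so the old vmspace and its pmap stay alive until the process's other threads have been dealt with, which is the point of this errata. One thing to confirm: the block runs whether or not `error` is set, which is only correct if TDP_EXECVMSPC is never set on a path where the new vmspace was not actually installed; the KASSERT that `p_vmspace != oldvmspace` catches that in debug kernels, but a production kernel would drop a reference on the vmspace still in use, so the invariant deserves a short comment.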
+Index: sys/vm/vm_map.c
+===================================================================
+--- sys/vm/vm_map.c	(revision 266581)
++++ sys/vm/vm_map.c	(revision 266582)
+@@ -3751,6 +3751,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
+ 	struct vmspace *oldvmspace = p->p_vmspace;
+ 	struct vmspace *newvmspace;
+ 
++	KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
++	    ("vmspace_exec recursed"));
+ 	newvmspace = vmspace_alloc(minuser, maxuser, NULL);
+ 	if (newvmspace == NULL)
+ 		return (ENOMEM);
+@@ -3767,7 +3769,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
+ 	PROC_VMSPACE_UNLOCK(p);
+ 	if (p == curthread->td_proc)
+ 		pmap_activate(curthread);
+-	vmspace_free(oldvmspace);
++	curthread->td_pflags |= TDP_EXECVMSPC;
+ 	return (0);
+ }
+ 
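Review bot: possible logic gap in replacing `vmspace_free(oldvmspace)` with `curthread->td_pflags |= TDP_EXECVMSPC`: the flag is set on curthread unconditionally, while two lines above the code still allows `p != curthread->td_proc`. For such a caller the old vmspace of `p` is no longer freed here, and the deferred free in kern_execve(), which snapshots the calling process's own p_vmspace, would not free it either. If every caller is guaranteed to pass curproc, add `KASSERT(p == curthread->td_proc, ...)` next to the new recursion assert so the assumption is enforced; otherwise keep the immediate vmspace_free() for the `p != curthread->td_proc` case.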
+Index: .
+===================================================================
+--- .	(revision 266581)
++++ .	(revision 266582)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+   Merged /head:r266464

Added: head/share/security/patches/EN-14:06/exec-10.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:06/exec-10.patch.asc	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,17 @@

Added: head/share/security/patches/EN-14:06/exec-8.4.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:06/exec-8.4.patch	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,66 @@
+Index: sys/kern/kern_exec.c
+===================================================================
+--- sys/kern/kern_exec.c	(revision 266979)
++++ sys/kern/kern_exec.c	(working copy)
+@@ -278,6 +278,7 @@ kern_execve(td, args, mac_p)
+ 	struct mac *mac_p;
+ {
+ 	struct proc *p = td->td_proc;
++	struct vmspace *oldvmspace;
+ 	int error;
+ 
+ 	AUDIT_ARG_ARGV(args->begin_argv, args->argc,
+@@ -294,6 +295,8 @@ kern_execve(td, args, mac_p)
+ 		PROC_UNLOCK(p);
+ 	}
+ 
++	KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
++	oldvmspace = td->td_proc->p_vmspace;
+ 	error = do_execve(td, args, mac_p);
+ 
+ 	if (p->p_flag & P_HADTHREADS) {
+@@ -308,6 +311,12 @@ kern_execve(td, args, mac_p)
+ 			thread_single_end();
+ 		PROC_UNLOCK(p);
+ 	}
++	if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
++		KASSERT(td->td_proc->p_vmspace != oldvmspace,
++		    ("oldvmspace still used"));
++		vmspace_free(oldvmspace);
++		td->td_pflags &= ~TDP_EXECVMSPC;
++	}
+ 
+ 	return (error);
+ }
+Index: sys/sys/proc.h
+===================================================================
+--- sys/sys/proc.h	(revision 266979)
++++ sys/sys/proc.h	(working copy)
+@@ -938,4 +938,5 @@ curthread_pflags_restore(int save)
+ 
+ #endif	/* _KERNEL */
+ 
++#define	TDP_EXECVMSPC	0x40000000 /* Execve destroyed old vmspace */
+ #endif	/* !_SYS_PROC_H_ */
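Review bot: in this 8.4 patch TDP_EXECVMSPC is defined at the very end of proc.h, after `#endif /* _KERNEL */` and away from the other TDP_ flags, unlike the 10.x and stable/8 patches where it sits in the TDP_ block. Presumably this keeps the release-branch patch minimal, but it also makes the define visible outside `_KERNEL` and hides it from anyone scanning the flag block for collisions; a comment stating why it lives here, plus confirmation that 0x40000000 is unused by the other TDP_ flags in 8.4 (they are not visible in this hunk), would help.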
+Index: sys/vm/vm_map.c
+===================================================================
+--- sys/vm/vm_map.c	(revision 266979)
++++ sys/vm/vm_map.c	(working copy)
+@@ -3521,6 +3521,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
+ 	struct vmspace *oldvmspace = p->p_vmspace;
+ 	struct vmspace *newvmspace;
+ 
++	KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
++	    ("vmspace_exec recursed"));
+ 	newvmspace = vmspace_alloc(minuser, maxuser);
+ 	if (newvmspace == NULL)
+ 		return (ENOMEM);
+@@ -3537,7 +3539,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
+ 	PROC_VMSPACE_UNLOCK(p);
+ 	if (p == curthread->td_proc)
+ 		pmap_activate(curthread);
+-	vmspace_free(oldvmspace);
++	curthread->td_pflags |= TDP_EXECVMSPC;
+ 	return (0);
+ }
+ 

Added: head/share/security/patches/EN-14:06/exec-8.4.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:06/exec-8.4.patch.asc	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,17 @@

Added: head/share/security/patches/EN-14:06/exec-8.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:06/exec-8.patch	Tue Jun  3 19:32:04 2014	(r45000)
@@ -0,0 +1,104 @@
+Index: sys/kern/kern_exec.c
+===================================================================
+--- sys/kern/kern_exec.c	(revision 266582)
++++ sys/kern/kern_exec.c	(revision 266583)
+@@ -278,6 +278,7 @@ kern_execve(td, args, mac_p)
+ 	struct mac *mac_p;
+ {
+ 	struct proc *p = td->td_proc;
++	struct vmspace *oldvmspace;
+ 	int error;
+ 
+ 	AUDIT_ARG_ARGV(args->begin_argv, args->argc,
+@@ -294,6 +295,8 @@ kern_execve(td, args, mac_p)
+ 		PROC_UNLOCK(p);
+ 	}
+ 
++	KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
++	oldvmspace = td->td_proc->p_vmspace;
+ 	error = do_execve(td, args, mac_p);
+ 
+ 	if (p->p_flag & P_HADTHREADS) {
+@@ -308,6 +311,12 @@ kern_execve(td, args, mac_p)
+ 			thread_single_end();
+ 		PROC_UNLOCK(p);
+ 	}
++	if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
++		KASSERT(td->td_proc->p_vmspace != oldvmspace,
++		    ("oldvmspace still used"));
++		vmspace_free(oldvmspace);
++		td->td_pflags &= ~TDP_EXECVMSPC;
++	}
+ 
+ 	return (error);
+ }
+Index: sys/kern
+===================================================================
+--- sys/kern	(revision 266582)
++++ sys/kern	(revision 266583)
+
+Property changes on: sys/kern
+___________________________________________________________________
+Modified: svn:mergeinfo
+   Merged /head/sys/kern:r266464
+Index: sys/vm/vm_map.c
+===================================================================
+--- sys/vm/vm_map.c	(revision 266582)
++++ sys/vm/vm_map.c	(revision 266583)
+@@ -3521,6 +3521,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
+ 	struct vmspace *oldvmspace = p->p_vmspace;
+ 	struct vmspace *newvmspace;
+ 
++	KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
++	    ("vmspace_exec recursed"));
+ 	newvmspace = vmspace_alloc(minuser, maxuser);
+ 	if (newvmspace == NULL)
+ 		return (ENOMEM);
+@@ -3537,7 +3539,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
+ 	PROC_VMSPACE_UNLOCK(p);
+ 	if (p == curthread->td_proc)
+ 		pmap_activate(curthread);
+-	vmspace_free(oldvmspace);
++	curthread->td_pflags |= TDP_EXECVMSPC;
+ 	return (0);
+ }
+ 
+Index: sys/vm
+===================================================================
+--- sys/vm	(revision 266582)
++++ sys/vm	(revision 266583)
+
+Property changes on: sys/vm
+___________________________________________________________________
+Modified: svn:mergeinfo
+   Merged /head/sys/vm:r266464
+Index: sys/sys/proc.h
+===================================================================
+--- sys/sys/proc.h	(revision 266582)
++++ sys/sys/proc.h	(revision 266583)
+@@ -414,6 +414,7 @@ do {									\
+ #define	TDP_AUDITREC	0x01000000 /* Audit record pending on thread */
+ #define	TDP_RESETSPUR	0x04000000 /* Reset spurious page fault history. */
+ #define	TDP_NERRNO	0x08000000 /* Last errno is already in td_errno */
++#define	TDP_EXECVMSPC	0x40000000 /* Execve destroyed old vmspace */
+ 
+ /*
+  * Reasons that the current thread can not be run yet.
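Review bot: in the stable/8 proc.h hunk the new flag 0x40000000 follows TDP_NERRNO 0x08000000, leaving 0x10000000 and 0x20000000 unaccounted for in the visible context. If the gap is deliberate, to keep the flag value identical across 8.x, 9.x and 10.x, say so in the comment; if those values are already taken elsewhere in the file that is fine too, but a reader of this hunk cannot tell.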
+Index: sys/sys
+===================================================================
+--- sys/sys	(revision 266582)
++++ sys/sys	(revision 266583)
+
+Property changes on: sys/sys

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


More information about the svn-doc-all mailing list