svn commit: r267829 - in releng/10.0: . contrib/file contrib/file/Magdir lib/libc/iconv lib/libiconv_modules/BIG5 lib/libiconv_modules/HZ lib/libiconv_modules/VIQR sys/amd64/amd64 sys/conf
Xin LI
delphij at FreeBSD.org
Tue Jun 24 19:05:11 UTC 2014
Author: delphij
Date: Tue Jun 24 19:05:08 2014
New Revision: 267829
URL: http://svnweb.freebsd.org/changeset/base/267829
Log:
Fix iconv(3) NULL pointer dereference and out-of-bounds array
access. [SA-14:15]
Fix multiple vulnerabilities in file(1) and libmagic(3).
[SA-14:16]
Worked around bug with PCID implementation. [EN-14:07]
Security: CVE-2014-3951
Security: FreeBSD-SA-14:15.iconv
Security: CVE-2013-7345, CVE-2014-1943, CVE-2014-2270
Security: FreeBSD-SA-14:16.file
Approved by: so
Modified:
releng/10.0/UPDATING
releng/10.0/contrib/file/Magdir/commands
releng/10.0/contrib/file/ascmagic.c
releng/10.0/contrib/file/file.h
releng/10.0/contrib/file/funcs.c
releng/10.0/contrib/file/softmagic.c
releng/10.0/lib/libc/iconv/citrus_prop.c
releng/10.0/lib/libc/iconv/citrus_prop.h
releng/10.0/lib/libiconv_modules/BIG5/citrus_big5.c
releng/10.0/lib/libiconv_modules/HZ/citrus_hz.c
releng/10.0/lib/libiconv_modules/VIQR/citrus_viqr.c
releng/10.0/sys/amd64/amd64/pmap.c
releng/10.0/sys/conf/newvers.sh
Modified: releng/10.0/UPDATING
==============================================================================
--- releng/10.0/UPDATING Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/UPDATING Tue Jun 24 19:05:08 2014 (r267829)
@@ -16,6 +16,18 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
+20140624: p6 FreeBSD-SA-14:15.iconv
+ FreeBSD-SA-14:16.file
+ FreeBSD-EN-14:07.pmap
+
+ Fix iconv(3) NULL pointer dereference and out-of-bounds array
+ access. [SA-14:15]
+
+ Fix multiple vulnerabilities in file(1) and libmagic(3).
+ [SA-14:16]
+
+ Worked around bug with PCID implementation. [EN-14:07]
+
20140605: p5 FreeBSD-SA-14:14.openssl
Fix OpenSSL multiple vulnerabilities. [SA-14:14]
Modified: releng/10.0/contrib/file/Magdir/commands
==============================================================================
--- releng/10.0/contrib/file/Magdir/commands Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/contrib/file/Magdir/commands Tue Jun 24 19:05:08 2014 (r267829)
@@ -49,7 +49,8 @@
!:mime text/x-awk
0 string/wt #!\ /usr/bin/awk awk script text executable
!:mime text/x-awk
-0 regex =^\\s*BEGIN\\s*[{] awk script text
+0 regex =^\\s{0,100}BEGIN\\s{0,100}[{] awk script text
+!:strength - 12
# AT&T Bell Labs' Plan 9 shell
0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable
Modified: releng/10.0/contrib/file/ascmagic.c
==============================================================================
--- releng/10.0/contrib/file/ascmagic.c Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/contrib/file/ascmagic.c Tue Jun 24 19:05:08 2014 (r267829)
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic
== NULL)
goto done;
if ((rv = file_softmagic(ms, utf8_buf,
- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
rv = -1;
}
Modified: releng/10.0/contrib/file/file.h
==============================================================================
--- releng/10.0/contrib/file/file.h Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/contrib/file/file.h Tue Jun 24 19:05:08 2014 (r267829)
@@ -414,7 +414,7 @@ protected int file_encoding(struct magic
unichar **, size_t *, const char **, const char **, const char **);
protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
- int, int);
+ size_t, int, int);
protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
protected uint64_t file_signextend(struct magic_set *, struct magic *,
uint64_t);
Modified: releng/10.0/contrib/file/funcs.c
==============================================================================
--- releng/10.0/contrib/file/funcs.c Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/contrib/file/funcs.c Tue Jun 24 19:05:08 2014 (r267829)
@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd
/* try soft magic tests */
if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
looks_text)) != 0) {
if ((ms->flags & MAGIC_DEBUG) != 0)
(void)fprintf(stderr, "softmagic %d\n", m);
Modified: releng/10.0/contrib/file/softmagic.c
==============================================================================
--- releng/10.0/contrib/file/softmagic.c Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/contrib/file/softmagic.c Tue Jun 24 19:05:08 2014 (r267829)
@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.1
private int match(struct magic_set *, struct magic *, uint32_t,
- const unsigned char *, size_t, int, int);
+ const unsigned char *, size_t, int, int, int);
private int mget(struct magic_set *, const unsigned char *,
- struct magic *, size_t, unsigned int, int);
+ struct magic *, size_t, unsigned int, int, int);
private int magiccheck(struct magic_set *, struct magic *);
private int32_t mprint(struct magic_set *, struct magic *);
private int32_t moffset(struct magic_set *, struct magic *);
@@ -60,6 +60,7 @@ private void cvt_16(union VALUETYPE *, c
private void cvt_32(union VALUETYPE *, const struct magic *);
private void cvt_64(union VALUETYPE *, const struct magic *);
+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
/*
* softmagic - lookup one file in parsed, in-memory copy of database
* Passed the name and FILE * of one file to be typed.
@@ -67,13 +68,13 @@ private void cvt_64(union VALUETYPE *, c
/*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
protected int
file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
- int mode, int text)
+ size_t level, int mode, int text)
{
struct mlist *ml;
int rv;
for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
- text)) != 0)
+ text, level)) != 0)
return rv;
return 0;
@@ -108,7 +109,8 @@ file_softmagic(struct magic_set *ms, con
*/
private int
match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
- const unsigned char *s, size_t nbytes, int mode, int text)
+ const unsigned char *s, size_t nbytes, int mode, int text,
+ int recursion_level)
{
uint32_t magindex = 0;
unsigned int cont_level = 0;
@@ -140,7 +142,7 @@ match(struct magic_set *ms, struct magic
ms->line = m->lineno;
/* if main entry matches, print it... */
- switch (mget(ms, s, m, nbytes, cont_level, text)) {
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
case -1:
return -1;
case 0:
@@ -223,7 +225,7 @@ match(struct magic_set *ms, struct magic
continue;
}
#endif
- switch (mget(ms, s, m, nbytes, cont_level, text)) {
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
case -1:
return -1;
case 0:
@@ -1018,12 +1020,18 @@ mcopy(struct magic_set *ms, union VALUET
private int
mget(struct magic_set *ms, const unsigned char *s,
- struct magic *m, size_t nbytes, unsigned int cont_level, int text)
+ struct magic *m, size_t nbytes, unsigned int cont_level, int text,
+ int recursion_level)
{
uint32_t offset = ms->offset;
uint32_t count = m->str_range;
union VALUETYPE *p = &ms->ms_value;
+ if (recursion_level >= 20) {
+ file_error(ms, 0, "recursion nesting exceeded");
+ return -1;
+ }
+
if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
return -1;
@@ -1073,7 +1081,7 @@ mget(struct magic_set *ms, const unsigne
}
switch (m->in_type) {
case FILE_BYTE:
- if (nbytes < (offset + 1))
+ if (OFFSET_OOB(nbytes, offset, 1))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1108,7 +1116,7 @@ mget(struct magic_set *ms, const unsigne
offset = ~offset;
break;
case FILE_BESHORT:
- if (nbytes < (offset + 2))
+ if (OFFSET_OOB(nbytes, offset, 2))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1160,7 +1168,7 @@ mget(struct magic_set *ms, const unsigne
offset = ~offset;
break;
case FILE_LESHORT:
- if (nbytes < (offset + 2))
+ if (OFFSET_OOB(nbytes, offset, 2))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1212,7 +1220,7 @@ mget(struct magic_set *ms, const unsigne
offset = ~offset;
break;
case FILE_SHORT:
- if (nbytes < (offset + 2))
+ if (OFFSET_OOB(nbytes, offset, 2))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1249,7 +1257,7 @@ mget(struct magic_set *ms, const unsigne
break;
case FILE_BELONG:
case FILE_BEID3:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1320,7 +1328,7 @@ mget(struct magic_set *ms, const unsigne
break;
case FILE_LELONG:
case FILE_LEID3:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1390,7 +1398,7 @@ mget(struct magic_set *ms, const unsigne
offset = ~offset;
break;
case FILE_MELONG:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1460,7 +1468,7 @@ mget(struct magic_set *ms, const unsigne
offset = ~offset;
break;
case FILE_LONG:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1527,14 +1535,14 @@ mget(struct magic_set *ms, const unsigne
/* Verify we have enough data to match magic type */
switch (m->type) {
case FILE_BYTE:
- if (nbytes < (offset + 1)) /* should alway be true */
+ if (OFFSET_OOB(nbytes, offset, 1))
return 0;
break;
case FILE_SHORT:
case FILE_BESHORT:
case FILE_LESHORT:
- if (nbytes < (offset + 2))
+ if (OFFSET_OOB(nbytes, offset, 2))
return 0;
break;
@@ -1553,21 +1561,21 @@ mget(struct magic_set *ms, const unsigne
case FILE_FLOAT:
case FILE_BEFLOAT:
case FILE_LEFLOAT:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
break;
case FILE_DOUBLE:
case FILE_BEDOUBLE:
case FILE_LEDOUBLE:
- if (nbytes < (offset + 8))
+ if (OFFSET_OOB(nbytes, offset, 8))
return 0;
break;
case FILE_STRING:
case FILE_PSTRING:
case FILE_SEARCH:
- if (nbytes < (offset + m->vallen))
+ if (OFFSET_OOB(nbytes, offset, m->vallen))
return 0;
break;
@@ -1577,13 +1585,15 @@ mget(struct magic_set *ms, const unsigne
break;
case FILE_INDIRECT:
+ if (offset == 0)
+ return 0;
if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
file_printf(ms, "%s", m->desc) == -1)
return -1;
if (nbytes < offset)
return 0;
return file_softmagic(ms, s + offset, nbytes - offset,
- BINTEST, text);
+ recursion_level, BINTEST, text);
case FILE_DEFAULT: /* nothing to check */
default:
Modified: releng/10.0/lib/libc/iconv/citrus_prop.c
==============================================================================
--- releng/10.0/lib/libc/iconv/citrus_prop.c Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/lib/libc/iconv/citrus_prop.c Tue Jun 24 19:05:08 2014 (r267829)
@@ -339,7 +339,7 @@ name_found:
static int
_citrus_prop_parse_element(struct _memstream * __restrict ms,
- const _citrus_prop_hint_t * __restrict hints, void ** __restrict context)
+ const _citrus_prop_hint_t * __restrict hints, void * __restrict context)
{
int ch, errnum;
#define _CITRUS_PROP_HINT_NAME_LEN_MAX 255
@@ -435,8 +435,7 @@ _citrus_prop_parse_variable(const _citru
if (ch == EOF || ch == '\0')
break;
_memstream_ungetc(&ms, ch);
- errnum = _citrus_prop_parse_element(
- &ms, hints, (void ** __restrict)context);
+ errnum = _citrus_prop_parse_element(&ms, hints, context);
if (errnum != 0)
return (errnum);
}
Modified: releng/10.0/lib/libc/iconv/citrus_prop.h
==============================================================================
--- releng/10.0/lib/libc/iconv/citrus_prop.h Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/lib/libc/iconv/citrus_prop.h Tue Jun 24 19:05:08 2014 (r267829)
@@ -42,7 +42,7 @@ typedef struct _citrus_prop_hint_t _citr
#define _CITRUS_PROP_CB0_T(_func_, _type_) \
typedef int (*_citrus_prop_##_func_##_cb_func_t) \
- (void ** __restrict, const char *, _type_); \
+ (void * __restrict, const char *, _type_); \
typedef struct { \
_citrus_prop_##_func_##_cb_func_t func; \
} _citrus_prop_##_func_##_cb_t;
@@ -52,7 +52,7 @@ _CITRUS_PROP_CB0_T(str, const char *)
#define _CITRUS_PROP_CB1_T(_func_, _type_) \
typedef int (*_citrus_prop_##_func_##_cb_func_t) \
- (void ** __restrict, const char *, _type_, _type_); \
+ (void * __restrict, const char *, _type_, _type_); \
typedef struct { \
_citrus_prop_##_func_##_cb_func_t func; \
} _citrus_prop_##_func_##_cb_t;
Modified: releng/10.0/lib/libiconv_modules/BIG5/citrus_big5.c
==============================================================================
--- releng/10.0/lib/libiconv_modules/BIG5/citrus_big5.c Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/lib/libiconv_modules/BIG5/citrus_big5.c Tue Jun 24 19:05:08 2014 (r267829)
@@ -170,7 +170,7 @@ _citrus_BIG5_check_excludes(_BIG5Encodin
}
static int
-_citrus_BIG5_fill_rowcol(void ** __restrict ctx, const char * __restrict s,
+_citrus_BIG5_fill_rowcol(void * __restrict ctx, const char * __restrict s,
uint64_t start, uint64_t end)
{
_BIG5EncodingInfo *ei;
@@ -189,7 +189,7 @@ _citrus_BIG5_fill_rowcol(void ** __restr
static int
/*ARGSUSED*/
-_citrus_BIG5_fill_excludes(void ** __restrict ctx,
+_citrus_BIG5_fill_excludes(void * __restrict ctx,
const char * __restrict s __unused, uint64_t start, uint64_t end)
{
_BIG5EncodingInfo *ei;
@@ -235,7 +235,6 @@ static int
_citrus_BIG5_encoding_module_init(_BIG5EncodingInfo * __restrict ei,
const void * __restrict var, size_t lenvar)
{
- void *ctx = (void *)ei;
const char *s;
int err;
@@ -257,9 +256,9 @@ _citrus_BIG5_encoding_module_init(_BIG5E
}
/* fallback Big5-1984, for backward compatibility. */
- _citrus_BIG5_fill_rowcol((void **)&ctx, "row", 0xA1, 0xFE);
- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0x40, 0x7E);
- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0xA1, 0xFE);
+ _citrus_BIG5_fill_rowcol(ei, "row", 0xA1, 0xFE);
+ _citrus_BIG5_fill_rowcol(ei, "col", 0x40, 0x7E);
+ _citrus_BIG5_fill_rowcol(ei, "col", 0xA1, 0xFE);
return (0);
}
Modified: releng/10.0/lib/libiconv_modules/HZ/citrus_hz.c
==============================================================================
--- releng/10.0/lib/libiconv_modules/HZ/citrus_hz.c Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/lib/libiconv_modules/HZ/citrus_hz.c Tue Jun 24 19:05:08 2014 (r267829)
@@ -65,8 +65,8 @@ typedef enum {
} charset_t;
typedef struct {
- int end;
int start;
+ int end;
int width;
} range_t;
@@ -503,12 +503,12 @@ _citrus_HZ_encoding_module_uninit(_HZEnc
}
static int
-_citrus_HZ_parse_char(void **context, const char *name __unused, const char *s)
+_citrus_HZ_parse_char(void *context, const char *name __unused, const char *s)
{
escape_t *escape;
void **p;
- p = (void **)*context;
+ p = (void **)context;
escape = (escape_t *)p[0];
if (escape->ch != '\0')
return (EINVAL);
@@ -520,14 +520,14 @@ _citrus_HZ_parse_char(void **context, co
}
static int
-_citrus_HZ_parse_graphic(void **context, const char *name, const char *s)
+_citrus_HZ_parse_graphic(void *context, const char *name, const char *s)
{
_HZEncodingInfo *ei;
escape_t *escape;
graphic_t *graphic;
void **p;
- p = (void **)*context;
+ p = (void **)context;
escape = (escape_t *)p[0];
ei = (_HZEncodingInfo *)p[1];
graphic = malloc(sizeof(*graphic));
@@ -589,13 +589,13 @@ _CITRUS_PROP_HINT_END
};
static int
-_citrus_HZ_parse_escape(void **context, const char *name, const char *s)
+_citrus_HZ_parse_escape(void *context, const char *name, const char *s)
{
_HZEncodingInfo *ei;
escape_t *escape;
void *p[2];
- ei = (_HZEncodingInfo *)*context;
+ ei = (_HZEncodingInfo *)context;
escape = malloc(sizeof(*escape));
if (escape == NULL)
return (EINVAL);
Modified: releng/10.0/lib/libiconv_modules/VIQR/citrus_viqr.c
==============================================================================
--- releng/10.0/lib/libiconv_modules/VIQR/citrus_viqr.c Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/lib/libiconv_modules/VIQR/citrus_viqr.c Tue Jun 24 19:05:08 2014 (r267829)
@@ -431,7 +431,6 @@ static int
_citrus_VIQR_encoding_module_init(_VIQREncodingInfo * __restrict ei,
const void * __restrict var __unused, size_t lenvar __unused)
{
- const mnemonic_def_t *p;
const char *s;
size_t i, n;
int errnum;
@@ -455,7 +454,10 @@ _citrus_VIQR_encoding_module_init(_VIQRE
return (errnum);
}
}
- for (i = 0;; ++i) {
+ /* a + 1 < b + 1 here to silence gcc warning about unsigned < 0. */
+ for (i = 0; i + 1 < mnemonic_ext_size + 1; ++i) {
+ const mnemonic_def_t *p;
+
p = &mnemonic_ext[i];
n = strlen(p->name);
if (ei->mb_cur_max < n)
Modified: releng/10.0/sys/amd64/amd64/pmap.c
==============================================================================
--- releng/10.0/sys/amd64/amd64/pmap.c Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/sys/amd64/amd64/pmap.c Tue Jun 24 19:05:08 2014 (r267829)
@@ -367,7 +367,7 @@ static int pmap_flags = PMAP_PDE_SUPERPA
static struct unrhdr pcid_unr;
static struct mtx pcid_mtx;
-int pmap_pcid_enabled = 1;
+int pmap_pcid_enabled = 0;
SYSCTL_INT(_vm_pmap, OID_AUTO, pcid_enabled, CTLFLAG_RDTUN, &pmap_pcid_enabled,
0, "Is TLB Context ID enabled ?");
int invpcid_works = 0;
Modified: releng/10.0/sys/conf/newvers.sh
==============================================================================
--- releng/10.0/sys/conf/newvers.sh Tue Jun 24 19:04:55 2014 (r267828)
+++ releng/10.0/sys/conf/newvers.sh Tue Jun 24 19:05:08 2014 (r267829)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.0"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
More information about the svn-src-all
mailing list