svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd

Bryan Drewery bdrewery at FreeBSD.org
Tue May 17 22:59:36 UTC 2016 

On 5/17/2016 3:28 PM, Gleb Smirnoff wrote:
> Author: glebius
> Date: Tue May 17 22:28:36 2016
> New Revision: 300088
> URL: https://svnweb.freebsd.org/changeset/base/300088
> 
> Log:
>   - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
>   - Validate that user supplied control message length in sendmsg(2)
>     is not negative.

The sendmsg(2) change is not included here (9.3) nor in the advisory but
is in the commit log.  Was it intended to be changed in 9.3?

Plus the only consumer I see is sendit() which seems to be protected
already from negative values when not using COMPAT_43:

>                  if (mp->msg_controllen < sizeof(struct cmsghdr)
>  #ifdef COMPAT_OLDSOCK
>                      && mp->msg_flags != MSG_COMPAT
>  #endif
>                  ) {
>                          error = EINVAL;
>                          goto bad;
>                  }
>                  error = sockargs(&control, mp->msg_control,
>                      mp->msg_controllen, MT_CONTROL);

...

>   
>   Security:	SA-16:18
>   Security:	CVE-2016-1886
>   Security:	SA-16:19
>   Security:	CVE-2016-1887
>   Submitted by:	C Turt <cturt hardenedbsd.org>
>   Approved by:	so
> 
> Modified:
>   releng/9.3/UPDATING
>   releng/9.3/sys/conf/newvers.sh
>   releng/9.3/sys/dev/kbd/kbd.c
> 
> Modified: releng/9.3/UPDATING
> ==============================================================================
> --- releng/9.3/UPDATING	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/UPDATING	Tue May 17 22:28:36 2016	(r300088)
> @@ -11,6 +11,10 @@ handbook:
>  Items affecting the ports and packages system can be found in
>  /usr/ports/UPDATING.  Please read that file before running portupgrade.
>  
> +20160517	p42	FreeBSD-SA-16:18.atkbd
> +
> +	Fix buffer overflow in keyboard driver. [SA-16:18]
> +
>  20160504	p41	FreeBSD-SA-16:17.openssl
>  			FreeBSD-EN-16:08.zfs
>  
> 
> Modified: releng/9.3/sys/conf/newvers.sh
> ==============================================================================
> --- releng/9.3/sys/conf/newvers.sh	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/sys/conf/newvers.sh	Tue May 17 22:28:36 2016	(r300088)
> @@ -32,7 +32,7 @@
>  
>  TYPE="FreeBSD"
>  REVISION="9.3"
> -BRANCH="RELEASE-p41"
> +BRANCH="RELEASE-p42"
>  if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
>  	BRANCH=${BRANCH_OVERRIDE}
>  fi
> 
> Modified: releng/9.3/sys/dev/kbd/kbd.c
> ==============================================================================
> --- releng/9.3/sys/dev/kbd/kbd.c	Tue May 17 22:28:27 2016	(r300087)
> +++ releng/9.3/sys/dev/kbd/kbd.c	Tue May 17 22:28:36 2016	(r300088)
> @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo
>  			splx(s);
>  			return (error);
>  		}
> -		kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK);
> +		kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK);
>  		bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
>  		    kbd->kb_fkeytab[fkeyp->keynum].len);
>  		break;
> 


-- 
Regards,
Bryan Drewery

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20160517/8168e91d/attachment.sig>

More information about the svn-src-all mailing list