Author: glebius
Date: Wed Mar 16 22:30:56 2016
New Revision: 296954
URL: https://svnweb.freebsd.org/changeset/base/296954

Log:
  o Fix OpenSSH xauth(1) command injection. [SA-16:14]
  o Fix incorrect argument validation in sysarch(2). [SA-16:15]
  o Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
  
  Errata:         FreeBSD-EN-16:04.hyperv
  Security:       FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
  Security:       FreeBSD-SA-16:15.sysarch, CVE-2016-1885
  Approved by:    so

Modified:
  releng/10.1/UPDATING
  releng/10.1/crypto/openssh/session.c
  releng/10.1/sys/amd64/amd64/sys_machdep.c
  releng/10.1/sys/conf/newvers.sh
  releng/10.1/sys/dev/hyperv/utilities/hv_kvp.c
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING        Wed Mar 16 22:30:03 2016        (r296953)
+++ releng/10.1/UPDATING        Wed Mar 16 22:30:56 2016        (r296954)
@@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160316       p31     FreeBSD-SA-16:14.openssh-xauth
+                       FreeBSD-SA-16:15.sysarch
+                       FreeBSD-EN-16:04.hyperv
+
+       Fix OpenSSH xauth(1) command injection. [SA-16:14]
+       Fix incorrect argument validation in sysarch(2). [SA-16:15]
+       Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
+
 20160303       p30     FreeBSD-SA-16:12.openssl
 
        Fix multiple vulnerabilities of OpenSSL.

Modified: releng/10.1/crypto/openssh/session.c
==============================================================================
--- releng/10.1/crypto/openssh/session.c        Wed Mar 16 22:30:03 2016        
(r296953)
+++ releng/10.1/crypto/openssh/session.c        Wed Mar 16 22:30:56 2016        
(r296954)
@@ -48,6 +48,7 @@ __RCSID("$FreeBSD$");
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt)
        do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+       size_t i;
+
+       for (i = 0; s[i] != '\0'; i++) {
+               if (!isalnum((u_char)s[i]) &&
+                   s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+                   s[i] != '-' && s[i] != '_')
+               return 0;
+       }
+       return 1;
+}
+
 /*
  * Prepares for an interactive session.  This is called after the user has
  * been successfully authenticated.  During this message exchange, pseudo
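Review bot: In xauth_valid_string the `return 0;` is indented at the same level as the `if` that controls it, so on a quick read it looks like an unconditional return at the top of the loop body. Since this is the allowlist check guarding the peer-supplied X11 auth strings, indent it under the condition or brace the body (`s[i] != '-' && s[i] != '_') {` … `return 0;` … `}`). The one-line comment would also be more useful if it stated the contract, e.g. `/* Return 1 if s contains only [A-Za-z0-9.:/_-], else 0; the empty string is accepted. */`. The empty-string case follows from the loop as written; whether an empty protocol or cookie should pass is worth deciding explicitly.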
@@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt)
                                s->screen = 0;
                        }
                        packet_check_eom();
-                       success = session_setup_x11fwd(s);
+                       if (xauth_valid_string(s->auth_proto) &&
+                           xauth_valid_string(s->auth_data))
+                               success = session_setup_x11fwd(s);
+                       else {
+                               success = 0;
+                               error("Invalid X11 forwarding data");
+                       }
                        if (!success) {
                                free(s->auth_proto);
                                free(s->auth_data);
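Review bot: The allowlist check on `s->auth_proto` and `s->auth_data` is open-coded here and repeated identically in the session_x11_req hunk, so any later path that fills those fields must remember to repeat it. Keeping the invariant in one place would be safer, for example a small wrapper that validates and then calls session_setup_x11fwd. At minimum, add a comment at both sites such as `/* auth_proto/auth_data are peer-supplied; must pass xauth_valid_string() before use */`. The error message rightly omits the rejected strings, but it does not say which field failed, which makes log triage harder. do_authenticated1 starts and ends outside this hunk.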
@@ -2199,7 +2221,13 @@ session_x11_req(Session *s)
        s->screen = packet_get_int();
        packet_check_eom();
 
-       success = session_setup_x11fwd(s);
+       if (xauth_valid_string(s->auth_proto) &&
+           xauth_valid_string(s->auth_data))
+               success = session_setup_x11fwd(s);
+       else {
+               success = 0;
+               error("Invalid X11 forwarding data");
+       }
        if (!success) {
                free(s->auth_proto);
                free(s->auth_data);

Modified: releng/10.1/sys/amd64/amd64/sys_machdep.c
==============================================================================
--- releng/10.1/sys/amd64/amd64/sys_machdep.c   Wed Mar 16 22:30:03 2016        
(r296953)
+++ releng/10.1/sys/amd64/amd64/sys_machdep.c   Wed Mar 16 22:30:56 2016        
(r296954)
@@ -591,8 +591,8 @@ amd64_set_ldt(td, uap, descs)
        struct i386_ldt_args *uap;
        struct user_segment_descriptor *descs;
 {
-       int error = 0, i;
-       int largest_ld;
+       int error = 0;
+       unsigned int largest_ld, i;
        struct mdproc *mdp = &td->td_proc->p_md;
        struct proc_ldt *pldt;
        struct user_segment_descriptor *dp;
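Review bot: The fix rests entirely on `largest_ld` and `i` being unsigned, but nothing at the declaration records that, so a later cleanup could change them back to `int` without any warning. A comment such as `/* unsigned: derived from user-supplied uap->start and uap->num, must never be negative */` would pin the intent, assuming these variables are computed from the syscall arguments as the advisory title suggests. Their uses are outside this hunk. It is also worth confirming in the body that the sum of the two arguments is range-checked before it is used as a bound, since unsigned arithmetic wraps silently. The body of amd64_set_ldt continues outside the hunk.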

Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh     Wed Mar 16 22:30:03 2016        
(r296953)
+++ releng/10.1/sys/conf/newvers.sh     Wed Mar 16 22:30:56 2016        
(r296954)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p30"
+BRANCH="RELEASE-p31"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.1/sys/dev/hyperv/utilities/hv_kvp.c
==============================================================================
--- releng/10.1/sys/dev/hyperv/utilities/hv_kvp.c       Wed Mar 16 22:30:03 
2016        (r296953)
+++ releng/10.1/sys/dev/hyperv/utilities/hv_kvp.c       Wed Mar 16 22:30:56 
2016        (r296954)
@@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/reboot.h>
 #include <sys/lock.h>
 #include <sys/taskqueue.h>
+#include <sys/selinfo.h>
 #include <sys/sysctl.h>
 #include <sys/poll.h>
 #include <sys/proc.h>
@@ -113,6 +114,8 @@ static struct cdev *hv_kvp_dev;
 static struct hv_kvp_msg *hv_kvp_dev_buf;
 struct proc *daemon_task;
 
+static struct selinfo hv_kvp_selinfo;
+
 /*
  * Global state to track and synchronize multiple
  * KVP transaction requests from the host.
@@ -627,6 +630,9 @@ hv_kvp_send_msg_to_daemon(void)
 
        /* Send the msg to user via function deamon_read - setting sema */
        sema_post(&kvp_globals.dev_sema);
+
+       /* We should wake up the daemon, in case it's doing poll() */
+       selwakeup(&hv_kvp_selinfo);
 }
 
 
@@ -939,7 +945,7 @@ hv_kvp_dev_daemon_write(struct cdev *dev
  * for daemon to read.
  */
 static int
-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread 
*td  __unused)
+hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread 
*td)
 {
        int revents = 0;
 
@@ -952,6 +958,9 @@ hv_kvp_dev_daemon_poll(struct cdev *dev 
         */
        if (kvp_globals.daemon_busy == true)
                revents = POLLIN;
+       else
+               selrecord(td, &hv_kvp_selinfo);
+
        mtx_unlock(&kvp_globals.pending_mutex);
 
        return (revents);
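Review bot: The new `else selrecord(td, &hv_kvp_selinfo);` branch registers the thread whether or not the caller asked for readability, and, from the lines visible across the two poll hunks, `events` does not appear to be consulted at all. The usual shape is `if (events & (POLLIN | POLLRDNORM)) { ... }` around both the `daemon_busy` test and the `selrecord` call, so that a poller not interested in input is neither reported nor recorded. The wakeup added in hv_kvp_send_msg_to_daemon only helps if `daemon_busy` is already true when `selwakeup` runs, because this handler rechecks that flag under `pending_mutex`; that ordering is not visible in the hunks and deserves a comment there. Nothing in this commit tears down `hv_kvp_selinfo`; if the device can be destroyed while a poller is recorded, a `seldrain(&hv_kvp_selinfo);` on the detach path would be expected.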