On 5/17/2016 3:28 PM, Gleb Smirnoff wrote:
> Author: glebius
> Date: Tue May 17 22:28:36 2016
> New Revision: 300088
> URL: https://svnweb.freebsd.org/changeset/base/300088
> 
> Log:
>   - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
>   - Validate that user supplied control message length in sendmsg(2)
>     is not negative.

The sendmsg(2) change is not included here (9.3) nor in the advisory but
is in the commit log.  Was it intended to be changed in 9.3?

Plus the only consumer I see is sendit() which seems to be protected
already from negative values when not using COMPAT_43:

>                  if (mp->msg_controllen < sizeof(struct cmsghdr)
>  #ifdef COMPAT_OLDSOCK
>                      && mp->msg_flags != MSG_COMPAT
>  #endif
>                  ) {
>                          error = EINVAL;
>                          goto bad;
>                  }
>                  error = sockargs(&control, mp->msg_control,
>                      mp->msg_controllen, MT_CONTROL);

...

>   
>   Security:   SA-16:18
>   Security:   CVE-2016-1886
>   Security:   SA-16:19
>   Security:   CVE-2016-1887
>   Submitted by:       C Turt <cturt hardenedbsd.org>
>   Approved by:        so
> 
> Modified:
>   releng/9.3/UPDATING
>   releng/9.3/sys/conf/newvers.sh
>   releng/9.3/sys/dev/kbd/kbd.c
> 
> Modified: releng/9.3/UPDATING
> ==============================================================================
> --- releng/9.3/UPDATING       Tue May 17 22:28:27 2016        (r300087)
> +++ releng/9.3/UPDATING       Tue May 17 22:28:36 2016        (r300088)
> @@ -11,6 +11,10 @@ handbook:
>  Items affecting the ports and packages system can be found in
>  /usr/ports/UPDATING.  Please read that file before running portupgrade.
>  
> +20160517     p42     FreeBSD-SA-16:18.atkbd
> +
> +     Fix buffer overflow in keyboard driver. [SA-16:18]
> +
>  20160504     p41     FreeBSD-SA-16:17.openssl
>                       FreeBSD-EN-16:08.zfs
>  
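
Review bot: the added 20160517 entry names only FreeBSD-SA-16:18.atkbd, while the commit log also cites SA-16:19 and CVE-2016-1887 and describes a sendmsg(2) length validation, and the Modified list carries no file for that change. Either include the missing change with its own UPDATING line, or drop the SA-16:19 references from this log so the branch history does not claim a fix it does not contain.
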
> 
> Modified: releng/9.3/sys/conf/newvers.sh
> ==============================================================================
> --- releng/9.3/sys/conf/newvers.sh    Tue May 17 22:28:27 2016        
> (r300087)
> +++ releng/9.3/sys/conf/newvers.sh    Tue May 17 22:28:36 2016        
> (r300088)
> @@ -32,7 +32,7 @@
>  
>  TYPE="FreeBSD"
>  REVISION="9.3"
> -BRANCH="RELEASE-p41"
> +BRANCH="RELEASE-p42"
>  if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
>       BRANCH=${BRANCH_OVERRIDE}
>  fi
> 
> Modified: releng/9.3/sys/dev/kbd/kbd.c
> ==============================================================================
> --- releng/9.3/sys/dev/kbd/kbd.c      Tue May 17 22:28:27 2016        
> (r300087)
> +++ releng/9.3/sys/dev/kbd/kbd.c      Tue May 17 22:28:36 2016        
> (r300088)
> @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_lo
>                       splx(s);
>                       return (error);
>               }
> -             kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK);
> +             kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK);
>               bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
>                   kbd->kb_fkeytab[fkeyp->keynum].len);
>               break;
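
Review bot: the bound on the changed `.len =` line now rests on `fkeyp->flen` being implicitly converted to unsigned when passed to min(), which is not obvious to a reader and is easy to undo in a later cleanup. An explicit range check on flen ahead of the assignment, returning an error the way the block just above does, or at least a comment saying the unsigned comparison is deliberate, would state the intent. The bcopy() that follows takes the stored len as its size, so this one line is the only limit on the copy.
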
> 


-- 
Regards,
Bryan Drewery
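
The difference between the signed and unsigned clamp in the kbd.c hunk above, as an added example that is not part of the original message or of the FreeBSD source. The struct layouts, the field types, the value of MAXFK and all function names here are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXFK 16  /* assumed table width for this sketch */

/* Hypothetical stand-ins for the ioctl argument and the driver's table entry. */
struct fkey_arg { char keydef[MAXFK]; signed char flen; };
struct fkey_ent { unsigned char str[MAXFK]; unsigned char len; };

/* Models of a signed and an unsigned minimum helper. */
static int imin_model(int a, int b) { return a < b ? a : b; }
static unsigned int min_model(unsigned int a, unsigned int b) { return a < b ? a : b; }

/* Byte count the copy would use with the signed helper (pre-change form). */
static size_t copy_len_signed(signed char flen)
{
    unsigned char len = (unsigned char)imin_model(flen, MAXFK);
    return len;  /* a negative flen passes the clamp and wraps when stored */
}

/* Byte count with the unsigned helper (post-change form). */
static size_t copy_len_unsigned(signed char flen)
{
    unsigned char len = (unsigned char)min_model((unsigned int)flen, MAXFK);
    return len;  /* a negative flen becomes a huge unsigned value and is clamped */
}

/* Explicit alternative: refuse out-of-range lengths; 0 on success, -1 otherwise. */
static int set_fkey_checked(struct fkey_ent *e, const struct fkey_arg *a)
{
    if (a->flen < 0 || a->flen > MAXFK)
        return -1;
    memcpy(e->str, a->keydef, (size_t)a->flen);
    e->len = (unsigned char)a->flen;
    return 0;
}

/* Wrapper so the checked path can be exercised from a bare length. */
static int checked_result(signed char flen)
{
    struct fkey_arg a = { "constructed", flen };
    struct fkey_ent e = { {0}, 0 };
    return set_fkey_checked(&e, &a);
}

int main(void)
{
    const signed char samples[] = { 8, 16, 100, -1 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flen=%4d signed=%3zu unsigned=%3zu checked=%d\n", samples[i],
            copy_len_signed(samples[i]), copy_len_unsigned(samples[i]),
            checked_result(samples[i]));
    return 0;
}
```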
