Publish SA-16:18 and SA-16:19.

svn path=/head/; revision=48826

share/security/advisories/FreeBSD-SA-16:18.atkbd.asc

@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:18.atkbd	                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Buffer overflow in keyboard driver
+
+Category:       core
+Module:         atkbd
+Announced:      2016-05-17
+Credits:        CTurt and the HardenedBSD team
+Affects:        All supported versions of FreeBSD.
+Corrected:      2016-05-17 22:29:59 UTC (stable/10, 10.3-STABLE)
+                2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3)
+                2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17)
+                2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34)
+                2016-05-17 22:31:12 UTC (stable/9, 9.3-STABLE)
+                2016-05-17 22:28:36 UTC (releng/9.3, 9.3-RELEASE-p42)
+CVE Name:       CVE-2016-1886
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The atkbd(4) driver, together with the atkbdc(4) driver, provides access
+to the AT 84 keyboard or the AT enhanced keyboard which is connected to
+the AT keyboard controller.  The driver is required for the console driver
+syscons(4) or vt(4).  The driver exposes its own ioctl(2) interface to allow
+it to be configured from userland through the kbdcontrol(1) utility.
+
+II.  Problem Description
+
+Incorrect signedness comparison in the ioctl(2) handler allows a malicious
+local user to overwrite a portion of the kernel memory.
+
+III. Impact
+
+A local user may crash the kernel, read a portion of kernel memory and
+execute arbitrary code in kernel context.  The result of executing an
+arbitrary kernel code is privilege escalation.
+
+IV.  Workaround
+
+Disallow keymap changes for non-privileged users:
+
+sysctl hw.kbd.keymap_restrict_change=4
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Reboot is required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch.asc
+# gpg --verify atkbd.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r300093
+releng/9.3/                                                       r300088
+stable/10/                                                        r300091
+releng/10.1/                                                      r300085
+releng/10.2/                                                      r300086
+releng/10.3/                                                      r300087
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cturt.github.io/SETFKEY.html>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1886>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:18.atkbd.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXO5z8AAoJEO1n7NZdz2rns0MQAKaUrGjGn0nkFpx/PpiM6SHv
+s/Fj/z/qTXTUmimZloiQd9bkMh5wFMymozihVqoQVX2jwzPFm4Cql+Ez8ihTl9YX
+s+vMgQA8mUrinebwqXHRY+bZrwbJzsvLhAepL6vrSncPBaXM37smOmVlfjyUySWZ
+61L1QPhDZIYSamAMDZFx4qkdv32nWTTaE6OImQOFWY19l2tAxUMrUsTM5zSUfSas
+Tq2oP4BUvI58psapMgs38UY1Bjo33E/Gd7n6FS8gUQAX1OspN1wh981oX9GHU+U1
+bHY/Ihl+rqlh3Dmxp1JBP8ma2DSLXcuhrywNpE8i/dNQA4sxXXGQyuzVk24QNXbt
+cnV7F3nTqBpB9evhNFuHk0Z/z2Lg4cCaId+xSJjX8eWfvfjP8q+c9SblC2LdJg6V
+D0Gt0rbUNvSikCLDI/RYY1K5pWdjvtRN6ES+YO+sk2er9Uq/ZPrNj2SfNYguRkTV
+Kfwut8aQW5AQ9JTr9YGFxfqEWOzgBWutE3ysWtx6bLoROY4/vUPRBrcVDOmsiiJt
+QLPdf/m8VM/NH2lQoSQ44mUXvp+BdclrhM74C7GCc0RGmdEtuoC49esNKtZ+0349
+Sm7Tj/3ZWfwN0x+DQnbnDUeRmI5zaU3o4VycmhFcm3eWQ+je8O8aCLKI/iPTKYO7
+/OVeNnLKzp5Z7naKeHct
+=6GJy
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-16:19.sendmsg.asc

@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:19.sendmsg                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Incorrect argument handling in sendmsg(2)
+
+Category:       core
+Module:         kernel
+Announced:      2016-05-17
+Credits:        CTurt and the HardenedBSD team
+Affects:        FreeBSD 10.x
+Corrected:      2016-05-17 22:30:43 UTC (stable/10, 10.3-STABLE)
+                2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3)
+                2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17)
+                2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34)
+CVE Name:       CVE-2016-1887
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The sendmsg(2) system call allows to send data to a socket.  The data
+may be accompanied by optional ancillary data.
+
+II.  Problem Description
+
+Incorrect argument handling in the socket code allows malicious local
+user to overwrite large portion of the kernel memory.
+
+III. Impact
+
+Malicious local user may crash kernel or execute arbitrary code in the kernel,
+potentially gaining superuser privileges.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Reboot is required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot is required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-16:19/sendmsg.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:19/sendmsg.patch.asc
+# gpg --verify sendmsg.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r300093
+releng/10.1/                                                      r300085
+releng/10.2/                                                      r300086
+releng/10.3/                                                      r300087
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cturt.github.io/sendmsg.html>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1887>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:19.sendmsg.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXO50VAAoJEO1n7NZdz2rnWOAP/RyUks4Xf30YVGra+bHUjOsw
+gFQEJ7HNNJHkkaJ5l0LpVh87YQxr7VXnlddskDRcL6MDf7IjW5bkpw+875iEFz93
+VykCN+1l84D0WlXAi9YZwg1GWoQs3SBfNpT1dtr9GuqJYAAeBfvMydJI1jHbJzJJ
+7inDzgvhfPOaq8wQBfjXbUN0GgYiz6dJc3xir4+4JRw0C9sgzh1pI14o1oREJbZ0
+glmHRCpuijndqluabl7rF19mSSDyF0AV7RqDCZIt7AkYHWvR1yLl4o0LGGBYCLXx
+iArz2ayzbAqBVw1JktVHzGx0HuVpobxb/yOpDuYBcaxtSL6riuSYrkzHp0Dca+JT
+0/qENdMnXDN98ZMBcvVR66uWUuTVEF3/T2LXCi6G+RllrcoavvLqrcjghqT5k84P
+jmAjO3Q3rIeAinjArfyexHo/f/A5CHGJylsY0FZd41A35xWaYg/dd0cT+8qsoigD
+65Ix+/6AOIjocqqQToFXiHKBCN5unwrn/UT5heU0K3ZqESGmxUrx+6yJ3mjDjtLh
+C7zWcNaJu1whcT7e4eKx9vMlAFFt6OrSnr1V09KnqPiHPtIu95PZhGlrizlZVELQ
+8fKHoycOkT5F+00CWzcQuZK+l9p5iT5aWGkhunwvR7EKzqvgEFbDDpaJ5QzKTNTl
+lJXypb8SMlol4YY8Spdo
+=wuhi
+-----END PGP SIGNATURE-----

share/security/patches/SA-16:18/atkbd.patch

@@ -0,0 +1,11 @@
+--- sys/dev/kbd/kbd.c.orig
++++ sys/dev/kbd/kbd.c
+@@ -996,7 +996,7 @@
+ 			splx(s);
+ 			return (error);
+ 		}
+-		kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK);
++		kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK);
+ 		bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
+ 		    kbd->kb_fkeytab[fkeyp->keynum].len);
+ 		break;

share/security/patches/SA-16:18/atkbd.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXO2BtAAoJEO1n7NZdz2rnB6kP/R2dxR6o6GemMN2VjdgOp9rM
+i3DEFEcimF1oGOfwF7kIDabr9XLubeU1l+NnJhuExnAdyrcVr+7+SvgFAzv6lZlS
+47wDgw/HABsjeJSYE2+hcrOAOKTvC4qObBB7YuOJu4e1vW5MJKcqBYsLk7+ECwVr
+sDhelLXLcvTunR2aLg5jEsgRwHEvOwB7GR1SQ6ABU7w+emCCabJLvYe3stMYKsFE
+CxL6hKDjShN0Vyqx6d76Bja6ZsWmMo2SLgz3e/m072imHfmHaAhc5GlAvdOPihzJ
+OsRlIGd7jR5+mTikmWZG0s3/IVoEf+udC/CJ/3JyL3NEywQXEogJpPY2Zjv6P8or
+6vWvyoIqrXrKZ5k6DxUHJzJdAhmbxZHfCVlwidu+aTfp9M8x5W7tu711wPFwAcEW
+/HSQ1mssj7GEzDy2kbhKiEXTRV0YXatVy1L2o/ckYiLFMk0HhYEqFXLV36VUPIRl
+h2SOUpsaLbhVuUlT+XF1jXrTc1gOW5woLl8uQ6h84cfcdQj6tUk2ZBzobKjz+zEk
+VP/julLL8cGUDemnWeMLWuBClsAuf5pLMg405m1uIBd9kxEHhGKprz/kGhFfGl/3
+PyESdLIq8VD9Grjzb8rgCfL0USepeiCnOTI8uYwRNUUrAFSMqtWrx4zvl1tWdHE9
+1SBJLfQgQKuIaBAtxnHV
+=Ful4
+-----END PGP SIGNATURE-----

share/security/patches/SA-16:19/sendmsg.patch

@@ -0,0 +1,12 @@
+--- sys/kern/uipc_syscalls.c.orig
++++ sys/kern/uipc_syscalls.c
+@@ -1699,6 +1699,9 @@
+ 	struct mbuf *m;
+ 	int error;
+ 
++	if (buflen < 0)
++		return (EINVAL);
++
+ 	if (buflen > MLEN) {
+ #ifdef COMPAT_OLDSOCK
+ 		if (type == MT_SONAME && buflen <= 112)

share/security/patches/SA-16:19/sendmsg.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXO2CNAAoJEO1n7NZdz2rnuvcP/R501Yhdfqfmw1XDYqMkKS6L
+ehQwFX8rnlbZVfKEhVcZL0kGgo43jyBvuHG55vk6iwC6EjHKE6BSgUVhbRaIdfJ5
+H0gRdUL9q9inTRGLEU7P2D7E0SMsRm+PtKW5F0uw5BfZw2LD1SIBBEKGBN0M48u0
+PhTzIXzgFsvSNFbZ85Un90hi2N67hrq3rOGtxC10/jAGBpGgRGCQKqr0lssIS+6r
+7QT3fEH8MQGnYW0RP26rJHh0ae0Wd0DLBdnLG0cHx6bwYEGKb6/GH65Vvl1feMAU
+61O6wL3BnrSXfJQmSx34sokhh3BT7pfEEwkw3xtsdqjP6h4PXxiI2l+UlB5eGCAY
+kT0eLz7qyR1vXvJUZnXezBdllUu/nWtyMmuUnoM0xnytNYeHAqDoL4o6T4lMERmy
+DUn6LvrC8oqdqDKtBpaWMCq2OMb4/mNUvVdn2oh67Tq4ZFLxsGOEMm+lTYJOZdkU
+um+KG7LGiWkj9G08yPiayVhDcigvIK9v9/p9E3tv5rNVyCaOvpJsezM7Z+mMIS68
+IG72BvLh+idOaVW1tib9s9nXYQTc1V9u+Fp356/eDSE1h0uEd12l+swwRcz5NmBv
+78Ki51E1ZQ87b9J4RacL31MauINyN0SIJI1QRu7lLe62tgGlGKQND6/Na993EdUM
+ftK8gS0awc3Rr3Bw540N
+=yry1
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,18 @@
     <month>
       <name>5</name>
 
+      <day>
+        <name>17</name>
+
+        <advisory>
+          <name>FreeBSD-SA-16:19.sendmsg</name>
+        </advisory>
+
+        <advisory>
+          <name>FreeBSD-SA-16:18.atkbd</name>
+        </advisory>
+      </day>
+
       <day>
         <name>4</name>