Document today updates:

FreeBSD-16:04.hyperv
FreeBSD-16:05.hv_netvsc
FreeBSD-SA-16:14.openssh
FreeBSD-SA-16:15.sysarch
Gleb Smirnoff 2016-03-16 23:10:13 +00:00
parent f307cfe43e
commit 7a3fc19192
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=48424
14 changed files with 803 additions and 0 deletions

@ -0,0 +1,137 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:04.hyperv Errata Notice
The FreeBSD Project
Topic: Hyper-V KVP (Key-Value Pair) daemon indefinite sleep
Category: core
Module: hyperv
Announced: 2016-03-16
Credits: Microsoft Open Source Technology Center(OSTC)
Affects: FreeBSD 10.x
Corrected: 2015-12-18 14:52:12 UTC (stable/10, 10.2-STABLE)
2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Hyper-V is a native hypervisor running on Windows operating system. It can
run FreeBSD 10.x as guest in virtual machine.
Data Exchange is an integration service, also known as a key-value pair or
KVP, that can be used to share information between virtual machines and the
Hyper-V host. For more information, see
<URL:https://technet.microsoft.com/en-us/library/dn798287.aspx>.
II. Problem Description
The KVP driver code doesn't implement the KVP device's .d_poll callback
correctly: when there is no data available to the user-mode KVP daemon, the
driver forgets to remember the daemon and wake up the daemon later. As a
result, the daemon can't be woken up in a predictable period of time, and
the host side's KVP query can hang for an unexpected period of time and get
timeout, and finally the host can think the VM is irresponsive or unhealthy.
III. Impact
When a FreeBSD 10.x virtual machine runs on Hyper-V, the host may not get the
expected response of a KVP query. When a virtual machine runs on Azure, the
host may try to recover the "irresponsive" virtual machine by killing it and
starting it later, causing unnecessary virtual machine downtime.
IV. Workaround
Don't run the KVP daemon on a virtual machine. With this, the host will know
that KVP functionality is not working at all, so the host won't try to send KVP
query to virtual machine.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. Reboot is required.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot is required.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch
# fetch https://security.FreeBSD.org/patches/EN-16:04/hyperv.patch.asc
# gpg --verify hyperv.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r292438
releng/10.1/ r296954
releng/10.2/ r296955
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://technet.microsoft.com/en-us/library/dn798287.aspx>.
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:04.hyperv.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,129 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:05.hv_netvsc Errata Notice
The FreeBSD Project
Topic: hv_netvsc(4) incorrect TCP/IP checksums
Category: core
Module: hyperv
Announced: 2016-03-16
Credits: Larry Baird
Affects: FreeBSD 10.2
Corrected: 2015-12-18 14:56:49 UTC (stable/10, 10.2-STABLE)
2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Hyper-V is a native hypervisor running on Windows operating system. It can
run FreeBSD 10.x as guest in virtual machine.
When FreeBSD guest runs on Hyper-V, to get the best network performance,
it usually uses the Hyper-V synthetic network device. The driver of the
network device is called hv_netvsc(4). Since FreeBSD 10.2-RELEASE the
driver supports TCP segmentation and TCP/IP checksum offloading.
II. Problem Description
Together with the TCP segmentation and TCP/IP checksum offloading a regression
was introduced. The driver checked the inbound checksum flags when deciding
whether to process checksums or not, while it should have checked the outbound
flags only.
III. Impact
If the guest running on Hyper-V is configured as a gateway, the host will
silently drop certain packets from the guest.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. Reboot is required.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot is required.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch
# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch.asc
# gpg --verify hv_netvsc.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r292439
releng/10.2/ r296955
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203630>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:05.hv_netvsc.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,153 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:14.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH xauth(1) command injection
Category: contrib
Module: OpenSSH
Announced: 2016-03-16
Credits:
Affects: All supported versions of FreeBSD.
Corrected: 2016-03-12 23:53:20 UTC (stable/10, 10.2-STABLE)
2016-03-14 13:05:13 UTC (releng/10.3, 10.3-RC2)
2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
2016-03-13 23:50:19 UTC (stable/9, 9.3-STABLE)
2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39)
CVE Name: CVE-2016-3115
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access. OpenSSH supports X11 forwarding,
allowing X11 applications on the server to connect to the client's
display.
When an X11 forwarding session is established, the OpenSSH daemon runs
the xauth tool with information provided by the client to create an
authority file on the server containing information that applications
need in order to connect to the client's X11 display.
II. Problem Description
Due to insufficient input validation in OpenSSH, a client which has
permission to establish X11 forwarding sessions to a server can
piggyback arbitrary shell commands on the data intended to be passed
to the xauth tool.
III. Impact
An attacker with valid credentials and permission to establish X11
forwarding sessions can bypass other restrictions which may have been
placed on their account, for instance using ForceCommand directives in
the server's configuration file.
IV. Workaround
Disable X11 forwarding globally by adding the following line to
/etc/ssh/sshd_config, before any Match blocks:
X11Forwarding no
then either restart the OpenSSH daemon or reboot the system.
Consult the sshd(8) and sshd_config(5) manual pages for additional
information on how to enable or disable X11 forwarding on a per-user
or per-key basis.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
then either restart the OpenSSH daemon or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# service sshd restart
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch
# fetch https://security.FreeBSD.org/patches/SA-16:14/openssh-xauth.patch.asc
# gpg --verify openssh-xauth.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
d) Either restart the OpenSSH daemon or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r296780
releng/9.3/ r296953
stable/10/ r296781
releng/10.1/ r296954
releng/10.2/ r296955
releng/10.3/ r296853
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://www.openssh.com/txt/x11fwd.adv>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:14.openssh.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
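Review bot: the source-patch step in section V.3a labels its only download "[FreeBSD 9.3]", yet the Corrected list and section VI also cover stable/10 and releng/10.1, 10.2 and 10.3; say whether openssh-xauth.patch applies to the 10.x branches as well or add the missing entry. The "Credits:" header field is empty and should either name the reporter or be dropped.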

@ -0,0 +1,141 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:15.sysarch Security Advisory
The FreeBSD Project
Topic: Incorrect argument validation in sysarch(2)
Category: core
Module: kernel
Announced: 2016-03-16
Credits: Core Security
Affects: All supported versions of FreeBSD.
Corrected: 2016-03-16 22:35:55 UTC (stable/10, 10.2-STABLE)
2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)
2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31)
2016-03-16 22:36:02 UTC (stable/9, 9.3-STABLE)
2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39)
CVE Name: CVE-2016-1885
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The IA-32 architecture allows programs to define segments, which provides
based and size-limited view into the program address space. The
memory-resident processor structure, called Local Descriptor Table,
usually abbreviated LDT, contains definitions of the segments. Since
incorrect or malicious segments would breach system integrity, operating
systems do not provide processes direct access to the LDT, instead
they provide system calls which allow controlled installation and removal
of segments.
II. Problem Description
A special combination of sysarch(2) arguments, specify a request to
uninstall a set of descriptors from the LDT. The start descriptor
is cleared and the number of descriptors are provided. Due to invalid
use of a signed intermediate value in the bounds checking during argument
validity verification, unbound zero'ing of the process LDT and adjacent
memory can be initiated from usermode.
III. Impact
This vulnerability could cause the kernel to panic. In addition it is
possible to perform a local Denial of Service against the system by
unprivileged processes.
IV. Workaround
No workaround is available, but only the amd64 architecture is affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD platforms can be updated
via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot is required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
# gpg --verify sysarch.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r296958
releng/9.3/ r296953
stable/10/ r296957
releng/10.1/ r296954
releng/10.2/ r296955
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1885>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
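Review bot: the header says "Affects: All supported versions of FreeBSD." while section IV states "only the amd64 architecture is affected"; put the architecture restriction in the Affects field so that readers triaging by header see it. In section V.2 the sentence "Systems running a RELEASE version of FreeBSD platforms can be updated" has lost its platform list and needs rewording. Section III lists only a panic and local denial of service although section II describes zeroing of memory adjacent to the LDT, so a sentence relating the two would help.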

@ -0,0 +1,48 @@
--- sys/dev/hyperv/utilities/hv_kvp.c.orig
+++ sys/dev/hyperv/utilities/hv_kvp.c
@@ -44,6 +44,7 @@
#include <sys/reboot.h>
#include <sys/lock.h>
#include <sys/taskqueue.h>
+#include <sys/selinfo.h>
#include <sys/sysctl.h>
#include <sys/poll.h>
#include <sys/proc.h>
@@ -114,6 +115,8 @@
static struct hv_kvp_msg *hv_kvp_dev_buf;
struct proc *daemon_task;
+static struct selinfo hv_kvp_selinfo;
+
/*
* Global state to track and synchronize multiple
* KVP transaction requests from the host.
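Review bot: the file-scope `hv_kvp_selinfo` added here is never torn down anywhere in this patch; if the driver can detach or unload while the daemon is sleeping in poll(), the teardown path should call seldrain(&hv_kvp_selinfo) before the device goes away. Consider placing it with the global state that the following comment describes, so its lifetime follows the rest of the KVP state.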
@@ -628,6 +631,9 @@
/* Send the msg to user via function deamon_read - setting sema */
sema_post(&kvp_globals.dev_sema);
+
+ /* We should wake up the daemon, in case it's doing poll() */
+ selwakeup(&hv_kvp_selinfo);
}
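Review bot: the selwakeup() added after sema_post() only helps if the poll handler then reports readiness, and the handler in this patch returns POLLIN only when kvp_globals.daemon_busy is true; confirm that daemon_busy is set before this point, otherwise a woken poller will call selrecord() again and go back to sleep. The context comment spells the reader function "deamon_read", which is worth correcting if these lines are touched again.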
@@ -940,7 +946,7 @@
* for daemon to read.
*/
static int
-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td __unused)
+hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
{
int revents = 0;
@@ -953,6 +959,9 @@
*/
if (kvp_globals.daemon_busy == true)
revents = POLLIN;
+ else
+ selrecord(td, &hv_kvp_selinfo);
+
mtx_unlock(&kvp_globals.pending_mutex);
return (revents);
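Review bot: in the lines shown, the handler sets `revents = POLLIN` and calls selrecord() without consulting the `events` argument; the usual d_poll shape is to act only on `events & (POLLIN | POLLRDNORM)`, returning that masked value when data is ready and recording the thread only when the caller asked for read events. Calling selrecord() before mtx_unlock(&kvp_globals.pending_mutex) is the right placement, provided the producer side updates daemon_busy under the same mutex.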

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,28 @@
--- sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c.orig
+++ sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
@@ -128,6 +128,15 @@
#define HV_NV_SC_PTR_OFFSET_IN_BUF 0
#define HV_NV_PACKET_OFFSET_IN_BUF 16
+/*
+ * A unified flag for all outbound check sum flags is useful,
+ * and it helps avoiding unnecessary check sum calculation in
+ * network forwarding scenario.
+ */
+#define HV_CSUM_FOR_OUTBOUND \
+ (CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO| \
+ CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP| \
+ CSUM_IP6_TSO|CSUM_IP6_ISCSI)
/*
* Data types
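Review bot: HV_CSUM_FOR_OUTBOUND is a hand-written list of eleven CSUM_* bits, so it will silently miss any outbound offload flag defined later; add a line to the comment naming where the list was taken from and that it must be kept in sync, or build the mask from an existing aggregate if the tree provides one. In the comment, "check sum" should be "checksum" and "helps avoiding" should be "helps avoid".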
@@ -570,7 +579,8 @@
packet->vlan_tci & 0xfff;
}
- if (0 == m_head->m_pkthdr.csum_flags) {
+ /* Only check the flags for outbound and ignore the ones for inbound */
+ if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) {
goto pre_send;
}
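Review bot: the masked test only decides whether to jump to pre_send; m_head->m_pkthdr.csum_flags still carries the inbound bits on a forwarded packet, so any later branch in the send path that reads csum_flags must test specific outbound bits rather than non-zero. The constant-first form `0 == (...)` matches the replaced line, though `(... & HV_CSUM_FOR_OUTBOUND) == 0` reads more naturally if a style change is acceptable here.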

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,62 @@
--- crypto/openssh/session.c.orig
+++ crypto/openssh/session.c
@@ -46,6 +46,7 @@
#include <arpa/inet.h>
+#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
@@ -274,6 +275,21 @@
do_cleanup(authctxt);
}
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+ size_t i;
+
+ for (i = 0; s[i] != '\0'; i++) {
+ if (!isalnum((u_char)s[i]) &&
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+ s[i] != '-' && s[i] != '_')
+ return 0;
+ }
+ return 1;
+}
+
/*
* Prepares for an interactive session. This is called after the user has
* been successfully authenticated. During this message exchange, pseudo
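Review bot: xauth_valid_string() returns 1 for an empty string, because the loop body never runs, so an empty auth_proto or auth_data passes validation; decide whether that is intended and, if not, reject `s[0] == '\0'`. The function also assumes s is non-NULL, and isalnum() depends on the current locale, so an explicit ASCII range check would make the allowlist exactly the characters listed in the condition.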
@@ -347,7 +363,13 @@
s->screen = 0;
}
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
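Review bot: on rejection the only record is error("Invalid X11 forwarding data"), which does not say whether auth_proto or auth_data failed the check; naming the field, without echoing the untrusted bytes, would make rejected requests easier to pick out in the server log. Setting success = 0 and falling through to the existing free() calls is the right cleanup path.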
@@ -2178,7 +2200,13 @@
s->screen = packet_get_int();
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
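Review bot: this is the same validation block as in the hunk at line 347, so a future caller of session_setup_x11fwd() could omit it; moving the two xauth_valid_string() calls into session_setup_x11fwd() itself would cover every path that enables X11 forwarding and remove the duplication.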

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,13 @@
--- sys/amd64/amd64/sys_machdep.c.orig
+++ sys/amd64/amd64/sys_machdep.c
@@ -580,8 +580,8 @@
struct i386_ldt_args *uap;
struct user_segment_descriptor *descs;
{
- int error = 0, i;
- int largest_ld;
+ int error = 0;
+ unsigned int largest_ld, i;
struct mdproc *mdp = &td->td_proc->p_md;
struct proc_ldt *pldt;
struct user_segment_descriptor *dp;
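Review bot: switching `largest_ld` and `i` to unsigned int changes how the later comparisons behave, but the bounds check itself is not part of this hunk, so the patch does not show that the sum of the start index and the descriptor count cannot wrap; add a comment at the check explaining why unsigned is required and verify the addition against the LDT size explicitly. Also confirm that no remaining use of `i` or `largest_ld` compares against a signed value or relies on a negative sentinel.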

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -10,6 +10,18 @@
<month>
<name>3</name>
<day>
<name>16</name>
<advisory>
<name>FreeBSD-SA-16:15.sysarch</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:14.openssh</name>
</advisory>
</day>
<day>
<name>10</name>

@ -7,6 +7,22 @@
<year>
<name>2016</name>
<month>
<name>3</name>
<day>
<name>16</name>
<notice>
<name>FreeBSD-EN-16:05.hv_netvsc</name>
</notice>
<notice>
<name>FreeBSD-EN-16:04.hyperv</name>
</notice>
</day>
</month>
<month>
<name>1</name>