os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add SA-17:08, SA-17:09, SA-17:10.

Browse source
This commit is contained in:
Gordon Tetlow 2017-11-15 23:08:45 +00:00
parent b8d35cef83
commit b5c3bd7933
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=51201
12 changed files with 1996 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

140
share/security/advisories/FreeBSD-SA-17:08.ptrace.asc Normal file
View file

@ -0,0 +1,140 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:08.ptrace Security Advisory
The FreeBSD Project
Topic: Kernel data leak via ptrace(PT_LWPINFO)
Category: core
Module: ptrace
Announced: 2017-11-15
Credits: John Baldwin
Affects: All supported versions of FreeBSD.
Corrected: 2017-11-10 12:28:43 UTC (stable/11, 11.1-STABLE)
2017-11-15 22:39:41 UTC (releng/11.1, 11.1-RELEASE-p4)
2017-11-15 22:40:15 UTC (releng/11.0, 11.0-RELEASE-p15)
2017-11-10 12:31:58 UTC (stable/10, 10.4-STABLE)
2017-11-15 22:40:32 UTC (releng/10.4, 10.4-RELEASE-p3)
2017-11-15 22:40:46 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name: CVE-2017-1086
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ptrace(2) syscall provides the facility for a debugger to control the
execution of the target process and to obtain necessary status information
about it. The struct ptrace_lwpinfo structure is reported by one of the
ptrace(2) subcommand and contains a lot of the information about the stopped
thread (light-weight process or LWP, thus the name).
II. Problem Description
Not all information in the struct ptrace_lwpinfo is relevant for the state
of any thread, and the kernel does not fill the irrelevant bytes or short
strings. Since the structure filled by the kernel is allocated on the
kernel stack and copied to userspace, a leak of information of the kernel
stack of the thread is possible from the debugger.
III. Impact
Some bytes from the kernel stack of the thread using ptrace(PT_LWPINFO)
call can be observed in userspace.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch
# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch.asc
# gpg --verify ptrace.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r325643
releng/10.3/ r325871
releng/10.4/ r325870
stable/11/ r325642
releng/11.0/ r325869
releng/11.1/ r325868
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1086>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:08.ptrace.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxftfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
audQ+hAA2+cjqNVUJ/Polwo9cu61QxKLEXO1DItlMIFWBxpFpXXlRSLbqH+RGmaO
6aR4Q1xcOnLm8e57KcLFppl77uOZyO0IJ0lyK6P30ouSxuYIW3aHbW+p3pVYBE+J
aqF3mNxSh9xQRgXvxUB/CM3w/SMKkxXtkZMvhNSGFCShGQTNpjGfAgIwOZD8mNFi
WvYbPgzwfeE4tsaStZ91SZ8wf2nxdRXhybDXEOCAJvicP6IqYA1Zfr7RG2N3swK7
JKLXW7tiVu+zbRYYFiWYX4FIWatIlsTjpD0GyuZs0j2PCEu80z1muFnrp/dGg3Bn
APGVzIrkFjKvmXfkuFZFPMWCL+u9cUgOMNGkMFDXrLppLL7aXCGrz3BWECg581Pr
dnUrrz/iEcXGDcnTJ3Ff+OidqdhdpVQz59Ek90TMd5iO+nZ+xeVjVzxdLHb82/wt
KlgXRpwTg3Q72xDSF84UmRSkk1M/V5AZMrZiy2RjIwtvLqIJ9ZpLAMnrwTTWRDjB
YurHHNWKjMVkdKCdbpBVGRjNmS6XYS6QukmA4M85d2r0Dmb8J6Gd6juHc3Essrz+
3qEMKAcYsSWbQ5ZSMywUOzM74Dk+wUTf7jCJ1IsSqn8hYHOqvUSF0ftwXkdS1+cv
GT25iduAMCdTP15Qp57Wlhv9WCF8eOUoYKHiSpXcVa6XMqazLy4=
=Uqz2
-----END PGP SIGNATURE-----

140
share/security/advisories/FreeBSD-SA-17:09.shm.asc Normal file
View file

@ -0,0 +1,140 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:09.shm Security Advisory
The FreeBSD Project
Topic: POSIX shm allows jails to access global namespace
Category: core
Module: shm
Announced: 2017-11-15
Credits: Whitewinterwolf
Affects: FreeBSD 10.x
Corrected: 2017-11-13 23:21:17 UTC (stable/10, 10.4-STABLE)
2017-11-15 22:45:50 UTC (releng/10.4, 10.4-RELEASE-p3)
2017-11-15 22:45:13 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name: CVE-2017-1087
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
POSIX shared memory objects allow realtime inter-process communication by
sharing a memory area through the use of a named path (see shm_open(2)).
This is used by some multi-process applications to share data between running
processes, such as a common cache or to implement a producer-consumer model
where several worker processes handle requests pushed by a producer process.
II. Problem Description
Named paths are globally scoped, meaning a process located in one jail can
read and modify the content of POSIX shared memory objects created by a
process in another jail or the host system.
III. Impact
A malicious user that has access to a jailed system is able to abuse shared
memory by injecting malicious content in the shared memory region. This
memory region might be executed by applications trusting the shared memory,
like Squid.
This issue could lead to a Denial of Service or local privilege escalation.
IV. Workaround
No workaround is available, but systems without jails or jails not having
local users are not vulnerable.
V. Solution
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot the system for the update to take effect.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot the system for the update to take effect.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.4, FreeBSD 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch.asc
# gpg --verify shm-10.patch.asc
[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch.asc
# gpg --verify shm-10.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r325783
releng/10.3/ r325873
releng/10.4/ r325874
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1087>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:09.shm.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxg1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auciExAAhd9IcZrWpAqjKSGQWHrG7wJxrbCyyVVmZeoVQYQCihXJOnp+mhmVoJp5
zvyjIBG23F/dR8ukRO/LnqzM2bhCj7OcijlvZboH3L4os8iIeB2Tc6k9YlnFQeij
wYK0CNnQjECf5S4OIBmQ+irpBYATZKk2EEDdmKDltcauSlIhJIzUedGdmMySOFzl
jpx3+dHNb+D9v4luOgvF3mVTYPpjYmJ2HIYel3m0XdElW+okM+L4Q5Nt4Krm+DDp
L0fUG5tqS+a++53mNIGeGiBhomD0zZMJZ8LXe/FAACHPWA0yUMhCVrZTwzVTHhA7
g5W1prFW3WYui7x1qF2LIA+SnGFTWXRlIhlAA/1n94Jl6shHnV6guZbzLAX0zk/C
6WFydhrYhmPXd3o5uWz+oQQHXQCcHeGrNc+fmPKg/bpkyJvgfLc6YaY2gEQmfIrI
3w/xqhN8mWVVhpHsHK+Wcz44T9uGH4NlYeDYy3TJ1ECri28fbxufAzr8hgbNRDtw
B8YTijrPUSjwKBG815oO5JsOmHVCkCkIRx7nW72bHIs8ralXX563HK3RPjlFzr2G
tzk9DF2w2TUQlgzS4wbZk9lXmlgvV0vRzsz+7jcJe1K+ZgyweNg+QIVet3BvobIA
zeiRFfZuhH3ExNoJKqfZhBtOiePD0JR6JnkhvjEJm1NoHvoDOAQ=
=epmQ
-----END PGP SIGNATURE-----

136
share/security/advisories/FreeBSD-SA-17:10.kldstat.asc Normal file
View file

@ -0,0 +1,136 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-17:10.kldstat Security Advisory
The FreeBSD Project
Topic: Information leak in kldstat(2)
Category: core
Module: kernel
Announced: 2017-11-15
Credits: TJ Corley
Affects: All supported versions of FreeBSD.
Corrected: 2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name: CVE-2017-1088
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The kldstat(2) syscall provides information about loaded kld files. The
syscall takes a userland argument of struct kld_file_stat which is then
filled with data about the kld file requested.
II. Problem Description
The kernel does not properly clear the memory of the kld_file_stat
structure before filling the data. Since the structure filled by the
kernel is allocated on the kernel stack and copied to userspace, a leak
of information from the kernel stack is possible.
III. Impact
Some bytes from the kernel stack can be observed in userspace.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
# gpg --verify kldstat.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r325867
releng/10.3/ r325878
releng/10.4/ r325877
stable/11/ r325866
releng/11.0/ r325876
releng/11.1/ r325875
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxhRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
audjZhAA29uguakBjkQtnAlWceN0BOQlkp03iYQh61dFpdH98f7RQcr5cq77XKrM
pkONtdEVbZNF9g6sly6n9dq5ivAuC9K1KGPtylMcPzHLTzDtV1B13vk2iwwgqkZ7
GgB+m305kcL85knaASn3PBYwKTKzGOrhZFUZuTTI4VAnbbEmIwTHnJlVHvNwFDIj
je1XxdDBr4jq7SdCZH8YW9LZAMDi9b+0hg72u20ZQ66uNeadxN4i9DuWtMeHJHb7
2aZRtHhdw4imryUpHM4FnCp5zp9V87Gyv4wy7IrkOKYtbl4nWqxqVakL7T9yVmY5
Q4cGqreYq8bF2aM3LyT26VmDfMOovovHJpCRHf9fvlIMj6ajS39FKWMkEeU23ykg
EiTNk090h/G3REWiPnWjbxt8VGnFGyLe3K1VQqUvS+LlQ4lc45WCJnEHcpbvXT/E
TNTQ/85nE4BklV1d9wiLy26C21W92IguZam0HdRYJHgEc9Mug+62MfqDzHf0w5HP
3pu8IV5KMwEjGxzaiDMETIZU+K5fkdzPDNBhscxZ6OOab4zQ0+pZgdT1CSbXV6Ru
xuOjSyBdz5vVdbq/298VJJ7hNyoP1MgnyaxPrG2ImNDKjUGqbtOgv0m3ISqtsyfs
pEvyO2MxWWZqdNhtGJuQpOYyzAMxfJdmdOz1PMFFayQiBR7F0ao=
=N2rs
-----END PGP SIGNATURE-----

27
share/security/patches/SA-17:08/ptrace.patch Normal file
View file

@ -0,0 +1,27 @@
--- sys/kern/sys_process.c.orig
+++ sys/kern/sys_process.c
@@ -518,6 +518,7 @@
struct ptrace_lwpinfo32 *pl32)
{
+ bzero(pl32, sizeof(*pl32));
pl32->pl_lwpid = pl->pl_lwpid;
pl32->pl_event = pl->pl_event;
pl32->pl_flags = pl->pl_flags;
@@ -1301,6 +1302,7 @@
} else
#endif
pl = addr;
+ bzero(pl, sizeof(*pl));
pl->pl_lwpid = td2->td_tid;
pl->pl_event = PL_EVENT_NONE;
pl->pl_flags = 0;
@@ -1321,8 +1323,6 @@
pl->pl_siginfo = td2->td_dbgksi.ksi_info;
}
}
- if ((pl->pl_flags & PL_FLAG_SI) == 0)
- bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo));
if (td2->td_dbgflags & TDB_SCE)
pl->pl_flags |= PL_FLAG_SCE;
else if (td2->td_dbgflags & TDB_SCX)

18
share/security/patches/SA-17:08/ptrace.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxiVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
aueBbRAApWCpppwWGjGogqxNVVeyROsWzCVGy4MGOT0ngU5mc2uwZA1zwbUZ0m1I
KGIGQGgkJLaU/pHJfjPmG6QGfGW2XY/VGd6EKY5P7dYXx54uGeb0OXU5e+6HLTMX
dWPkvAXeRQJuIY5A3L4K9lOiS6sLfpk759RlriuMRpqoBOZ4uQxynplYuuBJ/CRc
Tezy8LehBys2qDwhQa1wgoK/St5heh7TfOcoaumm9KvO7687DADE7bmU/iQ+XntL
eB/RVQTZ5yxDNe7z4oDsVwUwHFpwrln76feVDYVVdJFz8/dCszRenFhptrC145rY
W3o+LuczLdf+70vVY6ajLRypIpcvFEzO7X5DKafNFKG0ZvxrQp190+a4DAKJ6Vgh
8hB6Poz1aBObeJlnLNKPpcXQDwi3FCxyMardrTJG2bIAjqoS27eqF/RVhJpeXexs
plG2aRk4CdduOyrTYvvqDw2HkDB36kuE3gyFufV9DwMrPWtPQIEJcW9bPNGBdDi/
LorKHPCXiX1/M8I9DMgOAmcGkaO/UtTqGFNZRrwuC9j2XpVk4gQfF5LUTdnf7FB3
R0+/+HWYWpHm+OmuodToYgZ5X4+ftQpQztmvgArBLW83AcUUBL4ic7u5kOJCLUlT
QEseNpEHQBEIJzkOtq/nui//9kimTOWsC6rw7Raeoh/kUmurMjg=
=AJBS
-----END PGP SIGNATURE-----

1025
share/security/patches/SA-17:09/shm-10.3.patch Normal file
View file

File diff suppressed because it is too large Load diff

18
share/security/patches/SA-17:09/shm-10.3.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxjRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
auenfg/9E6q50Ghg4zZdsQCasxVQbKIChpZhSnWsLYPBj/6p7OvYuDEEFCmD5Em0
OVymwJZw1Ist+toQ9SmbNbkylkNW8Nsh5ZL1/LjK3/4/T6bcN4QprV3HSuUyRBVd
uN3nNw7bU7tYC0mrUi5e9V7OMW3FeQD3yusEnppe8MKjWYYSlElVJuGYoc1Wl10B
uHe2WThVEPVqkF2BQexQCo4PyszA5vH1/YseoBgW+gRBIcqHqVsH0RIC3H9shIL1
0QaeA+H/03xBtpWaZcBALYCyPWajKq5bQTSqMx6tikfNlWCWAc0LFjgpgtj+yujW
isMyDxTqdYhPGn4Rpfz7JH/OImMdICH/+9f5i0but90DD/eGo38XY7QwypZzR0eR
itCpyPLeqPJgOajSP76kVyMCr8LwmKnOrDDf1AFCjUNdrJrQybJdDHRbOOUr9arp
qyOLMDrEhjuSlcvi4jvoHufhyZ8CZESASgrB1vR3fsib0UBfcbK2DFBvQAdD55tf
LIYdf7+CcgjKxcALewL1uCOY1lmrYW1fA4SEevVQAjmuGpTQm2wFAQX86TrzMKjl
sj6MXJkI6Nawe4L/T7EnhIytEdcka7bfTHaBtzhLR1bRo8DoGk/WJkUtQNWm5kF3
UNeChno3BxTBZZK5OvVZ3lB0u4/O1UXM/zZkp0JHj1R0npNsWpw=
=uZpC
-----END PGP SIGNATURE-----

361
share/security/patches/SA-17:09/shm-10.patch Normal file
View file

@ -0,0 +1,361 @@
--- sys/kern/uipc_mqueue.c.orig
+++ sys/kern/uipc_mqueue.c
@@ -52,6 +52,7 @@
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/limits.h>
+#include <sys/malloc.h>
#include <sys/buf.h>
#include <sys/capsicum.h>
#include <sys/dirent.h>
@@ -60,8 +61,8 @@
#include <sys/fcntl.h>
#include <sys/file.h>
#include <sys/filedesc.h>
+#include <sys/jail.h>
#include <sys/lock.h>
-#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mount.h>
#include <sys/mqueue.h>
@@ -131,6 +132,7 @@
LIST_HEAD(,mqfs_node) mn_children;
LIST_ENTRY(mqfs_node) mn_sibling;
LIST_HEAD(,mqfs_vdata) mn_vnodes;
+ const void *mn_pr_root;
int mn_refcount;
mqfs_type_t mn_type;
int mn_deleted;
@@ -218,6 +220,7 @@
static uma_zone_t mqnoti_zone;
static struct vop_vector mqfs_vnodeops;
static struct fileops mqueueops;
+static unsigned mqfs_osd_jail_slot;
/*
* Directory structure construction and manipulation
@@ -235,6 +238,7 @@
static void mqfs_fileno_alloc(struct mqfs_info *mi, struct mqfs_node *mn);
static void mqfs_fileno_free(struct mqfs_info *mi, struct mqfs_node *mn);
static int mqfs_allocv(struct mount *mp, struct vnode **vpp, struct mqfs_node *pn);
+static int mqfs_prison_remove(void *obj, void *data);
/*
* Message queue construction and maniplation
@@ -435,6 +439,7 @@
node = mqnode_alloc();
strncpy(node->mn_name, name, namelen);
+ node->mn_pr_root = cred->cr_prison->pr_root;
node->mn_type = nodetype;
node->mn_refcount = 1;
vfs_timestamp(&node->mn_birth);
@@ -643,6 +648,9 @@
{
struct mqfs_node *root;
struct mqfs_info *mi;
+ osd_method_t methods[PR_MAXMETHOD] = {
+ [PR_METHOD_REMOVE] = mqfs_prison_remove,
+ };
mqnode_zone = uma_zcreate("mqnode", sizeof(struct mqfs_node),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
@@ -669,6 +677,7 @@
EVENTHANDLER_PRI_ANY);
mq_fdclose = mqueue_fdclose;
p31b_setcfg(CTL_P1003_1B_MESSAGE_PASSING, _POSIX_MESSAGE_PASSING);
+ mqfs_osd_jail_slot = osd_jail_register(NULL, methods);
return (0);
}
@@ -682,6 +691,7 @@
if (!unloadable)
return (EOPNOTSUPP);
+ osd_jail_deregister(mqfs_osd_jail_slot);
EVENTHANDLER_DEREGISTER(process_exit, exit_tag);
mi = &mqfs_data;
mqfs_destroy(mi->mi_root);
@@ -801,13 +811,17 @@
* Search a directory entry
*/
static struct mqfs_node *
-mqfs_search(struct mqfs_node *pd, const char *name, int len)
+mqfs_search(struct mqfs_node *pd, const char *name, int len, struct ucred *cred)
{
struct mqfs_node *pn;
+ const void *pr_root;
sx_assert(&pd->mn_info->mi_lock, SX_LOCKED);
+ pr_root = cred->cr_prison->pr_root;
LIST_FOREACH(pn, &pd->mn_children, mn_sibling) {
- if (strncmp(pn->mn_name, name, len) == 0 &&
+ /* Only match names within the same prison root directory */
+ if ((pn->mn_pr_root == NULL || pn->mn_pr_root == pr_root) &&
+ strncmp(pn->mn_name, name, len) == 0 &&
pn->mn_name[len] == '\0')
return (pn);
}
@@ -879,7 +893,7 @@
/* named node */
sx_xlock(&mqfs->mi_lock);
- pn = mqfs_search(pd, pname, namelen);
+ pn = mqfs_search(pd, pname, namelen, cnp->cn_cred);
if (pn != NULL)
mqnode_addref(pn);
sx_xunlock(&mqfs->mi_lock);
@@ -1364,6 +1378,7 @@
struct mqfs_node *pn;
struct dirent entry;
struct uio *uio;
+ const void *pr_root;
int *tmp_ncookies = NULL;
off_t offset;
int error, i;
@@ -1388,10 +1403,18 @@
error = 0;
offset = 0;
+ pr_root = ap->a_cred->cr_prison->pr_root;
sx_xlock(&mi->mi_lock);
LIST_FOREACH(pn, &pd->mn_children, mn_sibling) {
entry.d_reclen = sizeof(entry);
+
+ /*
+ * Only show names within the same prison root directory
+ * (or not associated with a prison, e.g. "." and "..").
+ */
+ if (pn->mn_pr_root != NULL && pn->mn_pr_root != pr_root)
+ continue;
if (!pn->mn_fileno)
mqfs_fileno_alloc(mi, pn);
entry.d_fileno = pn->mn_fileno;
@@ -1525,6 +1548,38 @@
#endif /* notyet */
/*
+ * See if this prison root is obsolete, and clean up associated queues if it is.
+ */
+static int
+mqfs_prison_remove(void *obj, void *data __unused)
+{
+ const struct prison *pr = obj;
+ const struct prison *tpr;
+ struct mqfs_node *pn, *tpn;
+ int found;
+
+ found = 0;
+ TAILQ_FOREACH(tpr, &allprison, pr_list) {
+ if (tpr->pr_root == pr->pr_root && tpr != pr && tpr->pr_ref > 0)
+ found = 1;
+ }
+ if (!found) {
+ /*
+ * No jails are rooted in this directory anymore,
+ * so no queues should be either.
+ */
+ sx_xlock(&mqfs_data.mi_lock);
+ LIST_FOREACH_SAFE(pn, &mqfs_data.mi_root->mn_children,
+ mn_sibling, tpn) {
+ if (pn->mn_pr_root == pr->pr_root)
+ (void)do_unlink(pn, curthread->td_ucred);
+ }
+ sx_xunlock(&mqfs_data.mi_lock);
+ }
+ return (0);
+}
+
+/*
* Allocate a message queue
*/
static struct mqueue *
@@ -1984,7 +2039,7 @@
return (error);
sx_xlock(&mqfs_data.mi_lock);
- pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1);
+ pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1, td->td_ucred);
if (pn == NULL) {
if (!(flags & O_CREAT)) {
error = ENOENT;
@@ -2079,7 +2134,7 @@
return (EINVAL);
sx_xlock(&mqfs_data.mi_lock);
- pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1);
+ pn = mqfs_search(mqfs_data.mi_root, path + 1, len - 1, td->td_ucred);
if (pn != NULL)
error = do_unlink(pn, td->td_ucred);
else
--- sys/kern/uipc_sem.c.orig
+++ sys/kern/uipc_sem.c
@@ -44,6 +44,7 @@
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/fnv_hash.h>
+#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/ksem.h>
#include <sys/lock.h>
@@ -444,12 +445,24 @@
static void
ksem_info_impl(struct ksem *ks, char *path, size_t size, uint32_t *value)
{
+ const char *ks_path, *pr_path;
+ size_t pr_pathlen;
if (ks->ks_path == NULL)
return;
sx_slock(&ksem_dict_lock);
- if (ks->ks_path != NULL)
- strlcpy(path, ks->ks_path, size);
+ ks_path = ks->ks_path;
+ if (ks_path != NULL) {
+ pr_path = curthread->td_ucred->cr_prison->pr_path;
+ if (strcmp(pr_path, "/") != 0) {
+ /* Return the jail-rooted pathname. */
+ pr_pathlen = strlen(pr_path);
+ if (strncmp(ks_path, pr_path, pr_pathlen) == 0 &&
+ ks_path[pr_pathlen] == '/')
+ ks_path += pr_pathlen;
+ }
+ strlcpy(path, ks_path, size);
+ }
if (value != NULL)
*value = ks->ks_value;
sx_sunlock(&ksem_dict_lock);
@@ -493,6 +506,8 @@
struct ksem *ks;
struct file *fp;
char *path;
+ const char *pr_path;
+ size_t pr_pathlen;
Fnv32_t fnv;
int error, fd;
@@ -529,10 +544,16 @@
ks->ks_flags |= KS_ANONYMOUS;
} else {
path = malloc(MAXPATHLEN, M_KSEM, M_WAITOK);
- error = copyinstr(name, path, MAXPATHLEN, NULL);
+ pr_path = td->td_ucred->cr_prison->pr_path;
+ /* Construct a full pathname for jailed callers. */
+ pr_pathlen = strcmp(pr_path, "/") == 0 ? 0
+ : strlcpy(path, pr_path, MAXPATHLEN);
+ error = copyinstr(name, path + pr_pathlen,
+ MAXPATHLEN - pr_pathlen, NULL);
+
/* Require paths to start with a '/' character. */
- if (error == 0 && path[0] != '/')
+ if (error == 0 && path[pr_pathlen] != '/')
error = EINVAL;
if (error) {
fdclose(td, fp, fd);
@@ -668,11 +689,17 @@
sys_ksem_unlink(struct thread *td, struct ksem_unlink_args *uap)
{
char *path;
+ const char *pr_path;
+ size_t pr_pathlen;
Fnv32_t fnv;
int error;
path = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
- error = copyinstr(uap->name, path, MAXPATHLEN, NULL);
+ pr_path = td->td_ucred->cr_prison->pr_path;
+ pr_pathlen = strcmp(pr_path, "/") == 0 ? 0
+ : strlcpy(path, pr_path, MAXPATHLEN);
+ error = copyinstr(uap->name, path + pr_pathlen, MAXPATHLEN - pr_pathlen,
+ NULL);
if (error) {
free(path, M_TEMP);
return (error);
--- sys/kern/uipc_shm.c.orig
+++ sys/kern/uipc_shm.c
@@ -57,6 +57,7 @@
#include <sys/kernel.h>
#include <sys/uio.h>
#include <sys/signal.h>
+#include <sys/jail.h>
#include <sys/ktrace.h>
#include <sys/lock.h>
#include <sys/malloc.h>
@@ -712,6 +713,8 @@
struct shmfd *shmfd;
struct file *fp;
char *path;
+ const char *pr_path;
+ size_t pr_pathlen;
Fnv32_t fnv;
mode_t cmode;
int fd, error;
@@ -749,13 +752,19 @@
shmfd = shm_alloc(td->td_ucred, cmode);
} else {
path = malloc(MAXPATHLEN, M_SHMFD, M_WAITOK);
- error = copyinstr(uap->path, path, MAXPATHLEN, NULL);
+ pr_path = td->td_ucred->cr_prison->pr_path;
+
+ /* Construct a full pathname for jailed callers. */
+ pr_pathlen = strcmp(pr_path, "/") == 0 ? 0
+ : strlcpy(path, pr_path, MAXPATHLEN);
+ error = copyinstr(uap->path, path + pr_pathlen,
+ MAXPATHLEN - pr_pathlen, NULL);
#ifdef KTRACE
if (error == 0 && KTRPOINT(curthread, KTR_NAMEI))
ktrnamei(path);
#endif
/* Require paths to start with a '/' character. */
- if (error == 0 && path[0] != '/')
+ if (error == 0 && path[pr_pathlen] != '/')
error = EINVAL;
if (error) {
fdclose(td, fp, fd);
@@ -842,11 +851,17 @@
sys_shm_unlink(struct thread *td, struct shm_unlink_args *uap)
{
char *path;
+ const char *pr_path;
+ size_t pr_pathlen;
Fnv32_t fnv;
int error;
path = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
- error = copyinstr(uap->path, path, MAXPATHLEN, NULL);
+ pr_path = td->td_ucred->cr_prison->pr_path;
+ pr_pathlen = strcmp(pr_path, "/") == 0 ? 0
+ : strlcpy(path, pr_path, MAXPATHLEN);
+ error = copyinstr(uap->path, path + pr_pathlen, MAXPATHLEN - pr_pathlen,
+ NULL);
if (error) {
free(path, M_TEMP);
return (error);
@@ -1053,11 +1068,23 @@
void
shm_path(struct shmfd *shmfd, char *path, size_t size)
{
+ const char *shm_path, *pr_path;
+ size_t pr_pathlen;
if (shmfd->shm_path == NULL)
return;
sx_slock(&shm_dict_lock);
- if (shmfd->shm_path != NULL)
- strlcpy(path, shmfd->shm_path, size);
+ shm_path = shmfd->shm_path;
+ if (shm_path != NULL) {
+ pr_path = curthread->td_ucred->cr_prison->pr_path;
+ if (strcmp(pr_path, "/") != 0) {
+ /* Return the jail-rooted pathname. */
+ pr_pathlen = strlen(pr_path);
+ if (strncmp(shm_path, pr_path, pr_pathlen) == 0 &&
+ shm_path[pr_pathlen] == '/')
+ shm_path += pr_pathlen;
+ }
+ strlcpy(path, shm_path, size);
+ }
sx_sunlock(&shm_dict_lock);
}

18
share/security/patches/SA-17:09/shm-10.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxjBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
aud+NQ//brfNPCYRN11P4LroaBUcy5Ylz8uA95mE/MwU1R9jA0LBpIvKmuzZQ0C1
vaw8CCk2NfKZdod+/6MtPq5ngHSkaFpLEpT91T4z6CnjwDFkWtGWbSmOP6w9dtJY
tl2lU2MsQYe6xCbW6Idf45gWEbca7S3pkjc8Qrun1Eofl86OmNLcHvbQQDn0LzLv
/Albm3zqNusBJRY4GN7lcAbN8GjuYcXgqgvP4x9UkW2oUWBwaUxFieW+TqfDtQC0
a1G7OFit+kF9vDaWKM6dALPc5etV5WsUl/W1/qCpja32IZ9Dc8fiKMapp3/p2+xe
B5iA8UOa+PzOReoIc/PsCy1oKpor5vvJA5h70APfvUHwodb4slNPK15ZxynK9llE
vHIN+fY/Xfjz0NM5xEz9QhOHue7H9nNtIHQSdy9wZzXT/s8rmf+5MWFgyKtMQac3
Mat/RRZu+eLGvshQrnAseXvpmbGv7B06qOr81zx+K353rXrBm+V+5Z9ftvt2Ajlg
YfPN4ExjXSsn2m8piuPuJT/6uyfo/NKdQrT9G4GLJi/gW9FSvAMMx7kT47U6MEFq
FjYP70Z3JO/lCJz/yQHg6+LLR69GEFyqX54zrOfsYxfobLiiDJurcWHaVEnvVIes
Sqc8fw2SPz74rL2GwkQttPTqJzGfXwKJGljcG5Yfr8l+0ZxLUFs=
=4WnF
-----END PGP SIGNATURE-----

75
share/security/patches/SA-17:10/kldstat.patch Normal file
View file

@ -0,0 +1,75 @@
--- sys/compat/freebsd32/freebsd32_misc.c.orig
+++ sys/compat/freebsd32/freebsd32_misc.c
@@ -3331,8 +3331,8 @@
int
freebsd32_kldstat(struct thread *td, struct freebsd32_kldstat_args *uap)
{
- struct kld_file_stat stat;
- struct kld32_file_stat stat32;
+ struct kld_file_stat *stat;
+ struct kld32_file_stat *stat32;
int error, version;
if ((error = copyin(&uap->stat->version, &version, sizeof(version)))
@@ -3342,17 +3342,22 @@
version != sizeof(struct kld32_file_stat))
return (EINVAL);
- error = kern_kldstat(td, uap->fileid, &stat);
- if (error != 0)
- return (error);
-
- bcopy(&stat.name[0], &stat32.name[0], sizeof(stat.name));
- CP(stat, stat32, refs);
- CP(stat, stat32, id);
- PTROUT_CP(stat, stat32, address);
- CP(stat, stat32, size);
- bcopy(&stat.pathname[0], &stat32.pathname[0], sizeof(stat.pathname));
- return (copyout(&stat32, uap->stat, version));
+ stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO);
+ stat32 = malloc(sizeof(*stat32), M_TEMP, M_WAITOK | M_ZERO);
+ error = kern_kldstat(td, uap->fileid, stat);
+ if (error == 0) {
+ bcopy(&stat->name[0], &stat32->name[0], sizeof(stat->name));
+ CP(*stat, *stat32, refs);
+ CP(*stat, *stat32, id);
+ PTROUT_CP(*stat, *stat32, address);
+ CP(*stat, *stat32, size);
+ bcopy(&stat->pathname[0], &stat32->pathname[0],
+ sizeof(stat->pathname));
+ error = copyout(stat32, uap->stat, version);
+ }
+ free(stat, M_TEMP);
+ free(stat32, M_TEMP);
+ return (error);
}
int
--- sys/kern/kern_linker.c.orig
+++ sys/kern/kern_linker.c
@@ -1229,7 +1229,7 @@
int
sys_kldstat(struct thread *td, struct kldstat_args *uap)
{
- struct kld_file_stat stat;
+ struct kld_file_stat *stat;
int error, version;
/*
@@ -1242,10 +1242,12 @@
version != sizeof(struct kld_file_stat))
return (EINVAL);
- error = kern_kldstat(td, uap->fileid, &stat);
- if (error != 0)
- return (error);
- return (copyout(&stat, uap->stat, version));
+ stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO);
+ error = kern_kldstat(td, uap->fileid, stat);
+ if (error == 0)
+ error = copyout(stat, uap->stat, version);
+ free(stat, M_TEMP);
+ return (error);
}
int

18
share/security/patches/SA-17:10/kldstat.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxj1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
aud7chAApmeYQat1/fM0tufIYLhiq1sNIqJWoVg1mRRIfKQWIiq1qscyke6zZvOw
AVYGEiMuLjb38cdwkJ1iASiA3HQ7tEBf/qBtOA4pxPvndGYeJE5Iubvkj57Jp0qb
xjJ21APFcxsAnqYZWz8drUEj0LhEBj/bMEcYYPcqtTZDOFy+6rjzQQZluKnDOUEL
J5FUjT7ekUAKLKPMqv1FvOZ6NwoZ2aOnI7pOZA/UOe+wPFF4aFfKfpcT7tcx7XFs
iFiyirKBq2tjLGYUqcR4U8/kDk0QVeyfGarcDU9UUDSu4cNzZu6h5p3nnVPMOHqW
lQMfONobxHwQy37Eg58W4f4cMDiOQSa48oMhE4Ai3/VDpwyBn6DYqw9BqisSZZZO
xw4Fkvvjwg0wGWgkMpgrHaan+ubyjFNcBg6RuXrODm0RDWAR3pzc0bZQzwd8tlYq
Fsku+bdaHW6VtUFFcSIXAfakFQX0F/99WW+Oy4+QzkA10oXKY9LJeFDBAAwY5mJm
SPHWrcVo08mjDO5XV642HV7K+1YWZ3l8jA2b22UlU2s6slgz+AO51DV+RONlze/E
qp25CnKkK8DUmtZ5zjXAGUfm/iA0rrSFAqHsB9xQSx5ht7Hk+EpV3d7FzeVKI0Sl
V2TCk/SHCKVwNDg53/eXl7zWsY41CBw5L2b6oAvcyuipZJOAloA=
=oLz2
-----END PGP SIGNATURE-----

20
share/xml/advisories.xml
View file

@ -7,6 +7,26 @@
<year>
<name>2017</name>
<month>
<name>11</name>
<day>
<name>15</name>
<advisory>
<name>FreeBSD-SA-17:10.kldstat</name>
</advisory>
<advisory>
<name>FreeBSD-SA-17:09.shm</name>
</advisory>
<advisory>
<name>FreeBSD-SA-17:08.ptrace</name>
</advisory>
</day>
</month>
<month>
<name>10</name>