Add errata notices EN-18:09 through EN-18:12

Approved by:	so
Gordon Tetlow 2018-09-27 19:11:47 +00:00
parent 102e80cdac
commit c039c6da13
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=52312
15 changed files with 1226 additions and 0 deletions

@ -0,0 +1,136 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:09.ip Errata Notice
The FreeBSD Project
Topic: IP fragment remediation causes IPv6 fragment
reassembly failure
Category: core
Module: kernel
Announced: 2018-09-27
Credits: Kristof Provost
Affects: FreeBSD 11.1 and FreeBSD 11.2
Corrected: 2018-09-27 18:29:55 UTC (releng/11.2, 11.2-RELEASE-p4)
2018-09-27 18:29:55 UTC (releng/11.1, 11.1-RELEASE-p15)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The recent security advisory titled SA-18:10.ip resolved an issue in the IPv4
and IPv6 fragment reassembly code.
II. Problem Description
As a result of fixing the issue describe in SA-18:10.ip, a regression was
introduced in the IPv6 fragment hashing code which could cause reassembly to
fail.
III. Impact
Received IPv6 packets requiring fragment reassembly may be dropped instead of
properly reassembled and delivered.
IV. Workaround
Disable IPv6 fragment reassembly, using these commands:
% sysctl net.inet6.ip6.maxfrags=0
On systems compiled with VIMAGE, these sysctls will need to be
executed for each VNET.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/EN-18:09/ip.patch
# fetch https://security.FreeBSD.org/patches/EN-18:09/ip.patch.asc
# gpg --verify ip.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
releng/11.1/ r338978
releng/11.2/ r338978
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The security advisory that introduced the regression is available at
<URL:https://www.freebsd.org/security/advisories/FreeBSD-SA-18:10.ip.asc>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231045>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:09.ip.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
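Review bot: Section II reads "the issue describe in SA-18:10.ip"; that should be "described". Section IV says "these commands" and "these sysctls", but only one sysctl, net.inet6.ip6.maxfrags, is listed, so use the singular or list the others. The workaround turns IPv6 fragment reassembly off altogether, so fragmented IPv6 traffic is still not delivered while it is in place; the notice should say that. In section VII the bugzilla URL follows the SA link with no introducing sentence of its own.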

@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:10.syscall Errata Notice
The FreeBSD Project
Topic: NULL pointer dereference in freebsd4_getfsstat system call
Category: core
Module: kernel
Announced: 2018-09-27
Credits: Thomas Barabosch, Fraunhofer FKIE
Affects: FreeBSD 11.x
Corrected: 2018-09-27 18:54:41 UTC (stable/11, 11.1-STABLE)
2018-09-27 18:32:14 UTC (releng/11.2, 11.2-RELEASE-p4)
2018-09-27 18:32:14 UTC (releng/11.1, 11.1-RELEASE-p15)
CVE Name: CVE-2018-17154
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The freebsd4_getfsstat system call returns information about all mounted file
systems in a binary format compatible with FreeBSD 4.x. Part of the call
includes passing in a userland allocated buffer for the system call to fill
along with the size of the buffer.
II. Problem Description
Insufficient checking occurs on the buffer when a very large buffer size causes
memory allocation to fail. Resulting code attempts to free the NULL pointer.
III. Impact
A local unprivileged user may cause a denial of service using a specially
crafted binary.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/EN-18:10/syscall-11.patch
# fetch https://security.FreeBSD.org/patches/EN-18:10/syscall-11.patch.asc
# gpg --verify syscall-11.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r338987
releng/11.1/ r338979
releng/11.2/ r338979
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17154>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:10.syscall.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
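Review bot: The Corrected field labels stable/11 as 11.1-STABLE, while EN-18:11 and EN-18:12 in this same commit label stable/11 as 11.2-STABLE for the same date; check which is right and make the three notices agree. Section II also says the code "attempts to free the NULL pointer" while the Topic line calls it a NULL pointer dereference; use one description in both places.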

@ -0,0 +1,146 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:11.listen Errata Notice
The FreeBSD Project
Topic: Denial of service in listen syscall over IPv6 socket
Category: core
Module: kernel
Announced: 2018-09-27
Credits: Jakub Jirasek, Secunia Research at Flexera
Affects: All supported versions of FreeBSD.
Corrected: 2018-09-27 18:50:10 UTC (stable/11, 11.2-STABLE)
2018-09-27 18:34:42 UTC (releng/11.2, 11.2-RELEASE-p4)
2018-09-27 18:34:42 UTC (releng/11.1, 11.1-RELEASE-p15)
2018-09-27 18:48:50 UTC (stable/10, 10.4-STABLE)
2018-09-27 18:34:42 UTC (releng/10.4, 10.4-RELEASE-p13)
CVE Name: CVE-2018-6925
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The protocol control block is a structure that maintains the network layer
state for various sockets. There are various state flags that must be
properly maintained to keep the structure consistent.
II. Problem Description
There are various cases in the IPv6 socket code where the protocol control
block's state flags are modified during a syscall, but are not restored if
the operation fails. This can leave the control block in an inconsistent
state.
III. Impact
A local unprivileged user could exploit the inconsistent state of the
protocol control block to cause the kernel to crash, leading to a denial of
service.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-11.patch
# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-11.patch.asc
# gpg --verify listen-11.patch.asc
[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-10.patch
# fetch https://security.FreeBSD.org/patches/EN-18:11/listen-10.patch.asc
# gpg --verify listen-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r338985
releng/10.4/ r338980
stable/11/ r338986
releng/11.1/ r338980
releng/11.2/ r338980
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6925>
For information about Secunia Research:
<URL:https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:11.listen.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,139 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:12.mem Errata Notice
The FreeBSD Project
Topic: Small kernel memory disclosures in two system calls
Category: core
Module: kernel
Announced: 2018-09-27
Credits: Thomas Barabosch, Fraunhofer FKIE
Affects: All supported versions of FreeBSD.
Corrected: 2018-09-27 18:42:40 UTC (stable/11, 11.2-STABLE)
2018-09-27 18:36:30 UTC (releng/11.2, 11.2-RELEASE-p4)
2018-09-27 18:36:30 UTC (releng/11.1, 11.1-RELEASE-p15)
2018-09-27 18:44:40 UTC (stable/10, 10.4-STABLE)
2018-09-27 18:36:30 UTC (releng/10.4, 10.4-RELEASE-p13)
CVE Name: CVE-2018-17155
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The kernel provides an interface for userland programs via system calls. Two
of these system calls are named getcontext and swapcontext.
II. Problem Description
Due to insufficient initialization of memory copied to userland in the
getcontext and swapcontext system calls, small amounts of kernel memory may
be disclosed to userland processes.
III. Impact
An unprivileged local user may be able to create a specific program to read
the contents of small portions of kernel memory.
Such memory might contain sensitive information, such as portions of the file
cache or terminal buffers. This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way; for example,
a terminal buffer might include a user-entered password.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-18:12/mem.patch
# fetch https://security.FreeBSD.org/patches/EN-18:12/mem.patch.asc
# gpg --verify mem.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r339984
releng/10.4/ r338981
stable/11/ r339983
releng/11.1/ r338981
releng/11.2/ r338981
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17155>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:12.mem.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
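Review bot: In section VI the stable/10 and stable/11 revisions are given as r339984 and r339983, but the releng entries are r338981 and every other revision in this commit's notices, all corrected on 2018-09-27, falls between r338978 and r338987. These look like typos for r338984 and r338983; check them against the actual stable/10 and stable/11 commits now, because correcting a published notice means re-signing it. The fetch commands in section V 3a also lack the branch label ([FreeBSD 11.x] and so on) that the other notices in this commit carry.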

@ -0,0 +1,13 @@
--- sys/netinet6/frag6.c.orig
+++ sys/netinet6/frag6.c
@@ -216,7 +216,9 @@
int offset = *offp, nxt, i, next;
int first_frag = 0;
int fragoff, frgpartlen; /* must be larger than u_int16_t */
- uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp;
+ uint32_t hashkey[(sizeof(struct in6_addr) * 2 +
+ sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)];
+ uint32_t hash, *hashkeyp;
struct ifnet *dstifp;
u_int8_t ecn, ecn0;
#ifdef RSS
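Review bot: The new hashkey length is a byte count divided by sizeof(uint32_t), which truncates silently if the two address sizes plus sizeof(ip6f->ip6f_ident) ever stop being a multiple of four; a CTASSERT on that sum would make the assumption explicit. The array is a stack local with no initialiser visible in this hunk, so the code that fills it through hashkeyp has to write every element before the hash is computed over it, and using nitems(hashkey) or sizeof(hashkey) at the hashing call would keep the two in step. A short comment naming the three fields that make up the key would explain the size expression.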

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,11 @@
--- sys/kern/vfs_syscalls.c.orig
+++ sys/kern/vfs_syscalls.c
@@ -600,6 +600,8 @@
size = count * sizeof(struct statfs);
error = kern_getfsstat(td, &buf, size, &count, UIO_SYSSPACE,
uap->mode);
+ if (buf == NULL)
+ return (EINVAL);
td->td_retval[0] = count;
if (size != 0) {
sp = buf;
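Review bot: The added check tests buf and never looks at error, so when buf is NULL the function returns EINVAL regardless of what kern_getfsstat reported. Testing error first, as in if (error != 0) return (error);, would pass the real errno back to the caller. The context line if (size != 0) shows that a zero size reaches this point, so confirm that buf is initialised and non-NULL on that path; otherwise a size-0 call that used to return the count now fails, or the new test reads a pointer that was never set.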

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,260 @@
--- sys/netinet/tcp_usrreq.c.orig
+++ sys/netinet/tcp_usrreq.c
@@ -328,6 +328,7 @@
struct inpcb *inp;
struct tcpcb *tp = NULL;
struct sockaddr_in6 *sin6p;
+ u_char vflagsav;
sin6p = (struct sockaddr_in6 *)nam;
if (nam->sa_len != sizeof (*sin6p))
@@ -344,6 +345,7 @@
inp = sotoinpcb(so);
KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL"));
INP_WLOCK(inp);
+ vflagsav = inp->inp_vflag;
if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
error = EINVAL;
goto out;
@@ -373,6 +375,8 @@
error = in6_pcbbind(inp, nam, td->td_ucred);
INP_HASH_WUNLOCK(&V_tcbinfo);
out:
+ if (error != 0)
+ inp->inp_vflag = vflagsav;
TCPDEBUG2(PRU_BIND);
INP_WUNLOCK(inp);
return (error);
@@ -434,6 +438,7 @@
int error = 0;
struct inpcb *inp;
struct tcpcb *tp = NULL;
+ u_char vflagsav;
TCPDEBUG0;
inp = sotoinpcb(so);
@@ -443,6 +448,7 @@
error = EINVAL;
goto out;
}
+ vflagsav = inp->inp_vflag;
tp = intotcpcb(inp);
TCPDEBUG1();
SOCK_LOCK(so);
@@ -469,6 +475,9 @@
if (tp->t_flags & TF_FASTOPEN)
tp->t_tfo_pending = tcp_fastopen_alloc_counter();
#endif
+ if (error != 0)
+ inp->inp_vflag = vflagsav;
+
out:
TCPDEBUG2(PRU_LISTEN);
INP_WUNLOCK(inp);
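Review bot: The restore sits above the out: label here, unlike the bind function where it sits below it, and nothing explains why. It is correct as written, because vflagsav is only assigned after the first goto out in the previous hunk and restoring below the label would read it unset on that path. Either add a one-line comment saying so, or move the vflagsav assignment above the first error check and put the restore under out:, so that bind and listen follow the same pattern.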
@@ -543,6 +552,8 @@
struct inpcb *inp;
struct tcpcb *tp = NULL;
struct sockaddr_in6 *sin6p;
+ u_int8_t incflagsav;
+ u_char vflagsav;
TCPDEBUG0;
@@ -559,6 +570,8 @@
inp = sotoinpcb(so);
KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL"));
INP_WLOCK(inp);
+ vflagsav = inp->inp_vflag;
+ incflagsav = inp->inp_inc.inc_flags;
if (inp->inp_flags & INP_TIMEWAIT) {
error = EADDRINUSE;
goto out;
@@ -584,11 +597,11 @@
}
in6_sin6_2_sin(&sin, sin6p);
- inp->inp_vflag |= INP_IPV4;
- inp->inp_vflag &= ~INP_IPV6;
if ((error = prison_remote_ip4(td->td_ucred,
&sin.sin_addr)) != 0)
goto out;
+ inp->inp_vflag |= INP_IPV4;
+ inp->inp_vflag &= ~INP_IPV6;
if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0)
goto out;
#ifdef TCP_OFFLOAD
@@ -601,11 +614,11 @@
goto out;
}
#endif
+ if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0)
+ goto out;
inp->inp_vflag &= ~INP_IPV4;
inp->inp_vflag |= INP_IPV6;
inp->inp_inc.inc_flags |= INC_ISIPV6;
- if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0)
- goto out;
if ((error = tcp6_connect(tp, nam, td)) != 0)
goto out;
#ifdef TCP_OFFLOAD
@@ -618,6 +631,15 @@
error = tcp_output(tp);
out:
+ /*
+ * If the implicit bind in the connect call fails, restore
+ * the flags we modified.
+ */
+ if (error != 0 && inp->inp_lport == 0) {
+ inp->inp_vflag = vflagsav;
+ inp->inp_inc.inc_flags = incflagsav;
+ }
+
TCPDEBUG2(PRU_CONNECT);
INP_WUNLOCK(inp);
return (error);
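Review bot: The restore is gated on inp->inp_lport == 0, which the comment describes as the implicit bind failing. When the socket is already bound and tcp_connect or tcp6_connect fails after the flags were switched in the two earlier hunks, inp_vflag and inc_flags keep the switched values. If that is intended, say so in the comment; if not, drop the inp_lport test. The UDP connect path in this same patch uses a different condition (local address unspecified and inp_lport == 0), and the two should either agree or explain the difference.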
--- sys/netinet6/sctp6_usrreq.c.orig
+++ sys/netinet6/sctp6_usrreq.c
@@ -608,6 +608,7 @@
struct sctp_inpcb *inp;
struct in6pcb *inp6;
int error;
+ u_char vflagsav;
inp = (struct sctp_inpcb *)so->so_pcb;
if (inp == NULL) {
@@ -638,6 +639,7 @@
}
}
inp6 = (struct in6pcb *)inp;
+ vflagsav = inp6->inp_vflag;
inp6->inp_vflag &= ~INP_IPV4;
inp6->inp_vflag |= INP_IPV6;
if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) {
@@ -667,7 +669,7 @@
inp6->inp_vflag |= INP_IPV4;
inp6->inp_vflag &= ~INP_IPV6;
error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p);
- return (error);
+ goto out;
}
#endif
break;
@@ -684,7 +686,8 @@
if (addr->sa_family == AF_INET) {
/* can't bind v4 addr to v6 only socket! */
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL);
- return (EINVAL);
+ error = EINVAL;
+ goto out;
}
#endif
sin6_p = (struct sockaddr_in6 *)addr;
@@ -693,10 +696,14 @@
/* can't bind v4-mapped addrs either! */
/* NOTE: we don't support SIIT */
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL);
- return (EINVAL);
+ error = EINVAL;
+ goto out;
}
}
error = sctp_inpcb_bind(so, addr, NULL, p);
+out:
+ if (error != 0)
+ inp6->inp_vflag = vflagsav;
return (error);
}
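Review bot: The out: label is only safe to reach after vflagsav has been assigned, and nothing at the label says so. The exits converted in these hunks all come after the save, but the earlier inp == NULL exit shown in the first hunk's context must remain a plain return; a comment at out: would guard against a later edit turning it into a goto. No PCB lock is visible around the save and restore in these hunks, unlike the TCP and UDP paths that do the same work under INP_WLOCK, so confirm that something serialises this function on the inpcb.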
--- sys/netinet6/udp6_usrreq.c.orig
+++ sys/netinet6/udp6_usrreq.c
@@ -947,6 +947,7 @@
struct inpcb *inp;
struct inpcbinfo *pcbinfo;
int error;
+ u_char vflagsav;
pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol);
inp = sotoinpcb(so);
@@ -954,6 +955,7 @@
INP_WLOCK(inp);
INP_HASH_WLOCK(pcbinfo);
+ vflagsav = inp->inp_vflag;
inp->inp_vflag &= ~INP_IPV4;
inp->inp_vflag |= INP_IPV6;
if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) {
@@ -981,6 +983,8 @@
#ifdef INET
out:
#endif
+ if (error != 0)
+ inp->inp_vflag = vflagsav;
INP_HASH_WUNLOCK(pcbinfo);
INP_WUNLOCK(inp);
return (error);
@@ -1023,6 +1027,7 @@
struct inpcbinfo *pcbinfo;
struct sockaddr_in6 *sin6;
int error;
+ u_char vflagsav;
pcbinfo = get_inpcbinfo(so->so_proto->pr_protocol);
inp = sotoinpcb(so);
@@ -1046,17 +1051,26 @@
goto out;
}
in6_sin6_2_sin(&sin, sin6);
- inp->inp_vflag |= INP_IPV4;
- inp->inp_vflag &= ~INP_IPV6;
error = prison_remote_ip4(td->td_ucred, &sin.sin_addr);
if (error != 0)
goto out;
+ vflagsav = inp->inp_vflag;
+ inp->inp_vflag |= INP_IPV4;
+ inp->inp_vflag &= ~INP_IPV6;
INP_HASH_WLOCK(pcbinfo);
error = in_pcbconnect(inp, (struct sockaddr *)&sin,
td->td_ucred);
INP_HASH_WUNLOCK(pcbinfo);
+ /*
+ * If connect succeeds, mark socket as connected. If
+ * connect fails and socket is unbound, reset inp_vflag
+ * field.
+ */
if (error == 0)
soisconnected(so);
+ else if (inp->inp_laddr.s_addr == INADDR_ANY &&
+ inp->inp_lport == 0)
+ inp->inp_vflag = vflagsav;
goto out;
}
#endif
@@ -1064,16 +1078,25 @@
error = EISCONN;
goto out;
}
- inp->inp_vflag &= ~INP_IPV4;
- inp->inp_vflag |= INP_IPV6;
error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr);
if (error != 0)
goto out;
+ vflagsav = inp->inp_vflag;
+ inp->inp_vflag &= ~INP_IPV4;
+ inp->inp_vflag |= INP_IPV6;
INP_HASH_WLOCK(pcbinfo);
error = in6_pcbconnect(inp, nam, td->td_ucred);
INP_HASH_WUNLOCK(pcbinfo);
+ /*
+ * If connect succeeds, mark socket as connected. If
+ * connect fails and socket is unbound, reset inp_vflag
+ * field.
+ */
if (error == 0)
soisconnected(so);
+ else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) &&
+ inp->inp_lport == 0)
+ inp->inp_vflag = vflagsav;
out:
INP_WUNLOCK(inp);
return (error);

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,260 @@
--- sys/netinet/tcp_usrreq.c.orig
+++ sys/netinet/tcp_usrreq.c
@@ -339,6 +339,7 @@
struct inpcb *inp;
struct tcpcb *tp = NULL;
struct sockaddr_in6 *sin6p;
+ u_char vflagsav;
sin6p = (struct sockaddr_in6 *)nam;
if (nam->sa_len != sizeof (*sin6p))
@@ -355,6 +356,7 @@
inp = sotoinpcb(so);
KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL"));
INP_WLOCK(inp);
+ vflagsav = inp->inp_vflag;
if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
error = EINVAL;
goto out;
@@ -384,6 +386,8 @@
error = in6_pcbbind(inp, nam, td->td_ucred);
INP_HASH_WUNLOCK(&V_tcbinfo);
out:
+ if (error != 0)
+ inp->inp_vflag = vflagsav;
TCPDEBUG2(PRU_BIND);
TCP_PROBE2(debug__user, tp, PRU_BIND);
INP_WUNLOCK(inp);
@@ -447,6 +451,7 @@
int error = 0;
struct inpcb *inp;
struct tcpcb *tp = NULL;
+ u_char vflagsav;
TCPDEBUG0;
inp = sotoinpcb(so);
@@ -456,6 +461,7 @@
error = EINVAL;
goto out;
}
+ vflagsav = inp->inp_vflag;
tp = intotcpcb(inp);
TCPDEBUG1();
SOCK_LOCK(so);
@@ -482,6 +488,9 @@
if (tp->t_flags & TF_FASTOPEN)
tp->t_tfo_pending = tcp_fastopen_alloc_counter();
#endif
+ if (error != 0)
+ inp->inp_vflag = vflagsav;
+
out:
TCPDEBUG2(PRU_LISTEN);
TCP_PROBE2(debug__user, tp, PRU_LISTEN);
@@ -558,6 +567,8 @@
struct inpcb *inp;
struct tcpcb *tp = NULL;
struct sockaddr_in6 *sin6p;
+ u_int8_t incflagsav;
+ u_char vflagsav;
TCPDEBUG0;
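Review bot: incflagsav is declared u_int8_t and vflagsav u_char on adjacent lines; declare each with the exact type of the field it saves (inp_inc.inc_flags and inp_vflag), and where that is an 8-bit unsigned integer prefer uint8_t over the older u_int8_t spelling.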
@@ -574,6 +585,8 @@
inp = sotoinpcb(so);
KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL"));
INP_WLOCK(inp);
+ vflagsav = inp->inp_vflag;
+ incflagsav = inp->inp_inc.inc_flags;
if (inp->inp_flags & INP_TIMEWAIT) {
error = EADDRINUSE;
goto out;
@@ -603,11 +616,11 @@
}
in6_sin6_2_sin(&sin, sin6p);
- inp->inp_vflag |= INP_IPV4;
- inp->inp_vflag &= ~INP_IPV6;
if ((error = prison_remote_ip4(td->td_ucred,
&sin.sin_addr)) != 0)
goto out;
+ inp->inp_vflag |= INP_IPV4;
+ inp->inp_vflag &= ~INP_IPV6;
if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0)
goto out;
#ifdef TCP_OFFLOAD
@@ -625,11 +638,11 @@
}
}
#endif
+ if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0)
+ goto out;
inp->inp_vflag &= ~INP_IPV4;
inp->inp_vflag |= INP_IPV6;
inp->inp_inc.inc_flags |= INC_ISIPV6;
- if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0)
- goto out;
if ((error = tcp6_connect(tp, nam, td)) != 0)
goto out;
#ifdef TCP_OFFLOAD
@@ -642,6 +655,15 @@
error = tp->t_fb->tfb_tcp_output(tp);
out:
+ /*
+ * If the implicit bind in the connect call fails, restore
+ * the flags we modified.
+ */
+ if (error != 0 && inp->inp_lport == 0) {
+ inp->inp_vflag = vflagsav;
+ inp->inp_inc.inc_flags = incflagsav;
+ }
+
TCPDEBUG2(PRU_CONNECT);
TCP_PROBE2(debug__user, tp, PRU_CONNECT);
INP_WUNLOCK(inp);
--- sys/netinet6/sctp6_usrreq.c.orig
+++ sys/netinet6/sctp6_usrreq.c
@@ -557,6 +557,7 @@
struct sctp_inpcb *inp;
struct in6pcb *inp6;
int error;
+ u_char vflagsav;
inp = (struct sctp_inpcb *)so->so_pcb;
if (inp == NULL) {
@@ -587,6 +588,7 @@
}
}
inp6 = (struct in6pcb *)inp;
+ vflagsav = inp6->inp_vflag;
inp6->inp_vflag &= ~INP_IPV4;
inp6->inp_vflag |= INP_IPV6;
if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) {
@@ -616,7 +618,7 @@
inp6->inp_vflag |= INP_IPV4;
inp6->inp_vflag &= ~INP_IPV6;
error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p);
- return (error);
+ goto out;
}
#endif
break;
@@ -633,7 +635,8 @@
if (addr->sa_family == AF_INET) {
/* can't bind v4 addr to v6 only socket! */
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL);
- return (EINVAL);
+ error = EINVAL;
+ goto out;
}
#endif
sin6_p = (struct sockaddr_in6 *)addr;
@@ -642,10 +645,14 @@
/* can't bind v4-mapped addrs either! */
/* NOTE: we don't support SIIT */
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL);
- return (EINVAL);
+ error = EINVAL;
+ goto out;
}
}
error = sctp_inpcb_bind(so, addr, NULL, p);
+out:
+ if (error != 0)
+ inp6->inp_vflag = vflagsav;
return (error);
}
--- sys/netinet6/udp6_usrreq.c.orig
+++ sys/netinet6/udp6_usrreq.c
@@ -1002,6 +1002,7 @@
struct inpcb *inp;
struct inpcbinfo *pcbinfo;
int error;
+ u_char vflagsav;
pcbinfo = udp_get_inpcbinfo(so->so_proto->pr_protocol);
inp = sotoinpcb(so);
@@ -1009,6 +1010,7 @@
INP_WLOCK(inp);
INP_HASH_WLOCK(pcbinfo);
+ vflagsav = inp->inp_vflag;
inp->inp_vflag &= ~INP_IPV4;
inp->inp_vflag |= INP_IPV6;
if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) {
@@ -1036,6 +1038,8 @@
#ifdef INET
out:
#endif
+ if (error != 0)
+ inp->inp_vflag = vflagsav;
INP_HASH_WUNLOCK(pcbinfo);
INP_WUNLOCK(inp);
return (error);
@@ -1082,6 +1086,7 @@
struct inpcbinfo *pcbinfo;
struct sockaddr_in6 *sin6;
int error;
+ u_char vflagsav;
pcbinfo = udp_get_inpcbinfo(so->so_proto->pr_protocol);
inp = sotoinpcb(so);
@@ -1109,17 +1114,26 @@
goto out;
}
in6_sin6_2_sin(&sin, sin6);
- inp->inp_vflag |= INP_IPV4;
- inp->inp_vflag &= ~INP_IPV6;
error = prison_remote_ip4(td->td_ucred, &sin.sin_addr);
if (error != 0)
goto out;
+ vflagsav = inp->inp_vflag;
+ inp->inp_vflag |= INP_IPV4;
+ inp->inp_vflag &= ~INP_IPV6;
INP_HASH_WLOCK(pcbinfo);
error = in_pcbconnect(inp, (struct sockaddr *)&sin,
td->td_ucred);
INP_HASH_WUNLOCK(pcbinfo);
+ /*
+ * If connect succeeds, mark socket as connected. If
+ * connect fails and socket is unbound, reset inp_vflag
+ * field.
+ */
if (error == 0)
soisconnected(so);
+ else if (inp->inp_laddr.s_addr == INADDR_ANY &&
+ inp->inp_lport == 0)
+ inp->inp_vflag = vflagsav;
goto out;
} else {
if ((inp->inp_vflag & INP_IPV6) == 0) {
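Review bot: The restore in the v4-mapped branch only runs when the socket is unbound, so on a bound socket a failed in_pcbconnect leaves INP_IPV4 set and INP_IPV6 cleared. The else branch in the trailing context tests (inp->inp_vflag & INP_IPV6) == 0, so a later native IPv6 connect on that socket takes whatever path that test guards. If that is acceptable, extend the comment to say why a bound socket keeps the switched flags; otherwise restore on every error.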
@@ -1132,16 +1146,25 @@
error = EISCONN;
goto out;
}
- inp->inp_vflag &= ~INP_IPV4;
- inp->inp_vflag |= INP_IPV6;
error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr);
if (error != 0)
goto out;
+ vflagsav = inp->inp_vflag;
+ inp->inp_vflag &= ~INP_IPV4;
+ inp->inp_vflag |= INP_IPV6;
INP_HASH_WLOCK(pcbinfo);
error = in6_pcbconnect(inp, nam, td->td_ucred);
INP_HASH_WUNLOCK(pcbinfo);
+ /*
+ * If connect succeeds, mark socket as connected. If
+ * connect fails and socket is unbound, reset inp_vflag
+ * field.
+ */
if (error == 0)
soisconnected(so);
+ else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) &&
+ inp->inp_lport == 0)
+ inp->inp_vflag = vflagsav;
out:
INP_WUNLOCK(inp);
return (error);

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,18 @@
--- sys/kern/kern_context.c.orig
+++ sys/kern/kern_context.c
@@ -68,6 +68,7 @@
if (uap->ucp == NULL)
ret = EINVAL;
else {
+ bzero(&uc, sizeof(ucontext_t));
get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET);
PROC_LOCK(td->td_proc);
uc.uc_sigmask = td->td_sigmask;
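Review bot: bzero(&uc, sizeof(ucontext_t)) names the type rather than the object; sizeof(uc) would keep the size tied to the variable if its declaration ever changes. A one-line comment that the clear is there so padding and unset fields are not copied out to userland would stop someone later removing it as redundant with get_mcontext.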
@@ -108,6 +109,7 @@
if (uap->oucp == NULL || uap->ucp == NULL)
ret = EINVAL;
else {
+ bzero(&uc, sizeof(ucontext_t));
get_mcontext(td, &uc.uc_mcontext, GET_MC_CLEAR_RET);
bzero(uc.__spare__, sizeof(uc.__spare__));
PROC_LOCK(td->td_proc);
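Review bot: With the whole structure zeroed by the added line, the existing bzero(uc.__spare__, sizeof(uc.__spare__)) two lines below it is redundant and can be dropped in the same change, leaving a single initialisation of uc. As in the first hunk, sizeof(uc) is preferable to sizeof(ucontext_t).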

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -10,6 +10,27 @@
<month>
<name>9</name>
<day>
<name>27</name>
<notice>
<name>FreeBSD-EN-18:12.mem</name>
</notice>
<notice>
<name>FreeBSD-EN-18:11.listen</name>
</notice>
<notice>
<name>FreeBSD-EN-18:10.syscall</name>
</notice>
<notice>
<name>FreeBSD-EN-18:09.ip</name>
</notice>
</day>
<day>
<name>12</name>