From c531075a515bc35c47b6afba2f5b285bda62d8e3 Mon Sep 17 00:00:00 2001 
From: Gordon Tetlow <gordon@FreeBSD.org>
Date: Wed, 24 Jul 2019 13:28:52 +0000
Subject: [PATCH] Add EN-19:13 and SA-19:12 to SA-19:17.
Approved by: so
---
.../advisories/FreeBSD-EN-19:13.mds.asc | 133 ++++++++++++++++
.../advisories/FreeBSD-SA-19:12.telnet.asc | 136 ++++++++++++++++
.../advisories/FreeBSD-SA-19:13.pts.asc | 132 ++++++++++++++++
.../advisories/FreeBSD-SA-19:14.freebsd32.asc | 135 ++++++++++++++++
.../advisories/FreeBSD-SA-19:15.mqueuefs.asc | 138 +++++++++++++++++
.../advisories/FreeBSD-SA-19:16.bhyve.asc | 135 ++++++++++++++++
.../advisories/FreeBSD-SA-19:17.fd.asc | 146 ++++++++++++++++++
share/security/patches/EN-19:13/mds.11.patch | 18 +++
.../patches/EN-19:13/mds.11.patch.asc | 18 +++
share/security/patches/EN-19:13/mds.12.patch | 18 +++
.../patches/EN-19:13/mds.12.patch.asc | 18 +++
share/security/patches/SA-19:12/telnet.patch | 60 +++++++
.../patches/SA-19:12/telnet.patch.asc | 18 +++
share/security/patches/SA-19:13/pts.patch | 22 +++
share/security/patches/SA-19:13/pts.patch.asc | 18 +++
.../security/patches/SA-19:14/freebsd32.patch | 11 ++
.../patches/SA-19:14/freebsd32.patch.asc | 18 +++
.../security/patches/SA-19:15/mqueuefs.patch | 51 ++++++
.../patches/SA-19:15/mqueuefs.patch.asc | 18 +++
share/security/patches/SA-19:16/bhyve.patch | 49 ++++++
.../security/patches/SA-19:16/bhyve.patch.asc | 18 +++
share/security/patches/SA-19:17/fd.11.2.patch | 72 +++++++++
.../patches/SA-19:17/fd.11.2.patch.asc | 18 +++
share/security/patches/SA-19:17/fd.11.patch | 73 +++++++++
.../security/patches/SA-19:17/fd.11.patch.asc | 18 +++
share/security/patches/SA-19:17/fd.12.patch | 73 +++++++++
.../security/patches/SA-19:17/fd.12.patch.asc | 18 +++
share/xml/advisories.xml | 29 ++++
share/xml/notices.xml | 9 ++
29 files changed, 1620 insertions(+)
create mode 100644 share/security/advisories/FreeBSD-EN-19:13.mds.asc
create mode 100644 share/security/advisories/FreeBSD-SA-19:12.telnet.asc
create mode 100644 share/security/advisories/FreeBSD-SA-19:13.pts.asc
create mode 100644 share/security/advisories/FreeBSD-SA-19:14.freebsd32.asc
create mode 100644 share/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc
create mode 100644 share/security/advisories/FreeBSD-SA-19:16.bhyve.asc
create mode 100644 share/security/advisories/FreeBSD-SA-19:17.fd.asc
create mode 100644 share/security/patches/EN-19:13/mds.11.patch
create mode 100644 share/security/patches/EN-19:13/mds.11.patch.asc
create mode 100644 share/security/patches/EN-19:13/mds.12.patch
create mode 100644 share/security/patches/EN-19:13/mds.12.patch.asc
create mode 100644 share/security/patches/SA-19:12/telnet.patch
create mode 100644 share/security/patches/SA-19:12/telnet.patch.asc
create mode 100644 share/security/patches/SA-19:13/pts.patch
create mode 100644 share/security/patches/SA-19:13/pts.patch.asc
create mode 100644 share/security/patches/SA-19:14/freebsd32.patch
create mode 100644 share/security/patches/SA-19:14/freebsd32.patch.asc
create mode 100644 share/security/patches/SA-19:15/mqueuefs.patch
create mode 100644 share/security/patches/SA-19:15/mqueuefs.patch.asc
create mode 100644 share/security/patches/SA-19:16/bhyve.patch
create mode 100644 share/security/patches/SA-19:16/bhyve.patch.asc
create mode 100644 share/security/patches/SA-19:17/fd.11.2.patch
create mode 100644 share/security/patches/SA-19:17/fd.11.2.patch.asc
create mode 100644 share/security/patches/SA-19:17/fd.11.patch
create mode 100644 share/security/patches/SA-19:17/fd.11.patch.asc
create mode 100644 share/security/patches/SA-19:17/fd.12.patch
create mode 100644 share/security/patches/SA-19:17/fd.12.patch.asc
diff --git a/share/security/advisories/FreeBSD-EN-19:13.mds.asc b/share/security/advisories/FreeBSD-EN-19:13.mds.asc
new file mode 100644
index 0000000000..6749ddbc57
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-19:13.mds.asc
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:13.mds Errata Notice
+ The FreeBSD Project
+
+Topic: Kernel panic from Intel CPU vulnerability mitigation
+
+Category: core
+Module: kernel
+Announced: 2019-07-24
+Credits: Schuendehuette, Matthias
+ All supported versions of FreeBSD.
+Corrected: 2019-07-14 05:40:03 UTC (stable/12, 12.0-STABLE)
+ 2019-07-24 12:50:46 UTC (releng/12.0, 12.0-RELEASE-p8)
+ 2019-07-14 05:41:43 UTC (stable/11, 11.2-STABLE)
+ 2019-07-24 12:50:46 UTC (releng/11.2, 11.2-RELEASE-p12)
+ 2019-07-24 12:50:46 UTC (releng/11.3, 11.3-RELEASE-p1)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+In a previous update FreeBSD added mitigations for an Intel CPU
+vulnerability known as "microarchitectural data sampling."
+
+II. Problem Description
+
+Under certain configurations a pointer to the mitigation routine may be
+dereferenced before it is initialized.
+
+III. Impact
+
+Depending on system configuration, version, and architecture, the system
+may panic early in boot process, and thus be unusable.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Errata update"
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.2, FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.11.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.11.patch.asc
+# gpg --verify mds.11.patch.asc
+
+[FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.12.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.12.patch.asc
+# gpg --verify mds.12.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r349983
+releng/12.0/ r350280
+stable/11/ r349985
+releng/11.2/ r350280
+releng/11.3/ r350280
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:13.mds.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WkVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIkZA//ZbeSb2yAsux4w/nOLXQI1kfNWFT3LjVsiYS0VXCoixHr07nkDNMUv2Pn
+08eP+9hy5mtgtooOjxP/aYIzR11+HZKpS/MG1x8KGAA/0TWY4EObJUTQ53UHY5+i
+WStyHgKvqgeV2vuTqtjK5eAJfaTQV9huoapcQo0ngJMlbzICxN37UBZhOnSGb5HL
+vRAL1AnI37LBWeZJhp3nyNatUjYfaL/HBYVpmuO9g+lgXqcFRpgIZxTNSzpDsAUb
+7ARtHNUOelUoeMcMQXHbYtNOpM9c84fWxLftNsVfD3d9+GiHpklU2B++aBfzbTl3
+3lgRRk1p1p0JUNXCJy/cPb6/4SqnQRHehu1pwnJnuOM4PBpLB5HRD4WWGzM2A4Jq
+SB1rLKCwfeSWPDQ0/iOs6P+UPFjqV8WvbNmQQT+oZxZH7YSm2TY9EGd8V/3wxzYo
++FeVQ+KTW+qxXTKHnNS9KGD26Xseq8S7Ft4dzIjm6hZVwSwNPBQFnPptv4b42/sQ
+1sJxjKwKb7CrJJl4uf7vlIyNRHu7FrdyE9w1YlSB1yC2lX9Q/PQqVOxToGCIlhPk
+JvGlPa6O4ZIkhBUKDt6XJdYrRrzlM3bV5Z1lNvW02ii7KG0pDWpzGHuUdkKIF1p0
+qHugXJ4OG+lOr5n0KKfUE66gfJV0WVUDBPCeEuBun75YG++TP2w=
+=P8y6
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-19:12.telnet.asc b/share/security/advisories/FreeBSD-SA-19:12.telnet.asc
new file mode 100644
index 0000000000..158923aef2
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:12.telnet.asc
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:12.telnet Security Advisory
+ The FreeBSD Project
+
+Topic: telnet(1) client multiple vulnerabilities
+
+Category: contrib
+Module: contrib/telnet
+Announced: 2019-07-24
+Credits: Juniper Networks
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-07-19 15:37:29 UTC (stable/12, 12.0-STABLE)
+ 2019-07-24 12:51:52 UTC (releng/12.0, 12.0-RELEASE-p8)
+ 2019-07-19 15:27:53 UTC (stable/11, 11.2-STABLE)
+ 2019-07-24 12:51:52 UTC (releng/11.2, 11.2-RELEASE-p12)
+ 2019-07-24 12:51:52 UTC (releng/11.3, 11.3-RELEASE-p1)
+CVE Name: CVE-2019-0053
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The telnet(1) command is a TELNET protocol client, used primarily to
+establish terminal sessions across a network.
+
+II. Problem Description
+
+Insufficient validation of environment variables in the telnet client
+supplied in FreeBSD can lead to stack-based buffer overflows. A stack-
+based overflow is present in the handling of environment variables when
+connecting via the telnet client to remote telnet servers.
+
+This issue only affects the telnet client. Inbound telnet sessions to
+telnetd(8) are not affected by this issue.
+
+III. Impact
+
+These buffer overflows may be triggered when connecting to a malicious
+server, or by an active attacker in the network path between the client
+and server. Specially crafted TELNET command sequences may cause the
+execution of arbitrary code with the privileges of the user invoking
+telnet(1).
+
+IV. Workaround
+
+Do not use telnet(1) to connect to untrusted machines or over an
+untrusted network.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch.asc
+# gpg --verify telnet.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r350139
+releng/12.0/ r350281
+stable/11/ r350140
+releng/11.2/ r350281
+releng/11.3/ r350281
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WltfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLOzA//YxRZNUr+d8B+t6DnBUbVvthJiY9sQ1YPXUIJmp4QA7wvXr5UjURw+6qv
+raxEp6JmF06wZK4RjeIFckQD6s2wnjO5VHO80Zbs0nD4NejQGeDAIlVdKqofOtJv
+bBQNSY3vPAtumyfElc+N19rKetAjGbsUjOMbn87GlWrit4lqcavBQsdmSlQB5gVA
+dFAFsVxr+ujjATnrCmIpFiaDk0unyJ7Gtz7jiM9I8xZueJtM49/9kNCFFLKCMUl8
+HpB2k0cb18GVNJoKtzo1nELOM/oIJVO5HZt1fmYG/RgeL1BSyzg4q/5jXJQopJ2h
+Qax7fmMP+RpGGrfp9Uom63tj79eQk2NirpUtfAaYkfGKzj6fNcq/7jxZfbobx0R8
+uTiF88mlv2/SGxpo11Z/QBqOSYTQtjDRYJvjCo77g7YW8HauECC3tiklpPfFOIO8
+m5qNOORKI74Do377GBF3gxDF2T8ILwj1j7nKHf3apotvQXJkkbpWBG7ADRTFcZWd
+PMKdYiDPHV33YmCAg9tOAqV4O7TvaB07ZLKiI6kuSBtPVrazB8Az/oRJwfF6JQ6g
+4ZdinyCrXWYrWslkW8402GKCERFFYJUvwLSUqHxYMRgZWPy9zf/mH56vh4bleYnP
+kz2X7OgtB3Juu0Uzwv927+KZuyzitniaPlLe9tsyBwXFbUM+BrY=
+=LWVf
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-19:13.pts.asc b/share/security/advisories/FreeBSD-SA-19:13.pts.asc
new file mode 100644
index 0000000000..af224fdccf
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:13.pts.asc
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:13.pts Security Advisory
+ The FreeBSD Project
+
+Topic: pts(4) write-after-free
+
+Category: core
+Module: kernel
+Announced: 2019-07-24
+Credits: syzkaller
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE)
+ 2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8)
+ 2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE)
+ 2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12)
+ 2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1)
+CVE Name: CVE-2019-5606
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The posix_openpt(2) system call allocates a pseudo-terminal device and
+returns a descriptor referencing that device. Such a descriptor may be
+configured such that a SIGIO signal will be sent to a designated process
+or process group when the device is ready to perform I/O.
+
+II. Problem Description
+
+The code which handles a close(2) of a descriptor created by
+posix_openpt(2) fails to undo the configuration which causes SIGIO to be
+raised. This bug can lead to a write-after-free of kernel memory.
+
+III. Impact
+
+The bug permits malicious code to trigger a write-after-free, which may
+be used to gain root privileges or escape a jail.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch.asc
+# gpg --verify pts.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r349805
+releng/12.0/ r350282
+stable/11/ r349806
+releng/11.2/ r350282
+releng/11.3/ r350282
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:13.pts.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04Wl9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLZDA//SGC+7Vghtofm/CzylIXhC1drFOxNYJOF7KEJqDwsRR3U9S99Q9NBWS5+
+e+/vJzvV0+epZNQXDlit5a76jGwy4fNuutNh0J3APHe/l0Zp/PhM56IwRWQgqAkQ
+hF67xhHxFZs8AH6/bw21N4IkRrAZHmrrCY8ubZArjoUi0gCoFzAYRw1Nh/JTQoLS
+IGuqUFaMZWKvu3aeJiikLjHiJUMRAY7sxh+iSBSp99dsLkASqQZtx1grmosljttN
+fuD7qO2f067EWUpC50JTbNt9V7za854hrlOp8jn1g51O4fWWJoEEL2/0VUeOO+fr
+aGS9UNal25NPr2zGzx2t0u1VNE3/YKoZ0tq+mQYtaXke32ZO15Ufby0YcLU4DF8d
+dU1ZoG2AGbWmBqgQ982hocq5Dn0r5yCHXDeEGguE1DsfyBuUEZw6zfYRtzIQ0swk
+wDrdETxpIMa8jaSGtDw2bilrLNRIVqYkXBJftC3fpXhlz6PyU6bZaFm00xrs7z1D
+EJMkuIWho9oMqLTU7bZNHv7JD4G3ziTF1h2tGXGcEKp02ImNZQnw3w5PBberFgto
+H4uJQCWgFqqddkjnSidX3Uj676LC99ERDEUlqi+xnXMmBScJnQuRtiUdbpOCkPD2
+gLJmcyy7qjKw87i8KaQF5hUcym2D9xygbUV+I4RT93jR2DCVBA0=
+=Cpu+
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-19:14.freebsd32.asc b/share/security/advisories/FreeBSD-SA-19:14.freebsd32.asc
new file mode 100644
index 0000000000..f92dc52940
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:14.freebsd32.asc
@@ -0,0 +1,135 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:14.freebsd32 Security Advisory
+ The FreeBSD Project
+
+Topic: Kernel memory disclosure in freebsd32_ioctl
+
+Category: core
+Module: kernel
+Announced: 2019-07-24
+Credits: Ilja van Sprundel, IOActive
+Affects: FreeBSD 11.2 and FreeBSD 11.3
+Corrected: 2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE)
+ 2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12)
+ 2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1)
+CVE Name: CVE-2019-5605
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The FreeBSD kernel supports executing 32-bit applications on a 64-bit
+kernel, including the ioctl(2) interface.
+
+II. Problem Description
+
+Due to insufficient initialization of memory copied to userland in the
+components listed above small amounts of kernel memory may be disclosed
+to userland processes.
+
+III. Impact
+
+A user who can invoke 32-bit FreeBSD ioctls may be able to read the
+contents of small portions of kernel memory.
+
+Such memory might contain sensitive information, such as portions of the
+file cache or terminal buffers. This information might be directly
+useful, or it might be leveraged to obtain elevated privileges in some
+way; for example, a terminal buffer might include a user-entered
+password.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc
+# gpg --verify freebsd32.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/11/ r350217
+releng/11.2/ r350283
+releng/11.3/ r350283
+- -------------------------------------------------------------------------
+
+Note: This issue was addressed in a different way prior to the branch point
+for stable/12. As such, no patch is needed for FreeBSD 12.x.
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIavw//emdRXVNpGREW1FfUvWmUPpdgk6rFck9nEG0KUKYCcfhqN83BN9XtqaWu
+lBQ1jbB/CsalwL6Gpn2yuMvgS8W4yUidyPHLpzuoAThlsy5bHID1/oRftJt0T0BS
+kHbTD0tTUt3QDV51FoLBjvXfjRRb8xJ+wIGJ0NzOscWgjgu6JPUysHEJD3+vSOKN
+X3qJd3zcoYqswcvuhoVE2cFrSaZKEyIi1pJVr9CGItQTWXIisgdXdGYTnBdZU8jq
+iJGaI1BXiNUl/p/21JA32T+ZD7cdMtx6KiuoKlY7Bzgj7Qk3XW7xsQsYu724LIJT
+pVhIxntMrQSak7wIaqNPGR/FgkkKDsoo6iCHXlGxXv6tLg7pnioZIaHhc5+UZqmT
+8I0UogWhQZS03/nwFRVDLPp+ka2P0g2gsm/dX1UVuucMT+hGeqn2c/iaSU76duoR
+qavRPjLPJDnfVrpXhpqco9rq1+UwA/1uSNe0cFX0ArX040hCReDsMphcxgrkZ0sD
+u71Px2ZLE5rpWmFd8LD0X2y1l4OEcTmoTPUtJxHlVrMFztuNbAlRnyCxTV8c2uId
+zN44wRj6c2ZEV/w+kBVTV+L7NSt1eHDZ5tgUL7boEOylEgkHTl30aZ8nV2wvpaM3
+1Y/IwBnGmI4iNLMnRoIDlac6rR3dMUS4gtH+lkfxlBri9Qc3Qso=
+=8LlB
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc b/share/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc
new file mode 100644
index 0000000000..62ead97ba5
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc
@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:15.mqueuefs Security Advisory
+ The FreeBSD Project
+
+Topic: Reference count overflow in mqueue filesystem
+
+Category: core
+Module: kernel
+Announced: 2019-07-24
+Credits: Mateusz Guzik
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE)
+ 2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8)
+ 2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE)
+ 2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12)
+ 2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1)
+CVE Name: CVE-2019-5603
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+mqueuefs(5) implements POSIX message queue file system which can be used
+by processes as a communication mechanism.
+
+'struct file' represents open files, directories, sockets and other
+entities.
+
+II. Problem Description
+
+System calls operating on file descriptors obtain a reference to
+relevant struct file which due to a programming error was not always put
+back, which in turn could be used to overflow the counter of affected
+struct file.
+
+III. Impact
+
+A local user can use this flaw to obtain access to files, directories,
+sockets etc. opened by processes owned by other users. If obtained
+struct file represents a directory from outside of user's jail, it can
+be used to access files outside of the jail. If the user in question is
+a jailed root they can obtain root privileges on the host system.
+
+IV. Workaround
+
+No workaround is available. Note that the mqueuefs file system is not
+enabled by default.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch.asc
+# gpg --verify mqueuefs.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r350261
+releng/12.0/ r350284
+stable/11/ r350263
+releng/11.2/ r350284
+releng/11.3/ r350284
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:15.mqueuefs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmdfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIWpBAAg9BmPamkj7wLJODR8SvNk+qYqEbYeakiSGnvXllz2l+qI2dhMVsuQRGQ
+ko7VY0P2Wuh68UiiDG63Oq3hbOWPPkL1axk6n275rZSdoVj856tjrHjnUtP3UX5S
+WQUKRAREjhVjM9dAOwCYrmAmcpX4SkslklhfiR6AR62t4eptMlfJ6ACQATs6FPnX
+WRdyDe7yq0mL4UHWg+PvotQ+rxGiynwgVRMXwaglKOldGOuPOeuj7azM4nb6/qkN
+GjJlJOIRwfU1/sXVII3cCzndnCrz5A0sSttg4JK+uzneJNze+rOghGbyQ9F046z9
+H0M0Ae6M74UCyioyoTrQgvivWvATtNRkLBoRfvHQUNGSt6bS9g1F0N5J7NCgaIPx
+vos7P4vnRM1avEAAnAhmm9eYAkO5VLmTb1ry5vOY1o2viesN3P0URcj7o+JIipaA
+Kqlff154N2nJmCkT0BJ3m+80GWeAnwqli/LvAIruXxc2hqgWLh7wO+71mraPrV5Z
+2+IiuLPMF18FdpTBjhXyX5zCtW7t7uARgZLJMjM+hTXc7aAer7746XY5JyXfRsa9
+jLVWHlff2YoF7DySyDIC7+ONfPIHGgr45imdJgJ9Cxu31ZBmCjesNR4x1DCKgLvT
+KnpBvofWIkIb8sEikEnXMfrHqoP/RtVtK73GlmT7sbH9PDQPUYw=
+=ehKK
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-19:16.bhyve.asc b/share/security/advisories/FreeBSD-SA-19:16.bhyve.asc
new file mode 100644
index 0000000000..7384f74b35
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:16.bhyve.asc
@@ -0,0 +1,135 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:16.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: Bhyve out-of-bounds read in XHCI device
+
+Category: core
+Module: bhyve
+Announced: 2019-07-24
+Credits: Reno Robert
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-07-23 17:48:37 UTC (stable/12, 12.0-STABLE)
+ 2019-07-24 12:56:06 UTC (releng/12.0, 12.0-RELEASE-p8)
+ 2019-07-23 17:48:37 UTC (stable/11, 11.2-STABLE)
+ 2019-07-24 12:56:06 UTC (releng/11.2, 11.2-RELEASE-p12)
+ 2019-07-24 12:56:06 UTC (releng/11.3, 11.3-RELEASE-p1)
+CVE Name: CVE-2019-5604
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+bhyve(8) is a hypervisor that supports running a variety of virtual
+machines (guests). bhyve includes an emulated XHCI device.
+
+II. Problem Description
+
+The pci_xhci_device_doorbell() function does not validate the 'epid' and
+'streamid' provided by the guest, leading to an out-of-bounds read.
+
+III. Impact
+
+A misbehaving bhyve guest could crash the system or access memory that
+it should not be able to.
+
+IV. Workaround
+
+No workaround is available, however systems not using bhyve(8) for
+virtualization are not vulnerable.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+No reboot is required. Rather the bhyve(8) process for vulnerable virtual
+machines should be restarted.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart any bhyve virtual machines or reboot the system.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart any bhyve virtual machines, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r350246
+releng/12.0/ r350285
+stable/11/ r350247
+releng/11.2/ r350285
+releng/11.3/ r350285
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5604>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:16.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmtfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI+Jw//TcrKrFaXkEJtqzspjoeK9YKwNwj30ewdb/Ph3GdcgVoQmfJVsWPcmcM9
++dewKdl7gGLhVhoJ+3f3oFzlDcqSxFLHcNwSW5J7P8Zt+7ZpQzwH8pfB6S8T1Nk6
+77Sv5hYrjy8kdSh6Z/c8BkAQrhEFYO09xej8ekQ1B+iL2N4ErexpCNTMKlP96pGS
+0/4tso5gdcwrc1t6HHGffFkjItgnE8Lvgr1ZsSHbcRGAc3nqy3n21U+VH+fecAzK
+0NBO3HQeCbRIEdAms3jMLcAJGrs60VBN0nnWqLxlGBb10hY7Si0NkgbWOP2g/Elf
+J+K4SHTFXbhIGrpsrEdvSVPvytQ8gKOSys5luvtLjt0Yhll08eEUDVzaIk//Hsak
+BcUSlKHULLkVTJZvdZAHUMHJOMPpSAh61DuFcM+pxAt5E9rmgX+HnPBs1yLbgd23
+NaQadFC126T+AW5W5GyOs2BIEo4bdTNHqONF7gmR4a5bv6/7GWZz/QNsep43jDZH
+43lur9mts+/1LUCD1s4DkMniNMaGt28GMNa44PgQVzHI7NU/gdVe25TLnAv+X9lO
+aAkV/WAyszux/Io2G2DfJNTc8Am/xRzFBvmydOnbMtzw8X/xgxB1/0ysl51O9Bdw
+OhfpMygAsxbG0e8y5VuhpuoHd8/vIoBmA0z+u1tt4zxJIXgqSgE=
+=/161
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-19:17.fd.asc b/share/security/advisories/FreeBSD-SA-19:17.fd.asc
new file mode 100644
index 0000000000..3612eecd8f
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-19:17.fd.asc
@@ -0,0 +1,146 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:17.fd Security Advisory + The FreeBSD Project + +Topic: File description reference count leak + +Category: core +Module: unix +Announced: 2019-07-24 +Credits: Mark Johnston +Affects: All supported versions of FreeBSD. +Corrected: 2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE) + 2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8) + 2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE) + 2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12) + 2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1) +CVE Name: CVE-2019-5607 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +UNIX-domain sockets are used for inter-process communication. It is +possible to use UNIX-domain sockets to transfer rights, encoded as file +descriptors, to another process. Rights are encapsulated in control +messages, and multiple such messages may be transmitted with a single +system call. + +II. Problem Description + +If a process attempts to transmit rights over a UNIX-domain socket and +an error causes the attempt to fail, references acquired on the rights +are not released and are leaked. This bug can be used to cause the +reference counter to wrap around and free the corresponding file +structure. + +III. Impact + +A local user can exploit the bug to gain root privileges or escape from +a jail. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc +# gpg --verify fd.11.2.patch.asc + +[FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc +# gpg --verify fd.11.patch.asc + +[FreeBSD 12.0] +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc +# gpg --verify fd.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350222 +releng/12.0/ r350286 +stable/11/ r350223 +releng/11.2/ r350286 +releng/11.3/ r350286 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WnBfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIOTQ/+KQMGXwNiuMVNib5ErewD9QdT48NYaU/hYUub3VMAfQltvWmbiPw7zXj7 +yJGm9FxWrMvZ6hFnKskV60u9d7PMYkOv4nzcaFgPoadByXXlALQGd/ansrZFyTJr +bDeBs7J3dM/VnH/lSlPc/LlbnH4iN+gj6SSqpsWAIdq99VIviAnzHTr7SniGfXul +hP+5+xSlfAYOKuH7jM1+gpuld9kR2QzGObiUJ6gfJk+I41C90tSJHb3v+DCanyrM +N2NXKbkgRtZoaIItiqZVIKHJP+VaHOnHCBq3uEbj2+OR7I5yFkDYdQbTiWVU1bl0 +9Ps/5LPDEiQYQqgCGadzZyqyEHvoPFy2vWvc1GFya6cV1L3gtM51C713ci2Xa3NK +ZknS4bIC2Nhtrf9PcFJRkMKW8OOdwYi/2vL9I4W/PAs2EV3thQivBB7dH9TYRTdC +BWP2tFM+isibjezJfj2RAjdAq0Kln0U+4AkNWgNNToyzSNFJ0LBtvzlgS7mmtuN0 +mA9n7tYyQM5vCXEQqcC3hIkJSeNE2Sj4/RVd8oo1Ngh1el0AFTJ2aq+QowG/lWO/ +pK1lvOQXMPElbSSxCytqALWY995VRxmEUO/TF6pCgsRDIXxx+eSf1XrtT2d1+Na7 +nzt511Ho9/F4Uwbih7u+IhnWReB2Da0djLBWUtOc+HsMLQZVAUk= +=juJj +-----END PGP SIGNATURE----- 
diff --git a/share/security/patches/EN-19:13/mds.11.patch b/share/security/patches/EN-19:13/mds.11.patch
new file mode 100644
index 0000000000..a0b62c41d6
--- /dev/null
+++ b/share/security/patches/EN-19:13/mds.11.patch
@@ -0,0 +1,18 @@
+--- sys/x86/x86/cpu_machdep.c.orig
++++ sys/x86/x86/cpu_machdep.c
+@@ -953,7 +953,6 @@
+ * architectural state except possibly %rflags. Also, it is always
+ * called with interrupts disabled.
+ */
+-void (*mds_handler)(void);
+ void mds_handler_void(void);
+ void mds_handler_verw(void);
+ void mds_handler_ivb(void);
+@@ -962,6 +961,7 @@
+ void mds_handler_skl_avx(void);
+ void mds_handler_skl_avx512(void);
+ void mds_handler_silvermont(void);
++void (*mds_handler)(void) = mds_handler_void;
+
+ static int
+ sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS)
diff --git a/share/security/patches/EN-19:13/mds.11.patch.asc b/share/security/patches/EN-19:13/mds.11.patch.asc
new file mode 100644
index 0000000000..24b33f86ea
--- /dev/null
+++ b/share/security/patches/EN-19:13/mds.11.patch.asc
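Review bot: The relocated definition `void (*mds_handler)(void) = mds_handler_void;` carries no comment saying why the pointer now needs a static initializer, and the block comment above the declarations (only its tail is in the hunk) describes the handlers rather than the pointer. If the intent is that the pointer is never NULL before a mitigation is selected at runtime, which is what moving it below the `mds_handler_void` declaration suggests, a line such as `/* Never NULL: defaults to mds_handler_void until a handler is selected. */` would record it. The identical change in mds.12.patch further down would take the same comment.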
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WohfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cL2Uw/7BSeV5qpvcB0DWjmccL4skTSJt37KOZ+2B4kO3RuCQ3VLZm73tAJZYGkZ
+gUlgluC0qr6mzjtG5eXfFB0yQ95XfM5/Fcu/d1m/g7Zg/OC/lTzfyoMiW3cKrY0E
+p1t5zPmWMJ3rbLGaJy5NimUl+ef/y8LRXmUyzrK3vExN/NXt+ACwndZxPiXLQ7PC
+qATgsksuzLrTkYhW1lbX3yewU2R4DTiDoe2ytx1W9BFIE+AhtuEGb4mk4sAaqXzf
+cL4NWDETq6BDldYo9hXikHzZL8hzE5zyuFK/wYQ7a4JN05KqI0iSiMMhlhe4g0ui
+BzurSSSKPvJRHaA6YD3HWTPOZBv9rGf4xFRAAjZpjOlT+iWPMO73rdQQkEIbHBQc
+JWm6fOGodnP01qVjNpYXpjgGyzDvFoI3b1YMktPy0o8tYadHzHYsinH883Ihik97
+i9EqjxacqBoAK3XKatDNM83ZIE1VfanULktCZ1eloxIrlkBqjjHw2VmiWgB6s7j7
+t0o3+SP7gfusBmagHRdv9pfDd8Jp5RDG8aRhZP7Gd2zb2lNop9TfdyxMGMEFEh3f
+IG5X8/UED3MBjwVgem74k0Pov/NUzW3x9TB14hoPO5Z1CewlKWCirDXn5l1qhpkf
+4pGXZdd10QW1UGRG7NQ+dbRLiqX0YdfUGJm78ntoczYP1zNBpH0=
+=lZrt
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-19:13/mds.12.patch b/share/security/patches/EN-19:13/mds.12.patch
new file mode 100644
index 0000000000..7da39f2028
--- /dev/null
+++ b/share/security/patches/EN-19:13/mds.12.patch
@@ -0,0 +1,18 @@
+--- sys/x86/x86/cpu_machdep.c.orig
++++ sys/x86/x86/cpu_machdep.c
+@@ -924,7 +924,6 @@
+ * architectural state except possibly %rflags. Also, it is always
+ * called with interrupts disabled.
+ */
+-void (*mds_handler)(void);
+ void mds_handler_void(void);
+ void mds_handler_verw(void);
+ void mds_handler_ivb(void);
+@@ -933,6 +932,7 @@
+ void mds_handler_skl_avx(void);
+ void mds_handler_skl_avx512(void);
+ void mds_handler_silvermont(void);
++void (*mds_handler)(void) = mds_handler_void;
+
+ static int
+ sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS)
diff --git a/share/security/patches/EN-19:13/mds.12.patch.asc b/share/security/patches/EN-19:13/mds.12.patch.asc
new file mode 100644
index 0000000000..fbef69aa21
--- /dev/null
+++ b/share/security/patches/EN-19:13/mds.12.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WohfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKNWQ//S9SPs5aLAn548fpti++SamgqLC+OpBWilFxruB+Y4i1J8EKYde58DzIw
+GSpJya11QZz+oHUhHGuR3gqxCeaUK3Qyvld1NNqPg5nRDPBdEWWxkX0slliRbKWM
+VYQdak5SkRozvc1A7Ssy8bZ3krqgpRLCdETvy2RCFURPXWs7lAFqCYP6FiJvPd5n
+gzi49FFLMXr5REtHe9D2i3z1/3v0mwOwSE7uvgBHHqf9/Cu7cypSLpZc4b9nwmta
+r9gB2jLM+9+Stocsilht5fdH2X2+3iTIxuYKkkjvkqKcLD0cOYdm+CvnaRqf5GhA
+9lFC/wsbcTz6itn0MmBgPReN6fTRGAmr0dACkU6mtPHke8x9Cii8u5GQD/W+Q6Zs
+UJ9CMvE4EuaUFCfooigHDCeLM4jRBzF6auZL6BXPDENC0btJaU9iYnwkuxH7jyFy
+LWcm67asSqDy9YMhip4SUmeQZe03wMvxPnDf9QXGclo9AhWAH2YxjFxIXOZlQOwO
+fbVedzyxEtBjYLZz8c9GSoklKnS0d7FEGK9hZxAx4QFMsAMTiidPFhSUiP65F1du
+Y5kkDw3a8xFeBegA+43s1ds+Y7YGKyrEwao/L7N1NZ2fvqHNUnbpa/A0uTvr17Dc
+1Ja/FDSLV2X3bffidbn4BkBuWXIEjJJHuKVPl10tMgV4BbrJPMQ=
+=rBsY
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:12/telnet.patch b/share/security/patches/SA-19:12/telnet.patch
new file mode 100644
index 0000000000..9d3deaeb02
--- /dev/null
+++ b/share/security/patches/SA-19:12/telnet.patch
@@ -0,0 +1,60 @@ +--- contrib/telnet/telnet/commands.c.orig ++++ contrib/telnet/telnet/commands.c +@@ -45,6 +45,7 @@ + #include <sys/socket.h> + #include <netinet/in.h> + ++#include <assert.h> + #include <ctype.h> + #include <err.h> + #include <errno.h> +@@ -1654,11 +1655,14 @@ + || (strncmp((char *)ep->value, "unix:", 5) == 0))) { + char hbuf[256+1]; + char *cp2 = strchr((char *)ep->value, ':'); ++ size_t buflen; + +- gethostname(hbuf, 256); +- hbuf[256] = '\0'; +- cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1); +- sprintf((char *)cp, "%s%s", hbuf, cp2); ++ gethostname(hbuf, sizeof(hbuf)); ++ hbuf[sizeof(hbuf)-1] = '\0'; ++ buflen = strlen(hbuf) + strlen(cp2) + 1; ++ cp = (char *)malloc(sizeof(char)*buflen); ++ assert(cp != NULL); ++ snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); + free(ep->value); + ep->value = (unsigned char *)cp; + } +--- contrib/telnet/telnet/utilities.c.orig ++++ contrib/telnet/telnet/utilities.c +@@ -629,7 +629,7 @@ + } + { + char tbuf[64]; +- sprintf(tbuf, "%s%s%s%s%s", ++ snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s", + pointer[2]&MODE_EDIT ? "|EDIT" : "", + pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "", + pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "", +--- contrib/telnet/telnet/telnet.c.orig ++++ contrib/telnet/telnet/telnet.c +@@ -785,7 +785,7 @@ + name = gettermname(); + len = strlen(name) + 4 + 2; + if (len < NETROOM()) { +- sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, ++ snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, + TELQUAL_IS, name, IAC, SE); + ring_supply_data(&netoring, temp, len); + printsub('>', &temp[2], len-2); +@@ -807,7 +807,7 @@ + + TerminalSpeeds(&ispeed, &ospeed); + +- sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, ++ snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, + TELQUAL_IS, ospeed, ispeed, IAC, SE); + len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */ + 
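Review bot: In the telnet.c hunk at -785, `len = strlen(name) + 4 + 2` is still the length passed to `ring_supply_data(&netoring, temp, len)` and `printsub()`, so when the new `snprintf()` truncates, the code hands on `len` bytes from a buffer that holds fewer valid bytes. The declaration of `temp` and any length cap inside `gettermname()` are outside the hunk; if the name can exceed the buffer, the guard should become `if (len < NETROOM() && (size_t)len < sizeof(temp)) {`. In the commands.c hunk, `assert(cp != NULL);` is compiled out under NDEBUG, so an explicit `if (cp == NULL)` error path is safer than an assertion for the `malloc()` result. The return value of `gethostname()` is also still ignored there.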
diff --git a/share/security/patches/SA-19:12/telnet.patch.asc b/share/security/patches/SA-19:12/telnet.patch.asc
new file mode 100644
index 0000000000..eeca9b6f38
--- /dev/null
+++ b/share/security/patches/SA-19:12/telnet.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJr9Q//SGYP2npXtSX0LVpT8luManWEbjjhTTz12ZW80R/QOwheoJXq9zJ4R812
+WlHtEtFi4PBIqGAdvSOUISHVJTzpLy9jOVoavW5jynFDUiE2gFikirVxu+ERWxDm
+MMYJ6b/0P7VWAlyp0+05NuOGSOxFEiGs43qP8rVYUVLQF7zUYwR8nKVRxvxwSm9E
+xp5gy0bM00O2Ct8cH1IS9lJjFFopIHXU0Xv2HxxURSZUJfbHKvc4+3mPXqTeyBmw
+YEziisxeUuU2h4z4dbbsv3Vhz1RiN+4+7EfaFDcFLryn1h5LSqdrlHkqgea6K8gW
+CMYUE4MWYOWHzZIWLQJ0nb2R+7qo8xCbPjSsOf6qQ+x5NWqb7SX6HPNGy7LAKpXa
+xGY7Ffefl2qtHwe3If7O4PKG30VGMdQfhn9OBgiX0gGf3Datyihcn9GwiSF7NrHs
+bIh8RIAM1AbmpI3tkNrUhFyV7N1aAF08wjkn9G8AaUtqHwnjkfWXlzegJGYidRmx
+7AU/oem/7jm7NqjccrglEkRpKUz2f9fTPnpAVdqs18XfZfCgqkVeaz284WRDWV5r
+QXd64u38lyitZBBCnGR6tbeD429437ZbWtX4X97bdVUaUUIg2YUzkDsnFFSYBJh9
+7POO792tDemfPvgQdIvq9+OMGMULus+4SQ9D+gQ7DWKRQVxsAiE=
+=eI9w
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:13/pts.patch b/share/security/patches/SA-19:13/pts.patch
new file mode 100644
index 0000000000..3ab7161764
--- /dev/null
+++ b/share/security/patches/SA-19:13/pts.patch
@@ -0,0 +1,22 @@
+--- sys/kern/tty.c.orig
++++ sys/kern/tty.c
+@@ -231,9 +231,6 @@
+
+ tp->t_flags |= TF_OPENCLOSE;
+
+- /* Stop asynchronous I/O. */
+- funsetown(&tp->t_sigio);
+-
+ /* Remove console TTY. */
+ if (constty == tp)
+ constty_clear();
+@@ -1124,6 +1121,9 @@
+ return;
+ }
+
++ /* Stop asynchronous I/O. */
++ funsetown(&tp->t_sigio);
++
+ /* TTY can be deallocated. */
+ dev = tp->t_dev;
+ tp->t_dev = NULL;
diff --git a/share/security/patches/SA-19:13/pts.patch.asc b/share/security/patches/SA-19:13/pts.patch.asc
new file mode 100644
index 0000000000..80f43e6966
--- /dev/null
+++ b/share/security/patches/SA-19:13/pts.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKlaw//dbfqbTg1CcRs+IrcUydAbJIk4uLnrw69HIWYTGt0kN0Kcv6WoVxY5ecM
+KkQMRMq9e+8L0Sy7FH9A9QV99FoQeAxlzZsy1tXpqrVd50SCgpzC0XaBtaqzT7vY
+q00IWIXUXlbAnoIeKs/mnNjoeLRnesLLt7swWiUXQYtD2xPeJIA01TFaG0EwvBC5
+wZ0S9UD0dwQZzUVxXz+SI6V+3seYLkGtL8csnfom1LiGRX6M3OuMz6Kgoss3St8R
+Lvq3pFwdWnAHm2ewv7rpF0M8R4vbLQw/sikoK3xTCbv+Wi9xbv85OR2HN6NDLsjs
+g11zvnHt5fDYnWtZvoplUFNg98rxKc0T1zcae91ZaenPqV+F4dsVvs4RdO2MmNmf
+ye2GyzO/QkiOzZsgAQm+C7hUIkYfe16swAhd8qYLw7AQkF0ax10HKw+0QVMfQPTK
+jRT79IHILRzMm4wIyE18n6WPFuvQP+PHcJ4ky+PY8lTtZFpuLZTTOIM7KJNAAFtS
+dtJnHDZiJuxcDeGZHRQJW6WFgk+oFpiB2Pe0rSmZIZYe2yJ6rwoPubEenWEMUKrr
+mOqCBGIB8kVSixZX8dQeDacrPN5qjuQkEoh1H+jG/CtYEYdgFm/ybyKFY9Qqz/X4
+UPnAQMRrZpXLjqbd6/5qcDiDUXDwrBryEcgSsLXOSQSPXxgy8Dw=
+=/BMl
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:14/freebsd32.patch b/share/security/patches/SA-19:14/freebsd32.patch
new file mode 100644
index 0000000000..be10d46550
--- /dev/null
+++ b/share/security/patches/SA-19:14/freebsd32.patch
@@ -0,0 +1,11 @@
+--- sys/compat/freebsd32/freebsd32_ioctl.c.orig
++++ sys/compat/freebsd32/freebsd32_ioctl.c
+@@ -262,6 +262,8 @@
+ vm_offset_t addr;
+ int error;
+
++ memset(&pmc, 0, sizeof(pmc));
++ memset(&pc32, 0, sizeof(pc32));
+ if ((error = copyin(uap->data, &pci32, sizeof(pci32))) != 0)
+ return (error);
+
diff --git a/share/security/patches/SA-19:14/freebsd32.patch.asc b/share/security/patches/SA-19:14/freebsd32.patch.asc
new file mode 100644
index 0000000000..5f3f699c0a
--- /dev/null
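Review bot: The two added `memset()` calls in freebsd32.patch have no comment saying why `pmc` and `pc32` must be zeroed before the `copyin()`, and the declarations of the function's other locals are outside the hunk, so it cannot be confirmed from here that every structure later copied back to userland is covered. Presumably these are the buffers whose padding or unset fields would otherwise carry stale kernel stack bytes; a line such as `/* Zero buffers that are copied out so padding cannot leak stack contents. */` above the calls would record that and make a missed sibling easier to spot. The enclosing function starts and ends outside the hunk.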
+++ b/share/security/patches/SA-19:14/freebsd32.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIa8xAAnsULsYOMNQbGeBE3LMOa3RfB0PQ2EElLcEnkAgnmTYY/rEaX4ekTFZV8
+W7uC111kJCvbJQOWgT2w28Xn0+rqY4Jp2zQKoJ8bqxSxGkKjVls2dsywa50NehD4
+YOBWW2B6G9LxFYFOmkSNq/lFHKSkacwC7wP4/NjRqJ36Ky+AJYRTUwdguTlAO/DU
+dYbmuXTiZSryxiyYglRJi+ZhQ8BnIkseSuZMn+4KuKMp9CMpxTB+qIIAmCcf0Mdt
+ac/VTVmrnnBvaSjRGQdrwzpX2e23cThCuaSY0M5R4/KfaNoZQ6Jhejm4hJm+XPw2
+S4ZT9ZGdqNK/qFBgZrunWrJA2AxXxG8SJtC/kDb6H1pikrfE8TmE74IzWBOCfDJ9
+XioQF7OvV1pNDgGMhP3O5FYrUeTCe2OyQsAjYJu371i0YsoDTMuL5d8Gj/0JAX0U
+DDZPW/0eOb0rMnLE9jc++cNdFuBhJXbkfP8TQ2hef224/WXoQYsq1g6sPgnUCAkS
+fE4HDUAzfxAwNNHsF8ZLI2KonCIY8fBTT3NvNXihBxQvPDiXg/RlEKS7EYlR65CC
+6mwlnKgBmmeQT3F1C3FSMt9T9ncwZxvCaVk2u7gpH/TiycuSF7H1D226HcRYXKyu
+8Q6GhnOBbS2TXBCKca/1HS/WfvyNA4FXUDvK0ZSch3nFGbEJVmA=
+=fjwv
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:15/mqueuefs.patch b/share/security/patches/SA-19:15/mqueuefs.patch
new file mode 100644
index 0000000000..e0b7f2cc33
--- /dev/null
+++ b/share/security/patches/SA-19:15/mqueuefs.patch
@@ -0,0 +1,51 @@
+--- sys/kern/uipc_mqueue.c.orig
++++ sys/kern/uipc_mqueue.c
+@@ -2283,13 +2283,14 @@
+ if (uap->abs_timeout != NULL) {
+ error = copyin(uap->abs_timeout, &ets, sizeof(ets));
+ if (error != 0)
+- return (error);
++ goto out;
+ abs_timeout = &ets;
+ } else
+ abs_timeout = NULL;
+ waitok = !(fp->f_flag & O_NONBLOCK);
+ error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
+ uap->msg_prio, waitok, abs_timeout);
++out:
+ fdrop(fp, td);
+ return (error);
+ }
+@@ -2309,13 +2310,14 @@
+ if (uap->abs_timeout != NULL) {
+ error = copyin(uap->abs_timeout, &ets, sizeof(ets));
+ if (error != 0)
+- return (error);
++ goto out;
+ abs_timeout = &ets;
+ } else
+ abs_timeout = NULL;
+ waitok = !(fp->f_flag & O_NONBLOCK);
+ error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
+ uap->msg_prio, waitok, abs_timeout);
++out:
+ fdrop(fp, td);
+ return (error);
+ }
+@@ -2834,7 +2836,7 @@
+ if (uap->abs_timeout != NULL) {
+ error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
+ if (error != 0)
+- return (error);
++ goto out;
+ CP(ets32, ets, tv_sec);
+ CP(ets32, ets, tv_nsec);
+ abs_timeout = &ets;
+@@ -2843,6 +2845,7 @@
+ waitok = !(fp->f_flag & O_NONBLOCK);
+ error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
+ uap->msg_prio, waitok, abs_timeout);
++out:
+ fdrop(fp, td);
+ return (error);
+ }
diff --git a/share/security/patches/SA-19:15/mqueuefs.patch.asc b/share/security/patches/SA-19:15/mqueuefs.patch.asc
new file mode 100644
index 0000000000..ffb17b9c7d
--- /dev/null
+++ b/share/security/patches/SA-19:15/mqueuefs.patch.asc
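Review bot: No hunk in this patch covers a 32-bit send path: the `copyin()` failure is routed through `fdrop()` in the native receive and send functions and in the 32-bit receive function (the hunks at -2834 and -2843, which use `ets32`), and nothing else is touched. If uipc_mqueue.c has a compat timed-send function with the same `copyin(uap->abs_timeout, &ets32, sizeof(ets32))` followed by `return (error);`, it keeps the same file reference leak and needs the same `goto out;` with an `out:` label before `fdrop(fp, td);`. All three patched functions start outside their hunks, so the presence of that fourth function has to be checked against the source file.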
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKwuw//cbOammnRyK+06gajcjueERuZUL8F3YGwnMfok0Afx0QXGS/OGYsCFbmx
+CeuX6ZICoGlNo94kWT0Gv8g7fZy2XuZMIcjaG1PHmPODIz27zo1DeMXvB9Yj4oEp
+oeGbf7mXqwgxHVQxY94j8oFRunTFRAUkjIJZfeLWq5JZTnLNWm2WhJBR0prH4SL/
+pkGWca/QdnrFiDYBm02FLcUF3lXgSkZLLm63FDb7P+ouahlTzL0CMzV/TaMMwTGS
+XFOvIwkeeU0ni8BPRUpbamFo4caTlffC2n+FPa6/wmoW9URW9SHLkkAsPfq9IfBC
+UUF8DXYkOkpbduXpmXK7IzE3eINW7zJD3dz3AvjpXq9GxUXIgXN76cOnbM/pur5p
+BTVdEgcpmM8h8crERS+nXC3uh9w0mSJg/66qRjpOF8SfI59uUqVkd1vvenTke/zF
+etgGRjQtm4f8kHH6S6b96kQWmBRD1xZwwXS2sJgvd1VVcb0dB0GFFv/FJ8hWNWKl
+nY/JaUUYf6sxC4Lm1X9g5cCluiSnGNBGOlKeNoOIj20NvUa6dgi5CBWxGlzwUTOP
+GzO9dkwij8wb9sHPXk3INpOLzSzwua9a8YQVNQf5aFErPiw3nuU6Bc16qJ/GV+Rg
+F2D49u63NrIak1JwQ27PNmoNs7XpEI4QCF7ASoqWqu+2YGwCigs=
+=Zirz
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:16/bhyve.patch b/share/security/patches/SA-19:16/bhyve.patch
new file mode 100644
index 0000000000..eefea38c70
--- /dev/null
+++ b/share/security/patches/SA-19:16/bhyve.patch
@@ -0,0 +1,49 @@
+--- usr.sbin/bhyve/pci_xhci.c.orig
++++ usr.sbin/bhyve/pci_xhci.c
+@@ -1900,6 +1900,11 @@
+ return;
+ }
+
++ if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
++ DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
++ return;
++ }
++
+ dev = XHCI_SLOTDEV_PTR(sc, slot);
+ devep = &dev->eps[epid];
+ dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
+@@ -1925,6 +1930,23 @@
+
+ /* get next trb work item */
+ if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
++ struct xhci_stream_ctx *sctx;
++
++ /*
++ * Stream IDs of 0, 65535 (any stream), and 65534
++ * (prime) are invalid.
++ */
++ if (streamid == 0 || streamid == 65534 || streamid == 65535) {
++ DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
++ return;
++ }
++
++ sctx = NULL;
++ pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
++ if (sctx == NULL) {
++ DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
++ return;
++ }
+ sctx_tr = &devep->ep_sctx_trbs[streamid];
+ ringaddr = sctx_tr->ringaddr;
+ ccs = sctx_tr->ccs;
+@@ -1933,6 +1955,10 @@
+ streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
+ trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
+ } else {
++ if (streamid != 0) {
++ DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
++ return;
++ }
+ ringaddr = devep->ep_ringaddr;
+ ccs = devep->ep_ccs;
+ trb = devep->ep_tr;
diff --git a/share/security/patches/SA-19:16/bhyve.patch.asc b/share/security/patches/SA-19:16/bhyve.patch.asc
new file mode 100644
index 0000000000..c587ea6c34
--- /dev/null
+++ b/share/security/patches/SA-19:16/bhyve.patch.asc
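Review bot: The index in `sctx_tr = &devep->ep_sctx_trbs[streamid];` is still bounded only indirectly, because the added code rejects 0, 65534 and 65535 and requires `pci_xhci_find_stream()` to hand back a context, but nothing in the hunk compares `streamid` with the number of entries allocated for `ep_sctx_trbs`. The body of `pci_xhci_find_stream()` is outside the hunk; if its limit comes from the guest-written endpoint context rather than from the host-side allocation, the two can disagree, and an explicit check against the allocated count just before the index would remove that dependency. The call's return value is also discarded and the `sctx == NULL` test relies on the callee leaving `sctx` untouched on failure, so testing the return value directly would be clearer. The enclosing function starts and ends outside the hunk.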
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqlfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLhbQ//fufmu/lZgce6Y+GGMZdBCEIAE305OqASgpXt0ifC5/swQ83ky3P/yJcI
+Qh9YeH57JZ5YI+K29mqP+lkTrYiBKqHl1zAK4qm+XUkXAq+5GOSQqDB4ZJdq12za
+wDO8toOtNkv6Yz1L+dYnG3iFEzbdz8FzoZMv2FTbZ22o0NobzH3YHtODS4nsLuJT
+lCaoJctYnpZ+4ajhnvSfBiQbFr3zwCpLvbLLox0QGZ+v/Pjn976c//RRj0z6ed5J
+bmyr6nFPIleqJ8T+W36E00W3EB7sc/h1gxtyJtKJm4lqgTCY+qREr1/4gXIiqHwd
+m8S13X39J9E4PhLbtw2m5f6yth/Qfjyh70wgOdb3LItjfZG6Swdo8NR6tuXJu+ZR
+XcYCsqeQkn8sivT3GZvvJlPx8DUJe0MtiB4pOy2MpLWTEcUM8S9sBCcFz9EMA06M
+rK1pE+4W1fWxYbISXY5UNEOQgQE82+aJDFmACKmIJhKO+bbgH9RjekklUbtoSUdD
+Qeu4yVrhliFUWqCv0phhIZz3UPlU+Ewqb8imH6b5tAX1+XM9kMeSZdO80qZKK20J
+9/jXGuMt9MX4bpErdFY1l0GtGblNa1XASaOGGGTs8dwPRq1jBaVKSus4AslVkbuj
+6UZEdaNn4ysAWpe/B1z0nr0TThGyA9wWX+AqPfKAD5VAJV+xTpU=
+=qjT1
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:17/fd.11.2.patch b/share/security/patches/SA-19:17/fd.11.2.patch
new file mode 100644
index 0000000000..1302dce25f
--- /dev/null
+++ b/share/security/patches/SA-19:17/fd.11.2.patch
@@ -0,0 +1,72 @@ +--- sys/kern/uipc_usrreq.c.orig ++++ sys/kern/uipc_usrreq.c +@@ -1896,29 +1896,52 @@ + UNP_DEFERRED_LOCK_INIT(); + } + ++static void ++unp_internalize_cleanup_rights(struct mbuf *control) ++{ ++ struct cmsghdr *cp; ++ struct mbuf *m; ++ void *data; ++ socklen_t datalen; ++ ++ for (m = control; m != NULL; m = m->m_next) { ++ cp = mtod(m, struct cmsghdr *); ++ if (cp->cmsg_level != SOL_SOCKET || ++ cp->cmsg_type != SCM_RIGHTS) ++ continue; ++ data = CMSG_DATA(cp); ++ datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data; ++ unp_freerights(data, datalen / sizeof(struct filedesc *)); ++ } ++} ++ + static int + unp_internalize(struct mbuf **controlp, struct thread *td) + { +- struct mbuf *control = *controlp; +- struct proc *p = td->td_proc; +- struct filedesc *fdesc = p->p_fd; ++ struct mbuf *control, **initial_controlp; ++ struct proc *p; ++ struct filedesc *fdesc; + struct bintime *bt; +- struct cmsghdr *cm = mtod(control, struct cmsghdr *); ++ struct cmsghdr *cm; + struct cmsgcred *cmcred; + struct filedescent *fde, **fdep, *fdev; + struct file *fp; + struct timeval *tv; +- int i, *fdp; + void *data; +- socklen_t clen = control->m_len, datalen; +- int error, oldfds; ++ socklen_t clen, datalen; ++ int i, error, *fdp, oldfds; + u_int newlen; + + UNP_LINK_UNLOCK_ASSERT(); + ++ p = td->td_proc; ++ fdesc = p->p_fd; + error = 0; ++ control = *controlp; ++ clen = control->m_len; + *controlp = NULL; +- while (cm != NULL) { ++ initial_controlp = controlp; ++ for (cm = mtod(control, struct cmsghdr *); cm != NULL;) { + if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET + || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { + error = EINVAL; +@@ -2045,6 +2068,8 @@ + } + + out: ++ if (error != 0 && initial_controlp != NULL) ++ unp_internalize_cleanup_rights(*initial_controlp); + m_freem(control); + return (error); + } 
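Review bot: In the new `unp_internalize_cleanup_rights()` the element count is computed with `sizeof(struct filedesc *)`, while `unp_internalize()` declares its rights pointers as `struct filedescent *fde, **fdep, *fdev`; object pointers have one size so the count comes out right, but the divisor should name the type that is presumably stored, `unp_freerights(data, datalen / sizeof(struct filedescent *));` (the code that fills the control message is outside the hunk). The `initial_controlp != NULL` test at `out:` can never fail, because `controlp` was already dereferenced by `control = *controlp;`, so `if (error != 0)` alone says the same thing. The helper would also benefit from a short header comment stating that it walks the control chain and releases the file references held by its SCM_RIGHTS messages after an error. The same lines appear in fd.11.patch and fd.12.patch further down.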
diff --git a/share/security/patches/SA-19:17/fd.11.2.patch.asc b/share/security/patches/SA-19:17/fd.11.2.patch.asc
new file mode 100644
index 0000000000..0655ff7d8b
--- /dev/null
+++ b/share/security/patches/SA-19:17/fd.11.2.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqlfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI3nw/+NnAFVvmg//5FWzm6875s9mJ51hJaG0svbq7xp9qfyc8m+E8rQihZsyX1
+0/oNuOnthlqfO3qGPjxDi5WpQ6bHeVjx//73wxUtYmCHr1vVNHttKjWdR5jyfafX
+dvacX9lWmNJhKl6r4eC/Fn79R7ARqWy52+bQruTRqyJvMPna7ck/7dhqbOq+FFEN
+5ld+5DSfIycp5u4gMqB9a6QneUw93tBnF1LqRw4v4OOmreZ2OZj3khDiQ+ALOU/b
+LJgn/nuDwVxLeStMPZSlrz+Gvg92ZjlcPt4krS4tK3Wana9su/0pr+QjhjLvog51
+TtCZmnw3geDj7BdL4YWqv/odnU9vFZJ/j97Aa7WJldH89g1egN6a5TIw8FPqDyS5
+Z+VHWczypGxLL8hLOkK76GbqqbwQDhomosl4GDOOiNoAHrflB+qWm1Eyq7hlOKEF
+aghZPSa31LJ5wbX7PxSPK+LBp/3wV1ukGbbUok7UHAjnUaU4NeE643Gv1q1xXNeR
+PwvJVTdXSwuOgdUA3Da+6np45K6ysPgKiHpwy53sNfdLsTDftfCxC4+nYrqeAy3b
+2Vl7UZpherBns95HBYTZ2jIrxjhF19KYRatfsGAGA0yEvmG96vKk59P/+Br9Hpui
+YJ+xZFDgU25+VpMHGLtiE5YQeQ4Vdsqr6LNlkPnwUVH5aRBH/Ys=
+=trQX
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:17/fd.11.patch b/share/security/patches/SA-19:17/fd.11.patch
new file mode 100644
index 0000000000..24fa145565
--- /dev/null
+++ b/share/security/patches/SA-19:17/fd.11.patch
@@ -0,0 +1,73 @@ +--- sys/kern/uipc_usrreq.c.orig ++++ sys/kern/uipc_usrreq.c +@@ -1908,30 +1908,53 @@ + UNP_DEFERRED_LOCK_INIT(); + } + ++static void ++unp_internalize_cleanup_rights(struct mbuf *control) ++{ ++ struct cmsghdr *cp; ++ struct mbuf *m; ++ void *data; ++ socklen_t datalen; ++ ++ for (m = control; m != NULL; m = m->m_next) { ++ cp = mtod(m, struct cmsghdr *); ++ if (cp->cmsg_level != SOL_SOCKET || ++ cp->cmsg_type != SCM_RIGHTS) ++ continue; ++ data = CMSG_DATA(cp); ++ datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data; ++ unp_freerights(data, datalen / sizeof(struct filedesc *)); ++ } ++} ++ + static int + unp_internalize(struct mbuf **controlp, struct thread *td) + { +- struct mbuf *control = *controlp; +- struct proc *p = td->td_proc; +- struct filedesc *fdesc = p->p_fd; ++ struct mbuf *control, **initial_controlp; ++ struct proc *p; ++ struct filedesc *fdesc; + struct bintime *bt; +- struct cmsghdr *cm = mtod(control, struct cmsghdr *); ++ struct cmsghdr *cm; + struct cmsgcred *cmcred; + struct filedescent *fde, **fdep, *fdev; + struct file *fp; + struct timeval *tv; + struct timespec *ts; +- int i, *fdp; + void *data; +- socklen_t clen = control->m_len, datalen; +- int error, oldfds; ++ socklen_t clen, datalen; ++ int i, error, *fdp, oldfds; + u_int newlen; + + UNP_LINK_UNLOCK_ASSERT(); + ++ p = td->td_proc; ++ fdesc = p->p_fd; + error = 0; ++ control = *controlp; ++ clen = control->m_len; + *controlp = NULL; +- while (cm != NULL) { ++ initial_controlp = controlp; ++ for (cm = mtod(control, struct cmsghdr *); cm != NULL;) { + if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET + || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { + error = EINVAL; +@@ -2082,6 +2105,8 @@ + } + + out: ++ if (error != 0 && initial_controlp != NULL) ++ unp_internalize_cleanup_rights(*initial_controlp); + m_freem(control); + return (error); + } 
diff --git a/share/security/patches/SA-19:17/fd.11.patch.asc b/share/security/patches/SA-19:17/fd.11.patch.asc
new file mode 100644
index 0000000000..577378d261
--- /dev/null
+++ b/share/security/patches/SA-19:17/fd.11.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqlfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJmTxAAjBscnsnRUzIkRuvJ+5F6VrwduZye14G5jwbW6/fUnmI6mt2wyGSkHVHQ
+bcVTAaF5g8fN1xBk0urta1q3nlGJRCKIyVp+qkBLxiiMvrZlryZ2nsgVmylRZ7oA
+kQK96WWORU8fptXqeG0q3N+i3EoZPMqd2d38Xh4TlqupYlFYOJUcTJOFV/Hb4qZC
+Sd1bIj3DdtX+2hhXPr5LOe3w2ootgqxF7l/LloQ2LXpPqsPm31EXYTexetowyMXz
+2PaXPLKE44eVseaazS/S/F9bG6weFgxqjjbzzzXI1uiXqctwODL4f1QDEz/G1/+g
+SlrR6pXD2wtFZGWTJr8FjwwpJl78sH0ov9NvtO5MdRUvCB7p4lp6DGP+tIbzugbH
++D5nlpEUFBUGwM3VNQ79zAzNQkSlAm551RxGgGA8RxlXQrwqZQ7TYSgoDonABfCm
+ELkMv/3GcuaEtljXBTN44rCJZjuRlGi/k2nDs5phlUGnN5fk6nQtWdzo7p63kdYE
+mR9vR9VVO11KAFm1SVp4w9hmIRTtt1Vd9Rm2PKAxiAJzwZTWWmjUfSg2DO6DFOb8
+rlK5pqgOml3FIDAfegrhvjsyrsc7Fbp6Rjny+MM58fcKBpuJNAOIgB+lqN8GbTaV
+sZsSZiiTtBSV93JvcwWe+My+59GbpoAEwex0OMkuxa/T0+yeh5E=
+=ptiz
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:17/fd.12.patch b/share/security/patches/SA-19:17/fd.12.patch
new file mode 100644
index 0000000000..fb48d5e0eb
--- /dev/null
+++ b/share/security/patches/SA-19:17/fd.12.patch
@@ -0,0 +1,73 @@
+--- sys/kern/uipc_usrreq.c.orig
++++ sys/kern/uipc_usrreq.c
+@@ -2120,30 +2120,53 @@
+ UNP_DEFERRED_LOCK_INIT();
+ }
+
++static void
++unp_internalize_cleanup_rights(struct mbuf *control)
++{
++ struct cmsghdr *cp;
++ struct mbuf *m;
++ void *data;
++ socklen_t datalen;
++
++ for (m = control; m != NULL; m = m->m_next) {
++ cp = mtod(m, struct cmsghdr *);
++ if (cp->cmsg_level != SOL_SOCKET ||
++ cp->cmsg_type != SCM_RIGHTS)
++ continue;
++ data = CMSG_DATA(cp);
++ datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data;
++ unp_freerights(data, datalen / sizeof(struct filedesc *));
++ }
++}
++
+ static int
+ unp_internalize(struct mbuf **controlp, struct thread *td)
+ {
+- struct mbuf *control = *controlp;
+- struct proc *p = td->td_proc;
+- struct filedesc *fdesc = p->p_fd;
++ struct mbuf *control, **initial_controlp;
++ struct proc *p;
++ struct filedesc *fdesc;
+ struct bintime *bt;
+- struct cmsghdr *cm = mtod(control, struct cmsghdr *);
++ struct cmsghdr *cm;
+ struct cmsgcred *cmcred;
+ struct filedescent *fde, **fdep, *fdev;
+ struct file *fp;
+ struct timeval *tv;
+ struct timespec *ts;
+- int i, *fdp;
+ void *data;
+- socklen_t clen = control->m_len, datalen;
+- int error, oldfds;
++ socklen_t clen, datalen;
++ int i, error, *fdp, oldfds;
+ u_int newlen;
+
+ UNP_LINK_UNLOCK_ASSERT();
+
++ p = td->td_proc;
++ fdesc = p->p_fd;
+ error = 0;
++ control = *controlp;
++ clen = control->m_len;
+ *controlp = NULL;
+- while (cm != NULL) {
++ initial_controlp = controlp;
++ for (cm = mtod(control, struct cmsghdr *); cm != NULL;) {
+ if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
+ || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
+ error = EINVAL;
+@@ -2294,6 +2317,8 @@
+ }
+
+ out:
++ if (error != 0 && initial_controlp != NULL)
++ unp_internalize_cleanup_rights(*initial_controlp);
+ m_freem(control);
+ return (error);
+ }
diff --git a/share/security/patches/SA-19:17/fd.12.patch.asc b/share/security/patches/SA-19:17/fd.12.patch.asc new file mode 100644 index 0000000000..d95ddff4b9 --- /dev/null +++ b/share/security/patches/SA-19:17/fd.12.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqlfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cI9ChAAiOmOES6zvuVjCZayU6TCnSvyeMIAqVEpJHEqJrHUVbjXZrxnGrz8Tc3D +yQ62leplJY4H+BPf1k4MqTQNQej6cEbbUOL6OqwOqXq3Ej3IKIGSqW/0S0xNZi6s +JhAw2GkS8UHsWzpTkyMaqsl4m3PSx/L8T1qOHNZ/EwMes64pBRLPyAH2ePU4eOdP +cZV3Tug4TzeCfz/j8R+bBcHWjpPcfumgXkvR1QH+uEd8GjkRuw1U7dsnj7EpXQeF +JH4Ap/QA5V1vfPCO0KJBRI8scwnXB6WAzQ4VHcmk6euNDHAWDCVS4RcmyFk7baA+ +NFbr+JhyDQ+fzLGmPUGmNElQGx9ypckxd3KAt4Q1LasXyzHbmx8qFBmvxqoPhg0r +uYRXBpaDDdChm1zMRuEKvqHEW4Kr/WIXIevY0vSgsebZEB0LnhxSY0syHJiPF7FD +TY7u7Am59FtxLbXsWOnyfdOiQBDPppSyUZ1YhEKeqMJ4qih0h9bJFanZWixGGzHa +1nXwN1UMbF01NCzxDSt3NGfKYEbW1ogeV8B81aqxxQDKuf71PL84WN/+C31ZZXNJ +IFFH/arlmacriXKHlIzAJ/bU2maX7F3y5WjFsMVEgMiP6V4qkragSHCJqfSdwJkP +wrf2nA3RFErqVlG9wMVbCuvzZrEZ/q+oixQdrdE7D++oCNdVrjY= +=29X3 +-----END PGP SIGNATURE----- diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml index c4bcf06268..38bb2ee12d 100644 --- a/share/xml/advisories.xml +++ b/share/xml/advisories.xml @@ -10,6 +10,35 @@ <month> <name>7</name> + <day> + <name>24</name> + + <advisory> + <name>FreeBSD-SA-19:17.fd</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-19:16.bhyve</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-19:15.mqueuefs</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-19:14.freebsd32</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-19:13.pts</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-19:12.telnet</name> + </advisory> + + </day> + <day> <name>2</name> diff --git a/share/xml/notices.xml b/share/xml/notices.xml index b1f4db1fc1..4ff7895bbf 100644 
--- a/share/xml/notices.xml +++ b/share/xml/notices.xml @@ -10,6 +10,15 @@ <month> <name>7</name> + <day> + <name>24</name> + + <notice> + <name>FreeBSD-EN-19:13.mds</name> + </notice> + + </day> + <day> <name>2</name>