os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Publish todays advisories.

Browse source 
Approved by:	so
This commit is contained in:
Gleb Smirnoff 2016-01-14 09:40:53 +00:00
parent 54307e8eb4
commit f77f7192a0
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=48011
33 changed files with 35398 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

124
share/security/advisories/FreeBSD-EN-16:01.filemon.asc Normal file
View file

@ -0,0 +1,124 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:01.filemon Errata Notice
The FreeBSD Project
Topic: filemon and bmake meta-mode stability issues
Category: core
Module: filemon
Announced: 2016-01-14
Credits: Bryan Drewery
Affects: FreeBSD 10.2-RELEASE
Corrected: 2015-09-09 17:15:13 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security branches,
and the following sections, please visit
<URL:https://security.freebsd.org/>.
I. Background
In FreeBSD 10.2, /usr/bin/make is the NetBSD bmake utility. bmake has
a feature called meta-mode [1], which can make use of the filemon(4) kernel
module to perform reliable update builds and provide better build
dependencies.
[1] http://www.crufty.net/sjg/blog/freebsd-meta-mode.htm
II. Problem Description
Multiple stability and locking problems have been fixed in the filemon(4)
kernel module. Without these fixes, using meta-mode and filemon(4) on a
FreeBSD 10.2 system may result in kernel panics.
III. Impact
For the jails and virtual machines used by the FreeBSD Jenkins Continuous
Integration builders, it is desirable to use released versions FreeBSD.
This will allow us to set up builders to test building FreeBSD-CURRENT with
meta-mode, using a FreeBSD 10.2-RELEASE-p9 build host.
IV. Workaround
No workaround is available for the filemon stability problems.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-16:01/filemon.patch
# fetch https://security.FreeBSD.org/patches/EN-16:01/filemon.patch.asc
# gpg --verify filemon.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10 r287598
releng/10.2 r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:01.filemon.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2jlAAoJEO1n7NZdz2rnF6kQAJEgtPKwowupOd3QV2UvMJ4T
PP/UK9tvF+Tbmow+5z9vV8ghh/oHc/AUWxhbIcnOFO7YldwrYJDXAHWF5VoTgatb
Ycg+R10Kyg8loZZuAAaGsY+zS78BIXunKVduWealz6TV978sZ5mr7qVJjX03Bvdh
9s3dX6PLfA0ZtqxXuhJ3oMj1Nt7UoGyNNNg23TWhQDMzpueB1EihhjzcLEk8UCjR
OlZElMXsnI/c9zG0eaSDPqfUuQrZDasQ+kM4eWaEXxcZVHSEQtU7vJ6SjxAkeCHT
fzRcAilzQBQJzObzpdXCxrd3OmKL52Ml44Kll2k31QQM3YDHw5g+mMJ+G6BoD5HZ
hQktb7Y064s/SQ0S91aTCgdSBzlTOny7IjsE1W+T6WD4Dohc1aY5y5u2UDBIRIS9
BvovQF9k0PXIqpA3DjV1cGp3oYLpmJc5NYqHuJ9hkQWSp8FntfuQ1gKpieznyg25
mb7fsOU693Dglcodtz1uQcwwgh/0s7bEcP6o7ejzsd4bzhe9CTLgD5qp0MD8htiH
Li+i9O5hUS8nheJt03btw/mq7CPbr66JWnpVHmPe8kL8SU7qmwBwq6d3buk5Hyr1
tOmpuTyW+dq4iWweG411/j9M8Q03fD/DI4Ez2KS5OTizNAWb2wq8e+OZIk6TDE37
Aam3KrksQZjG+sqL7NVp
=INcx
-----END PGP SIGNATURE-----

149
share/security/advisories/FreeBSD-EN-16:02.pf.asc Normal file
View file

@ -0,0 +1,149 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:02.pf Errata Notice
The FreeBSD Project
Topic: Invalid TCP checksums with pf(4)
Category: core
Module: pf
Announced: 2016-01-14
Credits: Kristof Provost <kp@FreeBSD.org>
Affects: All supported versions of FreeBSD.
Corrected: 2015-11-11 12:36:42 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2015-12-25 15:12:54 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The pf(4) is one of several packet filters available in FreeBSD, originally
written for OpenBSD. In addition to filtering packets, it also has packet
normalization capabilities.
II. Problem Description
When running with certain network interfaces, capable for hardware transmit
checksum offloading, or TCP segmentation offload, pf(4) produces packets with
invalid TCP checksums.
III. Impact
The TCP packets with invalid checksums are rejected by the remote host,
leading to large performance impacts or inability to successfully run
a TCP connection.
IV. Workaround
Disable transmit checksum offloading and TSO support on the affected
network interface:
# ifconfig ue0 -txcsum -tso
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Reboot the system or unload and reload the pf.ko kernel module.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot the system or unload and reload the pf.ko kernel module.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.2.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.2.patch.asc
# gpg --verify pf-10.2.patch.asc
[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.1.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.1.patch.asc
# gpg --verify pf-10.1.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-9.3.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-9.3.patch.asc
# gpg --verify pf-9.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system or unload and reload the pf.ko kernel module.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r292732
releng/9.3/ r293896
stable/10/ r290669
releng/10.1/ r293894
releng/10.2/ r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193579>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198868>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:02.pf.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2rlAAoJEO1n7NZdz2rnv0QP/RXPzKbSRsyyX3914BJv/W4V
coLFodRd62WxPvFIOXaLbNsVSi1yqRqNS3BPNTXnldEvjZWS5HsRlY5inq7hCjOn
NzZFIBVD3aL3eIXBUghNHTcCp3Ml5zIzcGUwJ0wW4F8j3D8Ty0YbJs+E7Ku63DIb
3rR2Mj1Jcoxi4JNVaQ962JlRrqauQUIiFbS0bSmP/cQCUlvhm+uk8Yj1KgSYesSu
n+lQAipH2zZWGjVj1xxvqi4cUcr6J6LEF0eTmg+UoM24vhq+QNql5aactYMOORiW
f+80HOWm6R8F/6TI2xs7HpNfnQNuNBRTfmfViQB8GgzgV2juElcTXW4NKXALrkWy
HxAfv6wdhDxclOXzumUXDOXC90o62Jv5gWiToJWLyETHI1vTe4UuE0egejFHSDJB
bmFpbYeuvXJ5/3dAYHHtnjtIPE9PXG+c16eJr3XDkY4plreL/hpyDHFRd3scqWew
EvPnkYcXZmzpCC/wZbDM5sI76YAfX7vayVqsUI0X4WRueYyIljRQGwygwfmHWiac
HIrgLgJvXZCGXiiuSpZq5874er0/UN9czGuMVOFZoXZ45yuj99pO1rJNZryO926A
UAOsC76m78myPrM+a4dJDrnWKgZjputCEBHXXNS8Yxt1cimrrbAb2wy0gt1CIMFm
cuAfikAwdNj3JAvjS4oA
=Aw1R
-----END PGP SIGNATURE-----

139
share/security/advisories/FreeBSD-EN-16:03.yplib.asc Normal file
View file

@ -0,0 +1,139 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:03.ypclnt Errata Notice
The FreeBSD Project
Topic: YP/NIS client library critical bug
Category: core
Module: ypclnt
Announced: 2016-01-14
Credits: Ravi Pokala,
Lakshmi Narasimhan Sundararajan,
Fred Lewis,
Pushkar Kothavade
Affects: All supported versions of FreeBSD.
Corrected: 2015-12-21 14:32:29 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2016-01-13 05:32:24 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The YP/NIS subsystem allows network management of passwd, group, netgroup,
hosts, services, rpc, bootparams and ethers file entries. The ypclnt suite
provides an interface to the YP subsystem.
The standard NIS protocol limits its database entries to YPMAXRECORD (1024
characters).
II. Problem Description
There is a bug with the NIS client library, which can lead to an infinite
loop.
III. Impact
A server that is deliberately configured to violate the NIS/YP protocol can
cause a FreeBSD NIS client to be stuck forever.
IV. Workaround
No workaround is available, but systems that are not configured to use
NIS/YP are not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
A reboot is recommended.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
A reboot is recommended.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-16:03/yplib.patch
# fetch https://security.FreeBSD.org/patches/EN-16:03/yplib.patch.asc
# gpg --verify yplib.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
A reboot is recommended.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r293804
releng/9.3/ r293896
stable/10/ r292547
releng/10.1/ r293894
releng/10.2/ r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://reviews.freebsd.org/D4095>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:03.ypclnt.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2j1AAoJEO1n7NZdz2rnRZQP/iZq/xlDFZrxwpW4S0GimmmK
CdB9yE8rITW2XRWIaTW+fj4aqQ8cvD3IpqtgPe1wCXe69XgmICPwwBh/zNB4w0qu
xmyihP6/2qTLatIq886StqXRkS+05U5y4VoEwFaRkBCy3IWDVXgM41DsRhOuYq3y
Y72VNeJFSuD+qb0i0B56PpPhaVd7hyEgvuXLXxi3l/BiUMD9t4Z36W8a2IPrF1wa
wviTB6cr614dzH+Jou+d9ffKoD6TWeZtbcf1jrw12YVBJhPx3vCqPVJGerGRUwVF
TeD4cUyHmY1nRa4zssKJcbAbgbYGtumRZTysa50eXBVsd7MTloZk0o8Angr6uGeR
rRo8Sop8PbwWm81Zykb4lIBOVUB4TsEfMjusKhgcJ5kmd+gK8z1ZzE/ZlOes2UJ8
eH+LOEKjux3c9UKkz6RDWinM277J5fhZ5Zi6jO6n/LrJRKiqKud6VeHQLOElXye7
/8KFqCaym8JpZ0P3Cywid+2EyqjlNwvsZleDs8EE/d1+60yX+Qm2j+BKAfqhSyLD
a9TimJTsEMA47Rf3af2lx1q4bnrKJVSBGhNaNzDHe5UIge0FAt8uUwgL/yIDpBlS
/5TtnD3F30B34482sAf4u/WW/1ipppIFEe8i6d9uwIGjG9Z5eVVom2FJbAHHdVA6
w8xVZil5irkB2fdI1DOi
=A4Qy
-----END PGP SIGNATURE-----

145
share/security/advisories/FreeBSD-SA-16:01.sctp.asc Normal file
View file

@ -0,0 +1,145 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:01.sctp Security Advisory
The FreeBSD Project
Topic: SCTP ICMPv6 error message vulnerability
Category: core
Module: SCTP
Announced: 2016-01-14
Credits: Jonathan T. Looney
Affects: All supported versions of FreeBSD
Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name: CVE-2016-1879
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The Stream Control Transmission Protocol (SCTP) protocol provides reliable,
flow-controlled, two-way transmission of data.
The Internet Control Message Protocol for IPv6 (ICMPv6) provides a way for
hosts on the Internet to exchange control information. Among other uses,
a host or router can use ICMPv6 to inform a host when there is an error
delivering a packet sent by that host.
II. Problem Description
A lack of proper input checks in the ICMPv6 processing in the SCTP stack
can lead to either a failed kernel assertion or to a NULL pointer
dereference. In either case, a kernel panic will follow.
III. Impact
A remote, unauthenticated attacker can reliably trigger a kernel panic
in a vulnerable system running IPv6. Any kernel compiled with both IPv6
and SCTP support is vulnerable. There is no requirement to have an SCTP
socket open.
IPv4 ICMP processing is not impacted by this vulnerability.
IV. Workaround
No workaround is available, but systems using a kernel compiled without
SCTP support or IPv6 support are not vulnerable.
In addition, some stateful firewalls may block ICMPv6 messages that are
not responding to a legitimate connection. (However, this may not
completely block the problem, as an ICMPv6 message could still be sent
in response to a legitimate SCTP connection.)
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Rebooting to the new kernel is required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Rebooting to the new kernel is required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:01/sctp.patch
# fetch https://security.FreeBSD.org/patches/SA-16:01/sctp.patch.asc
# gpg --verify sctp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r293898
releng/9.3/ r293896
stable/10/ r293897
releng/10.1/ r293894
releng/10.2/ r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1879>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:01.sctp.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2j1AAoJEO1n7NZdz2rnIfoQAOZTLX3VovQPGj9wr7PspLQi
Tazu6vRnjzdOdjpeWwSgYlq6DJGjT71c/BRyCWCoijr2uyBWRlANqzMO64thuTzx
gc6juRlChLDF4sNVWbNDMRwuHTfCpgDH2/4hQeR/9CmiQxHJyqL0gXc889D206i9
KzgmYrSALEVK0E2kDBeRMsadtqPIEzCw4LygWd4qrtYNPjAfBR/a9U4rg7ZN0ICZ
RCPnkAF6qI09B931QfHaI4C9wdBF8DJ6nKN/2aU9ATdOJJb7oUkpaHht8kmbdZS+
Tn12nEXkQvNxuAKT7Fb87M14s7LUR12V5wgDeMd2UtOfkeSpGEDFACdhYW3IpKan
gD+2IlzLRhoQTJ7lQWMRTKh3OiDDR2kLwvbEU7BGecDSG6fVkgumn6NlHYybdH7L
axpDOxPz8ITfcdRipIXLOQEC308ckdmaEwqi4ikgBGwEkSgIwj1flGStswvcMrim
vT0xof2dv1y6RW5xYnJF7Mtn/rEcqrql/BeBp/kxJZ2Qt3hkppQnjWD6kvrEj00s
CajzxdBTM7J3buDzu++RL2GL9p5Cwo1kDmUJdWimIbSecL62J9+PwFCDYp/dOy25
GAPGnf7gk8YhwM8pHwLtcX0b9UundkXLWnLBN7R12fL7Ch2CmPbgPcoFc5CSbcIx
TBRU+4TGcNGxigXyzIHT
=G0DD
-----END PGP SIGNATURE-----

155
share/security/advisories/FreeBSD-SA-16:02.ntp.asc Normal file
View file

@ -0,0 +1,155 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:02.ntp Security Advisory
The FreeBSD Project
Topic: ntp panic threshold bypass vulnerability
Category: contrib
Module: ntp
Announced: 2016-01-14
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2016-01-11 01:09:50 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2016-01-11 01:48:16 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name: CVE-2015-5300
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
II. Problem Description
The ntpd(8) daemon has a safety feature to prevent excessive stepping of
the clock called the "panic threshold". If ever ntpd(8) determines the
system clock is incorrect by more than this threshold, the daemon exits.
There is an implementation error within the ntpd(8) implementation of this
feature, which allows the system time be adjusted in certain circumstances.
III. Impact
When ntpd(8) is started with the '-g' option specified, the system time will
be corrected regardless of if the time offset exceeds the panic threshold (by
default, 1000 seconds). The FreeBSD rc(8) subsystem allows specifying the
'-g' option by either including '-g' in the ntpd_flags list or by enabling
ntpd_sync_on_start in the system rc.conf(5) file.
If at the moment ntpd(8) is restarted, an attacker can immediately respond to
enough requests from enough sources trusted by the target, which is difficult
and not common, there is a window of opportunity where the attacker can cause
ntpd(8) to set the time to an arbitrary value.
IV. Workaround
No workaround is available, but systems not running ntpd(8), or running
ntpd(8) but do not use ntpd_sync_on_start="YES" or specify the '-g' option in
ntpd_flags are not affected. Neither of these are set by default.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The ntpd service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The ntpd service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.1 and 10.2]
# fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-10.patch.asc
# gpg --verify ntp-10.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-9.patch
# fetch https://security.FreeBSD.org/patches/SA-16:02/ntp-9.patch.asc
# gpg --verify ntp-9.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r293652
releng/9.3/ r293896
stable/10/ r293650
releng/10.1/ r293894
releng/10.2/ r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.cs.bu.edu/~goldbe/NTPattack.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:02.ntp.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2j2AAoJEO1n7NZdz2rnyg4QAJ/x3xs+pNGXxTT63hbBqLcB
NTSljW5+hFpL94Nr+rHrelvcT3HkvdWUC+7BvMksoUYCZv0vClp5W7tsfuojDPr0
GechK1BpLwxeLnRexulWEuvDQpbr6BN9ABdfSl4h3AaUwGYbBVLMY8aT5JpTiE3I
UZg/5iPXVGFPcfdFhzaPgCpZxQtGI3QV7m5jx+Pf8r0ifuTNi8bAbwHCRzmOV8rA
1LM4fvlCPd6TiP3UANWM7PFGbX8UArgzXlb8jSwkxEVC02oZitol4UhcLgacwVrO
0/0q71pyn8W3NBQ1QPUaUg1M81sE501NCTCP3rEg+o6g7oxiq+GpgB0FKwCJxrTk
n3EL7tyhbvVcsglPLRkIXkGz3o5XdelFJ66+qS+mZAiPozkzEFUIdxd8rHKsA1e4
ZIFARDvDgi8iTArbJnPsQH0CgK8+/2RV2ILFW00Zcu7batvSWJtAUNNFqTSN34tk
JJzHWYwKfGwRIMyEABsy9wLez9K2tRIG0fX75p82dVbRcRZwwSfPmFdfDPuMRRmc
dsNF3133TA92uxwZ177cZk537g+Q0/0I6bts8us3GlCdY2HBuIc+HvRJQyEEqGEv
v1GfEdnwGLp4rmPI8uY+JQ87now7KYhAK1SVil9AXm3tLrIqJsHYayA9nI8mjxfY
Mh1utEeP+TMuievDMQNo
=il8c
-----END PGP SIGNATURE-----

133
share/security/advisories/FreeBSD-SA-16:03.linux.asc Normal file
View file

@ -0,0 +1,133 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:03.linux Security Advisory
The FreeBSD Project
Topic: Linux compatibility layer incorrect futex handling
Category: core
Module: kernel
Announced: 2016-01-14
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name: CVE-2016-1880
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component. The support is
provided on amd64 and i386 machines.
II. Problem Description
A programming error in the handling of Linux futex robust lists may result
in incorrect memory locations being accessed.
III. Impact
It is possible for a local attacker to read portions of kernel memory, which
may result in a privilege escalation.
IV. Workaround
No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.
The following command can be used to test if the Linux binary
compatibility layer is loaded:
# kldstat -m linuxelf
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot the system or unload and reload the linux.ko kernel module.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot the system or unload and reload the linux.ko kernel module.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-16:03/linux.patch
# fetch http://security.FreeBSD.org/patches/SA-16:03/linux.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/amd64/linux32
# make sysent
# cd /usr/src/i386/linux
# make sysent
c) Recompile your kernel and modules as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html>.
Reboot the system or unload and reload the linux.ko kernel module.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Subversion:
Branch/path Revision
- ---------------------------------------------------------------------------
stable/9/ r293898
releng/9.3/ r293896
stable/10/ r293897
releng/10.1/ r293894
releng/10.2/ r293893
- ---------------------------------------------------------------------------
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1880>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-16:03.linux.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2j2AAoJEO1n7NZdz2rngkcQAJ8yxlxYd+qZPf+pbP+0Kj6w
+Sy8BrSUrYLMFynrs4vRPTJobLnVGpwkp6I6ZCDL/yoI/7Xkl3ld7HWfH7MAJ6WP
x0j5/bC+AlWGpKfL6wqeddxjHgmaAlDznN1MyO+3byVfP1Y8VVppbzqPNw9AW17Q
kNqNAMsVuk3OMpoE7CYEsaH6rzHzbMGAPuR+KN5J55Mth6dNkIYSIFJ0sCae5cnv
P6SoMKjn7ffcHymmX/Yj7K0FTOrJOePR0eLbTITivJT1uZ3bYbbYyK1bYslE6bwF
EQ3Ij+LhZdM5D7GBOpILBZ9ojvVMq8PiW9yY3zo7DRrwWajBy8pe/3ow0u7igoOK
/0XUFmRT0Q0iCxlGhXPxEGcc40g6oE6oVz1m3Ewgqc2+iZm+w6N/w88dRqiBHNgL
AiCqleI10eRNgP1uq7XT/5PEslmQLxSCrDPFDOgmSZc3uY7H5LBb6O9fb7YTpn6J
bfL7yyJFei/lAlY1s2b+4/DW9PE1OwxNw/R85mSUpbP5my5wwZR+s3mGTLI2JAlk
74Nw/OR9HLLHoEO5JlagfEclKp7O+JzhHYkAcBm7yRMRr1LV+7JZQEaTCeWTkm6L
YvL8Ca1PAL6qNLZbxQ26Gjka7KCrFhhNfR22c3Lz4pLtkg9YmDRb4sy6i+q3ellG
0mLi0OqTu2gn+25xhidf
=OQft
-----END PGP SIGNATURE-----

145
share/security/advisories/FreeBSD-SA-16:04.linux.asc Normal file
View file

@ -0,0 +1,145 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:04.linux Security Advisory
The FreeBSD Project
Topic: Linux compatibility layer setgroups(2) system call
vulnerability
Category: core
Module: kernel
Announced: 2016-01-14
Credits: Dmitry Chagin
Affects: All supported versions of FreeBSD
Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name: CVE-2016-1881
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component. The support is
provided on amd64 and i386 machines.
II. Problem Description
A programming error in the Linux compatibility layer setgroups(2) system
call can lead to an unexpected results, such as overwriting random kernel
memory contents.
III. Impact
It is possible for a local attacker to overwrite portions of kernel
memory, which may result in a privilege escalation or cause a system
panic.
IV. Workaround
No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.
The following command can be used to test if the Linux binary
compatibility layer is loaded:
# kldstat -m linuxelf
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot the system or unload and reload the linux.ko kernel module.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot the system or unload and reload the linux.ko kernel module.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:04/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-16:04/linux.patch.asc
# gpg --verify linux.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/amd64/linux32
# make sysent
# cd /usr/src/i386/linux
# make sysent
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.
Reboot the system or unload and reload the linux.ko kernel module.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r293898
releng/9.3/ r293896
stable/10/ r293897
releng/10.1/ r293894
releng/10.2/ r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1881>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:04.linux.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2j3AAoJEO1n7NZdz2rnstMP/jddSJehSXe9rlL2qhYfRrQY
XZSuoOtolvcl2xSQCZYprXN95/i890VOdJ9x4+iYJA2IQO55a8MjS1DcJjjonV7J
zJa7Apnu1jaK1jDx+RL6C3eVDff0ss1B7NvZTXmjHn+nIsIRxd6vzxDp2NujTnWS
XHNinNAPcVK9Hy/AJh1W+mClvgLg+lyMICuraMjTDc5ML3+fxUmXfDUWq1mm2Chq
uYXMXcIBXBJx1mnnm9n2izExr7j7AHaVJywe/UYk+KCNbSeags76pt1vuPfoOjdE
BaSlX9KNMouYU0JNfv/wC7/UnuQ/BY1XzxheVpIqmXwlFstAmSiKYIQkpIuypVF1
yUmf8CjN6AOx9P5CjxX88eeY3F6J1yohch1AI4IMqT3F3fd5LbJ5WqOjritt0J96
hDjnsiVhw4ozQE6SWTY8TKlokOOEfJC+yhNIJ0cNaHnkLSCUuDDErtGzp1CYoYmt
Q8D1VJ1UEaVPaKcaNAo4+sjiE1uK6svPiWa1+W9VbKGvc3Y7PbcuVIzU0aI4ySgj
VecEFM1O5wr3WXIYnDQNwkWVxbCQdxOIPyW0rqMGQVpu1h7MKk0oMboY1bLcQYFy
Aa9okOl+D7ItpEpRUgnIT06B6krC5sUQuzkUxnVIBPKtcl1OZ4B8KidLjEqu4BSx
3qOQSGqZzr8TFcwPIJv4
=JKVW
-----END PGP SIGNATURE-----

129
share/security/advisories/FreeBSD-SA-16:05.tcp.asc Normal file
View file

@ -0,0 +1,129 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:05.tcp Security Advisory
The FreeBSD Project
Topic: TCP MD5 signature denial of service
Category: core
Module: kernel
Announced: 2016-01-14
Credits: Ryan Stone,
Jonathan T. Looney
Affects: All supported versions of FreeBSD.
Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name: CVE-2016-1882
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. An optional extension to TCP described in RFC 2385 allows
protecting data streams against spoofed packets with MD5 signature.
Support for TCP MD5 signatures is not enabled in default kernel.
II. Problem Description
A programming error in processing a TCP connection with both TCP_MD5SIG
and TCP_NOOPT socket options may lead to kernel crash.
III. Impact
A local attacker can crash the kernel, resulting in a denial-of-service.
A remote attack is theoretically possible, if server has a listening
socket with TCP_NOOPT set, and server is either out of SYN cache entries,
or SYN cache is disabled by configuration.
IV. Workaround
No workaround is available, but installations running a default kernel,
or a custom kernel without TCP_SIGNATURE option are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
System reboot is required.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:05/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-16:05/tcp.patch.asc
# gpg --verify tcp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r293898
releng/9.3/ r293896
stable/10/ r293897
releng/10.1/ r293894
releng/10.2/ r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1882>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:05.tcp.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2j3AAoJEO1n7NZdz2rnrWcQAN+QX6wEvC7FkTXyX2LHFWas
CVOI/KkxkHSVwYMMScmorG27OxDsHTkvrGfqyVbYDczmC5NY+AorMiZMoo7CHn5J
gYmS8NZvBPeMKmFt45lBTBDnKT6mOvHBz6UPhyyHruvR6VZ2h3fyLqYzbMKcy12i
Onmk/nm3vgrqOCmnqYQN8Xo2v2x4KcKU3/jegK+pdfOwd9Q1bmxzBWwFx8yc7pZ0
3YItalkiMsuRppSuNS9fGoRSoB/Ybf/8pu6SDnhvJnw4CIRGAl3IDKpBanB7F/9E
sofcI499s+uyOHPY8TrQ62L4UjteEukwaV8EJh6vPaLm3pns0cSURzKczgytTH3G
Nz9GcI3hYdfbXRBgJvwtZv9JY5s3ZtPiqqTwHta7AdplXwiOJJ1Ylso5lZ4beiJh
q7Sv+YMJr9cNfnYmSGv33rKN4hdae7XfJm+Ipde4bpgCLFpKkb/aQaGxGlowjDaW
0C77qCg+se3TzwGl0A7ClEq4dLaadTsiShQCpZGQOgc6Wgz9QUBGxU811e3KQHLo
3XQgxGSB9+3d7YiK/ZNkzi8d89VXMgUOx4HoOZ7+SkVBg1+qpbiYnk8VJjLmXyOz
dPtDbzWG68wluWcSc7TD5yIYx2Lw4E9ZMWzh2boOxEWrcd9mxCUPiU9nsF+PIAPG
kTcLnX0+iXijpKMnQpgP
=UjjC
-----END PGP SIGNATURE-----

142
share/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc Normal file
View file

@ -0,0 +1,142 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:06.bsnmpd Security Advisory
The FreeBSD Project
Topic: Insecure default bsnmpd.conf permissions
Category: contrib
Module: bsnmpd
Announced: 2016-01-14
Credits: Pierre Kim
Affects: All supported versions of FreeBSD.
Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
CVE Name: CVE-2015-5677
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The bsnmpd daemon serves the Internet SNMP (Simple Network Management
Protocol). It is intended to serve only the absolute basic MIBs and
implements all other MIBs through loadable modules.
II. Problem Description
The SNMP protocol supports an authentication model called USM, which relies
on a shared secret. The default permission of the bsnmpd configuration file,
/etc/bsnmpd.conf, is weak and does not provide adequate protection against
local unprivileged users.
III. Impact
A local user may be able to read the shared secret, if configured and used
by the system administrator.
IV. Workaround
No workaround is available, but systems that do not use bsnmpd with its USM
authentication model are not vulnerable.
V. Solution
This vulnerability can be fixed by modifying the permission on
/etc/bsnmpd.conf to owner root:wheel and permission 0600.
The patch is provided mainly for third party vendors who deploy FreeBSD
and provide a safe default. The patch itself DOES NOT fix the permissions
for existing installations.
The patch can be applied by performing one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The system administrator should change the permission on /etc/bsnmpd.conf
to root:wheel and 0600.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The system administrator should change the permission on /etc/bsnmpd.conf
to root:wheel and 0600.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:06/bsnmpd.patch
# fetch https://security.FreeBSD.org/patches/SA-16:06/bsnmpd.patch.asc
# gpg --verify bsnmpd.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r293898
releng/9.3/ r293896
stable/10/ r293897
releng/10.1/ r293894
releng/10.2/ r293893
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5677>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:06.bsnmpd.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWl2j4AAoJEO1n7NZdz2rnkaQP/3K9kqYY1YoHQ++uzFPnfuZQ
mkGPJ0frGG46pTL806QJidky6D0LP0zNCzhtU45ZlFMguJ3B3QYp/62Cw61dBG22
x0uEkvI2F2F39IPA/clspyUHg3Y1RYgTpJrxey0JLrK0yxelyI8vMwB4tCB2eEDW
ZGVU6rvFQcWJOWHABXVYcc+4Yy5ucudp0QbJsVHAKLtF7MLuntVlUj+x4Nncog5k
kmGt6W7tzFn2gNsWcmntmG/LWyPkPURWhYfIj3fgcRrpMTVIDFX5PTgQyJR7DwOM
/beIoQxxKBUwTW1ZRgvcCqFBu7DKSCMABoHgpqLj1gdeiJ1LaO4dErtWXvdBEAAP
+XLi5OkRG3OKzIAIRnkz/SrkAUoRkzHEK1dI0coyw7AdXXjDBWtX+n9lzRXs7hqT
LC3riK/Km9OYVn3+T7tCWnvKN45f+FnD8zxZDE+33Jv9wI8X+CCs9GjJdoJ0HDSd
b6rg8E4gGPzfwFxSNXZQKfDSSuVBECIp3av1gp6hN3qZNOX/sadMsxro8VVGFLPg
81rC+JfKNTeVtxF8oJi9eg3FQ/eupxQv4RvC2c37R7LcErAU1KKxZyNrwv6xDEMx
QVnx74o+luxXSirLxq276pfBQJdMjxYzWCj6E8ztcAZenz3M4WNiRFlt7hdq/3YO
bDBdQPe4eYSHHSGyGcz/
=LDPU
-----END PGP SIGNATURE-----

625
share/security/patches/EN-16:01/filemon.patch Normal file
View file

@ -0,0 +1,625 @@
--- sys/dev/filemon/filemon.c.orig
+++ sys/dev/filemon/filemon.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 2011, David E. O'Brien.
* Copyright (c) 2009-2011, Juniper Networks, Inc.
+ * Copyright (c) 2015, EMC Corp.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -39,6 +40,7 @@
#include <sys/fcntl.h>
#include <sys/ioccom.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mutex.h>
@@ -45,6 +47,7 @@
#include <sys/poll.h>
#include <sys/proc.h>
#include <sys/queue.h>
+#include <sys/sx.h>
#include <sys/syscall.h>
#include <sys/sysent.h>
#include <sys/sysproto.h>
@@ -85,12 +88,8 @@
struct filemon {
TAILQ_ENTRY(filemon) link; /* Link into the in-use list. */
- struct mtx mtx; /* Lock mutex for this filemon. */
- struct cv cv; /* Lock condition variable for this
- filemon. */
+ struct sx lock; /* Lock mutex for this filemon. */
struct file *fp; /* Output file pointer. */
- struct thread *locker; /* Ptr to the thread locking this
- filemon. */
pid_t pid; /* The process ID being monitored. */
char fname1[MAXPATHLEN]; /* Temporary filename buffer. */
char fname2[MAXPATHLEN]; /* Temporary filename buffer. */
@@ -99,11 +98,7 @@
static TAILQ_HEAD(, filemon) filemons_inuse = TAILQ_HEAD_INITIALIZER(filemons_inuse);
static TAILQ_HEAD(, filemon) filemons_free = TAILQ_HEAD_INITIALIZER(filemons_free);
-static int n_readers = 0;
-static struct mtx access_mtx;
-static struct cv access_cv;
-static struct thread *access_owner = NULL;
-static struct thread *access_requester = NULL;
+static struct sx access_lock;
static struct cdev *filemon_dev;
@@ -203,8 +198,7 @@
filemon->fp = NULL;
- mtx_init(&filemon->mtx, "filemon", "filemon", MTX_DEF);
- cv_init(&filemon->cv, "filemon");
+ sx_init(&filemon->lock, "filemon");
}
filemon->pid = curproc->p_pid;
@@ -234,8 +228,7 @@
static void
filemon_load(void *dummy __unused)
{
- mtx_init(&access_mtx, "filemon", "filemon", MTX_DEF);
- cv_init(&access_cv, "filemon");
+ sx_init(&access_lock, "filemons_inuse");
/* Install the syscall wrappers. */
filemon_wrapper_install();
@@ -270,14 +263,12 @@
filemon_lock_write();
while ((filemon = TAILQ_FIRST(&filemons_free)) != NULL) {
TAILQ_REMOVE(&filemons_free, filemon, link);
- mtx_destroy(&filemon->mtx);
- cv_destroy(&filemon->cv);
+ sx_destroy(&filemon->lock);
free(filemon, M_FILEMON);
}
filemon_unlock_write();
- mtx_destroy(&access_mtx);
- cv_destroy(&access_cv);
+ sx_destroy(&access_lock);
}
return (error);
--- sys/dev/filemon/filemon_lock.c.orig
+++ sys/dev/filemon/filemon_lock.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2009-2011, Juniper Networks, Inc.
+ * Copyright (c) 2015, EMC Corp.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -27,96 +28,44 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
-static void
+static __inline void
filemon_filemon_lock(struct filemon *filemon)
{
- mtx_lock(&filemon->mtx);
- while (filemon->locker != NULL && filemon->locker != curthread)
- cv_wait(&filemon->cv, &filemon->mtx);
-
- filemon->locker = curthread;
-
- mtx_unlock(&filemon->mtx);
+ sx_xlock(&filemon->lock);
}
-static void
+static __inline void
filemon_filemon_unlock(struct filemon *filemon)
{
- mtx_lock(&filemon->mtx);
- if (filemon->locker == curthread)
- filemon->locker = NULL;
-
- /* Wake up threads waiting. */
- cv_broadcast(&filemon->cv);
-
- mtx_unlock(&filemon->mtx);
+ sx_xunlock(&filemon->lock);
}
-static void
+static __inline void
filemon_lock_read(void)
{
- mtx_lock(&access_mtx);
- while (access_owner != NULL || access_requester != NULL)
- cv_wait(&access_cv, &access_mtx);
-
- n_readers++;
-
- /* Wake up threads waiting. */
- cv_broadcast(&access_cv);
-
- mtx_unlock(&access_mtx);
+ sx_slock(&access_lock);
}
-static void
+static __inline void
filemon_unlock_read(void)
{
- mtx_lock(&access_mtx);
- if (n_readers > 0)
- n_readers--;
-
- /* Wake up a thread waiting. */
- cv_broadcast(&access_cv);
-
- mtx_unlock(&access_mtx);
+ sx_sunlock(&access_lock);
}
-static void
+static __inline void
filemon_lock_write(void)
{
- mtx_lock(&access_mtx);
- while (access_owner != curthread) {
- if (access_owner == NULL &&
- (access_requester == NULL ||
- access_requester == curthread)) {
- access_owner = curthread;
- access_requester = NULL;
- } else {
- if (access_requester == NULL)
- access_requester = curthread;
-
- cv_wait(&access_cv, &access_mtx);
- }
- }
-
- mtx_unlock(&access_mtx);
+ sx_xlock(&access_lock);
}
-static void
+static __inline void
filemon_unlock_write(void)
{
- mtx_lock(&access_mtx);
- /* Sanity check that the current thread actually has the write lock. */
- if (access_owner == curthread)
- access_owner = NULL;
-
- /* Wake up a thread waiting. */
- cv_broadcast(&access_cv);
-
- mtx_unlock(&access_mtx);
+ sx_xunlock(&access_lock);
}
--- sys/dev/filemon/filemon_wrapper.c.orig
+++ sys/dev/filemon/filemon_wrapper.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 2011, David E. O'Brien.
* Copyright (c) 2009-2011, Juniper Networks, Inc.
+ * Copyright (c) 2015, EMC Corp.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -86,11 +87,18 @@
{
struct filemon *filemon;
+ filemon_lock_read();
+ if (TAILQ_EMPTY(&filemons_inuse)) {
+ filemon_unlock_read();
+ return (NULL);
+ }
sx_slock(&proctree_lock);
while (p != initproc) {
TAILQ_FOREACH(filemon, &filemons_inuse, link) {
if (p->p_pid == filemon->pid) {
sx_sunlock(&proctree_lock);
+ filemon_filemon_lock(filemon);
+ filemon_unlock_read();
return (filemon);
}
}
@@ -97,6 +105,7 @@
p = proc_realparent(p);
}
sx_sunlock(&proctree_lock);
+ filemon_unlock_read();
return (NULL);
}
@@ -109,9 +118,6 @@
/* Load timestamp before locking. Less accurate but less contention. */
getmicrotime(&now);
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
/* Lock the found filemon structure. */
filemon_filemon_lock(filemon);
@@ -124,9 +130,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
-
- /* Release the read lock. */
- filemon_unlock_read();
}
static int
@@ -138,13 +141,7 @@
struct filemon *filemon;
if ((ret = sys_chdir(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), &done);
@@ -157,9 +154,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -177,13 +171,7 @@
copyinstr(uap->fname, fname, sizeof(fname), &done);
if ((ret = sys_execve(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
len = snprintf(filemon->msgbufr,
sizeof(filemon->msgbufr), "E %d %s\n",
curproc->p_pid, fname);
@@ -193,9 +181,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -215,13 +200,7 @@
copyinstr(uap->fname, fname, sizeof(fname), &done);
if ((ret = freebsd32_execve(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
len = snprintf(filemon->msgbufr,
sizeof(filemon->msgbufr), "E %d %s\n",
curproc->p_pid, fname);
@@ -231,9 +210,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -248,13 +224,7 @@
struct filemon *filemon;
if ((ret = sys_fork(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
len = snprintf(filemon->msgbufr,
sizeof(filemon->msgbufr), "F %d %ld\n",
curproc->p_pid, (long)curthread->td_retval[0]);
@@ -264,9 +234,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -281,13 +248,7 @@
struct filemon *filemon;
if ((ret = sys_open(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), &done);
@@ -313,9 +274,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -330,13 +288,7 @@
struct filemon *filemon;
if ((ret = sys_openat(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), &done);
@@ -375,9 +327,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -392,13 +341,7 @@
struct filemon *filemon;
if ((ret = sys_rename(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->from, filemon->fname1,
sizeof(filemon->fname1), &done);
copyinstr(uap->to, filemon->fname2,
@@ -413,9 +356,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -430,13 +370,7 @@
struct filemon *filemon;
if ((ret = sys_link(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), &done);
copyinstr(uap->link, filemon->fname2,
@@ -451,9 +385,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -468,13 +399,7 @@
struct filemon *filemon;
if ((ret = sys_symlink(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), &done);
copyinstr(uap->link, filemon->fname2,
@@ -489,9 +414,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -507,13 +429,7 @@
struct filemon *filemon;
if ((ret = sys_linkat(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path1, filemon->fname1,
sizeof(filemon->fname1), &done);
copyinstr(uap->path2, filemon->fname2,
@@ -528,9 +444,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -546,13 +459,7 @@
struct filemon *filemon;
if ((ret = sys_stat(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), &done);
@@ -565,9 +472,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -584,13 +488,7 @@
struct filemon *filemon;
if ((ret = freebsd32_stat(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), &done);
@@ -603,9 +501,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -622,13 +517,7 @@
/* Get timestamp before locking. */
getmicrotime(&now);
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
len = snprintf(filemon->msgbufr, sizeof(filemon->msgbufr),
"X %d %d\n", curproc->p_pid, uap->rval);
@@ -649,9 +538,6 @@
filemon_filemon_unlock(filemon);
}
- /* Release the read lock. */
- filemon_unlock_read();
-
sys_sys_exit(td, uap);
}
@@ -664,13 +550,7 @@
struct filemon *filemon;
if ((ret = sys_unlink(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), &done);
@@ -683,9 +563,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);
@@ -699,13 +576,7 @@
struct filemon *filemon;
if ((ret = sys_vfork(td, uap)) == 0) {
- /* Grab a read lock on the filemon inuse list. */
- filemon_lock_read();
-
if ((filemon = filemon_pid_check(curproc)) != NULL) {
- /* Lock the found filemon structure. */
- filemon_filemon_lock(filemon);
-
len = snprintf(filemon->msgbufr,
sizeof(filemon->msgbufr), "F %d %ld\n",
curproc->p_pid, (long)curthread->td_retval[0]);
@@ -715,9 +586,6 @@
/* Unlock the found filemon structure. */
filemon_filemon_unlock(filemon);
}
-
- /* Release the read lock. */
- filemon_unlock_read();
}
return (ret);

16
share/security/patches/EN-16:01/filemon.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vPAAoJEO1n7NZdz2rnKwUQAKVHEkB285VYYoYqJKoy8Pr6
SG71lY59IZ1YRuFoSQq8RkizrskBDNhSqEXdDgjdMOIqSdaJqXaIHMwtKAv+/I1Y
oRgUtIyLZYhuEUgsbjInNpd7Wk7Y2TQYjb1ZsI3hrNwFLxt5jzrYZCs0Ouk0RkB3
nR++SMIrBtI5Ak48I8q0KZFPnIralqTmASo8m7QYvqI3Jmq6L06F5LHQ8t/oXVlB
Dubf/SndnZnHtGV2a1qg9uuYvoqEaaH7kY6ZheRrhP5s1AduEWZB4fTiB0Yz9dtv
+hYEO+cP2ynkSispljvtDDC717tOZeWhCisl/D1R+ohlKHiwtQRSLObeKHue27Fx
Ku8c6BvpR311c9WazHIMT9CguvU3WEWnUgm1j+CyRb6KXgCuRaRIDl5vOwvFvGNW
83imL3UY7Z0khlPZKicWWPqhC/Mn0MR5mKza0nyeTTRpWh4ynTZn6fWyU4RO99ic
Zv1bRB6OS5LrL4uFConTXk+n5qo2hILGZfnFODlUZ8QasC/BB6SC+1R0a6kx9dOs
1XYyoZBnjKgn8P/yEqpjOa/KMTDp90jkocjP35HkJBoKftewR2eAtceY4lbw1/Tl
07YYbBmoKjNH4qTH5Rp76m9Dd+vDVpyHQ+Ov5Wm9h8/WUDP3p6aahGh1s5qPYBN3
AZ3ZmnOKIHgNp1vtWbDq
=j+SB
-----END PGP SIGNATURE-----

392
share/security/patches/EN-16:02/pf-10.1.patch Normal file
View file

@ -0,0 +1,392 @@
--- sys/net/pfvar.h.orig
+++ sys/net/pfvar.h
@@ -1558,6 +1558,8 @@
extern void pf_print_flags(u_int8_t);
extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
u_int8_t);
+extern u_int16_t pf_proto_cksum_fixup(struct mbuf *, u_int16_t,
+ u_int16_t, u_int16_t, u_int8_t);
VNET_DECLARE(struct ifnet *, sync_ifp);
#define V_sync_ifp VNET(sync_ifp);
@@ -1582,6 +1584,9 @@
void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
sa_family_t);
void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
+void pf_change_proto_a(struct mbuf *, void *, u_int16_t *, u_int32_t,
+ u_int8_t);
+void pf_change_tcp_a(struct mbuf *, void *, u_int16_t *, u_int32_t);
void pf_send_deferred_syn(struct pf_state *);
int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
struct pf_addr *, sa_family_t);
--- sys/netinet6/ip6_output.c.orig
+++ sys/netinet6/ip6_output.c
@@ -184,7 +184,7 @@
}\
} while (/*CONSTCOND*/ 0)
-static void
+void
in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset)
{
u_short csum;
--- sys/netinet6/ip6_var.h.orig
+++ sys/netinet6/ip6_var.h
@@ -456,6 +456,7 @@
struct rtentry **, u_int);
u_int32_t ip6_randomid(void);
u_int32_t ip6_randomflowlabel(void);
+void in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset);
#endif /* _KERNEL */
#endif /* !_NETINET6_IP6_VAR_H_ */
--- sys/netpfil/pf/pf.c.orig
+++ sys/netpfil/pf/pf.c
@@ -203,7 +203,7 @@
static void pf_add_threshold(struct pf_threshold *);
static int pf_check_threshold(struct pf_threshold *);
-static void pf_change_ap(struct pf_addr *, u_int16_t *,
+static void pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *,
u_int16_t *, u_int16_t *, struct pf_addr *,
u_int16_t, u_int8_t, sa_family_t);
static int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
@@ -1966,6 +1966,22 @@
}
}
+/**
+ * Checksum updates are a little complicated because the checksum in the TCP/UDP
+ * header isn't always a full checksum. In some cases (i.e. output) it's a
+ * pseudo-header checksum, which is a partial checksum over src/dst IP
+ * addresses, protocol number and length.
+ *
+ * That means we have the following cases:
+ * * Input or forwarding: we don't have TSO, the checksum fields are full
+ * checksums, we need to update the checksum whenever we change anything.
+ * * Output (i.e. the checksum is a pseudo-header checksum):
+ * x The field being updated is src/dst address or affects the length of
+ * the packet. We need to update the pseudo-header checksum (note that this
+ * checksum is not ones' complement).
+ * x Some other field is being modified (e.g. src/dst port numbers): We
+ * don't have to update anything.
+ **/
u_int16_t
pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
{
@@ -1981,9 +1997,20 @@
return (l);
}
+u_int16_t
+pf_proto_cksum_fixup(struct mbuf *m, u_int16_t cksum, u_int16_t old,
+ u_int16_t new, u_int8_t udp)
+{
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
+ return (cksum);
+
+ return (pf_cksum_fixup(cksum, old, new, udp));
+}
+
static void
-pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
- struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
+pf_change_ap(struct mbuf *m, struct pf_addr *a, u_int16_t *p, u_int16_t *ic,
+ u_int16_t *pc, struct pf_addr *an, u_int16_t pn, u_int8_t u,
+ sa_family_t af)
{
struct pf_addr ao;
u_int16_t po = *p;
@@ -1991,6 +2018,9 @@
PF_ACPY(&ao, a, af);
PF_ACPY(a, an, af);
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
+ *pc = ~*pc;
+
*p = pn;
switch (af) {
@@ -2000,10 +2030,12 @@
ao.addr16[0], an->addr16[0], 0),
ao.addr16[1], an->addr16[1], 0);
*p = pn;
- *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
+
+ *pc = pf_cksum_fixup(pf_cksum_fixup(*pc,
ao.addr16[0], an->addr16[0], u),
- ao.addr16[1], an->addr16[1], u),
- po, pn, u);
+ ao.addr16[1], an->addr16[1], u);
+
+ *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
break;
#endif /* INET */
#ifdef INET6
@@ -2010,7 +2042,7 @@
case AF_INET6:
*pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
- pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
+ pf_cksum_fixup(pf_cksum_fixup(*pc,
ao.addr16[0], an->addr16[0], u),
ao.addr16[1], an->addr16[1], u),
ao.addr16[2], an->addr16[2], u),
@@ -2018,14 +2050,21 @@
ao.addr16[4], an->addr16[4], u),
ao.addr16[5], an->addr16[5], u),
ao.addr16[6], an->addr16[6], u),
- ao.addr16[7], an->addr16[7], u),
- po, pn, u);
+ ao.addr16[7], an->addr16[7], u);
+
+ *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
break;
#endif /* INET6 */
}
+
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA |
+ CSUM_DELAY_DATA_IPV6)) {
+ *pc = ~*pc;
+ if (! *pc)
+ *pc = 0xffff;
+ }
}
-
/* Changes a u_int32_t. Uses a void * so there are no align restrictions */
void
pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
@@ -2038,6 +2077,19 @@
ao % 65536, an % 65536, u);
}
+void
+pf_change_proto_a(struct mbuf *m, void *a, u_int16_t *c, u_int32_t an, u_int8_t udp)
+{
+ u_int32_t ao;
+
+ memcpy(&ao, a, sizeof(ao));
+ memcpy(a, &an, sizeof(u_int32_t));
+
+ *c = pf_proto_cksum_fixup(m,
+ pf_proto_cksum_fixup(m, *c, ao / 65536, an / 65536, udp),
+ ao % 65536, an % 65536, udp);
+}
+
#ifdef INET6
static void
pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
@@ -2183,12 +2235,10 @@
for (i = 2; i + TCPOLEN_SACK <= olen;
i += TCPOLEN_SACK) {
memcpy(&sack, &opt[i], sizeof(sack));
- pf_change_a(&sack.start, &th->th_sum,
- htonl(ntohl(sack.start) -
- dst->seqdiff), 0);
- pf_change_a(&sack.end, &th->th_sum,
- htonl(ntohl(sack.end) -
- dst->seqdiff), 0);
+ pf_change_proto_a(m, &sack.start, &th->th_sum,
+ htonl(ntohl(sack.start) - dst->seqdiff), 0);
+ pf_change_proto_a(m, &sack.end, &th->th_sum,
+ htonl(ntohl(sack.end) - dst->seqdiff), 0);
memcpy(&opt[i], &sack, sizeof(sack));
}
copyback = 1;
@@ -3092,7 +3142,7 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
+ pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum,
&th->th_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 0, af);
pd->sport = &th->th_sport;
@@ -3101,7 +3151,7 @@
if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
+ pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum,
&th->th_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 0, af);
dport = th->th_dport;
@@ -3115,7 +3165,7 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(saddr, &pd->hdr.udp->uh_sport,
+ pf_change_ap(m, saddr, &pd->hdr.udp->uh_sport,
pd->ip_sum, &pd->hdr.udp->uh_sum,
&nk->addr[pd->sidx],
nk->port[pd->sidx], 1, af);
@@ -3125,7 +3175,7 @@
if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(daddr, &pd->hdr.udp->uh_dport,
+ pf_change_ap(m, daddr, &pd->hdr.udp->uh_dport,
pd->ip_sum, &pd->hdr.udp->uh_sum,
&nk->addr[pd->didx],
nk->port[pd->didx], 1, af);
@@ -3477,7 +3527,7 @@
if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
0)
s->src.seqdiff = 1;
- pf_change_a(&th->th_seq, &th->th_sum,
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum,
htonl(s->src.seqlo + s->src.seqdiff), 0);
*rewrite = 1;
} else
@@ -3786,9 +3836,9 @@
while ((src->seqdiff = arc4random() - seq) == 0)
;
ack = ntohl(th->th_ack) - dst->seqdiff;
- pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
src->seqdiff), 0);
- pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
+ pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
*copyback = 1;
} else {
ack = ntohl(th->th_ack);
@@ -3838,9 +3888,9 @@
ack = ntohl(th->th_ack) - dst->seqdiff;
if (src->seqdiff) {
/* Modulate sequence numbers */
- pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
src->seqdiff), 0);
- pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
+ pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
*copyback = 1;
}
end = seq + pd->p_len;
@@ -4294,14 +4344,14 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != th->th_sport)
- pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
- &th->th_sum, &nk->addr[pd->sidx],
+ pf_change_ap(m, pd->src, &th->th_sport,
+ pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 0, pd->af);
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != th->th_dport)
- pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
- &th->th_sum, &nk->addr[pd->didx],
+ pf_change_ap(m, pd->dst, &th->th_dport,
+ pd->ip_sum, &th->th_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 0, pd->af);
copyback = 1;
}
@@ -4365,13 +4415,13 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != uh->uh_sport)
- pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
+ pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
&uh->uh_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 1, pd->af);
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != uh->uh_dport)
- pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
+ pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum,
&uh->uh_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 1, pd->af);
m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
@@ -5487,6 +5537,13 @@
if (ifp->if_flags & IFF_LOOPBACK)
m0->m_flags |= M_SKIP_FIREWALL;
+ if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 &
+ ~ifp->if_hwassist) {
+ uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6);
+ in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr));
+ m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
+ }
+
/*
* If the packet is too large for the outgoing interface,
* send back an icmp6 error.
--- sys/netpfil/pf/pf_ioctl.c.orig
+++ sys/netpfil/pf/pf_ioctl.c
@@ -3571,12 +3571,6 @@
{
int chk;
- /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
- in_delayed_cksum(*m);
- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
-
chk = pf_test(PF_OUT, ifp, m, inp);
if (chk && *m) {
m_freem(*m);
@@ -3615,14 +3609,6 @@
{
int chk;
- /* We need a proper CSUM before we start (s. OpenBSD ip_output) */
- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
-#ifdef INET
- /* XXX-BZ copy&paste error from r126261? */
- in_delayed_cksum(*m);
-#endif
- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
CURVNET_SET(ifp->if_vnet);
chk = pf_test6(PF_OUT, ifp, m, inp);
CURVNET_RESTORE();
--- sys/netpfil/pf/pf_norm.c.orig
+++ sys/netpfil/pf/pf_norm.c
@@ -1374,13 +1374,14 @@
th->th_x2 = 0;
nv = *(u_int16_t *)(&th->th_ack + 1);
- th->th_sum = pf_cksum_fixup(th->th_sum, ov, nv, 0);
+ th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, ov, nv, 0);
rewrite = 1;
}
/* Remove urgent pointer, if TH_URG is not set */
if (!(flags & TH_URG) && th->th_urp) {
- th->th_sum = pf_cksum_fixup(th->th_sum, th->th_urp, 0, 0);
+ th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, th->th_urp,
+ 0, 0);
th->th_urp = 0;
rewrite = 1;
}
@@ -1581,7 +1582,7 @@
(src->scrub->pfss_flags &
PFSS_TIMESTAMP)) {
tsval = ntohl(tsval);
- pf_change_a(&opt[2],
+ pf_change_proto_a(m, &opt[2],
&th->th_sum,
htonl(tsval +
src->scrub->pfss_ts_mod),
@@ -1597,7 +1598,7 @@
PFSS_TIMESTAMP)) {
tsecr = ntohl(tsecr)
- dst->scrub->pfss_ts_mod;
- pf_change_a(&opt[6],
+ pf_change_proto_a(m, &opt[6],
&th->th_sum, htonl(tsecr),
0);
copyback = 1;
@@ -1924,8 +1925,8 @@
case TCPOPT_MAXSEG:
mss = (u_int16_t *)(optp + 2);
if ((ntohs(*mss)) > r->max_mss) {
- th->th_sum = pf_cksum_fixup(th->th_sum,
- *mss, htons(r->max_mss), 0);
+ th->th_sum = pf_proto_cksum_fixup(m,
+ th->th_sum, *mss, htons(r->max_mss), 0);
*mss = htons(r->max_mss);
rewrite = 1;
}

16
share/security/patches/EN-16:02/pf-10.1.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vRAAoJEO1n7NZdz2rneQkP/A5c7Q56gNdajrwxyWwV4jmN
cNtmgLfs9dp2IpyBHkh+kAr+TCiI9ymX7XjxfHr2VZsrzEOiOObj8eRUivORybo2
Qq7I1ALXUxL2RLzJHRDunWc7h7JC5uAikrv8DCKZ5h3Hu2e5s07fHZqYXbPJyMcb
xzfB6GNXpCSutDnJgHOZqgCefokb5O+J2ER8Zk4Q4Q0ILs1MO6aiseDEoFapFTBk
2rxf1dEzwYxRTpDkqbnVNQb3JNg9YemnlX265kOYUf10sG969EB+W3cOfuP/mRZS
5ff+S7si+5sHFn/0TVc4yN3iEqjxUlYX5IlzRENQEXztxoqLQDuuQ4nF92703loH
5Ay6kp+fci2UiIaK5PNnEWtvNpvgeuK9kY5H40P+qEMPv5nCrGtKzumKy6tlPuIo
ppSc3QCTWjvIbs2MYbonDooCo4z7WQ7P2OJT0kUbHYwaez0gullOt8nv9GgNvLIX
hbox02nWvHV/x9pCtBpFW8qxKVmrNvvYkujhr5G8sf/xmNtUNK8xv2vpKRmatJWC
jzUmJl+UZC6fy60ThaosZO7uZlsC6POtSzQVA4DcIATB/LMNRhf4Z4q8qut0ur64
YQnKDch1mepEmr/+mTkLf8nk/8kQMHpmij6Dv9xN+dCA5rPozjCervjjiKjRDD4G
gRBpo4VOn2B/ApFDzCP8
=wyiX
-----END PGP SIGNATURE-----

368
share/security/patches/EN-16:02/pf-10.2.patch Normal file
View file

@ -0,0 +1,368 @@
--- sys/net/pfvar.h.orig
+++ sys/net/pfvar.h
@@ -1554,6 +1554,8 @@
extern void pf_print_flags(u_int8_t);
extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
u_int8_t);
+extern u_int16_t pf_proto_cksum_fixup(struct mbuf *, u_int16_t,
+ u_int16_t, u_int16_t, u_int8_t);
VNET_DECLARE(struct ifnet *, sync_ifp);
#define V_sync_ifp VNET(sync_ifp);
@@ -1583,6 +1585,9 @@
void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
sa_family_t);
void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
+void pf_change_proto_a(struct mbuf *, void *, u_int16_t *, u_int32_t,
+ u_int8_t);
+void pf_change_tcp_a(struct mbuf *, void *, u_int16_t *, u_int32_t);
void pf_send_deferred_syn(struct pf_state *);
int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
struct pf_addr *, sa_family_t);
--- sys/netpfil/pf/pf.c.orig
+++ sys/netpfil/pf/pf.c
@@ -203,7 +203,7 @@
static void pf_add_threshold(struct pf_threshold *);
static int pf_check_threshold(struct pf_threshold *);
-static void pf_change_ap(struct pf_addr *, u_int16_t *,
+static void pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *,
u_int16_t *, u_int16_t *, struct pf_addr *,
u_int16_t, u_int8_t, sa_family_t);
static int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
@@ -1989,6 +1989,22 @@
}
}
+/**
+ * Checksum updates are a little complicated because the checksum in the TCP/UDP
+ * header isn't always a full checksum. In some cases (i.e. output) it's a
+ * pseudo-header checksum, which is a partial checksum over src/dst IP
+ * addresses, protocol number and length.
+ *
+ * That means we have the following cases:
+ * * Input or forwarding: we don't have TSO, the checksum fields are full
+ * checksums, we need to update the checksum whenever we change anything.
+ * * Output (i.e. the checksum is a pseudo-header checksum):
+ * x The field being updated is src/dst address or affects the length of
+ * the packet. We need to update the pseudo-header checksum (note that this
+ * checksum is not ones' complement).
+ * x Some other field is being modified (e.g. src/dst port numbers): We
+ * don't have to update anything.
+ **/
u_int16_t
pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
{
@@ -2004,9 +2020,20 @@
return (l);
}
+u_int16_t
+pf_proto_cksum_fixup(struct mbuf *m, u_int16_t cksum, u_int16_t old,
+ u_int16_t new, u_int8_t udp)
+{
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
+ return (cksum);
+
+ return (pf_cksum_fixup(cksum, old, new, udp));
+}
+
static void
-pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
- struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
+pf_change_ap(struct mbuf *m, struct pf_addr *a, u_int16_t *p, u_int16_t *ic,
+ u_int16_t *pc, struct pf_addr *an, u_int16_t pn, u_int8_t u,
+ sa_family_t af)
{
struct pf_addr ao;
u_int16_t po = *p;
@@ -2014,6 +2041,9 @@
PF_ACPY(&ao, a, af);
PF_ACPY(a, an, af);
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
+ *pc = ~*pc;
+
*p = pn;
switch (af) {
@@ -2023,17 +2053,19 @@
ao.addr16[0], an->addr16[0], 0),
ao.addr16[1], an->addr16[1], 0);
*p = pn;
- *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
+
+ *pc = pf_cksum_fixup(pf_cksum_fixup(*pc,
ao.addr16[0], an->addr16[0], u),
- ao.addr16[1], an->addr16[1], u),
- po, pn, u);
+ ao.addr16[1], an->addr16[1], u);
+
+ *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
*pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
- pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
+ pf_cksum_fixup(pf_cksum_fixup(*pc,
ao.addr16[0], an->addr16[0], u),
ao.addr16[1], an->addr16[1], u),
ao.addr16[2], an->addr16[2], u),
@@ -2041,13 +2073,20 @@
ao.addr16[4], an->addr16[4], u),
ao.addr16[5], an->addr16[5], u),
ao.addr16[6], an->addr16[6], u),
- ao.addr16[7], an->addr16[7], u),
- po, pn, u);
+ ao.addr16[7], an->addr16[7], u);
+
+ *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
break;
#endif /* INET6 */
}
-}
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA |
+ CSUM_DELAY_DATA_IPV6)) {
+ *pc = ~*pc;
+ if (! *pc)
+ *pc = 0xffff;
+ }
+}
/* Changes a u_int32_t. Uses a void * so there are no align restrictions */
void
@@ -2061,6 +2100,19 @@
ao % 65536, an % 65536, u);
}
+void
+pf_change_proto_a(struct mbuf *m, void *a, u_int16_t *c, u_int32_t an, u_int8_t udp)
+{
+ u_int32_t ao;
+
+ memcpy(&ao, a, sizeof(ao));
+ memcpy(a, &an, sizeof(u_int32_t));
+
+ *c = pf_proto_cksum_fixup(m,
+ pf_proto_cksum_fixup(m, *c, ao / 65536, an / 65536, udp),
+ ao % 65536, an % 65536, udp);
+}
+
#ifdef INET6
static void
pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
@@ -2206,12 +2258,10 @@
for (i = 2; i + TCPOLEN_SACK <= olen;
i += TCPOLEN_SACK) {
memcpy(&sack, &opt[i], sizeof(sack));
- pf_change_a(&sack.start, &th->th_sum,
- htonl(ntohl(sack.start) -
- dst->seqdiff), 0);
- pf_change_a(&sack.end, &th->th_sum,
- htonl(ntohl(sack.end) -
- dst->seqdiff), 0);
+ pf_change_proto_a(m, &sack.start, &th->th_sum,
+ htonl(ntohl(sack.start) - dst->seqdiff), 0);
+ pf_change_proto_a(m, &sack.end, &th->th_sum,
+ htonl(ntohl(sack.end) - dst->seqdiff), 0);
memcpy(&opt[i], &sack, sizeof(sack));
}
copyback = 1;
@@ -3115,7 +3165,7 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
+ pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum,
&th->th_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 0, af);
pd->sport = &th->th_sport;
@@ -3124,7 +3174,7 @@
if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
+ pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum,
&th->th_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 0, af);
dport = th->th_dport;
@@ -3138,7 +3188,7 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(saddr, &pd->hdr.udp->uh_sport,
+ pf_change_ap(m, saddr, &pd->hdr.udp->uh_sport,
pd->ip_sum, &pd->hdr.udp->uh_sum,
&nk->addr[pd->sidx],
nk->port[pd->sidx], 1, af);
@@ -3148,7 +3198,7 @@
if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(daddr, &pd->hdr.udp->uh_dport,
+ pf_change_ap(m, daddr, &pd->hdr.udp->uh_dport,
pd->ip_sum, &pd->hdr.udp->uh_sum,
&nk->addr[pd->didx],
nk->port[pd->didx], 1, af);
@@ -3500,7 +3550,7 @@
if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
0)
s->src.seqdiff = 1;
- pf_change_a(&th->th_seq, &th->th_sum,
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum,
htonl(s->src.seqlo + s->src.seqdiff), 0);
*rewrite = 1;
} else
@@ -3824,9 +3874,9 @@
while ((src->seqdiff = arc4random() - seq) == 0)
;
ack = ntohl(th->th_ack) - dst->seqdiff;
- pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
src->seqdiff), 0);
- pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
+ pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
*copyback = 1;
} else {
ack = ntohl(th->th_ack);
@@ -3876,9 +3926,9 @@
ack = ntohl(th->th_ack) - dst->seqdiff;
if (src->seqdiff) {
/* Modulate sequence numbers */
- pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
src->seqdiff), 0);
- pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
+ pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
*copyback = 1;
}
end = seq + pd->p_len;
@@ -4332,14 +4382,14 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != th->th_sport)
- pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
- &th->th_sum, &nk->addr[pd->sidx],
+ pf_change_ap(m, pd->src, &th->th_sport,
+ pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 0, pd->af);
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != th->th_dport)
- pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
- &th->th_sum, &nk->addr[pd->didx],
+ pf_change_ap(m, pd->dst, &th->th_dport,
+ pd->ip_sum, &th->th_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 0, pd->af);
copyback = 1;
}
@@ -4403,13 +4453,13 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != uh->uh_sport)
- pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
+ pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
&uh->uh_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 1, pd->af);
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != uh->uh_dport)
- pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
+ pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum,
&uh->uh_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 1, pd->af);
m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
@@ -5526,6 +5576,13 @@
if (ifp->if_flags & IFF_LOOPBACK)
m0->m_flags |= M_SKIP_FIREWALL;
+ if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 &
+ ~ifp->if_hwassist) {
+ uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6);
+ in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr));
+ m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
+ }
+
/*
* If the packet is too large for the outgoing interface,
* send back an icmp6 error.
--- sys/netpfil/pf/pf_ioctl.c.orig
+++ sys/netpfil/pf/pf_ioctl.c
@@ -3561,12 +3561,6 @@
{
int chk;
- /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
- in_delayed_cksum(*m);
- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
-
chk = pf_test(PF_OUT, ifp, m, inp);
if (chk && *m) {
m_freem(*m);
@@ -3605,13 +3599,6 @@
{
int chk;
- /* We need a proper CSUM before we start (s. OpenBSD ip_output) */
- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
- in6_delayed_cksum(*m,
- (*m)->m_pkthdr.len - sizeof(struct ip6_hdr),
- sizeof(struct ip6_hdr));
- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
- }
CURVNET_SET(ifp->if_vnet);
chk = pf_test6(PF_OUT, ifp, m, inp);
CURVNET_RESTORE();
--- sys/netpfil/pf/pf_norm.c.orig
+++ sys/netpfil/pf/pf_norm.c
@@ -1680,13 +1680,14 @@
th->th_x2 = 0;
nv = *(u_int16_t *)(&th->th_ack + 1);
- th->th_sum = pf_cksum_fixup(th->th_sum, ov, nv, 0);
+ th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, ov, nv, 0);
rewrite = 1;
}
/* Remove urgent pointer, if TH_URG is not set */
if (!(flags & TH_URG) && th->th_urp) {
- th->th_sum = pf_cksum_fixup(th->th_sum, th->th_urp, 0, 0);
+ th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, th->th_urp,
+ 0, 0);
th->th_urp = 0;
rewrite = 1;
}
@@ -1887,7 +1888,7 @@
(src->scrub->pfss_flags &
PFSS_TIMESTAMP)) {
tsval = ntohl(tsval);
- pf_change_a(&opt[2],
+ pf_change_proto_a(m, &opt[2],
&th->th_sum,
htonl(tsval +
src->scrub->pfss_ts_mod),
@@ -1903,7 +1904,7 @@
PFSS_TIMESTAMP)) {
tsecr = ntohl(tsecr)
- dst->scrub->pfss_ts_mod;
- pf_change_a(&opt[6],
+ pf_change_proto_a(m, &opt[6],
&th->th_sum, htonl(tsecr),
0);
copyback = 1;
@@ -2230,8 +2231,8 @@
case TCPOPT_MAXSEG:
mss = (u_int16_t *)(optp + 2);
if ((ntohs(*mss)) > r->max_mss) {
- th->th_sum = pf_cksum_fixup(th->th_sum,
- *mss, htons(r->max_mss), 0);
+ th->th_sum = pf_proto_cksum_fixup(m,
+ th->th_sum, *mss, htons(r->max_mss), 0);
*mss = htons(r->max_mss);
rewrite = 1;
}

16
share/security/patches/EN-16:02/pf-10.2.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vVAAoJEO1n7NZdz2rnwAsP/jRzi56f90G3nCAJx18gorHB
unXB4gMVkQvFoEYrhn9N96HhvFPdvEm0/YwAJqWpiRH3OO9RtAjGIJUc1vpBzCIk
XROAzwV4EevwcqhfVpZlQ/SxrU1+TXAL/sLSgnaSapCaTadUGDbetDpCi6ZeWzb3
Kn8xeYZcIGDxQgiDBvzq3xcpxoQNc5VzpTwfE5P3yrfjFEPhW13J+6+PZuQEr3Hd
44vqFI+me0g498CSuokctqidGTCqsd0ak6y6t1r1wRkBnZJ12kc1TQT0FCkTB38I
THgdpglmr2ZNN7RRw0L30N28XPUipoVfzIjv8c7bWFY6j7SzjIWdGQVbnzOdNUyg
YbR68yVA4uZ0/vpTHLlme3s90NdUufS7DVL7ner7hFjAuSMJU11UyLYRcZhMCsMs
V3Zssu49J7as/f5qvRCJOrR2DBQwX8XnvuMLBRf2GdseHhrNn8RSRIsMGgOu96XN
NriyyoV7XcM30Tn1OlLdPNlrIYi/OB8STstdWRnSDhimdkf/t7IGYKUdhNAadCQI
X0tsNalFP0ChbrKpooJ0wVExeS6mF+cWJqvS78y1we/3rQYBPDKA1vMptt7shHI7
Cy1uZezwh5Pge2CeRgkyBvdplmZIbwNi3pah8JwE9cdlipEvf9qEydY8pooQIpZe
sk42yCvQAjd69q7VWdhx
=b/JC
-----END PGP SIGNATURE-----

389
share/security/patches/EN-16:02/pf-9.patch Normal file
View file

@ -0,0 +1,389 @@
--- sys/contrib/pf/net/pf.c.orig
+++ sys/contrib/pf/net/pf.c
@@ -239,7 +239,7 @@
void pf_add_threshold(struct pf_threshold *);
int pf_check_threshold(struct pf_threshold *);
-void pf_change_ap(struct pf_addr *, u_int16_t *,
+void pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *,
u_int16_t *, u_int16_t *, struct pf_addr *,
u_int16_t, u_int8_t, sa_family_t);
int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
@@ -2007,6 +2007,22 @@
}
}
+/**
+ * Checksum updates are a little complicated because the checksum in the TCP/UDP
+ * header isn't always a full checksum. In some cases (i.e. output) it's a
+ * pseudo-header checksum, which is a partial checksum over src/dst IP
+ * addresses, protocol number and length.
+ *
+ * That means we have the following cases:
+ * * Input or forwarding: we don't have TSO, the checksum fields are full
+ * checksums, we need to update the checksum whenever we change anything.
+ * * Output (i.e. the checksum is a pseudo-header checksum):
+ * x The field being updated is src/dst address or affects the length of
+ * the packet. We need to update the pseudo-header checksum (note that this
+ * checksum is not ones' complement).
+ * x Some other field is being modified (e.g. src/dst port numbers): We
+ * don't have to update anything.
+ **/
u_int16_t
pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
{
@@ -2022,9 +2038,20 @@
return (l);
}
+u_int16_t
+pf_proto_cksum_fixup(struct mbuf *m, u_int16_t cksum, u_int16_t old,
+ u_int16_t new, u_int8_t udp)
+{
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
+ return (cksum);
+
+ return (pf_cksum_fixup(cksum, old, new, udp));
+}
+
void
-pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
- struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
+pf_change_ap(struct mbuf *m, struct pf_addr *a, u_int16_t *p, u_int16_t *ic,
+ u_int16_t *pc, struct pf_addr *an, u_int16_t pn, u_int8_t u,
+ sa_family_t af)
{
struct pf_addr ao;
u_int16_t po = *p;
@@ -2032,6 +2059,9 @@
PF_ACPY(&ao, a, af);
PF_ACPY(a, an, af);
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
+ *pc = ~*pc;
+
*p = pn;
switch (af) {
@@ -2041,17 +2071,19 @@
ao.addr16[0], an->addr16[0], 0),
ao.addr16[1], an->addr16[1], 0);
*p = pn;
- *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
+
+ *pc = pf_cksum_fixup(pf_cksum_fixup(*pc,
ao.addr16[0], an->addr16[0], u),
- ao.addr16[1], an->addr16[1], u),
- po, pn, u);
+ ao.addr16[1], an->addr16[1], u);
+
+ *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
*pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
- pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
+ pf_cksum_fixup(pf_cksum_fixup(*pc,
ao.addr16[0], an->addr16[0], u),
ao.addr16[1], an->addr16[1], u),
ao.addr16[2], an->addr16[2], u),
@@ -2059,13 +2091,20 @@
ao.addr16[4], an->addr16[4], u),
ao.addr16[5], an->addr16[5], u),
ao.addr16[6], an->addr16[6], u),
- ao.addr16[7], an->addr16[7], u),
- po, pn, u);
+ ao.addr16[7], an->addr16[7], u);
+
+ *pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
break;
#endif /* INET6 */
}
-}
+ if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA |
+ CSUM_DELAY_DATA_IPV6)) {
+ *pc = ~*pc;
+ if (! *pc)
+ *pc = 0xffff;
+ }
+}
/* Changes a u_int32_t. Uses a void * so there are no align restrictions */
void
@@ -2079,6 +2118,19 @@
ao % 65536, an % 65536, u);
}
+void
+pf_change_proto_a(struct mbuf *m, void *a, u_int16_t *c, u_int32_t an, u_int8_t udp)
+{
+ u_int32_t ao;
+
+ memcpy(&ao, a, sizeof(ao));
+ memcpy(a, &an, sizeof(u_int32_t));
+
+ *c = pf_proto_cksum_fixup(m,
+ pf_proto_cksum_fixup(m, *c, ao / 65536, an / 65536, udp),
+ ao % 65536, an % 65536, udp);
+}
+
#ifdef INET6
void
pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
@@ -2228,12 +2280,10 @@
for (i = 2; i + TCPOLEN_SACK <= olen;
i += TCPOLEN_SACK) {
memcpy(&sack, &opt[i], sizeof(sack));
- pf_change_a(&sack.start, &th->th_sum,
- htonl(ntohl(sack.start) -
- dst->seqdiff), 0);
- pf_change_a(&sack.end, &th->th_sum,
- htonl(ntohl(sack.end) -
- dst->seqdiff), 0);
+ pf_change_proto_a(m, &sack.start, &th->th_sum,
+ htonl(ntohl(sack.start) - dst->seqdiff), 0);
+ pf_change_proto_a(m, &sack.end, &th->th_sum,
+ htonl(ntohl(sack.end) - dst->seqdiff), 0);
memcpy(&opt[i], &sack, sizeof(sack));
}
copyback = 1;
@@ -3400,7 +3450,7 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
+ pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum,
&th->th_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 0, af);
pd->sport = &th->th_sport;
@@ -3409,7 +3459,7 @@
if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
+ pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum,
&th->th_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 0, af);
dport = th->th_dport;
@@ -3423,7 +3473,7 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(saddr, &pd->hdr.udp->uh_sport,
+ pf_change_ap(m, saddr, &pd->hdr.udp->uh_sport,
pd->ip_sum, &pd->hdr.udp->uh_sum,
&nk->addr[pd->sidx],
nk->port[pd->sidx], 1, af);
@@ -3433,7 +3483,7 @@
if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(daddr, &pd->hdr.udp->uh_dport,
+ pf_change_ap(m, daddr, &pd->hdr.udp->uh_dport,
pd->ip_sum, &pd->hdr.udp->uh_sum,
&nk->addr[pd->didx],
nk->port[pd->didx], 1, af);
@@ -3845,7 +3895,7 @@
if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
0)
s->src.seqdiff = 1;
- pf_change_a(&th->th_seq, &th->th_sum,
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum,
htonl(s->src.seqlo + s->src.seqdiff), 0);
*rewrite = 1;
} else
@@ -4175,9 +4225,9 @@
while ((src->seqdiff = arc4random() - seq) == 0)
;
ack = ntohl(th->th_ack) - dst->seqdiff;
- pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
src->seqdiff), 0);
- pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
+ pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
*copyback = 1;
} else {
ack = ntohl(th->th_ack);
@@ -4227,9 +4277,9 @@
ack = ntohl(th->th_ack) - dst->seqdiff;
if (src->seqdiff) {
/* Modulate sequence numbers */
- pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
+ pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
src->seqdiff), 0);
- pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
+ pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
*copyback = 1;
}
end = seq + pd->p_len;
@@ -4729,14 +4779,14 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != th->th_sport)
- pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
- &th->th_sum, &nk->addr[pd->sidx],
+ pf_change_ap(m, pd->src, &th->th_sport,
+ pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 0, pd->af);
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != th->th_dport)
- pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
- &th->th_sum, &nk->addr[pd->didx],
+ pf_change_ap(m, pd->dst, &th->th_dport,
+ pd->ip_sum, &th->th_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 0, pd->af);
copyback = 1;
}
@@ -4807,13 +4857,13 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != uh->uh_sport)
- pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
+ pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
&uh->uh_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 1, pd->af);
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != uh->uh_dport)
- pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
+ pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum,
&uh->uh_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 1, pd->af);
#ifdef __FreeBSD__
@@ -6290,6 +6340,13 @@
ip6 = mtod(m0, struct ip6_hdr *);
}
+ if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 &
+ ~ifp->if_hwassist) {
+ uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6);
+ in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr));
+ m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
+ }
+
/*
* If the packet is too large for the outgoing interface,
* send back an icmp6 error.
--- sys/contrib/pf/net/pf_ioctl.c.orig
+++ sys/contrib/pf/net/pf_ioctl.c
@@ -4158,11 +4158,6 @@
struct ip *h = NULL;
int chk;
- /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
- in_delayed_cksum(*m);
- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
if ((*m)->m_pkthdr.len >= (int)sizeof(*h)) {
/* if m_pkthdr.len is less than ip header, pf will handle. */
h = mtod(*m, struct ip *);
@@ -4222,14 +4217,6 @@
*/
int chk;
- /* We need a proper CSUM before we start (s. OpenBSD ip_output) */
- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
-#ifdef INET
- /* XXX-BZ copy&paste error from r126261? */
- in_delayed_cksum(*m);
-#endif
- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
CURVNET_SET(ifp->if_vnet);
chk = pf_test6(PF_OUT, ifp, m, NULL, inp);
CURVNET_RESTORE();
--- sys/contrib/pf/net/pf_norm.c.orig
+++ sys/contrib/pf/net/pf_norm.c
@@ -1657,13 +1657,14 @@
th->th_x2 = 0;
nv = *(u_int16_t *)(&th->th_ack + 1);
- th->th_sum = pf_cksum_fixup(th->th_sum, ov, nv, 0);
+ th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, ov, nv, 0);
rewrite = 1;
}
/* Remove urgent pointer, if TH_URG is not set */
if (!(flags & TH_URG) && th->th_urp) {
- th->th_sum = pf_cksum_fixup(th->th_sum, th->th_urp, 0, 0);
+ th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, th->th_urp,
+ 0, 0);
th->th_urp = 0;
rewrite = 1;
}
@@ -1889,7 +1890,7 @@
(src->scrub->pfss_flags &
PFSS_TIMESTAMP)) {
tsval = ntohl(tsval);
- pf_change_a(&opt[2],
+ pf_change_proto_a(m, &opt[2],
&th->th_sum,
htonl(tsval +
src->scrub->pfss_ts_mod),
@@ -1905,7 +1906,7 @@
PFSS_TIMESTAMP)) {
tsecr = ntohl(tsecr)
- dst->scrub->pfss_ts_mod;
- pf_change_a(&opt[6],
+ pf_change_proto_a(m, &opt[6],
&th->th_sum, htonl(tsecr),
0);
copyback = 1;
@@ -2286,8 +2287,8 @@
case TCPOPT_MAXSEG:
mss = (u_int16_t *)(optp + 2);
if ((ntohs(*mss)) > r->max_mss) {
- th->th_sum = pf_cksum_fixup(th->th_sum,
- *mss, htons(r->max_mss), 0);
+ th->th_sum = pf_proto_cksum_fixup(m,
+ th->th_sum, *mss, htons(r->max_mss), 0);
*mss = htons(r->max_mss);
rewrite = 1;
}
--- sys/contrib/pf/net/pfvar.h.orig
+++ sys/contrib/pf/net/pfvar.h
@@ -1909,6 +1909,8 @@
extern void pf_print_flags(u_int8_t);
extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
u_int8_t);
+extern u_int16_t pf_proto_cksum_fixup(struct mbuf *, u_int16_t,
+ u_int16_t, u_int16_t, u_int8_t);
#ifdef __FreeBSD__
VNET_DECLARE(struct ifnet *, sync_ifp);
@@ -1954,6 +1956,9 @@
void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
sa_family_t);
void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
+void pf_change_proto_a(struct mbuf *, void *, u_int16_t *, u_int32_t,
+ u_int8_t);
+void pf_change_tcp_a(struct mbuf *, void *, u_int16_t *, u_int32_t);
int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t,
u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *,
struct pf_pdesc *);
--- sys/netinet6/ip6_output.c.orig
+++ sys/netinet6/ip6_output.c
@@ -184,7 +184,7 @@
}\
} while (/*CONSTCOND*/ 0)
-static void
+void
in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset)
{
u_short csum;
--- sys/netinet6/ip6_var.h.orig
+++ sys/netinet6/ip6_var.h
@@ -456,6 +456,7 @@
struct rtentry **, u_int);
u_int32_t ip6_randomid(void);
u_int32_t ip6_randomflowlabel(void);
+void in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset);
#endif /* _KERNEL */
#endif /* !_NETINET6_IP6_VAR_H_ */

16
share/security/patches/EN-16:02/pf-9.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vXAAoJEO1n7NZdz2rnWksQANG3wnvt9x7pSkzPczC76OlN
FVDRCnBNcBe4Jpr0KixCGBxY5ICVLPTbyS9REX3cNY5PokjKuFEqvX6EUtE0W6Jp
k3Y4AYRvCGCrCbn7HXwlbmRDKZNjvnC0Ek6SQYotcSGeY69RyusZ2tAZKQRv+TGR
JO95YKORnU4NvBtm6jDQAvdFodDG2yLpj5Q8V8/N7aA+0CKHp5+RkTUv/2THmrKD
8BeMWbtCJBVIAEuChfuDKj5fpWKaCAm7TmZZJHUviY1BmRu2z0CAya7Z//a74d+s
uvkDC2ohjqZ13EmC9dQ+WyRIlb8KbBGl5f8zM2wNX2Cqvlt0tAeoEHl/KAJTJ2Ap
PAJd6DCz2Fqu/vHzqzRW8zkjUOoRJ4CkwLjHqhxKJcJoG2x8nwCKYpKpF47/6Ys1
UGfGva42YjEKqtK9vK7PjMUSFyvJVNQSEsj3kYBPW3cJdx7monF9kcLYpBRBFO4W
9RVT8xjHtJv76aWqnsyA5DIlNfIg3x7lMLnXE1hR+jifyZ1mDJxHYIaDzxq/klBt
cWIRlfCvtar8bGgNR1O/qncSNgn+3k32861AsfS/F0ca4lYdTAkE/5xXA2YesfyS
hWqjchvI6v36JyeshEqL68RXKsnoaB0SxJ3z19Qam0m3QSHNNANyQackPsiTZRxe
hLYgXohMz/V8yjbEgOOP
=rwun
-----END PGP SIGNATURE-----

121
share/security/patches/EN-16:03/yplib.patch Normal file
View file

@ -0,0 +1,121 @@
--- lib/libc/yp/yplib.c.orig
+++ lib/libc/yp/yplib.c
@@ -655,7 +655,7 @@
struct timeval tv;
struct ypreq_key yprk;
int r;
-
+ int retries = 0;
*outval = NULL;
*outvallen = 0;
@@ -700,6 +700,11 @@
#endif
again:
+ if (retries > MAX_RETRIES) {
+ YPUNLOCK();
+ return (YPERR_RPC);
+ }
+
if (_yp_dobind(indomain, &ysd) != 0) {
YPUNLOCK();
return (YPERR_DOMAIN);
@@ -716,6 +721,7 @@
if (r != RPC_SUCCESS) {
clnt_perror(ysd->dom_client, "yp_match: clnt_call");
_yp_unbind(ysd);
+ retries++;
goto again;
}
@@ -772,7 +778,7 @@
struct dom_binding *ysd;
struct timeval tv;
int r;
-
+ int retries = 0;
/* Sanity check */
if (indomain == NULL || !strlen(indomain) ||
@@ -784,6 +790,11 @@
YPLOCK();
again:
+ if (retries > MAX_RETRIES) {
+ YPUNLOCK();
+ return (YPERR_RPC);
+ }
+
if (_yp_dobind(indomain, &ysd) != 0) {
YPUNLOCK();
return (YPERR_DOMAIN);
@@ -802,6 +813,7 @@
if (r != RPC_SUCCESS) {
clnt_perror(ysd->dom_client, "yp_first: clnt_call");
_yp_unbind(ysd);
+ retries++;
goto again;
}
if (!(r = ypprot_err(yprkv.stat))) {
@@ -844,7 +856,7 @@
struct dom_binding *ysd;
struct timeval tv;
int r;
-
+ int retries = 0;
/* Sanity check */
if (inkey == NULL || !strlen(inkey) || inkeylen <= 0 ||
@@ -857,6 +869,11 @@
YPLOCK();
again:
+ if (retries > MAX_RETRIES) {
+ YPUNLOCK();
+ return (YPERR_RPC);
+ }
+
if (_yp_dobind(indomain, &ysd) != 0) {
YPUNLOCK();
return (YPERR_DOMAIN);
@@ -877,6 +894,7 @@
if (r != RPC_SUCCESS) {
clnt_perror(ysd->dom_client, "yp_next: clnt_call");
_yp_unbind(ysd);
+ retries++;
goto again;
}
if (!(r = ypprot_err(yprkv.stat))) {
@@ -920,7 +938,7 @@
CLIENT *clnt;
u_long status, savstat;
int clnt_sock;
-
+ int retries = 0;
/* Sanity check */
if (indomain == NULL || !strlen(indomain) ||
@@ -929,6 +947,10 @@
YPLOCK();
again:
+ if (retries > MAX_RETRIES) {
+ YPUNLOCK();
+ return (YPERR_RPC);
+ }
if (_yp_dobind(indomain, &ysd) != 0) {
YPUNLOCK();
@@ -958,9 +980,10 @@
if (clnt_call(clnt, YPPROC_ALL,
(xdrproc_t)xdr_ypreq_nokey, &yprnk,
(xdrproc_t)xdr_ypresp_all_seq, &status, tv) != RPC_SUCCESS) {
- clnt_perror(ysd->dom_client, "yp_all: clnt_call");
+ clnt_perror(clnt, "yp_all: clnt_call");
clnt_destroy(clnt);
_yp_unbind(ysd);
+ retries++;
goto again;
}

16
share/security/patches/EN-16:03/yplib.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vYAAoJEO1n7NZdz2rnxbYQAKxlkBfJnArM/ESwHCi9dvbC
Q4dsDErwVo2uIaxyB29Tl2uy2qR7npiXOCbuaKZHnFr87lTwi0zsELQ3OJEFbzsF
XTkRteKfM4el/s4UUzj0IIYnR7w97UvLM5stgrilIegg4yg0okOiGDDpentv/iPb
EGzt9PbWncsminLR0bbwMygE3Pb/5NVcdEUzZSEVVFjWt+8N4j1DMQolLIs/pgvh
TSWlztQqEFntia5LjBx05WOlg5cnM9NZGYW4ruQ2hVOjVdb/qEYyDKRzDOIkYIGl
vHjWltGQNAmB3+EpCg1m4dENBhQPwkmXI9x87c+M3MsgZafOwY9C/igjWyUngDjP
lquCAQq8pMk0OvtUctbjp3jMGVOUwhi4x3ZtknnHcR33/PCBTGIi7eekNdXp9g1G
0Iu/0meA1HEN3Zll+J4iGUoMIDPj247Lcqp3k/+V7sWDuHRszjW1Thk07OLS/+E4
iJ1vLy9FuwBoVOuc5h3P2hc2dAR49rlSh/DC+CIosRWtBN3K5kEi3zGyTPx1jCb9
KZnJLRjRsp7Pc8ttCXHprUn1EqqxeIsDHLAJ4v2FjieKawQXfeJPnzhUKL5W1B8F
N6GkwxhwwksHfwqOF6Lt7i4Zfy3+HSqO5sJlAvZ0H95in6/rdkC/au0FTYfoowkW
XCERr6GWLn+OElTN0zP6
=m8uJ
-----END PGP SIGNATURE-----

21
share/security/patches/SA-16:01/sctp.patch Normal file
View file

@ -0,0 +1,21 @@
--- sys/netinet6/sctp6_usrreq.c.orig
+++ sys/netinet6/sctp6_usrreq.c
@@ -379,7 +379,6 @@
* XXX: We assume that when IPV6 is non NULL, M and OFF are
* valid.
*/
- /* check if we can safely examine src and dst ports */
struct sctp_inpcb *inp = NULL;
struct sctp_tcb *stcb = NULL;
struct sctp_nets *net = NULL;
@@ -388,6 +387,10 @@
if (ip6cp->ip6c_m == NULL)
return;
+ /* Check if we can safely examine the SCTP header. */
+ if (ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh))
+ return;
+
bzero(&sh, sizeof(sh));
bzero(&final, sizeof(final));
inp = NULL;

16
share/security/patches/SA-16:01/sctp.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vZAAoJEO1n7NZdz2rnhLcQAKcsskSsuiYk43iZ3r+xYTxW
rnKNXWsg07vvgGTt7SuSieW+U+QJG7tlneksjFdOMlubaEzxhpSptsWYWy+jkR8U
revnF2SW1BItKYmXLtYAtyzvHxIuOlJKiyUKflA/MdrNdgPBpLcOgxJw1EJcaY6u
5YUTIg3N4KLNSNFlvOVPi9PtM8uf7gR+8rvvbPW/v9ni28qsp8un5biPtgr/ESuV
ya4nTFwYi6221na3dB/PyA97WKd7rvkDyZvUA5IDeNGDm1mT15YPRPaknAmlBsa6
9vEnObj9oODKsdwsPS+Ov0By3X9CsW2dJlcLIHmC/DW89My3x/Q1pbquqTc5P8DF
eu4i0TuYgPlukjWqASi04zoOPibRxNadLaqPr6BKMDX4daUXmP6G+wnWAp89tj/3
t1rAsB/z/OXq136vIEgRnEIVYMBk0Ie9Jc5wsm9ZA8WQ7w4+1NJOmhmR5V4hD+IX
m0FueELyEKje57ArwryjoBgHUgODQtI1QARPPAvvN1x81J76dQVT+fzBWychWzzk
OvvF2mbxwxfIQBB47OQVrrqctxfLZyekmpY6Ma6eCY5dzFdmI3ncHnkmXE2HHklU
Oi7NtuwkxQfARKDON3CWU9PBYQkV9aciTDYMO1Lk24ojwye0XL7XWGMPR+/GjT3v
cacygRjuFTVLcLIka2w+
=AqPl
-----END PGP SIGNATURE-----

15927
share/security/patches/SA-16:02/ntp-10.patch Normal file
View file

File diff suppressed because it is too large Load diff

16
share/security/patches/SA-16:02/ntp-10.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vZAAoJEO1n7NZdz2rnza8P/i0CWpBBRnXvnA7OgD6Xq9Im
W9uB8Hca47QOoyZXIJ45u5KUxD4wd5urJTG6SPnxrme1Nevg74yIXQFPatYC1lwS
gGFMNLR9n7BP/NldYqnCyraf7r0sX4pTHR6oS2D+Ttg9C18OwDeGM04Q/hiMROVJ
RdiFYiOzKU4r5EEhFGaMnEmWYYQw5u1VrKKrWJajOnOpIixzcz596xudpraa3AP5
Tr0RytKTaHfd5QeP8vRANZSPI5lBpKahoYRJNhmURyiOKXxdOp8A2HjvXk0hdEIk
6U6XgQSE1fVpMyoWRB1hm5sVlwH0kD2q7mYdb+TgCdR0tWS3nJRKbrThjP/CYxAy
GOVYuIWI6qjI46V6TFi7AyyFrBCEHnkNjtRk4EUwUp1s3ZAsK9qZNxpJfM/QF1wq
w4LzNBEsMBrgKv2QJ6PqUP9OXDQJD9p83/W9Tnd97TFt/1VnhzBj6AaOzQd0l0X5
c5+Suk80l0dTokP1rjblE6FzZkteOUGY16E3fjK4vXu9c76jujM0YvmqKpyL3ZEN
dWw4XwcBgmp1MYCew+HW/kqrzAZYkOk+2PyEsUrrmAqHbLAGqdH5odmrVA7NRPR5
YMLynC+4D0tfDaurugMbtgNkycgCvuyd7aULUYjv4Rt+s+lGbZzC7EscZOGO+k/c
AzMdAudjDsGdnyEHCIDE
=Cnml
-----END PGP SIGNATURE-----

15928
share/security/patches/SA-16:02/ntp-9.patch Normal file
View file

File diff suppressed because it is too large Load diff

16
share/security/patches/SA-16:02/ntp-9.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vaAAoJEO1n7NZdz2rnV8gQALVsnYTaTxO/MUewSFss7+i2
z5dc+BvS0e5jW+klAvTsgcNdsG1SLsydAW4G89IUJ5QC0wFAIOVcWM7fez+8SERh
FyQeY7xHiK5Ek6yO4SUb7pL5pHeDM1kCQMkFK/6SiE2WBEtYMzvjtInnSk+wCphP
YWZPpmiAQibLPQebnvJP6IDJ87VUV6jsilAfikexXPXK6MYDNDTyaniKw83dyfAk
2+50sTs32aUSgprziqEAAOOD+M1smqD/lutD5UbkdvfTHCopk889idoKVAdC5eLJ
z9Xi9IJa7BlTrHV/0jBdM+rtXh9gCUkcwPrB0VJVe8gib93RQA/Y700cnsMLkL+O
/aeHTrmXwLj6rS4DsqwW+Dit/4y8PReVyihR5A3zIKqA9MgU8QjHU2aA2PnQ6hyD
0dd1ey+hKIQ/S7HDO8tBym5o7sGSkkelFjRxy5NRu5Uz/oz5IguYpFeBsLjYFWre
hvsNvmMeIabXk5Cpc+QwAJ1EssAjoJzuGXr6AbIwoHJvoqxKCMmuW1Fxr5+0zuDA
ebBU2Kvg6pVVSFSFizBq5/e/krhBM/SbcrGgzj9E4YcLs+/i+lI0LS8gEK1iQ3BA
TK4CSJVsVq9a/HPf2GrHqVyurj39r439jq21JT6NgnkHGgf2QzT9UoD8QJ35coa0
9Xt31rra4FlY4zzd8D4+
=EMVn
-----END PGP SIGNATURE-----

68
share/security/patches/SA-16:03/linux.patch Normal file
View file

@ -0,0 +1,68 @@
--- sys/amd64/linux32/linux32_proto.h.orig
+++ sys/amd64/linux32/linux32_proto.h
@@ -992,7 +992,7 @@
};
struct linux_get_robust_list_args {
char pid_l_[PADL_(l_int)]; l_int pid; char pid_r_[PADR_(l_int)];
- char head_l_[PADL_(struct linux_robust_list_head *)]; struct linux_robust_list_head * head; char head_r_[PADR_(struct linux_robust_list_head *)];
+ char head_l_[PADL_(struct linux_robust_list_head **)]; struct linux_robust_list_head ** head; char head_r_[PADR_(struct linux_robust_list_head **)];
char len_l_[PADL_(l_size_t *)]; l_size_t * len; char len_r_[PADR_(l_size_t *)];
};
struct linux_splice_args {
--- sys/amd64/linux32/linux32_systrace_args.c.orig
+++ sys/amd64/linux32/linux32_systrace_args.c
@@ -2088,7 +2088,7 @@
case 312: {
struct linux_get_robust_list_args *p = params;
iarg[0] = p->pid; /* l_int */
- uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head * */
+ uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head ** */
uarg[2] = (intptr_t) p->len; /* l_size_t * */
*n_args = 3;
break;
@@ -5363,7 +5363,7 @@
p = "l_int";
break;
case 1:
- p = "struct linux_robust_list_head *";
+ p = "struct linux_robust_list_head **";
break;
case 2:
p = "l_size_t *";
--- sys/amd64/linux32/syscalls.master.orig
+++ sys/amd64/linux32/syscalls.master
@@ -512,8 +512,8 @@
; linux 2.6.17:
311 AUE_NULL STD { int linux_set_robust_list(struct linux_robust_list_head *head, \
l_size_t len); }
-312 AUE_NULL STD { int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \
- l_size_t *len); }
+312 AUE_NULL STD { int linux_get_robust_list(l_int pid, \
+ struct linux_robust_list_head **head, l_size_t *len); }
313 AUE_NULL STD { int linux_splice(void); }
314 AUE_NULL STD { int linux_sync_file_range(void); }
315 AUE_NULL STD { int linux_tee(void); }
--- sys/compat/linux/linux_futex.c.orig
+++ sys/compat/linux/linux_futex.c
@@ -1090,7 +1090,7 @@
return (EFAULT);
}
- error = copyout(head, args->head, sizeof(struct linux_robust_list_head));
+ error = copyout(&head, args->head, sizeof(head));
if (error) {
LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error,
error);
--- sys/i386/linux/syscalls.master.orig
+++ sys/i386/linux/syscalls.master
@@ -520,8 +520,8 @@
; linux 2.6.17:
311 AUE_NULL STD { int linux_set_robust_list(struct linux_robust_list_head *head, \
l_size_t len); }
-312 AUE_NULL STD { int linux_get_robust_list(l_int pid, struct linux_robust_list_head **head, \
- l_size_t *len); }
+312 AUE_NULL STD { int linux_get_robust_list(l_int pid, \
+ struct linux_robust_list_head **head, l_size_t *len); }
313 AUE_NULL STD { int linux_splice(void); }
314 AUE_NULL STD { int linux_sync_file_range(void); }
315 AUE_NULL STD { int linux_tee(void); }

16
share/security/patches/SA-16:03/linux.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vaAAoJEO1n7NZdz2rn550QAOExAQn5tPNJatXxB7TemVBa
NYz7vuSJInrAph8Q3g0ArFDMPxundFsqhc/T1Xd934fcxsjIL0gNKvlZYJaUDLWo
0AuBlMmuO5YuVr5Ziy6UxZRgBp+LtpBlTbP4QY9YUB8VT2ijsZkKfjabGLuBpBPT
tyoSt6NOrU+aFY7pRhDqiu8C9X1PSkv7xMCPIaR6eNfIi5Oq2uAahNHHi3RJxNqw
DAvufZszMsggUXvSqJI+1ymQSqjW//LRchOp7Svqgkt+MTJKTUikgezey7Ovspsm
lMW0DPUSUVJIo2KZBCnOJe9DrIlpTfsrfzF1VEb7ASQ/GNhdnnkDa2mB/r5QvCVI
KtS9/nnF3+aOyCAriH1qeWH0gDSvunx9/wq7E1mH4CILPNRN0rI/06xpTV2ay7jD
xOHoSMsCiIPrMN0o/DpmWiZN3X+elizXNiOqdKkUHz3kkjcYNlhVEUpLSDLUN9v+
hAmdC4OQrrAnsAnhi2jILeCO4soFyOSQ/RUDomHJSUBGtLtVpkFTZM200I0fG1bY
jDOF2mjren7cBNhtXA9M5oSRLPnaIVABPR62f2Og3+OVnwCvYNufN+U4kOVBAohX
8Y8NfFE8TiKKk4XgBNK1PFzm4ebwRNkupLfLLayMA7aJJdfLW+dPg7vLHc5n9c6F
Fy1m3f8+DhXt6aFjCbHG
=3x4+
-----END PGP SIGNATURE-----

44
share/security/patches/SA-16:04/linux.patch Normal file
View file

@ -0,0 +1,44 @@
--- sys/compat/linux/linux_misc.c.orig
+++ sys/compat/linux/linux_misc.c
@@ -1304,9 +1304,11 @@
if (error)
goto out;
newcred = crget();
+ crextend(newcred, ngrp + 1);
p = td->td_proc;
PROC_LOCK(p);
- oldcred = crcopysafe(p, newcred);
+ oldcred = p->p_ucred;
+ crcopy(newcred, oldcred);
/*
* cr_groups[0] holds egid. Setting the whole set from
--- sys/kern/kern_prot.c.orig
+++ sys/kern/kern_prot.c
@@ -88,7 +88,6 @@
SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy");
-static void crextend(struct ucred *cr, int n);
static void crsetgroups_locked(struct ucred *cr, int ngrp,
gid_t *groups);
@@ -1997,7 +1996,7 @@
/*
* Extend the passed in credential to hold n items.
*/
-static void
+void
crextend(struct ucred *cr, int n)
{
int cnt;
--- sys/sys/ucred.h.orig
+++ sys/sys/ucred.h
@@ -105,6 +105,7 @@
void crcopy(struct ucred *dest, struct ucred *src);
struct ucred *crcopysafe(struct proc *p, struct ucred *cr);
struct ucred *crdup(struct ucred *cr);
+void crextend(struct ucred *cr, int n);
void cred_update_thread(struct thread *td);
void crfree(struct ucred *cr);
struct ucred *crget(void);

16
share/security/patches/SA-16:04/linux.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vbAAoJEO1n7NZdz2rn0XIQALbLH5z0mI06+5Zhc6rUXUa3
ctXum7safaMN/xNlgfOY0LexKdc0zoIDbnVicvdKiao64iSkYROXHWk3GxQInvir
KYyr2C9gAFf0l8q8ZE4rFmNxoaKjamIWupGqBudLKd8dID3pZENXuzzuIoCHReBs
hFFuyIOGHcarVXq3EalF5J1uUoyRcSrJQ+dX1bpt4c22b1g82aCCmKewmrXbYST0
GdrE/YTkMZ8AS3KZBpYLOBO62qmHF1WvK3map1vqMGvTBVUsWc+ls6ihdEadot93
owhRWf8kH1ldXZKfKSoQNtTcDpxZWstigCE+r7G5SkaywScymQx16Y0ghpyry5mP
yalk0vHKVZ0gejf15Q4FCI6BQavOWhhFYpNFzfIjAA0rorCgZTdZ7HQrWShY1giA
7muCuRH6OZ3UgSV8HNiOHQiqLi1FaGU5qkHro1Gz1a4osnsRFGaqCAIgBle2SZUF
TXlaJdxpwxDNpp0qUljNb0Y77H4S46FudNFYY0wCuMyfz8iNiayhG5Rz+HTMxiDb
fNXU0773x3EP/IbIkYWjsySlcWDfCA2czoze3wLidoCred6WJKyGyHT7jDdxXgWK
WP4/rkJK8cNZ3Tfpem5KpeYDQHwKIgo1ZcxjR3t1eFc7+CiAd1Gxpxe1nva6Snek
UcwwLM1F5FbxafFI6cMV
=qmE4
-----END PGP SIGNATURE-----

37
share/security/patches/SA-16:05/tcp.patch Normal file
View file

@ -0,0 +1,37 @@
--- sys/netinet/tcp_output.c.orig
+++ sys/netinet/tcp_output.c
@@ -752,8 +752,8 @@
* segments. Options for SYN-ACK segments are handled in TCP
* syncache.
*/
+ to.to_flags = 0;
if ((tp->t_flags & TF_NOOPT) == 0) {
- to.to_flags = 0;
/* Maximum segment size. */
if (flags & TH_SYN) {
tp->snd_nxt = tp->iss;
@@ -1233,7 +1233,7 @@
tp->snd_up = tp->snd_una; /* drag it along */
#ifdef TCP_SIGNATURE
- if (tp->t_flags & TF_SIGNATURE) {
+ if (to.to_flags & TOF_SIGNATURE) {
int sigoff = to.to_signature - opt;
tcp_signature_compute(m, 0, len, optlen,
(u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
@@ -1713,6 +1713,7 @@
bcopy((u_char *)&to->to_tsecr, optp, sizeof(to->to_tsecr));
optp += sizeof(to->to_tsecr);
break;
+#ifdef TCP_SIGNATURE
case TOF_SIGNATURE:
{
int siglen = TCPOLEN_SIGNATURE - 2;
@@ -1731,6 +1732,7 @@
*optp++ = 0;
break;
}
+#endif
case TOF_SACK:
{
int sackblks = 0;

16
share/security/patches/SA-16:05/tcp.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vcAAoJEO1n7NZdz2rnEmwQALGiV/fnzTqk82xoivjx7BYJ
ku4OuN+ymATe2hMQfsVPvpnri6b+3W9alp0H3pvLmUmmpMSacMU5QbTyR6IRx+XN
QNIb/ZC8xeB0zyRagsMh2sU6g+vizC/+ZrjCc9M694cVyYjEoDUHGxQJ/KtZ5fBG
kGY4xfwxWP+NMZOcikXxEVm2t01vF3kvtEvb86FJ0wJaEqg3DXMGk2c/m/NB7yJ1
C/5BVSAwApWOypXIHV6GrqyFoCNqTijgGF9JhFb2SsY1ADcYWmLPgiy32y405It8
jZt2lYT6bS5xYO+O3SCTkocUvrO+GLL7NYhdHLiSZIUuT43/DUUdHESASLDDEzsx
qzy91Q/zSMbVKlrdYND2XbCwA4EeCBswfdyKclWHIknqpFGvFSsOkq7s4vsa1zuR
k2IG+lE4zSfVoOKbB696MQC60MNeg1S1C6hrGMq2p0EtlK5yrKdCGS8dYnV3sDXa
u52GKTLgqnh9WdJpY/8VEXf53Sc91BojRB18gh3xAesq6/n4LK8JbpqK15Y7Ity9
kPeZtHJuKFgZNqTVINHtcLihiAGccx7AK0zOlNvMwN2G8pLM5YYmkF7Vo/+n78pq
/kxWMK9qyn5BFTTwd2XLKRAnKA0gT0wtMWYBOTDuDr1ZjV/zjjQf3ZPH4Zo1YDZf
GHUAHT3j0QSi2Hquz9zf
=25K+
-----END PGP SIGNATURE-----

25
share/security/patches/SA-16:06/bsnmpd.patch Normal file
View file

@ -0,0 +1,25 @@
--- etc/Makefile.orig
+++ etc/Makefile
@@ -82,10 +82,6 @@
BIN1+= auto_master
.endif
-.if ${MK_BSNMP} != "no"
-BIN1+= snmpd.config
-.endif
-
.if ${MK_FREEBSD_UPDATE} != "no"
BIN1+= freebsd-update.conf
.endif
@@ -219,6 +215,11 @@
${BIN2} ${DESTDIR}/etc; \
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
master.passwd nsmb.conf opieaccess ${DESTDIR}/etc;
+.if ${MK_BSNMP} != "no"
+ cd ${.CURDIR}; \
+ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
+ snmpd.config ${DESTDIR}/etc;
+.endif
.if ${MK_AT} == "no"
sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab
.endif

16
share/security/patches/SA-16:06/bsnmpd.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJWl2vcAAoJEO1n7NZdz2rnVo4P/RzvYHiNx14BHX39eX9nxJO/
9oGg/dTSBPeTv+nOpievz9o3AGnOqXLnWEwjvBDgJAt5147WQP5FIASusQ2exYfg
POww/Vnk36gSYxuAqsiwQOJl7nGC78rZNSjb06npmPp4AjVosGav+pNSLmA6uo+d
RqsErPbSo+2i1bsuLhnfoT1L9u/pySzMzJfB2lRGBY4XbyeOp7XQAZ2gM4hQXloT
gEQrfmuzXE0s9196pK7DxZqmGtsl7tl23lAJfKuyYuNjAEJ/KTuvp7PYj+t9rGYW
pEFa1/5ICREs1cWJeFpv6LywWmB8P0dfPYxFS3zBR+mjYN04Cep+pLBS947srDkg
Spkz3HQTibNvpuooPI+AHv+5PdGWMJDytZW5hk2t9bpMXAXfegV2zQD8dYSbjCOK
lOZb7HlbSMrGKOUdr+uB+fihabRvKgfEpvwkmRM8+gwlhdTO+k0sOQEwKznvSvZV
66vMkySs6rqemG5vPD9sgWPNqP9BTqqz0RGe2ZDim3yqkuqYAxLOY2510PfXHXH5
+2GMbf3fY8ZqcmcZeERzluvYTMpi4wWCrf2ekELIvBRp8TC29R3hI8SE38f2DcoW
HyR3rz6IiktyQ/QVmibhLZjpveQ08yPZb5qLFcgbJh7u5Nbyn2mdbbtnsHjYwJY4
abQlvZo/4G8SbEhCsLs0
=6rgy
-----END PGP SIGNATURE-----