[Glibc-bsd-commits] r3746 - in branches/squeeze/kfreebsd-8/debian: . patches

Aurelien Jarno aurel32 at alioth.debian.org
Wed Oct 19 07:31:56 UTC 2011


Author: aurel32
Date: 2011-10-19 07:31:56 +0000 (Wed, 19 Oct 2011)
New Revision: 3746

Added:
   branches/squeeze/kfreebsd-8/debian/patches/000_unix_socket_overflow.diff
   branches/squeeze/kfreebsd-8/debian/patches/919_unix_socket_overflow.diff
Modified:
   branches/squeeze/kfreebsd-8/debian/changelog
   branches/squeeze/kfreebsd-8/debian/patches/series
Log:
  * Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
    Fix for FreeBSD-SA-11:05.unix / CVE-2011-xxxx.  (Closes: #645377)



Modified: branches/squeeze/kfreebsd-8/debian/changelog
===================================================================
--- branches/squeeze/kfreebsd-8/debian/changelog	2011-10-19 07:26:17 UTC (rev 3745)
+++ branches/squeeze/kfreebsd-8/debian/changelog	2011-10-19 07:31:56 UTC (rev 3746)
@@ -1,3 +1,10 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low
+
+  * Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
+    Fix for FreeBSD-SA-11:05.unix / CVE-2011-xxxx.  (Closes: #645377)
+
+ -- Aurelien Jarno <aurel32 at debian.org>  Tue, 18 Oct 2011 00:08:38 +0200
+
 kfreebsd-8 (8.1+dfsg-8+squeeze1) stable; urgency=low
 
   * Fix net802.11 stack kernel memory disclosure (CVE-2011-2480).

Added: branches/squeeze/kfreebsd-8/debian/patches/000_unix_socket_overflow.diff
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/000_unix_socket_overflow.diff	                        (rev 0)
+++ branches/squeeze/kfreebsd-8/debian/patches/000_unix_socket_overflow.diff	2011-10-19 07:31:56 UTC (rev 3746)
@@ -0,0 +1,51 @@
+--- a/sys/kern/uipc_usrreq.c
++++ b/sys/kern/uipc_usrreq.c
+@@ -419,6 +419,8 @@
+ 	unp = sotounpcb(so);
+ 	KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
+ 
++	if (soun->sun_len > sizeof(struct sockaddr_un))
++		return (EINVAL);
+ 	namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
+ 	if (namelen <= 0)
+ 		return (EINVAL);
+@@ -1165,6 +1167,8 @@
+ 	unp = sotounpcb(so);
+ 	KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
+ 
++	if (nam->sa_len > sizeof(struct sockaddr_un))
++		return (EINVAL);
+ 	len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
+ 	if (len <= 0)
+ 		return (EINVAL);
+--- a/sys/compat/linux/linux_socket.c
++++ b/sys/compat/linux/linux_socket.c
+@@ -103,6 +103,7 @@
+ 	int oldv6size;
+ 	struct sockaddr_in6 *sin6;
+ #endif
++	int namelen;
+ 
+ 	if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
+ 		return (EINVAL);
+@@ -165,6 +166,20 @@
+ 		}
+ 	}
+ 
++	if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
++		for (namelen = 0;
++		    namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
++		    namelen++)
++			if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
++				break;
++		if (namelen + offsetof(struct sockaddr_un, sun_path) >
++		    sizeof(struct sockaddr_un)) {
++			error = EINVAL;
++			goto out;
++		}
++		alloclen = sizeof(struct sockaddr_un);
++	}
++
+ 	sa = (struct sockaddr *) kosa;
+ 	sa->sa_family = bdom;
+ 	sa->sa_len = alloclen;
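Review bot: The AF_LOCAL block added to linux_socket.c scans `sun_path` up to `*osalen - offsetof(struct sockaddr_un, sun_path)`, which in this branch is past the array's declared size, so the read is only safe if `kosa` holds at least `*osalen` bytes; that allocation is outside the visible lines and is worth confirming. Nothing in the block says why an oversized length is accepted here instead of rejected as in the uipc_bind and unp_connect hunks, so I would add above the `if` a comment such as `/* Oversized AF_LOCAL length: accept only if the NUL-terminated path fits in sockaddr_un, then clamp sa_len. */`. The multi-line `for` with a nested `if` would also read more safely with braces. The enclosing functions start and end outside all three inner hunks.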

Added: branches/squeeze/kfreebsd-8/debian/patches/919_unix_socket_overflow.diff
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/919_unix_socket_overflow.diff	                        (rev 0)
+++ branches/squeeze/kfreebsd-8/debian/patches/919_unix_socket_overflow.diff	2011-10-19 07:31:56 UTC (rev 3746)
@@ -0,0 +1,33 @@
+See #645527.
+
+Our former userspace allows 108 bytes in sun_path,
+but kernel restrict it to 104 bytes.
+
+--- a/sys/kern/uipc_usrreq.c
++++ b/sys/kern/uipc_usrreq.c
+@@ -420,7 +420,12 @@
+ 	KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
+ 
+ 	if (soun->sun_len > sizeof(struct sockaddr_un))
++	{
++	    if (soun->sun_len <= (4 + sizeof(struct sockaddr_un)))
++	        soun->sun_len = sizeof(struct sockaddr_un);  	/* clip it */
++	    else
+ 		return (EINVAL);
++	};
+ 	namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
+ 	if (namelen <= 0)
+ 		return (EINVAL);
+@@ -1168,7 +1173,12 @@
+ 	KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
+ 
+ 	if (nam->sa_len > sizeof(struct sockaddr_un))
++	{
++	    if (nam->sa_len <= (4 + sizeof(struct sockaddr_un)))
++	        nam->sa_len = sizeof(struct sockaddr_un);	/* clip it */
++	    else
+ 		return (EINVAL);
++	};
+ 	len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
+ 	if (len <= 0)
+ 		return (EINVAL);
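Review bot: The clip branch added to uipc_bind (and repeated in unp_connect) shortens `sun_len`/`sa_len` to `sizeof(struct sockaddr_un)` without looking at the bytes it drops, so a caller whose pathname really uses the extra bytes binds or connects to a truncated name instead of getting `EINVAL`. Two different over-long names that share their leading bytes would then resolve to the same socket path. I would clip only when the NUL-terminated path fits in `sun_path`, using the same scan that 000_unix_socket_overflow.diff adds in linux_socket.c, and give the bare `4` a named constant tied to the 108-versus-104 difference stated in the patch header. The sketch below reuses `namelen`, which is declared outside the hunk, and assumes the sockaddr buffer holds at least `sun_len` bytes, which the visible lines do not show; unp_connect needs the same change on `nam->sa_len`. Separately, the log message and changelog entry name this file 918_unix_socket_overflow.diff, while the added file and the series entry are 919_unix_socket_overflow.diff.

```c
	if (soun->sun_len > sizeof(struct sockaddr_un)) {
		if (soun->sun_len > sizeof(struct sockaddr_un) + 4)
			return (EINVAL);
		/* Accept the legacy length only if the pathname itself fits. */
		for (namelen = 0;
		    namelen < soun->sun_len - offsetof(struct sockaddr_un, sun_path);
		    namelen++) {
			if (soun->sun_path[namelen] == '\0')
				break;
		}
		if (namelen > sizeof(soun->sun_path))
			return (EINVAL);
		soun->sun_len = sizeof(struct sockaddr_un);	/* clip it */
	}
	/* … unchanged: namelen computation and the namelen <= 0 check … */
```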

Modified: branches/squeeze/kfreebsd-8/debian/patches/series
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/series	2011-10-19 07:26:17 UTC (rev 3745)
+++ branches/squeeze/kfreebsd-8/debian/patches/series	2011-10-19 07:31:56 UTC (rev 3746)
@@ -5,6 +5,7 @@
 000_tcp_usrreq.diff
 000_net80211_disclosure.diff
 000_msk_backport.diff
+000_unix_socket_overflow.diff
 001_misc.diff
 003_glibc_dev_aicasm.diff
 004_xargs.diff
@@ -35,6 +36,7 @@
 916_NKPT_amd64.diff
 917_track_alignment.diff
 #918_delete_key.diff
+919_unix_socket_overflow.diff
 950_no_stack_protector.diff
 999_config.diff
 999_firmware.diff



