[Glibc-bsd-commits] r3746 - in branches/squeeze/kfreebsd-8/debian: . patches
Aurelien Jarno
aurel32 at alioth.debian.org
Wed Oct 19 07:31:56 UTC 2011
Author: aurel32
Date: 2011-10-19 07:31:56 +0000 (Wed, 19 Oct 2011)
New Revision: 3746
Added:
branches/squeeze/kfreebsd-8/debian/patches/000_unix_socket_overflow.diff
branches/squeeze/kfreebsd-8/debian/patches/919_unix_socket_overflow.diff
Modified:
branches/squeeze/kfreebsd-8/debian/changelog
branches/squeeze/kfreebsd-8/debian/patches/series
Log:
* Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
Fix for FreeBSD-SA-11:05.unix / CVE-2011-xxxx. (Closes: #645377)
Modified: branches/squeeze/kfreebsd-8/debian/changelog
===================================================================
--- branches/squeeze/kfreebsd-8/debian/changelog 2011-10-19 07:26:17 UTC (rev 3745)
+++ branches/squeeze/kfreebsd-8/debian/changelog 2011-10-19 07:31:56 UTC (rev 3746)
@@ -1,3 +1,10 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low
+
+ * Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
+ Fix for FreeBSD-SA-11:05.unix / CVE-2011-xxxx. (Closes: #645377)
+
+ -- Aurelien Jarno <aurel32 at debian.org> Tue, 18 Oct 2011 00:08:38 +0200
+
kfreebsd-8 (8.1+dfsg-8+squeeze1) stable; urgency=low
* Fix net802.11 stack kernel memory disclosure (CVE-2011-2480).
Added: branches/squeeze/kfreebsd-8/debian/patches/000_unix_socket_overflow.diff
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/000_unix_socket_overflow.diff (rev 0)
+++ branches/squeeze/kfreebsd-8/debian/patches/000_unix_socket_overflow.diff 2011-10-19 07:31:56 UTC (rev 3746)
@@ -0,0 +1,51 @@
+--- a/sys/kern/uipc_usrreq.c
++++ b/sys/kern/uipc_usrreq.c
+@@ -419,6 +419,8 @@
+ unp = sotounpcb(so);
+ KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
+
++ if (soun->sun_len > sizeof(struct sockaddr_un))
++ return (EINVAL);
+ namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
+ if (namelen <= 0)
+ return (EINVAL);
+@@ -1165,6 +1167,8 @@
+ unp = sotounpcb(so);
+ KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
+
++ if (nam->sa_len > sizeof(struct sockaddr_un))
++ return (EINVAL);
+ len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
+ if (len <= 0)
+ return (EINVAL);
+--- a/sys/compat/linux/linux_socket.c
++++ b/sys/compat/linux/linux_socket.c
+@@ -103,6 +103,7 @@
+ int oldv6size;
+ struct sockaddr_in6 *sin6;
+ #endif
++ int namelen;
+
+ if (*osalen < 2 || *osalen > UCHAR_MAX || !osa)
+ return (EINVAL);
+@@ -165,6 +166,20 @@
+ }
+ }
+
++ if ((bdom == AF_LOCAL) && (*osalen > sizeof(struct sockaddr_un))) {
++ for (namelen = 0;
++ namelen < *osalen - offsetof(struct sockaddr_un, sun_path);
++ namelen++)
++ if (!((struct sockaddr_un *)kosa)->sun_path[namelen])
++ break;
++ if (namelen + offsetof(struct sockaddr_un, sun_path) >
++ sizeof(struct sockaddr_un)) {
++ error = EINVAL;
++ goto out;
++ }
++ alloclen = sizeof(struct sockaddr_un);
++ }
++
+ sa = (struct sockaddr *) kosa;
+ sa->sa_family = bdom;
+ sa->sa_len = alloclen;
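Review bot: In the linux_socket.c hunk the scan reads `((struct sockaddr_un *)kosa)->sun_path[namelen]` for up to `*osalen - offsetof(struct sockaddr_un, sun_path)` bytes, which runs past the declared `sun_path` array. That is only safe if `kosa` holds at least `*osalen` copied-in bytes; the allocation and copy are outside the visible lines, so this should be confirmed. The loop could stop as soon as `namelen` exceeds `sizeof(((struct sockaddr_un *)kosa)->sun_path)`, because the test that follows rejects any longer name anyway. `namelen` is an `int` compared against a `size_t` expression, so declaring it `size_t namelen;` would avoid the mixed-sign comparison. The `for` body would also benefit from braces and a comment such as `/* accept an oversized Linux sockaddr_un only if the NUL-terminated path fits the native struct */`.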
Added: branches/squeeze/kfreebsd-8/debian/patches/919_unix_socket_overflow.diff
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/919_unix_socket_overflow.diff (rev 0)
+++ branches/squeeze/kfreebsd-8/debian/patches/919_unix_socket_overflow.diff 2011-10-19 07:31:56 UTC (rev 3746)
@@ -0,0 +1,33 @@
+See #645527.
+
+Our former userspace allows 108 bytes in sun_path,
+but kernel restrict it to 104 bytes.
+
+--- a/sys/kern/uipc_usrreq.c
++++ b/sys/kern/uipc_usrreq.c
+@@ -420,7 +420,12 @@
+ KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
+
+ if (soun->sun_len > sizeof(struct sockaddr_un))
++ {
++ if (soun->sun_len <= (4 + sizeof(struct sockaddr_un)))
++ soun->sun_len = sizeof(struct sockaddr_un); /* clip it */
++ else
+ return (EINVAL);
++ };
+ namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
+ if (namelen <= 0)
+ return (EINVAL);
+@@ -1168,7 +1173,12 @@
+ KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
+
+ if (nam->sa_len > sizeof(struct sockaddr_un))
++ {
++ if (nam->sa_len <= (4 + sizeof(struct sockaddr_un)))
++ nam->sa_len = sizeof(struct sockaddr_un); /* clip it */
++ else
+ return (EINVAL);
++ };
+ len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
+ if (len <= 0)
+ return (EINVAL);
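Review bot: Both hunks silently clip `sun_len` / `sa_len` to `sizeof(struct sockaddr_un)` when the caller passes up to 4 extra bytes, so a name that really occupies bytes 105–108 of the old userland `sun_path` would presumably be bound or connected under a truncated path rather than rejected. The code that consumes `namelen` / `len` is outside these hunks, so that effect is inferred. Clipping only when a NUL terminator is found within the kernel-sized `sun_path`, as the scan added to linux_socket.c in 000_unix_socket_overflow.diff does, and returning `EINVAL` otherwise, would keep the compatibility case without changing which path is used. The bare `4` should be explained next to the test, for example `/* old userland declares sun_path[108], the kernel 104: tolerate the 4-byte difference */`. The `};` after each new block leaves an empty statement, and the brace on its own line differs from the surrounding style.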
Modified: branches/squeeze/kfreebsd-8/debian/patches/series
===================================================================
--- branches/squeeze/kfreebsd-8/debian/patches/series 2011-10-19 07:26:17 UTC (rev 3745)
+++ branches/squeeze/kfreebsd-8/debian/patches/series 2011-10-19 07:31:56 UTC (rev 3746)
@@ -5,6 +5,7 @@
000_tcp_usrreq.diff
000_net80211_disclosure.diff
000_msk_backport.diff
+000_unix_socket_overflow.diff
001_misc.diff
003_glibc_dev_aicasm.diff
004_xargs.diff
@@ -35,6 +36,7 @@
916_NKPT_amd64.diff
917_track_alignment.diff
#918_delete_key.diff
+919_unix_socket_overflow.diff
950_no_stack_protector.diff
999_config.diff
999_firmware.diff
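Review bot: The entry added here is `919_unix_socket_overflow.diff`, matching the file this revision adds, but the debian/changelog entry and the commit log both name `918_unix_socket_overflow.diff`. One of the two should be corrected so the changelog points at the patch that is actually applied. 919 edits lines that 000_unix_socket_overflow.diff introduces, so it has to stay after that patch in this list, as it does here.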