[Glibc-bsd-commits] r5483 - in branches/wheezy/kfreebsd-9/debian: . patches

stevenc-guest at alioth.debian.org stevenc-guest at alioth.debian.org
Mon Jun 2 13:14:58 UTC 2014


Author: stevenc-guest
Date: 2014-06-02 13:14:58 +0000 (Mon, 02 Jun 2014)
New Revision: 5483

Added:
   branches/wheezy/kfreebsd-9/debian/patches/EN-14_06.execve.patch
   branches/wheezy/kfreebsd-9/debian/patches/SA-14_08.tcp.patch
Modified:
   branches/wheezy/kfreebsd-9/debian/changelog
   branches/wheezy/kfreebsd-9/debian/patches/series
Log:
Amend proposed 9.0-10+deb70.7 wheezy-security upload to add:
* SVN 265123 from FreeBSD 9-STABLE to fix SA-14:08 / CVE-2014-3000:
  TCP reassembly vulnerability (Closes: #746951)
* SVN 266585 from FreeBSD 9-STABLE to fix EN-14:06 / CVE-2014-3880:
  Triple fault on execve from 64-bit thread to 32-bit process
  (Closes: #743141)


Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog	2014-05-25 01:47:07 UTC (rev 5482)
+++ branches/wheezy/kfreebsd-9/debian/changelog	2014-06-02 13:14:58 UTC (rev 5483)
@@ -1,8 +1,14 @@
 kfreebsd-9 (9.0-10+deb70.7) UNRELEASED; urgency=high
 
   * Team upload.
+  * Upload for wheezy-security
   * Pick SVN 264285 from FreeBSD 9-STABLE to fix SA-14:05 / CVE-2014-1453:
-    Deadlock in the NFS server
+    Deadlock in the NFS server (Closes: #743984)
+  * Pick SVN 265123 from FreeBSD 9-STABLE to fix SA-14:08 / CVE-2014-3000:
+    TCP reassembly vulnerability (Closes: #746951)
+  * Pick SVN 266585 from FreeBSD 9-STABLE to fix EN-14:06 / CVE-2014-3880:
+    Triple fault on execve from 64-bit thread to 32-bit process
+    (Closes: 743141)
 
  -- Steven Chamberlain <steven at pyro.eu.org>  Tue, 08 Apr 2014 23:41:22 +0000
 

Added: branches/wheezy/kfreebsd-9/debian/patches/EN-14_06.execve.patch
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/EN-14_06.execve.patch	                        (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/EN-14_06.execve.patch	2014-06-02 13:14:58 UTC (rev 5483)
@@ -0,0 +1,69 @@
+Description:
+ Fix triple fault on execve from 64-bit thread to 32-bit process. [EN-14:06]
+ (CVE-2014-3880)
+Origin: backport, commit:266585
+Bug-Debian: http://bugs.debian.org/743141
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=266585
+
+--- kfreebsd-9-9.0.orig/sys/sys/proc.h
++++ kfreebsd-9-9.0/sys/sys/proc.h
+@@ -412,6 +412,7 @@
+ #define	TDP_CALLCHAIN	0x00400000 /* Capture thread's callchain */
+ #define	TDP_IGNSUSP	0x00800000 /* Permission to ignore the MNTK_SUSPEND* */
+ #define	TDP_AUDITREC	0x01000000 /* Audit record pending on thread */
++#define	TDP_EXECVMSPC	0x40000000 /* Execve destroyed old vmspace */
+ 
+ /*
+  * Reasons that the current thread can not be run yet.
+--- kfreebsd-9-9.0.orig/sys/kern/kern_exec.c
++++ kfreebsd-9-9.0/sys/kern/kern_exec.c
+@@ -279,6 +279,7 @@
+ 	struct mac *mac_p;
+ {
+ 	struct proc *p = td->td_proc;
++	struct vmspace *oldvmspace;
+ 	int error;
+ 
+ 	AUDIT_ARG_ARGV(args->begin_argv, args->argc,
+@@ -295,6 +296,8 @@
+ 		PROC_UNLOCK(p);
+ 	}
+ 
++	KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
++	oldvmspace = td->td_proc->p_vmspace;
+ 	error = do_execve(td, args, mac_p);
+ 
+ 	if (p->p_flag & P_HADTHREADS) {
+@@ -309,6 +312,12 @@
+ 			thread_single_end();
+ 		PROC_UNLOCK(p);
+ 	}
++	if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
++		KASSERT(td->td_proc->p_vmspace != oldvmspace,
++		    ("oldvmspace still used"));
++		vmspace_free(oldvmspace);
++		td->td_pflags &= ~TDP_EXECVMSPC;
++	}
+ 
+ 	return (error);
+ }
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c
++++ kfreebsd-9-9.0/sys/vm/vm_map.c
+@@ -3574,6 +3574,8 @@
+ 	struct vmspace *oldvmspace = p->p_vmspace;
+ 	struct vmspace *newvmspace;
+ 
++	KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
++	    ("vmspace_exec recursed"));
+ 	newvmspace = vmspace_alloc(minuser, maxuser);
+ 	if (newvmspace == NULL)
+ 		return (ENOMEM);
+@@ -3590,7 +3592,7 @@
+ 	PROC_VMSPACE_UNLOCK(p);
+ 	if (p == curthread->td_proc)
+ 		pmap_activate(curthread);
+-	vmspace_free(oldvmspace);
++	curthread->td_pflags |= TDP_EXECVMSPC;
+ 	return (0);
+ }
+ 
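Review bot: vmspace_exec now hands the reference on the old vmspace back to its caller by setting TDP_EXECVMSPC instead of calling vmspace_free itself, but neither the new flag's comment in proc.h nor vmspace_exec states that contract, so any future caller of vmspace_exec that does not return through kern_execve would leak the old vmspace and leave the flag set on the thread (it is cleared only in kern_execve). Suggest a comment at `curthread->td_pflags |= TDP_EXECVMSPC;` such as `/* Caller (kern_execve) now owns the reference on oldvmspace and must vmspace_free() it. */`, and widening the proc.h comment to `/* Execve replaced old vmspace; kern_execve frees it */`. In kern_execve, `oldvmspace = td->td_proc->p_vmspace;` could use the local `p` bound a few lines earlier, matching the rest of the function. Note that the `oldvmspace != p_vmspace` mismatch is caught only by KASSERT, so on a kernel built without INVARIANTS the deferred vmspace_free relies entirely on that contract holding; both kern_execve and vmspace_exec continue beyond the hunk.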

Added: branches/wheezy/kfreebsd-9/debian/patches/SA-14_08.tcp.patch
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/SA-14_08.tcp.patch	                        (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/SA-14_08.tcp.patch	2014-06-02 13:14:58 UTC (rev 5483)
@@ -0,0 +1,37 @@
+Description:
+ Fix TCP reassembly vulnerability. [SA-14:08] (CVE-2014-3000)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:08/tcp.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:08.tcp.asc
+Bug-Debian: http://bugs.debian.org/746951
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=265123
+
+--- kfreebsd-9-9.0.orig/sys/netinet/tcp_reass.c
++++ kfreebsd-9-9.0/sys/netinet/tcp_reass.c
+@@ -211,7 +211,7 @@
+ 	 * Investigate why and re-evaluate the below limit after the behaviour
+ 	 * is understood.
+ 	 */
+-	if (th->th_seq != tp->rcv_nxt &&
++	if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ 	    tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+ 		V_tcp_reass_overflows++;
+ 		TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -234,7 +234,7 @@
+ 	 */
+ 	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ 	if (te == NULL) {
+-		if (th->th_seq != tp->rcv_nxt) {
++		if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ 			TCPSTAT_INC(tcps_rcvmemdrop);
+ 			m_freem(m);
+ 			*tlenp = 0;
+@@ -282,7 +282,8 @@
+ 				TCPSTAT_INC(tcps_rcvduppack);
+ 				TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ 				m_freem(m);
+-				uma_zfree(V_tcp_reass_zone, te);
++				if (te != &tqs)
++					uma_zfree(V_tcp_reass_zone, te);
+ 				tp->t_segqlen--;
+ 				/*
+ 				 * Try to present any queued data
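Review bot: Both guards now also reject in-sequence segments that arrive before the connection is ESTABLISHED, but the comment whose tail is visible above the first hunk still describes only the out-of-order queue limit and nothing in the hunk says why handshake-time data is treated this way. Since the third hunk shows `te` can be the stack entry `&tqs` on the duplicate path, the new condition presumably exists to keep a segment received before ESTABLISHED from ever taking that stack-entry fallback; a one-line comment at the first guard, for example `/* Also drop in-sequence data before ESTABLISHED (SA-14:08) */`, would record that. Any other `uma_zfree(V_tcp_reass_zone, ...)` sites in tcp_reass outside these hunks should be checked for the same `te != &tqs` guard. As this is the vendor patch carried verbatim (Origin: vendor), keeping it byte-identical is preferable to factoring out the repeated `!TCPS_HAVEESTABLISHED(tp->t_state)` test; tcp_reass's body continues outside the hunks.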

Modified: branches/wheezy/kfreebsd-9/debian/patches/series
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/series	2014-05-25 01:47:07 UTC (rev 5482)
+++ branches/wheezy/kfreebsd-9/debian/patches/series	2014-06-02 13:14:58 UTC (rev 5483)
@@ -19,6 +19,8 @@
 EN-14_02.mmap.patch
 fix_lseek_zfs.diff
 SA-14_05.nfsserver.patch
+SA-14_08.tcp.patch
+EN-14_06.execve.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff



