[Glibc-bsd-commits] r5483 - in branches/wheezy/kfreebsd-9/debian: . patches
stevenc-guest at alioth.debian.org
Mon Jun 2 13:14:58 UTC 2014
Author: stevenc-guest
Date: 2014-06-02 13:14:58 +0000 (Mon, 02 Jun 2014)
New Revision: 5483
Added:
branches/wheezy/kfreebsd-9/debian/patches/EN-14_06.execve.patch
branches/wheezy/kfreebsd-9/debian/patches/SA-14_08.tcp.patch
Modified:
branches/wheezy/kfreebsd-9/debian/changelog
branches/wheezy/kfreebsd-9/debian/patches/series
Log:
Amend proposed 9.0-10+deb70.7 wheezy-security upload to add:
* SVN 265123 from FreeBSD 9-STABLE to fix SA-14:08 / CVE-2014-3000:
TCP reassembly vulnerability (Closes: #746951)
* SVN 266585 from FreeBSD 9-STABLE to fix EN-14:06 / CVE-2014-3880:
Triple fault on execve from 64-bit thread to 32-bit process
(Closes: 743141)
Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog 2014-05-25 01:47:07 UTC (rev 5482)
+++ branches/wheezy/kfreebsd-9/debian/changelog 2014-06-02 13:14:58 UTC (rev 5483)
@@ -1,8 +1,14 @@
kfreebsd-9 (9.0-10+deb70.7) UNRELEASED; urgency=high
* Team upload.
+ * Upload for wheezy-security
* Pick SVN 264285 from FreeBSD 9-STABLE to fix SA-14:05 / CVE-2014-1453:
- Deadlock in the NFS server
+ Deadlock in the NFS server (Closes: #743984)
+ * Pick SVN 265123 from FreeBSD 9-STABLE to fix SA-14:08 / CVE-2014-3000:
+ TCP reassembly vulnerability (Closes: #746951)
+ * Pick SVN 266585 from FreeBSD 9-STABLE to fix EN-14:06 / CVE-2014-3880:
+ Triple fault on execve from 64-bit thread to 32-bit process
+ (Closes: 743141)
-- Steven Chamberlain <steven at pyro.eu.org> Tue, 08 Apr 2014 23:41:22 +0000
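Review bot: the new "(Closes: 743141)" line is missing the "#" that the two neighbouring entries use ("(Closes: #743984)", "(Closes: #746951)"); the Debian BTS regex tolerates it, but the entry reads as if the number were a revision rather than a bug, so make it "(Closes: #743141)". Also, the trailer line still carries the 08 Apr 2014 date from the earlier SA-14:05 draft while the entry remains UNRELEASED; run dch -r (or equivalent) to refresh the timestamp and set the distribution to wheezy-security before the upload so the changelog date is not older than the advisories it references.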
Added: branches/wheezy/kfreebsd-9/debian/patches/EN-14_06.execve.patch
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/EN-14_06.execve.patch (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/EN-14_06.execve.patch 2014-06-02 13:14:58 UTC (rev 5483)
@@ -0,0 +1,69 @@
+Description:
+ Fix triple fault on execve from 64-bit thread to 32-bit process. [EN-14:06]
+ (CVE-2014-3880)
+Origin: backport, commit:266585
+Bug-Debian: http://bugs.debian.org/743141
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=266585
+
+--- kfreebsd-9-9.0.orig/sys/sys/proc.h
++++ kfreebsd-9-9.0/sys/sys/proc.h
+@@ -412,6 +412,7 @@
+ #define TDP_CALLCHAIN 0x00400000 /* Capture thread's callchain */
+ #define TDP_IGNSUSP 0x00800000 /* Permission to ignore the MNTK_SUSPEND* */
+ #define TDP_AUDITREC 0x01000000 /* Audit record pending on thread */
++#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
+
+ /*
+ * Reasons that the current thread can not be run yet.
+--- kfreebsd-9-9.0.orig/sys/kern/kern_exec.c
++++ kfreebsd-9-9.0/sys/kern/kern_exec.c
+@@ -279,6 +279,7 @@
+ struct mac *mac_p;
+ {
+ struct proc *p = td->td_proc;
++ struct vmspace *oldvmspace;
+ int error;
+
+ AUDIT_ARG_ARGV(args->begin_argv, args->argc,
+@@ -295,6 +296,8 @@
+ PROC_UNLOCK(p);
+ }
+
++ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
++ oldvmspace = td->td_proc->p_vmspace;
+ error = do_execve(td, args, mac_p);
+
+ if (p->p_flag & P_HADTHREADS) {
+@@ -309,6 +312,12 @@
+ thread_single_end();
+ PROC_UNLOCK(p);
+ }
++ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
++ KASSERT(td->td_proc->p_vmspace != oldvmspace,
++ ("oldvmspace still used"));
++ vmspace_free(oldvmspace);
++ td->td_pflags &= ~TDP_EXECVMSPC;
++ }
+
+ return (error);
+ }
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c
++++ kfreebsd-9-9.0/sys/vm/vm_map.c
+@@ -3574,6 +3574,8 @@
+ struct vmspace *oldvmspace = p->p_vmspace;
+ struct vmspace *newvmspace;
+
++ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
++ ("vmspace_exec recursed"));
+ newvmspace = vmspace_alloc(minuser, maxuser);
+ if (newvmspace == NULL)
+ return (ENOMEM);
+@@ -3590,7 +3592,7 @@
+ PROC_VMSPACE_UNLOCK(p);
+ if (p == curthread->td_proc)
+ pmap_activate(curthread);
+- vmspace_free(oldvmspace);
++ curthread->td_pflags |= TDP_EXECVMSPC;
+ return (0);
+ }
+
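Review bot: the deferred vmspace_free(oldvmspace) in kern_execve() only runs on the return path from do_execve(), so confirm that every path out of do_execve() after vmspace_exec() has succeeded actually returns to kern_execve(); if the exec-committed failure path instead terminates the process inside do_execve(), the reference taken on oldvmspace is never dropped and TDP_EXECVMSPC stays set on the thread. That path is not visible in this hunk, so it should be checked against the 9.0 kern_exec.c before the upload (or the same deferred free added there). Two smaller points: the flag value 0x40000000 is non-contiguous with the 0x01000000 entry above it, which is fine if it mirrors the upstream r266585 value to avoid clashing with other 9-STABLE TDP_ bits, but a short comment saying so would spare the next backporter the question; and the three KASSERTs only fire with INVARIANTS, so the Debian kernel configs will not catch a nested-execve or recursed-vmspace_exec case at runtime, which is acceptable but worth knowing when reading bug reports.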
Added: branches/wheezy/kfreebsd-9/debian/patches/SA-14_08.tcp.patch
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/SA-14_08.tcp.patch (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/SA-14_08.tcp.patch 2014-06-02 13:14:58 UTC (rev 5483)
@@ -0,0 +1,37 @@
+Description:
+ Fix TCP reassembly vulnerability. [SA-14:08] (CVE-2014-3000)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:08/tcp.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:08.tcp.asc
+Bug-Debian: http://bugs.debian.org/746951
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=265123
+
+--- kfreebsd-9-9.0.orig/sys/netinet/tcp_reass.c
++++ kfreebsd-9-9.0/sys/netinet/tcp_reass.c
+@@ -211,7 +211,7 @@
+ * Investigate why and re-evaluate the below limit after the behaviour
+ * is understood.
+ */
+- if (th->th_seq != tp->rcv_nxt &&
++ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+ V_tcp_reass_overflows++;
+ TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -234,7 +234,7 @@
+ */
+ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ if (te == NULL) {
+- if (th->th_seq != tp->rcv_nxt) {
++ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ TCPSTAT_INC(tcps_rcvmemdrop);
+ m_freem(m);
+ *tlenp = 0;
+@@ -282,7 +282,8 @@
+ TCPSTAT_INC(tcps_rcvduppack);
+ TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ m_freem(m);
+- uma_zfree(V_tcp_reass_zone, te);
++ if (te != &tqs)
++ uma_zfree(V_tcp_reass_zone, te);
+ tp->t_segqlen--;
+ /*
+ * Try to present any queued data
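Review bot: the third hunk's new guard "if (te != &tqs)" before uma_zfree() refers to a stack-allocated "tqs" entry that is set up in the "te == NULL" branch, but neither the declaration of tqs nor the "te = &tqs" assignment appears in the context of these hunks; the patch is taken from the 9.2/8.x vendor patch, so verify that the 9.0 tcp_reass.c in this tree already has the stack-entry fallback (quilt push alone only proves that the context lines matched, not that the symbol exists), otherwise the build fails or, worse, the guard is a no-op. The first two hunks are straightforward: with "|| !TCPS_HAVEESTABLISHED(tp->t_state)" added, out-of-order segments are now refused before the connection is established, both at the queue-length limit and when the zone allocation fails, and both drops are counted under tcps_rcvmemdrop; that reuse of the memory-drop counter means a spike in tcps_rcvmemdrop after this upload can also reflect pre-ESTABLISHED drops, which is worth a line in the changelog or the patch Description for whoever reads netstat -s counters later.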
Modified: branches/wheezy/kfreebsd-9/debian/patches/series
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/series 2014-05-25 01:47:07 UTC (rev 5482)
+++ branches/wheezy/kfreebsd-9/debian/patches/series 2014-06-02 13:14:58 UTC (rev 5483)
@@ -19,6 +19,8 @@
EN-14_02.mmap.patch
fix_lseek_zfs.diff
SA-14_05.nfsserver.patch
+SA-14_08.tcp.patch
+EN-14_06.execve.patch
# Other patches that might or might not be mergeable
001_misc.diff
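Review bot: the two new entries are listed as SA-14_08.tcp.patch then EN-14_06.execve.patch, the reverse of the order in the changelog and the commit message; since they touch disjoint files (sys/netinet/tcp_reass.c versus sys/sys/proc.h, sys/kern/kern_exec.c and sys/vm/vm_map.c) the order does not affect the result, but keeping series in the same order as the changelog makes later audits easier. Either way, run quilt push -a on a clean unpack of 9.0-10 to confirm both apply without fuzz before tagging.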