[Glibc-bsd-commits] r5657 - in branches/wheezy/kfreebsd-9/debian: . patches

stevenc-guest at alioth.debian.org stevenc-guest at alioth.debian.org
Tue Oct 21 21:43:40 UTC 2014


Author: stevenc-guest
Date: 2014-10-21 21:43:40 +0000 (Tue, 21 Oct 2014)
New Revision: 5657

Added:
   branches/wheezy/kfreebsd-9/debian/patches/SA-14_22.namei.patch
Modified:
   branches/wheezy/kfreebsd-9/debian/changelog
   branches/wheezy/kfreebsd-9/debian/patches/series
Log:
Pick SVN 273412 from FreeBSD 9-STABLE to fix SA-14:22 / CVE-2014-3711:
Memory leak in sandboxed namei lookup (Closes: #766275)


Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog	2014-10-21 21:06:03 UTC (rev 5656)
+++ branches/wheezy/kfreebsd-9/debian/changelog	2014-10-21 21:43:40 UTC (rev 5657)
@@ -1,11 +1,12 @@
-kfreebsd-9 (9.0-10+deb70.8) UNRELEASED; urgency=low
+kfreebsd-9 (9.0-10+deb70.8) UNRELEASED; urgency=high
 
   * Team upload.
-  * Pick SVN 268432 from FreeBSD 9-STABLE to fix SA-14:17:
-    - kernel memory disclosure in sockbuf control message
-      (CVE-2014-3952) (Closes: #754236))
+  * Pick SVN 268432 from FreeBSD 9-STABLE to fix SA-14:17 / CVE-2014-3952:
+    kernel memory disclosure in sockbuf control message (Closes: #754236)
   * Disable SCTP since it was unsupported yet in userland and has
     security issues (CVE-2014-3953)
+  * Pick SVN 273412 from FreeBSD 9-STABLE to fix SA-14:22 / CVE-2014-3711:
+    Memory leak in sandboxed namei lookup (Closes: #766275)
  -- Steven Chamberlain <steven at pyro.eu.org>  Tue, 08 Jul 2014 23:03:16 +0000
 
 kfreebsd-9 (9.0-10+deb70.7) wheezy-security; urgency=high

Added: branches/wheezy/kfreebsd-9/debian/patches/SA-14_22.namei.patch
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/SA-14_22.namei.patch	                        (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/SA-14_22.namei.patch	2014-10-21 21:43:40 UTC (rev 5657)
@@ -0,0 +1,104 @@
+Description:
+ Fix memory leak in sandboxed namei lookup. [SA-14:22]
+ (CVE-2014-3711)
+Origin: vendor, http://security.freebsd.org/patches/SA-14:22/namei-9.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-14:22.namei.asc
+Bug-Debian: http://bugs.debian.org/766275
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=273412
+
+--- a/sys/kern/vfs_lookup.c
++++ b/sys/kern/vfs_lookup.c
+@@ -121,6 +121,16 @@
+  *		if symbolic link, massage name in buffer and continue
+  *	}
+  */
++static void
++namei_cleanup_cnp(struct componentname *cnp)
++{
++	uma_zfree(namei_zone, cnp->cn_pnbuf);
++#ifdef DIAGNOSTIC
++	cnp->cn_pnbuf = NULL;
++	cnp->cn_nameptr = NULL;
++#endif
++}
++
+ int
+ namei(struct nameidata *ndp)
+ {
+@@ -193,11 +203,7 @@
+ 	}
+ #endif
+ 	if (error) {
+-		uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+-		cnp->cn_pnbuf = NULL;
+-		cnp->cn_nameptr = NULL;
+-#endif
++		namei_cleanup_cnp(cnp);
+ 		ndp->ni_vp = NULL;
+ 		return (error);
+ 	}
+@@ -251,11 +257,7 @@
+ 			}
+ 		}
+ 		if (error) {
+-			uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+-			cnp->cn_pnbuf = NULL;
+-			cnp->cn_nameptr = NULL;
+-#endif
++			namei_cleanup_cnp(cnp);
+ 			return (error);
+ 		}
+ 	}
+@@ -281,8 +283,10 @@
+ 		if (*(cnp->cn_nameptr) == '/') {
+ 			vrele(dp);
+ 			VFS_UNLOCK_GIANT(vfslocked);
+-			if (ndp->ni_strictrelative != 0)
++			if (ndp->ni_strictrelative != 0) {
++				namei_cleanup_cnp(cnp);
+ 				return (ENOTCAPABLE);
++			}
+ 			while (*(cnp->cn_nameptr) == '/') {
+ 				cnp->cn_nameptr++;
+ 				ndp->ni_pathlen--;
+@@ -296,11 +300,7 @@
+ 		ndp->ni_startdir = dp;
+ 		error = lookup(ndp);
+ 		if (error) {
+-			uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+-			cnp->cn_pnbuf = NULL;
+-			cnp->cn_nameptr = NULL;
+-#endif
++			namei_cleanup_cnp(cnp);
+ 			SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0,
+ 			    0, 0);
+ 			return (error);
+@@ -312,11 +312,7 @@
+ 		 */
+ 		if ((cnp->cn_flags & ISSYMLINK) == 0) {
+ 			if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
+-				uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+-				cnp->cn_pnbuf = NULL;
+-				cnp->cn_nameptr = NULL;
+-#endif
++				namei_cleanup_cnp(cnp);
+ 			} else
+ 				cnp->cn_flags |= HASBUF;
+ 
+@@ -382,11 +378,7 @@
+ 		vput(ndp->ni_vp);
+ 		dp = ndp->ni_dvp;
+ 	}
+-	uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+-	cnp->cn_pnbuf = NULL;
+-	cnp->cn_nameptr = NULL;
+-#endif
++	namei_cleanup_cnp(cnp);
+ 	vput(ndp->ni_vp);
+ 	ndp->ni_vp = NULL;
+ 	vrele(ndp->ni_dvp);
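Review bot: `namei_cleanup_cnp()` has no comment of its own and is placed between the block comment that ends just above it and `namei()`, so that comment (which, judging by its visible tail, describes the lookup loop) now reads as the helper's documentation. I would move the helper above that comment or give it a one-line header such as `/* Free cnp->cn_pnbuf back to namei_zone; call on every namei() exit that does not hand the buffer to the caller (HASBUF). */`. The contract is worth spelling out because the leak fixed here was an early return, the `ni_strictrelative` / `ENOTCAPABLE` path in the `@@ -281,8 +283,10 @@` hunk, that skipped the free, and the fix still depends on each return path remembering the call. Separately, the helper clears `cn_pnbuf` and `cn_nameptr` only under `DIAGNOSTIC`, so on other kernels the pointers stay stale after the free. Whether any caller can reach them again is not visible in these hunks, since `namei()` starts and ends outside them.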

Modified: branches/wheezy/kfreebsd-9/debian/patches/series
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/series	2014-10-21 21:06:03 UTC (rev 5656)
+++ branches/wheezy/kfreebsd-9/debian/patches/series	2014-10-21 21:43:40 UTC (rev 5657)
@@ -22,6 +22,7 @@
 SA-14_08.tcp.patch
 EN-14_06.exec.patch
 SA-14_17.kern.patch
+SA-14_22.namei.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff



