[Glibc-bsd-commits] r5693 - in trunk/kfreebsd-10/debian: . patches
stevenc-guest at alioth.debian.org
Tue Jan 27 20:40:22 UTC 2015
Author: stevenc-guest
Date: 2015-01-27 20:40:22 +0000 (Tue, 27 Jan 2015)
New Revision: 5693
Added:
trunk/kfreebsd-10/debian/patches/SA-15_02.kmem.patch
trunk/kfreebsd-10/debian/patches/SA-15_03.sctp.patch
Modified:
trunk/kfreebsd-10/debian/changelog
trunk/kfreebsd-10/debian/patches/series
Log:
Pick SVN r277808 from FreeBSD 10.1-RELEASE to fix:
- SA-15:02: SCTP SCTP_SS_VALUE kernel memory corruption and
disclosure vulnerability (CVE-2014-8612) (Closes: #776415)
- SA-15:03: SCTP stream reset vulnerability (CVE-2014-8613)
(Closes: #776416)
Modified: trunk/kfreebsd-10/debian/changelog
===================================================================
--- trunk/kfreebsd-10/debian/changelog 2015-01-27 20:06:31 UTC (rev 5692)
+++ trunk/kfreebsd-10/debian/changelog 2015-01-27 20:40:22 UTC (rev 5693)
@@ -1,5 +1,10 @@
kfreebsd-10 (10.1~svn274115-2) UNRELEASED; urgency=medium
+ * Pick SVN r277808 from FreeBSD 10.1-RELEASE to fix:
+ - SA-15:02: SCTP SCTP_SS_VALUE kernel memory corruption and
+ disclosure vulnerability (CVE-2014-8612) (Closes: #776415)
+ - SA-15:03: SCTP stream reset vulnerability (CVE-2014-8613)
+ (Closes: #776416)
* Build kernel images only on kfreebsd-any arches, so that any
security or other RC-severity kernel bugs will not affect the
official jessie release
Added: trunk/kfreebsd-10/debian/patches/SA-15_02.kmem.patch
===================================================================
--- trunk/kfreebsd-10/debian/patches/SA-15_02.kmem.patch (rev 0)
+++ trunk/kfreebsd-10/debian/patches/SA-15_02.kmem.patch 2015-01-27 20:40:22 UTC (rev 5693)
@@ -0,0 +1,51 @@
+Description:
+ Fix SCTP SCTP_SS_VALUE kernel memory corruption and
+ disclosure vulnerability [SA-15:02] (CVE-2014-8612)
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
+Bug: https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc
+Bug-Debian: https://bugs.debian.org/776415
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=277808
+
+--- a/sys/netinet/sctp_usrreq.c
++++ b/sys/netinet/sctp_usrreq.c
+@@ -1854,8 +1854,9 @@
+ SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize);
+ SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ if (stcb) {
+- if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+- &av->stream_value) < 0) {
++ if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
++ (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
++ &av->stream_value) < 0)) {
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ error = EINVAL;
+ } else {
+@@ -3915,8 +3916,9 @@
+ SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize);
+ SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ if (stcb) {
+- if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+- av->stream_value) < 0) {
++ if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
++ (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
++ av->stream_value) < 0)) {
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ error = EINVAL;
+ }
+@@ -3926,10 +3928,12 @@
+ SCTP_INP_RLOCK(inp);
+ LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
+ SCTP_TCB_LOCK(stcb);
+- stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
+- &stcb->asoc,
+- &stcb->asoc.strmout[av->stream_id],
+- av->stream_value);
++ if (av->stream_id < stcb->asoc.streamoutcnt) {
++ stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
++ &stcb->asoc,
++ &stcb->asoc.strmout[av->stream_id],
++ av->stream_value);
++ }
+ SCTP_TCB_UNLOCK(stcb);
+ }
+ SCTP_INP_RUNLOCK(inp);
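Review bot: The third hunk of this patch handles an out-of-range `stream_id` differently from the first two: the per-association get/set paths now return EINVAL, but the walk over `inp->sctp_asoc_list` silently skips any association whose `streamoutcnt` is too small and the call still succeeds. That is a defensible choice for an all-associations setsockopt, but nothing in the hunk says it is deliberate; a one-line comment above the new `if`, `/* skip associations with fewer outbound streams than stream_id; the call is not failed */`, would stop a later reader from "fixing" it into an EINVAL. The bound check presumably relies on `streamoutcnt` being the allocated length of `strmout` and on `stream_id` being unsigned, so `>=` alone covers both ends of the range — worth confirming against `struct sctp_stream_value` when refreshing the patch. The enclosing getsockopt/setsockopt bodies start and end outside the quoted hunks.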
Added: trunk/kfreebsd-10/debian/patches/SA-15_03.sctp.patch
===================================================================
--- trunk/kfreebsd-10/debian/patches/SA-15_03.sctp.patch (rev 0)
+++ trunk/kfreebsd-10/debian/patches/SA-15_03.sctp.patch 2015-01-27 20:40:22 UTC (rev 5693)
@@ -0,0 +1,123 @@
+Description:
+ Fix SCTP stream reset vulnerability [SA-15:03] (CVE-2014-8613)
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:03/sctp.patch
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:03.sctp.asc
+Bug-Debian: https://bugs.debian.org/776416
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=277808
+
+--- a/sys/netinet/sctp_input.c 2015/01/27 19:36:08 277807
++++ b/sys/netinet/sctp_input.c 2015/01/27 19:37:02 277808
+@@ -3664,6 +3664,9 @@
+ /* huh ? */
+ return (0);
+ }
++ if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) {
++ return (0);
++ }
+ if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
+ resp = (struct sctp_stream_reset_response_tsn *)respin;
+ asoc->stream_reset_outstanding--;
+@@ -4052,7 +4055,7 @@
+ sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
+ struct sctp_chunkhdr *ch_req)
+ {
+- int chk_length, param_len, ptype;
++ uint16_t remaining_length, param_len, ptype;
+ struct sctp_paramhdr pstore;
+ uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
+ uint32_t seq = 0;
+@@ -4065,7 +4068,7 @@
+ int num_param = 0;
+
+ /* now it may be a reset or a reset-response */
+- chk_length = ntohs(ch_req->chunk_length);
++ remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);
+
+ /* setup for adding the response */
+ sctp_alloc_a_chunk(stcb, chk);
+@@ -4103,20 +4106,27 @@
+ ch->chunk_length = htons(chk->send_size);
+ SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
+ offset += sizeof(struct sctp_chunkhdr);
+- while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
++ while (remaining_length >= sizeof(struct sctp_paramhdr)) {
+ ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
+- if (ph == NULL)
++ if (ph == NULL) {
++ /* TSNH */
+ break;
++ }
+ param_len = ntohs(ph->param_length);
+- if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
+- /* bad param */
++ if ((param_len > remaining_length) ||
++ (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) {
++ /* bad parameter length */
+ break;
+ }
+- ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
++ ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)),
+ (uint8_t *) & cstore);
++ if (ph == NULL) {
++ /* TSNH */
++ break;
++ }
+ ptype = ntohs(ph->param_type);
+ num_param++;
+- if (param_len > (int)sizeof(cstore)) {
++ if (param_len > sizeof(cstore)) {
+ trunc = 1;
+ } else {
+ trunc = 0;
+@@ -4128,6 +4138,9 @@
+ if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
+ struct sctp_stream_reset_out_request *req_out;
+
++ if (param_len < sizeof(struct sctp_stream_reset_out_request)) {
++ break;
++ }
+ req_out = (struct sctp_stream_reset_out_request *)ph;
+ num_req++;
+ if (stcb->asoc.stream_reset_outstanding) {
+@@ -4141,12 +4154,18 @@
+ } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) {
+ struct sctp_stream_reset_add_strm *str_add;
+
++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
++ break;
++ }
+ str_add = (struct sctp_stream_reset_add_strm *)ph;
+ num_req++;
+ sctp_handle_str_reset_add_strm(stcb, chk, str_add);
+ } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) {
+ struct sctp_stream_reset_add_strm *str_add;
+
++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
++ break;
++ }
+ str_add = (struct sctp_stream_reset_add_strm *)ph;
+ num_req++;
+ sctp_handle_str_reset_add_out_strm(stcb, chk, str_add);
+@@ -4171,6 +4190,9 @@
+ struct sctp_stream_reset_response *resp;
+ uint32_t result;
+
++ if (param_len < sizeof(struct sctp_stream_reset_response)) {
++ break;
++ }
+ resp = (struct sctp_stream_reset_response *)ph;
+ seq = ntohl(resp->response_seq);
+ result = ntohl(resp->result);
+@@ -4182,7 +4204,11 @@
+ break;
+ }
+ offset += SCTP_SIZE32(param_len);
+- chk_length -= SCTP_SIZE32(param_len);
++ if (remaining_length >= SCTP_SIZE32(param_len)) {
++ remaining_length -= SCTP_SIZE32(param_len);
++ } else {
++ remaining_length = 0;
++ }
+ }
+ if (num_req == 0) {
+ /* we have no response free the stuff */
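Review bot: `remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);` in the second hunk of the sctp_handle_stream_reset change has no guard of its own: if `chunk_length` is ever below `sizeof(struct sctp_chunkhdr)` the result is stored into a `uint16_t` and wraps to a large value, and the new `remaining_length >= sizeof(struct sctp_paramhdr)` loop bound then admits parameters well past the chunk. The chunk dispatcher in this file most likely rejects such short chunks before calling this function, but the hunk does not show that, so the precondition should at least be stated, `/* caller has verified chunk_length >= sizeof(struct sctp_chunkhdr) */`, or enforced locally with `if (ntohs(ch_req->chunk_length) < sizeof(struct sctp_chunkhdr)) { return; }` ahead of the subtraction if the dispatcher does not. The later hunks (per-type `param_len < sizeof(...)` checks and the clamped `remaining_length -= SCTP_SIZE32(param_len)`) look consistent with that bound once it holds. The function body continues past the last hunk shown.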
Modified: trunk/kfreebsd-10/debian/patches/series
===================================================================
--- trunk/kfreebsd-10/debian/patches/series 2015-01-27 20:06:31 UTC (rev 5692)
+++ trunk/kfreebsd-10/debian/patches/series 2015-01-27 20:40:22 UTC (rev 5693)
@@ -36,3 +36,7 @@
999_config.diff
aicasm-parallel-build-dependencies.diff
ath9k-linux.diff
+
+# Security patches
+SA-15_02.kmem.patch
+SA-15_03.sctp.patch