[Glibc-bsd-commits] r5864 - in branches/jessie/kfreebsd-10/debian: . patches

stevenc-guest at alioth.debian.org stevenc-guest at alioth.debian.org
Mon Jan 18 02:41:20 UTC 2016


Author: stevenc-guest
Date: 2016-01-18 02:41:20 +0000 (Mon, 18 Jan 2016)
New Revision: 5864

Added:
   branches/jessie/kfreebsd-10/debian/patches/EN-16_02.pf.patch
   branches/jessie/kfreebsd-10/debian/patches/SA-16_01.sctp.patch
   branches/jessie/kfreebsd-10/debian/patches/SA-16_03.linux.patch
   branches/jessie/kfreebsd-10/debian/patches/SA-16_04.linux.patch
   branches/jessie/kfreebsd-10/debian/patches/SA-16_05.tcp.patch
Modified:
   branches/jessie/kfreebsd-10/debian/changelog
   branches/jessie/kfreebsd-10/debian/patches/series
Log:
Pick SVN r293894 from FreeBSD 10.1-RELEASE:
- EN-16:02: Fix invalid TCP checksums with pf(4). (Closes: #811282)
- SA-16:01: Fix SCTP ICMPv6 error message vulnerability.
  (CVE-2016-1879) (Closes: #811277)
- SA-16:03: Fix Linux compatibility layer incorrect futex handling.
  (CVE-2016-1880) (Closes: #811278)
- SA-16:04: Fix Linux compatibility layer setgroups(2) system call.
  (CVE-2016-1881) (Closes: #811279)
- SA-16:05: Fix TCP MD5 signature denial of service.
  (CVE-2016-1882) (Closes: #811280)


Modified: branches/jessie/kfreebsd-10/debian/changelog
===================================================================
--- branches/jessie/kfreebsd-10/debian/changelog	2015-12-15 02:33:04 UTC (rev 5863)
+++ branches/jessie/kfreebsd-10/debian/changelog	2016-01-18 02:41:20 UTC (rev 5864)
@@ -1,3 +1,18 @@
+kfreebsd-10 (10.1~svn274115-4+kbsd8u2) UNRELEASED; urgency=high
+
+  * Pick SVN r293894 from FreeBSD 10.1-RELEASE:
+    - EN-16:02: Fix invalid TCP checksums with pf(4). (Closes: #811282)
+    - SA-16:01: Fix SCTP ICMPv6 error message vulnerability.
+      (CVE-2016-1879) (Closes: #811277)
+    - SA-16:03: Fix Linux compatibility layer incorrect futex handling.
+      (CVE-2016-1880) (Closes: #811278)
+    - SA-16:04: Fix Linux compatibility layer setgroups(2) system call.
+      (CVE-2016-1881) (Closes: #811279)
+    - SA-16:05: Fix TCP MD5 signature denial of service.
+      (CVE-2016-1882) (Closes: #811280)
+
+ -- Steven Chamberlain <steven at pyro.eu.org>  Mon, 18 Jan 2016 02:35:16 +0000
+
 kfreebsd-10 (10.1~svn274115-4+kbsd8u1) jessie-kfreebsd; urgency=high
 
   * Create tarballs of upstream source, and of the kfreebsd-source

Added: branches/jessie/kfreebsd-10/debian/patches/EN-16_02.pf.patch
===================================================================
--- branches/jessie/kfreebsd-10/debian/patches/EN-16_02.pf.patch	                        (rev 0)
+++ branches/jessie/kfreebsd-10/debian/patches/EN-16_02.pf.patch	2016-01-18 02:41:20 UTC (rev 5864)
@@ -0,0 +1,399 @@
+Description:
+ Fix invalid TCP checksums with pf(4).
+ Errata:		FreeBSD-EN-16:02.pf
+Origin: vendor
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-EN-16:02.pf.asc
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=293894
+
+--- a/sys/net/pfvar.h
++++ b/sys/net/pfvar.h
+@@ -1558,6 +1558,8 @@
+ extern void			 pf_print_flags(u_int8_t);
+ extern u_int16_t		 pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
+ 				    u_int8_t);
++extern u_int16_t		 pf_proto_cksum_fixup(struct mbuf *, u_int16_t,
++				    u_int16_t, u_int16_t, u_int8_t);
+ 
+ VNET_DECLARE(struct ifnet *,		 sync_ifp);
+ #define	V_sync_ifp		 	 VNET(sync_ifp);
+@@ -1582,6 +1584,9 @@
+ void   *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
+ 	    sa_family_t);
+ void	pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
++void	pf_change_proto_a(struct mbuf *, void *, u_int16_t *, u_int32_t,
++	    u_int8_t);
++void	pf_change_tcp_a(struct mbuf *, void *, u_int16_t *, u_int32_t);
+ void	pf_send_deferred_syn(struct pf_state *);
+ int	pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
+ 	    struct pf_addr *, sa_family_t);
+--- a/sys/netinet6/ip6_output.c
++++ b/sys/netinet6/ip6_output.c
+@@ -184,7 +184,7 @@
+ 	}\
+     } while (/*CONSTCOND*/ 0)
+ 
+-static void
++void
+ in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset)
+ {
+ 	u_short csum;
+--- a/sys/netinet6/ip6_var.h
++++ b/sys/netinet6/ip6_var.h
+@@ -456,6 +456,7 @@
+ 	    struct rtentry **, u_int);
+ u_int32_t ip6_randomid(void);
+ u_int32_t ip6_randomflowlabel(void);
++void in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset);
+ #endif /* _KERNEL */
+ 
+ #endif /* !_NETINET6_IP6_VAR_H_ */
+--- a/sys/netpfil/pf/pf.c
++++ b/sys/netpfil/pf/pf.c
+@@ -203,7 +203,7 @@
+ static void		 pf_add_threshold(struct pf_threshold *);
+ static int		 pf_check_threshold(struct pf_threshold *);
+ 
+-static void		 pf_change_ap(struct pf_addr *, u_int16_t *,
++static void		 pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *,
+ 			    u_int16_t *, u_int16_t *, struct pf_addr *,
+ 			    u_int16_t, u_int8_t, sa_family_t);
+ static int		 pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
+@@ -1966,6 +1966,22 @@
+ 	}
+ }
+ 
++/**
++ * Checksum updates are a little complicated because the checksum in the TCP/UDP
++ * header isn't always a full checksum. In some cases (i.e. output) it's a
++ * pseudo-header checksum, which is a partial checksum over src/dst IP
++ * addresses, protocol number and length.
++ *
++ * That means we have the following cases:
++ *  * Input or forwarding: we don't have TSO, the checksum fields are full
++ *  	checksums, we need to update the checksum whenever we change anything.
++ *  * Output (i.e. the checksum is a pseudo-header checksum):
++ *  	x The field being updated is src/dst address or affects the length of
++ *  	the packet. We need to update the pseudo-header checksum (note that this
++ *  	checksum is not ones' complement).
++ *  	x Some other field is being modified (e.g. src/dst port numbers): We
++ *  	don't have to update anything.
++ **/
+ u_int16_t
+ pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
+ {
+@@ -1981,9 +1997,20 @@
+ 	return (l);
+ }
+ 
++u_int16_t
++pf_proto_cksum_fixup(struct mbuf *m, u_int16_t cksum, u_int16_t old,
++        u_int16_t new, u_int8_t udp)
++{
++	if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
++		return (cksum);
++
++	return (pf_cksum_fixup(cksum, old, new, udp));
++}
++
+ static void
+-pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
+-    struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
++pf_change_ap(struct mbuf *m, struct pf_addr *a, u_int16_t *p, u_int16_t *ic,
++        u_int16_t *pc, struct pf_addr *an, u_int16_t pn, u_int8_t u,
++        sa_family_t af)
+ {
+ 	struct pf_addr	ao;
+ 	u_int16_t	po = *p;
+@@ -1991,6 +2018,9 @@
+ 	PF_ACPY(&ao, a, af);
+ 	PF_ACPY(a, an, af);
+ 
++	if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
++		*pc = ~*pc;
++
+ 	*p = pn;
+ 
+ 	switch (af) {
+@@ -2000,10 +2030,12 @@
+ 		    ao.addr16[0], an->addr16[0], 0),
+ 		    ao.addr16[1], an->addr16[1], 0);
+ 		*p = pn;
+-		*pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
++
++		*pc = pf_cksum_fixup(pf_cksum_fixup(*pc,
+ 		    ao.addr16[0], an->addr16[0], u),
+-		    ao.addr16[1], an->addr16[1], u),
+-		    po, pn, u);
++		    ao.addr16[1], an->addr16[1], u);
++
++		*pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
+ 		break;
+ #endif /* INET */
+ #ifdef INET6
+@@ -2010,7 +2042,7 @@
+ 	case AF_INET6:
+ 		*pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
+ 		    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
+-		    pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
++		    pf_cksum_fixup(pf_cksum_fixup(*pc,
+ 		    ao.addr16[0], an->addr16[0], u),
+ 		    ao.addr16[1], an->addr16[1], u),
+ 		    ao.addr16[2], an->addr16[2], u),
+@@ -2018,14 +2050,21 @@
+ 		    ao.addr16[4], an->addr16[4], u),
+ 		    ao.addr16[5], an->addr16[5], u),
+ 		    ao.addr16[6], an->addr16[6], u),
+-		    ao.addr16[7], an->addr16[7], u),
+-		    po, pn, u);
++		    ao.addr16[7], an->addr16[7], u);
++
++		*pc = pf_proto_cksum_fixup(m, *pc, po, pn, u);
+ 		break;
+ #endif /* INET6 */
+ 	}
++
++	if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | 
++	    CSUM_DELAY_DATA_IPV6)) {
++		*pc = ~*pc;
++		if (! *pc)
++			*pc = 0xffff;
++	}
+ }
+ 
+-
+ /* Changes a u_int32_t.  Uses a void * so there are no align restrictions */
+ void
+ pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
+@@ -2038,6 +2077,19 @@
+ 	    ao % 65536, an % 65536, u);
+ }
+ 
++void
++pf_change_proto_a(struct mbuf *m, void *a, u_int16_t *c, u_int32_t an, u_int8_t udp)
++{
++	u_int32_t	ao;
++
++	memcpy(&ao, a, sizeof(ao));
++	memcpy(a, &an, sizeof(u_int32_t));
++
++	*c = pf_proto_cksum_fixup(m,
++	    pf_proto_cksum_fixup(m, *c, ao / 65536, an / 65536, udp),
++	    ao % 65536, an % 65536, udp);
++}
++
+ #ifdef INET6
+ static void
+ pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
+@@ -2183,12 +2235,10 @@
+ 				for (i = 2; i + TCPOLEN_SACK <= olen;
+ 				    i += TCPOLEN_SACK) {
+ 					memcpy(&sack, &opt[i], sizeof(sack));
+-					pf_change_a(&sack.start, &th->th_sum,
+-					    htonl(ntohl(sack.start) -
+-					    dst->seqdiff), 0);
+-					pf_change_a(&sack.end, &th->th_sum,
+-					    htonl(ntohl(sack.end) -
+-					    dst->seqdiff), 0);
++					pf_change_proto_a(m, &sack.start, &th->th_sum,
++					    htonl(ntohl(sack.start) - dst->seqdiff), 0);
++					pf_change_proto_a(m, &sack.end, &th->th_sum,
++					    htonl(ntohl(sack.end) - dst->seqdiff), 0);
+ 					memcpy(&opt[i], &sack, sizeof(sack));
+ 				}
+ 				copyback = 1;
+@@ -3092,7 +3142,7 @@
+ 
+ 			if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
+ 			    nk->port[pd->sidx] != sport) {
+-				pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
++				pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum,
+ 				    &th->th_sum, &nk->addr[pd->sidx],
+ 				    nk->port[pd->sidx], 0, af);
+ 				pd->sport = &th->th_sport;
+@@ -3101,7 +3151,7 @@
+ 
+ 			if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
+ 			    nk->port[pd->didx] != dport) {
+-				pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
++				pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum,
+ 				    &th->th_sum, &nk->addr[pd->didx],
+ 				    nk->port[pd->didx], 0, af);
+ 				dport = th->th_dport;
+@@ -3115,7 +3165,7 @@
+ 
+ 			if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) ||
+ 			    nk->port[pd->sidx] != sport) {
+-				pf_change_ap(saddr, &pd->hdr.udp->uh_sport,
++				pf_change_ap(m, saddr, &pd->hdr.udp->uh_sport,
+ 				    pd->ip_sum, &pd->hdr.udp->uh_sum,
+ 				    &nk->addr[pd->sidx],
+ 				    nk->port[pd->sidx], 1, af);
+@@ -3125,7 +3175,7 @@
+ 
+ 			if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) ||
+ 			    nk->port[pd->didx] != dport) {
+-				pf_change_ap(daddr, &pd->hdr.udp->uh_dport,
++				pf_change_ap(m, daddr, &pd->hdr.udp->uh_dport,
+ 				    pd->ip_sum, &pd->hdr.udp->uh_sum,
+ 				    &nk->addr[pd->didx],
+ 				    nk->port[pd->didx], 1, af);
+@@ -3477,7 +3527,7 @@
+ 			if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
+ 			    0)
+ 				s->src.seqdiff = 1;
+-			pf_change_a(&th->th_seq, &th->th_sum,
++			pf_change_proto_a(m, &th->th_seq, &th->th_sum,
+ 			    htonl(s->src.seqlo + s->src.seqdiff), 0);
+ 			*rewrite = 1;
+ 		} else
+@@ -3786,9 +3836,9 @@
+ 			while ((src->seqdiff = arc4random() - seq) == 0)
+ 				;
+ 			ack = ntohl(th->th_ack) - dst->seqdiff;
+-			pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
++			pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
+ 			    src->seqdiff), 0);
+-			pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
++			pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
+ 			*copyback = 1;
+ 		} else {
+ 			ack = ntohl(th->th_ack);
+@@ -3838,9 +3888,9 @@
+ 		ack = ntohl(th->th_ack) - dst->seqdiff;
+ 		if (src->seqdiff) {
+ 			/* Modulate sequence numbers */
+-			pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
++			pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
+ 			    src->seqdiff), 0);
+-			pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
++			pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
+ 			*copyback = 1;
+ 		}
+ 		end = seq + pd->p_len;
+@@ -4294,14 +4344,14 @@
+ 
+ 		if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
+ 		    nk->port[pd->sidx] != th->th_sport)
+-			pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
+-			    &th->th_sum, &nk->addr[pd->sidx],
++			pf_change_ap(m, pd->src, &th->th_sport,
++			    pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx],
+ 			    nk->port[pd->sidx], 0, pd->af);
+ 
+ 		if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
+ 		    nk->port[pd->didx] != th->th_dport)
+-			pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
+-			    &th->th_sum, &nk->addr[pd->didx],
++			pf_change_ap(m, pd->dst, &th->th_dport,
++			    pd->ip_sum, &th->th_sum, &nk->addr[pd->didx],
+ 			    nk->port[pd->didx], 0, pd->af);
+ 		copyback = 1;
+ 	}
+@@ -4365,13 +4415,13 @@
+ 
+ 		if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
+ 		    nk->port[pd->sidx] != uh->uh_sport)
+-			pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
++			pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
+ 			    &uh->uh_sum, &nk->addr[pd->sidx],
+ 			    nk->port[pd->sidx], 1, pd->af);
+ 
+ 		if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
+ 		    nk->port[pd->didx] != uh->uh_dport)
+-			pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
++			pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum,
+ 			    &uh->uh_sum, &nk->addr[pd->didx],
+ 			    nk->port[pd->didx], 1, pd->af);
+ 		m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
+@@ -5487,6 +5537,13 @@
+ 	if (ifp->if_flags & IFF_LOOPBACK)
+ 		m0->m_flags |= M_SKIP_FIREWALL;
+ 
++	if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 &
++	    ~ifp->if_hwassist) {
++		uint32_t plen = m0->m_pkthdr.len - sizeof(*ip6);
++		in6_delayed_cksum(m0, plen, sizeof(struct ip6_hdr));
++		m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
++	}
++
+ 	/*
+ 	 * If the packet is too large for the outgoing interface,
+ 	 * send back an icmp6 error.
+--- a/sys/netpfil/pf/pf_ioctl.c
++++ b/sys/netpfil/pf/pf_ioctl.c
+@@ -3571,12 +3571,6 @@
+ {
+ 	int chk;
+ 
+-	/* We need a proper CSUM befor we start (s. OpenBSD ip_output) */
+-	if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
+-		in_delayed_cksum(*m);
+-		(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
+-	}
+-
+ 	chk = pf_test(PF_OUT, ifp, m, inp);
+ 	if (chk && *m) {
+ 		m_freem(*m);
+@@ -3615,14 +3609,6 @@
+ {
+ 	int chk;
+ 
+-	/* We need a proper CSUM before we start (s. OpenBSD ip_output) */
+-	if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
+-#ifdef INET
+-		/* XXX-BZ copy&paste error from r126261? */
+-		in_delayed_cksum(*m);
+-#endif
+-		(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
+-	}
+ 	CURVNET_SET(ifp->if_vnet);
+ 	chk = pf_test6(PF_OUT, ifp, m, inp);
+ 	CURVNET_RESTORE();
+--- a/sys/netpfil/pf/pf_norm.c
++++ b/sys/netpfil/pf/pf_norm.c
+@@ -1374,13 +1374,14 @@
+ 		th->th_x2 = 0;
+ 		nv = *(u_int16_t *)(&th->th_ack + 1);
+ 
+-		th->th_sum = pf_cksum_fixup(th->th_sum, ov, nv, 0);
++		th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, ov, nv, 0);
+ 		rewrite = 1;
+ 	}
+ 
+ 	/* Remove urgent pointer, if TH_URG is not set */
+ 	if (!(flags & TH_URG) && th->th_urp) {
+-		th->th_sum = pf_cksum_fixup(th->th_sum, th->th_urp, 0, 0);
++		th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, th->th_urp,
++		    0, 0);
+ 		th->th_urp = 0;
+ 		rewrite = 1;
+ 	}
+@@ -1581,7 +1582,7 @@
+ 					    (src->scrub->pfss_flags &
+ 					    PFSS_TIMESTAMP)) {
+ 						tsval = ntohl(tsval);
+-						pf_change_a(&opt[2],
++						pf_change_proto_a(m, &opt[2],
+ 						    &th->th_sum,
+ 						    htonl(tsval +
+ 						    src->scrub->pfss_ts_mod),
+@@ -1597,7 +1598,7 @@
+ 					    PFSS_TIMESTAMP)) {
+ 						tsecr = ntohl(tsecr)
+ 						    - dst->scrub->pfss_ts_mod;
+-						pf_change_a(&opt[6],
++						pf_change_proto_a(m, &opt[6],
+ 						    &th->th_sum, htonl(tsecr),
+ 						    0);
+ 						copyback = 1;
+@@ -1924,8 +1925,8 @@
+ 		case TCPOPT_MAXSEG:
+ 			mss = (u_int16_t *)(optp + 2);
+ 			if ((ntohs(*mss)) > r->max_mss) {
+-				th->th_sum = pf_cksum_fixup(th->th_sum,
+-				    *mss, htons(r->max_mss), 0);
++				th->th_sum = pf_proto_cksum_fixup(m,
++				    th->th_sum, *mss, htons(r->max_mss), 0);
+ 				*mss = htons(r->max_mss);
+ 				rewrite = 1;
+ 			}
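Review bot: The two complement steps that the new pf_change_ap() body adds around the fixups, `*pc = ~*pc;` after the address copy and the `~*pc` / `0xffff` restore after the switch, carry no comment explaining why the delayed-checksum case is inverted and then un-inverted, even though the new header comment above pf_cksum_fixup() gives the reason (a pseudo-header checksum is stored uncomplemented). A one-line comment at the first inversion, `/* Pseudo-header csum is not ones'-complemented; flip it so the fixups below can treat it as a full csum, flipped back after the switch. */`, would keep the next reader from removing either step. The mask `(CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6)` is spelled out three times in the new pf.c code (pf_proto_cksum_fixup() and both ends of pf_change_ap()) and could be one named macro; the third copy also has trailing whitespace after `CSUM_DELAY_DATA | ` and `if (! *pc)` has an odd space after the `!`. The chained `&` in the new ip6 output block, `csum_flags & CSUM_DELAY_DATA_IPV6 & ~ifp->if_hwassist`, is correct left-to-right but reads more clearly as `(m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) & ~ifp->if_hwassist`. Every function touched in this patch starts or ends outside its hunk.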

Added: branches/jessie/kfreebsd-10/debian/patches/SA-16_01.sctp.patch
===================================================================
--- branches/jessie/kfreebsd-10/debian/patches/SA-16_01.sctp.patch	                        (rev 0)
+++ branches/jessie/kfreebsd-10/debian/patches/SA-16_01.sctp.patch	2016-01-18 02:41:20 UTC (rev 5864)
@@ -0,0 +1,28 @@
+Description:
+ Fix SCTP ICMPv6 error message vulnerability.
+ Security:	FreeBSD-SA-16:01.sctp, CVE-2016-1879
+Origin: vendor
+Bug: https://security.freebsd.org/advisories/FreeBSD-SA-16:01.sctp.asc
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=293894
+
+--- a/sys/netinet6/sctp6_usrreq.c
++++ b/sys/netinet6/sctp6_usrreq.c
+@@ -393,7 +393,6 @@
+ 		 * XXX: We assume that when IPV6 is non NULL, M and OFF are
+ 		 * valid.
+ 		 */
+-		/* check if we can safely examine src and dst ports */
+ 		struct sctp_inpcb *inp = NULL;
+ 		struct sctp_tcb *stcb = NULL;
+ 		struct sctp_nets *net = NULL;
+@@ -402,6 +401,10 @@
+ 		if (ip6cp->ip6c_m == NULL)
+ 			return;
+ 
++		/* Check if we can safely examine the SCTP header. */
++		if (ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh))
++			return;
++
+ 		bzero(&sh, sizeof(sh));
+ 		bzero(&final, sizeof(final));
+ 		inp = NULL;
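Review bot: The new bounds check compares `ip6cp->ip6c_m->m_pkthdr.len` against `ip6cp->ip6c_off + sizeof(sh)`; because `sizeof` yields `size_t`, the usual arithmetic conversions make the whole comparison unsigned, so if either `m_pkthdr.len` or `ip6c_off` is a signed type the test is only correct while both are non-negative, which the hunk does not establish. Keeping the comparison in the intended domain, `if (ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + (int)sizeof(sh))`, or a one-line comment stating the non-negativity assumption, would make the intent explicit. The check also reads `m_pkthdr`, which is only meaningful on an mbuf carrying a packet header; that is presumably guaranteed by the ICMPv6 control path, but the new comment could say so. The enclosing function starts and ends outside the hunk.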

Added: branches/jessie/kfreebsd-10/debian/patches/SA-16_03.linux.patch
===================================================================
--- branches/jessie/kfreebsd-10/debian/patches/SA-16_03.linux.patch	                        (rev 0)
+++ branches/jessie/kfreebsd-10/debian/patches/SA-16_03.linux.patch	2016-01-18 02:41:20 UTC (rev 5864)
@@ -0,0 +1,75 @@
+Description:
+ Fix Linux compatibility layer incorrect futex handling.
+ Security:	FreeBSD-SA-16:03.linux, CVE-2016-1880
+Origin: vendor
+Bug: https://security.freebsd.org/advisories/FreeBSD-SA-16:03.linux.asc
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=293894
+
+--- a/sys/amd64/linux32/linux32_proto.h
++++ b/sys/amd64/linux32/linux32_proto.h
+@@ -992,7 +992,7 @@
+ };
+ struct linux_get_robust_list_args {
+ 	char pid_l_[PADL_(l_int)]; l_int pid; char pid_r_[PADR_(l_int)];
+-	char head_l_[PADL_(struct linux_robust_list_head *)]; struct linux_robust_list_head * head; char head_r_[PADR_(struct linux_robust_list_head *)];
++	char head_l_[PADL_(struct linux_robust_list_head **)]; struct linux_robust_list_head ** head; char head_r_[PADR_(struct linux_robust_list_head **)];
+ 	char len_l_[PADL_(l_size_t *)]; l_size_t * len; char len_r_[PADR_(l_size_t *)];
+ };
+ struct linux_splice_args {
+--- a/sys/amd64/linux32/linux32_systrace_args.c
++++ b/sys/amd64/linux32/linux32_systrace_args.c
+@@ -2088,7 +2088,7 @@
+ 	case 312: {
+ 		struct linux_get_robust_list_args *p = params;
+ 		iarg[0] = p->pid; /* l_int */
+-		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head * */
++		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head ** */
+ 		uarg[2] = (intptr_t) p->len; /* l_size_t * */
+ 		*n_args = 3;
+ 		break;
+@@ -5363,7 +5363,7 @@
+ 			p = "l_int";
+ 			break;
+ 		case 1:
+-			p = "struct linux_robust_list_head *";
++			p = "struct linux_robust_list_head **";
+ 			break;
+ 		case 2:
+ 			p = "l_size_t *";
+--- a/sys/amd64/linux32/syscalls.master
++++ b/sys/amd64/linux32/syscalls.master
+@@ -512,8 +512,8 @@
+ ; linux 2.6.17:
+ 311	AUE_NULL	STD	{ int linux_set_robust_list(struct linux_robust_list_head *head, \
+ 					l_size_t len); }
+-312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \
+-					l_size_t *len); }
++312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, \
++				    struct linux_robust_list_head **head, l_size_t *len); }
+ 313	AUE_NULL	STD	{ int linux_splice(void); }
+ 314	AUE_NULL	STD	{ int linux_sync_file_range(void); }
+ 315	AUE_NULL	STD	{ int linux_tee(void); }
+--- a/sys/compat/linux/linux_futex.c
++++ b/sys/compat/linux/linux_futex.c
+@@ -1090,7 +1090,7 @@
+ 		return (EFAULT);
+ 	}
+ 
+-	error = copyout(head, args->head, sizeof(struct linux_robust_list_head));
++	error = copyout(&head, args->head, sizeof(head));
+ 	if (error) {
+ 		LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error,
+ 		    error);
+--- a/sys/i386/linux/syscalls.master
++++ b/sys/i386/linux/syscalls.master
+@@ -520,8 +520,8 @@
+ ; linux 2.6.17:
+ 311	AUE_NULL	STD	{ int linux_set_robust_list(struct linux_robust_list_head *head, \
+ 					l_size_t len); }
+-312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, struct linux_robust_list_head **head, \
+-					l_size_t *len); }
++312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, \
++				    struct linux_robust_list_head **head, l_size_t *len); }
+ 313	AUE_NULL	STD	{ int linux_splice(void); }
+ 314	AUE_NULL	STD	{ int linux_sync_file_range(void); }
+ 315	AUE_NULL	STD	{ int linux_tee(void); }
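Review bot: The corrected `copyout(&head, args->head, sizeof(head))` in linux_futex.c writes the kernel's in-memory representation of the `head` pointer into the user slot, so on the amd64/linux32 build that this patch also updates (the `**head` change in linux32_proto.h and linux32/syscalls.master) the number of bytes written is the native pointer size, which may not equal the 32-bit pointer the caller made room for. The declaration of `head` is outside the hunk, so this is inferred; if it is a native `struct linux_robust_list_head *`, the 32-bit path needs a copy through a temporary of the Linux ABI's pointer width, and at minimum a comment stating which pointer width is being copied out. The i386 syscalls.master already declared `**head`, so that hunk is a reformat only. The enclosing function starts and ends outside the hunk.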

Added: branches/jessie/kfreebsd-10/debian/patches/SA-16_04.linux.patch
===================================================================
--- branches/jessie/kfreebsd-10/debian/patches/SA-16_04.linux.patch	                        (rev 0)
+++ branches/jessie/kfreebsd-10/debian/patches/SA-16_04.linux.patch	2016-01-18 02:41:20 UTC (rev 5864)
@@ -0,0 +1,52 @@
+Description:
+ Fix Linux compatibility layer setgroups(2) system call.
+ Security:	FreeBSD-SA-16:04.linux, CVE-2016-1881
+Origin: vendor
+Bug: https://security.freebsd.org/advisories/FreeBSD-SA-16:04.linux.asc
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=293894
+
+--- a/sys/compat/linux/linux_misc.c
++++ b/sys/compat/linux/linux_misc.c
+@@ -1107,9 +1107,11 @@
+ 	if (error)
+ 		goto out;
+ 	newcred = crget();
++	crextend(newcred, ngrp + 1);
+ 	p = td->td_proc;
+ 	PROC_LOCK(p);
+-	oldcred = crcopysafe(p, newcred);
++	oldcred = p->p_ucred;
++	crcopy(newcred, oldcred);
+ 
+ 	/*
+ 	 * cr_groups[0] holds egid. Setting the whole set from
+--- a/sys/kern/kern_prot.c
++++ b/sys/kern/kern_prot.c
+@@ -88,7 +88,6 @@
+ 
+ SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy");
+ 
+-static void crextend(struct ucred *cr, int n);
+ static void crsetgroups_locked(struct ucred *cr, int ngrp,
+     gid_t *groups);
+ 
+@@ -1974,7 +1973,7 @@
+ /*
+  * Extend the passed in credential to hold n items.
+  */
+-static void
++void
+ crextend(struct ucred *cr, int n)
+ {
+ 	int cnt;
+--- a/sys/sys/ucred.h
++++ b/sys/sys/ucred.h
+@@ -104,6 +104,7 @@
+ void	crcopy(struct ucred *dest, struct ucred *src);
+ struct ucred	*crcopysafe(struct proc *p, struct ucred *cr);
+ struct ucred	*crdup(struct ucred *cr);
++void	crextend(struct ucred *cr, int n);
+ void	cred_update_thread(struct thread *td);
+ void	crfree(struct ucred *cr);
+ struct ucred	*crget(void);
+
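Review bot: The replacement of `crcopysafe()` with `crextend(newcred, ngrp + 1)` plus a bare `crcopy()` in linux_misc.c sizes the new credential for the incoming group list but, as far as the hunk shows, not for the current credential being copied; crcopysafe() existed so the copy could grow the destination without holding the process lock, and if crcopy() still has to grow `newcred` when `p->p_ucred` carries more than `ngrp + 1` groups, that growth now happens under `PROC_LOCK(p)`. Whether crcopy() allocates in that case is not visible here and should be confirmed against kern_prot.c; if it does, a comment above the crextend() call stating why `ngrp + 1` is always sufficient, or extending to the larger of the two sizes, would close the gap. The range check that bounds `ngrp` (and so keeps `ngrp + 1` from overflowing) is also outside the hunk. The enclosing function starts and ends outside the hunk.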

Added: branches/jessie/kfreebsd-10/debian/patches/SA-16_05.tcp.patch
===================================================================
--- branches/jessie/kfreebsd-10/debian/patches/SA-16_05.tcp.patch	                        (rev 0)
+++ branches/jessie/kfreebsd-10/debian/patches/SA-16_05.tcp.patch	2016-01-18 02:41:20 UTC (rev 5864)
@@ -0,0 +1,44 @@
+Description:
+ Fix TCP MD5 signature denial of service.
+ Security:	FreeBSD-SA-16:05.tcp, CVE-2016-1882
+Origin: vendor
+Bug: https://security.freebsd.org/advisories/FreeBSD-SA-16:05.tcp.asc
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=293894
+
+--- a/sys/netinet/tcp_output.c
++++ b/sys/netinet/tcp_output.c
+@@ -705,8 +705,8 @@
+ 	 * segments.  Options for SYN-ACK segments are handled in TCP
+ 	 * syncache.
+ 	 */
++	to.to_flags = 0;
+ 	if ((tp->t_flags & TF_NOOPT) == 0) {
+-		to.to_flags = 0;
+ 		/* Maximum segment size. */
+ 		if (flags & TH_SYN) {
+ 			tp->snd_nxt = tp->iss;
+@@ -1076,7 +1076,7 @@
+ 		tp->snd_up = tp->snd_una;		/* drag it along */
+ 
+ #ifdef TCP_SIGNATURE
+-	if (tp->t_flags & TF_SIGNATURE) {
++	if (to.to_flags & TOF_SIGNATURE) {
+ 		int sigoff = to.to_signature - opt;
+ 		tcp_signature_compute(m, 0, len, optlen,
+ 		    (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
+@@ -1513,6 +1513,7 @@
+ 			bcopy((u_char *)&to->to_tsecr, optp, sizeof(to->to_tsecr));
+ 			optp += sizeof(to->to_tsecr);
+ 			break;
++#ifdef TCP_SIGNATURE
+ 		case TOF_SIGNATURE:
+ 			{
+ 			int siglen = TCPOLEN_SIGNATURE - 2;
+@@ -1531,6 +1532,7 @@
+ 				 *optp++ = 0;
+ 			break;
+ 			}
++#endif
+ 		case TOF_SACK:
+ 			{
+ 			int sackblks = 0;
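Review bot: The moved `to.to_flags = 0;` in tcp_output() now runs regardless of `TF_NOOPT`, which is what makes the later `if (to.to_flags & TOF_SIGNATURE)` test well-defined, but nothing at either site says so; a comment at the assignment, `/* Always reset: to_flags is tested below even when TF_NOOPT skips option generation. */`, records the dependency. In tcp_addoptions() the `case TOF_SIGNATURE:` is now compiled only under `TCP_SIGNATURE`, so on a kernel built without it a caller that sets `TOF_SIGNATURE` falls into whatever the switch's `default` arm does; that arm is outside the hunk, so its behaviour for this flag should be checked. Both enclosing functions start and end outside their hunks.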

Modified: branches/jessie/kfreebsd-10/debian/patches/series
===================================================================
--- branches/jessie/kfreebsd-10/debian/patches/series	2015-12-15 02:33:04 UTC (rev 5863)
+++ branches/jessie/kfreebsd-10/debian/patches/series	2016-01-18 02:41:20 UTC (rev 5864)
@@ -48,3 +48,8 @@
 SA-15_21.amd64.patch
 EN-15_19.kqueue.patch
 EN-15_20.vm.patch
+EN-16_02.pf.patch
+SA-16_01.sctp.patch
+SA-16_03.linux.patch
+SA-16_04.linux.patch
+SA-16_05.tcp.patch



