From c1aa4845e62bdcacf12fea5aad09170be85e434a Mon Sep 17 00:00:00 2001
From: glebius <glebius@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Wed, 16 Mar 2016 22:31:04 +0000
Subject: [PATCH] o Fix OpenSSH xauth(1) command injection. [SA-16:14] o Fix
 incorrect argument validation in sysarch(2). [SA-16:15] o Fix Hyper-V KVP
 (Key-Value Pair) daemon indefinite sleep. [EN-16:04] o Fix hv_netvsc(4)
 incorrect TCP/IP checksums. [EN-16:05]

Errata:         FreeBSD-EN-16:04.hyperv
Errata:         FreeBSD-EN-16:05.hv_netvsc
Security:       FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
Security:       FreeBSD-SA-16:15.sysarch, CVE-2016-1885
Approved by:    so


git-svn-id: https://svn.freebsd.org/base/releng/10.2@296955 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING                                      | 10 ++++++
 crypto/openssh/session.c                      | 32 +++++++++++++++++--
 sys/amd64/amd64/sys_machdep.c                 |  4 +--
 sys/conf/newvers.sh                           |  2 +-
 sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c | 12 ++++++-
 sys/dev/hyperv/utilities/hv_kvp.c             | 11 ++++++-
 6 files changed, 64 insertions(+), 7 deletions(-)

diff --git a/UPDATING b/UPDATING
index 0ec21dd9c..a7ed8a678 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160316	p14	FreeBSD-SA-16:14.openssh-xauth
+			FreeBSD-SA-16:15.sysarch
+			FreeBSD-EN-16:04.hyperv
+			FreeBSD-EN-16:05.hv_netvsc
+
+	Fix OpenSSH xauth(1) command injection. [SA-16:14]
+	Fix incorrect argument validation in sysarch(2). [SA-16:15]
+	Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
+	Fix hv_netvsc(4) incorrect TCP/IP checksums. [EN-16:05]
+
 20160303	p13	FreeBSD-SA-16:12.openssl
 
 	Fix multiple vulnerabilities of OpenSSL.
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 9fe6a1ad2..17397e6f8 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -48,6 +48,7 @@ __RCSID("$FreeBSD$");
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt)
 	do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+	size_t i;
+
+	for (i = 0; s[i] != '\0'; i++) {
+		if (!isalnum((u_char)s[i]) &&
+		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+		    s[i] != '-' && s[i] != '_')
+		return 0;
+	}
+	return 1;
+}
+
 /*
  * Prepares for an interactive session.  This is called after the user has
  * been successfully authenticated.  During this message exchange, pseudo
@@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt)
 				s->screen = 0;
 			}
 			packet_check_eom();
-			success = session_setup_x11fwd(s);
+			if (xauth_valid_string(s->auth_proto) &&
+			    xauth_valid_string(s->auth_data))
+				success = session_setup_x11fwd(s);
+			else {
+				success = 0;
+				error("Invalid X11 forwarding data");
+			}
 			if (!success) {
 				free(s->auth_proto);
 				free(s->auth_data);
@@ -2199,7 +2221,13 @@ session_x11_req(Session *s)
 	s->screen = packet_get_int();
 	packet_check_eom();
 
-	success = session_setup_x11fwd(s);
+	if (xauth_valid_string(s->auth_proto) &&
+	    xauth_valid_string(s->auth_data))
+		success = session_setup_x11fwd(s);
+	else {
+		success = 0;
+		error("Invalid X11 forwarding data");
+	}
 	if (!success) {
 		free(s->auth_proto);
 		free(s->auth_data);
diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c
index 98d47b867..ff3bd3edc 100644
--- a/sys/amd64/amd64/sys_machdep.c
+++ b/sys/amd64/amd64/sys_machdep.c
@@ -591,8 +591,8 @@ amd64_set_ldt(td, uap, descs)
 	struct i386_ldt_args *uap;
 	struct user_segment_descriptor *descs;
 {
-	int error = 0, i;
-	int largest_ld;
+	int error = 0;
+	unsigned int largest_ld, i;
 	struct mdproc *mdp = &td->td_proc->p_md;
 	struct proc_ldt *pldt;
 	struct user_segment_descriptor *dp;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index c3cdf52a0..297159aec 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.2"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c b/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
index 5502d1bf4..33718a9e0 100644
--- a/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
+++ b/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
@@ -128,6 +128,15 @@ __FBSDID("$FreeBSD$");
 #define HV_NV_SC_PTR_OFFSET_IN_BUF         0
 #define HV_NV_PACKET_OFFSET_IN_BUF         16
 
+/*
+ * A unified flag for all outbound check sum flags is useful,
+ * and it helps avoiding unnecessary check sum calculation in
+ * network forwarding scenario.
+ */
+#define HV_CSUM_FOR_OUTBOUND						\
+    (CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO|		\
+    CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP|		\
+    CSUM_IP6_TSO|CSUM_IP6_ISCSI)
 
 /*
  * Data types
@@ -570,7 +579,8 @@ hn_start_locked(struct ifnet *ifp)
 			    packet->vlan_tci & 0xfff;
 		}
 
-		if (0 == m_head->m_pkthdr.csum_flags) {
+		/* Only check the flags for outbound and ignore the ones for inbound */
+		if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) {
 			goto pre_send;
 		}
 
diff --git a/sys/dev/hyperv/utilities/hv_kvp.c b/sys/dev/hyperv/utilities/hv_kvp.c
index 4598510bb..58d565c44 100644
--- a/sys/dev/hyperv/utilities/hv_kvp.c
+++ b/sys/dev/hyperv/utilities/hv_kvp.c
@@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/reboot.h>
 #include <sys/lock.h>
 #include <sys/taskqueue.h>
+#include <sys/selinfo.h>
 #include <sys/sysctl.h>
 #include <sys/poll.h>
 #include <sys/proc.h>
@@ -114,6 +115,8 @@ static struct cdev *hv_kvp_dev;
 static struct hv_kvp_msg *hv_kvp_dev_buf;
 struct proc *daemon_task;
 
+static struct selinfo hv_kvp_selinfo;
+
 /*
  * Global state to track and synchronize multiple
  * KVP transaction requests from the host.
@@ -628,6 +631,9 @@ hv_kvp_send_msg_to_daemon(void)
 
 	/* Send the msg to user via function deamon_read - setting sema */
 	sema_post(&kvp_globals.dev_sema);
+
+	/* We should wake up the daemon, in case it's doing poll() */
+	selwakeup(&hv_kvp_selinfo);
 }
 
 
@@ -940,7 +946,7 @@ hv_kvp_dev_daemon_write(struct cdev *dev __unused, struct uio *uio, int ioflag _
  * for daemon to read.
  */
 static int
-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td  __unused)
+hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
 {
 	int revents = 0;
 
@@ -953,6 +959,9 @@ hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td
 	 */
 	if (kvp_globals.daemon_busy == true)
 		revents = POLLIN;
+	else
+		selrecord(td, &hv_kvp_selinfo);
+
 	mtx_unlock(&kvp_globals.pending_mutex);
 
 	return (revents);
-- 
2.45.0