From 97b1fca39ed487704269b69bebf040899c6d1a02 Mon Sep 17 00:00:00 2001
From: glebius <glebius@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Thu, 14 Jan 2016 09:11:48 +0000
Subject: [PATCH] o Fix SCTP ICMPv6 error message vulnerability.
 [SA-16:01.sctp] o Fix ntp panic threshold bypass vulnerability.
 [SA-16:02.ntp] o Fix Linux compatibility layer incorrect futex handling.
 [SA-16:03.linux] o Fix Linux compatibility layer setgroups(2) system call.
 [SA-16:04.linux] o Fix TCP MD5 signature denial of service. [SA-16:05.tcp] o
 Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]

Security:	FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security:	FreeBSD-SA-16:03.linux, CVE-2016-1880
Security:	FreeBSD-SA-16:04.linux, CVE-2016-1881
Security:	FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security:	FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677


git-svn-id: svn://svn.freebsd.org/base/stable/9@293898 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 etc/Makefile                              | 9 +++++----
 sys/amd64/linux32/linux32_proto.h         | 2 +-
 sys/amd64/linux32/linux32_systrace_args.c | 4 ++--
 sys/amd64/linux32/syscalls.master         | 4 ++--
 sys/compat/linux/linux_futex.c            | 2 +-
 sys/compat/linux/linux_misc.c             | 4 +++-
 sys/i386/linux/syscalls.master            | 4 ++--
 sys/kern/kern_prot.c                      | 3 +--
 sys/netinet/tcp_output.c                  | 6 ++++--
 sys/netinet6/sctp6_usrreq.c               | 5 ++++-
 sys/sys/ucred.h                           | 1 +
 11 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/etc/Makefile b/etc/Makefile
index caa11401a..ff258a7d1 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -82,10 +82,6 @@ BIN1+= amd.map
 BIN1+= apmd.conf
 .endif
 
-.if ${MK_BSNMP} != "no"
-BIN1+= snmpd.config
-.endif
-
 .if ${MK_FREEBSD_UPDATE} != "no"
 BIN1+= freebsd-update.conf
 .endif
@@ -217,6 +213,11 @@ distribution:
 		${BIN2} ${DESTDIR}/etc; \
 	    ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
 		master.passwd nsmb.conf opieaccess ${DESTDIR}/etc;
+.if ${MK_BSNMP} != "no"
+	cd ${.CURDIR}; \
+	    ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
+		snmpd.config ${DESTDIR}/etc;
+.endif
 .if ${MK_AT} == "no"
 	sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab
 .endif
diff --git a/sys/amd64/linux32/linux32_proto.h b/sys/amd64/linux32/linux32_proto.h
index 88de1b595..cdea17c0e 100644
--- a/sys/amd64/linux32/linux32_proto.h
+++ b/sys/amd64/linux32/linux32_proto.h
@@ -993,7 +993,7 @@ struct linux_set_robust_list_args {
 };
 struct linux_get_robust_list_args {
 	char pid_l_[PADL_(l_int)]; l_int pid; char pid_r_[PADR_(l_int)];
-	char head_l_[PADL_(struct linux_robust_list_head *)]; struct linux_robust_list_head * head; char head_r_[PADR_(struct linux_robust_list_head *)];
+	char head_l_[PADL_(struct linux_robust_list_head **)]; struct linux_robust_list_head ** head; char head_r_[PADR_(struct linux_robust_list_head **)];
 	char len_l_[PADL_(l_size_t *)]; l_size_t * len; char len_r_[PADR_(l_size_t *)];
 };
 struct linux_splice_args {
diff --git a/sys/amd64/linux32/linux32_systrace_args.c b/sys/amd64/linux32/linux32_systrace_args.c
index f01cfddae..86a09fdbd 100644
--- a/sys/amd64/linux32/linux32_systrace_args.c
+++ b/sys/amd64/linux32/linux32_systrace_args.c
@@ -2090,7 +2090,7 @@ systrace_args(int sysnum, void *params, uint64_t *uarg, int *n_args)
 	case 312: {
 		struct linux_get_robust_list_args *p = params;
 		iarg[0] = p->pid; /* l_int */
-		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head * */
+		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head ** */
 		uarg[2] = (intptr_t) p->len; /* l_size_t * */
 		*n_args = 3;
 		break;
@@ -5371,7 +5371,7 @@ systrace_setargdesc(int sysnum, int ndx, char *desc, size_t descsz)
 			p = "l_int";
 			break;
 		case 1:
-			p = "struct linux_robust_list_head *";
+			p = "struct linux_robust_list_head **";
 			break;
 		case 2:
 			p = "l_size_t *";
diff --git a/sys/amd64/linux32/syscalls.master b/sys/amd64/linux32/syscalls.master
index 79a980958..c02ccd1b1 100644
--- a/sys/amd64/linux32/syscalls.master
+++ b/sys/amd64/linux32/syscalls.master
@@ -512,8 +512,8 @@
 ; linux 2.6.17:
 311	AUE_NULL	STD	{ int linux_set_robust_list(struct linux_robust_list_head *head, \
 					l_size_t len); }
-312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \
-					l_size_t *len); }
+312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, \
+				    struct linux_robust_list_head **head, l_size_t *len); }
 313	AUE_NULL	STD	{ int linux_splice(void); }
 314	AUE_NULL	STD	{ int linux_sync_file_range(void); }
 315	AUE_NULL	STD	{ int linux_tee(void); }
diff --git a/sys/compat/linux/linux_futex.c b/sys/compat/linux/linux_futex.c
index e903e74db..f03d066fb 100644
--- a/sys/compat/linux/linux_futex.c
+++ b/sys/compat/linux/linux_futex.c
@@ -1090,7 +1090,7 @@ linux_get_robust_list(struct thread *td, struct linux_get_robust_list_args *args
 		return (EFAULT);
 	}
 
-	error = copyout(head, args->head, sizeof(struct linux_robust_list_head));
+	error = copyout(&head, args->head, sizeof(head));
 	if (error) {
 		LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error,
 		    error);
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index 9ef5bd6b7..857297a90 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -1111,9 +1111,11 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args)
 	if (error)
 		goto out;
 	newcred = crget();
+	crextend(newcred, ngrp + 1);
 	p = td->td_proc;
 	PROC_LOCK(p);
-	oldcred = crcopysafe(p, newcred);
+	oldcred = p->p_ucred;
+	crcopy(newcred, oldcred);
 
 	/*
 	 * cr_groups[0] holds egid. Setting the whole set from
diff --git a/sys/i386/linux/syscalls.master b/sys/i386/linux/syscalls.master
index 827e2bb75..20d721a2a 100644
--- a/sys/i386/linux/syscalls.master
+++ b/sys/i386/linux/syscalls.master
@@ -520,8 +520,8 @@
 ; linux 2.6.17:
 311	AUE_NULL	STD	{ int linux_set_robust_list(struct linux_robust_list_head *head, \
 					l_size_t len); }
-312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, struct linux_robust_list_head **head, \
-					l_size_t *len); }
+312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, \
+				    struct linux_robust_list_head **head, l_size_t *len); }
 313	AUE_NULL	STD	{ int linux_splice(void); }
 314	AUE_NULL	STD	{ int linux_sync_file_range(void); }
 315	AUE_NULL	STD	{ int linux_tee(void); }
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index c658755bc..17be44104 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -88,7 +88,6 @@ static MALLOC_DEFINE(M_CRED, "cred", "credentials");
 
 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy");
 
-static void crextend(struct ucred *cr, int n);
 static void crsetgroups_locked(struct ucred *cr, int ngrp,
     gid_t *groups);
 
@@ -1974,7 +1973,7 @@ crcopysafe(struct proc *p, struct ucred *cr)
 /*
  * Extend the passed in credential to hold n items.
  */
-static void
+void
 crextend(struct ucred *cr, int n)
 {
 	int cnt;
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 31a019284..36a24f77b 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -702,8 +702,8 @@ send:
 	 * segments.  Options for SYN-ACK segments are handled in TCP
 	 * syncache.
 	 */
+	to.to_flags = 0;
 	if ((tp->t_flags & TF_NOOPT) == 0) {
-		to.to_flags = 0;
 		/* Maximum segment size. */
 		if (flags & TH_SYN) {
 			tp->snd_nxt = tp->iss;
@@ -1168,7 +1168,7 @@ send:
 		tp->snd_up = tp->snd_una;		/* drag it along */
 
 #ifdef TCP_SIGNATURE
-	if (tp->t_flags & TF_SIGNATURE) {
+	if (to.to_flags & TOF_SIGNATURE) {
 		int sigoff = to.to_signature - opt;
 		tcp_signature_compute(m, 0, len, optlen,
 		    (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
@@ -1587,6 +1587,7 @@ tcp_addoptions(struct tcpopt *to, u_char *optp)
 			bcopy((u_char *)&to->to_tsecr, optp, sizeof(to->to_tsecr));
 			optp += sizeof(to->to_tsecr);
 			break;
+#ifdef TCP_SIGNATURE
 		case TOF_SIGNATURE:
 			{
 			int siglen = TCPOLEN_SIGNATURE - 2;
@@ -1605,6 +1606,7 @@ tcp_addoptions(struct tcpopt *to, u_char *optp)
 				 *optp++ = 0;
 			break;
 			}
+#endif
 		case TOF_SACK:
 			{
 			int sackblks = 0;
diff --git a/sys/netinet6/sctp6_usrreq.c b/sys/netinet6/sctp6_usrreq.c
index c3375dc5b..4b25fd50f 100644
--- a/sys/netinet6/sctp6_usrreq.c
+++ b/sys/netinet6/sctp6_usrreq.c
@@ -393,7 +393,6 @@ sctp6_ctlinput(int cmd, struct sockaddr *pktdst, void *d)
 		 * XXX: We assume that when IPV6 is non NULL, M and OFF are
 		 * valid.
 		 */
-		/* check if we can safely examine src and dst ports */
 		struct sctp_inpcb *inp = NULL;
 		struct sctp_tcb *stcb = NULL;
 		struct sctp_nets *net = NULL;
@@ -402,6 +401,10 @@ sctp6_ctlinput(int cmd, struct sockaddr *pktdst, void *d)
 		if (ip6cp->ip6c_m == NULL)
 			return;
 
+		/* Check if we can safely examine the SCTP header. */
+		if (ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh))
+			return;
+
 		bzero(&sh, sizeof(sh));
 		bzero(&final, sizeof(final));
 		inp = NULL;
diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h
index e1648d4b3..45ed0d53f 100644
--- a/sys/sys/ucred.h
+++ b/sys/sys/ucred.h
@@ -104,6 +104,7 @@ void	change_svuid(struct ucred *newcred, uid_t svuid);
 void	crcopy(struct ucred *dest, struct ucred *src);
 struct ucred	*crcopysafe(struct proc *p, struct ucred *cr);
 struct ucred	*crdup(struct ucred *cr);
+void	crextend(struct ucred *cr, int n);
 void	cred_update_thread(struct thread *td);
 void	crfree(struct ucred *cr);
 struct ucred	*crget(void);
-- 
2.45.0