From bb7dac4dad2c4bfd1b884c7afab577b0bc0e580b Mon Sep 17 00:00:00 2001 From: cperciva Date: Thu, 27 May 2010 03:15:04 +0000 Subject: [PATCH] Change the current working directory to be inside the jail created by the jail(8) command. [10:04] Fix a one-NUL-byte buffer overflow in libopie. [10:05] Correctly sanity-check a buffer length in nfs mount. [10:06] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-10:04.jail Security: FreeBSD-SA-10:05.opie Security: FreeBSD-SA-10:06.nfsclient git-svn-id: svn://svn.freebsd.org/base/releng/8.0@208586 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 9 +++++++++ contrib/opie/libopie/readrec.c | 4 +--- lib/libc/sys/mount.2 | 9 ++++++++- sys/conf/newvers.sh | 2 +- sys/nfsclient/nfs_vfsops.c | 5 +++++ usr.sbin/jail/jail.c | 4 ++++ 6 files changed, 28 insertions(+), 5 deletions(-) diff --git a/UPDATING b/UPDATING index a2a59f22..b326a711 100644 --- a/UPDATING +++ b/UPDATING @@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V: debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20100526: p3 FreeBSD-SA-10:04.jail, FreeBSD-SA-10:05.opie, + FreeBSD-SA-10:06.nfsclient + Change the current working directory to be inside the jail created by + the jail(8) command. [10:04] + + Fix a one-NUL-byte buffer overflow in libopie. [10:05] + + Correctly sanity-check a buffer length in nfs mount. [10:06] + 20100106: p2 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd, FreeBSD-SA-10:03.zfs, FreeBSD-EN-10:01.freebsd Fix BIND named(8) cache poisoning with DNSSEC validation. diff --git a/contrib/opie/libopie/readrec.c b/contrib/opie/libopie/readrec.c index f56af7ff..4f204b92 100644 --- a/contrib/opie/libopie/readrec.c +++ b/contrib/opie/libopie/readrec.c @@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struct opie *opie) if (c = strchr(opie->opie_principal, ':')) *c = 0; - if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX) - (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; - strcpy(principal, opie->opie_principal); + strlcpy(principal, opie->opie_principal, sizeof(principal)); do { if ((opie->opie_recstart = ftell(f)) < 0) diff --git a/lib/libc/sys/mount.2 b/lib/libc/sys/mount.2 index 6ce2d4d2..3d48f411 100644 --- a/lib/libc/sys/mount.2 +++ b/lib/libc/sys/mount.2 @@ -107,7 +107,7 @@ This restriction can be removed by setting the .Va vfs.usermount .Xr sysctl 8 variable -to a non-zero value. +to a non-zero value; see the BUGS section for more information. .Pp The following .Fa flags @@ -370,3 +370,10 @@ functions appeared in .At v6 . .Sh BUGS Some of the error codes need translation to more obvious messages. +.Pp +Allowing untrusted users to mount arbitrary media, e.g. by enabling +.Va vfs.usermount , +should not be considered safe. +Most file systems in +.Fx +were not built to safeguard against malicious devices. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index de53cd7f..e71b0516 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.0" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/nfsclient/nfs_vfsops.c b/sys/nfsclient/nfs_vfsops.c index 17dc5d4b..c4366eb1 100644 --- a/sys/nfsclient/nfs_vfsops.c +++ b/sys/nfsclient/nfs_vfsops.c @@ -1054,6 +1054,11 @@ nfs_mount(struct mount *mp) error = EINVAL; goto out; } + if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) { + vfs_mount_error(mp, "Bad file handle"); + error = EINVAL; + goto out; + } if (mp->mnt_flag & MNT_UPDATE) { struct nfsmount *nmp = VFSTONFS(mp); diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c index ca87796d..0722bfd2 100644 --- a/usr.sbin/jail/jail.c +++ b/usr.sbin/jail/jail.c @@ -511,6 +511,10 @@ set_param(const char *name, char *value) *value++ = '\0'; } + /* jail_set won't chdir along with its chroot, so do it here. */ + if (!strcmp(name, "path") && chdir(value) < 0) + err(1, "chdir: %s", value); + /* Check for repeat parameters */ for (i = 0; i < nparams; i++) if (!strcmp(name, params[i].jp_name)) { -- 2.45.0