From 69bda30fc7a7553edb78915c4c9c28450aed4328 Mon Sep 17 00:00:00 2001 From: bz Date: Tue, 12 Jun 2012 12:10:10 +0000 Subject: [PATCH] Fix a problem where zero-length RDATA fields can cause named(8) to crash. [12:03] Correct a privilege escalation when returning from kernel if running FreeBSD/amd64 on non-AMD processors. [12:04] Fix reference count errors in IPv6 code. [EN-12:02] Security: CVE-2012-1667 Security: FreeBSD-SA-12:03.bind Security: CVE-2012-0217 Security: FreeBSD-SA-12:04.sysret Security: FreeBSD-EN-12:02.ipv6refcount Approved by: so (simon, bz) git-svn-id: svn://svn.freebsd.org/base/releng/8.2@236953 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 11 +++++++++++ contrib/bind9/lib/dns/rdata.c | 4 ++-- contrib/bind9/lib/dns/rdataslab.c | 11 ++++++++--- sys/amd64/amd64/trap.c | 17 +++++++++++++++++ sys/conf/newvers.sh | 2 +- sys/netinet/tcp_input.c | 5 ++++- sys/netinet6/in6.c | 23 +++++++++++++++++------ sys/netinet6/ip6_input.c | 24 ++++++++++++++---------- 8 files changed, 74 insertions(+), 23 deletions(-) diff --git a/UPDATING b/UPDATING index 4818968a..b2e26c69 100644 --- a/UPDATING +++ b/UPDATING @@ -15,6 +15,17 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V: debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20120612: p9 FreeBSD-SA-12:03.bind + FreeBSD-SA-12:04.sysret + FreeBSD-EN-12:02.ipv6refcount + Fix a problem where zero-length RDATA fields can cause named to crash. + [12:03] + + Correct a privilege escalation when returning from kernel if + running FreeBSD/amd64 on non-AMD processors. [12:04] + + Fix reference count errors in IPv6 code. [EN-12:02] + 20120530: p8 FreeBSD-SA-12:01.openssl (revised), FreeBSD-SA-12:02.crypt Update the previous openssl fix. [12:01] diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c index ab9df8b7..ef59ea19 100644 --- a/contrib/bind9/lib/dns/rdata.c +++ b/contrib/bind9/lib/dns/rdata.c @@ -341,8 +341,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) { REQUIRE(rdata1 != NULL); REQUIRE(rdata2 != NULL); - REQUIRE(rdata1->data != NULL); - REQUIRE(rdata2->data != NULL); + REQUIRE(rdata1->length == 0 || rdata1->data != NULL); + REQUIRE(rdata2->length == 0 || rdata2->data != NULL); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1)); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2)); diff --git a/contrib/bind9/lib/dns/rdataslab.c b/contrib/bind9/lib/dns/rdataslab.c index 8d12eb8c..7516741f 100644 --- a/contrib/bind9/lib/dns/rdataslab.c +++ b/contrib/bind9/lib/dns/rdataslab.c @@ -125,6 +125,11 @@ isc_result_t dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, isc_region_t *region, unsigned int reservelen) { + /* + * Use &removed as a sentinal pointer for duplicate + * rdata as rdata.data == NULL is valid. + */ + static unsigned char removed; struct xrdata *x; unsigned char *rawbuf; #if DNS_RDATASET_FIXED @@ -164,6 +169,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, INSIST(result == ISC_R_SUCCESS); dns_rdata_init(&x[i].rdata); dns_rdataset_current(rdataset, &x[i].rdata); + INSIST(x[i].rdata.data != &removed); #if DNS_RDATASET_FIXED x[i].order = i; #endif @@ -196,8 +202,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, */ for (i = 1; i < nalloc; i++) { if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) { - x[i-1].rdata.data = NULL; - x[i-1].rdata.length = 0; + x[i-1].rdata.data = &removed; #if DNS_RDATASET_FIXED /* * Preserve the least order so A, B, A -> A, B @@ -284,7 +289,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, #endif for (i = 0; i < nalloc; i++) { - if (x[i].rdata.data == NULL) + if (x[i].rdata.data == &removed) continue; #if DNS_RDATASET_FIXED offsettable[x[i].order] = rawbuf - offsetbase; diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c index 722dcdc3..99a92519 100644 --- a/sys/amd64/amd64/trap.c +++ b/sys/amd64/amd64/trap.c @@ -907,4 +907,21 @@ syscall(struct trapframe *frame) syscallname(td->td_proc, sa.code))); syscallret(td, error, &sa); + + /* + * If the user-supplied value of %rip is not a canonical + * address, then some CPUs will trigger a ring 0 #GP during + * the sysret instruction. However, the fault handler would + * execute with the user's %gs and %rsp in ring 0 which would + * not be safe. Instead, preemptively kill the thread with a + * SIGBUS. + */ + if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) { + ksiginfo_init_trap(&ksi); + ksi.ksi_signo = SIGBUS; + ksi.ksi_code = BUS_OBJERR; + ksi.ksi_trapno = T_PROTFLT; + ksi.ksi_addr = (void *)td->td_frame->tf_rip; + trapsignal(td, &ksi); + } } diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index c45fce47..fd6a33e1 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.2" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 58eac745..b25ad157 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -293,6 +293,8 @@ tcp6_input(struct mbuf **mp, int *offp, int proto) (caddr_t)&ip6->ip6_dst - (caddr_t)ip6); return IPPROTO_DONE; } + if (ia6) + ifa_free(&ia6->ia_ifa); tcp_input(m, *offp); return IPPROTO_DONE; @@ -941,7 +943,8 @@ relocked: rstreason = BANDLIM_RST_OPENPORT; goto dropwithreset; } - ifa_free(&ia6->ia_ifa); + if (ia6) + ifa_free(&ia6->ia_ifa); } #endif /* diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c index 3acc74ee..f33bcfb0 100644 --- a/sys/netinet6/in6.c +++ b/sys/netinet6/in6.c @@ -1370,6 +1370,8 @@ in6_purgeaddr(struct ifaddr *ifa) } cleanup: + if (ifa0 != NULL) + ifa_free(ifa0); plen = in6_mask2len(&ia->ia_prefixmask.sin6_addr, NULL); /* XXX */ if ((ia->ia_flags & IFA_ROUTE) && plen == 128) { @@ -1394,8 +1396,6 @@ cleanup: return; ia->ia_flags &= ~IFA_ROUTE; } - if (ifa0 != NULL) - ifa_free(ifa0); in6_unlink_ifa(ia, ifp); } @@ -1549,14 +1549,19 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, caddr_t data, hostid = IFA_IN6(ifa); /* prefixlen must be <= 64. */ - if (64 < iflr->prefixlen) + if (64 < iflr->prefixlen) { + if (ifa != NULL) + ifa_free(ifa); return EINVAL; + } prefixlen = iflr->prefixlen; /* hostid part must be zero. */ sin6 = (struct sockaddr_in6 *)&iflr->addr; if (sin6->sin6_addr.s6_addr32[2] != 0 || sin6->sin6_addr.s6_addr32[3] != 0) { + if (ifa != NULL) + ifa_free(ifa); return EINVAL; } } else @@ -2144,14 +2149,20 @@ in6_ifawithifp(struct ifnet *ifp, struct in6_addr *dst) IN6_IFADDR_RUNLOCK(); return (struct in6_ifaddr *)ifa; } - IN6_IFADDR_RUNLOCK(); /* use the last-resort values, that are, deprecated addresses */ - if (dep[0]) + if (dep[0]) { + ifa_ref((struct ifaddr *)dep[0]); + IN6_IFADDR_RUNLOCK(); return dep[0]; - if (dep[1]) + } + if (dep[1]) { + ifa_ref((struct ifaddr *)dep[1]); + IN6_IFADDR_RUNLOCK(); return dep[1]; + } + IN6_IFADDR_RUNLOCK(); return NULL; } diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 089cee18..86f5721b 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -734,19 +734,23 @@ passin: * as our interface address (e.g. multicast addresses, addresses * within FAITH prefixes and such). */ - if (deliverifp && !ip6_getdstifaddr(m)) { + if (deliverifp) { struct in6_ifaddr *ia6; - ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); - if (ia6) { - if (!ip6_setdstifaddr(m, ia6)) { - /* - * XXX maybe we should drop the packet here, - * as we could not provide enough information - * to the upper layers. - */ - } + if ((ia6 = ip6_getdstifaddr(m)) != NULL) { ifa_free(&ia6->ia_ifa); + } else { + ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); + if (ia6) { + if (!ip6_setdstifaddr(m, ia6)) { + /* + * XXX maybe we should drop the packet here, + * as we could not provide enough information + * to the upper layers. + */ + } + ifa_free(&ia6->ia_ifa); + } } } -- 2.42.0