From 8824f0dbe941fde313892ffd1e44a7bfe987d9e8 Mon Sep 17 00:00:00 2001 From: bz Date: Tue, 12 Jun 2012 12:10:10 +0000 Subject: [PATCH] Fix a problem where zero-length RDATA fields can cause named(8) to crash. [12:03] Correct a privilege escalation when returning from kernel if running FreeBSD/amd64 on non-AMD processors. [12:04] Fix reference count errors in IPv6 code. [EN-12:02] Security: CVE-2012-1667 Security: FreeBSD-SA-12:03.bind Security: CVE-2012-0217 Security: FreeBSD-SA-12:04.sysret Security: FreeBSD-EN-12:02.ipv6refcount Approved by: so (simon, bz) git-svn-id: svn://svn.freebsd.org/base/releng/9.0@236953 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 11 +++++++++++ contrib/bind9/lib/dns/rdata.c | 8 ++++---- contrib/bind9/lib/dns/rdataslab.c | 11 ++++++++--- sys/amd64/amd64/trap.c | 17 +++++++++++++++++ sys/conf/newvers.sh | 2 +- sys/netinet/tcp_input.c | 5 ++++- sys/netinet6/in6.c | 23 +++++++++++++++++------ sys/netinet6/ip6_input.c | 24 ++++++++++++++---------- 8 files changed, 76 insertions(+), 25 deletions(-) diff --git a/UPDATING b/UPDATING index a5c3286d..ffc6a942 100644 --- a/UPDATING +++ b/UPDATING @@ -9,6 +9,17 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20120612: p3 FreeBSD-SA-12:03.bind + FreeBSD-SA-12:04.sysret + FreeBSD-EN-12:02.ipv6refcount + Fix a problem where zero-length RDATA fields can cause named to crash. + [12:03] + + Correct a privilege escalation when returning from kernel if + running FreeBSD/amd64 on non-AMD processors. [12:04] + + Fix reference count errors in IPv6 code. [EN-12:02] + 20120530: p2 FreeBSD-SA-12:01.openssl (revised), FreeBSD-SA-12:02.crypt Update the previous openssl fix. [12:01] diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c index 063b1f66..9337a801 100644 --- a/contrib/bind9/lib/dns/rdata.c +++ b/contrib/bind9/lib/dns/rdata.c @@ -325,8 +325,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) { REQUIRE(rdata1 != NULL); REQUIRE(rdata2 != NULL); - REQUIRE(rdata1->data != NULL); - REQUIRE(rdata2->data != NULL); + REQUIRE(rdata1->length == 0 || rdata1->data != NULL); + REQUIRE(rdata2->length == 0 || rdata2->data != NULL); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1)); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2)); @@ -356,8 +356,8 @@ dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) { REQUIRE(rdata1 != NULL); REQUIRE(rdata2 != NULL); - REQUIRE(rdata1->data != NULL); - REQUIRE(rdata2->data != NULL); + REQUIRE(rdata1->length == 0 || rdata1->data != NULL); + REQUIRE(rdata2->length == 0 || rdata2->data != NULL); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1)); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2)); diff --git a/contrib/bind9/lib/dns/rdataslab.c b/contrib/bind9/lib/dns/rdataslab.c index a41f16f7..ed13b30c 100644 --- a/contrib/bind9/lib/dns/rdataslab.c +++ b/contrib/bind9/lib/dns/rdataslab.c @@ -125,6 +125,11 @@ isc_result_t dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, isc_region_t *region, unsigned int reservelen) { + /* + * Use &removed as a sentinal pointer for duplicate + * rdata as rdata.data == NULL is valid. + */ + static unsigned char removed; struct xrdata *x; unsigned char *rawbuf; #if DNS_RDATASET_FIXED @@ -168,6 +173,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, INSIST(result == ISC_R_SUCCESS); dns_rdata_init(&x[i].rdata); dns_rdataset_current(rdataset, &x[i].rdata); + INSIST(x[i].rdata.data != &removed); #if DNS_RDATASET_FIXED x[i].order = i; #endif @@ -200,8 +206,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, */ for (i = 1; i < nalloc; i++) { if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) { - x[i-1].rdata.data = NULL; - x[i-1].rdata.length = 0; + x[i-1].rdata.data = &removed; #if DNS_RDATASET_FIXED /* * Preserve the least order so A, B, A -> A, B @@ -291,7 +296,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, #endif for (i = 0; i < nalloc; i++) { - if (x[i].rdata.data == NULL) + if (x[i].rdata.data == &removed) continue; #if DNS_RDATASET_FIXED offsettable[x[i].order] = rawbuf - offsetbase; diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c index c5f0a71e..fc920aea 100644 --- a/sys/amd64/amd64/trap.c +++ b/sys/amd64/amd64/trap.c @@ -939,4 +939,21 @@ amd64_syscall(struct thread *td, int traced) syscallname(td->td_proc, sa.code))); syscallret(td, error, &sa); + + /* + * If the user-supplied value of %rip is not a canonical + * address, then some CPUs will trigger a ring 0 #GP during + * the sysret instruction. However, the fault handler would + * execute with the user's %gs and %rsp in ring 0 which would + * not be safe. Instead, preemptively kill the thread with a + * SIGBUS. + */ + if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) { + ksiginfo_init_trap(&ksi); + ksi.ksi_signo = SIGBUS; + ksi.ksi_code = BUS_OBJERR; + ksi.ksi_trapno = T_PROTFLT; + ksi.ksi_addr = (void *)td->td_frame->tf_rip; + trapsignal(td, &ksi); + } } diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 794c720a..8cbb6852 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.0" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 91517b37..8f49596a 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -543,6 +543,8 @@ tcp6_input(struct mbuf **mp, int *offp, int proto) (caddr_t)&ip6->ip6_dst - (caddr_t)ip6); return IPPROTO_DONE; } + if (ia6) + ifa_free(&ia6->ia_ifa); tcp_input(m, *offp); return IPPROTO_DONE; @@ -1253,7 +1255,8 @@ relocked: rstreason = BANDLIM_RST_OPENPORT; goto dropwithreset; } - ifa_free(&ia6->ia_ifa); + if (ia6) + ifa_free(&ia6->ia_ifa); } #endif /* INET6 */ /* diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c index 1e6cb948..71c5ffe8 100644 --- a/sys/netinet6/in6.c +++ b/sys/netinet6/in6.c @@ -1453,6 +1453,8 @@ in6_purgeaddr(struct ifaddr *ifa) } cleanup: + if (ifa0 != NULL) + ifa_free(ifa0); plen = in6_mask2len(&ia->ia_prefixmask.sin6_addr, NULL); /* XXX */ if ((ia->ia_flags & IFA_ROUTE) && plen == 128) { @@ -1477,8 +1479,6 @@ cleanup: return; ia->ia_flags &= ~IFA_ROUTE; } - if (ifa0 != NULL) - ifa_free(ifa0); in6_unlink_ifa(ia, ifp); } @@ -1632,14 +1632,19 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, caddr_t data, hostid = IFA_IN6(ifa); /* prefixlen must be <= 64. */ - if (64 < iflr->prefixlen) + if (64 < iflr->prefixlen) { + if (ifa != NULL) + ifa_free(ifa); return EINVAL; + } prefixlen = iflr->prefixlen; /* hostid part must be zero. */ sin6 = (struct sockaddr_in6 *)&iflr->addr; if (sin6->sin6_addr.s6_addr32[2] != 0 || sin6->sin6_addr.s6_addr32[3] != 0) { + if (ifa != NULL) + ifa_free(ifa); return EINVAL; } } else @@ -2230,14 +2235,20 @@ in6_ifawithifp(struct ifnet *ifp, struct in6_addr *dst) IN6_IFADDR_RUNLOCK(); return (struct in6_ifaddr *)ifa; } - IN6_IFADDR_RUNLOCK(); /* use the last-resort values, that are, deprecated addresses */ - if (dep[0]) + if (dep[0]) { + ifa_ref((struct ifaddr *)dep[0]); + IN6_IFADDR_RUNLOCK(); return dep[0]; - if (dep[1]) + } + if (dep[1]) { + ifa_ref((struct ifaddr *)dep[1]); + IN6_IFADDR_RUNLOCK(); return dep[1]; + } + IN6_IFADDR_RUNLOCK(); return NULL; } diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 1fdde166..fddc60e1 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -797,19 +797,23 @@ passin: * as our interface address (e.g. multicast addresses, addresses * within FAITH prefixes and such). */ - if (deliverifp && !ip6_getdstifaddr(m)) { + if (deliverifp) { struct in6_ifaddr *ia6; - ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); - if (ia6) { - if (!ip6_setdstifaddr(m, ia6)) { - /* - * XXX maybe we should drop the packet here, - * as we could not provide enough information - * to the upper layers. - */ - } + if ((ia6 = ip6_getdstifaddr(m)) != NULL) { ifa_free(&ia6->ia_ifa); + } else { + ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); + if (ia6) { + if (!ip6_setdstifaddr(m, ia6)) { + /* + * XXX maybe we should drop the packet here, + * as we could not provide enough information + * to the upper layers. + */ + } + ifa_free(&ia6->ia_ifa); + } } } -- 2.42.0