From 73f33de6885fc3818adaeb90f15749dc55ef22b2 Mon Sep 17 00:00:00 2001 From: delphij Date: Tue, 14 Jan 2014 19:42:28 +0000 Subject: [PATCH] Fix bsnmpd remote denial of service vulnerability. [SA-14:01] Fix ntpd distributed reflection Denial of Service vulnerability. [SA-14:02] Fix BIND remote denial of service vulnerability. [SA-14:04] Disable hardware RNGs by default. [EN-14:01] Fix incorrect coalescing of stack entry with mmap. [EN-14:02] Approved by: so git-svn-id: svn://svn.freebsd.org/base/releng/9.1@260647 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 16 ++++++++++++++++ contrib/bind9/bin/named/query.c | 19 ++++++++++++------- contrib/bsnmp/lib/snmpagent.c | 5 +++++ contrib/ntp/ntpd/ntp_config.c | 2 ++ sys/conf/newvers.sh | 2 +- sys/dev/random/probe.c | 9 ++++++++- sys/vm/vm_map.c | 2 +- 7 files changed, 45 insertions(+), 10 deletions(-) diff --git a/UPDATING b/UPDATING index caf3c28e..a7a9767c 100644 --- a/UPDATING +++ b/UPDATING @@ -9,6 +9,22 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140114: p10 FreeBSD-SA-14:01.bsnmpd + FreeBSD-SA-14:02.ntpd + FreeBSD-SA-14:04.bind + FreeBSD-EN-14:01.random + FreeBSD-EN-14:02.mmap + Fix bsnmpd remote denial of service vulnerability. [SA-14:01] + + Fix ntpd distributed reflection Denial of Service + vulnerability. [SA-14:02] + + Fix BIND remote denial of service vulnerability. [SA-14:04] + + Disable hardware RNGs by default. [EN-14:01] + + Fix incorrect coalescing of stack entry with mmap. [EN-14:02] + 20131128: p9 FreeBSD-EN-13:05.freebsd-update Fix error in patch for FreeBSD-EN-13:04.freebsd-update. diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index ccf54358..0228f515 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -5022,8 +5022,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, dns_fixedname_t fixed; dns_hash_t hash; dns_name_t name; - int order; - unsigned int count; + unsigned int skip = 0, labels; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; isc_boolean_t optout; @@ -5036,6 +5035,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, dns_name_init(&name, NULL); dns_name_clone(qname, &name); + labels = dns_name_countlabels(&name); /* * Map unknown algorithm to known value. @@ -5067,13 +5067,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, dns_rdata_reset(&rdata); optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); if (found != NULL && optout && - dns_name_fullcompare(&name, dns_db_origin(db), &order, - &count) == dns_namereln_subdomain) { + dns_name_issubdomain(&name, dns_db_origin(db))) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - count = dns_name_countlabels(&name) - 1; - dns_name_getlabelsequence(&name, 1, count, &name); + skip++; + dns_name_getlabelsequence(qname, skip, labels - skip, + &name); ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "looking for closest provable encloser"); @@ -5091,7 +5092,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected covering NSEC3, got an exact match"); - if (found != NULL) + if (found == qname) { + if (skip != 0U) + dns_name_getlabelsequence(qname, skip, labels - skip, + found); + } else if (found != NULL) dns_name_copy(&name, found, NULL); return; } diff --git a/contrib/bsnmp/lib/snmpagent.c b/contrib/bsnmp/lib/snmpagent.c index 888d6225..865b9b6f 100644 --- a/contrib/bsnmp/lib/snmpagent.c +++ b/contrib/bsnmp/lib/snmpagent.c @@ -499,6 +499,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struct asn_buf *resp_b, for (cnt = 0; cnt < pdu->error_index; cnt++) { eomib = 1; for (i = non_rep; i < pdu->nbindings; i++) { + + if (resp->nbindings == SNMP_MAX_BINDINGS) + /* PDU is full */ + goto done; + if (cnt == 0) result = do_getnext(&context, &pdu->bindings[i], &resp->bindings[resp->nbindings], pdu); diff --git a/contrib/ntp/ntpd/ntp_config.c b/contrib/ntp/ntpd/ntp_config.c index 99af999a..a28bd1b4 100644 --- a/contrib/ntp/ntpd/ntp_config.c +++ b/contrib/ntp/ntpd/ntp_config.c @@ -597,6 +597,8 @@ getconfig( #endif /* not SYS_WINNT */ } + proto_config(PROTO_MONITOR, 0, 0., NULL); + for (;;) { if (tok == CONFIG_END) break; diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index b2b9bb56..f58f0970 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.1" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/dev/random/probe.c b/sys/dev/random/probe.c index 0bbfd95c..3436f5e5 100644 --- a/sys/dev/random/probe.c +++ b/sys/dev/random/probe.c @@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$"); #include #include +#include +#include #include #include #include @@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat) /* Then go looking for hardware */ #if defined(__amd64__) || (defined(__i386__) && !defined(PC98)) if (via_feature_rng & VIA_HAS_RNG) { - *systat = random_nehemiah; + int enable; + + enable = 0; + TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); + if (enable) + *systat = random_nehemiah; } #endif } diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index 0b93fb51..4f40e15a 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c @@ -1236,6 +1236,7 @@ charged: } else if ((prev_entry != &map->header) && (prev_entry->eflags == protoeflags) && + (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 && (prev_entry->end == start) && (prev_entry->wired_count == 0) && (prev_entry->cred == cred || @@ -3256,7 +3257,6 @@ vm_map_stack(vm_map_t map, vm_offset_t addrbos, vm_size_t max_ssize, * NOTE: We explicitly allow bi-directional stacks. */ orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP); - cow &= ~orient; KASSERT(orient != 0, ("No stack grow direction")); if (addrbos < vm_map_min(map) || -- 2.44.0