From 2ce6eb6692346ec6e5d464e6f02e5f53ef8c66fc Mon Sep 17 00:00:00 2001 From: delphij Date: Tue, 14 Jan 2014 19:42:28 +0000 Subject: [PATCH] Fix bsnmpd remote denial of service vulnerability. [SA-14:01] Fix ntpd distributed reflection Denial of Service vulnerability. [SA-14:02] Fix BIND remote denial of service vulnerability. [SA-14:04] Disable hardware RNGs by default. [EN-14:01] Fix incorrect coalescing of stack entry with mmap. [EN-14:02] Approved by: so git-svn-id: svn://svn.freebsd.org/base/releng/9.2@260647 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 16 ++++++++++++++++ contrib/bind9/bin/named/query.c | 19 ++++++++++++------- contrib/bsnmp/lib/snmpagent.c | 5 +++++ contrib/ntp/ntpd/ntp_config.c | 2 ++ sys/conf/newvers.sh | 2 +- sys/dev/random/probe.c | 4 ++-- sys/vm/vm_map.c | 2 +- 7 files changed, 39 insertions(+), 11 deletions(-) diff --git a/UPDATING b/UPDATING index 16b40d37..d1ea8703 100644 --- a/UPDATING +++ b/UPDATING @@ -11,6 +11,22 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140114: p3 FreeBSD-SA-14:01.bsnmpd + FreeBSD-SA-14:02.ntpd + FreeBSD-SA-14:04.bind + FreeBSD-EN-14:01.random + FreeBSD-EN-14:02.mmap + Fix bsnmpd remote denial of service vulnerability. [SA-14:01] + + Fix ntpd distributed reflection Denial of Service + vulnerability. [SA-14:02] + + Fix BIND remote denial of service vulnerability. [SA-14:04] + + Disable hardware RNGs by default. [EN-14:01] + + Fix incorrect coalescing of stack entry with mmap. [EN-14:02] + 20131128: p2 FreeBSD-EN-13:05.freebsd-update Fix error in patch for FreeBSD-EN-13:04.freebsd-update. diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index 9e67f2d2..6bde6fef 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -5088,8 +5088,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, dns_fixedname_t fixed; dns_hash_t hash; dns_name_t name; - int order; - unsigned int count; + unsigned int skip = 0, labels; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; isc_boolean_t optout; @@ -5102,6 +5101,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, dns_name_init(&name, NULL); dns_name_clone(qname, &name); + labels = dns_name_countlabels(&name); /* * Map unknown algorithm to known value. @@ -5133,13 +5133,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, dns_rdata_reset(&rdata); optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); if (found != NULL && optout && - dns_name_fullcompare(&name, dns_db_origin(db), &order, - &count) == dns_namereln_subdomain) { + dns_name_issubdomain(&name, dns_db_origin(db))) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - count = dns_name_countlabels(&name) - 1; - dns_name_getlabelsequence(&name, 1, count, &name); + skip++; + dns_name_getlabelsequence(qname, skip, labels - skip, + &name); ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "looking for closest provable encloser"); @@ -5157,7 +5158,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected covering NSEC3, got an exact match"); - if (found != NULL) + if (found == qname) { + if (skip != 0U) + dns_name_getlabelsequence(qname, skip, labels - skip, + found); + } else if (found != NULL) dns_name_copy(&name, found, NULL); return; } diff --git a/contrib/bsnmp/lib/snmpagent.c b/contrib/bsnmp/lib/snmpagent.c index 888d6225..865b9b6f 100644 --- a/contrib/bsnmp/lib/snmpagent.c +++ b/contrib/bsnmp/lib/snmpagent.c @@ -499,6 +499,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struct asn_buf *resp_b, for (cnt = 0; cnt < pdu->error_index; cnt++) { eomib = 1; for (i = non_rep; i < pdu->nbindings; i++) { + + if (resp->nbindings == SNMP_MAX_BINDINGS) + /* PDU is full */ + goto done; + if (cnt == 0) result = do_getnext(&context, &pdu->bindings[i], &resp->bindings[resp->nbindings], pdu); diff --git a/contrib/ntp/ntpd/ntp_config.c b/contrib/ntp/ntpd/ntp_config.c index 99af999a..a28bd1b4 100644 --- a/contrib/ntp/ntpd/ntp_config.c +++ b/contrib/ntp/ntpd/ntp_config.c @@ -597,6 +597,8 @@ getconfig( #endif /* not SYS_WINNT */ } + proto_config(PROTO_MONITOR, 0, 0., NULL); + for (;;) { if (tok == CONFIG_END) break; diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index d047e673..2e7b7f1b 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.2" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/dev/random/probe.c b/sys/dev/random/probe.c index 4558db71..405eb951 100644 --- a/sys/dev/random/probe.c +++ b/sys/dev/random/probe.c @@ -73,7 +73,7 @@ random_ident_hardware(struct random_systat *systat) if (via_feature_rng & VIA_HAS_RNG) { int enable; - enable = 1; + enable = 0; TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); if (enable) *systat = random_nehemiah; @@ -83,7 +83,7 @@ random_ident_hardware(struct random_systat *systat) if (cpu_feature2 & CPUID2_RDRAND) { int enable; - enable = 1; + enable = 0; TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable); if (enable) *systat = random_ivy; diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index 864aa7f8..dc6ed1e4 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c @@ -1230,6 +1230,7 @@ charged: } else if ((prev_entry != &map->header) && (prev_entry->eflags == protoeflags) && + (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 && (prev_entry->end == start) && (prev_entry->wired_count == 0) && (prev_entry->cred == cred || @@ -3260,7 +3261,6 @@ vm_map_stack(vm_map_t map, vm_offset_t addrbos, vm_size_t max_ssize, * NOTE: We explicitly allow bi-directional stacks. */ orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP); - cow &= ~orient; KASSERT(orient != 0, ("No stack grow direction")); if (addrbos < vm_map_min(map) || -- 2.42.0