From 859527c6a9c3326189ca70508b35abcfeda0808c Mon Sep 17 00:00:00 2001 From: glebius Date: Tue, 17 May 2016 22:28:36 +0000 Subject: [PATCH] - Use unsigned version of min() when handling arguments of SETFKEY ioctl. - Validate that user supplied control message length in sendmsg(2) is not negative. Security: SA-16:18 Security: CVE-2016-1886 Security: SA-16:19 Security: CVE-2016-1887 Submitted by: C Turt Approved by: so git-svn-id: svn://svn.freebsd.org/base/releng/9.3@300088 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 4 ++++ sys/conf/newvers.sh | 2 +- sys/dev/kbd/kbd.c | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/UPDATING b/UPDATING index 39ddac07b..8ba40af91 100644 --- a/UPDATING +++ b/UPDATING @@ -11,6 +11,10 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20160517 p42 FreeBSD-SA-16:18.atkbd + + Fix buffer overflow in keyboard driver. [SA-16:18] + 20160504 p41 FreeBSD-SA-16:17.openssl FreeBSD-EN-16:08.zfs diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 26ded0b44..cdbce1481 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p41" +BRANCH="RELEASE-p42" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/dev/kbd/kbd.c b/sys/dev/kbd/kbd.c index 803676288..f1a1b29ab 100644 --- a/sys/dev/kbd/kbd.c +++ b/sys/dev/kbd/kbd.c @@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_long cmd, caddr_t arg) splx(s); return (error); } - kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK); + kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK); bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str, kbd->kb_fkeytab[fkeyp->keynum].len); break; -- 2.42.0