From: Gleb Smirnoff
Date: Tue, 17 May 2016 22:38:19 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r48826 - in head/share: security/advisories security/patches/SA-16:18 security/patches/SA-16:19 xml

Author: glebius (src committer)
Date: Tue May 17 22:38:19 2016
New Revision: 48826
URL: https://svnweb.freebsd.org/changeset/doc/48826

Log:
  Publish SA-16:18 and SA-16:19.

Added:
  head/share/security/advisories/FreeBSD-SA-16:18.atkbd.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:19.sendmsg.asc (contents, props changed)
  head/share/security/patches/SA-16:18/
  head/share/security/patches/SA-16:18/atkbd.patch (contents, props changed)
  head/share/security/patches/SA-16:18/atkbd.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:19/
  head/share/security/patches/SA-16:19/sendmsg.patch (contents, props changed)
  head/share/security/patches/SA-16:19/sendmsg.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-16:18.atkbd.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:18.atkbd.asc Tue May 17 22:38:19 2016 (r48826) 
@@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:18.atkbd Security Advisory + The FreeBSD Project + +Topic: Buffer overflow in keyboard driver + +Category: core +Module: atkbd +Announced: 2016-05-17 +Credits: CTurt and the HardenedBSD team +Affects: All supported versions of FreeBSD. +Corrected: 2016-05-17 22:29:59 UTC (stable/10, 10.3-STABLE) + 2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3) + 2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17) + 2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34) + 2016-05-17 22:31:12 UTC (stable/9, 9.3-STABLE) + 2016-05-17 22:28:36 UTC (releng/9.3, 9.3-RELEASE-p42) +CVE Name: CVE-2016-1886 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The atkbd(4) driver, together with the atkbdc(4) driver, provides access +to the AT 84 keyboard or the AT enhanced keyboard which is connected to +the AT keyboard controller. The driver is required for the console driver +syscons(4) or vt(4). The driver exposes its own ioctl(2) interface to allow +it to be configured from userland through the kbdcontrol(1) utility. + +II. Problem Description + +Incorrect signedness comparison in the ioctl(2) handler allows a malicious +local user to overwrite a portion of the kernel memory. + +III. Impact + +A local user may crash the kernel, read a portion of kernel memory and +execute arbitrary code in kernel context. The result of executing an +arbitrary kernel code is privilege escalation. + +IV. Workaround + +Disallow keymap changes for non-privileged users: + +sysctl hw.kbd.keymap_restrict_change=4 + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +Reboot is required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch +# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch.asc +# gpg --verify atkbd.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r300093 +releng/9.3/ r300088 +stable/10/ r300091 +releng/10.1/ r300085 +releng/10.2/ r300086 +releng/10.3/ r300087 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJXO5z8AAoJEO1n7NZdz2rns0MQAKaUrGjGn0nkFpx/PpiM6SHv +s/Fj/z/qTXTUmimZloiQd9bkMh5wFMymozihVqoQVX2jwzPFm4Cql+Ez8ihTl9YX +s+vMgQA8mUrinebwqXHRY+bZrwbJzsvLhAepL6vrSncPBaXM37smOmVlfjyUySWZ +61L1QPhDZIYSamAMDZFx4qkdv32nWTTaE6OImQOFWY19l2tAxUMrUsTM5zSUfSas +Tq2oP4BUvI58psapMgs38UY1Bjo33E/Gd7n6FS8gUQAX1OspN1wh981oX9GHU+U1 +bHY/Ihl+rqlh3Dmxp1JBP8ma2DSLXcuhrywNpE8i/dNQA4sxXXGQyuzVk24QNXbt +cnV7F3nTqBpB9evhNFuHk0Z/z2Lg4cCaId+xSJjX8eWfvfjP8q+c9SblC2LdJg6V +D0Gt0rbUNvSikCLDI/RYY1K5pWdjvtRN6ES+YO+sk2er9Uq/ZPrNj2SfNYguRkTV +Kfwut8aQW5AQ9JTr9YGFxfqEWOzgBWutE3ysWtx6bLoROY4/vUPRBrcVDOmsiiJt +QLPdf/m8VM/NH2lQoSQ44mUXvp+BdclrhM74C7GCc0RGmdEtuoC49esNKtZ+0349 +Sm7Tj/3ZWfwN0x+DQnbnDUeRmI5zaU3o4VycmhFcm3eWQ+je8O8aCLKI/iPTKYO7 +/OVeNnLKzp5Z7naKeHct +=6GJy +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:19.sendmsg.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:19.sendmsg.asc Tue May 17 22:38:19 2016 (r48826) 
@@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:19.sendmsg Security Advisory + The FreeBSD Project + +Topic: Incorrect argument handling in sendmsg(2) + +Category: core +Module: kernel +Announced: 2016-05-17 +Credits: CTurt and the HardenedBSD team +Affects: FreeBSD 10.x +Corrected: 2016-05-17 22:30:43 UTC (stable/10, 10.3-STABLE) + 2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3) + 2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17) + 2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34) +CVE Name: CVE-2016-1887 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The sendmsg(2) system call allows to send data to a socket. The data +may be accompanied by optional ancillary data. + +II. Problem Description + +Incorrect argument handling in the socket code allows malicious local +user to overwrite large portion of the kernel memory. + +III. Impact + +Malicious local user may crash kernel or execute arbitrary code in the kernel, +potentially gaining superuser privileges. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Reboot is required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:19/sendmsg.patch +# fetch https://security.FreeBSD.org/patches/SA-16:19/sendmsg.patch.asc +# gpg --verify sendmsg.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r300093 +releng/10.1/ r300085 +releng/10.2/ r300086 +releng/10.3/ r300087 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJXO50VAAoJEO1n7NZdz2rnWOAP/RyUks4Xf30YVGra+bHUjOsw +gFQEJ7HNNJHkkaJ5l0LpVh87YQxr7VXnlddskDRcL6MDf7IjW5bkpw+875iEFz93 +VykCN+1l84D0WlXAi9YZwg1GWoQs3SBfNpT1dtr9GuqJYAAeBfvMydJI1jHbJzJJ +7inDzgvhfPOaq8wQBfjXbUN0GgYiz6dJc3xir4+4JRw0C9sgzh1pI14o1oREJbZ0 +glmHRCpuijndqluabl7rF19mSSDyF0AV7RqDCZIt7AkYHWvR1yLl4o0LGGBYCLXx +iArz2ayzbAqBVw1JktVHzGx0HuVpobxb/yOpDuYBcaxtSL6riuSYrkzHp0Dca+JT +0/qENdMnXDN98ZMBcvVR66uWUuTVEF3/T2LXCi6G+RllrcoavvLqrcjghqT5k84P +jmAjO3Q3rIeAinjArfyexHo/f/A5CHGJylsY0FZd41A35xWaYg/dd0cT+8qsoigD +65Ix+/6AOIjocqqQToFXiHKBCN5unwrn/UT5heU0K3ZqESGmxUrx+6yJ3mjDjtLh +C7zWcNaJu1whcT7e4eKx9vMlAFFt6OrSnr1V09KnqPiHPtIu95PZhGlrizlZVELQ +8fKHoycOkT5F+00CWzcQuZK+l9p5iT5aWGkhunwvR7EKzqvgEFbDDpaJ5QzKTNTl +lJXypb8SMlol4YY8Spdo +=wuhi +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:18/atkbd.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:18/atkbd.patch Tue May 17 22:38:19 2016 (r48826) @@ -0,0 +1,11 @@ +--- sys/dev/kbd/kbd.c.orig ++++ sys/dev/kbd/kbd.c +@@ -996,7 +996,7 @@ + splx(s); + return (error); + } +- kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK); ++ kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK); + bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str, + kbd->kb_fkeytab[fkeyp->keynum].len); + break; Added: head/share/security/patches/SA-16:18/atkbd.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:18/atkbd.patch.asc Tue May 17 22:38:19 2016 (r48826) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJXO2BtAAoJEO1n7NZdz2rnB6kP/R2dxR6o6GemMN2VjdgOp9rM +i3DEFEcimF1oGOfwF7kIDabr9XLubeU1l+NnJhuExnAdyrcVr+7+SvgFAzv6lZlS +47wDgw/HABsjeJSYE2+hcrOAOKTvC4qObBB7YuOJu4e1vW5MJKcqBYsLk7+ECwVr +sDhelLXLcvTunR2aLg5jEsgRwHEvOwB7GR1SQ6ABU7w+emCCabJLvYe3stMYKsFE +CxL6hKDjShN0Vyqx6d76Bja6ZsWmMo2SLgz3e/m072imHfmHaAhc5GlAvdOPihzJ +OsRlIGd7jR5+mTikmWZG0s3/IVoEf+udC/CJ/3JyL3NEywQXEogJpPY2Zjv6P8or +6vWvyoIqrXrKZ5k6DxUHJzJdAhmbxZHfCVlwidu+aTfp9M8x5W7tu711wPFwAcEW +/HSQ1mssj7GEzDy2kbhKiEXTRV0YXatVy1L2o/ckYiLFMk0HhYEqFXLV36VUPIRl +h2SOUpsaLbhVuUlT+XF1jXrTc1gOW5woLl8uQ6h84cfcdQj6tUk2ZBzobKjz+zEk +VP/julLL8cGUDemnWeMLWuBClsAuf5pLMg405m1uIBd9kxEHhGKprz/kGhFfGl/3 +PyESdLIq8VD9Grjzb8rgCfL0USepeiCnOTI8uYwRNUUrAFSMqtWrx4zvl1tWdHE9 +1SBJLfQgQKuIaBAtxnHV +=Ful4 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:19/sendmsg.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:19/sendmsg.patch Tue May 17 22:38:19 2016 (r48826) @@ -0,0 +1,12 @@ +--- sys/kern/uipc_syscalls.c.orig ++++ sys/kern/uipc_syscalls.c +@@ -1699,6 +1699,9 @@ + struct mbuf *m; + int error; + ++ if (buflen < 0) ++ return (EINVAL); ++ + if (buflen > MLEN) { + #ifdef COMPAT_OLDSOCK + if (type == MT_SONAME && buflen <= 112) Added: head/share/security/patches/SA-16:19/sendmsg.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:19/sendmsg.patch.asc Tue May 17 22:38:19 2016 (r48826) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJXO2CNAAoJEO1n7NZdz2rnuvcP/R501Yhdfqfmw1XDYqMkKS6L +ehQwFX8rnlbZVfKEhVcZL0kGgo43jyBvuHG55vk6iwC6EjHKE6BSgUVhbRaIdfJ5 +H0gRdUL9q9inTRGLEU7P2D7E0SMsRm+PtKW5F0uw5BfZw2LD1SIBBEKGBN0M48u0 +PhTzIXzgFsvSNFbZ85Un90hi2N67hrq3rOGtxC10/jAGBpGgRGCQKqr0lssIS+6r +7QT3fEH8MQGnYW0RP26rJHh0ae0Wd0DLBdnLG0cHx6bwYEGKb6/GH65Vvl1feMAU +61O6wL3BnrSXfJQmSx34sokhh3BT7pfEEwkw3xtsdqjP6h4PXxiI2l+UlB5eGCAY +kT0eLz7qyR1vXvJUZnXezBdllUu/nWtyMmuUnoM0xnytNYeHAqDoL4o6T4lMERmy +DUn6LvrC8oqdqDKtBpaWMCq2OMb4/mNUvVdn2oh67Tq4ZFLxsGOEMm+lTYJOZdkU +um+KG7LGiWkj9G08yPiayVhDcigvIK9v9/p9E3tv5rNVyCaOvpJsezM7Z+mMIS68 +IG72BvLh+idOaVW1tib9s9nXYQTc1V9u+Fp356/eDSE1h0uEd12l+swwRcz5NmBv +78Ki51E1ZQ87b9J4RacL31MauINyN0SIJI1QRu7lLe62tgGlGKQND6/Na993EdUM +ftK8gS0awc3Rr3Bw540N +=yry1 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue May 17 21:02:25 2016 (r48825) +++ head/share/xml/advisories.xml Tue May 17 22:38:19 2016 (r48826) @@ -11,6 +11,18 @@ 5 + 17 + + + FreeBSD-SA-16:19.sendmsg + + + + FreeBSD-SA-16:18.atkbd + + + + 4
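Review bot: In FreeBSD-SA-16:19.sendmsg.asc, section VI lists stable/10/ as r300093, which is the revision FreeBSD-SA-16:18.atkbd.asc lists for stable/9/, yet the Corrected timestamps for those two entries differ (22:30:43 UTC for stable/10 here, 22:31:12 UTC for stable/9 there). The releng revisions shared by both advisories carry matching timestamps, so this one mismatch looks like a copy-paste error in one of the tables. Please confirm the stable/10 revision for the sendmsg fix against the repository, since readers feed these numbers to svn diff -cNNNNNN to audit the change.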
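Review bot: In atkbd.patch, the replacement line `min(fkeyp->flen, MAXFK)` makes the length bound depend on which helper is called, and nothing in the hunk records why. imin() compares its arguments as signed int, so a negative flen compared as smaller than MAXFK and was stored without clamping; min() compares as unsigned, so the same value is now clamped to MAXFK. A later cleanup could swap the helper back without noticing. Suggest a comment at this line, or an explicit range check on fkeyp->flen that returns EINVAL before the assignment rather than clamping silently through a type conversion.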
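Review bot: In sendmsg.patch, the added `if (buflen < 0) return (EINVAL);` carries no comment, and the existing `if (buflen > MLEN)` test directly below it is the upper-bound check that a negative value passes. Suggest a one-line comment stating that buflen is signed and derived from a sendmsg(2) argument, and consider whether the parameter should be an unsigned type so the single upper-bound test covers both cases. The callers that pass a user-supplied length are not visible in this hunk and are worth checking for the same assumption.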