From: Xin LI
Date: Tue, 14 Jan 2014 19:42:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r260647 - in releng: 8.3 8.3/contrib/bind9/bin/named 8.3/contrib/bsnmp/lib 8.3/contrib/ntp/ntpd 8.3/sys/conf 8.3/sys/dev/random 8.3/sys/vm 8.4 8.4/contrib/bind9/bin/named 8.4/contrib/bs...

Author: delphij
Date: Tue Jan 14 19:42:28 2014
New Revision: 260647
URL: http://svnweb.freebsd.org/changeset/base/260647

Log:
  Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
  Fix ntpd distributed reflection Denial of Service vulnerability. [SA-14:02]
  Fix BIND remote denial of service vulnerability. [SA-14:04]
  Disable hardware RNGs by default. [EN-14:01]
  Fix incorrect coalescing of stack entry with mmap.
[EN-14:02] Approved by: so Modified: releng/8.3/UPDATING releng/8.3/contrib/bind9/bin/named/query.c releng/8.3/contrib/bsnmp/lib/snmpagent.c releng/8.3/contrib/ntp/ntpd/ntp_config.c releng/8.3/sys/conf/newvers.sh releng/8.3/sys/dev/random/probe.c releng/8.3/sys/vm/vm_map.c releng/8.4/UPDATING releng/8.4/contrib/bind9/bin/named/query.c releng/8.4/contrib/bsnmp/lib/snmpagent.c releng/8.4/contrib/ntp/ntpd/ntp_config.c releng/8.4/sys/conf/newvers.sh releng/8.4/sys/dev/random/probe.c releng/8.4/sys/vm/vm_map.c releng/9.1/UPDATING releng/9.1/contrib/bind9/bin/named/query.c releng/9.1/contrib/bsnmp/lib/snmpagent.c releng/9.1/contrib/ntp/ntpd/ntp_config.c releng/9.1/sys/conf/newvers.sh releng/9.1/sys/dev/random/probe.c releng/9.1/sys/vm/vm_map.c releng/9.2/UPDATING releng/9.2/contrib/bind9/bin/named/query.c releng/9.2/contrib/bsnmp/lib/snmpagent.c releng/9.2/contrib/ntp/ntpd/ntp_config.c releng/9.2/sys/conf/newvers.sh releng/9.2/sys/dev/random/probe.c releng/9.2/sys/vm/vm_map.c Modified: releng/8.3/UPDATING ============================================================================== --- releng/8.3/UPDATING Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.3/UPDATING Tue Jan 14 19:42:28 2014 (r260647) 
@@ -15,6 +15,22 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20140114: p14 FreeBSD-SA-14:01.bsnmpd + FreeBSD-SA-14:02.ntpd + FreeBSD-SA-14:04.bind + FreeBSD-EN-14:01.random + FreeBSD-EN-14:02.mmap + Fix bsnmpd remote denial of service vulnerability. [SA-14:01] + + Fix ntpd distributed reflection Denial of Service + vulnerability. [SA-14:02] + + Fix BIND remote denial of service vulnerability. [SA-14:04] + + Disable hardware RNGs by default. [EN-14:01] + + Fix incorrect coalescing of stack entry with mmap. [EN-14:02] + 20131128: p13 FreeBSD-EN-13:05.freebsd-update Fix error in patch for FreeBSD-EN-13:04.freebsd-update. Modified: releng/8.3/contrib/bind9/bin/named/query.c ============================================================================== --- releng/8.3/contrib/bind9/bin/named/query.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.3/contrib/bind9/bin/named/query.c Tue Jan 14 19:42:28 2014 (r260647) @@ -3622,8 +3622,7 @@ query_findclosestnsec3(dns_name_t *qname dns_fixedname_t fixed; dns_hash_t hash; dns_name_t name; - int order; - unsigned int count; + unsigned int skip = 0, labels; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; isc_boolean_t optout; @@ -3636,6 +3635,7 @@ query_findclosestnsec3(dns_name_t *qname dns_name_init(&name, NULL); dns_name_clone(qname, &name); + labels = dns_name_countlabels(&name); /* * Map unknown algorithm to known value. 
@@ -3667,13 +3667,14 @@ query_findclosestnsec3(dns_name_t *qname dns_rdata_reset(&rdata); optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); if (found != NULL && optout && - dns_name_fullcompare(&name, dns_db_origin(db), &order, - &count) == dns_namereln_subdomain) { + dns_name_issubdomain(&name, dns_db_origin(db))) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - count = dns_name_countlabels(&name) - 1; - dns_name_getlabelsequence(&name, 1, count, &name); + skip++; + dns_name_getlabelsequence(qname, skip, labels - skip, + &name); ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "looking for closest provable encloser"); @@ -3691,7 +3692,11 @@ query_findclosestnsec3(dns_name_t *qname ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected covering NSEC3, got an exact match"); - if (found != NULL) + if (found == qname) { + if (skip != 0U) + dns_name_getlabelsequence(qname, skip, labels - skip, + found); + } else if (found != NULL) dns_name_copy(&name, found, NULL); return; } Modified: releng/8.3/contrib/bsnmp/lib/snmpagent.c ============================================================================== --- releng/8.3/contrib/bsnmp/lib/snmpagent.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.3/contrib/bsnmp/lib/snmpagent.c Tue Jan 14 19:42:28 2014 (r260647) 
@@ -488,6 +488,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struc for (cnt = 0; cnt < pdu->error_index; cnt++) { eomib = 1; for (i = non_rep; i < pdu->nbindings; i++) { + + if (resp->nbindings == SNMP_MAX_BINDINGS) + /* PDU is full */ + goto done; + if (cnt == 0) result = do_getnext(&context, &pdu->bindings[i], &resp->bindings[resp->nbindings], pdu); Modified: releng/8.3/contrib/ntp/ntpd/ntp_config.c ============================================================================== --- releng/8.3/contrib/ntp/ntpd/ntp_config.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.3/contrib/ntp/ntpd/ntp_config.c Tue Jan 14 19:42:28 2014 (r260647) @@ -597,6 +597,8 @@ getconfig( #endif /* not SYS_WINNT */ } + proto_config(PROTO_MONITOR, 0, 0., NULL); + for (;;) { if (tok == CONFIG_END) break; Modified: releng/8.3/sys/conf/newvers.sh ============================================================================== --- releng/8.3/sys/conf/newvers.sh Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.3/sys/conf/newvers.sh Tue Jan 14 19:42:28 2014 (r260647) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.3" -BRANCH="RELEASE-p13" +BRANCH="RELEASE-p14" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.3/sys/dev/random/probe.c ============================================================================== --- releng/8.3/sys/dev/random/probe.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.3/sys/dev/random/probe.c Tue Jan 14 19:42:28 2014 (r260647) @@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$"); #include #include +#include +#include #include #include #include 
@@ -57,7 +59,12 @@ random_ident_hardware(struct random_syst /* Then go looking for hardware */ #if defined(__i386__) && !defined(PC98) if (via_feature_rng & VIA_HAS_RNG) { - *systat = random_nehemiah; + int enable; + + enable = 0; + TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); + if (enable) + *systat = random_nehemiah; } #endif } Modified: releng/8.3/sys/vm/vm_map.c ============================================================================== --- releng/8.3/sys/vm/vm_map.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.3/sys/vm/vm_map.c Tue Jan 14 19:42:28 2014 (r260647) @@ -1215,6 +1215,7 @@ charged: } else if ((prev_entry != &map->header) && (prev_entry->eflags == protoeflags) && + (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 && (prev_entry->end == start) && (prev_entry->wired_count == 0) && (prev_entry->uip == uip || @@ -3186,7 +3187,6 @@ vm_map_stack(vm_map_t map, vm_offset_t a * NOTE: We explicitly allow bi-directional stacks. */ orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP); - cow &= ~orient; KASSERT(orient != 0, ("No stack grow direction")); if (addrbos < vm_map_min(map) || Modified: releng/8.4/UPDATING ============================================================================== --- releng/8.4/UPDATING Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.4/UPDATING Tue Jan 14 19:42:28 2014 (r260647) 
@@ -15,6 +15,22 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20140114: p7 FreeBSD-SA-14:01.bsnmpd + FreeBSD-SA-14:02.ntpd + FreeBSD-SA-14:04.bind + FreeBSD-EN-14:01.random + FreeBSD-EN-14:02.mmap + Fix bsnmpd remote denial of service vulnerability. [SA-14:01] + + Fix ntpd distributed reflection Denial of Service + vulnerability. [SA-14:02] + + Fix BIND remote denial of service vulnerability. [SA-14:04] + + Disable hardware RNGs by default. [EN-14:01] + + Fix incorrect coalescing of stack entry with mmap. [EN-14:02] + 20131128: p6 FreeBSD-EN-13:05.freebsd-update Fix error in patch for FreeBSD-EN-13:04.freebsd-update. Modified: releng/8.4/contrib/bind9/bin/named/query.c ============================================================================== --- releng/8.4/contrib/bind9/bin/named/query.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.4/contrib/bind9/bin/named/query.c Tue Jan 14 19:42:28 2014 (r260647) @@ -5088,8 +5088,7 @@ query_findclosestnsec3(dns_name_t *qname dns_fixedname_t fixed; dns_hash_t hash; dns_name_t name; - int order; - unsigned int count; + unsigned int skip = 0, labels; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; isc_boolean_t optout; @@ -5102,6 +5101,7 @@ query_findclosestnsec3(dns_name_t *qname dns_name_init(&name, NULL); dns_name_clone(qname, &name); + labels = dns_name_countlabels(&name); /* * Map unknown algorithm to known value. 
@@ -5133,13 +5133,14 @@ query_findclosestnsec3(dns_name_t *qname dns_rdata_reset(&rdata); optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); if (found != NULL && optout && - dns_name_fullcompare(&name, dns_db_origin(db), &order, - &count) == dns_namereln_subdomain) { + dns_name_issubdomain(&name, dns_db_origin(db))) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - count = dns_name_countlabels(&name) - 1; - dns_name_getlabelsequence(&name, 1, count, &name); + skip++; + dns_name_getlabelsequence(qname, skip, labels - skip, + &name); ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "looking for closest provable encloser"); @@ -5157,7 +5158,11 @@ query_findclosestnsec3(dns_name_t *qname ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected covering NSEC3, got an exact match"); - if (found != NULL) + if (found == qname) { + if (skip != 0U) + dns_name_getlabelsequence(qname, skip, labels - skip, + found); + } else if (found != NULL) dns_name_copy(&name, found, NULL); return; } Modified: releng/8.4/contrib/bsnmp/lib/snmpagent.c ============================================================================== --- releng/8.4/contrib/bsnmp/lib/snmpagent.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.4/contrib/bsnmp/lib/snmpagent.c Tue Jan 14 19:42:28 2014 (r260647) 
@@ -488,6 +488,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struc for (cnt = 0; cnt < pdu->error_index; cnt++) { eomib = 1; for (i = non_rep; i < pdu->nbindings; i++) { + + if (resp->nbindings == SNMP_MAX_BINDINGS) + /* PDU is full */ + goto done; + if (cnt == 0) result = do_getnext(&context, &pdu->bindings[i], &resp->bindings[resp->nbindings], pdu); Modified: releng/8.4/contrib/ntp/ntpd/ntp_config.c ============================================================================== --- releng/8.4/contrib/ntp/ntpd/ntp_config.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.4/contrib/ntp/ntpd/ntp_config.c Tue Jan 14 19:42:28 2014 (r260647) @@ -597,6 +597,8 @@ getconfig( #endif /* not SYS_WINNT */ } + proto_config(PROTO_MONITOR, 0, 0., NULL); + for (;;) { if (tok == CONFIG_END) break; Modified: releng/8.4/sys/conf/newvers.sh ============================================================================== --- releng/8.4/sys/conf/newvers.sh Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.4/sys/conf/newvers.sh Tue Jan 14 19:42:28 2014 (r260647) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.4" -BRANCH="RELEASE-p6" +BRANCH="RELEASE-p7" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.4/sys/dev/random/probe.c ============================================================================== --- releng/8.4/sys/dev/random/probe.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.4/sys/dev/random/probe.c Tue Jan 14 19:42:28 2014 (r260647) @@ -73,7 +73,7 @@ random_ident_hardware(struct random_syst if (via_feature_rng & VIA_HAS_RNG) { int enable; - enable = 1; + enable = 0; TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); if (enable) *systat = random_nehemiah; 
@@ -83,7 +83,7 @@ random_ident_hardware(struct random_syst if (cpu_feature2 & CPUID2_RDRAND) { int enable; - enable = 1; + enable = 0; TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable); if (enable) *systat = random_ivy; Modified: releng/8.4/sys/vm/vm_map.c ============================================================================== --- releng/8.4/sys/vm/vm_map.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/8.4/sys/vm/vm_map.c Tue Jan 14 19:42:28 2014 (r260647) @@ -1217,6 +1217,7 @@ charged: } else if ((prev_entry != &map->header) && (prev_entry->eflags == protoeflags) && + (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 && (prev_entry->end == start) && (prev_entry->wired_count == 0) && (prev_entry->uip == uip || @@ -3189,7 +3190,6 @@ vm_map_stack(vm_map_t map, vm_offset_t a * NOTE: We explicitly allow bi-directional stacks. */ orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP); - cow &= ~orient; KASSERT(orient != 0, ("No stack grow direction")); if (addrbos < vm_map_min(map) || Modified: releng/9.1/UPDATING ============================================================================== --- releng/9.1/UPDATING Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.1/UPDATING Tue Jan 14 19:42:28 2014 (r260647) 
@@ -9,6 +9,22 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140114: p10 FreeBSD-SA-14:01.bsnmpd + FreeBSD-SA-14:02.ntpd + FreeBSD-SA-14:04.bind + FreeBSD-EN-14:01.random + FreeBSD-EN-14:02.mmap + Fix bsnmpd remote denial of service vulnerability. [SA-14:01] + + Fix ntpd distributed reflection Denial of Service + vulnerability. [SA-14:02] + + Fix BIND remote denial of service vulnerability. [SA-14:04] + + Disable hardware RNGs by default. [EN-14:01] + + Fix incorrect coalescing of stack entry with mmap. [EN-14:02] + 20131128: p9 FreeBSD-EN-13:05.freebsd-update Fix error in patch for FreeBSD-EN-13:04.freebsd-update. Modified: releng/9.1/contrib/bind9/bin/named/query.c ============================================================================== --- releng/9.1/contrib/bind9/bin/named/query.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.1/contrib/bind9/bin/named/query.c Tue Jan 14 19:42:28 2014 (r260647) @@ -5022,8 +5022,7 @@ query_findclosestnsec3(dns_name_t *qname dns_fixedname_t fixed; dns_hash_t hash; dns_name_t name; - int order; - unsigned int count; + unsigned int skip = 0, labels; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; isc_boolean_t optout; @@ -5036,6 +5035,7 @@ query_findclosestnsec3(dns_name_t *qname dns_name_init(&name, NULL); dns_name_clone(qname, &name); + labels = dns_name_countlabels(&name); /* * Map unknown algorithm to known value. 
@@ -5067,13 +5067,14 @@ query_findclosestnsec3(dns_name_t *qname dns_rdata_reset(&rdata); optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); if (found != NULL && optout && - dns_name_fullcompare(&name, dns_db_origin(db), &order, - &count) == dns_namereln_subdomain) { + dns_name_issubdomain(&name, dns_db_origin(db))) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - count = dns_name_countlabels(&name) - 1; - dns_name_getlabelsequence(&name, 1, count, &name); + skip++; + dns_name_getlabelsequence(qname, skip, labels - skip, + &name); ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "looking for closest provable encloser"); @@ -5091,7 +5092,11 @@ query_findclosestnsec3(dns_name_t *qname ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected covering NSEC3, got an exact match"); - if (found != NULL) + if (found == qname) { + if (skip != 0U) + dns_name_getlabelsequence(qname, skip, labels - skip, + found); + } else if (found != NULL) dns_name_copy(&name, found, NULL); return; } Modified: releng/9.1/contrib/bsnmp/lib/snmpagent.c ============================================================================== --- releng/9.1/contrib/bsnmp/lib/snmpagent.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.1/contrib/bsnmp/lib/snmpagent.c Tue Jan 14 19:42:28 2014 (r260647) 
@@ -499,6 +499,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struc for (cnt = 0; cnt < pdu->error_index; cnt++) { eomib = 1; for (i = non_rep; i < pdu->nbindings; i++) { + + if (resp->nbindings == SNMP_MAX_BINDINGS) + /* PDU is full */ + goto done; + if (cnt == 0) result = do_getnext(&context, &pdu->bindings[i], &resp->bindings[resp->nbindings], pdu); Modified: releng/9.1/contrib/ntp/ntpd/ntp_config.c ============================================================================== --- releng/9.1/contrib/ntp/ntpd/ntp_config.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.1/contrib/ntp/ntpd/ntp_config.c Tue Jan 14 19:42:28 2014 (r260647) @@ -597,6 +597,8 @@ getconfig( #endif /* not SYS_WINNT */ } + proto_config(PROTO_MONITOR, 0, 0., NULL); + for (;;) { if (tok == CONFIG_END) break; Modified: releng/9.1/sys/conf/newvers.sh ============================================================================== --- releng/9.1/sys/conf/newvers.sh Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.1/sys/conf/newvers.sh Tue Jan 14 19:42:28 2014 (r260647) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.1" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.1/sys/dev/random/probe.c ============================================================================== --- releng/9.1/sys/dev/random/probe.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.1/sys/dev/random/probe.c Tue Jan 14 19:42:28 2014 (r260647) @@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$"); #include #include +#include +#include #include #include #include 
@@ -57,7 +59,12 @@ random_ident_hardware(struct random_syst /* Then go looking for hardware */ #if defined(__amd64__) || (defined(__i386__) && !defined(PC98)) if (via_feature_rng & VIA_HAS_RNG) { - *systat = random_nehemiah; + int enable; + + enable = 0; + TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); + if (enable) + *systat = random_nehemiah; } #endif } Modified: releng/9.1/sys/vm/vm_map.c ============================================================================== --- releng/9.1/sys/vm/vm_map.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.1/sys/vm/vm_map.c Tue Jan 14 19:42:28 2014 (r260647) @@ -1236,6 +1236,7 @@ charged: } else if ((prev_entry != &map->header) && (prev_entry->eflags == protoeflags) && + (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 && (prev_entry->end == start) && (prev_entry->wired_count == 0) && (prev_entry->cred == cred || @@ -3256,7 +3257,6 @@ vm_map_stack(vm_map_t map, vm_offset_t a * NOTE: We explicitly allow bi-directional stacks. */ orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP); - cow &= ~orient; KASSERT(orient != 0, ("No stack grow direction")); if (addrbos < vm_map_min(map) || Modified: releng/9.2/UPDATING ============================================================================== --- releng/9.2/UPDATING Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.2/UPDATING Tue Jan 14 19:42:28 2014 (r260647) 
@@ -11,6 +11,22 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20140114: p3 FreeBSD-SA-14:01.bsnmpd + FreeBSD-SA-14:02.ntpd + FreeBSD-SA-14:04.bind + FreeBSD-EN-14:01.random + FreeBSD-EN-14:02.mmap + Fix bsnmpd remote denial of service vulnerability. [SA-14:01] + + Fix ntpd distributed reflection Denial of Service + vulnerability. [SA-14:02] + + Fix BIND remote denial of service vulnerability. [SA-14:04] + + Disable hardware RNGs by default. [EN-14:01] + + Fix incorrect coalescing of stack entry with mmap. [EN-14:02] + 20131128: p2 FreeBSD-EN-13:05.freebsd-update Fix error in patch for FreeBSD-EN-13:04.freebsd-update. Modified: releng/9.2/contrib/bind9/bin/named/query.c ============================================================================== --- releng/9.2/contrib/bind9/bin/named/query.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.2/contrib/bind9/bin/named/query.c Tue Jan 14 19:42:28 2014 (r260647) @@ -5088,8 +5088,7 @@ query_findclosestnsec3(dns_name_t *qname dns_fixedname_t fixed; dns_hash_t hash; dns_name_t name; - int order; - unsigned int count; + unsigned int skip = 0, labels; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; isc_boolean_t optout; @@ -5102,6 +5101,7 @@ query_findclosestnsec3(dns_name_t *qname dns_name_init(&name, NULL); dns_name_clone(qname, &name); + labels = dns_name_countlabels(&name); /* * Map unknown algorithm to known value. 
@@ -5133,13 +5133,14 @@ query_findclosestnsec3(dns_name_t *qname dns_rdata_reset(&rdata); optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); if (found != NULL && optout && - dns_name_fullcompare(&name, dns_db_origin(db), &order, - &count) == dns_namereln_subdomain) { + dns_name_issubdomain(&name, dns_db_origin(db))) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - count = dns_name_countlabels(&name) - 1; - dns_name_getlabelsequence(&name, 1, count, &name); + skip++; + dns_name_getlabelsequence(qname, skip, labels - skip, + &name); ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "looking for closest provable encloser"); @@ -5157,7 +5158,11 @@ query_findclosestnsec3(dns_name_t *qname ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected covering NSEC3, got an exact match"); - if (found != NULL) + if (found == qname) { + if (skip != 0U) + dns_name_getlabelsequence(qname, skip, labels - skip, + found); + } else if (found != NULL) dns_name_copy(&name, found, NULL); return; } Modified: releng/9.2/contrib/bsnmp/lib/snmpagent.c ============================================================================== --- releng/9.2/contrib/bsnmp/lib/snmpagent.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.2/contrib/bsnmp/lib/snmpagent.c Tue Jan 14 19:42:28 2014 (r260647) 
@@ -499,6 +499,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struc for (cnt = 0; cnt < pdu->error_index; cnt++) { eomib = 1; for (i = non_rep; i < pdu->nbindings; i++) { + + if (resp->nbindings == SNMP_MAX_BINDINGS) + /* PDU is full */ + goto done; + if (cnt == 0) result = do_getnext(&context, &pdu->bindings[i], &resp->bindings[resp->nbindings], pdu); Modified: releng/9.2/contrib/ntp/ntpd/ntp_config.c ============================================================================== --- releng/9.2/contrib/ntp/ntpd/ntp_config.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.2/contrib/ntp/ntpd/ntp_config.c Tue Jan 14 19:42:28 2014 (r260647) @@ -597,6 +597,8 @@ getconfig( #endif /* not SYS_WINNT */ } + proto_config(PROTO_MONITOR, 0, 0., NULL); + for (;;) { if (tok == CONFIG_END) break; Modified: releng/9.2/sys/conf/newvers.sh ============================================================================== --- releng/9.2/sys/conf/newvers.sh Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.2/sys/conf/newvers.sh Tue Jan 14 19:42:28 2014 (r260647) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.2" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.2/sys/dev/random/probe.c ============================================================================== --- releng/9.2/sys/dev/random/probe.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.2/sys/dev/random/probe.c Tue Jan 14 19:42:28 2014 (r260647) @@ -73,7 +73,7 @@ random_ident_hardware(struct random_syst if (via_feature_rng & VIA_HAS_RNG) { int enable; - enable = 1; + enable = 0; TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); if (enable) *systat = random_nehemiah; 
@@ -83,7 +83,7 @@ random_ident_hardware(struct random_syst if (cpu_feature2 & CPUID2_RDRAND) { int enable; - enable = 1; + enable = 0; TUNABLE_INT_FETCH("hw.ivy_rng_enable", &enable); if (enable) *systat = random_ivy; Modified: releng/9.2/sys/vm/vm_map.c ============================================================================== --- releng/9.2/sys/vm/vm_map.c Tue Jan 14 19:38:37 2014 (r260646) +++ releng/9.2/sys/vm/vm_map.c Tue Jan 14 19:42:28 2014 (r260647) @@ -1230,6 +1230,7 @@ charged: } else if ((prev_entry != &map->header) && (prev_entry->eflags == protoeflags) && + (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 && (prev_entry->end == start) && (prev_entry->wired_count == 0) && (prev_entry->cred == cred || @@ -3260,7 +3261,6 @@ vm_map_stack(vm_map_t map, vm_offset_t a * NOTE: We explicitly allow bi-directional stacks. */ orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP); - cow &= ~orient; KASSERT(orient != 0, ("No stack grow direction")); if (addrbos < vm_map_min(map) ||
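Review bot: In query_findclosestnsec3 (contrib/bind9/bin/named/query.c, same change in all four branches), the new `dns_name_getlabelsequence(qname, skip, labels - skip, &name)` computes `labels - skip` in unsigned arithmetic and nothing in the hunk keeps `skip` below `labels`; termination depends on `dns_name_issubdomain(&name, dns_db_origin(db))` turning false first. An explicit `skip < labels` condition, or an assertion next to `skip++`, would make that invariant local to the loop. The `found == qname` branch also needs a one-line comment saying that it handles the output name aliasing the query name, which is then sliced in place instead of being copied from `name`; the reason is not evident from the code.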
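Review bot: In snmp_getbulk (contrib/bsnmp/lib/snmpagent.c), the new bound check sits only inside the repeater loop `for (i = non_rep; i < pdu->nbindings; i++)`; the hunk does not show whether the non-repeater bindings written before it are held to SNMP_MAX_BINDINGS as well, so please confirm that path cannot index past `resp->bindings` either. I would also write the test as `resp->nbindings >= SNMP_MAX_BINDINGS` and brace the body, since an unbraced `if` followed by a comment line and then `goto done;` is easy to break in a later edit.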
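Review bot: The `proto_config(PROTO_MONITOR, 0, 0., NULL);` call added to getconfig (contrib/ntp/ntpd/ntp_config.c) carries no comment, and its position before the `for (;;)` token loop is what makes it a default that the configuration can still change, because it runs before any token is processed. A short comment saying so, plus a line in the UPDATING entry telling operators that the monitor default changes, would keep this from reading as a stray call and from surprising anyone who relies on the previous default.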
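Review bot: In random_ident_hardware (sys/dev/random/probe.c), `enable` now starts at 0, so the VIA RNG (and, in the 8.4 and 9.2 copies, the CPUID2_RDRAND source) is selected only when `hw.nehemiah_rng_enable` or `hw.ivy_rng_enable` is set, yet the UPDATING text says only "Disable hardware RNGs by default." and names neither tunable. Please add the tunable names to the UPDATING entries so operators know how to get the previous behaviour back. The 8.3 and 9.1 hunks gate only the VIA branch; if those branches have no RDRAND code that is fine, but it is worth saying so in the log.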
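Review bot: The condition added in the coalescing path after the `charged:` label in sys/vm/vm_map.c masks `cow` with `MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP`, while vm_map_stack extracts the same information from `cow` with `MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP`. The new test is correct only if the two sets of constants have identical bit values; using the MAP_STACK_* names here would remove that dependency. Since `cow &= ~orient;` is dropped so that these bits reach the insert path, please also check that nothing else consuming `cow` downstream misreads the orientation bits.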