From owner-svn-src-releng@freebsd.org Tue Aug 18 19:30:20 2015 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ECEB99BCB98; Tue, 18 Aug 2015 19:30:19 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B65171CB8; Tue, 18 Aug 2015 19:30:19 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t7IJUJDr089535; Tue, 18 Aug 2015 19:30:19 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t7IJUIBl089529; Tue, 18 Aug 2015 19:30:18 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201508181930.t7IJUIBl089529@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 18 Aug 2015 19:30:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r286901 - in releng/10.2: . contrib/expat/lib sys/conf usr.bin/netstat usr.sbin/vidcontrol X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Aug 2015 19:30:20 -0000 Author: delphij Date: Tue Aug 18 19:30:17 2015 New Revision: 286901 URL: https://svnweb.freebsd.org/changeset/base/286901 Log: Fix multiple integer overflows in expat. Security: CVE-2015-1283 Security: FreeBSD-SA-15:20.expat Fix make(1) syntax errors when upgrading from 9.x and earlier. [EN-15:11] Fix incorrect netstat(1) data handling on 32-bit systems. [EN-15:12] Allow size argument to vidcontrol(1) for syscons(4). [EN-15:13] Approved by: so Modified: releng/10.2/Makefile.inc1 releng/10.2/UPDATING releng/10.2/contrib/expat/lib/xmlparse.c releng/10.2/sys/conf/newvers.sh releng/10.2/usr.bin/netstat/main.c releng/10.2/usr.sbin/vidcontrol/vidcontrol.c Modified: releng/10.2/Makefile.inc1 ============================================================================== --- releng/10.2/Makefile.inc1 Tue Aug 18 19:30:05 2015 (r286900) +++ releng/10.2/Makefile.inc1 Tue Aug 18 19:30:17 2015 (r286901) @@ -133,8 +133,8 @@ OSRELDATE= 0 .endif .if !defined(VERSION) -REVISION!= make -C ${SRCDIR}/release -V REVISION -BRANCH!= make -C ${SRCDIR}/release -V BRANCH +REVISION!= ${MAKE} -C ${SRCDIR}/release -V REVISION +BRANCH!= ${MAKE} -C ${SRCDIR}/release -V BRANCH SRCRELDATE!= awk '/^\#define[[:space:]]*__FreeBSD_version/ { print $$3 }' \ ${SRCDIR}/sys/sys/param.h VERSION= FreeBSD ${REVISION}-${BRANCH:C/-p[0-9]+$//} ${TARGET_ARCH} ${SRCRELDATE} Modified: releng/10.2/UPDATING ============================================================================== --- releng/10.2/UPDATING Tue Aug 18 19:30:05 2015 (r286900) +++ releng/10.2/UPDATING Tue Aug 18 19:30:17 2015 (r286901) @@ -16,7 +16,23 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. -20150817: +20150818: p1 FreeBSD-SA-15:20.expat + FreeBSD-EN-15:11.toolchain + FreeBSD-EN-15:12.netstat + FreeBSD-EN-15:13.vidcontrol + + Fix multiple integer overflows in expat (libbsdxml) XML parser. + [SA-15:20] + + Fix make(1) syntax errors when upgrading from 9.x and earlier. + [EN-15:11] + + Fix incorrect netstat(1) data handling on 32-bit systems. + [EN-15:12] + + Allow size argument to vidcontrol(1) for syscons(4). [EN-15:13] + +20150813: 10.2-RELEASE. 20150703: Modified: releng/10.2/contrib/expat/lib/xmlparse.c ============================================================================== --- releng/10.2/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:05 2015 (r286900) +++ releng/10.2/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:17 2015 (r286901) @@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Tue Aug 18 19:30:05 2015 (r286900) +++ releng/10.2/sys/conf/newvers.sh Tue Aug 18 19:30:17 2015 (r286901) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE" +BRANCH="RELEASE-p1" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.2/usr.bin/netstat/main.c ============================================================================== --- releng/10.2/usr.bin/netstat/main.c Tue Aug 18 19:30:05 2015 (r286900) +++ releng/10.2/usr.bin/netstat/main.c Tue Aug 18 19:30:17 2015 (r286901) @@ -785,19 +785,31 @@ kread_counter(u_long addr) int kread_counters(u_long addr, void *buf, size_t size) { - uint64_t *c = buf; + uint64_t *c; + u_long *counters; + size_t i, n; if (kvmd_init() < 0) return (-1); - if (kread(addr, buf, size) < 0) + if (size % sizeof(uint64_t) != 0) { + warnx("kread_counters: invalid counter set size"); return (-1); + } - while (size != 0) { - *c = kvm_counter_u64_fetch(kvmd, *c); - size -= sizeof(*c); - c++; + n = size / sizeof(uint64_t); + if ((counters = malloc(n * sizeof(u_long))) == NULL) + err(-1, "malloc"); + if (kread(addr, counters, n * sizeof(u_long)) < 0) { + free(counters); + return (-1); } + + c = buf; + for (i = 0; i < n; i++) + c[i] = kvm_counter_u64_fetch(kvmd, counters[i]); + + free(counters); return (0); } Modified: releng/10.2/usr.sbin/vidcontrol/vidcontrol.c ============================================================================== --- releng/10.2/usr.sbin/vidcontrol/vidcontrol.c Tue Aug 18 19:30:05 2015 (r286900) +++ releng/10.2/usr.sbin/vidcontrol/vidcontrol.c Tue Aug 18 19:30:17 2015 (r286901) @@ -1343,7 +1343,7 @@ main(int argc, char **argv) if (vt4_mode) opts = "b:Cc:fg:h:Hi:M:m:pPr:S:s:T:t:x"; else - opts = "b:Cc:df:g:h:Hi:l:LM:m:pPr:S:s:T:t:x"; + opts = "b:Cc:dfg:h:Hi:l:LM:m:pPr:S:s:T:t:x"; while ((opt = getopt(argc, argv, opts)) != -1) switch(opt) { From owner-svn-src-releng@freebsd.org Tue Aug 18 19:30:38 2015 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4D4959BCBCF; Tue, 18 Aug 2015 19:30:38 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3CC0D1E79; Tue, 18 Aug 2015 19:30:38 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t7IJUcLW089596; Tue, 18 Aug 2015 19:30:38 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t7IJUagT089590; Tue, 18 Aug 2015 19:30:36 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201508181930.t7IJUagT089590@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 18 Aug 2015 19:30:36 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r286902 - in releng: 10.1 10.1/contrib/expat/lib 10.1/sys/conf 9.3 9.3/contrib/expat/lib 9.3/sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Aug 2015 19:30:38 -0000 Author: delphij Date: Tue Aug 18 19:30:35 2015 New Revision: 286902 URL: https://svnweb.freebsd.org/changeset/base/286902 Log: Fix multiple integer overflows in expat. Security: CVE-2015-1283 Security: FreeBSD-SA-15:20.expat Approved by: so Modified: releng/10.1/UPDATING releng/10.1/contrib/expat/lib/xmlparse.c releng/10.1/sys/conf/newvers.sh releng/9.3/UPDATING releng/9.3/contrib/expat/lib/xmlparse.c releng/9.3/sys/conf/newvers.sh Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/UPDATING Tue Aug 18 19:30:35 2015 (r286902) @@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150818: p1 FreeBSD-SA-15:20.expat + + Fix multiple integer overflows in expat (libbsdxml) XML parser. + [SA-15:20] + 20150805: p17 FreeBSD-SA-15:18.bsdpatch FreeBSD-SA-15:19.routed Modified: releng/10.1/contrib/expat/lib/xmlparse.c ============================================================================== --- releng/10.1/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:35 2015 (r286902) @@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Tue Aug 18 19:30:17 2015 (r286901) +++ releng/10.1/sys/conf/newvers.sh Tue Aug 18 19:30:35 2015 (r286902) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p17" +BRANCH="RELEASE-p18" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/UPDATING Tue Aug 18 19:30:35 2015 (r286902) @@ -11,6 +11,11 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20150818: p23 FreeBSD-SA-15:20.expat + + Fix multiple integer overflows in expat (libbsdxml) XML parser. + [SA-15:20] + 20150805: p22 FreeBSD-SA-15:19.routed Fix routed remote denial of service vulnerability. Modified: releng/9.3/contrib/expat/lib/xmlparse.c ============================================================================== --- releng/9.3/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:35 2015 (r286902) @@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l void * XMLCALL XML_GetBuffer(XML_Parser parser, int len) { +/* BEGIN MOZILLA CHANGE (sanity check len) */ + if (len < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ switch (ps_parsing) { case XML_SUSPENDED: errorCode = XML_ERROR_SUSPENDED; @@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - /* FIXME avoid integer overflow */ int neededSize = len + (int)(bufferEnd - bufferPtr); +/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ + if (neededSize < 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ #ifdef XML_CONTEXT_BYTES int keep = (int)(bufferPtr - buffer); @@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len bufferSize = INIT_BUFFER_SIZE; do { bufferSize *= 2; - } while (bufferSize < neededSize); +/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ + } while (bufferSize < neededSize && bufferSize > 0); +/* END MOZILLA CHANGE */ +/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ + if (bufferSize <= 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } +/* END MOZILLA CHANGE */ newBuf = (char *)MALLOC(bufferSize); if (newBuf == 0) { errorCode = XML_ERROR_NO_MEMORY; Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Tue Aug 18 19:30:17 2015 (r286901) +++ releng/9.3/sys/conf/newvers.sh Tue Aug 18 19:30:35 2015 (r286902) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p22" +BRANCH="RELEASE-p23" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@freebsd.org Tue Aug 18 20:21:46 2015 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 566739BDE8B; Tue, 18 Aug 2015 20:21:46 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 46FC81DED; Tue, 18 Aug 2015 20:21:46 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t7IKLk9E015783; Tue, 18 Aug 2015 20:21:46 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t7IKLkT3015782; Tue, 18 Aug 2015 20:21:46 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201508182021.t7IKLkT3015782@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 18 Aug 2015 20:21:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r286905 - releng/10.1 X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Aug 2015 20:21:46 -0000 Author: delphij Date: Tue Aug 18 20:21:45 2015 New Revision: 286905 URL: https://svnweb.freebsd.org/changeset/base/286905 Log: Fix patchlevel in UPDATING. Spotted by: pluknet Approved by: so Modified: releng/10.1/UPDATING Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Tue Aug 18 20:19:48 2015 (r286904) +++ releng/10.1/UPDATING Tue Aug 18 20:21:45 2015 (r286905) @@ -16,7 +16,7 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. -20150818: p1 FreeBSD-SA-15:20.expat +20150818: p18 FreeBSD-SA-15:20.expat Fix multiple integer overflows in expat (libbsdxml) XML parser. [SA-15:20]