Date: Wed, 7 Mar 2018 05:53:35 +0000 (UTC) From: Gordon Tetlow <gordon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r330566 - in releng: 10.3 10.3/sys/conf 10.3/sys/netipsec 10.4 10.4/sys/conf 10.4/sys/netipsec 11.1 11.1/sys/conf 11.1/sys/netipsec Message-ID: <201803070553.w275rZaw087939@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: gordon Date: Wed Mar 7 05:53:35 2018 New Revision: 330566 URL: https://svnweb.freebsd.org/changeset/base/330566 Log: Fix ipsec validation and use-after-free. [SA-18:01.ipsec] Approved by: so Security: FreeBSD-SA-18:01.ipsec Security: CVE-2018-6916 Modified: releng/10.3/UPDATING releng/10.3/sys/conf/newvers.sh releng/10.3/sys/netipsec/xform_ah.c releng/10.4/UPDATING releng/10.4/sys/conf/newvers.sh releng/10.4/sys/netipsec/xform_ah.c releng/11.1/UPDATING releng/11.1/sys/conf/newvers.sh releng/11.1/sys/netipsec/xform_ah.c Modified: releng/10.3/UPDATING ============================================================================== --- releng/10.3/UPDATING Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.3/UPDATING Wed Mar 7 05:53:35 2018 (r330566) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG to b stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20180307 p27 FreeBSD-SA-18:01.ipsec + FreeBSD-SA-18:02.ntp + FreeBSD-EN-18:01.tzdata + FreeBSD-EN-18:02.file + + Fix ipsec validation and use-after-free. [SA-18:01.ipsec] + + Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] + + Update timezone database information. [EN-18:01.tzdata] + + Update file(1) to new version with security update. [EN-18:02.file] + 20171209 p26 FreeBSD-SA-17:12.openssl Fix OpenSSL error state vulnerability. Modified: releng/10.3/sys/conf/newvers.sh ============================================================================== --- releng/10.3/sys/conf/newvers.sh Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.3/sys/conf/newvers.sh Wed Mar 7 05:53:35 2018 (r330566) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p26" +BRANCH="RELEASE-p27" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.3/sys/netipsec/xform_ah.c ============================================================================== --- releng/10.3/sys/netipsec/xform_ah.c Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.3/sys/netipsec/xform_ah.c Wed Mar 7 05:53:35 2018 (r330566) @@ -615,6 +615,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski m_freem(m); return EACCES; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -680,6 +690,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -704,7 +717,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; + tc->tc_nxt = hl; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */ Modified: releng/10.4/UPDATING ============================================================================== --- releng/10.4/UPDATING Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.4/UPDATING Wed Mar 7 05:53:35 2018 (r330566) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG to b stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20180307 p6 FreeBSD-SA-18:01.ipsec + FreeBSD-SA-18:02.ntp + FreeBSD-EN-18:01.tzdata + FreeBSD-EN-18:02.file + + Fix ipsec validation and use-after-free. [SA-18:01.ipsec] + + Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] + + Update timezone database information. [EN-18:01.tzdata] + + Update file(1) to new version with security update. [EN-18:02.file] + 20171209 p5 FreeBSD-SA-17:12.openssl Fix OpenSSL error state vulnerability. Modified: releng/10.4/sys/conf/newvers.sh ============================================================================== --- releng/10.4/sys/conf/newvers.sh Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.4/sys/conf/newvers.sh Wed Mar 7 05:53:35 2018 (r330566) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.4" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.4/sys/netipsec/xform_ah.c ============================================================================== --- releng/10.4/sys/netipsec/xform_ah.c Wed Mar 7 05:47:48 2018 (r330565) +++ releng/10.4/sys/netipsec/xform_ah.c Wed Mar 7 05:53:35 2018 (r330566) @@ -615,6 +615,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski m_freem(m); return EACCES; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -680,6 +690,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -704,7 +717,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; + tc->tc_nxt = hl; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */ Modified: releng/11.1/UPDATING ============================================================================== --- releng/11.1/UPDATING Wed Mar 7 05:47:48 2018 (r330565) +++ releng/11.1/UPDATING Wed Mar 7 05:53:35 2018 (r330566) @@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20180307 p7 FreeBSD-SA-18:01.ipsec + FreeBSD-SA-18:02.ntp + FreeBSD-EN-18:01.tzdata + FreeBSD-EN-18:02.file + + Fix ipsec validation and use-after-free. [SA-18:01.ipsec] + + Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] + + Update timezone database information. [EN-18:01.tzdata] + + Update file(1) to new version with security update. [EN-18:02.file] + 20171209 p6 FreeBSD-SA-17:12.openssl Fix multiple vulnerabilities of OpenSSL. Modified: releng/11.1/sys/conf/newvers.sh ============================================================================== --- releng/11.1/sys/conf/newvers.sh Wed Mar 7 05:47:48 2018 (r330565) +++ releng/11.1/sys/conf/newvers.sh Wed Mar 7 05:53:35 2018 (r330566) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.1" -BRANCH="RELEASE-p6" +BRANCH="RELEASE-p7" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.1/sys/netipsec/xform_ah.c ============================================================================== --- releng/11.1/sys/netipsec/xform_ah.c Wed Mar 7 05:47:48 2018 (r330565) +++ releng/11.1/sys/netipsec/xform_ah.c Wed Mar 7 05:53:35 2018 (r330566) @@ -598,6 +598,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski error = EACCES; goto bad; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -642,6 +652,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -664,7 +677,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int ski /* These are passed as-is to the callback. */ xd->sav = sav; - xd->nxt = ah->ah_nxt; + xd->nxt = hl; xd->protoff = protoff; xd->skip = skip; xd->cryptoid = cryptoid;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201803070553.w275rZaw087939>