Date:      Wed, 12 Sep 2018 05:22:58 +0000 (UTC)
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r52250 - in head/share: security/advisories security/patches/EN-18:08 security/patches/SA-18:12 xml
Message-ID:  <201809120522.w8C5MwJh031147@repo.freebsd.org>

Author: gordon (src,ports committer)
Date: Wed Sep 12 05:22:58 2018
New Revision: 52250
URL: https://svnweb.freebsd.org/changeset/doc/52250

Log:
  Add SA-18:12, EN-18:08.
  
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-18:12.elf.asc   (contents, props changed)
  head/share/security/patches/EN-18:08/
  head/share/security/patches/EN-18:08/lazyfpu-11.patch   (contents, props changed)
  head/share/security/patches/EN-18:08/lazyfpu-11.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:12/
  head/share/security/patches/SA-18:12/elf.patch   (contents, props changed)
  head/share/security/patches/SA-18:12/elf.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc	Wed Sep 12 05:22:58 2018	(r52250)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:08.lazyfpu                                        Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          LazyFPU remediation causes potential data corruption
+
+Category:       core
+Module:         kernel
+Announced:      2018-09-12
+Credits:        Gleb Kurtsou
+Affects:        FreeBSD 10.4-STABLE, 11.1 and later.
+Corrected:      2018-07-31 10:18:30 UTC (stable/11, 11.1-STABLE)
+                2018-09-12 05:08:49 UTC (releng/11.2, 11.2-RELEASE-p3)
+                2018-09-12 05:08:49 UTC (releng/11.1, 11.1-RELEASE-p14)
+                2018-08-03 14:12:37 UTC (stable/10, 10.4-STABLE)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+Special Note: While SA-18:07.lazyfpu has been fixed in 10.4-STABLE, it has
+yet to be released for 10.4-RELEASE.  As such, this EN does not apply for
+that release.  Once SA-18:07.lazyfpu has been updated for 10.4-RELEASE,
+this EN will be incorporated at that time.
+
+I.   Background
+
+The recent security advisory titled SA-18:07.lazyfpu resolved an issue in the
+floating point unit (FPU) state handling.
+
+II.  Problem Description
+
+As a result of fixing the issue described in SA-18:07.lazyfpu, a regression
+was introduced.  FPU state manipulation did not sufficiently prevent context
+switches potentially allowing partially modified FPU context to be switched
+out.  Upon returning the thread to a running state, stale FPU context could
+be reloaded.
+
+III. Impact
+
+The regression could potentially cause an inconsistent FPU state, leading to
+data corruption.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:08/lazyfpu-11.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:08/lazyfpu-11.patch.asc
+# gpg --verify lazyfpu-11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r337254
+stable/11/                                                        r336963
+releng/11.1/                                                      r338607
+releng/11.2/                                                      r338607
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+The security advisory that introduced the regression is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:08.lazyfpu.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=+nM+
+-----END PGP SIGNATURE-----
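Review bot: the Corrected field labels stable/11 as "11.1-STABLE" while the very next line records releng/11.2 at 11.2-RELEASE-p3, so stable/11 is already past the 11.2 branch point and the label should read 11.2-STABLE. Separately, Section V offers only a `[FreeBSD 11.x]` source patch although Affects lists 10.4-STABLE; that matches the Special Note about 10.4-RELEASE, but stable/10 users are left to find r337254 in Section VI on their own, so a sentence in Section V pointing them there would help.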

Added: head/share/security/advisories/FreeBSD-SA-18:12.elf.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:12.elf.asc	Wed Sep 12 05:22:58 2018	(r52250)
@@ -0,0 +1,128 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:12.elf                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Improper ELF header parsing
+
+Category:       core
+Module:         kernel
+Announced:      2018-09-12
+Credits:        Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
+                2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
+                2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
+                2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
+                2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
+CVE Name:       CVE-2018-6924
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+To execute a binary the kernel must parse the ELF header to determine the
+entry point address, the program interpreter, and other parameters.
+
+II.  Problem Description
+
+Insufficient validation was performed in the ELF header parser, and malformed
+or otherwise invalid ELF binaries were not rejected as they should be.
+
+III. Impact
+
+Execution of a malicious ELF binary may result in a kernel crash or may
+disclose kernel memory.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +30 "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
+# gpg --verify elf.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r338605
+releng/10.4/                                                      r338606
+stable/11/                                                        r338604
+releng/11.1/                                                      r338606
+releng/11.2/                                                      r338606
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=J/a5
+-----END PGP SIGNATURE-----
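Review bot: the Problem Description stays entirely generic ("insufficient validation ... malformed or otherwise invalid ELF binaries were not rejected"), while the accompanying elf.patch shows exactly two checks being added: a minimum length and NUL-termination requirement on the PT_INTERP path, and rejection of negative file offsets in vn_rdwr(). Naming those two conditions here would let administrators map the "kernel crash or may disclose kernel memory" impact onto something concrete. The same stable/11 label issue as in EN-18:08 applies: "11.1-STABLE" on the stable/11 line is inconsistent with releng/11.2 being listed at 11.2-RELEASE-p3 below it.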

Added: head/share/security/patches/EN-18:08/lazyfpu-11.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-18:08/lazyfpu-11.patch	Wed Sep 12 05:22:58 2018	(r52250)
@@ -0,0 +1,272 @@
+--- sys/amd64/amd64/fpu.c.orig
++++ sys/amd64/amd64/fpu.c
+@@ -744,6 +744,7 @@
+ 	int max_ext_n, i, owned;
+ 
+ 	pcb = td->td_pcb;
++	critical_enter();
+ 	if ((pcb->pcb_flags & PCB_USERFPUINITDONE) == 0) {
+ 		bcopy(fpu_initialstate, get_pcb_user_save_pcb(pcb),
+ 		    cpu_max_ext_state_size);
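Review bot: moving critical_enter() above the PCB_USERFPUINITDONE test means fpuuserinited(td) in the not-yet-initialised branch now runs with preemption disabled, which the CRITICAL_ASSERT this patch adds to fpuuserinited() demands; the paired critical_exit() before the early `return (_MC_FPOWNED_PCB)` lives in the following hunk. Because the function now holds a critical section from this point to every return, a one-line comment above critical_enter() saying so would stop a future early return from silently leaking the section.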
+@@ -750,9 +751,9 @@
+ 		get_pcb_user_save_pcb(pcb)->sv_env.en_cw =
+ 		    pcb->pcb_initial_fpucw;
+ 		fpuuserinited(td);
++		critical_exit();
+ 		return (_MC_FPOWNED_PCB);
+ 	}
+-	critical_enter();
+ 	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ 		fpusave(get_pcb_user_save_pcb(pcb));
+ 		owned = _MC_FPOWNED_FPU;
+@@ -759,7 +760,6 @@
+ 	} else {
+ 		owned = _MC_FPOWNED_PCB;
+ 	}
+-	critical_exit();
+ 	if (use_xsave) {
+ 		/*
+ 		 * Handle partially saved state.
+@@ -779,6 +779,7 @@
+ 			*xstate_bv |= bit;
+ 		}
+ 	}
++	critical_exit();
+ 	return (owned);
+ }
+ 
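Review bot: with critical_exit() moved past the use_xsave block, the partial-state fix-up (the loop ending in `*xstate_bv |= bit`) now executes with preemption disabled. That is the EN's fix, a context switch between fpusave() and this fix-up could otherwise switch out a half-updated save area, but it also means nothing inside the block may sleep or fault. The visible lines only touch the save area already in the pcb, which is fine; the elided middle of the block should be checked for anything that can block.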
+@@ -787,6 +788,7 @@
+ {
+ 	struct pcb *pcb;
+ 
++	CRITICAL_ASSERT(td);
+ 	pcb = td->td_pcb;
+ 	if (PCB_USER_FPU(pcb))
+ 		set_pcb_flags(pcb,
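Review bot: CRITICAL_ASSERT(td) turns "caller holds a critical section" into fpuuserinited()'s contract. This patch adjusts the callers in fpugetregs(), fpusetregs() and the amd64 set_fpregs(), but any caller elsewhere in the tree that is not touched here would now trip the assertion on an INVARIANTS kernel and keep the old race on a kernel built without INVARIANTS, where the assertion is not compiled in. The remaining callers should be grepped for before merge, and the requirement stated in the function comment since the assertion alone does not enforce it everywhere.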
+@@ -845,26 +847,25 @@
+ 
+ 	addr->sv_env.en_mxcsr &= cpu_mxcsr_mask;
+ 	pcb = td->td_pcb;
++	error = 0;
+ 	critical_enter();
+ 	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ 		error = fpusetxstate(td, xfpustate, xfpustate_size);
+-		if (error != 0) {
+-			critical_exit();
+-			return (error);
++		if (error == 0) {
++			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++			fpurestore(get_pcb_user_save_td(td));
++			set_pcb_flags(pcb, PCB_FPUINITDONE |
++			    PCB_USERFPUINITDONE);
+ 		}
+-		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+-		fpurestore(get_pcb_user_save_td(td));
+-		critical_exit();
+-		set_pcb_flags(pcb, PCB_FPUINITDONE | PCB_USERFPUINITDONE);
+ 	} else {
+-		critical_exit();
+ 		error = fpusetxstate(td, xfpustate, xfpustate_size);
+-		if (error != 0)
+-			return (error);
+-		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+-		fpuuserinited(td);
++		if (error == 0) {
++			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++			fpuuserinited(td);
++		}
+ 	}
+-	return (0);
++	critical_exit();
++	return (error);
+ }
+ 
+ /*
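Review bot: in the else branch, fpusetxstate() used to run after critical_exit() and now runs inside the critical section, which now spans from the critical_enter() at the top to the single exit before `return (error)`. That is the right shape for the fix, but it requires fpusetxstate() to operate only on kernel memory (the xfpustate buffer must already have been copied in by the caller), since a page fault inside a critical section is not permitted; worth confirming at the call sites and recording in a comment. The `error = 0;` initialisation is redundant because both branches assign error, but it is harmless.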
+@@ -1037,6 +1038,7 @@
+ 		ctx->flags = FPU_KERN_CTX_DUMMY | FPU_KERN_CTX_INUSE;
+ 		return (0);
+ 	}
++	critical_enter();
+ 	KASSERT(!PCB_USER_FPU(pcb) || pcb->pcb_save ==
+ 	    get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
+ 	ctx->flags = FPU_KERN_CTX_INUSE;
+@@ -1047,6 +1049,7 @@
+ 	pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
+ 	set_pcb_flags(pcb, PCB_KERNFPU);
+ 	clear_pcb_flags(pcb, PCB_FPUINITDONE);
++	critical_exit();
+ 	return (0);
+ }
+ 
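Review bot: no path between the critical_enter() and critical_exit() added here can return early (the FPU_KERN_CTX_DUMMY return sits above the enter, and the KASSERT panics rather than returns), so the section is balanced. The gain is that the pcb_save swap and the PCB_KERNFPU / PCB_FPUINITDONE flag updates now happen as one unit with respect to a context switch, instead of leaving a window where pcb_save already points at the kernel context while the flags still describe user state.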
+@@ -1065,7 +1068,6 @@
+ 
+ 		clear_pcb_flags(pcb,  PCB_FPUNOSAVE | PCB_FPUINITDONE);
+ 		start_emulating();
+-		critical_exit();
+ 	} else {
+ 		KASSERT((ctx->flags & FPU_KERN_CTX_INUSE) != 0,
+ 		    ("leaving not inuse ctx"));
+@@ -1079,7 +1081,6 @@
+ 		critical_enter();
+ 		if (curthread == PCPU_GET(fpcurthread))
+ 			fpudrop();
+-		critical_exit();
+ 		pcb->pcb_save = ctx->prev;
+ 	}
+ 
+@@ -1096,6 +1097,7 @@
+ 			clear_pcb_flags(pcb, PCB_FPUINITDONE);
+ 		KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
+ 	}
++	critical_exit();
+ 	return (0);
+ }
+ 
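Review bot: the single critical_exit() added before `return (0)` now serves both branches of fpu_kern_leave(), but only the else branch's critical_enter() (just before fpudrop()) is visible in these hunks; the first branch, whose own critical_exit() is removed after start_emulating(), relies on a critical section that must already be held on entry. That precondition should be stated in a comment at the top of the function, otherwise a reader sees an exit with no matching enter on that path. The upside is that `pcb->pcb_save = ctx->prev` and the flag handling that follows now run inside the section, closing the window between fpudrop() and the pcb_save restore that the EN describes.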
+--- sys/amd64/amd64/machdep.c.orig
++++ sys/amd64/amd64/machdep.c
+@@ -2158,8 +2158,10 @@
+ set_fpregs(struct thread *td, struct fpreg *fpregs)
+ {
+ 
++	critical_enter();
+ 	set_fpregs_xmm(fpregs, get_pcb_user_save_td(td));
+ 	fpuuserinited(td);
++	critical_exit();
+ 	return (0);
+ }
+ 
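Review bot: set_fpregs() now runs set_fpregs_xmm() and fpuuserinited() with preemption disabled, so `fpregs` must point at kernel memory already populated by the caller; a fault on it inside the section would not be allowed. The wrapper is needed because fpuuserinited() now asserts a critical section, but that requirement on the argument is new to this function and should be written down in its comment so a later caller does not hand it a user pointer.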
+--- sys/i386/i386/machdep.c.orig
++++ sys/i386/i386/machdep.c
+@@ -3004,6 +3004,7 @@
+ set_fpregs(struct thread *td, struct fpreg *fpregs)
+ {
+ 
++	critical_enter();
+ 	if (cpu_fxsr)
+ 		npx_set_fpregs_xmm((struct save87 *)fpregs,
+ 		    &get_pcb_user_save_td(td)->sv_xmm);
+@@ -3011,6 +3012,7 @@
+ 		bcopy(fpregs, &get_pcb_user_save_td(td)->sv_87,
+ 		    sizeof(*fpregs));
+ 	npxuserinited(td);
++	critical_exit();
+ 	return (0);
+ }
+ 
+--- sys/i386/isa/npx.c.orig
++++ sys/i386/isa/npx.c
+@@ -974,14 +974,15 @@
+ 		return (_MC_FPOWNED_NONE);
+ 
+ 	pcb = td->td_pcb;
++	critical_enter();
+ 	if ((pcb->pcb_flags & PCB_NPXINITDONE) == 0) {
+ 		bcopy(npx_initialstate, get_pcb_user_save_pcb(pcb),
+ 		    cpu_max_ext_state_size);
+ 		SET_FPU_CW(get_pcb_user_save_pcb(pcb), pcb->pcb_initial_npxcw);
+ 		npxuserinited(td);
++		critical_exit();
+ 		return (_MC_FPOWNED_PCB);
+ 	}
+-	critical_enter();
+ 	if (td == PCPU_GET(fpcurthread)) {
+ 		fpusave(get_pcb_user_save_pcb(pcb));
+ 		if (!cpu_fxsr)
+@@ -995,7 +996,6 @@
+ 	} else {
+ 		owned = _MC_FPOWNED_PCB;
+ 	}
+-	critical_exit();
+ 	if (use_xsave) {
+ 		/*
+ 		 * Handle partially saved state.
+@@ -1018,6 +1018,7 @@
+ 			*xstate_bv |= bit;
+ 		}
+ 	}
++	critical_exit();
+ 	return (owned);
+ }
+ 
+@@ -1026,6 +1027,7 @@
+ {
+ 	struct pcb *pcb;
+ 
++	CRITICAL_ASSERT(td);
+ 	pcb = td->td_pcb;
+ 	if (PCB_USER_FPU(pcb))
+ 		pcb->pcb_flags |= PCB_NPXINITDONE;
+@@ -1083,28 +1085,26 @@
+ 	if (cpu_fxsr)
+ 		addr->sv_xmm.sv_env.en_mxcsr &= cpu_mxcsr_mask;
+ 	pcb = td->td_pcb;
++	error = 0;
+ 	critical_enter();
+ 	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ 		error = npxsetxstate(td, xfpustate, xfpustate_size);
+-		if (error != 0) {
+-			critical_exit();
+-			return (error);
++		if (error == 0) {
++			if (!cpu_fxsr)
++				fnclex();	/* As in npxdrop(). */
++			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++			fpurstor(get_pcb_user_save_td(td));
++			pcb->pcb_flags |= PCB_NPXUSERINITDONE | PCB_NPXINITDONE;
+ 		}
+-		if (!cpu_fxsr)
+-			fnclex();	/* As in npxdrop(). */
+-		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+-		fpurstor(get_pcb_user_save_td(td));
+-		critical_exit();
+-		pcb->pcb_flags |= PCB_NPXUSERINITDONE | PCB_NPXINITDONE;
+ 	} else {
+-		critical_exit();
+ 		error = npxsetxstate(td, xfpustate, xfpustate_size);
+-		if (error != 0)
+-			return (error);
+-		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+-		npxuserinited(td);
++		if (error == 0) {
++			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++			npxuserinited(td);
++		}
+ 	}
+-	return (0);
++	critical_exit();
++	return (error);
+ }
+ 
+ static void
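Review bot: same concern as the amd64 fpusetregs() change: npxsetxstate() in the else branch used to run after critical_exit() and now runs inside the section, so it must not touch user memory. fnclex() stays inside the section before fpurstor(), as before. One nit: amd64 uses set_pcb_flags() for the PCB_FPUINITDONE update while this hunk writes `pcb->pcb_flags |=` directly; that is the existing i386 convention in this file, so acceptable, but the two implementations are drifting in style.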
+@@ -1373,6 +1373,7 @@
+ 		return (0);
+ 	}
+ 	pcb = td->td_pcb;
++	critical_enter();
+ 	KASSERT(!PCB_USER_FPU(pcb) || pcb->pcb_save ==
+ 	    get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
+ 	ctx->flags = FPU_KERN_CTX_INUSE;
+@@ -1383,6 +1384,7 @@
+ 	pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
+ 	pcb->pcb_flags |= PCB_KERNNPX;
+ 	pcb->pcb_flags &= ~PCB_NPXINITDONE;
++	critical_exit();
+ 	return (0);
+ }
+ 
+@@ -1401,7 +1403,6 @@
+ 	critical_enter();
+ 	if (curthread == PCPU_GET(fpcurthread))
+ 		npxdrop();
+-	critical_exit();
+ 	pcb->pcb_save = ctx->prev;
+ 	if (pcb->pcb_save == get_pcb_user_save_pcb(pcb)) {
+ 		if ((pcb->pcb_flags & PCB_NPXUSERINITDONE) != 0)
+@@ -1416,6 +1417,7 @@
+ 			pcb->pcb_flags &= ~PCB_NPXINITDONE;
+ 		KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
+ 	}
++	critical_exit();
+ 	return (0);
+ }
+ 

Added: head/share/security/patches/EN-18:08/lazyfpu-11.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-18:08/lazyfpu-11.patch.asc	Wed Sep 12 05:22:58 2018	(r52250)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=EN9Q
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-18:12/elf.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:12/elf.patch	Wed Sep 12 05:22:58 2018	(r52250)
@@ -0,0 +1,35 @@
+--- sys/kern/imgact_elf.c.orig
++++ sys/kern/imgact_elf.c
+@@ -839,7 +839,8 @@
+ 			break;
+ 		case PT_INTERP:
+ 			/* Path to interpreter */
+-			if (phdr[i].p_filesz > MAXPATHLEN) {
++			if (phdr[i].p_filesz < 2 ||
++			    phdr[i].p_filesz > MAXPATHLEN) {
+ 				uprintf("Invalid PT_INTERP\n");
+ 				error = ENOEXEC;
+ 				goto ret;
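Review bot: the new `p_filesz < 2` lower bound is what makes `interp[interp_name_len - 1]` in the next hunk safe (p_filesz == 0 would index before the string, and p_filesz == 1 can only be an empty path), but nothing at this line says so. A comment such as `/* at least one character plus the terminating NUL */` would tie the two hunks together for the next reader and stop someone from "relaxing" the bound later.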
+@@ -870,6 +871,11 @@
+ 			} else {
+ 				interp = __DECONST(char *, imgp->image_header) +
+ 				    phdr[i].p_offset;
++				if (interp[interp_name_len - 1] != '\0') {
++					uprintf("Invalid PT_INTERP\n");
++					error = ENOEXEC;
++					goto ret;
++				}
+ 			}
+ 			break;
+ 		case PT_GNU_STACK:
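Review bot: the NUL-termination check is added only to the branch where the interpreter path is taken straight out of imgp->image_header; the other branch, which reads it from the file, is not visible here and must terminate its own buffer. This branch also indexes image_header at p_offset + interp_name_len - 1, so it depends on the (unseen) condition selecting this branch having already bounded p_offset + p_filesz within the header page; if that condition were ever loosened, the check itself would read out of bounds. Both assumptions belong in a comment on the else branch. This is the advisory's "disclose kernel memory" case: an unterminated interpreter string would be handled as a C string and read past the end of the header.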
+--- sys/kern/vfs_vnops.c.orig
++++ sys/kern/vfs_vnops.c
+@@ -528,6 +528,8 @@
+ 	struct vn_io_fault_args args;
+ 	int error, lock_flags;
+ 
++	if (offset < 0 && vp->v_type != VCHR)
++		return (EINVAL);
+ 	auio.uio_iov = &aiov;
+ 	auio.uio_iovcnt = 1;
+ 	aiov.iov_base = base;
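Review bot: this rejects negative offsets in vn_rdwr() for every caller, not just the ELF loader. The ELF p_offset field is unsigned while the vnode offset is a signed off_t, so a very large p_offset reaches this function as a negative value; refusing it generically is reasonable and the VCHR exemption preserves device semantics, but the new behaviour should be stated in a comment at the check because callers that previously got undefined results now get EINVAL. For the exec path this surfaces as a read error rather than the ENOEXEC used by the PT_INTERP checks in the first hunk; both fail the exec, but the difference matters when triaging logs.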

Added: head/share/security/patches/SA-18:12/elf.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:12/elf.patch.asc	Wed Sep 12 05:22:58 2018	(r52250)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=KOL2
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Wed Sep 12 02:22:29 2018	(r52249)
+++ head/share/xml/advisories.xml	Wed Sep 12 05:22:58 2018	(r52250)
@@ -8,6 +8,19 @@
     <name>2018</name>
 
     <month>
+      <name>9</name>
+
+      <day>
+	<name>12</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-18:12.elf</name>
+	</advisory>
+
+      </day>
+    </month>
+
+    <month>
       <name>8</name>
 
       <day>

Modified: head/share/xml/notices.xml
==============================================================================
--- head/share/xml/notices.xml	Wed Sep 12 02:22:29 2018	(r52249)
+++ head/share/xml/notices.xml	Wed Sep 12 05:22:58 2018	(r52250)
@@ -8,6 +8,19 @@
     <name>2018</name>
 
     <month>
+      <name>9</name>
+
+      <day>
+	<name>12</name>
+
+	<notice>
+	  <name>FreeBSD-EN-18:08.lazyfpu</name>
+	</notice>
+
+      </day>
+    </month>
+
+    <month>
       <name>6</name>
 
       <day>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201809120522.w8C5MwJh031147>