o Fix OpenSSH xauth(1) command injection. [SA-16:14]
o Fix incorrect argument validation in sysarch(2). [SA-16:15]
o Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
o Fix hv_netvsc(4) incorrect TCP/IP checksums. [EN-16:05]

Errata:         FreeBSD-EN-16:04.hyperv
Errata:         FreeBSD-EN-16:05.hv_netvsc
Security:       FreeBSD-SA-16:14.openssh-xauth, CVE-2016-3115
Security:       FreeBSD-SA-16:15.sysarch, CVE-2016-1885
Approved by:    so
glebius committed Mar 16, 2016
1 parent 7d8d4cb commit 8938078
Showing 6 changed files with 64 additions and 7 deletions.
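--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160316 p14 FreeBSD-SA-16:14.openssh-xauth
+FreeBSD-SA-16:15.sysarch
+FreeBSD-EN-16:04.hyperv
+FreeBSD-EN-16:05.hv_netvsc
+
+Fix OpenSSH xauth(1) command injection. [SA-16:14]
+Fix incorrect argument validation in sysarch(2). [SA-16:15]
+Fix Hyper-V KVP (Key-Value Pair) daemon indefinite sleep. [EN-16:04]
+Fix hv_netvsc(4) incorrect TCP/IP checksums. [EN-16:05]
+
 20160303 p13 FreeBSD-SA-16:12.openssl
 
 Fix multiple vulnerabilities of OpenSSL.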
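--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -48,6 +48,7 @@ __RCSID("$FreeBSD$");
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -294,6 +295,21 @@ do_authenticated(Authctxt *authctxt)
 do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+size_t i;
+
+for (i = 0; s[i] != '\0'; i++) {
+if (!isalnum((u_char)s[i]) &&
+s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+s[i] != '-' && s[i] != '_')
+return 0;
+}
+return 1;
+}
+
 /*
 * Prepares for an interactive session. This is called after the user has
 * been successfully authenticated. During this message exchange, pseudo
@@ -367,7 +383,13 @@ do_authenticated1(Authctxt *authctxt)
 s->screen = 0;
 }
 packet_check_eom();
-success = session_setup_x11fwd(s);
+if (xauth_valid_string(s->auth_proto) &&
+xauth_valid_string(s->auth_data))
+success = session_setup_x11fwd(s);
+else {
+success = 0;
+error("Invalid X11 forwarding data");
+}
 if (!success) {
 free(s->auth_proto);
 free(s->auth_data);
@@ -2199,7 +2221,13 @@ session_x11_req(Session *s)
 s->screen = packet_get_int();
 packet_check_eom();
 
-success = session_setup_x11fwd(s);
+if (xauth_valid_string(s->auth_proto) &&
+xauth_valid_string(s->auth_data))
+success = session_setup_x11fwd(s);
+else {
+success = 0;
+error("Invalid X11 forwarding data");
+}
 if (!success) {
 free(s->auth_proto);
 free(s->auth_data);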
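Review bot: The allowlist check is duplicated at both X11 request sites (do_authenticated1 and session_x11_req) rather than living in one place, so a later caller of session_setup_x11fwd() that omits the `xauth_valid_string()` pair would hand unvalidated auth_proto/auth_data onward. Consider performing the check once, at the top of session_setup_x11fwd() or in a small wrapper that logs `error("Invalid X11 forwarding data")` and returns 0; that function's body is outside the visible hunks, so confirm it has no other callers that depend on the current behaviour. The helper's comment would also be more accurate as `/* Allowlist for untrusted xauth strings: alphanumerics plus . : / - _ only; returns 1 if valid (the empty string passes), 0 otherwise */`, because the code rejects everything outside a fixed set rather than searching for metacharacters. Since isalnum() follows the process locale, the accepted set is exactly the ASCII alphanumerics only while the daemon runs in the C locale, which is worth stating in the same comment.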
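--- a/sys/amd64/amd64/sys_machdep.c
+++ b/sys/amd64/amd64/sys_machdep.c
@@ -591,8 +591,8 @@ amd64_set_ldt(td, uap, descs)
 struct i386_ldt_args *uap;
 struct user_segment_descriptor *descs;
 {
-int error = 0, i;
-int largest_ld;
+int error = 0;
+unsigned int largest_ld, i;
 struct mdproc *mdp = &td->td_proc->p_md;
 struct proc_ldt *pldt;
 struct user_segment_descriptor *dp;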
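Review bot: Nothing at the declarations records why `largest_ld` and `i` became unsigned, so a later cleanup could switch them back to `int` and reintroduce the argument-validation problem this advisory addresses. Assuming they hold bounds derived from the caller's arguments, a comment such as `/* unsigned on purpose: derived from user-supplied LDT arguments; a signed type lets negative values pass the range checks */` would pin the intent. The body of amd64_set_ldt lies outside the hunk, so the following is unverified: with unsigned arithmetic the sum of the caller's start and count can no longer go negative but can still wrap, and the range checks should reject a result smaller than the start value. It is also worth confirming that no remaining comparison in the body mixes these variables with a signed operand.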
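--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.2"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi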
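--- a/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
+++ b/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
@@ -128,6 +128,15 @@ __FBSDID("$FreeBSD$");
 #define HV_NV_SC_PTR_OFFSET_IN_BUF 0
 #define HV_NV_PACKET_OFFSET_IN_BUF 16
 
+/*
+* A unified flag for all outbound check sum flags is useful,
+* and it helps avoiding unnecessary check sum calculation in
+* network forwarding scenario.
+*/
+#define HV_CSUM_FOR_OUTBOUND \
+(CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO| \
+CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP| \
+CSUM_IP6_TSO|CSUM_IP6_ISCSI)
 
 /*
 * Data types
@@ -570,7 +579,8 @@ hn_start_locked(struct ifnet *ifp)
 packet->vlan_tci & 0xfff;
 }
 
-if (0 == m_head->m_pkthdr.csum_flags) {
+/* Only check the flags for outbound and ignore the ones for inbound */
+if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) {
 goto pre_send;
 }
 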
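Review bot: HV_CSUM_FOR_OUTBOUND is a hand-maintained list of outbound CSUM_* bits with nothing tying it to the definitions in <sys/mbuf.h>, so an outbound flag added there later would fall outside the mask and such a packet would take the `goto pre_send` path in hn_start_locked without any offload setup. The macro's comment should say so and name what is excluded, for example `/* Mask of outbound CSUM_* request bits; keep in sync with <sys/mbuf.h>. Inbound status bits such as CSUM_IP_CHECKED are deliberately left out. */`. The code after the check is outside the hunk, so it is unconfirmed whether every bit in the mask (SCTP and iSCSI included) is actually handled there; if some are not, the mask could be narrowed to the flags the driver offloads. hn_start_locked starts and ends outside the hunk.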
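--- a/sys/dev/hyperv/utilities/hv_kvp.c
+++ b/sys/dev/hyperv/utilities/hv_kvp.c
@@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/reboot.h>
 #include <sys/lock.h>
 #include <sys/taskqueue.h>
+#include <sys/selinfo.h>
 #include <sys/sysctl.h>
 #include <sys/poll.h>
 #include <sys/proc.h>
@@ -114,6 +115,8 @@ static struct cdev *hv_kvp_dev;
 static struct hv_kvp_msg *hv_kvp_dev_buf;
 struct proc *daemon_task;
 
+static struct selinfo hv_kvp_selinfo;
+
 /*
 * Global state to track and synchronize multiple
 * KVP transaction requests from the host.
@@ -628,6 +631,9 @@ hv_kvp_send_msg_to_daemon(void)
 
 /* Send the msg to user via function deamon_read - setting sema */
 sema_post(&kvp_globals.dev_sema);
+
+/* We should wake up the daemon, in case it's doing poll() */
+selwakeup(&hv_kvp_selinfo);
 }
 
 
@@ -940,7 +946,7 @@ hv_kvp_dev_daemon_write(struct cdev *dev __unused, struct uio *uio, int ioflag _
 * for daemon to read.
 */
 static int
-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td __unused)
+hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
 {
 int revents = 0;
 
@@ -953,6 +959,9 @@ hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td
 */
 if (kvp_globals.daemon_busy == true)
 revents = POLLIN;
+else
+selrecord(td, &hv_kvp_selinfo);
+
 mtx_unlock(&kvp_globals.pending_mutex);
 
 return (revents);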
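Review bot: `hv_kvp_selinfo` now receives selrecord() in hv_kvp_dev_daemon_poll and selwakeup() in hv_kvp_send_msg_to_daemon, but no visible hunk adds a matching `seldrain(&hv_kvp_selinfo);` on the teardown path. The device deinit code is outside the diff, so this may already be handled; if it is not, a thread recorded by poll() could still reference the selinfo when the cdev is destroyed. Separately, the wakeup is issued without `pending_mutex` while the poll side tests `daemon_busy` under it, so it is worth confirming that `daemon_busy` is set under that mutex before selwakeup() runs, otherwise a poller can record itself just after the wakeup and sleep until the next message. A short comment at the selrecord() call stating that ordering assumption would help the next reader.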
