aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2017-08-10 06:59:07 +0000
committerXin LI <delphij@FreeBSD.org>2017-08-10 06:59:07 +0000
commit230a19376f9badb3f2ca623d1b648e95c21f042b (patch)
tree42938bf2e6e785a0b129322177b5ff0a1ddeeba9
parente1b2281799bf1cab48b112204fef079e6835cde5 (diff)
downloadsrc-230a19376f9badb3f2ca623d1b648e95c21f042b.tar.gz
src-230a19376f9badb3f2ca623d1b648e95c21f042b.zip
Fix OpenSSH Denial of Service vulnerability. [SA-17:06]
Fix VNET kernel panic with asynchronous I/O. [EN-17:07] Fix pf(4) housekeeping thread causes kernel panic. [EN-17:08] Approved by: so
Notes
Notes: svn path=/releng/11.1/; revision=322342
-rw-r--r--UPDATING10
-rw-r--r--crypto/openssh/auth-passwd.c5
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/kern/sys_socket.c2
-rw-r--r--sys/netpfil/pf/pf.c8
5 files changed, 26 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index 8344740e95df..6da5f243654d 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
the tip of head, and then rebuild without this option. The bootstrap process
from older version of current across the gcc/clang cutover is a bit fragile.
+20170810 p1 FreeBSD-SA-17:06.openssh
+ FreeBSD-EN-17:07.vnet
+ FreeBSD-EN-17:08.pf
+
+ Fix OpenSSH Denial of Service vulnerability. [SA-17:06]
+
+ Fix VNET kernel panic with asynchronous I/O. [EN-17:07]
+
+ Fix pf(4) housekeeping thread causes kernel panic. [EN-17:08]
+
20170725:
11.1-RELEASE.
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
index 63ccf3cabe7d..f6825ecc0655 100644
--- a/crypto/openssh/auth-passwd.c
+++ b/crypto/openssh/auth-passwd.c
@@ -66,6 +66,8 @@ extern login_cap_t *lc;
#define DAY (24L * 60 * 60) /* 1 day in seconds */
#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
+#define MAX_PASSWORD_LEN 1024
+
void
disable_forwarding(void)
{
@@ -87,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password)
static int expire_checked = 0;
#endif
+ if (strlen(password) > MAX_PASSWORD_LEN)
+ return 0;
+
#ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
ok = 0;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index ec9e12989028..5ba2ab293479 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -44,7 +44,7 @@
TYPE="FreeBSD"
REVISION="11.1"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
if [ -n "${BRANCH_OVERRIDE}" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index da5f8e843929..edc64aac8043 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -675,6 +675,7 @@ soaio_process_sb(struct socket *so, struct sockbuf *sb)
{
struct kaiocb *job;
+ CURVNET_SET(so->so_vnet);
SOCKBUF_LOCK(sb);
while (!TAILQ_EMPTY(&sb->sb_aiojobq) && soaio_ready(so, sb)) {
job = TAILQ_FIRST(&sb->sb_aiojobq);
@@ -698,6 +699,7 @@ soaio_process_sb(struct socket *so, struct sockbuf *sb)
ACCEPT_LOCK();
SOCK_LOCK(so);
sorele(so);
+ CURVNET_RESTORE();
}
void
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 8dc89a8ce78b..1fa0b7a5a93d 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -129,6 +129,8 @@ VNET_DEFINE(int, pf_tcp_secret_init);
#define V_pf_tcp_secret_init VNET(pf_tcp_secret_init)
VNET_DEFINE(int, pf_tcp_iss_off);
#define V_pf_tcp_iss_off VNET(pf_tcp_iss_off)
+VNET_DECLARE(int, pf_vnet_active);
+#define V_pf_vnet_active VNET(pf_vnet_active)
/*
* Queue for pf_intr() sends.
@@ -1441,6 +1443,12 @@ pf_purge_thread(void *unused __unused)
kproc_exit(0);
}
+ /* Wait while V_pf_default_rule.timeout is initialized. */
+ if (V_pf_vnet_active == 0) {
+ CURVNET_RESTORE();
+ continue;
+ }
+
/* Process 1/interval fraction of the state table every run. */
idx = pf_purge_expired_states(idx, pf_hashmask /
(V_pf_default_rule.timeout[PFTM_INTERVAL] * 10));