authorGordon Tetlow <gordon@FreeBSD.org>2018-09-12 05:07:35 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2018-09-12 05:07:35 +0000
commitbd3035529c3c9257a04f4b2acffd0945246d68ec (patch)
treee368b33075ec2b74b6a1100a4da6df4a1ac5ca56
parentf69d7a5a946f625c5a0b449c398181d8c4c75f40 (diff)
downloadsrc-bd3035529c3c9257a04f4b2acffd0945246d68ec.tar.gz
src-bd3035529c3c9257a04f4b2acffd0945246d68ec.zip
Fix improper elf header parsing. [SA-18:12.elf]
Approved by: so Security: FreeBSD-SA-18:12.elf Security: CVE-2018-6924
Notes
Notes: svn path=/releng/11.1/; revision=338606
-rw-r--r--UPDATING7
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/kern/imgact_elf.c8
-rw-r--r--sys/kern/vfs_vnops.c2
4 files changed, 17 insertions, 2 deletions
diff --git a/UPDATING b/UPDATING
index a068eed8d3c6..0d19f12156cb 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
the tip of head, and then rebuild without this option. The bootstrap process
from older version of current across the gcc/clang cutover is a bit fragile.
+20180912 p14 FreeBSD-SA-18:12.elf
+ FreeBSD-EN-18:08.lazyfpu
+
+ Fix improper elf header parsing. [SA-18:12.elf]
+
+ Fix regression in Lazy FPU remediation. [EN-18:08.lazyfpu]
+
20180814 p13 FreeBSD-SA-18:08.tcp [revised]
FreeBSD-SA-18:09.l1tf
FreeBSD-SA-18:10.ip
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 51b22e1a8f72..adfbb08214dd 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -44,7 +44,7 @@
TYPE="FreeBSD"
REVISION="11.1"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
if [ -n "${BRANCH_OVERRIDE}" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index f7bbdcf71526..01e3be5a339f 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -834,7 +834,8 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
break;
case PT_INTERP:
/* Path to interpreter */
- if (phdr[i].p_filesz > MAXPATHLEN) {
+ if (phdr[i].p_filesz < 2 ||
+ phdr[i].p_filesz > MAXPATHLEN) {
uprintf("Invalid PT_INTERP\n");
error = ENOEXEC;
goto ret;
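Review bot: The new lower bound `phdr[i].p_filesz < 2` is an unexplained magic number; a reader has to work out that it reserves one byte for the path plus the NUL terminator that the later in-image check depends on, and a one-character or empty PT_INTERP is therefore rejected up front. I would put `/* need at least one path byte plus the NUL terminator */` on the line above the condition so the constant is tied to that reasoning. The enclosing exec_elf imgact function starts and ends outside this hunk.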
@@ -864,6 +865,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
} else {
interp = __DECONST(char *, imgp->image_header) +
phdr[i].p_offset;
+ if (interp[interp_name_len - 1] != '\0') {
+ uprintf("Invalid PT_INTERP\n");
+ error = ENOEXEC;
+ goto ret;
+ }
}
break;
case PT_GNU_STACK:
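Review bot: The added check `interp[interp_name_len - 1] != '\0'` is the only thing that keeps later string handling of the in-image interpreter path inside p_filesz, yet nothing says why this branch needs it while the other branch of the `if` does not; the other branch appears to read the path into its own buffer outside the hunk, so presumably it terminates that buffer itself. I would add `/* The path is used in place, so the image itself must supply the NUL. */` above the check. Note that `interp_name_len` is assigned outside the hunk and the index here relies on the surrounding branch condition having already confirmed that p_offset plus interp_name_len lies within image_header; that condition is not visible, so it is worth confirming when reviewing. The enclosing function continues outside the hunk in both directions.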
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 49af86d80401..fc98d83dd781 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -529,6 +529,8 @@ vn_rdwr(enum uio_rw rw, struct vnode *vp, void *base, int len, off_t offset,
struct vn_io_fault_args args;
int error, lock_flags;
+ if (offset < 0 && vp->v_type != VCHR)
+ return (EINVAL);
auio.uio_iov = &aiov;
auio.uio_iovcnt = 1;
aiov.iov_base = base;
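Review bot: The guard `if (offset < 0 && vp->v_type != VCHR)` does not explain why character devices are exempt, so the next maintainer may "tighten" it and break device access that legitimately uses negative offsets, or loosen it and reopen the hole it closes. I would add `/* Negative offsets are only meaningful for character devices; reject them elsewhere so a caller cannot turn a bogus offset into an out-of-range read. */` above the check. Returning before the `auio` setup is correct since nothing has been acquired at that point, and this looks like the VFS-layer half of the same hardening as the imgact_elf.c change, so the two should be documented consistently. vn_rdwr's body starts and continues outside this hunk.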