authorMaxim Konovalov <maxim@FreeBSD.org>2005-05-12 15:25:07 +0000
committerMaxim Konovalov <maxim@FreeBSD.org>2005-05-12 15:25:07 +0000
commit195deabf744128e6305e9d0926a7567d99b020ff (patch)
treeb126f3624a81d02e983fd988212ab86633feab88
parentd09f5ff51ce68f6593e7e588a2f527becbf2e1e8 (diff)
Merge SA-05:06.iir, SA-05:07.ldt and SA-05:08.kmem.
Approved by: so (cperciva)
Notes
Notes: svn path=/releng/4.9/; revision=146151
-rw-r--r--UPDATING8
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/dev/iir/iir_ctrl.c4
-rw-r--r--sys/i386/i386/sys_machdep.c9
-rw-r--r--sys/kern/uipc_usrreq.c2
-rw-r--r--sys/kern/vfs_subr.c1
-rw-r--r--sys/net/if_mib.c1
-rw-r--r--sys/netinet/ip_divert.c1
-rw-r--r--sys/netinet/raw_ip.c1
-rw-r--r--sys/netinet/tcp_subr.c2
-rw-r--r--sys/netinet/udp_usrreq.c1
11 files changed, 24 insertions, 8 deletions
diff --git a/UPDATING b/UPDATING
index d17d27cd1f57..a0fc60583253 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,14 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20050512: p17 FreeBSD-SA-05:06.iir, FreeBSD-SA-05:07.ldt,
+ FreeBSD-SA-05:08.kmem
+ Correct overly liberal permissions on /dev/iir.
+
+ Correctly validate inputs to the i386_get_ldt syscall.
+
+ Correct several local kernel memory disclosure bugs.
+
20050426: p16 FreeBSD-SA-05:05.cvs
Correct several vulnerabilities in CVS.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 6c0d8b4fcb0f..4831756be276 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.9"
-BRANCH="RELEASE-p16"
+BRANCH="RELEASE-p17"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/dev/iir/iir_ctrl.c b/sys/dev/iir/iir_ctrl.c
index 30c2ed6a6e75..91f97b07b1a0 100644
--- a/sys/dev/iir/iir_ctrl.c
+++ b/sys/dev/iir/iir_ctrl.c
@@ -104,12 +104,12 @@ gdt_make_dev(int unit)
#ifdef SDEV_PER_HBA
dev = make_dev(&iir_cdevsw, hba2minor(unit), UID_ROOT, GID_OPERATOR,
- S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH, "iir%d", unit);
+ S_IRUSR | S_IWUSR, "iir%d", unit);
#else
if (sdev_made)
return (0);
dev = make_dev(&iir_cdevsw, 0, UID_ROOT, GID_OPERATOR,
- S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH, "iir");
+ S_IRUSR | S_IWUSR, "iir");
sdev_made = 1;
#endif
return (dev);
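Review bot: Both make_dev() calls still pass GID_OPERATOR, but the new mode `S_IRUSR | S_IWUSR` grants the group nothing, so the group argument no longer has any effect and reads as if operator access were still intended. A short comment above the calls, for example `/* root-only: no group or other access to the control device */`, would record that the restriction is deliberate. The mode is also spelled out separately in each #ifdef branch; a single definition such as `#define IIR_CDEV_MODE (S_IRUSR | S_IWUSR)` used by both calls would keep the two from drifting apart. The start of gdt_make_dev is outside the hunk.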
diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
index f87e333cbf88..a9dcf48254a3 100644
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -342,10 +342,6 @@ i386_get_ldt(p, args)
uap->start, uap->num, (void *)uap->descs);
#endif
- /* verify range of LDTs exist */
- if ((uap->start < 0) || (uap->num <= 0))
- return(EINVAL);
-
s = splhigh();
if (pcb_ldt) {
@@ -357,7 +353,10 @@ i386_get_ldt(p, args)
num = min(uap->num, nldt);
lp = &ldt[uap->start];
}
- if (uap->start + num > nldt) {
+
+ if ((uap->start > (unsigned int)nldt) ||
+ ((unsigned int)num > (unsigned int)nldt) ||
+ ((unsigned int)(uap->start + num) > (unsigned int)nldt)) {
splx(s);
return(EINVAL);
}
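Review bot: `lp = &ldt[uap->start];` on the context line above the new test is still evaluated before the range is validated, so an out-of-range start forms an out-of-bounds pointer before the request is rejected; performing the bound check first and computing `lp` afterwards would avoid that. Since the earlier `uap->num <= 0` test is removed by this commit, a zero or negative num is no longer rejected outright and appears to rely on `min()` and the unsigned casts for clamping, which deserves a comment such as `/* compare as unsigned so a negative start or num fails the bound */`. The types of start, num and min() are declared outside the hunk, so that reading is inferred. The pcb_ldt branch and the rest of i386_get_ldt are also outside the hunk.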
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index f8ac2630eaee..22851f1f1a30 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -849,6 +849,8 @@ unp_pcblist(SYSCTL_HANDLER_ARGS)
unp = unp_list[i];
if (unp->unp_gencnt <= gencnt) {
struct xunpcb xu;
+
+ bzero(&xu, sizeof(xu));
xu.xu_len = sizeof xu;
xu.xu_unpp = unp;
/*
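Review bot: The added `bzero(&xu, sizeof(xu));` carries no comment explaining why a structure that is filled in immediately afterwards needs clearing, so a later cleanup could remove it as redundant. A one-line comment such as `/* clear padding and unset fields; xu is copied out to userland */` would record the reason, presumably the disclosure the commit message refers to. The same applies to the bzero() calls added in vfs_subr.c, if_mib.c, ip_divert.c, raw_ip.c, tcp_subr.c and udp_usrreq.c. The enclosing loop and the rest of unp_pcblist are outside the hunk.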
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index a4105d342ceb..1a8c526dd421 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -2302,6 +2302,7 @@ sysctl_ovfs_conf(SYSCTL_HANDLER_ARGS)
struct ovfsconf ovfs;
for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) {
+ bzero(&ovfs, sizeof(ovfs));
ovfs.vfc_vfsops = vfsp->vfc_vfsops; /* XXX used as flag */
strcpy(ovfs.vfc_name, vfsp->vfc_name);
ovfs.vfc_index = vfsp->vfc_typenum;
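Review bot: `strcpy(ovfs.vfc_name, vfsp->vfc_name);` two lines below the added bzero() copies without a bound into a fixed-size field of the structure being filled in. The declarations of both vfc_name fields are outside the hunk, so if their sizes are not guaranteed to match, a bounded copy such as `snprintf(ovfs.vfc_name, sizeof(ovfs.vfc_name), "%s", vfsp->vfc_name);` would keep an over-long name from writing past the field. The rest of the loop body in sysctl_ovfs_conf is outside the hunk.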
diff --git a/sys/net/if_mib.c b/sys/net/if_mib.c
index ee497a62f367..18f176f0dc8b 100644
--- a/sys/net/if_mib.c
+++ b/sys/net/if_mib.c
@@ -90,6 +90,7 @@ sysctl_ifdata(SYSCTL_HANDLER_ARGS) /* XXX bad syntax! */
return ENOENT;
case IFDATA_GENERAL:
+ bzero(&ifmd, sizeof(ifmd));
ifnlen = snprintf(workbuf, sizeof(workbuf),
"%s%d", ifp->if_name, ifp->if_unit);
if(ifnlen + 1 > sizeof ifmd.ifmd_name) {
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 320c8f813d02..e24022d76450 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -496,6 +496,7 @@ div_pcblist(SYSCTL_HANDLER_ARGS)
inp = inp_list[i];
if (inp->inp_gencnt <= gencnt) {
struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
xi.xi_len = sizeof xi;
/* XXX should avoid extra copy */
bcopy(inp, &xi.xi_inp, sizeof *inp);
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 2d8e06b0cbda..cc1815ecb0ef 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -681,6 +681,7 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
inp = inp_list[i];
if (inp->inp_gencnt <= gencnt) {
struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
xi.xi_len = sizeof xi;
/* XXX should avoid extra copy */
bcopy(inp, &xi.xi_inp, sizeof *inp);
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index dc6300467666..f58153cdfebc 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -895,6 +895,8 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
if (inp->inp_gencnt <= gencnt) {
struct xtcpcb xt;
caddr_t inp_ppcb;
+
+ bzero(&xt, sizeof(xt));
xt.xt_len = sizeof xt;
/* XXX should avoid extra copy */
bcopy(inp, &xt.xt_inp, sizeof *inp);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index eb401502b683..ff504502e628 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -612,6 +612,7 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
inp = inp_list[i];
if (inp->inp_gencnt <= gencnt) {
struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
xi.xi_len = sizeof xi;
/* XXX should avoid extra copy */
bcopy(inp, &xi.xi_inp, sizeof *inp);