Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/sys-freebsd/freebsd-sources/files
diff options
context:
space:
mode:
Diffstat (limited to 'sys-freebsd/freebsd-sources/files')
-rw-r--r--sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-3077.patch26
-rw-r--r--sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5209.patch19
-rw-r--r--sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5691.patch89
-rw-r--r--sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5710.patch28
4 files changed, 162 insertions, 0 deletions
diff --git a/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-3077.patch b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-3077.patch
new file mode 100644
index 000000000000..23f68ed9c3db
--- /dev/null
+++ b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-3077.patch
@@ -0,0 +1,26 @@
+Index: sys/netinet/in_mcast.c
+===================================================================
+--- sys/netinet/in_mcast.c (revision 254252)
++++ sys/netinet/in_mcast.c (working copy)
+@@ -1648,6 +1648,8 @@
+ * has asked for, but we always tell userland how big the
+ * buffer really needs to be.
+ */
++ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
++ msfr.msfr_nsrcs = in_mcast_maxsocksrc;
+ tss = NULL;
+ if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
+ tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
+Index: sys/netinet6/in6_mcast.c
+===================================================================
+--- sys/netinet6/in6_mcast.c (revision 254252)
++++ sys/netinet6/in6_mcast.c (working copy)
+@@ -1625,6 +1625,8 @@
+ * has asked for, but we always tell userland how big the
+ * buffer really needs to be.
+ */
++ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
++ msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
+ tss = NULL;
+ if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
+ tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
diff --git a/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5209.patch b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5209.patch
new file mode 100644
index 000000000000..e6710e3bcb8b
--- /dev/null
+++ b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5209.patch
@@ -0,0 +1,19 @@
+Index: sys/netinet/sctp_output.c
+===================================================================
+--- sys/netinet/sctp_output.c (revision 254337)
++++ sys/netinet/sctp_output.c (revision 254338)
+@@ -5406,6 +5406,14 @@
+ }
+ SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
+
++ /*
++ * We might not overwrite the identification[] completely and on
++ * some platforms time_entered will contain some padding. Therefore
++ * zero out the cookie to avoid putting uninitialized memory on the
++ * wire.
++ */
++ memset(&stc, 0, sizeof(struct sctp_state_cookie));
++
+ /* the time I built cookie */
+ (void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
+
diff --git a/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5691.patch b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5691.patch
new file mode 100644
index 000000000000..9aef1503f770
--- /dev/null
+++ b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5691.patch
@@ -0,0 +1,89 @@
+Index: sys/net/if.c
+===================================================================
+--- sys/net/if.c (revision 254941)
++++ sys/net/if.c (working copy)
+@@ -2553,11 +2553,23 @@
+ CURVNET_RESTORE();
+ return (EOPNOTSUPP);
+ }
++
++ /*
++ * Pass the request on to the socket control method, and if the
++ * latter returns EOPNOTSUPP, directly to the interface.
++ *
++ * Make an exception for the legacy SIOCSIF* requests. Drivers
++ * trust SIOCSIFADDR et al to come from an already privileged
++ * layer, and do not perform any credentials checks or input
++ * validation.
++ */
+ #ifndef COMPAT_43
+ error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
+ data,
+ ifp, td));
+- if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
++ if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ error = (*ifp->if_ioctl)(ifp, cmd, data);
+ #else
+ {
+@@ -2601,7 +2613,9 @@
+ data,
+ ifp, td));
+ if (error == EOPNOTSUPP && ifp != NULL &&
+- ifp->if_ioctl != NULL)
++ ifp->if_ioctl != NULL &&
++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ error = (*ifp->if_ioctl)(ifp, cmd, data);
+ switch (ocmd) {
+
+Index: sys/netinet6/in6.c
+===================================================================
+--- sys/netinet6/in6.c (revision 254941)
++++ sys/netinet6/in6.c (working copy)
+@@ -431,6 +431,18 @@
+ case SIOCGIFSTAT_ICMP6:
+ sa6 = &ifr->ifr_addr;
+ break;
++ case SIOCSIFADDR:
++ case SIOCSIFBRDADDR:
++ case SIOCSIFDSTADDR:
++ case SIOCSIFNETMASK:
++ /*
++ * Although we should pass any non-INET6 ioctl requests
++ * down to driver, we filter some legacy INET requests.
++ * Drivers trust SIOCSIFADDR et al to come from an already
++ * privileged layer, and do not perform any credentials
++ * checks or input validation.
++ */
++ return (EINVAL);
+ default:
+ sa6 = NULL;
+ break;
+Index: sys/netnatm/natm.c
+===================================================================
+--- sys/netnatm/natm.c (revision 254941)
++++ sys/netnatm/natm.c (working copy)
+@@ -339,6 +339,21 @@
+ npcb = (struct natmpcb *)so->so_pcb;
+ KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
+
++ switch (cmd) {
++ case SIOCSIFADDR:
++ case SIOCSIFBRDADDR:
++ case SIOCSIFDSTADDR:
++ case SIOCSIFNETMASK:
++ /*
++ * Although we should pass any non-ATM ioctl requests
++ * down to driver, we filter some legacy INET requests.
++ * Drivers trust SIOCSIFADDR et al to come from an already
++ * privileged layer, and do not perform any credentials
++ * checks or input validation.
++ */
++ return (EINVAL);
++ }
++
+ if (ifp == NULL || ifp->if_ioctl == NULL)
+ return (EOPNOTSUPP);
+ return ((*ifp->if_ioctl)(ifp, cmd, arg));
diff --git a/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5710.patch b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5710.patch
new file mode 100644
index 000000000000..83f30e84fe9e
--- /dev/null
+++ b/sys-freebsd/freebsd-sources/files/freebsd-sources-9.1-cve-2013-5710.patch
@@ -0,0 +1,28 @@
+Index: sys/fs/nullfs/null_vnops.c
+===================================================================
+--- sys/fs/nullfs/null_vnops.c (revision 254941)
++++ sys/fs/nullfs/null_vnops.c (working copy)
+@@ -858,6 +858,15 @@
+ return (error);
+ }
+
++static int
++null_link(struct vop_link_args *ap)
++{
++
++ if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
++ return (EXDEV);
++ return (null_bypass((struct vop_generic_args *)ap));
++}
++
+ /*
+ * Global vfs data structures
+ */
+@@ -871,6 +880,7 @@
+ .vop_getwritemount = null_getwritemount,
+ .vop_inactive = null_inactive,
+ .vop_islocked = vop_stdislocked,
++ .vop_link = null_link,
+ .vop_lock1 = null_lock,
+ .vop_lookup = null_lookup,
+ .vop_open = null_open,