svn commit: r286901 - in releng/10.2: . contrib/expat/lib sys/conf usr.bin/netstat usr.sbin/vidcontrol
Xin LI
delphij at FreeBSD.org
Tue Aug 18 19:30:20 UTC 2015
Author: delphij
Date: Tue Aug 18 19:30:17 2015
New Revision: 286901
URL: https://svnweb.freebsd.org/changeset/base/286901
Log:
Fix multiple integer overflows in expat.
Security: CVE-2015-1283
Security: FreeBSD-SA-15:20.expat
Fix make(1) syntax errors when upgrading from 9.x and earlier.
[EN-15:11]
Fix incorrect netstat(1) data handling on 32-bit systems.
[EN-15:12]
Allow size argument to vidcontrol(1) for syscons(4). [EN-15:13]
Approved by: so
Modified:
releng/10.2/Makefile.inc1
releng/10.2/UPDATING
releng/10.2/contrib/expat/lib/xmlparse.c
releng/10.2/sys/conf/newvers.sh
releng/10.2/usr.bin/netstat/main.c
releng/10.2/usr.sbin/vidcontrol/vidcontrol.c
Modified: releng/10.2/Makefile.inc1
==============================================================================
--- releng/10.2/Makefile.inc1 Tue Aug 18 19:30:05 2015 (r286900)
+++ releng/10.2/Makefile.inc1 Tue Aug 18 19:30:17 2015 (r286901)
@@ -133,8 +133,8 @@ OSRELDATE= 0
.endif
.if !defined(VERSION)
-REVISION!= make -C ${SRCDIR}/release -V REVISION
-BRANCH!= make -C ${SRCDIR}/release -V BRANCH
+REVISION!= ${MAKE} -C ${SRCDIR}/release -V REVISION
+BRANCH!= ${MAKE} -C ${SRCDIR}/release -V BRANCH
SRCRELDATE!= awk '/^\#define[[:space:]]*__FreeBSD_version/ { print $$3 }' \
${SRCDIR}/sys/sys/param.h
VERSION= FreeBSD ${REVISION}-${BRANCH:C/-p[0-9]+$//} ${TARGET_ARCH} ${SRCRELDATE}
Modified: releng/10.2/UPDATING
==============================================================================
--- releng/10.2/UPDATING Tue Aug 18 19:30:05 2015 (r286900)
+++ releng/10.2/UPDATING Tue Aug 18 19:30:17 2015 (r286901)
@@ -16,7 +16,23 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
-20150817:
+20150818: p1 FreeBSD-SA-15:20.expat
+ FreeBSD-EN-15:11.toolchain
+ FreeBSD-EN-15:12.netstat
+ FreeBSD-EN-15:13.vidcontrol
+
+ Fix multiple integer overflows in expat (libbsdxml) XML parser.
+ [SA-15:20]
+
+ Fix make(1) syntax errors when upgrading from 9.x and earlier.
+ [EN-15:11]
+
+ Fix incorrect netstat(1) data handling on 32-bit systems.
+ [EN-15:12]
+
+ Allow size argument to vidcontrol(1) for syscons(4). [EN-15:13]
+
+20150813:
10.2-RELEASE.
20150703:
Modified: releng/10.2/contrib/expat/lib/xmlparse.c
==============================================================================
--- releng/10.2/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:05 2015 (r286900)
+++ releng/10.2/contrib/expat/lib/xmlparse.c Tue Aug 18 19:30:17 2015 (r286901)
@@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int l
void * XMLCALL
XML_GetBuffer(XML_Parser parser, int len)
{
+/* BEGIN MOZILLA CHANGE (sanity check len) */
+ if (len < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
switch (ps_parsing) {
case XML_SUSPENDED:
errorCode = XML_ERROR_SUSPENDED;
@@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len
}
if (len > bufferLim - bufferEnd) {
- /* FIXME avoid integer overflow */
int neededSize = len + (int)(bufferEnd - bufferPtr);
+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
#ifdef XML_CONTEXT_BYTES
int keep = (int)(bufferPtr - buffer);
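Review bot: The `neededSize < 0` test runs only after `len + (int)(bufferEnd - bufferPtr)` has been evaluated, and signed int overflow is undefined behaviour in C, so an optimising compiler may assume the sum never wraps and drop the check. Testing before the addition avoids relying on wraparound, e.g. `if (len > INT_MAX - (int)(bufferEnd - bufferPtr))` with the same `XML_ERROR_NO_MEMORY` return (this needs `<limits.h>`). The third hunk has the same pattern: `bufferSize *= 2` is checked with `bufferSize > 0` only after the multiply. Assuming bufferSize is a signed int, as the `<= 0` test suggests, the loop should refuse to double once `bufferSize > INT_MAX / 2`. XML_GetBuffer's body continues outside this hunk.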
@@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len
bufferSize = INIT_BUFFER_SIZE;
do {
bufferSize *= 2;
- } while (bufferSize < neededSize);
+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
+ } while (bufferSize < neededSize && bufferSize > 0);
+/* END MOZILLA CHANGE */
+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
+ if (bufferSize <= 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+ }
+/* END MOZILLA CHANGE */
newBuf = (char *)MALLOC(bufferSize);
if (newBuf == 0) {
errorCode = XML_ERROR_NO_MEMORY;
Modified: releng/10.2/sys/conf/newvers.sh
==============================================================================
--- releng/10.2/sys/conf/newvers.sh Tue Aug 18 19:30:05 2015 (r286900)
+++ releng/10.2/sys/conf/newvers.sh Tue Aug 18 19:30:17 2015 (r286901)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.2"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/10.2/usr.bin/netstat/main.c
==============================================================================
--- releng/10.2/usr.bin/netstat/main.c Tue Aug 18 19:30:05 2015 (r286900)
+++ releng/10.2/usr.bin/netstat/main.c Tue Aug 18 19:30:17 2015 (r286901)
@@ -785,19 +785,31 @@ kread_counter(u_long addr)
int
kread_counters(u_long addr, void *buf, size_t size)
{
- uint64_t *c = buf;
+ uint64_t *c;
+ u_long *counters;
+ size_t i, n;
if (kvmd_init() < 0)
return (-1);
- if (kread(addr, buf, size) < 0)
+ if (size % sizeof(uint64_t) != 0) {
+ warnx("kread_counters: invalid counter set size");
return (-1);
+ }
- while (size != 0) {
- *c = kvm_counter_u64_fetch(kvmd, *c);
- size -= sizeof(*c);
- c++;
+ n = size / sizeof(uint64_t);
+ if ((counters = malloc(n * sizeof(u_long))) == NULL)
+ err(-1, "malloc");
+ if (kread(addr, counters, n * sizeof(u_long)) < 0) {
+ free(counters);
+ return (-1);
}
+
+ c = buf;
+ for (i = 0; i < n; i++)
+ c[i] = kvm_counter_u64_fetch(kvmd, counters[i]);
+
+ free(counters);
return (0);
}
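Review bot: The new allocation-failure path calls `err(-1, "malloc")`, which terminates netstat, while every other failure in kread_counters returns -1 to the caller; `warn("kread_counters: malloc"); return (-1);` would keep the error contract uniform. With `size == 0` the code now calls `malloc(0)`, whose result may legitimately be NULL on some implementations, so an early `if (size == 0) return (0);` would avoid a spurious fatal error. A short comment above the malloc would also help, for example `/* addr holds n u_long-sized values; each is resolved via kvm_counter_u64_fetch() into a uint64_t in buf */`, because the reason for the intermediate buffer is not obvious from the code.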
Modified: releng/10.2/usr.sbin/vidcontrol/vidcontrol.c
==============================================================================
--- releng/10.2/usr.sbin/vidcontrol/vidcontrol.c Tue Aug 18 19:30:05 2015 (r286900)
+++ releng/10.2/usr.sbin/vidcontrol/vidcontrol.c Tue Aug 18 19:30:17 2015 (r286901)
@@ -1343,7 +1343,7 @@ main(int argc, char **argv)
if (vt4_mode)
opts = "b:Cc:fg:h:Hi:M:m:pPr:S:s:T:t:x";
else
- opts = "b:Cc:df:g:h:Hi:l:LM:m:pPr:S:s:T:t:x";
+ opts = "b:Cc:dfg:h:Hi:l:LM:m:pPr:S:s:T:t:x";
while ((opt = getopt(argc, argv, opts)) != -1)
switch(opt) {
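Review bot: Dropping the colon after `f` in the syscons option string means getopt() no longer supplies or validates an argument for -f, and nothing in the hunk records why. A comment beside the string, e.g. `/* -f: operands are optional and parsed by hand in the 'f' case, so no ':' here */`, would document the intent if that is what the handler does. The 'f' case is outside this hunk; it presumably reads its operands from argv itself and should check `optind` against `argc` before each read. main() starts and continues outside the hunk.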