svn commit: r341088 - in releng/11.2: . sys/conf sys/fs/nfs sys/fs/nfsserver
Gordon Tetlow
gordon at FreeBSD.org
Tue Nov 27 19:42:18 UTC 2018
Author: gordon
Date: Tue Nov 27 19:42:16 2018
New Revision: 341088
URL: https://svnweb.freebsd.org/changeset/base/341088
Log:
Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs]
Reported by: Jakub Jirasek, Secunia Research at Flexera
Approved by: so
Security: FreeBSD-SA-18:13.nfs
Security: CVE-2018-17157
Security: CVE-2018-17158
Security: CVE-2018-17159
Modified:
releng/11.2/UPDATING
releng/11.2/sys/conf/newvers.sh
releng/11.2/sys/fs/nfs/nfs_commonsubs.c
releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c
releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c
Modified: releng/11.2/UPDATING
==============================================================================
--- releng/11.2/UPDATING Tue Nov 27 19:40:18 2018 (r341087)
+++ releng/11.2/UPDATING Tue Nov 27 19:42:16 2018 (r341088)
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and
the tip of head, and then rebuild without this option. The bootstrap process
from older version of current across the gcc/clang cutover is a bit fragile.
+20181127 p5 FreeBSD-SA-18:13.nfs
+ FreeBSD-EN-18:13.icmp
+ FreeBSD-EN-18:14.tzdata
+ FreeBSD-EN-18:15.loader
+
+ Fix multiple vulnerabilities in NFS server code. [SA-18:13.nfs]
+
+ Fix ICMP buffer underwrite. [EN-18:13.icmp]
+
+ Timezone database information update. [EN-18:14.tzdata]
+
+ Fix deferred kernel loading breaks loader password. [EN-18:15.loader]
+
20180927 p4 FreeBSD-EN-18:09.ip
FreeBSD-EN-18:10.syscall
FreeBSD-EN-18:11.listen
Modified: releng/11.2/sys/conf/newvers.sh
==============================================================================
--- releng/11.2/sys/conf/newvers.sh Tue Nov 27 19:40:18 2018 (r341087)
+++ releng/11.2/sys/conf/newvers.sh Tue Nov 27 19:42:16 2018 (r341088)
@@ -44,7 +44,7 @@
TYPE="FreeBSD"
REVISION="11.2"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
if [ -n "${BRANCH_OVERRIDE}" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/11.2/sys/fs/nfs/nfs_commonsubs.c
==============================================================================
--- releng/11.2/sys/fs/nfs/nfs_commonsubs.c Tue Nov 27 19:40:18 2018 (r341087)
+++ releng/11.2/sys/fs/nfs/nfs_commonsubs.c Tue Nov 27 19:42:16 2018 (r341088)
@@ -360,10 +360,14 @@ nfsm_advance(struct nfsrv_descript *nd, int offs, int
if (offs == 0)
goto out;
/*
- * A negative offs should be considered a serious problem.
+ * A negative offs might indicate a corrupted mbuf chain and,
+ * as such, a printf is logged.
*/
- if (offs < 0)
- panic("nfsrv_advance");
+ if (offs < 0) {
+ printf("nfsrv_advance: negative offs\n");
+ error = EBADRPC;
+ goto out;
+ }
/*
* If left == -1, calculate it here.
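Review bot: the new printf at the top of this hunk is reachable on every malformed request, so a remote client can fill the console and log with "nfsrvd_advance: negative offs" lines at will; consider rate-limiting it (ppsratecheck or the kernel's log rate helpers) or replacing it with a counter, and keep the EBADRPC return. Also worth confirming in the unchanged lines below the hunk that `error` is declared and initialised and that the `out:` label returns it, since the pre-existing `offs == 0` path already used `goto out` and this is now the first path that reaches `out` with a non-zero error.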
Modified: releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c Tue Nov 27 19:40:18 2018 (r341087)
+++ releng/11.2/sys/fs/nfsserver/nfs_nfsdport.c Tue Nov 27 19:42:16 2018 (r341088)
@@ -1858,9 +1858,15 @@ nfsrvd_readdirplus(struct nfsrv_descript *nd, int isdg
* cookie) should be in the reply. At least one client "hints" 0,
* so I set it to cnt for that case. I also round it up to the
* next multiple of DIRBLKSIZ.
+ * Since the size of a Readdirplus directory entry reply will always
+ * be greater than a directory entry returned by VOP_READDIR(), it
+ * does not make sense to read more than NFS_SRVMAXDATA() via
+ * VOP_READDIR().
*/
if (siz <= 0)
siz = cnt;
+ else if (siz > NFS_SRVMAXDATA(nd))
+ siz = NFS_SRVMAXDATA(nd);
siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1));
if (nd->nd_flag & ND_NFSV4) {
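Review bot: the clamp to NFS_SRVMAXDATA(nd) is applied only on the `else if` branch, so the `siz <= 0` case still takes `cnt` unclamped; unless `cnt` is guaranteed elsewhere to be at most NFS_SRVMAXDATA(nd), the two checks should be sequential rather than exclusive, e.g. `if (siz <= 0) siz = cnt;` followed by `if (siz > NFS_SRVMAXDATA(nd)) siz = NFS_SRVMAXDATA(nd);`. Note also that the DIRBLKSIZ round-up on the next line runs after the clamp, so `siz` can still end up slightly above NFS_SRVMAXDATA(nd) when that value is not a multiple of DIRBLKSIZ; that is harmless only if the buffer handed to VOP_READDIR() is sized from the rounded `siz`, which should be stated in the new comment.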
Modified: releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c
==============================================================================
--- releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c Tue Nov 27 19:40:18 2018 (r341087)
+++ releng/11.2/sys/fs/nfsserver/nfs_nfsdsocket.c Tue Nov 27 19:42:16 2018 (r341088)
@@ -758,11 +758,6 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram
*repp = *tl;
op = fxdr_unsigned(int, *tl);
NFSD_DEBUG(4, "op=%d\n", op);
-
- binuptime(&start_time);
- nfsrvd_statstart(op, &start_time);
- statsinprog = 1;
-
if (op < NFSV4OP_ACCESS ||
(op >= NFSV4OP_NOPS && (nd->nd_flag & ND_NFSV41) == 0) ||
(op >= NFSV41_NOPS && (nd->nd_flag & ND_NFSV41) != 0)) {
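Review bot: with the statistics start removed from before the range check, `op` is no longer handed to nfsrvd_statstart() while it may be outside the per-op table bounds, which is the right fix; the out-of-range branch that follows this `if` (elided between the hunks) must now leave `statsinprog` at 0 so that the cleanup path does not call the matching stats-end routine for an op that was never started. Please double-check that branch and any `goto` it takes against the cleanup code that tests `statsinprog`.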
@@ -774,6 +769,11 @@ nfsrvd_compound(struct nfsrv_descript *nd, int isdgram
} else {
repp++;
}
+
+ binuptime(&start_time);
+ nfsrvd_statstart(op, &start_time);
+ statsinprog = 1;
+
if (i == 0)
op0 = op;
if (i == numops - 1)
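Review bot: the relocated `binuptime`/`nfsrvd_statstart`/`statsinprog = 1` block carries no comment explaining why it must sit after the op-range validation, so a later cleanup could hoist it back; add a one-line comment such as "Start the op statistics only after op has been validated against the per-op table bounds." Everything else in the move is a straight cut-and-paste of the three removed lines.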