From laffer1 at midnightbsd.org Wed Aug 21 09:20:13 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 21 Aug 2019 09:20:13 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12255] trunk/sys/kern/uipc_mbuf2.c: Due do a missing check in the code of m_pulldown(9) data returned may not be Message-ID: <201908211320.x7LDKDrB066681@stargazer.midnightbsd.org> Revision: 12255 http://svnweb.midnightbsd.org/src/?rev=12255 Author: laffer1 Date: 2019-08-21 09:20:12 -0400 (Wed, 21 Aug 2019) Log Message: ----------- Due do a missing check in the code of m_pulldown(9) data returned may not be contiguous as requested by the caller. Modified Paths: -------------- trunk/sys/kern/uipc_mbuf2.c Modified: trunk/sys/kern/uipc_mbuf2.c =================================================================== --- trunk/sys/kern/uipc_mbuf2.c 2019-08-18 19:35:40 UTC (rev 12254) +++ trunk/sys/kern/uipc_mbuf2.c 2019-08-21 13:20:12 UTC (rev 12255) @@ -217,7 +217,7 @@ goto ok; } if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen - && writable) { + && writable && n->m_next->m_len >= tlen) { n->m_next->m_data -= hlen; n->m_next->m_len += hlen; bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen); From laffer1 at midnightbsd.org Wed Aug 21 09:20:28 2019 
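Review bot: the added `n->m_next->m_len >= tlen` term carries no comment stating the invariant it restores, and a reader of this fast path will want one: the branch copies the hlen bytes at `mtod(n, caddr_t) + off` into the leading space of `n->m_next` and the code after it treats `n->m_next` as holding the whole requested region, which is only true when `n->m_next` already contains the remaining `tlen` bytes; without the new term a short `n->m_next` is handed back while the tail of the region still lives further down the chain, so the caller gets less contiguous data than it asked for. Suggest a one-line comment above the `if` and a reference to CVE-2019-5611 in the log message, since the UPDATING entries added in r12257 and r12259 tie this change to that identifier. r12256 applies the identical hunk to stable/1.1.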
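The following is an added illustration, not MidnightBSD or FreeBSD code: a toy model of the one m_pulldown(9) branch that r12255 touches, written to show why the extra `m_len >= tlen` test matters. `struct toy_mbuf`, `toy_pulldown_prepend` and `toy_demo` are constructed names and the chain contents are made up; the real mbuf layout, `M_LEADINGSPACE` and the other m_pulldown paths are not modelled.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_BUFSZ 32

/* Toy mbuf (constructed; not the kernel's struct mbuf): m_data points into
 * buf, m_len valid bytes follow it, everything before m_data is leading space. */
struct toy_mbuf {
    unsigned char buf[TOY_BUFSZ];
    unsigned char *m_data;
    size_t m_len;
    struct toy_mbuf *m_next;
};

static void
toy_init(struct toy_mbuf *m, size_t lead, const char *bytes, struct toy_mbuf *next)
{
    memset(m->buf, 0, sizeof m->buf);
    m->m_data = m->buf + lead;
    m->m_len = strlen(bytes);
    memcpy(m->m_data, bytes, m->m_len);
    m->m_next = next;
}

/* Equivalent of M_LEADINGSPACE for the toy mbuf. */
static size_t
toy_leadingspace(const struct toy_mbuf *m)
{
    return (size_t)(m->m_data - m->buf);
}

/* Model of the r12255 branch. n holds the start of the requested region at
 * offset off: hlen bytes are still in n and tlen = len - hlen must come from
 * n->m_next. If n->m_next has room in front of its data, the hlen bytes are
 * copied there so the region becomes contiguous in n->m_next. check_tail=false
 * is the pre-fix condition; check_tail=true adds the n->m_next->m_len >= tlen
 * test. Returns the mbuf now holding the region, or NULL if the branch declines
 * (the real function would then fall through to its allocation path). */
static struct toy_mbuf *
toy_pulldown_prepend(struct toy_mbuf *n, size_t off, size_t len, bool check_tail)
{
    size_t hlen = n->m_len - off;
    size_t tlen = len - hlen;
    struct toy_mbuf *next = n->m_next;

    if (next == NULL || toy_leadingspace(next) < hlen)
        return NULL;
    if (check_tail && next->m_len < tlen)   /* the check r12255 adds */
        return NULL;
    next->m_data -= hlen;
    next->m_len += hlen;
    memcpy(next->m_data, n->m_data + off, hlen);
    n->m_len = off;                         /* the moved bytes now live in next */
    return next;
}

/* Build the chain a -> b -> c where a = "hdrAB", b = second, c = "rest",
 * and ask for len = 6 contiguous bytes starting at off = 3 ("AB" + 4 more).
 * Returns how many contiguous bytes the caller is actually handed, or 0 when
 * the branch declines. */
static size_t
toy_demo(bool check_tail, const char *second)
{
    struct toy_mbuf a, b, c;
    struct toy_mbuf *r;

    toy_init(&c, 0, "rest", NULL);
    toy_init(&b, 8, second, &c);        /* 8 bytes of leading space */
    toy_init(&a, 0, "hdrAB", &b);
    r = toy_pulldown_prepend(&a, 3, 6, check_tail);
    return r == NULL ? 0 : r->m_len;
}

int
main(void)
{
    /* Short second mbuf: pre-fix hands back 4 bytes as if they were 6. */
    printf("pre-fix, short next mbuf : %zu contiguous bytes\n", toy_demo(false, "XY"));
    printf("fixed,   short next mbuf : %zu (branch declined)\n", toy_demo(true, "XY"));
    /* Long enough second mbuf: the fast path still works after the fix. */
    printf("fixed,   long next mbuf  : %zu contiguous bytes\n", toy_demo(true, "XYZW"));
    return 0;
}
```

The model makes the failure visible: with a two-byte `b`, the pre-fix branch returns an mbuf holding 4 bytes while the caller was promised 6, and the remaining data is still in `c`; the added test declines the fast path in exactly that case and leaves it untouched when `b` is long enough.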
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 21 Aug 2019 09:20:28 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12256] stable/1.1/sys/kern/uipc_mbuf2.c: Due do a missing check in the code of m_pulldown(9) data returned may not be Message-ID: <201908211320.x7LDKS6k066738@stargazer.midnightbsd.org> Revision: 12256 http://svnweb.midnightbsd.org/src/?rev=12256 Author: laffer1 Date: 2019-08-21 09:20:27 -0400 (Wed, 21 Aug 2019) Log Message: ----------- Due do a missing check in the code of m_pulldown(9) data returned may not be contiguous as requested by the caller. Modified Paths: -------------- stable/1.1/sys/kern/uipc_mbuf2.c Modified: stable/1.1/sys/kern/uipc_mbuf2.c =================================================================== --- stable/1.1/sys/kern/uipc_mbuf2.c 2019-08-21 13:20:12 UTC (rev 12255) +++ stable/1.1/sys/kern/uipc_mbuf2.c 2019-08-21 13:20:27 UTC (rev 12256) @@ -217,7 +217,7 @@ goto ok; } if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen - && writable) { + && writable && n->m_next->m_len >= tlen) { n->m_next->m_data -= hlen; n->m_next->m_len += hlen; bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen); From laffer1 at midnightbsd.org Thu Aug 22 08:31:36 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Thu, 22 Aug 2019 08:31:36 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12257] stable/1.1/UPDATING: document patch Message-ID: <201908221231.x7MCVakB096688@stargazer.midnightbsd.org> Revision: 12257 http://svnweb.midnightbsd.org/src/?rev=12257 Author: laffer1 Date: 2019-08-22 08:31:35 -0400 (Thu, 22 Aug 2019) Log Message: ----------- document patch Modified Paths: -------------- stable/1.1/UPDATING Modified: stable/1.1/UPDATING =================================================================== --- stable/1.1/UPDATING 2019-08-21 13:20:27 UTC (rev 12256) +++ stable/1.1/UPDATING 2019-08-22 12:31:35 UTC (rev 12257) 
@@ -1,5 +1,11 @@ Updating Information for MidnightBSD users. +20190821: + Security patch for CVE-2019-5611. + + Due do a missing check in the code of m_pulldown(9) data returned may not be + contiguous as requested by the caller. + 20190808: bsnmp A function extracting the length from type-length-value encoding is not From laffer1 at midnightbsd.org Thu Aug 22 08:32:21 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Thu, 22 Aug 2019 08:32:21 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12258] stable/1.1/UPDATING: document releases vs patches Message-ID: <201908221232.x7MCWLpN096774@stargazer.midnightbsd.org> Revision: 12258 http://svnweb.midnightbsd.org/src/?rev=12258 Author: laffer1 Date: 2019-08-22 08:32:20 -0400 (Thu, 22 Aug 2019) Log Message: ----------- document releases vs patches Modified Paths: -------------- stable/1.1/UPDATING Modified: stable/1.1/UPDATING =================================================================== --- stable/1.1/UPDATING 2019-08-22 12:31:35 UTC (rev 12257) +++ stable/1.1/UPDATING 2019-08-22 12:32:20 UTC (rev 12258) @@ -7,6 +7,8 @@ contiguous as requested by the caller. 20190808: + 1.0.2-RELEASE + bsnmp A function extracting the length from type-length-value encoding is not ` properly validating the submitted length. @@ -14,6 +16,8 @@ bzip2 1.0.7 - fix a security issue 20190724: + 1.0.1-RELEASE + Fix some buffer overflows in telnet client. The code which handles a close(2) of a descriptor created by From laffer1 at midnightbsd.org Thu Aug 22 08:32:49 2019 
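Review bot: the r12257 hunk adds the log message's typo `Due do a missing check` to stable/1.1/UPDATING; since UPDATING is user-facing, it should read `Due to a missing check` before release, and the same two lines are added to trunk/UPDATING in r12259, so both should be corrected together.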
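Review bot: in the first r12258 hunk the context line `is not ` properly validating the submitted length.` shows a stray backtick before `properly`; if that character is really present in stable/1.1/UPDATING rather than being an artifact of this listing, it deserves a follow-up fix. The release markers themselves (`1.0.2-RELEASE` under 20190808 and `1.0.1-RELEASE` under 20190724) are placed consistently, one blank line below the date heading, which matches the releases-versus-patches distinction the log message describes.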
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Thu, 22 Aug 2019 08:32:49 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12259] trunk/UPDATING: document patch for CVE-2019-5611 Message-ID: <201908221232.x7MCWntr096838@stargazer.midnightbsd.org> Revision: 12259 http://svnweb.midnightbsd.org/src/?rev=12259 Author: laffer1 Date: 2019-08-22 08:32:48 -0400 (Thu, 22 Aug 2019) Log Message: ----------- document patch for CVE-2019-5611 Modified Paths: -------------- trunk/UPDATING Modified: trunk/UPDATING =================================================================== --- trunk/UPDATING 2019-08-22 12:32:20 UTC (rev 12258) +++ trunk/UPDATING 2019-08-22 12:32:48 UTC (rev 12259) @@ -1,5 +1,11 @@ Updating Information for MidnightBSD users. +20190821: + Security patch for CVE-2019-5611. + + Due do a missing check in the code of m_pulldown(9) data returned may not be + contiguous as requested by the caller. + 20190808: OpenSSH 7.9p1 From laffer1 at midnightbsd.org Thu Aug 22 18:44:46 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Thu, 22 Aug 2019 18:44:46 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12260] trunk: The kernel driver for /dev/midistat implements a handler for read(2). Message-ID: <201908222244.x7MMik5c023600@stargazer.midnightbsd.org> Revision: 12260 http://svnweb.midnightbsd.org/src/?rev=12260 Author: laffer1 Date: 2019-08-22 18:44:45 -0400 (Thu, 22 Aug 2019) Log Message: ----------- The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. Modified Paths: -------------- trunk/UPDATING trunk/sys/dev/sound/midi/midi.c Modified: trunk/UPDATING =================================================================== --- trunk/UPDATING 2019-08-22 12:32:48 UTC (rev 12259) +++ trunk/UPDATING 2019-08-22 22:44:45 UTC (rev 12260) 
@@ -1,5 +1,11 @@ Updating Information for MidnightBSD users. +20190822: + The kernel driver for /dev/midistat implements a handler for read(2). + This handler is not thread-safe, and a multi-threaded program can + exploit races in the handler to cause it to copy out kernel memory + outside the boundaries of midistat's data buffer. + 20190821: Security patch for CVE-2019-5611. Modified: trunk/sys/dev/sound/midi/midi.c =================================================================== --- trunk/sys/dev/sound/midi/midi.c 2019-08-22 12:32:48 UTC (rev 12259) +++ trunk/sys/dev/sound/midi/midi.c 2019-08-22 22:44:45 UTC (rev 12260) @@ -39,6 +39,7 @@ __FBSDID("$FreeBSD: stable/10/sys/dev/sound/midi/midi.c 299632 2016-05-13 09:01:20Z ngie $"); #include +#include #include #include #include @@ -48,10 +49,8 @@ #include #include #include -#include #include -#include -#include +#include #include #include #include @@ -186,10 +185,9 @@ * /dev/midistat variables and declarations, protected by midistat_lock */ -static struct mtx midistat_lock; +static struct sx midistat_lock; static int midistat_isopen = 0; static struct sbuf midistat_sbuf; -static int midistat_bufptr; static struct cdev *midistat_dev; /* @@ -288,7 +286,7 @@ MIDI_TYPE *buf; MIDI_DEBUG(1, printf("midiinit: unit %d/%d.\n", unit, channel)); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); /* * Protect against call with existing unit/channel or auto-allocate a * new unit number. @@ -315,13 +313,8 @@ unit = i + 1; MIDI_DEBUG(1, printf("midiinit #2: unit %d/%d.\n", unit, channel)); - m = malloc(sizeof(*m), M_MIDI, M_NOWAIT | M_ZERO); - if (m == NULL) - goto err0; - - m->synth = malloc(sizeof(*m->synth), M_MIDI, M_NOWAIT | M_ZERO); - if (m->synth == NULL) - goto err1; + m = malloc(sizeof(*m), M_MIDI, M_WAITOK | M_ZERO); + m->synth = malloc(sizeof(*m->synth), M_MIDI, M_WAITOK | M_ZERO); kobj_init((kobj_t)m->synth, &midisynth_class); m->synth->m = m; kobj_init((kobj_t)m, cls); 
@@ -330,7 +323,7 @@ MIDI_DEBUG(1, printf("midiinit queues %d/%d.\n", inqsize, outqsize)); if (!inqsize && !outqsize) - goto err2; + goto err1; mtx_init(&m->lock, "raw midi", NULL, 0); mtx_init(&m->qlock, "q raw midi", NULL, 0); @@ -355,9 +348,8 @@ if ((inqsize && !MIDIQ_BUF(m->inq)) || (outqsize && !MIDIQ_BUF(m->outq))) - goto err3; + goto err2; - m->busy = 0; m->flags = 0; m->unit = unit; @@ -365,7 +357,7 @@ m->cookie = cookie; if (MPU_INIT(m, cookie)) - goto err3; + goto err2; mtx_unlock(&m->lock); mtx_unlock(&m->qlock); @@ -372,7 +364,7 @@ TAILQ_INSERT_TAIL(&midi_devs, m, link); - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); m->dev = make_dev(&midi_cdevsw, MIDIMKMINOR(unit, MIDI_DEV_RAW, channel), @@ -381,7 +373,8 @@ return m; -err3: mtx_destroy(&m->qlock); +err2: + mtx_destroy(&m->qlock); mtx_destroy(&m->lock); if (MIDIQ_BUF(m->inq)) @@ -388,9 +381,11 @@ free(MIDIQ_BUF(m->inq), M_MIDI); if (MIDIQ_BUF(m->outq)) free(MIDIQ_BUF(m->outq), M_MIDI); -err2: free(m->synth, M_MIDI); -err1: free(m, M_MIDI); -err0: mtx_unlock(&midistat_lock); +err1: + free(m->synth, M_MIDI); + free(m, M_MIDI); +err0: + sx_xunlock(&midistat_lock); MIDI_DEBUG(1, printf("midi_init ended in error\n")); return NULL; } @@ -408,7 +403,7 @@ int err; err = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); mtx_lock(&m->lock); if (m->busy) { if (!(m->rchan || m->wchan)) @@ -427,8 +422,10 @@ if (!err) goto exit; -err: mtx_unlock(&m->lock); -exit: mtx_unlock(&midistat_lock); +err: + mtx_unlock(&m->lock); +exit: + sx_xunlock(&midistat_lock); return err; } 
@@ -940,27 +937,22 @@ int error; MIDI_DEBUG(1, printf("midistat_open\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBUSY; } midistat_isopen = 1; - mtx_unlock(&midistat_lock); - if (sbuf_new(&midistat_sbuf, NULL, 4096, SBUF_AUTOEXTEND) == NULL) { error = ENXIO; - mtx_lock(&midistat_lock); goto out; } - mtx_lock(&midistat_lock); - midistat_bufptr = 0; error = (midistat_prepare(&midistat_sbuf) > 0) ? 0 : ENOMEM; - -out: if (error) +out: + if (error) midistat_isopen = 0; - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return error; } 
@@ -968,40 +960,40 @@ midistat_close(struct cdev *i_dev, int flags, int mode, struct thread *td) { MIDI_DEBUG(1, printf("midistat_close\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } sbuf_delete(&midistat_sbuf); midistat_isopen = 0; - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return 0; } static int -midistat_read(struct cdev *i_dev, struct uio *buf, int flag) +midistat_read(struct cdev *i_dev, struct uio *uio, int flag) { - int l, err; + long l; + int err; MIDI_DEBUG(4, printf("midistat_read\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } - l = min(buf->uio_resid, sbuf_len(&midistat_sbuf) - midistat_bufptr); + if (uio->uio_offset < 0 || uio->uio_offset > sbuf_len(&midistat_sbuf)) { + sx_xunlock(&midistat_lock); + return EINVAL; + } err = 0; + l = lmin(uio->uio_resid, sbuf_len(&midistat_sbuf) - uio->uio_offset); if (l > 0) { - mtx_unlock(&midistat_lock); - err = uiomove(sbuf_data(&midistat_sbuf) + midistat_bufptr, l, - buf); - mtx_lock(&midistat_lock); - } else - l = 0; - midistat_bufptr += l; - mtx_unlock(&midistat_lock); + err = uiomove(sbuf_data(&midistat_sbuf) + uio->uio_offset, l, + uio); + } + sx_xunlock(&midistat_lock); return err; } @@ -1014,7 +1006,7 @@ { struct snd_midi *m; - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); sbuf_printf(s, "FreeBSD Midi Driver (midi2)\n"); if (TAILQ_EMPTY(&midi_devs)) { @@ -1377,8 +1369,7 @@ static int midi_destroy(struct snd_midi *m, int midiuninit) { - - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); mtx_assert(&m->lock, MA_OWNED); MIDI_DEBUG(3, printf("midi_destroy\n")); 
@@ -1404,8 +1395,8 @@ static int midi_load(void) { - mtx_init(&midistat_lock, "midistat lock", NULL, 0); - TAILQ_INIT(&midi_devs); /* Initialize the queue. */ + sx_init(&midistat_lock, "midistat lock"); + TAILQ_INIT(&midi_devs); midistat_dev = make_dev(&midistat_cdevsw, MIDIMKMINOR(0, MIDI_DEV_MIDICTL, 0), @@ -1422,7 +1413,7 @@ MIDI_DEBUG(1, printf("midi_unload()\n")); retval = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) goto exit0; @@ -1435,20 +1426,19 @@ if (retval) goto exit1; } + sx_xunlock(&midistat_lock); + destroy_dev(midistat_dev); - mtx_unlock(&midistat_lock); /* XXX */ - - destroy_dev(midistat_dev); /* * Made it here then unload is complete */ - mtx_destroy(&midistat_lock); + sx_destroy(&midistat_lock); return 0; exit1: mtx_unlock(&m->lock); exit0: - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); if (retval) MIDI_DEBUG(2, printf("midi_unload: failed\n")); return retval; @@ -1501,13 +1491,11 @@ int retval = 0; struct snd_midi *m; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return retval; } @@ -1523,17 +1511,15 @@ struct snd_midi *m; int retval = 0; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { if (unit == retval) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return (kobj_t)m->synth; } retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return NULL; } From laffer1 at midnightbsd.org Thu Aug 22 18:45:12 2019 
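Review bot: in the midistat_read hunk, `l` is now `long` and is passed straight to uiomove(), whose length parameter is an int in FreeBSD-derived kernels; the value is bounded in practice (`uio_resid` is capped by the read path and `l` is also bounded by `sbuf_len() - uio_offset`), but an explicit cast or a comment would make that visible. The substantive change is right: the position now comes from the caller's `uio_offset`, validated against `[0, sbuf_len()]` before use, instead of the shared `midistat_bufptr`, and the copy runs with `midistat_lock` held, which is what removing the `mtx_unlock`/`mtx_lock` pair around uiomove() and converting the lock to an sx lock buys. Note also that `uio_offset == sbuf_len()` passes the check and yields `l == 0`, which the `if (l > 0)` guard turns into an EOF read, so the boundary behaves.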
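Review bot: the switch from M_NOWAIT to M_WAITOK in midi_init, and keeping sbuf_new() under the lock in midistat_open, are only safe because `midistat_lock` is now an sx lock that may be held across a sleep; that dependency should be stated in a comment next to `static struct sx midistat_lock;`, otherwise a later change back to a mutex would silently reintroduce the "drop the lock around anything that sleeps" pattern that made midistat_open and midistat_read racy. With M_WAITOK the `if (m == NULL) goto err0` checks are correctly removed and the labels renumbered; `err0` now does nothing but release the lock, so any remaining `goto err0` above these hunks must occur before `m` is allocated, which is worth confirming. The removed `m->busy = 0;` relies on M_ZERO, which the allocation keeps.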
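Review bot: the midi_unload hunk removes the `/* XXX */` by unlocking before destroy_dev() and calling sx_destroy() only afterwards; that ordering matters because destroy_dev() can sleep waiting for other threads to leave the cdev, which must not happen while the lock is held, and sx_destroy() must run on an unlocked lock. The `if (midistat_isopen) goto exit0;` check still precedes this, so an open /dev/midistat continues to block unload. A short comment at the `sx_xunlock` explaining why destroy_dev() sits outside the lock would keep the next reader from moving it back. r12261 applies these same hunks to stable/1.1.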
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Thu, 22 Aug 2019 18:45:12 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12261] stable/1.1: The kernel driver for /dev/midistat implements a handler for read(2). Message-ID: <201908222245.x7MMjCqF023678@stargazer.midnightbsd.org> Revision: 12261 http://svnweb.midnightbsd.org/src/?rev=12261 Author: laffer1 Date: 2019-08-22 18:45:11 -0400 (Thu, 22 Aug 2019) Log Message: ----------- The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. Modified Paths: -------------- stable/1.1/UPDATING stable/1.1/sys/dev/sound/midi/midi.c Modified: stable/1.1/UPDATING =================================================================== --- stable/1.1/UPDATING 2019-08-22 22:44:45 UTC (rev 12260) +++ stable/1.1/UPDATING 2019-08-22 22:45:11 UTC (rev 12261) @@ -1,5 +1,11 @@ Updating Information for MidnightBSD users. +20190822: + The kernel driver for /dev/midistat implements a handler for read(2). + This handler is not thread-safe, and a multi-threaded program can + exploit races in the handler to cause it to copy out kernel memory + outside the boundaries of midistat's data buffer. + 20190821: Security patch for CVE-2019-5611. Modified: stable/1.1/sys/dev/sound/midi/midi.c =================================================================== --- stable/1.1/sys/dev/sound/midi/midi.c 2019-08-22 22:44:45 UTC (rev 12260) +++ stable/1.1/sys/dev/sound/midi/midi.c 2019-08-22 22:45:11 UTC (rev 12261) @@ -39,6 +39,7 @@ __FBSDID("$FreeBSD: stable/10/sys/dev/sound/midi/midi.c 299632 2016-05-13 09:01:20Z ngie $"); #include +#include #include #include #include @@ -48,10 +49,8 @@ #include #include #include -#include #include -#include -#include +#include #include #include #include 
@@ -186,10 +185,9 @@ * /dev/midistat variables and declarations, protected by midistat_lock */ -static struct mtx midistat_lock; +static struct sx midistat_lock; static int midistat_isopen = 0; static struct sbuf midistat_sbuf; -static int midistat_bufptr; static struct cdev *midistat_dev; /* @@ -288,7 +286,7 @@ MIDI_TYPE *buf; MIDI_DEBUG(1, printf("midiinit: unit %d/%d.\n", unit, channel)); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); /* * Protect against call with existing unit/channel or auto-allocate a * new unit number. @@ -315,13 +313,8 @@ unit = i + 1; MIDI_DEBUG(1, printf("midiinit #2: unit %d/%d.\n", unit, channel)); - m = malloc(sizeof(*m), M_MIDI, M_NOWAIT | M_ZERO); - if (m == NULL) - goto err0; - - m->synth = malloc(sizeof(*m->synth), M_MIDI, M_NOWAIT | M_ZERO); - if (m->synth == NULL) - goto err1; + m = malloc(sizeof(*m), M_MIDI, M_WAITOK | M_ZERO); + m->synth = malloc(sizeof(*m->synth), M_MIDI, M_WAITOK | M_ZERO); kobj_init((kobj_t)m->synth, &midisynth_class); m->synth->m = m; kobj_init((kobj_t)m, cls); @@ -330,7 +323,7 @@ MIDI_DEBUG(1, printf("midiinit queues %d/%d.\n", inqsize, outqsize)); if (!inqsize && !outqsize) - goto err2; + goto err1; mtx_init(&m->lock, "raw midi", NULL, 0); mtx_init(&m->qlock, "q raw midi", NULL, 0); @@ -355,9 +348,8 @@ if ((inqsize && !MIDIQ_BUF(m->inq)) || (outqsize && !MIDIQ_BUF(m->outq))) - goto err3; + goto err2; - m->busy = 0; m->flags = 0; m->unit = unit; @@ -365,7 +357,7 @@ m->cookie = cookie; if (MPU_INIT(m, cookie)) - goto err3; + goto err2; mtx_unlock(&m->lock); mtx_unlock(&m->qlock); @@ -372,7 +364,7 @@ TAILQ_INSERT_TAIL(&midi_devs, m, link); - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); m->dev = make_dev(&midi_cdevsw, MIDIMKMINOR(unit, MIDI_DEV_RAW, channel), @@ -381,7 +373,8 @@ return m; -err3: mtx_destroy(&m->qlock); +err2: + mtx_destroy(&m->qlock); mtx_destroy(&m->lock); if (MIDIQ_BUF(m->inq)) 
@@ -388,9 +381,11 @@ free(MIDIQ_BUF(m->inq), M_MIDI); if (MIDIQ_BUF(m->outq)) free(MIDIQ_BUF(m->outq), M_MIDI); -err2: free(m->synth, M_MIDI); -err1: free(m, M_MIDI); -err0: mtx_unlock(&midistat_lock); +err1: + free(m->synth, M_MIDI); + free(m, M_MIDI); +err0: + sx_xunlock(&midistat_lock); MIDI_DEBUG(1, printf("midi_init ended in error\n")); return NULL; } @@ -408,7 +403,7 @@ int err; err = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); mtx_lock(&m->lock); if (m->busy) { if (!(m->rchan || m->wchan)) @@ -427,8 +422,10 @@ if (!err) goto exit; -err: mtx_unlock(&m->lock); -exit: mtx_unlock(&midistat_lock); +err: + mtx_unlock(&m->lock); +exit: + sx_xunlock(&midistat_lock); return err; } @@ -940,27 +937,22 @@ int error; MIDI_DEBUG(1, printf("midistat_open\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBUSY; } midistat_isopen = 1; - mtx_unlock(&midistat_lock); - if (sbuf_new(&midistat_sbuf, NULL, 4096, SBUF_AUTOEXTEND) == NULL) { error = ENXIO; - mtx_lock(&midistat_lock); goto out; } - mtx_lock(&midistat_lock); - midistat_bufptr = 0; error = (midistat_prepare(&midistat_sbuf) > 0) ? 0 : ENOMEM; - -out: if (error) +out: + if (error) midistat_isopen = 0; - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return error; } 
@@ -968,40 +960,40 @@ midistat_close(struct cdev *i_dev, int flags, int mode, struct thread *td) { MIDI_DEBUG(1, printf("midistat_close\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } sbuf_delete(&midistat_sbuf); midistat_isopen = 0; - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return 0; } static int -midistat_read(struct cdev *i_dev, struct uio *buf, int flag) +midistat_read(struct cdev *i_dev, struct uio *uio, int flag) { - int l, err; + long l; + int err; MIDI_DEBUG(4, printf("midistat_read\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } - l = min(buf->uio_resid, sbuf_len(&midistat_sbuf) - midistat_bufptr); + if (uio->uio_offset < 0 || uio->uio_offset > sbuf_len(&midistat_sbuf)) { + sx_xunlock(&midistat_lock); + return EINVAL; + } err = 0; + l = lmin(uio->uio_resid, sbuf_len(&midistat_sbuf) - uio->uio_offset); if (l > 0) { - mtx_unlock(&midistat_lock); - err = uiomove(sbuf_data(&midistat_sbuf) + midistat_bufptr, l, - buf); - mtx_lock(&midistat_lock); - } else - l = 0; - midistat_bufptr += l; - mtx_unlock(&midistat_lock); + err = uiomove(sbuf_data(&midistat_sbuf) + uio->uio_offset, l, + uio); + } + sx_xunlock(&midistat_lock); return err; } @@ -1014,7 +1006,7 @@ { struct snd_midi *m; - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); sbuf_printf(s, "FreeBSD Midi Driver (midi2)\n"); if (TAILQ_EMPTY(&midi_devs)) { @@ -1377,8 +1369,7 @@ static int midi_destroy(struct snd_midi *m, int midiuninit) { - - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); mtx_assert(&m->lock, MA_OWNED); MIDI_DEBUG(3, printf("midi_destroy\n")); 
@@ -1404,8 +1395,8 @@ static int midi_load(void) { - mtx_init(&midistat_lock, "midistat lock", NULL, 0); - TAILQ_INIT(&midi_devs); /* Initialize the queue. */ + sx_init(&midistat_lock, "midistat lock"); + TAILQ_INIT(&midi_devs); midistat_dev = make_dev(&midistat_cdevsw, MIDIMKMINOR(0, MIDI_DEV_MIDICTL, 0), @@ -1422,7 +1413,7 @@ MIDI_DEBUG(1, printf("midi_unload()\n")); retval = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) goto exit0; @@ -1435,20 +1426,19 @@ if (retval) goto exit1; } + sx_xunlock(&midistat_lock); + destroy_dev(midistat_dev); - mtx_unlock(&midistat_lock); /* XXX */ - - destroy_dev(midistat_dev); /* * Made it here then unload is complete */ - mtx_destroy(&midistat_lock); + sx_destroy(&midistat_lock); return 0; exit1: mtx_unlock(&m->lock); exit0: - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); if (retval) MIDI_DEBUG(2, printf("midi_unload: failed\n")); return retval; @@ -1501,13 +1491,11 @@ int retval = 0; struct snd_midi *m; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return retval; } @@ -1523,17 +1511,15 @@ struct snd_midi *m; int retval = 0; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { if (unit == retval) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return (kobj_t)m->synth; } retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return NULL; } From laffer1 at midnightbsd.org Thu Aug 22 18:47:42 2019 
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Thu, 22 Aug 2019 18:47:42 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12262] trunk: System calls operating on file descriptors obtain a reference to Message-ID: <201908222247.x7MMlgUw023837@stargazer.midnightbsd.org> Revision: 12262 http://svnweb.midnightbsd.org/src/?rev=12262 Author: laffer1 Date: 2019-08-22 18:47:41 -0400 (Thu, 22 Aug 2019) Log Message: ----------- System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. Modified Paths: -------------- trunk/UPDATING trunk/sys/kern/uipc_mqueue.c Modified: trunk/UPDATING =================================================================== --- trunk/UPDATING 2019-08-22 22:45:11 UTC (rev 12261) +++ trunk/UPDATING 2019-08-22 22:47:41 UTC (rev 12262) @@ -6,6 +6,11 @@ exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. + System calls operating on file descriptors obtain a reference to + relevant struct file which due to a programming error was not always put + back, which in turn could be used to overflow the counter of affected + struct file. + 20190821: Security patch for CVE-2019-5611. Modified: trunk/sys/kern/uipc_mqueue.c =================================================================== --- trunk/sys/kern/uipc_mqueue.c 2019-08-22 22:45:11 UTC (rev 12261) +++ trunk/sys/kern/uipc_mqueue.c 2019-08-22 22:47:41 UTC (rev 12262) @@ -2808,7 +2808,7 @@ if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets32, sizeof(ets32)); if (error != 0) - return (error); + goto out; CP(ets32, ets, tv_sec); CP(ets32, ets, tv_nsec); abs_timeout = &ets; 
@@ -2817,6 +2817,7 @@ waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_send(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } From laffer1 at midnightbsd.org Thu Aug 22 18:48:42 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Thu, 22 Aug 2019 18:48:42 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12263] stable/1.1: System calls operating on file descriptors obtain a reference to Message-ID: <201908222248.x7MMmggO023923@stargazer.midnightbsd.org> Revision: 12263 http://svnweb.midnightbsd.org/src/?rev=12263 Author: laffer1 Date: 2019-08-22 18:48:41 -0400 (Thu, 22 Aug 2019) Log Message: ----------- System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. Modified Paths: -------------- stable/1.1/UPDATING stable/1.1/sys/kern/uipc_mqueue.c Modified: stable/1.1/UPDATING =================================================================== --- stable/1.1/UPDATING 2019-08-22 22:47:41 UTC (rev 12262) +++ stable/1.1/UPDATING 2019-08-22 22:48:41 UTC (rev 12263) @@ -6,6 +6,11 @@ exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. + System calls operating on file descriptors obtain a reference to + relevant struct file which due to a programming error was not always put + back, which in turn could be used to overflow the counter of affected + struct file. + 20190821: Security patch for CVE-2019-5611. Modified: stable/1.1/sys/kern/uipc_mqueue.c =================================================================== --- stable/1.1/sys/kern/uipc_mqueue.c 2019-08-22 22:47:41 UTC (rev 12262) +++ stable/1.1/sys/kern/uipc_mqueue.c 2019-08-22 22:48:41 UTC (rev 12263) 
@@ -2808,7 +2808,7 @@ if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets32, sizeof(ets32)); if (error != 0) - return (error); + goto out; CP(ets32, ets, tv_sec); CP(ets32, ets, tv_nsec); abs_timeout = &ets; @@ -2817,6 +2817,7 @@ waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_send(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); }
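Review bot: with `goto out` replacing `return (error)` on the copyin() failure, the reference held on `fp` is released by the `fdrop(fp, td)` that now sits under the new `out:` label, which closes the leak the log message describes (each failed call previously left the hold count one higher). The label is placed after mqueue_send(), so the success path is unchanged; a one-line comment on the label would help. It is also worth checking whether other entry points in uipc_mqueue.c that copy in `abs_timeout` after taking the file reference have the same early return, since this patch touches only the one function. r12263 applies the identical hunks to stable/1.1.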
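An added example, not MidnightBSD or FreeBSD code, showing the reference-leak shape that r12262 and r12263 fix and the single-exit `goto out` idiom that fixes it. `struct toy_file`, `toy_fget`, `toy_fdrop`, `toy_copyin`, `send_leaky`, `send_fixed` and `leaked_refs` are constructed stand-ins for `struct file`, fget()/fdrop() and copyin(); the counter is a plain int and nothing here models the kernel's locking or the mqueue code itself.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for struct file with a hold count. */
struct toy_file {
    int refcount;
};

/* One file object, starting with the single reference a descriptor table holds. */
static struct toy_file g_file = { 1 };

/* Stand-ins for fget()/fdrop(): take and release one hold on the file. */
static struct toy_file *
toy_fget(void)
{
    g_file.refcount++;
    return &g_file;
}

static void
toy_fdrop(struct toy_file *fp)
{
    fp->refcount--;
}

/* Stand-in for copyin(): succeeds when user_ok is nonzero, else EFAULT. */
static int
toy_copyin(int user_ok)
{
    return user_ok ? 0 : EFAULT;
}

/* Leaky shape: an early return after the reference was taken. */
static int
send_leaky(int user_ok)
{
    struct toy_file *fp = toy_fget();
    int error = toy_copyin(user_ok);

    if (error != 0)
        return error;       /* BUG: fp is never dropped on this path */
    /* ... the real work would happen here ... */
    toy_fdrop(fp);
    return 0;
}

/* Fixed shape, the r12262 pattern: every exit passes through one label that
 * undoes what was acquired before the first failure point. */
static int
send_fixed(int user_ok)
{
    struct toy_file *fp = toy_fget();
    int error = toy_copyin(user_ok);

    if (error != 0)
        goto out;
    /* ... the real work would happen here ... */
out:
    toy_fdrop(fp);
    return error;
}

/* Drive a handler `iterations` times with a failing copyin and report how many
 * references it leaked relative to the starting count: the kind of invariant
 * check a unit test for a syscall error path should make. */
static int
leaked_refs(int (*handler)(int), int iterations)
{
    int before = g_file.refcount;

    for (int i = 0; i < iterations; i++)
        (void)handler(0);
    return g_file.refcount - before;
}

int
main(void)
{
    printf("leaky handler: %d references leaked after 1000 failed calls\n",
        leaked_refs(send_leaky, 1000));
    printf("fixed handler: %d references leaked after 1000 failed calls\n",
        leaked_refs(send_fixed, 1000));
    printf("fixed handler success path returns %d\n", send_fixed(1));
    return 0;
}
```

The leak only shows on the error path, which is why a test that drives the failing branch repeatedly and compares the hold count before and after is the check that catches this class of bug; the success path of both shapes balances its reference and looks identical from the outside.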