[Midnightbsd-cvs] src [6927] stable/0.5: Fix two security issues:
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Tue Nov 4 22:42:02 EST 2014
Revision: 6927
http://svnweb.midnightbsd.org/src/?rev=6927
Author: laffer1
Date: 2014-11-04 22:42:01 -0500 (Tue, 04 Nov 2014)
Log Message:
-----------
Fix two security issues:
1. sshd may link libpthread in the wrong order, shadowing libc functions and making a denial-of-service (DoS) attack possible for connecting clients.
2. getlogin may leak kernel memory via a buffer that is copied without clearing.
Modified Paths:
--------------
stable/0.5/secure/usr.sbin/sshd/Makefile
stable/0.5/sys/kern/kern_prot.c
Modified: stable/0.5/secure/usr.sbin/sshd/Makefile
===================================================================
--- stable/0.5/secure/usr.sbin/sshd/Makefile 2014-11-05 03:39:25 UTC (rev 6926)
+++ stable/0.5/secure/usr.sbin/sshd/Makefile 2014-11-05 03:42:01 UTC (rev 6927)
@@ -42,6 +42,16 @@
DPADD+= ${LIBCRYPTO} ${LIBCRYPT}
LDADD+= -lcrypto -lcrypt
+# Fix the order of NEEDED entries for libthr and libc. The libthr
+# needs to interpose libc symbols, leaving the libthr loading as
+# dependency of krb causes reversed order and broken interposing. Put
+# the threading library last on the linker command line, just before
+# the -lc added by a compiler driver.
+.if ${MK_KERBEROS_SUPPORT} != "no"
+DPADD+= ${LIBPTHREAD}
+LDADD+= -lpthread
+.endif
+
.if defined(LOCALBASE)
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
.endif
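Review bot: The comment above the added `.if ${MK_KERBEROS_SUPPORT} != "no"` block explains the interposing mechanism but not the constraint it places on later edits: the fix only holds while `-lpthread` stays the last library appended to LDADD. The rest of the Makefile is outside this hunk, so it is worth confirming that nothing below appends to LDADD. Adding a line such as `# Security fix: keep this block after every other LDADD+= line.` to the comment would make that constraint explicit.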
Modified: stable/0.5/sys/kern/kern_prot.c
===================================================================
--- stable/0.5/sys/kern/kern_prot.c 2014-11-05 03:39:25 UTC (rev 6926)
+++ stable/0.5/sys/kern/kern_prot.c 2014-11-05 03:42:01 UTC (rev 6927)
@@ -2073,19 +2073,20 @@
int
sys_getlogin(struct thread *td, struct getlogin_args *uap)
{
- int error;
char login[MAXLOGNAME];
struct proc *p = td->td_proc;
+ size_t len;
if (uap->namelen > MAXLOGNAME)
uap->namelen = MAXLOGNAME;
PROC_LOCK(p);
SESS_LOCK(p->p_session);
- bcopy(p->p_session->s_login, login, uap->namelen);
+ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
SESS_UNLOCK(p->p_session);
PROC_UNLOCK(p);
- error = copyout(login, uap->namebuf, uap->namelen);
- return(error);
+ if (len > uap->namelen)
+ return (ERANGE);
+ return (copyout(login, uap->namebuf, len));
}
/*
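Review bot: Nothing in the new body of sys_getlogin says why `copyout` is now given `len` instead of `uap->namelen`, which is the core of the fix: `login[]` is an uninitialized stack array and `strlcpy` writes only its first `len` bytes. A comment above the final return, for example `/* Copy out only the name and its NUL; the rest of login[] is uninitialized kernel stack. */`, would keep a later cleanup from reverting to the full-length copy. The `ERANGE` return on truncation is also a caller-visible change from the old silent truncation and should be mentioned in the function's header comment.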
@@ -2104,21 +2105,23 @@
int error;
char logintmp[MAXLOGNAME];
+ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
error = priv_check(td, PRIV_PROC_SETLOGIN);
if (error)
return (error);
error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
- if (error == ENAMETOOLONG)
- error = EINVAL;
- else if (!error) {
- PROC_LOCK(p);
- SESS_LOCK(p->p_session);
- (void) memcpy(p->p_session->s_login, logintmp,
- sizeof(logintmp));
- SESS_UNLOCK(p->p_session);
- PROC_UNLOCK(p);
+ if (error != 0) {
+ if (error == ENAMETOOLONG)
+ error = EINVAL;
+ return (error);
}
- return (error);
+ PROC_LOCK(p);
+ SESS_LOCK(p->p_session);
+ strcpy(p->p_session->s_login, logintmp);
+ SESS_UNLOCK(p->p_session);
+ PROC_UNLOCK(p);
+ return (0);
}
void
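Review bot: The `strcpy` into `p->p_session->s_login` is bounded only indirectly, by the `CTASSERT` at the top of the function and by `copyinstr` having NUL-terminated `logintmp` within `sizeof(logintmp)`. Writing it as `strlcpy(p->p_session->s_login, logintmp, sizeof(p->p_session->s_login));` would state the destination bound at the call site and match the `strlcpy` used in the sys_getlogin hunk. Bytes of a previous, longer name also remain in `s_login` past the new terminator. That looks harmless for the reader changed in this commit, but any other reader that copies the whole array should be checked. The function's signature and the declaration of `p` are outside the hunk.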