[Midnightbsd-cvs] src [6927] stable/0.5: Fix two security issues:

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Tue Nov 4 22:42:02 EST 2014


Revision: 6927
          http://svnweb.midnightbsd.org/src/?rev=6927
Author:   laffer1
Date:     2014-11-04 22:42:01 -0500 (Tue, 04 Nov 2014)
Log Message:
-----------
Fix two security issues:

1. sshd may link libpthread in the wrong order, shadowing libc functions and allowing a possible DoS attack by connecting clients.
2. getlogin may leak kernel memory via a buffer that is copied without clearing.

Modified Paths:
--------------
    stable/0.5/secure/usr.sbin/sshd/Makefile
    stable/0.5/sys/kern/kern_prot.c

Modified: stable/0.5/secure/usr.sbin/sshd/Makefile
===================================================================
--- stable/0.5/secure/usr.sbin/sshd/Makefile	2014-11-05 03:39:25 UTC (rev 6926)
+++ stable/0.5/secure/usr.sbin/sshd/Makefile	2014-11-05 03:42:01 UTC (rev 6927)
@@ -42,6 +42,16 @@
 DPADD+=	${LIBCRYPTO} ${LIBCRYPT}
 LDADD+=	-lcrypto -lcrypt
 
+# Fix the order of NEEDED entries for libthr and libc. The libthr
+# needs to interpose libc symbols, leaving the libthr loading as
+# dependency of krb causes reversed order and broken interposing. Put
+# the threading library last on the linker command line, just before
+# the -lc added by a compiler driver.
+.if ${MK_KERBEROS_SUPPORT} != "no"
+DPADD+= ${LIBPTHREAD}
+LDADD+= -lpthread
+.endif
+
 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif

Modified: stable/0.5/sys/kern/kern_prot.c
===================================================================
--- stable/0.5/sys/kern/kern_prot.c	2014-11-05 03:39:25 UTC (rev 6926)
+++ stable/0.5/sys/kern/kern_prot.c	2014-11-05 03:42:01 UTC (rev 6927)
@@ -2073,19 +2073,20 @@
 int
 sys_getlogin(struct thread *td, struct getlogin_args *uap)
 {
-	int error;
 	char login[MAXLOGNAME];
 	struct proc *p = td->td_proc;
+	size_t len;
 
 	if (uap->namelen > MAXLOGNAME)
 		uap->namelen = MAXLOGNAME;
 	PROC_LOCK(p);
 	SESS_LOCK(p->p_session);
-	bcopy(p->p_session->s_login, login, uap->namelen);
+	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
 	SESS_UNLOCK(p->p_session);
 	PROC_UNLOCK(p);
-	error = copyout(login, uap->namebuf, uap->namelen);
-	return(error);
+	if (len > uap->namelen)
+		return (ERANGE);
+	return (copyout(login, uap->namebuf, len));
 }
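Review bot: The new copyout at the bottom of the hunk copies exactly `len` bytes, but nothing in the function says why that bound matters, and the next maintainer could easily "simplify" it back to `uap->namelen`. A comment above the `if (len > uap->namelen)` check would pin the contract: `/* Copy out only the NUL-terminated string; login[] is not zeroed, so copying uap->namelen bytes would expose stale kernel stack beyond the terminator. */`. The ERANGE return is presumably what libc's getlogin_r expects when the caller's buffer is too small; that is a visible behaviour change from the old truncating copy and is worth stating in the comment as well.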
 
 /*
@@ -2104,21 +2105,23 @@
 	int error;
 	char logintmp[MAXLOGNAME];
 
+	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
 	error = priv_check(td, PRIV_PROC_SETLOGIN);
 	if (error)
 		return (error);
 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
-	if (error == ENAMETOOLONG)
-		error = EINVAL;
-	else if (!error) {
-		PROC_LOCK(p);
-		SESS_LOCK(p->p_session);
-		(void) memcpy(p->p_session->s_login, logintmp,
-		    sizeof(logintmp));
-		SESS_UNLOCK(p->p_session);
-		PROC_UNLOCK(p);
+	if (error != 0) {
+		if (error == ENAMETOOLONG)
+			error = EINVAL;
+		return (error);
 	}
-	return (error);
+	PROC_LOCK(p);
+	SESS_LOCK(p->p_session);
+	strcpy(p->p_session->s_login, logintmp);
+	SESS_UNLOCK(p->p_session);
+	PROC_UNLOCK(p);
+	return (0);
 }
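Review bot: The `strcpy(p->p_session->s_login, logintmp)` added in this hunk is only safe because of two facts established elsewhere in the function, and neither is stated at the call site: `copyinstr()` with `sizeof(logintmp)` leaves logintmp NUL-terminated on success, and the new `CTASSERT` near the top of the hunk guarantees s_login is at least as large as logintmp. An unbounded strcpy in kernel code is a natural reviewer stop, so I would add, directly above the call, `/* logintmp is NUL-terminated by copyinstr(); CTASSERT above ensures s_login can hold it. */`. Note also that strcpy, unlike the old memcpy of sizeof(logintmp), no longer overwrites bytes of s_login past the terminator; that is fine as long as every reader treats s_login as a C string, which the sys_getlogin change in this commit does. The function's signature and the declaration of `p` are outside the hunk.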
 
 void


