From laffer1 at midnightbsd.org Wed Jul 24 18:49:33 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 18:49:33 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12212] stable/1.1: Fix some security issues in telnet client. Message-ID: <201907242249.x6OMnXNI054554@stargazer.midnightbsd.org> Revision: 12212 http://svnweb.midnightbsd.org/src/?rev=12212 Author: laffer1 Date: 2019-07-24 18:49:32 -0400 (Wed, 24 Jul 2019) Log Message: ----------- Fix some security issues in telnet client. Modified Paths: -------------- stable/1.1/UPDATING stable/1.1/contrib/telnet/telnet/commands.c stable/1.1/contrib/telnet/telnet/telnet.c stable/1.1/contrib/telnet/telnet/utilities.c Modified: stable/1.1/UPDATING =================================================================== --- stable/1.1/UPDATING 2019-06-29 01:39:44 UTC (rev 12211) +++ stable/1.1/UPDATING 2019-07-24 22:49:32 UTC (rev 12212) @@ -1,5 +1,8 @@ Updating Information for MidnightBSD users. +20190724: + Fix some buffer overflows in telnet client. + 20190223: Update mport package tool with version from CURRENT. Supports origin lookups with /usr/libexec/mport.query now, required for latest Modified: stable/1.1/contrib/telnet/telnet/commands.c =================================================================== --- stable/1.1/contrib/telnet/telnet/commands.c 2019-06-29 01:39:44 UTC (rev 12211) +++ stable/1.1/contrib/telnet/telnet/commands.c 2019-07-24 22:49:32 UTC (rev 12212) @@ -45,6 +45,7 @@ #include #include +#include #include #include #include 
@@ -1654,11 +1655,14 @@ || (strncmp((char *)ep->value, "unix:", 5) == 0))) { char hbuf[256+1]; char *cp2 = strchr((char *)ep->value, ':'); + size_t buflen; - gethostname(hbuf, 256); - hbuf[256] = '\0'; - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1); - sprintf((char *)cp, "%s%s", hbuf, cp2); + gethostname(hbuf, sizeof(hbuf)); + hbuf[sizeof(hbuf)-1] = '\0'; + buflen = strlen(hbuf) + strlen(cp2) + 1; + cp = (char *)malloc(sizeof(char)*buflen); + assert(cp != NULL); + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); free(ep->value); ep->value = (unsigned char *)cp; } Modified: stable/1.1/contrib/telnet/telnet/telnet.c =================================================================== --- stable/1.1/contrib/telnet/telnet/telnet.c 2019-06-29 01:39:44 UTC (rev 12211) +++ stable/1.1/contrib/telnet/telnet/telnet.c 2019-07-24 22:49:32 UTC (rev 12212) @@ -785,7 +785,7 @@ name = gettermname(); len = strlen(name) + 4 + 2; if (len < NETROOM()) { - sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, + snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE); ring_supply_data(&netoring, temp, len); printsub('>', &temp[2], len-2); @@ -807,7 +807,7 @@ TerminalSpeeds(&ispeed, &ospeed); - sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, + snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, TELQUAL_IS, ospeed, ispeed, IAC, SE); len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */ Modified: stable/1.1/contrib/telnet/telnet/utilities.c =================================================================== --- stable/1.1/contrib/telnet/telnet/utilities.c 2019-06-29 01:39:44 UTC (rev 12211) +++ stable/1.1/contrib/telnet/telnet/utilities.c 2019-07-24 22:49:32 UTC (rev 12212) 
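Review bot: The `assert(cp != NULL)` added after `malloc` is not an allocation check: under NDEBUG it compiles to nothing and the following `snprintf` writes through a null pointer, so the hunk should fail explicitly, e.g. `if (cp == NULL) err(1, "malloc");` or whichever failure idiom commands.c already uses. The return value of `gethostname()` is still ignored; on failure hbuf holds uninitialized stack bytes (terminated by the forced NUL, but otherwise garbage), so `if (gethostname(hbuf, sizeof(hbuf)) != 0) hbuf[0] = '\0';` would make the fallback deterministic. `sizeof(char)*buflen` is just `buflen`. The enclosing function starts and ends outside the hunk, and the identical hunk appears again in the trunk commit (12213) below.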
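Review bot: In the TTYPE hunk (@@ -785) the switch to `snprintf(temp, sizeof(temp), ...)` bounds the write, but `len` is still computed from `strlen(name)` rather than from what was actually written, so when the terminal name does not fit in temp (a fixed array, as `sizeof(temp)` implies; its declaration is outside the hunk) `ring_supply_data(&netoring, temp, len)` sends `len` bytes, reading past the truncated buffer and dropping the IAC SE terminator. The guard should bound against the buffer as well, e.g. `if (len < NETROOM() && len < sizeof(temp)) {`, or `len` should be taken from snprintf's return value with the send skipped when it is >= sizeof(temp). The TSPEED hunk (@@ -807) is safer because `len` is recomputed with `strlen` on temp after formatting, though a truncated reply would likewise lose its terminator. Both hunks recur in commit 12213 below, and the enclosing function starts and ends outside them.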
@@ -629,7 +629,7 @@ } { char tbuf[64]; - sprintf(tbuf, "%s%s%s%s%s", + snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s", pointer[2]&MODE_EDIT ? "|EDIT" : "", pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "", pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "", From laffer1 at midnightbsd.org Wed Jul 24 18:50:31 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 18:50:31 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12213] trunk: Fix some buffer overflows in telnet client. Message-ID: <201907242250.x6OMoVAB054650@stargazer.midnightbsd.org> Revision: 12213 http://svnweb.midnightbsd.org/src/?rev=12213 Author: laffer1 Date: 2019-07-24 18:50:31 -0400 (Wed, 24 Jul 2019) Log Message: ----------- Fix some buffer overflows in telnet client. Modified Paths: -------------- trunk/UPDATING trunk/contrib/telnet/telnet/commands.c trunk/contrib/telnet/telnet/telnet.c trunk/contrib/telnet/telnet/utilities.c Modified: trunk/UPDATING =================================================================== --- trunk/UPDATING 2019-07-24 22:49:32 UTC (rev 12212) +++ trunk/UPDATING 2019-07-24 22:50:31 UTC (rev 12213) @@ -1,5 +1,8 @@ Updating Information for MidnightBSD users. +20190724: + Fix some buffer overflows in telnet client + 20190417: bring back deroff(1) to fix spell(1) Modified: trunk/contrib/telnet/telnet/commands.c =================================================================== --- trunk/contrib/telnet/telnet/commands.c 2019-07-24 22:49:32 UTC (rev 12212) +++ trunk/contrib/telnet/telnet/commands.c 2019-07-24 22:50:31 UTC (rev 12213) @@ -45,6 +45,7 @@ #include #include +#include #include #include #include 
@@ -1654,11 +1655,14 @@ || (strncmp((char *)ep->value, "unix:", 5) == 0))) { char hbuf[256+1]; char *cp2 = strchr((char *)ep->value, ':'); + size_t buflen; - gethostname(hbuf, 256); - hbuf[256] = '\0'; - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1); - sprintf((char *)cp, "%s%s", hbuf, cp2); + gethostname(hbuf, sizeof(hbuf)); + hbuf[sizeof(hbuf)-1] = '\0'; + buflen = strlen(hbuf) + strlen(cp2) + 1; + cp = (char *)malloc(sizeof(char)*buflen); + assert(cp != NULL); + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); free(ep->value); ep->value = (unsigned char *)cp; } Modified: trunk/contrib/telnet/telnet/telnet.c =================================================================== --- trunk/contrib/telnet/telnet/telnet.c 2019-07-24 22:49:32 UTC (rev 12212) +++ trunk/contrib/telnet/telnet/telnet.c 2019-07-24 22:50:31 UTC (rev 12213) @@ -785,7 +785,7 @@ name = gettermname(); len = strlen(name) + 4 + 2; if (len < NETROOM()) { - sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, + snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE); ring_supply_data(&netoring, temp, len); printsub('>', &temp[2], len-2); @@ -807,7 +807,7 @@ TerminalSpeeds(&ispeed, &ospeed); - sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, + snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, TELQUAL_IS, ospeed, ispeed, IAC, SE); len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */ Modified: trunk/contrib/telnet/telnet/utilities.c =================================================================== --- trunk/contrib/telnet/telnet/utilities.c 2019-07-24 22:49:32 UTC (rev 12212) +++ trunk/contrib/telnet/telnet/utilities.c 2019-07-24 22:50:31 UTC (rev 12213) 
@@ -629,7 +629,7 @@ } { char tbuf[64]; - sprintf(tbuf, "%s%s%s%s%s", + snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s", pointer[2]&MODE_EDIT ? "|EDIT" : "", pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "", pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "", From laffer1 at midnightbsd.org Wed Jul 24 18:51:59 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 18:51:59 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12214] trunk: The code which handles a close(2) of a descriptor created by Message-ID: <201907242251.x6OMpx9a054783@stargazer.midnightbsd.org> Revision: 12214 http://svnweb.midnightbsd.org/src/?rev=12214 Author: laffer1 Date: 2019-07-24 18:51:58 -0400 (Wed, 24 Jul 2019) Log Message: ----------- The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory. Modified Paths: -------------- trunk/UPDATING trunk/sys/kern/tty.c Modified: trunk/UPDATING =================================================================== --- trunk/UPDATING 2019-07-24 22:50:31 UTC (rev 12213) +++ trunk/UPDATING 2019-07-24 22:51:58 UTC (rev 12214) @@ -3,6 +3,10 @@ 20190724: Fix some buffer overflows in telnet client + The code which handles a close(2) of a descriptor created by + posix_openpt(2) fails to undo the configuration which causes SIGIO to be + raised. This bug can lead to a write-after-free of kernel memory. + 20190417: bring back deroff(1) to fix spell(1) Modified: trunk/sys/kern/tty.c =================================================================== --- trunk/sys/kern/tty.c 2019-07-24 22:50:31 UTC (rev 12213) +++ trunk/sys/kern/tty.c 2019-07-24 22:51:58 UTC (rev 12214) @@ -202,9 +202,6 @@ tp->t_flags |= TF_OPENCLOSE; - /* Stop asynchronous I/O. */ - funsetown(&tp->t_sigio); - /* Remove console TTY. */ if (constty == tp) constty_clear(); 
@@ -1093,6 +1090,9 @@ return; } + /* Stop asynchronous I/O. */ + funsetown(&tp->t_sigio); + /* TTY can be deallocated. */ dev = tp->t_dev; tp->t_dev = NULL; From laffer1 at midnightbsd.org Wed Jul 24 18:52:35 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 18:52:35 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12215] stable/1.1: The code which handles a close(2) of a descriptor created by Message-ID: <201907242252.x6OMqZJP054856@stargazer.midnightbsd.org> Revision: 12215 http://svnweb.midnightbsd.org/src/?rev=12215 Author: laffer1 Date: 2019-07-24 18:52:34 -0400 (Wed, 24 Jul 2019) Log Message: ----------- The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory. Modified Paths: -------------- stable/1.1/UPDATING stable/1.1/sys/kern/tty.c Modified: stable/1.1/UPDATING =================================================================== --- stable/1.1/UPDATING 2019-07-24 22:51:58 UTC (rev 12214) +++ stable/1.1/UPDATING 2019-07-24 22:52:34 UTC (rev 12215) @@ -3,6 +3,10 @@ 20190724: Fix some buffer overflows in telnet client. + The code which handles a close(2) of a descriptor created by + posix_openpt(2) fails to undo the configuration which causes SIGIO to be + raised. This bug can lead to a write-after-free of kernel memory. + 20190223: Update mport package tool with version from CURRENT. Supports origin lookups with /usr/libexec/mport.query now, required for latest Modified: stable/1.1/sys/kern/tty.c =================================================================== --- stable/1.1/sys/kern/tty.c 2019-07-24 22:51:58 UTC (rev 12214) +++ stable/1.1/sys/kern/tty.c 2019-07-24 22:52:34 UTC (rev 12215) @@ -202,9 +202,6 @@ tp->t_flags |= TF_OPENCLOSE; - /* Stop asynchronous I/O. */ - funsetown(&tp->t_sigio); - /* Remove console TTY. */ if (constty == tp) constty_clear(); 
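Review bot: The relocated `funsetown(&tp->t_sigio)` carries only its original one-line comment, which no longer explains why the call moved from the TF_OPENCLOSE path (the removed lines at @@ -202) to just before the TTY is deallocated; without that rationale a later cleanup could move it back. Suggest replacing the comment with `/* Stop asynchronous I/O. Done here, when the tty is actually freed: clearing it at device close left a SIGIO owner that could fire after the free (see commit log). */`, hedged to what the commit message states since the registration path is not in this diff. The enclosing function starts outside the hunk, and the same hunk pair appears again in the stable/1.1 commit (12215) below.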
@@ -1093,6 +1090,9 @@ return; } + /* Stop asynchronous I/O. */ + funsetown(&tp->t_sigio); + /* TTY can be deallocated. */ dev = tp->t_dev; tp->t_dev = NULL; From laffer1 at midnightbsd.org Wed Jul 24 18:54:42 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 18:54:42 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12216] trunk/sys/compat/freebsd32/freebsd32_ioctl.c: Due to insufficient initialization of memory copied to userland in the Message-ID: <201907242254.x6OMsgxL055002@stargazer.midnightbsd.org> Revision: 12216 http://svnweb.midnightbsd.org/src/?rev=12216 Author: laffer1 Date: 2019-07-24 18:54:42 -0400 (Wed, 24 Jul 2019) Log Message: ----------- Due to insufficient initialization of memory copied to userland in the components listed above small amounts of kernel memory may be disclosed to userland processes. Modified Paths: -------------- trunk/sys/compat/freebsd32/freebsd32_ioctl.c Modified: trunk/sys/compat/freebsd32/freebsd32_ioctl.c =================================================================== --- trunk/sys/compat/freebsd32/freebsd32_ioctl.c 2019-07-24 22:52:34 UTC (rev 12215) +++ trunk/sys/compat/freebsd32/freebsd32_ioctl.c 2019-07-24 22:54:42 UTC (rev 12216) @@ -263,6 +263,8 @@ vm_offset_t addr; int error; + memset(&pmc, 0, sizeof(pmc)); + memset(&pc32, 0, sizeof(pc32)); if ((error = copyin(uap->data, &pci32, sizeof(pci32))) != 0) return (error); From laffer1 at midnightbsd.org Wed Jul 24 18:55:11 2019 
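Review bot: The two `memset` calls added before the `copyin` are the right tool and deserve a comment saying so: a tempting rewrite to `= {0}` at the declarations (outside the hunk) would not guarantee that struct padding is cleared, and padding is exactly what reaches userland on the copy-out this commit is about (the copy-out itself is not visible in the hunk). Suggest `/* memset, not "= {0}": padding must be zeroed too before this is copied to userland. */` above the first memset. The same hunk appears in commit 12218 below, and the enclosing function starts outside the hunk.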
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 18:55:11 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12217] trunk/UPDATING: document compat issue Message-ID: <201907242255.x6OMtBkO055087@stargazer.midnightbsd.org> Revision: 12217 http://svnweb.midnightbsd.org/src/?rev=12217 Author: laffer1 Date: 2019-07-24 18:55:10 -0400 (Wed, 24 Jul 2019) Log Message: ----------- document compat issue Modified Paths: -------------- trunk/UPDATING Modified: trunk/UPDATING =================================================================== --- trunk/UPDATING 2019-07-24 22:54:42 UTC (rev 12216) +++ trunk/UPDATING 2019-07-24 22:55:10 UTC (rev 12217) @@ -7,6 +7,10 @@ posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory. + Due to insufficient initialization of memory copied to userland in the + components listed above small amounts of kernel memory may be disclosed + to userland processes. + 20190417: bring back deroff(1) to fix spell(1) From laffer1 at midnightbsd.org Wed Jul 24 18:55:45 2019 
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 18:55:45 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12218] stable/1.1: Due to insufficient initialization of memory copied to userland in the Message-ID: <201907242255.x6OMtj0J055156@stargazer.midnightbsd.org> Revision: 12218 http://svnweb.midnightbsd.org/src/?rev=12218 Author: laffer1 Date: 2019-07-24 18:55:45 -0400 (Wed, 24 Jul 2019) Log Message: ----------- Due to insufficient initialization of memory copied to userland in the components listed above small amounts of kernel memory may be disclosed to userland processes. Modified Paths: -------------- stable/1.1/UPDATING stable/1.1/sys/compat/freebsd32/freebsd32_ioctl.c Modified: stable/1.1/UPDATING =================================================================== --- stable/1.1/UPDATING 2019-07-24 22:55:10 UTC (rev 12217) +++ stable/1.1/UPDATING 2019-07-24 22:55:45 UTC (rev 12218) @@ -7,6 +7,10 @@ posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory. + Due to insufficient initialization of memory copied to userland in the + components listed above small amounts of kernel memory may be disclosed + to userland processes. + 20190223: Update mport package tool with version from CURRENT. Supports origin lookups with /usr/libexec/mport.query now, required for latest Modified: stable/1.1/sys/compat/freebsd32/freebsd32_ioctl.c =================================================================== --- stable/1.1/sys/compat/freebsd32/freebsd32_ioctl.c 2019-07-24 22:55:10 UTC (rev 12217) +++ stable/1.1/sys/compat/freebsd32/freebsd32_ioctl.c 2019-07-24 22:55:45 UTC (rev 12218) @@ -263,6 +263,8 @@ vm_offset_t addr; int error; + memset(&pmc, 0, sizeof(pmc)); + memset(&pc32, 0, sizeof(pc32)); if ((error = copyin(uap->data, &pci32, sizeof(pci32))) != 0) return (error); From laffer1 at midnightbsd.org Wed Jul 24 23:18:13 2019 
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 23:18:13 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12219] trunk/sys/kern/uipc_mqueue.c: System calls operating on file descriptors obtain a reference to Message-ID: <201907250318.x6P3IDPi066214@stargazer.midnightbsd.org> Revision: 12219 http://svnweb.midnightbsd.org/src/?rev=12219 Author: laffer1 Date: 2019-07-24 23:18:12 -0400 (Wed, 24 Jul 2019) Log Message: ----------- System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. Modified Paths: -------------- trunk/sys/kern/uipc_mqueue.c Modified: trunk/sys/kern/uipc_mqueue.c ===================================================================
--- trunk/sys/kern/uipc_mqueue.c 2019-07-24 22:55:45 UTC (rev 12218)
+++ trunk/sys/kern/uipc_mqueue.c 2019-07-25 03:18:12 UTC (rev 12219)
@@ -2266,7 +2266,7 @@
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 if (error != 0)
- return (error);
+ goto out;
 abs_timeout = &ets;
 } else
 abs_timeout = NULL;
@@ -2273,6 +2273,7 @@
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }
@@ -2291,7 +2292,7 @@
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 if (error != 0)
- return (error);
+ goto out;
 abs_timeout = &ets;
 } else
 abs_timeout = NULL;
@@ -2298,6 +2299,7 @@
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }
@@ -2835,7 +2837,7 @@
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
 if (error != 0)
- return (error);
+ goto out;
 CP(ets32, ets, tv_sec);
 CP(ets32, ets, tv_nsec);
 abs_timeout = &ets;
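Review bot: `goto out` now releases the `fp` reference when `copyin` fails, but the label sits directly on `fdrop(fp, td)`, so the fix depends on `out:` being reachable only after the reference has been taken; that acquisition is outside the hunk and deserves a comment at the label, e.g. `out: /* fp was acquired above; every exit after that point must fdrop it */`. The same change is applied to the send path (@@ -2291) and the 32-bit receive path (@@ -2835); if a 32-bit send path has the same copyin-then-return shape it is not covered by this diff and would keep the leak, which I cannot verify from here. Commit 12220 below repeats the same hunks for stable/1.1, and each enclosing function starts outside its hunk.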
@@ -2844,6 +2846,7 @@
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }
From laffer1 at midnightbsd.org Wed Jul 24 23:18:44 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 23:18:44 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12220] stable/1.1/sys/kern/uipc_mqueue.c: System calls operating on file descriptors obtain a reference to Message-ID: <201907250318.x6P3IiVe066281@stargazer.midnightbsd.org> Revision: 12220 http://svnweb.midnightbsd.org/src/?rev=12220 Author: laffer1 Date: 2019-07-24 23:18:44 -0400 (Wed, 24 Jul 2019) Log Message: ----------- System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. Modified Paths: -------------- stable/1.1/sys/kern/uipc_mqueue.c Modified: stable/1.1/sys/kern/uipc_mqueue.c ===================================================================
--- stable/1.1/sys/kern/uipc_mqueue.c 2019-07-25 03:18:12 UTC (rev 12219)
+++ stable/1.1/sys/kern/uipc_mqueue.c 2019-07-25 03:18:44 UTC (rev 12220)
@@ -2266,7 +2266,7 @@
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 if (error != 0)
- return (error);
+ goto out;
 abs_timeout = &ets;
 } else
 abs_timeout = NULL;
@@ -2273,6 +2273,7 @@
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }
@@ -2291,7 +2292,7 @@
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 if (error != 0)
- return (error);
+ goto out;
 abs_timeout = &ets;
 } else
 abs_timeout = NULL;
@@ -2298,6 +2299,7 @@
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }
@@ -2835,7 +2837,7 @@
 if (uap->abs_timeout != NULL) {
 error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
 if (error != 0)
- return (error);
+ goto out;
 CP(ets32, ets, tv_sec);
 CP(ets32, ets, tv_nsec);
 abs_timeout = &ets;
@@ -2844,6 +2846,7 @@
 waitok = !(fp->f_flag & O_NONBLOCK);
 error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 uap->msg_prio, waitok, abs_timeout);
+out:
 fdrop(fp, td);
 return (error);
 }
From laffer1 at midnightbsd.org Wed Jul 24 23:20:01 2019 From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 23:20:01 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12221] stable/1.1/UPDATING: document mqueuefs(5) issue Message-ID: <201907250320.x6P3K1Cx066375@stargazer.midnightbsd.org> Revision: 12221 http://svnweb.midnightbsd.org/src/?rev=12221 Author: laffer1 Date: 2019-07-24 23:20:00 -0400 (Wed, 24 Jul 2019) Log Message: ----------- document mqueuefs(5) issue Modified Paths: -------------- stable/1.1/UPDATING Modified: stable/1.1/UPDATING ===================================================================
--- stable/1.1/UPDATING 2019-07-25 03:18:44 UTC (rev 12220)
+++ stable/1.1/UPDATING 2019-07-25 03:20:00 UTC (rev 12221)
@@ -11,6 +11,12 @@ components listed above small amounts of kernel memory may be disclosed to userland processes. + mqueuefs(5) + System calls operating on file descriptors obtain a reference to + relevant struct file which due to a programming error was not always put + back, which in turn could be used to overflow the counter of affected + struct file. + 20190223: Update mport package tool with version from CURRENT. Supports origin lookups with /usr/libexec/mport.query now, required for latest From laffer1 at midnightbsd.org Wed Jul 24 23:21:26 2019
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 23:21:26 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12222] trunk/sys/kern/uipc_usrreq.c: If a process attempts to transmit rights over a UNIX-domain socket and Message-ID: <201907250321.x6P3LQxY066470@stargazer.midnightbsd.org> Revision: 12222 http://svnweb.midnightbsd.org/src/?rev=12222 Author: laffer1 Date: 2019-07-24 23:21:25 -0400 (Wed, 24 Jul 2019) Log Message: ----------- If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file structure. Modified Paths: -------------- trunk/sys/kern/uipc_usrreq.c Modified: trunk/sys/kern/uipc_usrreq.c =================================================================== --- trunk/sys/kern/uipc_usrreq.c 2019-07-25 03:20:00 UTC (rev 12221) +++ trunk/sys/kern/uipc_usrreq.c 2019-07-25 03:21:25 UTC (rev 12222) 
@@ -1854,29 +1854,52 @@ UNP_DEFERRED_LOCK_INIT(); } +static void +unp_internalize_cleanup_rights(struct mbuf *control) +{ + struct cmsghdr *cp; + struct mbuf *m; + void *data; + socklen_t datalen; + + for (m = control; m != NULL; m = m->m_next) { + cp = mtod(m, struct cmsghdr *); + if (cp->cmsg_level != SOL_SOCKET || + cp->cmsg_type != SCM_RIGHTS) + continue; + data = CMSG_DATA(cp); + datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data; + unp_freerights(data, datalen / sizeof(struct filedesc *)); + } +} + static int unp_internalize(struct mbuf **controlp, struct thread *td) { - struct mbuf *control = *controlp; - struct proc *p = td->td_proc; - struct filedesc *fdesc = p->p_fd; + struct mbuf *control, **initial_controlp; + struct proc *p; + struct filedesc *fdesc; struct bintime *bt; - struct cmsghdr *cm = mtod(control, struct cmsghdr *); + struct cmsghdr *cm; struct cmsgcred *cmcred; struct filedescent *fde, **fdep, *fdev; struct file *fp; struct timeval *tv; - int i, *fdp; void *data; - socklen_t clen = control->m_len, datalen; - int error, oldfds; + socklen_t clen, datalen; + int i, error, *fdp, oldfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + p = td->td_proc; + fdesc = p->p_fd; error = 0; + control = *controlp; + clen = control->m_len; *controlp = NULL; - while (cm != NULL) { + initial_controlp = controlp; + for (cm = mtod(control, struct cmsghdr *); cm != NULL;) { if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { error = EINVAL; @@ -2003,6 +2026,8 @@ } out: + if (error != 0 && initial_controlp != NULL) + unp_internalize_cleanup_rights(*initial_controlp); m_freem(control); return (error); } From laffer1 at midnightbsd.org Wed Jul 24 23:22:28 2019 
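Review bot: In `unp_internalize_cleanup_rights` the element count is `datalen / sizeof(struct filedesc *)`, but the SCM_RIGHTS payload being released holds `struct filedescent *` entries (the `fdep`/`fdev` locals of unp_internalize show that type; unp_freerights' prototype is outside the hunk), so the divisor is right only because every pointer type happens to have the same size; `datalen / sizeof(struct filedescent *)` states the intent. At `out:` the `initial_controlp != NULL` test is always true because `*controlp` was dereferenced at the top of the function, so `if (error != 0)` alone would do, though the extra test is harmless. The helper also deserves a header comment: it apparently walks only the already-internalized output chain in `*initial_controlp`, dropping the file references taken before the failure, while the partially consumed input `control` is still freed separately by `m_freem`. The same two hunks appear in commit 12223 below, and unp_internalize continues outside the hunks.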
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Wed, 24 Jul 2019 23:22:28 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12223] stable/1.1/sys/kern/uipc_usrreq.c: If a process attempts to transmit rights over a UNIX-domain socket and Message-ID: <201907250322.x6P3MSpQ066563@stargazer.midnightbsd.org> Revision: 12223 http://svnweb.midnightbsd.org/src/?rev=12223 Author: laffer1 Date: 2019-07-24 23:22:27 -0400 (Wed, 24 Jul 2019) Log Message: ----------- If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file structure. Modified Paths: -------------- stable/1.1/sys/kern/uipc_usrreq.c Modified: stable/1.1/sys/kern/uipc_usrreq.c =================================================================== --- stable/1.1/sys/kern/uipc_usrreq.c 2019-07-25 03:21:25 UTC (rev 12222) +++ stable/1.1/sys/kern/uipc_usrreq.c 2019-07-25 03:22:27 UTC (rev 12223) 
@@ -1854,29 +1854,52 @@ UNP_DEFERRED_LOCK_INIT(); } +static void +unp_internalize_cleanup_rights(struct mbuf *control) +{ + struct cmsghdr *cp; + struct mbuf *m; + void *data; + socklen_t datalen; + + for (m = control; m != NULL; m = m->m_next) { + cp = mtod(m, struct cmsghdr *); + if (cp->cmsg_level != SOL_SOCKET || + cp->cmsg_type != SCM_RIGHTS) + continue; + data = CMSG_DATA(cp); + datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data; + unp_freerights(data, datalen / sizeof(struct filedesc *)); + } +} + static int unp_internalize(struct mbuf **controlp, struct thread *td) { - struct mbuf *control = *controlp; - struct proc *p = td->td_proc; - struct filedesc *fdesc = p->p_fd; + struct mbuf *control, **initial_controlp; + struct proc *p; + struct filedesc *fdesc; struct bintime *bt; - struct cmsghdr *cm = mtod(control, struct cmsghdr *); + struct cmsghdr *cm; struct cmsgcred *cmcred; struct filedescent *fde, **fdep, *fdev; struct file *fp; struct timeval *tv; - int i, *fdp; void *data; - socklen_t clen = control->m_len, datalen; - int error, oldfds; + socklen_t clen, datalen; + int i, error, *fdp, oldfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + p = td->td_proc; + fdesc = p->p_fd; error = 0; + control = *controlp; + clen = control->m_len; *controlp = NULL; - while (cm != NULL) { + initial_controlp = controlp; + for (cm = mtod(control, struct cmsghdr *); cm != NULL;) { if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { error = EINVAL; @@ -2003,6 +2026,8 @@ } out: + if (error != 0 && initial_controlp != NULL) + unp_internalize_cleanup_rights(*initial_controlp); m_freem(control); return (error); } From laffer1 at midnightbsd.org Sat Jul 27 12:12:39 2019 
From: laffer1 at midnightbsd.org (laffer1 at midnightbsd.org) Date: Sat, 27 Jul 2019 12:12:39 -0400 (EDT) Subject: [Midnightbsd-cvs] src [12224] stable/1.1/sys/conf/newvers.sh: bump version for security patches Message-ID: <201907271612.x6RGCdH1091414@stargazer.midnightbsd.org> Revision: 12224 http://svnweb.midnightbsd.org/src/?rev=12224 Author: laffer1 Date: 2019-07-27 12:12:38 -0400 (Sat, 27 Jul 2019) Log Message: ----------- bump version for security patches Modified Paths: -------------- stable/1.1/sys/conf/newvers.sh Modified: stable/1.1/sys/conf/newvers.sh =================================================================== --- stable/1.1/sys/conf/newvers.sh 2019-07-25 03:22:27 UTC (rev 12223) +++ stable/1.1/sys/conf/newvers.sh 2019-07-27 16:12:38 UTC (rev 12224) @@ -32,7 +32,7 @@ # $MidnightBSD$ TYPE="MidnightBSD" -REVISION="1.1" +REVISION="1.1.1" RELEASE="${REVISION}" VERSION="${TYPE} ${RELEASE}"