-rw-r--r--UPDATING40
-rw-r--r--contrib/lib9p/pack.c18
-rw-r--r--lib/libpam/modules/pam_exec/pam_exec.c7
-rw-r--r--sys/cam/cam_periph.c1
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/kern/imgact_elf.c11
-rw-r--r--sys/kern/vfs_aio.c4
-rw-r--r--sys/vm/vm_fault.c7
8 files changed, 77 insertions, 13 deletions
diff --git a/UPDATING b/UPDATING
index d23f307346a8..a2aab2959e0b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -11,6 +11,46 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20220726:
+ 13.0-RELEASE-p12 FreeBSD-SA-22:09.elf
+ FreeBSD-SA-22:10.aio
+ FreeBSD-SA-22:11.vm
+ FreeBSD-SA-22:12.lib9p
+ FreeBSD-EN-22:17.cam
+ FreeBSD-EN-22:19.pam_exec
+
+ Out of bounds read in elf_note_prpsinfo() [SA-22:09.elf]
+
+ AIO credential reference count leak [SA-22:10.aio]
+
+ Memory disclosure by stale virtual memory mapping [SA-22:11.vm]
+
+ Missing bounds check in 9p message handling [SA-22:12.lib9p]
+
+ Kernel memory corruption during SCSI error recovery [EN-22:17.cam]
+
+ NULL pointer dereference in pam_exec(8) [EN-22:19.pam_exec]
+
+20220405:
+ 13.0-RELEASE-p11 FreeBSD-EN-22:15.pf
+ FreeBSD-SA-22:04.netmap
+ FreeBSD-SA-22:05.bhyve
+ FreeBSD-SA-22:06.ioctl
+ FreeBSD-SA-22:07.wifi_meshid
+ FreeBSD-SA-22:08.zlib
+
+ pf(4) tables may fail to load [EN-22:15.pf]
+
+ Potential jail escape vulnerabilities in netmap [SA-22:04.netmap]
+
+ Bhyve e82545 device emulation out-of-bounds write [SA-22:05.bhyve]
+
+ mpr/mps/mpt driver ioctl heap out-of-bounds write [SA-22:06.ioctl]
+
+ 802.11 heap buffer overflow [SA-22:07.wifi_meshid]
+
+ zlib compression out-of-bounds write [SA-22:08.zlib]
+
20220322:
13.0-RELEASE-p10 FreeBSD-EN-22:14.tzdata
diff --git a/contrib/lib9p/pack.c b/contrib/lib9p/pack.c
index 88f0ccb4ad73..cf0ae9111b76 100644
--- a/contrib/lib9p/pack.c
+++ b/contrib/lib9p/pack.c
@@ -343,13 +343,17 @@ l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
ssize_t ret, r;
r = l9p_pu16(msg, num);
- if (r > 0) {
- for (i = 0, lim = *num; i < lim; i++) {
- ret = l9p_puqid(msg, &qids[i]);
- if (ret < 0)
- return (-1);
- r += ret;
- }
+ if (r <= 0)
+ return (r);
+
+ if (*num > L9P_MAX_WELEM)
+ return (-1);
+
+ for (i = 0, lim = *num; i < lim; i++) {
+ ret = l9p_puqid(msg, &qids[i]);
+ if (ret < 0)
+ return (-1);
+ r += ret;
}
return (r);
}
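Review bot: The new `*num > L9P_MAX_WELEM` test is the only thing bounding the `qids[i]` accesses in the loop below it, and nothing at the check says where the bound comes from, so a later editor could loosen it without seeing the consequence; a comment such as `/* On unpack *num comes from the wire; the caller's qids[] must hold at least L9P_MAX_WELEM entries. */` would record that (the qids sizing is inferred from the constant's name, not visible here — confirm against the struct definition). Note also that on the new `-1` return `*num` has already been overwritten with the out-of-range value by `l9p_pu16`, so callers that inspect it after a failure must not rely on it. l9p_puqids's opening, including the declarations of `i` and `lim`, lies outside the hunk.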
diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c
index b8f2e1d8fdfc..ef2680d80525 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@@ -261,6 +261,13 @@ _pam_exec(pam_handle_t *pamh,
/* don't prompt, only expose existing token */
rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
authtok = item;
+ if (authtok == NULL && rc == PAM_SUCCESS) {
+ openpam_log(PAM_LOG_ERROR,
+ "%s: pam_get_authtok(): %s",
+ func, "authentication token not available");
+ OUT(PAM_SYSTEM_ERR);
+ }
+
} else {
rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
}
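Review bot: The error message in the new block names `pam_get_authtok()`, but the call made on this branch is `pam_get_item()`, so a log line from this path points a reader at the wrong function; `"%s: pam_get_item(): %s"` would describe what actually failed. The combination `authtok == NULL` with `rc != PAM_SUCCESS` is not covered by the new test and is presumably handled by a check on `rc` below the hunk — worth confirming, since _pam_exec continues past it. The blank line added before `} else {` is stray and should be dropped.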
diff --git a/sys/cam/cam_periph.c b/sys/cam/cam_periph.c
index 92f7c33cbc75..8c3956d641be 100644
--- a/sys/cam/cam_periph.c
+++ b/sys/cam/cam_periph.c
@@ -1416,6 +1416,7 @@ camperiphdone(struct cam_periph *periph, union ccb *done_ccb)
* and the result will be the final one returned to the CCB owher.
*/
saved_ccb = (union ccb *)done_ccb->ccb_h.saved_ccb_ptr;
+ saved_ccb->ccb_h.periph_links = done_ccb->ccb_h.periph_links;
bcopy(saved_ccb, done_ccb, sizeof(*done_ccb));
xpt_free_ccb(saved_ccb);
if (done_ccb->ccb_h.cbfcnp != camperiphdone)
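Review bot: The added assignment has no comment, and its purpose — keeping done_ccb's current periph_links from being replaced by the stale copy in saved_ccb when the bcopy on the next line overwrites the whole CCB — is not obvious from the line on its own; `/* Preserve the live periph queue linkage: the bcopy below would otherwise clobber it with the stale links in saved_ccb. */` above it would capture the intent (inferred from the copy/free sequence that follows — confirm). The pre-existing comment two lines up spells "owner" as "owher". camperiphdone continues on both sides of the hunk.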
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 5e25c3b9bd4e..a7efbf1ae889 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -54,7 +54,7 @@
TYPE="FreeBSD"
REVISION="13.0"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p12"
if [ -n "${BRANCH_OVERRIDE}" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index dae11ab92a6c..626a8a59c594 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -2216,13 +2216,16 @@ __elfN(note_prpsinfo)(void *arg, struct sbuf *sb, size_t *sizep)
sizeof(psinfo->pr_psargs), SBUF_FIXEDLEN);
error = proc_getargv(curthread, p, &sbarg);
PRELE(p);
- if (sbuf_finish(&sbarg) == 0)
- len = sbuf_len(&sbarg) - 1;
- else
+ if (sbuf_finish(&sbarg) == 0) {
+ len = sbuf_len(&sbarg);
+ if (len > 0)
+ len--;
+ } else {
len = sizeof(psinfo->pr_psargs) - 1;
+ }
sbuf_delete(&sbarg);
}
- if (error || len == 0)
+ if (error != 0 || len == 0 || (ssize_t)len == -1)
strlcpy(psinfo->pr_psargs, p->p_comm,
sizeof(psinfo->pr_psargs));
else {
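Review bot: The `(ssize_t)len == -1` clause in the new condition runs after the `if (len > 0) len--;` guard, so if `len` is unsigned (its declaration is outside the hunk) a -1 from `sbuf_len()` would first become SIZE_MAX, pass `len > 0`, be decremented, and then no longer compare equal to -1 — the clause is either dead (a successful `sbuf_finish()` may already rule out -1) or does not catch the case it names. Testing the raw return value keeps the intent in one place: `ssize_t slen = sbuf_len(&sbarg);` followed by `len = slen > 0 ? (size_t)slen - 1 : 0;`, after which the condition can return to `if (error != 0 || len == 0)`. This is hedged on `len` being `size_t`; if it is `ssize_t` the decrement is skipped for -1 and the added clause works as written. note_prpsinfo begins and ends outside the hunk.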
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 9b45a06c5f9f..80b7c3ac94e9 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -1698,7 +1698,7 @@ no_kqueue:
else
error = fo_aio_queue(fp, job);
if (error)
- goto err3;
+ goto err4;
AIO_LOCK(ki);
job->jobflags &= ~KAIOCB_QUEUEING;
@@ -1719,6 +1719,8 @@ no_kqueue:
AIO_UNLOCK(ki);
return (0);
+err4:
+ crfree(job->cred);
err3:
if (fp)
fdrop(fp, td);
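Review bot: The new `err4:` label releases `job->cred` without a comment saying which reference it pairs with, and the matching `crhold()` is outside both hunks; `/* The job never reached the queue, so the cred reference taken at setup is not released by the normal completion path. */` above `crfree(job->cred);` would record that (the pairing is inferred — confirm against the setup code above). Any other failure exit between that `crhold()` and the `fo_aio_queue` call in the first hunk would need the same `goto err4` rather than `err3`, which cannot be checked from what is shown. The enclosing function extends beyond both hunks.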
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index 8b212f3f84e5..da15ed5f4254 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -2018,6 +2018,13 @@ again:
VM_OBJECT_WLOCK(dst_object);
goto again;
}
+
+ /*
+ * See the comment in vm_fault_cow().
+ */
+ if (src_object == dst_object &&
+ (object->flags & OBJ_ONEMAPPING) == 0)
+ pmap_remove_all(src_m);
pmap_copy_page(src_m, dst_m);
VM_OBJECT_RUNLOCK(object);
dst_m->dirty = dst_m->valid = src_m->valid;
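Review bot: The new condition compares `src_object` with `dst_object` but reads the flag from a third variable, `object`, and the only explanation given is a pointer to a comment in another function, so a reader cannot tell from the hunk whether `object` is intended to differ from `src_object` here (presumably it is the object `src_m` was actually found in, assigned above the hunk — confirm). A one-line summary in place would help, e.g. `/* Same-object copy that may be mapped elsewhere: remove src_m's mappings so no stale mapping survives the copy (see vm_fault_cow()). */`, keeping the cross-reference as a pointer rather than the whole explanation. The enclosing function starts before and continues past the hunk.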