Re: [rt.debian.org #3892] Re: Bug#677297: kfreebsd-8: cve-2012-0217

[Steven Chamberlain <steven@pyro.eu.org>]

On 05/07/12 07:00, Yves-Alexis Perez wrote:
> Can you show us a debdiff for the package you intend to upload to
> stable-security?

Hi,  Please find debdiff attached.

Thank you!
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

diff -u kfreebsd-8-8.1+dfsg/debian/changelog kfreebsd-8-8.1+dfsg/debian/changelog
--- kfreebsd-8-8.1+dfsg/debian/changelog
+++ kfreebsd-8-8.1+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze3) stable-security; urgency=medium
+
+  [ Steven Chamberlain ]
+  * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
+    - Include correction from upstream (r237241)
+  * Apply upstream EN-12:02.ipv6refcount patch (Closes: #677738)
+
+ -- GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>  Tue, 19 Jun 2012 13:18:39 +0100
+
 kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low
 
   * Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
diff -u kfreebsd-8-8.1+dfsg/debian/patches/series kfreebsd-8-8.1+dfsg/debian/patches/series
--- kfreebsd-8-8.1+dfsg/debian/patches/series
+++ kfreebsd-8-8.1+dfsg/debian/patches/series
@@ -1,3 +1,5 @@
+SA-12_04.sysret.patch
+EN-12_02.ipv6refcount.patch
 000_adaptive_machine_arch.diff 
 000_ata.diff
 000_coda.diff
only in patch2:
unchanged:
--- kfreebsd-8-8.1+dfsg.orig/debian/patches/SA-12_04.sysret.patch
+++ kfreebsd-8-8.1+dfsg/debian/patches/SA-12_04.sysret.patch
@@ -0,0 +1,37 @@
+Description:
+ Correct a privilege escalation when returning from kernel if
+ running FreeBSD/amd64 on non-AMD processors. [12:04]
+ .
+ Includes a corrected patch from upstream, as the original commit to
+ RELENG_8_1 accidentally applied it to the wrong location.
+Origin: vendor, http://security.freebsd.org/patches/SA-12:04/sysret.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
+Bug-Debian: http://bugs.debian.org/677297
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=237241
+
+Index: kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/amd64/amd64/trap.c	2012-06-17 13:55:31.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c	2012-06-19 12:44:37.299956401 +0100
+@@ -1010,4 +1010,21 @@
+ 	STOPEVENT(p, S_SCX, sa.code);
+ 
+ 	PTRACESTOP_SC(p, td, S_PT_SCX);
++
++	/*
++	 * If the user-supplied value of %rip is not a canonical
++	 * address, then some CPUs will trigger a ring 0 #GP during
++	 * the sysret instruction.  However, the fault handler would
++	 * execute with the user's %gs and %rsp in ring 0 which would
++	 * not be safe.  Instead, preemptively kill the thread with a
++	 * SIGBUS.
++	 */
++	if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
++		ksiginfo_init_trap(&ksi);
++		ksi.ksi_signo = SIGBUS;
++		ksi.ksi_code = BUS_OBJERR;
++		ksi.ksi_trapno = T_PROTFLT;
++		ksi.ksi_addr = (void *)td->td_frame->tf_rip;
++		trapsignal(td, &ksi);
++	}
+ }
only in patch2:
unchanged:
--- kfreebsd-8-8.1+dfsg.orig/debian/patches/EN-12_02.ipv6refcount.patch
+++ kfreebsd-8-8.1+dfsg/debian/patches/EN-12_02.ipv6refcount.patch
@@ -0,0 +1,134 @@
+Description:
+ Fix reference count errors in IPv6 code. [EN-12:02]
+Origin: vendor, http://security.freebsd.org/patches/EN-12:02/ipv6refcount.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-EN-12:02.ipv6refcount.asc
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=236953
+
+Index: kfreebsd-8-8.1+dfsg/sys/netinet6/in6.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/netinet6/in6.c	2012-06-16 19:00:59.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/netinet6/in6.c	2012-06-16 19:03:42.829835350 +0100
+@@ -1370,6 +1370,8 @@
+ 	}
+ 
+ cleanup:
++	if (ifa0 != NULL)
++		ifa_free(ifa0);
+ 
+ 	plen = in6_mask2len(&ia->ia_prefixmask.sin6_addr, NULL); /* XXX */
+ 	if ((ia->ia_flags & IFA_ROUTE) && plen == 128) {
+@@ -1394,8 +1396,6 @@
+ 			return;
+ 		ia->ia_flags &= ~IFA_ROUTE;
+ 	}
+-	if (ifa0 != NULL)
+-		ifa_free(ifa0);
+ 
+ 	in6_unlink_ifa(ia, ifp);
+ }
+@@ -1549,14 +1549,19 @@
+ 			hostid = IFA_IN6(ifa);
+ 
+ 			/* prefixlen must be <= 64. */
+-			if (64 < iflr->prefixlen)
++			if (64 < iflr->prefixlen) {
++				if (ifa != NULL)
++					ifa_free(ifa);
+ 				return EINVAL;
++			}
+ 			prefixlen = iflr->prefixlen;
+ 
+ 			/* hostid part must be zero. */
+ 			sin6 = (struct sockaddr_in6 *)&iflr->addr;
+ 			if (sin6->sin6_addr.s6_addr32[2] != 0 ||
+ 			    sin6->sin6_addr.s6_addr32[3] != 0) {
++				if (ifa != NULL)
++					ifa_free(ifa);
+ 				return EINVAL;
+ 			}
+ 		} else
+@@ -2144,14 +2149,20 @@
+ 		IN6_IFADDR_RUNLOCK();
+ 		return (struct in6_ifaddr *)ifa;
+ 	}
+-	IN6_IFADDR_RUNLOCK();
+ 
+ 	/* use the last-resort values, that are, deprecated addresses */
+-	if (dep[0])
++	if (dep[0]) {
++		ifa_ref((struct ifaddr *)dep[0]);
++		IN6_IFADDR_RUNLOCK();
+ 		return dep[0];
+-	if (dep[1])
++	}
++	if (dep[1]) {
++		ifa_ref((struct ifaddr *)dep[1]);
++		IN6_IFADDR_RUNLOCK();
+ 		return dep[1];
++	}
+ 
++	IN6_IFADDR_RUNLOCK();
+ 	return NULL;
+ }
+ 
+Index: kfreebsd-8-8.1+dfsg/sys/netinet6/ip6_input.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/netinet6/ip6_input.c	2012-06-16 19:00:59.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/netinet6/ip6_input.c	2012-06-16 19:03:42.838808064 +0100
+@@ -632,19 +632,23 @@
+ 	 * as our interface address (e.g. multicast addresses, addresses
+ 	 * within FAITH prefixes and such).
+ 	 */
+-	if (deliverifp && !ip6_getdstifaddr(m)) {
++	if (deliverifp) {
+ 		struct in6_ifaddr *ia6;
+ 
+-		ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
+-		if (ia6) {
+-			if (!ip6_setdstifaddr(m, ia6)) {
+-				/*
+-				 * XXX maybe we should drop the packet here,
+-				 * as we could not provide enough information
+-				 * to the upper layers.
+-				 */
+-			}
++ 		if ((ia6 = ip6_getdstifaddr(m)) != NULL) {
+ 			ifa_free(&ia6->ia_ifa);
++		} else {
++			ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
++			if (ia6) {
++				if (!ip6_setdstifaddr(m, ia6)) {
++					/*
++					 * XXX maybe we should drop the packet here,
++					 * as we could not provide enough information
++					 * to the upper layers.
++					 */
++				}
++				ifa_free(&ia6->ia_ifa);
++			}
+ 		}
+ 	}
+ 
+Index: kfreebsd-8-8.1+dfsg/sys/netinet/tcp_input.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/netinet/tcp_input.c	2012-06-16 19:00:59.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/netinet/tcp_input.c	2012-06-16 19:03:42.849828260 +0100
+@@ -293,6 +293,8 @@
+ 			    (caddr_t)&ip6->ip6_dst - (caddr_t)ip6);
+ 		return IPPROTO_DONE;
+ 	}
++	if (ia6)
++		ifa_free(&ia6->ia_ifa);
+ 
+ 	tcp_input(m, *offp);
+ 	return IPPROTO_DONE;
+@@ -941,7 +943,8 @@
+ 				rstreason = BANDLIM_RST_OPENPORT;
+ 				goto dropwithreset;
+ 			}
+-			ifa_free(&ia6->ia_ifa);
++			if (ia6)
++				ifa_free(&ia6->ia_ifa);
+ 		}
+ #endif
+ 		/*