| Index: UPDATING |
| =================================================================== |
| --- UPDATING (版本 337828) |
| +++ UPDATING (版本 338606) |
| @@ -16,6 +16,13 @@ |
| the tip of head, and then rebuild without this option. The bootstrap process |
| from older version of current across the gcc/clang cutover is a bit fragile. |
| |
| +20180912 p14 FreeBSD-SA-18:12.elf |
| + FreeBSD-EN-18:08.lazyfpu |
| + |
| + Fix improper elf header parsing. [SA-18:12.elf] |
| + |
| + Fix regression in Lazy FPU remediation. [EN-18:08.lazyfpu] |
| + |
| 20180814 p13 FreeBSD-SA-18:08.tcp [revised] |
| FreeBSD-SA-18:09.l1tf |
| FreeBSD-SA-18:10.ip |
| Index: sys/conf/newvers.sh |
| =================================================================== |
| --- sys/conf/newvers.sh (版本 337828) |
| +++ sys/conf/newvers.sh (版本 338606) |
| @@ -44,7 +44,7 @@ |
| |
| TYPE="FreeBSD" |
| REVISION="11.1" |
| -BRANCH="RELEASE-p13" |
| +BRANCH="RELEASE-p14" |
| if [ -n "${BRANCH_OVERRIDE}" ]; then |
| BRANCH=${BRANCH_OVERRIDE} |
| fi |
| Index: sys/kern/imgact_elf.c |
| =================================================================== |
| --- sys/kern/imgact_elf.c (版本 337828) |
| +++ sys/kern/imgact_elf.c (版本 338606) |
| @@ -834,7 +834,8 @@ |
| break; |
| case PT_INTERP: |
| /* Path to interpreter */ |
| - if (phdr[i].p_filesz > MAXPATHLEN) { |
| + if (phdr[i].p_filesz < 2 || |
| + phdr[i].p_filesz > MAXPATHLEN) { |
| uprintf("Invalid PT_INTERP\n"); |
| error = ENOEXEC; |
| goto ret; |
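Review bot: The new lower bound `phdr[i].p_filesz < 2` in the PT_INTERP case is a bare magic number, and nothing in the hunk says that it stands for one path character plus the terminating NUL. I would add a comment above the condition, `/* Shortest valid name: one character plus the NUL terminator. */`. This bound is presumably also what keeps the later `interp[interp_name_len - 1]` index from underflowing, but the assignment of interp_name_len sits between the two hunks and is not visible here. The case body continues outside the hunk.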
| @@ -864,6 +865,11 @@ |
| } else { |
| interp = __DECONST(char *, imgp->image_header) + |
| phdr[i].p_offset; |
| + if (interp[interp_name_len - 1] != '\0') { |
| + uprintf("Invalid PT_INTERP\n"); |
| + error = ENOEXEC; |
| + goto ret; |
| + } |
| } |
| break; |
| case PT_GNU_STACK: |
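Review bot: The NUL-termination check is added only in the `else` branch, where the name is used in place from `imgp->image_header`. The matching `if` branch starts outside the hunk, so it should be confirmed that it also yields a terminated string before interp is treated as a path. The index `interp[interp_name_len - 1]` is only in bounds if interp_name_len is non-zero and `p_offset + interp_name_len` lies inside the mapped header. Neither condition is visible in this hunk, so a comment such as `/* interp_name_len >= 2 and the range lies within the header page, checked above */` would record the invariant. Both rejections in this case print the same `Invalid PT_INTERP` text, so a distinct message here, for example `uprintf("PT_INTERP not NUL-terminated\n");`, would make a refused exec easier to triage.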
| Index: sys/kern/vfs_vnops.c |
| =================================================================== |
| --- sys/kern/vfs_vnops.c (版本 337828) |
| +++ sys/kern/vfs_vnops.c (版本 338606) |
| @@ -529,6 +529,8 @@ |
| struct vn_io_fault_args args; |
| int error, lock_flags; |
| |
| + if (offset < 0 && vp->v_type != VCHR) |
| + return (EINVAL); |
| auio.uio_iov = &aiov; |
| auio.uio_iovcnt = 1; |
| aiov.iov_base = base; |
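Review bot: The added guard `if (offset < 0 && vp->v_type != VCHR)` carries no comment explaining why character devices are exempt, and the reason cannot be read from the hunk. I would put a comment above it along the lines of `/* Only character devices may take a negative offset; reject it for every other vnode type. */`, with the rationale confirmed by the author. The guard covers a negative starting offset only. Whether a positive offset plus the transfer length can overflow, and whether that is rejected later, is not visible, because the function starts and ends outside the hunk.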