xnu-517.12.7

Imported from https://opensource.apple.com/tarballs/xnu/xnu-517.12.7.tar.gz
strogo · Jun 4, 2017 · ac14b9b · ac14b9b
1 parent 06ca1aa
commit ac14b9b
Show file tree

Hide file tree

Showing 61 changed files with 675 additions and 553 deletions.
diff --git a/bsd/conf/version.minor b/bsd/conf/version.minor
@@ -1 +1 @@
-8
+9
diff --git a/bsd/hfs/hfs_vnops.c b/bsd/hfs/hfs_vnops.c
@@ -3722,10 +3722,14 @@ hfs_makenode(mode, dvp, vpp, cnp)
 		 * have the ASCII name of the userid.
 		 */
 		if (VFS_VGET(HFSTOVFS(hfsmp), &parid, &ddvp) == 0) {
-			if (VTOC(ddvp)->c_desc.cd_nameptr &&
-			    (cp->c_uid == strtoul(VTOC(ddvp)->c_desc.cd_nameptr, 0, 0))) {
+                       if (VTOC(ddvp)->c_desc.cd_nameptr) {
+                               uid_t uid;
+
+                               uid = strtoul(VTOC(ddvp)->c_desc.cd_nameptr, 0, 0);
+                               if (uid == cp->c_uid || uid == cnp->cn_cred->cr_uid) {
 				cp->c_flags |= UF_NODUMP;
 				cp->c_flag |= C_CHANGE;
+                               }
 			}
 			vput(ddvp);
 		}

diff --git a/bsd/kern/kern_audit.c b/bsd/kern/kern_audit.c
@@ -1019,10 +1019,6 @@ getauid(struct proc *p, struct getauid_args *uap, register_t *retval)
 	register struct pcred *pc = p->p_cred;
 	int error;
 
-	error = suser(pc->pc_ucred, &p->p_acflag);
-	if (error)
-		return (error);
-
 	error = copyout((void *)&p->p_au->ai_auid, (void *)uap->auid, 
 				sizeof(*uap->auid));
 	if (error)
@@ -1059,6 +1055,10 @@ setauid(struct proc *p, struct setauid_args *uap, register_t *retval)
 
 /*
  *  System calls to get and set process audit information.
+ *  If the caller is privileged, they get the whole set of
+ *  audit information.  Otherwise, the real audit mask is
+ *  filtered out - but the rest of the information is
+ *  returned.
  */
 struct getaudit_args {
 	struct auditinfo	*auditinfo;
@@ -1068,13 +1068,17 @@ int
 getaudit(struct proc *p, struct getaudit_args *uap, register_t *retval)
 {
 	register struct pcred *pc = p->p_cred;
+	struct auditinfo ai = *p->p_au;
 	int error;
 
+	/* only superuser gets to see the real mask */
 	error = suser(pc->pc_ucred, &p->p_acflag);
-	if (error)
-		return (error);
-	error = copyout((void *)p->p_au, (void *)uap->auditinfo, 
-				sizeof(*uap->auditinfo));
+	if (error) {
+		ai.ai_mask.am_success = ~0;
+		ai.ai_mask.am_failure = ~0;
+	}
+
+	error = copyout((void *)&ai, (void *)uap->auditinfo, sizeof(ai));
 	if (error)
 		return (error);
 
@@ -1115,12 +1119,6 @@ struct getaudit_addr_args {
 int
 getaudit_addr(struct proc *p, struct getaudit_addr_args *uap, register_t *retval)
 {
-	register struct pcred *pc = p->p_cred;
-	int error;
-
-	error = suser(pc->pc_ucred, &p->p_acflag);
-	if (error)
-		return (error);
 	return (ENOSYS);
 }
 

diff --git a/bsd/kern/kern_bsm_audit.c b/bsd/kern/kern_bsm_audit.c
@@ -814,6 +814,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		kau_write(rec, tok);
 		/* fall thru */
 
+	case AUE_OPEN:
 	case AUE_OPEN_R:
 	case AUE_OPEN_RT:
 	case AUE_OPEN_RW:
@@ -1047,6 +1048,7 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		break;
 
 	case AUE_SYSCTL:
+	case AUE_SYSCTL_NONADMIN:
 		if (ar->ar_valid_arg & (ARG_CTLNAME | ARG_LEN)) {
 			for (ctr = 0; ctr < ar->ar_arg_len; ctr++) {
 			  tok = au_to_arg32(1, "name", ar->ar_arg_ctlname[ctr]);

diff --git a/bsd/kern/kern_exec.c b/bsd/kern/kern_exec.c
@@ -127,6 +127,8 @@ static int load_return_to_errno(load_return_t lrtn);
 int execve(struct proc *p, struct execve_args *uap, register_t *retval);
 static int execargs_alloc(vm_offset_t *addrp);
 static int execargs_free(vm_offset_t addr);
+static int sugid_scripts = 0;
+SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW, &sugid_scripts, 0, "");
 
 int
 execv(p, args, retval)
@@ -409,6 +411,14 @@ execve(p, uap, retval)
 		  error = EBADARCH;
 		  goto bad;
 		}
+
+		/* Check to see if SUGID scripts are permitted.  If they aren't then
+		 * clear the SUGID bits.
+		 */
+	        if (sugid_scripts == 0) {
+		   origvattr.va_mode &= ~(VSUID | VSGID);
+        	}
+
 		cp = &exdata.ex_shell[2];		/* skip "#!" */
 		while (cp < &exdata.ex_shell[SHSIZE]) {
 			if (*cp == '\t')		/* convert all tabs to spaces */

diff --git a/bsd/kern/kern_fork.c b/bsd/kern/kern_fork.c
@@ -315,6 +315,7 @@ fork1(p1, flags, retval)
 	thread_dup(newth);
 	/* p2 = newth->task->proc; */
 	p2 = (struct proc *)(get_bsdtask_info(get_threadtask(newth)));
+	set_security_token(p2);         /* propagate change of PID */
 
 	AUDIT_ARG(pid, p2->p_pid);
 

diff --git a/bsd/kern/mach_loader.c b/bsd/kern/mach_loader.c
@@ -228,14 +228,15 @@ parse_machfile(
 )
 {
 	struct machine_slot	*ms;
-	int			ncmds;
+	uint32_t		ncmds;
 	struct load_command	*lcp, *next;
 	struct dylinker_command	*dlp = 0;
 	void *			pager;
 	load_return_t		ret = LOAD_SUCCESS;
 	vm_offset_t		addr, kl_addr;
 	vm_size_t		size,kl_size;
-	int			offset;
+	size_t			offset;
+	size_t			oldoffset;	/* for overflow check */
 	int			pass;
 	struct proc *p = current_proc();		/* XXXX */
 	int			error;
@@ -326,28 +327,40 @@ parse_machfile(
 	 *	Scan through the commands, processing each one as necessary.
 	 */
 	for (pass = 1; pass <= 2; pass++) {
+		/*
+		 * Loop through each of the load_commands indicated by the
+		 * Mach-O header; if an absurd value is provided, we just
+		 * run off the end of the reserved section by incrementing
+		 * the offset too far, so we are implicitly fail-safe.
+		 */
 		offset = sizeof(struct mach_header);
 		ncmds = header->ncmds;
 		while (ncmds--) {
 			/*
 			 *	Get a pointer to the command.
 			 */
 			lcp = (struct load_command *)(addr + offset);
+			oldoffset = offset;
 			offset += lcp->cmdsize;
 
 			/*
-			 *	Check for valid lcp pointer by checking
-			 *	next offset.
+			 * Perform prevalidation of the struct load_command
+			 * before we attempt to use its contents.  Invalid
+			 * values are ones which result in an overflow, or
+			 * which can not possibly be valid commands, or which
+			 * straddle or exist past the reserved section at the
+			 * start of the image.
 			 */
-			if (offset > header->sizeofcmds
-					+ sizeof(struct mach_header)) {
-				if (kl_addr )
-					kfree(kl_addr, kl_size);
-				return(LOAD_BADMACHO);
+			if (oldoffset > offset ||
+			    lcp->cmdsize < sizeof(struct load_command) ||
+			    offset > header->sizeofcmds + sizeof(struct mach_header)) {
+			    	ret = LOAD_BADMACHO;
+				break;
 			}
 
 			/*
-			 *	Check for valid command.
+			 * Act on struct load_command's for which kernel
+			 * intervention is required.
 			 */
 			switch(lcp->cmd) {
 			case LC_SEGMENT:
@@ -383,7 +396,8 @@ parse_machfile(
 					ret = LOAD_FAILURE;
 				break;
 			default:
-				ret = LOAD_SUCCESS;/* ignore other stuff */
+				/* Other commands are ignored by the kernel */
+				ret = LOAD_SUCCESS;
 			}
 			if (ret != LOAD_SUCCESS)
 				break;

diff --git a/bsd/kern/sysctl_init.c b/bsd/kern/sysctl_init.c
@@ -99,6 +99,7 @@ extern struct sysctl_oid sysctl__kern_ipc_somaxconn;
 extern struct sysctl_oid sysctl__kern_ipc_sosendminchain;
 extern struct sysctl_oid sysctl__kern_ipc_sorecvmincopy;
 extern struct sysctl_oid sysctl__kern_ipc_maxsockets;
+extern struct sysctl_oid sysctl__kern_sugid_scripts;
 extern struct sysctl_oid sysctl__net_inet_icmp_icmplim;
 extern struct sysctl_oid sysctl__net_inet_icmp_maskrepl;
 extern struct sysctl_oid sysctl__net_inet_icmp_timestamp;
@@ -462,6 +463,7 @@ struct sysctl_oid *newsysctl_list[] =
     ,&sysctl__kern_ipc_sosendminchain
     ,&sysctl__kern_ipc_sorecvmincopy
     ,&sysctl__kern_ipc_maxsockets
+    ,&sysctl__kern_sugid_scripts
 
     ,&sysctl__hw_machine
     ,&sysctl__hw_model

diff --git a/bsd/kern/sysv_sem.c b/bsd/kern/sysv_sem.c
@@ -990,7 +990,7 @@ semop(p, uap, retval)
 		UNLOCK_AND_RETURN(eval);
 	}
 
-	if (nsops > MAX_SOPS) {
+	if (nsops < 0 || nsops > MAX_SOPS) {
 #ifdef SEM_DEBUG
 		printf("too many sops (max=%d, nsops=%d)\n", MAX_SOPS, nsops);
 #endif

diff --git a/bsd/kern/uipc_socket.c b/bsd/kern/uipc_socket.c
@@ -126,6 +126,7 @@ MALLOC_DEFINE(M_PCB, "pcb", "protocol control block");
 #define DBG_FNC_SORECEIVE	NETDBG_CODE(DBG_NETSOCK, (8 << 8))
 #define DBG_FNC_SOSHUTDOWN      NETDBG_CODE(DBG_NETSOCK, (9 << 8))
 
+#define MAX_SOOPTGETM_SIZE	(128 * MCLBYTES)
 
 SYSCTL_DECL(_kern_ipc);
 
@@ -2316,6 +2317,9 @@ soopt_getm(struct sockopt *sopt, struct mbuf **mp)
 	struct mbuf *m, *m_prev;
 	int sopt_size = sopt->sopt_valsize;
 
+	if (sopt_size > MAX_SOOPTGETM_SIZE)
+		return EMSGSIZE;
+
 	MGET(m, sopt->sopt_p ? M_WAIT : M_DONTWAIT, MT_DATA);
 	if (m == 0)
 		return ENOBUFS;

diff --git a/bsd/netinet/ip_output.c b/bsd/netinet/ip_output.c
@@ -1410,6 +1410,11 @@ ip_ctloutput(so, sopt)
 			struct mbuf *m;
 			int optname;
 
+			if (sopt->sopt_valsize > MCLBYTES) {
+				error = EMSGSIZE;
+				break;
+			}
+
 			if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
 				break;
 			if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */

diff --git a/bsd/netinet6/ip6_mroute.c b/bsd/netinet6/ip6_mroute.c
@@ -233,6 +233,10 @@ ip6_mrouter_set(so, sopt)
 	if (so != ip6_mrouter && sopt->sopt_name != MRT6_INIT)
 		return (EACCES);
 
+	if (sopt->sopt_valsize > MCLBYTES)
+		return (EMSGSIZE);
+
+
 	if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
 		return (error);
 	if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */

diff --git a/bsd/netinet6/ip6_output.c b/bsd/netinet6/ip6_output.c
@@ -1289,6 +1289,10 @@ ip6_ctloutput(so, sopt)
 			{
 				struct mbuf *m;
 
+				if (sopt->sopt_valsize > MCLBYTES) {
+					error = EMSGSIZE;
+					break;
+				}
 				error = soopt_getm(sopt, &m); /* XXX */
 				if (error != NULL)
 					break;
@@ -1481,6 +1485,10 @@ do { \
 				size_t len = 0;
 				struct mbuf *m;
 
+				if (sopt->sopt_valsize > MCLBYTES) {
+					error = EMSGSIZE;
+					break;
+				}
 				if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
 					break;
 				if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
@@ -1628,6 +1636,10 @@ do { \
 				struct mbuf *m = NULL;
 				struct mbuf **mp = &m;
 
+				if (sopt->sopt_valsize > MCLBYTES) {
+					error = EMSGSIZE;
+					break;
+				}
 				error = soopt_getm(sopt, &m); /* XXX */
 				if (error != NULL)
 					break;

diff --git a/bsd/nfs/nfs_vfsops.c b/bsd/nfs/nfs_vfsops.c
@@ -755,7 +755,7 @@ nfs_mount(mp, path, data, ndp, p)
 		return (EPROGMISMATCH);
 #endif /* !NO_COMPAT_PRELITE2 */
 	}
-	if (args.fhsize > NFSX_V3FHMAX)
+	if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX)
 		return (EINVAL);
 	error = copyin((caddr_t)args.fh, (caddr_t)nfh, args.fhsize);
 	if (error)

diff --git a/bsd/sys/attr.h b/bsd/sys/attr.h
@@ -48,6 +48,13 @@
 #define FSOPT_NOFOLLOW 		0x00000001
 #define FSOPT_NOINMEMUPDATE 0x00000002
 
+/* we currently aren't anywhere near this amount for a valid
+ * fssearchblock.sizeofsearchparams1 or fssearchblock.sizeofsearchparams2
+ * but we put a sanity check in to avoid abuse of the value passed in from
+ * user land.
+ */
+#define SEARCHFS_MAX_SEARCHPARMS  4096
+
 typedef u_int32_t text_encoding_t;
 
 typedef u_int32_t fsobj_type_t;

diff --git a/bsd/vfs/vfs_syscalls.c b/bsd/vfs/vfs_syscalls.c
@@ -3944,6 +3944,12 @@ searchfs (p,uap,retval)
 	if (error = copyin((caddr_t) uap->searchblock, (caddr_t) &searchblock,sizeof(struct fssearchblock)))
 		return(error);
 
+	/* Do a sanity check on sizeofsearchparams1 and sizeofsearchparams2.  
+	 */
+	if (searchblock.sizeofsearchparams1 > SEARCHFS_MAX_SEARCHPARMS || 
+		searchblock.sizeofsearchparams2 > SEARCHFS_MAX_SEARCHPARMS)
+		return(EINVAL);
+
 	/* Now malloc a big bunch of space to hold the search parameters, the attrlists and the search state. */
 	/* It all has to do into local memory and it's not that big so we might as well  put it all together. */
 	/* Searchparams1 shall be first so we might as well use that to hold the base address of the allocated*/

diff --git a/config/Mach.ppc.exports b/config/Mach.ppc.exports
@@ -340,6 +340,7 @@ _ml_set_translation_off
 _ml_thrm_init
 _ml_thrm_set
 _ml_throttle
+_ml_mem_backoff
 _mtdar
 _mtdec
 _mtmmcr0

diff --git a/config/System.kext/Info.plist b/config/System.kext/Info.plist
@@ -5,7 +5,7 @@
 	<key>CFBundleDevelopmentRegion</key>
 	<string>English</string>
 	<key>CFBundleGetInfoString</key>
-	<string>System Resource Pseudoextension, Apple Computer Inc, 7.8.0</string>
+	<string>System Resource Pseudoextension, Apple Computer Inc, 7.9.0</string>
 	<key>CFBundleIdentifier</key>
 	<string>com.apple.kernel</string>
 	<key>CFBundleInfoDictionaryVersion</key>
@@ -15,13 +15,13 @@
 	<key>CFBundlePackageType</key>
 	<string>KEXT</string>
 	<key>CFBundleShortVersionString</key>
-	<string>7.8.0</string>
+	<string>7.9.0</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>
-	<string>7.8.0</string>
+	<string>7.9.0</string>
 	<key>OSBundleCompatibleVersion</key>
-	<string>7.8.0</string>
+	<string>7.9.0</string>
 	<key>OSBundleRequired</key>
 	<string>Root</string>
 	<key>OSKernelResource</key>

diff --git a/config/System.kext/PlugIns/AppleNMI.kext/Info.plist b/config/System.kext/PlugIns/AppleNMI.kext/Info.plist
@@ -5,7 +5,7 @@
 	<key>CFBundleDevelopmentRegion</key>
 	<string>English</string>
 	<key>CFBundleGetInfoString</key>
-	<string>AppleNMI Pseudoextension, Apple Computer Inc, 7.8.0</string>
+	<string>AppleNMI Pseudoextension, Apple Computer Inc, 7.9.0</string>
 	<key>CFBundleIdentifier</key>
 	<string>com.apple.driver.AppleNMI</string>
 	<key>CFBundleInfoDictionaryVersion</key>
@@ -15,11 +15,11 @@
 	<key>CFBundlePackageType</key>
 	<string>KEXT</string>
 	<key>CFBundleShortVersionString</key>
-	<string>7.8.0</string>
+	<string>7.9.0</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>
-	<string>7.8.0</string>
+	<string>7.9.0</string>
 	<key>OSBundleRequired</key>
 	<string>Root</string>
 	<key>OSKernelResource</key>