untrusted comment: signature from openbsd 6.0 base secret key

untrusted comment: signature from openbsd 6.0 base secret key
RWSho3oKSqgLQwi8ADWKm5MD49usniTW+3acahh4QRbBhir2p4OjstAS3G83AzLDhR9Oe//OJzpFMU7vNC81lVROFYgQGUWSFwQ=

OpenBSD 6.0 errata 031, August 3, 2017:

An out-of-bound read in vfs_getcwd_scandir() (mainly used for FUSE)
may result in a kernel panic or info leak.

Apply by doing:
signify -Vep /etc/signify/openbsd-60-base.pub -x 031_fuse.patch.sig \
-m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
cd /usr/src/sys/arch/`machine`/conf
KK=`sysctl -n kern.osversion | cut -d# -f1`
config $KK
cd ../compile/$KK
make
make install

Index: sys/kern/vfs_getcwd.c
===================================================================
RCS file: /cvs/src/sys/kern/vfs_getcwd.c,v
--- sys/kern/vfs_getcwd.c 19 Mar 2016 12:04:15 -0000 1.26
+++ sys/kern/vfs_getcwd.c 2 Aug 2017 16:27:05 -0000
@@ -102,18 +102,20 @@ vfs_getcwd_scandir(struct vnode **lvpp,

/* If we don't care about the pathname, we're done */
if (bufp == NULL) {
- vrele(lvp);
- *lvpp = NULL;
- return (0);
+ error = 0;
+ goto out;
}

fileno = va.va_fileid;

dirbuflen = DIRBLKSIZ;
-
if (dirbuflen < va.va_blocksize)
dirbuflen = va.va_blocksize;
-
+ /* XXX we need some limit for fuse, 1 MB should be enough */
+ if (dirbuflen > 0xfffff) {
+ error = EINVAL;
+ goto out;
+ }
dirbuf = malloc(dirbuflen, M_TEMP, M_WAITOK);

off = 0;
@@ -159,15 +161,20 @@ vfs_getcwd_scandir(struct vnode **lvpp,
reclen = dp->d_reclen;

/* Check for malformed directory */
- if (reclen < DIRENT_RECSIZE(1)) {
+ if (reclen < DIRENT_RECSIZE(1) || reclen > len) {
error = EINVAL;
goto out;
}

if (dp->d_fileno == fileno) {
char *bp = *bpp;
- bp -= dp->d_namlen;

+ if (offsetof(struct dirent, d_name) +
+ dp->d_namlen > reclen) {
+ error = EINVAL;
+ goto out;
+ }
+ bp -= dp->d_namlen;
if (bp <= bufp) {
error = ERANGE;
goto out;