On 2017/06/01 14:54, Todd C. Miller wrote:
> On Thu, 01 Jun 2017 21:21:46 +0100, Stuart Henderson wrote:
> 
> > I've backed this out because it SIGABRTs for me and for others who tested.
> > e.g.:
> > 
> > nslookup(90023): sysctl 2: 1 13 16 0 -178384 32639
> > nslookup(90023): syscall 202 ""
> 
> Whoops, pledge does not allow KERN_DNSJACKPORT, even read-only.
> This requires an addition to kern_pledge.c to work.
> 
>  - todd
> 

Like so (with the revert of the revert included):

Index: sys/kern/kern_pledge.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.210
diff -u -p -u -7 -r1.210 kern_pledge.c
--- sys/kern/kern_pledge.c      30 May 2017 15:04:45 -0000      1.210
+++ sys/kern/kern_pledge.c      1 Jun 2017 21:09:39 -0000
@@ -973,14 +973,17 @@ pledge_sysctl(struct proc *p, int miblen
        if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS))) {
                if (miblen == 6 &&              /* getifaddrs() */
                    mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
                    mib[2] == 0 &&
                    (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
                    mib[4] == NET_RT_IFLIST)
                        return (0);
+               if (miblen == 2 &&              /* kern.dnsjackport */
+                   mib[0] == CTL_KERN && mib[1] == KERN_DNSJACKPORT)
+                       return (0);
        }
 
        if ((p->p_p->ps_pledge & PLEDGE_DISKLABEL)) {
                if (miblen == 2 &&              /* kern.rawpartition */
                    mib[0] == CTL_KERN &&
                    mib[1] == KERN_RAWPARTITION)
                        return (0);
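Review bot: The new kern.dnsjackport exemption sits inside the block gated on `PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS`, so a process holding only the route or inet promise can read it too, which looks wider than the nslookup/dig case in this thread needs. If only resolver clients are meant to see the value, a separate `if ((p->p_p->ps_pledge & PLEDGE_DNS))` block around the two-element MIB test would keep the exemption to the narrowest promise. Whether a write to this MIB is already rejected depends on code earlier in pledge_sysctl, which starts outside the hunk; extending the comment to `/* kern.dnsjackport, read-only */` would record the intent if that holds.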
Index: usr.sbin/bind/bin/dig/dighost.c
===================================================================
RCS file: /cvs/src/usr.sbin/bind/bin/dig/dighost.c,v
retrieving revision 1.17
diff -u -p -r1.17 dighost.c
--- usr.sbin/bind/bin/dig/dighost.c     1 Jun 2017 20:18:44 -0000       1.17
+++ usr.sbin/bind/bin/dig/dighost.c     1 Jun 2017 21:09:59 -0000
@@ -34,6 +34,8 @@
 #include <string.h>
 #include <limits.h>
 
+#include <sys/sysctl.h>
+
 #ifdef HAVE_LOCALE_H
 #include <locale.h>
 #endif
@@ -2778,6 +2780,15 @@ recv_done(isc_task_t *task, isc_event_t 
        isc_region_t r;
        isc_buffer_t *buf = NULL;
 #endif
+       static int checked_jackport;
+       static int jackport;
+
+       if (!checked_jackport) {
+               int dnsjacking[2] = { CTL_KERN, KERN_DNSJACKPORT };
+               size_t portlen = sizeof(jackport);
+               sysctl(dnsjacking, 2, &jackport, &portlen, NULL, 0);
+               checked_jackport = 1;
+       }
 
        UNUSED(task);
        INSIST(!free_now);
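Review bot: The `sysctl()` return value in the new block is ignored and `checked_jackport` is set regardless, so a failed lookup is cached for the life of the process. Because `jackport` is a zero-initialised static, a failure currently leaves the reply source check enabled, which is the safe direction, but only implicitly. I would make it explicit with `if (sysctl(dnsjacking, 2, &jackport, &portlen, NULL, 0) == -1) jackport = 0;` and a comment that an unreadable value is treated as "not redirected". The two function-local statics also assume recv_done never runs concurrently, which is worth a comment if it holds; recv_done's body starts and ends outside the hunk.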
@@ -2854,6 +2865,7 @@ recv_done(isc_task_t *task, isc_event_t 
                * sent to 0.0.0.0, :: or to a multicast addresses.
                * XXXMPA broadcast needs to be handled here as well.
                */
+               if (jackport == 0)
                if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
                     !isc_sockaddr_ismulticast(&query->sockaddr)) ||
                    isc_sockaddr_getport(&query->sockaddr) !=
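Review bot: With `if (jackport == 0)` in front of it, the test that a reply comes from the address and port that were queried is skipped entirely whenever kern.dnsjackport is non-zero, so the client then accepts an answer from any source that reaches the socket. If redirected replies are expected to arrive from one known local address and port, comparing against that instead of dropping the test would keep the protection; the thread does not say where they come from, so this is a question for the author. The added line is also unbraced and sits at the same indent as the `if` it guards, which hides the nesting and how any later `else` binds; `if (jackport == 0) {` with a matching close brace would make the scope clear. The guarded statement continues past the end of the hunk.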

