Message-Id: <201308240136.r7O1a5fM098033@oldred.freebsd.org>
Date: Sat, 24 Aug 2013 01:36:05 GMT
From: Steven Lee <steven@roothosts.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER) breaks dhclient
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         181496
>Category:       kern
>Synopsis:       Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER) breaks dhclient
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 24 01:40:00 UTC 2013
>Closed-Date:    Mon Sep 16 13:34:03 UTC 2013
>Last-Modified:  Mon Sep 16 13:34:03 UTC 2013
>Originator:     Steven Lee
>Release:        releng/9.2
>Organization:
Root Hosts
>Environment:
FreeBSD box.localnet 9.2-RC2 FreeBSD 9.2-RC2 #1 r254680M: Fri Aug 23 07:44:25 UTC 2013     root@box.localnet:/sys/amd64/compile/GENERIC  amd64
>Description:
After applying the security patch dhclient doesn't work. Reverting the patch fixes it again. Tested on 9.2-RC2 and 9.1-RELEASE-p*. Same behaviour.

A tcpdump shows the broadcast to 255.255.255.255 port 67 for the address request including my MAC address and the reply from the DHCP server; however, dhclient just times out every time.

>How-To-Repeat:
Apply the patch for CVE-2013-3077 to 9.1 or 9.2 and try to use dhclient to obtain an IP address.

>Fix:
Revert the patch (which is probably not what people really want).


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->secteam 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Aug 24 16:19:04 UTC 2013 
Responsible-Changed-Why:  
perhaps secteam can comment? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=181496 

From: Xin Li <delphij@delphij.net>
To: bug-followup@FreeBSD.org, steven@roothosts.com
Cc:  
Subject: Re: kern/181496: Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER)
 breaks dhclient
Date: Sun, 25 Aug 2013 04:37:22 -0700

 Hi,
 
 Actually I'm quite surprised that the security patch could cause this
 because it's been tested for quite a long time and I use dhclient every day,
 and more importantly dhclient should not use the affected code at all...
 
 Are there any local changes other than the security patch?  If not, can
 you send me the /var/run/dmesg.boot file?
 
 Thanks in advance!
 
 Cheers,

From: Dag-Erling Smørgrav <des@des.no>
To: freebsd-gnats-submit@freebsd.org 
Cc:  
Subject: Re: kern/181496: Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER) breaks dhclient
Date: Sun, 25 Aug 2013 13:53:48 +0200

 All the patch in question does is clip a counter to the size of the
 buffer it is used to iterate over, and as far as I know, dhclient
 shouldn't even exercise that codepath.  The only code in the base system
 that does exercise IP_MSFILTER (via {get,set}sourcefilter(3)) is
 mtest(1).
 
 What is the value of net.inet.ip.mcast.maxsocksrc?  Have you tried to
 increase it, with the patch applied?
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
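
The counter clip described in the message above, as an added example that is not part of the original thread and is not the FreeBSD patch itself: a simplified userland model of a size computed from an unclipped count versus a clipped one. The names `plan_copy` and `copy_sources`, the 128-byte `ENTRY_SIZE`, and the use of the thread's maxsocksrc value of 128 as the clip limit are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE   128u /* constructed: bytes per source-address slot */
#define MAX_SOCK_SRC 128u /* assumption: clip limit = maxsocksrc value from the thread */

struct copy_plan {
    uint32_t alloc_bytes; /* temporary buffer size, computed in 32 bits */
    uint32_t loop_count;  /* entries the copy loop would write */
    int      overrun;     /* 1 if the loop would write past the buffer */
};

/* Model the size computation and loop bound for a caller-supplied count.
 * stored = entries actually held; clip = apply the counter clip first. */
struct copy_plan plan_copy(uint32_t requested, uint32_t stored, int clip)
{
    struct copy_plan p;

    if (clip && requested > MAX_SOCK_SRC)
        requested = MAX_SOCK_SRC;
    p.alloc_bytes = requested * ENTRY_SIZE; /* wraps modulo 2^32 */
    p.loop_count = requested < stored ? requested : stored;
    p.overrun = (uint64_t)p.loop_count * ENTRY_SIZE > p.alloc_bytes;
    return p;
}

/* Hardened copy-out: clip the count, allocate for the clipped count, and
 * never iterate past either bound. Returns entries copied, or -1. */
int copy_sources(const uint8_t *src, uint32_t stored, uint32_t requested,
                 uint8_t **out)
{
    struct copy_plan p = plan_copy(requested, stored, 1);

    *out = NULL;
    if (p.loop_count == 0)
        return 0;
    *out = malloc(p.alloc_bytes);
    if (*out == NULL)
        return -1;
    memcpy(*out, src, (size_t)p.loop_count * ENTRY_SIZE);
    return (int)p.loop_count;
}

int main(void)
{
    uint32_t huge = 0x02000001u; /* constructed: huge * 128 wraps to 128 */
    struct copy_plan bad = plan_copy(huge, 4, 0);
    struct copy_plan ok = plan_copy(huge, 4, 1);

    printf("unclipped: alloc=%u loop=%u overrun=%d\n",
           (unsigned)bad.alloc_bytes, (unsigned)bad.loop_count, bad.overrun);
    printf("clipped:   alloc=%u loop=%u overrun=%d\n",
           (unsigned)ok.alloc_bytes, (unsigned)ok.loop_count, ok.overrun);
    return 0;
}
```

A count at or below the limit gives the same plan with and without the clip, so a caller that stays within the limit sees no change in behaviour.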

From: Steven Lee <steven@roothosts.com>
To: d@delphij.net
Cc: Xin Li <delphij@delphij.net>, bug-followup@FreeBSD.org
Subject: Re: kern/181496: Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER)
 breaks dhclient
Date: Sun, 25 Aug 2013 16:52:19 -0600

 The NIC I use dhclient on is re1, none of the configs have been changed
 recently. All I did was svn to releng/9.2 after the security hole was
 announced. Previously I was using 9.1-STABLE on this box (9.1-RELEASE
 had some bugs that made these realtek cards not work quite right so I
 had to use STABLE).
 
 I'm wondering if this patch is somehow conflicting with the re driver now.
 
 # cat /var/run/dmesg.boot
 Copyright (c) 1992-2013 The FreeBSD Project.
 Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
 	The Regents of the University of California. All rights reserved.
 FreeBSD is a registered trademark of The FreeBSD Foundation.
 FreeBSD 9.2-RC2 #1 r254680M: Fri Aug 23 07:44:25 UTC 2013
     root@box.localnet:/sys/amd64/compile/GENERIC amd64
 FreeBSD clang version 3.3 (tags/RELEASE_33/final 183502) 20130610
 CPU: AMD FX(tm)-8120 Eight-Core Processor            (3888.07-MHz
 K8-class CPU)
   Origin = "AuthenticAMD"  Id = 0x600f12  Family = 0x15  Model = 0x1
 Stepping = 2
 
 Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
 
 Features2=0x1e98220b<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,OSXSAVE,AVX>
   AMD Features=0x2e500800<SYSCALL,NX,MMX+,FFXSR,Page1GB,RDTSCP,LM>
   AMD
 Features2=0x1c9bfff<LAHF,CMP,SVM,ExtAPIC,CR8,ABM,SSE4A,MAS,Prefetch,OSVW,IBS,XOP,SKINIT,WDT,LWP,FMA4,NodeId,Topology,<b23>,<b24>>
   TSC: P-state invariant, performance statistics
 real memory  = 17179869184 (16384 MB)
 avail memory = 16424644608 (15663 MB)
 Event timer "LAPIC" quality 400
 ACPI APIC Table: <ALASKA A M I>
 FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs
 FreeBSD/SMP: 1 package(s) x 8 core(s)
  cpu0 (BSP): APIC ID: 16
  cpu1 (AP): APIC ID: 17
  cpu2 (AP): APIC ID: 18
  cpu3 (AP): APIC ID: 19
  cpu4 (AP): APIC ID: 20
  cpu5 (AP): APIC ID: 21
  cpu6 (AP): APIC ID: 22
  cpu7 (AP): APIC ID: 23
 ACPI Warning: FADT (revision 5) is longer than ACPI 2.0 version,
 truncating length 268 to 244 (20110527/tbfadt-317)
 ACPI Warning: Optional field Pm2ControlBlock has zero address or length:
 0x0000000000000000/0x1 (20110527/tbfadt-583)
 ioapic0 <Version 2.1> irqs 0-23 on motherboard
 ioapic1 <Version 2.1> irqs 24-55 on motherboard
 kbd1 at kbdmux0
 aesni0: <AES-CBC,AES-XTS> on motherboard
 cryptosoft0: <software crypto> on motherboard
 acpi0: <ALASKA A M I> on motherboard
 ACPI Error: [RAMB] Namespace lookup failure, AE_NOT_FOUND
 (20110527/psargs-392)
 ACPI Exception: AE_NOT_FOUND, Could not execute arguments for [RAMW]
 (Region) (20110527/nsinit-378)
 acpi0: Power Button (fixed)
 cpu0: <ACPI CPU> on acpi0
 cpu1: <ACPI CPU> on acpi0
 cpu2: <ACPI CPU> on acpi0
 cpu3: <ACPI CPU> on acpi0
 cpu4: <ACPI CPU> on acpi0
 cpu5: <ACPI CPU> on acpi0
 cpu6: <ACPI CPU> on acpi0
 cpu7: <ACPI CPU> on acpi0
 attimer0: <AT timer> port 0x40-0x43 irq 0 on acpi0
 Timecounter "i8254" frequency 1193182 Hz quality 0
 Event timer "i8254" frequency 1193182 Hz quality 100
 atrtc0: <AT realtime clock> port 0x70-0x71 irq 8 on acpi0
 Event timer "RTC" frequency 32768 Hz quality 0
 hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
 Timecounter "HPET" frequency 14318180 Hz quality 950
 Event timer "HPET" frequency 14318180 Hz quality 450
 Event timer "HPET1" frequency 14318180 Hz quality 450
 Event timer "HPET2" frequency 14318180 Hz quality 450
 Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
 acpi_timer0: <32-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
 acpi_ec0: <Embedded Controller: GPE 0xa> port 0x62,0x66 on acpi0
 pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
 pci0: <ACPI PCI bus> on pcib0
 pcib1: <ACPI PCI-PCI bridge> irq 52 at device 2.0 on pci0
 pci1: <ACPI PCI bus> on pcib1
 vgapci0: <VGA-compatible display> port 0xe000-0xe0ff mem
 0xc0000000-0xcfffffff,0xfea20000-0xfea3ffff irq 24 at device 0.0 on pci1
 pci1: <multimedia, HDA> at device 0.1 (no driver attached)
 pcib2: <ACPI PCI-PCI bridge> irq 52 at device 4.0 on pci0
 pci2: <ACPI PCI bus> on pcib2
 re0: <RealTek 8168/8111 B/C/CP/D/DP/E/F PCIe Gigabit Ethernet> port
 0xd000-0xd0ff mem 0xd0004000-0xd0004fff,0xd0000000-0xd0003fff irq 44 at
 device 0.0 on pci2
 re0: Using 1 MSI-X message
 re0: Chip rev. 0x48000000
 re0: MAC rev. 0x00000000
 miibus0: <MII bus> on re0
 rgephy0: <RTL8169S/8110S/8211 1000BASE-T media interface> PHY 1 on miibus0
 rgephy0:  none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX,
 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT-FDX, 1000baseT-FDX-master,
 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow
 re0: Ethernet address: 30:85:a9:9f:b5:71
 pcib3: <ACPI PCI-PCI bridge> irq 53 at device 9.0 on pci0
 pci3: <ACPI PCI bus> on pcib3
 em0: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0xc000-0xc01f mem
 0xfe9c0000-0xfe9dffff,0xfe900000-0xfe97ffff,0xfe9e0000-0xfe9e3fff irq 48
 at device 0.0 on pci3
 em0: Using MSIX interrupts with 3 vectors
 em0: Ethernet address: 68:05:ca:0e:83:33
 pcib4: <ACPI PCI-PCI bridge> irq 54 at device 10.0 on pci0
 pci4: <ACPI PCI bus> on pcib4
 re1: <RealTek 8168/8111 B/C/CP/D/DP/E/F PCIe Gigabit Ethernet> port
 0xb000-0xb0ff mem 0xfe800000-0xfe800fff irq 47 at device 0.0 on pci4
 re1: Using 1 MSI message
 re1: Chip rev. 0x38000000
 re1: MAC rev. 0x00000000
 miibus1: <MII bus> on re1
 rgephy1: <RTL8169S/8110S/8211 1000BASE-T media interface> PHY 1 on miibus1
 rgephy1:  none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX,
 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master,
 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow,
 1000baseT-FDX-flow-master, auto, auto-flow
 re1: Ethernet address: 90:f6:52:00:a5:10
 ahci0: <ATI IXP700 AHCI SATA controller> port
 0xf040-0xf047,0xf030-0xf033,0xf020-0xf027,0xf010-0xf013,0xf000-0xf00f
 mem 0xfeb07000-0xfeb073ff irq 19 at device 17.0 on pci0
 ahci0: AHCI v1.20 with 3 6Gbps ports, Port Multiplier supported
 ahcich1: <AHCI channel> at channel 1 on ahci0
 ahcich3: <AHCI channel> at channel 3 on ahci0
 ahcich4: <AHCI channel> at channel 4 on ahci0
 ohci0: <AMD SB7x0/SB8x0/SB9x0 USB controller> mem 0xfeb06000-0xfeb06fff
 irq 18 at device 18.0 on pci0
 usbus0 on ohci0
 ehci0: <AMD SB7x0/SB8x0/SB9x0 USB 2.0 controller> mem
 0xfeb05000-0xfeb050ff irq 17 at device 18.2 on pci0
 usbus1: EHCI version 1.0
 usbus1 on ehci0
 ohci1: <AMD SB7x0/SB8x0/SB9x0 USB controller> mem 0xfeb04000-0xfeb04fff
 irq 20 at device 19.0 on pci0
 usbus2 on ohci1
 ehci1: <AMD SB7x0/SB8x0/SB9x0 USB 2.0 controller> mem
 0xfeb03000-0xfeb030ff irq 21 at device 19.2 on pci0
 usbus3: EHCI version 1.0
 usbus3 on ehci1
 pci0: <serial bus, SMBus> at device 20.0 (no driver attached)
 isab0: <PCI-ISA bridge> at device 20.3 on pci0
 isa0: <ISA bus> on isab0
 pcib5: <ACPI PCI-PCI bridge> at device 20.4 on pci0
 pci5: <ACPI PCI bus> on pcib5
 ohci2: <AMD SB7x0/SB8x0/SB9x0 USB controller> mem 0xfeb02000-0xfeb02fff
 irq 18 at device 20.5 on pci0
 usbus4 on ohci2
 pcib6: <ACPI PCI-PCI bridge> at device 21.0 on pci0
 pci6: <ACPI PCI bus> on pcib6
 em1: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0xa000-0xa01f mem
 0xfe7c0000-0xfe7dffff,0xfe700000-0xfe77ffff,0xfe7e0000-0xfe7e3fff irq 20
 at device 0.0 on pci6
 em1: Using MSIX interrupts with 3 vectors
 em1: Ethernet address: 68:05:ca:0f:d7:13
 ohci3: <AMD SB7x0/SB8x0/SB9x0 USB controller> mem 0xfeb01000-0xfeb01fff
 irq 22 at device 22.0 on pci0
 usbus5 on ohci3
 ehci2: <AMD SB7x0/SB8x0/SB9x0 USB 2.0 controller> mem
 0xfeb00000-0xfeb000ff irq 23 at device 22.2 on pci0
 usbus6: EHCI version 1.0
 usbus6 on ehci2
 acpi_button0: <Power Button> on acpi0
 orm0: <ISA Option ROMs> at iomem
 0xc0000-0xcffff,0xd0000-0xd0fff,0xd1000-0xd1fff on isa0
 sc0: <System console> at flags 0x100 on isa0
 sc0: VGA <16 virtual consoles, flags=0x300>
 vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
 atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
 atkbd0: <AT Keyboard> irq 1 on atkbdc0
 kbd0 at atkbd0
 atkbd0: [GIANT-LOCKED]
 acpi_throttle0: <ACPI CPU Throttling> on cpu0
 hwpstate0: <Cool`n'Quiet 2.0> on cpu0
 acpi_throttle1: <ACPI CPU Throttling> on cpu1
 acpi_throttle1: failed to attach P_CNT
 device_attach: acpi_throttle1 attach returned 6
 acpi_throttle2: <ACPI CPU Throttling> on cpu2
 acpi_throttle2: failed to attach P_CNT
 device_attach: acpi_throttle2 attach returned 6
 acpi_throttle3: <ACPI CPU Throttling> on cpu3
 acpi_throttle3: failed to attach P_CNT
 device_attach: acpi_throttle3 attach returned 6
 acpi_throttle4: <ACPI CPU Throttling> on cpu4
 acpi_throttle4: failed to attach P_CNT
 device_attach: acpi_throttle4 attach returned 6
 acpi_throttle5: <ACPI CPU Throttling> on cpu5
 acpi_throttle5: failed to attach P_CNT
 device_attach: acpi_throttle5 attach returned 6
 acpi_throttle6: <ACPI CPU Throttling> on cpu6
 acpi_throttle6: failed to attach P_CNT
 device_attach: acpi_throttle6 attach returned 6
 acpi_throttle7: <ACPI CPU Throttling> on cpu7
 acpi_throttle7: failed to attach P_CNT
 device_attach: acpi_throttle7 attach returned 6
 ZFS filesystem version: 5
 ZFS storage pool version: features support (5000)
 Timecounters tick every 1.000 msec
 usbus0: 12Mbps Full Speed USB v1.0
 usbus1: 480Mbps High Speed USB v2.0
 usbus2: 12Mbps Full Speed USB v1.0
 usbus3: 480Mbps High Speed USB v2.0
 usbus4: 12Mbps Full Speed USB v1.0
 usbus5: 12Mbps Full Speed USB v1.0
 usbus6: 480Mbps High Speed USB v2.0
 ugen0.1: <ATI> at usbus0
 uhub0: <ATI OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
 ugen1.1: <ATI> at usbus1
 uhub1: <ATI EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
 ugen2.1: <ATI> at usbus2
 uhub2: <ATI OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus2
 ugen3.1: <ATI> at usbus3
 uhub3: <ATI EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus3
 ugen4.1: <ATI> at usbus4
 uhub4: <ATI OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus4
 ugen5.1: <ATI> at usbus5
 uhub5: <ATI OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus5
 ugen6.1: <ATI> at usbus6
 uhub6: <ATI EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus6
 ada0 at ahcich1 bus 0 scbus0 target 0 lun 0
 ada0: <OCZ-AGILITY4 1.5.2> ATA-9 SATA 3.x device
 ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
 ada0: Command Queueing enabled
 ada0: 122104MB (250069680 512 byte sectors: 16H 63S/T 16383C)
 ada0: Previously was known as ad4
 ada1 at ahcich3 bus 0 scbus1 target 0 lun 0
 ada1: <Samsung SSD 840 Series DXT08B0Q> ATA-9 SATA 3.x device
 ada1: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
 ada1: Command Queueing enabled
 ada1: 114473MB (234441648 512 byte sectors: 16H 63S/T 16383C)
 ada1: Previously was known as ad6
 ada2 at ahcich4 bus 0 scbus2 target 0 lun 0
 ada2: <OCZ-AGILITY3 2.25> ATA-8 SATA 3.x device
 ada2: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
 ada2: Command Queueing enabled
 ada2: 114473MB (234441648 512 byte sectors: 16H 63S/T 16383C)
 ada2: quirks=0x1<4K>
 ada2: Previously was known as ad8
 SMP: AP CPU #1 Launched!
 SMP: AP CPU #5 Launched!
 SMP: AP CPU #3 Launched!
 SMP: AP CPU #7 Launched!
 SMP: AP CPU #2 Launched!
 SMP: AP CPU #4 Launched!
 SMP: AP CPU #6 Launched!
 Timecounter "TSC-low" frequency 1944036841 Hz quality 1000
 Root mount waiting for: usbus6 usbus5 usbus4 usbus3 usbus2 usbus1 usbus0
 uhub4: 2 ports with 2 removable, self powered
 uhub5: 4 ports with 4 removable, self powered
 uhub0: 5 ports with 5 removable, self powered
 uhub2: 5 ports with 5 removable, self powered
 Root mount waiting for: usbus6 usbus3 usbus1
 uhub6: 4 ports with 4 removable, self powered
 uhub1: 5 ports with 5 removable, self powered
 uhub3: 5 ports with 5 removable, self powered
 Root mount waiting for: usbus3
 ugen0.2: <Avocent> at usbus0
 ukbd0: <EP1 Interrupt> on usbus0
 kbd2 at ukbd0
 Root mount waiting for: usbus3
 Root mount waiting for: usbus3
 ugen3.2: <Generic> at usbus3
 umass0: <Generic Mass Storage Device, class 0/0, rev 2.00/1.00, addr 2>
 on usbus3
 Trying to mount root from zfs:zmirror []...
 da0 at umass-sim0 bus 0 scbus3 target 0 lun 0
 da0: <Generic USB  CF Reader 0.00> Removable Direct Access SCSI-2 device
 da0: 40.000MB/s transfers
 da0: Attempt to query device size failed: NOT READY, Medium not present
 da0: quirks=0x2<NO_6_BYTE>
 da1 at umass-sim0 bus 0 scbus3 target 0 lun 1
 da1: <Generic USB  SD Reader 0.00> Removable Direct Access SCSI-2 device
 da1: 40.000MB/s transfers
 da1: 7460MB (15278080 512 byte sectors: 255H 63S/T 951C)
 da1: quirks=0x2<NO_6_BYTE>
 da2 at umass-sim0 bus 0 scbus3 target 0 lun 2
 da2: <Generic USB  MS Reader 0.00> Removable Direct Access SCSI-2 device
 da2: 40.000MB/s transfers
 da2: Attempt to query device size failed: NOT READY, Medium not present
 da2: quirks=0x2<NO_6_BYTE>
 da3 at umass-sim0 bus 0 scbus3 target 0 lun 3
 da3: <Generic USB  SM Reader 0.00> Removable Direct Access SCSI-2 device
 da3: 40.000MB/s transfers
 da3: Attempt to query device size failed: NOT READY, Medium not present
 da3: quirks=0x2<NO_6_BYTE>
 GEOM_ELI: Device zvol/zmirror/swap.eli created.
 GEOM_ELI: Encryption: AES-XTS 256
 GEOM_ELI:     Crypto: hardware
 
 On 13-08-25 05:37 AM, Xin Li wrote:
 > Hi,
 > 
 > Actually I'm quite surprised that the security patch could cause this
 > because it's been tested for quite a long time and I use dhclient every day,
 > and more importantly dhclient should not use the affected code at all...
 > 
 > Are there any local changes other than the security patch?  If not, can
 > you send me the /var/run/dmesg.boot file?
 > 
 > Thanks in advance!
 > 
 > Cheers,
 > 
 
 -- 
 Regards,
 Steven Lee
 

From: Steven Lee <steven@roothosts.com>
To: d@delphij.net
Cc: Xin Li <delphij@delphij.net>, bug-followup@FreeBSD.org
Subject: Re: kern/181496: Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER)
 breaks dhclient
Date: Sun, 25 Aug 2013 17:00:39 -0600

 P.S.
 
 # sysctl net.inet.ip.mcast.maxsocksrc
 net.inet.ip.mcast.maxsocksrc: 128
 
 I'll try putting the patch back on and raising the default on
 net.inet.ip.mcast.maxsocksrc and get back to you.
 
 -- 
 Regards,
 Steven Lee
 

From: Xin Li <delphij@delphij.net>
To: Steven Lee <steven@roothosts.com>
Cc: d@delphij.net, bug-followup@FreeBSD.org
Subject: Re: kern/181496: Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER)
 breaks dhclient
Date: Sun, 25 Aug 2013 18:57:53 -0700

 On 8/25/13 4:00 PM, Steven Lee wrote:
 > P.S.
 > 
 > # sysctl net.inet.ip.mcast.maxsocksrc
 > net.inet.ip.mcast.maxsocksrc: 128
 > 
 > I'll try putting the patch back on and raising the default on 
 > net.inet.ip.mcast.maxsocksrc and get back to you.
 
 Well, I'm still not convinced that dhclient would even use the API or
 be in any way affected by the change, and this is really bizarre.
 
 Will it be possible for you to run dhclient with just this changeset
 reverted and applied under 'ktrace -i dhclient -d re1' in single user
 mode?  (Note that you need to mount a volume read-write to do it, and
 dhclient itself requires a writable /var/db.)  We may be able to get
 some clue from the ktrace dump...
 
 Cheers,
 

From: Steven Lee <steven@roothosts.com>
To: d@delphij.net
Cc: Xin Li <delphij@delphij.net>, bug-followup@FreeBSD.org
Subject: Re: kern/181496: Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER)
 breaks dhclient
Date: Fri, 30 Aug 2013 19:51:33 -0600

 Okay, I put the patch back on and dhclient fails. I initially see it
 init the re1 NIC with "0.0.0.0" then it goes blank (no address at all).
 
 I see this in the dmesg (over and over): arpresolve: can't allocate
 llinfo for XXX.XXX.XXX.1 (gateway)
 
 I bumped the net.inet.ip.mcast.maxsocksrc from the default of 128 to 256
 and tried "dhclient re1" manually (after killing the background process
 from rc), AND IT WORKS!
 
 I looked at the kernel source and I don't fully understand what
 net.inet.ip.mcast.maxsocksrc does.

From: Steven Lee <steven@roothosts.com>
To: d@delphij.net
Cc: Xin Li <delphij@delphij.net>, bug-followup@FreeBSD.org
Subject: Re: kern/181496: Patch for CVE-2013-3077 (integer overflow in IP_MSFILTER)
 breaks dhclient
Date: Thu, 05 Sep 2013 02:56:44 -0600

 I can confirm that this is fixed and working properly in r255234M
 (9.2-PRERELEASE aka STABLE) using the default value of 128 on the sysctl
 net.inet.ip.mcast.maxsocksrc.
 
 I hope that whatever got fixed makes its way into 9.2-RELEASE. :)
 
 -- 
 Regards,
 Steven Lee
 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Mon Sep 16 13:34:01 UTC 2013 
State-Changed-Why:  
Originator reports that the problem has been fixed 

>Unformatted:
