Fix vt console memory disclosure. [SA-18:04.vt]

Bump newvers.sh and UPDATING for today's patches.

Submitted by:	emaste
Reported by:	Dr Silvio Cesare of InfoSect
Approved by:	so
Security:	CVE-2018-6917
Security:	FreeBSD-SA-18:04.vt
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit ec50e7cb61)

UPDATING

@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
+20180404	p9	FreeBSD-SA-18:04.vt
+			FreeBSD-SA-18:05.ipsec
+			FreeBSD-EN-18:03.tzdata
+			FreeBSD-EN-18:04.mem
+
+	Fix vt console memory disclosure. [SA-18:04.vt]
+
+	Fix ipsec crash or denial of service. [SA-18:05.ipsec]
+
+	Update timezone database information. [EN-18:03.tzdata]
+
+	Fix multiple small kernel memory disclosures. [EN-18:04.mem]
+
 20180314	p8	FreeBSD-SA-18:03.speculative_execution
 
 	Add mitigations for two classes of speculative execution vulnerabilities

sys/conf/newvers.sh

@@ -44,7 +44,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.1"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

sys/dev/vt/vt_font.c

@@ -42,6 +42,7 @@ static MALLOC_DEFINE(M_VTFONT, "vtfont", "vt font");
 
 /* Some limits to prevent abnormal fonts from being loaded. */
 #define	VTFONT_MAXMAPPINGS	65536
+#define	VTFONT_MAXGLYPHS	131072
 #define	VTFONT_MAXGLYPHSIZE	2097152
 #define	VTFONT_MAXDIMENSION	128
 
@@ -171,7 +172,8 @@ vtfont_load(vfnt_t *f, struct vt_font **ret)
 	/* Make sure the dimensions are valid. */
 	if (f->width < 1 || f->height < 1)
 		return (EINVAL);
-	if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION)
+	if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION ||
+	    f->glyph_count > VTFONT_MAXGLYPHS)
 		return (E2BIG);
 
 	/* Not too many mappings. */