Fix improper elf header parsing. [SA-18:12.elf]

Approved by:	so
Security:	FreeBSD-SA-18:12.elf
Security:	CVE-2018-6924

UPDATING

@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
+20180912	p14	FreeBSD-SA-18:12.elf
+			FreeBSD-EN-18:08.lazyfpu
+
+	Fix improper elf header parsing. [SA-18:12.elf]
+
+	Fix regression in Lazy FPU remediation. [EN-18:08.lazyfpu]
+
 20180814	p13	FreeBSD-SA-18:08.tcp [revised]
 			FreeBSD-SA-18:09.l1tf
 			FreeBSD-SA-18:10.ip

sys/conf/newvers.sh

@@ -44,7 +44,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.1"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

sys/kern/imgact_elf.c

@@ -836,7 +836,8 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
 			break;
 		case PT_INTERP:
 			/* Path to interpreter */
-			if (phdr[i].p_filesz > MAXPATHLEN) {
+			if (phdr[i].p_filesz < 2 ||
+			    phdr[i].p_filesz > MAXPATHLEN) {
 				uprintf("Invalid PT_INTERP\n");
 				error = ENOEXEC;
 				goto ret;
@@ -866,6 +867,11 @@ __CONCAT(exec_, __elfN(imgact))(struct image_params *imgp)
 			} else {
 				interp = __DECONST(char *, imgp->image_header) +
 				    phdr[i].p_offset;
+				if (interp[interp_name_len - 1] != '\0') {
+					uprintf("Invalid PT_INTERP\n");
+					error = ENOEXEC;
+					goto ret;
+				}
 			}
 			break;
 		case PT_GNU_STACK:

sys/kern/vfs_vnops.c

@@ -529,6 +529,8 @@ vn_rdwr(enum uio_rw rw, struct vnode *vp, void *base, int len, off_t offset,
 	struct vn_io_fault_args args;
 	int error, lock_flags;
 
+	if (offset < 0 && vp->v_type != VCHR)
+		return (EINVAL);
 	auio.uio_iov = &aiov;
 	auio.uio_iovcnt = 1;
 	aiov.iov_base = base;