Tom Jones [Thu, 17 Nov 2022 10:31:38 +0000 (10:31 +0000)]
ping: Fix handling of IP packet sizes
Ping reads raw IP packets to parse ICMP responses. When reading the
IP Header Len (IHL) ping was was taking the value from the provided
packet without any validation. This could lead to remotely triggerable
stack corruption.
Validate the IHL against expected and recieved data sizes when reading
from the received packet and when reading any quoted packets from within
the ICMP response.
Approved by: so
Reviewed by: markj, asomers
Security: FreeBSD-SA-22:15.ping
Security: CVE-2022-23093
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #77
Differential Revision: https://reviews.freebsd.org/D37195
The use of volatile appears to be inherited from the kernel driver's
definitions of the same structures. It makes some sense, since USB TRBs
and related structures live in guest memory, but bhyve device models
generally don't volatile-qualify accesses to guest memory and I can't
see how they are required for correctness here. Moreover, XHCI_GADDR
does not return volatile pointers so we're already being inconsistent.
Just drop the qualifiers to address the warning.
Mark Johnston [Fri, 11 Nov 2022 15:02:42 +0000 (10:02 -0500)]
bhyve: Cast away const when fetching a config nvlist
Silence a warning from the compiler about "const" being discarded. The
warning is correct: nvlist values are supposed to be immutable.
However, fixing this properly will require some contortions on behalf of
consumers who look up a subtree of the config and modify it. Per a
discussion on freebsd-virtualization@, the solution will probably be to
outright replace the use of nvlists for VM configuration, but until that
happens let's document the problem and silence the warning.
Mark Johnston [Fri, 11 Nov 2022 15:02:10 +0000 (10:02 -0500)]
bhyve: Drop volatile qualifiers from virtio rings
The qualifiers are there presumably because these rings are mapped into
the guest, but they do not appear to be required for correctness, and
bhyve generally doesn't qualify accesses to guest memory this way.
Moreover, the qualifiers are discarded by snapshot code, causing clang
to emit warnings. Just stop using volatile here.
Some ACPI tables like XSDT contain pointers to other ACPI tables. When
an ACPI table is loaded by qemu's loader, the address in the guest
memory is unknown. For that reason, the qemu loader supports patching
those pointers. Basl keeps track of all pointers and causes the qemu
loader to patch all pointers.
The qemu ACPI table loader is unsupport yet. However, in a future commit
bhyve will use dynamic ACPI table offsets based on the size and
alignment requirements of each ACPI table. Therefore, tracking ACPI
table pointer is required too.
The qemu ACPI table loader patches the ACPI tables. After patching them,
checksums aren't correct any more. It has to calculate a new checksum
for the ACPI table. For that reason, basl has to keep track of checksums
and has to cause the qemu loader to create new checksums for the tables.
The qemu ACPI table loader isn't supported yet. However, the address of
all tables is unknown as long as bhyve hasn't finished ACPI table
creation. So, the checksum of tables which include pointer to other
tables are unknown too. This requires tracking of checksums too.
ACPI tables have different layouts. So, there's no common position for
the length field. When tables are build by basl, the length is unknown
at the beginning. It has to be set after building the table.
Corvin Köhne [Fri, 4 Nov 2022 13:30:53 +0000 (14:30 +0100)]
bhyve: add basl support for generic addresses
In upcoming commits, bhyve will build some ACPI tables by it's own.
Therefore, it should be capable of appending GENERIC_ADDRESS structs to
ACPI tables.
Corvin Köhne [Fri, 4 Nov 2022 11:24:49 +0000 (12:24 +0100)]
bhyve: add basic basl implementation
Basl is the bhyve ASL compiler. At the moment, it's just a small wrapper
to call iasl, the Intel ASL compiler. As bhyve will gain support for
qemu's ACPI table loader in the future, it has to create ACPI tables on
it's own. Therefore, it makes sense to create a new file which keeps the
code for basl.
This first implementation of basl supports creating an ACPI table by
appending raw bytes to it. It's also capable of loading all tables into
guest memory.
Corvin Köhne [Thu, 17 Nov 2022 06:51:51 +0000 (07:51 +0100)]
vmm: remove unneccessary rendezvous assertion
When a vcpu sees that a rendezvous is in progress, it exits and tries to
handle the rendezvous. The vcpu doesn't check if it's part of the
rendezvous or not. If the vcpu isn't part of the rendezvous, the
rendezvous could be done before it reaches the assertion. This will
cause a panic.
The assertion isn't needed at all because vm_handle_rendezvous properly
handles a spurious rendezvous. So, we can just remove it.
linuxkpi: Resolve duplicate global symbol name to fix LINT kernel build.
seq_printf() is defined in both spl_procfs_list.c and linux_seq_file.c .
Fix this by renaming the LinuxKPI ones and use macros to invoke the
correct function.
This diff extends LinuxKPI to support simple attribute files in debugfs.
These simple attributes are an essential component for compiling drm-kmod
with CONFIG_DEBUG_FS enabled.
This will allow for easier graphics driver debugging using
Intel's igt-gpu-tools.
Bjoern A. Zeeb [Tue, 22 Nov 2022 17:29:41 +0000 (17:29 +0000)]
iwlwifi: fix hang on unloading driver
f808c43ad9234670770601ba32a7426b00bbf528 introduced a FreeBSD specific
behaviour to wait for firmware load completion before returning from
loading the driver. This does no longer allow iwl_drv_stop to detect
that startup has completed and it will wait indefinitely for a
completion event that will not happen.
We could change the complete() call to a complete_all() but to avoid
confusion, future side effects, and for simplicity daisy-chain two
complete events in FreeBSD.
PR: 267869
Reported by: Peter Much (pmc citylink.dinoex.sub.org)
Tested by: Peter Much (pmc citylink.dinoex.sub.org)
Sponsored by: The FreeBSD Foundation
Bjoern A. Zeeb [Mon, 31 Oct 2022 14:33:58 +0000 (14:33 +0000)]
LinuxKPI: implement cpumask_of()
Add a static set of cpumasks for all (possible) cpus with only the one
indexed cpu enabled in each set.
This is needed for cpumask_of(_cpuid) which returns a cpumask (cpuset)
with only cpu _cpuid enabled and is used by one wireless driver at least.
Bjoern A. Zeeb [Mon, 7 Nov 2022 12:39:46 +0000 (12:39 +0000)]
LinuxKPI: 802.11: enable WME support
Most of the WME code has been there disabled for months. One of the
reasons was that it lead to crashes early on. It is now understood
that the crashes are independent event and we can enable WME.
Update the code and deal with the calls from net80211 and adjust the
updates to when mac80211 drivers expect them, coherently put it under
LKPI_80211_WME and enable the define locally.
Bjoern A. Zeeb [Sun, 30 Oct 2022 17:05:52 +0000 (17:05 +0000)]
LinuxKPI: add linux/leds.h
This is just a dummy enum and struct in order to make drivers compile
more happily as some parts are simply not hidden behind #ifdefs and
this avoids a longer-term maintenance problem.
Bjoern A. Zeeb [Mon, 31 Oct 2022 22:17:00 +0000 (22:17 +0000)]
LinuxKPI: string.h implement memcpy_and_pad()
Add a memcpy variant which takes length of source and destination
buffers and a padding character in case there is free space in the
destination. This is used by a wireless driver.
Bjoern A. Zeeb [Mon, 31 Oct 2022 23:53:26 +0000 (23:53 +0000)]
LinuxKPI: 802.11: pass internal variable to lkpi_80211_mo_sta_state()
With mac80211 operations (MO) tracing on we have seen some ill-ordered
executions of MO functions. In order to limit visibility of the mac80211
sta, pass the internal version into lkpi_80211_mo_sta_state() and only
there convert to the argument needed. This mostly eases tracing and
debugging.
Bjoern A. Zeeb [Sun, 23 Oct 2022 21:48:22 +0000 (21:48 +0000)]
LinuxKPI: 802.11: add MO tracing
Add a macro to each implemented mac80211 operation. This currently
turns into a printf if LINUXKPI_80211_DEBUG is defined but in the
future could become a different probe as well.
This is helpful for quick analysis and boot-time problem debugging
when DTrace and other frameworks may be harder to use.
Bjoern A. Zeeb [Sat, 22 Oct 2022 17:40:17 +0000 (17:40 +0000)]
iwlwifi: prepare to support debugfs
Import two files left out initially from the driver needed for debugfs
support [1]. Adjust the driver further to make it compile on FreeBSD.
This is currently turned off and needs more LinuxKPI/lindebugfs work.
Being in the tree will allow us to collaboratively work on it and
then we can enable it for good.
Justin Hibbits [Fri, 13 May 2022 22:18:25 +0000 (17:18 -0500)]
libm: Add feenableexcept and fedisableexcept to library on powerpc
Summary:
These functions are missing from the library itself, and exist solely in
the header. This breaks a few ports that expect libm to have the
symbols in the library itself.
Justin Hibbits [Wed, 5 May 2021 14:20:56 +0000 (09:20 -0500)]
msun fixes for SPE
Summary:
Fix FPU exception management for powerpcspe. Bits are in a different place from
the standard FPSCR, so we need to handle the shifting differences. Also,
there's no concept of a "software exception" raise, so we need to do exceptional
math to trigger the exception from software.
Alan Somers [Wed, 12 Oct 2022 22:44:09 +0000 (16:44 -0600)]
ctld: if adding a target fails, retry it on the next reload
If the admin creates more CTL ports than kern.cam.ctl.max_ports, then
adding some will fail. If he then removes some ports and does
"service ctld reload", he would expect that the new ports would get
added in the newly-freed port space. But they don't, because ctld
assigned them port numbers during their first creation attempts.
Fix this bug by removing newly created ports from ctld's internal list
if the kernel rejects them for any reason. That way, a subsequent
config reload will attempt to add them again, possibly with new port
numbers.
Mark Johnston [Sat, 22 Oct 2022 17:35:40 +0000 (13:35 -0400)]
bhyve: Fix some warnings in the ps2 emulation code
- Include headers containing prototypes for exported functions.
- Initialize all fields of the extended translation table.
- Qualify an unexported translation table as static.
- Fix error handling for a read(2).
- Fix some style bugs.
Append Keyboard Layout specified option for using VNC.
Part two: Append bhyve -K option for specified keyboard layout
with layout setting files every languages.
Since the cmd option '-k' was used in the meantime
it was changed to '-K'
Wanpeng Qian [Mon, 14 Nov 2022 12:59:11 +0000 (13:59 +0100)]
nvmecontrol: Fix condition when print number of Firmware Slots and Firmware Slot1 Readonly.
The Number of Firmware Slots should never be zero. So, a Firmware Slot 1
should always exist. For that reason, always print the Number of
Firmware Slots and the Firmware Slot 1 Read-Only value.
Wanpeng Qian [Mon, 14 Nov 2022 13:02:44 +0000 (14:02 +0100)]
bhyve: abort and return FEATURE_NOT_SAVEABLE while set feature with a save flag for NVMe controller.
Currently bhyve's NVMe controller cannot save feature values cross
reboot. It should return a FEATURE_NOT_SAVEABLE error when the command
specifies a save flag.
If the Feature Identifier specified in the Set Features command is not
saveable by the controller and the controller receives a Set Features
command with the Save bit set to one, then the command shall be aborted
with a status of Feature Identifier Not Saveable.
Wanpeng Qian [Mon, 14 Nov 2022 13:06:34 +0000 (14:06 +0100)]
bhyve: return FEATURE_NOT_CHANGEABLE for unimplemented feature of NVMe controller
Set Feature is a feature specified function. Currently only some
features have the set procedure. For features that are not handled by
the controller, we should return a FEATURE_NOT_CHANGEABLE error message.
Wanpeng Qian [Mon, 14 Nov 2022 13:08:52 +0000 (14:08 +0100)]
bhyve: nvme controller obey async event setting when reporting critical temperature
Async event report is controlled by async event configuration feature
setting. When reporting a critical temperature warning, check the async
event configuration.
dhclient(8): Verify lease-, renewal- and rebinding-time option sizes.
Else out-of-bound reads and undefined behaviour may happen.
The current code only checked for the presence of the first of four bytes.
Make sure the fields in question have the minium size required.
Zhenlei Huang [Tue, 18 Oct 2022 15:03:02 +0000 (11:03 -0400)]
geom_part: Check number of GPT entries and size of GPT entry
Current specification does not have upper limit of the number of
partition entries and the size of partition entry. In 799eac8c3df597179bbb3b078362f3ff03993a1a Andrey V. Elsukov introduced a
limit maximum number of GPT entries to 4k, but that is for write routine
(gpart create) only. When attaching disks that have large number of GPT
entries exceeding the limit, or disks with large size of partition
entry, it is still possible to exhaust kernel memory.
1. Reuse the limit of the maximum number of partition entries.
2. Limit the maximum size of GPT entry to 1k.
In current specification (2.10) the size of GPT entry is 128 *
2^n while n >= 0, and the size - 128 is reserved. 1k should be
sufficient enough for foreseen future.
Mark Johnston [Mon, 14 Nov 2022 20:08:45 +0000 (15:08 -0500)]
bhyve: Simplify control flow in the xhci device model
We only need to call pci_xhci_xfer_complete() when handling a transfer
to the control endpoint, so move that code into the epid == 1 block and
eliminate a goto. Also remove an unneeded reinitialization of
setup_trb.
Mark Johnston [Mon, 7 Nov 2022 21:07:26 +0000 (16:07 -0500)]
ksan: Build sanitizer runtimes without stack-smashing protection
On arm64 with per-thread stack canaries enabled (the PERTHREAD_SSP
option), the compiler may load curthread->td_md.md_canary in function
prologues. This is not safe in data_abort(); see commit 2c10be9e06d4.
Thus, sanitizer runtimes must also avoid accessing the current thread's
canary.
Since SSP has limited utility in sanitizer runtimes, simply disable it
unconditionally to avoid unpleasant surprises in the future.
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Doug Moore [Sat, 29 Oct 2022 05:50:44 +0000 (00:50 -0500)]
iommu_gas: start space search from 1st free space
Maintain a pointer to an element in the domain map that is left of any
sufficiently large free gap in the tree and start the search for free
space there, rather than at the root of the tree. On find_space, move
that pointer to the leftmost leaf in the subtree of nodes with
free_down greater than or equal to the minimum allocation size before
starting the search for space from that pointer. On removal of a node
with address less than that pointer, update that pointer to point to
the predecessor or successor of the removed node.
In experiments with netperf streaming, this reduces by about 40% the
number of map entries examined in first-fit allocation.
Kirk McKusick [Sat, 12 Nov 2022 23:36:07 +0000 (15:36 -0800)]
Fix for tunefs(8) unable to add a UFS/FFS soft update journal.
The reported bug is UFS: bad file descriptor: soft update journaling
can not be enabled on some FreeBSD-provided disk images – failed
to write updated cg.
The UFS library (libufs(3)) failed to reopen its disk descriptor
when first attempting to update a cylinder group. The error only
occurred when trying to add journaling to a filesystem whose first
cylinder group was too full to hold the journal.
PR: 259090
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Ed Maste [Thu, 17 Nov 2022 14:15:20 +0000 (09:15 -0500)]
pkgbase: report type for duplicated METALOG entries
Duplicate METALOG file entries are more of a concern than duplicate
directories. The metalog check tool previously did not include the
entry type in the warnings, making it hard to find the ones of concern.
Ed Maste [Wed, 16 Nov 2022 19:53:42 +0000 (14:53 -0500)]
pkgbase: examine METALOG files relative to stage root directory
Previously we stripped the '.' from the beginning of each METALOG entry
to determine the path to stat. This meant that we examined files on the
build host, not the staged files.
Instead, strip off the last part of the specified METALOG pathname to
find the stage root directory, and stat files relative to that.
Reviewed by: bapt
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37412
Ed Maste [Mon, 24 Oct 2022 18:06:41 +0000 (14:06 -0400)]
build: Use `rm -fv` for BATCH_DELETE_OLD_FILES
It's possible to have files with odd permissions in the tmproot (or
sysroot), causing rm to prompt for each one during e.g. buildworld.
Add -f to forcibly delete these.
Reviewed by: brooks
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37111
Chuck Tuffli [Sun, 14 Aug 2022 14:45:21 +0000 (07:45 -0700)]
bhyve nvme: Check return value of mapped memory
Fuzzing of bhyve using hyfuzz discovered a way to cause a segmentation
fault in the NVMe emulation. If a guest specifies a physical address in
either the PRP1 or PRP2 field of a command that cannot be mapped from
guest to host, the function paddr_guest2host() returns a NULL pointer.
The NVMe emulation did not check for this error case, which allowed for
the segmentation fault to occur.
Fix is to check for a return value of NULL and indicate an error back to
the guest (Data Transfer error). While in the area, slightly refactor
the write/read blockif function to use a common error exit path.
Chuck Tuffli [Tue, 16 Aug 2022 16:15:53 +0000 (09:15 -0700)]
bhyve nvme: Support minimal Controller list
Controllers must support the Identify Controller list if they support
Namespace Management. But the UNH NVMe tests use this command regardless
of whether the device under test supports Namespace Management.
This implementation returns an empty Controller list (i.e., Number of
Identifiers is zero).
Chuck Tuffli [Tue, 16 Aug 2022 16:14:43 +0000 (09:14 -0700)]
bhyve nvme: Fix reported SANICAP value
The NVMe specification only allows Controllers compliant with the
revision 1.3 and earlier specification to report a value of 0x0 in the
No-Deallocate Modifies Media After Sanitize (NODMMAS) field.
For our revision 1.4 Controller, report that media is not modified after
Sanitize as the implementation does not implement Sanitize.
WanpengQian [Sun, 14 Aug 2022 15:26:42 +0000 (08:26 -0700)]
bhyve: Fix Number of Power States Supported value
Summary:
Set Number of Power States Supported to indicate 1 power state. Keep the
Power State Descriptor data structures as zero to indicate "Not
reported".
Test Plan:
Within FreeBSD/Linux guests, list the number of power states and check
the Max Power value.
Chuck Tuffli [Thu, 9 Jun 2022 18:19:32 +0000 (11:19 -0700)]
bhyve nvme: Fix out-of-bound IOV array access
Summary:
NVMe operations indicate the memory region(s) associated with a command
via physical region pages (PRPs). Since each PRP has a fixed size,
contiguous memory regions larger than the PRP size require multiple PRP
entries.
Instead of issuing a blockif call for each PRP, the NVMe emulation
concatenates multiple contiguous PRP entries into a single blockif
request. The test for contiguous regions has a bug such that it
mistakenly treats an initial PRP address of zero as a contiguous range
and concatenates it with the previous. But because there is no previous
IOV, the concatenation code corrupts the IO request structure and leads
to a segmentation fault when the blockif request completes.
Fix is to test for the existence of a previous range before trying to
concatenate the current range with the previous one.
While in the area, rename pci_nvme_append_iov_req()'s lba parameter to
offset to match its usage.
Chuck Tuffli [Fri, 5 Mar 2021 16:13:23 +0000 (08:13 -0800)]
wait for device mounts in zpool and dumpon
If the root file system is composed from multiple devices, wait for
devices to be ready before running zpool and dumpon rc scripts.
An example of this is if the bulk of the root file system exists on a
fast device (e.g. NVMe) but the /var directory comes from a ZFS dataset
on a slower device (e.g. SATA). In this case, it is possible that the
zpool import may run before the slower device has finished being probed,
leaving the system in an intermediate state.
Fix is to add root_hold_wait to the zpool and dumpon (which has a
similar issue) rc scripts.
Warner Losh [Fri, 12 Aug 2022 17:08:36 +0000 (11:08 -0600)]
stand: Compile out the extensive superblock diagnostic messages for BIOS loader
The BIOS loader operates in a very constrained environment. The messages
for the super block integrity tests take up about 12k of space. Compile
them out for the BIOS loader, while leaving it intact for all other
loaders that aren't space constrained. These aren't used in the 'super
tiny' *boot* programs, so no adjustment is needed there.
We reply on the fact that (a) i386 doesn't support 32-bit UEFI booting
and (b) LIBSA_CPUARCH is "i386" when building on both i386 and when
we're building the 32-bit libsa32 library.
This saves about 12k of space for this constrained envrionment and will
take a bit of the pressure off some machines where the loader has grown
too big for their BIOS (see comments in i386/loader/Makefile for
details).
Kirk McKusick [Fri, 27 May 2022 19:21:11 +0000 (12:21 -0700)]
Do comprehensive UFS/FFS superblock integrity checks when reading a superblock.
Historically only minimal checks were made of a superblock when it
was read in as it was assumed that fsck would have been run to
correct any errors before attempting to use the filesystem. Recently
several bug reports have been submitted reporting kernel panics
that can be triggered by deliberately corrupting filesystem superblocks,
see Bug 263979 - [meta] UFS / FFS / GEOM crash (panic) tracking
which is tracking the reported corruption bugs.
This change upgrades the checks that are performed. These additional
checks should prevent panics from a corrupted superblock. Although
it appears in only one place, the new code will apply to the kernel
modules and (through libufs) user applications that read in superblocks.
Reported by: Robert Morris and Neeraj
Reviewed by: kib
Tested by: Peter Holm
PR: 263979
Differential Revision: https://reviews.freebsd.org/D35219
Cy Schubert [Thu, 17 Nov 2022 15:43:29 +0000 (07:43 -0800)]
heimdal: Fix: Too large time skew, client time 1970-01-01T01:00:00
Part of ed549cb0c53f zeroed out a data structure in the resulting code-file
when a TUTCTime type was freed. This part of the patch applies to Heimdal
7.1+ and not our Heimdal 1.5.2.
PR: 267827
Reported by: Peter Much <pmc@citylink.dinoex.sub.org>
Tested by: Peter Much <pmc@citylink.dinoex.sub.org>
Fixes: ed549cb0c53f
ixgbe: workaround errata about UDP frames with zero checksum
Intel 82599 has errata related to IPv4 UDP frames with zero checksum.
It reports such datagrams with L4 integrity errors in IXGBE_XEC
register. And after afb1aa4e6df2 commit such errors are reported
via IFCOUNTER_IERRORS. This confuses users, since actually all frames
are handled correctly by the system.
To workaround the problem, let's ignore the XEC register value for
82599 cards for now.
Rick Macklem [Tue, 18 Oct 2022 22:47:07 +0000 (15:47 -0700)]
nfsd: Make the pNFS server update Change for Setxattr/Rmxattr
When the NFS server does the Setxattr or Rmxattr operation,
the Change attribute (va_filerev) needs to be updated.
Without this patch, that was not happening for the
pNFS server configuration. This patch does a Setattr
against the DS file to make the Change attribute
change.
This bug was discovered during a recent IETF NFSv4 testing
event, where the Change attribute wasn't changed in the
operation reply.
Rick Macklem [Sun, 16 Oct 2022 20:27:32 +0000 (13:27 -0700)]
nfsd: Make Setxattr/Removexattr NFSv4.2 ops IO_SYNC
When the NFS server does Setxattr or Removexattr, the
operations must be done IO_SYNC. If a server
crashes/reboots immediately after replying it must
have the extended attribute changes.
Since UFS does extended attributes asynchronously
by default and there is no "ioflag" argument in
the VOP calls, follow the VOP calls with VOP_FSYNC(),
to ensure the operation has been done synchronously.
This was found by inspection while investigating a
bug discovered during a recent IETF NFSv4 testing
event, where the Change attribute wasn't changed
in the operation reply.
This bug will take further work for ZFS and the
pNFS server configuration, but is now fixed for
a non-pNFS UFS exported file system.
Cy Schubert [Tue, 8 Nov 2022 08:53:29 +0000 (00:53 -0800)]
heimdal: Fix multiple security vulnerabilities
The following issues are patched:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
on the Common Vulnerability Scoring System (CVSS) v3, as we believe
it should be possible to get an RCE on a KDC, which means that
credentials can be compromised that can be used to impersonate
anyone in a realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE types
used in Heimdal, though not all cases will be exploitable. We have
not completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
only affect Heimdal 1.6 and up. It was first reported by Douglas
Bagnall, though it had been found independently by the Heimdal
maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
Sponsored by: so (philip)
Obtained from: so (philip)
Tested by: philip, cy
John Baldwin [Tue, 15 Nov 2022 01:24:56 +0000 (17:24 -0800)]
<crypto/chacha20_poly1305>: Fix operations with 8 byte nonce.
In head, the inline ChaCha20+Poly1305 API is implemented using the
software implementation backing OCF, but that requires API changes
that can't be MFC'd. As a result, this API in stable/13 uses
libsodium directly.
However, libsodium's version of ChaCha20+Poly1305 with an 8 byte nonce
uses a different construction for the Poly1305 hash than is used for
the standard IETF AEAD cipher used for TLS and IPsec. WireGuard's use
of an 8 byte nonce also uses the more standard construction.
Since the verison in stable/13 was using libsodium directly for the 8
byte nonce case, it was generating incorrect MACs for if_wg(4). As a
workaround, change the direct API to always use the IETF API from
libsodium which uses 12 byte nonces. This can be done by
zero-extending the provided 8 byte nonce to 12 bytes so long as the
passed in buffers are sufficiently small to not overflow a 4 byte
counter.
This fixes key negotiation for if_wg(4) on stable/13. This is also
a direct commit to stable/13.
Reported by: Marek Zarychta <mzar@bpine64.dom.potoki.eu>
Mark Johnston [Mon, 19 Jul 2021 20:09:42 +0000 (16:09 -0400)]
Simplify kernel sanitizer interceptors
KASAN and KCSAN implement interceptors for various primitive operations
that are not instrumented by the compiler. KMSAN requires them as well.
Rather than adding new cases for each sanitizer which requires
interceptors, implement the following protocol:
- When interceptor definitions are required, define
SAN_NEEDS_INTERCEPTORS and SANITIZER_INTERCEPTOR_PREFIX.
- In headers that declare functions which need to be intercepted by a
sanitizer runtime, use SANITIZER_INTERCEPTOR_PREFIX to provide
declarations.
- When SAN_RUNTIME is defined, do not redefine the names of intercepted
functions. This is typically the case in files which implement
sanitizer runtimes but is also needed in, for example, files which
define ifunc selectors for intercepted operations.
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Mitchell Horne [Fri, 11 Nov 2022 18:23:11 +0000 (14:23 -0400)]
ddb: don't limit pindex output in 'show vmopag'
This command already prints a tremendous amount of output, and properly
obeys the pager. It no longer makes sense to arbitrarily limit the pages
that are printed, as the reader will not be aware that this has
happened.
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D37361
Mitchell Horne [Fri, 11 Nov 2022 18:20:31 +0000 (14:20 -0400)]
netgdb(4): update list of required kernel options
The man page claims that netgdb will be enabled automatically with the
presence of the DDB, GDB, and INET options. Based on the logic in
conf/files, this is not the case. Update the manpage to list all
of the options required to include netgdb.