Ed Maste [Thu, 17 Nov 2022 14:15:20 +0000 (09:15 -0500)]
pkgbase: report type for duplicated METALOG entries
Duplicate METALOG file entries are more of a concern than duplicate
directories. The metalog check tool previously did not include the
entry type in the warnings, making it hard to find the ones of concern.
Ed Maste [Wed, 16 Nov 2022 19:53:42 +0000 (14:53 -0500)]
pkgbase: examine METALOG files relative to stage root directory
Previously we stripped the '.' from the beginning of each METALOG entry
to determine the path to stat. This meant that we examined files on the
build host, not the staged files.
Instead, strip off the last part of the specified METALOG pathname to
find the stage root directory, and stat files relative to that.
Reviewed by: bapt
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37412
Ed Maste [Mon, 24 Oct 2022 18:06:41 +0000 (14:06 -0400)]
build: Use `rm -fv` for BATCH_DELETE_OLD_FILES
It's possible to have files with odd permissions in the tmproot (or
sysroot), causing rm to prompt for each one during e.g. buildworld.
Add -f to forcibly delete these.
Reviewed by: brooks
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37111
Chuck Tuffli [Sun, 14 Aug 2022 14:45:21 +0000 (07:45 -0700)]
bhyve nvme: Check return value of mapped memory
Fuzzing of bhyve using hyfuzz discovered a way to cause a segmentation
fault in the NVMe emulation. If a guest specifies a physical address in
either the PRP1 or PRP2 field of a command that cannot be mapped from
guest to host, the function paddr_guest2host() returns a NULL pointer.
The NVMe emulation did not check for this error case, which allowed for
the segmentation fault to occur.
Fix is to check for a return value of NULL and indicate an error back to
the guest (Data Transfer error). While in the area, slightly refactor
the write/read blockif function to use a common error exit path.
Chuck Tuffli [Tue, 16 Aug 2022 16:15:53 +0000 (09:15 -0700)]
bhyve nvme: Support minimal Controller list
Controllers must support the Identify Controller list if they support
Namespace Management. But the UNH NVMe tests use this command regardless
of whether the device under test supports Namespace Management.
This implementation returns an empty Controller list (i.e., Number of
Identifiers is zero).
Chuck Tuffli [Tue, 16 Aug 2022 16:14:43 +0000 (09:14 -0700)]
bhyve nvme: Fix reported SANICAP value
The NVMe specification only allows Controllers compliant with the
revision 1.3 and earlier specification to report a value of 0x0 in the
No-Deallocate Modifies Media After Sanitize (NODMMAS) field.
For our revision 1.4 Controller, report that media is not modified after
Sanitize as the implementation does not implement Sanitize.
WanpengQian [Sun, 14 Aug 2022 15:26:42 +0000 (08:26 -0700)]
bhyve: Fix Number of Power States Supported value
Summary:
Set Number of Power States Supported to indicate 1 power state. Keep the
Power State Descriptor data structures as zero to indicate "Not
reported".
Test Plan:
Within FreeBSD/Linux guests, list the number of power states and check
the Max Power value.
Chuck Tuffli [Thu, 9 Jun 2022 18:19:32 +0000 (11:19 -0700)]
bhyve nvme: Fix out-of-bound IOV array access
Summary:
NVMe operations indicate the memory region(s) associated with a command
via physical region pages (PRPs). Since each PRP has a fixed size,
contiguous memory regions larger than the PRP size require multiple PRP
entries.
Instead of issuing a blockif call for each PRP, the NVMe emulation
concatenates multiple contiguous PRP entries into a single blockif
request. The test for contiguous regions has a bug such that it
mistakenly treats an initial PRP address of zero as a contiguous range
and concatenates it with the previous. But because there is no previous
IOV, the concatenation code corrupts the IO request structure and leads
to a segmentation fault when the blockif request completes.
Fix is to test for the existence of a previous range before trying to
concatenate the current range with the previous one.
While in the area, rename pci_nvme_append_iov_req()'s lba parameter to
offset to match its usage.
Chuck Tuffli [Fri, 5 Mar 2021 16:13:23 +0000 (08:13 -0800)]
wait for device mounts in zpool and dumpon
If the root file system is composed from multiple devices, wait for
devices to be ready before running zpool and dumpon rc scripts.
An example of this is if the bulk of the root file system exists on a
fast device (e.g. NVMe) but the /var directory comes from a ZFS dataset
on a slower device (e.g. SATA). In this case, it is possible that the
zpool import may run before the slower device has finished being probed,
leaving the system in an intermediate state.
Fix is to add root_hold_wait to the zpool and dumpon (which has a
similar issue) rc scripts.
Warner Losh [Fri, 12 Aug 2022 17:08:36 +0000 (11:08 -0600)]
stand: Compile out the extensive superblock diagnostic messages for BIOS loader
The BIOS loader operates in a very constrained environment. The messages
for the super block integrity tests take up about 12k of space. Compile
them out for the BIOS loader, while leaving it intact for all other
loaders that aren't space constrained. These aren't used in the 'super
tiny' *boot* programs, so no adjustment is needed there.
We reply on the fact that (a) i386 doesn't support 32-bit UEFI booting
and (b) LIBSA_CPUARCH is "i386" when building on both i386 and when
we're building the 32-bit libsa32 library.
This saves about 12k of space for this constrained envrionment and will
take a bit of the pressure off some machines where the loader has grown
too big for their BIOS (see comments in i386/loader/Makefile for
details).
Kirk McKusick [Fri, 27 May 2022 19:21:11 +0000 (12:21 -0700)]
Do comprehensive UFS/FFS superblock integrity checks when reading a superblock.
Historically only minimal checks were made of a superblock when it
was read in as it was assumed that fsck would have been run to
correct any errors before attempting to use the filesystem. Recently
several bug reports have been submitted reporting kernel panics
that can be triggered by deliberately corrupting filesystem superblocks,
see Bug 263979 - [meta] UFS / FFS / GEOM crash (panic) tracking
which is tracking the reported corruption bugs.
This change upgrades the checks that are performed. These additional
checks should prevent panics from a corrupted superblock. Although
it appears in only one place, the new code will apply to the kernel
modules and (through libufs) user applications that read in superblocks.
Reported by: Robert Morris and Neeraj
Reviewed by: kib
Tested by: Peter Holm
PR: 263979
Differential Revision: https://reviews.freebsd.org/D35219
Cy Schubert [Thu, 17 Nov 2022 15:43:29 +0000 (07:43 -0800)]
heimdal: Fix: Too large time skew, client time 1970-01-01T01:00:00
Part of ed549cb0c53f zeroed out a data structure in the resulting code-file
when a TUTCTime type was freed. This part of the patch applies to Heimdal
7.1+ and not our Heimdal 1.5.2.
PR: 267827
Reported by: Peter Much <pmc@citylink.dinoex.sub.org>
Tested by: Peter Much <pmc@citylink.dinoex.sub.org>
Fixes: ed549cb0c53f
ixgbe: workaround errata about UDP frames with zero checksum
Intel 82599 has errata related to IPv4 UDP frames with zero checksum.
It reports such datagrams with L4 integrity errors in IXGBE_XEC
register. And after afb1aa4e6df2 commit such errors are reported
via IFCOUNTER_IERRORS. This confuses users, since actually all frames
are handled correctly by the system.
To workaround the problem, let's ignore the XEC register value for
82599 cards for now.
Rick Macklem [Tue, 18 Oct 2022 22:47:07 +0000 (15:47 -0700)]
nfsd: Make the pNFS server update Change for Setxattr/Rmxattr
When the NFS server does the Setxattr or Rmxattr operation,
the Change attribute (va_filerev) needs to be updated.
Without this patch, that was not happening for the
pNFS server configuration. This patch does a Setattr
against the DS file to make the Change attribute
change.
This bug was discovered during a recent IETF NFSv4 testing
event, where the Change attribute wasn't changed in the
operation reply.
Rick Macklem [Sun, 16 Oct 2022 20:27:32 +0000 (13:27 -0700)]
nfsd: Make Setxattr/Removexattr NFSv4.2 ops IO_SYNC
When the NFS server does Setxattr or Removexattr, the
operations must be done IO_SYNC. If a server
crashes/reboots immediately after replying it must
have the extended attribute changes.
Since UFS does extended attributes asynchronously
by default and there is no "ioflag" argument in
the VOP calls, follow the VOP calls with VOP_FSYNC(),
to ensure the operation has been done synchronously.
This was found by inspection while investigating a
bug discovered during a recent IETF NFSv4 testing
event, where the Change attribute wasn't changed
in the operation reply.
This bug will take further work for ZFS and the
pNFS server configuration, but is now fixed for
a non-pNFS UFS exported file system.
Cy Schubert [Tue, 8 Nov 2022 08:53:29 +0000 (00:53 -0800)]
heimdal: Fix multiple security vulnerabilities
The following issues are patched:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
on the Common Vulnerability Scoring System (CVSS) v3, as we believe
it should be possible to get an RCE on a KDC, which means that
credentials can be compromised that can be used to impersonate
anyone in a realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE types
used in Heimdal, though not all cases will be exploitable. We have
not completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
only affect Heimdal 1.6 and up. It was first reported by Douglas
Bagnall, though it had been found independently by the Heimdal
maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
Sponsored by: so (philip)
Obtained from: so (philip)
Tested by: philip, cy
John Baldwin [Tue, 15 Nov 2022 01:24:56 +0000 (17:24 -0800)]
<crypto/chacha20_poly1305>: Fix operations with 8 byte nonce.
In head, the inline ChaCha20+Poly1305 API is implemented using the
software implementation backing OCF, but that requires API changes
that can't be MFC'd. As a result, this API in stable/13 uses
libsodium directly.
However, libsodium's version of ChaCha20+Poly1305 with an 8 byte nonce
uses a different construction for the Poly1305 hash than is used for
the standard IETF AEAD cipher used for TLS and IPsec. WireGuard's use
of an 8 byte nonce also uses the more standard construction.
Since the verison in stable/13 was using libsodium directly for the 8
byte nonce case, it was generating incorrect MACs for if_wg(4). As a
workaround, change the direct API to always use the IETF API from
libsodium which uses 12 byte nonces. This can be done by
zero-extending the provided 8 byte nonce to 12 bytes so long as the
passed in buffers are sufficiently small to not overflow a 4 byte
counter.
This fixes key negotiation for if_wg(4) on stable/13. This is also
a direct commit to stable/13.
Reported by: Marek Zarychta <mzar@bpine64.dom.potoki.eu>
Mark Johnston [Mon, 19 Jul 2021 20:09:42 +0000 (16:09 -0400)]
Simplify kernel sanitizer interceptors
KASAN and KCSAN implement interceptors for various primitive operations
that are not instrumented by the compiler. KMSAN requires them as well.
Rather than adding new cases for each sanitizer which requires
interceptors, implement the following protocol:
- When interceptor definitions are required, define
SAN_NEEDS_INTERCEPTORS and SANITIZER_INTERCEPTOR_PREFIX.
- In headers that declare functions which need to be intercepted by a
sanitizer runtime, use SANITIZER_INTERCEPTOR_PREFIX to provide
declarations.
- When SAN_RUNTIME is defined, do not redefine the names of intercepted
functions. This is typically the case in files which implement
sanitizer runtimes but is also needed in, for example, files which
define ifunc selectors for intercepted operations.
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Mitchell Horne [Fri, 11 Nov 2022 18:23:11 +0000 (14:23 -0400)]
ddb: don't limit pindex output in 'show vmopag'
This command already prints a tremendous amount of output, and properly
obeys the pager. It no longer makes sense to arbitrarily limit the pages
that are printed, as the reader will not be aware that this has
happened.
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D37361
Mitchell Horne [Fri, 11 Nov 2022 18:20:31 +0000 (14:20 -0400)]
netgdb(4): update list of required kernel options
The man page claims that netgdb will be enabled automatically with the
presence of the DDB, GDB, and INET options. Based on the logic in
conf/files, this is not the case. Update the manpage to list all
of the options required to include netgdb.
* Avoid unnecessary use of `unsigned char *`
* Use explicit casts when assigning `unsigned char *` to `char *` or vice versa
* Drop unused global variables (and fix memory leak in `gettable()`)
* Use `snprintf()` instead of `strcpy()` + `strcat()`
* Drop spurious braces in switch
Sponsored by: Klara, Inc.
Obtained from: Apple OSS Distributions (in part)
Differential Revision: https://reviews.freebsd.org/D37263
The system call returns the head of the robust futex list. The list head is stored
in the location pointed to by the head argument. When copying data between address
spaces use proper head storage size as it depends on an emulated ABI.
Gordon Bergling [Mon, 7 Nov 2022 10:23:33 +0000 (11:23 +0100)]
Update HISTORY and AUTHORS sections for cut(1) and paste(1)
In an e-mail Brian Walden wrote that:
"GWRL stands for Gottfried W. R. Luderer, the author of cut(1) and
paste(1), probably around 1978. Those came either from PWB or USG,
as he worked with, or for, Berkley Tague. Thus they made their way
into AT&T commercial UNIX, first into System III and the into System
V, and that's why they are missing from early BSD releases as they
didn't get into Research UNIX until the 8th Edition."
So update the HISTORY and AUTHORS sections for cut(1) and paste(1).
Kyle Evans [Thu, 10 Nov 2022 04:20:34 +0000 (22:20 -0600)]
include: put includes into -dev packages
The includes build is kind of funky, as we support either copying or
symlinking files into /usr/include. For `copies`, we were supplying
the include/ ${TAG_ARGS}, which puts packages into `FreeBSD-runtime`,
without any consideration to the fact that we're installing headers.
Let's copy the approach that the `symlinks` target uses for now, and
add ",dev" to the TAG_ARGS so that headers at least end up in
FreeBSD-runtime-dev, which is more appropriate. Some of these includes
are actually technically supposed to be in *other* packages and their
INCSGROUP's PACKAGE setting is actually correct, but this is less
trivial to solve. This is a bandaid to fix the immediate problem of
some headers ending up in two different packages.
PR: 267526
Reviewed by: dfr, manu
Differential Revision: https://reviews.freebsd.org/D37256
Kyle Evans [Wed, 2 Nov 2022 20:29:16 +0000 (15:29 -0500)]
mktemp: don't double up on trailing slashes for -t paths
This is a minor cosmetic change; re-organize slightly to set tmpdir to
_PATH_TMP if we didn't otherwise have a tmpdir candidate, then check the
trailing char before appending another slash.
While we're here, remove some bogus whitespace and add a test case for
this change.
Obtained from: https://github.com/apple-oss-distributions/shell_cmds
Sponsored by: Klara, Inc.
Kyle Evans [Mon, 31 Oct 2022 03:55:46 +0000 (22:55 -0500)]
mktemp: add -p/--tmpdir argument
This matches other mktemp implementations, including OpenBSD and GNU.
The -p option can be used to provide a tmpdir prefix for specified
templates. Precedence works out like so:
-t flag:
- $TMPDIR
- -p directory
- /tmp
Implied -t flag (no arguments or only -d flag):
- -p directory
- $TMPDIR
- /tmp
Some tests have been added for mktemp(1) in the process.
Reviewed by: imp (earlier version), wosch
Sponsored by: Klara, Inc.
Warner Losh [Fri, 12 Mar 2021 00:11:28 +0000 (17:11 -0700)]
Remove README in favor of README.md
Complete the transition to README.md I started 3 years ago. Remove the
now-redundant README file. It's currently just README.md w/o the light markup
and adds no real value. This also allows us to use additional MarkDown
markup as we see fit w/o worrying about keeping things in sync.
List of changes:
- Use integer multiplication instead of long multiplication, because the result is an integer.
- Remove multiple if-statements and predict new if-statements.
- Rename local variable name, "ticks" into "retval" to avoid shadowing
the system "ticks" global variable.
time(3): Align fast clock times to avoid firing multiple timers.
In non-periodic mode absolute timers fire at exactly the time given.
When specifying a fast clock, align the firing time so that less
timer interrupt events are needed.
Alexander Motin [Mon, 21 Mar 2022 23:43:39 +0000 (19:43 -0400)]
Fix umtxq_sleep() regression caused by 56070dd2e4d.
umtxq_requeue() moves the queue to a different hash chain and different
lock, so we can't rely on msleep_sbt() reacquiring the same old lock.
We have to use PDROP and update the queue chain and so lock pointer.
Alexander Motin [Fri, 4 Mar 2022 03:03:09 +0000 (22:03 -0500)]
Improve timeout precision of pthread_cond_timedwait().
This code was not touched when all other user-space sleep functions were
switched to sbintime_t and decoupled from hardclock. When it is possible,
convert supplied times into sbinuptime to supply directly to msleep_sbt()
with C_ABSOLUTE. This provides the timeout resolution of few microseconds
instead of 2 milliseconds, plus avoids few clock reads and conversions.
Gordon Bergling [Sun, 30 Oct 2022 12:59:37 +0000 (13:59 +0100)]
wg.4: Add some enhancements
- add a SPDX-License-Identifier
- rename the title of the man page
- use better grammar in some places
- reword 'IPs' to 'IP addresses'
- add a missing word in the AUTHORS section
- use '.An -nosplit' in the AUTHORS section
- Xr ipsec and ovpn
Relative to upstream this commit includes a few other small fixes such
as additional INET and INET6 #ifdef's, #include cleanups, and updates
for recent API changes in main.
Reviewed by: pauamma, gbe, kevans, emaste
Obtained from: git@git.zx2c4.com:wireguard-freebsd @ 3cc22b2
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36909
John Baldwin [Wed, 5 Oct 2022 23:48:05 +0000 (16:48 -0700)]
rs: Fix some pointer arith UB.
If the next column was blank, then the length of the following entry
was computed as the end of the following entry minus a global variable
"blank" which is not in the same string or allocation. Instead, save
the start value of 'p' explicitly instead of abusing '*ep'. Possibly
we should just increment p before saving it in sp in the 'blank' case,
but at worst that would just mean maxlen might be one char too large
which should be harmless.
John Baldwin [Wed, 5 Oct 2022 23:47:40 +0000 (16:47 -0700)]
rs: Fix a use after free.
Using a pointer passed to realloc() after realloc() even for pointer
arithmetic is UB. It also breaks in practice on CHERI systems as
the updated value of 'sp' in this case would have had the bounds from
the old allocation.
This would be much cleaner if elem were a std::vector<char *>.
John Baldwin [Wed, 5 Oct 2022 23:46:01 +0000 (16:46 -0700)]
msk: Use a void cast to mark values of dummy reads as unused.
Note that this required adding missing ()'s around the outermost level
of MSK_READ_MIB*. Otherwise, the void cast was only applied to the
first register read. This also meant that MSK_READ_MIB64 was pretty
broken as the uint64_t cast only applied to the first 16-bit register
read in each MSK_READ_MIB32 invocation and the 32-bit shift was only
applied to the second register read of the pair.
John Baldwin [Mon, 3 Oct 2022 23:10:44 +0000 (16:10 -0700)]
nvmecontrol wdc: Don't pass a bogus pointer to free().
wdc_get_dui_log_size allocates a buffer and then advances the
returned pointer. Passing this advanced pointer to free() is UB,
so save the original pointer to pass to free() instead.
John Baldwin [Mon, 3 Oct 2022 23:10:43 +0000 (16:10 -0700)]
libfetch: Use memcpy in place of an odd strncpy.
The length passed to strncpy is the length of the source string, not
the destination buffer. This triggers a non-fatal warning in GCC 12.
Hoewver, the code is also odd. It is really just a memcpy of the
string without its nul terminator. For that use case, memcpy is
clearer.
John Baldwin [Mon, 3 Oct 2022 23:10:43 +0000 (16:10 -0700)]
diff: Fix a use after free as well as a memory leak in change().
When -B or -I are used, change() evaluates the lines in a hunk to
determine if it is a hunk that should be ignored. It does this by
reading each candidate line into a mallocated buffer via preadline()
and then calling ignoreline(). Previously the buffer was freed as a
side effect of ignoreline_pattern() called from ignoreline().
However, if only -B was specified, then ignoreline_pattern() was not
called and the lines were leaked. If both options were specified,
then ignoreline_pattern() was called before checking for a blank line
so that the second check was a use after free.
To fix, pull the free() out of ignoreline_pattern() and instead do it
up in change() so that is paired with preadline().
While here, simplify ignoreline() by checking for the -B and -I cases
individually without a separate clause for when both are set. Also,
do the cheaper check (-B) first, and remove a false comment (this
function is only called if at least one of -I or -B are specified).