imp [Fri, 26 Oct 2018 23:08:22 +0000 (23:08 +0000)]
Ensure we have a full EFI_DEVICE_PATH header before we try to look at
its length. Some BIOSes pad the length of the device path to an even
amount. When we had a device path that was somehow an odd length, we'd
wind up having 1 byte left that we were bogusly interpreting as a full
device path. We'd then dereference 2 bytes into that to get a length
of the node, which had undefined (and quite undesired) effects.
will take the value from Boot0001.bin file and then decode it as if it
were a load-option. This is useful for debugging handling of such
variables that may be hanging the boot for some people.
markj [Fri, 26 Oct 2018 21:17:06 +0000 (21:17 +0000)]
Don't set NFSv4 ACL inheritance flags on non-directories.
They only make sense in the context of directory ACLs, and attempting
to set them on regular files results in errors, causing a recursive
setfacl invocation to abort.
This is derived from patches by Shawn Webb <shawn.webb@hardenedbsd.org>
and Mitchell Horne <mhorne063@gmail.com>.
PR: 155163
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D15061
cem [Fri, 26 Oct 2018 21:03:57 +0000 (21:03 +0000)]
Fortuna: Add failpoints to simulate initial seeding conditions
Set debug.fail_point.random_fortuna_pre_read=return(1) and
debug.fail_point.random_fortuna_seeded=return(1) to return to unseeded
status (sort of). See the Differential URL for more detail.
The goal is to reproduce e.g. Lev's recent CURRENT report[1] about failing
newfs arc4random(3) usage (fixed in r338542).
cem [Fri, 26 Oct 2018 20:55:01 +0000 (20:55 +0000)]
Fortuna: fix a correctness issue in reseed (fortuna_pre_read)
'i' counts the number of pools included in the array 's'. Passing 'i+1' to
reseed_internal() as the number of blocks in 's' is a bogus overrun of the
initialized portion of 's' -- technically UB.
I found this via code inspection, referencing ยง9.5.2 "Pools" of the Fortuna
chapter, but I would expect Coverity to notice the same issue.
Unfortunately, it doesn't appear to.
cem [Fri, 26 Oct 2018 20:53:01 +0000 (20:53 +0000)]
rijndael (AES): Avoid leaking sensitive data on kernel stack
Noticed this investigating Fortuna. Remove useless duplicate stack copies
of sensitive contents when possible, or if not possible, be sure to zero
them out when we're finished.
cem [Fri, 26 Oct 2018 20:07:46 +0000 (20:07 +0000)]
poll: Unify userspace pollfd pointer name
Some of the poll code used 'fds' and some used 'ufds' to refer to the
uap->fds userspace pointer that was passed around to subroutines. Some of
the poll code used 'fds' to refer to the kernel memory pollfd arrays, which
seemed unnecessarily confusing.
Unify on 'ufds' to refer to the userspace pollfd array.
Additionally, 'bits' is not an accurate description of the kernel pollfd
array in kern_poll, so rename that to 'kfds'. Finally, clean up some logic
with mallocarray() and nitems().
cem [Fri, 26 Oct 2018 19:53:59 +0000 (19:53 +0000)]
dumpon(8): Provide seatbelt against weak RSA keys
The premise of dumpon -k foo.pem is that dump contents will be confidential
except to anyone holding the corresponding RSA private key.
This guarantee breaks down when weak RSA keys are used. Small RSA keys
(e.g. 512 bits) can be broken on a single personal computer in tractible
time. Marginal RSA keys (768 bits) can be broken by EC2 and a few dollars.
Even 1024 bit keys can probably be broken by sophisticated and wealthy
attackers.
NIST SP800-57 (2016) recommends a minimum of 2048 bit RSA keys, and
estimates this provides 112 bits of security.
It would also be good to protect users from weak values of 'e' (i.e., 3) and
perhaps sanity check that their public key .pem does not accidentally
contain their private key as well. These considerations are left as future
work.
Reviewed by: markj, darius AT dons.net.au (previous version)
Discussed with: bjk
Differential Revision: https://reviews.freebsd.org/D17678
dteske [Fri, 26 Oct 2018 19:16:17 +0000 (19:16 +0000)]
Add blank line after each item in "ngctl ls -l"
The output of "ngctl ls -l" is hard to read. To make it easier, add a blank
line after each listed item much how traditional "ls -l" does when listing
the contents of multiple directories.
brooks [Fri, 26 Oct 2018 17:59:25 +0000 (17:59 +0000)]
Move 32-bit compat support for FIODGNAME to the right place.
ioctl(2) commands only have meaning in the context of a file descriptor
so translating them in the syscall layer is incorrect.
The new handler users an accessor to retrieve/construct a pointer from
the last member of the passed structure and relies on type punning to
access the other member which requires no translation.
Unlike r339174 this change supports both places FIODGNAME is handled.
imp [Fri, 26 Oct 2018 16:03:30 +0000 (16:03 +0000)]
Redo r339563: Remove joy(4) driver.
This driver was marked as gone in 12. We're at 13 now. Remove it.
Data from nycbug's dmesg cache shows only one potential user,
suggesting it never was used much. However, even though this device
has been obsolete for 15 years at least, sys/joystick.h is included in
a number of graphics packages still, so that remains. A full exprun
is needed before that can be removed.
imp [Fri, 26 Oct 2018 14:27:37 +0000 (14:27 +0000)]
Put a workaround in for command timeout malfunctioning
At least one NVMe drive has a bug that makeing the Command Time Out
PCIe feature unreliable. The workaround is to disable this
feature. The driver wouldn't deal correctly with a timeout anyway.
Only do this for drives that are known bad.
br [Fri, 26 Oct 2018 12:27:07 +0000 (12:27 +0000)]
o Add pmap lock around pmap_fault_fixup() to ensure other thread will not
modify l3 pte after we loaded old value and before we stored new value.
o Preset A(accessed), D(dirty) bits for kernel mappings.
imp [Fri, 26 Oct 2018 04:10:32 +0000 (04:10 +0000)]
Revert r339563.
I held the mistaken belief this was completely unused. While the
driver is unused and likely not relevant for a long time,
sys/joystick.h lives on in maybe half a dozen ports, even though
hardware to use it hasn't been widely used in maybe 15 years.
np [Thu, 25 Oct 2018 22:55:18 +0000 (22:55 +0000)]
cxgbe(4): Add a knob to split the rx queues for a netmap enabled
interface into two groups. Filters can be used to match traffic
and distribute it across a group.
kib [Thu, 25 Oct 2018 22:16:34 +0000 (22:16 +0000)]
Implement O_BENEATH and AT_BENEATH.
Flags prevent open(2) and *at(2) vfs syscalls name lookup from
escaping the starting directory. Supposedly the interface is similar
to the same proposed Linux flags.
Reviewed by: jilles (code, previous version of manpages), 0mp (manpages)
Discussed with: allanjude, emaste, jonathan
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D17547
mm [Thu, 25 Oct 2018 21:44:17 +0000 (21:44 +0000)]
MFV r339640,339641,339644:
Sync libarchive with vendor
Relevant vendor changes:
PR #1013: Add missing h_base offset when performing absolute seeks in
xar decompression
PR #1061: Add support for extraction of RAR v5 archives
PR #1066: Fix out of bounds read on empty string filename for gnutar, pax
and v7tar
PR #1067: Fix temporary file path buffer overflow in tests
IS #1068: Correctly process and verify integer arguments passed to
bsdcpio and bsdtar
PR #1070: Don't default XAR entry atime/mtime to the current time
andrew [Thu, 25 Oct 2018 17:39:41 +0000 (17:39 +0000)]
Implement a BSD licensed crtbegin/crtend
These are needed for .ctors/.dtors and .jcr handling. The former needs
all the function pointers to be called in the correct order from the
.init/.fini section. The latter just needs to call a gcj specific function
if it exists with a pointer to the start of the .jcr section.
This is currently disabled until __dso_handle support is added.
imp [Thu, 25 Oct 2018 17:17:11 +0000 (17:17 +0000)]
Update comment for AMI00[12]0 override.
The AML is even stupider than always returning 0. It will only return
non-zero for an OS that reports itself as "Windows 2015", at least
on the Threadripper board's AML that I've examined.
Those AMLs also suggest we may need this quirk for AMI0030 as well.
There may be other cases where we need to override the _STA in a
generic way, so we should consider writing code to do that.
0mp [Thu, 25 Oct 2018 15:41:19 +0000 (15:41 +0000)]
efivar(3): Fix some typos and improve style
- Fix some typos.
- Remove redundant semicolons from the synopsis section.
- Stylize variable names and types with Vt and Va respectively.
- Use a list to present non-implemented functions.
- Sort the order of the sections.
- Add a history section.
- Use Nm when "libefivar" is mentioned.
np [Thu, 25 Oct 2018 14:37:26 +0000 (14:37 +0000)]
cxgbe(4): Allow "pass" filters to distribute matching traffic using a
subset of a VI's RSS indirection table.
This makes it possible to make groups out of rx queues and steer
different kinds of traffic to different groups. For example, an
interface with 8 rx queues could have all non-TCP traffic delivered to
queues 0-3 and all TCP traffic to queues 4-7.
Note that it is already possible for filters to steer traffic to a
particular queue or to distribute it using the full indirection table
(much like normal rx does).
brooks [Thu, 25 Oct 2018 04:10:41 +0000 (04:10 +0000)]
Deprecate a number of less used 10 and 10/100 Ethernet devices.
The current deprecated list is: ae, bm, cs, de, dme, ed, ep, ex, fe,
pcn, sf, sn, tl, tx, txp, vx, wb, xe
The list as refined as part of FCP-0101. Per the FCP, devices may be
removed from the deprecation list if enough users are found or they are
converted to iflib.
kevans [Thu, 25 Oct 2018 02:14:35 +0000 (02:14 +0000)]
lualoader: Improve module loading diagnostics
Some fixes:
- Maintain historical behavior more accurately w.r.t verbose_loading;
verbose_loading strictly prints "${module_name...}" and later "failed!"
or "ok" based on load success
- With or without verbose_loading, dump command_errbuf on load failure.
This usually happens prior to ok/failed if we're verbose_loading
Reviewed by: imp
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D17694
kevans [Thu, 25 Oct 2018 02:04:01 +0000 (02:04 +0000)]
Update lualoader test script a little bit
Use userboot.so from the test directory if possible, fall back to .OBJDIR.
This avoids a problem that we've had since userboot coexistence was added,
where userboot.so alone no longer exists in the .OBJDIR but is instead just
a link installed later.
markj [Wed, 24 Oct 2018 16:41:47 +0000 (16:41 +0000)]
Use a vm_domainset iterator in keg_fetch_slab().
Previously, it used a hand-rolled round-robin iterator. This meant that
the minskip logic in r338507 didn't apply to UMA allocations, and also
meant that we would call vm_wait() for individual domains rather than
permitting an allocation from any domain with sufficient free pages.
Discussed with: jeff
Tested by: pho
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17420
bz [Wed, 24 Oct 2018 08:45:33 +0000 (08:45 +0000)]
Allow the bhyve VNC server to listen on IPv6 for incoming connections.
Alternatively to IPv4 address:port this will allow to listen on IPv6
link-local (incl. scope), a specific address, or ::. Addresses have
to be given in RFC2732 format so that [::]:port parsing will work.
This patch also starts to introduce WITH_INET/INET6_SUPPORT to bhyve.
PR: 232018
Submitted by: Dave Rush (northwoodlogic.free gmail.com) (original)
Reviewed by: Dave Rush (updated verison)
MFC after: 3 days
kevans [Wed, 24 Oct 2018 03:14:10 +0000 (03:14 +0000)]
menu.lua: Abort autoboot sequence on failed command
Currently, a timeout in the menu autoboot sequence would effectively do
nothing. We would return from the autoboot handling, then begin processing
the menu without redrawing it.
This change makes the behavior a little more friendly. Returning the user to
the menu can't have any good effects, so abort the autoboot sequence and
drop to the loader prompt.
kevans [Wed, 24 Oct 2018 02:02:37 +0000 (02:02 +0000)]
lualoader: unload upon kernel change if a kernel was previously loaded
In the majority of cases, a kernel is not loaded before we hit the menu.
However, if a password is set, we'll trigger autoboot and have loadelf'd
beforehand. We also need to take into account one dropping to the loader
prompt and twiddling with things manually; if they try to toggle through
kernels, we'll assume they mean it.
kp [Wed, 24 Oct 2018 00:19:44 +0000 (00:19 +0000)]
pf: Fix copy/paste error in IPv6 address rewriting
We checked the destination address, but replaced the source address. This was
fixed in OpenBSD as part of their NAT rework, which we don't want to import
right now.
kib [Tue, 23 Oct 2018 23:11:38 +0000 (23:11 +0000)]
Fix stand/ build after r339671.
ffs_subr.c requires calculate_crc32c() from libkern. Unfortunately we
cannot just add libkern/crc32.c to libstand because crc32.o is already
compiled from contrib/zlib/crc32.c. Use the include trick to rename
the source.
Note that libstand also provides crc32.c which seems to be unused.
Reviewed by: imp
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D17677
kib [Tue, 23 Oct 2018 21:43:41 +0000 (21:43 +0000)]
Only call sigdeferstop() for NFS.
Use bypass to catch any NFS VOP dispatch and route it through the
wrapper which does sigdeferstop() and then dispatches original
VOP. NFS does not need a bypass below it, which is not supported.
The vop offset in the vop_vector is added since otherwise it is
impossible to get vop_op_t from the internal table, and I did not
wanted to create the layered fs only to wrap NFS VOPs.
VFS_OP()s wrap is straightforward.
Requested and reviewed by: mjg (previous version)
Tested by: pho
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D17658
mckusick [Tue, 23 Oct 2018 21:10:06 +0000 (21:10 +0000)]
Continuing efforts to provide hardening of FFS, this change adds a
check hash to the superblock. If a check hash fails when an attempt
is made to mount a filesystem, the mount fails with EINVAL (Invalid
argument). This avoids a class of filesystem panics related to
corrupted superblocks. The hash is done using crc32c.
Check hases are added only to UFS2 and not to UFS1 as UFS1 is primarily
used in embedded systems with small memories and low-powered processors
which need as light-weight a filesystem as possible.
Reviewed by: kib
Tested by: Peter Holm
Sponsored by: Netflix
markj [Tue, 23 Oct 2018 16:35:58 +0000 (16:35 +0000)]
Refactor domainset iterators for use by malloc(9) and UMA.
Before this change we had two flavours of vm_domainset iterators: "page"
and "malloc". The latter was only used for kmem_*() and hard-coded its
behaviour based on kernel_object's policy. Moreover, its use contained
a race similar to that fixed by r338755 since the kernel_object's
iterator was being run without the object lock.
In some cases it is useful to be able to explicitly specify a policy
(domainset) or policy+iterator (domainset_ref) when performing memory
allocations. To that end, refactor the vm_dominset_* KPI to permit
this, and get rid of the "malloc" domainset_iter KPI in the process.
Reviewed by: jeff (previous version)
Tested by: pho (part of a larger patch)
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17417
tsoome [Tue, 23 Oct 2018 14:44:32 +0000 (14:44 +0000)]
loader: biosdisk interface should be able to cope with 4k sectors
The 4kn support in current bios specific biosdisk.c is broken, as the code
is only implementing the support for the 512B sector size.
This work is building the support for custom size sectors, we still do assume
the requested data to be multiple of 512B blocks and we only do address the
biosdisk.c interface here.
For reference, see also:
https://www.illumos.org/issues/8303
https://www.illumos.org/rb/r/547
As the GELI is moved above biosdisk "layer", the GELI should just work
gjb [Tue, 23 Oct 2018 14:38:08 +0000 (14:38 +0000)]
Add debug.witness.trace=0 back to the installer sysctl.conf(5),
incorrectly removed from head when it should have been removed
from stable/12 post-branch.
Reported by: bdrewery
Sponsored by: The FreeBSD Foundation