Gleb Smirnoff [Tue, 20 Feb 2024 18:31:05 +0000 (10:31 -0800)]
arp: fix arp -s/-S
When setting a permanent ARP entry, the route(4) would use
rtm->rtm_rmx.rmx_expire == 0 as a flag for installing a static entry, but
netlink(4) is looking for explicit NTF_STICKY flag in the request. The
arp(8) utility was adopted to use netlink(4) by default, but it has lots
of route-era guts internally. Specifically there is global variable 'opts'
that shares configuration for both protocols, and it is still initialized
with route(4) specific RTF_xxx flags. In set_nl() these flags are
translated to netlink(4) parameters. However, RTF_STATIC is a flag that is
never set by default, so attempt to use it as a proxy flag manifesting
-s/-S results in losing it. Use zero opts.expire_time as a manifest of
-s/-S operation. This is a minimal fix. A better one would be to fully
get rid of route(4) legacy.
The change also corrects the logic to set NUD_PERMANENT flag for
consistency. This flag is ignored by our kernel (now).
Ed Maste [Tue, 20 Feb 2024 16:43:00 +0000 (11:43 -0500)]
iwm.4: add iwlwifi cross-reference
iwlwifi(4) supports a superset of the devices supported by iwm(4). The
latter may be retired in the future (if there is no reason to prefer it
for the set of devices supported by both).
Stefan Eßer [Tue, 20 Feb 2024 12:02:24 +0000 (13:02 +0100)]
msdosfs: fix potential inode collision on FAT12 and FAT16
FAT file systems do not use inodes, instead all file meta-information
is stored in directory entries.
FAT12 and FAT16 use a fixed size area for root directories, with
typically 512 entries of 32 bytes each (for a total of 16 KB) on hard
disk formats. The file system data is stored in clusters of typically
512 to 4096 bytes, depending on the size of the file system.
The current code uses the offset of a DOS 8.3 style directory entry as
a pseudo-inode, which leads to inode values of 0 to 16368 for typical
root directories with 512 entries.
Sub-directories use 2 cluster length plus the byte offset of the
directory entry in the data area for the pseudo-inode, which may be
as low as 1024 in case of 512 byte clusters. A sub-directory in
cluster 2 and with 512 byte clusters will therefore lead to a
re-use of inode 1024 when there are at least 32 DOS 8.3 style
filenames in the root directory (or 11 14-character Windows
long file names, each of which takes up 3 directory entries).
FAT32 file systems are not affected by this issue and FAT12/FAT16
file systems with larger cluster sizes are unlikely to have as
many directory entries in the root directory as are required to
cause the collision.
This commit leads to inode numbers that are guaranteed to not collide
for all valid FAT12 and FAT16 file system parameters. It does also
provide a small speed-up due to more efficient use of the vnode cache.
Approved by: mckusick
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D43978
Kirk McKusick [Tue, 20 Feb 2024 00:16:07 +0000 (16:16 -0800)]
Eliminate unnecessary UFS1 integrity checks.
The UFS1 integrity checks added in FreeBSD 14 were too aggressive
for UFS1 filesystems created in FreeBSD 4 and 9 systems. This patch
removes those tests which can be done safely since they are not
relevant to the current implementation of UFS1.
This is a follow-on report to bug report 264450 (comments 21-28).
Xin LI [Mon, 19 Feb 2024 23:01:04 +0000 (15:01 -0800)]
zlib: use more memory for a small deflate speedup.
The LIT_MEM option uses slightly more memory (for base gzip(1),
about 16kiB; according to the author, about 6% for default deflate
settings) for a small speedup.
The performance gain is more noticeable for input data with higher
entropy and less significant for data that is highly compressible,
such as source code and logs.
Brooks Davis [Mon, 19 Feb 2024 22:44:08 +0000 (22:44 +0000)]
lib{c,thr}: add DT_RUNPATH for gcc -m32
To allow gcc -m32 to work, link libc and libthr with --rpath-/usr/lib32.
When called with -m32, gcc is currently unable to communicate to
the bfd linker that it should look in /usr/lib32 to resolve needed (as
opposed to explicitly linked) libraries so we need to provide a hint.
See also: https://sourceware.org/bugzilla/show_bug.cgi?id=31395
Brooks Davis [Mon, 19 Feb 2024 22:44:08 +0000 (22:44 +0000)]
lib{c,sys}: move auxargs more firmly into libsys
Continue to filter the public interface (elf_aux_info()), but entierly
relocate the private interfaces (_elf_aux_info(),
__init_elf_aux_vector(), and __elf_aux_vector) to libsys.
This ensures that rtld updates the correct (only) copy of
__elf_aux_vector. After 968a18975adc9c2a619bb52aa2f009de99fc9e24
updates were confused and __getosreldate was failing, causing
the system to fall back to compat compat12 syscalls in some cases.
Return to explicitly linking libc to libsys and link libthr with libc
and libsys (in that order).
Andriy Gapon [Mon, 19 Feb 2024 10:16:47 +0000 (12:16 +0200)]
scsi_da: add 4K quirks for Samsung SSD 860 and 870
Although the actual flash page size is either 8K or 16K for those
devices (according to different sources of various reliability), they
seem to be optimized for the "industry-standard" emulated 4K block size.
To do: consolidate very similar Samsung SSD entries for 830 - 870
models.
Boris Lytochkin [Mon, 19 Feb 2024 07:44:52 +0000 (10:44 +0300)]
ndp(8): increase buffer size in rtsock mode
On a router with many connected devices (~10k+) `ndp -an` can fail
with ENOMEM because of some additional NDP records were added
between sysctl() buffer size estimate and data fetch calls.
Allocate more space based on size estimate: 1/64 (~2%) of additional
space, but not less that 4 m_rtmsg structures.
Currently there is no support for generating armv7 vm images in the
release artifacts. In fact in terms of release artifacts and
architecture there is no good reason to have a vm release artifact for
armv7 as those are mostly used in SOCs or embedded boards. However
considering that developers actually do need an easy way to test armv7
with a vm running this is really important. As part of pre-commit ci for
developers this can be really helpful for the end developers.
Approved by: cperciva, imp, re
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D43952
Bryan Drewery [Sun, 18 Feb 2024 18:55:11 +0000 (10:55 -0800)]
wc: Fix SIGINFO race with casper init.
If a file is specified then fileargs_init(3) may return [EINTR]. With
the SIGINFO handler not being SA_RESTART this causes an early exit
if a SIGINFO comes in. Rather than checking for [EINTR] or changing the
handler just move it later which resolves the problem.
Bjoern A. Zeeb [Sun, 18 Feb 2024 17:47:22 +0000 (17:47 +0000)]
net80211: increase number of spares in struct ieee80211_vap
Turns out MFCing 713db49d06deee90dd358b2e4b9ca05368a5eaf6 does not
leave us with enough spares. Given wireless will likely see more
changes in the near future add more spares.
This is especially necessary given 'struct ieee80211_vap' gets
allocated by drivers.
Bumps size of struct ieee80211_vap to (7 * 512) on 64bit.
unionfs: work around underlying FS failing to respect cn_namelen
unionfs_mkshadowdir() may be invoked on a non-leaf pathname component
during lookup, in which case the NUL terminator of the pathname buffer
will be well beyond the end of the current component. cn_namelen in
this case will still (correctly) indicate the length of only the
current component, but ZFS in particular does not currently respect
cn_namelen, leading to the creation on inacessible files with slashes
in their names. Work around this behavior by temporarily NUL-
terminating the current pathname component for the call to VOP_MKDIR().
https://github.com/openzfs/zfs/issues/15705 has been filed to track
a proper upstream fix for the issue at hand.
unionfs: upgrade the vnode lock during fsync() if necessary
If the underlying upper FS supports shared locking for write ops,
as is the case with ZFS, VOP_FSYNC() may only be called with the vnode
lock held shared. In this case, temporarily upgrade the lock for
those unionfs maintenance operations which require exclusive locking.
While here, make unionfs inherit the upper FS' support for shared
write locking. Since the upper FS is the target of VOP_GETWRITEMOUNT()
this is what will dictate the locking behavior of any unionfs caller
that uses vn_start_write() + vn_lktype_write(), so unionfs must be
prepared for the caller to only hold a shared vnode lock in these
cases.
Found in local testing of unionfs atop ZFS with DEBUG_VFS_LOCKS.
VFS: update VOP_FSYNC() debug check to reflect actual locking policy
Shared vs. exclusive locking is determined not by MNT_EXTENDED_SHARED
but by MNT_SHARED_WRITES (although there are several places that
ignore this and simply always use an exclusive lock). Also add a
comment on the possible difference between VOP_GETWRITEMOUNT(vp)
and vp->v_mount on this path.
Found by local testing of unionfs atop ZFS with DEBUG_VFS_LOCKS.
Store the upper/lower FS mount objects in unionfs per-mount data and
use these instead of the v_mount field of the upper/lower root
vnodes. As described in the referenced PR, it is unsafe to access this
field on the unionfs unmount path as ZFS rollback may have obliterated
the v_mount field of the upper or lower root vnode. Use these stored
objects to slightly simplify other code that needs access to the
upper/lower mount objects as well.
syscon_power: do reboot after shutdown_panic is executed
A syscon_power instance can handle either poweroff or reboot, but not
both. If the instance handles reboot then set its priority to be after
shutdown_panic.
This is to provide uniform experience with other platforms.
Andriy Gapon [Sun, 18 Feb 2024 13:57:34 +0000 (15:57 +0200)]
rk8xx_poweroff: enable power-cycling on support hardware
Previously, the function would return early if RB_POWERCYCLE was
specified without RB_POWEROFF. Those flags are exclusive at the moment,
that is, they are never set together.
Søren Schmidt (sos) uses a similar but extended patch locally.
Warner Losh [Sun, 18 Feb 2024 06:15:01 +0000 (23:15 -0700)]
loader: Make MK_LOADER_BIOS_TEXTONLY work
Select between text-only and graphical frame buffer consoles for the
BIOS boot loader. Pull one or the other in with #ifdef in conf.c. Add
gfx_bios.c for the few routines that are needed for the BIOS support of
gfx. These are stubbed out for text-only mode. Move bi_load_vbe_data
here since it's only used for the graphical frame buffer.
Note: This setup also allows us to build multiple BIOS loaders if we
have to, some with text-only and some graphical. We don't do this today.
We may be forced to turn this on in the future if ZFS keeps growing.
The size savings is 41k, which helps a lot with some of our users that
want to enable more options in the BIOS boot loader than are normally
safe to do, and they don't need graphics.
Warner Losh [Sun, 18 Feb 2024 06:14:50 +0000 (23:14 -0700)]
loader: Add new option WITH_LOADER_BIOS_TEXTONLY
This option will omit all the graphics support, the teken terminal
library, video mode support, etc and support a simple, basic, text-only
video console for the x86 BIOS boot loader. It uses the FreeBSD 12
version of vidconsole.c. It defaults to NO.
Warner Losh [Sun, 18 Feb 2024 06:14:44 +0000 (23:14 -0700)]
loader: bring back old text-only video console
Bring back vidconsole.c as textvidc.c from 2a0e2c88db20. This console
does no graphics stuff at all, supports no fancy logos, has known bugs
in the terminal emulation, etc. However, it is small. It will be a
build-time option to select between the two. The BIOS loader is running
out of space when too many options are selected, so this allows people
to select the smaller one to spend the space elsewhere. This is only the
verbatim copy of the old vidconsole.c. It's not yet connected to the
build.
Warner Losh [Sun, 18 Feb 2024 04:30:48 +0000 (21:30 -0700)]
reboot: Move extern for environ
envorin isn't defined in any header, and gcc is cranky with this inside
a function, so move it to global scope. Both clang and gcc are now happy
with this.
Stefan Eßer [Sat, 17 Feb 2024 21:04:49 +0000 (22:04 +0100)]
msdosfs: fix directory corruption after rename operation
The is a bug in MSDOSFS that can be triggered when the target of a
rename operation exists. It is caused by the lack of inodes in the
FAT file system, which are substituted by the location of the DOS 8.3
directory entry in the file system. This causes the "inode" of a file
to change when its directory entry is moved to a different location.
The rename operation wants to re-use the existing directory entry
position of an existing target file name (POS1). But the code does
instead locate the first position in the directory that provides
sufficient free directory slots (POS2) to hold the target file name
and fills it with the directory data.
The rename operation continues and at the end writes directory data to
the initially retrieved location (POS1) of the old target directory.
This leads to 2 directory entries for the target file, but with
inconsistent data in the directory and in the cached file system
state.
The location that should have been re-used (POS1) is marked as deleted
in the directory, and new directory data has been written to a
different location (POS2). But the VFS cache has the newly written
data stored under the inode number that corresponds to the initially
planned position (POS1).
If then a new file is written, it can allocate the deleted directory
entries (POS1) and when it queries the cache, it retrieves data that
is valid for the target of the prior rename operation, leading to a
corrupt directory entry (at POS1) being written (DOS file name of the
earlier rename target combined with the Windows long file name of the
newly written file).
Dimitry Andric [Sat, 17 Feb 2024 11:27:33 +0000 (12:27 +0100)]
Proactively remove /usr/lib/kgdb file that became a directory
This was already handled in ObsoleteFiles.inc (see the 20201215 entry),
but some people never run "make delete-old", or want to upgrade directly
from a revision that still had the file to the most recent revision.
They would then encounter a failure during installworld, similar to:
install: /usr/libexec/kgdb exists but is not a directory
Therefore, clean it up in the distrib-cleanup phase, similar to the
earlier instances of libc++ header files that became a directory.
John Baldwin [Sat, 17 Feb 2024 07:17:42 +0000 (23:17 -0800)]
powerpc psim: Fix infinite recursion in multiple bus methods
Similar to 68a3ff041129208ea98a3bd5142061176ab4165e, the default case
needs to call bus_generic_* to pass the request up the tree, not bus_*
which will just call this method again.
Fixes: d7c16b333455 powerpc psim: Use bus_generic_rman_*
John Baldwin [Sat, 17 Feb 2024 07:15:52 +0000 (23:15 -0800)]
powerpc mpc85xx: Fix infinite recursion in multiple bus methods
Similar to 68a3ff041129208ea98a3bd5142061176ab4165e, the default case
needs to call bus_generic_* to pass the request up the tree, not bus_*
which will just call this method again.
Fixes: 5a7e717fb790 powerpc mpc85xx: Use bus_generic_rman_*
Dimitry Andric [Sun, 11 Feb 2024 19:02:51 +0000 (20:02 +0100)]
Optionally create full debuginfo for llvm-related executables
Commit de6feefdb7cfd limited the amount of debuginfo generated for clang
and other llvm-related executables. This was done to save disk space and
memory during building, but it makes debugging any of these executables
much harder.
Add a new src.conf(5) setting, WITH_LLVM_FULL_DEBUGINFO, to generate
full debuginfo instead. This is off by default, but could for example be
enabled for release builds or snapshots, so llvm executables are easier
to debug.
Mitchell Horne [Tue, 25 May 2021 21:04:56 +0000 (18:04 -0300)]
busdma: fix page miscount for small segment sizes
For small segments (< PAGE_SIZE) there is a mismatch between how
required bounce pages are counted in _bus_dmamap_count_pages() and
bounce_bus_dmamap_load_buffer().
This problem has been observed on the RISC-V VisionFive v2 SoC (and
earlier revisions of the hardware) which has memory physically addressed
above 4GB. This requires some bouncing for the dwmmc driver, which has
has a maximum segment size of 2048 bytes. When attempting to load a
page-aligned 4-page buffer that requires bouncing, we can end up
counting 4 bounce pages for an 8-segment transfer. These pages will be
incorrectly configured to cover only the first half of the transfer (4 x
2048 bytes).
Fix the immediate issue by adding the maxsegsz check to
_bus_dmamap_count_pages(); this is what _bus_dmamap_count_phys() does
already. The result is that we will inefficiently allocate a separate
bounce page for each segment (8 pages for the example above), but the
transfer will proceed in its entirety.
The more complete fix is to address the shortcomings in how small
segments are assigned to bounce pages, so that we opportunistically
batch multiple segments to a page whenever they fit (e.g. two 2048 bytes
segments per 4096 page). This will be addressed more holistically in the
future. For now this change will prevent the (silent) incomplete
transfers that have been observed.
PR: 273694
Reported by: Jari Sihvola <jsihv@gmx.com>
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34118
John Baldwin [Fri, 16 Feb 2024 17:42:30 +0000 (09:42 -0800)]
powerpc psim: Fix infinite recursion in bus_adjust_resource method
The default case needs to call bus_generic_adjust_resource to pass the
request up the tree, not bus_adjust_resource which will just call this
method again.
Fixes: d7c16b333455 powerpc psim: Use bus_generic_rman_*
John Baldwin [Fri, 16 Feb 2024 17:40:34 +0000 (09:40 -0800)]
powerpc mpc85xx: Fix infinite recursion in bus_adjust_resource method
The default case needs to call bus_generic_adjust_resource to pass the
request up the tree, not bus_adjust_resource which will just call this
method again.
Fixes: 5a7e717fb790 powerpc mpc85xx: Use bus_generic_rman_*
Bjoern A. Zeeb [Wed, 14 Feb 2024 21:56:48 +0000 (21:56 +0000)]
LinuxKPI: 802.11: lsta txq locking cleanup
Rename the LSTA lock to LSTA_TXQ lock as that is really what it is and
put down the full set of macros. Replace the init and destroy with the
macro invocation rather than direct code.
Put locking around the txq_ready unset and check. Move the taskq_enqueue
call under lock to be sure we do not call it anymore after txq_ready
got unset.
Leave a comment related to the node reference which is passed into the
TX path on the recvif mbuf pointer.
Mark Johnston [Thu, 15 Feb 2024 18:17:37 +0000 (13:17 -0500)]
pmc: Fix some problems with the makefile
- For some reason we don't build it as a PIE, but I don't have any
problems doing so with either clang or gcc.
- There is no apparent need to override WARNS, so don't.
- Some building with -O0, presumably that's left over from debugging.
Roger Pau Monné [Tue, 6 Feb 2024 08:16:44 +0000 (09:16 +0100)]
x86/xen: fix migration when ACPI suspend is not available
Xen PVH guests expose a very minimal set of ACPI tables, and due to the lack of
SCI interrupt FreeBSD doesn't allocate the suspend stacks for saving CPU and
FPU contexts.
Lack of allocated stacks would lead to a page-fault in cpususpend_handler() when
CPUs attempted to use the save context area as a result of a Xen suspend
request. However there's no need to save the CPU or the FPU registers in the
Xen case, as that's all handled by the hypervisor. Hence avoid saving all this
state if the suspend stacks are not allocated.
Note that this will currently only apply to PVH guests, HVM ones will still get
the stack allocated and the context saved even when not strictly required. I
find it easier rather that having to provide cpususpend_handler() with extra
information whether the context needs to be saved or not.
Michael Tuexen [Fri, 16 Feb 2024 11:19:24 +0000 (12:19 +0100)]
RACK, BBR: handle EACCES like EPERM for IP output handling
The FreeBSD TCP base stack handles them also the same way.
In case of packet filters dropping packets in the output path,
this avoids retranmitting the dropped packet every 10ms or so.
Warner Losh [Fri, 16 Feb 2024 03:55:05 +0000 (20:55 -0700)]
loader: Simplify build a little
Confine -DDISK_DEBUG to biosdisc.c, the only file it affects.
Use modern variable arrays instead of alloca and add a sanity
size minimum for biospnp nodes. These nodes are tiny enough that
we needn't do a malloc/free pair: the stack is fine.
Warner Losh [Fri, 16 Feb 2024 03:54:36 +0000 (20:54 -0700)]
flua: Add hash module
Add lua bindings to hashing functions. sha256 is available. sha256.new
craetes a new object. sha256.update updates the digest. sha256.digest
returns the digest as a binary string and resets the
context. sha256.hexdigest returns the digest as a string of hex digits
and then resets the cotnext.
Warner Losh [Fri, 16 Feb 2024 03:54:04 +0000 (20:54 -0700)]
loader: Move drawer.lua over to gfx table.
Drawer.lua is the only bit of lua code in the base that uses any of the
functons moved from the loader table to the gfx table. Move the main
code to using the gfx dispatch. Add compat code for running on old
loaders that creates the newer-style gfx table with the term_* functions
we call in it populated. This will even work on the super old versions
of the loader that don't have them (we'll still skip using them).
Warner Losh [Fri, 16 Feb 2024 03:53:55 +0000 (20:53 -0700)]
loader: Move gfx functions to gfx.lua.8
Now that the fb_* and term_* functions are available in the gfx table,
move the documentation to gfx.lua.8. Add information about backwards
compatibility.
Warner Losh [Fri, 16 Feb 2024 03:53:39 +0000 (20:53 -0700)]
loader: Remove gfx_fb_stub.c, it's no longer needed
Now that we draw in the gfx bindings for all our interpreters only when
graphics support is compiled in, we can eliminate this from all the
loaders that don't have graphics support.
Warner Losh [Fri, 16 Feb 2024 03:53:28 +0000 (20:53 -0700)]
loader: Only create gfx 4th bindings when gfx is available
Only create the gfx bindings for 4th when it's compiled into the
loader. We do this with a linker set that only gets brought in to those
loaders that call gfx_framework_init. This calls gfx_interp_md() will
will drag in gfx_loader.c which will add to the linker set that
registers these bindings.
Warner Losh [Fri, 16 Feb 2024 03:53:19 +0000 (20:53 -0700)]
loader: Add prototype for gfx_interp_md
This function will be used to draw in the graphics bindings when the
loader is compiled with graphics (gfx) support. Provide definitions
for lua and the simple interpreter. 4th support is forthcoming.
Warner Losh [Fri, 16 Feb 2024 03:53:07 +0000 (20:53 -0700)]
loader: Create new gfx table
Create a new gfx global table. Put into it all the graphics bindings
that we have in loader today. For now, have compatability binding for
loader. Remove them from loader.
Warner Losh [Fri, 16 Feb 2024 03:52:41 +0000 (20:52 -0700)]
loader: Simplify the loader.has_command
luaL_checkstring already checks for the right number of
arguments. There's no need to do that by hand here. Now an exception
will be thrown like any other function with the wrong args. Also,
push a boolean instead of an int.
ipfw: Skip to the start of the loop when following a keep-state rule
When a packet matches an existing dynamic rule for a keep-state rule,
the matching engine advances the "instruction pointer" to the action
portion of the rule skipping over the match conditions. However, the
code was merely breaking out of the switch statement rather than doing
a continue, so the remainder of the loop body after the switch was
still executed. If the first action opcode contains an F_NOT but not
an F_OR (such as an "untag" action), then match is toggled to 0, and
the code exits the inner loop via a break which aborts processing of
the actions.
John Baldwin [Fri, 16 Feb 2024 01:56:01 +0000 (17:56 -0800)]
pci_host_generic: Properly handle bus_release_resource of IRQ resources
Unlike other bus methods updated to use bus_generic_rman_* in commit d79b6b8ec267, the bus_release_resource method was using
bus_generic_rman_release_resource for all types other than
PCI_RES_BUS. Instead, bus_generic_rman_* should only be used for
memory and I/O port resources for this driver.
John Baldwin [Fri, 16 Feb 2024 00:05:09 +0000 (16:05 -0800)]
pci_host_generic: Set a valid error if allocating a range resource fails
Previously pci_host_generic_attach was returning 0 (success)
incorrectly if allocating a range failed. The error value was 0 from
the previously successful call to bus_set_resource in this case.
Fixes: d79b6b8ec267 pci_host_generic: Don't rewrite resource start address for translation
John Baldwin [Fri, 16 Feb 2024 00:04:50 +0000 (16:04 -0800)]
simplebus: Map SYS_RES_IOPORT to SYS_RES_MEMORY later in alloc_resource
Specifically, the set/get_resource methods do not currently remap
resource types, so remap the type in alloc_resource only after
looking for a matching resource list entry.
Fixes: 3cf553288b96 simplebus: Consistently map SYS_RES_IOPORT to SYS_RES_MEMORY
Warner Losh [Thu, 15 Feb 2024 21:28:54 +0000 (14:28 -0700)]
reboot: initialize howto
Make static analyzers happy by initialzing howto to 0. Coverity is
cranky that it could be used unused. But it's analysis is incomplete
because the args to getopt when it wasn't initialized preclude it from
being used.
Cy Schubert [Thu, 15 Feb 2024 15:41:07 +0000 (07:41 -0800)]
heimdal: Fix NULL deref
A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.
Upstream notes:
Reported to Heimdal by Michał Kępień <michal@isc.org>.
From the report:
Acknowledgement
---------------
This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability, which was reported to ISC by Trend Micro's Zero Day
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
excahnge when anonymous PKINIT is used. Failure to do so can
permit an active attacker to become a man-in-the-middle.
Cy Schubert [Thu, 15 Feb 2024 00:54:46 +0000 (16:54 -0800)]
heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()
Apply upstream 22749e918 to fix a buffer overflow.
Upstream notes:
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen