This fixes an assertion ('Assertion failed: ((LHSExpr->containsErrors()
|| RHSExpr->containsErrors()) && "Should only occur in error-recovery
path."), function BuildBinOp') when building parts of dtrace in certain
scenarios.
Ed Maste [Wed, 19 Jul 2023 17:02:33 +0000 (13:02 -0400)]
ssh: Update to OpenSSH 9.3p2
From the release notes:
Changes since OpenSSH 9.3
=========================
This release fixes a security bug.
Security
========
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
CVE: CVE-2023-38408
Sponsored by: The FreeBSD Foundation
Using per-CPU and per-thread trampolines is expensive and error-prone,
since we're rewriting the same memory blocks constantly. Per-probe
trampolines solve this problem by giving each probe its own block of
executable memory, which more or less remains the same after the initial
write.
What this patch does, is get rid of the initialization code which
allocates a trampoline for each thread, and instead let each port of
kinst allocate a trampoline for each new probe created. It also sets up
the infrastructure needed to support the new trampoline scheme.
This change is not currently supported on amd64, as the amd64 port needs
further changes to work, so this is a temporary/gradual patch to fix the
riscv and arm64 ports.
Reviewed by: markj
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40962
kinst: check for 'push %rbp' anywhere in the function
Currently kinst checks if only the first instruction is 'push %rbp',
essentially excluding functions that do push RBP, but not in the first
instruction. This patch modifies kinst to check for 'push %rbp', as
well, as a following 'pop %rbp', anywhere in the function. This behavior
also matches that of FBT.
Reviewed by: markj
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40283
Doug Moore [Wed, 19 Jul 2023 14:43:31 +0000 (09:43 -0500)]
radix_trie: simplify ge, le lookups
Replace the implementations of lookup_le and lookup_ge with ones
that do not use a stack or climb back up the tree, and instead
exploit the popmap field to quickly identify the place to resume
searching if the straightforward indexed search fails.
The code size of the original functions shrinks by a combined 160
bytes on amd64, and the cumulative cycle count per invocation of
the two functions together is reduced 20% in a buildworld test.
linux(4): Properly allocate buffer for kern_getdirentries in readdir
Looks like prior to ino64 project the size of the struct linux_dirent
was greater (or equal) to the size of the native struct dirent so the
native dirent fit into the buffer. After ino64 project the size of the
native struct dirent has increased.
- Change -g (ignored for BSD 4.3 compatibility since BSD 4.4)
to use POSIX semantics of implying -l but omitting the owner's
name.
- Change -n to imply -l.
The -o option remains unchanged (POSIX defines -o as a complement to
-g that implies -l but omits group names whereas BSD defines -o to add
file flags to -l). This compromise is the same used by both NetBSD
and OpenBSD.
PR: 70813
Reviewed by: jhb, Pau Amma <pauamma@gundo.com>
Co-authored-by: John Baldwin <jhb@FreeBSD.org>
Differential Revision: https://reviews.freebsd.org/D34747
Ed Maste [Tue, 18 Jul 2023 16:23:31 +0000 (12:23 -0400)]
openssh: document a locally-applied workaround
We have a local hacky workaround for an issue caused by a hacky
upstream autoconf test. Reported upstream on the OpenSSH mailing list:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html
As it turns out having autotrim default to 'on' on FreeBSD never really
worked due to mess with defines where userland and kernel module were
getting different default values (userland was defaulting to 'off',
module was thinking it's 'on').
The lang/python3 port had failed to properly install because
it did in fact already exist and FORCE_PKG_REGISTER was not
set. So, behaviorally everything here was correct. However,
installing lang/python3 is in fact not correct and not needed,
so only install the lang/python port to provide symbolic links.
beadm will recursively promote deep BE datasets. In order to match the
beadm behavior, we need to recursively iterate over child filesystems
and promote them along the way.
This patch further refines the work from D40903, completing the fix for
promotion.
Steve Kargl [Mon, 17 Jul 2023 05:19:28 +0000 (08:19 +0300)]
libm: correctly test for for NaN and Infinity in sinpi(), cospi(), and tanpi()
The current versions of lib/msun/src/s_cospi.c, s_sinpi.c and s_tanpi.c
all exhibit the same defect. After checking for various numeric ranges,
they check to see whether the input argument is a NaN or an Infinity.
However, the code uses a value of 0x7f80000 instead of the correct value
of 0x7ff00000.
If you review s_cospif.c, s_sinpif.c, and s_tanpif.c, you will see that
the equivalent statements in these functions are accurate and have
appropriate source comments.
The impact of these defects is to flag some valid input values as
invalid and raise a pole error (divide by zero).
Reported by: Paul Green <Paul.Green@stratus.com>
PR: 272539
MFC after: 1 week
Merge commit 8757ce490130 from llvm-project (by Simon Pilgrim):
[PowerPC] Replace PPCISD::VABSD cases with generic ISD::ABDU(X,Y) node
A move towards using the generic ISD::ABDU nodes on more backends
Also support ISD::ABDS for v4i32 types using the existing signbit flip trick
PowerPC has a select(icmp_ugt(x,y),sub(x,y),sub(y,x)) -> abdu(x,y) combine that I intend to move to DAGCombiner in a future patch.
The ABS(SUB(X,Y)) -> PPCISD::VABSD(X,Y,1) v4i32 combine wasn't legal (https://alive2.llvm.org/ce/z/jc2hLU) - so I've removed it, having already added the legal sub nsw tests equivalent.
bcmp() returned the number of remaining bytes when the main loop exits.
In case of a match, this is zero, else a positive integer. On systems
where SIZE_MAX > INT_MAX, the implicit conversion from size_t to int in
the return value may cause the number of remaining bytes to overflow,
becoming zero and falsely indicating a successful comparison.
Fix the bug by always returning 0 on equality, 1 otherwise.
PR: 272474
Approved by: emaste
Reviewed by: imp
MFC After: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41011
libexec/rtld-elf/rtld-libc/Makefile.inc: do not use machdep string functions
With ifunc based SIMD dispatch, we cannot use the amd64 assembly
implementations of string functions. Modify rtld to instead use
the generic functions. To avoid an architecture-specific special
case, this change is applied to all architectures.
This change is a prerequisite to and formerly part of D40693.
Sponsored by: FreeBSD Foundation
Approved by: kib
See also: D40693
Differential Revision: https://reviews.freebsd.org/D41050
rtld: fix dlopen() for an object that is already mapped but not yet initialized
For instance, dso might be mapped as needed but not yet initialized from
the other subtree of needed objects, while current object' constructor
does dlopen() for the dso. Right now rtld does relocations and other
processing based on the arrival of new objects in the global list, which
is not happens there. Directly check for the initialization state of
the object, for which we would return the handle.
One practical use case of this support is e.g. dlopen("libthr.so",
RTLD_NOLOAD) by libraries that are threading-aware but happy to live
with libc pthread shims if the program is not multithreaded.
Reviewed by: tijl
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Gcc warns of infinite recursion if we use __builtin_ffs*() to
implement ffs*(). This is because gcc uses ffs() to implement
these on some platforms. Sidestep the warning by using
__builtin_ctz*() for these.
John Baldwin [Fri, 14 Jul 2023 18:31:42 +0000 (11:31 -0700)]
memdesc: Add a MEMDESC_VMPAGES descriptor type.
This memory descriptor is backed by an array of VM pages. This type
requires adding a new field to 'struct memdesc' to hold the offset
within the first page. For LP64 systems, this new field is added in
an existing padding hole so does not increase the size. For ILP32
systems, this grows 'struct memdesc' from 12 to 16 bytes.
John Baldwin [Fri, 14 Jul 2023 17:27:40 +0000 (10:27 -0700)]
PCI DEN0115: Reliably check for a memory resource during probe.
rid was stack garbage, so the bus_alloc_resource_any() call could fail
and fall through to the SMCCC version check even if a bridge had a
memory resource.
Debugging help: jrtc27
Reviewed by: jrtc27
Fixes: c9a05c072270 Add a PCI driver that follows the Arm DEN0115 spec
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D41025
John Baldwin [Fri, 14 Jul 2023 17:25:54 +0000 (10:25 -0700)]
Obsoletefiles.inc: A few OpenSSL 3 cleanups.
- Treat old engine DSOs from OpenSSL 1.1.1 as OLD_LIBS, not OLD_FILES.
These should only be deleted by make delete-old-libs similar to how
PAM modules are treated.
- Add /usr/lib32/engines to OLD_DIRS. lib32 automation does not apply
to OLD_DIRS.
Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>
Differential Revision: https://reviews.freebsd.org/D41034
Since this function ultimately calls vn_lock() or VOP_LOCK1(), allows it to
receive and pass this flag which is used in the lookup code and doesn't
interfere with the function's operation.
Doug Rabson [Wed, 21 Jun 2023 12:26:17 +0000 (13:26 +0100)]
/etc/rc.subr: add support for kld sysctl variables
For kernel modules loaded by scripts in /etc/rc.d and
/usr/local/etc/rc.d, if there is a file in /etc/sysctl.conf.d named <kld
name>.conf, then this will be loaded using the sysctl(8) utility. For
instance, sysctl variable changes for the pf kernel module would be
placed in the file /etc/sysctl.conf.d/pf.conf.
Include systm.h in i386's counter.h, so it can use critical_*().
In file included from /usr/src/sys/netinet6/ip6_var.h:250:
In file included from /usr/src/sys/sys/counter.h:37:
./machine/counter.h:191:3: error: call to undeclared function 'critical_enter'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]
critical_enter();
^
./machine/counter.h:193:3: error: call to undeclared function 'critical_exit'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]
critical_exit();
^
Pre-declare struct ucred, to fix build issues on the MINIMAL config:
In file included from /usr/src/sys/netpfil/pf/pfsync_nv.c:40:
/usr/src/sys/netinet6/ip6_var.h:384:31: error: declaration of 'struct ucred' will not be visible outside of this function [-Werror,-Wvisibility]
struct ip6_pktopts *, struct ucred *, int);
^
/usr/src/sys/netinet6/ip6_var.h:408:28: error: declaration of 'struct ucred' will not be visible outside of this function [-Werror,-Wvisibility]
struct inpcb *, struct ucred *, int, struct in6_addr *, int *);
^
2 errors generated.
Doug Moore [Fri, 14 Jul 2023 06:49:55 +0000 (01:49 -0500)]
vm_radix_init: use initializer
Several vm_radix tries are not initialized with vm_radix_init. That
works, for now, since static initialization zeroes the root field
anyway, but if initialization changes, these tries will fail. Add
missing initializer calls.
Makefile.libcompat: Make quoting for CC/CXX/CPP more future-proof
bmake's :Q is for quoting outside of double quotes, but here is inside
double quotes, and as a result it ends up quoting characters that don't
have a special meaning inside double quotes. On the surface this would
seem harmless, but POSIX sh has a strange behaviour (differing from
outside double quotes) that, inside double quotes, a backslash before a
character that never has a special meaning inside double quotes is
passed through. As a result, should LIB${_LIBCOMPAT}CFLAGS contain
something like -DFOO\(x\)=x, we would form "... -DFOO\\\(x\\\)=x ...",
which would be parsed as -DFOO\\(x\\)=x, since the parentheses are never
special inside double quotes (but the backslash itself is), not the
original -DFOO\(x\)=x as intended.
Instead, construct the whole string as a bmake expression and use :Q on
that, without the manual double quotes around everything. Note that the
:L modifier lets you treat an expression like a variable expansion and
apply modifiers to it, i.e. ${expr:L:...} is the same as tmp=expr
${tmp:...} (in essence, ignoring possible differences due to deferred
substitution).
Improves: 537f945fc89f ("Makefile.libcompat: Quote CFLAGS and CXXFLAGS for sub-make")
Makefile.libcompat: Be consistent about not installing includes
Currently we only pass MK_INCLUDES=no for distribute and install, since
it's only in LIB${_LIBCOMPAT}IMAKE, which means that we enable includes
during libraries and thus install includes into worldtmp, despite it
being shared these days across native and libcompats. This also means
we're at risk of having headers needed for building against a libcompat
that don't get installed to the system, but do end up being installed to
worldtmp. In particular, lib/msun has different fenv.h for aarch64 and
arm, so aarch64 will need arm's copy when it grows lib32 support, and
this would be installed to worldtmp, but not to the system, meaning any
programs that use fenv.h wouldn't be able to be built.
Instead, be consistent, and don't install includes at all during any of
the libcompat phases, so that we can detect these issues and ensure any
needed headers are installed for both worldtmp and the system.
rpcgen: Perform shell-style word expansion on RPCGEN_CPP
Up until recently, CPP has been a list of space-separated words, with no
quotes, backslashes or other characters with special meaning to a shell.
However, as of 8fad2cda93c7, (escaped) quotes appear in CPP, and the
rudimentary parser in rpcgen is insufficient, since it will leave the
escaped quotes as escaped rather than performing one level of expansion
as would be done by a shell (whether in a script or a Makefile).
Rather than hack around this in all the places RPCGEN_CPP gets set,
implement proper expansion inside rpcgen. Note that this only deals with
a subset of shell syntax, since we don't handle any of:
| & ; < > ( ) $ ` * ? [ # ˜ = %
having special meaning (with the exception of how a backslash behaves
inside double quotes, where \$ means a literal $ inside double quotes
but \a means a literal \a), instead using their literal value, but those
are all reasonable restrictions, and can be worked around by avoiding
their use; what's important is that we get the quoting and splitting
right.
This fixes -Winvalid-pp-token spew during build${libcompat}.
Reviewed by: brooks
Fixes: 8fad2cda93c7 ("bsd.compat.mk: Provide new CPP and sub-make variables")
Differential Revision: https://reviews.freebsd.org/D41013
Daniel Tameling [Thu, 13 Jul 2023 20:06:31 +0000 (20:06 +0000)]
xargs: disallow -R0 and -L0
Both cases were interpreted as these flags are unset. This meant that
-R0 got converted to -R5 and that -L0 didn't have any effect at all.
Since make at most 0 replacements isn't useful and since call utility
for every 0 lines read doesn't make sense, throw an error for these
two cases.
Daniel Tameling [Thu, 13 Jul 2023 20:06:14 +0000 (20:06 +0000)]
xargs: fix -R so that it accepts negative numbers again
fbc445addf9 converted the parsing of arguments to strtonum but made
the accepted range for -R too restrictive. As documented in the man
page, it should accept negative numbers.
Added a test for this, which was provided by Jose Luis Duran.
Michael Tuexen [Thu, 13 Jul 2023 16:56:25 +0000 (18:56 +0200)]
tcp: fix build issue for some cc modules
The TCP_HHOOK option was moved from opt_inet.h to opt_global.h in
https://cgit.FreeBSD.org/src/commit/?id=e68b3792440cac248347afe08ba5881a00ba6523
The corresponding changes in two Makefiles were missed, which resulted
in not building cc_cdg, cc_chd, cc_hd, and cc_vegas anymore.
Merge commit fde5924dcc69 from llvm-project (by Serge Pavlov):
[clang] Reset FP options before template instantiation
AST nodes that may depend on FP options keep them as a difference
relative to the options outside the AST node. At the moment of
instantiation the FP options may be different from the default values,
defined by command-line option. In such case FP attributes would have
unexpected values. For example, the code:
template <class C> void func_01(int last, C) {
func_01(last, int());
}
void func_02() { func_01(0, 1); }
#pragma STDC FENV_ACCESS ON
caused compiler crash, because template instantiation takes place at the
end of translation unit, where pragma STDC FENV_ACCESS is in effect. As
a result, code in the template instantiation would use constrained
intrinsics while the function does not have StrictFP attribute.
To solve this problem, FP attributes in Sema must be set to default
values, defined by command line options.
This change resolves https://github.com/llvm/llvm-project/issues/63542.
Doug Moore [Thu, 13 Jul 2023 18:28:21 +0000 (13:28 -0500)]
vfs_bio: initialize pctries
bufobj_init depends on fields bo_dirty.bv_root and bo_clean.bv_root
being zeroed on entry and pctrie_init zeroing whatever is passed to
them, and so does not call pctrie_init for either of them. That fails
if pctrie_init ever changes to do something other that zeroing data,
so add explicit calls to them.
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D40978
Actions applied to a processed packet come in case of stateless
firewalling from a rule or in case of statefull firewalling from a
state. The state obtains the actions from a rule when it is created by a
rule or by pfsync. The logic for deciding if actions come from a rule or
a state is spread across many places in pf.
There already is struct pf_rule_actions in struct pf_pdesc and thus it
can be used as a central place for storing actions and their parameters.
OpenBSD does something similar: they also store the actions in struct
pf_pdesc and have no variables in pf_test() but they use separate
variables instead of a structure. By using struct pf_rule_actions we can
simplify the code even further. Applying of actions is done *only* in
pf_rule_to_actions() no matter if for the legacy scrub rules or for the
normal match / pass rules. The logic of choosing if rule or state
actions are used is applied only once in pf_test() by copying the whole
struct.
The re-initialisation of idx in the later else branch is a bit hidden,
and results in deviation from the earlier two paths. Use more consistent
code instead to make it abundantly clear what's going on.
The variable storing the direction of a processed packet is passed
around to many functions. Most of those functions already have a pointer
to struct pf_pdesc which also contains the direction. By using the one
in struct pf_pdesc we can reduce the amount of arguments passed around.
amd64 pmap: Fix compilation when superpage reservations are disabled
The function pmap_pde_ept_executable() should not be conditionally
compiled based on VM_NRESERVLEVEL. It is required indirectly by
pmap_enter(..., psind=1) even when reservation-based allocation is
disabled at compile time.
Eric van Gyzen [Tue, 11 Jul 2023 17:58:29 +0000 (12:58 -0500)]
dtrace: prevent forked child from running after an error condition
The pid/killonerror test uses an invalid probe specifier to verify that
the child process is killed. It occasionally fails because the "date"
command is allowed to run long enough to print the date. This is harmless
in this case, but is clearly not ideal.
When the dt_proc_control thread is about to exit, and the dtrace command
forked the child, do not make the child runnable.
getlocalbase: Make default path actually configurable
We include paths.h in getlocalbase.c, which defines _PATH_LOCALBASE.
This will override a definition on the command line, meaning it is
impossible to override like how the manpage says you can, and it means
the code to provide a fallback default is dead as the macro is always
defined.
Instead, introduce a new LOCALBASE_PATH macro like LOCALBASE_CTL_LEN
that can be set on the command line and will default to the system's
existing _PATH_LOCALBASE to avoid duplicating the default here.