Cy Schubert [Tue, 8 Nov 2022 08:53:29 +0000 (00:53 -0800)]
heimdal: Fix multiple security vulnerabilities
The following issues are patched:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
on the Common Vulnerability Scoring System (CVSS) v3, as we believe
it should be possible to get an RCE on a KDC, which means that
credentials can be compromised that can be used to impersonate
anyone in a realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE types
used in Heimdal, though not all cases will be exploitable. We have
not completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
only affect Heimdal 1.6 and up. It was first reported by Douglas
Bagnall, though it had been found independently by the Heimdal
maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
Sponsored by: so (philip)
Obtained from: so (philip)
Tested by: philip, cy
John Baldwin [Tue, 15 Nov 2022 01:24:56 +0000 (17:24 -0800)]
<crypto/chacha20_poly1305>: Fix operations with 8 byte nonce.
In head, the inline ChaCha20+Poly1305 API is implemented using the
software implementation backing OCF, but that requires API changes
that can't be MFC'd. As a result, this API in stable/13 uses
libsodium directly.
However, libsodium's version of ChaCha20+Poly1305 with an 8 byte nonce
uses a different construction for the Poly1305 hash than is used for
the standard IETF AEAD cipher used for TLS and IPsec. WireGuard's use
of an 8 byte nonce also uses the more standard construction.
Since the verison in stable/13 was using libsodium directly for the 8
byte nonce case, it was generating incorrect MACs for if_wg(4). As a
workaround, change the direct API to always use the IETF API from
libsodium which uses 12 byte nonces. This can be done by
zero-extending the provided 8 byte nonce to 12 bytes so long as the
passed in buffers are sufficiently small to not overflow a 4 byte
counter.
This fixes key negotiation for if_wg(4) on stable/13. This is also
a direct commit to stable/13.
Reported by: Marek Zarychta <mzar@bpine64.dom.potoki.eu>
Mark Johnston [Mon, 19 Jul 2021 20:09:42 +0000 (16:09 -0400)]
Simplify kernel sanitizer interceptors
KASAN and KCSAN implement interceptors for various primitive operations
that are not instrumented by the compiler. KMSAN requires them as well.
Rather than adding new cases for each sanitizer which requires
interceptors, implement the following protocol:
- When interceptor definitions are required, define
SAN_NEEDS_INTERCEPTORS and SANITIZER_INTERCEPTOR_PREFIX.
- In headers that declare functions which need to be intercepted by a
sanitizer runtime, use SANITIZER_INTERCEPTOR_PREFIX to provide
declarations.
- When SAN_RUNTIME is defined, do not redefine the names of intercepted
functions. This is typically the case in files which implement
sanitizer runtimes but is also needed in, for example, files which
define ifunc selectors for intercepted operations.
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Mitchell Horne [Fri, 11 Nov 2022 18:23:11 +0000 (14:23 -0400)]
ddb: don't limit pindex output in 'show vmopag'
This command already prints a tremendous amount of output, and properly
obeys the pager. It no longer makes sense to arbitrarily limit the pages
that are printed, as the reader will not be aware that this has
happened.
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D37361
Mitchell Horne [Fri, 11 Nov 2022 18:20:31 +0000 (14:20 -0400)]
netgdb(4): update list of required kernel options
The man page claims that netgdb will be enabled automatically with the
presence of the DDB, GDB, and INET options. Based on the logic in
conf/files, this is not the case. Update the manpage to list all
of the options required to include netgdb.
* Avoid unnecessary use of `unsigned char *`
* Use explicit casts when assigning `unsigned char *` to `char *` or vice versa
* Drop unused global variables (and fix memory leak in `gettable()`)
* Use `snprintf()` instead of `strcpy()` + `strcat()`
* Drop spurious braces in switch
Sponsored by: Klara, Inc.
Obtained from: Apple OSS Distributions (in part)
Differential Revision: https://reviews.freebsd.org/D37263
The system call returns the head of the robust futex list. The list head is stored
in the location pointed to by the head argument. When copying data between address
spaces use proper head storage size as it depends on an emulated ABI.
Gordon Bergling [Mon, 7 Nov 2022 10:23:33 +0000 (11:23 +0100)]
Update HISTORY and AUTHORS sections for cut(1) and paste(1)
In an e-mail Brian Walden wrote that:
"GWRL stands for Gottfried W. R. Luderer, the author of cut(1) and
paste(1), probably around 1978. Those came either from PWB or USG,
as he worked with, or for, Berkley Tague. Thus they made their way
into AT&T commercial UNIX, first into System III and the into System
V, and that's why they are missing from early BSD releases as they
didn't get into Research UNIX until the 8th Edition."
So update the HISTORY and AUTHORS sections for cut(1) and paste(1).
Kyle Evans [Thu, 10 Nov 2022 04:20:34 +0000 (22:20 -0600)]
include: put includes into -dev packages
The includes build is kind of funky, as we support either copying or
symlinking files into /usr/include. For `copies`, we were supplying
the include/ ${TAG_ARGS}, which puts packages into `FreeBSD-runtime`,
without any consideration to the fact that we're installing headers.
Let's copy the approach that the `symlinks` target uses for now, and
add ",dev" to the TAG_ARGS so that headers at least end up in
FreeBSD-runtime-dev, which is more appropriate. Some of these includes
are actually technically supposed to be in *other* packages and their
INCSGROUP's PACKAGE setting is actually correct, but this is less
trivial to solve. This is a bandaid to fix the immediate problem of
some headers ending up in two different packages.
PR: 267526
Reviewed by: dfr, manu
Differential Revision: https://reviews.freebsd.org/D37256
Kyle Evans [Wed, 2 Nov 2022 20:29:16 +0000 (15:29 -0500)]
mktemp: don't double up on trailing slashes for -t paths
This is a minor cosmetic change; re-organize slightly to set tmpdir to
_PATH_TMP if we didn't otherwise have a tmpdir candidate, then check the
trailing char before appending another slash.
While we're here, remove some bogus whitespace and add a test case for
this change.
Obtained from: https://github.com/apple-oss-distributions/shell_cmds
Sponsored by: Klara, Inc.
Kyle Evans [Mon, 31 Oct 2022 03:55:46 +0000 (22:55 -0500)]
mktemp: add -p/--tmpdir argument
This matches other mktemp implementations, including OpenBSD and GNU.
The -p option can be used to provide a tmpdir prefix for specified
templates. Precedence works out like so:
-t flag:
- $TMPDIR
- -p directory
- /tmp
Implied -t flag (no arguments or only -d flag):
- -p directory
- $TMPDIR
- /tmp
Some tests have been added for mktemp(1) in the process.
Reviewed by: imp (earlier version), wosch
Sponsored by: Klara, Inc.
Warner Losh [Fri, 12 Mar 2021 00:11:28 +0000 (17:11 -0700)]
Remove README in favor of README.md
Complete the transition to README.md I started 3 years ago. Remove the
now-redundant README file. It's currently just README.md w/o the light markup
and adds no real value. This also allows us to use additional MarkDown
markup as we see fit w/o worrying about keeping things in sync.
List of changes:
- Use integer multiplication instead of long multiplication, because the result is an integer.
- Remove multiple if-statements and predict new if-statements.
- Rename local variable name, "ticks" into "retval" to avoid shadowing
the system "ticks" global variable.
time(3): Align fast clock times to avoid firing multiple timers.
In non-periodic mode absolute timers fire at exactly the time given.
When specifying a fast clock, align the firing time so that less
timer interrupt events are needed.
Alexander Motin [Mon, 21 Mar 2022 23:43:39 +0000 (19:43 -0400)]
Fix umtxq_sleep() regression caused by 56070dd2e4d.
umtxq_requeue() moves the queue to a different hash chain and different
lock, so we can't rely on msleep_sbt() reacquiring the same old lock.
We have to use PDROP and update the queue chain and so lock pointer.
Alexander Motin [Fri, 4 Mar 2022 03:03:09 +0000 (22:03 -0500)]
Improve timeout precision of pthread_cond_timedwait().
This code was not touched when all other user-space sleep functions were
switched to sbintime_t and decoupled from hardclock. When it is possible,
convert supplied times into sbinuptime to supply directly to msleep_sbt()
with C_ABSOLUTE. This provides the timeout resolution of few microseconds
instead of 2 milliseconds, plus avoids few clock reads and conversions.
Gordon Bergling [Sun, 30 Oct 2022 12:59:37 +0000 (13:59 +0100)]
wg.4: Add some enhancements
- add a SPDX-License-Identifier
- rename the title of the man page
- use better grammar in some places
- reword 'IPs' to 'IP addresses'
- add a missing word in the AUTHORS section
- use '.An -nosplit' in the AUTHORS section
- Xr ipsec and ovpn
Relative to upstream this commit includes a few other small fixes such
as additional INET and INET6 #ifdef's, #include cleanups, and updates
for recent API changes in main.
Reviewed by: pauamma, gbe, kevans, emaste
Obtained from: git@git.zx2c4.com:wireguard-freebsd @ 3cc22b2
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36909
John Baldwin [Wed, 5 Oct 2022 23:48:05 +0000 (16:48 -0700)]
rs: Fix some pointer arith UB.
If the next column was blank, then the length of the following entry
was computed as the end of the following entry minus a global variable
"blank" which is not in the same string or allocation. Instead, save
the start value of 'p' explicitly instead of abusing '*ep'. Possibly
we should just increment p before saving it in sp in the 'blank' case,
but at worst that would just mean maxlen might be one char too large
which should be harmless.
John Baldwin [Wed, 5 Oct 2022 23:47:40 +0000 (16:47 -0700)]
rs: Fix a use after free.
Using a pointer passed to realloc() after realloc() even for pointer
arithmetic is UB. It also breaks in practice on CHERI systems as
the updated value of 'sp' in this case would have had the bounds from
the old allocation.
This would be much cleaner if elem were a std::vector<char *>.
John Baldwin [Wed, 5 Oct 2022 23:46:01 +0000 (16:46 -0700)]
msk: Use a void cast to mark values of dummy reads as unused.
Note that this required adding missing ()'s around the outermost level
of MSK_READ_MIB*. Otherwise, the void cast was only applied to the
first register read. This also meant that MSK_READ_MIB64 was pretty
broken as the uint64_t cast only applied to the first 16-bit register
read in each MSK_READ_MIB32 invocation and the 32-bit shift was only
applied to the second register read of the pair.
John Baldwin [Mon, 3 Oct 2022 23:10:44 +0000 (16:10 -0700)]
nvmecontrol wdc: Don't pass a bogus pointer to free().
wdc_get_dui_log_size allocates a buffer and then advances the
returned pointer. Passing this advanced pointer to free() is UB,
so save the original pointer to pass to free() instead.
John Baldwin [Mon, 3 Oct 2022 23:10:43 +0000 (16:10 -0700)]
libfetch: Use memcpy in place of an odd strncpy.
The length passed to strncpy is the length of the source string, not
the destination buffer. This triggers a non-fatal warning in GCC 12.
Hoewver, the code is also odd. It is really just a memcpy of the
string without its nul terminator. For that use case, memcpy is
clearer.
John Baldwin [Mon, 3 Oct 2022 23:10:43 +0000 (16:10 -0700)]
diff: Fix a use after free as well as a memory leak in change().
When -B or -I are used, change() evaluates the lines in a hunk to
determine if it is a hunk that should be ignored. It does this by
reading each candidate line into a mallocated buffer via preadline()
and then calling ignoreline(). Previously the buffer was freed as a
side effect of ignoreline_pattern() called from ignoreline().
However, if only -B was specified, then ignoreline_pattern() was not
called and the lines were leaked. If both options were specified,
then ignoreline_pattern() was called before checking for a blank line
so that the second check was a use after free.
To fix, pull the free() out of ignoreline_pattern() and instead do it
up in change() so that is paired with preadline().
While here, simplify ignoreline() by checking for the -B and -I cases
individually without a separate clause for when both are set. Also,
do the cheaper check (-B) first, and remove a false comment (this
function is only called if at least one of -I or -B are specified).
John Baldwin [Mon, 3 Oct 2022 23:10:41 +0000 (16:10 -0700)]
powerpc_nvram: Fix a bug in the adler32 checksum.
The Adler32 digest consists of two 16-bit words whose values are
calculated modulo 65521 (largest prime < 2^16). To avoid two division
instructions per byte, this version copies an optimization found in
zlib which defers the modulus until close to the point that the
intermediate sums can overflow 2^32. (zlib uses NMAX == 5552 for
this, this version uses 5000)
The bug is that in the deferred modulus case, the modulus was
only applied to the high word (and twice at that) but not to
the low word. The fix is to apply it to both words.
John Baldwin [Wed, 28 Sep 2022 21:01:36 +0000 (14:01 -0700)]
libc rpc: Fix mismatches in prototypes for array bounds.
Various RPC functions used a bare pointer in function prototypes to
describe fixed-length buffer arguments but used a fixed-length array
in the function definition. The manual page for these functions
describes the parameters as being fixed-length buffers, so update
the prototypes to match the definitions.
John Baldwin [Wed, 28 Sep 2022 21:00:27 +0000 (14:00 -0700)]
zlib crc32: Add prototypes for recently-added static functions.
This appeases -Wstrict-prototypes with GCC. Using a separate
prototype using the OF macro seems to be consistent with the rest of
this file which still supports pre-ANSI C.
Math Ieu [Thu, 27 Oct 2022 17:01:57 +0000 (12:01 -0500)]
split: reset errno prior to getline()
Something else may have set errno, breaking the post-getline() logic
that tries to detect the getline() error. This was initially noted in
a jail on a system that has HPET, in a jail that does not expose
/dev/hpet0 -- we see an earlier error in libc's vdso bits.
Kyle Evans [Tue, 23 Aug 2022 02:08:03 +0000 (21:08 -0500)]
split: add some tests
This should cover all of the basic functionality, as well as the recent
enhancement to use a dynamic buffer size rather than limiting patterns
and lines to MAXBSIZE.
Kyle Evans [Tue, 23 Aug 2022 02:05:58 +0000 (21:05 -0500)]
split: switch to getline() for line/pattern matching
Get rid of split's home-grown logic for growing the buffer; arbitrarily
breaking at LONG_MAX bytes instead of 65536 bytes gives us much more
wiggle room. Additionally, we'll actually fail out entirely if we can't
fit a line, which makes noticing this class of problem much easier.
Reviewed by: bapt, emaste, pauamma
Sponsored by: Klara, Inc.
13361 bhyve should mask RDT cpuid info
Reviewed by: Andy Fiddaman <andy@omnios.org>
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Robert Mustacchi <rm@fingolfin.org>
John Baldwin [Mon, 26 Sep 2022 21:58:06 +0000 (14:58 -0700)]
cxgbe: Use secq(9) to manage the timestamp generations.
This is mostly cosmetic, but it also doesn't leave a gap of time where
no structures are valid. Instead, we permit the ISR to continue to
use the previous structure if the write to update cal_current isn't
yet visible.
John Baldwin [Mon, 26 Sep 2022 21:57:26 +0000 (14:57 -0700)]
cxgbe: Compute timestamps via sbintime_t.
This uses fixed-point math already used elsewhere in the kernel for
sub-second time values. To avoid overflows this does require updating
the calibration once a second rather than once every 30 seconds. Note
that the cxgbe driver already queries multiple registers once a second
for the statistics timers. This version also uses fewer instructions
with no branches (for the math portion) in the per-packet fast path.