Ensure that multiplications for memory allocations cannot overflow, and
that we'll not try to allocate M_WAITOK for potentially overly large
allocations.
pf: Improve ioctl validation for DIOCRGETTABLES, DIOCRGETTSTATS, DIOCRCLRTSTATS and DIOCRSETTFLAGS
These ioctls can process a number of items at a time, which puts us at
risk of overflow in mallocarray() and of impossibly large allocations
even if we don't overflow.
Limit the allocation to required size (or the user allocation, if that's
smaller). That does mean we need to do the allocation with the rules
lock held (so the number doesn't change while we're doing this), so it
can't M_WAITOK.
pf: Improve ioctl validation for DIOCIGETIFACES and DIOCXCOMMIT
These ioctls can process a number of items at a time, which puts us at
risk of overflow in mallocarray() and of impossibly large allocations
even if we don't overflow.
There's no obvious limit to the request size for these, so we limit the
requests to something which won't overflow. Change the memory allocation
to M_NOWAIT so excessive requests will fail rather than stall forever.
pf: Improve ioctl validation for DIOCRADDTABLES and DIOCRDELTABLES
The DIOCRADDTABLES and DIOCRDELTABLES ioctls can process a number of
tables at a time, and as such try to allocate <number of tables> *
sizeof(struct pfr_table). This multiplication can overflow. Thanks to
mallocarray() this is not exploitable, but an overflow does panic the
system.
Arbitrarily limit this to 65535 tables. pfctl only ever processes one
table at a time, so it presents no issues there.
Exit with usage when extra arguments are on command line
preventing mistakes such as "halt 0p" for "halt -p".
Approved by: bde (mentor, implicit), phk (mentor,implicit)
MFC after: 1 week
ifconf(): correct handling of sockaddrs smaller than struct sockaddr.
Portable programs that use SIOCGIFCONF (e.g. traceroute) assume
that each pseudo ifreq is of length MAX(sizeof(struct ifreq),
sizeof(ifr_name) + ifr_addr.sa_len). For short sockaddrs we copied
too much from the source sockaddr resulting in a heap leak.
I believe only one such sockaddr exists (struct sockaddr_sco which
is 8 bytes) and it is unclear if such sockaddrs end up on interfaces
in practice. If it did, the result would be an 8 byte heap leak on
current architectures.
If a user attempts to add two tables with the same name the duplicate table
will not be added, but we forgot to free the duplicate table, leaking memory.
Ensure we free the duplicate table in the error path.
The previous split of zeroing ifr_name and ifr_addr seperately is safe
on current architectures, but would be unsafe if pointers were larger
than 8 bytes. Combining the zeroing adds no real cost (a few
instructions) and makes the security property easier to verify.
GC never enabled support for SIOCGADDRROM and SIOCGCHIPID.
When de(4) was imported in 1997 the world was not ready for these ioctls.
In over 20 years that hasn't changed so it seems safe to assume their
time will never come.
r331654:
Don't access userspace directly from the kernel in nxge(4).
Update to what the previous code seemed to be doing via the correct
interfaces. Further issues exist in xge_ioctl_registers(), but this is
debugging code in a driver that has few users and they don't appear to
be crashes or leaks.
r331869:
Fix the build on arches with default unsigned char. Capture the fubyte()
return value in an int as well as the char, and test the full int value
for fubyte() failure.
The original implementation used a reference to ifr_data and a cast to
do the equivalent of accessing ifr_addr. This was copied multiple
times since 1996.
MFC r332042: Fix kernel memory disclosure in linux_ioctl_socket
strlcpy is used to copy a string into a buffer to be copied to userland,
previously leaving uninitialized data after the terminating NUL. Zero
the buffer first to avoid a kernel memory disclosure.
admbugs: 765, 811
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reported by: Vlad Tsyrklevich
Sponsored by: The FreeBSD Foundation
MFC r331739
1. Add additional debug prints.
2. Break transmit when IFF_DRV_RUNNING is OFF.
3. set desc_count=0 for default case in switch in ql_rcv_isr()
gordon [Wed, 4 Apr 2018 05:26:33 +0000 (05:26 +0000)]
MFC r331981:
Limit glyph count in vtfont_load to avoid integer overflow.
Invalid font data passed to PIO_VFONT can result in an integer overflow
in glyphsize. Characters may then be drawn on the console using glyph
map entries that point beyond the end of allocated glyph memory,
resulting in a kernel memory disclosure.
Submitted by: emaste
Reported by: Dr. Silvio Cesare of InfoSect
Security: CVE-2018-6917
Security: FreeBSD-SA-18:04.vt
Sponsored by: The FreeBSD Foundation
eugen [Tue, 3 Apr 2018 14:09:34 +0000 (14:09 +0000)]
MFC r331630: Fix instructions in the zfsboot manual page.
zfsloader(8) fails to probe a slice containing ZFS pool if its second sector
contains traces of BSD label (DISKMAGIC == 0x82564557).
Fix manual page to show working example erasing such traces.
MFC r331806:
Add logic for "families" for GCE images.
This allows for GCE consumers to easily detect the latest major
version of FreeBSD when using the gcloud command line utility.
To ensure snapshot builds do not conflict with release-style
builds (ALPHA, BETA, RC, RELEASE), the '-snap' suffix is appended
to the GCE image family name.
gjb [Sat, 31 Mar 2018 01:37:14 +0000 (01:37 +0000)]
MFC r331696, r331697:
r331696:
Update the Release Engineering article URL to the modern version.
r331697:
Add an example for building SD card images for the RPI-B and RPI3.
Note, this commit manually fixes a merge conflict caused by r325096,
which does a seemingly recursive http -> https update, which this
commit was never marked for MFC.
emaste [Thu, 29 Mar 2018 22:31:14 +0000 (22:31 +0000)]
MF11 r331330: Fix kernel memory disclosure in svr4_sys_getdents64
svr4_sys_getdents64() copies a dirent structure to userland. When
calculating the record length for any given dirent entry alignment is
performed. However, the aligned bytes are not cleared, this will
trigger an info leak.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Security: Kernel memory disclosure (801)
Sponsored by: The FreeBSD Foundation
gjb [Thu, 29 Mar 2018 19:29:12 +0000 (19:29 +0000)]
MFC r331562 (manu):
release: arm: Copy boot.scr from ports
Latest u-boot update need u-boot script to load and start ubldr.
(See D14230 for more details)
Copy this file for our arm release on the fat partition.
emaste [Wed, 28 Mar 2018 13:44:02 +0000 (13:44 +0000)]
MFC r331329: Fix kernel memory disclosure in ibcs2_getdents
ibcs2_getdents() copies a dirent structure to userland. The ibcs2
dirent structure contains a 2 byte pad element. This element is never
initialized, but copied to userland none-the-less.
Note that ibcs2 has not built on HEAD since r302095.
Submitted by: Domagoj Stolfa <ds815@cam.ac.uk>
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Security: Kernel memory disclosure (803)
Sponsored by: The FreeBSD Foundation
brooks [Tue, 27 Mar 2018 17:48:39 +0000 (17:48 +0000)]
MFC r330876, r330945
r330876:
Fix ISP_FC_LIP and ISP_RESCAN on big-endian 64-bit systems.
For _IO() ioctls, addr is a pointer to uap->data which is a caddr_t.
When the caddr_t stores an int, dereferencing addr as an (int *) results
in truncation on little-endian 64-bit systems and corruption (owing to
extracting top bits) on big-endian 64-bit systems. In practice the
value of chan was probably always zero on systems of the latter type as
all such FreeBSD platforms use a register-based calling convention.
brooks [Tue, 27 Mar 2018 17:43:03 +0000 (17:43 +0000)]
MFC r330820:
Reject ioctls to SCSI enclosures from 32-bit compat processes.
The ioctl objects contain pointers and require translation and some
refactoring of the infrastructure to work. For now prevent opertion
on garbage values. This is very slightly overbroad in that ENCIOC_INIT
is safe.
brooks [Tue, 27 Mar 2018 17:42:04 +0000 (17:42 +0000)]
MFC r330819, r330885, r330934
r330819:
Reject CAMIOGET and CAMIOQUEUE ioctl's on pass(4) in 32-bit compat mode.
These take a union ccb argument which is full of kernel pointers.
Substantial translation efforts would be required to make this work.
By rejecting the request we avoid processing or returning entierly
wrong data.
sevan [Sun, 25 Mar 2018 01:33:51 +0000 (01:33 +0000)]
MFC r322665
Add caveat to kinfo_getvmmap(3) explaining high CPU utilisation.
Based on kib's reply on https://lists.freebsd.org/pipermail/freebsd-hackers/2016-July/049710.html
sevan [Sun, 25 Mar 2018 01:24:02 +0000 (01:24 +0000)]
MFC 321881
For the udp-client example, instruct user to add an entry for a udp based
service.
For tcp-client & udp-client, use the same port in configuration snippet as used
in the comment prior to remove any ambiguity on the port number which needs to
be specified.
sevan [Sun, 25 Mar 2018 01:17:40 +0000 (01:17 +0000)]
MFC r316721 r331274
Most wireless drivers don't support altq(4).
Extend the description of ALTQ to call it a system which is a framework in
altq(4) to match altq(9). This makes preserving the history section as the
author of ALTQ easier in the history section, rather than calling it a framework
in the description & a system in the history.
Add a history section to altq(4) and extend the history section in altq(9)
emaste [Fri, 23 Mar 2018 02:38:31 +0000 (02:38 +0000)]
MFC r331333: Fix kernel memory disclosure in drm_infobufs
drm_infobufs() has a structure on the stack, fills it out and copies it
to userland. There are 2 elements in the struct that are not filled out
and left uninitialized. This will leak uninitialized kernel stack data
to userland.
emaste [Fri, 23 Mar 2018 02:34:45 +0000 (02:34 +0000)]
MFC r331339: Correct signedness bug in drm_modeset_ctl
drm_modeset_ctl() takes a signed in from userland, does a boundscheck,
and then uses it to index into a structure and write to it. The
boundscheck only checks upper bound, and never checks for nagative
values. If the int coming from userland is negative [after conversion]
it will bypass the boundscheck, perform a negative index into an array
and write to it, causing memory corruption.
Note that this is in the "old" drm driver; this issue does not exist
in drm2.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: cem
Sponsored by: The FreeBSD Foundation
kp [Wed, 21 Mar 2018 09:57:29 +0000 (09:57 +0000)]
MFC 330105:
pf: Do not flush on reload
pfctl only takes the last '-F' argument into account, so this never did what
was intended.
Moreover, there is no reason to flush rules before reloading, because pf keeps
track of the rule which created a given state. That means that existing
connections will keep being processed according to the rule which originally
created them. Simply reloading the (new) rules suffices. The new rules will
apply to new connections.
PR: 127814
Submitted by: Andreas Longwitz <longwitz at incore.de>
kp [Wed, 21 Mar 2018 09:55:49 +0000 (09:55 +0000)]
MFC r330108:
pf: Apply $pf_flags when verifying the pf.conf file
When checking the validity of the pf.conf file also include the user supplied
pf_flags. These flags might overrule macros or specify anchors, which we will
apply when actually applying the pf.conf file, so we must also take them into
account when verifying the validity.
Submitted by: Andreas Longwitz <longwitz at incore.de>
ian [Tue, 20 Mar 2018 22:57:14 +0000 (22:57 +0000)]
MFC r330745:
Make root mount timeout logic work for filesystems other than ufs.
The vfs.mountroot.timeout tunable and .timeout directive in a mount.conf(5)
file allow specifying a wait timeout for the device(s) hosting the root
filesystem to become usable. The current mechanism for waiting for devices
and detecting their availability can't be used for zfs-hosted filesystems.
See the comment #20 in the PR for some expanded detail on these points.
This change adds retry logic to the actual root filesystem mount. That is,
insted of relying on device availability using device name lookups, it uses
the kernel_mount() call itself to detect whether the filesystem can be
mounted, and loops until it succeeds or the configured timeout is exceeded.
These changes are based on the patch attached to the PR, but it's rewritten
enough that all mistakes belong to me.
dab [Mon, 19 Mar 2018 17:38:35 +0000 (17:38 +0000)]
MFC r331015:
Modify rc.d/fsck to handle new status from fsck/fsck_ffs
r328013 introduced a new error code from fsck_ffs that indicates that
it could not completely fix the file system; this happens when it
prints the message PLEASE RERUN FSCK. However, this status can happen
when fsck is run in "preen" mode and the rc.d/fsck script does not
handle that error code. Modify rc.d/fsck so that if "fsck -p"
("preen") returns the new status code (16) it will run "fsck -y", as
it currently does for a status code of 8 (the "standard error exit").
marius [Mon, 19 Mar 2018 14:28:58 +0000 (14:28 +0000)]
MFC: r328834
o Let rtld(1) set up psABI user trap handlers prior to executing the
objects' init functions instead of doing the setup via a constructor
in libc as the init functions may already depend on these handlers
to be in place. This gets us rid of:
- the undefined order in which libc constructors as __guard_setup()
and jemalloc_constructor() are executed WRT __sparc_utrap_setup(),
- the requirement to link libc last so __sparc_utrap_setup() gets
called prior to constructors in other libraries (see r122883).
For static binaries, crt1.o still sets up the user trap handlers.
o Move misplaced prototypes for MD functions in to the MD prototype
section of rtld.h.
o Sprinkle nitems().
ae [Mon, 19 Mar 2018 09:54:16 +0000 (09:54 +0000)]
MFC r330792:
Do not try to reassemble IPv6 fragments in "reass" rule.
ip_reass() expects IPv4 packet and will just corrupt any IPv6 packets
that it gets. Until proper IPv6 fragments handling function will be
implemented, pass IPv6 packets to next rule.
kp [Sun, 18 Mar 2018 11:26:07 +0000 (11:26 +0000)]
MFC r329950:
pf: Cope with overly large net.pf.states_hashsize
If the user configures a states_hashsize or source_nodes_hashsize value we may
not have enough memory to allocate this. This used to lock up pf, because these
allocations used M_WAITOK.
Cope with this by attempting the allocation with M_NOWAIT and falling back to
the default sizes (with M_WAITOK) if these fail.
PR: 209475
Submitted by: Fehmi Noyan Isi <fnoyanisi AT yahoo.com>
marius [Thu, 15 Mar 2018 23:02:52 +0000 (23:02 +0000)]
MFC: r327929
Use the correct revision specifier (EXT_CSD revision rather than
system specification version) for deciding whether the EXT_CSD
register includes the EXT_CSD_GEN_CMD6_TIME field.
marius [Thu, 15 Mar 2018 23:01:04 +0000 (23:01 +0000)]
MFC: r327355, r327926
- Don't allow userland to switch partitions; it's next to impossible
to recover from that, especially when something goes wrong.
- When userland changes EXT_CSD, update the kernel copy before using
relevant EXT_CSD bits in mmcsd_switch_part().
marius [Thu, 15 Mar 2018 22:58:34 +0000 (22:58 +0000)]
MFC: r327339, r327924
- There is no need to keep the tuning error and re-tuning interrupts
enabled (though, no interrupt generation enabled for them) all the
time as soon as (re-)tuning is supported; only enable them and let
them generate interrupts when actually using (re-)tuning.
- Also disable all interrupts except SDHCI_INT_DATA_AVAIL ones while
executing tuning and not just their signaling.
- Set the tuning error and re-tuning interrupt enable bits based on
the SDHCI_TUNING_ENABLED rather than the SDHCI_TUNING_SUPPORTED flag,
i. e. only when (re-)tuning is actually used. Currently, this change
makes no net difference, though.
marius [Thu, 15 Mar 2018 22:42:28 +0000 (22:42 +0000)]
MFC: r287805
Unconditionally build CTF tools in the bootstrap-tools phase of the build.
Stale CTF tools are a frequent source of DTrace issues, and they compile
quickly enough that the increase in build time is negligible.
Apart from what's described in the original commit message above, this
change also fixes building GENERIC kernels, i. e. kernel configurations
having "makeoptions WITH_CTF=1", when the host world has been built with
WITHOUT_CDDL.
marius [Wed, 14 Mar 2018 23:59:52 +0000 (23:59 +0000)]
MFC: 327314
With the advent of interrupt remapping, Intel has repurposed bit 11
(now: Interrupt_Index[15]) and assigned the previously reserved bits
55:48 (Interrupt_Index[14:0] goes into 63:49 while Destination Field
used 63:56 and bit 48 now is Interrupt_Format) in the IO redirection
tables (see the VT-d specification, "5.1.5.1 I/OxAPIC Programming").
Thus, when not using interrupt remapping, ensure that all previously
reserved bits in the high part of the RTEs are zero instead of doing
a read-modify-write for their Destination Field bits only.
Otherwise, on machines based on Apollo Lake and its derivatives such
as Denverton, typically some of the previously preserved bits remain
set after boot when not employing interrupt remapping. The result is
that INTx interrupts are not getting delivered.
Note: With an AMD IOMMU, interrupt remapping apparently bypasses the
IO APIC altogether.
jhb [Wed, 14 Mar 2018 19:04:40 +0000 (19:04 +0000)]
Convert pci_delete_child() to a bus_child_deleted() method.
Instead of providing a wrapper around device_delete_child() that the PCI
bus and child bus drivers must call explicitly, move the bulk of the logic
from pci_delete_child() into a bus_child_deleted() method
(pci_child_deleted()). This allows PCI devices to be safely deleted via
device_delete_child().
- Add a bus_child_deleted method to the ACPI PCI bus which clears the
device_t associated with the corresponding ACPI handle in addition to
the normal PCI bus cleanup.
- Change cardbus_detach_card to call device_delete_children() and move
CardBus-specific delete logic into a new cardbus_child_deleted() method.
- Use device_delete_child() instead of pci_delete_child() in the SRIOV code.
- Add a bus_child_deleted method to the OpenFirmware PCI bus drivers which
frees the OpenFirmware device info for each PCI device.
To preserve KBI, a pci_delete_child() function is left in place that
just calls device_delete_child().
Fix several cases when long buffer is copied to shorter one
using snprintf that results in contents truncation and
clobbering unsaved errno value and creation of misleading logs.
asomers [Sat, 10 Mar 2018 04:17:01 +0000 (04:17 +0000)]
MFC r323314, r323338, r328849
r323314:
Audit userspace geom code for leaking memory to disk
Any geom class using g_metadata_store, as well as geom_virstor which
duplicated g_metadata_store internally, would dump sectorsize - mdsize bytes
of userspace memory following the metadata block stored. This is most or all
geom classes (gcache, gconcat, geli, gjournal, glabel, gmirror, gmultipath,
graid3, gshsec, gstripe, and geom_virstor).
r323338:
Fix information leak in geli(8) integrity mode
In integrity mode, a larger logical sector (e.g., 4096 bytes) spans several
physical sectors (e.g., 512 bytes) on the backing device. Due to hash
overhead, a 4096 byte logical sector takes 8.5625 512-byte physical sectors.
This means that only 288 bytes (256 data + 32 hash) of the last 512 byte
sector are used.
The memory allocation used to store the encrypted data to be written to the
physical sectors comes from malloc(9) and does not use M_ZERO.
Previously, nothing initialized the final physical sector backing each
logical sector, aside from the hash + encrypted data portion. So 224 bytes
of kernel heap memory was leaked to every block :-(.
This patch addresses the issue by initializing the trailing portion of the
physical sector in every logical sector to zeros before use. A much simpler
but higher overhead fix would be to tag the entire allocation M_ZERO.
r328849:
geom: don't write stack garbage in disk labels
Most consumers of g_metadata_store were passing in partially unallocated
memory, resulting in stack garbage being written to disk labels. Fix them by
zeroing the memory first.
gvirstor repeated the same mistake, but in the kernel.
Also, glabel's label contained a fixed-size string that wasn't
initialized to zero.
asomers [Sat, 10 Mar 2018 04:10:57 +0000 (04:10 +0000)]
MFC r329265, r329384
r329265:
Implement .vop_pathconf and .vop_getacl for the .zfs ctldir
zfsctl_common_pathconf will report all the same variables that regular ZFS
volumes report. zfsctl_common_getacl will report an ACL equivalent to 555,
except that you can't read xattrs or edit attributes.
Fixes a bug where "ls .zfs" will occasionally print something like:
ls: .zfs/.: Operation not supported
tychon [Sat, 10 Mar 2018 00:44:33 +0000 (00:44 +0000)]
MFC r328011,329162
r328011:
Provide some mitigation against CVE-2017-5715 by clearing registers
upon returning from the guest which aren't immediately clobbered by
the host. This eradicates any remaining guest contents limiting their
usefulness in an exploit gadget.
r329162:
Provide further mitigation against CVE-2017-5715 by flushing the
return stack buffer (RSB) upon returning from the guest.
dab [Fri, 9 Mar 2018 14:45:47 +0000 (14:45 +0000)]
MFC r330245:
Allow the "@" and "!" characters in passwd file GECOS fields.
Two PRs (152084 & 210187) request allowing the "@" and/or "!"
characters in the passwd file GECOS field. The man page for pw does
not mention that those characters are disallowed, Linux supports those
characters in this field, and the "@" character in particular would be
useful for storing email addresses in that field.
PR: 152084, 210187
Submitted by: jschauma@netmeister.org, Dave Cottlehuber <dch@freebsd.org>
Reported by: jschauma@netmeister.org, Dave Cottlehuber <dch@freebsd.org>
Sponsored by: Dell EMC
dab [Fri, 9 Mar 2018 14:39:28 +0000 (14:39 +0000)]
MFC r330085:
dhclient violates RFC2131 when sending early DHCPREQUEST message to re-obtain old IP
When dhclient first starts, if an old IP address exists in the
dhclient.leases file, dhclient(8) sends early DHCPREQUEST message(s)
in an attempt to re-obtain the old IP address again. These messages
contain the old IP as a requested-IP-address option in the message
body (correct) but also use the old IP address as the packet's source
IP (incorrect).
RFC2131 sec 4.1 states:
DHCP messages broadcast by a client prior to that client obtaining
its IP address must have the source address field in the IP header
set to 0.
The use of the old IP as the packet's source address is incorrect if
(a) the computer is now on a different network or (b) it is on the
same network, but the old IP has been reallocated to another host.
Fix dhclient to use 0.0.0.0 as the source IP in this circumstance
without removing any existing functionality. Any previously-used old
IP is still requested in the body of an early DHCPREQUEST message.
imcsmb(4) provides smbus(4) support for the SMBus controller functionality
in the integrated Memory Controllers (iMCs) embedded in Intel Sandybridge-
Xeon, Ivybridge-Xeon, Haswell-Xeon, and Broadwell-Xeon CPUs. Each CPU
implements one or more iMCs, depending on the number of cores; each iMC
implements two SMBus controllers (iMC-SMBs).
*** IMPORTANT NOTE ***
Because motherboard firmware or the BMC might try to use the iMC-SMBs for
monitoring DIMM temperatures and/or managing an NVDIMM, the driver might
need to temporarily disable those functions, or take a hardware interlock,
before using the iMC-SMBs. Details on how to do this may vary from board to
board, and the procedure may be proprietary. It is strongly suggested that
anyone wishing to use this driver contact their motherboard vendor, and
modify the driver as described in the manual page and in the driver itself.
(For what it's worth, the driver as-is has been tested on various SuperMicro
motherboards.)