pf: Avoid integer overflow issues by using mallocarray() iso. malloc()
pfioctl() handles several ioctl that takes variable length input, these
include:
- DIOCRADDTABLES
- DIOCRDELTABLES
- DIOCRGETTABLES
- DIOCRGETTSTATS
- DIOCRCLRTSTATS
- DIOCRSETTFLAGS
All of them take a pfioc_table struct as input from userland. One of
its elements (pfrio_size) is used in a buffer length calculation.
The calculation contains an integer overflow which if triggered can lead
to out of bound reads and writes later on.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Similar to calloc() the mallocarray() function checks for integer
overflows before allocating memory.
It does not zero memory, unless the M_ZERO flag is set.
kevans [Sun, 7 Jan 2018 04:59:28 +0000 (04:59 +0000)]
aw_sid(4): Add support for Allwinner H3
The sid controller on the H3 is generally identical in location, size, and
efuse offset to the a64 and the a83t. The main difference is that the H3 has
a silicon bug that sometimes causes the rootkey (at least) to be garbled
unless first read by the prctl registers.
This device is currently not in our DTS and, as of now, is not yet present
in mainline Linux DTS.
kevans [Sun, 7 Jan 2018 03:31:55 +0000 (03:31 +0000)]
aw_sid: Add method for reading keys via prctl registers
Technically supported on the later SoCs, this will only really be used to
add support for the H3 sid. The H3 has a silicon bug that manifests itself
by returning garbled rootkeys unless first read via the prctl registers.
asomers [Sun, 7 Jan 2018 02:30:08 +0000 (02:30 +0000)]
geli: fix parallel execution of tests
The trick is not to destroy an md(4) device during a test. That can create
a "double-free" situation, because we also destroy md devices during test
cleanup.
kevans [Sun, 7 Jan 2018 02:19:54 +0000 (02:19 +0000)]
Fix bogus pass for syscon_generic introduced in r327621
ian@ pointed out that BUS_PASS_DEFAULT + $anything is bogus, given that
BUS_PASS_DEFAULT is defined as __INT_MAX. Instead, we take a page out of
imx6_usbphy's book and use BUS_PASS_DEFAULT - 1000 to achieve the desired
effect of syscon_generic attaching before if_awg and other potential
consumers, but late enough that more specialized implementations should have
no problem attaching instead.
asomers [Sun, 7 Jan 2018 00:44:22 +0000 (00:44 +0000)]
geli: convert most tests from TAP to ATF
I'm leaving readonly_test and nokey_test alone for now. In a future commit
they should be broken up into several smaller test cases and distributed
between multiple files.
kevans [Sat, 6 Jan 2018 14:21:32 +0000 (14:21 +0000)]
Move syscon_generic to attach much later
It still needs to be before if_awg at least in order to be available for
other operations, but it should not be attaching before interrupt
controllers at the very least.
This should make errors involving syscon register space colliding with other
devices a little more innocent, but these conflicts should really be tracked
down and resolved. One such conflict is with the Raspberry Pi 3 local
interrupt controller, noticed by tuexen@
imp [Sat, 6 Jan 2018 12:46:04 +0000 (12:46 +0000)]
The source strings are from the password database which guarantees
that the data going into it is sane. Out of an abundance of caution,
limit the string copies to prevent an overflow.
imp [Sat, 6 Jan 2018 12:45:59 +0000 (12:45 +0000)]
Sanity check sysconf return value to ensure it's positive before we
use it. Use proper cast to convert long to size_t (instead of
blksize_t) to preclude sign extension issues.
jhb [Fri, 5 Jan 2018 22:26:23 +0000 (22:26 +0000)]
Remove LINK_MAX.
After recent changes to change filesystems to use filesystem-specific
limits, LINK_MAX is no longer used in the base system. Applications
should in theory be able to cope with a lack of LINK_MAX by using
pathconf().
kib [Fri, 5 Jan 2018 21:06:19 +0000 (21:06 +0000)]
Make it possible to re-evaluate cpu_features.
Add cpuctl(4) ioctl CPUCTL_EVAL_CPU_FEATURES which forces re-read of
cpu_features, cpu_features2, cpu_stdext_features, and
std_stdext_features2.
The intent is to allow the kernel to see the changes in the CPU
features after micocode update. Of course, the update is not atomic
across variables and not synchronized with readers. See the man page
warning as well.
Reviewed by: imp (previous version), jilles
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D13770
imp [Fri, 5 Jan 2018 07:09:40 +0000 (07:09 +0000)]
Add a number of sanity checks to the data that we're handling from the
CIS. Coverity has tagged it as tainted. While this data is more
trusted than your average data, we still need to do some basic
validation on it. Check ioctl return value to ensure we switch memory
targets between common and attribute as well as the lseek.
imp [Fri, 5 Jan 2018 07:09:29 +0000 (07:09 +0000)]
Need to convert '/' back to '\' when creating a path. Ideally, this
would be filesystem type dependent, but that's difficult to accomplish
and it's unclear how the UEFI firmware will cope. Be conservative and
make boot loaders cope instead.
imp [Fri, 5 Jan 2018 07:09:24 +0000 (07:09 +0000)]
Set dp to NULL when we free it, and tree a NULL dp as an error
condition. This should prevent a double free. In addition, prevent a
leak by freeing dp each loop and when we're done.
kevans [Fri, 5 Jan 2018 01:46:41 +0000 (01:46 +0000)]
hexdump(1): Speed up -s flag on devices
Using the -s flag on devices is extraordinarily slow due to using fseek(3) a
little too conservatively. Address this by using fseek on character/block
devices as well, falling back to getchar(3) only if we fail to seek or we're
operating on tape drives, where fseek may succeed while not actually being
supported.
PR: 86485
Submitted by: arundel (originally; modified since then)
Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D10939
kevans [Thu, 4 Jan 2018 22:37:15 +0000 (22:37 +0000)]
if_awg: Use syscon prop if it exists
The emac bindings that are landing in Linux 4.15 specify a syscon property
on the emac node that point to /soc/syscon. Use this property if it's
specified, but maintain backwards compatibility with the old method.
The older method is still used for boards that we get .dtb from u-boot, such
as pine64, that did not yet have stable emac bindings.
Tested on: Banana Pi-M3 (a83t)
Tested on: Pine64 (a64)
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D13296
jhb [Thu, 4 Jan 2018 22:07:58 +0000 (22:07 +0000)]
Always use atomic_fetchadd() when updating per-user accounting values.
This avoids re-reading a variable after it has been updated via an
atomic op. It is just a cosmetic cleanup as the read value was only
used to control a diagnostic printf that should rarely occur (if ever).
jhb [Thu, 4 Jan 2018 21:59:34 +0000 (21:59 +0000)]
Report offset relative to the backing object for kinfo_vmentry structures.
For the pathname reported in kinfo_vmentry structures (kve_path), the
sysctl handlers walk the object chain to find the bottom-most VM object.
This permits a COW mapping of a file with dirty pages to report the
pathname of the originally mapped file. Do the same for the object
offset (kve_offset) computing a cumulative offset during the same object
walk so that the reported offset is relative to the reported pathname.
Note that ptrace(PT_VM_ENTRY) already returns a cumulative offset
rather than the raw offset of the VM map entry.
Note also that this does not affect procstat -v output (even structured
output) since that output does not include the kve_offset field.
Allow timed waits with relative timeouts on locks and condvars.
Even though pthreads doesn't support this, there are various alternative
APIs that use this. For example, uv_cond_timedwait() accepts a relative
timeout. So does Rust's std::sync::Condvar::wait_timeout().
Though I personally think that relative timeouts are bad (due to
imprecision for repeated operations), it does seem that people want
this. Extend the existing futex functions to keep track of whether an
absolute timeout is used in a boolean flag.
smh [Thu, 4 Jan 2018 20:05:47 +0000 (20:05 +0000)]
Disabled the use of flowid for lagg by default
Disabled the use of RSS hash from the network card aka flowid for
lagg(4) interfaces by default as it's currently incompatible with
the lacp and loadbalance protocols.
The incompatibility is due to the fact that the flowid isn't know
for the first packet of a new outbound stream which can result in
the hash calculation method changing and hence a stream being
incorrectly split across multiple interfaces during normal
operation.
This can be re-enabled by setting the following in loader.conf:
net.link.lagg.default_use_flowid="1"
The default 80MHz clock speed returned by bhnd_pmu_si_clock() was already
correct; this just prevents the "No backplane clock specified" warning
printf from being emitted when querying backplane clock speed.
kib [Thu, 4 Jan 2018 18:14:58 +0000 (18:14 +0000)]
Restructure swapout tests after vm map locking was removed.
Consolidate the regions covered by the process lock.
Combine similar conditions tests into one, e.g. all process flags can
be test with one logical operation.
Add check for in-exec state, since p_vmspace is dererenced.
Remove labels and goto by explicitly tracking state.
Update comments.
junovitch [Thu, 4 Jan 2018 17:58:48 +0000 (17:58 +0000)]
Remove myself from ports-secteam
I will be moving on to other life commitments this year and will not have
the time to support contributions as a ports committer, if able, until life
settles at the end of the year.
alc [Thu, 4 Jan 2018 03:16:32 +0000 (03:16 +0000)]
Once we have decided to swap out a process, don't delay the laundering of
its per-thread kernel stack pages by making them pass through the inactive
queue first. Instead, immediately place them in the laundry so that they
might be cleaned and made available for reclamation sooner.
jhb [Wed, 3 Jan 2018 17:40:51 +0000 (17:40 +0000)]
Use 'extern uint8_t' instead of 'extern void' for external symbols.
The beri boot loaders depend on symbols defined in linker scripts or
assembly files. The boot loaders do not care about the type of these
symbols but just want to extract a pointer to them. Older versions of
GCC permitted external symbols to be declared of type 'void' and then
'&foo' generated a void pointer to the memory at the symbol's address.
However, void objects are not valid C and newer versions of GCC error if
these are used. Instead, declare these symbols as being bytes (or
an array of bytes in the cheri_sdcard_vaddr case).
jhb [Wed, 3 Jan 2018 17:35:38 +0000 (17:35 +0000)]
Don't clobber system LDFLAGS for beri boot loaders.
Prior to r325114, bsd.init.mk was included after assignments to CFLAGS and
LDFLAGS in these Makefiles. After r325114, bare assignments (= rather than
+=) lost system-assigned default values that are needed when compiling with
an external toolchain. CFLAGS in both Makefiles already uses +=. This
commit changes LDFLAGS to use +=. While here, depend on the LDFLAGS update
in the parent Makefile.inc to set -nostdlib.
kib [Wed, 3 Jan 2018 11:23:47 +0000 (11:23 +0000)]
Use the new SDM-approved way to serialize x2APIC MSR writes.
SDM editions 64 and below stated that it is enough to use MFENCe or
LFENCE to serialize x2APIC register writes. New edition 65 requires
either full serialization instruction or MFENCE;LFENCE sequence. Use
the later, FreeBSD needs serialization to ensure that writes done
before IPI request are visible to the target IPI CPU.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
karels [Wed, 3 Jan 2018 00:56:30 +0000 (00:56 +0000)]
make SW_WATCHDOG dynamic
Enable the hardclock-based watchdog previously conditional on the
SW_WATCHDOG option whenever hardware watchdogs are not found, and
watchdogd attempts to enable the watchdog. The SW_WATCHDOG option
still causes the sofware watchdog to be enabled even if there is a
hardware watchdog. This does not change the other software-based
watchdog enabled by the --softtimeout option to watchdogd.
Note that the code to reprime the watchdog during kernel core dumps is
no longer conditional on SW_WATCHDOG. I think this was previously a bug.
markj [Tue, 2 Jan 2018 18:11:54 +0000 (18:11 +0000)]
Fix some I/O ordering issues in gmirror.
- BIO_FLUSH requests were dispatched to the disks directly from
g_mirror_start() rather than going through the mirror's I/O request
queue, so they could have been reordered with preceding writes.
Address this by processing such requests from the queue, avoiding
direct dispatch.
- Handling for collisions with synchronization requests was too
fine-grained and could cause reordering of writes. In particular,
BIO_ORDERED was not being honoured. Address this by effectively
freezing the request queue any time a collision with a synchronization
request occurs. The queue is unfrozen once the collision with the
first frozen request is over.
- The above-mentioned collision handling allowed reads to jump ahead
of writes to the same offset. Address this by freezing all request
types when a collision occurs, not just BIO_WRITEs and BIO_DELETEs.
Also add some more fail points for use in testing error handling.
cem [Tue, 2 Jan 2018 17:25:13 +0000 (17:25 +0000)]
rpcbind: Fix race in signal termination
If a signal was delivered while the main thread was not in poll(2) and after
check was performed, we could reenter poll and never detect termination. Fix
this with the pipefd trick. (This race was introduced very recently, in
r327482.)
bapt [Tue, 2 Jan 2018 16:50:57 +0000 (16:50 +0000)]
Revert r326844
There has been some fallout from the change. The change itself was not valueable
enough to spend time investigating the corner cases, let's just back it out.
emaste [Tue, 2 Jan 2018 14:07:55 +0000 (14:07 +0000)]
elfcopy: copy raw (untranslated) contents to binary output
Previously elfcopy used elf_getdata to obtain data from ELF sections
being copied to binary output, but elf_getdata returns data that has
been translated - that is, data is in host byte order. When the host and
target differ in endianness (e.g., converting a big-endian MIPS ELF
object to binary on an x86 host) this resulted in byte-swapped data in
certain sections such as .dynamic.
Instead use elf_rawdata to keep data in the original, target endianness.
Reported by: Hiroki Mori <yamori83@yahoo.co.jp>, Bill Yuan
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
nwhitehorn [Tue, 2 Jan 2018 05:27:24 +0000 (05:27 +0000)]
Add installer support for PS3 and PowerNV systems, also laying the
foundation for invoking efibootmgr as part of new-style EFI booting on
x86. On PS3 and PowerNV, which are booted using Linux kexec from petitboot
rather than by loader(8), install the kernel and the rest of /boot to a
FAT partition and set up the appropriate petitboot configuration file
there.
The new bootconfig installer stage can do platform-dependent modifications
more complex than partition layout and installation of boot blocks and can
be used to (as here) set up some special configuration files, run efibootmgr,
or boot0cfg.
nwhitehorn [Tue, 2 Jan 2018 05:22:54 +0000 (05:22 +0000)]
Skip errors from being unable to set modification and creation times. If
one of the directories in the filesystem hierarchy is a FAT mountpoint,
settings its times will fail, which would cause installation to abort.
Instead, make this a best-effort thing.
Handling this error is a hack and a better internal scheme for handling
this should be added to libarchive.