Kyle Evans [Fri, 15 Mar 2024 01:19:18 +0000 (20:19 -0500)]
if_wg: use proper barriers around pkt->p_state
Without appropriate load-synchronization to pair with store barriers in
wg_encrypt() and wg_decrypt(), the compiler and hardware are often
allowed to reorder these loads in wg_deliver_out() and wg_deliver_in()
such that we end up with a garbage or intermediate mbuf that we try to
pass on. The issue is particularly prevalent with the weaker
memory models of !x86 platforms.
Switch from the big-hammer wmb() to more explicit acq/rel atomics to
both make it obvious what we're syncing up with, and to avoid somewhat
hefty fences on platforms that don't necessarily need this.
With this patch, my dual-iperf3 reproducer is dramatically more stable
than it is without on aarch64.
Philip Paeps [Thu, 7 Dec 2023 05:48:13 +0000 (13:48 +0800)]
rc.conf: correct $ntp_leapfile_sources
IETF is no longer serving leap-seconds.list. Update to the canonical place.
This fixes "service ntpd fetch".
IERS is the source of truth for leap seconds. Their leapsecond file is
updated most quickly and is always right (unlike the IANA one which
often lags). IERS operates this public service for the express purpose
of random people downloading it. Their terms of service are compatible
with open source (we could include this in our release). Rather than
fighting with questions around this because the IANA one changed
locations or the auto update script broken, just use this.
This is in preference to the NIST ftp copy. NIST is in the process of
retiring their FTP services.
There is a lack of proper visibility checking in kern.ttys sysctl handler
which leads to information leak about processes outside the current jail.
This can be demonstrated with pstat -t: when called from within a jail,
it will output all terminal devices including process groups and
session leader process IDs:
jail# pstat -t | grep pts/ | head
LINE INQ CAN LIN LOW OUTQ USE LOW COL SESS PGID STATE
pts/2 1920 0 0 192 1984 0 199 0 4132 27245 Oi
pts/3 1920 0 0 192 1984 0 199 16 24890 33627 Oi
pts/5 0 0 0 0 0 0 0 25 17758 0 G
pts/16 0 0 0 0 0 0 0 0 52495 0 G
pts/15 0 0 0 0 0 0 0 25 53446 0 G
pts/17 0 0 0 0 0 0 0 6702 33230 0 G
pts/19 0 0 0 0 0 0 0 14 1116 0 G
pts/0 0 0 0 0 0 0 0 0 2241 0 G
pts/23 0 0 0 0 0 0 0 20 15639 0 G
pts/6 0 0 0 0 0 0 0 0 44062 93792 G
jail# pstat -t | grep pts/ | wc -l
85
Devfs does the filtering correctly and we get only one entry:
Kyle Evans [Wed, 3 Jan 2024 22:17:59 +0000 (16:17 -0600)]
bhyveload: use a dirfd to support -h
Don't allow lookups from the loader scripts, which in rare cases may be
in guest control depending on the setup, to leave the specified host
root. Open the root dir and strictly do RESOLVE_BENEATH lookups from
there.
cb_open() has been restructured a bit to work nicely with this, using
fdopendir() in the directory case and just using the fd we already
opened in the regular file case.
hostbase_open() was split out to provide an obvious place to apply
rights(4) if that's something we care to do.
Olivier Certner [Tue, 30 May 2023 16:35:08 +0000 (18:35 +0200)]
setusercontext(): Apply personal settings only on matching effective UID
Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
to getuid() before calling setlogincontext(). Doing so still allows
a setuid program to apply resource limits and priorities specified in
a user-controlled configuration file ('~/.login_conf') where
a non-setuid program could not. Plug the hole by checking instead that
the process' effective UID is the target one (which is likely what was
meant in the initial commit).
PR: 271750
Reviewed by: kib, des
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40351
Approved by: so
Security: FreeBSD-EN-24:02.libutil
Kristof Provost [Wed, 29 Nov 2023 18:06:31 +0000 (19:06 +0100)]
pf: remove incorrect fragmentation check
We do not need to check PFDESC_IP_REAS while tracking TCP state.
Moreover, this check incorrectly considers no-data packets (e.g. RST) to
be in-window when this flag is not set.
Dimitry Andric [Wed, 22 Nov 2023 18:23:06 +0000 (19:23 +0100)]
compiler-rt: avoid segfaults when re-exec'ing with ASLR
The ReExec() function that re-executes the binary after
turning off ASLR should not call elf_aux_info(3) and realpath(3), since
these will also be intercepted. Instead, loop directly over the elf aux
info vector to find the executable path, and avoid calling realpath(3)
since it is actually unwanted for this use case.
Christos Zoulas [Wed, 30 Aug 2023 20:37:24 +0000 (20:37 +0000)]
regcomp: use unsigned char when testing for escapes
- cast GETNEXT to unsigned where it is being promoted to int to prevent
sign-extension (really it would have been better for PEEK*() and
GETNEXT() to return unsigned char; this would have removed a ton of
(uch) casts, but it is too intrusive for now).
- fix an isalpha that should have been iswalpha
Kyle Evans [Thu, 12 Oct 2023 02:51:07 +0000 (21:51 -0500)]
freebsd-update: create deep BEs by default
The -r flag to bectl needs to go away, and we need to just do the right
thing. In the meantime, we can apply an -r in freebsd-update as a
minimal fix to stop creating partial backups in these (non-default) deep
BE setups.
Mariusz Zaborski [Mon, 23 Oct 2023 21:03:51 +0000 (23:03 +0200)]
cap_net: correct capability name from addr2name to name2addr
Previously, while checking name2addr capabilities, we mistakenly used
the addr2name set. This error could cause a process to inadvertently
reset its limitations.
The commit that purported to fix CVE-2014-8611 (805288c2f062) only hid
it behind another bug. Two later commits, 86a16ada1ea6 and 44cf1e5eb470, attempted to address this new bug but mostly just confused
the issue. This commit rolls back the three previous changes and fixes
CVE-2014-8611 correctly.
The key to understanding the bug (and the fix) is that `_w` has
different meanings for different stream modes. If the stream is
unbuffered, it is always zero. If the stream is fully buffered, it is
the amount of space remaining in the buffer (equal to the buffer size
when the buffer is empty and zero when the buffer is full). If the
stream is line-buffered, it is a negative number reflecting the amount
of data in the buffer (zero when the buffer is empty and negative buffer
size when the buffer is full).
At the heart of `fflush()`, we call the stream's write function in a
loop, where `t` represents the return value from the last call and `n`
the amount of data that remains to be written. When the write function
fails, we need to move the unwritten data to the top of the buffer
(unless nothing was written) and adjust `_p` (which points to the next
free location in the buffer) and `_w` accordingly. These variables have
already been set to the values they should have after a successful
flush, so instead of adjusting them down to reflect what was written,
we're adjusting them up to reflect what remains.
The bug was that while `_p` was always adjusted, we only adjusted `_w`
if the stream was fully buffered. The fix is to also adjust `_w` for
line-buffered streams. Everything else is just noise.
Fixes: 805288c2f062 Fixes: 86a16ada1ea6 Fixes: 44cf1e5eb470
Sponsored by: Klara, Inc.
Andrew Turner [Mon, 18 Sep 2023 16:34:51 +0000 (17:34 +0100)]
arm64: Fix errata workarounds that depend on smccc
Some arm64 errata depend on calling into the firmware via the SMCCC
interface. This needs to happen after the psci driver has attached
as they share the interface.
Fix this by allowing the workarounds to mark when they depend on
device drivers attaching.
This is only an issue on CPU 0 as the workarounds are applied later
for the non-boot CPUs.
Reviewed by: emaste
Approved by: so
Security: FreeBSD-SA-23:14.smccc
Security: CVE-2023-5370
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D41916
When using copy_file_range(2) with an offset parameter,
the CAP_SEEK capability should be required.
This requirement is similar to the behavior observed with
pread(2)/pwrite(2).
Ed Maste [Wed, 27 Sep 2023 13:36:33 +0000 (09:36 -0400)]
freebsd-update: handle file -> directory on upgrade
Upgrading from FreeBSD 13.2 to 14.0 failed with
install: ///usr/include/c++/v1/__string exists but is not a directory
because __string changed from a file to a directory with an LLVM
upgrade.
Now, remove the existing file when the type conflicts. Note that this
is only an interim fix to facilitate upgrades from 13.2 for 14.0 BETA
testing. This change does not handle the directory -> file case and
further work is needed.
PR: 273661
Reviewed by: dim, gordon
Approved by: so
Security: FreeBSD-EN-23:12.freebsd-update
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41893
With 'scrub fragment reassemble' if a packet contains multiple IPv6
fragment headers we would reassemble the packet and immediately
continue processing it.
That is, we'd remove the first fragment header and expect the next
header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if
it's another fragment header we'd not treat the packet correctly.
That is, we'd fail to recognise the payload and treat it as if it were
an IPv6 fragment rather than as its actual payload.
Fix this by restarting the normalisation on the reassembled packet.
If there are multiple fragment headers drop the packet.
Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Approved by: so
Security: FreeBSD-SA-23:10.pf
Security: CVE-2023-4809
Colin Percival [Fri, 5 May 2023 03:00:58 +0000 (20:00 -0700)]
freebsd-update: Fix merging already-updated files
When performing an "upgrade" (moving between FreeBSD releases, as
opposed to "update" which merely applies security/errata updates
to the installed release) FreeBSD Update:
1. Generates a list of "files needing to be merged", namely those
files which don't match the version installed in the "old" release
and have paths matching the MergeChanges configuration directive
(by default, /boot/device.hints and everything under /etc/).
and later on,
2. Compares the currently-installed files to the versions in the
"new" release, removing index entries for files which "don't need
to be updated because they're not changing".
Unfortunately if a file falls into both of these categories -- that
is to say, if a file in /etc/ is the same as the version in the new
release and not the same as the version in the old release -- the
resulting "merge" step saw that the file was no longer listed as
being part of the new release, resulting in the file being deleted.
For the first 18 years of FreeBSD Update's existence, this never
happened, since $FreeBSD$ tags resulted in "new release" files
always being different from any files systems would already have
installed.
This commit fixes this behaviour by only placing a file into the
"files needing to be merged" list if it does not match the version
in the old release *or* the version in the new release.
Reported by: des
Reviewed by: delphij (earlier version), des, emaste
Approved by: so
Security: FreeBSD-EN-23:09.freebsd-update
Differential Revision: https://reviews.freebsd.org/D39973
John Baldwin [Thu, 29 Jun 2023 18:27:12 +0000 (11:27 -0700)]
bhyve: Fully reset the fwctl state machine if the guest requests a reset.
If a guest tries to reset the fwctl device while a pending request was
in flight, the fwctl state machine can be left in an incomplete state.
Specifically, rinfo is not cleared.
Normally the state machine for fwctl alternates between REQ (receiving
request) and RESP (sending response) and ignores port writes while in
RESP or port reads while in REQ. Once a guest completes the writes to
the port to send a request, the state machine transitions to RESP and
ignores future writes.
However, if a guest writes a full request and then resets the fwctl
device, the state would transition to REQ without draining the pending
response or discarding the received request. Instead, additional
port writes after the reset were treated as new payload bytes, but
were appended to the previously-received request and could overflow
the fget_str buffer.
To fix, fully reset the fwctl state machine if the guest requests a
reset.
admbugs: 998
Approved by: so
Reviewed by: markj
Reported by: Omri Ben Bassat <t-benbassato@microsoft.com>
Security: FreeBSD-SA-23:07.bhyve
Security: CVE-2023-3494
Cy Schubert [Wed, 31 May 2023 19:20:27 +0000 (12:20 -0700)]
pam_krb5: Fix spoofing vulnerability
An adversary on the network can log in via ssh as any user by spoofing
the KDC. When the machine has a keytab installed the keytab is used to
verify the service ticket. However, without a keytab there is no way
for pam_krb5 to verify the KDC's response and get a TGT with the
password.
If both the password _and_ the KDC are controlled by an adversary, the
adversary can provide a password that the adversary's spoofed KDC will
return a valid tgt for. Currently, without a keytab, pam_krb5 is
vulnerable to this attack.
Reported by: Taylor R Campbell <riastradh@netbsd.org> via emaste@
Reviewed by: so
Approved by: so
Security: FreeBSD-SA-23:04.pam_krb5
Security: CVE-2023-3326
Before the commit 6cc44223cb6717795afdac4348bbe7e2a968a07d the
field event_mask was fully copied to the EventMasks field.
After this commit the event_mask (uint8_t) is 4 times casted to
EventMask (uint32_t). Because of that 24 bits of each event_mask array
is lost.
This commits brings back simple copying of field, and after words
converting 32 bits field to the requested endian.
I don't think we need more sophisticated method,
as the array is of size 4 (for 32 bits version).
loader: comconsole: don't unconditionally wipe out hw.uart.console
It may be the case that we need to set hw.uart.console manually in some
scenarios that comconsole can't necessarily support. Avoid clobbering
hw.uart.console unless we've actually selected comconsole so that one
could at least get kernel console output..
The tzdata 2023c release reverts all changes made in 2023b other than
commentary, as that appears to be the best of a bad set of short-notice
choices for modeling this week's daylight saving chaos in Lebanon.
Mark Johnston [Wed, 10 Nov 2021 21:57:12 +0000 (16:57 -0500)]
mbuf: Fix an offset calculation in m_apply_extpg_one()
We were not including the requested starting offset in the page offset.
Approved by: re (cperciva)
Reviewed by: jhb
Fixes: 3c7a01d773ac ("Extend m_apply() to support unmapped mbufs.")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32922
Warner Losh [Wed, 22 Mar 2023 02:25:58 +0000 (20:25 -0600)]
_endian.h: Include sys/cdefs.h for visibility macros
BYTE_ORDER, LITTLE_ENDIAN and BIG_ENDIAN will be required by the
forthcoming POSIX Issue 8. In addition, they are provided in the BSD
compilation environments. However, depending on the order includes
happend, sys/cdefs.h may or may not be included when endian.h is
included. Include it here so we can safely test __BSD_VISIBLE. Add
visibility when we're compiling in the future for issue 8, but since the
date number for issue 8 hasn't been fixed, use strictly greater than the
issue 7 date.of 200809.
This had the side effect of sometimes (in the traditional BSD
compliation environment)
#if BYTE_ORDER == LITTLE_ENDIAN
and
#if BYTE_ORDER == BIG_ENDIAN
both being true because none of these were defined. This fixes
that. It also fixes including it after <stdio.h> but not before.
Mark Johnston [Mon, 20 Mar 2023 18:16:00 +0000 (14:16 -0400)]
kerneldump: Inline dump_savectx() into its callers
The callers of dump_savectx() (i.e., doadump() and livedump_start())
subsequently call dumpsys()/minidumpsys(), which dump the calling
thread's stack when writing the dump. If dump_savectx() gets its own
stack frame, that frame might be clobbered when its caller later calls
dumpsys()/minidumpsys(), making it difficult for debuggers to unwind the
stack.
Fix this by making dump_savectx() a macro, so that savectx() is always
called directly by the function which subsequently calls
dumpsys()/minidumpsys().
This fixes stack unwinding for the panicking thread from arm64
minidumps. The same happened to work on amd64, but kgdb reports the
dump_savectx() calls as coming from dumpsys(), so in that case it
appears to work by accident.
Approved by: re (gjb)
Fixes: c9114f9f86f9 ("Add new vnode dumper to support live minidumps")
Reviewed by: mhorne, jhb
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D39151
Ed Maste [Thu, 16 Mar 2023 14:29:55 +0000 (10:29 -0400)]
ssh: Update to OpenSSH 9.3p1
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
problem was found by the Coverity static analyzer.
Approved by: re (cperciva)
Sponsored by: The FreeBSD Foundation
Cy Schubert [Tue, 7 Feb 2023 15:46:59 +0000 (07:46 -0800)]
heimdal: Resolve hdb_free_entry() SIGSEGV/SIGILL
When the client sends kadmind a create principal (kadm_create) request
kadm_s_create_principal() returns an error before zeroing out ent (an
hdb entry structure wrapper -- hdb_entry_ex), resulting in a NULL
reference.
When CVE-2022-3437 was fixed by changing memcmp to be a constant
time and the workaround for th e compiler was to add "!=0". However
the logic implmented was inverted resulting in CVE-2022-4152.
Tom Hukins [Sat, 4 Mar 2023 15:59:02 +0000 (08:59 -0700)]
netlink: Fix "version introduced" documentation
netlink(4) and associated features will exist in FreeBSD 14.0 but they
will also exist in 13.2, an older version, from commits such as 02b958b1
and b309249b.
This commit needs merging to stable/13 and releng/13.2.
MFC after: 2days (needs to be in RC2)
Reviewed by: imp,melifaro
Pull Request: https://github.com/freebsd/freebsd-src/pull/651
Approved by: re@ (cperciva)
Warner Losh [Mon, 13 Mar 2023 20:28:51 +0000 (14:28 -0600)]
makefs: make msdos creation go fast
Add missing brelse(bp). Without it the cache grows and we have a n^2
lookup. I'm not entirely sure why we read the block before we write it
back out, since the only side effect of that is to allocate memory,
clear the memory, read it in from disk, throw it away with the contents
of the file being written out. We likely should just do a getblk() here
instead, but even with all that, this takes the time it takes to create
a 150MB msdos fs image down from 5 minutes to 30 seconds.
See code review for how we got this. tl;dr: netbsd move brelse
into bwrite and we picked up msdos code after that, but not the
move. That change should be picked up later.
Justin Hibbits [Sun, 12 Mar 2023 15:46:57 +0000 (11:46 -0400)]
powerpc/pmap: Add pmap_sync_icache() for radix pmap
DTrace pid provider writes to user space to set breakpoints. Failing to
sync the icache can lead to SIGTRAP. Radix pmap is the only one missing
a pmap_sync_icache() method, so the pid provider would only potentially
crash a process on a POWER9 or later system.
Justin Hibbits [Sat, 11 Mar 2023 16:30:00 +0000 (11:30 -0500)]
dtrace/powerpc: "Fix" stack traces across trap frames
In function boundary tracing the link register is not yet saved to the
save stack location, so the save point contains whatever the previous
'lr' save was, or even garbage, at the time the trap is taken. Address
this by explicitly loading the link register from the trap frame instead
of the stack, and propagate that out.
Mark Johnston [Wed, 1 Mar 2023 20:21:30 +0000 (15:21 -0500)]
epair: Simplify the transmit path and address lost wakeups
epairs currently shuttle all transmitted packets through a single global
taskqueue thread. To hand packets over to the taskqueue thread, each
epair maintains a pair of ring buffers and a lockless scheme for
notifying the thread of pending work. The implementation can lead to
lost wakeups, causing to-be-transmitted packets to end up stuck in the
queue.
Rather than extending the existing scheme, simply replace it with a
linked list protected by a mutex, and use the mutex to synchronize
wakeups of the taskqueue thread. This appears to give equivalent or
better throughput with >= 16 producer threads and eliminates the lost
wakeups.
Mark Johnston [Mon, 6 Mar 2023 14:39:17 +0000 (09:39 -0500)]
epair: Avoid loading m_flags into a short
The m_flags field of struct mbuf is 24 bits wide and so gets truncated
in a couple of places in the epair code. Instead of preserving the
entire flag set, just remember whether M_BCAST or M_MCAST is set.
Approved by: re (cperciva)
MFC after: 1 week
Sponsored by: Klara, Inc.
Gordon Bergling [Sun, 26 Feb 2023 13:33:58 +0000 (14:33 +0100)]
route.8: Fix mandoc warnings
- skipping end of block that is not open: Oc
- no blank before trailing delimiter
- remove useless TN macros
- remove commented out reference for esis(4)
Approved by: re (cperciva)
Differential Revision: https://reviews.freebsd.org/D38783
Gordon Bergling [Sun, 26 Feb 2023 13:15:34 +0000 (14:15 +0100)]
route.8: Add information about ROUTE_MPATH and FIB_ALGO
Since the kernel options ROUTE_MPATH and FIB_ALGO are enabled
per default for a while, it's good to have some user facing
documetation about the general functionality of multipath
routing and fib lookup algorithms.
Reviewed by: pauamma, Jose Luis Duran <jlduran at gmail dot com>
Approved by: re (cperciva)
Differential Revision: https://reviews.freebsd.org/D38783
Tijl Coosemans [Wed, 15 Feb 2023 20:09:51 +0000 (21:09 +0100)]
rc.d: Generate machine-id from hostid_save
rc.d/hostid_save saves a UUID generated by rc.d/hostid in /etc/hostid.
Store the same UUID, without hyphens, in /etc/machine-id. The hyphens
are removed with a shell function because hostid_save runs before file
systems are mounted so other tools may not be available yet.
This eliminates some duplication between hostid and machine-id and for
virtual machines machine-id now contains the UUID configured in the
hypervisor like it does on Linux.
projects / FreeBSD / FreeBSD.git / log