Re: malloc.conf: better docs and impl for J/J

2016-07-05 Thread Otto Moerbeek
On Sun, Jul 03, 2016 at 09:31:11AM +0200, Otto Moerbeek wrote:

> On Sat, Jul 02, 2016 at 01:17:10PM -0400, Ted Unangst wrote:
> 
> > Otto Moerbeek wrote:
> > > Hi,
> > > 
> > > J/j is actually a three-valued variable. So document that and make it
> > > possible to set all three values. The default is still 1.
> > 
> > I initially left the default as is deliberately. I would like for there to 
> > be
> > fewer options, because I think people spend too much mental effort picking 
> > the
> > "right" setting. We should be spending that effort making the default the 
> > best
> > it can be.
> > 
> > In this case, I'm not sure how or why the user would want to set it 1. It
> > starts at 1. If you like it, don't change it. If you don't like it, change 
> > it
> > to 0 or 2. 
> 
> A case is: you have a malloc.conf with S or J, and you want to run a
> single program with the default using MALLOC_OPTIONS to hunt a bug.
> Currently there's no way to do that.
> 
>   -Otto

So what about the diff?

-Otto



Re: pledge bpf + 32bit arch unbreak

2016-07-05 Thread Sebastien Marie
On Tue, Jul 05, 2016 at 08:12:05PM +0200, Martin Pelikan wrote:
> 
> The uint64_t part still stands.
> 

ok semarie@

-- 
Sebastien Marie



Add libtls functionality for OCSP, and OCSP stapling support

2016-07-05 Thread Bob Beck
Ok, so this work was done by Marko Kreen, all as the result of a very long 
discussion in:

https://github.com/libressl-portable/openbsd/pull/47

In a nutshell, I threw down a glove that libtls could have functions to support
OCSP, and make it possible for a client to write its own OCSP handling, but I
would resist making libtls an HTTP library that does that for you.  I
challenged him to add the necessary support functions so that it was possible
to write such a client.

He delivered, and I've cleaned a few things up in it. (after a long delay which
I apologize for)

Attached to this message is marko's test program, which uses libcurl - The diff 
is
for our libtls, and I've been able to compile and use his test program with it:

$ ./oc amazon.com
libssl: LibreSSL 2.4.1
OCSP stapling: good
  req_status=0 cert_status=0 crl_reason=0
  this update: Mon Jul  4 08:17:21 2016
  next update: Mon Jul 11 08:17:21 2016
  revocation: --
OCSP URL: http://ss.symcd.com
OCSP responder: good
  req_status=0 cert_status=0 crl_reason=0
  this update: Mon Jul  4 08:17:21 2016
  next update: Mon Jul 11 08:17:21 2016
  revocation: --
$ ./oc google.com
libssl: LibreSSL 2.4.1
OCSP stapling: no-ocsp
OCSP URL: http://clients1.google.com/ocsp
OCSP responder: good
  req_status=0 cert_status=0 crl_reason=0
  this update: Tue Jul  5 13:00:28 2016
  next update: Tue Jul 12 13:00:28 2016
  revocation: --
$ 

Discussion, OK's

diff --git lib/libtls/Makefile lib/libtls/Makefile
index ca2f00b..461bf44 100644
--- lib/libtls/Makefile
+++ lib/libtls/Makefile
@@ -19,6 +19,7 @@ SRCS= tls.c \
tls_peer.c \
tls_server.c \
tls_util.c \
+   tls_ocsp.c \
tls_verify.c
 
 MAN=   tls_init.3
diff --git lib/libtls/tls.c lib/libtls/tls.c
index 76d00e5..b00bea8 100644
--- lib/libtls/tls.c
+++ lib/libtls/tls.c
@@ -393,6 +393,13 @@ tls_reset(struct tls *ctx)
tls_free_conninfo(ctx->conninfo);
free(ctx->conninfo);
ctx->conninfo = NULL;
+
+   tls_ocsp_info_free(ctx->ocsp_info);
+   ctx->ocsp_info = NULL;
+   ctx->ocsp_result = NULL;
+
+   if (ctx->flags & TLS_OCSP_CLIENT)
+   tls_ocsp_client_free(ctx);
 }
 
 int
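Review bot: After `tls_ocsp_client_free(ctx)` on the last added line, `TLS_OCSP_CLIENT` stays set in `ctx->flags` unless the helper clears it, which this hunk does not show; if it does not, a second tls_reset() on the same ctx would call the free again on whatever state the first call left. If the helper does not own that bit, add `ctx->flags &= ~TLS_OCSP_CLIENT;` directly after the call, and either way a one-line comment saying which side clears the flag would make the ownership explicit. `ctx->ocsp_result` is nulled without being freed, which is only right if it points into ocsp_info or at static text — worth stating in a comment such as `/* ocsp_result is not owned here; it is freed with ocsp_info */`, presumably after confirming against tls_ocsp.c. tls_reset()'s body starts outside the hunk.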
diff --git lib/libtls/tls.h lib/libtls/tls.h
index 75c46c1..da6cd69 100644
--- lib/libtls/tls.h
+++ lib/libtls/tls.h
@@ -40,6 +40,29 @@ extern "C" {
 
 #define TLS_WANT_POLLIN-2
 #define TLS_WANT_POLLOUT   -3
+#define TLS_NO_OCSP-4
+
+#define TLS_OCSP_RESPONSE_SUCCESSFUL   0
+#define TLS_OCSP_RESPONSE_MALFORMED1
+#define TLS_OCSP_RESPONSE_INTERNALERR  2
+#define TLS_OCSP_RESPONSE_TRYLATER 3
+#define TLS_OCSP_RESPONSE_SIGREQUIRED  5
+#define TLS_OCSP_RESPONSE_UNAUTHORIZED 6
+
+#define TLS_OCSP_CERT_GOOD 0
+#define TLS_OCSP_CERT_REVOKED  1
+#define TLS_OCSP_CERT_UNKNOWN  2
+
+#define TLS_CRL_REASON_UNPSECIFIED 0
+#define TLS_CRL_REASON_KEY_COMPROMISE  1
+#define TLS_CRL_REASON_CA_COMPROMISE   2
+#define TLS_CRL_REASON_AFFILIATION_CHANGED 3
+#define TLS_CRL_REASON_SUPERSEDED  4
+#define TLS_CRL_REASON_CESSATION_OF_OPERATION  5
+#define TLS_CRL_REASON_CERTIFICATE_HOLD6
+#define TLS_CRL_REASON_REMOVE_FROM_CRL 8
+#define TLS_CRL_REASON_PRIVILEGE_WITH_DRAWN9
+#define TLS_CRL_REASON_AA_COMPROMISE   10
 
 struct tls;
 struct tls_config;
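Review bot: `TLS_CRL_REASON_UNPSECIFIED` and `TLS_CRL_REASON_PRIVILEGE_WITH_DRAWN` are misspelled in a public header; once this ships, applications will compile against the misspelled names and they cannot be corrected without breaking them. Spell them `TLS_CRL_REASON_UNSPECIFIED` and `TLS_CRL_REASON_PRIVILEGE_WITHDRAWN`, matching the CRLReason names in RFC 5280, before this is committed. The gaps at response status 4 and CRL reason 7 follow the RFC numbering but look like typos to a reader, so a comment such as `/* values follow RFC 6960 OCSPResponseStatus and RFC 5280 CRLReason; 4 and 7 are unassigned there */` would stop someone from "fixing" them later.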
@@ -70,6 +93,8 @@ int tls_config_set_keypair_file(struct tls_config *_config,
 const char *_cert_file, const char *_key_file);
 int tls_config_set_keypair_mem(struct tls_config *_config, const uint8_t 
*_cert,
 size_t _cert_len, const uint8_t *_key, size_t _key_len);
+int tls_config_set_ocsp_stapling_file(struct tls_config *_config, const char 
*_blob_file);
+int tls_config_set_ocsp_stapling_mem(struct tls_config *_config, const uint8_t 
*_blob, size_t _len);
 void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
 void tls_config_set_verify_depth(struct tls_config *_config, int 
_verify_depth);
 
@@ -121,6 +146,18 @@ const char *tls_conn_cipher(struct tls *_ctx);
 
 uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
 
+int tls_get_ocsp_info(struct tls *ctx, int *response_status, int *cert_status, 
int *crl_reason,
+ time_t *this_update, time_t *next_update, time_t 
*revoction_time,
+ const char **result_text);
+
+int tls_ocsp_check_peer_request(struct tls **ocsp_ctx_p, struct tls *target,
+   char **ocsp_url, void **request_blob, size_t 
*request_size);
+
+int tls_ocsp_refresh_stapling_request(struct tls **ocsp_ctx_p, struct 
tls_config *config,
+   char **ocsp_url, void **request_blob, size_t *request_size);
+
+int tls_ocsp_process_response(struct tls *ctx, const void *response_blob, 
size_t size);
+
 #ifdef __cplusplus
 }
 #endif
diff --git lib/libtls/tls_client.c lib/libtls/tls_client.c
index 3847f4c..86dd9a8 

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-05 Thread Marc Espie
On Tue, Jul 05, 2016 at 07:21:57PM -0400, Ted Unangst wrote:
> Tim Newsham wrote:
> > Recommendation:
> > Validate the device number vap->va_rdev in tmpfs_mknod() and return
> > an error if it is VNOVAL (-1).
> 
> Sounds about right to me.
> 
> Index: tmpfs_vnops.c
> ===
> RCS file: /cvs/src/sys/tmpfs/tmpfs_vnops.c,v
> retrieving revision 1.27
> diff -u -p -r1.27 tmpfs_vnops.c
> --- tmpfs_vnops.c 19 Jun 2016 11:54:33 -  1.27
> +++ tmpfs_vnops.c 5 Jul 2016 23:20:33 -
> @@ -343,6 +343,10 @@ tmpfs_mknod(void *v)
>   vput(dvp);
>   return EINVAL;
>   }
> + if ((vt == VBLK || vt == VCHR) && vap->va_rdev == VNOVAL) {
> + vput(dvp);
> + return EINVAL;
> + }
>  
>   /* tmpfs_alloc_file() will unlock 'dvp'. */
>   error = tmpfs_alloc_file(dvp, vpp, vap, cnp, NULL);
Better than what I had. I missed the VFIFO case.

Fold both tests together though, so that the same error path is more
apparent ?



Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-05 Thread Ted Unangst
Tim Newsham wrote:
> Recommendation:
> Validate the device number vap->va_rdev in tmpfs_mknod() and return
> an error if it is VNOVAL (-1).

Sounds about right to me.

Index: tmpfs_vnops.c
===
RCS file: /cvs/src/sys/tmpfs/tmpfs_vnops.c,v
retrieving revision 1.27
diff -u -p -r1.27 tmpfs_vnops.c
--- tmpfs_vnops.c   19 Jun 2016 11:54:33 -  1.27
+++ tmpfs_vnops.c   5 Jul 2016 23:20:33 -
@@ -343,6 +343,10 @@ tmpfs_mknod(void *v)
vput(dvp);
return EINVAL;
}
+   if ((vt == VBLK || vt == VCHR) && vap->va_rdev == VNOVAL) {
+   vput(dvp);
+   return EINVAL;
+   }
 
/* tmpfs_alloc_file() will unlock 'dvp'. */
error = tmpfs_alloc_file(dvp, vpp, vap, cnp, NULL);
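Review bot: The new check carries no comment saying why VNOVAL in particular is rejected, and a reader of tmpfs_mknod() cannot see that tmpfs_alloc_node() KASSERTs `rdev != VNOVAL` for VBLK/VCHR, so the test looks arbitrary. Add `/* tmpfs_alloc_node() KASSERTs rdev != VNOVAL for devices; reject it here */` above the new `if`. Since the value comes straight from userland's dev_t argument (the report's program passes -1), this test is the only thing between root and a kernel panic, which is worth saying in that comment too. tmpfs_mknod()'s body starts outside the hunk.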



route6d summer cleanup

2016-07-05 Thread Jeremie Courreges-Anglas

Nobody cares about route6d, and it shows: it runs as root, is not chrooted,
and uses wide pledge(2) permissions.

I have diffs to switch the logging to log.c and use it to support the -R
option and /var/run/route6d_dump.  The end goal is to use a tighter
pledge(2) call:
+   if (pledge("stdio inet route mcast", NULL) == -1)

But first I'd like to get rid of a few "nits".

- nuke util.h, not needed since pidfile(3) went away
- nuke the rrt_same member of struct riprt, "future use" since import
- mark rtdexit as __dead
- nuke progname handling
- fix pid handling: cache the pid *after* calling daemon(3)
- nuke the useless myseq variable

ok?


Index: route6d.c
===
RCS file: /cvs/src/usr.sbin/route6d/route6d.c,v
retrieving revision 1.86
diff -u -p -p -u -r1.86 route6d.c
--- route6d.c   25 Jan 2016 05:15:43 -  1.86
+++ route6d.c   5 Jul 2016 22:26:36 -
@@ -58,7 +58,6 @@
 #include 
 #include 
 #include 
-#include 
 
 #include "route6d.h"
 
@@ -142,7 +141,6 @@ struct  rip6 *ripbuf;   /* packet buffer fo
 
 struct riprt {
struct  riprt *rrt_next;/* next destination */
-   struct  riprt *rrt_same;/* same destination - future use */
struct  netinfo6 rrt_info;  /* network info */
struct  in6_addr rrt_gw;/* gateway */
u_long  rrt_flags;  /* kernel routing table flags */
@@ -215,7 +213,7 @@ void ifdump(int);
 void ifdump0(FILE *, const struct ifc *);
 void rtdump(int);
 void rt_entry(struct rt_msghdr *, int);
-void rtdexit(void);
+__dead void rtdexit(void);
 void riprequest(struct ifc *, struct netinfo6 *, int, struct sockaddr_in6 *);
 void ripflush(struct ifc *, struct sockaddr_in6 *);
 void sendrequest(struct ifc *);
@@ -253,16 +251,8 @@ main(int argc, char *argv[])
int error = 0;
struct  ifc *ifcp;
sigset_t mask, omask;
-   char *progname;
char *ep;
 
-   progname = strrchr(*argv, '/');
-   if (progname)
-   progname++;
-   else
-   progname = *argv;
-
-   pid = getpid();
while ((ch = getopt(argc, argv, "A:N:O:R:T:L:t:adDhlnqsS")) != -1) {
switch (ch) {
case 'A':
@@ -326,7 +316,9 @@ main(int argc, char *argv[])
}
}
 
-   openlog(progname, LOG_NDELAY|LOG_PID, LOG_DAEMON);
+   openlog("route6d", LOG_NDELAY|LOG_PID, LOG_DAEMON);
+
+   pid = getpid();
 
if ((ripbuf = calloc(RIP6_MAXMTU, 1)) == NULL)
fatal("calloc");
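Review bot: `pid = getpid()` is moved here with the stated intent of caching the pid after daemon(3), but the daemon(3) call is not within the hunk, so a reader cannot see that the ordering holds; a comment such as `/* after daemon(3): this is the pid the kernel will report in rtm_pid */` next to the assignment would make the dependency explicit and keep the next cleanup from hoisting it back above the fork. If daemon(3) is in fact called later than this point in main(), the cached value is still the parent's and the move does not fix the bug, so please confirm the order. main()'s body starts and ends outside the hunk.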
@@ -1268,7 +1260,6 @@ riprecv(void)
}
nq = >rrt_info;
 
-   rrt->rrt_same = NULL;
rrt->rrt_index = ifcp->ifc_index;
rrt->rrt_flags = RTF_UP|RTF_GATEWAY;
rrt->rrt_gw = nh;
@@ -1989,7 +1980,6 @@ ifrt(struct ifc *ifcp, int again)
if (ifcp->ifc_flags & IFF_UP) {
if ((rrt = calloc(1, sizeof(struct riprt))) == NULL)
fatal("calloc: struct riprt");
-   rrt->rrt_same = NULL;
rrt->rrt_index = ifcp->ifc_index;
rrt->rrt_t = 0; /* don't age */
rrt->rrt_info.rip6_dest = ifa->ifa_addr;
@@ -2145,7 +2135,6 @@ ifrt_p2p(struct ifc *ifcp, int again)
fatal("calloc: struct riprt");
/*NOTREACHED*/
}
-   rrt->rrt_same = NULL;
rrt->rrt_index = ifcp->ifc_index;
rrt->rrt_t = 0; /* don't age */
switch (i) {
@@ -2518,7 +2507,6 @@ rt_entry(struct rt_msghdr *rtm, int agai
/*NOTREACHED*/
}
np = >rrt_info;
-   rrt->rrt_same = NULL;
rrt->rrt_t = time(NULL);
if (aflag == 0 && (rtm->rtm_flags & RTF_STATIC))
rrt->rrt_t = 0; /* Don't age static routes */
@@ -2630,7 +2618,6 @@ addroute(struct riprt *rrt, const struct
rtm->rtm_type = RTM_ADD;
rtm->rtm_version = RTM_VERSION;
rtm->rtm_seq = ++seq;
-   rtm->rtm_pid = pid;
rtm->rtm_flags = rrt->rrt_flags;
rtm->rtm_addrs = RTA_DST | RTA_GATEWAY | RTA_NETMASK;
rtm->rtm_inits = RTV_HOPCOUNT;
@@ -2694,7 +2681,6 @@ delroute(struct netinfo6 *np, struct in6
rtm->rtm_type = RTM_DELETE;
rtm->rtm_version = RTM_VERSION;
rtm->rtm_seq = ++seq;
-   rtm->rtm_pid = pid;
rtm->rtm_flags = RTF_UP | RTF_GATEWAY;
if (np->rip6_plen == sizeof(struct in6_addr) * 8)
rtm->rtm_flags |= RTF_HOST;
@@ -2741,7 +2727,6 @@ struct in6_addr *
 getroute(struct netinfo6 *np, struct in6_addr *gw)
 {
u_char buf[BUFSIZ];
-   int myseq;
int len;
struct rt_msghdr *rtm;
struct sockaddr_in6 *sin6;
@@ -2751,8 +2736,7 @@ 

Root can panic kernel with mknod on a tmpfs filesystem

2016-07-05 Thread Tim Newsham
Hi, While fuzzing the openbsd system call interface we came across a
low severity issue.  The details are below in our proof-of-concept that
includes a writeup with recommendations.

Tim & Jesse @ NCC Group


/*
 * tmpfs_mknod_panic.c:
 *Demonstrate a panic in tmpfs when performing mknod
 *
 * gcc -g tmpfs_mknod_panic.c -o tmpfs_mknod_panic
 */

#ifdef BUG_WRITEUP //---
Root can panic kernel with mknod on a tmpfs filesystem

Impact:
Root can panic the kernel.

Description:
When performing a mknod system call on a tmpfs filesystem,
the tmpfs_alloc_node() function asserts that the rdev parameter
is not VNOVAL (-1):

/* Type-specific initialization. */
switch (nnode->tn_type) {
case VBLK:
case VCHR:
/* Character/block special device. */
KASSERT(rdev != VNOVAL);
nnode->tn_spec.tn_dev.tn_rdev = rdev;
break;

However, the value of rdev is never validated before this point.
Users that can perform mknod() calls on a tmpfs (i.e. root)
can trigger this condition to panic the kernel.

Reproduction:
Compile the attached test program and execute it as root with a path
to a non-existent filename on a tmpfs filesystem:

  # mount -o rw,-s16M -t tmpfs swap /mnt
  # gcc -g tmpfs_mknod_panic.c -o tmpfs_mknod_panic
  # ./tmpfs_mknod_panic /mnt/boom

This should cause the kernel to panic in tmpfs_alloc_node().

Recommendation:
Validate the device number vap->va_rdev in tmpfs_mknod() and return
an error if it is VNOVAL (-1).

Reported: 2016-07-05
Fixed:notyet
#endif // BUG_WRITEUP ---

#include 
#include 

int
main(int argc, char **argv)
{
    int arg;

    /*
     * Try to create a block special file at every path given on the
     * command line, passing -1 (VNOVAL) as the device number.  On an
     * unpatched tmpfs this reaches the KASSERT in tmpfs_alloc_node()
     * and panics the kernel; otherwise the error, if any, is reported
     * and the next path is tried.
     */
    for (arg = 1; arg < argc; arg++) {
        const char *path = argv[arg];

        if (mknod(path, S_IFBLK | 0666, -1) == -1)
            perror(path);
    }
    printf("nothing happened!\n");
    return 0;
}

-- 
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com


Re: [armv7] introducing tipru(4)

2016-07-05 Thread Ian Sutton
On Tue, Jul 5, 2016 at 12:56 AM, Jonathan Gray  wrote:
> I don't have time to look into how tied to the rest of the
> system the pru is at the moment.

I can save you the trouble; page 198 of am335x TRM:

"The PRUs have access to all resources on the SoC through the
Interface/OCP Master port"

> Perhaps it could only permit access at a particular securelevel
> like gpio or be disabled by default.

I'm willing to modify the design to fit whichever security model you
find appropriate. I like the idea of locking it to a securelevel. I'm
taking 'disabled by default' to mean you would have to add a specific
option to the config(8) input file, which I'm less thrilled about.





Re: pledge bpf + 32bit arch unbreak

2016-07-05 Thread Jeremie Courreges-Anglas
Martin Pelikan  writes:

[...]

> The uint64_t part still stands.

ok jca@

-- 
jca | PGP: 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: pledge bpf + 32bit arch unbreak

2016-07-05 Thread Martin Pelikan
> In many bpf-using programs, bpf is setup before privs are droppped,
> then locked, and then no significant ioctl's are done after that.
> 
> So please show the userland diffs that use this.

You're right.  I was thinking of arp(8) but that code path is write only.
I wrote it for the GSoC dhcpd which keeps a routing socket for interfaces
arriving/departing (plugging USB NICs or adding vlan(4)s into your router
really shouldn't make the dhcpd process die; even deleting interfaces will
keep the rest of the system serving happily).

It probably doesn't have to be there; the privileged part of the code fits
on a screen anyway and only does the bare minimum.

The uint64_t part still stands.


Index: kern/kern_pledge.c
===
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.174
diff -u -p -r1.174 kern_pledge.c
--- kern/kern_pledge.c  3 Jul 2016 04:36:08 -   1.174
+++ kern/kern_pledge.c  5 Jul 2016 17:35:04 -
@@ -79,7 +79,7 @@
 #include "drm.h"
 #endif
 
-int pledgereq_flags(const char *req);
+uint64_t pledgereq_flags(const char *req);
 int canonpath(const char *input, char *buf, size_t bufsize);
 int substrcmp(const char *p1, size_t s1, const char *p2, size_t s2);
 int resolvpath(struct proc *p, char **rdir, size_t *rdirlen, char **cwd,
@@ -404,7 +405,7 @@ sys_pledge(struct proc *p, void *v, regi
if (SCARG(uap, request)) {
size_t rbuflen;
char *rbuf, *rp, *pn;
-   int f;
+   uint64_t f;
 
rbuf = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
error = copyinstr(SCARG(uap, request), rbuf, MAXPATHLEN,
@@ -1514,7 +1534,7 @@ pledge_swapctl(struct proc *p)
 }
 
 /* bsearch over pledgereq. return flags value if found, 0 else */
-int
+uint64_t
 pledgereq_flags(const char *req_name)
 {
int base = 0, cmp, i, lim;



Re: pledge bpf + 32bit arch unbreak

2016-07-05 Thread Theo de Raadt
In many bpf-using programs, bpf is set up before privileges are dropped,
then locked, and no significant ioctls are done after that.
Meaning: while bpf is being set up the program is still fully
root, has no lockdown, etc., so the bpf programming component is
probably not the riskiest aspect...

So please show the userland diffs that use this.



pledge bpf + 32bit arch unbreak

2016-07-05 Thread Martin Pelikan
Only the bits necessary to set up a filter and lock down an incoming interface.


Index: kern/kern_pledge.c
===
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.174
diff -u -p -r1.174 kern_pledge.c
--- kern/kern_pledge.c  3 Jul 2016 04:36:08 -   1.174
+++ kern/kern_pledge.c  5 Jul 2016 17:35:04 -
@@ -79,7 +79,7 @@
 #include "drm.h"
 #endif
 
-int pledgereq_flags(const char *req);
+uint64_t pledgereq_flags(const char *req);
 int canonpath(const char *input, char *buf, size_t bufsize);
 int substrcmp(const char *p1, size_t s1, const char *p2, size_t s2);
 int resolvpath(struct proc *p, char **rdir, size_t *rdirlen, char **cwd,
@@ -359,6 +359,7 @@ static const struct {
uint64_t flags;
 } pledgereq[] = {
{ "audio",  PLEDGE_AUDIO },
+   { "bpf",PLEDGE_BPF },
{ "chown",  PLEDGE_CHOWN | PLEDGE_CHOWNUID },
{ "cpath",  PLEDGE_CPATH },
{ "disklabel",  PLEDGE_DISKLABEL },
@@ -404,7 +405,7 @@ sys_pledge(struct proc *p, void *v, regi
if (SCARG(uap, request)) {
size_t rbuflen;
char *rbuf, *rp, *pn;
-   int f;
+   uint64_t f;
 
rbuf = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
error = copyinstr(SCARG(uap, request), rbuf, MAXPATHLEN,
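Review bot: Widening `f` to uint64_t is the fix the subject calls the 32-bit unbreak, but nothing in the code records why an `int` was wrong, so a later cleanup could narrow it back; a comment such as `/* pledge flags are 64-bit (pledgereq[].flags, PLEDGE_* are ULL); an int silently drops the upper promises */` next to the declaration would protect it. The same note belongs on pledgereq_flags()'s return type in the later hunk. sys_pledge()'s body starts and ends outside the hunk.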
@@ -1198,6 +1199,25 @@ pledge_ioctl(struct proc *p, long com, s
 #endif /* NAUDIO > 0 */
}
 
+   if ((p->p_p->ps_pledge & PLEDGE_BPF)) {
+   switch (com) {
+   case BIOCGBLEN:
+   case BIOCVERSION:
+   case BIOCIMMEDIATE:
+   case BIOCSFILDROP:
+   case BIOCSHDRCMPLT:
+   case BIOCSETF:
+   case BIOCSETIF:
+   case BIOCSETWF:
+   case BIOCLOCK:
+   if ((fp->f_type == DTYPE_VNODE) &&
+   (vp->v_type == VCHR) &&
+   (cdevsw[major(vp->v_rdev)].d_open == bpfopen))
+   return (0);
+   break;
+   }
+   }
+
if ((p->p_p->ps_pledge & PLEDGE_DISKLABEL)) {
switch (com) {
case DIOCGDINFO:
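Review bot: The audio block that precedes this one is closed by `#endif /* NAUDIO > 0 */` (visible at the top of the hunk), but the new bpf block references `bpfopen` with no `#if NBPFILTER > 0` guard, so a kernel configured without bpfilter would presumably fail to link kern_pledge.o; wrap the block in the same kind of guard and include the generated bpfilter.h as the audio case does. Separately, the cover note says the promise covers setting up a filter and locking an incoming interface, yet the allowlist also admits BIOCSETWF and BIOCSHDRCMPLT, which configure the write side; either drop them or add a comment explaining why a capture-only program needs them. A short comment naming the ioctls deliberately left out would document the boundary for the next person who extends the list. pledge_ioctl()'s body starts and ends outside the hunk.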
@@ -1514,7 +1534,7 @@ pledge_swapctl(struct proc *p)
 }
 
 /* bsearch over pledgereq. return flags value if found, 0 else */
-int
+uint64_t
 pledgereq_flags(const char *req_name)
 {
int base = 0, cmp, i, lim;
Index: sys/pledge.h
===
RCS file: /cvs/src/sys/sys/pledge.h,v
retrieving revision 1.29
diff -u -p -r1.29 pledge.h
--- sys/pledge.h3 Jul 2016 04:36:08 -   1.29
+++ sys/pledge.h5 Jul 2016 17:35:04 -
@@ -58,6 +58,7 @@
 #define PLEDGE_VMM 0x4000ULL   /* vmm ioctls */
 #define PLEDGE_CHOWN   0x8000ULL   /* chown(2) family */
 #define PLEDGE_CHOWNUID0x0001ULL   /* allow owner/group 
changes */
+#define PLEDGE_BPF 0x0002ULL   /* bpf ioctls */
 
 /*
  * Bits outside PLEDGE_USERSET are used by the kernel itself
@@ -103,6 +104,7 @@ static struct {
{ PLEDGE_DRM,   "drm" },
{ PLEDGE_VMM,   "vmm" },
{ PLEDGE_CHOWNUID,  "chown" },
+   { PLEDGE_BPF,   "bpf" },
{ 0, NULL },
 };
 #endif



Re: [PATCH] dont increase the size of socket buffers in low memory situations

2016-07-05 Thread Simon Mages
2016-07-05 15:36 GMT+02:00, Claudio Jeker :
> On Tue, Jul 05, 2016 at 07:22:27AM -0600, Bob Beck wrote:
>> Makes sense to me.  Others?
>>
>>
>> On Tue, Jul 5, 2016 at 4:08 AM, Simon Mages 
>> wrote:
>> > At the moment the buffersize will be set to the default even if the
>> > current value
>> > is smaller.
>> >
>> > The following diff fixes this problem.
>> >
>> > Index: netinet/tcp_usrreq.c
>> > ===
>> > RCS file: /cvs/src/sys/netinet/tcp_usrreq.c,v
>> > retrieving revision 1.131
>> > diff -u -p -u -p -r1.131 tcp_usrreq.c
>> > --- netinet/tcp_usrreq.c18 Jun 2016 10:36:13 -  1.131
>> > +++ netinet/tcp_usrreq.c5 Jul 2016 09:26:24 -
>> > @@ -979,10 +979,11 @@ tcp_update_sndspace(struct tcpcb *tp)
>> > struct socket *so = tp->t_inpcb->inp_socket;
>> > u_long nmax;
>> >
>> > -   if (sbchecklowmem())
>> > +   if (sbchecklowmem()) {
>> > /* low on memory try to get rid of some */
>> > -   nmax = tcp_sendspace;
>> > -   else if (so->so_snd.sb_wat != tcp_sendspace)
>> > +   if (so->so_snd.sb_hiwat < nmax)
>> > +   nmax = tcp_sendspace;
>> > +   } else if (so->so_snd.sb_wat != tcp_sendspace)
>> > /* user requested buffer size, auto-scaling disabled */
>> > nmax = so->so_snd.sb_wat;
>> > else
>
> Here, nmax can be used uninitialized now.
> It needs be initialized to something maybe sb_hiwat?

That's true. I also found another bug in this diff; the new version follows.

>
>> > @@ -1017,10 +1018,11 @@ tcp_update_rcvspace(struct tcpcb *tp)
>> > struct socket *so = tp->t_inpcb->inp_socket;
>> > u_long nmax = so->so_rcv.sb_hiwat;
>> >
>> > -   if (sbchecklowmem())
>> > +   if (sbchecklowmem()) {
>> > /* low on memory try to get rid of some */
>> > -   nmax = tcp_recvspace;
>> > -   else if (so->so_rcv.sb_wat != tcp_recvspace)
>> > +   if (tcp_recvspace < nmax)
>> > +   nmax = tcp_recvspace;
>> > +   } else if (so->so_rcv.sb_wat != tcp_recvspace)
>> > /* user requested buffer size, auto-scaling disabled */
>> > nmax = so->so_rcv.sb_wat;
>> > else {
>> >
>
> Here there is no issue.
>
> --
> :wq Claudio
>

Index: netinet/tcp_usrreq.c
===
RCS file: /cvs/src/sys/netinet/tcp_usrreq.c,v
retrieving revision 1.131
diff -u -p -u -p -r1.131 tcp_usrreq.c
--- netinet/tcp_usrreq.c18 Jun 2016 10:36:13 -  1.131
+++ netinet/tcp_usrreq.c5 Jul 2016 13:41:49 -
@@ -977,12 +977,13 @@ void
 tcp_update_sndspace(struct tcpcb *tp)
 {
struct socket *so = tp->t_inpcb->inp_socket;
-   u_long nmax;
+   u_long nmax = so->so_snd.sb_hiwat;

-   if (sbchecklowmem())
+   if (sbchecklowmem()) {
/* low on memory try to get rid of some */
-   nmax = tcp_sendspace;
-   else if (so->so_snd.sb_wat != tcp_sendspace)
+   if (tcp_sendspace < nmax)
+   nmax = tcp_sendspace;
+   } else if (so->so_snd.sb_wat != tcp_sendspace)
/* user requested buffer size, auto-scaling disabled */
nmax = so->so_snd.sb_wat;
else
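Review bot: The comment `/* low on memory try to get rid of some */` now describes only half of the branch: `nmax` starts at `so->so_snd.sb_hiwat` and is lowered to `tcp_sendspace` only when that is smaller, so the branch shrinks but never grows the buffer. Reword it to `/* low on memory: shrink to the default, never grow */` so the asymmetry with the auto-scaling branch below is visible to the next reader. tcp_update_sndspace()'s body ends outside the hunk.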
@@ -1017,10 +1018,11 @@ tcp_update_rcvspace(struct tcpcb *tp)
struct socket *so = tp->t_inpcb->inp_socket;
u_long nmax = so->so_rcv.sb_hiwat;

-   if (sbchecklowmem())
+   if (sbchecklowmem()) {
/* low on memory try to get rid of some */
-   nmax = tcp_recvspace;
-   else if (so->so_rcv.sb_wat != tcp_recvspace)
+   if (tcp_recvspace < nmax)
+   nmax = tcp_recvspace;
+   } else if (so->so_rcv.sb_wat != tcp_recvspace)
/* user requested buffer size, auto-scaling disabled */
nmax = so->so_rcv.sb_wat;
else {
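Review bot: As in tcp_update_sndspace(), the comment `/* low on memory try to get rid of some */` no longer matches the code, which only lowers `nmax` to `tcp_recvspace` when the current `sb_hiwat` is larger; reword it to `/* low on memory: shrink to the default, never grow */`. tcp_update_rcvspace()'s body ends outside the hunk.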



Re: [PATCH] dont increase the size of socket buffers in low memory situations

2016-07-05 Thread Claudio Jeker
On Tue, Jul 05, 2016 at 07:22:27AM -0600, Bob Beck wrote:
> Makes sense to me.  Others?
> 
> 
> On Tue, Jul 5, 2016 at 4:08 AM, Simon Mages  
> wrote:
> > At the moment the buffersize will be set to the default even if the
> > current value
> > is smaller.
> >
> > The following diff fixes this problem.
> >
> > Index: netinet/tcp_usrreq.c
> > ===
> > RCS file: /cvs/src/sys/netinet/tcp_usrreq.c,v
> > retrieving revision 1.131
> > diff -u -p -u -p -r1.131 tcp_usrreq.c
> > --- netinet/tcp_usrreq.c18 Jun 2016 10:36:13 -  1.131
> > +++ netinet/tcp_usrreq.c5 Jul 2016 09:26:24 -
> > @@ -979,10 +979,11 @@ tcp_update_sndspace(struct tcpcb *tp)
> > struct socket *so = tp->t_inpcb->inp_socket;
> > u_long nmax;
> >
> > -   if (sbchecklowmem())
> > +   if (sbchecklowmem()) {
> > /* low on memory try to get rid of some */
> > -   nmax = tcp_sendspace;
> > -   else if (so->so_snd.sb_wat != tcp_sendspace)
> > +   if (so->so_snd.sb_hiwat < nmax)
> > +   nmax = tcp_sendspace;
> > +   } else if (so->so_snd.sb_wat != tcp_sendspace)
> > /* user requested buffer size, auto-scaling disabled */
> > nmax = so->so_snd.sb_wat;
> > else

Here, nmax can be used uninitialized now.
It needs be initialized to something maybe sb_hiwat?

> > @@ -1017,10 +1018,11 @@ tcp_update_rcvspace(struct tcpcb *tp)
> > struct socket *so = tp->t_inpcb->inp_socket;
> > u_long nmax = so->so_rcv.sb_hiwat;
> >
> > -   if (sbchecklowmem())
> > +   if (sbchecklowmem()) {
> > /* low on memory try to get rid of some */
> > -   nmax = tcp_recvspace;
> > -   else if (so->so_rcv.sb_wat != tcp_recvspace)
> > +   if (tcp_recvspace < nmax)
> > +   nmax = tcp_recvspace;
> > +   } else if (so->so_rcv.sb_wat != tcp_recvspace)
> > /* user requested buffer size, auto-scaling disabled */
> > nmax = so->so_rcv.sb_wat;
> > else {
> >

Here there is no issue. 

-- 
:wq Claudio



Re: [PATCH] dont increase the size of socket buffers in low memory situations

2016-07-05 Thread Bob Beck
Makes sense to me.  Others?


On Tue, Jul 5, 2016 at 4:08 AM, Simon Mages  wrote:
> At the moment the buffersize will be set to the default even if the
> current value
> is smaller.
>
> The following diff fixes this problem.
>
> Index: netinet/tcp_usrreq.c
> ===
> RCS file: /cvs/src/sys/netinet/tcp_usrreq.c,v
> retrieving revision 1.131
> diff -u -p -u -p -r1.131 tcp_usrreq.c
> --- netinet/tcp_usrreq.c18 Jun 2016 10:36:13 -  1.131
> +++ netinet/tcp_usrreq.c5 Jul 2016 09:26:24 -
> @@ -979,10 +979,11 @@ tcp_update_sndspace(struct tcpcb *tp)
> struct socket *so = tp->t_inpcb->inp_socket;
> u_long nmax;
>
> -   if (sbchecklowmem())
> +   if (sbchecklowmem()) {
> /* low on memory try to get rid of some */
> -   nmax = tcp_sendspace;
> -   else if (so->so_snd.sb_wat != tcp_sendspace)
> +   if (so->so_snd.sb_hiwat < nmax)
> +   nmax = tcp_sendspace;
> +   } else if (so->so_snd.sb_wat != tcp_sendspace)
> /* user requested buffer size, auto-scaling disabled */
> nmax = so->so_snd.sb_wat;
> else
> @@ -1017,10 +1018,11 @@ tcp_update_rcvspace(struct tcpcb *tp)
> struct socket *so = tp->t_inpcb->inp_socket;
> u_long nmax = so->so_rcv.sb_hiwat;
>
> -   if (sbchecklowmem())
> +   if (sbchecklowmem()) {
> /* low on memory try to get rid of some */
> -   nmax = tcp_recvspace;
> -   else if (so->so_rcv.sb_wat != tcp_recvspace)
> +   if (tcp_recvspace < nmax)
> +   nmax = tcp_recvspace;
> +   } else if (so->so_rcv.sb_wat != tcp_recvspace)
> /* user requested buffer size, auto-scaling disabled */
> nmax = so->so_rcv.sb_wat;
> else {
>



Re: syslogd: accept space-deliminated fields

2016-07-05 Thread Rob Pierce
- Original Message -
> From: "Todd C. Miller" 
> To: "tech" 
> Sent: Friday, July 1, 2016 12:55:11 PM
> Subject: syslogd: accept space-deliminated fields

> Linux, NetBSD and FreeBSD also support space-delimited fields. Maybe
> we should too...

> - todd

> Index: usr.sbin/syslogd/syslog.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/syslogd/syslog.conf.5,v
> retrieving revision 1.33
> diff -u -p -u -r1.33 syslog.conf.5
> --- usr.sbin/syslogd/syslog.conf.5 10 Sep 2015 15:16:44 - 1.33
> +++ usr.sbin/syslogd/syslog.conf.5 1 Jul 2016 16:50:37 -
> @@ -55,7 +55,7 @@ The
> .Em selector
> field is separated from the
> .Em action
> -field by one or more tab characters.
> +field by one or more tab or space characters.
> .Pp
> The
> .Em selectors
> @@ -334,6 +334,10 @@ file appeared in
> .Bx 4.3 ,
> along with
> .Xr syslogd 8 .
> +.Pp
> +Historic versions of
> +.Xr syslogd 8
> +did not support space-delimited fields.
> .Sh BUGS
> The effects of multiple selectors are sometimes not intuitive.
> For example
> Index: usr.sbin/syslogd/syslogd.c
> ===
> RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.207
> diff -u -p -u -r1.207 syslogd.c
> --- usr.sbin/syslogd/syslogd.c 1 Jul 2016 15:47:15 - 1.207
> +++ usr.sbin/syslogd/syslogd.c 1 Jul 2016 16:50:37 -
> @@ -2454,19 +2454,19 @@ cfline(char *line, char *progblock, char
> f->f_hostname = strdup(hostblock);

> /* scan through the list of selectors */
> - for (p = line; *p && *p != '\t';) {
> + for (p = line; *p && *p != '\t' && *p != ' ';) {

> /* find the end of this facility name list */
> - for (q = p; *q && *q != '\t' && *q++ != '.'; )
> + for (q = p; *q && *q != '\t' && *q != ' ' && *q++ != '.'; )
> continue;

> /* collect priority name */
> - for (bp = buf; *q && !strchr("\t,;", *q); )
> + for (bp = buf; *q && !strchr("\t,; ", *q); )
> *bp++ = *q++;
> *bp = '\0';

> /* skip cruft */
> - while (*q && strchr(", ;", *q))
> + while (*q && strchr(",;", *q))
> q++;

> /* decode priority name */
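Review bot: Dropping the space from the "skip cruft" set (`", ;"` to `",;"`) appears to change the meaning of existing configurations that write `mail.info, news.info` with a space after the comma: the space used to be skipped inside the selector list, but with the outer loop now stopping at `' '` everything after the comma is taken as the start of the action field. Either keep skipping whitespace that is immediately followed by another selector, or call the behaviour change out in syslog.conf.5 so administrators know to remove such spaces. cfline()'s body starts and ends outside the hunk.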
> @@ -2489,8 +2489,8 @@ cfline(char *line, char *progblock, char
> }

> /* scan facilities */
> - while (*p && !strchr("\t.;", *p)) {
> - for (bp = buf; *p && !strchr("\t,;.", *p); )
> + while (*p && !strchr("\t.; ", *p)) {
> + for (bp = buf; *p && !strchr("\t,;. ", *p); )
> *bp++ = *p++;
> *bp = '\0';
> if (*buf == '*')
> @@ -2516,7 +2516,7 @@ cfline(char *line, char *progblock, char
> }

> /* skip to action part */
> - while (*p == '\t')
> + while (*p == '\t' || *p == ' ')
> p++;

> switch (*p) {

This passed some basic testing on my end. Thanks!

Rob



Re: does true.c need command line arguments?

2016-07-05 Thread Simon Ruderich
On Mon, Jul 04, 2016 at 03:04:32PM -0600, Theo de Raadt wrote:
> Because main() is specified to take those arguments.

For what it's worth, the C-standard [1] specifies both versions:
int main(void) and int main(int argc, char *argv[]).

Regards
Simon

[1]: C11-draft, section 5.1.2.2.1
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9




Re: ypbind: convert from select to poll

2016-07-05 Thread Todd C. Miller
On Tue, 05 Jul 2016 07:32:19 +0200, Jeremie Courreges-Anglas wrote:

> Updated diff:
> - ignore EINTR
> - add a comment about POLLHUP, for people that could be tempted to copy
>   the code.

Looks great, OK millert@

 - todd



Re: libc: simplify devname() fallback

2016-07-05 Thread Todd C. Miller
On Mon, 04 Jul 2016 22:24:02 -0700, Philip Guenther wrote:

> Yep.  Too much programming in a garbage collected language recently, I 
> guess.  :-)
> 
> Revised diff below.

OK millert@

 - todd



Re: IPv6 forwarding path without KERNEL_LOCK

2016-07-05 Thread Martin Pieuchot
On 04/07/16(Mon) 15:52, Alexander Bluhm wrote:
> On Mon, Jul 04, 2016 at 01:03:22PM +0200, Martin Pieuchot wrote:
> > +   if (ip6_hbhchcheck(m, , , )) {
> > +   if_put(ifp);
> > +   return; /* m have already been freed */
> > }
> 
> As ip6_hbhchcheck() does ip6 = mtod(m, struct ip6_hdr *) after
> ip6_hopopts_input() you have to add this here, too.
> 
>   /* adjust pointer */
>   ip6 = mtod(m, struct ip6_hdr *);

Updated thanks!

> > +int
> > +ip6_hbhchcheck(struct mbuf *m, int *offp, int *nxtp, int *oursp)
> > +{
> > +   struct ip6_hdr *ip6;
> > +   u_int32_t plen, rtalert = ~0;
> > +   int ours, off, nxt;
> 
> ours may be used uninitialized.
> 
> > +   *offp = off;
> > +   *nxtp = nxt;
> > +   *oursp = ours;
> 
> I would prefer to use the passed values as *off, *nxt, *ours directly
> than to use another set of local variables.  This also fixes
> initialization problem.

Fine, new diff doing that.

Index: netinet6/ip6_input.c
===
RCS file: /cvs/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.161
diff -u -p -r1.161 ip6_input.c
--- netinet6/ip6_input.c5 Jul 2016 10:17:14 -   1.161
+++ netinet6/ip6_input.c5 Jul 2016 10:21:10 -
@@ -122,6 +122,7 @@ struct ip6stat ip6stat;
 void ip6_init2(void *);
 int ip6_check_rh0hdr(struct mbuf *, int *);
 
+int ip6_hbhchcheck(struct mbuf *, int *, int *, int *);
 int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
 struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
 
@@ -192,7 +193,6 @@ ip6_input(struct mbuf *m)
struct ip6_hdr *ip6;
int off, nest;
u_int16_t src_scope, dst_scope;
-   u_int32_t plen, rtalert = ~0;
int nxt, ours = 0;
 #if NPF > 0
struct in6_addr odst;
@@ -495,78 +495,15 @@ ip6_input(struct mbuf *m)
}
 
   hbhcheck:
-   /*
-* Process Hop-by-Hop options header if it's contained.
-* m may be modified in ip6_hopopts_input().
-* If a JumboPayload option is included, plen will also be modified.
-*/
-   plen = (u_int32_t)ntohs(ip6->ip6_plen);
-   off = sizeof(struct ip6_hdr);
-   if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
-   struct ip6_hbh *hbh;
-
-   if (ip6_hopopts_input(, , , )) {
-   if_put(ifp);
-   return; /* m have already been freed */
-   }
-
-   /* adjust pointer */
-   ip6 = mtod(m, struct ip6_hdr *);
-
-   /*
-* if the payload length field is 0 and the next header field
-* indicates Hop-by-Hop Options header, then a Jumbo Payload
-* option MUST be included.
-*/
-   if (ip6->ip6_plen == 0 && plen == 0) {
-   /*
-* Note that if a valid jumbo payload option is
-* contained, ip6_hopopts_input() must set a valid
-* (non-zero) payload length to the variable plen.
-*/
-   ip6stat.ip6s_badoptions++;
-   icmp6_error(m, ICMP6_PARAM_PROB,
-   ICMP6_PARAMPROB_HEADER,
-   (caddr_t)>ip6_plen - (caddr_t)ip6);
-   if_put(ifp);
-   return;
-   }
-   IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
-   sizeof(struct ip6_hbh));
-   if (hbh == NULL) {
-   ip6stat.ip6s_tooshort++;
-   if_put(ifp);
-   return;
-   }
-   nxt = hbh->ip6h_nxt;
 
-   /*
-* accept the packet if a router alert option is included
-* and we act as an IPv6 router.
-*/
-   if (rtalert != ~0 && ip6_forwarding)
-   ours = 1;
-   } else
-   nxt = ip6->ip6_nxt;
-
-   /*
-* Check that the amount of data in the buffers
-* is as at least much as the IPv6 header would have us expect.
-* Trim mbufs if longer than we expect.
-* Drop packet if shorter than we expect.
-*/
-   if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
-   ip6stat.ip6s_tooshort++;
-   goto bad;
-   }
-   if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
-   if (m->m_len == m->m_pkthdr.len) {
-   m->m_len = sizeof(struct ip6_hdr) + plen;
-   m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
-   } else
-   m_adj(m, sizeof(struct ip6_hdr) + plen - 
m->m_pkthdr.len);
+   if (ip6_hbhchcheck(m, , , )) {
+   if_put(ifp);
+   return; /* m have already been freed */
}
 
+   /* adjust pointer */
+  

[PATCH] dont increase the size of socket buffers in low memory situations

2016-07-05 Thread Simon Mages
At the moment the buffer size is set to the default even if the current
value is smaller, so the low-memory path can actually grow the buffer.

The following diff fixes this problem.

Index: netinet/tcp_usrreq.c
===
RCS file: /cvs/src/sys/netinet/tcp_usrreq.c,v
retrieving revision 1.131
diff -u -p -u -p -r1.131 tcp_usrreq.c
--- netinet/tcp_usrreq.c18 Jun 2016 10:36:13 -  1.131
+++ netinet/tcp_usrreq.c5 Jul 2016 09:26:24 -
@@ -979,10 +979,11 @@ tcp_update_sndspace(struct tcpcb *tp)
struct socket *so = tp->t_inpcb->inp_socket;
u_long nmax;

-   if (sbchecklowmem())
+   if (sbchecklowmem()) {
/* low on memory try to get rid of some */
-   nmax = tcp_sendspace;
-   else if (so->so_snd.sb_wat != tcp_sendspace)
+   if (so->so_snd.sb_hiwat < nmax)
+   nmax = tcp_sendspace;
+   } else if (so->so_snd.sb_wat != tcp_sendspace)
/* user requested buffer size, auto-scaling disabled */
nmax = so->so_snd.sb_wat;
else
@@ -1017,10 +1018,11 @@ tcp_update_rcvspace(struct tcpcb *tp)
struct socket *so = tp->t_inpcb->inp_socket;
u_long nmax = so->so_rcv.sb_hiwat;

-   if (sbchecklowmem())
+   if (sbchecklowmem()) {
/* low on memory try to get rid of some */
-   nmax = tcp_recvspace;
-   else if (so->so_rcv.sb_wat != tcp_recvspace)
+   if (tcp_recvspace < nmax)
+   nmax = tcp_recvspace;
+   } else if (so->so_rcv.sb_wat != tcp_recvspace)
/* user requested buffer size, auto-scaling disabled */
nmax = so->so_rcv.sb_wat;
else {