OpenBSD src changes summary for 2016-07-14
==========================================

distrib/sets lib/libc regress/sys regress/usr.bin sbin/mount
sys/arch/amd64/amd64 sys/arch/armv7/imx sys/arch/armv7/vexpress sys/dev/pci
sys/kern sys/net sys/netinet sys/netinet6 sys/sys sys/ufs/ufs sys/uvm
usr.bin/compress usr.bin/mg usr.bin/sed usr.bin/sort

== distrib =========================================================== 01/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib

sets
 ~ lists/base/md.alpha
 ~ lists/base/md.amd64
 ~ lists/base/md.armish
 ~ lists/base/md.armv7
 ~ lists/base/md.hppa
 ~ lists/base/md.i386
 ~ lists/base/md.landisk
 ~ lists/base/md.loongson
 ~ lists/base/md.luna88k
 ~ lists/base/md.macppc
 ~ lists/base/md.octeon
 ~ lists/base/md.sgi
 ~ lists/base/md.socppc
 ~ lists/base/md.sparc
 ~ lists/base/md.sparc64
 ~ lists/base/md.zaurus
 ~ lists/comp/mi
 > sync (deraadt@)

== lib =============================================================== 02/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libc
 ~ gen/sysctl.3
 > kern.usermount is currently a no-op;
 > ok deraadt (jmc@)

== regress =========================================================== 03/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

sys
 ~ kern/kqueue/kqueue-process.c
 ~ kern/kqueue/kqueue-signal.c
 > Prevent silly states via knotes on pids > 2^32 and on nonexistent signals.
 > ok tedu@ (guenther@)

usr.bin
 ~ ssh/sshcfgparse.sh
 > Correct equal in test. (dtucker@)

== sbin ============================================================== 04/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin

mount
 ~ mount.8
 > kern.usermount is currently a no-op;
 > ok deraadt (jmc@)

== sys =============================================================== 05/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

arch/amd64/amd64
 ~ vmm.c TAGGED OPENBSD_5_9
 > Add the vmm bits of previous commit to 5.9 -stable branch:
 > Make sure that amap slot calculation does not overflow
 > This prevents too small amaps from being allocated by
 > forcing the allocation of a large number of slots.
 > Based on an analysis from Jesse Hertz and Tim Newsham.
 > This is a different patch for 5.9 that addresses the same
 > issue as r1.75 of uvm/uvm_amap.c. It also makes sure that
 > vmm(4) cannot make such large amap allocation requests. (stefan@)

arch/armv7/imx
 ~ if_fec.c
 > Do board-specific delay/skew corrections for the Micrel KSZ9021 and KSZ9031
 > PHYs based on device tree properties instead of the board ID. Untested as
 > I don't have the hardware.
 > ok jsg@, patrick@ (kettenis@)

arch/armv7/vexpress
 ~ virtio_mmio.c
 > virtio: Move interrupt handler into transport specific code
 > For MSI-X (and also possibly for other transports), the interrupt
 > handler must do different things. Move it out of virtio.c and into
 > virtio_pci.
 > ARM part tested by patrick@ (sf@)

dev/pci
 ~ if_vio.c
 ~ vioblk.c
 ~ viomb.c
 ~ viornd.c
 ~ vioscsi.c
 ~ virtio.c
 ~ virtio_pci.c
 ~ virtiovar.h
 > virtio: Move interrupt handler into transport specific code
 > For MSI-X (and also possibly for other transports), the interrupt
 > handler must do different things. Move it out of virtio.c and into
 > virtio_pci.
 > ARM part tested by patrick@ (sf@)
 ~ vioblk.c
 ~ vioscsi.c
 ~ virtiovar.h
 > rename virtio_ops.intr to poll_intr
 > This describes more accurately what it is good for.
 > Also introduce a virtio_poll_intr macro. (sf@)
 ~ vioblk.c
 > vioblk: Properly handle poll timeout
 > The only way to ensure that the device does not do DMA for the timed out
 > request is a device reset.
 > Also increase the timeout to 15s (sf@)

kern
 ~ kern_event.c
 > kevent validates that ident is a valid fd by getting the file. one sad
 > quirk: uint64 to int32 truncation can lead to false positives, and then
 > later in the array sizing code, very big mallocs panic the kernel.
 > add a check that the ident isn't larger than INT_MAX in the fd case.
 > reported by Tim Newsham (tedu@)
 ~ kern_event.c TAGGED OPENBSD_5_9
 > backport 1.73
 > kevent validates that ident is a valid fd by getting the file. one sad
 > quirk: uint64 to int32 truncation can lead to false positives, and then
 > later in the array sizing code, very big mallocs panic the kernel.
 > add a check that the ident isn't larger than INT_MAX in the fd case.
 > reported by Tim Newsham (tedu@)
 ~ kern_event.c TAGGED OPENBSD_5_8
 > backport 1.73
 > kevent validates that ident is a valid fd by getting the file. one sad
 > quirk: uint64 to int32 truncation can lead to false positives, and then
 > later in the array sizing code, very big mallocs panic the kernel.
 > add a check that the ident isn't larger than INT_MAX in the fd case.
 > reported by Tim Newsham (tedu@)
 ~ kern_sig.c
 ~ kern_synch.c
 ~ kern_tc.c
 ~ kern_timeout.c TAGGED OPENBSD_5_9
 > backport timeout overflow fixes:
 > fix several places where calculating ticks could overflow.
 > it's not enough to assign to an unsigned type because if the arithmetic
 > overflows the compiler may decide to do anything. so change all the
 > long long casts to uint64_t so that we start with the right type.
 > reported by Tim Newsham of NCC.
 > ok deraadt (tedu@)
 ~ kern_sig.c
 ~ kern_synch.c
 ~ kern_tc.c
 ~ kern_timeout.c TAGGED OPENBSD_5_8
 > backport timeout overflow fixes:
 > fix several places where calculating ticks could overflow.
 > it's not enough to assign to an unsigned type because if the arithmetic
 > overflows the compiler may decide to do anything. so change all the
 > long long casts to uint64_t so that we start with the right type.
 > reported by Tim Newsham of NCC.
 > ok deraadt (tedu@)
 ~ uipc_mbuf.c
 ~ uipc_socket.c TAGGED OPENBSD_5_9
 > backport splice loop fix:
 > On localhost a user program may create a socket splicing loop.
 > After writing data into this loop, it was spinning forever causing
 > a kernel hang. Detect the loop by counting how often the same mbuf
 > is spliced. If that happens 128 times, assume that there is a loop
 > and abort the splicing with ELOOP.
 > Bug found by tedu@; OK tedu@ millert@ benno@ (tedu@)
 ~ uipc_usrreq.c TAGGED OPENBSD_5_9
 > backport 1.99:
 > in the great unp_gc rewrite, a null check was lost. we have spent some
 > time investigating and arguing about whether a NULL fp is a bug or not,
 > but what has become clear is that NULL fps get passed to unp_discard
 > and have been for quite some time.
 > restore old accommodating behavior by checking for null in unp_gc.
 > ok deraadt kettenis (tedu@)
 ~ kern_event.c
 ~ kern_sig.c TAGGED OPENBSD_5_9
 > Prevent silly states via knotes on pids > 2^32 and on nonexistent signals.
 > ok tedu@ (guenther@)
 ~ vfs_syscalls.c
 ~ kern_sysctl.c TAGGED OPENBSD_5_9
 > kern.usermount=1 is unsafe for everyone, since it allows any non-pledged
 > program to call the mount/umount system calls. There is no way any user
 > can be expected to keep their system safe / reliable with this feature.
 > Ignore setting to =1, and after release we'll delete the sysctl entirely.
 > ok lots of people (deraadt@)

net
 ~ netisr.c
 ~ netisr.h TAGGED OPENBSD_5_9
 > Backport ARP race fix:
 > Move ARP processing back to the KERNEL_LOCK()ed task until the race
 > triggered by updating a cached, but removed from the table, entry is
 > properly fixed.
 > Diff from dlg@, prodding deraadt@ (mpi@)

netinet
 ~ tcp_output.c TAGGED OPENBSD_5_9
 > backport splice loop fix:
 > On localhost a user program may create a socket splicing loop.
 > After writing data into this loop, it was spinning forever causing
 > a kernel hang. Detect the loop by counting how often the same mbuf
 > is spliced. If that happens 128 times, assume that there is a loop
 > and abort the splicing with ELOOP.
 > Bug found by tedu@; OK tedu@ millert@ benno@ (tedu@)
 ~ if_ether.c TAGGED OPENBSD_5_9
 > Backport ARP race fix:
 > Move ARP processing back to the KERNEL_LOCK()ed task until the race
 > triggered by updating a cached, but removed from the table, entry is
 > properly fixed.
 > Diff from dlg@, prodding deraadt@ (mpi@)
 ~ if_ether.c TAGGED OPENBSD_5_9
 > Prevent a use-after-free by not updating an ARP entry that has been
 > removed from the table.
 > Currently the storage for L2 addresses is freed when an entry is
 > removed from the table. That means that we cannot access this
 > chunk of memory between RTM_DELETE and rtfree(9).
 > Note that this doesn't apply to MPLS because the associated storage
 > is currently released by the last rtfree(9).
 > ok mikeb@ (mpi@)

netinet6
 ~ ip6_input.c
 > Drop received packets with an IPv4-compatible address as source or
 > destination as per RFC4213.
 > We're not in 1999 anymore, what was earlier a "stronger check than
 > RFC1933" is now a best practice. This matches the behavior of the
 > reject (R) routes added by default by netstart(8).
 > ok jca@, florian@, claudio@, bluhm@ (mpi@)

sys
 ~ mbuf.h TAGGED OPENBSD_5_9
 > backport splice loop fix:
 > On localhost a user program may create a socket splicing loop.
 > After writing data into this loop, it was spinning forever causing
 > a kernel hang. Detect the loop by counting how often the same mbuf
 > is spliced. If that happens 128 times, assume that there is a loop
 > and abort the splicing with ELOOP.
 > Bug found by tedu@; OK tedu@ millert@ benno@ (tedu@)
 ~ exec_elf.h TAGGED OPENBSD_5_9
 > Add PT_GNU_RELRO, for ld.so work
 > ok millert@ kettenis@ (guenther@)

ufs/ufs
 ~ ufs_vnops.c
 > ufs_readdir() buffer was meant to be limited to 64kB; reversed test
 > permitted very big mallocs to panic the kernel.
 > reported by Tim Newsham
 > ok millert@ (guenther@)
 ~ ufs_vnops.c TAGGED OPENBSD_5_8
 > backport 1.129
 > ufs_readdir() buffer was meant to be limited to 64kB; reversed test
 > permitted very big mallocs to panic the kernel.
 > reported by Tim Newsham
 > ok millert@ (guenther@)
 ~ ufs_vnops.c TAGGED OPENBSD_5_9
 > backport 1.129
 > ufs_readdir() buffer was meant to be limited to 64kB; reversed test
 > permitted very big mallocs to panic the kernel.
 > reported by Tim Newsham
 > ok millert@ (guenther@)

uvm
 ~ uvm_mmap.c TAGGED OPENBSD_5_9
 > backport 1.137:
 > Since mappings established using __MAP_NOFAULT will be converted into
 > anonymous memory if the file backing the mapping is truncated, we should
 > check resource limits. This prevents callers from triggering a kernel panic
 > and a potential integer overflow in the amap code by forcing the allocation
 > of too many slots.
 > Based on an analysis from Jesse Hertz and Tim Newsham.
 > ok deraadt@ (tedu@)
 ~ uvm_mmap.c TAGGED OPENBSD_5_8
 > backport 1.137:
 > Since mappings established using __MAP_NOFAULT will be converted into
 > anonymous memory if the file backing the mapping is truncated, we should
 > check resource limits. This prevents callers from triggering a kernel panic
 > and a potential integer overflow in the amap code by forcing the allocation
 > of too many slots.
 > Based on an analysis from Jesse Hertz and Tim Newsham.
 > ok deraadt@ (tedu@)
 ~ uvm_amap.c TAGGED OPENBSD_5_8
 > Make sure that amap slot calculation does not overflow
 > This prevents too small amaps from being allocated by
 > forcing the allocation of a large number of slots.
 > Based on an analysis from Jesse Hertz and Tim Newsham.
 > ok kettenis@ (stefan@)
 ~ uvm_amap.c TAGGED OPENBSD_5_9
 > backport r1.75:
 > Make sure that amap slot calculation does not overflow
 > This prevents too small amaps from being allocated by
 > forcing the allocation of a large number of slots.
 > Based on an analysis from Jesse Hertz and Tim Newsham.
 > This is a different patch for 5.9 that addresses the same
 > issue as r1.75 of uvm/uvm_amap.c. It also makes sure that
 > vmm(4) cannot make such large amap allocation requests. (stefan@)
 ~ uvm_amap.c TAGGED OPENBSD_5_8
 > backport r1.75:
 > Make sure that amap slot calculation does not overflow
 > This prevents too small amaps from being allocated by
 > forcing the allocation of a large number of slots.
 > Based on an analysis from Jesse Hertz and Tim Newsham.
 > This is a different patch for 5.8 that addresses the same
 > issue as r1.75 (stefan@)

== usr.bin =========================================================== 06/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

compress
 ~ main.c
 > make several programs use the "chown" promise.
 > it allows the chown(2) call to change the user or group on a file.
 > - usr.bin/compress : aka gzip
 > - usr.bin/mg : open a file for writing
 > - usr.bin/sed : inplace editing
 > - usr.bin/sort : if outfile equals one of the input files
 > ok deraadt@ tb@
 > (and a reminder from Remi Locherer)
 > warning: in order to use it, you must have a recent kernel with the new
 > promise. (semarie@)

mg
 ~ main.c
 > make several programs use the "chown" promise.
 > it allows the chown(2) call to change the user or group on a file.
 > - usr.bin/compress : aka gzip
 > - usr.bin/mg : open a file for writing
 > - usr.bin/sed : inplace editing
 > - usr.bin/sort : if outfile equals one of the input files
 > ok deraadt@ tb@
 > (and a reminder from Remi Locherer)
 > warning: in order to use it, you must have a recent kernel with the new
 > promise. (semarie@)

sed
 ~ main.c
 > make several programs use the "chown" promise.
 > it allows the chown(2) call to change the user or group on a file.
 > - usr.bin/compress : aka gzip
 > - usr.bin/mg : open a file for writing
 > - usr.bin/sed : inplace editing
 > - usr.bin/sort : if outfile equals one of the input files
 > ok deraadt@ tb@
 > (and a reminder from Remi Locherer)
 > warning: in order to use it, you must have a recent kernel with the new
 > promise. (semarie@)

sort
 ~ sort.c
 > make several programs use the "chown" promise.
 > it allows the chown(2) call to change the user or group on a file.
 > - usr.bin/compress : aka gzip
 > - usr.bin/mg : open a file for writing
 > - usr.bin/sed : inplace editing
 > - usr.bin/sort : if outfile equals one of the input files
 > ok deraadt@ tb@
 > (and a reminder from Remi Locherer)
 > warning: in order to use it, you must have a recent kernel with the new
 > promise. (semarie@)

===============================================================================
_______________________________________________
odc mailing list
[email protected]
http://www.squish.net/mailman/listinfo/odc
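Three of the commits in this digest (the kern_event.c ident check, the kern_timeout.c tick overflow fixes and the uvm_amap.c slot calculation) are the same class of bug seen from different sides: integer width. The program below is an added example written for this page, not OpenBSD kernel code and not the committers' diffs. It models each of the three in userland so the arithmetic is visible: the fd table size, the per-slot byte count, the function names and the timeval-to-ticks conversion are all constructed stand-ins, not the kernel's.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed userland models of the three integer-width bugs in the digest.
 * Nothing here is OpenBSD kernel code; the fd table, slot size and tick
 * conversion are stand-ins chosen to make the arithmetic visible.
 */

/* Constructed fd table: pretend descriptors 0..1023 are open. */
#define MODEL_NFDS 1024

static bool fd_is_open(int fd)
{
	return fd >= 0 && fd < MODEL_NFDS;
}

/*
 * kevent(2) ident check, as the bug had it: the 64-bit ident is narrowed to
 * an int when the file is looked up, so 0x100000003 looks like fd 3 and
 * passes. (Out-of-range conversion to int is implementation-defined; gcc
 * and clang reduce modulo 2^32, which is the behaviour the bug depends on.)
 */
int resolve_fd_truncating(uint64_t ident)
{
	int fd = (int)ident;

	return fd_is_open(fd) ? fd : -1;
}

/* As fixed: nothing above INT_MAX can be an fd, so reject it before narrowing. */
int resolve_fd_checked(uint64_t ident)
{
	if (ident > INT_MAX)
		return -1;
	return resolve_fd_truncating(ident);
}

/*
 * The array-sizing step that followed the lookup used the untruncated ident,
 * so a false positive from resolve_fd_truncating() turned into a request for
 * a multi-gigabyte buffer. Returns the bytes that step would ask for.
 */
uint64_t knlist_bytes_requested(uint64_t ident)
{
	return (ident + 1) * sizeof(void *);
}

/*
 * amap slot sizing: slots * per-slot bytes must not wrap, or a small buffer
 * is handed out for a huge slot count (an undersized amap). Returns 0 on
 * overflow so the caller refuses the request. MODEL_SLOT_BYTES is made up.
 */
#define MODEL_SLOT_BYTES 24

size_t amap_bytes_for_slots(uint64_t slots)
{
	if (slots == 0 || slots > SIZE_MAX / MODEL_SLOT_BYTES)
		return 0;
	return (size_t)slots * MODEL_SLOT_BYTES;
}

/*
 * timeval -> ticks: the arithmetic starts in uint64_t (unsigned wrap is
 * defined, signed overflow is not) and clamps instead of wrapping, so an
 * absurd timeout becomes INT_MAX ticks rather than a small or negative
 * count. Returns -1 for an invalid timeval or hz. hz is ticks per second.
 */
int64_t timeval_to_ticks(int64_t sec, int64_t usec, uint64_t hz)
{
	uint64_t s, t;

	if (sec < 0 || usec < 0 || usec >= 1000000 || hz == 0 || hz > 1000000)
		return -1;
	s = (uint64_t)sec;
	if (s > (uint64_t)INT_MAX / hz)	/* s * hz would exceed INT_MAX */
		return INT_MAX;
	t = s * hz + (uint64_t)usec * hz / 1000000;
	if (t > INT_MAX)
		return INT_MAX;
	return (int64_t)t;
}

int main(void)
{
	uint64_t evil = 0x100000003ULL;	/* constructed hostile ident */

	printf("truncating lookup: ident 0x%llx -> fd %d\n",
	    (unsigned long long)evil, resolve_fd_truncating(evil));
	printf("checked lookup:    ident 0x%llx -> fd %d\n",
	    (unsigned long long)evil, resolve_fd_checked(evil));
	printf("bytes the false positive would request: %llu\n",
	    (unsigned long long)knlist_bytes_requested(evil));
	printf("amap bytes for UINT64_MAX/4 slots: %zu (0 = refused)\n",
	    amap_bytes_for_slots(UINT64_MAX / 4));
	printf("ticks for INT64_MAX s at hz=100: %lld (clamped)\n",
	    (long long)timeval_to_ticks(INT64_MAX, 0, 100));
	return 0;
}
```

The point the kern_timeout.c message makes is the order of operations: casting the result of a signed multiplication to an unsigned type is too late, because the overflow has already happened in signed arithmetic. Converting the operands first, as timeval_to_ticks() does, keeps the computation defined, and the explicit bound check then decides what a too-large value should become.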
