OpenBSD src changes summary for 2015-09-27 to 2015-10-04 inclusive
==================================================================

bin/cat bin/chmod bin/csh bin/dd bin/df bin/echo bin/ed bin/expr bin/ksh bin/ls bin/md5 bin/sleep bin/systrace bin/test distrib/miniroot distrib/sets distrib/sgi etc/Makefile etc/changelist etc/etc.sgi/disktab etc/examples/eigrpd.conf etc/group etc/mail/aliases etc/master.passwd etc/netstart etc/rc etc/rc.conf etc/rc.d/eigrpd games/bs games/hack games/hunt games/sail include/Makefile include/rpcsvc/yp_prot.h lib/libc lib/libcrypto lib/libcurses lib/libpcap lib/libsndio lib/libssl lib/libtls libexec/ftpd libexec/login_radius regress/lib regress/sbin regress/sys regress/usr.bin sbin/dmesg sbin/fsck sbin/fsck_msdos sbin/ifconfig sbin/iked sbin/newfs sbin/nfsd sbin/pfctl sbin/ping sbin/ping6 sbin/sysctl share/man share/zoneinfo sys/arch/alpha/alpha sys/arch/alpha/include sys/arch/alpha/isa sys/arch/alpha/stand/boot sys/arch/amd64/amd64 sys/arch/amd64/conf sys/arch/amd64/include sys/arch/amd64/isa sys/arch/amd64/stand/efiboot sys/arch/amd64/stand/libsa sys/arch/arm/arm sys/arch/arm/include sys/arch/armish/stand/boot sys/arch/aviion/aviion sys/arch/aviion/include sys/arch/aviion/stand/boot sys/arch/hppa/hppa sys/arch/hppa/include sys/arch/hppa/stand/libsa sys/arch/hppa64/hppa64 sys/arch/hppa64/include sys/arch/hppa64/stand/libsa sys/arch/i386/conf sys/arch/i386/i386 sys/arch/i386/include sys/arch/i386/isa sys/arch/i386/stand/libsa sys/arch/landisk/landisk sys/arch/loongson/dev sys/arch/loongson/include sys/arch/loongson/loongson sys/arch/loongson/stand/boot sys/arch/luna88k/include sys/arch/luna88k/luna88k sys/arch/macppc/include sys/arch/macppc/macppc sys/arch/mips64/include sys/arch/mips64/mips64 sys/arch/octeon/dev sys/arch/octeon/include sys/arch/octeon/octeon sys/arch/sgi/include sys/arch/sgi/sgi sys/arch/sgi/stand/boot sys/arch/sgi/stand/boot64 sys/arch/sgi/xbow sys/arch/sh/include sys/arch/socppc/include sys/arch/socppc/socppc sys/arch/socppc/stand/boot sys/arch/sparc/include sys/arch/sparc/sparc sys/arch/sparc64/dev sys/arch/sparc64/include 
sys/arch/sparc64/sparc64 sys/arch/sparc64/stand/ofwboot sys/arch/vax/include sys/arch/vax/stand/boot sys/arch/vax/vax sys/arch/zaurus/dev sys/conf sys/dev/acpi sys/dev/ic sys/dev/isa sys/dev/pci sys/dev/usb sys/kern sys/lib/libkern sys/net sys/net80211 sys/netinet sys/netinet6 sys/sys sys/ufs/ffs sys/uvm usr.bin/basename usr.bin/compress usr.bin/ctags usr.bin/dc usr.bin/file usr.bin/finger usr.bin/ftp usr.bin/grep usr.bin/indent usr.bin/kdump usr.bin/ktrace usr.bin/leave usr.bin/make usr.bin/mg usr.bin/openssl usr.bin/patch usr.bin/script usr.bin/sed usr.bin/skeyinit usr.bin/sndiod usr.bin/ssh usr.bin/uname usr.bin/unifdef usr.bin/uniq usr.bin/units usr.bin/wall usr.bin/wc usr.bin/whois usr.sbin usr.sbin/acpidump usr.sbin/arp usr.sbin/bind usr.sbin/cron usr.sbin/dvmrpctl usr.sbin/dvmrpd usr.sbin/eigrpctl usr.sbin/eigrpd usr.sbin/installboot usr.sbin/ldpctl usr.sbin/ldpd usr.sbin/lpr usr.sbin/netgroup_mkdb usr.sbin/ntpd usr.sbin/ospf6ctl usr.sbin/ospf6d usr.sbin/ospfctl usr.sbin/ospfd usr.sbin/rcctl usr.sbin/relayd usr.sbin/ripctl usr.sbin/ripd usr.sbin/smtpd usr.sbin/snmpd usr.sbin/syslogd usr.sbin/tcpdump usr.sbin/traceroute

== bin =============================================================== 01/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/bin

cat

  ~ cat.c
  > obvious tame "stdio rpath"
  > ok semarie (deraadt@)

chmod

  ~ chmod.c
  > KNF (deraadt@)

  ~ chmod.c
  > the chmod & chflags codepaths can use tame "stdio rpath fattr". the
  > chown codepath obviously cannot use tame -- once tame is activated
  > the kernel prohibits changing uid/gid on a fd/file.
  > ok guenther (deraadt@)

  ~ chmod.c
  > oops! cannot tame the chmod case, because the kernel drops the
  > setuid/setgid bits. (deraadt@)

csh

  ~ func.c
  > lint is dead: delete the trivial uses of /* VARARGS[0-9]+ */
  > (others require more care) (guenther@)

  ~ set.c
  > Score a hat trick in code cleanup: #ifdef pdp11, /* confuse lint */,
  > and recursive formatting of integers. Just use snprintf() and a hammer.
  > ok beck@ deraadt@ miod@ (guenther@)

dd

  ~ dd.c
  > after dd has opened its files and done the tape positioning ioctl, we
  > can tame "stdio" it.
  > ok semarie (deraadt@)

df

  ~ df.c
  > df is a tame "stdio rpath" program, the rpath due to getfsstat and statfs.
  > those two system calls were put into the "rpath" category because they
  > expose pathname information. (deraadt@)

echo

  ~ echo.c
  > hard to think of a simple program to add tame to. tame "stdio", obviously.
  > (deraadt@)

ed

  ~ ed.h ~ main.c
  > Remove #ifdefs for non-POSIX systems. Also remove #ifdef for
  > SIGWINCH, it is not POSIX but it is a de facto standard.
  > OK deraadt@ (millert@)

  ~ ed.h ~ glbl.c ~ main.c ~ re.c ~ sub.c
  > Remove useless pattern_t typedef, POSIX regex is here to stay so
  > just use regex_t directly. (millert@)

expr

  ~ expr.c
  > expr can use tame "stdio"
  > ok semarie (deraadt@)

ksh

  ~ tree.c
  > lint is dead: delete the trivial uses of /* VARARGS[0-9]+ */
  > (others require more care) (guenther@)

  ~ lex.c
  > fix error message for csh-history. the lexer needs to back up more.
  > from Michael McConville (tedu@)

ls

  ~ ls.c
  > ls can use tame "stdio rpath getpw". It does uid/gid lookups, using
  > the 4.4bsd libc caching variants called user_from_uid/group_from_uid,
  > which are backed by getpw*/getgr* type functions.
  > ok semarie (deraadt@)

md5

  ~ md5.c
  > right at startup, this can tame "stdio cpath rpath wpath". after getopt
  > -h has handled write/creating a file, we can drop to tame "stdio rpath"
  > since md5 will only read files after that.
  > i believe i involved lteo for this. (deraadt@)

  ~ md5.c
  > Repair tame() error check to be == -1 (deraadt@)

sleep

  ~ sleep.c
  > So you'd love me to say sleep() can be tighter than tame "stdio". OK,
  > there is that pesky usage message... We could tame "something" in the
  > non-usage codepath.. but pop quiz, anyone know what happens after main
  > returns or if exit(3) is called? atexit completion.. our atexit is
  > very paranoid with structure management and uses mprotect.
  > So current minimum a normal program needs is tame "malloc".
  > tame "stdio" done before the usage codepath splits is just as good;
  > tame placement before getopt provides a strong hint about program
  > behaviour.
  > I am still hoping someone comes up with a nice solution for atexit,
  > or a nice tame subset between "" (pure computation) and "malloc".
  > Ideas have been floated to expose "self", but it lacks mprotect also,
  > and should continue to lack it (see the ssh tame sandbox). (deraadt@)

systrace

  ~ cradle.c ~ util.c
  > unifdef support for other operating systems. sorry OS/2 cultists.
  > ok deraadt (tedu@)

  ~ intercept.c
  > Eliminate the last of the LINTEDn and PRINTFLIKEn comments. In one
  > case, by deleting some useless '& of an array' we also eliminate the need
  > for the casts which prompted the original lint warnings
  > ok deraadt@ (guenther@)

test

  ~ test.c
  > tame "stdio rpath" is sufficient for all the operations done by test(1)
  > (deraadt@)

== distrib =========================================================== 02/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib

miniroot

  ~ install.sub
  > HEAD is past 5.8 now, so remove /var/tmp removal tweak.
  > ok krw@ (halex@)

sets

  ~ lists/base/md.alpha ~ lists/base/md.amd64 ~ lists/base/md.armish
  ~ lists/base/md.armv7 ~ lists/base/md.aviion ~ lists/base/md.hppa
  ~ lists/base/md.hppa64 ~ lists/base/md.i386 ~ lists/base/md.landisk
  ~ lists/base/md.loongson ~ lists/base/md.luna88k ~ lists/base/md.macppc
  ~ lists/base/md.octeon ~ lists/base/md.sgi ~ lists/base/md.socppc
  ~ lists/base/md.sparc ~ lists/base/md.sparc64 ~ lists/base/md.vax
  ~ lists/base/md.zaurus ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/base/md.alpha ~ lists/base/md.amd64 ~ lists/base/md.armish
  ~ lists/base/md.armv7 ~ lists/base/md.aviion ~ lists/base/md.hppa
  ~ lists/base/md.hppa64 ~ lists/base/md.i386 ~ lists/base/md.landisk
  ~ lists/base/md.loongson ~ lists/base/md.luna88k ~ lists/base/md.macppc
  ~ lists/base/md.octeon ~ lists/base/md.sgi ~ lists/base/md.socppc
  ~ lists/base/md.sparc ~ lists/base/md.sparc64 ~ lists/base/md.vax
  ~ lists/base/md.zaurus ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/base/md.alpha ~ lists/base/md.amd64 ~ lists/base/md.armish
  ~ lists/base/md.armv7 ~ lists/base/md.aviion ~ lists/base/md.hppa
  ~ lists/base/md.hppa64 ~ lists/base/md.i386 ~ lists/base/md.landisk
  ~ lists/base/md.loongson ~ lists/base/md.luna88k ~ lists/base/md.macppc
  ~ lists/base/md.octeon ~ lists/base/md.sgi ~ lists/base/md.socppc
  ~ lists/base/md.sparc ~ lists/base/md.sparc64 ~ lists/base/md.vax
  ~ lists/base/md.zaurus ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/base/md.alpha ~ lists/base/md.amd64 ~ lists/base/md.armish
  ~ lists/base/md.armv7 ~ lists/base/md.aviion ~ lists/base/md.hppa
  ~ lists/base/md.hppa64 ~ lists/base/md.i386 ~ lists/base/md.landisk
  ~ lists/base/md.loongson ~ lists/base/md.luna88k ~ lists/base/md.macppc
  ~ lists/base/md.octeon ~ lists/base/md.sgi ~ lists/base/md.socppc
  ~ lists/base/md.sparc ~ lists/base/md.sparc64 ~ lists/base/md.vax
  ~ lists/base/md.zaurus ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/base/md.alpha ~ lists/base/md.amd64 ~ lists/base/md.armish
  ~ lists/base/md.armv7 ~ lists/base/md.aviion
  ~ lists/base/md.hppa ~ lists/base/md.hppa64 ~ lists/base/md.i386
  ~ lists/base/md.landisk ~ lists/base/md.loongson ~ lists/base/md.luna88k
  ~ lists/base/md.macppc ~ lists/base/md.octeon ~ lists/base/md.sgi
  ~ lists/base/md.socppc ~ lists/base/md.sparc ~ lists/base/md.sparc64
  ~ lists/base/md.vax ~ lists/base/md.zaurus ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/base/md.sgi
  > sync (deraadt@)

  ~ lists/base/md.loongson
  > sync (deraadt@)

  ~ lists/man/mi
  > sync (deraadt@)

  ~ lists/base/mi
  > sync (deraadt@)

  ~ lists/base/mi ~ lists/man/mi
  > sync (deraadt@)

sgi

  ~ cdfs/Makefile ~ iso/Makefile
  > Add IP26 kernels and boot blocks to the installation media. (miod@)

== etc =============================================================== 03/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc

Makefile

  ~ Makefile
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

changelist

  ~ changelist
  > add Ed25519 SSH host key; ok deraadt@ (naddy@)

  ~ changelist
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

etc.sgi/disktab

  ~ etc.sgi/disktab
  > Add IP26 kernels and boot blocks to the installation media. (miod@)

examples/eigrpd.conf

  + examples/eigrpd.conf
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

group

  ~ group
  > add _eigrpd user/group (deraadt@)

mail/aliases

  ~ mail/aliases
  > add _eigrpd user/group (deraadt@)

master.passwd

  ~ master.passwd
  > add _eigrpd user/group (deraadt@)

netstart

  ~ netstart
  > Don't print output when setting autoconf on interfaces.
  > Suggested by deraadt,
  > ok florian@ rpe@ (sthen@)

rc

  ~ rc
  > Besides the usual style changes:
  > - verify that kbd is executable and kbdtype is not empty
  > - use safer 'print --' to pipe the initial pf ruleset to pfctl
  > - simplify the ipsecctl if-block
  > Feedback and OK halex@
  > OK krw@ (rpe@)

  ~ rc
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

rc.conf

  ~ rc.conf
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

rc.d/eigrpd

  + rc.d/eigrpd
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

== games ============================================================= 04/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games

bs

  ~ bs.c
  > Make prompt() properly printf-like, eliminating empty dummy args
  > (guenther@)

hack

  ~ hack.apply.c ~ hack.eat.c ~ hack.h ~ hack.invent.c ~ hack.lev.c
  ~ hack.main.c ~ hack.options.c ~ hack.pager.c ~ hack.potion.c ~ hack.pri.c
  ~ hack.rip.c ~ hack.rumors.c ~ hack.timeout.c ~ hack.topl.c ~ hack.tty.c
  > Annotate funcs with __attribute__((printf(...))) and clean up the fallout:
  > * lots of foo(str) --> foo("%s", str) transformations
  > * one totally insane foo(fmt, ap) --> vfoo(fmt, ap) conversion: how did
  > this ever work?
  > * prefer const char[] over char* for static format strings, as it lets
  > gcc check the format and eliminates an unnecessary pointer
  > ok beck@ (guenther@)

hunt

  ~ huntd/execute.c ~ huntd/expl.c
  > Delete pointless NOSTRICT comments (guenther@)

sail

  ~ assorted.c
  > Make -Wformat=2 happier with a few foo(str) -> foo("%s", str) fixes
  > ok beck@ (guenther@)

  ~ pl_7.c ~ sync.c
  > Delete obsolete lint comments
  > ok beck@ (guenther@)

== include =========================================================== 05/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/include

Makefile

  ~ Makefile
  > Stop installing any header files in /usr/include/dev/pci/drm.
  > Userland should get these from /usr/X11R6/include/libdrm.
  > ok deraadt@ (and suggested by jsg@) (kettenis@)

rpcsvc/yp_prot.h

  ~ rpcsvc/yp_prot.h
  > delete xdr_ypresp_all_seq prototype (deraadt@)

== lib =============================================================== 06/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libc

  ~ Symbols.list ~ yp/yp_all.c
  > xdr_ypresp_all_seq() does not need to be exported by libc, we can make it
  > local static. (Does not need to be exported by librpcsvc either, since it
  > is pre-rpcgen and simply %-commented). A few callers use this via
  > yp_all() -- that interface remains untouched.
  > ports trawl by sthen
  > guenther watched me gnash my teeth in croatia (deraadt@)

  ~ Symbols.list
  > separate random functions into their own block (deraadt@)

  ~ stdio/vfprintf.c ~ stdio/vfwprintf.c
  > Delete the final, inscrutable NOSTRICT and VARARGS lint comments
  > ok millert@ (guenther@)

  ~ sys/tame.2
  > implement new "prot_exec" tame(2) request:
  > - by default, a tamed-program doesn't have the possibility to use PROT_EXEC for
  > mmap(2) or mprotect(2)
  > - for that, use the request "prot_exec" (that could be dropped later)
  > initial idea from deraadt@ and kettenis@
  > "make complete sense" beck@
  > ok deraadt@ (semarie@)

  ~ locale/runeglue.c ~ locale/_wcstod.h ~ locale/_wcstol.h ~ locale/_wcstoul.h
  ~ stdio/fputwc.c ~ stdio/sprintf.c ~ quad/ashrdi3.c ~ stdlib/getopt_long.c
  ~ string/wcschr.c ~ string/wcspbrk.c ~ string/wcsrchr.c ~ string/wcsstr.c
  ~ string/wmemchr.c ~ gen/setproctitle.c
  > Eliminate the last of the LINTEDn and PRINTFLIKEn comments. In one
  > case, by deleting some useless '& of an array' we also eliminate the need
  > for the casts which prompted the original lint warnings
  > ok deraadt@ (guenther@)

  ~ asr/getnameinfo.c
  > make a && && & block more readable. no binary change.
  > discussed with otto (deraadt@)

  ~ asr/asr.c ~ asr/asr_debug.c ~ asr/asr_private.h
  > missing asr* -> _asr* symbol rename for building with debug code
  > ok jca@ (eric@)

  ~ asr/asr.c ~ asr/asr_private.h
  > Initially eric developed asr as a side-load style library for async DNS.
  > When it was integrated as the main resolver, a bunch of strange initialization
  > code remained. Start whittling away at this, piece by piece, to make it
  > more clear.
  > ok eric (deraadt@)

  ~ arch/mips64/sys/sigpending.S
  > Delete an inexplicable comment (guenther@)

  ~ rpc/xdr_rec.c
  > __xdrrec_getrec is in the reserved namespace, so it doesn't need to be weak
  > (guenther@)

  ~ gen/nlist.c
  > __fdnlist() is exported for libkvm, but the internal call can go direct
  > (guenther@)

  ~ hidden/sys/socket.h
  > getpeereid() and sockatmark() are neither used in libc nor in ISO C, so mark
  > them deprecated and weak (guenther@)

  ~ hidden/sys/socket.h ~ net/recv.c ~ net/send.c
  > recv() and send() aren't overridden by libpthread (vs recvfrom() and sendto()!)
  > so wrap them to make internal calls go direct (guenther@)

  ~ stdio/fwalk.c ~ stdio/local.h
  > wrap _fwalk() so internal calls are direct (at least until we stop
  > exporting it) (guenther@)

  ~ net/ruserok.c
  > wrap __ivaliduser_sa() so the internal call is direct (at least until we
  > stop exporting it) (guenther@)

  + hidden/spawn.h
  > Wrap <spawn.h> to make all the symbols there weak (guenther@)

  + hidden/search.h
  > Wrap <search.h> to make all the symbols there weak (guenther@)

  ~ Symbols.list
  > Clarify a point. Adjust punctuation after discussion w/ jmc@ (guenther@)

  ~ sys/tame.2
  > mention sendto(2) destination address restriction for "rw"
  > subset; ok deraadt, feedback & ok jmc (djm@)

libcrypto

  ~ crypto/Makefile
  > Flense the greasy black guts of unreadable string parsing code out of three areas
  > in asn1 and x509 code, all dealing with an ASN1_TIME. This brings the parsing
  > together in one function that converts into a struct tm.
  > While we are at it this
  > also brings us into conformance with RFC 5280 for times allowed in an X509 cert,
  > as OpenSSL is very liberal with what it allows.
  > input and fixes from deraadt@ jsing@ guethther@ and others.
  > ok krw@, guenther@, jsing@ (beck@)

libcurses

  ~ base/vsscanf.c
  > lint is dead: delete the trivial uses of /* VARARGS[0-9]+ */
  > (others require more care) (guenther@)

libpcap

  ~ gencode.c
  > lint is dead: delete the trivial uses of /* VARARGS[0-9]+ */
  > (others require more care) (guenther@)

  ~ pcap-bpf.c
  > remove the #if bsdi path from here as well (jsg@)

libsndio

  ~ aucat.c ~ sndio.7
  > Remove support for the AUCAT_COOKIE environment variable. (ratchov@)

  ~ amsg.h
  > remove unused DEFAULT_OPT macro (ratchov@)

  ~ debug.h
  > fix spacing (ratchov@)

  ~ amsg.h ~ aucat.c
  > use macros instead of hard-coded strings for unix sockets paths (ratchov@)

  ~ mio_rmidi.c
  > fix typo in debug message (ratchov@)

  ~ amsg.h ~ aucat.c
  > As the socket path is known, use its size rather than PATH_MAX. (ratchov@)

  ~ mio_rmidi.c ~ sio_sun.c
  > Use macros for audio and midi device paths rather than hardcoded
  > strings. No object change. (ratchov@)

  ~ debug.c ~ debug.h ~ mio_rmidi.c ~ sio_sun.c
  > Validate that midi and audio device numbers are integers. (ratchov@)

  ~ mio_rmidi.c ~ sio_sun.c
  > As device path is known, use its size instead of PATH_MAX (ratchov@)

  ~ aucat.c
  > use macros for cookie path and temp file template instead
  > of hardcoded strings. no object change. (ratchov@)

libssl

  ~ src/crypto/opensslv.h
  > bump to 2.3.1 (bcook@)

  ~ src/crypto/bn/bn_print.c
  > Redo 1.25, without the NULL deref.
  > ok sthen@ bcook@ (miod@)

  ~ src/crypto/bn/bn_print.c
  > remove excessive brackets on pointer math (deraadt@)

  ~ src/crypto/asn1/a_bitstr.c ~ src/crypto/ec/ec_asn1.c ~ src/crypto/x509v3/v3_bitst.c
  > Replace remaining M_ASN1_BIT_STRING_(new|free) macros with calls to
  > ASN1_BIT_STRING_(new|free).
  > ok beck@ doug@ (jsing@)

  ~ src/ssl/bio_ssl.c
  > convert "last_time" to a time_t, to handle beyond Y2038
  > ok guenther miod (deraadt@)

  ~ src/crypto/ossl_typ.h
  > Remove support for NO_ASN1_TYPEDEFS.
  > This ifdef was introduced 15 years ago and was known to cause problems
  > with STACK_OF() back then.
  > ok jsing@, beck@, jca@ (doug@)

  ~ src/doc/crypto/ui_compat.pod
  > fix two typos. (sobrado@)

  ~ src/crypto/asn1/a_int.c
  > Remove unnecessary type assignments - M_ASN1_INTEGER_new() already sets
  > the type to V_ASN1_INTEGER.
  > ok doug@ (jsing@)

  ~ src/crypto/asn1/a_int.c ~ src/crypto/asn1/asn1_par.c ~ src/crypto/asn1/evp_asn1.c
  ~ src/crypto/asn1/p5_pbev2.c ~ src/crypto/pkcs12/p12_mutl.c ~ src/crypto/pkcs7/pk7_lib.c
  ~ src/crypto/x509/x509_r2x.c ~ src/crypto/x509/x509_req.c ~ src/crypto/x509/x509_set.c
  ~ src/crypto/x509/x509cset.c ~ src/crypto/x509v3/v3_akey.c ~ src/crypto/x509v3/v3_sxnet.c
  > Replace M_ASN1_INTEGER_(new|free) with ASN1_INTEGER_(new|free) - this is
  > different from the macro expansion, but the result is the same. Also
  > replace some ASN1_STRING_dup() with ASN1_INTEGER_dup().
  > ok beck@ doug@ (jsing@)

  ~ src/crypto/x509/x509_set.c ~ src/crypto/x509/x509cset.c
  > s/M_ASN1_TIME_free/ASN1_TIME_free/ (jsing@)

  ~ src/crypto/asn1/a_gentm.c ~ src/crypto/asn1/a_time.c ~ src/crypto/ts/ts_rsp_sign.c
  > Replace M_ASN1_GENERALIZEDTIME_(new|free) with
  > ASN1_GENERALIZEDTIME_(new|free). (jsing@)

  ~ src/crypto/x509v3/v3_alt.c ~ src/crypto/x509v3/v3_cpols.c ~ src/crypto/x509v3/v3_ia5.c
  > Replace M_ASN1_IA5STRING_(new|free) with ASN1_IA5STRING_(new|free). Same
  > with one s/M_ASN1_VISIBLESTRING_new/ASN1_VISIBLESTRING_new/. (jsing@)

  ~ src/crypto/asn1/a_utctm.c
  > Replace M_ASN1_UTCTIME_(new|free) with ASN1_UTCTIME_(new|free).
  > (jsing@)

  ~ src/crypto/asn1/asn1_par.c ~ src/crypto/asn1/evp_asn1.c ~ src/crypto/asn1/p5_pbev2.c
  ~ src/crypto/asn1/x_pkey.c ~ src/crypto/pkcs12/p12_add.c ~ src/crypto/pkcs12/p12_decr.c
  ~ src/crypto/pkcs12/p12_init.c ~ src/crypto/pkcs12/p12_p8e.c ~ src/crypto/pkcs7/pk7_doit.c
  ~ src/crypto/pkcs7/pk7_lib.c ~ src/crypto/rsa/rsa_saos.c ~ src/crypto/x509v3/v3_akey.c
  ~ src/crypto/x509v3/v3_conf.c ~ src/crypto/x509v3/v3_ocsp.c ~ src/crypto/x509v3/v3_skey.c
  > Replace M_ASN1_OCTET_STRING_(free|new) with ASN1_OCTET_STRING_(free|new).
  > (jsing@)

  ~ src/crypto/asn1/a_enum.c
  > Replace M_ASN1_ENUMERATED_(free|new) with ASN1_ENUMERATED_(free|new).
  > (jsing@)

  ~ src/crypto/asn1/asn1_par.c
  > s/M_ASN1_ENUMERATED_free/ASN1_ENUMERATED_free/ (jsing@)

  ~ src/crypto/asn1/evp_asn1.c
  > Expand M_i2d_ASN1_OCTET_STRING macros - no change in generated assembly,
  > aside from line numbers. (jsing@)

  ~ src/crypto/asn1/asn1.h
  > Place all of the ASN1 M_ macros under #ifndef LIBRESSL_INTERNAL. (jsing@)

  ~ src/ssl/s3_clnt.c
  > s/ssl3_client_kex/ssl3_send_client_kex/ for consistency with the caller.
  > (jsing@)

  ~ src/crypto/asn1/a_gentm.c ~ src/crypto/asn1/a_time.c ~ src/crypto/asn1/a_utctm.c
  ~ src/crypto/asn1/asn1_locl.h ~ src/crypto/x509/x509_lcl.h ~ src/crypto/x509/x509_vfy.c
  + src/crypto/asn1/a_time_tm.c
  > Flense the greasy black guts of unreadable string parsing code out of three areas
  > in asn1 and x509 code, all dealing with an ASN1_TIME. This brings the parsing
  > together in one function that converts into a struct tm. While we are at it this
  > also brings us into conformance with RFC 5280 for times allowed in an X509 cert,
  > as OpenSSL is very liberal with what it allows.
  > input and fixes from deraadt@ jsing@ guethther@ and others.
  > ok krw@, guenther@, jsing@ (beck@)

  ~ src/ssl/ssl_lib.c
  > SSL_new(): fix ref counting and memory leak in error path.
  > Rather than a half-hearted attempt to free up resources and fix
  > ref counting at the SSL_CTX level, let SSL_free() do its job.
  > This diff got lost in the shuffle somewhere. It's from last year.
  > Ref counting error reported by Parakleta in github ticket #51. Thanks!
  > ok jsing@, beck@ (doug@)

  ~ src/crypto/asn1/a_time_tm.c
  > Apply some style(9), tweak a few things for readability and add some
  > additional bounds checks.
  > ok beck@ (jsing@)

libtls

  ~ tls_conninfo.c
  > Explicit NULL checks and style(9) tweaks. (jsing@)

  ~ tls.c ~ tls_client.c ~ tls_config.c ~ tls_server.c ~ tls_verify.c
  > clean some ugly indentation warts (deraadt@)

  ~ tls_client.c ~ tls_internal.h ~ tls_verify.c
  > Instead of declaring a union in multiple places, move it to tls_internal.h.
  > ok deraadt@ (jsing@)

  ~ tls.h
  > include <sys/types.h> for ssize_t
  > ok jsing@, deraadt@ (bcook@)

== libexec =========================================================== 07/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec

ftpd

  ~ extern.h ~ ftpd.c ~ popen.c
  > fix custom popen to return pid to caller instead of tracking in a giant
  > array. this implies we can't use a function pointer for close, but also
  > means we get to repair some abuse of the comma operator.
  > ok miod (tedu@)

login_radius

  ~ login_radius.8
  > some radiusd updates, from theo buehler (jmc@)

  ~ login_radius.8
  > Talk about 'RADIUS server' in most cases, rather than referring specifically
  > to radiusd(8) (which doesn't support everything that login_radius(8) talks
  > about) - theo buehler (who provided previous diff) agrees with this.
  > Capitalise RADIUS as per the naming in the RFC. Add STANDARDS section
  > referring to the RFC. Discussed with/suggestions from jmc. (sthen@)

== regress =========================================================== 08/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

lib

  ~ libssl/ssl/testssl
  > check if openssl(1) actually works before proceeding
  > It was possible for this test to pass even if the openssl command itself was
  > missing. (bcook@)

  ~ libcrypto/sha2/Makefile
  > Fix sha2 regression test for libcrypto.
  > By default, "openssl sha" used SHA-0. However, it was possible to use
  > the form "openssl sha -sha256" to run SHA-256 instead. The regression
  > test used this form. Since we removed SHA-0 support, the regress tests
  > should now call "openssl <digest>".
  > ok guenther@, bcook@ (doug@)

  ~ libcrypto/asn1/Makefile + libcrypto/asn1/rfc5280time.c
  > Add an rfc5280 test suite to test x509_cmp_time.
  > Note some of these will yet fail with the current libcrypto as the current
  > X509_cmp_time is not RFC5280 compliant
  > ok jsing@ (beck@)

  ~ libcrypto/asn1/rfc5280time.c
  > Fix a bug in the regress, and be much more pedantic about what is allowed
  > per RFC 5380 in an X509. RFC 5280 states that all times before 2050 must
  > be specified as a UTCtime, not a Generalized time, and all times after must
  > be a UTC time. By extension this also means the smallest time allowed
  > per RFC 5280 is 500101000000Z and the largest is 99991231235959Z. (beck@)

  ~ libcrypto/asn1/asn1time.c
  > Add another invalid time, which is currently accepted. (jsing@)

sbin

  ~ route/rttest8.ok
  > Sync with recent changes, local routes are now always UP. (mpi@)

sys

  ~ kern/tame/generic/main.c ~ kern/tame/generic/tests.out
  > add a tame(2) regress for stat(2) and realpath(3) (semarie@)

  ~ kern/tame/generic/main.c ~ kern/tame/generic/tests.out
  > make using tame path "/" work.
  > and add a regress test for that.
  > ok deraadt@ (semarie@)

  ~ kern/tame/generic/main.c ~ kern/tame/generic/tests.out
  > implement new "prot_exec" tame(2) request:
  > - by default, a tamed-program doesn't have the possibility to use PROT_EXEC for
  > mmap(2) or mprotect(2)
  > - for that, use the request "prot_exec" (that could be dropped later)
  > initial idea from deraadt@ and kettenis@
  > "make complete sense" beck@
  > ok deraadt@ (semarie@)

usr.bin

  ~ dc/t1.in ~ dc/t1.out
  > adapt to the removal of !
  > (otto@)

== sbin ============================================================== 09/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin

dmesg

  ~ dmesg.c
  > dmesg has two modes. The normal sysctl mode, and the -M/-N kvm searcher.
  > In both cases once the relevant setup is done, it can drop to tame "stdio".
  > (deraadt@)

fsck

  ~ fsutil.c
  > lint is dead: delete the trivial uses of /* VARARGS[0-9]+ */
  > (others require more care) (guenther@)

fsck_msdos

  ~ ext.h ~ fat.c ~ main.c
  > Mark ask() as printf-like; split up a pwarn() with variable number of
  > specifiers
  > ok beck@ millert@ (guenther@)

ifconfig

  ~ ifconfig.8 ~ ifconfig.c
  > IPv6 transport for pflow data.
  > Input deraadt@
  > Bug fix & OK benno@ (florian@)

iked

  ~ ca.c ~ iked.h ~ ikev2.c ~ ikev2_pld.c ~ policy.c
  > Fix interoperability with Apple iOS9: If we don't get a (valid)
  > CERTREQ but a CERT, respond with a local CERT that was selected based
  > on our own policy instead of leaving it out. This seems to be valid
  > with the RFC that makes the CERTREQ optional and allows to ignore it
  > or to apply an own policy.
  > OK mikeb@ sthen@ (reyk@)

  ~ ikev2_pld.c
  > Don't reject an "empty" CERTREQ (one with no CA hashes), instead treat it as
  > if no CERTREQ were received. In conjunction with the previous iOS9 interop fix,
  > this may fix an interop problem seen by Denis Lapshin with BlackBerry OS 10.3.1
  > and one of a number with firebrick.co.uk's IKEv2 implementation diagnosed by
  > their developer Cliff Hones. ok reyk@ (sthen@)

  ~ ikev2.c
  > If the policy certreqtype is 0, use the global one instead.
  > This fixes EAP (user-based auth) with IKEv2 in El Capitan.
  > OK mikeb@ (reyk@)

  ~ parse.y
  > Remove MD5 from the default proposals. At least SHA1 seems to be the
  > minimum out there. Even El Capitan announces 3DES and SHA1 instead of MD5.
  > OK mikeb@ (reyk@)

  ~ ikev2.h
  > RFC7634 specifies ChaCha20-Poly1305 for IKEv2 and IPsec and IANA
  > assigned an official ID 28 for it.
  > This is good news, and we should
  > really support it as well. Just add the ID for now.
  > Discussed with mikeb@ (reyk@)

  ~ ikev2.h
  > Curve25519 is now specified in draft-ietf-ipsecme-safecurves-00 (along
  > with Curve448). And we already support it. Mention it here to update
  > the Id when it was assigned by IANA. (reyk@)

newfs

  ~ newfs.c
  > Delete the final, inscrutable NOSTRICT and VARARGS lint comments
  > ok millert@ (guenther@)

nfsd

  ~ Makefile
  > oh no, a KERBEROS leftover; from Ilya Kaliman (deraadt@)

pfctl

  ~ pfctl.c
  > Make 'pfctl -s all' show queues. pfctl(8) says it does, and 5.4
  > pfctl(8) did for the old queues.
  > ok sashan@ sthen@ (krw@)

ping

  ~ ping.c
  > ping is a setuid root priv-drop which holds a sockraw. we can tame it
  > substantially with "stdio inet", plus "dns" if the -n option is missing.
  > a successful exploit against it then cannot create files, or perform a
  > variety of other operations, as described in the tame(2) man page.
  > work with florian a while back
  > ok doug (deraadt@)

ping6

  ~ ping6.c
  > remove old self-kill() in the signal handler. must predate the
  > signal handler audit. found while adapting ping6 to tame.
  > ok kettenis (deraadt@)

  ~ ping6.c
  > ping6 is a setuid root priv-drop which holds a sockraw. we can tame it
  > substantially with "stdio inet", plus "dns" if the -n option is missing.
  > a successful exploit against it then cannot create files, or perform a
  > variety of other operations, as described in the tame(2) man page.
  > ping6 is a bit trickier than ping, because it uses recvmsg() with CMSG
  > types of IPV6_HOPOPTS, IPV6_DSTOPTS, IPV6_RTHDRDSTOPTS, IPV6_RTHDR.
  > there is further work to do in the kernel, with claudio!
  > work with florian a while back, which involved hoisting lots of initialization
  > code upwards.
  > ok doug (deraadt@)

  ~ ping6.c
  > Repair tame() error check to be == -1 (deraadt@)

sysctl

  ~ sysctl.8
  > If we care about placing core files from SUID programs in a safe place,
  > lets do not suggest to provoke races and use -m option of mkdir(1).
  > ok guenther@, "don't care" deraadt@ :) (zhuk@)

== share ============================================================= 10/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share

man

  ~ man7/packages.7
  > check-conflicts was replaced with check-problems; from Theo Buehler
  > (sthen@)

  ~ man7/library-specs.7
  > typo, resolve_lib->resolve-lib; from Theo Buehler (sthen@)

  ~ man4/iwm.4
  > ifconfig iwm0 lladdr ... works now. Remove entry from BUGS section. (stsp@)

  ~ man7/packages.7
  > basic grammar fixes; (jmc@)

  ~ man4/isa.4 + man4/asmc.4
  > add a (disabled) driver for the Apple System Management Controller (SMC) as
  > found in Apple Intel based devices
  > "go at it" deraadt@ (jung@)

  ~ man4/Makefile
  > build asmc.4 (deraadt@)

  ~ man4/Makefile
  > right place in order (deraadt@)

  ~ man8/afterboot.8
  > fix typo; cross-reference smtpd(8). (sobrado@)

  ~ man4/asmc.4
  > trailing whitespace; (jmc@)

  ~ man5/pf.conf.5
  > fix some spelling messes.
  > ok jmc@ (sobrado@)

  ~ man5/login.conf.5
  > some radiusd updates, from theo buehler (jmc@)

  ~ man4/options.4
  > no more INET option, apparently; from ilya kaliman (jmc@)

  ~ man5/files.conf.5
  > change the option INET example to INET6, since we no longer have INET;
  > (jmc@)

  ~ man5/mk.conf.5
  > zap an unnecessary Ev; from michael reed (jmc@)

  ~ man9/ml_init.9
  > fix typo. (sobrado@)

  ~ man9/srp_enter.9
  > typos. (sobrado@)

  ~ man4/tsl.4
  > fix typo. (sobrado@)

  ~ man4/vxlan.4
  > replace vxlan port number by its official service name; while here,
  > use a comma to separate entries hold in the vxlan tunnel endpoint
  > table as it is the style most commonly used in base.
  > ok reyk@; henning@ agrees.
  > (sobrado@)

  ~ man8/man8.sparc64/boot_sparc64.8
  > Restore description of the sparc64 boot process which was lost when
  > MD installboot was moved to the attic. Put it into boot_sparc64(8),
  > which still pointed readers at installboot(8) for this information.
  > With some markup tweaks from schwarze@ (stsp@)

zoneinfo

  ~ datfiles/asia ~ datfiles/australasia ~ datfiles/europe ~ datfiles/northamerica
  ~ datfiles/zone.tab ~ datfiles/zone1970.tab
  > Update to tzdata2015g from ftp.iana.org (millert@)

== sys =============================================================== 11/13 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

arch/alpha/alpha

  ~ disksubr.c
  > Mechanical changes from manual buf set up to readdisksector().
  > ok deraadt@ (krw@)

  ~ pmap.c
  > Make the alpha pmap (more) mpsafe by protecting both the pmap itself and the
  > pv lists with a mutex. This should make pmap_enter(9), pmap_remove(9) and
  > pmap_page_protect(9) safe to use without holding the kernel lock. This
  > largely reverts rev. 1.75, but now of course the pmap locks are defined
  > to actually call mtx_enter(9) and mtx_leave(9).
  > ok visa@ (kettenis@)

arch/alpha/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

  ~ pmap.h
  > Make the alpha pmap (more) mpsafe by protecting both the pmap itself and the
  > pv lists with a mutex. This should make pmap_enter(9), pmap_remove(9) and
  > pmap_page_protect(9) safe to use without holding the kernel lock. This
  > largely reverts rev. 1.75, but now of course the pmap locks are defined
  > to actually call mtx_enter(9) and mtx_leave(9).
  > ok visa@ (kettenis@)

arch/alpha/isa

  ~ isadma_bounce.c
  > free(x, 0) cleanup:
  > - set size argument of free()
  > - remove pointless if expression around free() call
  > ok guenther@ (semarie@)

arch/alpha/stand/boot

  ~ disk.c
  > Remove more blinding trailing whitespace.
(krw@) arch/amd64/amd64 ~ disksubr.c > Use readdisksector() instead of manual buf initialization. > ok deraadt@ (krw@) ~ disksubr.c > Add missing prototype for bios_getdiskinfo() to amd64/disksubr.c. > Include systm.h inside #ifdef DEBUG in i386/disksubr.c, as > amd64/disksubr.c. > Makes amd64 and i386 disksubr.c identical once more. (krw@) arch/amd64/conf ~ GENERIC > add a (disabled) driver for the Apple System Management Controller (SMC) as > found in Apple Intel based devices > "go at it" deraadt@ (jung@) ~ GENERIC > enable new asmc(4) driver on amd64 > "go at it" deraadt@ (jung@) arch/amd64/include ~ segments.h > How about I delete _all_ the BITFIELDTYPE comments? (guenther@) ~ disklabel.h > Use consistant whitespace/comments for #define'ing LABELSECTOR, > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning > through all these files. No functional change. (krw@) arch/amd64/isa ~ isa_machdep.c > free(x, 0) cleanup: > - set size argument of free() > - remove pointless if expression around free() call > ok guenther@ (semarie@) arch/amd64/stand/efiboot ~ efidev.c > Use DOS_LABELSECTOR rather than LABELSECTOR to indicate offset into an > OpenBSD partition when accessing the disklabel. For these files both > are '1', but this makes the usage consistent across all archs. > ok guenther@ miod@ (krw@) arch/amd64/stand/libsa ~ biosdev.c > Remove more blinding trailing whitespace. (krw@) ~ biosdev.c > Remove yet more blinding whitespace. (krw@) ~ biosdev.c ~ softraid.c > Use DOS_LABELSECTOR rather than LABELSECTOR to indicate offset into an > OpenBSD partition when accessing the disklabel. For these files both > are '1', but this makes the usage consistent across all archs. > ok guenther@ miod@ (krw@) arch/arm/arm ~ disksubr.c > Use readdisksector() instead of manual buf initialization. These are > identical to the amd64 change already committed. 
  > ok deraadt@ (krw@)

arch/arm/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

  ~ disklabel.h
  > Use #ifndef _MACHINE_DISKLABEL_H_ everywhere. Replace _ARM_DISKLABEL_H_
  > and _SH_DISKLABEL_H_ with _MACHINE_DISKLABEL_H_. Add the guard to
  > loongson and octeon. The #defines are not used anywhere else in the
  > tree so no functional change. (krw@)

arch/armish/stand/boot

  ~ wd.c
  > Remove more blinding trailing whitespace. (krw@)

  ~ wd.c
  > Use DOS_LABELSECTOR rather than LABELSECTOR to indicate offset into an
  > OpenBSD partition when accessing the disklabel. For these files both
  > are '1', but this makes the usage consistent across all archs.
  > ok guenther@ miod@ (krw@)

arch/aviion/aviion

  ~ disksubr.c
  > Mechanical changes from manual buf set up to readdisksector().
  > ok deraadt@ (krw@)

  ~ disksubr.c
  > More mechanical switching to readdisksector(), although this is a
  > slightly different pattern. hppa/macppc compile and boot so
  > hppa64/aviion surely do too!
  > ok deraadt@ (krw@)

  ~ disksubr.c
  > Remove some annoying trailing whitespace. (krw@)

arch/aviion/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

arch/aviion/stand/boot

  ~ sd.c
  > Remove more blinding trailing whitespace. (krw@)

arch/hppa/hppa

  ~ disksubr.c
  > Eliminate unneeded 2nd buf (dbp). One is enough for any i/o needed during
  > disklabel processing. Especially when the 2nd one was not asking for a
  > disk sector worth of buffer space.
  > ok kettenis@ (krw@)

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. hppa compiles
  > and boots, so the identical hppa64 should too!
  > ok deraadt@ (krw@)

  ~ disksubr.c
  > More mechanical switching to readdisksector(), although this is a
  > slightly different pattern. hppa/macppc compile and boot so
  > hppa64/aviion surely do too!
  > ok deraadt@ (krw@)

arch/hppa/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

  ~ disklabel.h
  > Remove some trailing whitespace. (krw@)

arch/hppa/stand/libsa

  ~ dk.c
  > Remove more blinding trailing whitespace. (krw@)

arch/hppa64/hppa64

  ~ disksubr.c
  > Eliminate unneeded 2nd buf (dbp). One is enough for any i/o needed during
  > disklabel processing. Especially when the 2nd one was not asking for a
  > disk sector worth of buffer space.
  > ok kettenis@ (krw@)

  ~ disksubr.c
  > Tweak a bit of daddr_t goodness and make hppa64 disksubr.c identical to
  > hppa disksubr.c.
  > ok kettenis@ (krw@)

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. hppa compiles
  > and boots, so the identical hppa64 should too!
  > ok deraadt@ (krw@)

  ~ disksubr.c
  > More mechanical switching to readdisksector(), although this is a
  > slightly different pattern. hppa/macppc compile and boot so
  > hppa64/aviion surely do too!
  > ok deraadt@ (krw@)

arch/hppa64/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

  ~ disklabel.h
  > Remove some trailing whitespace. (krw@)

arch/hppa64/stand/libsa

  ~ dk.c
  > Remove more blinding trailing whitespace. (krw@)

arch/i386/conf

  ~ GENERIC
  > add a (disabled) driver for the Apple System Management Controller (SMC) as
  > found in Apple Intel based devices
  > "go at it" deraadt@ (jung@)

arch/i386/i386

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. These are
  > identical to the amd64 change already committed.
  > ok deraadt@ (krw@)

  ~ apm.c
  > In low-level suspend routines, set cold=2. In tsleep(), use this to
  > spit out a ddb trace to console. This should allow us to find suspend
  > or resume routines which break the rules. It depends on the console
  > output function being non-sleeping.... but that's another codepath which
  > should try to be safe when cold is set.
  > ok kettenis (deraadt@)

  ~ disksubr.c
  > Add missing prototype for bios_getdiskinfo() to amd64/disksubr.c.
  > Include systm.h inside #ifdef DEBUG in i386/disksubr.c, as
  > amd64/disksubr.c.
  > Makes amd64 and i386 disksubr.c identical once more. (krw@)

arch/i386/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

arch/i386/isa

  ~ isa_machdep.c
  > free(x, 0) cleanup:
  > - set size argument of free()
  > - remove pointless if expression around free() call
  > ok guenther@ (semarie@)

arch/i386/stand/libsa

  ~ biosdev.c ~ softraid.c
  > Use DOS_LABELSECTOR rather than LABELSECTOR to indicate offset into an
  > OpenBSD partition when accessing the disklabel. For these files both
  > are '1', but this makes the usage consistent across all archs.
  > ok guenther@ miod@ (krw@)

arch/landisk/landisk

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. These are
  > identical to the amd64 change already committed.
  > ok deraadt@ (krw@)

arch/loongson/dev

  ~ apm.c
  > In low-level suspend routines, set cold=2. In tsleep(), use this to
  > spit out a ddb trace to console. This should allow us to find suspend
  > or resume routines which break the rules. It depends on the console
  > output function being non-sleeping.... but that's another codepath which
  > should try to be safe when cold is set.
  > ok kettenis (deraadt@)

arch/loongson/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

  ~ disklabel.h
  > Use #ifndef _MACHINE_DISKLABEL_H_ everywhere. Replace _ARM_DISKLABEL_H_
  > and _SH_DISKLABEL_H_ with _MACHINE_DISKLABEL_H_. Add the guard to
  > loongson and octeon. The #defines are not used anywhere else in the
  > tree so no functional change. (krw@)

arch/loongson/loongson

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. These are
  > identical to the amd64 change already committed.
  > ok deraadt@ (krw@)

arch/loongson/stand/boot

  ~ dev.c
  > Use DOS_LABELSECTOR rather than LABELSECTOR to indicate offset into an
  > OpenBSD partition when accessing the disklabel. For these files both
  > are '1', but this makes the usage consistent across all archs.
  > ok guenther@ miod@ (krw@)

arch/luna88k/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

arch/luna88k/luna88k

  ~ disksubr.c
  > Mechanical changes from manual buf set up to readdisksector().
  > ok deraadt@ (krw@)

arch/macppc/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

  ~ disklabel.h
  > Remove some trailing whitespace. (krw@)

arch/macppc/macppc

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization.
  > ok deraadt@ (krw@)

  ~ disksubr.c
  > More mechanical switching to readdisksector(), although this is a
  > slightly different pattern. hppa/macppc compile and boot so
  > hppa64/aviion surely do too!
  > ok deraadt@ (krw@)

arch/mips64/include

  ~ cpustate.h
  > Don't forget to put the necessary MFC0_HAZARD in SAVE_CPU. For some reason I
  > had put the MTC0_HAZARD in RESTORE_CPU years ago but forgot their
  > counterparts. (miod@)

arch/mips64/mips64

  ~ trap.c
  > On R8000, make trap() behave closer to interrupt() when servicing a real
  > interrupt by not invoking refreshcreds(), but closer to itsa() when servicing
  > a trap-reported-as-interrupt by invoking userret() in that case.
  > No change on !defined(CPU_R8000) kernels. (miod@)

  ~ context.S
  > Use the DMTC0 macro and MTC0_HAZARD in the UPAGES > 1 case. Now R8000 kernel
  > have all their m[ft]c0 instructions correctly wrapped. (miod@)

arch/octeon/dev

  ~ octeon_pcibus.c
  > correct a memory leak in error code path.
  > noticed by miod@
  > ok visa@ (semarie@)

arch/octeon/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

  ~ disklabel.h
  > Use #ifndef _MACHINE_DISKLABEL_H_ everywhere. Replace _ARM_DISKLABEL_H_
  > and _SH_DISKLABEL_H_ with _MACHINE_DISKLABEL_H_. Add the guard to
  > loongson and octeon. The #defines are not used anywhere else in the
  > tree so no functional change. (krw@)

arch/octeon/octeon

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. These are
  > identical to the amd64 change already committed.
  > ok deraadt@ (krw@)

arch/sgi/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

arch/sgi/sgi

  ~ disksubr.c
  > Mechanical changes from manual buf set up to readdisksector().
  > ok deraadt@ (krw@)

arch/sgi/stand/boot

  ~ diskio.c
  > Nuke a #if 0/#endif block and a related variable. No plans to ever make
  > this work better than it does now. Eliminates a stray use of LABELSECTOR.
  > ok miod@ (krw@)

arch/sgi/stand/boot64

  ~ Makefile
  > Add IP26 kernels and boot blocks to the installation media. (miod@)

arch/sgi/xbow

  ~ xbridge.c
  > free(x, 0) cleanup:
  > - set size argument of free()
  > - remove pointless if expression around free() call
  > ok guenther@ (semarie@)

arch/sh/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

  ~ disklabel.h
  > Use #ifndef _MACHINE_DISKLABEL_H_ everywhere. Replace _ARM_DISKLABEL_H_
  > and _SH_DISKLABEL_H_ with _MACHINE_DISKLABEL_H_. Add the guard to
  > loongson and octeon. The #defines are not used anywhere else in the
  > tree so no functional change. (krw@)

arch/socppc/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

arch/socppc/socppc

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. These are
  > identical to the amd64 change already committed.
  > ok deraadt@ (krw@)

arch/socppc/stand/boot

  ~ wd.c
  > Remove more blinding trailing whitespace. (krw@)

  ~ wd.c
  > Use DOS_LABELSECTOR rather than LABELSECTOR to indicate offset into an
  > OpenBSD partition when accessing the disklabel. For these files both
  > are '1', but this makes the usage consistent across all archs.
  > ok guenther@ miod@ (krw@)

arch/sparc/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

arch/sparc/sparc

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. sparc64
  > compiles and boots, so the identical sparc code must too!
  > ok deraadt@ (krw@)

  ~ disksubr.c
  > Keep sparc/disksubr.c and sparc64/disksubr.c as close as possible.
  > Some whitespace/comment tweaks, fix a memcpy() parameter, use the
  > sparc64 idiom when invoking [iso|udf]_disklabelspoof() functions.
  > ok deraadt@ (krw@)

arch/sparc64/dev

  ~ cbus.c ~ ebus_mainbus.c ~ vbus.c ~ vpci.c
  > Store the target CPU in "struct intrhand" and use it in intr_barrier().
  > Also use it wherever we configure the hardware to direct interrupts to the
  > right CPU. (kettenis@)

arch/sparc64/include

  ~ intr.h
  > Store the target CPU in "struct intrhand" and use it in intr_barrier().
  > Also use it wherever we configure the hardware to direct interrupts to the
  > right CPU. (kettenis@)

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

arch/sparc64/sparc64

  ~ intr.c
  > Store the target CPU in "struct intrhand" and use it in intr_barrier().
  > Also use it wherever we configure the hardware to direct interrupts to the
  > right CPU. (kettenis@)

  ~ disksubr.c
  > Use readdisksector() instead of manual buf initialization. sparc64
  > compiles and boots, so the identical sparc code must too!
  > ok deraadt@ (krw@)

  ~ disksubr.c
  > Oops. sparc64/disksubr.c was overlooked when all the other disksubr.c's
  > got 'disk_change = 1;' to keep the DUID cache up to date in Feb.
  > 2011. Bad krw@.
  > ok deraadt@ (krw@)

arch/sparc64/stand/ofwboot

  ~ ofdev.c
  > Remove more blinding trailing whitespace. (krw@)

arch/vax/include

  ~ disklabel.h
  > Use consistent whitespace/comments for #define'ing LABELSECTOR,
  > LABELOFFSET and MAXPARTITIONS. Easier on the eye when scanning
  > through all these files. No functional change. (krw@)

arch/vax/stand/boot

  ~ ra.c ~ rom.c
  > Remove more blinding trailing whitespace. (krw@)

arch/vax/vax

  ~ disksubr.c
  > Mechanical changes from manual buf set up to readdisksector().
  > ok deraadt@ (krw@)

arch/zaurus/dev

  ~ zaurus_flash.c
  > free(x, 0) cleanup:
  > - set size argument of free()
  > - remove pointless if expression around free() call
  > ok guenther@ (semarie@)

  ~ zaurus_apm.c
  > In low-level suspend routines, set cold=2. In tsleep(), use this to
  > spit out a ddb trace to console. This should allow us to find suspend
  > or resume routines which break the rules. It depends on the console
  > output function being non-sleeping.... but that's another codepath which
  > should try to be safe when cold is set.
  > ok kettenis (deraadt@)

conf

  ~ files
  > Merge gif(4)'s tentacles in a single file.
  > Tested by <mxb AT alumni DOT chalmers DOT se>.
  > ok dlg@ (mpi@)

dev/acpi

  ~ acpi.c
  > In low-level suspend routines, set cold=2. In tsleep(), use this to
  > spit out a ddb trace to console. This should allow us to find suspend
  > or resume routines which break the rules. It depends on the console
  > output function being non-sleeping.... but that's another codepath which
  > should try to be safe when cold is set.
  > ok kettenis (deraadt@)

dev/ic

  ~ ahci.c
  > Fix memory leak in error path.
  > From Benjamin Baier, found by llvm/scan-build. (jmatthew@)

dev/isa

  ~ files.isa + asmc.c
  > add a (disabled) driver for the Apple System Management Controller (SMC) as
  > found in Apple Intel based devices
  > "go at it" deraadt@ (jung@)

  ~ asmc.c
  > fix semicolon after if statement
  > ok jung@ (jsg@)

  ~ asmc.c
  > remove superfluous sensor_attach() added for debug reasons (jung@)

  ~ asmc.c
  > add const, prodded by mpi (jung@)

  ~ asmc.c
  > relax vendor comparison to match variations found in older
  > models for example macmini1,1 (jung@)

  ~ asmc.c
  > remove duplicate key, found by kettenis (jung@)

  ~ asmc.c
  > a macmini has no light sensor, but reading from light sensor keys is
  > successful, while info/type reading from same keys fails and avoids
  > initialization;
  > so check the validity flag earlier and do not try to attach invalid
  > (non-existing) keys
  > debugged with help from kettenis (jung@)

  ~ asmc.c
  > tweak initial output a bit: do not show number of light sensors, just show if
  > some is found or not, also remove kbdled output as there is no (known) way to
  > test if (not) available at all (jung@)

dev/pci

  - drm/refcount.h ~ drm/drm_crtc.c
  ~ drm/drm_crtc.h ~ drm/drm_linux.h
  ~ drm/radeon/radeon.h ~ drm/radeon/radeon_fence.c
  ~ drm/ttm/ttm_bo.c ~ drm/ttm/ttm_bo_api.h
  ~ drm/ttm/ttm_bo_driver.h ~ drm/ttm/ttm_bo_util.c
  ~ drm/ttm/ttm_bo_vm.c ~ drm/ttm/ttm_memory.c
  ~ drm/ttm/ttm_memory.h ~ drm/ttm/ttm_object.c
  ~ drm/ttm/ttm_object.h ~ drm/ttm/ttm_page_alloc.c
  > Switch remaining users of the FreeBSD refcount apis back to the original
  > linux kref/kobject use.
  > ok kettenis@ (jsg@)

  ~ pcidevs
  > Add another AMD RS780 PCIE found in a dmesg from tobiasu@ (kettenis@)

  ~ pcidevs.h ~ pcidevs_data.h
  > regen (kettenis@)

  ~ drm/radeon/radeon_kms.c
  > Use drm_fb_helper_restore_fbdev_mode() to restore the wscons framebuffer
  > whenever we need to. Apologies for the ugly cast.
  > Should fix the locking warnings reported by tobiasu@ (kettenis@)

  ~ if_iwm.c
  > Fix bsd.rd upgrades over iwm(4), and fix `ifconfig iwm0 lladdr random`.
  > The bsd.rd problems happened because of the net80211 detach/attach hack
  > which ran when the firmware is loaded for the first time.
  > Do the minimum of what needs to be done instead.
  > To fix lladdr random pick up a changing MAC address in the ioctl handler
  > and don't overwrite a custom MAC address while loading the firmware.
  > ok kettenis@ (stsp@)

  ~ if_iwm.c
  > Align the way iwm(4) adds the MAC context with how it's done in Linux
  > iwlwifi.
  > Noted by Adrian Chadd (FreeBSD).
  > ok kettenis@ (stsp@)

  ~ drm/drm_fb_helper.c ~ drm/drm_linux.h
  ~ drm/i915/intel_fbdev.c ~ drm/radeon/radeon_fb.c
  > Enable monitor hot plugging for the framebuffer console.
  > Tested on the VGA port of a Radeon 7500 and Radeon 9250 (aka 9200 PRO).
  > Hopefully this works on Intel Graphics as well. (kettenis@)

  ~ drm/i915/i915_drv.c
  > Remove the "Quanta Transcode" device from the list of supported hardware.
  > It's only supposed to match certain subvendor/subdevice IDs, but our code
  > doesn't check those. The result is that it (incorrectly) overrides the
  > generic match for the HD Graphics P4000 as found on some Xeon E3 CPUs.
  > This device is supposedly a castrated version of that device with the
  > display output parts fused off. According to the original Linux commit
  > it is "some HW being used for a demo", and there have been proposals to
  > remove it from the Linux tree as well. It is unlikely that OpenBSD will
  > ever run on this particular hardware. (kettenis@)

  ~ drm/i915/i915_devlist.h
  > remove duplicate entry caused by the "Quanta Transcode" device (jsg@)

  ~ drm/i915/i915_drv.c ~ drm/i915/i915_drv.h
  > The Linux code that handles the DPMS mode for inteldrm(4) can sleep now.
  > Adopt the approach taken by radeondrm(4) and hand the "burner" work off
  > to a task.
  > Avoids the panic reported by Gerald Hanuer, who also tested this fix.
  > (kettenis@)

  ~ if_myx.c
  > get rid of the mutex between access to the status block and myx_down
  > myx is unusual in that it has an explicit command to shut down the
  > chip that gets an interrupt when it's done. so myx_down sends the
  > command and has to sleep until it gets that interrupt. this moves
  > to using a single int to represent that state (so loads and stores
  > are atomic), and sleep_setup/sleep_finish in myx_down to wait for
  > it to change.
  > this has been running in production at work for a few months now
  > tested by chris@ (dlg@)

  ~ if_oce.c
  > Unlock interrupt handler rx path with intr_barrier
  > ok mikeb@ (chris@)

  ~ drm/i915/i915_gem.c
  > I missed an #ifdef notyet when enabling the aliasing ppgtt code.
  > Hopefully this fixes the stability problems people have been seeing on
  > sandybridge and up after the ppgtt code got enabled. (kettenis@)

  ~ if_em.c ~ if_em.h
  > Run the tx completion path without the kernel held. This makes the
  > "fast path" through the interrupt handler not grab the kernel lock anymore.
  > This removes the code that attempts to reclaim tx descriptors from
  > em_start().
  > Keeping that code would have complicated the locking. The need to reclaim
  > tx descriptors that way should have largely disappeared now that the interrupt
  > handler doesn't have to wait on the kernel lock.
  > ok mpi@
  > tested by many (kettenis@)

dev/usb

  ~ usbdevs
  > Huawei K4511 3G modem.
  > From phil AT unita.com.au (mpi@)

  ~ usbdevs.h ~ usbdevs_data.h
  > regen (mpi@)

  ~ umsm.c
  > Huawei K4511 3G modem.
  > From phil AT unita.com.au (mpi@)

  ~ usbdevs
  > add keyboard/trackpad IDs found in recent MacBooks (12" retina)
  > ok mpi@ (jung@)

  ~ usbdevs.h ~ usbdevs_data.h
  > regen (jung@)

  ~ upd.c
  > No need to wakeup(9) the sensor thread because upd_refresh() does not sleep.
  > Discussed with deraadt@ (mpi@)

kern

  ~ kern_tame.c
  > make using tame path "/" work.
  > and add a regress test for that.
  > ok deraadt@ (semarie@)

  ~ kern_sysctl.c
  > track sizes for free in sysctl_diskinit(); ok krw (deraadt@)

  ~ kern_synch.c
  > In low-level suspend routines, set cold=2. In tsleep(), use this to
  > spit out a ddb trace to console. This should allow us to find suspend
  > or resume routines which break the rules. It depends on the console
  > output function being non-sleeping.... but that's another codepath which
  > should try to be safe when cold is set.
  > ok kettenis (deraadt@)

  ~ tty_pty.c
  > easy size for free(); ok beck (deraadt@)

  ~ exec_elf.c ~ kern_exec.c
  > Track size of an opaque allocation to pass to free() later
  > ok guenther tedu (deraadt@)

  ~ kern_synch.c
  > satisfy RAMDISK by placing cold == 2 case inside #ifdef DDB (deraadt@)

  ~ subr_prf.c
  > Delete the final, inscrutable NOSTRICT and VARARGS lint comments
  > ok millert@ (guenther@)

  ~ kern_tame.c
  > Reluctantly classify statfs and fstatfs as RPATH for now, because they
  > leak system path information. Should be reconsidered in the future.
  > (deraadt@)

  ~ uipc_syscalls.c
  > Save a lot of people grief. tame()'d CMSG reception is busted and it
  > will take some time to fix it. Problem appears to be that the control mbuf
  > is not normalized into flat memory. (deraadt@)

  ~ kern_tame.c
  > implement new "prot_exec" tame(2) request:
  > - by default, a tamed-program don't have the possibility to use PROT_EXEC for
  > mmap(2) or mprotect(2)
  > - for that, use the request "prot_exec" (that could be dropped later)
  > initial idea from deraadt@ and kettenis@
  > "make complete sense" beck@
  > ok deraadt@ (semarie@)

  ~ kern_tame.c
  > add IPv6 equivalents for the permitted IPv4 setsockopts, noticed by doug@,
  > ok semarie@ (sthen@)

  ~ kern_tame.c
  > Fix tame(2) setsockopt check for TCP level.
  > ok deraadt@, semarie@ (doug@)

  ~ kern_tame.c
  > changed my mind; block spwd.db, force drop-through to pwd.db for processes
  > under tame (deraadt@)

  ~ kern_tame.c
  > remove some debug printf no longer needed (deraadt@)

  ~ kern_tame.c
  > mention these pathname calls are checked in namei (deraadt@)

  ~ kern_exec.c ~ kern_ktrace.c
  > Add ktracing of argv and envp to execve(2), with envp not traced by default
  > ok tedu@ deraadt@ (guenther@)

  ~ kern_tame.c
  > Actually, open of /etc/spwd.db must be handled by returning EPERM, not
  > dropping through to the kill path. The best way to understand this
  > is id(1). It calls getpwuid, which tries /etc/spwd.db before
  > /etc/pwd.db ... (deraadt@)

  ~ kern_exec.c
  > missing ) in COMPAT_LINUX block (deraadt@)

  ~ syscalls.master
  > Revert previous commit; something is not quite right yet in the bowels of uvm
  > as Theo is seeing vnode-related panics on several architectures in the
  > codepath that implements mmap(2). (kettenis@)

  ~ init_sysent.c ~ syscalls.c
  > regen (kettenis@)

  ~ kern_tame.c
  > kern_tame.c (deraadt@)

  ~ kern_tame.c
  > I see no evidence that lstat() is being done for /etc/resolv.conf, nor
  > can I figure out why I added this in the past... (deraadt@)

  ~ vfs_cluster.c
  > Track a size in the scary area of cluster_collectbufs, so that we know
  > what to free.
  > ok beck (deraadt@)

  ~ kern_tame.c
  > Add ktracing of tame()'s arguments' values
  > "every tool helps" deraadt@ (guenther@)

  ~ kern_tame.c
  > spelling (deraadt@)

  ~ kern_tame.c
  > Allow sysctl read of vm.vm_psstrings, as setproctitle() uses this to
  > find the ps buffer. Few programs want to do their first setproctitle()
  > rather late... (deraadt@)

  ~ kern_tame.c
  > Move getcwd to a separate area, with a hand-waving explanation for why
  > it is RPATH|WPATH... nothing changes, just the new explanation. (deraadt@)

lib/libkern

  ~ ashrdi3.c
  > Eliminate the last of the LINTEDn and PRINTFLIKEn comments. In one
  > case, by deleting some useless '& of an array' we also eliminate the need
  > for the casts which prompted the original lint warnings
  > ok deraadt@ (guenther@)

net

  ~ hfsc.c ~ if_var.h
  > pull the m_freem calls out of hfsc_enqueue by having IFQ_ENQUEUE free
  > the mbuf in both the hfsc and priq error paths.
  > ok mikeb@ mpi@ claudio@ henning@ (dlg@)

  ~ if_ethersubr.c
  > Welcome etheranyaddr, cousin of etherbroadcastaddr.
  > Can be used to check if a MAC address is all zeros.
  > Will be used by iwm(4) soon.
  > ok kettenis@ (stsp@)

  ~ if.c ~ if.h
  > Add if_setlladdr(), factored out from ifioctl(). Will be used by iwm(4) soon.
  > With suggestions from tedu@ and guenther@
  > ok kettenis@ (stsp@)

  ~ if_var.h ~ if_trunk.c
  > Remove "if_tp" from the "struct ifnet".
  > Instead of violating a layer of abstraction by keeping per pseudo-driver
  > informations in "struct ifnet", the port trunk is now passed as a cookie
  > to the interface input handler (ifih).
  > The time of per pseudo-driver hack in the network stack is over!
  > ok mikeb@ (mpi@)

  ~ if_gif.c ~ if_gif.h
  > Merge gif(4)'s tentacles in a single file.
  > Tested by <mxb AT alumni DOT chalmers DOT se>.
  > ok dlg@ (mpi@)

  ~ radix_mpath.c ~ radix_mpath.h ~ route.c ~ rtable.c ~ rtable.h
  > Factors out the route hashing code to implement Equal-Cost Multi-Path
  > for ART.
  > While here sync the two remaining mix() macros.
  > ok chris@, dlg@ (mpi@)

  ~ rtable.c
  > Use the radix-tree API instead of function pointers. (mpi@)

  ~ bpf.c ~ bridgestp.c ~ if_bridge.c ~ if_ethersubr.c
  ~ if_media.c ~ if_trunk.c ~ if_vlan.c
  > add sizes to some of the simpler free calls
  > ok mpi (deraadt@)

  ~ bpf.c
  > make the bpf filters a bpf_program instead of an array of bpf_insn.
  > bpf_program contains a pointer to that same array, but also the
  > number of elements in it. this allows us to know the size when we
  > want to free them.
  > ok deraadt@ (dlg@)

  ~ if_sppp.h ~ if_spppsubr.c
  > remove cisco hdlc code from sppp(4), it's no longer used - pppoe(4) only uses
  > ppp framing, and the drivers for sync serial cards have been removed so the
  > sppp code is now only used to support pppoe(4). ok mpi@, kill it chris@
  > (sthen@)

  ~ route.c
  > Do not try to refetch a route at the L2 layer if the given one is DOWN
  > and always return EHOSTUNREACH.
  > Please let me know if you find any new "No route to host" error.
  > ok claudio@ (mpi@)

  ~ if.c ~ if_var.h
  > sleep until all references to an interface have been released during detach.
  > this is done by moving to the refcnt api and using refcnt_finalize.
  > tested by Hrjove Popovski
  > ok mpi@ (dlg@)

  ~ hfsc.c ~ hfsc.h
  > provide a hfsc_requeue()
  > this will allow packets to taken off an interfaces send queue, and
  > requeued if space didnt exist on the hardware.
  > the internal names are a bit ugly, i want to change them in the
  > next commit.
  > ok henning@ mpi@ (dlg@)

  ~ if_spppsubr.c
  > Remove remnants of sppp's special queue handling for telnet/rlogin/ftp,
  > the rest was done in r1.96. ok mikeb@ (sthen@)

  ~ hfsc.c
  > rename the internal functions that do ml_foo ops on classes to hfsc_cl_foo.
  > this avoids confusion with the public functions (hfsc_enqueue,
  > hfsc_dequeue, etc), and maps almost 1:1 to the mbuf list ops they
  > now use.
  > ok mpi@ henning@ mikeb@ (dlg@)

  ~ route.c
  > Revert previous, it also breaks naddy@'s nested NFS setup. (mpi@)

  ~ if_vxlan.c
  > When multiple vxlan interfaces are configured with same VNI, select the
  > interface whose tunnel destination corresponded to the incoming packets'
  > source address.
  > ok reyk (yasuoka@)

  ~ if_pflow.c ~ if_pflow.h
  > IPv6 transport for pflow data.
  > Input deraadt@
  > Bug fix & OK benno@ (florian@)

  ~ route.h
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

net80211

  ~ ieee80211.c ~ ieee80211_var.h
  > Add ieee80211_channel_init(), factored out from ieee80211_ifattach().
  > Will be used by iwm(4) soon.
  > ok kettenis@ (stsp@)

netinet

  ~ ip_carp.c
  > make carp_input mpsafe.
  > there are three data structures involved here:
  > the list of carp interfaces on a parent interface (struct carp_if)
  > is now accessed via the if_ih cookie. its lifetime is managed by
  > the if_ih_insert and if_ih_remove calls.
  > the second is the interfaces (struct carp_softc) in the list above.
  > these has been moved from being access via a TAILQ to an SRPL.
  > modifications to the list are serialised by the kernel lock.
  > the third is the list of vhost entries (struct carp_vhost_entry).
  > these used to be in a LIST on each carp_softc, but have been moved
  > to being accessed via an SRPL. modifications to the list are
  > serialised by the kernel lock.
  > written at l2k15
  > tested by mpi@ and hrvoje popovski
  > ok mpi@ (dlg@)

  ~ if_ether.h
  > Welcome etheranyaddr, cousin of etherbroadcastaddr.
  > Can be used to check if a MAC address is all zeros.
  > Will be used by iwm(4) soon.
  > ok kettenis@ (stsp@)

  ~ if_ether.c
  > Do not manually decrement rt's refcounter in arplookup() and let the
  > callers rtfree(9) it.
  > ok bluhm@ (mpi@)

  - in_gif.c - in_gif.h ~ in_proto.c
  > Merge gif(4)'s tentacles in a single file.
  > Tested by <mxb AT alumni DOT chalmers DOT se>.
  > ok dlg@ (mpi@)

  ~ ip_carp.c
  > Factors out the route hashing code to implement Equal-Cost Multi-Path
  > for ART.
  > While here sync the two remaining mix() macros.
  > ok chris@, dlg@ (mpi@)

  ~ tcp_subr.c
  > add a comment above the rfc1948 code that mentions the rfc so it's easy to
  > find (tedu@)

netinet6

  - in6_gif.c - in6_gif.h ~ in6_proto.c
  > Merge gif(4)'s tentacles in a single file.
  > Tested by <mxb AT alumni DOT chalmers DOT se>.
  > ok dlg@ (mpi@)

  ~ nd6.c
  > Use rtdeletemsg() in nd6_free() to align it with arptfree().
  > This gives us userland notification for free and get rid of a
  > rtrequest1(9) call.
  > ok phessler@, mikeb@, sthen@ (mpi@)

sys

  ~ exec.h
  > Track size of an opaque allocation to pass to free() later
  > ok guenther tedu (deraadt@)

  ~ tame.h
  > implement new "prot_exec" tame(2) request:
  > - by default, a tamed-program don't have the possibility to use PROT_EXEC for
  > mmap(2) or mprotect(2)
  > - for that, use the request "prot_exec" (that could be dropped later)
  > initial idea from deraadt@ and kettenis@
  > "make complete sense" beck@
  > ok deraadt@ (semarie@)

  ~ ktrace.h
  > Add ktracing of argv and envp to execve(2), with envp not traced by default
  > ok tedu@ deraadt@ (guenther@)

  ~ syscall.h ~ syscallargs.h
  > regen (kettenis@)

ufs/ffs

  ~ ffs_alloc.c
  > lint is dead: delete the trivial uses of /* VARARGS[0-9]+ */
  > (others require more care) (guenther@)

uvm

  ~ uvm_km.c TAGGED OPENBSD_5_7
  > backport 1.127 by kettenis, the remainder of the 1.125 reversion.
  > solves panics resulting from queue corruption (tedu@)

  ~ uvm_km.c TAGGED OPENBSD_5_8
  > backport 1.127 by kettenis, the remainder of the 1.125 reversion.
  > solves panics resulting from queue corruption (tedu@)

  ~ uvm_extern.h ~ uvm_map.c ~ uvm_mmap.c TAGGED OPENBSD_5_8
  > add a flag to indicate to uvm_map that it should unmap to make space.
  > this pulls all the relevant operations under the same map locking, and
  > relieves calling code from responsibility.
  > ok kettenis matthew (tedu@)

  ~ uvm_mmap.c TAGGED OPENBSD_5_8
  > the kernel lock is no longer needed in the fixed case since uvm_map
  > will perform the unmap as necessary, holding the vm lock.
  > reminded by kettenis (tedu@)

  ~ uvm_mmap.c TAGGED OPENBSD_5_8
  > implement new "prot_exec" tame(2) request:
  > - by default, a tamed-program doesn't have the possibility to use PROT_EXEC
  > for
  > mmap(2) or mprotect(2)
  > - for that, use the request "prot_exec" (that could be dropped later)
  > initial idea from deraadt@ and kettenis@
  > "make complete sense" beck@
  > ok deraadt@ (semarie@)

  ~ uvm_map.c TAGGED OPENBSD_5_8
  > In uvm_map_splitentry(), grab the kernel lock before calling into the amap
  > or pager code. We may end up here without holding the kernel lock from
  > uvm_unmap().
  > "ja ja" tedu@ (kettenis@)

== usr.bin =========================================================== 12/13 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

basename

  ~ basename.c
  > even before it reaches getopt(), this program will never do more than
  > talk to stdio. tame "stdio" is a no-brainer.
  > reviewed a while ago by doug (deraadt@)

compress

  ~ main.c
  > gzip can use tame "stdio wpath cpath fattr". this blocks a lot of
  > system behaviours such as forking, execve, sockets, etc.
  > in theory this extended by parsing the arguments first, and creating
  > the whitepathlist. the pathlist probably needs to be directory-oriented,
  > rather than exact path of files, because a gzip file may specify the
  > filename it wants (and that won't be available until it is opened, and
  > partially parsed). anyone want to give this a try?
  > gzip was an early goal for capsicum. who is running a capsicum gzip?
  > (deraadt@)

  ~ main.c
  > Also needs "rpath" for some circumstances. (deraadt@)

ctags

  ~ tree.c
  > Delete the final, inscrutable NOSTRICT and VARARGS lint comments
  > ok millert@ (guenther@)

dc

  ~ bcode.c
  > disable ! command, makes dc(1) more tameable (otto@)

  ~ dc.1
  > delete documentation for ! command (deraadt@)

file

  ~ file.c ~ magic.h
  > use limits.h instead of sys/param.h to get PATH_MAX (deraadt@)

  - sandbox.c ~ Makefile ~ file.c
  > Add tame(2) to file(1) and drop the old systrace(4) sandbox.
  > tame(2) is only applied to the child process, which requires the parent
  > to not pass
  > directory file descriptors (tame("cmsg") does not allow it). Because
  > file(1) is already privsep, the permissions in the child can be quickly
  > restricted: first to "stdio cmsg getpw proc" then after the privdrop to
  > "stdio cmsg". (nicm@)

finger

  ~ finger.c
  > finger can either do local users only, or in in remote users. (who
  > still runs fingerd? not many places, it took a while to find a server)
  > tame "stdio getpw rpath inet" is possible early on, then later when
  > the network lookups list is consumed, tame "stdio getpw rpath" (deraadt@)

ftp

  ~ ftp.c
  > lint is dead: delete the trivial uses of /* VARARGS[0-9]+ */
  > (others require more care) (guenther@)

grep

  ~ grep.c
  > grep only opens files read-only, reads via stdio or other methods, performs
  > computation, and outputs result to stdout. (note: in the tame model,
  > malloc is implicit because stdio needs it, and mmap is implicit since
  > malloc needs it; libz is satisfied by this environment also).
  > this tame change consists of 1 line, setting "stdio rpath" before
  > getopt. this protection is fairly strict. grep could be improved
  > further by computing a wpathlist based on argv, keeping -R in mind.
  > feel free to take a shot at it.
  > grep was an early target of capsicum also. know anyone running capsicum
  > grep?
  > ok doug (deraadt@)

indent

  ~ indent_globs.h ~ io.c
  > Mark diag() as printf-like
  > ok millert@ (guenther@)

kdump

  ~ kdump.1 ~ kdump.c
  > Add ktracing of argv and envp to execve(2), with envp not traced by default
  > ok tedu@ deraadt@ (guenther@)

  ~ kdump.1 ~ kdump.c
  > update the -t args list; ok guenther (jmc@)

  ~ kdump.c
  > tame "stdio getpw rpath" can be done quite early after the getopt.
  > it might seem we can hoist the open above tame and then drop "rpath",
  > but guenther found getprotobynumber can be called much later.
  > ok guenther (deraadt@)

  ~ kdump.c
  > Fix wrong cast.
  > This one should be an unsigned long in theory, but the formatter function
  > argument we're printing from is already an int (being casted from
  > register_t
  > at the formatter call time). So let's fix one bug at a time.
  > authoritative okay from guenther@ (zhuk@)

  ~ kdump.c
  > option LFS is dead, but we missed option ACCOUNTING here (guenther@)

  ~ kdump.c ~ kdump.h ~ kdump_subr.h ~ ktrstruct.c
  > Add ktracing of tame()'s arguments' values
  > "every tool helps" deraadt@ (guenther@)

ktrace

  ~ ktrace.1 ~ ktrace.h ~ subr.c
  > Add ktracing of argv and envp to execve(2), with envp not traced by default
  > ok tedu@ deraadt@ (guenther@)

leave

  ~ leave.c
  > leave does a fork, but other than that it is boring stdio.
  > tame "stdio proc" satisfies it.
  > ok doug (deraadt@)

make

  ~ error.c ~ error.h ~ var.c
  > Mark all the error printing functions as printf-like; fix two format
  > mismatches this revealed
  > ok espie@ (guenther@)

mg

  ~ dired.c
  > Make dired mode treat a double '/' in a path like fundamental mode.
  > Problem reported by jasper@ and ok jasper@ (lum@)

  ~ cscope.c ~ def.h ~ echo.c ~ extend.c ~ line.c
  > Mark eread(), veread(), and eformat() as printf-like and
  > Convert eread(buf, a2, a3, a4) to eread("%s", a2, a3, a4, buf)
  > ok millert@ lum@ (guenther@)

  ~ random.c
  > Delete the final, inscrutable NOSTRICT and VARARGS lint comments
  > ok millert@ (guenther@)

  - random.c ~ Makefile
  > rename random.c to util.c so it doesn't look scary. (util.c repo copied)
  > ok deraadt guenther (tedu@)

  ~ file.c
  > Check to see if the file to be opened is a directory as soon as is
  > feasible. Currently, mg does this check much later on which means some
  > functions (e.g showbuffer()) are called multiple times. This fixes the
  > location of the cursor when opening a directory using filevisit,
  > findvisitalt and poptofile. ok jasper@ (lum@)

openssl

  ~ x509.c
  > Another s/M_ASN1_INTEGER_free/ASN1_INTEGER_free/.
  > Found the hard way by Mark Patruck.
(jsing@)

  ~ certhash.c
  > avoid sys/param.h, by using PATH_MAX (deraadt@)

  ~ ocsp.c
  > BIO_get_fd() could return fd 0; fix error condition. Found at
  > http://marc.info/?l=openssl-dev&m=144374015404899&w=2
  > ok doug (deraadt@)

patch

  ~ patch.c
  > patch appears to work fully with tame "stdio rpath wpath cpath tmppath
  > fattr".
  > in case of exploitation, no more network access, fork, execve, etc.
  > I wonder if we could use whitepath lists here - if it is reasonable to
  > limit operation in directories known early on? (deraadt@)

  ~ patch.c
  > As pointed out by tobiasu, ed-style patches still use popen() and execute
  > /bin/ed. This is RETARDED. Nothing learned from the last year?
  > Add tame "proc" until that is fixed, to allow fork+exec.
  > I beg for someone to cross-link the guts of ed directly into patch, or
  > write an ed-subset which can do the job. (deraadt@)

  ~ patch.c
  > remove tame "proc". it is not useful, because the "ed" diffs require
  > fork+execve, and execve is not going to become available in this fashion.
  > ed diffs should be handled using a built-in handler, and various folks
  > have been discussing this behind the scenes. (deraadt@)

script

  ~ script.c
  > script is two processes. the main io-loop process can be locked down with
  > tame "stdio" since all it does is move data back and forth, while the
  > master
  > process needs "stdio ioctl" to use TCSAFLUSH at the very end. TCSAFLUSH is
  > included in the kernel's rather restrictive ioctl feature lists made
  > available with the "ioctl" ability. (deraadt@)

  ~ script.c
  > Repair tame() error check to be == -1 (deraadt@)

sed

  ~ main.c
  > sed only works on files, so the obvious goal is to remove its network
  > access in case it is exploited. tame with "stdio wpath rpath cpath"
  > seems to cover all usage cases, except -i performs a fchmod() on the
  > in-place file, so conditionally also needs "fattr".
  > ok sthen (deraadt@)

skeyinit

  ~ skeyinit.c
  > - Simplify use of ctype functions.
  > - Replace arc4random with arc4random_uniform.
  > - Replace memset with explicit_bzero.
  > OK millert@ (tim@)

sndiod

  ~ sndiod.c
  > use macros instead of hard-coded strings for unix sockets paths (ratchov@)

  ~ sndiod.c
  > As the socket path is known, use its size rather than PATH_MAX. (ratchov@)

  ~ sndiod.c
  > Replace %s in the format string, with its value (macro). (ratchov@)

ssh

  ~ sandbox-systrace.c
  > re-order system calls in order of risk, ok i'll be honest, ordered this
  > way they look like tame...
  > ok djm (deraadt@)

  + sandbox-tame.c
  > a sandbox using tame
  > ok djm (deraadt@)

  ~ sandbox-tame.c
  > fix email (deraadt@)

  ~ sshd/Makefile
  > switch from using the systrace-based sandbox to the tame-based sandbox.
  > discussed it at length with djm -- i think it is time to give this a
  > trial in snapshots. (deraadt@)

uname

  ~ uname.c
  > tame "stdio" right between setlocale and getopt, it is easy to review
  > this program and see it does uname(3) and stdio printf. uname(3) is
  > backed by a cluster of sysctl() reads, all permitted by the kernel
  > in tame_sysctl_check() (deraadt@)

unifdef

  ~ unifdef.c
  > you can't edit stdin in place. check for this before the hack that
  > increments argc when run with no arguments, causing a read past the end
  > of argv. (tedu@)

uniq

  ~ uniq.c
  > uniq has a complicated initialization around getopt. beforehand, we
  > can tame "stdio rpath wpath cpath"; all three paths abilities are needed
  > for it to setup the right files (worst case spotted by sthen). later
  > once the files are opened, the program is only looking at strings and
  > outputting via stdio functions, so we can tame "stdio". (deraadt@)

  ~ uniq.c
  > Repair tame() error check to be == -1 (deraadt@)

units

  ~ units.lib
  > update currency exchange rates; (jmc@)

wall

  ~ wall.c
  > Delete the final, inscrutable NOSTRICT and VARARGS lint comments
  > ok millert@ (guenther@)

wc

  ~ wc.c
  > wc only opens files read-only, processes them, and spits results to stdout.
  > tame "stdio rpath" works, right before calling getopt() (deraadt@)

whois

  ~ whois.c
  > whois uses dns to lookup whois servers, and then opens sockets to them.
  > it does not need to open any files, so we can tame with "stdio dns inet".
  > i think florian and i did this about 2 months ago. (deraadt@)

== usr.sbin ========================================================== 13/13 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

usr.sbin

  ~ Makefile
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

acpidump

  ~ acpidump.c
  > acpidump is used as root and opens /dev/mem readonly, to dig out
  > the AML tables. (If this offends you, feel free to submit a diff
  > with a better extraction mechanism).
  > After hoisting the /dev/mem-opening code earlier, we can tame this
  > nasty program with "stdio wpath cpath". (deraadt@)

  ~ acpidump.c
  > add "usage: " to usage(); from michael reed (jmc@)

arp

  ~ arp.c
  > arp uses a non-privileged sockraw to look at the kernel arp tables.
  > the function to do that is called a number of times, but as needed.
  > hoist it upwards into initialization, then tame "stdio dns inet" is
  > possible in most code paths. (there may be further work to do here)
  > i believe florian helped me with this. (deraadt@)

bind

  ~ bin/dig/dighost.c
  > strcat -> strlcat. last time i checked, this was the last remaining
  > strcat in non-toolchain base, and inside #if not reached during compile.
  > ok beck krw brynet (deraadt@)

cron

  ~ atrun.c ~ cron.c ~ do_command.c ~ entry.c ~ popen.c
  > unifdef some features we will always have. ok benno zhuk (tedu@)

  ~ atrun.c ~ do_command.c ~ funcs.h ~ popen.c
  > There is no need to keep a global array of sysconf(_SC_OPEN_MAX) elements
  > just to keep track of a single pid. Return it to the caller and make it
  > their problem.
  > ok deraadt millert (tedu@)

  ~ popen.c
  > remove stale comment.
  > there is no need to avoid side effects from a "list"
  > command, because this is not the ftp daemon (tedu@)

dvmrpctl

  ~ dvmrpctl.c
  > As done for bgpd recently, rename if_mediatype to if_type in dvmrpd.
  > Remove unused function get_ifms_type(). No ifmedia in here anymore.
  > "move forward" deraadt@ (stsp@)

dvmrpd

  ~ dvmrpd.h ~ interface.c ~ kroute.c
  > As done for bgpd recently, rename if_mediatype to if_type in dvmrpd.
  > Remove unused function get_ifms_type(). No ifmedia in here anymore.
  > "move forward" deraadt@ (stsp@)

eigrpctl

  + Makefile + eigrpctl.8 + eigrpctl.c + parser.c + parser.h
  > Controller for the recently imported eigrpd(8) daemon.
  > Not yet connected to the builds.
  > ok deraadt@ claudio@ (renato@)

  ~ eigrpctl.8
  > add missing El; (jmc@)

eigrpd

  + Makefile + control.c + control.h + eigrp.h + eigrpd.8 + eigrpd.c
  + eigrpd.conf.5 + eigrpd.h + eigrpe.c + eigrpe.h + hello.c + in_cksum.c
  + interface.c + kroute.c + log.c + log.h + neighbor.c + packet.c
  + parse.y + printconf.c + query.c + rde.c + rde.h + rde_dual.c
  + reply.c + rtp.c + tlv.c + update.c + util.c
  > Welcome eigrpd
  > The eigrpd daemon will support the Enhanced Interior Gateway Routing
  > Protocol.
  > Built using the imsg/three process framework and heavily based on ospfd(8),
  > ospf6d(8) and ldpd(8).
  > The current status of eigrpd(8) is as follows:
  > * Almost full compliance with the specification: DUAL FSM, RTP, CR mode,
  > SIA, etc
  > * Support for both IPv4 and IPv6
  > * Support for multiple instances (different ASes/AFs) within the same
  > process
  > * Support for rdomains (one process per rdomain)
  > * RIB/FIB synchronization
  > * Basic redistribution support
  > Not implemented features (yet):
  > * Configuration reload support (partially implemented)
  > * Route summarization
  > * Advanced route redistribution/filtering
  > * Carp integration
  > * Authentication (draft is missing information)
  > * Stub (not released by Cisco)
  > Not yet connected to the builds.
  > ok deraadt@ claudio@ (renato@)

  ~ eigrpd.h
  > Enable eigrpd(8) and eigrpctl(8) in the builds
  > ok deraadt@ (renato@)

  ~ eigrp.h ~ eigrpd.h ~ parse.y ~ printconf.c ~ rde_dual.c
  > Add option to configure or disable the DUAL active timeout. (renato@)

  ~ eigrpe.c ~ interface.c ~ neighbor.c ~ packet.c ~ query.c ~ rde.c
  ~ rde_dual.c ~ reply.c ~ tlv.c ~ update.c ~ util.c
  > Fix warnings and add safeguards to protect against corrupted data.
  > (renato@)

  ~ eigrpe.h ~ packet.c ~ tlv.c
  > Ignore IPv4 TLVs in IPv6 instances and vice-versa. (renato@)

installboot

  ~ i386_installboot.c ~ i386_softraid.c ~ installboot.c ~ softraid.c
  ~ sparc64_softraid.c
  > Nuke trailing whitespace to avoid cluttering possible upcoming diffs.
  > (krw@)

ldpctl

  ~ ldpctl.c
  > As done for bgpd recently, rename if_mediatype to if_type in ldpd.
  > And some ifmedia64 fixes.
  > "move forward" deraadt@ (stsp@)

ldpd

  ~ interface.c ~ kroute.c ~ ldpd.h ~ parse.y
  > As done for bgpd recently, rename if_mediatype to if_type in ldpd.
  > And some ifmedia64 fixes.
  > "move forward" deraadt@ (stsp@)

lpr

  ~ lpd/Makefile ~ lpd/extern.h ~ lpd/lpd.c
  > Replace call to __ivaliduser_sa() with a pared down version that
  > only checks the host name. This clears the way for removal of
  > __ivaliduser_sa() and __ivaliduser() from libc. OK deraadt@ (millert@)

  + lpd/allowedhost.c
  > unbreak tree.
  > add file millert missed, from a previous diff he mailed me.
  > millert, please check if this is the right one. (deraadt@)

netgroup_mkdb

  ~ stringlist.c
  > include ctype.h for the isspace(3) using _NG_ISSPACE (jsg@)

ntpd

  ~ ntpd.c
  > In the ntpctl(1) case, after it has connect()'d to ntpd we can tame "stdio"
  > since that is all it will do till termination. (deraadt@)

  ~ ntp_dns.c
  > the ntp dns process only needs tame "dns rw" to operate. at least,
  > that's the case after kernel code got fixed to handle inet6 for dns...
  > (deraadt@)

ospf6ctl

  ~ ospf6ctl.c
  > As done for bgpd recently, rename if_mediatype to if_type in ospfd/ospf6d.
  > And some ifmedia64 fixes.
  > "move forward" deraadt@ (stsp@)

ospf6d

  ~ interface.c ~ ospf6d.c ~ ospf6d.h ~ ospfe.c ~ rde.c
  > As done for bgpd recently, rename if_mediatype to if_type in ospfd/ospf6d.
  > And some ifmedia64 fixes.
  > "move forward" deraadt@ (stsp@)

ospfctl

  ~ ospfctl.c
  > As done for bgpd recently, rename if_mediatype to if_type in ospfd/ospf6d.
  > And some ifmedia64 fixes.
  > "move forward" deraadt@ (stsp@)

ospfd

  ~ interface.c ~ kroute.c ~ ospfd.c ~ ospfd.h ~ ospfe.c
  > As done for bgpd recently, rename if_mediatype to if_type in ospfd/ospf6d.
  > And some ifmedia64 fixes.
  > "move forward" deraadt@ (stsp@)

rcctl

  ~ rcctl.sh
  > Properly indent usage() output. (ajacoutot@)

  ~ rcctl.sh
  > Make it possible to give the same action to several daemons at once.
  > e.g.
  > # rcctl restart sshd ntpd
  > from Martijn van Duren with tweaks
  > ok sthen@ (ajacoutot@)

  ~ rcctl.8
  > Plural. (ajacoutot@)

relayd

  ~ relay_http.c
  > include <unistd.h> unconditionally
  > ok benno (deraadt@)

  ~ proc.c
  > sync proc.c with httpd. no functional change, only switching to C99 types.
  > (reyk@)

ripctl

  ~ ripctl.c
  > As done for bgpd recently, rename if_mediatype to if_type in ripd.
  > And some ifmedia64 fixes.
  > "move forward" deraadt@ (stsp@)

ripd

  ~ interface.c ~ kroute.c ~ ripd.h
  > As done for bgpd recently, rename if_mediatype to if_type in ripd.
  > And some ifmedia64 fixes.
  > "move forward" deraadt@ (stsp@)

smtpd

  ~ makemap.8
  > makemap(8) should Xr table(5); OK gilles@ (millert@)

  ~ control.c
  > do not allow connid to wrap and collide with another active connection id.
  > this allows a local user to trigger a fatal() and exit the daemon.
  > reported by Qualys Security (gilles@)

  ~ lka.c
  > reset static pointer to NULL after we free it, just in case another bug
  > leads us to reuse it. (gilles@)

  ~ lka_session.c
  > fix a stack-based buffer overflow in the token expansion code of the lookup
  > process (unprivileged), allowing a local user to crash the server or
  > potentially execute arbitrary code.
  > reported by Qualys Security (gilles@)

  ~ mproc.c
  > introduce imsg_read_nofd() to allow reading imsg while discarding fd's when
  > reading from a context where we don't expect/want to receive one.
  > this prevents a local user from exhausting resources and causing smtpd to
  > hang by crafting valid imsg that don't expect a descriptor but passing one
  > anyways.
  > reported by Qualys Security (gilles@)

  ~ smtpd.c
  > prevent users from playing hardlink/symlink/mkfifo games with their offline
  > messages and ~/.forward files. this allowed a local user to hang smtpd or
  > even reset chflags and read first line of any arbitrary file.
  > while at it, do not fatal() on unexpected cause of SIGCHLD as this allows a
  > specially crafted mda to cause smtpd to exit.
  > reported by Qualys Security (gilles@)

  ~ util.c
  > in secure_file(), make uid checking on .forward files more strict to avoid
  > users creating hardlink to root-owned files and leaking first line.
  > reported by Qualys Security (gilles@)

  ~ mta_session.c ~ smtp_session.c
  > detect that a certificate chain will not fit in imsg calls before passing
  > part of it and failing others, this may leave the lookup process in a weird
  > state and cause use-after-free and out-of-bounds memory reads, leading to
  > crashes or potential arbitrary code execution in unprivileged process.
  > reported by Qualys Security (gilles@)

  ~ control.c ~ lka.c ~ lka_session.c ~ mproc.c ~ mta_session.c
  ~ smtp_session.c ~ smtpd.c ~ util.c TAGGED OPENBSD_5_8
  > Errata 004:
  > fix multiple security and reliability issues found during an audit by
  > Qualys Security (gilles@)

  ~ control.c ~ lka.c ~ lka_session.c ~ mproc.c ~ mta_session.c
  ~ smtp_session.c ~ smtpd.c ~ util.c TAGGED OPENBSD_5_7
  > Errata 017:
  > fix multiple security and reliability issues found during an audit by
  > Qualys Security (gilles@)

  ~ control.c ~ lka.c ~ lka_session.c ~ mproc.c ~ mta_session.c
  ~ smtp_session.c ~ smtpd.c ~ util.c TAGGED OPENBSD_5_6
  > Errata 031:
  > fix multiple security and reliability issues found during an audit by
  > Qualys Security (gilles@)

snmpd

  ~ control.c
  > Adopt smtpd's imsg_read_nofd() to mitigate the risk of user-injected
  > file descriptor leakage from the optional world-writable _restricted_
  > control socket.
  > OK gilles@ blambert@ (reyk@)

syslogd

  ~ syslogd.c
  > Delete the final, inscrutable NOSTRICT and VARARGS lint comments
  > ok millert@ (guenther@)

tcpdump

  ~ util.c
  > lint is dead: delete the trivial uses of /* VARARGS[0-9]+ */
  > (others require more care) (guenther@)

  ~ privsep_pcap.c
  > remove a bsdi ifdef path
  > "kill it with fire" deraadt@ (jsg@)

  ~ privsep.c ~ tcpdump.c
  > tcpdump is two-process privsep.
  > the packet processor pid is initialized on a socketpair, and then only
  > does byte analysis. it can be protected using a "stdio" tame request.
  > a successful attack against it will find it cannot open files nor
  > sockets, and faces various other limitations described in the tame(2)
  > manual page.
  > the monitor process can be restricted to "malloc cmsg inet ioctl dns
  > rpath".
  > that sounds like a large subset, but notice it cannot create or write
  > files.
  > maybe this set can be whittled down by hoisting more initialization code
  > upwards?
  > with help from canacar a while back.
(deraadt@)

traceroute

  ~ traceroute.c
  > like ping, traceroute is a setuid root priv-drop which holds a sockraw.
  > we can tame it substantially with "stdio inet", plus "dns" if the -n option
  > is missing. a successful exploit against it then cannot create files, or
  > perform a variety of other operations, as described in the tame(2) man
  > page.
  > florian helped me a fair bit hoisting initialization code upwards in ping,
  > ping6, and traceroute, to make tame work here. (deraadt@)

===============================================================================
