CVS commit: src/share/mk
Module Name:src Committed By: mrg Date: Thu Apr 5 22:38:58 UTC 2018 Modified Files: src/share/mk: bsd.own.mk Log Message: switch m68000 and m68k to GCC 6. ok mlelstv. To generate a diff of this commit: cvs rdiff -u -r1.1053 -r1.1054 src/share/mk/bsd.own.mk Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/share/mk/bsd.own.mk
diff -u src/share/mk/bsd.own.mk:1.1053 src/share/mk/bsd.own.mk:1.1054
--- src/share/mk/bsd.own.mk:1.1053 Sun Apr 1 04:35:02 2018
+++ src/share/mk/bsd.own.mk Thu Apr 5 22:38:58 2018
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.own.mk,v 1.1053 2018/04/01 04:35:02 ryo Exp $
+# $NetBSD: bsd.own.mk,v 1.1054 2018/04/05 22:38:58 mrg Exp $
 
 # This needs to be before bsd.init.mk
 .if defined(BSD_MK_COMPAT_FILE)
@@ -68,8 +68,6 @@ MKGCC?= no
 ${MACHINE_CPU} == "aarch64"
 HAVE_GCC?= 0
 .elif \
-${MACHINE_CPU} == "m68000" || \
-${MACHINE_CPU} == "m68k" || \
 ${MACHINE_CPU} == "vax"
 HAVE_GCC?= 5
 .else
CVS commit: src/share/mk
Module Name:src Committed By: mrg Date: Thu Apr 5 22:38:58 UTC 2018 Modified Files: src/share/mk: bsd.own.mk Log Message: switch m68000 and m68k to GCC 6. ok mlelstv. To generate a diff of this commit: cvs rdiff -u -r1.1053 -r1.1054 src/share/mk/bsd.own.mk Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/usr.bin/patch
Module Name:src Committed By: christos Date: Thu Apr 5 18:50:10 UTC 2018 Modified Files: src/usr.bin/patch: pch.c Log Message: Pass -S to ed(1) so that patches containing ! commands don't run commands. Real cause of CVE-2018-0492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667 To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.29 src/usr.bin/patch/pch.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/usr.bin/patch
Module Name:src Committed By: christos Date: Thu Apr 5 18:50:10 UTC 2018 Modified Files: src/usr.bin/patch: pch.c Log Message: Pass -S to ed(1) so that patches containing ! commands don't run commands. Real cause of CVS-2018-0492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667) To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.29 src/usr.bin/patch/pch.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.bin/patch/pch.c
diff -u src/usr.bin/patch/pch.c:1.28 src/usr.bin/patch/pch.c:1.29
--- src/usr.bin/patch/pch.c:1.28 Thu Jul 30 17:47:51 2015
+++ src/usr.bin/patch/pch.c Thu Apr 5 14:50:10 2018
@@ -1,7 +1,7 @@
 /*
 * $OpenBSD: pch.c,v 1.37 2007/09/02 15:19:33 deraadt Exp $
 * $DragonFly: src/usr.bin/patch/pch.c,v 1.6 2008/08/10 23:35:40 joerg Exp $
- * $NetBSD: pch.c,v 1.28 2015/07/30 21:47:51 christos Exp $
+ * $NetBSD: pch.c,v 1.29 2018/04/05 18:50:10 christos Exp $
 */
 
 /*
@@ -31,7 +31,7 @@
 */
 
 #include
-__RCSID("$NetBSD: pch.c,v 1.28 2015/07/30 21:47:51 christos Exp $");
+__RCSID("$NetBSD: pch.c,v 1.29 2018/04/05 18:50:10 christos Exp $");
 
 #include
 #include
@@ -1414,8 +1414,8 @@ do_ed_script(void)
 unlink(TMPOUTNAME);
 fatal("can't create temp file %s", TMPOUTNAME);
 }
- snprintf(buf, buf_len, "%s%s%s", _PATH_ED,
- verbose ? " " : " -s ", TMPOUTNAME);
+ snprintf(buf, buf_len, "%s -S%s %s", _PATH_ED,
+ verbose ? "" : "s", TMPOUTNAME);
 pipefp = popen(buf, "w");
 }
 for (;;) {
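Review bot: The `-S` in the new format string is the whole mitigation, yet nothing at the call site says so, and a later tidy-up of the verbose/quiet switch could fold it back into the old `" -s "` form; add a comment above the snprintf such as `/* -S: ed(1) refuses '!' commands, so a crafted ed-style patch cannot run shell commands through this popen(). */`. The command line is still assembled as text for popen(), which is acceptable only because `_PATH_ED` and `TMPOUTNAME` appear to be fixed program constants rather than anything taken from the patch being applied; that assumption is worth stating in the same comment. An ed(1) that does not know `-S` presumably prints its usage and exits, so on such a system patch fails closed rather than silently reverting to the unsafe behaviour. The log message's "CVS-2018-0492" reads like a typo for CVE-2018-0492. do_ed_script() begins and ends outside the hunk.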
CVS commit: src/bin/ed
Module Name:src Committed By: christos Date: Thu Apr 5 18:44:57 UTC 2018 Modified Files: src/bin/ed: ed.1 main.c Log Message: add -S to disable ! commands. To generate a diff of this commit: cvs rdiff -u -r1.31 -r1.32 src/bin/ed/ed.1 cvs rdiff -u -r1.28 -r1.29 src/bin/ed/main.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/bin/ed/ed.1 diff -u src/bin/ed/ed.1:1.31 src/bin/ed/ed.1:1.32 --- src/bin/ed/ed.1:1.31 Mon Jul 3 17:33:23 2017 +++ src/bin/ed/ed.1 Thu Apr 5 14:44:57 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: ed.1,v 1.31 2017/07/03 21:33:23 wiz Exp $ +.\" $NetBSD: ed.1,v 1.32 2018/04/05 18:44:57 christos Exp $ .\" $OpenBSD: ed.1,v 1.42 2003/07/27 13:25:43 jmc Exp $ .\" .\" Copyright (c) 1993 Andrew Moore, Talke Studio. @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 23, 2002 +.Dd April 23, 2002 .Dt ED 1 .Os .Sh NAME @@ -34,7 +34,7 @@ .Sh SYNOPSIS .Nm .Op Fl -.Op Fl Esx +.Op Fl ESsx .Op Fl p Ar string .Op Ar file .Sh DESCRIPTION @@ -130,6 +130,12 @@ option (deprecated). .It Fl E Enables the use of extended regular expressions instead of the basic regular expressions that are normally used. +.It Fl S +Disables using of the +.Dq ! +command (execuring a subshell). +Intended to be used by batch jobs like +.Xr patch 1 . .It Fl p Ar string Specifies a command prompt. This may be toggled on and off with the @@ -955,6 +961,7 @@ but any changes to the buffer are lost. .Xr sed 1 , .Xr sh 1 , .Xr vi 1 , +.Xr patch 1 , .Xr regex 3 .Pp USD:09-10 Index: src/bin/ed/main.c diff -u src/bin/ed/main.c:1.28 src/bin/ed/main.c:1.29 --- src/bin/ed/main.c:1.28 Wed Mar 2 14:11:28 2016 +++ src/bin/ed/main.c Thu Apr 5 14:44:57 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: main.c,v 1.28 2016/03/02 19:11:28 christos Exp $ */ +/* $NetBSD: main.c,v 1.29 2018/04/05 18:44:57 christos Exp $ */ /* main.c: This file contains the main control and user-interface routines for the ed line editor. */ @@ -39,7 +39,7 @@ __COPYRIGHT( #if 0 static char *rcsid = "@(#)main.c,v 1.1 1994/02/01 00:34:42 alm Exp"; #else -__RCSID("$NetBSD: main.c,v 1.28 2016/03/02 19:11:28 christos Exp $"); +__RCSID("$NetBSD: main.c,v 1.29 2018/04/05 18:44:57 christos Exp $"); #endif #endif /* not lint */ @@ -94,6 +94,7 @@ int mutex = 0; /* if set, signals set int red = 0; /* if set, restrict shell/directory access */ int ere = 0; /* if set, use extended regexes */ int scripted = 0; /* if set, suppress diagnostics */ +int secure = 0; /* is set, ! is not allowed */ int sigflags = 0; /* if set, signals received while mutex set */ int sigactive = 0; /* if set, signal handlers are enabled */ @@ -105,7 +106,7 @@ const char *prompt; /* command-line pr const char *dps = "*"; /* default command-line prompt */ -static const char usage[] = "Usage: %s [-] [-sxE] [-p string] [name]\n"; +static const char usage[] = "Usage: %s [-] [-ESsx] [-p string] [name]\n"; /* ed: line editor */ int @@ -118,7 +119,7 @@ main(int ac, char *av[]) red = (n = strlen(argv[0])) > 2 && argv[0][n - 3] == 'r'; top: - while ((c = getopt(argc, argv, "p:sxE")) != -1) + while ((c = getopt(argc, argv, "p:sxES")) != -1) switch(c) { case 'p':/* set prompt */ prompt = optarg; @@ -137,6 +138,9 @@ top: case 'E': ere = REG_EXTENDED; break; + case 'S':/* ! is not allowed */ + secure = 1; + break; default: fprintf(stderr, usage, getprogname()); exit(1); @@ -861,6 +865,10 @@ exec_command(void) printf("%ld\n", addr_cnt ? second_addr : addr_last); break; case '!': + if (secure) { + seterrmsg("'!' not allowed"); + return ERR; + } if (addr_cnt > 0) { seterrmsg("unexpected address"); return ERR;
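Review bot: The new `secure` guard sits only in exec_command()'s `case '!':`, so it blocks the stand-alone shell-escape command; if file names beginning with `!` given to `e`, `r` or `w` are still handed to a shell by the file-name parser (outside this hunk), `-S` does not yet fully disable subshells as the manual text in this commit says, and that path needs the same `if (secure) { seterrmsg("'!' not allowed"); return ERR; }` check. The comment on the new global is also wrong: `/* is set, ! is not allowed */` should read `/* if set, ! is not allowed */`. On the documentation side, the ed.1 hunk in this commit spells "execuring" and sets `.Dd April 23, 2002` rather than the commit date. main() and exec_command() both begin and end outside these hunks.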
CVS commit: src/bin/ed
Module Name:src Committed By: christos Date: Thu Apr 5 18:44:57 UTC 2018 Modified Files: src/bin/ed: ed.1 main.c Log Message: add -S to disable ! commands. To generate a diff of this commit: cvs rdiff -u -r1.31 -r1.32 src/bin/ed/ed.1 cvs rdiff -u -r1.28 -r1.29 src/bin/ed/main.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Re: CVS commit: src/usr.bin/make
On Wed, Apr 04, 2018 at 08:31:11PM -0400, Christos Zoulas wrote: > Module Name: src > Committed By:christos > Date:Thu Apr 5 00:31:11 UTC 2018 > > Modified Files: > src/usr.bin/make: parse.c > > Log Message: > Be more selective about detecting a SYSV include as opposed to a dependency > line. Dependency lines should contain a '::' operator or ':'. This is wrong: it's perfectly legal to write "foo.o:foo.c". It needs to scan for variables, or at least not look inside matching sets of () {}. -- David A. Holland dholl...@netbsd.org
CVS commit: [netbsd-8] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 18:18:00 UTC 2018 Modified Files: src/doc [netbsd-8]: CHANGES-8.0 Log Message: Ticket #696 To generate a diff of this commit: cvs rdiff -u -r1.1.2.164 -r1.1.2.165 src/doc/CHANGES-8.0 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 18:18:00 UTC 2018 Modified Files: src/doc [netbsd-8]: CHANGES-8.0 Log Message: Ticket #696 To generate a diff of this commit: cvs rdiff -u -r1.1.2.164 -r1.1.2.165 src/doc/CHANGES-8.0 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-8.0 diff -u src/doc/CHANGES-8.0:1.1.2.164 src/doc/CHANGES-8.0:1.1.2.165 --- src/doc/CHANGES-8.0:1.1.2.164 Thu Apr 5 14:42:36 2018 +++ src/doc/CHANGES-8.0 Thu Apr 5 18:18:00 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-8.0,v 1.1.2.164 2018/04/05 14:42:36 martin Exp $ +# $NetBSD: CHANGES-8.0,v 1.1.2.165 2018/04/05 18:18:00 martin Exp $ A complete list of changes from the initial NetBSD 8.0 branch on 2017-06-04 until the 8.0 release: @@ -10907,6 +10907,22 @@ sys/sys/mbuf.h 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. [maxv, ticket #695] +sys/arch/amd64/amd64/db_interface.c 1.33 (patch) +sys/arch/amd64/amd64/spl.S 1.34 (patch) +sys/arch/amd64/amd64/vector.S 1.62 (patch) +sys/arch/i386/i386/db_interface.c 1.82 (patch) +sys/arch/i386/i386/machdep.c 1.805 (patch) +sys/arch/i386/i386/spl.S 1.43 (patch) +sys/arch/i386/i386/vector.S 1.77 +sys/arch/x86/include/intr.h 1.55 +sys/arch/x86/x86/intr.c1.125 +sys/arch/x86/x86/lapic.c 1.66 (patch) + + Rename the DDB IPI IDT vectors for consistency. + Rename Xpreempt{recurse,resume} -> X{recurse,resume}_preempt + so that they fit the pattern. + [christos, ticket #696] + sys/net/route.c 1.208 Kill remaining rt->rt_refcnt++
CVS commit: [netbsd-8] src/sys/arch
Module Name:src Committed By: martin Date: Thu Apr 5 18:15:03 UTC 2018 Modified Files: src/sys/arch/amd64/amd64 [netbsd-8]: db_interface.c spl.S vector.S src/sys/arch/i386/i386 [netbsd-8]: db_interface.c machdep.c spl.S vector.S src/sys/arch/x86/include [netbsd-8]: intr.h src/sys/arch/x86/x86 [netbsd-8]: intr.c lapic.c Log Message: Pull up following revision(s) (requested by christos in ticket #696): sys/arch/amd64/amd64/vector.S: revision 1.62 (patch) sys/arch/x86/include/intr.h: revision 1.55 sys/arch/i386/i386/vector.S: revision 1.77 sys/arch/i386/i386/db_interface.c: revision 1.82 (patch) sys/arch/amd64/amd64/spl.S: revision 1.34 (patch) sys/arch/amd64/amd64/db_interface.c: revision 1.33 (patch) sys/arch/x86/x86/intr.c: revision 1.125 sys/arch/i386/i386/spl.S: revision 1.43 (patch) sys/arch/i386/i386/machdep.c: revision 1.805 (patch) sys/arch/x86/x86/lapic.c: revision 1.66 (patch) Rename the DDB IPI IDT vectors for consistency. ok maxv@ Rename Xpreempt{recurse,resume} -> X{recurse,resume}_preempt so that they fit the pattern. Also the debugger trap sniffer matches them without adding special entries... XXX: pullup-8. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.25.2.1 src/sys/arch/amd64/amd64/db_interface.c cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/arch/amd64/amd64/spl.S cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/arch/amd64/amd64/vector.S cvs rdiff -u -r1.72 -r1.72.2.1 src/sys/arch/i386/i386/db_interface.c cvs rdiff -u -r1.782.6.4 -r1.782.6.5 src/sys/arch/i386/i386/machdep.c cvs rdiff -u -r1.40 -r1.40.22.1 src/sys/arch/i386/i386/spl.S cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/arch/i386/i386/vector.S cvs rdiff -u -r1.50.2.1 -r1.50.2.2 src/sys/arch/x86/include/intr.h cvs rdiff -u -r1.101.2.4 -r1.101.2.5 src/sys/arch/x86/x86/intr.c cvs rdiff -u -r1.58.2.4 -r1.58.2.5 src/sys/arch/x86/x86/lapic.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/sys/arch/amd64/amd64/db_interface.c diff -u src/sys/arch/amd64/amd64/db_interface.c:1.25 src/sys/arch/amd64/amd64/db_interface.c:1.25.2.1 --- src/sys/arch/amd64/amd64/db_interface.c:1.25 Tue May 23 08:54:38 2017 +++ src/sys/arch/amd64/amd64/db_interface.c Thu Apr 5 18:15:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: db_interface.c,v 1.25 2017/05/23 08:54:38 nonaka Exp $ */ +/* $NetBSD: db_interface.c,v 1.25.2.1 2018/04/05 18:15:02 martin Exp $ */ /* * Mach Operating System @@ -33,7 +33,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: db_interface.c,v 1.25 2017/05/23 08:54:38 nonaka Exp $"); +__KERNEL_RCSID(0, "$NetBSD: db_interface.c,v 1.25.2.1 2018/04/05 18:15:02 martin Exp $"); #include "opt_ddb.h" #include "opt_multiprocessor.h" @@ -95,7 +95,7 @@ static bool ddb_mp_online; int ddb_cpu = NOCPU; typedef void (vector)(void); -extern vector Xintrddb, Xx2apic_intrddb; +extern vector Xintr_ddbipi, Xintr_x2apic_ddbipi; void db_machine_init(void) @@ -103,10 +103,10 @@ db_machine_init(void) #ifdef MULTIPROCESSOR #ifndef XEN - vector *handler = + vector *handler = _ddbipi; #if NLAPIC > 0 if (lapic_is_x2apic()) - handler = _intrddb; + handler = _x2apic_ddbipi; #endif ddb_vec = idt_vec_alloc(0xf0, 0xff); setgate([ddb_vec], handler, 1, SDT_SYS386IGT, SEL_KPL, Index: src/sys/arch/amd64/amd64/spl.S diff -u src/sys/arch/amd64/amd64/spl.S:1.30 src/sys/arch/amd64/amd64/spl.S:1.30.10.1 --- src/sys/arch/amd64/amd64/spl.S:1.30 Sun Nov 22 13:41:24 2015 +++ src/sys/arch/amd64/amd64/spl.S Thu Apr 5 18:15:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: spl.S,v 1.30 2015/11/22 13:41:24 maxv Exp $ */ +/* $NetBSD: spl.S,v 1.30.10.1 2018/04/05 18:15:02 martin Exp $ */ /* * Copyright (c) 2003 Wasabi Systems, Inc. @@ -116,7 +116,7 @@ IDTVEC(softintr) popq %r15 /* unwind switchframe */ addq $(5 * 8),%rsp jmp *%r13 /* back to Xspllower/Xdoreti */ -END(Xsoftintr) +IDTVEC_END(softintr) /* * softintr_ret() 
@@ -145,25 +145,25 @@ END(softint_trigger) /* - * Xpreemptrecurse() + * Xrecurse_preempt() * * Handles preemption interrupts via Xspllower(). */ -IDTVEC(preemptrecurse) +IDTVEC(recurse_preempt) movl $IPL_PREEMPT, CPUVAR(ILEVEL) sti xorq %rdi, %rdi call _C_LABEL(kpreempt) cli jmp *%r13 /* back to Xspllower */ -END(Xpreemptrecurse) +IDTVEC_END(recurse_preempt) /* - * Xpreemptresume() + * Xresume_preempt() * * Handles preemption interrupts via Xdoreti(). */ -IDTVEC(preemptresume) +IDTVEC(resume_preempt) movl $IPL_PREEMPT, CPUVAR(ILEVEL) sti testq $SEL_RPL, TF_CS(%rsp) @@ -176,7 +176,7 @@ IDTVEC(preemptresume) call _C_LABEL(preempt) # from user cli jmp *%r13 /* back to Xdoreti */ -END(Xpreemptresume) +IDTVEC_END(resume_preempt) /* * int splraise(int s); @@ -300,7 +300,7 @@ IDTVEC(spllower) popq %r13 popq %rbx ret -END(Xspllower) +IDTVEC_END(spllower) /*
CVS commit: [netbsd-8] src/sys/arch
Module Name:src Committed By: martin Date: Thu Apr 5 18:15:03 UTC 2018 Modified Files: src/sys/arch/amd64/amd64 [netbsd-8]: db_interface.c spl.S vector.S src/sys/arch/i386/i386 [netbsd-8]: db_interface.c machdep.c spl.S vector.S src/sys/arch/x86/include [netbsd-8]: intr.h src/sys/arch/x86/x86 [netbsd-8]: intr.c lapic.c Log Message: Pull up following revision(s) (requested by christos in ticket #696): sys/arch/amd64/amd64/vector.S: revision 1.62 (patch) sys/arch/x86/include/intr.h: revision 1.55 sys/arch/i386/i386/vector.S: revision 1.77 sys/arch/i386/i386/db_interface.c: revision 1.82 (patch) sys/arch/amd64/amd64/spl.S: revision 1.34 (patch) sys/arch/amd64/amd64/db_interface.c: revision 1.33 (patch) sys/arch/x86/x86/intr.c: revision 1.125 sys/arch/i386/i386/spl.S: revision 1.43 (patch) sys/arch/i386/i386/machdep.c: revision 1.805 (patch) sys/arch/x86/x86/lapic.c: revision 1.66 (patch) Rename the DDB IPI IDT vectors for consistency. ok maxv@ Rename Xpreempt{recurse,resume} -> X{recurse,resume}_preempt so that they fit the pattern. Also the debugger trap sniffer matches them without adding special entries... XXX: pullup-8. To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.25.2.1 src/sys/arch/amd64/amd64/db_interface.c cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/arch/amd64/amd64/spl.S cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/arch/amd64/amd64/vector.S cvs rdiff -u -r1.72 -r1.72.2.1 src/sys/arch/i386/i386/db_interface.c cvs rdiff -u -r1.782.6.4 -r1.782.6.5 src/sys/arch/i386/i386/machdep.c cvs rdiff -u -r1.40 -r1.40.22.1 src/sys/arch/i386/i386/spl.S cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/arch/i386/i386/vector.S cvs rdiff -u -r1.50.2.1 -r1.50.2.2 src/sys/arch/x86/include/intr.h cvs rdiff -u -r1.101.2.4 -r1.101.2.5 src/sys/arch/x86/x86/intr.c cvs rdiff -u -r1.58.2.4 -r1.58.2.5 src/sys/arch/x86/x86/lapic.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/usr.bin/make
Module Name:src Committed By: christos Date: Thu Apr 5 16:31:54 UTC 2018 Modified Files: src/usr.bin/make: parse.c Log Message: Appease the compiler gods; yes I know what I am doing adding to a literal string. To generate a diff of this commit: cvs rdiff -u -r1.228 -r1.229 src/usr.bin/make/parse.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/usr.bin/make
Module Name:src Committed By: christos Date: Thu Apr 5 16:31:54 UTC 2018 Modified Files: src/usr.bin/make: parse.c Log Message: Appease the compiler gods; yes I know what I am doing adding to a literal string. To generate a diff of this commit: cvs rdiff -u -r1.228 -r1.229 src/usr.bin/make/parse.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.bin/make/parse.c
diff -u src/usr.bin/make/parse.c:1.228 src/usr.bin/make/parse.c:1.229
--- src/usr.bin/make/parse.c:1.228 Wed Apr 4 20:31:10 2018
+++ src/usr.bin/make/parse.c Thu Apr 5 12:31:54 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: parse.c,v 1.228 2018/04/05 00:31:10 christos Exp $ */
+/* $NetBSD: parse.c,v 1.229 2018/04/05 16:31:54 christos Exp $ */
 
 /*
 * Copyright (c) 1988, 1989, 1990, 1993
@@ -69,14 +69,14 @@
 */
 
 #ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: parse.c,v 1.228 2018/04/05 00:31:10 christos Exp $";
+static char rcsid[] = "$NetBSD: parse.c,v 1.229 2018/04/05 16:31:54 christos Exp $";
 #else
 #include
 #ifndef lint
 #if 0
 static char sccsid[] = "@(#)parse.c 8.3 (Berkeley) 3/19/94";
 #else
-__RCSID("$NetBSD: parse.c,v 1.228 2018/04/05 00:31:10 christos Exp $");
+__RCSID("$NetBSD: parse.c,v 1.229 2018/04/05 16:31:54 christos Exp $");
 #endif
 #endif /* not lint */
 #endif
@@ -2521,7 +2521,7 @@ IsInclude(const char *line, Boolean sysv
 static const size_t inclen = sizeof(inc) - 1;
 
 // 'd' is not valid for sysv
- int o = strchr("ds-" + sysv, *line) != NULL;
+ int o = strchr(&("ds-"[sysv]), *line) != NULL;
 
 if (strncmp(line + o, inc, inclen) != 0)
 return FALSE;
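Review bot: `strchr(&("ds-"[sysv]), *line)` is correct only while `sysv` is exactly 0 or 1; any other non-zero Boolean indexes past the three-byte literal, and the form reads as a trick to silence a warning rather than as intent. `strchr(sysv ? "s-" : "ds-", *line)` expresses the same rule (`d` only when not sysv), does no arithmetic on a string literal, and should keep the compiler the log message mentions just as quiet. IsInclude() begins before the hunk, so whether any caller ever passes a value other than TRUE/FALSE is not visible here.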
CVS commit: src/sys/arch/x86/x86
Module Name:src Committed By: maxv Date: Thu Apr 5 15:04:29 UTC 2018 Modified Files: src/sys/arch/x86/x86: spectre.c Log Message: Set the "method" string at boot time too. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/sys/arch/x86/x86/spectre.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/x86/x86/spectre.c
diff -u src/sys/arch/x86/x86/spectre.c:1.9 src/sys/arch/x86/x86/spectre.c:1.10
--- src/sys/arch/x86/x86/spectre.c:1.9 Wed Apr 4 16:23:27 2018
+++ src/sys/arch/x86/x86/spectre.c Thu Apr 5 15:04:29 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: spectre.c,v 1.9 2018/04/04 16:23:27 maxv Exp $ */
+/* $NetBSD: spectre.c,v 1.10 2018/04/05 15:04:29 maxv Exp $ */
 
 /*
 * Copyright (c) 2018 NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
 */
 
 #include
-__KERNEL_RCSID(0, "$NetBSD: spectre.c,v 1.9 2018/04/04 16:23:27 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: spectre.c,v 1.10 2018/04/05 15:04:29 maxv Exp $");
 
 #include
 #include
@@ -85,6 +85,29 @@ speculation_barrier(struct lwp *oldlwp,
 }
 
 static void
+speculation_set_name(void)
+{
+ const char *name;
+
+ if (!spec_mitigation_enabled) {
+ name = "(none)";
+ } else {
+ switch (mitigation_method) {
+ case MITIGATION_AMD_DIS_IND:
+ name = "AMD DIS_IND";
+ break;
+ case MITIGATION_INTEL_IBRS:
+ name = "Intel IBRS";
+ break;
+ default:
+ panic("%s: impossible", __func__);
+ }
+ }
+ strlcpy(spec_mitigation_name, name,
+ sizeof(spec_mitigation_name));
+}
+
+static void
 speculation_detect_method(void)
 {
 struct cpu_info *ci = curcpu();
@@ -270,7 +293,6 @@ mitigation_change(bool enabled)
 struct cpu_info *ci = NULL;
 CPU_INFO_ITERATOR cii;
 uint64_t xc;
- const char *name;
 
 speculation_detect_method();
 
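Review bot: speculation_set_name() replaces the old unconditional "Intel IBRS" fallback with `panic("%s: impossible", __func__)` in the `default:` case, which makes "spec_mitigation_enabled is never true while mitigation_method is MITIGATION_NONE" a hard invariant; the cpu_speculation_init() call added in the following hunk establishes that order explicitly, but for the mitigation_change() caller the check that guarantees it lies outside this hunk and should be confirmed. A short comment above the function would record the contract: `/* Refresh spec_mitigation_name from spec_mitigation_enabled and mitigation_method; callers must update those two first. */`. The strlcpy still runs after mutex_exit() in mitigation_change() (also in the following hunk), unchanged from before, so if anything reads spec_mitigation_name concurrently it may observe a partially written string — worth noting in the same comment rather than changing here.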
@@ -308,17 +330,7 @@ mitigation_change(bool enabled) printf(" done!\n"); spec_mitigation_enabled = enabled; mutex_exit(_lock); - - if (!enabled) { - name = "(none)"; - } else if (mitigation_method == MITIGATION_AMD_DIS_IND) { - name = "AMD DIS_IND"; - } else { - name = "Intel IBRS"; - } - strlcpy(spec_mitigation_name, name, - sizeof(spec_mitigation_name)); - + speculation_set_name(); return 0; default: panic("impossible"); @@ -336,6 +348,7 @@ cpu_speculation_init(struct cpu_info *ci speculation_detect_method(); spec_mitigation_enabled = (mitigation_method != MITIGATION_NONE); + speculation_set_name(); } if (mitigation_method != MITIGATION_NONE) {
CVS commit: src/sys/arch/x86/x86
Module Name:src Committed By: maxv Date: Thu Apr 5 15:04:29 UTC 2018 Modified Files: src/sys/arch/x86/x86: spectre.c Log Message: Set the "method" string at boot time too. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/sys/arch/x86/x86/spectre.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 14:42:36 UTC 2018 Modified Files: src/doc [netbsd-8]: CHANGES-8.0 Log Message: Tickets #694, #695, and #697 To generate a diff of this commit: cvs rdiff -u -r1.1.2.163 -r1.1.2.164 src/doc/CHANGES-8.0 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-8.0 diff -u src/doc/CHANGES-8.0:1.1.2.163 src/doc/CHANGES-8.0:1.1.2.164 --- src/doc/CHANGES-8.0:1.1.2.163 Wed Apr 4 16:42:03 2018 +++ src/doc/CHANGES-8.0 Thu Apr 5 14:42:36 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-8.0,v 1.1.2.163 2018/04/04 16:42:03 martin Exp $ +# $NetBSD: CHANGES-8.0,v 1.1.2.164 2018/04/05 14:42:36 martin Exp $ A complete list of changes from the initial NetBSD 8.0 branch on 2017-06-04 until the 8.0 release: @@ -10889,3 +10889,26 @@ sys/net/npf/npf.h1.55 to bypass a certain number of filtering rules. [maxv, ticket #693] +sys/net/if_etherip.c1.41,1.42 +sys/netinet/ip_etherip.c 1.21 +sys/netinet6/ip6_etherip.c 1.22 + + Don't call if_attach, do if_initialize+if_register instead. + Style, and do not add M_PKTHDR again, instead assert that it + is already there. + Add a missing NULL check after m_pullup. + [maxv, ticket #694] + +sys/kern/uipc_mbuf.c1.182 +sys/netinet/ip_reass.c1.14 +sys/netinet6/frag6.c1.67 +sys/sys/mbuf.h 1.179 + + Remove M_PKTHDR from secondary mbufs when reassembling packets. + [maxv, ticket #695] + +sys/net/route.c 1.208 + + Kill remaining rt->rt_refcnt++ + [ozaki-r, ticket #697] +
CVS commit: [netbsd-8] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 14:42:36 UTC 2018 Modified Files: src/doc [netbsd-8]: CHANGES-8.0 Log Message: Tickets #694, #695, and #697 To generate a diff of this commit: cvs rdiff -u -r1.1.2.163 -r1.1.2.164 src/doc/CHANGES-8.0 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/net
Module Name:src Committed By: martin Date: Thu Apr 5 14:41:07 UTC 2018 Modified Files: src/sys/net [netbsd-8]: route.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #697): sys/net/route.c: revision 1.208 Kill remaining rt->rt_refcnt++ To generate a diff of this commit: cvs rdiff -u -r1.194.6.7 -r1.194.6.8 src/sys/net/route.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/net
Module Name:src Committed By: martin Date: Thu Apr 5 14:41:07 UTC 2018 Modified Files: src/sys/net [netbsd-8]: route.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #697): sys/net/route.c: revision 1.208 Kill remaining rt->rt_refcnt++ To generate a diff of this commit: cvs rdiff -u -r1.194.6.7 -r1.194.6.8 src/sys/net/route.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/route.c
diff -u src/sys/net/route.c:1.194.6.7 src/sys/net/route.c:1.194.6.8
--- src/sys/net/route.c:1.194.6.7 Tue Mar 13 13:27:10 2018
+++ src/sys/net/route.c Thu Apr 5 14:41:07 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: route.c,v 1.194.6.7 2018/03/13 13:27:10 martin Exp $ */
+/* $NetBSD: route.c,v 1.194.6.8 2018/04/05 14:41:07 martin Exp $ */
 
 /*-
 * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
 #endif
 
 #include
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.194.6.7 2018/03/13 13:27:10 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.194.6.8 2018/04/05 14:41:07 martin Exp $");
 
 #include
 #ifdef RTFLUSH_DEBUG
@@ -2124,7 +2124,7 @@ rt_delete_matched_entries(sa_family_t fa
 RT_UNLOCK();
 return;
 }
- rt->rt_refcnt++;
+ rt_ref(rt);
 splx(s);
 RT_UNLOCK();
 
CVS commit: [netbsd-8] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 14:33:42 UTC 2018 Modified Files: src/sys/kern [netbsd-8]: uipc_mbuf.c src/sys/netinet [netbsd-8]: ip_reass.c src/sys/netinet6 [netbsd-8]: frag6.c src/sys/sys [netbsd-8]: mbuf.h Log Message: Pull up following revision(s) (requested by maxv in ticket #695): sys/kern/uipc_mbuf.c: revision 1.182 sys/netinet6/frag6.c: revision 1.67 sys/netinet/ip_reass.c: revision 1.14 sys/sys/mbuf.h: revision 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction: m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); m_pkthdr.len is bigger than the actual mbuf chain. It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes. 
To generate a diff of this commit: cvs rdiff -u -r1.172.6.1 -r1.172.6.2 src/sys/kern/uipc_mbuf.c cvs rdiff -u -r1.11.8.1 -r1.11.8.2 src/sys/netinet/ip_reass.c cvs rdiff -u -r1.60.6.3 -r1.60.6.4 src/sys/netinet6/frag6.c cvs rdiff -u -r1.170.2.2 -r1.170.2.3 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 14:33:42 UTC 2018 Modified Files: src/sys/kern [netbsd-8]: uipc_mbuf.c src/sys/netinet [netbsd-8]: ip_reass.c src/sys/netinet6 [netbsd-8]: frag6.c src/sys/sys [netbsd-8]: mbuf.h Log Message: Pull up following revision(s) (requested by maxv in ticket #695): sys/kern/uipc_mbuf.c: revision 1.182 sys/netinet6/frag6.c: revision 1.67 sys/netinet/ip_reass.c: revision 1.14 sys/sys/mbuf.h: revision 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction: m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); m_pkthdr.len is bigger than the actual mbuf chain. It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes. 
To generate a diff of this commit: cvs rdiff -u -r1.172.6.1 -r1.172.6.2 src/sys/kern/uipc_mbuf.c cvs rdiff -u -r1.11.8.1 -r1.11.8.2 src/sys/netinet/ip_reass.c cvs rdiff -u -r1.60.6.3 -r1.60.6.4 src/sys/netinet6/frag6.c cvs rdiff -u -r1.170.2.2 -r1.170.2.3 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.172.6.1 src/sys/kern/uipc_mbuf.c:1.172.6.2
--- src/sys/kern/uipc_mbuf.c:1.172.6.1 Tue Feb 27 09:07:32 2018
+++ src/sys/kern/uipc_mbuf.c Thu Apr 5 14:33:41 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_mbuf.c,v 1.172.6.1 2018/02/27 09:07:32 martin Exp $ */
+/* $NetBSD: uipc_mbuf.c,v 1.172.6.2 2018/04/05 14:33:41 martin Exp $ */
 
 /*-
 * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
 */
 
 #include
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.172.6.1 2018/02/27 09:07:32 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.172.6.2 2018/04/05 14:33:41 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mbuftrace.h"
@@ -455,6 +455,16 @@ mb_ctor(void *arg, void *object, int fla
 return (0);
 }
 
+void
+m_pkthdr_remove(struct mbuf *m)
+{
+ KASSERT(m->m_flags & M_PKTHDR);
+
+ m_tag_delete_chain(m, NULL);
+ m->m_flags &= ~M_PKTHDR;
+ memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));
+}
+
 /*
 * Add mbuf to the end of a chain
 */
Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.11.8.1 src/sys/netinet/ip_reass.c:1.11.8.2
--- src/sys/netinet/ip_reass.c:1.11.8.1 Fri Mar 30 11:10:14 2018
+++ src/sys/netinet/ip_reass.c Thu Apr 5 14:33:41 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $ */
+/* $NetBSD: ip_reass.c,v 1.11.8.2 2018/04/05 14:33:41 martin Exp $ */
 
 /*
 * Copyright (c) 1982, 1986, 1988, 1993
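Review bot: m_pkthdr_remove() is a new kernel-wide helper with no comment stating its precondition: the KASSERT demands M_PKTHDR, and on a kernel where KASSERT is compiled out a caller that violates it would run m_tag_delete_chain() and the memset against an mbuf whose m_pkthdr is not in use. A block comment in the style of the neighbouring "Add mbuf to the end of a chain" one, e.g. `/* Strip the packet header from an mbuf that is no longer the head of a chain: free its tags, clear M_PKTHDR and zero m_pkthdr, so that only the first mbuf of a chain carries a header (m_splithdr relies on this). */`, would make that visible. The ip_reass.c call in the continuation of this diff (`m_pkthdr_remove(t)` just before `m_cat(m, t)`) relies on every queued fragment carrying M_PKTHDR, which presumably holds for mbufs arriving through ip_input but is worth stating at that call site too. The mbuf.h hunk declaring the function is not part of this chunk.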
@@ -46,7 +46,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.2 2018/04/05 14:33:41 martin Exp $"); #include #include @@ -389,6 +389,7 @@ insert: t = q->ipqe_m; nq = TAILQ_NEXT(q, ipqe_q); pool_cache_put(ipfren_cache, q); + m_pkthdr_remove(t); m_cat(m, t); } @@ -406,7 +407,8 @@ insert: m->m_data -= (ip->ip_hl << 2); /* Fix up mbuf. XXX This should be done elsewhere. */ - if (m->m_flags & M_PKTHDR) { + { + KASSERT(m->m_flags & M_PKTHDR); int plen = 0; for (t = m; t; t = t->m_next) { plen += t->m_len; Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.60.6.3 src/sys/netinet6/frag6.c:1.60.6.4 --- src/sys/netinet6/frag6.c:1.60.6.3 Fri Mar 30 11:19:45 2018 +++ src/sys/netinet6/frag6.c Thu Apr 5 14:33:41 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.60.6.3 2018/03/30 11:19:45 martin Exp $ */ +/* $NetBSD: frag6.c,v 1.60.6.4 2018/04/05 14:33:41 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.3 2018/03/30 11:19:45 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.4 2018/04/05 14:33:41 martin Exp $"); #ifdef _KERNEL_OPT
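Review bot: The new `m_pkthdr_remove(t)` before `m_cat(m, t)` turns a previously tolerated state into a hard precondition: every mbuf in the fragment queue must now carry M_PKTHDR, because m_pkthdr_remove asserts it and then walks a tag chain that only exists behind a packet header. That presumably holds because each queued fragment arrived as its own packet, but I cannot verify it from this hunk (ip_reass starts and ends outside it), so I would state it at the call: `/* Every queued fragment is a complete packet with M_PKTHDR; only the chain head keeps its header, the rest (and their tags) are stripped before concatenation. */`. In the second hunk the length fix-up is now unconditional; on a kernel built without DIAGNOSTIC the KASSERT compiles away, so a head that somehow lacked M_PKTHDR would have m_pkthdr written anyway (the store presumably follows below the hunk) — the assertion documents the invariant rather than enforcing it, which is fine as long as the invariant is written down. The same two hunks recur in the netbsd-7-0, netbsd-7-1 and netbsd-7 pull-ups (ip_reass.c 1.9.8.1, 1.9.12.1 and 1.9.4.1); the frag6.c counterpart is cut off in every listing on this page.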
CVS commit: [netbsd-8] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 14:31:19 UTC 2018 Modified Files: src/sys/net [netbsd-8]: if_etherip.c src/sys/netinet [netbsd-8]: ip_etherip.c src/sys/netinet6 [netbsd-8]: ip6_etherip.c Log Message: Pull up following revision(s) (requested by maxv in ticket #694): sys/netinet6/ip6_etherip.c: revision 1.22 sys/net/if_etherip.c: revision 1.41 sys/net/if_etherip.c: revision 1.42 sys/netinet/ip_etherip.c: revision 1.21 Don't call if_attach, do if_initialize+if_register, otherwise when an EtherIP packet is received the first KASSERT in if_input() fires. A few fixes: * Style. * Don't add M_PKTHDR manually, that's absolutely forbidden. Add a KASSERT to make sure it's already there. * Add a missing NULL check after m_pullup. To generate a diff of this commit: cvs rdiff -u -r1.38.10.2 -r1.38.10.3 src/sys/net/if_etherip.c cvs rdiff -u -r1.20 -r1.20.8.1 src/sys/netinet/ip_etherip.c cvs rdiff -u -r1.21 -r1.21.8.1 src/sys/netinet6/ip6_etherip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 14:31:19 UTC 2018 Modified Files: src/sys/net [netbsd-8]: if_etherip.c src/sys/netinet [netbsd-8]: ip_etherip.c src/sys/netinet6 [netbsd-8]: ip6_etherip.c Log Message: Pull up following revision(s) (requested by maxv in ticket #694): sys/netinet6/ip6_etherip.c: revision 1.22 sys/net/if_etherip.c: revision 1.41 sys/net/if_etherip.c: revision 1.42 sys/netinet/ip_etherip.c: revision 1.21 Don't call if_attach, do if_initialize+if_register, otherwise when an EtherIP packet is received the first KASSERT in if_input() fires. A few fixes: * Style. * Don't add M_PKTHDR manually, that's absolutely forbidden. Add a KASSERT to make sure it's already there. * Add a missing NULL check after m_pullup. To generate a diff of this commit: cvs rdiff -u -r1.38.10.2 -r1.38.10.3 src/sys/net/if_etherip.c cvs rdiff -u -r1.20 -r1.20.8.1 src/sys/netinet/ip_etherip.c cvs rdiff -u -r1.21 -r1.21.8.1 src/sys/netinet6/ip6_etherip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if_etherip.c diff -u src/sys/net/if_etherip.c:1.38.10.2 src/sys/net/if_etherip.c:1.38.10.3 --- src/sys/net/if_etherip.c:1.38.10.2 Tue Jan 2 10:20:33 2018 +++ src/sys/net/if_etherip.c Thu Apr 5 14:31:19 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if_etherip.c,v 1.38.10.2 2018/01/02 10:20:33 snj Exp $*/ +/* $NetBSD: if_etherip.c,v 1.38.10.3 2018/04/05 14:31:19 martin Exp $*/ /* * Copyright (c) 2006, Hans Rosenfeld@@ -27,8 +27,9 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * + */ + +/* * Copyright (c) 2003, 2004, 2008 The NetBSD Foundation. * All rights reserved. * 
@@ -55,9 +56,9 @@ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. - * - * - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + */ + +/* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -86,7 +87,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_etherip.c,v 1.38.10.2 2018/01/02 10:20:33 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_etherip.c,v 1.38.10.3 2018/04/05 14:31:19 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -227,7 +228,7 @@ etherip_attach(device_t parent, device_t memcpy(enaddr+3, (uint8_t *), 3); aprint_verbose_dev(self, "Ethernet address %s\n", - ether_snprintf(enaddrstr, sizeof(enaddrstr), enaddr)); + ether_snprintf(enaddrstr, sizeof(enaddrstr), enaddr)); /* * Why 1000baseT? Why not? You can add more. @@ -266,14 +267,15 @@ etherip_attach(device_t parent, device_t * Those steps are mandatory for an Ethernet driver, the first call * being common to all network interface drivers. */ - error = if_attach(ifp); + error = if_initialize(ifp); if (error != 0) { - aprint_error_dev(self, "if_attach failed(%d)\n", error); + aprint_error_dev(self, "if_initialize failed(%d)\n", error); ifmedia_delete_instance(>sc_im, IFM_INST_ANY); pmf_device_deregister(self); return; } ether_ifattach(ifp, enaddr); + if_register(ifp); /* * Add a sysctl node for that interface. @@ -362,7 +364,7 @@ etherip_start(struct ifnet *ifp) { struct etherip_softc *sc = ifp->if_softc; - if(sc->sc_si) + if (sc->sc_si) softint_schedule(sc->sc_si); } 
@@ -399,10 +401,14 @@ etheripintr(void *arg) break; #endif default: +/* impossible */ +m_freem(m); error = ENETDOWN; } ifp->if_flags &= ~IFF_OACTIVE; - } else m_freem(m); + } else { + m_freem(m); + } } mutex_exit(softnet_lock); __USE(error); Index: src/sys/netinet/ip_etherip.c diff -u src/sys/netinet/ip_etherip.c:1.20 src/sys/netinet/ip_etherip.c:1.20.8.1 --- src/sys/netinet/ip_etherip.c:1.20 Wed Jan 11 13:08:29 2017 +++ src/sys/netinet/ip_etherip.c Thu Apr 5 14:31:19 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_etherip.c,v 1.20 2017/01/11 13:08:29 ozaki-r Exp $*/ +/* $NetBSD: ip_etherip.c,v 1.20.8.1 2018/04/05 14:31:19 martin Exp $*/ /* * Copyright (c) 2006, Hans Rosenfeld @@ -27,8 +27,9 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * + */ + +/* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. * @@ -58,7 +59,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_etherip.c,v 1.20 2017/01/11 13:08:29 ozaki-r Exp $"); +__KERNEL_RCSID(0,
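Review bot: The `default:` arm now frees the mbuf, closing the leak the old code had, but `/* impossible */` does not say what makes it impossible, and `error = ENETDOWN` is still only consumed by `__USE(error)`, so the drop leaves no trace. I would replace the bare comment with one naming the earlier guard that excludes other address families — that guard is not visible here, since etheripintr starts outside the hunk, so the exact wording has to come from someone who can see it — and, if the driver keeps an input-error counter, increment it in that arm so an unexpected family at least shows up in statistics. Nothing in the hunk touches `m` after `m_freem(m)`, so the free itself looks safe, and the `} else { m_freem(m); }` rewrite is a pure brace-style change.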
CVS commit: src/sys/arch/x86/x86
Module Name:src Committed By: maxv Date: Thu Apr 5 14:14:27 UTC 2018 Modified Files: src/sys/arch/x86/x86: dbregs.c Log Message: Hum, don't let userland set bit 13, because this can crash the kernel. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/sys/arch/x86/x86/dbregs.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/arch/x86/x86
Module Name:src Committed By: maxv Date: Thu Apr 5 14:14:27 UTC 2018 Modified Files: src/sys/arch/x86/x86: dbregs.c Log Message: Hum, don't let userland set bit 13, because this can crash the kernel. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/sys/arch/x86/x86/dbregs.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/x86/x86/dbregs.c diff -u src/sys/arch/x86/x86/dbregs.c:1.7 src/sys/arch/x86/x86/dbregs.c:1.8 --- src/sys/arch/x86/x86/dbregs.c:1.7 Thu Apr 5 14:11:20 2018 +++ src/sys/arch/x86/x86/dbregs.c Thu Apr 5 14:14:27 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: dbregs.c,v 1.7 2018/04/05 14:11:20 maxv Exp $ */ +/* $NetBSD: dbregs.c,v 1.8 2018/04/05 14:14:27 maxv Exp $ */ /*- * Copyright (c) 2016 The NetBSD Foundation, Inc. @@ -191,6 +191,9 @@ x86_dbregs_validate(const struct dbreg * if (regs->dr[i] >= (vaddr_t)VM_MAXUSER_ADDRESS) return EINVAL; + if (regs->dr[7] & X86_DR7_GENERAL_DETECT_ENABLE) + return EINVAL; + /* * Skip checks for reserved registers (DR4-DR5, DR8-DR15). *
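Review bot: The new check rejects DR7 bit 13 without saying why, leaving the only explanation in the commit message; I would add `/* GD (bit 13) makes the CPU raise #DB on any MOV to/from a debug register, so the kernel's own DR loads would fault; never let userland arm it. */` above the `if`. As this is the second fix to the same validation within minutes (the `>=` bound on DR0-DR3 in revision 1.7, shown just below), it may be worth a positive mask of the DR7 bits userland is permitted to set, so that reserved or dangerous bits are rejected by default rather than one at a time — I cannot tell from the hunk whether the remainder of x86_dbregs_validate, which starts outside it, already does this beyond the reserved-register skip its comment mentions.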
CVS commit: src/sys/arch/x86/x86
Module Name:src Committed By: maxv Date: Thu Apr 5 14:11:20 UTC 2018 Modified Files: src/sys/arch/x86/x86: dbregs.c Log Message: Fix the check, should be >=. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/arch/x86/x86/dbregs.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/x86/x86/dbregs.c diff -u src/sys/arch/x86/x86/dbregs.c:1.6 src/sys/arch/x86/x86/dbregs.c:1.7 --- src/sys/arch/x86/x86/dbregs.c:1.6 Thu Feb 23 12:01:12 2017 +++ src/sys/arch/x86/x86/dbregs.c Thu Apr 5 14:11:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: dbregs.c,v 1.6 2017/02/23 12:01:12 martin Exp $ */ +/* $NetBSD: dbregs.c,v 1.7 2018/04/05 14:11:20 maxv Exp $ */ /*- * Copyright (c) 2016 The NetBSD Foundation, Inc. @@ -188,7 +188,7 @@ x86_dbregs_validate(const struct dbreg * /* Check that DR0-DR3 contain user-space address */ for (i = 0; i < X86_DBREGS; i++) - if (regs->dr[i] > (vaddr_t)VM_MAXUSER_ADDRESS) + if (regs->dr[i] >= (vaddr_t)VM_MAXUSER_ADDRESS) return EINVAL; /*
CVS commit: src/sys/arch/x86/x86
Module Name:src Committed By: maxv Date: Thu Apr 5 14:11:20 UTC 2018 Modified Files: src/sys/arch/x86/x86: dbregs.c Log Message: Fix the check, should be >=. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/arch/x86/x86/dbregs.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:54:36 UTC 2018 Modified Files: src/doc [netbsd-7-0]: CHANGES-7.0.3 Log Message: Ticket #1594 To generate a diff of this commit: cvs rdiff -u -r1.1.2.98 -r1.1.2.99 src/doc/CHANGES-7.0.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-7.0.3 diff -u src/doc/CHANGES-7.0.3:1.1.2.98 src/doc/CHANGES-7.0.3:1.1.2.99 --- src/doc/CHANGES-7.0.3:1.1.2.98 Thu Apr 5 11:44:57 2018 +++ src/doc/CHANGES-7.0.3 Thu Apr 5 11:54:36 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-7.0.3,v 1.1.2.98 2018/04/05 11:44:57 martin Exp $ +# $NetBSD: CHANGES-7.0.3,v 1.1.2.99 2018/04/05 11:54:36 martin Exp $ A complete list of changes from the NetBSD 7.0.2 release to the NetBSD 7.0.3 release: @@ -5372,3 +5372,12 @@ sys/net/npf/npf.h1.55 Fix an integer overflow that allows incoming IPv6 packets to bypass a certain number of filtering rules. [maxv, ticket #1593] + +sys/kern/uipc_mbuf.c1.182 +sys/netinet/ip_reass.c1.14 +sys/netinet6/frag6.c1.67 +sys/sys/mbuf.h 1.179 + + Remove M_PKTHDR from secondary mbufs when reassembling packets. + [maxv, ticket #1594] +
CVS commit: [netbsd-7-0] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:54:36 UTC 2018 Modified Files: src/doc [netbsd-7-0]: CHANGES-7.0.3 Log Message: Ticket #1594 To generate a diff of this commit: cvs rdiff -u -r1.1.2.98 -r1.1.2.99 src/doc/CHANGES-7.0.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-1] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:52:22 UTC 2018 Modified Files: src/doc [netbsd-7-1]: CHANGES-7.1.3 Log Message: Ticket #1594 To generate a diff of this commit: cvs rdiff -u -r1.1.2.5 -r1.1.2.6 src/doc/CHANGES-7.1.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-7.1.3 diff -u src/doc/CHANGES-7.1.3:1.1.2.5 src/doc/CHANGES-7.1.3:1.1.2.6 --- src/doc/CHANGES-7.1.3:1.1.2.5 Thu Apr 5 11:43:08 2018 +++ src/doc/CHANGES-7.1.3 Thu Apr 5 11:52:21 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-7.1.3,v 1.1.2.5 2018/04/05 11:43:08 martin Exp $ +# $NetBSD: CHANGES-7.1.3,v 1.1.2.6 2018/04/05 11:52:21 martin Exp $ A complete list of changes from the NetBSD 7.1.2 release to the NetBSD 7.1.3 release: @@ -64,3 +64,12 @@ sys/net/npf/npf.h1.55 Fix an integer overflow that allows incoming IPv6 packets to bypass a certain number of filtering rules. [maxv, ticket #1593] + +sys/kern/uipc_mbuf.c1.182 +sys/netinet/ip_reass.c1.14 +sys/netinet6/frag6.c1.67 +sys/sys/mbuf.h 1.179 + + Remove M_PKTHDR from secondary mbufs when reassembling packets. + [maxv, ticket #1594] +
CVS commit: [netbsd-7-1] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:52:22 UTC 2018 Modified Files: src/doc [netbsd-7-1]: CHANGES-7.1.3 Log Message: Ticket #1594 To generate a diff of this commit: cvs rdiff -u -r1.1.2.5 -r1.1.2.6 src/doc/CHANGES-7.1.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 11:53:03 UTC 2018 Modified Files: src/sys/kern [netbsd-7-0]: uipc_mbuf.c src/sys/netinet [netbsd-7-0]: ip_reass.c src/sys/netinet6 [netbsd-7-0]: frag6.c src/sys/sys [netbsd-7-0]: mbuf.h Log Message: Pull up following revision(s) (requested by maxv in ticket #1594): sys/kern/uipc_mbuf.c: revision 1.182 sys/netinet6/frag6.c: revision 1.67 sys/netinet/ip_reass.c: revision 1.14 sys/sys/mbuf.h: revision 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction: m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); m_pkthdr.len is bigger than the actual mbuf chain. It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes. 
To generate a diff of this commit: cvs rdiff -u -r1.158.4.1 -r1.158.4.1.2.1 src/sys/kern/uipc_mbuf.c cvs rdiff -u -r1.9 -r1.9.8.1 src/sys/netinet/ip_reass.c cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.155 -r1.155.4.1 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 11:53:03 UTC 2018 Modified Files: src/sys/kern [netbsd-7-0]: uipc_mbuf.c src/sys/netinet [netbsd-7-0]: ip_reass.c src/sys/netinet6 [netbsd-7-0]: frag6.c src/sys/sys [netbsd-7-0]: mbuf.h Log Message: Pull up following revision(s) (requested by maxv in ticket #1594): sys/kern/uipc_mbuf.c: revision 1.182 sys/netinet6/frag6.c: revision 1.67 sys/netinet/ip_reass.c: revision 1.14 sys/sys/mbuf.h: revision 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction: m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); m_pkthdr.len is bigger than the actual mbuf chain. It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes. 
To generate a diff of this commit: cvs rdiff -u -r1.158.4.1 -r1.158.4.1.2.1 src/sys/kern/uipc_mbuf.c cvs rdiff -u -r1.9 -r1.9.8.1 src/sys/netinet/ip_reass.c cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.155 -r1.155.4.1 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_mbuf.c diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1 src/sys/kern/uipc_mbuf.c:1.158.4.1.2.1 --- src/sys/kern/uipc_mbuf.c:1.158.4.1 Mon Feb 9 09:46:01 2015 +++ src/sys/kern/uipc_mbuf.c Thu Apr 5 11:53:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $ */ +/* $NetBSD: uipc_mbuf.c,v 1.158.4.1.2.1 2018/04/05 11:53:02 martin Exp $ */ /*- * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc. @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.1 2018/04/05 11:53:02 martin Exp $"); #include "opt_mbuftrace.h" #include "opt_nmbclusters.h" @@ -453,6 +453,16 @@ mb_ctor(void *arg, void *object, int fla return (0); } +void +m_pkthdr_remove(struct mbuf *m) +{ + KASSERT(m->m_flags & M_PKTHDR); + + m_tag_delete_chain(m, NULL); + m->m_flags &= ~M_PKTHDR; + memset(>m_pkthdr, 0, sizeof(m->m_pkthdr)); +} + /* * Add mbuf to the end of a chain */ Index: src/sys/netinet/ip_reass.c diff -u src/sys/netinet/ip_reass.c:1.9 src/sys/netinet/ip_reass.c:1.9.8.1 --- src/sys/netinet/ip_reass.c:1.9 Tue Feb 25 18:30:12 2014 +++ src/sys/netinet/ip_reass.c Thu Apr 5 11:53:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $ */ +/* $NetBSD: ip_reass.c,v 1.9.8.1 2018/04/05 11:53:02 martin Exp $ */ /* * Copyright (c) 1982, 1986, 1988, 1993 
@@ -46,7 +46,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9.8.1 2018/04/05 11:53:02 martin Exp $"); #include #include @@ -393,6 +393,7 @@ insert: t = q->ipqe_m; nq = TAILQ_NEXT(q, ipqe_q); pool_cache_put(ipfren_cache, q); + m_pkthdr_remove(t); m_cat(m, t); } @@ -410,7 +411,8 @@ insert: m->m_data -= (ip->ip_hl << 2); /* Fix up mbuf. XXX This should be done elsewhere. */ - if (m->m_flags & M_PKTHDR) { + { + KASSERT(m->m_flags & M_PKTHDR); int plen = 0; for (t = m; t; t = t->m_next) { plen += t->m_len; Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.55.6.1 src/sys/netinet6/frag6.c:1.55.6.2 --- src/sys/netinet6/frag6.c:1.55.6.1 Tue Jan 30 18:31:53 2018 +++ src/sys/netinet6/frag6.c Thu Apr 5 11:53:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $ */ +/* $NetBSD: frag6.c,v 1.55.6.2 2018/04/05 11:53:02 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.2 2018/04/05 11:53:02 martin Exp $"); #include
CVS commit: [netbsd-7-1] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 11:50:17 UTC 2018 Modified Files: src/sys/kern [netbsd-7-1]: uipc_mbuf.c src/sys/netinet [netbsd-7-1]: ip_reass.c src/sys/netinet6 [netbsd-7-1]: frag6.c src/sys/sys [netbsd-7-1]: mbuf.h Log Message: Pull up following revision(s) (requested by maxv in ticket #1594): sys/kern/uipc_mbuf.c: revision 1.182 sys/netinet6/frag6.c: revision 1.67 sys/netinet/ip_reass.c: revision 1.14 sys/sys/mbuf.h: revision 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction: m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); m_pkthdr.len is bigger than the actual mbuf chain. It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes. 
To generate a diff of this commit: cvs rdiff -u -r1.158.4.1 -r1.158.4.1.6.1 src/sys/kern/uipc_mbuf.c cvs rdiff -u -r1.9 -r1.9.12.1 src/sys/netinet/ip_reass.c cvs rdiff -u -r1.55.10.1 -r1.55.10.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.155 -r1.155.8.1 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-1] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 11:50:17 UTC 2018 Modified Files: src/sys/kern [netbsd-7-1]: uipc_mbuf.c src/sys/netinet [netbsd-7-1]: ip_reass.c src/sys/netinet6 [netbsd-7-1]: frag6.c src/sys/sys [netbsd-7-1]: mbuf.h Log Message: Pull up following revision(s) (requested by maxv in ticket #1594): sys/kern/uipc_mbuf.c: revision 1.182 sys/netinet6/frag6.c: revision 1.67 sys/netinet/ip_reass.c: revision 1.14 sys/sys/mbuf.h: revision 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction: m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); m_pkthdr.len is bigger than the actual mbuf chain. It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes. 
To generate a diff of this commit: cvs rdiff -u -r1.158.4.1 -r1.158.4.1.6.1 src/sys/kern/uipc_mbuf.c cvs rdiff -u -r1.9 -r1.9.12.1 src/sys/netinet/ip_reass.c cvs rdiff -u -r1.55.10.1 -r1.55.10.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.155 -r1.155.8.1 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_mbuf.c diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1 src/sys/kern/uipc_mbuf.c:1.158.4.1.6.1 --- src/sys/kern/uipc_mbuf.c:1.158.4.1 Mon Feb 9 09:46:01 2015 +++ src/sys/kern/uipc_mbuf.c Thu Apr 5 11:50:17 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $ */ +/* $NetBSD: uipc_mbuf.c,v 1.158.4.1.6.1 2018/04/05 11:50:17 martin Exp $ */ /*- * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc. @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.6.1 2018/04/05 11:50:17 martin Exp $"); #include "opt_mbuftrace.h" #include "opt_nmbclusters.h" @@ -453,6 +453,16 @@ mb_ctor(void *arg, void *object, int fla return (0); } +void +m_pkthdr_remove(struct mbuf *m) +{ + KASSERT(m->m_flags & M_PKTHDR); + + m_tag_delete_chain(m, NULL); + m->m_flags &= ~M_PKTHDR; + memset(>m_pkthdr, 0, sizeof(m->m_pkthdr)); +} + /* * Add mbuf to the end of a chain */ Index: src/sys/netinet/ip_reass.c diff -u src/sys/netinet/ip_reass.c:1.9 src/sys/netinet/ip_reass.c:1.9.12.1 --- src/sys/netinet/ip_reass.c:1.9 Tue Feb 25 18:30:12 2014 +++ src/sys/netinet/ip_reass.c Thu Apr 5 11:50:17 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $ */ +/* $NetBSD: ip_reass.c,v 1.9.12.1 2018/04/05 11:50:17 martin Exp $ */ /* * Copyright (c) 1982, 1986, 1988, 1993 
@@ -46,7 +46,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9.12.1 2018/04/05 11:50:17 martin Exp $"); #include #include @@ -393,6 +393,7 @@ insert: t = q->ipqe_m; nq = TAILQ_NEXT(q, ipqe_q); pool_cache_put(ipfren_cache, q); + m_pkthdr_remove(t); m_cat(m, t); } @@ -410,7 +411,8 @@ insert: m->m_data -= (ip->ip_hl << 2); /* Fix up mbuf. XXX This should be done elsewhere. */ - if (m->m_flags & M_PKTHDR) { + { + KASSERT(m->m_flags & M_PKTHDR); int plen = 0; for (t = m; t; t = t->m_next) { plen += t->m_len; Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.55.10.1 src/sys/netinet6/frag6.c:1.55.10.2 --- src/sys/netinet6/frag6.c:1.55.10.1 Tue Jan 30 18:30:31 2018 +++ src/sys/netinet6/frag6.c Thu Apr 5 11:50:17 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.55.10.1 2018/01/30 18:30:31 martin Exp $ */ +/* $NetBSD: frag6.c,v 1.55.10.2 2018/04/05 11:50:17 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.10.1 2018/01/30 18:30:31 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.10.2 2018/04/05 11:50:17 martin Exp $");
CVS commit: [netbsd-7] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:49:19 UTC 2018 Modified Files: src/doc [netbsd-7]: CHANGES-7.2 Log Message: Ticket #1594 To generate a diff of this commit: cvs rdiff -u -r1.1.2.82 -r1.1.2.83 src/doc/CHANGES-7.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-7.2 diff -u src/doc/CHANGES-7.2:1.1.2.82 src/doc/CHANGES-7.2:1.1.2.83 --- src/doc/CHANGES-7.2:1.1.2.82 Thu Apr 5 11:42:03 2018 +++ src/doc/CHANGES-7.2 Thu Apr 5 11:49:19 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-7.2,v 1.1.2.82 2018/04/05 11:42:03 martin Exp $ +# $NetBSD: CHANGES-7.2,v 1.1.2.83 2018/04/05 11:49:19 martin Exp $ A complete list of changes from the NetBSD 7.1 release to the NetBSD 7.2 release: @@ -5404,3 +5404,12 @@ sys/net/npf/npf.h1.55 Fix an integer overflow that allows incoming IPv6 packets to bypass a certain number of filtering rules. [maxv, ticket #1593] + +sys/kern/uipc_mbuf.c1.182 +sys/netinet/ip_reass.c1.14 +sys/netinet6/frag6.c1.67 +sys/sys/mbuf.h 1.179 + + Remove M_PKTHDR from secondary mbufs when reassembling packets. + [maxv, ticket #1594] +
CVS commit: [netbsd-7] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:49:19 UTC 2018 Modified Files: src/doc [netbsd-7]: CHANGES-7.2 Log Message: Ticket #1594 To generate a diff of this commit: cvs rdiff -u -r1.1.2.82 -r1.1.2.83 src/doc/CHANGES-7.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 11:48:13 UTC 2018 Modified Files: src/sys/kern [netbsd-7]: uipc_mbuf.c src/sys/netinet [netbsd-7]: ip_reass.c src/sys/netinet6 [netbsd-7]: frag6.c src/sys/sys [netbsd-7]: mbuf.h Log Message: Pull up following revision(s) (requested by maxv in ticket #1594): sys/kern/uipc_mbuf.c: revision 1.182 sys/netinet6/frag6.c: revision 1.67 sys/netinet/ip_reass.c: revision 1.14 sys/sys/mbuf.h: revision 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction: m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); m_pkthdr.len is bigger than the actual mbuf chain. It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes. 
To generate a diff of this commit: cvs rdiff -u -r1.158.4.1 -r1.158.4.2 src/sys/kern/uipc_mbuf.c cvs rdiff -u -r1.9 -r1.9.4.1 src/sys/netinet/ip_reass.c cvs rdiff -u -r1.55.4.1 -r1.55.4.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.155.2.1 -r1.155.2.2 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_mbuf.c diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1 src/sys/kern/uipc_mbuf.c:1.158.4.2 --- src/sys/kern/uipc_mbuf.c:1.158.4.1 Mon Feb 9 09:46:01 2015 +++ src/sys/kern/uipc_mbuf.c Thu Apr 5 11:48:13 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $ */ +/* $NetBSD: uipc_mbuf.c,v 1.158.4.2 2018/04/05 11:48:13 martin Exp $ */ /*- * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc. @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.2 2018/04/05 11:48:13 martin Exp $"); #include "opt_mbuftrace.h" #include "opt_nmbclusters.h" @@ -453,6 +453,16 @@ mb_ctor(void *arg, void *object, int fla return (0); } +void +m_pkthdr_remove(struct mbuf *m) +{ + KASSERT(m->m_flags & M_PKTHDR); + + m_tag_delete_chain(m, NULL); + m->m_flags &= ~M_PKTHDR; + memset(>m_pkthdr, 0, sizeof(m->m_pkthdr)); +} + /* * Add mbuf to the end of a chain */ Index: src/sys/netinet/ip_reass.c diff -u src/sys/netinet/ip_reass.c:1.9 src/sys/netinet/ip_reass.c:1.9.4.1 --- src/sys/netinet/ip_reass.c:1.9 Tue Feb 25 18:30:12 2014 +++ src/sys/netinet/ip_reass.c Thu Apr 5 11:48:13 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $ */ +/* $NetBSD: ip_reass.c,v 1.9.4.1 2018/04/05 11:48:13 martin Exp $ */ /* * Copyright (c) 1982, 1986, 1988, 1993 
@@ -46,7 +46,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9.4.1 2018/04/05 11:48:13 martin Exp $");
 #include
 #include
@@ -393,6 +393,7 @@ insert:
 t = q->ipqe_m;
 nq = TAILQ_NEXT(q, ipqe_q);
 pool_cache_put(ipfren_cache, q);
+ m_pkthdr_remove(t);
 m_cat(m, t);
 }
@@ -410,7 +411,8 @@ insert:
 m->m_data -= (ip->ip_hl << 2);
 /* Fix up mbuf. XXX This should be done elsewhere. */
- if (m->m_flags & M_PKTHDR) {
+ {
+ KASSERT(m->m_flags & M_PKTHDR);
 int plen = 0;
 for (t = m; t; t = t->m_next) {
 plen += t->m_len;
Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55.4.1 src/sys/netinet6/frag6.c:1.55.4.2
--- src/sys/netinet6/frag6.c:1.55.4.1 Tue Jan 30 18:28:45 2018
+++ src/sys/netinet6/frag6.c Thu Apr 5 11:48:13 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: frag6.c,v 1.55.4.1 2018/01/30 18:28:45 martin Exp $ */
+/* $NetBSD: frag6.c,v 1.55.4.2 2018/04/05 11:48:13 martin Exp $ */
 /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */
 /*
@@ -31,7 +31,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.4.1 2018/01/30 18:28:45 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.4.2 2018/04/05 11:48:13 martin Exp $");
 #include
 #include
@@ -405,6 +405,7
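Review bot: The added `m_pkthdr_remove(t);` in the `@@ -393` hunk is only safe if every fragment still queued carries M_PKTHDR, and the `@@ -410` hunk replaces the runtime `if (m->m_flags & M_PKTHDR)` with a KASSERT resting on the same assumption; both checks vanish in a kernel built without DIAGNOSTIC, leaving the memset in m_pkthdr_remove() and the header-length fix-up that follows to write into mbuf data if the assumption ever fails. As far as I can tell the assumption holds, because each fragment reaches the queue as a packet head from the input path, but nothing in these hunks records that. A one-line comment at the new call, `/* every queued fragment is a packet head; only m keeps its header */`, would say why the KASSERT is sound. The enclosing reassembly function starts and ends outside both hunks, and the frag6.c hunk at the end of this line is cut off, so I have not reviewed it.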
CVS commit: [netbsd-7] src/sys
Module Name:src Committed By: martin Date: Thu Apr 5 11:48:13 UTC 2018 Modified Files: src/sys/kern [netbsd-7]: uipc_mbuf.c src/sys/netinet [netbsd-7]: ip_reass.c src/sys/netinet6 [netbsd-7]: frag6.c src/sys/sys [netbsd-7]: mbuf.h Log Message: Pull up following revision(s) (requested by maxv in ticket #1594): sys/kern/uipc_mbuf.c: revision 1.182 sys/netinet6/frag6.c: revision 1.67 sys/netinet/ip_reass.c: revision 1.14 sys/sys/mbuf.h: revision 1.179 Remove M_PKTHDR from secondary mbufs when reassembling packets. This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction: m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); m_pkthdr.len is bigger than the actual mbuf chain. It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes. 
To generate a diff of this commit: cvs rdiff -u -r1.158.4.1 -r1.158.4.2 src/sys/kern/uipc_mbuf.c cvs rdiff -u -r1.9 -r1.9.4.1 src/sys/netinet/ip_reass.c cvs rdiff -u -r1.55.4.1 -r1.55.4.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.155.2.1 -r1.155.2.2 src/sys/sys/mbuf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:44:57 UTC 2018 Modified Files: src/doc [netbsd-7-0]: CHANGES-7.0.3 Log Message: Ticket #1593 To generate a diff of this commit: cvs rdiff -u -r1.1.2.97 -r1.1.2.98 src/doc/CHANGES-7.0.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/doc/CHANGES-7.0.3
diff -u src/doc/CHANGES-7.0.3:1.1.2.97 src/doc/CHANGES-7.0.3:1.1.2.98
--- src/doc/CHANGES-7.0.3:1.1.2.97 Sun Apr 1 09:15:43 2018
+++ src/doc/CHANGES-7.0.3 Thu Apr 5 11:44:57 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.0.3,v 1.1.2.97 2018/04/01 09:15:43 martin Exp $
+# $NetBSD: CHANGES-7.0.3,v 1.1.2.98 2018/04/05 11:44:57 martin Exp $
 A complete list of changes from the NetBSD 7.0.2 release to the NetBSD 7.0.3 release:
@@ -5367,3 +5367,8 @@ sys/netinet6/raw_ip6.c1.161 Fix use-after-free. [maxv, ticket #1591]
+sys/net/npf/npf.h1.55
+
+ Fix an integer overflow that allows incoming IPv6 packets
+ to bypass a certain number of filtering rules.
+ [maxv, ticket #1593]
CVS commit: [netbsd-7-0] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:44:57 UTC 2018 Modified Files: src/doc [netbsd-7-0]: CHANGES-7.0.3 Log Message: Ticket #1593 To generate a diff of this commit: cvs rdiff -u -r1.1.2.97 -r1.1.2.98 src/doc/CHANGES-7.0.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:43:51 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7-0]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1593: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files:
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.6.1
--- src/sys/net/npf/npf.h:1.47 Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h Thu Apr 5 11:43:51 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.47.6.1 2018/04/05 11:43:51 martin Exp $ */
 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
 uint8_t npc_alen;
 /* IP header length and L4 protocol. */
- uint8_t npc_hlen;
+ uint32_t npc_hlen;
 uint16_t npc_proto;
 /* IPv4, IPv6. */
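Review bot: Widening `npc_hlen` to `uint32_t` stops the 8-bit wrap, but the commit message itself says npf_cache_ip can still advance npc_hlen past the end of the mbuf, and nothing in this hunk bounds the value, so the field comment should state the obligation on whoever updates it, e.g. `/* IP header length (incl. IPv6 extension headers; the updater bounds it to the packet) and L4 protocol. */`. Placing a 32-bit field between `uint8_t npc_alen` and `uint16_t npc_proto` also changes the layout of npf_cache_t, so the npf module and anything else compiled against this header have to be rebuilt together; worth confirming that npf_cache_t is kernel-private. The same hunk is applied in the netbsd-7-1 and netbsd-7 pullups below and, with the `npf_addr_t * npc_dstip` context, in the netbsd-6-1 one, and this note applies to those as well.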
CVS commit: [netbsd-7-0] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:43:51 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7-0]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1593: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-1] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:43:08 UTC 2018 Modified Files: src/doc [netbsd-7-1]: CHANGES-7.1.3 Log Message: Ticket #1593 To generate a diff of this commit: cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-7.1.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/doc/CHANGES-7.1.3
diff -u src/doc/CHANGES-7.1.3:1.1.2.4 src/doc/CHANGES-7.1.3:1.1.2.5
--- src/doc/CHANGES-7.1.3:1.1.2.4 Sun Apr 1 09:14:15 2018
+++ src/doc/CHANGES-7.1.3 Thu Apr 5 11:43:08 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.1.3,v 1.1.2.4 2018/04/01 09:14:15 martin Exp $
+# $NetBSD: CHANGES-7.1.3,v 1.1.2.5 2018/04/05 11:43:08 martin Exp $
 A complete list of changes from the NetBSD 7.1.2 release to the NetBSD 7.1.3 release:
@@ -59,3 +59,8 @@ sys/netinet6/raw_ip6.c1.161 Fix use-after-free. [maxv, ticket #1591]
+sys/net/npf/npf.h1.55
+
+ Fix an integer overflow that allows incoming IPv6 packets
+ to bypass a certain number of filtering rules.
+ [maxv, ticket #1593]
CVS commit: [netbsd-7-1] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:43:08 UTC 2018 Modified Files: src/doc [netbsd-7-1]: CHANGES-7.1.3 Log Message: Ticket #1593 To generate a diff of this commit: cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-7.1.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-1] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:42:36 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7-1]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1593: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.12.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files:
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.12.1
--- src/sys/net/npf/npf.h:1.47 Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h Thu Apr 5 11:42:36 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.47.12.1 2018/04/05 11:42:36 martin Exp $ */
 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
 uint8_t npc_alen;
 /* IP header length and L4 protocol. */
- uint8_t npc_hlen;
+ uint32_t npc_hlen;
 uint16_t npc_proto;
 /* IPv4, IPv6. */
CVS commit: [netbsd-7-1] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:42:36 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7-1]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1593: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.12.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:42:03 UTC 2018 Modified Files: src/doc [netbsd-7]: CHANGES-7.2 Log Message: Ticket #1593 To generate a diff of this commit: cvs rdiff -u -r1.1.2.81 -r1.1.2.82 src/doc/CHANGES-7.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:42:03 UTC 2018 Modified Files: src/doc [netbsd-7]: CHANGES-7.2 Log Message: Ticket #1593 To generate a diff of this commit: cvs rdiff -u -r1.1.2.81 -r1.1.2.82 src/doc/CHANGES-7.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/doc/CHANGES-7.2
diff -u src/doc/CHANGES-7.2:1.1.2.81 src/doc/CHANGES-7.2:1.1.2.82
--- src/doc/CHANGES-7.2:1.1.2.81 Sun Apr 1 09:13:25 2018
+++ src/doc/CHANGES-7.2 Thu Apr 5 11:42:03 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.2,v 1.1.2.81 2018/04/01 09:13:25 martin Exp $
+# $NetBSD: CHANGES-7.2,v 1.1.2.82 2018/04/05 11:42:03 martin Exp $
 A complete list of changes from the NetBSD 7.1 release to the NetBSD 7.2 release:
@@ -5399,3 +5399,8 @@ sys/netinet6/raw_ip6.c1.161 Fix use-after-free. [maxv, ticket #1591]
+sys/net/npf/npf.h1.55
+
+ Fix an integer overflow that allows incoming IPv6 packets
+ to bypass a certain number of filtering rules.
+ [maxv, ticket #1593]
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:41:28 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1593: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files:
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.2.1
--- src/sys/net/npf/npf.h:1.47 Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h Thu Apr 5 11:41:28 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */
+/* $NetBSD: npf.h,v 1.47.2.1 2018/04/05 11:41:28 martin Exp $ */
 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
 uint8_t npc_alen;
 /* IP header length and L4 protocol. */
- uint8_t npc_hlen;
+ uint32_t npc_hlen;
 uint16_t npc_proto;
 /* IPv4, IPv6. */
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:41:28 UTC 2018 Modified Files: src/sys/net/npf [netbsd-7]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1593: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:40:14 UTC 2018 Modified Files: src/doc [netbsd-6-0]: CHANGES-6.0.7 Log Message: Ticket #1542 To generate a diff of this commit: cvs rdiff -u -r1.1.2.137 -r1.1.2.138 src/doc/CHANGES-6.0.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/doc/CHANGES-6.0.7
diff -u src/doc/CHANGES-6.0.7:1.1.2.137 src/doc/CHANGES-6.0.7:1.1.2.138
--- src/doc/CHANGES-6.0.7:1.1.2.137 Sun Apr 1 09:25:09 2018
+++ src/doc/CHANGES-6.0.7 Thu Apr 5 11:40:14 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.0.7,v 1.1.2.137 2018/04/01 09:25:09 martin Exp $
+# $NetBSD: CHANGES-6.0.7,v 1.1.2.138 2018/04/05 11:40:14 martin Exp $
 A complete list of changes from the NetBSD 6.0.6 release to the NetBSD 6.0.7 release:
@@ -15431,3 +15431,8 @@ sys/netinet6/raw_ip6.c1.161 Fix use-after-free. [maxv, ticket #1541]
+sys/net/npf/npf.h1.55
+
+ Fix an integer overflow that allows incoming IPv6 packets
+ to bypass a certain number of filtering rules.
+ [maxv, ticket #1542]
CVS commit: [netbsd-6-0] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:40:14 UTC 2018 Modified Files: src/doc [netbsd-6-0]: CHANGES-6.0.7 Log Message: Ticket #1542 To generate a diff of this commit: cvs rdiff -u -r1.1.2.137 -r1.1.2.138 src/doc/CHANGES-6.0.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-0] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:38:36 UTC 2018 Modified Files: src/sys/net/npf [netbsd-6-0]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1542: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.14.2.6.4.1 -r1.14.2.6.4.2 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files:
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.6.4.1 src/sys/net/npf/npf.h:1.14.2.6.4.2
--- src/sys/net/npf/npf.h:1.14.2.6.4.1 Sun Dec 16 18:20:09 2012
+++ src/sys/net/npf/npf.h Thu Apr 5 11:38:36 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.14.2.6.4.1 2012/12/16 18:20:09 riz Exp $ */
+/* $NetBSD: npf.h,v 1.14.2.6.4.2 2018/04/05 11:38:36 martin Exp $ */
 /*-
 * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -96,7 +96,7 @@ typedef struct {
 npf_addr_t * npc_dstip;
 /* Size (v4 or v6) of IP addresses. */
 int npc_alen;
- u_int npc_hlen;
+ uint32_t npc_hlen;
 int npc_next_proto;
 /* IPv4, IPv6. */
 union {
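Review bot: On this branch the field being replaced is `u_int npc_hlen`, which is already 32 bits wide on every NetBSD target, so the hunk changes the declared type but not its width and does not by itself remove an 8-bit wrap; the pulled-up log message, which describes npc_hlen as an 8-bit unsigned int, was written against the HEAD struct and does not describe this code. Whether netbsd-6-0 was exposed at all depends on how npf_cache_ip accumulates the header length on that branch, which is not visible here and should be checked before the CHANGES-6.0.7 entry states that the overflow is fixed. If the width was already sufficient, the entry should say so; if a narrower local or parameter is involved there, that is the change this pullup actually needs.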
CVS commit: [netbsd-6-0] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:38:36 UTC 2018 Modified Files: src/sys/net/npf [netbsd-6-0]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1542: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.14.2.6.4.1 -r1.14.2.6.4.2 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-1] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:36:31 UTC 2018 Modified Files: src/doc [netbsd-6-1]: CHANGES-6.1.6 Log Message: Ticket #1542 To generate a diff of this commit: cvs rdiff -u -r1.1.2.134 -r1.1.2.135 src/doc/CHANGES-6.1.6 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.134 src/doc/CHANGES-6.1.6:1.1.2.135
--- src/doc/CHANGES-6.1.6:1.1.2.134 Sun Apr 1 09:24:07 2018
+++ src/doc/CHANGES-6.1.6 Thu Apr 5 11:36:31 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.134 2018/04/01 09:24:07 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.135 2018/04/05 11:36:31 martin Exp $
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6 release:
@@ -15100,3 +15100,8 @@ sys/netinet6/raw_ip6.c1.161 Fix use-after-free. [maxv, ticket #1541]
+sys/net/npf/npf.h1.55
+
+ Fix an integer overflow that allows incoming IPv6 packets
+ to bypass a certain number of filtering rules.
+ [maxv, ticket #1542]
CVS commit: [netbsd-6-1] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:36:31 UTC 2018 Modified Files: src/doc [netbsd-6-1]: CHANGES-6.1.6 Log Message: Ticket #1542 To generate a diff of this commit: cvs rdiff -u -r1.1.2.134 -r1.1.2.135 src/doc/CHANGES-6.1.6 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-1] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:35:58 UTC 2018 Modified Files: src/sys/net/npf [netbsd-6-1]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1542: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6-1] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:35:58 UTC 2018 Modified Files: src/sys/net/npf [netbsd-6-1]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1542: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is a 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage, is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example, a packet with: packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files:
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.12.2.1
--- src/sys/net/npf/npf.h:1.14.2.12 Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf.h Thu Apr 5 11:35:57 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $ */
+/* $NetBSD: npf.h,v 1.14.2.12.2.1 2018/04/05 11:35:57 martin Exp $ */
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -99,7 +99,7 @@ typedef struct {
 npf_addr_t * npc_dstip;
 /* Size (v4 or v6) of IP addresses. */
 uint8_t npc_alen;
- uint8_t npc_hlen;
+ uint32_t npc_hlen;
 uint16_t npc_proto;
 /* IPv4, IPv6. */
 union {
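Review bot: Widening npc_hlen to uint32_t stops the 8-bit wrap, but nothing in this pullup bounds the value against the packet length; the log message itself notes that npf_cache_ip can still advance npc_hlen past the end of the mbuf, so that memory-overflow concern stays open after this change and should be tracked as a follow-up ticket. The field also has no comment stating the invariant its consumers depend on; `uint32_t npc_hlen; /* offset of the protocol header; must stay within the packet */` would make the bypass class this fixes harder to reintroduce. Because a uint8_t is now followed by a uint32_t, the layout and size of this struct change, so anything built against the old definition — the npf kernel module on this branch, if it is shipped separately — has to be rebuilt together with the kernel. The same hunk is applied to the [netbsd-6] branch as npf.h 1.14.2.13 further down; the enclosing `typedef struct` begins and ends outside the hunk.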
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:35:09 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1542 To generate a diff of this commit: cvs rdiff -u -r1.1.2.330 -r1.1.2.331 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:35:09 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1542 To generate a diff of this commit: cvs rdiff -u -r1.1.2.330 -r1.1.2.331 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.330 src/doc/CHANGES-6.2:1.1.2.331 --- src/doc/CHANGES-6.2:1.1.2.330 Sun Apr 1 09:23:13 2018 +++ src/doc/CHANGES-6.2 Thu Apr 5 11:35:08 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.330 2018/04/01 09:23:13 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.331 2018/04/05 11:35:08 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21205,3 +21205,8 @@ sys/netinet6/raw_ip6.c1.161 Fix use-after-free. [maxv, ticket #1541] +sys/net/npf/npf.h1.55 + + Fix an integer overflow that allows incoming IPv6 packets + to bypass a certain number of filtering rules. + [maxv, ticket #1542]
CVS commit: [netbsd-6] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:34:17 UTC 2018 Modified Files: src/sys/net/npf [netbsd-6]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1542: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF that allows any incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules to. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet according to this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example: a packet with packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-6] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu Apr 5 11:34:17 UTC 2018 Modified Files: src/sys/net/npf [netbsd-6]: npf.h Log Message: Pullup the following revision, requested by maxv in ticket #1542: sys/net/npf/npf.h 1.55 Fix a vulnerability in NPF that allows any incoming IPv6 packet to bypass a certain number of filtering rules. Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions. As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules to. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet according to this correct header. So the offending packet was supposed to be kicked, but still went through the firewall. Simple example: a packet with packet + 0 = IP6 Header packet + 40 = IP6 Routing header (ip6r_len = 31) packet + 48 = Crafted UDP header (uh_dport = ) packet + 296 = IP6 Dest header (ip6e_len = 0) packet + 304 = Real UDP header (uh_dport = ) will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port . Fix this by using uint32_t. While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf. To generate a diff of this commit: cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.13
--- src/sys/net/npf/npf.h:1.14.2.12 Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf.h Thu Apr 5 11:34:17 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $ */
+/* $NetBSD: npf.h,v 1.14.2.13 2018/04/05 11:34:17 martin Exp $ */
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -99,7 +99,7 @@ typedef struct {
 npf_addr_t * npc_dstip;
 /* Size (v4 or v6) of IP addresses. */
 uint8_t npc_alen;
- uint8_t npc_hlen;
+ uint32_t npc_hlen;
 uint16_t npc_proto;
 /* IPv4, IPv6. */
 union {
CVS commit: src/lib/libutil
Module Name:src Committed By: wiz Date: Thu Apr 5 11:07:00 UTC 2018 Modified Files: src/lib/libutil: opendisk.3 Log Message: Use mdoc macros. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/lib/libutil/opendisk.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libutil/opendisk.3 diff -u src/lib/libutil/opendisk.3:1.15 src/lib/libutil/opendisk.3:1.16 --- src/lib/libutil/opendisk.3:1.15 Wed Apr 4 04:43:46 2018 +++ src/lib/libutil/opendisk.3 Thu Apr 5 11:07:00 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: opendisk.3,v 1.15 2018/04/04 04:43:46 kre Exp $ +.\" $NetBSD: opendisk.3,v 1.16 2018/04/05 11:07:00 wiz Exp $ .\" .\" Copyright (c) 1997, 2001 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -200,7 +200,7 @@ may also set to any value specified by the .Xr open 2 function. -.PP +.Pp The .Fn opendisk1 function may also set @@ -216,7 +216,7 @@ The .Fn opendisk function first appeared in .Nx 1.3 . -.br +.Pp The .Fn opendisk1 function first appeared in
CVS commit: src/lib/libutil
Module Name:src Committed By: wiz Date: Thu Apr 5 11:07:00 UTC 2018 Modified Files: src/lib/libutil: opendisk.3 Log Message: Use mdoc macros. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/lib/libutil/opendisk.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/arch/arm/sunxi
Module Name:src Committed By: jmcneill Date: Thu Apr 5 10:21:39 UTC 2018 Modified Files: src/sys/arch/arm/sunxi: sunxi_debe.c Log Message: Remove AWIN_DEBE_FWINIT blocks To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/arch/arm/sunxi/sunxi_debe.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/arm/sunxi/sunxi_debe.c diff -u src/sys/arch/arm/sunxi/sunxi_debe.c:1.6 src/sys/arch/arm/sunxi/sunxi_debe.c:1.7 --- src/sys/arch/arm/sunxi/sunxi_debe.c:1.6 Thu Apr 5 10:19:25 2018 +++ src/sys/arch/arm/sunxi/sunxi_debe.c Thu Apr 5 10:21:39 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: sunxi_debe.c,v 1.6 2018/04/05 10:19:25 jmcneill Exp $ */ +/* $NetBSD: sunxi_debe.c,v 1.7 2018/04/05 10:21:39 jmcneill Exp $ */ /*- * Copyright (c) 2018 Manuel Bouyer@@ -38,7 +38,7 @@ #define SUNXI_DEBE_CURMAX 64 #include -__KERNEL_RCSID(0, "$NetBSD: sunxi_debe.c,v 1.6 2018/04/05 10:19:25 jmcneill Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sunxi_debe.c,v 1.7 2018/04/05 10:21:39 jmcneill Exp $"); #include #include @@ -148,9 +148,6 @@ sunxi_debe_attach(device_t parent, devic bus_addr_t addr; bus_size_t size; struct fdtbus_reset *rst; -#ifdef AWIN_DEBE_FWINIT - struct videomode mode; -#endif int error; sc->sc_dev = self; 
@@ -216,32 +213,6 @@ sunxi_debe_attach(device_t parent, devic fdtbus_get_string(phandle, "name")); -#ifdef AWIN_DEBE_FWINIT - const uint32_t modctl = DEBE_READ(sc, SUNXI_DEBE_MODCTL_REG); - const uint32_t dissize = DEBE_READ(sc, SUNXI_DEBE_DISSIZE_REG); - if ((modctl & SUNXI_DEBE_MODCTL_EN) == 0) { - aprint_error_dev(sc->sc_dev, "disabled\n"); - return; - } - if ((modctl & SUNXI_DEBE_MODCTL_START_CTL) == 0) { - aprint_error_dev(sc->sc_dev, "stopped\n"); - return; - } - memset(, 0, sizeof(mode)); - mode.hdisplay = (dissize & 0x) + 1; - mode.vdisplay = ((dissize >> 16) & 0x) + 1; - - if (mode.hdisplay == 1 || mode.vdisplay == 1) { - aprint_error_dev(sc->sc_dev, - "couldn't determine video mode\n"); - return; - } - - aprint_verbose_dev(sc->sc_dev, "using %dx%d mode from firmware\n", - mode.hdisplay, mode.vdisplay); - - sc->sc_dmasize = mode.hdisplay * mode.vdisplay * 4; -#else for (unsigned int reg = 0x800; reg < 0x1000; reg += 4) { DEBE_WRITE(sc, reg, 0); } @@ -249,7 +220,6 @@ sunxi_debe_attach(device_t parent, devic DEBE_WRITE(sc, SUNXI_DEBE_MODCTL_REG, SUNXI_DEBE_MODCTL_EN); sc->sc_dmasize = SUNXI_DEBE_VIDEOMEM; -#endif DEBE_WRITE(sc, SUNXI_DEBE_HWC_PALETTE_TABLE, 0); @@ -265,16 +235,11 @@ sunxi_debe_attach(device_t parent, devic sc->sc_ports.dp_ep_enable = sunxi_debe_ep_enable; fdt_ports_register(>sc_ports, self, phandle, EP_OTHER); -#ifdef AWIN_DEBE_FWINIT - sunxi_debe_set_videomode(device_unit(self), ); - sunxi_debe_enable(device_unit(self), true); -#else if (clk_disable(sc->sc_clk_ahb) != 0 || clk_disable(sc->sc_clk_mod) != 0) { aprint_error(": couldn't disable clocks\n"); return; } -#endif }
CVS commit: src/sys/arch/arm/sunxi
Module Name:src Committed By: jmcneill Date: Thu Apr 5 10:21:39 UTC 2018 Modified Files: src/sys/arch/arm/sunxi: sunxi_debe.c Log Message: Remove AWIN_DEBE_FWINIT blocks To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/arch/arm/sunxi/sunxi_debe.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/arch/arm/sunxi
Module Name:src Committed By: jmcneill Date: Thu Apr 5 10:19:25 UTC 2018 Modified Files: src/sys/arch/arm/sunxi: sunxi_debe.c Log Message: Remove NAWIN_MP blocks (this code was experimental in the original driver and is not worth porting over) To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/arch/arm/sunxi/sunxi_debe.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/arch/arm/sunxi
Module Name:src Committed By: jmcneill Date: Thu Apr 5 10:19:25 UTC 2018 Modified Files: src/sys/arch/arm/sunxi: sunxi_debe.c Log Message: Remove NAWIN_MP blocks (this code was experimental in the original driver and is not worth porting over) To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/arch/arm/sunxi/sunxi_debe.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/arm/sunxi/sunxi_debe.c diff -u src/sys/arch/arm/sunxi/sunxi_debe.c:1.5 src/sys/arch/arm/sunxi/sunxi_debe.c:1.6 --- src/sys/arch/arm/sunxi/sunxi_debe.c:1.5 Tue Apr 3 16:17:59 2018 +++ src/sys/arch/arm/sunxi/sunxi_debe.c Thu Apr 5 10:19:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: sunxi_debe.c,v 1.5 2018/04/03 16:17:59 bouyer Exp $ */ +/* $NetBSD: sunxi_debe.c,v 1.6 2018/04/05 10:19:25 jmcneill Exp $ */ /*- * Copyright (c) 2018 Manuel Bouyer@@ -38,7 +38,7 @@ #define SUNXI_DEBE_CURMAX 64 #include -__KERNEL_RCSID(0, "$NetBSD: sunxi_debe.c,v 1.5 2018/04/03 16:17:59 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: sunxi_debe.c,v 1.6 2018/04/05 10:19:25 jmcneill Exp $"); #include #include @@ -148,9 +148,6 @@ sunxi_debe_attach(device_t parent, devic bus_addr_t addr; bus_size_t size; struct fdtbus_reset *rst; -#if NAWIN_MP > 0 - device_t mpdev; -#endif #ifdef AWIN_DEBE_FWINIT struct videomode mode; #endif @@ -263,15 +260,6 @@ sunxi_debe_attach(device_t parent, devic return; } -#if NAWIN_MP > 0 - mpdev = device_find_by_driver_unit("sunximp", 0); - if (mpdev) { - paddr_t pa = sc->sc_dmamap->dm_segs[0].ds_addr; - if (pa >= SUNXI_SDRAM_PBASE) - pa -= SUNXI_SDRAM_PBASE; - sunxi_mp_setbase(mpdev, pa, sc->sc_dmasize); - } -#endif sc->sc_unit = -1; sc->sc_ports.dp_ep_connect = sunxi_debe_ep_connect; sc->sc_ports.dp_ep_enable = sunxi_debe_ep_enable; 
@@ -699,7 +687,6 @@ sunxi_debe_ioctl(device_t self, u_long c struct sunxi_befb_softc { struct genfb_softc sc_gen; device_t sc_debedev; - device_t sc_mpdev; bus_dma_tag_t sc_dmat; bus_dma_segment_t *sc_dmasegs; @@ -740,7 +727,6 @@ sunxi_befb_attach(device_t parent, devic sc->sc_dmat = afb->afb_dmat; sc->sc_dmasegs = afb->afb_dmasegs; sc->sc_ndmasegs = afb->afb_ndmasegs; - sc->sc_mpdev = device_find_by_driver_unit("sunximp", 0); prop_dictionary_set_uint32(cfg, "width", afb->afb_width); prop_dictionary_set_uint32(cfg, "height", afb->afb_height); @@ -800,10 +786,6 @@ sunxi_befb_ioctl(void *v, void *vs, u_lo if (error == 0) { fbi->fbi_flags |= WSFB_VRAM_IS_RAM; fbi->fbi_fbsize = sc->sc_dmasegs[0].ds_len; -#if NAWIN_MP > 0 - if (sc->sc_mpdev) -fbi->fbi_flags |= WSFB_ACCEL; -#endif } return error; case WSDISPLAYIO_SVIDEO: @@ -813,14 +795,6 @@ sunxi_befb_ioctl(void *v, void *vs, u_lo case WSDISPLAYIO_GCURMAX: case WSDISPLAYIO_SCURSOR: return sunxi_debe_ioctl(sc->sc_debedev, cmd, data); -#if NAWIN_MP > 0 - case WSDISPLAYIO_FILL: - case WSDISPLAYIO_COPY: - case WSDISPLAYIO_SYNC: - if (sc->sc_mpdev == NULL) - return EPASSTHROUGH; - return sunxi_mp_ioctl(sc->sc_mpdev, cmd, data); -#endif default: return EPASSTHROUGH; }
CVS commit: src/sys/arch
Module Name:src Committed By: maxv Date: Thu Apr 5 08:43:07 UTC 2018 Modified Files: src/sys/arch/i386/i386: machdep.c src/sys/arch/x86/x86: cpu.c Log Message: Call cpu_speculation_init on i386 too. We don't have IBRS for i386, but we do have the AMD DIS_IND method. To generate a diff of this commit: cvs rdiff -u -r1.805 -r1.806 src/sys/arch/i386/i386/machdep.c cvs rdiff -u -r1.154 -r1.155 src/sys/arch/x86/x86/cpu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/i386/i386/machdep.c
diff -u src/sys/arch/i386/i386/machdep.c:1.805 src/sys/arch/i386/i386/machdep.c:1.806
--- src/sys/arch/i386/i386/machdep.c:1.805 Tue Apr 3 07:20:52 2018
+++ src/sys/arch/i386/i386/machdep.c Thu Apr 5 08:43:07 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: machdep.c,v 1.805 2018/04/03 07:20:52 christos Exp $ */
+/* $NetBSD: machdep.c,v 1.806 2018/04/05 08:43:07 maxv Exp $ */
 /*
  * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009, 2017
@@ -67,7 +67,7 @@
  */
 #include
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.805 2018/04/03 07:20:52 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.806 2018/04/05 08:43:07 maxv Exp $");
 #include "opt_beep.h"
 #include "opt_compat_freebsd.h"
@@ -1168,6 +1168,9 @@ init386(paddr_t first_avail)
 cpu_probe(_info_primary);
 cpu_init_msrs(_info_primary, true);
+#ifndef XEN
+ cpu_speculation_init(_info_primary);
+#endif
 #ifdef PAE
 use_pae = 1;
Index: src/sys/arch/x86/x86/cpu.c
diff -u src/sys/arch/x86/x86/cpu.c:1.154 src/sys/arch/x86/x86/cpu.c:1.155
--- src/sys/arch/x86/x86/cpu.c:1.154 Wed Apr 4 12:59:49 2018
+++ src/sys/arch/x86/x86/cpu.c Thu Apr 5 08:43:07 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: cpu.c,v 1.154 2018/04/04 12:59:49 maxv Exp $ */
+/* $NetBSD: cpu.c,v 1.155 2018/04/05 08:43:07 maxv Exp $ */
 /*
  * Copyright (c) 2000-2012 NetBSD Foundation, Inc.
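Review bot: The new `#ifndef XEN` around cpu_speculation_init in init386 carries no comment saying why a XEN i386 kernel skips the mitigation, while the cpu_hatch hunk in cpu.c on the next line drops its `#ifdef __x86_64__` guard and calls it unconditionally. If x86/x86/cpu.c is not compiled into XEN kernels the two sites agree, but that dependency is invisible here, so a one-line comment on the `#ifndef XEN` naming the reason (for instance whether the speculation-control MSRs are not writable from a paravirtualized guest) would keep the next reader from treating it as an oversight. With this change the i386 primary CPU is covered by init386 and secondary CPUs by cpu_hatch, and both sites call it after cpu_probe and cpu_init_msrs; that ordering should stay in step if cpu_speculation_init's prerequisites change. init386 and cpu_hatch both start and end outside their hunks.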
@@ -62,7 +62,7 @@
  */
 #include
-__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.154 2018/04/04 12:59:49 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.155 2018/04/05 08:43:07 maxv Exp $");
 #include "opt_ddb.h"
 #include "opt_mpbios.h" /* for MPDEBUG */
@@ -848,9 +848,7 @@ cpu_hatch(void *v)
 cpu_init_msrs(ci, true);
 cpu_probe(ci);
-#ifdef __x86_64__
 cpu_speculation_init(ci);
-#endif
 ci->ci_data.cpu_cc_freq = cpu_info_primary.ci_data.cpu_cc_freq;
 /* cpu_get_tsc_freq(ci); */
CVS commit: src/sys/arch
Module Name:src Committed By: maxv Date: Thu Apr 5 08:43:07 UTC 2018 Modified Files: src/sys/arch/i386/i386: machdep.c src/sys/arch/x86/x86: cpu.c Log Message: Call cpu_speculation_init on i386 too. We don't have IBRS for i386, but we do have the AMD DIS_IND method. To generate a diff of this commit: cvs rdiff -u -r1.805 -r1.806 src/sys/arch/i386/i386/machdep.c cvs rdiff -u -r1.154 -r1.155 src/sys/arch/x86/x86/cpu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.