CVS commit: src/share/mk

2018-04-05 Thread matthew green
Module Name:src
Committed By:   mrg
Date:   Thu Apr  5 22:38:58 UTC 2018

Modified Files:
src/share/mk: bsd.own.mk

Log Message:
switch m68000 and m68k to GCC 6.  ok mlelstv.


To generate a diff of this commit:
cvs rdiff -u -r1.1053 -r1.1054 src/share/mk/bsd.own.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/mk/bsd.own.mk
diff -u src/share/mk/bsd.own.mk:1.1053 src/share/mk/bsd.own.mk:1.1054
--- src/share/mk/bsd.own.mk:1.1053	Sun Apr  1 04:35:02 2018
+++ src/share/mk/bsd.own.mk	Thu Apr  5 22:38:58 2018
@@ -1,4 +1,4 @@
-#	$NetBSD: bsd.own.mk,v 1.1053 2018/04/01 04:35:02 ryo Exp $
+#	$NetBSD: bsd.own.mk,v 1.1054 2018/04/05 22:38:58 mrg Exp $
 
 # This needs to be before bsd.init.mk
 .if defined(BSD_MK_COMPAT_FILE)
@@ -68,8 +68,6 @@ MKGCC?=		no
 ${MACHINE_CPU} == "aarch64"
 HAVE_GCC?=	0
 .elif \
-${MACHINE_CPU} == "m68000" || \
-${MACHINE_CPU} == "m68k" || \
 ${MACHINE_CPU} == "vax"
 HAVE_GCC?=	5
 .else



CVS commit: src/share/mk

2018-04-05 Thread matthew green
Module Name:src
Committed By:   mrg
Date:   Thu Apr  5 22:38:58 UTC 2018

Modified Files:
src/share/mk: bsd.own.mk

Log Message:
switch m68000 and m68k to GCC 6.  ok mlelstv.


To generate a diff of this commit:
cvs rdiff -u -r1.1053 -r1.1054 src/share/mk/bsd.own.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.bin/patch

2018-04-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Apr  5 18:50:10 UTC 2018

Modified Files:
src/usr.bin/patch: pch.c

Log Message:
Pass -S to ed(1) so that patches containing ! commands don't run commands.
Real cause of CVE-2018-0492:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/usr.bin/patch/pch.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.bin/patch

2018-04-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Apr  5 18:50:10 UTC 2018

Modified Files:
src/usr.bin/patch: pch.c

Log Message:
Pass -S to ed(1) so that patches containing ! commands don't run commands.
Real cause of CVE-2018-0492:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/usr.bin/patch/pch.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.bin/patch/pch.c
diff -u src/usr.bin/patch/pch.c:1.28 src/usr.bin/patch/pch.c:1.29
--- src/usr.bin/patch/pch.c:1.28	Thu Jul 30 17:47:51 2015
+++ src/usr.bin/patch/pch.c	Thu Apr  5 14:50:10 2018
@@ -1,7 +1,7 @@
 /*
  * $OpenBSD: pch.c,v 1.37 2007/09/02 15:19:33 deraadt Exp $
  * $DragonFly: src/usr.bin/patch/pch.c,v 1.6 2008/08/10 23:35:40 joerg Exp $
- * $NetBSD: pch.c,v 1.28 2015/07/30 21:47:51 christos Exp $
+ * $NetBSD: pch.c,v 1.29 2018/04/05 18:50:10 christos Exp $
  */
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: pch.c,v 1.28 2015/07/30 21:47:51 christos Exp $");
+__RCSID("$NetBSD: pch.c,v 1.29 2018/04/05 18:50:10 christos Exp $");
 
 #include 
 #include 
@@ -1414,8 +1414,8 @@ do_ed_script(void)
 			unlink(TMPOUTNAME);
 			fatal("can't create temp file %s", TMPOUTNAME);
 		}
-		snprintf(buf, buf_len, "%s%s%s", _PATH_ED,
-		verbose ? " " : " -s ", TMPOUTNAME);
+		snprintf(buf, buf_len, "%s -S%s %s", _PATH_ED,
+		verbose ? "" : "s", TMPOUTNAME);
 		pipefp = popen(buf, "w");
 	}
 	for (;;) {
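Review bot: The protection now rests on the ed found at `_PATH_ED` accepting `-S`, and neither the snprintf result nor the `popen` return on the following line is checked, so an ed that rejects the option (an older binary, or a host ed in a cross build) would leave the patch silently unapplied rather than make the run fail; the pclose status handling is outside the hunk and should treat a non-zero ed exit as an error. A one-line comment above the snprintf would record the intent for the next reader: `/* -S: ed refuses the '!' command, so an ed-style patch cannot hand commands to the shell */`. Independently of ed's option set, patch could also refuse any script line that would pass a command to the shell before writing it to the pipe, so the guarantee does not depend on which ed is installed. do_ed_script starts and ends outside the hunk.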



CVS commit: src/bin/ed

2018-04-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Apr  5 18:44:57 UTC 2018

Modified Files:
src/bin/ed: ed.1 main.c

Log Message:
add -S to disable ! commands.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/bin/ed/ed.1
cvs rdiff -u -r1.28 -r1.29 src/bin/ed/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/bin/ed/ed.1
diff -u src/bin/ed/ed.1:1.31 src/bin/ed/ed.1:1.32
--- src/bin/ed/ed.1:1.31	Mon Jul  3 17:33:23 2017
+++ src/bin/ed/ed.1	Thu Apr  5 14:44:57 2018
@@ -1,4 +1,4 @@
-.\"	$NetBSD: ed.1,v 1.31 2017/07/03 21:33:23 wiz Exp $
+.\"	$NetBSD: ed.1,v 1.32 2018/04/05 18:44:57 christos Exp $
 .\"	$OpenBSD: ed.1,v 1.42 2003/07/27 13:25:43 jmc Exp $
 .\"
 .\" Copyright (c) 1993 Andrew Moore, Talke Studio.
@@ -25,7 +25,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd January 23, 2002
+.Dd April 23, 2002
 .Dt ED 1
 .Os
 .Sh NAME
@@ -34,7 +34,7 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl
-.Op Fl Esx
+.Op Fl ESsx
 .Op Fl p Ar string
 .Op Ar file
 .Sh DESCRIPTION
@@ -130,6 +130,12 @@ option (deprecated).
 .It Fl E
 Enables the use of extended regular expressions instead of the basic
 regular expressions that are normally used.
+.It Fl S
+Disables using of the
+.Dq !
+command (execuring a subshell).
+Intended to be used by batch jobs like
+.Xr patch 1 .
 .It Fl p Ar string
 Specifies a command prompt.
 This may be toggled on and off with the
@@ -955,6 +961,7 @@ but any changes to the buffer are lost.
 .Xr sed 1 ,
 .Xr sh 1 ,
 .Xr vi 1 ,
+.Xr patch 1 ,
 .Xr regex 3
 .Pp
 USD:09-10

Index: src/bin/ed/main.c
diff -u src/bin/ed/main.c:1.28 src/bin/ed/main.c:1.29
--- src/bin/ed/main.c:1.28	Wed Mar  2 14:11:28 2016
+++ src/bin/ed/main.c	Thu Apr  5 14:44:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.28 2016/03/02 19:11:28 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.29 2018/04/05 18:44:57 christos Exp $	*/
 
 /* main.c: This file contains the main control and user-interface routines
for the ed line editor. */
@@ -39,7 +39,7 @@ __COPYRIGHT(
 #if 0
 static char *rcsid = "@(#)main.c,v 1.1 1994/02/01 00:34:42 alm Exp";
 #else
-__RCSID("$NetBSD: main.c,v 1.28 2016/03/02 19:11:28 christos Exp $");
+__RCSID("$NetBSD: main.c,v 1.29 2018/04/05 18:44:57 christos Exp $");
 #endif
 #endif /* not lint */
 
@@ -94,6 +94,7 @@ int mutex = 0;			/* if set, signals set 
 int red = 0;			/* if set, restrict shell/directory access */
 int ere = 0;			/* if set, use extended regexes */
 int scripted = 0;		/* if set, suppress diagnostics */
+int secure = 0;			/* is set, ! is not allowed */
 int sigflags = 0;		/* if set, signals received while mutex set */
 int sigactive = 0;		/* if set, signal handlers are enabled */
 
@@ -105,7 +106,7 @@ const char *prompt;			/* command-line pr
 const char *dps = "*";		/* default command-line prompt */
 
 
-static const char usage[] = "Usage: %s [-] [-sxE] [-p string] [name]\n";
+static const char usage[] = "Usage: %s [-] [-ESsx] [-p string] [name]\n";
 
 /* ed: line editor */
 int
@@ -118,7 +119,7 @@ main(int ac, char *av[])
 
 	red = (n = strlen(argv[0])) > 2 && argv[0][n - 3] == 'r';
 top:
-	while ((c = getopt(argc, argv, "p:sxE")) != -1)
+	while ((c = getopt(argc, argv, "p:sxES")) != -1)
 		switch(c) {
 		case 'p':/* set prompt */
 			prompt = optarg;
@@ -137,6 +138,9 @@ top:
 		case 'E':
 			ere = REG_EXTENDED;
 			break;
+		case 'S':/* ! is not allowed */
+			secure = 1;
+			break;
 		default:
 			fprintf(stderr, usage, getprogname());
 			exit(1);
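Review bot: The comment on the new `secure` flag in the declaration hunk above reads `/* is set, ! is not allowed */`, a slip for the "if set, …" form every neighbouring flag uses; suggest `/* if set, the '!' shell command is refused (-S) */`, and the terse `case 'S':/* ! is not allowed */` here could say the same. The same commit's ed.1 text carries similar slips ("Disables using of the", "execuring") and sets `.Dd April 23, 2002` where the current date was presumably intended. `secure` is also a non-static file-scope global; if no other translation unit needs it, `static` would keep it out of the global namespace. main's body continues outside the hunk.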
@@ -861,6 +865,10 @@ exec_command(void)
 		printf("%ld\n", addr_cnt ? second_addr : addr_last);
 		break;
 	case '!':
+		if (secure) {
+			seterrmsg("'!' not allowed");
+			return ERR;
+		}
 		if (addr_cnt > 0) {
 			seterrmsg("unexpected address");
 			return ERR;
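Review bot: The new `secure` guard covers only the bare `!` command in exec_command; ed also accepts a shell command as the file argument of the `e`, `r` and `w` commands, and that filename path (the one `red` already restricts, outside this hunk) is not touched here, so `-S` does not yet deliver what the ed.1 text promises. The same `if (secure) { seterrmsg("'!' not allowed"); return ERR; }` test belongs wherever a filename beginning with `!` is accepted, so that a caller such as patch(1) can rely on `-S` alone. exec_command starts and ends outside the hunk.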



CVS commit: src/bin/ed

2018-04-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Apr  5 18:44:57 UTC 2018

Modified Files:
src/bin/ed: ed.1 main.c

Log Message:
add -S to disable ! commands.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/bin/ed/ed.1
cvs rdiff -u -r1.28 -r1.29 src/bin/ed/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Re: CVS commit: src/usr.bin/make

2018-04-05 Thread David Holland
On Wed, Apr 04, 2018 at 08:31:11PM -0400, Christos Zoulas wrote:
 > Module Name: src
 > Committed By:christos
 > Date:Thu Apr  5 00:31:11 UTC 2018
 > 
 > Modified Files:
 >  src/usr.bin/make: parse.c
 > 
 > Log Message:
 > Be more selective about detecting a SYSV include as opposed to a dependency
 > line. Dependency lines should contain a '::' operator or ':'.

This is wrong: it's perfectly legal to write "foo.o:foo.c".

It needs to scan for variables, or at least not look inside matching
sets of () {}.

-- 
David A. Holland
dholl...@netbsd.org


CVS commit: [netbsd-8] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 18:18:00 UTC 2018

Modified Files:
src/doc [netbsd-8]: CHANGES-8.0

Log Message:
Ticket #696


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.164 -r1.1.2.165 src/doc/CHANGES-8.0

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 18:18:00 UTC 2018

Modified Files:
src/doc [netbsd-8]: CHANGES-8.0

Log Message:
Ticket #696


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.164 -r1.1.2.165 src/doc/CHANGES-8.0

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-8.0
diff -u src/doc/CHANGES-8.0:1.1.2.164 src/doc/CHANGES-8.0:1.1.2.165
--- src/doc/CHANGES-8.0:1.1.2.164	Thu Apr  5 14:42:36 2018
+++ src/doc/CHANGES-8.0	Thu Apr  5 18:18:00 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-8.0,v 1.1.2.164 2018/04/05 14:42:36 martin Exp $
+# $NetBSD: CHANGES-8.0,v 1.1.2.165 2018/04/05 18:18:00 martin Exp $
 
 A complete list of changes from the initial NetBSD 8.0 branch on 2017-06-04
 until the 8.0 release:
@@ -10907,6 +10907,22 @@ sys/sys/mbuf.h	1.179
 	Remove M_PKTHDR from secondary mbufs when reassembling packets.
 	[maxv, ticket #695]
 
+sys/arch/amd64/amd64/db_interface.c		1.33 (patch)
+sys/arch/amd64/amd64/spl.S			1.34 (patch)
+sys/arch/amd64/amd64/vector.S			1.62 (patch)
+sys/arch/i386/i386/db_interface.c		1.82 (patch)
+sys/arch/i386/i386/machdep.c			1.805 (patch)
+sys/arch/i386/i386/spl.S			1.43 (patch)
+sys/arch/i386/i386/vector.S			1.77
+sys/arch/x86/include/intr.h			1.55
+sys/arch/x86/x86/intr.c1.125
+sys/arch/x86/x86/lapic.c			1.66 (patch)
+
+	Rename the DDB IPI IDT vectors for consistency.
+	Rename Xpreempt{recurse,resume} -> X{recurse,resume}_preempt
+	so that they fit the pattern.
+	[christos, ticket #696]
+
 sys/net/route.c	1.208
 
 	Kill remaining rt->rt_refcnt++



CVS commit: [netbsd-8] src/sys/arch

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 18:15:03 UTC 2018

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-8]: db_interface.c spl.S vector.S
src/sys/arch/i386/i386 [netbsd-8]: db_interface.c machdep.c spl.S
vector.S
src/sys/arch/x86/include [netbsd-8]: intr.h
src/sys/arch/x86/x86 [netbsd-8]: intr.c lapic.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #696):

sys/arch/amd64/amd64/vector.S: revision 1.62 (patch)
sys/arch/x86/include/intr.h: revision 1.55
sys/arch/i386/i386/vector.S: revision 1.77
sys/arch/i386/i386/db_interface.c: revision 1.82 (patch)
sys/arch/amd64/amd64/spl.S: revision 1.34 (patch)
sys/arch/amd64/amd64/db_interface.c: revision 1.33 (patch)
sys/arch/x86/x86/intr.c: revision 1.125
sys/arch/i386/i386/spl.S: revision 1.43 (patch)
sys/arch/i386/i386/machdep.c: revision 1.805 (patch)
sys/arch/x86/x86/lapic.c: revision 1.66 (patch)

Rename the DDB IPI IDT vectors for consistency. ok maxv@

Rename Xpreempt{recurse,resume} -> X{recurse,resume}_preempt so that
they fit the pattern. Also the debugger trap sniffer matches them
without adding special entries...

XXX: pullup-8.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.2.1 src/sys/arch/amd64/amd64/db_interface.c
cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/arch/amd64/amd64/spl.S
cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/arch/amd64/amd64/vector.S
cvs rdiff -u -r1.72 -r1.72.2.1 src/sys/arch/i386/i386/db_interface.c
cvs rdiff -u -r1.782.6.4 -r1.782.6.5 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.40 -r1.40.22.1 src/sys/arch/i386/i386/spl.S
cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/arch/i386/i386/vector.S
cvs rdiff -u -r1.50.2.1 -r1.50.2.2 src/sys/arch/x86/include/intr.h
cvs rdiff -u -r1.101.2.4 -r1.101.2.5 src/sys/arch/x86/x86/intr.c
cvs rdiff -u -r1.58.2.4 -r1.58.2.5 src/sys/arch/x86/x86/lapic.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/db_interface.c
diff -u src/sys/arch/amd64/amd64/db_interface.c:1.25 src/sys/arch/amd64/amd64/db_interface.c:1.25.2.1
--- src/sys/arch/amd64/amd64/db_interface.c:1.25	Tue May 23 08:54:38 2017
+++ src/sys/arch/amd64/amd64/db_interface.c	Thu Apr  5 18:15:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: db_interface.c,v 1.25 2017/05/23 08:54:38 nonaka Exp $	*/
+/*	$NetBSD: db_interface.c,v 1.25.2.1 2018/04/05 18:15:02 martin Exp $	*/
 
 /*
  * Mach Operating System
@@ -33,7 +33,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: db_interface.c,v 1.25 2017/05/23 08:54:38 nonaka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: db_interface.c,v 1.25.2.1 2018/04/05 18:15:02 martin Exp $");
 
 #include "opt_ddb.h"
 #include "opt_multiprocessor.h"
@@ -95,7 +95,7 @@ static bool ddb_mp_online;
 int ddb_cpu = NOCPU;
 
 typedef void (vector)(void);
-extern vector Xintrddb, Xx2apic_intrddb;
+extern vector Xintr_ddbipi, Xintr_x2apic_ddbipi;
 
 void
 db_machine_init(void)
@@ -103,10 +103,10 @@ db_machine_init(void)
 
 #ifdef MULTIPROCESSOR
 #ifndef XEN
-	vector *handler = 
+	vector *handler = _ddbipi;
 #if NLAPIC > 0
 	if (lapic_is_x2apic())
-		handler = _intrddb;
+		handler = _x2apic_ddbipi;
 #endif
 	ddb_vec = idt_vec_alloc(0xf0, 0xff);
 	setgate([ddb_vec], handler, 1, SDT_SYS386IGT, SEL_KPL,

Index: src/sys/arch/amd64/amd64/spl.S
diff -u src/sys/arch/amd64/amd64/spl.S:1.30 src/sys/arch/amd64/amd64/spl.S:1.30.10.1
--- src/sys/arch/amd64/amd64/spl.S:1.30	Sun Nov 22 13:41:24 2015
+++ src/sys/arch/amd64/amd64/spl.S	Thu Apr  5 18:15:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: spl.S,v 1.30 2015/11/22 13:41:24 maxv Exp $	*/
+/*	$NetBSD: spl.S,v 1.30.10.1 2018/04/05 18:15:02 martin Exp $	*/
 
 /*
  * Copyright (c) 2003 Wasabi Systems, Inc.
@@ -116,7 +116,7 @@ IDTVEC(softintr)
 	popq	%r15			/* unwind switchframe */
 	addq	$(5 * 8),%rsp
 	jmp	*%r13			/* back to Xspllower/Xdoreti */
-END(Xsoftintr)
+IDTVEC_END(softintr)
 
 /*
  * softintr_ret()
@@ -145,25 +145,25 @@ END(softint_trigger)
 
 
 /*
- * Xpreemptrecurse()
+ * Xrecurse_preempt()
  *
  * Handles preemption interrupts via Xspllower().
  */
-IDTVEC(preemptrecurse)
+IDTVEC(recurse_preempt)
 	movl	$IPL_PREEMPT, CPUVAR(ILEVEL)
 	sti
 	xorq	%rdi, %rdi
 	call	_C_LABEL(kpreempt)
 	cli
 	jmp	*%r13			/* back to Xspllower */
-END(Xpreemptrecurse)
+IDTVEC_END(recurse_preempt)
 
 /*
- * Xpreemptresume()
+ * Xresume_preempt()
  *
  * Handles preemption interrupts via Xdoreti().
  */
-IDTVEC(preemptresume)
+IDTVEC(resume_preempt)
 	movl	$IPL_PREEMPT, CPUVAR(ILEVEL)
 	sti
 	testq	$SEL_RPL, TF_CS(%rsp)
@@ -176,7 +176,7 @@ IDTVEC(preemptresume)
 	call	_C_LABEL(preempt)		# from user
 	cli
 	jmp	*%r13			/* back to Xdoreti */
-END(Xpreemptresume)
+IDTVEC_END(resume_preempt)
 
 /*
  * int splraise(int s);
@@ -300,7 +300,7 @@ IDTVEC(spllower)
 	popq	%r13
 	popq	%rbx
 	ret
-END(Xspllower)
+IDTVEC_END(spllower)
 
 /*
  

CVS commit: [netbsd-8] src/sys/arch

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 18:15:03 UTC 2018

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-8]: db_interface.c spl.S vector.S
src/sys/arch/i386/i386 [netbsd-8]: db_interface.c machdep.c spl.S
vector.S
src/sys/arch/x86/include [netbsd-8]: intr.h
src/sys/arch/x86/x86 [netbsd-8]: intr.c lapic.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #696):

sys/arch/amd64/amd64/vector.S: revision 1.62 (patch)
sys/arch/x86/include/intr.h: revision 1.55
sys/arch/i386/i386/vector.S: revision 1.77
sys/arch/i386/i386/db_interface.c: revision 1.82 (patch)
sys/arch/amd64/amd64/spl.S: revision 1.34 (patch)
sys/arch/amd64/amd64/db_interface.c: revision 1.33 (patch)
sys/arch/x86/x86/intr.c: revision 1.125
sys/arch/i386/i386/spl.S: revision 1.43 (patch)
sys/arch/i386/i386/machdep.c: revision 1.805 (patch)
sys/arch/x86/x86/lapic.c: revision 1.66 (patch)

Rename the DDB IPI IDT vectors for consistency. ok maxv@

Rename Xpreempt{recurse,resume} -> X{recurse,resume}_preempt so that
they fit the pattern. Also the debugger trap sniffer matches them
without adding special entries...

XXX: pullup-8.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.2.1 src/sys/arch/amd64/amd64/db_interface.c
cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/arch/amd64/amd64/spl.S
cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/arch/amd64/amd64/vector.S
cvs rdiff -u -r1.72 -r1.72.2.1 src/sys/arch/i386/i386/db_interface.c
cvs rdiff -u -r1.782.6.4 -r1.782.6.5 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.40 -r1.40.22.1 src/sys/arch/i386/i386/spl.S
cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/arch/i386/i386/vector.S
cvs rdiff -u -r1.50.2.1 -r1.50.2.2 src/sys/arch/x86/include/intr.h
cvs rdiff -u -r1.101.2.4 -r1.101.2.5 src/sys/arch/x86/x86/intr.c
cvs rdiff -u -r1.58.2.4 -r1.58.2.5 src/sys/arch/x86/x86/lapic.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.bin/make

2018-04-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Apr  5 16:31:54 UTC 2018

Modified Files:
src/usr.bin/make: parse.c

Log Message:
Appease the compiler gods; yes I know what I am doing adding to a literal
string.


To generate a diff of this commit:
cvs rdiff -u -r1.228 -r1.229 src/usr.bin/make/parse.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.bin/make

2018-04-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Apr  5 16:31:54 UTC 2018

Modified Files:
src/usr.bin/make: parse.c

Log Message:
Appease the compiler gods; yes I know what I am doing adding to a literal
string.


To generate a diff of this commit:
cvs rdiff -u -r1.228 -r1.229 src/usr.bin/make/parse.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.bin/make/parse.c
diff -u src/usr.bin/make/parse.c:1.228 src/usr.bin/make/parse.c:1.229
--- src/usr.bin/make/parse.c:1.228	Wed Apr  4 20:31:10 2018
+++ src/usr.bin/make/parse.c	Thu Apr  5 12:31:54 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.c,v 1.228 2018/04/05 00:31:10 christos Exp $	*/
+/*	$NetBSD: parse.c,v 1.229 2018/04/05 16:31:54 christos Exp $	*/
 
 /*
  * Copyright (c) 1988, 1989, 1990, 1993
@@ -69,14 +69,14 @@
  */
 
 #ifndef MAKE_NATIVE
-static char rcsid[] = "$NetBSD: parse.c,v 1.228 2018/04/05 00:31:10 christos Exp $";
+static char rcsid[] = "$NetBSD: parse.c,v 1.229 2018/04/05 16:31:54 christos Exp $";
 #else
 #include 
 #ifndef lint
 #if 0
 static char sccsid[] = "@(#)parse.c	8.3 (Berkeley) 3/19/94";
 #else
-__RCSID("$NetBSD: parse.c,v 1.228 2018/04/05 00:31:10 christos Exp $");
+__RCSID("$NetBSD: parse.c,v 1.229 2018/04/05 16:31:54 christos Exp $");
 #endif
 #endif /* not lint */
 #endif
@@ -2521,7 +2521,7 @@ IsInclude(const char *line, Boolean sysv
 	static const size_t inclen = sizeof(inc) - 1;
 
 	// 'd' is not valid for sysv
-	int o = strchr("ds-" + sysv, *line) != NULL;
+	int o = strchr(&("ds-"[sysv]), *line) != NULL;
 
 	if (strncmp(line + o, inc, inclen) != 0)
 		return FALSE;
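Review bot: `strchr(&("ds-"[sysv]), *line)` still matches when `*line` is `'\0'`, because strchr finds the terminator, so an empty line yields `o == 1` and the strncmp on the next line then starts one past the string's end; whether callers can hand IsInclude an exhausted line is not visible here, but the guard is cheap: `int o = *line != '\0' && strchr(&("ds-"[sysv]), *line) != NULL;`. The new expression is equivalent to the old `"ds-" + sysv` and only quiets the warning, which a short comment such as `/* &("ds-"[sysv]) == "ds-" + sysv, spelled to avoid the string+int warning */` could say. IsInclude starts and ends outside the hunk.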



CVS commit: src/sys/arch/x86/x86

2018-04-05 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Apr  5 15:04:29 UTC 2018

Modified Files:
src/sys/arch/x86/x86: spectre.c

Log Message:
Set the "method" string at boot time too.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/arch/x86/x86/spectre.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/spectre.c
diff -u src/sys/arch/x86/x86/spectre.c:1.9 src/sys/arch/x86/x86/spectre.c:1.10
--- src/sys/arch/x86/x86/spectre.c:1.9	Wed Apr  4 16:23:27 2018
+++ src/sys/arch/x86/x86/spectre.c	Thu Apr  5 15:04:29 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: spectre.c,v 1.9 2018/04/04 16:23:27 maxv Exp $	*/
+/*	$NetBSD: spectre.c,v 1.10 2018/04/05 15:04:29 maxv Exp $	*/
 
 /*
  * Copyright (c) 2018 NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: spectre.c,v 1.9 2018/04/04 16:23:27 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: spectre.c,v 1.10 2018/04/05 15:04:29 maxv Exp $");
 
 #include 
 #include 
@@ -85,6 +85,29 @@ speculation_barrier(struct lwp *oldlwp, 
 }
 
 static void
+speculation_set_name(void)
+{
+	const char *name;
+
+	if (!spec_mitigation_enabled) {
+		name = "(none)";
+	} else {
+		switch (mitigation_method) {
+		case MITIGATION_AMD_DIS_IND:
+			name = "AMD DIS_IND";
+			break;
+		case MITIGATION_INTEL_IBRS:
+			name = "Intel IBRS";
+			break;
+		default:
+			panic("%s: impossible", __func__);
+		}
+	}
+	strlcpy(spec_mitigation_name, name,
+	sizeof(spec_mitigation_name));
+}
+
+static void
 speculation_detect_method(void)
 {
 	struct cpu_info *ci = curcpu();
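Review bot: `speculation_set_name` has no header comment and its contract is not obvious: it reads `spec_mitigation_enabled` and `mitigation_method` and overwrites `spec_mitigation_name`, and the switch has no `MITIGATION_NONE` arm, so enabled-with-no-method now panics where the replaced code in mitigation_change silently labelled it "Intel IBRS". Suggest `/* Publish the name of the active mitigation in spec_mitigation_name; spec_mitigation_enabled must not be set while mitigation_method is MITIGATION_NONE. */` above the definition. The `strlcpy` return is unchecked, which is fine only while every name fits the buffer; a KASSERT on the returned length would document that assumption.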
@@ -270,7 +293,6 @@ mitigation_change(bool enabled)
 	struct cpu_info *ci = NULL;
 	CPU_INFO_ITERATOR cii;
 	uint64_t xc;
-	const char *name;
 
 	speculation_detect_method();
 
@@ -308,17 +330,7 @@ mitigation_change(bool enabled)
 		printf(" done!\n");
 		spec_mitigation_enabled = enabled;
 		mutex_exit(_lock);
-
-		if (!enabled) {
-			name = "(none)";
-		} else if (mitigation_method == MITIGATION_AMD_DIS_IND) {
-			name = "AMD DIS_IND";
-		} else {
-			name = "Intel IBRS";
-		}
-		strlcpy(spec_mitigation_name, name,
-		sizeof(spec_mitigation_name));
-
+		speculation_set_name();
 		return 0;
 	default:
 		panic("impossible");
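Review bot: `speculation_set_name()` is called after the `mutex_exit` on the line above it, so the name is rewritten outside the lock that covered the `spec_mitigation_enabled` update, leaving a window in which a reader sees the new enabled state with the old name (and possibly a strlcpy in progress, if the sysctl reader does not take the same lock — not visible here). The previous code had the same ordering; now that the update is a single call, moving `speculation_set_name();` above `mutex_exit` closes the window at no cost. mitigation_change starts and ends outside the hunk.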
@@ -336,6 +348,7 @@ cpu_speculation_init(struct cpu_info *ci
 		speculation_detect_method();
 		spec_mitigation_enabled =
 		(mitigation_method != MITIGATION_NONE);
+		speculation_set_name();
 	}
 
 	if (mitigation_method != MITIGATION_NONE) {



CVS commit: src/sys/arch/x86/x86

2018-04-05 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Apr  5 15:04:29 UTC 2018

Modified Files:
src/sys/arch/x86/x86: spectre.c

Log Message:
Set the "method" string at boot time too.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/arch/x86/x86/spectre.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 14:42:36 UTC 2018

Modified Files:
src/doc [netbsd-8]: CHANGES-8.0

Log Message:
Tickets #694, #695, and #697


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.163 -r1.1.2.164 src/doc/CHANGES-8.0

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-8.0
diff -u src/doc/CHANGES-8.0:1.1.2.163 src/doc/CHANGES-8.0:1.1.2.164
--- src/doc/CHANGES-8.0:1.1.2.163	Wed Apr  4 16:42:03 2018
+++ src/doc/CHANGES-8.0	Thu Apr  5 14:42:36 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-8.0,v 1.1.2.163 2018/04/04 16:42:03 martin Exp $
+# $NetBSD: CHANGES-8.0,v 1.1.2.164 2018/04/05 14:42:36 martin Exp $
 
 A complete list of changes from the initial NetBSD 8.0 branch on 2017-06-04
 until the 8.0 release:
@@ -10889,3 +10889,26 @@ sys/net/npf/npf.h1.55
 	to bypass a certain number of filtering rules.
 	[maxv, ticket #693]
 
+sys/net/if_etherip.c1.41,1.42
+sys/netinet/ip_etherip.c			1.21
+sys/netinet6/ip6_etherip.c			1.22
+
+	Don't call if_attach, do if_initialize+if_register instead.
+	Style, and do not add M_PKTHDR again, instead assert that it
+	is already there.
+	Add a missing NULL check after m_pullup.
+	[maxv, ticket #694]
+
+sys/kern/uipc_mbuf.c1.182
+sys/netinet/ip_reass.c1.14
+sys/netinet6/frag6.c1.67
+sys/sys/mbuf.h	1.179
+
+	Remove M_PKTHDR from secondary mbufs when reassembling packets.
+	[maxv, ticket #695]
+
+sys/net/route.c	1.208
+
+	Kill remaining rt->rt_refcnt++
+	[ozaki-r, ticket #697]
+



CVS commit: [netbsd-8] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 14:42:36 UTC 2018

Modified Files:
src/doc [netbsd-8]: CHANGES-8.0

Log Message:
Tickets #694, #695, and #697


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.163 -r1.1.2.164 src/doc/CHANGES-8.0

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/net

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 14:41:07 UTC 2018

Modified Files:
src/sys/net [netbsd-8]: route.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #697):

sys/net/route.c: revision 1.208

Kill remaining rt->rt_refcnt++


To generate a diff of this commit:
cvs rdiff -u -r1.194.6.7 -r1.194.6.8 src/sys/net/route.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/net

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 14:41:07 UTC 2018

Modified Files:
src/sys/net [netbsd-8]: route.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #697):

sys/net/route.c: revision 1.208

Kill remaining rt->rt_refcnt++


To generate a diff of this commit:
cvs rdiff -u -r1.194.6.7 -r1.194.6.8 src/sys/net/route.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/route.c
diff -u src/sys/net/route.c:1.194.6.7 src/sys/net/route.c:1.194.6.8
--- src/sys/net/route.c:1.194.6.7	Tue Mar 13 13:27:10 2018
+++ src/sys/net/route.c	Thu Apr  5 14:41:07 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: route.c,v 1.194.6.7 2018/03/13 13:27:10 martin Exp $	*/
+/*	$NetBSD: route.c,v 1.194.6.8 2018/04/05 14:41:07 martin Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
 #endif
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.194.6.7 2018/03/13 13:27:10 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.194.6.8 2018/04/05 14:41:07 martin Exp $");
 
 #include 
 #ifdef RTFLUSH_DEBUG
@@ -2124,7 +2124,7 @@ rt_delete_matched_entries(sa_family_t fa
 			RT_UNLOCK();
 			return;
 		}
-		rt->rt_refcnt++;
+		rt_ref(rt);
 		splx(s);
 		RT_UNLOCK();
 



CVS commit: [netbsd-8] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 14:33:42 UTC 2018

Modified Files:
src/sys/kern [netbsd-8]: uipc_mbuf.c
src/sys/netinet [netbsd-8]: ip_reass.c
src/sys/netinet6 [netbsd-8]: frag6.c
src/sys/sys [netbsd-8]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #695):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.172.6.1 -r1.172.6.2 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.11.8.1 -r1.11.8.2 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.60.6.3 -r1.60.6.4 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.170.2.2 -r1.170.2.3 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 14:33:42 UTC 2018

Modified Files:
src/sys/kern [netbsd-8]: uipc_mbuf.c
src/sys/netinet [netbsd-8]: ip_reass.c
src/sys/netinet6 [netbsd-8]: frag6.c
src/sys/sys [netbsd-8]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #695):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.172.6.1 -r1.172.6.2 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.11.8.1 -r1.11.8.2 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.60.6.3 -r1.60.6.4 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.170.2.2 -r1.170.2.3 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.172.6.1 src/sys/kern/uipc_mbuf.c:1.172.6.2
--- src/sys/kern/uipc_mbuf.c:1.172.6.1	Tue Feb 27 09:07:32 2018
+++ src/sys/kern/uipc_mbuf.c	Thu Apr  5 14:33:41 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.172.6.1 2018/02/27 09:07:32 martin Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.172.6.2 2018/04/05 14:33:41 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.172.6.1 2018/02/27 09:07:32 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.172.6.2 2018/04/05 14:33:41 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mbuftrace.h"
@@ -455,6 +455,16 @@ mb_ctor(void *arg, void *object, int fla
 	return (0);
 }
 
+void
+m_pkthdr_remove(struct mbuf *m)
+{
+	KASSERT(m->m_flags & M_PKTHDR);
+
+	m_tag_delete_chain(m, NULL);
+	m->m_flags &= ~M_PKTHDR;
+	memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));
+}
+
 /*
  * Add mbuf to the end of a chain
  */
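Review bot: m_pkthdr_remove() is a new kernel-wide helper with no comment stating its contract, and the precondition it only KASSERTs matters to every caller: the mbuf must carry M_PKTHDR, its tag chain is freed, and m_pkthdr is zeroed so stale header metadata such as m_pkthdr.len can no longer be read through a secondary mbuf. Suggest a header comment above the definition: `/* Strip the packet header from a secondary mbuf of a chain: free its tags, clear M_PKTHDR and zero m_pkthdr. The caller guarantees M_PKTHDR is set. */`. As rendered in this archive the `&` has been dropped from `memset(&m->m_pkthdr, 0, sizeof(m->m_pkthdr));`. The identical hunk recurs in the netbsd-7-0, netbsd-7-1 and netbsd-7 pull-ups further down this page.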

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.11.8.1 src/sys/netinet/ip_reass.c:1.11.8.2
--- src/sys/netinet/ip_reass.c:1.11.8.1	Fri Mar 30 11:10:14 2018
+++ src/sys/netinet/ip_reass.c	Thu Apr  5 14:33:41 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.11.8.2 2018/04/05 14:33:41 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.2 2018/04/05 14:33:41 martin Exp $");
 
 #include 
 #include 
@@ -389,6 +389,7 @@ insert:
 		t = q->ipqe_m;
 		nq = TAILQ_NEXT(q, ipqe_q);
 		pool_cache_put(ipfren_cache, q);
+		m_pkthdr_remove(t);
 		m_cat(m, t);
 	}
 
@@ -406,7 +407,8 @@ insert:
 	m->m_data -= (ip->ip_hl << 2);
 
 	/* Fix up mbuf.  XXX This should be done elsewhere. */
-	if (m->m_flags & M_PKTHDR) {
+	{
+		KASSERT(m->m_flags & M_PKTHDR);
 		int plen = 0;
 		for (t = m; t; t = t->m_next) {
 			plen += t->m_len;
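Review bot: Replacing `if (m->m_flags & M_PKTHDR) {` with a bare block and `KASSERT(m->m_flags & M_PKTHDR);` turns a runtime guard into a DIAGNOSTIC-only check, so a kernel built without DIAGNOSTIC would now write m_pkthdr.len into the head mbuf even if it had no packet header. That is fine only if the first fragment is guaranteed to carry M_PKTHDR on every path into this code, which is plausible for input mbufs but cannot be confirmed from the hunk; ip_reass starts and ends outside it. The `m_pkthdr_remove(t);` added in the previous hunk has the same dependency, since it asserts M_PKTHDR on every queued fragment before `m_cat`. A one-line comment on the bare block would help the next reader, e.g. `/* The head of the chain always has M_PKTHDR; the other fragments had theirs removed above. */`. The same two hunks recur in the netbsd-7-0, netbsd-7-1 and netbsd-7 pull-ups below.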

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.60.6.3 src/sys/netinet6/frag6.c:1.60.6.4
--- src/sys/netinet6/frag6.c:1.60.6.3	Fri Mar 30 11:19:45 2018
+++ src/sys/netinet6/frag6.c	Thu Apr  5 14:33:41 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.60.6.3 2018/03/30 11:19:45 martin Exp $	*/
+/*	$NetBSD: frag6.c,v 1.60.6.4 2018/04/05 14:33:41 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.3 2018/03/30 11:19:45 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.4 2018/04/05 14:33:41 martin Exp $");
 
 #ifdef _KERNEL_OPT

CVS commit: [netbsd-8] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 14:31:19 UTC 2018

Modified Files:
src/sys/net [netbsd-8]: if_etherip.c
src/sys/netinet [netbsd-8]: ip_etherip.c
src/sys/netinet6 [netbsd-8]: ip6_etherip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #694):

sys/netinet6/ip6_etherip.c: revision 1.22
sys/net/if_etherip.c: revision 1.41
sys/net/if_etherip.c: revision 1.42
sys/netinet/ip_etherip.c: revision 1.21

Don't call if_attach, do if_initialize+if_register, otherwise when an
EtherIP packet is received the first KASSERT in if_input() fires.

A few fixes:
 * Style.
 * Don't add M_PKTHDR manually, that's absolutely forbidden. Add a
   KASSERT to make sure it's already there.
 * Add a missing NULL check after m_pullup.


To generate a diff of this commit:
cvs rdiff -u -r1.38.10.2 -r1.38.10.3 src/sys/net/if_etherip.c
cvs rdiff -u -r1.20 -r1.20.8.1 src/sys/netinet/ip_etherip.c
cvs rdiff -u -r1.21 -r1.21.8.1 src/sys/netinet6/ip6_etherip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 14:31:19 UTC 2018

Modified Files:
src/sys/net [netbsd-8]: if_etherip.c
src/sys/netinet [netbsd-8]: ip_etherip.c
src/sys/netinet6 [netbsd-8]: ip6_etherip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #694):

sys/netinet6/ip6_etherip.c: revision 1.22
sys/net/if_etherip.c: revision 1.41
sys/net/if_etherip.c: revision 1.42
sys/netinet/ip_etherip.c: revision 1.21

Don't call if_attach, do if_initialize+if_register, otherwise when an
EtherIP packet is received the first KASSERT in if_input() fires.

A few fixes:
 * Style.
 * Don't add M_PKTHDR manually, that's absolutely forbidden. Add a
   KASSERT to make sure it's already there.
 * Add a missing NULL check after m_pullup.


To generate a diff of this commit:
cvs rdiff -u -r1.38.10.2 -r1.38.10.3 src/sys/net/if_etherip.c
cvs rdiff -u -r1.20 -r1.20.8.1 src/sys/netinet/ip_etherip.c
cvs rdiff -u -r1.21 -r1.21.8.1 src/sys/netinet6/ip6_etherip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_etherip.c
diff -u src/sys/net/if_etherip.c:1.38.10.2 src/sys/net/if_etherip.c:1.38.10.3
--- src/sys/net/if_etherip.c:1.38.10.2	Tue Jan  2 10:20:33 2018
+++ src/sys/net/if_etherip.c	Thu Apr  5 14:31:19 2018
@@ -1,4 +1,4 @@
-/*  $NetBSD: if_etherip.c,v 1.38.10.2 2018/01/02 10:20:33 snj Exp $*/
+/*  $NetBSD: if_etherip.c,v 1.38.10.3 2018/04/05 14:31:19 martin Exp $*/
 
 /*
  *  Copyright (c) 2006, Hans Rosenfeld 
@@ -27,8 +27,9 @@
  *  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  *  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  *  SUCH DAMAGE.
- *
- *
+ */
+
+/*
  *  Copyright (c) 2003, 2004, 2008 The NetBSD Foundation.
  *  All rights reserved.
  *
@@ -55,9 +56,9 @@
  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  *  POSSIBILITY OF SUCH DAMAGE.
- *
- *
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ */
+
+/* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -86,7 +87,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_etherip.c,v 1.38.10.2 2018/01/02 10:20:33 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_etherip.c,v 1.38.10.3 2018/04/05 14:31:19 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -227,7 +228,7 @@ etherip_attach(device_t parent, device_t
 	memcpy(enaddr+3, (uint8_t *), 3);
 
 	aprint_verbose_dev(self, "Ethernet address %s\n",
-		   ether_snprintf(enaddrstr, sizeof(enaddrstr), enaddr));
+	ether_snprintf(enaddrstr, sizeof(enaddrstr), enaddr));
 
 	/*
 	 * Why 1000baseT? Why not? You can add more.
@@ -266,14 +267,15 @@ etherip_attach(device_t parent, device_t
 	 * Those steps are mandatory for an Ethernet driver, the first call
 	 * being common to all network interface drivers.
 	 */
-	error = if_attach(ifp);
+	error = if_initialize(ifp);
 	if (error != 0) {
-		aprint_error_dev(self, "if_attach failed(%d)\n", error);
+		aprint_error_dev(self, "if_initialize failed(%d)\n", error);
 		ifmedia_delete_instance(>sc_im, IFM_INST_ANY);
 		pmf_device_deregister(self);
 		return;
 	}
 	ether_ifattach(ifp, enaddr);
+	if_register(ifp);
 
 	/*
 	 * Add a sysctl node for that interface.
@@ -362,7 +364,7 @@ etherip_start(struct ifnet *ifp)
 {
 	struct etherip_softc *sc = ifp->if_softc;
 
-	if(sc->sc_si)
+	if (sc->sc_si)
 		softint_schedule(sc->sc_si);
 }
 
@@ -399,10 +401,14 @@ etheripintr(void *arg)
 break;
 #endif
 			default:
+/* impossible */
+m_freem(m);
 error = ENETDOWN;
 			}
 			ifp->if_flags &= ~IFF_OACTIVE;
-		} else  m_freem(m);
+		} else {
+			m_freem(m);
+		}
 	}
 	mutex_exit(softnet_lock);
 	__USE(error);
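Review bot: The added `/* impossible */` comment does not say what is impossible, yet the `default:` arm it sits in is exactly where the old code appears to have leaked the mbuf (it set `error = ENETDOWN` without freeing `m`), so the reason deserves stating. Suggest `/* no other address family is compiled in; drop the packet rather than leak it */` in place of `/* impossible */`. The `__USE(error);` at the end indicates `error` is only assigned in this loop; whether the assignment can go too depends on the rest of etheripintr, which lies outside this hunk.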

Index: src/sys/netinet/ip_etherip.c
diff -u src/sys/netinet/ip_etherip.c:1.20 src/sys/netinet/ip_etherip.c:1.20.8.1
--- src/sys/netinet/ip_etherip.c:1.20	Wed Jan 11 13:08:29 2017
+++ src/sys/netinet/ip_etherip.c	Thu Apr  5 14:31:19 2018
@@ -1,4 +1,4 @@
-/*  $NetBSD: ip_etherip.c,v 1.20 2017/01/11 13:08:29 ozaki-r Exp $*/
+/*  $NetBSD: ip_etherip.c,v 1.20.8.1 2018/04/05 14:31:19 martin Exp $*/
 
 /*
  *  Copyright (c) 2006, Hans Rosenfeld 
@@ -27,8 +27,9 @@
  *  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  *  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  *  SUCH DAMAGE.
- *
- *
+ */
+
+/*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
  *
@@ -58,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_etherip.c,v 1.20 2017/01/11 13:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, 

CVS commit: src/sys/arch/x86/x86

2018-04-05 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Apr  5 14:14:27 UTC 2018

Modified Files:
src/sys/arch/x86/x86: dbregs.c

Log Message:
Hum, don't let userland set bit 13, because this can crash the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/arch/x86/x86/dbregs.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/sys/arch/x86/x86

2018-04-05 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Apr  5 14:14:27 UTC 2018

Modified Files:
src/sys/arch/x86/x86: dbregs.c

Log Message:
Hum, don't let userland set bit 13, because this can crash the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/arch/x86/x86/dbregs.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/dbregs.c
diff -u src/sys/arch/x86/x86/dbregs.c:1.7 src/sys/arch/x86/x86/dbregs.c:1.8
--- src/sys/arch/x86/x86/dbregs.c:1.7	Thu Apr  5 14:11:20 2018
+++ src/sys/arch/x86/x86/dbregs.c	Thu Apr  5 14:14:27 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: dbregs.c,v 1.7 2018/04/05 14:11:20 maxv Exp $	*/
+/*	$NetBSD: dbregs.c,v 1.8 2018/04/05 14:14:27 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2016 The NetBSD Foundation, Inc.
@@ -191,6 +191,9 @@ x86_dbregs_validate(const struct dbreg *
 		if (regs->dr[i] >= (vaddr_t)VM_MAXUSER_ADDRESS)
 			return EINVAL;
 
+	if (regs->dr[7] & X86_DR7_GENERAL_DETECT_ENABLE)
+		return EINVAL;
+
 	/*
 	 * Skip checks for reserved registers (DR4-DR5, DR8-DR15).
 	 *
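Review bot: The new DR7 check rejects X86_DR7_GENERAL_DETECT_ENABLE without a comment, and the log message only says it can crash the kernel, so a later cleanup could easily relax it. Suggest above the check: `/* GD (bit 13) makes any access to the debug registers, including the kernel's own, raise #DB, so userland must never be allowed to set it. */`. Whether other DR7 bits that userland should not control need the same treatment cannot be decided from this hunk; x86_dbregs_validate continues past it.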



CVS commit: src/sys/arch/x86/x86

2018-04-05 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Apr  5 14:11:20 UTC 2018

Modified Files:
src/sys/arch/x86/x86: dbregs.c

Log Message:
Fix the check, should be >=.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/arch/x86/x86/dbregs.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/dbregs.c
diff -u src/sys/arch/x86/x86/dbregs.c:1.6 src/sys/arch/x86/x86/dbregs.c:1.7
--- src/sys/arch/x86/x86/dbregs.c:1.6	Thu Feb 23 12:01:12 2017
+++ src/sys/arch/x86/x86/dbregs.c	Thu Apr  5 14:11:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: dbregs.c,v 1.6 2017/02/23 12:01:12 martin Exp $	*/
+/*	$NetBSD: dbregs.c,v 1.7 2018/04/05 14:11:20 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2016 The NetBSD Foundation, Inc.
@@ -188,7 +188,7 @@ x86_dbregs_validate(const struct dbreg *
 
 	/* Check that DR0-DR3 contain user-space address */
 	for (i = 0; i < X86_DBREGS; i++)
-		if (regs->dr[i] > (vaddr_t)VM_MAXUSER_ADDRESS)
+		if (regs->dr[i] >= (vaddr_t)VM_MAXUSER_ADDRESS)
 			return EINVAL;
 
 	/*
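Review bot: The corrected comparison deserves a word in the comment above the loop, since the off-by-one it fixes is easy to reintroduce: as the fix implies, VM_MAXUSER_ADDRESS is itself not a valid user address, so `>=` is the right test. Suggest changing the comment to `/* Check that DR0-DR3 contain a user-space address; VM_MAXUSER_ADDRESS itself is out of range. */`. x86_dbregs_validate starts and ends outside this hunk.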



CVS commit: src/sys/arch/x86/x86

2018-04-05 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Apr  5 14:11:20 UTC 2018

Modified Files:
src/sys/arch/x86/x86: dbregs.c

Log Message:
Fix the check, should be >=.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/arch/x86/x86/dbregs.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-0] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:54:36 UTC 2018

Modified Files:
src/doc [netbsd-7-0]: CHANGES-7.0.3

Log Message:
Ticket #1594


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.98 -r1.1.2.99 src/doc/CHANGES-7.0.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-7.0.3
diff -u src/doc/CHANGES-7.0.3:1.1.2.98 src/doc/CHANGES-7.0.3:1.1.2.99
--- src/doc/CHANGES-7.0.3:1.1.2.98	Thu Apr  5 11:44:57 2018
+++ src/doc/CHANGES-7.0.3	Thu Apr  5 11:54:36 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.0.3,v 1.1.2.98 2018/04/05 11:44:57 martin Exp $
+# $NetBSD: CHANGES-7.0.3,v 1.1.2.99 2018/04/05 11:54:36 martin Exp $
 
 A complete list of changes from the NetBSD 7.0.2 release to the NetBSD 7.0.3
 release:
@@ -5372,3 +5372,12 @@ sys/net/npf/npf.h1.55
 	Fix an integer overflow that allows incoming IPv6 packets
 	to bypass a certain number of filtering rules.
 	[maxv, ticket #1593]
+
+sys/kern/uipc_mbuf.c1.182
+sys/netinet/ip_reass.c1.14
+sys/netinet6/frag6.c1.67
+sys/sys/mbuf.h	1.179
+
+	Remove M_PKTHDR from secondary mbufs when reassembling packets.
+	[maxv, ticket #1594]
+



CVS commit: [netbsd-7-0] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:54:36 UTC 2018

Modified Files:
src/doc [netbsd-7-0]: CHANGES-7.0.3

Log Message:
Ticket #1594


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.98 -r1.1.2.99 src/doc/CHANGES-7.0.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-1] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:52:22 UTC 2018

Modified Files:
src/doc [netbsd-7-1]: CHANGES-7.1.3

Log Message:
Ticket #1594


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.5 -r1.1.2.6 src/doc/CHANGES-7.1.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-7.1.3
diff -u src/doc/CHANGES-7.1.3:1.1.2.5 src/doc/CHANGES-7.1.3:1.1.2.6
--- src/doc/CHANGES-7.1.3:1.1.2.5	Thu Apr  5 11:43:08 2018
+++ src/doc/CHANGES-7.1.3	Thu Apr  5 11:52:21 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.1.3,v 1.1.2.5 2018/04/05 11:43:08 martin Exp $
+# $NetBSD: CHANGES-7.1.3,v 1.1.2.6 2018/04/05 11:52:21 martin Exp $
 
 A complete list of changes from the NetBSD 7.1.2 release to the NetBSD 7.1.3
 release:
@@ -64,3 +64,12 @@ sys/net/npf/npf.h1.55
 	Fix an integer overflow that allows incoming IPv6 packets
 	to bypass a certain number of filtering rules.
 	[maxv, ticket #1593]
+
+sys/kern/uipc_mbuf.c1.182
+sys/netinet/ip_reass.c1.14
+sys/netinet6/frag6.c1.67
+sys/sys/mbuf.h	1.179
+
+	Remove M_PKTHDR from secondary mbufs when reassembling packets.
+	[maxv, ticket #1594]
+



CVS commit: [netbsd-7-1] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:52:22 UTC 2018

Modified Files:
src/doc [netbsd-7-1]: CHANGES-7.1.3

Log Message:
Ticket #1594


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.5 -r1.1.2.6 src/doc/CHANGES-7.1.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-0] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:53:03 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: uipc_mbuf.c
src/sys/netinet [netbsd-7-0]: ip_reass.c
src/sys/netinet6 [netbsd-7-0]: frag6.c
src/sys/sys [netbsd-7-0]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.1.2.1 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.8.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155 -r1.155.4.1 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-0] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:53:03 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: uipc_mbuf.c
src/sys/netinet [netbsd-7-0]: ip_reass.c
src/sys/netinet6 [netbsd-7-0]: frag6.c
src/sys/sys [netbsd-7-0]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.1.2.1 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.8.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155 -r1.155.4.1 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1 src/sys/kern/uipc_mbuf.c:1.158.4.1.2.1
--- src/sys/kern/uipc_mbuf.c:1.158.4.1	Mon Feb  9 09:46:01 2015
+++ src/sys/kern/uipc_mbuf.c	Thu Apr  5 11:53:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.1 2018/04/05 11:53:02 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.1 2018/04/05 11:53:02 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -453,6 +453,16 @@ mb_ctor(void *arg, void *object, int fla
 	return (0);
 }
 
+void
+m_pkthdr_remove(struct mbuf *m)
+{
+	KASSERT(m->m_flags & M_PKTHDR);
+
+	m_tag_delete_chain(m, NULL);
+	m->m_flags &= ~M_PKTHDR;
+	memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));
+}
+
 /*
  * Add mbuf to the end of a chain
  */

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.9 src/sys/netinet/ip_reass.c:1.9.8.1
--- src/sys/netinet/ip_reass.c:1.9	Tue Feb 25 18:30:12 2014
+++ src/sys/netinet/ip_reass.c	Thu Apr  5 11:53:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.9.8.1 2018/04/05 11:53:02 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9.8.1 2018/04/05 11:53:02 martin Exp $");
 
 #include 
 #include 
@@ -393,6 +393,7 @@ insert:
 		t = q->ipqe_m;
 		nq = TAILQ_NEXT(q, ipqe_q);
 		pool_cache_put(ipfren_cache, q);
+		m_pkthdr_remove(t);
 		m_cat(m, t);
 	}
 
@@ -410,7 +411,8 @@ insert:
 	m->m_data -= (ip->ip_hl << 2);
 
 	/* Fix up mbuf.  XXX This should be done elsewhere. */
-	if (m->m_flags & M_PKTHDR) {
+	{
+		KASSERT(m->m_flags & M_PKTHDR);
 		int plen = 0;
 		for (t = m; t; t = t->m_next) {
 			plen += t->m_len;

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55.6.1 src/sys/netinet6/frag6.c:1.55.6.2
--- src/sys/netinet6/frag6.c:1.55.6.1	Tue Jan 30 18:31:53 2018
+++ src/sys/netinet6/frag6.c	Thu Apr  5 11:53:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.6.2 2018/04/05 11:53:02 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.2 2018/04/05 11:53:02 martin Exp $");
 
 #include 
 

CVS commit: [netbsd-7-1] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:50:17 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-1]: uipc_mbuf.c
src/sys/netinet [netbsd-7-1]: ip_reass.c
src/sys/netinet6 [netbsd-7-1]: frag6.c
src/sys/sys [netbsd-7-1]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.1.6.1 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.12.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.10.1 -r1.55.10.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155 -r1.155.8.1 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-1] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:50:17 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-1]: uipc_mbuf.c
src/sys/netinet [netbsd-7-1]: ip_reass.c
src/sys/netinet6 [netbsd-7-1]: frag6.c
src/sys/sys [netbsd-7-1]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.1.6.1 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.12.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.10.1 -r1.55.10.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155 -r1.155.8.1 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1 src/sys/kern/uipc_mbuf.c:1.158.4.1.6.1
--- src/sys/kern/uipc_mbuf.c:1.158.4.1	Mon Feb  9 09:46:01 2015
+++ src/sys/kern/uipc_mbuf.c	Thu Apr  5 11:50:17 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.6.1 2018/04/05 11:50:17 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.6.1 2018/04/05 11:50:17 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -453,6 +453,16 @@ mb_ctor(void *arg, void *object, int fla
 	return (0);
 }
 
+void
+m_pkthdr_remove(struct mbuf *m)
+{
+	KASSERT(m->m_flags & M_PKTHDR);
+
+	m_tag_delete_chain(m, NULL);
+	m->m_flags &= ~M_PKTHDR;
+	memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));
+}
+
 /*
  * Add mbuf to the end of a chain
  */

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.9 src/sys/netinet/ip_reass.c:1.9.12.1
--- src/sys/netinet/ip_reass.c:1.9	Tue Feb 25 18:30:12 2014
+++ src/sys/netinet/ip_reass.c	Thu Apr  5 11:50:17 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.9.12.1 2018/04/05 11:50:17 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9.12.1 2018/04/05 11:50:17 martin Exp $");
 
 #include 
 #include 
@@ -393,6 +393,7 @@ insert:
 		t = q->ipqe_m;
 		nq = TAILQ_NEXT(q, ipqe_q);
 		pool_cache_put(ipfren_cache, q);
+		m_pkthdr_remove(t);
 		m_cat(m, t);
 	}
 
@@ -410,7 +411,8 @@ insert:
 	m->m_data -= (ip->ip_hl << 2);
 
 	/* Fix up mbuf.  XXX This should be done elsewhere. */
-	if (m->m_flags & M_PKTHDR) {
+	{
+		KASSERT(m->m_flags & M_PKTHDR);
 		int plen = 0;
 		for (t = m; t; t = t->m_next) {
 			plen += t->m_len;

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55.10.1 src/sys/netinet6/frag6.c:1.55.10.2
--- src/sys/netinet6/frag6.c:1.55.10.1	Tue Jan 30 18:30:31 2018
+++ src/sys/netinet6/frag6.c	Thu Apr  5 11:50:17 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55.10.1 2018/01/30 18:30:31 martin Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.10.2 2018/04/05 11:50:17 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.10.1 2018/01/30 18:30:31 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.10.2 2018/04/05 11:50:17 martin Exp $");
 
 

CVS commit: [netbsd-7] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:49:19 UTC 2018

Modified Files:
src/doc [netbsd-7]: CHANGES-7.2

Log Message:
Ticket #1594


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.82 -r1.1.2.83 src/doc/CHANGES-7.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-7.2
diff -u src/doc/CHANGES-7.2:1.1.2.82 src/doc/CHANGES-7.2:1.1.2.83
--- src/doc/CHANGES-7.2:1.1.2.82	Thu Apr  5 11:42:03 2018
+++ src/doc/CHANGES-7.2	Thu Apr  5 11:49:19 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.2,v 1.1.2.82 2018/04/05 11:42:03 martin Exp $
+# $NetBSD: CHANGES-7.2,v 1.1.2.83 2018/04/05 11:49:19 martin Exp $
 
 A complete list of changes from the NetBSD 7.1 release to the NetBSD 7.2
 release:
@@ -5404,3 +5404,12 @@ sys/net/npf/npf.h1.55
 	Fix an integer overflow that allows incoming IPv6 packets
 	to bypass a certain number of filtering rules.
 	[maxv, ticket #1593]
+
+sys/kern/uipc_mbuf.c1.182
+sys/netinet/ip_reass.c1.14
+sys/netinet6/frag6.c1.67
+sys/sys/mbuf.h	1.179
+
+	Remove M_PKTHDR from secondary mbufs when reassembling packets.
+	[maxv, ticket #1594]
+



CVS commit: [netbsd-7] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:49:19 UTC 2018

Modified Files:
src/doc [netbsd-7]: CHANGES-7.2

Log Message:
Ticket #1594


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.82 -r1.1.2.83 src/doc/CHANGES-7.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:48:13 UTC 2018

Modified Files:
src/sys/kern [netbsd-7]: uipc_mbuf.c
src/sys/netinet [netbsd-7]: ip_reass.c
src/sys/netinet6 [netbsd-7]: frag6.c
src/sys/sys [netbsd-7]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.2 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.4.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.4.1 -r1.55.4.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155.2.1 -r1.155.2.2 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1 src/sys/kern/uipc_mbuf.c:1.158.4.2
--- src/sys/kern/uipc_mbuf.c:1.158.4.1	Mon Feb  9 09:46:01 2015
+++ src/sys/kern/uipc_mbuf.c	Thu Apr  5 11:48:13 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.158.4.2 2018/04/05 11:48:13 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.2 2018/04/05 11:48:13 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -453,6 +453,16 @@ mb_ctor(void *arg, void *object, int fla
 	return (0);
 }
 
+void
+m_pkthdr_remove(struct mbuf *m)
+{
+	KASSERT(m->m_flags & M_PKTHDR);
+
+	m_tag_delete_chain(m, NULL);
+	m->m_flags &= ~M_PKTHDR;
+	memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));
+}
+
 /*
  * Add mbuf to the end of a chain
  */
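Review bot: The new exported function m_pkthdr_remove() is added without a header comment stating its contract, even though callers in ip_reass.c and frag6.c now depend on it; a two-line comment above it would do, e.g. `/* Strip the packet header from a non-head mbuf: release its tags, clear M_PKTHDR and zero m_pkthdr. The caller guarantees M_PKTHDR is set. */`. Stating the precondition in the comment matters because the KASSERT only fires in DIAGNOSTIC kernels; elsewhere a call on an mbuf without M_PKTHDR proceeds silently. The line `memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));` reads as a mail-rendering artifact of `&m->m_pkthdr` (the `&` was presumably eaten by the archive); worth confirming against the repository, since as shown it would not compile.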

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.9 src/sys/netinet/ip_reass.c:1.9.4.1
--- src/sys/netinet/ip_reass.c:1.9	Tue Feb 25 18:30:12 2014
+++ src/sys/netinet/ip_reass.c	Thu Apr  5 11:48:13 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.9.4.1 2018/04/05 11:48:13 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9.4.1 2018/04/05 11:48:13 martin Exp $");
 
 #include 
 #include 
@@ -393,6 +393,7 @@ insert:
 		t = q->ipqe_m;
 		nq = TAILQ_NEXT(q, ipqe_q);
 		pool_cache_put(ipfren_cache, q);
+		m_pkthdr_remove(t);
 		m_cat(m, t);
 	}
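Review bot: The added `m_pkthdr_remove(t);` asserts that t carries M_PKTHDR, so the loop now depends on every queued fragment mbuf (ipqe_m) still having its packet header when it is appended; that is presumably true because each fragment arrived as its own packet, but a one-line comment above the call would make the invariant explicit, e.g. `/* Each fragment arrived as a packet; only the chain head keeps M_PKTHDR. */`. The same invariant underlies the hunk at @@ -410,7 +411,8 @@ in this file, where the `if (m->m_flags & M_PKTHDR)` guard became an unconditional block with a KASSERT: on kernels built without DIAGNOSTIC the assertion compiles away and the m_pkthdr.len fix-up runs regardless, which is correct only if the head mbuf always has the header. The enclosing function starts and ends outside both hunks.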
 
@@ -410,7 +411,8 @@ insert:
 	m->m_data -= (ip->ip_hl << 2);
 
 	/* Fix up mbuf.  XXX This should be done elsewhere. */
-	if (m->m_flags & M_PKTHDR) {
+	{
+		KASSERT(m->m_flags & M_PKTHDR);
 		int plen = 0;
 		for (t = m; t; t = t->m_next) {
 			plen += t->m_len;

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55.4.1 src/sys/netinet6/frag6.c:1.55.4.2
--- src/sys/netinet6/frag6.c:1.55.4.1	Tue Jan 30 18:28:45 2018
+++ src/sys/netinet6/frag6.c	Thu Apr  5 11:48:13 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55.4.1 2018/01/30 18:28:45 martin Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.4.2 2018/04/05 11:48:13 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.4.1 2018/01/30 18:28:45 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.4.2 2018/04/05 11:48:13 martin Exp $");
 
 #include 
 #include 
@@ -405,6 +405,7 

CVS commit: [netbsd-7] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:48:13 UTC 2018

Modified Files:
src/sys/kern [netbsd-7]: uipc_mbuf.c
src/sys/netinet [netbsd-7]: ip_reass.c
src/sys/netinet6 [netbsd-7]: frag6.c
src/sys/sys [netbsd-7]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.2 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.4.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.4.1 -r1.55.4.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155.2.1 -r1.155.2.2 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-0] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:44:57 UTC 2018

Modified Files:
src/doc [netbsd-7-0]: CHANGES-7.0.3

Log Message:
Ticket #1593


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.97 -r1.1.2.98 src/doc/CHANGES-7.0.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-7.0.3
diff -u src/doc/CHANGES-7.0.3:1.1.2.97 src/doc/CHANGES-7.0.3:1.1.2.98
--- src/doc/CHANGES-7.0.3:1.1.2.97	Sun Apr  1 09:15:43 2018
+++ src/doc/CHANGES-7.0.3	Thu Apr  5 11:44:57 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.0.3,v 1.1.2.97 2018/04/01 09:15:43 martin Exp $
+# $NetBSD: CHANGES-7.0.3,v 1.1.2.98 2018/04/05 11:44:57 martin Exp $
 
 A complete list of changes from the NetBSD 7.0.2 release to the NetBSD 7.0.3
 release:
@@ -5367,3 +5367,8 @@ sys/netinet6/raw_ip6.c1.161
 	Fix use-after-free.
 	[maxv, ticket #1591]
 
+sys/net/npf/npf.h1.55
+
+	Fix an integer overflow that allows incoming IPv6 packets
+	to bypass a certain number of filtering rules.
+	[maxv, ticket #1593]



CVS commit: [netbsd-7-0] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:44:57 UTC 2018

Modified Files:
src/doc [netbsd-7-0]: CHANGES-7.0.3

Log Message:
Ticket #1593


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.97 -r1.1.2.98 src/doc/CHANGES-7.0.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-0] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:43:51 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7-0]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.6.1
--- src/sys/net/npf/npf.h:1.47	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:43:51 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.47.6.1 2018/04/05 11:43:51 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
 	uint8_t			npc_alen;
 
 	/* IP header length and L4 protocol. */
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 
 	/* IPv4, IPv6. */
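Review bot: Widening npc_hlen to uint32_t removes the 8-bit wrap, but nothing in this header bounds the value against the packet, and the log message itself says npf_cache_ip may still advance npc_hlen beyond the mbuf; the field comment should carry that invariant so the producer is held to it, e.g. `/* IP header length (incl. IPv6 extension headers) and L4 protocol; npc_hlen must be validated against the packet length by the code that computes it. */`. Since the field lives in a typedef'd struct, the change also alters the struct's size and the offsets of the fields after it, so any separately built module that uses this struct needs rebuilding against the new header; worth a line in the pull-up ticket. The same hunk is repeated in the netbsd-7-1 (1.47.12.1) and netbsd-7 (1.47.2.1) pull-ups of src/sys/net/npf/npf.h further down this page.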



CVS commit: [netbsd-7-0] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:43:51 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7-0]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-1] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:43:08 UTC 2018

Modified Files:
src/doc [netbsd-7-1]: CHANGES-7.1.3

Log Message:
Ticket #1593


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-7.1.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-7.1.3
diff -u src/doc/CHANGES-7.1.3:1.1.2.4 src/doc/CHANGES-7.1.3:1.1.2.5
--- src/doc/CHANGES-7.1.3:1.1.2.4	Sun Apr  1 09:14:15 2018
+++ src/doc/CHANGES-7.1.3	Thu Apr  5 11:43:08 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.1.3,v 1.1.2.4 2018/04/01 09:14:15 martin Exp $
+# $NetBSD: CHANGES-7.1.3,v 1.1.2.5 2018/04/05 11:43:08 martin Exp $
 
 A complete list of changes from the NetBSD 7.1.2 release to the NetBSD 7.1.3
 release:
@@ -59,3 +59,8 @@ sys/netinet6/raw_ip6.c1.161
 	Fix use-after-free.
 	[maxv, ticket #1591]
 
+sys/net/npf/npf.h1.55
+
+	Fix an integer overflow that allows incoming IPv6 packets
+	to bypass a certain number of filtering rules.
+	[maxv, ticket #1593]



CVS commit: [netbsd-7-1] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:43:08 UTC 2018

Modified Files:
src/doc [netbsd-7-1]: CHANGES-7.1.3

Log Message:
Ticket #1593


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-7.1.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7-1] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:42:36 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.12.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.12.1
--- src/sys/net/npf/npf.h:1.47	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:42:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.47.12.1 2018/04/05 11:42:36 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
 	uint8_t			npc_alen;
 
 	/* IP header length and L4 protocol. */
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 
 	/* IPv4, IPv6. */



CVS commit: [netbsd-7-1] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:42:36 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.12.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:42:03 UTC 2018

Modified Files:
src/doc [netbsd-7]: CHANGES-7.2

Log Message:
Ticket #1593


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.81 -r1.1.2.82 src/doc/CHANGES-7.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-7] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:42:03 UTC 2018

Modified Files:
src/doc [netbsd-7]: CHANGES-7.2

Log Message:
Ticket #1593


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.81 -r1.1.2.82 src/doc/CHANGES-7.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-7.2
diff -u src/doc/CHANGES-7.2:1.1.2.81 src/doc/CHANGES-7.2:1.1.2.82
--- src/doc/CHANGES-7.2:1.1.2.81	Sun Apr  1 09:13:25 2018
+++ src/doc/CHANGES-7.2	Thu Apr  5 11:42:03 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.2,v 1.1.2.81 2018/04/01 09:13:25 martin Exp $
+# $NetBSD: CHANGES-7.2,v 1.1.2.82 2018/04/05 11:42:03 martin Exp $
 
 A complete list of changes from the NetBSD 7.1 release to the NetBSD 7.2
 release:
@@ -5399,3 +5399,8 @@ sys/netinet6/raw_ip6.c1.161
 	Fix use-after-free.
 	[maxv, ticket #1591]
 
+sys/net/npf/npf.h1.55
+
+	Fix an integer overflow that allows incoming IPv6 packets
+	to bypass a certain number of filtering rules.
+	[maxv, ticket #1593]



CVS commit: [netbsd-7] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:41:28 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.2.1
--- src/sys/net/npf/npf.h:1.47	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:41:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.47.2.1 2018/04/05 11:41:28 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
 	uint8_t			npc_alen;
 
 	/* IP header length and L4 protocol. */
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 
 	/* IPv4, IPv6. */



CVS commit: [netbsd-7] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:41:28 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-0] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:40:14 UTC 2018

Modified Files:
src/doc [netbsd-6-0]: CHANGES-6.0.7

Log Message:
Ticket #1542


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.137 -r1.1.2.138 src/doc/CHANGES-6.0.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.0.7
diff -u src/doc/CHANGES-6.0.7:1.1.2.137 src/doc/CHANGES-6.0.7:1.1.2.138
--- src/doc/CHANGES-6.0.7:1.1.2.137	Sun Apr  1 09:25:09 2018
+++ src/doc/CHANGES-6.0.7	Thu Apr  5 11:40:14 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.0.7,v 1.1.2.137 2018/04/01 09:25:09 martin Exp $
+# $NetBSD: CHANGES-6.0.7,v 1.1.2.138 2018/04/05 11:40:14 martin Exp $
 
 A complete list of changes from the NetBSD 6.0.6 release to the NetBSD 6.0.7
 release:
@@ -15431,3 +15431,8 @@ sys/netinet6/raw_ip6.c1.161
 	Fix use-after-free.
 	[maxv, ticket #1541]
 
+sys/net/npf/npf.h1.55
+
+	Fix an integer overflow that allows incoming IPv6 packets
+	to bypass a certain number of filtering rules.
+	[maxv, ticket #1542]



CVS commit: [netbsd-6-0] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:40:14 UTC 2018

Modified Files:
src/doc [netbsd-6-0]: CHANGES-6.0.7

Log Message:
Ticket #1542


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.137 -r1.1.2.138 src/doc/CHANGES-6.0.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-0] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:38:36 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-0]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.6.4.1 -r1.14.2.6.4.2 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.6.4.1 src/sys/net/npf/npf.h:1.14.2.6.4.2
--- src/sys/net/npf/npf.h:1.14.2.6.4.1	Sun Dec 16 18:20:09 2012
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:38:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.14.2.6.4.1 2012/12/16 18:20:09 riz Exp $	*/
+/*	$NetBSD: npf.h,v 1.14.2.6.4.2 2018/04/05 11:38:36 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -96,7 +96,7 @@ typedef struct {
 	npf_addr_t *		npc_dstip;
 	/* Size (v4 or v6) of IP addresses. */
 	int			npc_alen;
-	u_int			npc_hlen;
+	uint32_t		npc_hlen;
 	int			npc_next_proto;
 	/* IPv4, IPv6. */
 	union {
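Review bot: On this branch the field's previous type was `u_int`, not `uint8_t`, so changing it to `uint32_t` appears to only make the width explicit rather than fix the 8-bit wrap the log message describes (u_int is 32-bit on all NetBSD ports, so the struct layout is unchanged). Worth confirming whether this branch's npf_cache_ip narrows the header length elsewhere, for instance through an 8-bit local or parameter, before treating this pull-up as a fix rather than a hardening. A short field comment stating the invariant would help either way, e.g. `/* IP header length incl. extension headers; bounded by the packet length. */`.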



CVS commit: [netbsd-6-0] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:38:36 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-0]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.6.4.1 -r1.14.2.6.4.2 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-1] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:36:31 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1542


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.134 -r1.1.2.135 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.134 src/doc/CHANGES-6.1.6:1.1.2.135
--- src/doc/CHANGES-6.1.6:1.1.2.134	Sun Apr  1 09:24:07 2018
+++ src/doc/CHANGES-6.1.6	Thu Apr  5 11:36:31 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.134 2018/04/01 09:24:07 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.135 2018/04/05 11:36:31 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15100,3 +15100,8 @@ sys/netinet6/raw_ip6.c1.161
 	Fix use-after-free.
 	[maxv, ticket #1541]
 
+sys/net/npf/npf.h1.55
+
+	Fix an integer overflow that allows incoming IPv6 packets
+	to bypass a certain number of filtering rules.
+	[maxv, ticket #1542]



CVS commit: [netbsd-6-1] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:36:31 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1542


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.134 -r1.1.2.135 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-1] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:35:58 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF that allows any incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-1] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:35:58 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF that allows any incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.12.2.1
--- src/sys/net/npf/npf.h:1.14.2.12	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:35:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf.h,v 1.14.2.12.2.1 2018/04/05 11:35:57 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -99,7 +99,7 @@ typedef struct {
 	npf_addr_t *		npc_dstip;
 	/* Size (v4 or v6) of IP addresses. */
 	uint8_t			npc_alen;
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 	/* IPv4, IPv6. */
 	union {
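Review bot: Widening npc_hlen to uint32_t stops the 8-bit wrap, but the commit message itself says npf_cache_ip can still advance npc_hlen past the end of the mbuf, and this pullup touches only the header, so that out-of-bounds read stays open on this branch; the increment site is outside this hunk. The bound belongs next to the increment in npf_cache_ip (the running header length plus each extension header's length must stay within the packet length), and the pullup should carry that check or reference a follow-up ticket. The field's width is now a security property, so it deserves a comment: `/* Total IP header length incl. IPv6 extension headers; 32-bit so chained extension headers cannot wrap it and desynchronize NPF from the stack's parse. */`. Placing a uint32_t between npc_alen and npc_proto also changes the struct layout through padding, which only matters if npf_cache_t is visible outside the kernel; worth confirming it is kernel-private.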



CVS commit: [netbsd-6] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:35:09 UTC 2018

Modified Files:
src/doc [netbsd-6]: CHANGES-6.2

Log Message:
Ticket #1542


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.330 -r1.1.2.331 src/doc/CHANGES-6.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:35:09 UTC 2018

Modified Files:
src/doc [netbsd-6]: CHANGES-6.2

Log Message:
Ticket #1542


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.330 -r1.1.2.331 src/doc/CHANGES-6.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.2
diff -u src/doc/CHANGES-6.2:1.1.2.330 src/doc/CHANGES-6.2:1.1.2.331
--- src/doc/CHANGES-6.2:1.1.2.330	Sun Apr  1 09:23:13 2018
+++ src/doc/CHANGES-6.2	Thu Apr  5 11:35:08 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.2,v 1.1.2.330 2018/04/01 09:23:13 martin Exp $
+# $NetBSD: CHANGES-6.2,v 1.1.2.331 2018/04/05 11:35:08 martin Exp $
 
 A complete list of changes from the 6.1 release until the 6.2 release:
 
@@ -21205,3 +21205,8 @@ sys/netinet6/raw_ip6.c1.161
 	Fix use-after-free.
 	[maxv, ticket #1541]
 
+sys/net/npf/npf.h1.55
+
+	Fix an integer overflow that allows incoming IPv6 packets
+	to bypass a certain number of filtering rules.
+	[maxv, ticket #1542]



CVS commit: [netbsd-6] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:34:17 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF that allows any incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:34:17 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF that allows any incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.13
--- src/sys/net/npf/npf.h:1.14.2.12	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:34:17 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf.h,v 1.14.2.13 2018/04/05 11:34:17 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -99,7 +99,7 @@ typedef struct {
 	npf_addr_t *		npc_dstip;
 	/* Size (v4 or v6) of IP addresses. */
 	uint8_t			npc_alen;
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 	/* IPv4, IPv6. */
 	union {
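Review bot: The type change alone closes the wrap but not the second problem the log message admits, namely npc_hlen being incremented in npf_cache_ip by a length that runs beyond the mbuf; nothing in this hunk bounds that, and the increment site lies outside it. A length check against the packet size at each extension-header step is the companion fix and should be part of the same pullup, or at least tracked. Please also document why the field is wide: `/* Header length up to the transport header; uint32_t so attacker-chosen IPv6 extension header sizes cannot wrap it. */`. If npf_cache_t is shared with userland test tooling, note that the new padding after npc_alen changes the struct layout; presumably it is kernel-only, but worth a check.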



CVS commit: src/lib/libutil

2018-04-05 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Thu Apr  5 11:07:00 UTC 2018

Modified Files:
src/lib/libutil: opendisk.3

Log Message:
Use mdoc macros.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/lib/libutil/opendisk.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libutil/opendisk.3
diff -u src/lib/libutil/opendisk.3:1.15 src/lib/libutil/opendisk.3:1.16
--- src/lib/libutil/opendisk.3:1.15	Wed Apr  4 04:43:46 2018
+++ src/lib/libutil/opendisk.3	Thu Apr  5 11:07:00 2018
@@ -1,4 +1,4 @@
-.\"	$NetBSD: opendisk.3,v 1.15 2018/04/04 04:43:46 kre Exp $
+.\"	$NetBSD: opendisk.3,v 1.16 2018/04/05 11:07:00 wiz Exp $
 .\"
 .\" Copyright (c) 1997, 2001 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -200,7 +200,7 @@ may also set
 to any value specified by the
 .Xr open 2
 function.
-.PP
+.Pp
 The
 .Fn opendisk1
 function may also set
@@ -216,7 +216,7 @@ The
 .Fn opendisk
 function first appeared in
 .Nx 1.3 .
-.br
+.Pp
 The
 .Fn opendisk1
 function first appeared in



CVS commit: src/lib/libutil

2018-04-05 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Thu Apr  5 11:07:00 UTC 2018

Modified Files:
src/lib/libutil: opendisk.3

Log Message:
Use mdoc macros.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/lib/libutil/opendisk.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/sys/arch/arm/sunxi

2018-04-05 Thread Jared D. McNeill
Module Name:src
Committed By:   jmcneill
Date:   Thu Apr  5 10:21:39 UTC 2018

Modified Files:
src/sys/arch/arm/sunxi: sunxi_debe.c

Log Message:
Remove AWIN_DEBE_FWINIT blocks


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/arch/arm/sunxi/sunxi_debe.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/arm/sunxi/sunxi_debe.c
diff -u src/sys/arch/arm/sunxi/sunxi_debe.c:1.6 src/sys/arch/arm/sunxi/sunxi_debe.c:1.7
--- src/sys/arch/arm/sunxi/sunxi_debe.c:1.6	Thu Apr  5 10:19:25 2018
+++ src/sys/arch/arm/sunxi/sunxi_debe.c	Thu Apr  5 10:21:39 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: sunxi_debe.c,v 1.6 2018/04/05 10:19:25 jmcneill Exp $ */
+/* $NetBSD: sunxi_debe.c,v 1.7 2018/04/05 10:21:39 jmcneill Exp $ */
 
 /*-
  * Copyright (c) 2018 Manuel Bouyer 
@@ -38,7 +38,7 @@
 #define SUNXI_DEBE_CURMAX	64
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: sunxi_debe.c,v 1.6 2018/04/05 10:19:25 jmcneill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sunxi_debe.c,v 1.7 2018/04/05 10:21:39 jmcneill Exp $");
 
 #include 
 #include 
@@ -148,9 +148,6 @@ sunxi_debe_attach(device_t parent, devic
 	bus_addr_t addr;
 	bus_size_t size;
 	struct fdtbus_reset *rst;
-#ifdef AWIN_DEBE_FWINIT
-	struct videomode mode;
-#endif
 	int error;
 
 	sc->sc_dev = self;
@@ -216,32 +213,6 @@ sunxi_debe_attach(device_t parent, devic
 	fdtbus_get_string(phandle, "name"));
 
 
-#ifdef AWIN_DEBE_FWINIT
-	const uint32_t modctl = DEBE_READ(sc, SUNXI_DEBE_MODCTL_REG);
-	const uint32_t dissize = DEBE_READ(sc, SUNXI_DEBE_DISSIZE_REG);
-	if ((modctl & SUNXI_DEBE_MODCTL_EN) == 0) {
-		aprint_error_dev(sc->sc_dev, "disabled\n");
-		return;
-	}
-	if ((modctl & SUNXI_DEBE_MODCTL_START_CTL) == 0) {
-		aprint_error_dev(sc->sc_dev, "stopped\n");
-		return;
-	}
-	memset(, 0, sizeof(mode));
-	mode.hdisplay = (dissize & 0x) + 1;
-	mode.vdisplay = ((dissize >> 16) & 0x) + 1;
-
-	if (mode.hdisplay == 1 || mode.vdisplay == 1) {
-		aprint_error_dev(sc->sc_dev,
-		"couldn't determine video mode\n");
-		return;
-	}
-
-	aprint_verbose_dev(sc->sc_dev, "using %dx%d mode from firmware\n",
-	mode.hdisplay, mode.vdisplay);
-
-	sc->sc_dmasize = mode.hdisplay * mode.vdisplay * 4;
-#else
 	for (unsigned int reg = 0x800; reg < 0x1000; reg += 4) {
 		DEBE_WRITE(sc, reg, 0);
 	}
@@ -249,7 +220,6 @@ sunxi_debe_attach(device_t parent, devic
 	DEBE_WRITE(sc, SUNXI_DEBE_MODCTL_REG, SUNXI_DEBE_MODCTL_EN);
 
 	sc->sc_dmasize = SUNXI_DEBE_VIDEOMEM;
-#endif
 
 	DEBE_WRITE(sc, SUNXI_DEBE_HWC_PALETTE_TABLE, 0);
 
@@ -265,16 +235,11 @@ sunxi_debe_attach(device_t parent, devic
 	sc->sc_ports.dp_ep_enable = sunxi_debe_ep_enable;
 	fdt_ports_register(>sc_ports, self, phandle, EP_OTHER);
 
-#ifdef AWIN_DEBE_FWINIT
-	sunxi_debe_set_videomode(device_unit(self), );
-	sunxi_debe_enable(device_unit(self), true);
-#else
 	if (clk_disable(sc->sc_clk_ahb) != 0 ||
 	clk_disable(sc->sc_clk_mod) != 0) {
 		aprint_error(": couldn't disable clocks\n");
 		return;
 	}
-#endif
 }
 
 



CVS commit: src/sys/arch/arm/sunxi

2018-04-05 Thread Jared D. McNeill
Module Name:src
Committed By:   jmcneill
Date:   Thu Apr  5 10:21:39 UTC 2018

Modified Files:
src/sys/arch/arm/sunxi: sunxi_debe.c

Log Message:
Remove AWIN_DEBE_FWINIT blocks


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/arch/arm/sunxi/sunxi_debe.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/sys/arch/arm/sunxi

2018-04-05 Thread Jared D. McNeill
Module Name:src
Committed By:   jmcneill
Date:   Thu Apr  5 10:19:25 UTC 2018

Modified Files:
src/sys/arch/arm/sunxi: sunxi_debe.c

Log Message:
Remove NAWIN_MP blocks (this code was experimental in the original driver and 
is not worth porting over)


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/arch/arm/sunxi/sunxi_debe.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/sys/arch/arm/sunxi

2018-04-05 Thread Jared D. McNeill
Module Name:src
Committed By:   jmcneill
Date:   Thu Apr  5 10:19:25 UTC 2018

Modified Files:
src/sys/arch/arm/sunxi: sunxi_debe.c

Log Message:
Remove NAWIN_MP blocks (this code was experimental in the original driver and 
is not worth porting over)


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/arch/arm/sunxi/sunxi_debe.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/arm/sunxi/sunxi_debe.c
diff -u src/sys/arch/arm/sunxi/sunxi_debe.c:1.5 src/sys/arch/arm/sunxi/sunxi_debe.c:1.6
--- src/sys/arch/arm/sunxi/sunxi_debe.c:1.5	Tue Apr  3 16:17:59 2018
+++ src/sys/arch/arm/sunxi/sunxi_debe.c	Thu Apr  5 10:19:25 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: sunxi_debe.c,v 1.5 2018/04/03 16:17:59 bouyer Exp $ */
+/* $NetBSD: sunxi_debe.c,v 1.6 2018/04/05 10:19:25 jmcneill Exp $ */
 
 /*-
  * Copyright (c) 2018 Manuel Bouyer 
@@ -38,7 +38,7 @@
 #define SUNXI_DEBE_CURMAX	64
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: sunxi_debe.c,v 1.5 2018/04/03 16:17:59 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sunxi_debe.c,v 1.6 2018/04/05 10:19:25 jmcneill Exp $");
 
 #include 
 #include 
@@ -148,9 +148,6 @@ sunxi_debe_attach(device_t parent, devic
 	bus_addr_t addr;
 	bus_size_t size;
 	struct fdtbus_reset *rst;
-#if NAWIN_MP > 0
-	device_t mpdev;
-#endif
 #ifdef AWIN_DEBE_FWINIT
 	struct videomode mode;
 #endif
@@ -263,15 +260,6 @@ sunxi_debe_attach(device_t parent, devic
 		return;
 	}
 
-#if NAWIN_MP > 0
-	mpdev = device_find_by_driver_unit("sunximp", 0);
-	if (mpdev) {
-		paddr_t pa = sc->sc_dmamap->dm_segs[0].ds_addr;
-		if (pa >= SUNXI_SDRAM_PBASE)
-			pa -= SUNXI_SDRAM_PBASE;
-		sunxi_mp_setbase(mpdev, pa, sc->sc_dmasize);
-	}
-#endif
 	sc->sc_unit = -1;
 	sc->sc_ports.dp_ep_connect = sunxi_debe_ep_connect;
 	sc->sc_ports.dp_ep_enable = sunxi_debe_ep_enable;
@@ -699,7 +687,6 @@ sunxi_debe_ioctl(device_t self, u_long c
 struct sunxi_befb_softc {
 	struct genfb_softc sc_gen;
 	device_t sc_debedev;
-	device_t sc_mpdev;
 
 	bus_dma_tag_t sc_dmat;
 	bus_dma_segment_t *sc_dmasegs;
@@ -740,7 +727,6 @@ sunxi_befb_attach(device_t parent, devic
 	sc->sc_dmat = afb->afb_dmat;
 	sc->sc_dmasegs = afb->afb_dmasegs;
 	sc->sc_ndmasegs = afb->afb_ndmasegs;
-	sc->sc_mpdev = device_find_by_driver_unit("sunximp", 0);
 
 	prop_dictionary_set_uint32(cfg, "width", afb->afb_width);
 	prop_dictionary_set_uint32(cfg, "height", afb->afb_height);
@@ -800,10 +786,6 @@ sunxi_befb_ioctl(void *v, void *vs, u_lo
 		if (error == 0) {
 			fbi->fbi_flags |= WSFB_VRAM_IS_RAM;
 			fbi->fbi_fbsize = sc->sc_dmasegs[0].ds_len;
-#if NAWIN_MP > 0
-			if (sc->sc_mpdev)
-fbi->fbi_flags |= WSFB_ACCEL;
-#endif
 		}
 		return error;
 	case WSDISPLAYIO_SVIDEO:
@@ -813,14 +795,6 @@ sunxi_befb_ioctl(void *v, void *vs, u_lo
 	case WSDISPLAYIO_GCURMAX:
 	case WSDISPLAYIO_SCURSOR:
 		return sunxi_debe_ioctl(sc->sc_debedev, cmd, data);
-#if NAWIN_MP > 0
-	case WSDISPLAYIO_FILL:
-	case WSDISPLAYIO_COPY:
-	case WSDISPLAYIO_SYNC:
-		if (sc->sc_mpdev == NULL)
-			return EPASSTHROUGH;
-		return sunxi_mp_ioctl(sc->sc_mpdev, cmd, data);
-#endif
 	default:
 		return EPASSTHROUGH;
 	}



CVS commit: src/sys/arch

2018-04-05 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Apr  5 08:43:07 UTC 2018

Modified Files:
src/sys/arch/i386/i386: machdep.c
src/sys/arch/x86/x86: cpu.c

Log Message:
Call cpu_speculation_init on i386 too. We don't have IBRS for i386, but
we do have the AMD DIS_IND method.


To generate a diff of this commit:
cvs rdiff -u -r1.805 -r1.806 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.154 -r1.155 src/sys/arch/x86/x86/cpu.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/i386/machdep.c
diff -u src/sys/arch/i386/i386/machdep.c:1.805 src/sys/arch/i386/i386/machdep.c:1.806
--- src/sys/arch/i386/i386/machdep.c:1.805	Tue Apr  3 07:20:52 2018
+++ src/sys/arch/i386/i386/machdep.c	Thu Apr  5 08:43:07 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.805 2018/04/03 07:20:52 christos Exp $	*/
+/*	$NetBSD: machdep.c,v 1.806 2018/04/05 08:43:07 maxv Exp $	*/
 
 /*
  * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009, 2017
@@ -67,7 +67,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.805 2018/04/03 07:20:52 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.806 2018/04/05 08:43:07 maxv Exp $");
 
 #include "opt_beep.h"
 #include "opt_compat_freebsd.h"
@@ -1168,6 +1168,9 @@ init386(paddr_t first_avail)
 
 	cpu_probe(_info_primary);
 	cpu_init_msrs(_info_primary, true);
+#ifndef XEN
+	cpu_speculation_init(_info_primary);
+#endif
 
 #ifdef PAE
 	use_pae = 1;
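Review bot: The new cpu_speculation_init call is placed under `#ifndef XEN` with no comment saying why the primary CPU skips it under Xen or that i386 has no IBRS and depends on the AMD DIS_IND path, which a reader of init386 cannot learn from the code; init386 begins outside this hunk. I would add `/* No IBRS on i386; this enables the AMD DIS_IND mitigation where the CPU offers it. Not applicable under Xen. */` above the call. The matching secondary-CPU call in cpu_hatch (cpu.c, same commit) carries no Xen guard, so it is worth confirming that file is never built into a Xen i386 kernel; otherwise the boot CPU and the APs would end up with different mitigation state.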

Index: src/sys/arch/x86/x86/cpu.c
diff -u src/sys/arch/x86/x86/cpu.c:1.154 src/sys/arch/x86/x86/cpu.c:1.155
--- src/sys/arch/x86/x86/cpu.c:1.154	Wed Apr  4 12:59:49 2018
+++ src/sys/arch/x86/x86/cpu.c	Thu Apr  5 08:43:07 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cpu.c,v 1.154 2018/04/04 12:59:49 maxv Exp $	*/
+/*	$NetBSD: cpu.c,v 1.155 2018/04/05 08:43:07 maxv Exp $	*/
 
 /*
  * Copyright (c) 2000-2012 NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.154 2018/04/04 12:59:49 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.155 2018/04/05 08:43:07 maxv Exp $");
 
 #include "opt_ddb.h"
 #include "opt_mpbios.h"		/* for MPDEBUG */
@@ -848,9 +848,7 @@ cpu_hatch(void *v)
 
 	cpu_init_msrs(ci, true);
 	cpu_probe(ci);
-#ifdef __x86_64__
 	cpu_speculation_init(ci);
-#endif
 
 	ci->ci_data.cpu_cc_freq = cpu_info_primary.ci_data.cpu_cc_freq;
 	/* cpu_get_tsc_freq(ci); */
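Review bot: Removing the `__x86_64__` guard makes cpu_speculation_init(ci) unconditional for every hatched CPU, while the primary-CPU call added to i386's init386 in this same commit sits under `#ifndef XEN`; if this cpu.c is ever compiled into a Xen i386 kernel, the APs would run mitigation setup that the BP skipped. Either guard both call sites the same way or record the assumption here, e.g. `/* Non-Xen only: Xen has its own cpu.c, so no XEN guard is needed here. */`, hedged as I cannot see the build configuration from this hunk. cpu_hatch starts outside this hunk. The ordering (cpu_init_msrs, cpu_probe, then cpu_speculation_init) matches the primary path, which is good since cpu_speculation_init presumably relies on the cpuid feature flags cpu_probe fills in.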



CVS commit: src/sys/arch

2018-04-05 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Apr  5 08:43:07 UTC 2018

Modified Files:
src/sys/arch/i386/i386: machdep.c
src/sys/arch/x86/x86: cpu.c

Log Message:
Call cpu_speculation_init on i386 too. We don't have IBRS for i386, but
we do have the AMD DIS_IND method.


To generate a diff of this commit:
cvs rdiff -u -r1.805 -r1.806 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.154 -r1.155 src/sys/arch/x86/x86/cpu.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.