CVS commit: [netbsd-6-1] src/doc

2018-07-02 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Mon Jul  2 14:39:15 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1551


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.145 -r1.1.2.146 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.145 src/doc/CHANGES-6.1.6:1.1.2.146
--- src/doc/CHANGES-6.1.6:1.1.2.145	Sat Jun 30 11:43:53 2018
+++ src/doc/CHANGES-6.1.6	Mon Jul  2 14:39:15 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.145 2018/06/30 11:43:53 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.146 2018/07/02 14:39:15 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15175,3 +15175,8 @@ xsrc/xfree/xc/programs/mkfontscale/ident
 	Pass gzFile, not gzFile * to gzio functions.
 	[mrg, ticket #1550]
 
+gnu/dist/gcc4/gcc/toplev.h			(apply patch)
+
+	Avoid redefining functions.
+	[mrg, ticket #1551]
+
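
Review bot: The new entry at the end of this hunk tags the file with "(apply patch)", while other entries in CHANGES-6.1.6 use "(patch)" (for example the sys/net/npf entries for ticket #1549). Use "(patch)" here so the file keeps one tag for this kind of change.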



CVS commit: [netbsd-6-1] src/gnu/dist/gcc4/gcc

2018-07-02 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Mon Jul  2 14:38:41 UTC 2018

Modified Files:
src/gnu/dist/gcc4/gcc [netbsd-6-1]: toplev.h

Log Message:
Apply patch, requested by mrg in ticket #1551:

Avoid redefining functions.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.58.1 src/gnu/dist/gcc4/gcc/toplev.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/gnu/dist/gcc4/gcc/toplev.h
diff -u src/gnu/dist/gcc4/gcc/toplev.h:1.1.1.1 src/gnu/dist/gcc4/gcc/toplev.h:1.1.1.1.58.1
--- src/gnu/dist/gcc4/gcc/toplev.h:1.1.1.1	Thu Apr 20 10:19:17 2006
+++ src/gnu/dist/gcc4/gcc/toplev.h	Mon Jul  2 14:38:41 2018
@@ -158,6 +158,7 @@ extern int exact_log2  (
 /* Return floor of log2, with -1 for zero.  */
 extern int floor_log2  (unsigned HOST_WIDE_INT);
 
+#if 0 /* these are not valid, and break in GCC 5. */
 /* Inline versions of the above for speed.  */
 #if GCC_VERSION >= 3004
 # if HOST_BITS_PER_WIDE_INT == HOST_BITS_PER_LONG
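
Review bot: The comment on the added `#if 0` says only that the inline versions "are not valid"; name the actual conflict, which per the log message is that they redefine the exact_log2/floor_log2 functions declared extern just above. That keeps the reason with the code instead of only in the ticket.
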
@@ -183,6 +184,7 @@ exact_log2 (unsigned HOST_WIDE_INT x)
   return x == (x & -x) && x ? (int) CTZ_HWI (x) : -1;
 }
 #endif /* GCC_VERSION >= 3004 */
+#endif
 
 /* Functions used to get and set GCC's notion of in what directory
compilation was started.  */
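
Review bot: The added `#endif` is bare, while the one directly above it is annotated `#endif /* GCC_VERSION >= 3004 */`. Annotate the new one as well, for example `#endif /* 0 */`, so the nesting of the disabled block stays obvious.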



CVS commit: [netbsd-6-1] src/doc

2018-06-30 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Sat Jun 30 11:43:53 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1550


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.144 -r1.1.2.145 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.144 src/doc/CHANGES-6.1.6:1.1.2.145
--- src/doc/CHANGES-6.1.6:1.1.2.144	Thu Jun  7 18:04:56 2018
+++ src/doc/CHANGES-6.1.6	Sat Jun 30 11:43:53 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.144 2018/06/07 18:04:56 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.145 2018/06/30 11:43:53 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15170,3 +15170,8 @@ sys/arch/sparc64/conf/NONPLUS(patch)
 	Disable autoload of modules for svr4/svr4_32/ibcs2/freebsd.
 	[maxv, ticket #1500]
 
+xsrc/xfree/xc/programs/mkfontscale/ident.c	(apply patch)
+
+	Pass gzFile, not gzFile * to gzio functions.
+	[mrg, ticket #1550]
+



CVS commit: [netbsd-6-1] src/doc

2018-06-07 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Jun  7 18:04:56 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Amend ticket #1500


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.143 -r1.1.2.144 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.143 src/doc/CHANGES-6.1.6:1.1.2.144
--- src/doc/CHANGES-6.1.6:1.1.2.143	Tue May 22 14:45:21 2018
+++ src/doc/CHANGES-6.1.6	Thu Jun  7 18:04:56 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.143 2018/05/22 14:45:21 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.144 2018/06/07 18:04:56 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15162,6 +15162,8 @@ sys/arch/sparc/conf/MRCOFFEE(patch)
 sys/arch/sparc/conf/TADPOLE3GX(patch)
 sys/arch/sparc64/conf/GENERIC(patch)
 sys/arch/sparc64/conf/NONPLUS64(patch)
+sys/arch/sparc64/conf/GENERIC32(patch)
+sys/arch/sparc64/conf/NONPLUS(patch)
 
 	Disable compat_svr4 and compat_svr4_32 everywhere.
 	Disable compat_ibcs2 everywhere but on Vax.



CVS commit: [netbsd-6-1] src/sys/arch/sparc64/conf

2018-06-07 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Jun  7 18:04:12 UTC 2018

Modified Files:
src/sys/arch/sparc64/conf [netbsd-6-1]: GENERIC32 NONPLUS

Log Message:
Fix fallout from ticket #1500: COMPAT_SVR4* has been disabled, do not
disable it here again.


To generate a diff of this commit:
cvs rdiff -u -r1.140 -r1.140.118.1 src/sys/arch/sparc64/conf/GENERIC32
cvs rdiff -u -r1.58 -r1.58.118.1 src/sys/arch/sparc64/conf/NONPLUS

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/conf/GENERIC32
diff -u src/sys/arch/sparc64/conf/GENERIC32:1.140 src/sys/arch/sparc64/conf/GENERIC32:1.140.118.1
--- src/sys/arch/sparc64/conf/GENERIC32:1.140	Fri Jun 30 10:27:48 2006
+++ src/sys/arch/sparc64/conf/GENERIC32	Thu Jun  7 18:04:12 2018
@@ -1,13 +1,13 @@
-# $NetBSD: GENERIC32,v 1.140 2006/06/30 10:27:48 tsutsui Exp $
+# $NetBSD: GENERIC32,v 1.140.118.1 2018/06/07 18:04:12 martin Exp $
 #
 # GENERIC machine description file for 32-bit kernel
 #
 
 include 	"arch/sparc64/conf/GENERIC"
 
-#ident		"GENERIC32-$Revision: 1.140 $"
+#ident		"GENERIC32-$Revision: 1.140.118.1 $"
 
 include 	"arch/sparc64/conf/std.sparc64-32"
 
 no options 	COMPAT_NETBSD32
-no options 	COMPAT_SVR4_32
+#no options 	COMPAT_SVR4_32
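
Review bot: The commented-out `#no options COMPAT_SVR4_32` on the last line carries no explanation, so a later reader cannot tell it from a temporary toggle. Either delete the line or add a comment saying that COMPAT_SVR4_32 is no longer enabled by the included GENERIC, so there is nothing left for `no options` to remove.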

Index: src/sys/arch/sparc64/conf/NONPLUS
diff -u src/sys/arch/sparc64/conf/NONPLUS:1.58 src/sys/arch/sparc64/conf/NONPLUS:1.58.118.1
--- src/sys/arch/sparc64/conf/NONPLUS:1.58	Fri Jun 30 10:27:48 2006
+++ src/sys/arch/sparc64/conf/NONPLUS	Thu Jun  7 18:04:12 2018
@@ -1,9 +1,9 @@
-# 	$NetBSD: NONPLUS,v 1.58 2006/06/30 10:27:48 tsutsui Exp $
+# 	$NetBSD: NONPLUS,v 1.58.118.1 2018/06/07 18:04:12 martin Exp $
 
 include "arch/sparc64/conf/NONPLUS64"
 include "arch/sparc64/conf/std.sparc64-32"
 
-#ident 		"NONPLUS-$Revision: 1.58 $"
+#ident 		"NONPLUS-$Revision: 1.58.118.1 $"
 
 no options 	COMPAT_NETBSD32	# NetBSD/sparc binary compatibility
-no options 	COMPAT_SVR4_32	# 32-bit SVR4 binaries
+#no options 	COMPAT_SVR4_32	# 32-bit SVR4 binaries



CVS commit: [netbsd-6-1] src/doc

2018-05-22 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Tue May 22 14:45:21 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1500


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.142 -r1.1.2.143 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.142 src/doc/CHANGES-6.1.6:1.1.2.143
--- src/doc/CHANGES-6.1.6:1.1.2.142	Thu May 17 13:51:22 2018
+++ src/doc/CHANGES-6.1.6	Tue May 22 14:45:21 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.142 2018/05/17 13:51:22 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.143 2018/05/22 14:45:21 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15147,3 +15147,24 @@ sys/net/npf/npf_inet.c1.45 (patch)
 	Fix use-after-free.
 	[maxv, ticket #1549]
 
+sys/kern/kern_exec.c	(patch)
+sys/arch/amiga/conf/DRACO(patch)
+sys/arch/amiga/conf/GENERIC(patch)
+sys/arch/amiga/conf/GENERIC.in(patch)
+sys/arch/hp300/conf/GENERIC(patch)
+sys/arch/i386/conf/GENERIC(patch)
+sys/arch/i386/conf/XEN3_DOM0(patch)
+sys/arch/i386/conf/XEN3_DOMU(patch)
+sys/arch/sparc/conf/BILL-THE-CAT			(patch)
+sys/arch/sparc/conf/GENERIC(patch)
+sys/arch/sparc/conf/KRUPS(patch)
+sys/arch/sparc/conf/MRCOFFEE(patch)
+sys/arch/sparc/conf/TADPOLE3GX(patch)
+sys/arch/sparc64/conf/GENERIC(patch)
+sys/arch/sparc64/conf/NONPLUS64(patch)
+
+	Disable compat_svr4 and compat_svr4_32 everywhere.
+	Disable compat_ibcs2 everywhere but on Vax.
+	Disable autoload of modules for svr4/svr4_32/ibcs2/freebsd.
+	[maxv, ticket #1500]
+



CVS commit: [netbsd-6-1] src/sys

2018-05-22 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Tue May 22 14:44:31 UTC 2018

Modified Files:
src/sys/arch/amiga/conf [netbsd-6-1]: DRACO GENERIC GENERIC.in
src/sys/arch/hp300/conf [netbsd-6-1]: GENERIC
src/sys/arch/i386/conf [netbsd-6-1]: GENERIC XEN3_DOM0 XEN3_DOMU
src/sys/arch/sparc/conf [netbsd-6-1]: BILL-THE-CAT GENERIC KRUPS
MRCOFFEE TADPOLE3GX
src/sys/arch/sparc64/conf [netbsd-6-1]: GENERIC NONPLUS64
src/sys/kern [netbsd-6-1]: kern_exec.c

Log Message:
Apply patch requested by maxv in ticket #1500:

 * disable compat_svr4 and compat_svr4_32 everywhere
 * disable compat_ibcs2 everywhere but on Vax
 * remove the svr4/svr4_32/ibcs2/freebsd entries from the autoload list


To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.154.8.1 src/sys/arch/amiga/conf/DRACO
cvs rdiff -u -r1.284 -r1.284.8.1 src/sys/arch/amiga/conf/GENERIC
cvs rdiff -u -r1.96 -r1.96.8.1 src/sys/arch/amiga/conf/GENERIC.in
cvs rdiff -u -r1.169 -r1.169.8.1 src/sys/arch/hp300/conf/GENERIC
cvs rdiff -u -r1.1066.2.7.6.1 -r1.1066.2.7.6.2 src/sys/arch/i386/conf/GENERIC
cvs rdiff -u -r1.60.2.7 -r1.60.2.7.2.1 src/sys/arch/i386/conf/XEN3_DOM0
cvs rdiff -u -r1.41.2.2 -r1.41.2.2.6.1 src/sys/arch/i386/conf/XEN3_DOMU
cvs rdiff -u -r1.51 -r1.51.10.1 src/sys/arch/sparc/conf/BILL-THE-CAT
cvs rdiff -u -r1.230 -r1.230.8.1 src/sys/arch/sparc/conf/GENERIC
cvs rdiff -u -r1.56.4.1 -r1.56.4.1.6.1 src/sys/arch/sparc/conf/KRUPS
cvs rdiff -u -r1.34 -r1.34.10.1 src/sys/arch/sparc/conf/MRCOFFEE
cvs rdiff -u -r1.54.4.1 -r1.54.4.1.6.1 src/sys/arch/sparc/conf/TADPOLE3GX
cvs rdiff -u -r1.148.2.2 -r1.148.2.2.6.1 src/sys/arch/sparc64/conf/GENERIC
cvs rdiff -u -r1.34 -r1.34.10.1 src/sys/arch/sparc64/conf/NONPLUS64
cvs rdiff -u -r1.339.2.6.2.3 -r1.339.2.6.2.4 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amiga/conf/DRACO
diff -u src/sys/arch/amiga/conf/DRACO:1.154 src/sys/arch/amiga/conf/DRACO:1.154.8.1
--- src/sys/arch/amiga/conf/DRACO:1.154	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/DRACO	Tue May 22 14:44:30 2018
@@ -1,4 +1,4 @@
-# $NetBSD: DRACO,v 1.154 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: DRACO,v 1.154.8.1 2018/05/22 14:44:30 martin Exp $
 #
 # This file was automatically created.
 # Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.154 $"
+#ident 		"GENERIC-$Revision: 1.154.8.1 $"
 
 
 maxusers	8
@@ -143,7 +143,7 @@ options 	COMPAT_30	# NetBSD 3.0 compatib
 options 	COMPAT_40	# NetBSD 4.0 compatibility.
 options 	COMPAT_50	# NetBSD 5.0 compatibility.
 options 	COMPAT_SUNOS	# Support to run Sun (m68k) executables
-options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
+#options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
 options 	COMPAT_NOMID	# allow nonvalid machine id executables
 #options 	COMPAT_LINUX	# Support to run Linux/m68k executables
 
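
Review bot: The COMPAT_SVR4 line is commented out in a file whose header says it "was automatically created" and that "Changes will be lost when make is run in this directory". Make sure the same edit is in GENERIC.in, which is in the modified-files list for this commit, so regenerating DRACO does not silently re-enable COMPAT_SVR4.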

Index: src/sys/arch/amiga/conf/GENERIC
diff -u src/sys/arch/amiga/conf/GENERIC:1.284 src/sys/arch/amiga/conf/GENERIC:1.284.8.1
--- src/sys/arch/amiga/conf/GENERIC:1.284	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/GENERIC	Tue May 22 14:44:30 2018
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.284 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: GENERIC,v 1.284.8.1 2018/05/22 14:44:30 martin Exp $
 #
 # This file was automatically created.
 # Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.284 $"
+#ident 		"GENERIC-$Revision: 1.284.8.1 $"
 
 
 maxusers	8
@@ -155,7 +155,7 @@ options 	COMPAT_30	# NetBSD 3.0 compatib
 options 	COMPAT_40	# NetBSD 4.0 compatibility.
 options 	COMPAT_50	# NetBSD 5.0 compatibility.
 options 	COMPAT_SUNOS	# Support to run Sun (m68k) executables
-options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
+#options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
 options 	COMPAT_NOMID	# allow nonvalid machine id executables
 #options 	COMPAT_LINUX	# Support to run Linux/m68k executables
 

Index: src/sys/arch/amiga/conf/GENERIC.in
diff -u src/sys/arch/amiga/conf/GENERIC.in:1.96 src/sys/arch/amiga/conf/GENERIC.in:1.96.8.1
--- src/sys/arch/amiga/conf/GENERIC.in:1.96	Tue Jan 24 00:19:39 2012
+++ src/sys/arch/amiga/conf/GENERIC.in	Tue May 22 14:44:30 2018
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC.in,v 1.96 2012/01/24 00:19:39 rkujawa Exp $
+# $NetBSD: GENERIC.in,v 1.96.8.1 2018/05/22 14:44:30 martin Exp $
 #
 ##
 # GENERIC machine description file
@@ -52,7 +52,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.96 $"
+#ident 		"GENERIC-$Revision: 

CVS commit: [netbsd-6-1] src/doc

2018-05-17 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May 17 13:51:22 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1549


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.141 -r1.1.2.142 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.141 src/doc/CHANGES-6.1.6:1.1.2.142
--- src/doc/CHANGES-6.1.6:1.1.2.141	Thu May  3 15:05:21 2018
+++ src/doc/CHANGES-6.1.6	Thu May 17 13:51:22 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.141 2018/05/03 15:05:21 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.142 2018/05/17 13:51:22 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15141,3 +15141,9 @@ sys/kern/uipc_mbuf.c1.211 (patch)
 	the chain.
 	[maxv, ticket #1547]
 
+sys/net/npf/npf_alg_icmp.c			1.27,1.28 (patch)
+sys/net/npf/npf_inet.c1.45 (patch)
+
+	Fix use-after-free.
+	[maxv, ticket #1549]
+



CVS commit: [netbsd-6-1] src/sys/net/npf

2018-05-17 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May 17 13:47:24 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.


To generate a diff of this commit:
cvs rdiff -u -r1.8.4.7 -r1.8.4.7.2.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.10.4.9.2.1 -r1.10.4.9.2.2 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_alg_icmp.c
diff -u src/sys/net/npf/npf_alg_icmp.c:1.8.4.7 src/sys/net/npf/npf_alg_icmp.c:1.8.4.7.2.1
--- src/sys/net/npf/npf_alg_icmp.c:1.8.4.7	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf_alg_icmp.c	Thu May 17 13:47:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf_alg_icmp.c,v 1.8.4.7.2.1 2018/05/17 13:47:24 martin Exp $	*/
 
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7.2.1 2018/05/17 13:47:24 martin Exp $");
 
 #include 
 #include 
@@ -162,12 +162,14 @@ npfa_icmp_match(npf_cache_t *npc, nbuf_t
 /*
  * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query
  * ID or TCP/UDP ports of the original packet, which is embedded.
+ *
+ * => Sets hasqid=true if the packet has a Query Id. In this case neither
+ *the nbuf nor npc is touched.
  */
 
 static bool
-npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf)
+npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid)
 {
-	u_int offby;
 
 	/* Per RFC 792. */
 	switch (type) {
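
Review bot: In the lines shown, the new `hasqid` out-parameter of npfa_icmp4_inspect is only ever set to true, so the result is meaningful only if the caller initialises it to false. State that in the function comment, or set `*hasqid = false;` on entry. Removing `u_int offby;` also leaves a blank line as the first line of the function body.
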
@@ -191,12 +193,8 @@ npfa_icmp4_inspect(const int type, npf_c
 	case ICMP_TSTAMPREPLY:
 	case ICMP_IREQ:
 	case ICMP_IREQREPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp, icmp_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
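
Review bot: The query-ID cases no longer verify that the ID is present in the nbuf: the `nbuf_advance(nbuf, offby, sizeof(uint16_t))` test is removed and the case returns true unconditionally. Per the log message that guarantee now comes from npf_cache_all, which is outside this file's diff; add a comment here naming that dependency so the missing check is not mistaken for an oversight.
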
@@ -205,9 +203,8 @@ npfa_icmp4_inspect(const int type, npf_c
 }
 
 static bool
-npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf)
+npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid)
 {
-	u_int offby;
 
 	/* Per RFC 4443. */
 	switch (type) {
@@ -226,12 +223,8 @@ npfa_icmp6_inspect(const int type, npf_c
 
 	case ICMP6_ECHO_REQUEST:
 	case ICMP6_ECHO_REPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp6_hdr, icmp6_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -242,12 +235,12 @@ npfa_icmp6_inspect(const int type, npf_c
 /*
  * npfa_icmp_session: ALG ICMP inspector.
  *
- * => Returns true if "enpc" is filled.
+ * => Returns false if there is a problem with the format.
  */
 static bool
 npfa_icmp_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_cache_t *enpc)
 {
-	bool ret;
+	bool ret, hasqid = false;
 
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	KASSERT(npf_iscached(npc, NPC_ICMP));
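
Review bot: The block comment edited in this hunk is titled `npfa_icmp_session` but documents `npfa_icmp_inspect`; fix the name while the comment is being touched. The new text describes only the false return, so also say what a true return means now that it no longer implies "enpc" is filled.
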
@@ -265,10 +258,10 @@ npfa_icmp_inspect(npf_cache_t *npc, nbuf
 	 */
 	if (npf_iscached(npc, NPC_IP4)) {
 		const struct icmp *ic = npc->npc_l4.icmp;
-		ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf);
+		ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf, );
 	} else if 

CVS commit: [netbsd-6-1] src/doc

2018-05-03 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May  3 15:05:21 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Fix entry for ticket #1547


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.140 -r1.1.2.141 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.140 src/doc/CHANGES-6.1.6:1.1.2.141
--- src/doc/CHANGES-6.1.6:1.1.2.140	Thu May  3 15:01:58 2018
+++ src/doc/CHANGES-6.1.6	Thu May  3 15:05:21 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.140 2018/05/03 15:01:58 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.141 2018/05/03 15:05:21 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15135,7 +15135,7 @@ sys/netipsec/ipsec_output.c			1.67,1.75 
 	allow the function to fail (and drop the misformed packet).
 	[maxv, ticket #1546]
 
-sys/kern/uipc_mbuf.c1.211
+sys/kern/uipc_mbuf.c1.211 (patch)
 
 	Modify m_defrag, so that it never frees the first mbuf of
 	the chain.



CVS commit: [netbsd-6-1] src/doc

2018-05-03 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May  3 15:01:58 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Tickets #1546 and #1547


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.139 -r1.1.2.140 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.139 src/doc/CHANGES-6.1.6:1.1.2.140
--- src/doc/CHANGES-6.1.6:1.1.2.139	Wed Apr 18 07:19:52 2018
+++ src/doc/CHANGES-6.1.6	Thu May  3 15:01:58 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.139 2018/04/18 07:19:52 msaitoh Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.140 2018/05/03 15:01:58 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15128,3 +15128,16 @@ sys/netipsec/ipsec_mbuf.c			1.23-1.24
 	Don't assume M_PKTHDR is set only on the first mbuf of the chain.
 	Fix a pretty bad mistake (IPsec DoS).
 	[maxv, ticket #1545]
+
+sys/netipsec/ipsec_output.c			1.67,1.75 (patch)
+
+	compute_ipsec_pos: strengthen checks to avoid overruns,
+	allow the function to fail (and drop the misformed packet).
+	[maxv, ticket #1546]
+
+sys/kern/uipc_mbuf.c1.211
+
+	Modify m_defrag, so that it never frees the first mbuf of
+	the chain.
+	[maxv, ticket #1547]
+



CVS commit: [netbsd-6-1] src/sys/kern

2018-05-03 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May  3 15:01:20 UTC 2018

Modified Files:
src/sys/kern [netbsd-6-1]: uipc_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1547):

sys/kern/uipc_mbuf.c: revision 1.211 (via patch)

Modify m_defrag, so that it never frees the first mbuf of the chain. While
here use the given 'flags' argument, and not M_DONTWAIT.

We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.

This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).

Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.

It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.


To generate a diff of this commit:
cvs rdiff -u -r1.145.2.1 -r1.145.2.1.2.1 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.145.2.1 src/sys/kern/uipc_mbuf.c:1.145.2.1.2.1
--- src/sys/kern/uipc_mbuf.c:1.145.2.1	Fri Feb  8 19:18:12 2013
+++ src/sys/kern/uipc_mbuf.c	Thu May  3 15:01:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.145.2.1.2.1 2018/05/03 15:01:20 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1.2.1 2018/05/03 15:01:20 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -1266,30 +1266,35 @@ m_makewritable(struct mbuf **mp, int off
 }
 
 /*
- * Copy the mbuf chain to a new mbuf chain that is as short as possible.
- * Return the new mbuf chain on success, NULL on failure.  On success,
- * free the old mbuf chain.
+ * Compress the mbuf chain. Return the new mbuf chain on success, NULL on
+ * failure. The first mbuf is preserved, and on success the pointer returned
+ * is the same as the one passed.
  */
 struct mbuf *
 m_defrag(struct mbuf *mold, int flags)
 {
 	struct mbuf *m0, *mn, *n;
-	size_t sz = mold->m_pkthdr.len;
+	int sz;
 
 #ifdef DIAGNOSTIC
 	if ((mold->m_flags & M_PKTHDR) == 0)
 		panic("m_defrag: not a mbuf chain header");
 #endif
 
-	MGETHDR(m0, flags, MT_DATA);
+	if (mold->m_next == NULL)
+		return mold;
+
+	m0 = m_get(flags, MT_DATA);
 	if (m0 == NULL)
 		return NULL;
-	M_COPY_PKTHDR(m0, mold);
 	mn = m0;
 
+	sz = mold->m_pkthdr.len - mold->m_len;
+	KASSERT(sz >= 0);
+
 	do {
-		if (sz > MHLEN) {
-			MCLGET(mn, M_DONTWAIT);
+		if (sz > MLEN) {
+			MCLGET(mn, flags);
 			if ((mn->m_flags & M_EXT) == 0) {
 m_freem(m0);
 return NULL;
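
Review bot: `sz` changes from size_t to int, and `sz = mold->m_pkthdr.len - mold->m_len` is guarded only by `KASSERT(sz >= 0)`, which is a diagnostic assertion and not a runtime check in kernels built without DIAGNOSTIC. If m_pkthdr.len can ever be smaller than the first mbuf's m_len, return NULL explicitly rather than entering the loop with a negative size.
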
@@ -1305,7 +1310,7 @@ m_defrag(struct mbuf *mold, int flags)
 
 		if (sz > 0) {
 			/* need more mbufs */
-			MGET(n, M_NOWAIT, MT_DATA);
+			n = m_get(flags, MT_DATA);
 			if (n == NULL) {
 m_freem(m0);
 return NULL;
@@ -1316,9 +1321,10 @@ m_defrag(struct mbuf *mold, int flags)
 		}
 	} while (sz > 0);
 
-	m_freem(mold);
+	m_freem(mold->m_next);
+	mold->m_next = m0;
 
-	return m0;
+	return mold;
 }
 
 int
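
Review bot: With `mold->m_next = m0; return mold;` the result always keeps the original first mbuf, so a compressed chain has at least two mbufs and is no longer "as short as possible" as the removed comment promised. Callers that rely on m_defrag to get under a fixed segment limit should be checked against that, and the new comment could say so directly.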



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-05-03 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu May  3 14:36:30 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: ipsec_output.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1546):

sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.16.1 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.38 src/sys/netipsec/ipsec_output.c:1.38.16.1
--- src/sys/netipsec/ipsec_output.c:1.38	Tue Jan 10 20:01:57 2012
+++ src/sys/netipsec/ipsec_output.c	Thu May  3 14:36:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.38.16.1 2018/05/03 14:36:30 martin Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38.16.1 2018/05/03 14:36:30 martin Exp $");
 
 /*
  * IPsec output processing.
@@ -632,7 +632,7 @@ bad:
 #endif
 
 #ifdef INET6
-static void
+static int
 compute_ipsec_pos(struct mbuf *m, int *i, int *off)
 {
 	int nxt;
@@ -649,7 +649,11 @@ compute_ipsec_pos(struct mbuf *m, int *i
 	 * put AH/ESP/IPcomp header.
 	 *  IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
 	 */
-	do {
+	while (1) {
+		if (*i + sizeof(ip6e) > m->m_pkthdr.len) {
+			return EINVAL;
+		}
+
 		switch (nxt) {
 		case IPPROTO_AH:
 		case IPPROTO_ESP:
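
Review bot: The new length check sits at the top of the loop, before `switch (nxt)`, so it also runs on the iteration where nxt is AH/ESP or falls to `default` and no ip6e is read. A packet with fewer than sizeof(ip6e) bytes left at that point gets EINVAL and is dropped; if that is not intended, move the check next to the m_copydata() call in the HOPOPTS/DSTOPTS/ROUTING case.
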
@@ -658,7 +662,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should not skip security header added
 		 * beforehand.
 		 */
-			return;
+			return 0;
 
 		case IPPROTO_HOPOPTS:
 		case IPPROTO_DSTOPTS:
@@ -668,7 +672,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should stop there.
 		 */
 			if (nxt == IPPROTO_DSTOPTS && dstopt)
-return;
+return 0;
 
 			if (nxt == IPPROTO_DSTOPTS) {
 /*
@@ -688,16 +692,14 @@ compute_ipsec_pos(struct mbuf *m, int *i
 			m_copydata(m, *i, sizeof(ip6e), );
 			nxt = ip6e.ip6e_nxt;
 			*off = *i + offsetof(struct ip6_ext, ip6e_nxt);
-			/*
-			 * we will never see nxt == IPPROTO_AH
-			 * so it is safe to omit AH case.
-			 */
 			*i += (ip6e.ip6e_len + 1) << 3;
 			break;
 		default:
-			return;
+			return 0;
 		}
-	} while (*i < m->m_pkthdr.len);
+	}
+
+	return 0;
 }
 
 static int
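
Review bot: The `return 0;` added after the `while (1)` loop is unreachable: in the lines shown, every path out of the loop is a return and the only `break` leaves the switch, not the loop. Drop it or mark it /* NOTREACHED */ so it is not read as a normal exit path.
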
@@ -799,7 +801,9 @@ ipsec6_process_packet(
 		i = ip->ip_hl << 2;
 		off = offsetof(struct ip, ip_p);
 	} else {	
-		compute_ipsec_pos(m, , );
+		error = compute_ipsec_pos(m, , );
+		if (error)
+			goto bad;
 	}
 	error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
 	splx(s);
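
Review bot: The new `goto bad` is taken before the `splx(s)` that follows the xf_output call, and the `bad:` label is outside this hunk. Confirm that the bad path restores the interrupt level and frees `m`, since compute_ipsec_pos can now fail on a packet received from the network and forwarded.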

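A userland sketch of the bounds-checked extension-header walk that the log message above describes for compute_ipsec_pos. This is an added example, not NetBSD code: find_ipsec_pos, sample_pos and the sample packet are constructed for illustration, the protocol numbers are defined locally, and the destination-options handling is simplified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol numbers, defined locally so the example is self-contained. */
#define NXT_HOPOPTS 0
#define NXT_ROUTING 43
#define NXT_ESP     50
#define NXT_AH      51
#define NXT_DSTOPTS 60

#define IP6_HDR_LEN 40	/* fixed IPv6 header */
#define IP6_NXT_OFF 6	/* offset of Next Header in the fixed header */
#define IP6E_LEN    2	/* next-header byte + length byte of an extension */

/*
 * Hypothetical analogue of compute_ipsec_pos() over a flat buffer.
 * On success returns 0, *pos is where a security header would be inserted
 * and *nxt_off is the offset of the Next Header byte that would be patched.
 * Returns -1 instead of reading past the end of a malformed packet.
 */
int
find_ipsec_pos(const uint8_t *pkt, size_t len, size_t *pos, size_t *nxt_off)
{
	size_t i = IP6_HDR_LEN, off = IP6_NXT_OFF, step;
	int seen_dstopt = 0;
	uint8_t nxt;

	if (len < IP6_HDR_LEN)
		return -1;
	nxt = pkt[IP6_NXT_OFF];

	for (;;) {
		switch (nxt) {
		case NXT_HOPOPTS:
		case NXT_DSTOPTS:
		case NXT_ROUTING:
			/* Simplified: a DSTOPTS after DSTOPTS/ROUTING is dest2. */
			if (nxt == NXT_DSTOPTS && seen_dstopt)
				goto done;
			if (nxt != NXT_HOPOPTS)
				seen_dstopt = 1;

			/* Invariant: i <= len, so len - i cannot wrap. */
			if (len - i < IP6E_LEN)
				return -1;	/* header fields not in packet */
			step = ((size_t)pkt[i + 1] + 1) << 3;
			if (step > len - i)
				return -1;	/* declared length overruns */
			nxt = pkt[i];
			off = i;
			i += step;
			break;
		default:	/* AH, ESP, or an upper-layer protocol: stop here */
			goto done;
		}
	}
done:
	*pos = i;
	*nxt_off = off;
	return 0;
}

/*
 * Constructed sample: IPv6 | HBH (8 bytes) | DSTOPTS (8 bytes) | 8 payload
 * bytes. Returns the insertion offset for the first `len` bytes of it, with
 * the first Next Header and the HBH length byte overridden, or -1.
 */
long
sample_pos(size_t len, uint8_t first_nxt, uint8_t hbh_len)
{
	uint8_t pkt[64];
	size_t pos, off;

	if (len > sizeof(pkt))
		return -1;
	memset(pkt, 0, sizeof(pkt));
	pkt[0] = 0x60;			/* version 6 */
	pkt[IP6_NXT_OFF] = first_nxt;
	pkt[40] = NXT_DSTOPTS;		/* HBH: next header */
	pkt[41] = hbh_len;		/* HBH: length in 8-byte units, minus 1 */
	pkt[48] = 17;			/* DSTOPTS: next header is UDP */
	pkt[49] = 0;

	if (find_ipsec_pos(pkt, len, &pos, &off) != 0)
		return -1;
	return (long)pos;
}

int
main(void)
{
	printf("well-formed:        %ld\n", sample_pos(64, NXT_HOPOPTS, 0));
	printf("truncated at 41:    %ld\n", sample_pos(41, NXT_HOPOPTS, 0));
	printf("oversized ip6e_len: %ld\n", sample_pos(64, NXT_HOPOPTS, 255));
	printf("ESP, header only:   %ld\n", sample_pos(40, NXT_ESP, 0));
	return 0;
}
```

The length checks sit immediately before the two bytes are read, so a packet that ends right after its last header is still accepted when no further extension header has to be parsed.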


CVS commit: [netbsd-6-1] src/doc

2018-04-18 Thread SAITOH Masanobu
Module Name:    src
Committed By:   msaitoh
Date:   Wed Apr 18 07:19:52 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1545


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.138 -r1.1.2.139 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.138 src/doc/CHANGES-6.1.6:1.1.2.139
--- src/doc/CHANGES-6.1.6:1.1.2.138	Tue Apr 10 17:45:17 2018
+++ src/doc/CHANGES-6.1.6	Wed Apr 18 07:19:52 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.138 2018/04/10 17:45:17 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.139 2018/04/18 07:19:52 msaitoh Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15123,3 +15123,8 @@ usr.sbin/ypserv/ypserv/ypserv_proc.c		1.
 	procs to avoid returning stale request data to the client.
 	[christos, ticket #1528]
 
+sys/netipsec/ipsec_mbuf.c			1.23-1.24
+
+	Don't assume M_PKTHDR is set only on the first mbuf of the chain.
+	Fix a pretty bad mistake (IPsec DoS).
+	[maxv, ticket #1545]



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-04-18 Thread SAITOH Masanobu
Module Name:    src
Committed By:   msaitoh
Date:   Wed Apr 18 07:17:24 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: ipsec_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1545):
sys/netipsec/ipsec_mbuf.c: revision 1.23
sys/netipsec/ipsec_mbuf.c: revision 1.24
Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
should, but it looks like there are several places that can put M_PKTHDR
on secondary mbufs (PR/53189), so drop this assumption right now to
prevent further bugs.
The check is replaced by (m1 != m), which is equivalent to the previous
code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
m_adj().
Fix a pretty bad mistake, that has always been there.
	m_adj(m1, -(m1->m_len - roff));
	if (m1 != m)
		m->m_pkthdr.len -= (m1->m_len - roff);
This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.
Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.24.1 src/sys/netipsec/ipsec_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_mbuf.c
diff -u src/sys/netipsec/ipsec_mbuf.c:1.12 src/sys/netipsec/ipsec_mbuf.c:1.12.24.1
--- src/sys/netipsec/ipsec_mbuf.c:1.12	Mon May 16 10:05:23 2011
+++ src/sys/netipsec/ipsec_mbuf.c	Wed Apr 18 07:17:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $	*/
+/*	$NetBSD: ipsec_mbuf.c,v 1.12.24.1 2018/04/18 07:17:24 msaitoh Exp $	*/
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
  * All rights reserved.
@@ -28,7 +28,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12.24.1 2018/04/18 07:17:24 msaitoh Exp $");
 
 /*
  * IPsec-specific mbuf routines.
@@ -407,10 +407,11 @@ m_striphdr(struct mbuf *m, int skip, int
 		/* The header was at the beginning of the mbuf */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_FRONT);
 		m_adj(m1, hlen);
-		if ((m1->m_flags & M_PKTHDR) == 0)
+		if (m1 != m)
 			m->m_pkthdr.len -= hlen;
 	} else if (roff + hlen >= m1->m_len) {
 		struct mbuf *mo;
+		int adjlen;
 
 		/*
 		 * Part or all of the header is at the end of this mbuf,
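Review bot: the new "if (m1 != m)" test in the front-of-mbuf branch matches the old flag test only if the head mbuf m always carries M_PKTHDR, and nothing here checks that before m->m_pkthdr.len is written. Consider a KASSERT on (m->m_flags & M_PKTHDR) at the top of m_striphdr so a chain that breaks the assumption fails loudly. The added "int adjlen;" is first used in the following hunks; a short comment on what it holds would help.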
@@ -419,11 +420,13 @@ m_striphdr(struct mbuf *m, int skip, int
 		 */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_END);
 		if (roff + hlen > m1->m_len) {
+			adjlen = roff + hlen - m1->m_len;
+
 			/* Adjust the next mbuf by the remainder */
-			m_adj(m1->m_next, roff + hlen - m1->m_len);
+			m_adj(m1->m_next, adjlen);
 
 			/* The second mbuf is guaranteed not to have a pkthdr... */
-			m->m_pkthdr.len -= (roff + hlen - m1->m_len);
+			m->m_pkthdr.len -= adjlen;
 		}
 
 		/* Now, let's unlink the mbuf chain for a second...*/
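Review bot: the retained comment "The second mbuf is guaranteed not to have a pkthdr..." directly above "m->m_pkthdr.len -= adjlen;" now contradicts the log message, which says M_PKTHDR can appear on secondary mbufs (PR/53189). Reword it to state what the unconditional adjustment actually relies on, namely that m1->m_next is never m itself.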
@@ -431,9 +434,10 @@ m_striphdr(struct mbuf *m, int skip, int
 		m1->m_next = NULL;
 
 		/* ...and trim the end of the first part of the chain...sick */
-		m_adj(m1, -(m1->m_len - roff));
-		if ((m1->m_flags & M_PKTHDR) == 0)
-			m->m_pkthdr.len -= (m1->m_len - roff);
+		adjlen = m1->m_len - roff;
+		m_adj(m1, -adjlen);
+		if (m1 != m)
+			m->m_pkthdr.len -= adjlen;
 
 		/* Finally, let's relink */
 		m1->m_next = mo;
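Review bot: computing "adjlen = m1->m_len - roff;" before "m_adj(m1, -adjlen);" is the whole fix, yet nothing in the code says the order matters; add a comment that m_adj() changes m1->m_len so a later cleanup does not fold the expression back in. adjlen is also reused with a different meaning than in the block above (remainder taken from the next mbuf there, bytes trimmed from the tail here), so two locals or a comment at each assignment would read more clearly.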

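A toy model of the tail-trim bug described in the log message above, added here as an illustration and not NetBSD code: struct tmbuf, toy_m_adj() and the chain sizes are assumptions that mimic only the fields involved. It checks the invariant that the packet-header length equals the sum of the mbuf lengths, before and after the fix.

```c
#include <stddef.h>
#include <stdio.h>

#define M_PKTHDR 0x1	/* toy flag value, not the kernel's definition */

struct tmbuf {			/* hypothetical stand-in for struct mbuf */
	struct tmbuf *m_next;
	int m_len;		/* bytes of data held by this mbuf */
	int m_flags;
	int pkthdr_len;		/* stands in for m_pkthdr.len */
};

/* Toy m_adj() for the one case used here: trim -req_len bytes off the
 * tail of a single, unlinked mbuf. */
static void
toy_m_adj(struct tmbuf *mp, int req_len)
{
	int n = -req_len;

	if (n <= 0 || n > mp->m_len)
		return;
	mp->m_len -= n;
	if (mp->m_flags & M_PKTHDR)
		mp->pkthdr_len -= n;
}

/* Order of operations quoted in the log message as wrong. */
static void
trim_before_fix(struct tmbuf *m, struct tmbuf *m1, int roff)
{
	toy_m_adj(m1, -(m1->m_len - roff));
	if (m1 != m)
		m->pkthdr_len -= (m1->m_len - roff);	/* m_len is now roff: subtracts 0 */
}

/* Order of operations after the patch: capture the length first. */
static void
trim_after_fix(struct tmbuf *m, struct tmbuf *m1, int roff)
{
	int adjlen = m1->m_len - roff;

	toy_m_adj(m1, -adjlen);
	if (m1 != m)
		m->pkthdr_len -= adjlen;
}

static int
chain_len(const struct tmbuf *m)
{
	int total = 0;

	for (; m != NULL; m = m->m_next)
		total += m->m_len;
	return total;
}

/*
 * Constructed chain of 60 + 60 + 30 bytes. Strip the 40 bytes that end
 * mbuf `which` (0 = head, 1 = second) and return how far the recorded
 * packet length is from the real chain length (0 means consistent).
 */
static int
drift_after_strip(int which, int fixed)
{
	struct tmbuf c = { NULL, 30, 0, 0 };
	struct tmbuf b = { &c, 60, 0, 0 };
	struct tmbuf a = { &b, 60, M_PKTHDR, 150 };
	struct tmbuf *m = &a, *m1 = which ? &b : &a, *mo;
	int roff = 20;			/* header occupies bytes 20..59 of m1 */

	mo = m1->m_next;		/* unlink, as m_striphdr does */
	m1->m_next = NULL;
	if (fixed)
		trim_after_fix(m, m1, roff);
	else
		trim_before_fix(m, m1, roff);
	m1->m_next = mo;		/* relink */
	return m->pkthdr_len - chain_len(m);
}

int
main(void)
{
	printf("second mbuf, before fix: drift %d\n", drift_after_strip(1, 0));
	printf("second mbuf, after fix:  drift %d\n", drift_after_strip(1, 1));
	printf("head mbuf, before fix:   drift %d\n", drift_after_strip(0, 0));
	printf("head mbuf, after fix:    drift %d\n", drift_after_strip(0, 1));
	return 0;
}
```

A non-zero drift means later code trusting the packet-header length would believe the chain holds more data than it does.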


CVS commit: [netbsd-6-1] src/doc

2018-04-10 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Apr 10 17:45:17 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1528


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.137 -r1.1.2.138 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.137 src/doc/CHANGES-6.1.6:1.1.2.138
--- src/doc/CHANGES-6.1.6:1.1.2.137	Tue Apr 10 11:29:28 2018
+++ src/doc/CHANGES-6.1.6	Tue Apr 10 17:45:17 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.137 2018/04/10 11:29:28 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.138 2018/04/10 17:45:17 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15117,3 +15117,9 @@ sys/arch/amiga/amiga/cc.c			1.27 (patch)
 	Fix a spl(9) leak.
 	[msaitoh, ticket #1544]
 
+usr.sbin/ypserv/ypserv/ypserv_proc.c		1.18 via patch
+
+	PR/47615: Always zero out the result structs in the svc
+	procs to avoid returning stale request data to the client.
+	[christos, ticket #1528]
+



CVS commit: [netbsd-6-1] src/usr.sbin/ypserv/ypserv

2018-04-10 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Apr 10 17:44:17 UTC 2018

Modified Files:
src/usr.sbin/ypserv/ypserv [netbsd-6-1]: ypserv_proc.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1528):
usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18 via patch
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.16.16.1 src/usr.sbin/ypserv/ypserv/ypserv_proc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/ypserv/ypserv/ypserv_proc.c
diff -u src/usr.sbin/ypserv/ypserv/ypserv_proc.c:1.16 src/usr.sbin/ypserv/ypserv/ypserv_proc.c:1.16.16.1
--- src/usr.sbin/ypserv/ypserv/ypserv_proc.c:1.16	Tue Aug 30 17:06:22 2011
+++ src/usr.sbin/ypserv/ypserv/ypserv_proc.c	Tue Apr 10 17:44:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ypserv_proc.c,v 1.16 2011/08/30 17:06:22 plunky Exp $	*/
+/*	$NetBSD: ypserv_proc.c,v 1.16.16.1 2018/04/10 17:44:16 snj Exp $	*/
 
 /*
  * Copyright (c) 1994 Mats O Jansson 
@@ -28,7 +28,7 @@
 
 #include 
 #ifndef lint
-__RCSID("$NetBSD: ypserv_proc.c,v 1.16 2011/08/30 17:06:22 plunky Exp $");
+__RCSID("$NetBSD: ypserv_proc.c,v 1.16.16.1 2018/04/10 17:44:16 snj Exp $");
 #endif
 
 #include 
@@ -163,10 +163,11 @@ ypproc_match_2_svc(void *argp, struct sv
 	"key %.*s", clientstr, TORF(secure), k->domain, k->map,
 	k->keydat.dsize, k->keydat.dptr));
 
-	if (secure && securecheck(caller))
+	if (secure && securecheck(caller)) {
+		memset(, 0, sizeof(res));
 		res.status = YP_YPERR;
-	else
-		res = ypdb_get_record(k->domain, k->map, k->keydat, FALSE);
+	} else
+		res = ypdb_get_record(k->domain, k->map, k->keydat, secure);
 
 	return ((void *));
 }
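Review bot: the last argument of ypdb_get_record() changes from FALSE to secure in the else branch, a behaviour change that neither the log message nor the CHANGES entry mentions (both speak only of zeroing the result structs). Record it in the log or split it out, and confirm that the difference from the first_2 and next_2 hunks, which keep FALSE, is intended.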
@@ -190,9 +191,10 @@ ypproc_first_2_svc(void *argp, struct sv
 	"first_2: request from %.500s, secure %s, domain %s, map %s",
 	clientstr, TORF(secure), k->domain, k->map));
 
-	if (secure && securecheck(caller))
+	if (secure && securecheck(caller)) {
+		memset(, 0, sizeof(res));
 		res.status = YP_YPERR;
-	else
+	} else
 		res = ypdb_get_first(k->domain, k->map, FALSE);
 
 	return ((void *));
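Review bot: "} else" followed by an unbraced "res = ypdb_get_first(...)" leaves one arm of the if braced and the other not, while the order_2 hunk in this same patch braces every arm. Brace the else here as well (and in the next_2 and master_2 hunks) so the patch is consistent.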
@@ -218,9 +220,10 @@ ypproc_next_2_svc(void *argp, struct svc
 	"key %.*s", clientstr, TORF(secure), k->domain, k->map,
 	k->keydat.dsize, k->keydat.dptr));
 
-	if (secure && securecheck(caller))
+	if (secure && securecheck(caller)) {
+		memset(, 0, sizeof(res));
 		res.status = YP_YPERR;
-	else
+	} else
 		res = ypdb_get_next(k->domain, k->map, k->keydat, FALSE);
 
 	return ((void *));
@@ -326,6 +329,7 @@ ypproc_all_2_svc(void *argp, struct svc_
 	(void)memset(, 0, sizeof(res));
 
 	if (secure && securecheck(caller)) {
+		memset(, 0, sizeof(res));
 		res.ypresp_all_u.val.status = YP_YPERR;
 		return ();
 	}
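Review bot: the memset added inside the "if (secure && securecheck(caller))" block is redundant, because the first context line of this hunk already clears res unconditionally and nothing visible writes to res in between. Drop the added line; if it stays, it should at least carry the (void) cast the existing call uses.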
@@ -368,9 +372,10 @@ ypproc_master_2_svc(void *argp, struct s
 	"master_2: request from %.500s, secure %s, domain %s, map %s",
 	clientstr, TORF(secure), k->domain, k->map));
 
-	if (secure && securecheck(caller))
+	if (secure && securecheck(caller)) {
+		memset(, 0, sizeof(res));
 		res.status = YP_YPERR;
-	else
+	} else
 		res = ypdb_get_master(k->domain, k->map);
 
 	/*
@@ -409,12 +414,15 @@ ypproc_order_2_svc(void *argp, struct sv
 	"order_2: request from %.500s, secure %s, domain %s, map %s",
 	clientstr, TORF(secure), k->domain, k->map));
 
-	if (secure && securecheck(caller))
+	if (secure && securecheck(caller)) {
+		memset(, 0, sizeof(res));
 		res.status = YP_YPERR;
-	else if (_yp_invalid_map(k->map))
+	} else if (_yp_invalid_map(k->map)) {
+		memset(, 0, sizeof(res));
 		res.status = YP_NOMAP;
-	else
+	} else {
 		res = ypdb_get_order(k->domain, k->map);
+	}
 
 	return ((void *));
 }
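Review bot: the YP_YPERR and YP_NOMAP arms each repeat the same memset of res before setting res.status. One memset ahead of the if chain would cover both arms and any arm added later, which is the pattern ypproc_all_2_svc already uses, and the final else overwrites res wholesale anyway.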
@@ -446,7 +454,7 @@ ypproc_maplist_2_svc(void *argp, struct 
 	(void)snprintf(domain_path, sizeof(domain_path), "%s/%s", YP_DB_PATH,
 	domain);
 
-	res.list = NULL;
+	memset(, 0, sizeof(res));
 	status = YP_TRUE;
 
 	if ((stat(domain_path, ) != 0) || !S_ISDIR(finfo.st_mode)) {



CVS commit: [netbsd-6-1] src/doc

2018-04-10 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Apr 10 11:29:28 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1544


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.136 -r1.1.2.137 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.136 src/doc/CHANGES-6.1.6:1.1.2.137
--- src/doc/CHANGES-6.1.6:1.1.2.136	Mon Apr  9 13:08:25 2018
+++ src/doc/CHANGES-6.1.6	Tue Apr 10 11:29:28 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.136 2018/04/09 13:08:25 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.137 2018/04/10 11:29:28 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15112,3 +15112,8 @@ external/gpl3/binutils/dist/bfd/elflink.
 	indirectness first.
 	[joerg, ticket #1543]
 
+sys/arch/amiga/amiga/cc.c			1.27 (patch)
+
+	Fix a spl(9) leak.
+	[msaitoh, ticket #1544]
+



CVS commit: [netbsd-6-1] src/sys/arch/amiga/amiga

2018-04-10 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Apr 10 11:28:56 UTC 2018

Modified Files:
src/sys/arch/amiga/amiga [netbsd-6-1]: cc.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1544):

sys/arch/amiga/amiga/cc.c: revision 1.27 (patch)

spl leak, found by mootja


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.28.1 src/sys/arch/amiga/amiga/cc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amiga/amiga/cc.c
diff -u src/sys/arch/amiga/amiga/cc.c:1.22 src/sys/arch/amiga/amiga/cc.c:1.22.28.1
--- src/sys/arch/amiga/amiga/cc.c:1.22	Mon Dec 20 00:25:25 2010
+++ src/sys/arch/amiga/amiga/cc.c	Tue Apr 10 11:28:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $	*/
+/*	$NetBSD: cc.c,v 1.22.28.1 2018/04/10 11:28:56 martin Exp $	*/
 
 /*
  * Copyright (c) 1994 Christian E. Hopps
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22.28.1 2018/04/10 11:28:56 martin Exp $");
 
 #include 
 #include 
@@ -504,9 +504,10 @@ alloc_chipmem(u_long size)
 	while (size > mn->size && mn != (void *)_list)
 		mn = mn->free_link.cqe_next;
 
-	if (mn == (void *)_list)
+	if (mn == (void *)_list) {
+		splx(s);
 		return(NULL);
-
+	}
 	if ((mn->size - size) <= sizeof (*mn)) {
 		/*
 		 * our allocation would not leave room
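Review bot: adding "splx(s);" by hand in front of this one early "return(NULL);" fixes the leak here but leaves alloc_chipmem depending on every future early return remembering to restore the level. A single exit label that does the splx(s) and returns would make that structural. The hunk also deletes the blank line that separated the early-return block from the next if; keep it.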



CVS commit: [netbsd-6-1] src/doc

2018-04-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Apr  9 13:08:25 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1543


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.135 -r1.1.2.136 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.135 src/doc/CHANGES-6.1.6:1.1.2.136
--- src/doc/CHANGES-6.1.6:1.1.2.135	Thu Apr  5 11:36:31 2018
+++ src/doc/CHANGES-6.1.6	Mon Apr  9 13:08:25 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.135 2018/04/05 11:36:31 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.136 2018/04/09 13:08:25 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15105,3 +15105,10 @@ sys/net/npf/npf.h1.55
 	Fix an integer overflow that allows incoming IPv6 packets
 	to bypass a certain number of filtering rules.
 	[maxv, ticket #1542]
+
+external/gpl3/binutils/dist/bfd/elflink.c	1.14 (patch)
+
+	When trying to decide the status of a weak symbol, resolve any
+	indirectness first.
+	[joerg, ticket #1543]
+



CVS commit: [netbsd-6-1] src/external/gpl3/binutils/dist/bfd

2018-04-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Apr  9 13:01:37 UTC 2018

Modified Files:
src/external/gpl3/binutils/dist/bfd [netbsd-6-1]: elflink.c

Log Message:
Pull up following revision(s) (requested by joerg in ticket #1543):

external/gpl3/binutils/dist/bfd/elflink.c: revision 1.14 (patch)

When trying to decide the status of a weak symbol, resolve any
indirectness first. In the case of various Qt5 libraries, __bss_start
ends up with a Qt5 version, but it has to be resolved first to match the
actual (implicit) definition. This fixes the root cause of pkg/53089.


To generate a diff of this commit:
cvs rdiff -u -r1.5.2.1 -r1.5.2.1.6.1 \
src/external/gpl3/binutils/dist/bfd/elflink.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/gpl3/binutils/dist/bfd/elflink.c
diff -u src/external/gpl3/binutils/dist/bfd/elflink.c:1.5.2.1 src/external/gpl3/binutils/dist/bfd/elflink.c:1.5.2.1.6.1
--- src/external/gpl3/binutils/dist/bfd/elflink.c:1.5.2.1	Tue Apr  3 15:54:48 2012
+++ src/external/gpl3/binutils/dist/bfd/elflink.c	Mon Apr  9 13:01:37 2018
@@ -2528,9 +2528,10 @@ _bfd_elf_fix_symbol_flags (struct elf_li
  over to the real definition.  */
   if (h->u.weakdef != NULL)
 {
-  struct elf_link_hash_entry *weakdef;
+  struct elf_link_hash_entry *weakdef = h->u.weakdef;
+  while (weakdef->root.type == bfd_link_hash_indirect)
+weakdef = (struct elf_link_hash_entry *) weakdef->root.u.i.link;
 
-  weakdef = h->u.weakdef;
   if (h->root.type == bfd_link_hash_indirect)
 	h = (struct elf_link_hash_entry *) h->root.u.i.link;
 
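Review bot: weakdef is now resolved with a while loop over bfd_link_hash_indirect, but h two lines below is still resolved with a single if, so a chain of more than one indirection is followed for one symbol and not for the other. Either loop for h as well or add a comment saying why a single hop is enough there.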



CVS commit: [netbsd-6-1] src/doc

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:36:31 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1542


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.134 -r1.1.2.135 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.134 src/doc/CHANGES-6.1.6:1.1.2.135
--- src/doc/CHANGES-6.1.6:1.1.2.134	Sun Apr  1 09:24:07 2018
+++ src/doc/CHANGES-6.1.6	Thu Apr  5 11:36:31 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.134 2018/04/01 09:24:07 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.135 2018/04/05 11:36:31 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15100,3 +15100,8 @@ sys/netinet6/raw_ip6.c1.161
 	Fix use-after-free.
 	[maxv, ticket #1541]
 
+sys/net/npf/npf.h1.55
+
+	Fix an integer overflow that allows incoming IPv6 packets
+	to bypass a certain number of filtering rules.
+	[maxv, ticket #1542]



CVS commit: [netbsd-6-1] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:35:58 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.12.2.1
--- src/sys/net/npf/npf.h:1.14.2.12	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:35:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf.h,v 1.14.2.12.2.1 2018/04/05 11:35:57 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -99,7 +99,7 @@ typedef struct {
 	npf_addr_t *		npc_dstip;
 	/* Size (v4 or v6) of IP addresses. */
 	uint8_t			npc_alen;
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 	/* IPv4, IPv6. */
 	union {
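Review bot: widening npc_hlen to uint32_t removes the wrap, but the log message itself notes that npf_cache_ip may advance npc_hlen past the end of the mbuf, and this change adds no bound on it. That check belongs with this fix or in a follow-up ticket referenced from here. The 32-bit member placed between "uint8_t npc_alen" and "uint16_t npc_proto" also changes the struct layout, which is worth a glance for anything that depends on its size.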

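The header-length arithmetic from the log message above, worked through on a buffer laid out as in its "Simple example". This is an added illustration, not NPF code: cache_ip6(), struct hdr_cache, the bounds checks and the two port values (1111 crafted, 2222 real) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IP6_HDR = 40, NH_UDP = 17, NH_ROUTING = 43, NH_DSTOPTS = 60 };
enum { PKT_LEN = 312, CRAFTED_PORT = 1111, REAL_PORT = 2222 };	/* constructed */

struct hdr_cache {		/* hypothetical, mirrors only npc_hlen */
	uint8_t  hlen8;		/* npc_hlen as uint8_t (before the fix) */
	uint32_t hlen32;	/* npc_hlen as uint32_t (after the fix) */
	uint8_t  proto;		/* upper-layer protocol after the chain */
};

/* Walk the extension headers, accumulating the header length in both
 * widths. Returns -1 if the chain would leave the buffer. */
static int
cache_ip6(const uint8_t *pkt, size_t len, struct hdr_cache *c)
{
	size_t off = IP6_HDR;
	uint8_t nxt;

	if (len < IP6_HDR)
		return -1;
	nxt = pkt[6];				/* ip6_nxt */
	c->hlen8 = IP6_HDR;
	c->hlen32 = IP6_HDR;
	while (nxt == NH_ROUTING || nxt == NH_DSTOPTS) {
		size_t elen;

		if (len - off < 8)
			return -1;
		elen = ((size_t)pkt[off + 1] + 1) * 8;	/* (length field + 1) * 8 */
		if (len - off < elen)
			return -1;
		nxt = pkt[off];
		off += elen;
		c->hlen8 = (uint8_t)(c->hlen8 + elen);	/* wraps modulo 256 */
		c->hlen32 += (uint32_t)elen;
	}
	c->proto = nxt;
	return 0;
}

/* Destination port of a UDP header at `off`, or -1 if out of bounds. */
static int
udp_dport(const uint8_t *pkt, size_t len, size_t off)
{
	if (off > len || len - off < 8)
		return -1;
	return (pkt[off + 2] << 8) | pkt[off + 3];
}

static void
put_udp(uint8_t *p, unsigned dport)
{
	p[2] = (uint8_t)(dport >> 8);
	p[3] = (uint8_t)(dport & 0xff);
	p[5] = 8;				/* UDP length: header only */
}

/* Constructed buffer with the offsets listed in the log message. */
static size_t
build_sample(uint8_t pkt[PKT_LEN])
{
	memset(pkt, 0, PKT_LEN);
	pkt[0] = 0x60;				/* IPv6 */
	pkt[6] = NH_ROUTING;
	pkt[40] = NH_DSTOPTS;			/* routing header at +40 */
	pkt[41] = 31;				/* ip6r_len = 31 -> 256 bytes */
	put_udp(pkt + 48, CRAFTED_PORT);	/* inside the routing header body */
	pkt[296] = NH_UDP;			/* dest header at +296 */
	pkt[297] = 0;				/* ip6e_len = 0 -> 8 bytes */
	put_udp(pkt + 304, REAL_PORT);		/* real UDP header at +304 */
	return PKT_LEN;
}

/* Header length cached for the sample, in the old or the fixed width. */
static long
sample_hlen(int fixed)
{
	uint8_t pkt[PKT_LEN];
	struct hdr_cache c;

	if (cache_ip6(pkt, build_sample(pkt), &c) != 0)
		return -1;
	return fixed ? (long)c.hlen32 : (long)c.hlen8;
}

/* Port a filter would match on when it trusts the cached length. */
static int
port_seen(int fixed)
{
	uint8_t pkt[PKT_LEN];
	struct hdr_cache c;
	size_t len = build_sample(pkt);

	if (cache_ip6(pkt, len, &c) != 0 || c.proto != NH_UDP)
		return -1;
	return udp_dport(pkt, len, fixed ? c.hlen32 : c.hlen8);
}

int
main(void)
{
	printf("uint8_t  hlen=%ld port=%d\n", sample_hlen(0), port_seen(0));
	printf("uint32_t hlen=%ld port=%d\n", sample_hlen(1), port_seen(1));
	return 0;
}
```

With the 8-bit field, 40 + 256 + 8 = 304 is stored as 48, which is exactly the offset of the crafted header; with the 32-bit field the filter and the IPv6 stack agree on offset 304.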


CVS commit: [netbsd-6-1] src/doc

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:24:07 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Tickets #1540 and #1541


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.133 -r1.1.2.134 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.133 src/doc/CHANGES-6.1.6:1.1.2.134
--- src/doc/CHANGES-6.1.6:1.1.2.133	Mon Mar 26 12:20:00 2018
+++ src/doc/CHANGES-6.1.6	Sun Apr  1 09:24:07 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.133 2018/03/26 12:20:00 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.134 2018/04/01 09:24:07 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15089,3 +15089,14 @@ distrib/sets/lists/base/mi			1.1164
 
 	Updated tzdata to 2018d.
 	[kre, ticket #1539]
+
+sys/netinet6/ip6_forward.c			1.91 (patch)
+
+	Fix two IPv6 ipsec use-after-free issues.
+	[maxv, ticket #1540]
+
+sys/netinet6/raw_ip6.c1.161
+
+	Fix use-after-free.
+	[maxv, ticket #1541]
+



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:23:39 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1541):

sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.


To generate a diff of this commit:
cvs rdiff -u -r1.109.8.1 -r1.109.8.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.109.8.1 src/sys/netinet6/raw_ip6.c:1.109.8.2
--- src/sys/netinet6/raw_ip6.c:1.109.8.1	Tue Jan 30 18:45:59 2018
+++ src/sys/netinet6/raw_ip6.c	Sun Apr  1 09:23:39 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.109.8.1 2018/01/30 18:45:59 martin Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.109.8.2 2018/04/01 09:23:39 martin Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.8.1 2018/01/30 18:45:59 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.8.2 2018/04/01 09:23:39 martin Exp $");
 
 #include "opt_ipsec.h"
 
@@ -502,6 +502,7 @@ rip6_output(struct mbuf *m, struct socke
 
 	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
 	in6p->in6p_cksum != -1) {
+		const uint8_t nxt = ip6->ip6_nxt;
 		int off;
 		u_int16_t sum;
 
@@ -523,7 +524,7 @@ rip6_output(struct mbuf *m, struct socke
 			error = ENOBUFS;
 			goto bad;
 		}
-		sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+		sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
 		m = m_copyback_cow(m, off, sizeof(sum), (void *),
 		M_DONTWAIT);
 		if (m == NULL) {
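Review bot: after this change ip6 is still a live-looking pointer into a buffer that, per the log message, the first m_copyback_cow may have freed, and a second m_copyback_cow follows in this hunk. Nothing stops a later edit from dereferencing ip6 again; add a comment at the "const uint8_t nxt" declaration saying why the value is cached, or re-derive or clear ip6 after the calls.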



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:19:32 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1540):

sys/netinet6/ip6_forward.c: revision 1.91 (via patch)

Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed,
and a 'goto out' is missing after ipsec6_process_packet.


To generate a diff of this commit:
cvs rdiff -u -r1.69.8.1 -r1.69.8.2 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.69.8.1 src/sys/netinet6/ip6_forward.c:1.69.8.2
--- src/sys/netinet6/ip6_forward.c:1.69.8.1	Tue Mar 13 16:43:04 2018
+++ src/sys/netinet6/ip6_forward.c	Sun Apr  1 09:19:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69.8.2 2018/04/01 09:19:32 martin Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.2 2018/04/01 09:19:32 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -361,9 +361,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		 * because we asked key management for an SA and
 		 * it was delayed (e.g. kicked up to IKE).
 		 */
-	if (error == -EINVAL)
-		error = 0;
-	goto freecopy;
+		if (error == -EINVAL)
+			error = 0;
+		m_freem(m);
+		goto freecopy;
 	}
 #endif /* FAST_IPSEC */
 
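Review bot: the only functional change in this hunk is the added "m_freem(m);", but the three surrounding lines are reindented at the same time, so the fix is easy to miss when auditing the pullup. Keep the whitespace change separate, and add a comment that m is not consumed when ipsec6_check_policy fails, which is why it must be freed here.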
@@ -467,8 +468,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		s = splsoftnet();
 		error = ipsec6_process_packet(m,sp->req);
 		splx(s);
+		/* m is freed */
 		if (mcopy)
 			goto freecopy;
+		return;
 }
 #endif   
 
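Review bot: the log message says a 'goto out' was missing after ipsec6_process_packet, but the hunk adds a bare "return;" instead, and the value stored in error just above is never looked at on that path. Note in the log why return is used on this branch, and extend "/* m is freed */" to name ipsec6_process_packet as the call that consumes m.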



CVS commit: [netbsd-6-1] src/doc

2018-03-26 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Mar 26 12:20:00 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Amend ticket #1539


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.132 -r1.1.2.133 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.132 src/doc/CHANGES-6.1.6:1.1.2.133
--- src/doc/CHANGES-6.1.6:1.1.2.132	Sun Mar 25 18:36:12 2018
+++ src/doc/CHANGES-6.1.6	Mon Mar 26 12:20:00 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.132 2018/03/25 18:36:12 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.133 2018/03/26 12:20:00 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15061,7 +15061,6 @@ sys/netipsec/ipsec_input.c			1.57-1.58
 	[maxv, ticket #1536]
 
 external/public-domain/tz/dist/CONTRIBUTING up to 1.1.1.5
-external/public-domain/tz/dist/Makefile up to 1.1.1.20
 external/public-domain/tz/dist/NEWS up to 1.1.1.21
 external/public-domain/tz/dist/README   up to 1.1.1.6
 external/public-domain/tz/dist/TZDATA_VERSION   up to 1.11



CVS commit: [netbsd-6-1] src/share/zoneinfo

2018-03-26 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Mar 26 12:19:22 UTC 2018

Modified Files:
src/share/zoneinfo [netbsd-6-1]: Makefile

Log Message:
Back out all changes to this file accidentally included in the pullup of
ticket #1539.


To generate a diff of this commit:
cvs rdiff -u -r1.43.18.3 -r1.43.18.4 src/share/zoneinfo/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/zoneinfo/Makefile
diff -u src/share/zoneinfo/Makefile:1.43.18.3 src/share/zoneinfo/Makefile:1.43.18.4
--- src/share/zoneinfo/Makefile:1.43.18.3	Sun Mar 25 18:35:29 2018
+++ src/share/zoneinfo/Makefile	Mon Mar 26 12:19:22 2018
@@ -1,43 +1,19 @@
-# This file is in the public domain, so clarified as of
-# 2009-05-17 by Arthur David Olson.
+#	$NetBSD: Makefile,v 1.43.18.4 2018/03/26 12:19:22 martin Exp $
 
-# Package name for the code distribution.
-PACKAGE=	tzcode
+.include 
 
-# Version number for the distribution, overridden in the 'tarballs' rule below.
-VERSION=	unknown
+TZDISTDIR=${.CURDIR}
 
-# Email address for bug reports.
-BUGEMAIL=	t...@iana.org
-
-# Choose source data features.  To get new features right away, use:
-#	DATAFORM=	vanguard
-# To wait a while before using new features, to give downstream users
-# time to upgrade zic (the default), use:
-#	DATAFORM=	main
-# To wait even longer for new features, use:
-#	DATAFORM=	rearguard
-DATAFORM=		main
-
-# Change the line below for your time zone (after finding the zone you want in
-# the time zone files, or adding it to a time zone file).
-# Alternately, if you discover you've got the wrong time zone, you can just
-#	zic -l rightzone
-# to correct things.
-# Use the command
-#	make zonenames
-# to get a list of the values you can use for LOCALTIME.
-
-LOCALTIME=	GMT
+.PATH: ${TZDISTDIR}
 
 # If you want something other than Eastern United States time as a template
 # for handling POSIX-style time zone environment variables,
 # change the line below (after finding the zone you want in the
 # time zone files, or adding it to a time zone file).
-# When a POSIX-style environment variable is handled, the rules in the
+# (When a POSIX-style environment variable is handled, the rules in the
 # template file are used to determine "spring forward" and "fall back" days and
 # times; the environment variable itself specifies UT offsets of standard and
-# daylight saving time.
+# summer time.)
 # Alternately, if you discover you've got the wrong time zone, you can just
 #	zic -p rightzone
 # to correct things.
@@ -48,72 +24,18 @@ LOCALTIME=	GMT
 
 POSIXRULES=	America/New_York
 
-# Also see TZDEFRULESTRING below, which takes effect only
-# if the time zone files cannot be accessed.
-
-
-# Installation locations.
-#
-# The defaults are suitable for Debian, except that if REDO is
-# posix_right or right_posix then files that Debian puts under
-# /usr/share/zoneinfo/posix and /usr/share/zoneinfo/right are instead
-# put under /usr/share/zoneinfo-posix and /usr/share/zoneinfo-leaps,
-# respectively.  Problems with the Debian approach are discussed in
-# the commentary for the right_posix rule (below).
-
-# Destination directory, which can be used for staging.
-# 'make DESTDIR=/stage install' installs under /stage (e.g., to
-# /stage/etc/localtime instead of to /etc/localtime).  Files under
-# /stage are not intended to work as-is, but can be copied by hand to
-# the root directory later.  If DESTDIR is empty, 'make install' does
-# not stage, but installs directly into production locations.
-DESTDIR =
-
-# Everything is installed into subdirectories of TOPDIR, and used there.
-# TOPDIR should be empty (meaning the root directory),
-# or a directory name that does not end in "/".
-# TOPDIR should be empty or an absolute name unless you're just testing.
-TOPDIR =
-
-# The default local time zone is taken from the file TZDEFAULT.
-TZDEFAULT = $(TOPDIR)/etc/localtime
-
-# The subdirectory containing installed program and data files, and
-# likewise for installed files that can be shared among architectures.
-# These should be relative file names.
-USRDIR = usr
-USRSHAREDIR = $(USRDIR)/share
-
 # "Compiled" time zone information is placed in the "TZDIR" directory
 # (and subdirectories).
-# TZDIR_BASENAME should not contain "/" and should not be ".", ".." or empty.
-TZDIR_BASENAME=	zoneinfo
-TZDIR = $(TOPDIR)/$(USRSHAREDIR)/$(TZDIR_BASENAME)
-
-# The "tzselect" and (if you do "make INSTALL") "date" commands go in:
-BINDIR = $(TOPDIR)/$(USRDIR)/bin
-
-# The "zdump" command goes in:
-ZDUMPDIR = $(BINDIR)
-
-# The "zic" command goes in:
-ZICDIR = $(TOPDIR)/$(USRDIR)/sbin
+# Use an absolute path name for TZDIR unless you're just testing the software.
+# Note: ${DESTDIR} is prepended to this for the actual copy.
 
-# Manual pages go in subdirectories of. . .
-MANDIR = $(TOPDIR)/$(USRSHAREDIR)/man
+TZDIR=	/usr/share/zoneinfo
 
-# Library functions are put in an archive in LIBDIR.

CVS commit: [netbsd-6-1] src/doc

2018-03-25 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Mar 25 18:36:12 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1539


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.131 -r1.1.2.132 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.131 src/doc/CHANGES-6.1.6:1.1.2.132
--- src/doc/CHANGES-6.1.6:1.1.2.131	Tue Mar 13 18:02:25 2018
+++ src/doc/CHANGES-6.1.6	Sun Mar 25 18:36:12 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.131 2018/03/13 18:02:25 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.132 2018/03/25 18:36:12 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15060,3 +15060,33 @@ sys/netipsec/ipsec_input.c			1.57-1.58
 	Fix out-of-bounds read.
 	[maxv, ticket #1536]
 
+external/public-domain/tz/dist/CONTRIBUTING up to 1.1.1.5
+external/public-domain/tz/dist/Makefile up to 1.1.1.20
+external/public-domain/tz/dist/NEWS up to 1.1.1.21
+external/public-domain/tz/dist/README   up to 1.1.1.6
+external/public-domain/tz/dist/TZDATA_VERSION   up to 1.11
+external/public-domain/tz/dist/africa   up to 1.1.1.14
+external/public-domain/tz/dist/antarctica   up to 1.1.1.10
+external/public-domain/tz/dist/asia up to 1.1.1.19
+external/public-domain/tz/dist/australasia  up to 1.1.1.14
+external/public-domain/tz/dist/backzone up to 1.1.1.14
+external/public-domain/tz/dist/calendarsup to 1.1.1.1
+external/public-domain/tz/dist/checktab.awk up to 1.1.1.9
+external/public-domain/tz/dist/europe   up to 1.1.1.20
+external/public-domain/tz/dist/leap-seconds.list up to 1.1.1.9
+external/public-domain/tz/dist/leapseconds  up to 1.1.1.10
+external/public-domain/tz/dist/northamerica up to 1.1.1.19
+external/public-domain/tz/dist/southamerica up to 1.1.1.14
+external/public-domain/tz/dist/theory.html  up to 1.1.1.3
+external/public-domain/tz/dist/version  up to 1.1.1.8
+external/public-domain/tz/dist/ziguard.awk  up to 1.1.1.1
+external/public-domain/tz/dist/zishrink.awk up to 1.1.1.3
+external/public-domain/tz/dist/zone.tab up to 1.1.1.14
+external/public-domain/tz/dist/zone1970.tab up to 1.1.1.16
+	(with external/public-domain/tz/dist -> share/zoneinfo)
+share/zoneinfo/Theory   		delete
+doc/3RDPARTY	(patch)
+distrib/sets/lists/base/mi			1.1164
+
+	Updated tzdata to 2018d.
+	[kre, ticket #1539]



CVS commit: [netbsd-6-1] src/doc

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 18:02:25 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1518-1520, 1532, 1535, 1536


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.130 -r1.1.2.131 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.130 src/doc/CHANGES-6.1.6:1.1.2.131
--- src/doc/CHANGES-6.1.6:1.1.2.130	Sat Mar  3 20:51:09 2018
+++ src/doc/CHANGES-6.1.6	Tue Mar 13 18:02:25 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.130 2018/03/03 20:51:09 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.131 2018/03/13 18:02:25 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15024,3 +15024,39 @@ sys/sys/cprng.h	patch
 	/dev/random.
 	[riastradh, ticket #1512]
 
+sys/netinet6/ip6_forward.c			1.89-1.90 via patch
+
+	Fix use-after-free of mbuf in ip6flow_create and ip6flow_create.
+	[ozaki-r, ticket #1518]
+
+sys/arch/sparc/sparc/timer.c			1.33-1.34 via patch
+sys/arch/sparc/sparc/timer_sun4m.c		1.31 via patch
+sys/arch/sparc/sparc/timerreg.h			1.10 via patch
+
+	Fix time goes backwards problems on sparc.
+	[mrg, ticket #1519]
+
+bin/ksh/history.c1.18 via patch
+
+	Use 0600 as the mode for histfile.  PR bin/52480
+	[maya, ticket #1520]
+
+sys/netipsec/xform_ah.c1.77 via patch
+sys/netipsec/xform_esp.c			1.73 via patch
+sys/netipsec/xform_ipip.c			1.56-1.57 via patch
+
+	Several fixes in IPsec: strengthen sanity checks (AH/ESP), and
+	fix possible use-after-free (Tunnel).
+	[maxv, ticket #1532]
+
+sys/net/if_mpls.c1.31-1.33 via patch
+sys/netmpls/mpls_ttl.c1.9 via patch
+
+   	Fix several memory corruptions and inconsistencies in MPLS.
+	[maxv, ticket #1535]
+
+sys/netipsec/ipsec_input.c			1.57-1.58
+
+	Fix out-of-bounds read.
+	[maxv, ticket #1536]
+
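Review bot: The ticket #1518 entry names the same function twice ("in ip6flow_create and ip6flow_create"); word it the way the pull-up log for ip6_forward.c does, "Fix use-after-free of mbuf by ip6flow_create". The MPLS entry also cites [maxv, ticket #1535], while the pull-up log for if_mpls.c and mpls_ttl.c says the change was requested by uwe in ticket #1534; the two records should be reconciled.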



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:47:13 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1536):
sys/netipsec/ipsec_input.c: 1.57-1.58
Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we
may crash here. Triggerable remotely, but after authentication, by sending
an AH packet that has a one-byte-sized IPIP payload.
--
Argh, in my previous commit in this file I forgot to fix the IPv6
entry point; apply the same fix there.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.16.1 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.29 src/sys/netipsec/ipsec_input.c:1.29.16.1
--- src/sys/netipsec/ipsec_input.c:1.29	Wed Jan 25 21:58:10 2012
+++ src/sys/netipsec/ipsec_input.c	Tue Mar 13 17:47:12 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.29.16.1 2018/03/13 17:47:12 snj Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29.16.1 2018/03/13 17:47:12 snj Exp $");
 
 /*
  * IPsec input processing.
@@ -332,14 +332,15 @@ ipsec4_common_input_cb(struct mbuf *m, s
 	ip->ip_len = htons(m->m_pkthdr.len);
 	prot = ip->ip_p;
 
+#ifdef notyet
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), );
 
-#ifdef notyet
 		/* XXX PROXY address isn't recorded in SAH */
 		/*
 		 * Check that the inner source address is the same as
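Review bot: The "XXX: check m_pkthdr.len" comment added above m_copydata() in the IPPROTO_IPIP branch records the missing length check without implementing it; the crash is avoided only because the whole branch now sits under #ifdef notyet. Before this code is re-enabled it should jump to bad unless m->m_pkthdr.len is at least (ip->ip_hl << 2) + sizeof(struct ip), and the comment should state that condition so it is not left for the next reader to work out.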
@@ -367,7 +368,6 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #if INET6
 	/* IPv6-in-IP encapsulation. */
@@ -375,9 +375,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -403,9 +403,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET6 */
+#endif /* notyet */
 
 	/*
 	 * Record what we've done to the packet (under what SA it was
@@ -651,15 +651,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	/* Save protocol */
 	m_copydata(m, protoff, 1, );
 
+#ifdef notyet
 #ifdef INET
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
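Review bot: In the IPv6 entry point the inner header is copied from offset skip rather than ip->ip_hl << 2, so the check the XXX comment asks for is m->m_pkthdr.len >= skip + sizeof(struct ip) here, and skip + sizeof(struct ip6_hdr) in the IPPROTO_IPV6 branch that follows. Since the two entry points use different offsets, spell the expected bound out in each comment instead of repeating the same generic XXX.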
@@ -683,18 +684,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET */
-
 	/* IPv6-in-IP encapsulation */
 	if (prot == IPPROTO_IPV6) {
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -719,8 +718,8 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
+#endif /* notyet */
 
 	/*
 	 * Record what we've done to the packet (under what SA it was



CVS commit: [netbsd-6-1] src/sys

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:42:39 UTC 2018

Modified Files:
src/sys/net [netbsd-6-1]: if_mpls.c
src/sys/netmpls [netbsd-6-1]: mpls_ttl.c

Log Message:
Pull up following revision(s) (requested by uwe in ticket #1534):
sys/net/if_mpls.c: 1.31-1.33 via patch
sys/netmpls/mpls_ttl.c: 1.9 via patch
Style, and fix several bugs:
 - ip4_check(), mpls_unlabel_inet() and mpls_unlabel_inet6() perform
   pullups, so we need to pass the updated pointers back
 - in mpls_lse() the route is not always freed
Looks a little better now.
--
Kick MPLS packets earlier.
--
Several changes:
 * In mpls_unlabel_inet, copy the label locally. It's not incorrect to
   keep a pointer on the mbuf, but it's bug-friendly.
 * In mpls_label_inetX, fix the length check. Meanwhile add an XXX: we
   just want to make sure that m_copydata won't fail, but if we were
   guaranteed that m has M_PKTHDR set, we could simply check the length
   against m->m_pkthdr.len.


To generate a diff of this commit:
cvs rdiff -u -r1.8.22.1 -r1.8.22.2 src/sys/net/if_mpls.c
cvs rdiff -u -r1.3 -r1.3.32.1 src/sys/netmpls/mpls_ttl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_mpls.c
diff -u src/sys/net/if_mpls.c:1.8.22.1 src/sys/net/if_mpls.c:1.8.22.2
--- src/sys/net/if_mpls.c:1.8.22.1	Tue Jul 30 03:06:42 2013
+++ src/sys/net/if_mpls.c	Tue Mar 13 17:42:39 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_mpls.c,v 1.8.22.1 2013/07/30 03:06:42 msaitoh Exp $ */
+/*	$NetBSD: if_mpls.c,v 1.8.22.2 2018/03/13 17:42:39 snj Exp $ */
 
 /*
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.22.1 2013/07/30 03:06:42 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.22.2 2018/03/13 17:42:39 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_mpls.h"
@@ -83,12 +83,12 @@ static int mpls_send_frame(struct mbuf *
 static int mpls_lse(struct mbuf *);
 
 #ifdef INET
-static int mpls_unlabel_inet(struct mbuf *);
+static struct mbuf *mpls_unlabel_inet(struct mbuf *, int *error);
 static struct mbuf *mpls_label_inet(struct mbuf *, union mpls_shim *, uint);
 #endif
 
 #ifdef INET6
-static int mpls_unlabel_inet6(struct mbuf *);
+static struct mbuf *mpls_unlabel_inet6(struct mbuf *, int *error);
 static struct mbuf *mpls_label_inet6(struct mbuf *, union mpls_shim *, uint);
 #endif
 
@@ -308,6 +308,12 @@ mpls_lse(struct mbuf *m)
 	int error = ENOBUFS;
 	uint psize = sizeof(struct sockaddr_mpls);
 
+	/* If we're not accepting MPLS frames, leave now. */
+	if (!mpls_accept) {
+		error = EINVAL;
+		goto done;
+	}
+
 	if (m->m_len < sizeof(union mpls_shim) &&
 	(m = m_pullup(m, sizeof(union mpls_shim))) == NULL)
 		goto done;
@@ -316,10 +322,7 @@ mpls_lse(struct mbuf *m)
 	dst.smpls_family = AF_MPLS;
 	dst.smpls_addr.s_addr = ntohl(mtod(m, union mpls_shim *)->s_addr);
 
-	/* Check if we're accepting MPLS Frames */
 	error = EINVAL;
-	if (!mpls_accept)
-		goto done;
 
 	/* TTL decrement */
 	if ((m = mpls_ttl_dec(m)) == NULL)
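Review bot: With the mpls_accept test moved to the top of mpls_lse(), the bare "error = EINVAL;" left in front of the TTL decrement has lost the comment that explained it. It now only sets the default error for the mpls_ttl_dec() failure and the code after it, so a one-line comment saying so would keep it from being removed later as a leftover.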
@@ -331,15 +334,17 @@ mpls_lse(struct mbuf *m)
 #ifdef INET
 		case MPLS_LABEL_IPV4NULL:
 			/* Pop shim and push mbuf to IP stack */
-			if (dst.smpls_addr.shim.bos)
-error = mpls_unlabel_inet(m);
+			if (dst.smpls_addr.shim.bos) {
+m = mpls_unlabel_inet(m, );
+			}
 			break;
 #endif
 #ifdef INET6
 		case MPLS_LABEL_IPV6NULL:
 			/* Pop shim and push mbuf to IPv6 stack */
-			if (dst.smpls_addr.shim.bos)
-error = mpls_unlabel_inet6(m);
+			if (dst.smpls_addr.shim.bos) {
+m = mpls_unlabel_inet6(m, );
+			}
 			break;
 #endif
 		case MPLS_LABEL_RTALERT:	/* Yeah, I'm all alerted */
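Review bot: Both call sites now overwrite m with the return value of mpls_unlabel_inet() and mpls_unlabel_inet6(), but nothing here says what a non-NULL return means. The comments say the mbuf is pushed to the IP stack, so if the function hands back an mbuf it has already queued, the code after the switch would be operating on a packet it no longer owns. Document the ownership contract above the prototypes (for example: returns NULL once the mbuf has been consumed or freed, with *error set on failure) so the caller's handling at done can be checked against it.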
@@ -393,8 +398,10 @@ mpls_lse(struct mbuf *m)
 		tshim.shim.bos = tshim.shim.exp = 0;
 		tshim.shim.ttl = mpls_defttl;
 		if (tshim.shim.label != MPLS_LABEL_IMPLNULL &&
-		((m = mpls_prepend_shim(m, )) == NULL))
-			return ENOBUFS;
+		((m = mpls_prepend_shim(m, )) == NULL)) {
+			error = ENOBUFS;
+			goto done;
+		}
 		psize += sizeof(tshim);
 	}
 
@@ -439,11 +446,9 @@ mpls_send_frame(struct mbuf *m, struct i
 	return 0;
 }
 
-
-
 #ifdef INET
-static int
-mpls_unlabel_inet(struct mbuf *m)
+static struct mbuf *
+mpls_unlabel_inet(struct mbuf *m, int *error)
 {
 	int s, iphlen;
 	struct ip *iph;
@@ -451,7 +456,6 @@ mpls_unlabel_inet(struct mbuf *m)
 	struct ifqueue *inq;
 
 	if (mpls_mapttl_inet || mpls_mapprec_inet) {
-
 		/* get shim info */
 		ms = mtod(m, union mpls_shim *);
 		ms->s_addr = ntohl(ms->s_addr);
@@ -460,23 +464,29 @@ mpls_unlabel_inet(struct mbuf *m)
 		m_adj(m, sizeof(union mpls_shim));
 
 		/* get ip header */
-		if (m->m_len < sizeof (struct ip) &&
-		(m = m_pullup(m, sizeof(struct ip))) == NULL)
-			return ENOBUFS;
+		if (m->m_len < sizeof(struct ip) &&
+		(m = m_pullup(m, sizeof(struct ip))) == NULL) {
+			*error = ENOBUFS;
+			return NULL;
+		}
+
 		iph = mtod(m, struct ip *);
 		

CVS commit: [netbsd-6-1] src/sys/netipsec

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:18:14 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ah.c xform_esp.c xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1532):
sys/netipsec/xform_ah.c: 1.77 via patch
sys/netipsec/xform_esp.c: 1.73 via patch
sys/netipsec/xform_ipip.c: 1.56-1.57 via patch
Reinforce and clarify.
--
Add missing NULL check. Normally that's not triggerable remotely, since we
are guaranteed that 8 bytes are valid at mbuf+skip.
--
Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:
218 ipo = mtod(m, struct ip *);
281 m = m_pullup(m, hlen);
232 ipo->ip_src.s_addr
Found by Mootja.
Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.
--
As I said in my last commit in this file, ipo should be set to NULL;
otherwise the 'local address spoofing' check below is always wrong on
IPv6.


To generate a diff of this commit:
cvs rdiff -u -r1.37.8.3 -r1.37.8.4 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.40 -r1.40.8.1 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.28.22.1 -r1.28.22.2 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.8.3 src/sys/netipsec/xform_ah.c:1.37.8.4
--- src/sys/netipsec/xform_ah.c:1.37.8.3	Thu Feb 15 16:49:35 2018
+++ src/sys/netipsec/xform_ah.c	Tue Mar 13 17:18:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.8.3 2018/02/15 16:49:35 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.8.4 2018/03/13 17:18:14 snj Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.3 2018/02/15 16:49:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.4 2018/03/13 17:18:14 snj Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -498,54 +498,45 @@ ah_massage_headers(struct mbuf **m0, int
 
 		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
 
-		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
+		for (off = 0; off < skip - sizeof(struct ip6_hdr);) {
+			int noff;
+
 			switch (nxt) {
 			case IPPROTO_HOPOPTS:
 			case IPPROTO_DSTOPTS:
-ip6e = (struct ip6_ext *) (ptr + off);
+ip6e = (struct ip6_ext *)(ptr + off);
+noff = off + ((ip6e->ip6e_len + 1) << 3);
+
+/* Sanity check. */
+if (noff > skip - sizeof(struct ip6_hdr)) {
+	goto error6;
+}
 
 /*
- * Process the mutable/immutable
- * options -- borrows heavily from the
- * KAME code.
+ * Zero out mutable options.
  */
 for (count = off + sizeof(struct ip6_ext);
- count < off + ((ip6e->ip6e_len + 1) << 3);) {
+ count < noff;) {
 	if (ptr[count] == IP6OPT_PAD1) {
 		count++;
-		continue; /* Skip padding. */
-	}
-
-	/* Sanity check. */
-	if (count > off +
-	((ip6e->ip6e_len + 1) << 3)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
+		continue;
 	}
 
 	ad = ptr[count + 1] + 2;
 
-	/* If mutable option, zeroize. */
-	if (ptr[count] & IP6OPT_MUTABLE)
-		memcpy(ptr + count, ipseczeroes,
-		ad);
+	if (count + ad > noff) {
+		goto error6;
+	}
+
+	if (ptr[count] & IP6OPT_MUTABLE) {
+		memset(ptr + count, 0, ad);
+	}
 
 	count += ad;
+}
 
-	/* Sanity check. */
-	if (count >
-	skip - sizeof(struct ip6_hdr)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
-	}
+if (count != noff) {
+	goto error6;
 }
 
 /* Advance. */
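Review bot: In the option loop, "ad = ptr[count + 1] + 2" reads the option length byte before "count + ad > noff" is tested, so when count == noff - 1 and the option is not Pad1 the byte at ptr[noff] is read, one past the extension header that was just validated. Add a "count + 1 >= noff" test that goes to error6 ahead of the read. Separately, noff is an int compared against skip - sizeof(struct ip6_hdr), which is evaluated as unsigned; an explicit cast or a short comment would make the intended arithmetic clear.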
@@ -603,11 +594,13 @@ ah_massage_headers(struct mbuf **m0, int
 			default:
 DPRINTF(("ah_massage_headers: unexpected "
 "IPv6 header type %d", off));
+error6:
 if (alloc)
 	free(ptr, M_XDATA);
 m_freem(m);
 return EINVAL;
 			}
+		}
 
 		/* Copyback and free, if we allocated. */
 		if (alloc) {
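Review bot: The error6 label sits inside the default: case, after the DPRINTF, and is reached by goto from the HOPOPTS/DSTOPTS case above it. That works, but a jump into the middle of another case is easy to break in a later edit; a cleanup label placed after the for loop would be clearer. In the same case, the DPRINTF prints off under the text "unexpected IPv6 header type", where nxt looks like the intended value.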

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.40 src/sys/netipsec/xform_esp.c:1.40.8.1
--- src/sys/netipsec/xform_esp.c:1.40	Wed Jan 25 20:31:23 2012
+++ src/sys/netipsec/xform_esp.c	Tue Mar 13 17:18:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.40.8.1 2018/03/13 17:18:14 snj Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 

CVS commit: [netbsd-6-1] src/bin/ksh

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 17:01:56 UTC 2018

Modified Files:
src/bin/ksh [netbsd-6-1]: history.c

Log Message:
Pull up following revision(s) (requested by maya in ticket #1520):
bin/ksh/history.c: 1.18
Use 0600 as the mode for histfile here too.
pointed out by John D. Baker in PR bin/52480


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.18.1 src/bin/ksh/history.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/bin/ksh/history.c
diff -u src/bin/ksh/history.c:1.11 src/bin/ksh/history.c:1.11.18.1
--- src/bin/ksh/history.c:1.11	Wed Aug 31 16:24:54 2011
+++ src/bin/ksh/history.c	Tue Mar 13 17:01:55 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: history.c,v 1.11 2011/08/31 16:24:54 plunky Exp $	*/
+/*	$NetBSD: history.c,v 1.11.18.1 2018/03/13 17:01:55 snj Exp $	*/
 
 /*
  * command history
@@ -19,7 +19,7 @@
 #include 
 
 #ifndef lint
-__RCSID("$NetBSD: history.c,v 1.11 2011/08/31 16:24:54 plunky Exp $");
+__RCSID("$NetBSD: history.c,v 1.11.18.1 2018/03/13 17:01:55 snj Exp $");
 #endif
 
 
@@ -757,7 +757,7 @@ hist_finish()
   else
 hp = histlist;
 
-  fd = open(hname, O_WRONLY | O_CREAT | O_TRUNC | O_EXLOCK, 0777);
+  fd = open(hname, O_WRONLY | O_CREAT | O_TRUNC | O_EXLOCK, 0600);
   /* Remove anything written before we got the lock */
   ftruncate(fd, 0);
   if (fd >= 0 && (fh = fdopen(fd, "w"))) {
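Review bot: The 0600 mode passed to open() only takes effect when O_CREAT actually creates the file, so a history file that already exists with wider permissions from the old 0777 mode keeps them. Consider an fchmod(fd, 0600) once the descriptor is open so existing files are tightened as well. In the context lines, ftruncate(fd, 0) also runs before the fd >= 0 test; moving it inside the if would avoid calling it on a failed open.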



CVS commit: [netbsd-6-1] src/sys/arch/sparc/sparc

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 16:48:03 UTC 2018

Modified Files:
src/sys/arch/sparc/sparc [netbsd-6-1]: timer.c timer_sun4m.c timerreg.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1519):
sys/arch/sparc/sparc/timer_sun4m.c: 1.33 1.34 1.31
sys/arch/sparc/sparc/timer.c: 1.33
sys/arch/sparc/sparc/timer.c: 1.33 1.34
sys/arch/sparc/sparc/timerreg.h: 1.33 1.34 1.31 1.10
fix time goes backwards problems on sparc.
there are a few things here:
- there's a race between reading the limit register (which clears
  the interrupt and the limit bit) and increasing the latest offset.
  this can happen easily if an interrupt comes between the read and
  the call to tickle_tc() that increases the offset (i observed this
  actually happening.)
- in early boot, sometimes the counter can cycle twice before the
  tickle happens.
to handle these issues, add two workarounds:
- if the limit bit isn't set, but the counter value is less than
  the previous value, and the offset hasn't changed, use the same
  fixup as if the limit bit was set.  this handles the first case
  above.
- add a hard-workaround for never allowing returning a smaller
  value (except during 32 bit overflow): if the result is less than
  the last result, add fixups until it does (or until it would
  overflow.)
the first workaround fixes general run-time issues, and the second
fixes issues only seen during boot.
also expand some comments in timer_sun4m.c and re-enable the sun4m
sub-microsecond tmr_ustolim4m() support (but it's always called with
at least 'tick' microseconds, so the end result is the same.)
fix hang at 4B microseconds (1h12 or so), and simplify part of the previous


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.14.1 src/sys/arch/sparc/sparc/timer.c
cvs rdiff -u -r1.28 -r1.28.22.1 src/sys/arch/sparc/sparc/timer_sun4m.c
cvs rdiff -u -r1.9 -r1.9.134.1 src/sys/arch/sparc/sparc/timerreg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc/sparc/timer.c
diff -u src/sys/arch/sparc/sparc/timer.c:1.29 src/sys/arch/sparc/sparc/timer.c:1.29.14.1
--- src/sys/arch/sparc/sparc/timer.c:1.29	Sun Jul 17 23:18:23 2011
+++ src/sys/arch/sparc/sparc/timer.c	Tue Mar 13 16:48:03 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $ */
+/*	$NetBSD: timer.c,v 1.29.14.1 2018/03/13 16:48:03 snj Exp $ */
 
 /*
  * Copyright (c) 1992, 1993
@@ -60,7 +60,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29.14.1 2018/03/13 16:48:03 snj Exp $");
 
 #include 
 #include 
@@ -83,56 +83,93 @@ static u_int timer_get_timecount(struct 
  * timecounter local state
  */
 static struct counter {
-	volatile u_int *cntreg;	/* counter register */
+	__cpu_simple_lock_t lock; /* protects access to offset, reg, last* */
+	volatile u_int *cntreg;	/* counter register to read */
 	u_int limit;		/* limit we count up to */
 	u_int offset;		/* accumulated offet due to wraps */
 	u_int shift;		/* scaling for valid bits */
 	u_int mask;		/* valid bit mask */
-} cntr;
+	u_int lastcnt;		/* the last* values are used to notice */
+	u_int lastres;		/* and fix up cases where it would appear */
+	u_int lastoffset;	/* time went backwards. */
+} cntr __aligned(CACHE_LINE_SIZE);
 
 /*
  * define timecounter
  */
 
 static struct timecounter counter_timecounter = {
-	timer_get_timecount,	/* get_timecount */
-	0,			/* no poll_pps */
-	~0u,			/* counter_mask */
-	0,  /* frequency - set at initialisation */
-	"timer-counter",	/* name */
-	100,			/* quality */
-/* private reference */
+	.tc_get_timecount =	timer_get_timecount,
+	.tc_poll_pps =		NULL,
+	.tc_counter_mask =	~0u,
+	.tc_frequency =		0,
+	.tc_name =		"timer-counter",
+	.tc_quality =		100,
+	.tc_priv =		,
 };
 
 /*
  * timer_get_timecount provide current counter value
  */
+__attribute__((__optimize__("Os")))
 static u_int
 timer_get_timecount(struct timecounter *tc)
 {
-	struct counter *ctr = (struct counter *)tc->tc_priv;
-
-	u_int c, res, r;
+	u_int cnt, res, fixup, offset;
 	int s;
 
-
+	/*
+	 * We use splhigh/__cpu_simple_lock here as we don't want
+	 * any mutex or lockdebug overhead.  The lock protects a
+	 * bunch of the members of cntr that are written here to
+	 * deal with the various minor races to be observed and
+	 * worked around.
+	 */
 	s = splhigh();
 
-	res = c = *ctr->cntreg;
+	__cpu_simple_lock();
+	res = cnt = *cntr.cntreg;
 
 	res  &= ~TMR_LIMIT;
+	offset = cntr.offset;
 
-	if (c != res) {
-		r = ctr->limit;
+	/*
+	 * There are 3 cases here:
+	 * - limit reached, interrupt not yet processed.
+	 * - count reset but offset the same, race between handling
+	 *   the interrupt and tickle_tc() updating the offset.
+	 * - normal case.
+	 *
+	 * For the first two cases, add the 
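Review bot: __attribute__((__optimize__("Os"))) is added to timer_get_timecount() without a comment, and the log message does not mention it; say in a comment why this function needs its own optimisation level, otherwise nobody will know when it is safe to drop. The comment on the new lock member lists "offset, reg, last*", but the struct has no member named reg (the register pointer is cntreg), so the list of protected fields should use the real names.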

CVS commit: [netbsd-6-1] src/sys/netinet6

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 16:43:05 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1518):
sys/netinet6/ip6_forward.c: 1.89-1.90 via patch
Fix use-after-free of mbuf by ip6flow_create
This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd.
--
Fix use-after-free of mbuf by ip6flow_create (one more)


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.69.8.1 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.69 src/sys/netinet6/ip6_forward.c:1.69.8.1
--- src/sys/netinet6/ip6_forward.c:1.69	Mon Dec 19 11:59:58 2011
+++ src/sys/netinet6/ip6_forward.c	Tue Mar 13 16:43:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -645,8 +645,8 @@ ip6_forward(struct mbuf *m, int srcrt)
 			IP6_STATINC(IP6_STAT_REDIRECTSENT);
 		else {
 #ifdef GATEWAY
-			if (m->m_flags & M_CANFASTFWD)
-ip6flow_create(_forward_rt, m);
+			if (mcopy->m_flags & M_CANFASTFWD)
+ip6flow_create(_forward_rt, mcopy);
 #endif
 			if (mcopy)
 goto freecopy;
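Review bot: mcopy->m_flags is dereferenced unconditionally in the GATEWAY block, yet the very next statement tests "if (mcopy)", so this path is evidently reachable with mcopy == NULL. Guard the new test, e.g. "if (mcopy != NULL && (mcopy->m_flags & M_CANFASTFWD))", or add a comment explaining why mcopy cannot be NULL at this point.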



CVS commit: [netbsd-6-1] src/doc

2018-03-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar  3 20:51:09 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1512


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.129 -r1.1.2.130 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.129 src/doc/CHANGES-6.1.6:1.1.2.130
--- src/doc/CHANGES-6.1.6:1.1.2.129	Mon Feb 19 20:56:16 2018
+++ src/doc/CHANGES-6.1.6	Sat Mar  3 20:51:09 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.129 2018/02/19 20:56:16 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.130 2018/03/03 20:51:09 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15016,3 +15016,11 @@ sys/arch/x86/x86/vm_machdep.c			1.30 via
 	Prevent unrestricted userland access to I/O ports in XEN.
 	[maxv, ticket #1517]
 
+sys/dev/rndpseudo.cpatch
+sys/kern/subr_cprng.cpatch
+sys/sys/cprng.h	patch
+
+	Fix panic when waiting with kqueue/kevent for a read from
+	/dev/random.
+	[riastradh, ticket #1512]
+



CVS commit: [netbsd-6-1] src/sys

2018-03-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar  3 20:44:36 UTC 2018

Modified Files:
src/sys/dev [netbsd-6-1]: rndpseudo.c
src/sys/kern [netbsd-6-1]: subr_cprng.c
src/sys/sys [netbsd-6-1]: cprng.h

Log Message:
Apply patch (requested by riastradh in ticket #1512):
Fix panic when waiting with kqueue/kevent for a read from
/dev/random.


To generate a diff of this commit:
cvs rdiff -u -r1.6.2.3 -r1.6.2.3.6.1 src/sys/dev/rndpseudo.c
cvs rdiff -u -r1.5.2.8 -r1.5.2.8.2.1 src/sys/kern/subr_cprng.c
cvs rdiff -u -r1.4.2.1 -r1.4.2.1.6.1 src/sys/sys/cprng.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/rndpseudo.c
diff -u src/sys/dev/rndpseudo.c:1.6.2.3 src/sys/dev/rndpseudo.c:1.6.2.3.6.1
--- src/sys/dev/rndpseudo.c:1.6.2.3	Mon May 21 16:49:54 2012
+++ src/sys/dev/rndpseudo.c	Sat Mar  3 20:44:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $	*/
+/*	$NetBSD: rndpseudo.c,v 1.6.2.3.6.1 2018/03/03 20:44:35 snj Exp $	*/
 
 /*-
  * Copyright (c) 1997-2011 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.3.6.1 2018/03/03 20:44:35 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -673,13 +673,13 @@ rnd_poll(struct file *fp, int events)
 		}   
 	}
 
+	mutex_enter(>cprng->mtx);
 	if (cprng_strong_ready(ctx->cprng)) {
 		revents |= events & (POLLIN | POLLRDNORM);
 	} else {
-		mutex_enter(>cprng->mtx);
 		selrecord(curlwp, >cprng->selq);
-		mutex_exit(>cprng->mtx);
 	}
+	mutex_exit(>cprng->mtx);
 
 	return (revents);
 }
@@ -731,12 +731,24 @@ static int
 filt_rndread(struct knote *kn, long hint)
 {
 	cprng_strong_t *c = kn->kn_hook;
+	int ret;
 
+	if (hint & NOTE_SUBMIT)
+		KASSERT(mutex_owned(>mtx));
+	else
+		mutex_enter(>mtx);
 	if (cprng_strong_ready(c)) {
 		kn->kn_data = RND_TEMP_BUFFER_SIZE;
-		return 1;
+		ret = 1;
+	} else {
+		ret = 0;
 	}
-	return 0;
+	if (hint & NOTE_SUBMIT)
+		KASSERT(mutex_owned(>mtx));
+	else
+		mutex_exit(>mtx);
+
+	return ret;
 }
 
 static const struct filterops rnd_seltrue_filtops =
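Review bot: filt_rndread() now takes "hint & NOTE_SUBMIT" to mean the caller already holds the cprng mutex, but that contract is not written down anywhere in the function. State it in a comment at the top, because a future notifier that passes NOTE_SUBMIT without the lock would only be caught on kernels built with DIAGNOSTIC, where KASSERT is active. The second "if (hint & NOTE_SUBMIT) KASSERT(...)" repeats the first; a plain "if (!(hint & NOTE_SUBMIT)) mutex_exit(...)" would say the same thing with less code.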

Index: src/sys/kern/subr_cprng.c
diff -u src/sys/kern/subr_cprng.c:1.5.2.8 src/sys/kern/subr_cprng.c:1.5.2.8.2.1
--- src/sys/kern/subr_cprng.c:1.5.2.8	Fri Mar 29 00:44:28 2013
+++ src/sys/kern/subr_cprng.c	Sat Mar  3 20:44:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $ */
+/*	$NetBSD: subr_cprng.c,v 1.5.2.8.2.1 2018/03/03 20:44:35 snj Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -46,7 +46,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.8.2.1 2018/03/03 20:44:35 snj Exp $");
 
 void
 cprng_init(void)
@@ -95,7 +95,7 @@ cprng_strong_doreseed(cprng_strong_t *co
 	if (c->flags & CPRNG_USE_CV) {
 		cv_broadcast(>cv);
 	}
-	selnotify(>selq, 0, 0);
+	selnotify(>selq, 0, NOTE_SUBMIT);
 }
 
 static void
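Review bot: Passing NOTE_SUBMIT from cprng_strong_doreseed() tells filt_rndread() that the cprng mutex is already held, but the hunk shows no assertion of that at this call site. A KASSERT(mutex_owned(...)) on the mutex at the top of cprng_strong_doreseed(), matching the one this change adds to cprng_strong_ready(), would document and enforce the requirement where the hint is produced.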
@@ -397,7 +397,7 @@ cprng_strong_setflags(cprng_strong_t *co
 			if (c->flags & CPRNG_USE_CV) {
 cv_broadcast(>cv);
 			}
-			selnotify(>selq, 0, 0);
+			selnotify(>selq, 0, NOTE_SUBMIT);
 		}
 	}
 	c->flags = flags;

Index: src/sys/sys/cprng.h
diff -u src/sys/sys/cprng.h:1.4.2.1 src/sys/sys/cprng.h:1.4.2.1.6.1
--- src/sys/sys/cprng.h:1.4.2.1	Fri Apr 20 23:35:20 2012
+++ src/sys/sys/cprng.h	Sat Mar  3 20:44:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cprng.h,v 1.4.2.1 2012/04/20 23:35:20 riz Exp $ */
+/*	$NetBSD: cprng.h,v 1.4.2.1.6.1 2018/03/03 20:44:36 snj Exp $ */
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -121,12 +121,11 @@ static inline int
 cprng_strong_ready(cprng_strong_t *c)
 {
 	int ret = 0;
-	
-	mutex_enter(>mtx);
+
+	KASSERT(mutex_owned(>mtx));
 	if (c->drbg.reseed_counter < NIST_CTR_DRBG_RESEED_INTERVAL) {
 		ret = 1;
 	}
-	mutex_exit(>mtx);
 	return ret;
 }
 



CVS commit: [netbsd-6-1] src/doc

2018-02-19 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 19 20:56:16 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1517


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.128 -r1.1.2.129 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.128 src/doc/CHANGES-6.1.6:1.1.2.129
--- src/doc/CHANGES-6.1.6:1.1.2.128	Fri Feb 16 18:12:03 2018
+++ src/doc/CHANGES-6.1.6	Mon Feb 19 20:56:16 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.128 2018/02/16 18:12:03 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.129 2018/02/19 20:56:16 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15007,3 +15007,12 @@ sys/netipsec/ipsec.c1.130
 	[maxv, ticket #1531]
 
 
+sys/arch/amd64/amd64/machdep.c			1.280 via patch
+sys/arch/amd64/include/segments.h		1.34 via patch
+sys/arch/i386/i386/machdep.c			1.800 via patch
+sys/arch/i386/include/segments.h		1.64 via patch
+sys/arch/x86/x86/vm_machdep.c			1.30 via patch
+
+	Prevent unrestricted userland access to I/O ports in XEN.
+	[maxv, ticket #1517]
+



CVS commit: [netbsd-6-1] src/sys/arch

2018-02-19 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 19 20:54:53 UTC 2018

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-6-1]: machdep.c
src/sys/arch/amd64/include [netbsd-6-1]: segments.h
src/sys/arch/i386/i386 [netbsd-6-1]: machdep.c
src/sys/arch/i386/include [netbsd-6-1]: segments.h
src/sys/arch/x86/x86 [netbsd-6-1]: vm_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1517):
sys/arch/amd64/amd64/machdep.c: 1.280 via patch
sys/arch/amd64/include/segments.h: 1.34 via patch
sys/arch/i386/i386/machdep.c: 1.800
sys/arch/i386/include/segments.h: 1.64
sys/arch/x86/x86/vm_machdep.c: 1.30
Fix a huge privilege separation vulnerability in Xen-amd64.
On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL
equals SEL_UPL. While Xen can make a distinction between usermode and
kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL
in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes
to read and write to the CPU ports.
It is easy, then, to completely escalate privileges; by reprogramming the
PIC, by reading the ATA disks, by intercepting the keyboard interrupts
(keylogger), etc.
Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use
the ports but not userland. I didn't test this change on i386, but it
seems fine enough.


To generate a diff of this commit:
cvs rdiff -u -r1.175.2.8.2.1 -r1.175.2.8.2.2 \
src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.22 -r1.22.16.1 src/sys/arch/amd64/include/segments.h
cvs rdiff -u -r1.717.2.7.6.1 -r1.717.2.7.6.2 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.54 -r1.54.24.1 src/sys/arch/i386/include/segments.h
cvs rdiff -u -r1.14 -r1.14.8.1 src/sys/arch/x86/x86/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/machdep.c
diff -u src/sys/arch/amd64/amd64/machdep.c:1.175.2.8.2.1 src/sys/arch/amd64/amd64/machdep.c:1.175.2.8.2.2
--- src/sys/arch/amd64/amd64/machdep.c:1.175.2.8.2.1	Tue Aug  8 11:59:16 2017
+++ src/sys/arch/amd64/amd64/machdep.c	Mon Feb 19 20:54:52 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.175.2.8.2.1 2017/08/08 11:59:16 martin Exp $	*/
+/*	$NetBSD: machdep.c,v 1.175.2.8.2.2 2018/02/19 20:54:52 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@@ -111,7 +111,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.8.2.1 2017/08/08 11:59:16 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.8.2.2 2018/02/19 20:54:52 snj Exp $");
 
 /* #define XENDEBUG_LOW  */
 
@@ -477,7 +477,7 @@ x86_64_proc0_tss_ldt_init(void)
 	pcb->pcb_fs = 0;
 	pcb->pcb_gs = 0;
 	pcb->pcb_rsp0 = (uvm_lwp_getuarea(l) + KSTACK_SIZE - 16) & ~0xf;
-	pcb->pcb_iopl = SEL_KPL;
+	pcb->pcb_iopl = IOPL_KPL;
 
 	pmap_kernel()->pm_ldt_sel = GSYSSEL(GLDT_SEL, SEL_KPL);
 	pcb->pcb_cr0 = rcr0() & ~CR0_TS;
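Review bot: `pcb->pcb_iopl = IOPL_KPL;` sits directly above `GSYSSEL(GLDT_SEL, SEL_KPL)`, and nothing at the assignment says why the I/O privilege level uses a different constant from the selector privilege level. A one-line comment here (iopl must not be SEL_KPL where the kernel and userland share a ring) would stop a later cleanup from changing it back.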

Index: src/sys/arch/amd64/include/segments.h
diff -u src/sys/arch/amd64/include/segments.h:1.22 src/sys/arch/amd64/include/segments.h:1.22.16.1
--- src/sys/arch/amd64/include/segments.h:1.22	Mon Feb  7 03:54:45 2011
+++ src/sys/arch/amd64/include/segments.h	Mon Feb 19 20:54:52 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: segments.h,v 1.22 2011/02/07 03:54:45 chs Exp $	*/
+/*	$NetBSD: segments.h,v 1.22.16.1 2018/02/19 20:54:52 snj Exp $	*/
 
 /*-
  * Copyright (c) 1990 The Regents of the University of California.
@@ -107,6 +107,12 @@
 #define	ISLDT(s)	((s) & SEL_LDT)	/* is it local or global */
 #define	SEL_LDT		4		/* local descriptor table */	
 
+#ifdef XEN
+#define IOPL_KPL	1
+#else
+#define IOPL_KPL	SEL_KPL
+#endif
+
 /* Dynamically allocated TSSs and LDTs start (byte offset) */
 #define SYSSEL_START	(NGDT_MEM << 3)
 #define DYNSEL_START	(SYSSEL_START + (NGDT_SYS << 4))
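Review bot: `#define IOPL_KPL	1` under `#ifdef XEN` is a bare constant with no comment, so the reason for the value is only in the log message. Document at the definition that under Xen the kernel's ring equals userland's and the IOPL therefore has to be lower than SEL_UPL, and consider a compile-time assertion that IOPL_KPL differs from SEL_UPL in the XEN case so the invariant is enforced rather than remembered.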

Index: src/sys/arch/i386/i386/machdep.c
diff -u src/sys/arch/i386/i386/machdep.c:1.717.2.7.6.1 src/sys/arch/i386/i386/machdep.c:1.717.2.7.6.2
--- src/sys/arch/i386/i386/machdep.c:1.717.2.7.6.1	Tue Aug  8 11:59:16 2017
+++ src/sys/arch/i386/i386/machdep.c	Mon Feb 19 20:54:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.717.2.7.6.1 2017/08/08 11:59:16 martin Exp $	*/
+/*	$NetBSD: machdep.c,v 1.717.2.7.6.2 2018/02/19 20:54:53 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009
@@ -67,7 +67,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.7.6.1 2017/08/08 11:59:16 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.7.6.2 2018/02/19 20:54:53 snj Exp $");
 
 #include "opt_beep.h"
 #include "opt_compat_ibcs2.h"
@@ -509,7 +509,7 @@ i386_proc0_tss_ldt_init(void)
 	pmap_kernel()->pm_ldt_sel = GSEL(GLDT_SEL, SEL_KPL);
 	pcb->pcb_cr0 = rcr0() & ~CR0_TS;
 	pcb->pcb_esp0 = uvm_lwp_getuarea(l) + KSTACK_SIZE - 16;
-	pcb->pcb_iopl = SEL_KPL;
+	pcb->pcb_iopl = IOPL_KPL;
 	l->l_md.md_regs = (struct trapframe 
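Review bot: the log message says this change was not tested on i386, and this hunk switches `pcb->pcb_iopl` to `IOPL_KPL` on that port as well. Before the pull-up is considered complete, boot an i386 Xen guest with the change and confirm both that the kernel can still use the ports and that an unprivileged process gets a fault on port I/O; record the result in the ticket.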

CVS commit: [netbsd-6-1] src/doc

2018-02-16 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb 16 18:12:03 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1531


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.127 -r1.1.2.128 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.127 src/doc/CHANGES-6.1.6:1.1.2.128
--- src/doc/CHANGES-6.1.6:1.1.2.127	Thu Feb 15 14:50:57 2018
+++ src/doc/CHANGES-6.1.6	Fri Feb 16 18:12:03 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.127 2018/02/15 14:50:57 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.128 2018/02/16 18:12:03 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -15001,3 +15001,9 @@ sys/netipsec/xform_ipip.c			1.44 via pat
 	Fix IPv6-IPsec-AH tunnels.
 	[maxv, ticket #1529]
 
+sys/netipsec/ipsec.c1.130
+
+	Fix inverted logic that could crash the kernel.
+	[maxv, ticket #1531]
+
+



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-02-16 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb 16 18:11:27 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: ipsec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1531):

sys/netipsec/ipsec.c: revision 1.130

Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte
AH packet. Triggerable before authentication when IPsec and forwarding
are both enabled.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.14.1 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.55 src/sys/netipsec/ipsec.c:1.55.14.1
--- src/sys/netipsec/ipsec.c:1.55	Thu Jun  9 19:54:18 2011
+++ src/sys/netipsec/ipsec.c	Fri Feb 16 18:11:27 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.55.14.1 2018/02/16 18:11:27 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55.14.1 2018/02/16 18:11:27 martin Exp $");
 
 /*
  * IPsec controller part.
@@ -979,7 +979,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se
 			spidx->dst.sin.sin_port = uh.uh_dport;
 			return;
 		case IPPROTO_AH:
-			if (m->m_pkthdr.len > off + sizeof(ip6e))
+			if (off + sizeof(ip6e) > m->m_pkthdr.len)
 goto done;
 			/* XXX sigh, this works but is totally bogus */
 			m_copydata(m, off, sizeof(ip6e), );
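Review bot: the corrected test `if (off + sizeof(ip6e) > m->m_pkthdr.len)` is evaluated in unsigned arithmetic because of the `sizeof` operand, so it is only correct as long as `off` cannot be negative at this point; say so in a comment or make the intended types explicit. The other cases of this switch are outside the hunk (only the tail of the one ending in `uh.uh_dport` is visible) and should be checked for the same inverted orientation, and since the log message describes a crash on a 1-byte AH packet before authentication, a regression test with exactly that input belongs with the fix.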



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 16:49:35 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ah.c

Log Message:
Fix previous (Ticket #1530)


To generate a diff of this commit:
cvs rdiff -u -r1.37.8.2 -r1.37.8.3 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.8.2 src/sys/netipsec/xform_ah.c:1.37.8.3
--- src/sys/netipsec/xform_ah.c:1.37.8.2	Thu Feb 15 08:09:30 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 16:49:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.8.2 2018/02/15 08:09:30 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.8.3 2018/02/15 16:49:35 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.2 2018/02/15 08:09:30 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.3 2018/02/15 16:49:35 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -687,11 +687,10 @@ ah_input(struct mbuf *m, const struct se
 		return EACCES;
 	}
 	if (skip + authsize + rplen > m->m_pkthdr.len) {
-		char buf[IPSEC_ADDRSTRLEN];
 		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
 			" for packet in SA %s/%08lx\n", __func__,
 			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
-			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			ipsec_address(>sah->saidx.dst),
 			(u_long) ntohl(sav->spi)));
 		AH_STATINC(AH_STAT_BADAUTHL);
 		m_freem(m);
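Review bot: the log message "Fix previous" does not say what was broken. The hunk drops `char buf[IPSEC_ADDRSTRLEN];` and changes `ipsec_address()` from the three-argument call to the one-argument call; state that in the log message, and note whether the earlier revision failed to build, so the pull-up history for ticket #1530 can be followed without reading both diffs.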



CVS commit: [netbsd-6-1] src/doc

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 14:50:58 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1529


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.126 -r1.1.2.127 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.126 src/doc/CHANGES-6.1.6:1.1.2.127
--- src/doc/CHANGES-6.1.6:1.1.2.126	Thu Feb 15 08:10:07 2018
+++ src/doc/CHANGES-6.1.6	Thu Feb 15 14:50:57 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.126 2018/02/15 08:10:07 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.127 2018/02/15 14:50:57 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14996,3 +14996,8 @@ sys/netipsec/xform_ah.c1.80-1.81 via
 	Fix use-after-free and and add more consistency checks.
 	[maxv, ticket #1530]
 
+sys/netipsec/xform_ipip.c			1.44 via patch
+
+	Fix IPv6-IPsec-AH tunnels.
+	[maxv, ticket #1529]
+



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 14:50:17 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1529):
sys/netipsec/xform_ipip.c: revision 1.44 via patch

PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.22.1 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.28 src/sys/netipsec/xform_ipip.c:1.28.22.1
--- src/sys/netipsec/xform_ipip.c:1.28	Sun Jul 17 20:54:54 2011
+++ src/sys/netipsec/xform_ipip.c	Thu Feb 15 14:50:17 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $	*/
+/*	$NetBSD: xform_ipip.c,v 1.28.22.1 2018/02/15 14:50:17 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.22.1 2018/02/15 14:50:17 martin Exp $");
 
 /*
  * IP-inside-IP processing
@@ -566,7 +566,7 @@ ipip_output(
 		ip6o->ip6_flow = 0;
 		ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
 		ip6o->ip6_vfc |= IPV6_VERSION;
-		ip6o->ip6_plen = htons(m->m_pkthdr.len);
+		ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o));
 		ip6o->ip6_hlim = ip_defttl;
 		ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
 		ip6o->ip6_src = saidx->src.sin6.sin6_addr;
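Review bot: `m->m_pkthdr.len - sizeof(*ip6o)` has no visible guard that the packet is at least as long as the header, and the subtraction is unsigned because of `sizeof`, so a short packet would wrap before `htons()` narrows the value to 16 bits. A `KASSERT(m->m_pkthdr.len >= sizeof(*ip6o))` just above the assignment, plus a comment that `ip6_plen` excludes the fixed IPv6 header, would document the assumption this line relies on.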



CVS commit: [netbsd-6-1] src/doc

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 08:10:07 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1530


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.125 -r1.1.2.126 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.125 src/doc/CHANGES-6.1.6:1.1.2.126
--- src/doc/CHANGES-6.1.6:1.1.2.125	Sat Feb 10 04:26:15 2018
+++ src/doc/CHANGES-6.1.6	Thu Feb 15 08:10:07 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.125 2018/02/10 04:26:15 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.126 2018/02/15 08:10:07 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14991,3 +14991,8 @@ sys/dist/pf/net/pf.c1.78 via patch
 	Fix signedness bug in PF. PR/44059.
 	[maxv, ticket #1527]
 
+sys/netipsec/xform_ah.c1.80-1.81 via patch
+
+	Fix use-after-free and and add more consistency checks.
+	[maxv, ticket #1530]
+
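Review bot: the added summary line reads "Fix use-after-free and and add more consistency checks." with "and" doubled; drop one before this text is copied into the release notes.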



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 08:09:30 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1530):
sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch

Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.37.8.1 -r1.37.8.2 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37.8.1 src/sys/netipsec/xform_ah.c:1.37.8.2
--- src/sys/netipsec/xform_ah.c:1.37.8.1	Mon Jan 29 19:29:00 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 08:09:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37.8.1 2018/01/29 19:29:00 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.8.2 2018/02/15 08:09:30 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.1 2018/01/29 19:29:00 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.2 2018/02/15 08:09:30 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -636,6 +636,7 @@ ah_input(struct mbuf *m, const struct se
 	struct m_tag *mtag;
 	struct newah *ah;
 	int hl, rplen, authsize, error;
+	uint8_t nxt;
 
 	struct cryptodesc *crda;
 	struct cryptop *crp;
@@ -660,6 +661,8 @@ ah_input(struct mbuf *m, const struct se
 		return ENOBUFS;
 	}
 
+	nxt = ah->ah_nxt;
+
 	/* Check replay window, if applicable. */
 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
 		AH_STATINC(AH_STAT_REPLAY);
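Review bot: `nxt = ah->ah_nxt;` needs a comment saying why the field is copied this early. According to the log message `ah` may no longer be valid after `m_makewritable` and `ah_massage_headers`, and nothing at this line tells a later reader not to move the read back down; the remaining `ah->` dereferences after those calls are outside the visible hunks and should be checked the same way.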
@@ -683,6 +686,18 @@ ah_input(struct mbuf *m, const struct se
 		m_freem(m);
 		return EACCES;
 	}
+	if (skip + authsize + rplen > m->m_pkthdr.len) {
+		char buf[IPSEC_ADDRSTRLEN];
+		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+			" for packet in SA %s/%08lx\n", __func__,
+			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			(u_long) ntohl(sav->spi)));
+		AH_STATINC(AH_STAT_BADAUTHL);
+		m_freem(m);
+		return EACCES;
+	}
+
 	AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
 
 	/* Get crypto descriptors. */
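Review bot: the new `skip + authsize + rplen > m->m_pkthdr.len` check reuses `AH_STATINC(AH_STAT_BADAUTHL)` and `return EACCES`, the same outcome as the check that ends just above it, so the statistics cannot tell a truncated packet from a wrong authenticator length. Either add a separate counter for the short-packet case or add a comment stating that sharing the counter is intentional, and put a one-line comment above the `if` naming what must fit (AH header plus authenticator after `skip`).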
@@ -780,7 +795,7 @@ ah_input(struct mbuf *m, const struct se
 	tc->tc_spi = sav->spi;
 	tc->tc_dst = sav->sah->saidx.dst;
 	tc->tc_proto = sav->sah->saidx.proto;
-	tc->tc_nxt = ah->ah_nxt;
+	tc->tc_nxt = nxt;
 	tc->tc_protoff = protoff;
 	tc->tc_skip = skip;
 	tc->tc_ptr = mtag; /* Save the mtag we've identified. */



CVS commit: [netbsd-6-1] src/sys/dist/pf/net

2018-02-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Feb 10 04:25:36 UTC 2018

Modified Files:
src/sys/dist/pf/net [netbsd-6-1]: pf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1527):
sys/dist/pf/net/pf.c: revision 1.78 via patch
Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.
It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.
This bug was reported 8 years ago by Lucio Albornoz in PR/44059.


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.68.8.1 src/sys/dist/pf/net/pf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dist/pf/net/pf.c
diff -u src/sys/dist/pf/net/pf.c:1.68 src/sys/dist/pf/net/pf.c:1.68.8.1
--- src/sys/dist/pf/net/pf.c:1.68	Mon Dec 19 16:10:07 2011
+++ src/sys/dist/pf/net/pf.c	Sat Feb 10 04:25:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $	*/
+/*	$NetBSD: pf.c,v 1.68.8.1 2018/02/10 04:25:36 snj Exp $	*/
 /*	$OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */
 
 /*
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68.8.1 2018/02/10 04:25:36 snj Exp $");
 
 #include "pflog.h"
 
@@ -1590,7 +1590,7 @@ pf_modulate_sack(struct mbuf *m, int off
 	struct sackblk sack;
 
 #ifdef __NetBSD__
-#define	TCPOLEN_SACK (2 * sizeof(uint32_t))
+#define	TCPOLEN_SACK		8		/* 2*sizeof(tcp_seq) */
 #endif
 
 #define TCPOLEN_SACKLEN	(TCPOLEN_SACK + 2)
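Review bot: the fix depends on `8` being a signed `int` literal, and the only hint is the comment `/* 2*sizeof(tcp_seq) */`, which invites someone to put the `sizeof` back. Say in the comment that the constant must stay signed because `hlen` is compared against it, or make the comparison in the `while()` mentioned in the log message (outside this hunk) explicitly signed so it no longer depends on how the macro is spelled.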
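The signedness problem described in the log message for ticket #1527, as an added example that is not NetBSD's code: a simplified model of a TCP option walk that compares a signed remaining length against the old `sizeof`-based constant and against the patched literal. The macro names, `walk_options()`, the result struct and both option buffers are constructed for illustration; the guard that records the overrun exists only in this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Old form: sizeof yields size_t, so the whole expression is unsigned. */
#define SACKLEN_OLD	((2 * sizeof(uint32_t)) + 2)
/* Patched form: plain int literals, so a comparison with an int stays signed. */
#define SACKLEN_NEW	(8 + 2)

struct walk_result {
	int iterations;		/* loop bodies executed */
	int final_hlen;		/* remaining length when the loop stopped */
	int overran;		/* 1 if the loop wanted to read past the buffer */
};

/* Constructed 12-byte option areas. */
static const uint8_t GOOD_OPTS[12] = { 1, 1, 5, 10, 0, 0, 0, 1, 0, 0, 0, 2 };
/* Unknown option kind whose length byte (40) exceeds what is left. */
static const uint8_t BAD_OPTS[12] = { 0xfe, 40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

static struct walk_result
walk_options(const uint8_t *opts, int len, int old_macro)
{
	struct walk_result r = { 0, len, 0 };
	int off = 0, hlen = len;

	for (;;) {
		/*
		 * With SACKLEN_OLD the usual arithmetic conversions turn hlen
		 * into size_t, so a negative hlen compares as a huge value.
		 */
		int more = old_macro ? (hlen >= SACKLEN_OLD)
				     : (hlen >= SACKLEN_NEW);
		if (!more)
			break;
		/* Model-only guard: record the overrun instead of doing it. */
		if (hlen < 0 || off + 1 >= len) {
			r.overran = 1;
			break;
		}
		if (opts[off] == 0 || opts[off] == 1) {	/* EOL/NOP: one byte */
			off++;
			hlen--;
		} else {
			int olen = opts[off + 1];
			if (olen < 2)
				olen = 2;
			off += olen;
			hlen -= olen;	/* goes negative on BAD_OPTS */
		}
		r.iterations++;
	}
	r.final_hlen = hlen;
	return r;
}

int
main(void)
{
	struct walk_result o = walk_options(BAD_OPTS, 12, 1);
	struct walk_result n = walk_options(BAD_OPTS, 12, 0);

	printf("old macro: hlen=%d overran=%d\n", o.final_hlen, o.overran);
	printf("new macro: hlen=%d overran=%d\n", n.final_hlen, n.overran);
	return 0;
}
```
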



CVS commit: [netbsd-6-1] src/doc

2018-02-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Feb 10 04:26:15 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1527


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.124 -r1.1.2.125 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.124 src/doc/CHANGES-6.1.6:1.1.2.125
--- src/doc/CHANGES-6.1.6:1.1.2.124	Fri Feb  9 14:11:54 2018
+++ src/doc/CHANGES-6.1.6	Sat Feb 10 04:26:15 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.124 2018/02/09 14:11:54 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.125 2018/02/10 04:26:15 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14986,3 +14986,8 @@ sys/netinet/ip_input.c1.366
 	Disable LSRR/SSRR by default.
 	[maxv, ticket #1526]
 
+sys/dist/pf/net/pf.c1.78 via patch
+
+	Fix signedness bug in PF. PR/44059.
+	[maxv, ticket #1527]
+



CVS commit: [netbsd-6-1] src/doc

2018-02-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  9 14:11:54 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1526


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.123 -r1.1.2.124 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.123 src/doc/CHANGES-6.1.6:1.1.2.124
--- src/doc/CHANGES-6.1.6:1.1.2.123	Fri Feb  2 13:12:14 2018
+++ src/doc/CHANGES-6.1.6	Fri Feb  9 14:11:54 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.123 2018/02/02 13:12:14 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.124 2018/02/09 14:11:54 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14981,3 +14981,8 @@ sys/netinet6/nd6_nbr.c1.145 (via pat
 	Fix memory leak.
 	[maxv, ticket #1525]
 
+sys/netinet/ip_input.c1.366
+
+	Disable LSRR/SSRR by default.
+	[maxv, ticket #1526]
+



CVS commit: [netbsd-6-1] src/sys/netinet

2018-02-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  9 14:11:21 UTC 2018

Modified Files:
src/sys/netinet [netbsd-6-1]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1526):
sys/netinet/ip_input.c: revision 1.366

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
source = 0.0.0.0
destination = public address of the server
LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.298 -r1.298.8.1 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.298 src/sys/netinet/ip_input.c:1.298.8.1
--- src/sys/netinet/ip_input.c:1.298	Mon Jan  9 14:31:22 2012
+++ src/sys/netinet/ip_input.c	Fri Feb  9 14:11:21 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.298.8.1 2018/02/09 14:11:21 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298.8.1 2018/02/09 14:11:21 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -161,10 +161,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #define	IPSENDREDIRECTS	1
 #endif
 #ifndef IPFORWSRCRT
-#define	IPFORWSRCRT	1	/* forward source-routed packets */
+#define	IPFORWSRCRT	0	/* forward source-routed packets */
 #endif
 #ifndef IPALLOWSRCRT
-#define	IPALLOWSRCRT	1	/* allow source-routed packets */
+#define	IPALLOWSRCRT	0	/* allow source-routed packets */
 #endif
 #ifndef IPMTUDISC
 #define IPMTUDISC	1
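Review bot: the defaults change to 0 but the `#ifndef IPFORWSRCRT` and `#ifndef IPALLOWSRCRT` guards stay, so a kernel configuration that already defines either option keeps source routing enabled after this pull-up. Say so in the release notes together with how to check the running values, and extend the two comments to state that the default is now off so they describe the setting rather than just the feature.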
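A check that a packet filter or capture tool could apply for the options named in the log message above, as an added example that is not NetBSD's code: it walks the IPv4 option area and reports a loose or strict source route option. `find_source_route()` and the sample packets (documentation addresses, zeroed checksums) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_EOL		0	/* end of option list */
#define OPT_NOP		1	/* one-byte padding */
#define OPT_LSRR	131	/* loose source and record route */
#define OPT_SSRR	137	/* strict source and record route */

/* Constructed packets: IPv4 header only, no payload. */
static const uint8_t PKT_PLAIN[20] = {
	0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 64, 17, 0, 0,
	198, 51, 100, 7, 192, 0, 2, 1
};
static const uint8_t PKT_LSRR[28] = {
	0x47, 0x00, 0x00, 0x1c, 0, 0, 0, 0, 64, 17, 0, 0,
	198, 51, 100, 7, 192, 0, 2, 1,
	0x01,				/* NOP */
	0x83, 0x07, 0x04, 203, 0, 113, 9	/* LSRR, len 7, ptr 4, one hop */
};
static const uint8_t PKT_BAD[24] = {
	0x46, 0x00, 0x00, 0x18, 0, 0, 0, 0, 64, 17, 0, 0,
	198, 51, 100, 7, 192, 0, 2, 1,
	0x83, 0x0b, 0x04, 0x00		/* LSRR claiming 11 bytes, 4 present */
};

/*
 * Returns OPT_LSRR or OPT_SSRR if the header carries that option,
 * 0 if it carries neither, -1 if the header or its options are malformed.
 */
int
find_source_route(const uint8_t *pkt, size_t len)
{
	size_t hlen, off;

	if (len < 20 || (pkt[0] >> 4) != 4)
		return -1;
	hlen = (size_t)(pkt[0] & 0x0f) * 4;
	if (hlen < 20 || hlen > len)
		return -1;

	for (off = 20; off < hlen; ) {
		uint8_t type = pkt[off];
		uint8_t olen;

		if (type == OPT_EOL)
			break;
		if (type == OPT_NOP) {
			off++;
			continue;
		}
		if (off + 1 >= hlen)		/* no room for a length byte */
			return -1;
		olen = pkt[off + 1];
		if (olen < 2 || off + olen > hlen)
			return -1;		/* option runs past the header */
		if (type == OPT_LSRR || type == OPT_SSRR)
			return type;
		off += olen;
	}
	return 0;
}

int
main(void)
{
	printf("plain: %d\n", find_source_route(PKT_PLAIN, sizeof(PKT_PLAIN)));
	printf("lsrr:  %d\n", find_source_route(PKT_LSRR, sizeof(PKT_LSRR)));
	printf("bad:   %d\n", find_source_route(PKT_BAD, sizeof(PKT_BAD)));
	return 0;
}
```
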



CVS commit: [netbsd-6-1] src/doc

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 13:12:15 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1525


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.122 -r1.1.2.123 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.122 src/doc/CHANGES-6.1.6:1.1.2.123
--- src/doc/CHANGES-6.1.6:1.1.2.122	Fri Feb  2 11:09:12 2018
+++ src/doc/CHANGES-6.1.6	Fri Feb  2 13:12:14 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.122 2018/02/02 11:09:12 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.123 2018/02/02 13:12:14 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14976,3 +14976,8 @@ sys/netinet6/ip6_mroute.c			1.120
 	Fix a use-after-free in the Pim6 entry point.
 	[maxv, ticket #1524]
 
+sys/netinet6/nd6_nbr.c1.145 (via patch)
+
+	Fix memory leak.
+	[maxv, ticket #1525]
+



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 13:11:32 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: nd6_nbr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1525):
sys/netinet6/nd6_nbr.c: revision 1.145 (patch)

Fix memory leak. Contrary to what the XXX indicates, this place is 100%
reachable remotely.


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.95.8.1 src/sys/netinet6/nd6_nbr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/nd6_nbr.c
diff -u src/sys/netinet6/nd6_nbr.c:1.95 src/sys/netinet6/nd6_nbr.c:1.95.8.1
--- src/sys/netinet6/nd6_nbr.c:1.95	Mon Dec 19 11:59:58 2011
+++ src/sys/netinet6/nd6_nbr.c	Fri Feb  2 13:11:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $	*/
+/*	$NetBSD: nd6_nbr.c,v 1.95.8.1 2018/02/02 13:11:32 martin Exp $	*/
 /*	$KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95.8.1 2018/02/02 13:11:32 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -589,7 +589,7 @@ nd6_na_input(struct mbuf *m, int off, in
 
 	taddr6 = nd_na->nd_na_target;
 	if (in6_setscope(, ifp, NULL))
-		return;		/* XXX: impossible */
+		goto bad;
 
 	if (IN6_IS_ADDR_MULTICAST()) {
 		nd6log((LOG_ERR,
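Review bot: `goto bad;` depends on a label that is outside this hunk; confirm that `bad` frees `m` exactly once and that nothing earlier in `nd6_na_input()` has already released it on this path. The log message says this place is reachable remotely, so the removed `/* XXX: impossible */` is worth replacing with a comment that states when `in6_setscope()` can fail.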



CVS commit: [netbsd-6-1] src/doc

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 11:09:12 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1524


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.121 -r1.1.2.122 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.121 src/doc/CHANGES-6.1.6:1.1.2.122
--- src/doc/CHANGES-6.1.6:1.1.2.121	Tue Jan 30 18:46:45 2018
+++ src/doc/CHANGES-6.1.6	Fri Feb  2 11:09:12 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.121 2018/01/30 18:46:45 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.122 2018/02/02 11:09:12 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14971,3 +14971,8 @@ sys/netinet6/ipcomp_input.c			adjust oth
 	Fix a memory corruption in ip6_get_prevhdr().
 	[maxv, ticket #1523]
 
+sys/netinet6/ip6_mroute.c			1.120
+
+	Fix a use-after-free in the Pim6 entry point.
+	[maxv, ticket #1524]
+



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 11:08:30 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_mroute.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1524):
sys/netinet6/ip6_mroute.c: revision 1.120
Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE,
not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain
on an mbuf that was already freed.


To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.103.16.1 src/sys/netinet6/ip6_mroute.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_mroute.c
diff -u src/sys/netinet6/ip6_mroute.c:1.103 src/sys/netinet6/ip6_mroute.c:1.103.16.1
--- src/sys/netinet6/ip6_mroute.c:1.103	Sat Dec 31 20:41:59 2011
+++ src/sys/netinet6/ip6_mroute.c	Fri Feb  2 11:08:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $	*/
+/*	$NetBSD: ip6_mroute.c,v 1.103.16.1 2018/02/02 11:08:30 martin Exp $	*/
 /*	$KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $	*/
 
 /*
@@ -117,7 +117,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103.16.1 2018/02/02 11:08:30 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_mrouting.h"
@@ -1864,7 +1864,7 @@ pim6_input(struct mbuf **mp, int *offp, 
 			(eip6->ip6_vfc & IPV6_VERSION));
 #endif
 			m_freem(m);
-			return (IPPROTO_NONE);
+			return (IPPROTO_DONE);
 		}
 
 		/* verify the inner packet is destined to a mcast group */
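Review bot: this hunk corrects one `m_freem(m); return (IPPROTO_NONE);` pair, but the rest of `pim6_input()` is not shown, and any other exit that frees `m` and returns something other than `IPPROTO_DONE` has the same use-after-free described in the log message. Audit every `m_freem(m)` followed by a return in this function, and add a short comment at this return saying that `IPPROTO_DONE` is required once the mbuf is gone.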



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 22:10:56 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.14.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.14.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.14.1 src/sys/netinet6/ipcomp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ah_input.c
diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.14.1
--- src/sys/netinet6/ah_input.c:1.59	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ah_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i
 		 * next header field of the previous header.
 		 * This is necessary because AH will be stripped off below.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		ip6 = mtod(m, struct ip6_hdr *);
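Review bot: `prvnxtp = (mtod(m, u_int8_t *) + prvnxt);` followed by `*prvnxtp = nxt;` still adds a chain offset to the first mbuf's data pointer, which is the pattern the log message for ticket #1523 calls wrong when the option sits in a later mbuf of the chain. Nothing in this hunk shows that `prvnxt` falls inside the first mbuf, so either check `prvnxt < m->m_len` before the store or write the byte with `m_copyback()`, and replace the bare `/* XXX */` with a note on what is still unresolved.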

Index: src/sys/netinet6/esp_input.c
diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.14.1
--- src/sys/netinet6/esp_input.c:1.50	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/esp_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -834,7 +834,8 @@ noreplaycheck:
 		/*
 		 * Set the next header field of the previous header correctly.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		stripsiz = esplen + ivlen;

Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.14.1
--- src/sys/netinet6/ipcomp_input.c:1.38	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ipcomp_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off
 	m->m_flags |= M_DECRYPTED;
 
 	/* update next header field */
-	prvnxtp = ip6_get_prevhdr(m, off);
+	const int prvnxt = ip6_get_prevhdr(m, off);
+	prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 	*prvnxtp = nxt;
 
 	/*



CVS commit: [netbsd-6-1] src/doc

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:46:45 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1523


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.120 -r1.1.2.121 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.120 src/doc/CHANGES-6.1.6:1.1.2.121
--- src/doc/CHANGES-6.1.6:1.1.2.120	Mon Jan 29 19:29:48 2018
+++ src/doc/CHANGES-6.1.6	Tue Jan 30 18:46:45 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.120 2018/01/29 19:29:48 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.121 2018/01/30 18:46:45 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14960,3 +14960,14 @@ sys/netipsec/xform_ah.c1.76
 	Fix a remote DoS vulnerability in IPsec-AH.
 	[maxv, ticket #1521]
 
+sys/netinet6/frag6.c1.65
+sys/netinet6/ip6_input.c			1.187
+sys/netinet6/ip6_var.h1.78
+sys/netinet6/raw_ip6.c1.160 (via patch)
+sys/netinet6/ah_input.cadjust other callers (patch)
+sys/netinet6/esp_input.c			adjust other callers (patch)
+sys/netinet6/ipcomp_input.c			adjust other callers (patch)
+
+	Fix a memory corruption in ip6_get_prevhdr().
+	[maxv, ticket #1523]
+
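Review bot: the summary line "Fix a memory corruption in ip6_get_prevhdr()." does not say that the overflow is reached from received IPv6 packets, while the entry just above it for ticket #1521 is labelled a remote DoS. Wording along the lines of "remotely triggerable memory corruption" would let administrators reading CHANGES rank the two fixes the same way.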



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:45:59 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
sys/netinet6/ah_input.c: adjust other callers (patch)
sys/netinet6/esp_input.c: adjust other callers (patch)
sys/netinet6/ipcomp_input.c: adjust other callers (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.2.2.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.8.1 -r1.136.8.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.8.1 -r1.58.8.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.8.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.2.2.1
--- src/sys/netinet6/frag6.c:1.52.2.2	Thu Oct 25 17:23:33 2012
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:45:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $	*/
+/*	$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -461,6 +453,21 @@ insert:
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
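Review bot: the new `goto dropfrag` in the "Restore NXT" block is reached after `frag6_remque(q6)` and `kmem_intr_free(q6, sizeof(struct ip6q))` from the preceding hunk's context, so this error path starts with the queue entry already freed and `frag6_nfrags` already reduced. Please confirm that the code at `dropfrag` (not shown in this diff) never touches `q6` and copes with whatever state IP6_EXTHDR_GET leaves `m` in on failure, and add a short comment at the `goto` saying so.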

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.136.8.1 src/sys/netinet6/ip6_input.c:1.136.8.2
--- src/sys/netinet6/ip6_input.c:1.136.8.1	Mon Jul  8 07:40:56 2013
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:45:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently processed.
- * XXX: This 
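
The failure mode described in the ticket #1523 log message above, modelled in userland as an added example (not NetBSD code and not part of the commit): an offset into a chain of buffers must be resolved to the buffer that actually holds it, and first-buffer pointer arithmetic is valid only when the offset is below that buffer's length. `struct seg`, the function names and the 40+8 byte layout are hypothetical stand-ins for an mbuf chain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one mbuf: a link, a data pointer, a length. */
struct seg {
	struct seg *next;
	uint8_t    *data;
	size_t      len;
};

/*
 * Resolve chain offset `off` to a pointer to `n` contiguous bytes.
 * Returns NULL when the range lies outside the chain or straddles two
 * segments (a kernel helper would rearrange the chain instead).
 */
uint8_t *
chain_get(struct seg *s, size_t off, size_t n)
{
	for (; s != NULL; s = s->next) {
		if (off < s->len)
			return (n <= s->len - off) ? s->data + off : NULL;
		off -= s->len;
	}
	return NULL;
}

/* Store one byte at a chain offset; 0 on success, -1 if unreachable. */
int
chain_store(struct seg *s, size_t off, uint8_t val)
{
	uint8_t *p = chain_get(s, off, 1);

	if (p == NULL)
		return -1;
	*p = val;
	return 0;
}

/* True only when first-segment pointer arithmetic would stay in bounds. */
int
first_seg_holds(const struct seg *s, size_t off, size_t n)
{
	return s != NULL && off < s->len && n <= s->len - off;
}

/*
 * Constructed layout: a 40-byte fixed header in the first segment and an
 * 8-byte extension header in the second. Offset 40 is the extension
 * header's next-header byte, which lives in the second segment.
 */
int
demo(void)
{
	uint8_t first[40] = { 0 }, second[8] = { 0 };
	struct seg s2 = { NULL, second, sizeof(second) };
	struct seg s1 = { &s2, first, sizeof(first) };

	if (first_seg_holds(&s1, 40, 1))
		return -1;	/* first + 40 is one past the first buffer */
	if (chain_store(&s1, 40, 59) != 0)
		return -2;
	if (chain_store(&s1, 48, 59) != -1)
		return -3;	/* one past the end of the whole chain */
	if (chain_get(&s1, 39, 2) != NULL)
		return -4;	/* two bytes straddling the boundary */
	return second[0];	/* the store landed in the second segment */
}

int
main(void)
{
	printf("byte stored in second segment: %d\n", demo());
	return 0;
}
```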

CVS commit: [netbsd-6-1] src/doc

2018-01-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Jan 29 19:29:48 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1521


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.119 -r1.1.2.120 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.119 src/doc/CHANGES-6.1.6:1.1.2.120
--- src/doc/CHANGES-6.1.6:1.1.2.119	Sat Jan 13 22:30:37 2018
+++ src/doc/CHANGES-6.1.6	Mon Jan 29 19:29:48 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.119 2018/01/13 22:30:37 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.120 2018/01/29 19:29:48 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14955,3 +14955,8 @@ xsrc/xfree/xc/lib/font/fontfile/fontdir.
 	Fix CVEs 2017-13722, 2017-13720, 2017-16611, and 2017-16612.
 	[mrg, ticket #1514]
 
+sys/netipsec/xform_ah.c1.76
+
+	Fix a remote DoS vulnerability in IPsec-AH.
+	[maxv, ticket #1521]
+



CVS commit: [netbsd-6-1] src/sys/netipsec

2018-01-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Jan 29 19:29:00 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-6-1]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1521):
sys/netipsec/xform_ah.c: revision 1.76
Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
crash the kernel with a single packet.
In this loop we need to increment 'ad' by two, because the length field
of the option header does not count the size of the option header itself.
If the length is zero, then 'count' is incremented by zero, and there's
an infinite loop. Beyond that, this code was written with the assumption
that since the IPv6 packet already went through the generic IPv6 option
parser, several fields are guaranteed to be valid; but this assumption
does not hold because of the missing '+2', and there's as a result a
triggerable buffer overflow (write zeros after the end of the mbuf,
potentially to the next mbuf in memory since it's a pool).
Add the missing '+2', this place will be reinforced in separate commits.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.37.8.1 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.37 src/sys/netipsec/xform_ah.c:1.37.8.1
--- src/sys/netipsec/xform_ah.c:1.37	Thu Jan 26 21:10:24 2012
+++ src/sys/netipsec/xform_ah.c	Mon Jan 29 19:29:00 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.37.8.1 2018/01/29 19:29:00 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.8.1 2018/01/29 19:29:00 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -527,12 +527,12 @@ ah_massage_headers(struct mbuf **m0, int
 		return EINVAL;
 	}
 
-	ad = ptr[count + 1];
+	ad = ptr[count + 1] + 2;
 
 	/* If mutable option, zeroize. */
 	if (ptr[count] & IP6OPT_MUTABLE)
 		memcpy(ptr + count, ipseczeroes,
-		ptr[count + 1]);
+		ad);
 
 	count += ad;
 
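Review bot: with `ad = ptr[count + 1] + 2`, `ad` can reach 257 if `ptr` is a byte pointer, and the `memcpy(ptr + count, ipseczeroes, ad)` that follows reads that many bytes from `ipseczeroes` and writes them at `ptr + count` with no check in this hunk that either buffer is that large. Confirm `ipseczeroes` covers 257 bytes or zero the range with memset, and reject the option when `count + ad` runs past the header length before copying; the log message says this place will be reinforced later, so a comment pointing at that follow-up would help.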

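The option walk described in the ticket #1521 log message above, as an added userland example (not NetBSD's code and not part of the commit): each option advances the cursor by its length byte plus the two type/length bytes, and every step is checked against the bytes that remain. The function names, return codes and sample buffers are constructed for illustration, and option type 0x3e is an arbitrary value with the mutable bit set.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD1    0x00	/* one-byte padding option, no length byte */
#define OPT_MUTABLE 0x20	/* option-type bit: data may change en route */

#define WALK_TRUNCATED (-1)
#define WALK_STUCK     (-2)

/*
 * Fixed walk: stride is length byte + 2, bounded by the bytes left.
 * Assumption: only the option data of a mutable option is zeroed here;
 * the patched kernel code zeroes `ad` bytes starting at the option type.
 * Returns the number of options seen, or WALK_TRUNCATED.
 */
int
walk_options(uint8_t *opts, size_t len)
{
	size_t count = 0;
	int seen = 0;

	while (count < len) {
		seen++;
		if (opts[count] == OPT_PAD1) {
			count++;
			continue;
		}
		if (len - count < 2)
			return WALK_TRUNCATED;	/* no room for a length byte */
		size_t ad = (size_t)opts[count + 1] + 2;
		if (ad > len - count)
			return WALK_TRUNCATED;	/* option runs past the area */
		if (opts[count] & OPT_MUTABLE)
			memset(opts + count + 2, 0, ad - 2);
		count += ad;
	}
	return seen;
}

/*
 * Pre-fix stride, for comparison: advance by the length byte alone.
 * max_steps exists only so this demonstration terminates; WALK_STUCK
 * is returned once the cap is reached.
 */
int
walk_length_only(const uint8_t *opts, size_t len, int max_steps)
{
	size_t count = 0;
	int steps = 0;

	while (count < len) {
		if (steps++ >= max_steps)
			return WALK_STUCK;
		if (opts[count] == OPT_PAD1) {
			count++;
			continue;
		}
		if (len - count < 2)
			return WALK_TRUNCATED;
		count += opts[count + 1];	/* zero length: no progress */
	}
	return steps;
}

/* Constructed option areas (not captured traffic). */
static const uint8_t SAMPLE_OK[8] =
    { 0x01, 0x02, 0x00, 0x00, 0x3e, 0x02, 0xaa, 0xbb };
static const uint8_t SAMPLE_ZEROLEN[8] =
    { 0x3e, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_OVERRUN[4] = { 0x3e, 0x08, 0x00, 0x00 };

static uint8_t work[8];	/* scratch copy the fixed walk may modify */

int
fixed_on(const uint8_t *sample, size_t len)
{
	memcpy(work, sample, len);
	return walk_options(work, len);
}

int
main(void)
{
	printf("well-formed, fixed stride:  %d options\n",
	    fixed_on(SAMPLE_OK, sizeof(SAMPLE_OK)));
	printf("zero-length, fixed stride:  %d options\n",
	    fixed_on(SAMPLE_ZEROLEN, sizeof(SAMPLE_ZEROLEN)));
	printf("zero-length, length-only:   %d\n",
	    walk_length_only(SAMPLE_ZEROLEN, sizeof(SAMPLE_ZEROLEN), 1000));
	printf("overrunning length, fixed:  %d\n",
	    fixed_on(SAMPLE_OVERRUN, sizeof(SAMPLE_OVERRUN)));
	return 0;
}
```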


CVS commit: [netbsd-6-1] src/doc

2018-01-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Jan 13 22:30:37 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1514


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.118 -r1.1.2.119 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.118 src/doc/CHANGES-6.1.6:1.1.2.119
--- src/doc/CHANGES-6.1.6:1.1.2.118	Wed Nov  8 21:33:35 2017
+++ src/doc/CHANGES-6.1.6	Sat Jan 13 22:30:37 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.118 2017/11/08 21:33:35 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.119 2018/01/13 22:30:37 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14939,3 +14939,19 @@ sys/arch/mips/mips/pmap.c			1.221-1.223
 		  installation
 	[skrll, ticket #1390]
 
+xsrc/external/mit/libXcursor/dist/src/file.c	patch
+xsrc/external/mit/libXcursor/dist/src/library.c	patch
+xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c patch
+xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c patch
+xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c patch
+xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c patch
+xsrc/xfree/xc/lib/Xcursor/file.c		patch
+xsrc/xfree/xc/lib/Xcursor/library.c		patch
+xsrc/xfree/xc/lib/font/bitmap/pcfread.c		patch
+xsrc/xfree/xc/lib/font/fontfile/dirfile.c	patch
+xsrc/xfree/xc/lib/font/fontfile/fileio.c	patch
+xsrc/xfree/xc/lib/font/fontfile/fontdir.c	patch
+
+	Fix CVEs 2017-13722, 2017-13720, 2017-16611, and 2017-16612.
+	[mrg, ticket #1514]
+



CVS commit: [netbsd-6-1] src/doc

2017-11-08 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Wed Nov  8 21:33:36 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1056, 1068, 1390


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.117 -r1.1.2.118 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.117 src/doc/CHANGES-6.1.6:1.1.2.118
--- src/doc/CHANGES-6.1.6:1.1.2.117	Sun Nov  5 20:33:02 2017
+++ src/doc/CHANGES-6.1.6	Wed Nov  8 21:33:35 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.117 2017/11/05 20:33:02 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.118 2017/11/08 21:33:35 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14890,3 +14890,52 @@ xsrc/xfree/xc/programs/Xserver/render/re
 	apply fixes for CVEs 2017-12176 to 2017-12187
 	[mrg, ticket #1511]
 
+sys/arch/mips/mips/pmap.c			1.210-1.213
+sys/arch/mips/mips/vm_machdep.c			1.143
+
+	Fix a logic inversion introduced with the matt-nb5-mips64
+	branch for pmap_{zero,copy}_page cache alias handing.
+	Additionally flush the cache for the uarea va to avoid potential
+	(future) cache aliases in cpu_uarea_free when handing pages back
+	to uvm for later use.
+	Use pmap_tlb_asid_check to reduce code c
+	
+	PR/44900 - R5000/Rm5200 mips ports are broken
+	PR/46170 - NetBSD/cobalt 6.0_BETA does not boot
+	PR/46890 - upcoming NetBSD 6.0 release is very unstable / unusable
+		   on cobalt qube 2
+	PR/48628 - cobalt and hpcmips ports are dead
+	[skrll, ticket #1056]
+
+sys/arch/mips/include/pmap.h			1.63
+sys/arch/mips/mips/pmap.c			1.214
+sys/arch/mips/mips/pmap_segtab.c		1.8
+
+	Deal with incompatible cache aliases.
+	PR#44900, PR#46890, and PR#48628.
+	[skrll, ticket #1068]
+
+sys/arch/mips/mips/pmap.c			1.221-1.223
+
+	Fix PR/51288 reproducable panic on evbmips64-eb (erlite)
+
+	pmap_page_remove from the previous change neglected to
+	terminate the pv list correctly when it started with an
+	initial unmanaged mapping and subsequent managed mappings.
+	Fix this.
+
+	Fix MIPS3_NO_PV_UNCACHED alias handling by looping through the
+	pv_list looking for bad aliases and removing the bad entries.
+	That is, revert to the code before the matt-mips64 merge.
+
+	Additionally, fix the pmap_update call to not use the (recently
+	removed/freed) pv for the pmap_t.
+
+	Fixes the following two PRs
+
+	PR/49903: Panic during installation on WorkPad Z50 (hpcmips)
+		  whilst uncompressing base.tgz
+	PR/51226: Install bug for hpcmips NetBSD V7 using FTP Full
+		  installation
+	[skrll, ticket #1390]
+



CVS commit: [netbsd-6-1] src/sys/arch/mips/mips

2017-11-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Nov  8 21:28:24 UTC 2017

Modified Files:
src/sys/arch/mips/mips [netbsd-6-1]: pmap.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1390):
sys/arch/mips/mips/pmap.c: 1.221-1.223
Fix a bug introduced by me in 1.214 where unmanaged mappings would be
affected by calls to pmap_page_protect which is wrong.  Now PV_KENTER
mappings are left intact.
Thanks to chuq for spotting my mistake and reviewing this diff.
Thanks to everyone who tested it as well.
Fix PR/51288 reproducible panic on evbmips64-eb (erlite)
pmap_page_remove from the previous change neglected to terminate the pv
list correctly when it started with an initial unmanaged mapping and
subsequent managed mappings.  Fix this.
Fix MIPS3_NO_PV_UNCACHED alias handling by looping through the pv_list
looking for bad aliases and removing the bad entries.  That is, revert
to the code before the matt-mips64 merge.
Additionally, fix the pmap_update call to not use the (recently
  removed/freed) pv for the pmap_t.
Fixes the following two PRs
PR/49903: Panic during installation on WorkPad Z50 (hpcmips) whilst 
uncompressing base.tgz
PR/51226: Install bug for hpcmips NetBSD V7 using FTP Full installation


To generate a diff of this commit:
cvs rdiff -u -r1.207.2.1.6.2 -r1.207.2.1.6.3 src/sys/arch/mips/mips/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mips/mips/pmap.c
diff -u src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.2 src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.3
--- src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.2	Wed Nov  8 21:22:57 2017
+++ src/sys/arch/mips/mips/pmap.c	Wed Nov  8 21:28:24 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.207.2.1.6.2 2017/11/08 21:22:57 snj Exp $	*/
+/*	$NetBSD: pmap.c,v 1.207.2.1.6.3 2017/11/08 21:28:24 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2001 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.2 2017/11/08 21:22:57 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.3 2017/11/08 21:28:24 snj Exp $");
 
 /*
  *	Manages physical address maps.
@@ -316,6 +316,7 @@ u_int		pmap_page_colormask;
 	 (pm) == curlwp->l_proc->p_vmspace->vm_map.pmap)
 
 /* Forward function declarations */
+void pmap_page_remove(struct vm_page *);
 void pmap_remove_pv(pmap_t, vaddr_t, struct vm_page *, bool);
 void pmap_enter_pv(pmap_t, vaddr_t, struct vm_page *, u_int *, int);
 pt_entry_t *pmap_pte(pmap_t, vaddr_t);
@@ -1063,6 +1064,10 @@ pmap_page_protect(struct vm_page *pg, vm
 			while (pv != NULL) {
 const pmap_t pmap = pv->pv_pmap;
 const uint16_t gen = PG_MD_PVLIST_GEN(md);
+if (pv->pv_va & PV_KENTER) {
+	pv = pv->pv_next;
+	continue;
+}
 va = trunc_page(pv->pv_va);
 PG_MD_PVLIST_UNLOCK(md);
 pmap_protect(pmap, va, va + PAGE_SIZE, prot);
@@ -1087,17 +1092,7 @@ pmap_page_protect(struct vm_page *pg, vm
 		if (pmap_clear_mdpage_attributes(md, PG_MD_EXECPAGE)) {
 			PMAP_COUNT(exec_uncached_page_protect);
 		}
-		(void)PG_MD_PVLIST_LOCK(md, false);
-		pv = >pvh_first;
-		while (pv->pv_pmap != NULL) {
-			const pmap_t pmap = pv->pv_pmap;
-			va = trunc_page(pv->pv_va);
-			PG_MD_PVLIST_UNLOCK(md);
-			pmap_remove(pmap, va, va + PAGE_SIZE);
-			pmap_update(pmap);
-			(void)PG_MD_PVLIST_LOCK(md, false);
-		}
-		PG_MD_PVLIST_UNLOCK(md);
+		pmap_page_remove(pg);
 	}
 }
 
@@ -2069,6 +2064,32 @@ pmap_set_modified(paddr_t pa)
 / pv_entry management /
 
 static void
+pmap_check_alias(struct vm_page *pg)
+{
+#ifdef MIPS3_PLUS	/* XXX mmu XXX */
+#ifndef MIPS3_NO_PV_UNCACHED
+	struct vm_page_md * const md = VM_PAGE_TO_MD(pg);
+
+	if (MIPS_HAS_R4K_MMU && PG_MD_UNCACHED_P(md)) {
+		/*
+		 * Page is currently uncached, check if alias mapping has been
+		 * removed.  If it was, then reenable caching.
+		 */
+		pv_entry_t pv = >pvh_first;
+		pv_entry_t pv0 = pv->pv_next;
+
+		for (; pv0; pv0 = pv0->pv_next) {
+			if (mips_cache_badalias(pv->pv_va, pv0->pv_va))
+break;
+		}
+		if (pv0 == NULL)
+			pmap_page_cache(pg, true);
+	}
+#endif
+#endif	/* MIPS3_PLUS */
+}
+
+static void
 pmap_check_pvlist(struct vm_page_md *md)
 {
 #ifdef PARANOIADIAG
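Review bot: the new pmap_check_alias() walks `pv->pv_next` without taking the pv-list lock itself, whereas the pmap_page_protect loop earlier in this diff brackets its walk with PG_MD_PVLIST_LOCK/PG_MD_PVLIST_UNLOCK. If callers are expected to hold the lock, say so in a comment above the function (or assert it), so a later caller does not walk the list unlocked.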
@@ -2155,12 +2176,12 @@ again:
 			 * be mapped with one index at any given time.
 			 */
 
-			if (mips_cache_badalias(pv->pv_va, va)) {
-for (npv = pv; npv; npv = npv->pv_next) {
-	vaddr_t nva = trunc_page(npv->pv_va);
-	pmap_remove(npv->pv_pmap, nva,
-	nva + PAGE_SIZE);
-	pmap_update(npv->pv_pmap);
+			for (npv = pv; npv; npv = npv->pv_next) {
+vaddr_t nva = trunc_page(npv->pv_va);
+pmap_t npm = npv->pv_pmap;
+if (mips_cache_badalias(nva, va)) {
+	pmap_remove(npm, nva, nva + PAGE_SIZE);
+	pmap_update(npm);
 	goto again;
 }
 			}
@@ -2283,6 +2304,114 @@ again:
 }
 
 /*
+ * Remove this page from all physical maps in which 

CVS commit: [netbsd-6-1] src/sys/arch/mips

2017-11-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Nov  8 21:22:58 UTC 2017

Modified Files:
src/sys/arch/mips/include [netbsd-6-1]: pmap.h
src/sys/arch/mips/mips [netbsd-6-1]: pmap.c pmap_segtab.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1068):
sys/arch/mips/include/pmap.h: revision 1.63
sys/arch/mips/mips/pmap.c: revision 1.214
sys/arch/mips/mips/pmap_segtab.c: revision 1.8
Deal with incompatible cache aliases. Specifically,
- always flush an ephemeral page on unmap
- track unmanaged mappings (mappings entered via pmap_kenter_pa) for
aliases where required and handle appropriately (via pmap_enter_pv)
Hopefully this (finally) addresses the instability reported in the
following PRs:
PR/44900 - R5000/Rm5200 mips ports are broken
PR/46890 - upcoming NetBSD 6.0 release is very unstable / unusable on cobalt 
qube 2
PR/48628 - cobalt and hpcmips ports are dead


To generate a diff of this commit:
cvs rdiff -u -r1.61.8.1 -r1.61.8.1.6.1 src/sys/arch/mips/include/pmap.h
cvs rdiff -u -r1.207.2.1.6.1 -r1.207.2.1.6.2 src/sys/arch/mips/mips/pmap.c
cvs rdiff -u -r1.4.2.1 -r1.4.2.1.6.1 src/sys/arch/mips/mips/pmap_segtab.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mips/include/pmap.h
diff -u src/sys/arch/mips/include/pmap.h:1.61.8.1 src/sys/arch/mips/include/pmap.h:1.61.8.1.6.1
--- src/sys/arch/mips/include/pmap.h:1.61.8.1	Thu Jul  5 18:39:42 2012
+++ src/sys/arch/mips/include/pmap.h	Wed Nov  8 21:22:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.h,v 1.61.8.1 2012/07/05 18:39:42 riz Exp $	*/
+/*	$NetBSD: pmap.h,v 1.61.8.1.6.1 2017/11/08 21:22:57 snj Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -283,6 +283,7 @@ void	pmap_prefer(vaddr_t, vaddr_t *, vsi
 #endif /* MIPS3_PLUS */
 
 #define	PMAP_STEAL_MEMORY	/* enable pmap_steal_memory() */
+#define	PMAP_ENABLE_PMAP_KMPAGE	/* enable the PMAP_KMPAGE flag */
 
 /*
  * Alternate mapping hooks for pool pages.  Avoids thrashing the TLB.
@@ -329,6 +330,7 @@ typedef struct pv_entry {
 	struct pv_entry	*pv_next;	/* next pv_entry */
 	struct pmap	*pv_pmap;	/* pmap where mapping lies */
 	vaddr_t		pv_va;		/* virtual address for mapping */
+#define	PV_KENTER	0x001
 } *pv_entry_t;
 
 #define	PG_MD_UNCACHED		0x0001	/* page is mapped uncached */
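Review bot: `PV_KENTER 0x001` is defined directly under `pv_va` with no comment saying it is a flag carried in the low bits of that address field. The pmap.c hunks in these pull-ups add `trunc_page(...)` around `pv_va` at several call sites and test `pv->pv_va & PV_KENTER`, so a one-line comment here stating that `pv_va` must be masked before use as an address would help keep future readers of the field from using it raw.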

Index: src/sys/arch/mips/mips/pmap.c
diff -u src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.1 src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.2
--- src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.1	Wed Nov  8 21:19:46 2017
+++ src/sys/arch/mips/mips/pmap.c	Wed Nov  8 21:22:57 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.207.2.1.6.1 2017/11/08 21:19:46 snj Exp $	*/
+/*	$NetBSD: pmap.c,v 1.207.2.1.6.2 2017/11/08 21:22:57 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2001 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.1 2017/11/08 21:19:46 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.2 2017/11/08 21:22:57 snj Exp $");
 
 /*
  *	Manages physical address maps.
@@ -317,7 +317,7 @@ u_int		pmap_page_colormask;
 
 /* Forward function declarations */
 void pmap_remove_pv(pmap_t, vaddr_t, struct vm_page *, bool);
-void pmap_enter_pv(pmap_t, vaddr_t, struct vm_page *, u_int *);
+void pmap_enter_pv(pmap_t, vaddr_t, struct vm_page *, u_int *, int);
 pt_entry_t *pmap_pte(pmap_t, vaddr_t);
 
 /*
@@ -386,13 +386,13 @@ pmap_page_syncicache(struct vm_page *pg)
 	}
 	PG_MD_PVLIST_UNLOCK(md);
 	kpreempt_disable();
-	pmap_tlb_syncicache(md->pvh_first.pv_va, onproc);
+	pmap_tlb_syncicache(trunc_page(md->pvh_first.pv_va), onproc);
 	kpreempt_enable();
 #else
 	if (MIPS_HAS_R4K_MMU) {
 		if (PG_MD_CACHED_P(md)) {
 			mips_icache_sync_range_index(
-			md->pvh_first.pv_va, PAGE_SIZE);
+			trunc_page(md->pvh_first.pv_va), PAGE_SIZE);
 		}
 	} else {
 		mips_icache_sync_range(MIPS_PHYS_TO_KSEG0(VM_PAGE_TO_PHYS(pg)),
@@ -436,10 +436,10 @@ pmap_map_ephemeral_page(struct vm_page *
 		 */
 		(void)PG_MD_PVLIST_LOCK(md, false);
 		if (PG_MD_CACHED_P(md)
-		&& mips_cache_badalias(pv->pv_va, va))
-			mips_dcache_wbinv_range_index(pv->pv_va, PAGE_SIZE);
-		if (pv->pv_pmap == NULL)
-			pv->pv_va = va;
+		&& mips_cache_badalias(pv->pv_va, va)) {
+			mips_dcache_wbinv_range_index(trunc_page(pv->pv_va),
+			PAGE_SIZE);
+		}
 		PG_MD_PVLIST_UNLOCK(md);
 	}
 
@@ -450,23 +450,13 @@ static void
 pmap_unmap_ephemeral_page(struct vm_page *pg, vaddr_t va,
 	pt_entry_t old_pt_entry)
 {
-	struct vm_page_md * const md = VM_PAGE_TO_MD(pg);
-	pv_entry_t pv = >pvh_first;
-	
-	if (MIPS_CACHE_VIRTUAL_ALIAS) {
-		(void)PG_MD_PVLIST_LOCK(md, false);
-		if (PG_MD_CACHED_P(md)
-		|| (pv->pv_pmap != NULL
-			&& mips_cache_badalias(pv->pv_va, va))) {
 
-			/*
-			 * If this page was previously cached or we had to use an
-			 * incompatible alias and it has a valid mapping, flush it
-			 * from the cache.
-			 */
-			

CVS commit: [netbsd-6-1] src/sys/arch/mips/mips

2017-11-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Nov  8 21:19:46 UTC 2017

Modified Files:
src/sys/arch/mips/mips [netbsd-6-1]: pmap.c vm_machdep.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1056):
sys/arch/mips/mips/pmap.c: revision 1.210-1.213
sys/arch/mips/mips/vm_machdep.c: revision 1.143
Fix a logic inversion introduced with the matt-nb5-mips64 for
pmap_{zero,copy}_page cache alias handling. The check previously used
PG_MD_UNCACHED_P, where it now uses PG_MD_CACHED_P, when considering if
a cache invalidation is required.
Additionally flush the cache for the uarea va to avoid potential (future)
cache aliases in cpu_uarea_free when handing pages back to uvm for later
use.
ok matt@
Hopefully this addresses the instability reported in the following PRs:
PR/44900 - R5000/Rm5200 mips ports are broken
PR/46170 - NetBSD/cobalt 6.0_BETA does not boot
PR/46890 - upcoming NetBSD 6.0 release is very unstable / unusable on cobalt 
qube 2
PR/48628 - cobalt and hpcmips ports are dead
Grab pv_list lock in pmap_unmap_ephemeral_page only when needed.
Make PARANOIADIAG compile.
Use pmap_tlb_asid_check to reduce code c


To generate a diff of this commit:
cvs rdiff -u -r1.207.2.1 -r1.207.2.1.6.1 src/sys/arch/mips/mips/pmap.c
cvs rdiff -u -r1.141 -r1.141.14.1 src/sys/arch/mips/mips/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/mips/mips/pmap.c
diff -u src/sys/arch/mips/mips/pmap.c:1.207.2.1 src/sys/arch/mips/mips/pmap.c:1.207.2.1.6.1
--- src/sys/arch/mips/mips/pmap.c:1.207.2.1	Thu Jul  5 18:39:42 2012
+++ src/sys/arch/mips/mips/pmap.c	Wed Nov  8 21:19:46 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.207.2.1 2012/07/05 18:39:42 riz Exp $	*/
+/*	$NetBSD: pmap.c,v 1.207.2.1.6.1 2017/11/08 21:19:46 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2001 The NetBSD Foundation, Inc.
@@ -67,7 +67,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1 2012/07/05 18:39:42 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.207.2.1.6.1 2017/11/08 21:19:46 snj Exp $");
 
 /*
  *	Manages physical address maps.
@@ -453,19 +453,21 @@ pmap_unmap_ephemeral_page(struct vm_page
 	struct vm_page_md * const md = VM_PAGE_TO_MD(pg);
 	pv_entry_t pv = >pvh_first;
 	
-	(void)PG_MD_PVLIST_LOCK(md, false);
-	if (MIPS_CACHE_VIRTUAL_ALIAS
-	&& (PG_MD_UNCACHED_P(md)
-		|| (pv->pv_pmap != NULL
-		&& mips_cache_badalias(pv->pv_va, va {
-		/*
-		 * If this page was previously uncached or we had to use an
-		 * incompatible alias and it has a valid mapping, flush it
-		 * from the cache.
-		 */
-		mips_dcache_wbinv_range(va, PAGE_SIZE);
+	if (MIPS_CACHE_VIRTUAL_ALIAS) {
+		(void)PG_MD_PVLIST_LOCK(md, false);
+		if (PG_MD_CACHED_P(md)
+		|| (pv->pv_pmap != NULL
+			&& mips_cache_badalias(pv->pv_va, va))) {
+
+			/*
+			 * If this page was previously cached or we had to use an
+			 * incompatible alias and it has a valid mapping, flush it
+			 * from the cache.
+			 */
+			mips_dcache_wbinv_range(va, PAGE_SIZE);
+		}
+		PG_MD_PVLIST_UNLOCK(md);
 	}
-	PG_MD_PVLIST_UNLOCK(md);
 #ifndef _LP64
 	/*
 	 * If we had to map using a page table entry, unmap it now.
@@ -575,7 +577,7 @@ pmap_bootstrap(void)
 
 	/*
 	 * Now actually allocate the kernel PTE array (must be done
-	 * after virtual_end is initialized).
+	 * after mips_virtual_end is initialized).
 	 */
 	Sysmap = (pt_entry_t *)
 	uvm_pageboot_alloc(sizeof(pt_entry_t) * Sysmapsize);
@@ -1023,15 +1025,7 @@ pmap_remove(pmap_t pmap, vaddr_t sva, va
 	if (eva > VM_MAXUSER_ADDRESS)
 		panic("pmap_remove: uva not in range");
 	if (PMAP_IS_ACTIVE(pmap)) {
-		struct pmap_asid_info * const pai = PMAP_PAI(pmap, curcpu());
-		uint32_t asid;
-
-		__asm volatile("mfc0 %0,$10; nop" : "=r"(asid));
-		asid = (MIPS_HAS_R4K_MMU) ? (asid & 0xff) : (asid & 0xfc0) >> 6;
-		if (asid != pai->pai_asid) {
-			panic("inconsistency for active TLB flush: %d <-> %d",
-			asid, pai->pai_asid);
-		}
+		pmap_tlb_asid_check();
 	}
 #endif
 #ifdef PMAP_FAULTINFO
@@ -1214,15 +1208,7 @@ pmap_protect(pmap_t pmap, vaddr_t sva, v
 	if (eva > VM_MAXUSER_ADDRESS)
 		panic("pmap_protect: uva not in range");
 	if (PMAP_IS_ACTIVE(pmap)) {
-		struct pmap_asid_info * const pai = PMAP_PAI(pmap, curcpu());
-		uint32_t asid;
-
-		__asm volatile("mfc0 %0,$10; nop" : "=r"(asid));
-		asid = (MIPS_HAS_R4K_MMU) ? (asid & 0xff) : (asid & 0xfc0) >> 6;
-		if (asid != pai->pai_asid) {
-			panic("inconsistency for active TLB update: %d <-> %d",
-			asid, pai->pai_asid);
-		}
+		pmap_tlb_asid_check();
 	}
 #endif
 
@@ -1586,6 +1572,7 @@ pmap_enter(pmap_t pmap, vaddr_t va, padd
 
 #ifdef PARANOIADIAG
 	if (PMAP_IS_ACTIVE(pmap)) {
+		struct pmap_asid_info * const pai = PMAP_PAI(pmap, curcpu());
 		uint32_t asid;
 
 		__asm volatile("mfc0 %0,$10; nop" : "=r"(asid));
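Review bot: this hunk keeps the open-coded `mfc0` ASID comparison in pmap_enter and only adds the missing `pai` declaration, while the pmap_remove and pmap_protect hunks above replace the same kind of block with `pmap_tlb_asid_check()`. Calling the helper here as well would remove the remaining copy of the inline assembly and keep the three PARANOIADIAG checks from drifting apart.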
@@ -1774,7 +1761,7 @@ pmap_unwire(pmap_t pmap, vaddr_t va)
 	if (pmap == pmap_kernel()) {
 

CVS commit: [netbsd-6-1] src/doc

2017-11-05 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Nov  5 20:33:02 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1508, 1509, 1511


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.116 -r1.1.2.117 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.116 src/doc/CHANGES-6.1.6:1.1.2.117
--- src/doc/CHANGES-6.1.6:1.1.2.116	Tue Oct 17 16:01:23 2017
+++ src/doc/CHANGES-6.1.6	Sun Nov  5 20:33:02 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.116 2017/10/17 16:01:23 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.117 2017/11/05 20:33:02 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14853,3 +14853,40 @@ external/bsd/wpa/dist/wpa_supplicant/wnm
 	CVE-2017-13086 CVE-2017-13087 CVE-2017-13088
 	[spz, ticket #1507]
 
+etc/namedb/root.cache1.23
+
+	Update root.cache to 2017102400 (October 24, 2017).
+	[taca, ticket #1508]
+
+external/bsd/nvi/dist/common/recover.c		1.6-1.9 via patch to dist/nvi/common/recover.c
+external/bsd/nvi/usr.bin/recover/virecover	1.2-1.3 via patch usr.bin/nvi/recover/virecover
+
+	Fix vulnerabilities in the handling of recovery files.
+	[spz, ticket #1509]
+
+xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c patch
+xsrc/external/mit/xorg-server/dist/Xext/saver.c	patch
+xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c patch
+xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c patch
+xsrc/external/mit/xorg-server/dist/dbe/dbe.c	patch
+xsrc/external/mit/xorg-server/dist/dix/dispatch.c patch
+xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c patch
+xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c patch
+xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c patch
+xsrc/external/mit/xorg-server/dist/render/render.c patch
+xsrc/external/mit/xorg-server/dist/xfixes/cursor.c patch
+xsrc/external/mit/xorg-server/dist/xfixes/region.c patch
+xsrc/external/mit/xorg-server/dist/xfixes/saveset.c patch
+xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c patch
+xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c	patch
+xsrc/xfree/xc/programs/Xserver/Xext/saver.c	patch
+xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c	patch
+xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c	patch
+xsrc/xfree/xc/programs/Xserver/dbe/dbe.c	patch
+xsrc/xfree/xc/programs/Xserver/dix/dispatch.c	patch
+xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c	patch
+xsrc/xfree/xc/programs/Xserver/render/render.c	patch
+
+	apply fixes for CVEs 2017-12176 to 2017-12187
+	[mrg, ticket #1511]
+



CVS commit: [netbsd-6-1] src

2017-11-05 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Nov  5 20:04:00 UTC 2017

Modified Files:
src/dist/nvi/common [netbsd-6-1]: recover.c
src/usr.bin/nvi/recover [netbsd-6-1]: virecover

Log Message:
Pull up following revision(s) (requested by spz in ticket #1509):
external/bsd/nvi/usr.bin/recover/virecover: 1.2-1.3 via patch
external/bsd/nvi/dist/common/recover.c: revision 1.6-1.9 via patch
be more careful about opening recovery files... in particular deal with
people trying to get 'vi -r' stuck using named pipes, symlink attacks,
and coercing others opening recovery files they did not create.
Put back the tests for "no files matched" (in a different way than they
were written previously - but that's just style.)   This is not csh...
Use the correct test operator to test for an empty file (rather than
testing for an empty file name...)
Write test ('[') commands in a way that is defined to work, rather than
just happens to - we can afford the (negligible) performance hit here.
- don't use command substitution to glob a pattern into a list of filenames;
  it is less efficient than doing it directly and does not handle whitespace
  in filenames properly.
- change test to [
- quote variables
Deal safely with recovery mail files.
oops, accidentally committed an earlier non-working version; fixed.
Don't use popenve() for portability; forking an extra shell here is not an
issue.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.3.24.1 src/dist/nvi/common/recover.c
cvs rdiff -u -r1.1 -r1.1.36.1 src/usr.bin/nvi/recover/virecover

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/dist/nvi/common/recover.c
diff -u src/dist/nvi/common/recover.c:1.3 src/dist/nvi/common/recover.c:1.3.24.1
--- src/dist/nvi/common/recover.c:1.3	Sun Jan 18 03:45:50 2009
+++ src/dist/nvi/common/recover.c	Sun Nov  5 20:04:00 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: recover.c,v 1.3 2009/01/18 03:45:50 lukem Exp $ */
+/*	$NetBSD: recover.c,v 1.3.24.1 2017/11/05 20:04:00 snj Exp $ */
 
 /*-
  * Copyright (c) 1993, 1994
@@ -112,7 +112,7 @@ static const char sccsid[] = "Id: recove
 #define	VI_PHEADER	"X-vi-recover-path: "
 
 static int	 rcv_copy __P((SCR *, int, char *));
-static void	 rcv_email __P((SCR *, char *));
+static void	 rcv_email __P((SCR *, const char *));
 static char	*rcv_gets __P((char *, size_t, int));
 static int	 rcv_mailfile __P((SCR *, int, char *));
 static int	 rcv_mktemp __P((SCR *, char *, const char *, int));
@@ -470,6 +470,23 @@ err:	if (!issync)
 }
 
 /*
+ * Since vi creates recovery files only accessible by the user, files
+ * accessible by group or others are probably malicious so avoid them.
+ * This is simpler than checking for getuid() == st.st_uid and we want
+ * to preserve the functionality that root can recover anything which
+ * means that root should know better and be careful.
+ */
+static int
+checkok(int fd)
+{
+   struct stat sb;
+
+   return fstat(fd, ) != -1 && S_ISREG(sb.st_mode) &&
+   (sb.st_mode & (S_IRWXG|S_IRWXO)) == 0;
+}
+
+
+/*
  *	people making love
  *	never exactly the same
  *	just like a snowflake
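Review bot: the comment above checkok() says that comparing st_uid is unnecessary but not why that is safe: both callers have already opened the file read-write, so for a non-root user a file with no group or other permission bits can only be their own. Say that in the comment, and state that checkok() must only be used on a descriptor the invoking user opened for writing. As rendered here the fstat() call has no second argument; it needs the address of sb.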
@@ -513,9 +530,14 @@ rcv_list(SCR *sp)
 		 * if we're using fcntl(2), there's no way to lock a file
 		 * descriptor that's not open for writing.
 		 */
-		if ((fp = fopen(dp->d_name, "r+")) == NULL)
+		if ((fp = fopen(dp->d_name, "r+efl")) == NULL)
 			continue;
 
+		if (!checkok(fileno(fp))) {
+			(void)fclose(fp);
+			continue;
+		}
+
 		switch (file_lock(sp, NULL, NULL, fileno(fp), 1)) {
 		case LOCK_FAILED:
 			/*
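Review bot: the "e", "f" and "l" letters in the new fopen() mode "r+efl" in rcv_list() are not standard C mode characters, so the no-follow and close-on-exec behaviour depends on the libc accepting them. checkok() repeats the regular-file test afterwards, but nothing else in this hunk stops a symlink from being followed if "l" is ignored. Opening with open() and explicit O_NOFOLLOW|O_CLOEXEC, as the rcv_read() hunk does, followed by fdopen(), would make the intent independent of the mode-string parser.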
@@ -626,9 +648,16 @@ rcv_read(SCR *sp, FREF *frp)
 		 * if we're using fcntl(2), there's no way to lock a file
 		 * descriptor that's not open for writing.
 		 */
-		if ((fd = open(recpath, O_RDWR, 0)) == -1)
+		if ((fd = open(recpath, O_RDWR|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC,
+		   0)) == -1)
 			continue;
 
+		if (!checkok(fd)) {
+			(void)close(fd);
+			continue;
+		}
+
+
 		switch (file_lock(sp, NULL, NULL, fd, 1)) {
 		case LOCK_FAILED:
 			/*
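Review bot: nothing at the open() call in rcv_read() says why O_NONBLOCK is passed for what should be a regular file; the log message gives the reason (a named pipe planted to get 'vi -r' stuck), and a one-line comment here would stop someone removing the flag later. The flag also stays set on fd after checkok() succeeds, which is harmless for a regular file but worth stating. The hunk adds two blank lines before the switch where one is enough.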
@@ -836,24 +865,48 @@ rcv_mktemp(SCR *sp, char *path, const ch
  *	Send email.
  */
 static void
-rcv_email(SCR *sp, char *fname)
+rcv_email(SCR *sp, const char *fname)
 {
 	struct stat sb;
-	char buf[MAXPATHLEN * 2 + 20];
+	char buf[BUFSIZ];
+	FILE *fin, *fout;
+	size_t l;
 
-	if (_PATH_SENDMAIL[0] != '/' || stat(_PATH_SENDMAIL, ))
+	if (_PATH_SENDMAIL[0] != '/' || stat(_PATH_SENDMAIL, ) == -1) {
 		msgq_str(sp, M_SYSERR,
 		_PATH_SENDMAIL, "071|not sending email: %s");
-	else {
-		/*
-		 * !!!
-		 * If you need to port this to a system that doesn't have
-		 * sendmail, the -t flag causes sendmail to read the message
-		 * for the recipients instead of specifying them some other
-		 * way.
-		 */
-		(void)snprintf(buf, sizeof(buf),
-		"%s -t < %s", _PATH_SENDMAIL, fname);
-		(void)system(buf);
+		return;
 	}
+
+	/*
+	 * !!!
+	 * If you need to port this to a system that 
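Review bot: the precheck at the top of rcv_email() shows only that _PATH_SENDMAIL exists, not that it can be executed, and the file can change between this stat() and the moment the mailer is started, so the code that starts it still has to check for failure and report it through msgq_str(). The removed snprintf()/system() pair put fname into a shell command line unquoted; the replacement is cut off in this copy, so confirm there that fname is opened directly and never reaches a shell.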

CVS commit: [netbsd-6-1] src/etc/namedb

2017-11-05 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Nov  5 19:55:16 UTC 2017

Modified Files:
src/etc/namedb [netbsd-6-1]: root.cache

Log Message:
Pull up following revision(s) (requested by taca in ticket #1508):
etc/namedb/root.cache: revision 1.23
Update root.cache to 2017102400 (October 24, 2017).
B.ROOT-SERVERS.NET's IPv4 and IPv6 address has changed.


To generate a diff of this commit:
cvs rdiff -u -r1.16.4.1.2.4 -r1.16.4.1.2.5 src/etc/namedb/root.cache

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/etc/namedb/root.cache
diff -u src/etc/namedb/root.cache:1.16.4.1.2.4 src/etc/namedb/root.cache:1.16.4.1.2.5
--- src/etc/namedb/root.cache:1.16.4.1.2.4	Fri Nov 11 06:59:20 2016
+++ src/etc/namedb/root.cache	Sun Nov  5 19:55:16 2017
@@ -1,4 +1,4 @@
-;	$NetBSD: root.cache,v 1.16.4.1.2.4 2016/11/11 06:59:20 snj Exp $
+;	$NetBSD: root.cache,v 1.16.4.1.2.5 2017/11/05 19:55:16 snj Exp $
 ;   This file holds the information on root name servers needed to
 ;   initialize cache of Internet domain name servers
 ;   (e.g. reference this file in the "cache  .  "
@@ -10,10 +10,10 @@
 ;   on server   FTP.INTERNIC.NET
 ;   -OR-RS.INTERNIC.NET
 ;
-;   last update:October 20, 2016
-;   related version of root zone:   2016102001
+;   last update:October 24, 2017
+;   related version of root zone:   2017102400
 ;
-; formerly NS.INTERNIC.NET
+; FORMERLY NS.INTERNIC.NET
 ;
 .360  NSA.ROOT-SERVERS.NET.
 A.ROOT-SERVERS.NET.  360  A 198.41.0.4
@@ -22,8 +22,8 @@ A.ROOT-SERVERS.NET.  360  AA
 ; FORMERLY NS1.ISI.EDU
 ;
 .360  NSB.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET.  360  A 192.228.79.201
-B.ROOT-SERVERS.NET.  360    2001:500:84::b
+B.ROOT-SERVERS.NET.  360  A 199.9.14.201
+B.ROOT-SERVERS.NET.  360    2001:500:200::b
 ;
 ; FORMERLY C.PSI.NET
 ;



CVS commit: [netbsd-6-1] src/doc

2017-10-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Oct 17 16:01:23 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1507


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.115 -r1.1.2.116 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.115 src/doc/CHANGES-6.1.6:1.1.2.116
--- src/doc/CHANGES-6.1.6:1.1.2.115	Fri Oct 13 08:04:37 2017
+++ src/doc/CHANGES-6.1.6	Tue Oct 17 16:01:23 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.115 2017/10/13 08:04:37 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.116 2017/10/17 16:01:23 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14836,3 +14836,20 @@ sys/arch/i386/i386/i386_trap.S			1.12 vi
 	use %ss instead of %ds in trap06
 	[maxv, ticket #1505]
 
+external/bsd/wpa/dist/src/ap/ieee802_11.c	1.2
+external/bsd/wpa/dist/src/ap/wpa_auth.c		1.10
+external/bsd/wpa/dist/src/ap/wpa_auth.h		1.2
+external/bsd/wpa/dist/src/ap/wpa_auth_ft.c	1.2
+external/bsd/wpa/dist/src/ap/wpa_auth_i.h	1.2
+external/bsd/wpa/dist/src/common/wpa_common.h	1.3
+external/bsd/wpa/dist/src/rsn_supp/tdls.c	1.2
+external/bsd/wpa/dist/src/rsn_supp/wpa.c	1.2
+external/bsd/wpa/dist/src/rsn_supp/wpa_ft.c	1.2
+external/bsd/wpa/dist/src/rsn_supp/wpa_i.h	1.2
+external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c	1.4
+
+	Apply upstream patches for CVE-2017-13077 CVE-2017-13078
+	CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082
+	CVE-2017-13086 CVE-2017-13087 CVE-2017-13088
+	[spz, ticket #1507]
+



CVS commit: [netbsd-6-1] src/external/bsd/wpa/dist

2017-10-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Oct 17 16:00:47 UTC 2017

Modified Files:
src/external/bsd/wpa/dist/src/ap [netbsd-6-1]: ieee802_11.c wpa_auth.c
wpa_auth.h wpa_auth_ft.c wpa_auth_i.h
src/external/bsd/wpa/dist/src/common [netbsd-6-1]: wpa_common.h
src/external/bsd/wpa/dist/src/rsn_supp [netbsd-6-1]: tdls.c wpa.c
wpa_ft.c wpa_i.h
src/external/bsd/wpa/dist/wpa_supplicant [netbsd-6-1]: wnm_sta.c

Log Message:
Pull up following revision(s) (requested by spz in ticket #1507):
external/bsd/wpa/dist/src/ap/ieee802_11.c: revision 1.2
external/bsd/wpa/dist/src/rsn_supp/wpa_ft.c: revision 1.2
external/bsd/wpa/dist/src/ap/wpa_auth_i.h: revision 1.2
external/bsd/wpa/dist/src/rsn_supp/wpa.c: revision 1.2
external/bsd/wpa/dist/src/rsn_supp/wpa_i.h: revision 1.2
external/bsd/wpa/dist/src/ap/wpa_auth.h: revision 1.2
external/bsd/wpa/dist/src/rsn_supp/tdls.c: revision 1.2
external/bsd/wpa/dist/src/common/wpa_common.h: revision 1.3
external/bsd/wpa/dist/src/ap/wpa_auth_ft.c: revision 1.2
external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c: revision 1.4
external/bsd/wpa/dist/src/ap/wpa_auth.c: revision 1.10
apply patches from upstream, namely from https://w1.fi/security/2017-1/ :
rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
02-Oct-2017 16:19   6.1K
rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
02-Oct-2017 16:19   7.7K
rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
02-Oct-2017 16:19   6.7K
rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
02-Oct-2017 16:19   2.5K
rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
02-Oct-2017 16:19   1.9K
rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
02-Oct-2017 16:19   4.2K
rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
02-Oct-2017 16:19   1.6K
rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
02-Oct-2017 16:19   2.7K
for CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088
(see
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
for details)


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2.12.1 -r1.1.1.2.12.2 \
src/external/bsd/wpa/dist/src/ap/ieee802_11.c \
src/external/bsd/wpa/dist/src/ap/wpa_auth_ft.c
cvs rdiff -u -r1.3.12.1 -r1.3.12.2 \
src/external/bsd/wpa/dist/src/ap/wpa_auth.c
cvs rdiff -u -r1.1.1.1.16.1 -r1.1.1.1.16.2 \
src/external/bsd/wpa/dist/src/ap/wpa_auth.h \
src/external/bsd/wpa/dist/src/ap/wpa_auth_i.h
cvs rdiff -u -r1.1.1.1.16.1 -r1.1.1.1.16.2 \
src/external/bsd/wpa/dist/src/common/wpa_common.h
cvs rdiff -u -r1.1.1.5.12.2 -r1.1.1.5.12.3 \
src/external/bsd/wpa/dist/src/rsn_supp/tdls.c
cvs rdiff -u -r1.1.1.2.12.1 -r1.1.1.2.12.2 \
src/external/bsd/wpa/dist/src/rsn_supp/wpa.c
cvs rdiff -u -r1.1.1.1.16.1 -r1.1.1.1.16.2 \
src/external/bsd/wpa/dist/src/rsn_supp/wpa_ft.c \
src/external/bsd/wpa/dist/src/rsn_supp/wpa_i.h
cvs rdiff -u -r1.3.12.2 -r1.3.12.3 \
src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/wpa/dist/src/ap/ieee802_11.c
diff -u src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.1.1.2.12.1 src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.1.1.2.12.2
--- src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.1.1.2.12.1	Wed Aug 30 05:49:01 2017
+++ src/external/bsd/wpa/dist/src/ap/ieee802_11.c	Tue Oct 17 16:00:46 2017
@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hos
 {
 	struct ieee80211_ht_capabilities ht_cap;
 	struct ieee80211_vht_capabilities vht_cap;
+	int set = 1;
 
 	/*
 	 * Remove the STA entry to ensure the STA PS state gets cleared and
@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hos
 	 * FT-over-the-DS, where a station re-associates back to the same AP but
 	 * skips the authentication flow, or if working with a driver that
 	 * does not support full AP client state.
+	 *
+	 * Skip this if the STA has already completed FT reassociation and the
+	 * TK has been configured since the TX/RX PN must not be reset to 0 for
+	 * the same key.
 	 */
-	if (!sta->added_unassoc)
+	if (!sta->added_unassoc &&
+	(!(sta->flags & WLAN_STA_AUTHORIZED) ||
+	 !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
 		hostapd_drv_sta_remove(hapd, sta->addr);
+		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
+		set = 0;
+	}
 
 #ifdef CONFIG_IEEE80211N
 	if (sta->flags & WLAN_STA_HT)
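Review bot: in the new condition in add_associated_sta(), sta->wpa_sm is handed to wpa_auth_sta_ft_tk_already_set() and then to wpa_auth_sm_event() with no NULL check visible in this hunk; confirm both accept a NULL state machine for stations that associate without WPA, or guard the calls. The new local set is cleared only on the removal path, so the comment should also say what set == 1 means to the code that consumes it further down.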
@@ -1873,11 +1883,11 @@ static int 

CVS commit: [netbsd-6-1] src/doc

2017-10-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Oct 13 08:04:37 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1505


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.114 -r1.1.2.115 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.114 src/doc/CHANGES-6.1.6:1.1.2.115
--- src/doc/CHANGES-6.1.6:1.1.2.114	Mon Sep 11 04:46:35 2017
+++ src/doc/CHANGES-6.1.6	Fri Oct 13 08:04:37 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.114 2017/09/11 04:46:35 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.115 2017/10/13 08:04:37 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14831,3 +14831,8 @@ crypto/external/bsd/heimdal/include/roke
 	  getpw*() internal buffers.
 	[mlelstv, ticket #1503]
 
+sys/arch/i386/i386/i386_trap.S			1.12 via patch
+
+	use %ss instead of %ds in trap06
+	[maxv, ticket #1505]
+



CVS commit: [netbsd-6-1] src/sys/arch/i386/i386

2017-10-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Oct 13 08:03:02 UTC 2017

Modified Files:
src/sys/arch/i386/i386 [netbsd-6-1]: vector.S

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1505):
sys/arch/i386/i386/i386_trap.S: revision 1.12 via patch
Pfff, use %ss and not %ds. The latter is controlled by userland, the former
contains the kernel value (flat); FreeBSD fixed this too a few weeks ago.
As I said earlier, this dtrace code is complete bullshit.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.14.1 src/sys/arch/i386/i386/vector.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/i386/vector.S
diff -u src/sys/arch/i386/i386/vector.S:1.59 src/sys/arch/i386/i386/vector.S:1.59.14.1
--- src/sys/arch/i386/i386/vector.S:1.59	Sun Jun 12 03:35:42 2011
+++ src/sys/arch/i386/i386/vector.S	Fri Oct 13 08:03:02 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $	*/
+/*	$NetBSD: vector.S,v 1.59.14.1 2017/10/13 08:03:02 snj Exp $	*/
 
 /*
  * Copyright 2002 (c) Wasabi Systems, Inc.
@@ -65,7 +65,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59.14.1 2017/10/13 08:03:02 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_multiprocessor.h"
@@ -773,7 +773,7 @@ IDTVEC(trap05)
 	SUPERALIGN_TEXT
 IDTVEC(trap06)
 	/* Check if there is no DTrace hook registered. */
-	cmpl	$0,dtrace_invop_jump_addr
+	cmpl	$0,%ss:dtrace_invop_jump_addr
 	je	norm_ill
 
 	/* Check if this is a user fault. */
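Review bot: the %ss override on the cmpl in trap06 carries no comment, and the reason is only in the log message: %ds is still controlled by userland at this point, while %ss holds the kernel's flat value. Put that next to the instruction, e.g. /* %ds is still the user's here, use %ss */, and check that no later access in this handler goes through %ds before the segment registers are reloaded.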



CVS commit: [netbsd-6-1] src/doc

2017-09-10 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Sep 11 04:46:35 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1503


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.113 -r1.1.2.114 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.113 src/doc/CHANGES-6.1.6:1.1.2.114
--- src/doc/CHANGES-6.1.6:1.1.2.113	Sat Sep  9 16:54:15 2017
+++ src/doc/CHANGES-6.1.6	Mon Sep 11 04:46:35 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.113 2017/09/09 16:54:15 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.114 2017/09/11 04:46:35 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14807,9 +14807,27 @@ sys/arch/sparc64/sparc64/compat_13_machd
 
 sys/compat/linux32/arch/amd64/linux32_machdep.c	1.39
 
-
 	Fix a ring0 escalation vulnerability in compat_linux32 where the
 	index of %cs is controlled by userland, making it easy to trigger
 	the page fault and get kernel privileges.
 	[maxv, ticket #1502]
 
+crypto/external/bsd/heimdal/dist/cf/check-getpwuid_r-posix.m4 1.1
+crypto/external/bsd/heimdal/dist/configure.ac	1.3
+crypto/external/bsd/heimdal/dist/kcm/client.c	1.3
+crypto/external/bsd/heimdal/dist/kcm/config.c	1.3
+crypto/external/bsd/heimdal/dist/lib/gssapi/mech/gss_pname_to_uid.c 1.3
+crypto/external/bsd/heimdal/dist/lib/hx509/softp11.c 1.3
+crypto/external/bsd/heimdal/dist/lib/krb5/config_file.c 1.3
+crypto/external/bsd/heimdal/dist/lib/krb5/get_default_principal.c 1.3
+crypto/external/bsd/heimdal/dist/lib/krb5/kuserok.c 1.3
+crypto/external/bsd/heimdal/dist/lib/roken/getxxyyy.c 1.3
+crypto/external/bsd/heimdal/dist/lib/roken/roken.h.in 1.5
+crypto/external/bsd/heimdal/include/config.h	1.9
+crypto/external/bsd/heimdal/include/roken.h	1.8
+
+	- Always use rk_getpwnam_r
+	- Use getpwuid_r instead of getpwuid, so that we don't trash
+	  getpw*() internal buffers.
+	[mlelstv, ticket #1503]
+



CVS commit: [netbsd-6-1] src/crypto/external/bsd/heimdal

2017-09-10 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Sep 11 04:43:20 UTC 2017

Modified Files:
src/crypto/external/bsd/heimdal/dist [netbsd-6-1]: configure.ac
src/crypto/external/bsd/heimdal/dist/kcm [netbsd-6-1]: client.c
config.c
src/crypto/external/bsd/heimdal/dist/lib/gssapi/mech [netbsd-6-1]:
gss_pname_to_uid.c
src/crypto/external/bsd/heimdal/dist/lib/hx509 [netbsd-6-1]: softp11.c
src/crypto/external/bsd/heimdal/dist/lib/krb5 [netbsd-6-1]:
config_file.c get_default_principal.c kuserok.c
src/crypto/external/bsd/heimdal/dist/lib/roken [netbsd-6-1]: getxxyyy.c
roken.h.in
src/crypto/external/bsd/heimdal/include [netbsd-6-1]: config.h roken.h
Added Files:
src/crypto/external/bsd/heimdal/dist/cf [netbsd-6-1]:
check-getpwuid_r-posix.m4

Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1503):
crypto/external/bsd/heimdal/include/config.h: revision 1.9
crypto/external/bsd/heimdal/dist/lib/gssapi/mech/gss_pname_to_uid.c: 
revision 1.3
crypto/external/bsd/heimdal/dist/lib/roken/getxxyyy.c: revision 1.3
crypto/external/bsd/heimdal/dist/configure.ac: revision 1.3
crypto/external/bsd/heimdal/dist/kcm/config.c: revision 1.3
crypto/external/bsd/heimdal/dist/lib/krb5/kuserok.c: revision 1.3
crypto/external/bsd/heimdal/dist/cf/check-getpwuid_r-posix.m4: revision 
1.1
crypto/external/bsd/heimdal/include/roken.h: revision 1.8
crypto/external/bsd/heimdal/dist/lib/krb5/get_default_principal.c: 
revision 1.3
crypto/external/bsd/heimdal/dist/lib/hx509/softp11.c: revision 1.3
crypto/external/bsd/heimdal/dist/kcm/client.c: revision 1.3
crypto/external/bsd/heimdal/dist/lib/krb5/config_file.c: revision 1.3
crypto/external/bsd/heimdal/dist/lib/roken/roken.h.in: revision 1.5
always use rk_getpwnam_r...
--
This is why we have libroken...
--
Use getpwuid_r instead of getpwuid, so that we don't trash getpw*() internal
buffers.
kde does (kdm/client/backend.c):
p = getpwnam();
pam_setcred() (which calls getpwuid in pam_afslog);
setusercontext(...,p,p->pw_uid,...) (now with trashed p data...)


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.20.1 -r1.1.1.1.20.2 \
src/crypto/external/bsd/heimdal/dist/configure.ac
cvs rdiff -u -r0 -r1.1.4.2 \
src/crypto/external/bsd/heimdal/dist/cf/check-getpwuid_r-posix.m4
cvs rdiff -u -r1.1.1.1.20.1 -r1.1.1.1.20.2 \
src/crypto/external/bsd/heimdal/dist/kcm/client.c \
src/crypto/external/bsd/heimdal/dist/kcm/config.c
cvs rdiff -u -r1.2.10.2 -r1.2.10.3 \
src/crypto/external/bsd/heimdal/dist/lib/gssapi/mech/gss_pname_to_uid.c
cvs rdiff -u -r1.1.1.1.20.1 -r1.1.1.1.20.2 \
src/crypto/external/bsd/heimdal/dist/lib/hx509/softp11.c
cvs rdiff -u -r1.1.1.1.20.1 -r1.1.1.1.20.2 \
src/crypto/external/bsd/heimdal/dist/lib/krb5/config_file.c \
src/crypto/external/bsd/heimdal/dist/lib/krb5/get_default_principal.c \
src/crypto/external/bsd/heimdal/dist/lib/krb5/kuserok.c
cvs rdiff -u -r1.2.20.2 -r1.2.20.3 \
src/crypto/external/bsd/heimdal/dist/lib/roken/getxxyyy.c
cvs rdiff -u -r1.2.20.1 -r1.2.20.2 \
src/crypto/external/bsd/heimdal/dist/lib/roken/roken.h.in
cvs rdiff -u -r1.4.16.1 -r1.4.16.2 \
src/crypto/external/bsd/heimdal/include/config.h
cvs rdiff -u -r1.3.20.1 -r1.3.20.2 \
src/crypto/external/bsd/heimdal/include/roken.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/external/bsd/heimdal/dist/configure.ac
diff -u src/crypto/external/bsd/heimdal/dist/configure.ac:1.1.1.1.20.1 src/crypto/external/bsd/heimdal/dist/configure.ac:1.1.1.1.20.2
--- src/crypto/external/bsd/heimdal/dist/configure.ac:1.1.1.1.20.1	Wed Aug 30 06:57:22 2017
+++ src/crypto/external/bsd/heimdal/dist/configure.ac	Mon Sep 11 04:43:19 2017
@@ -1,5 +1,5 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_REVISION($Revision: 1.1.1.1.20.1 $)
+AC_REVISION($Revision: 1.1.1.1.20.2 $)
 AC_PREREQ(2.62)
 test -z "$CFLAGS" && CFLAGS="-g"
 AC_INIT([Heimdal],[7.99.1],[https://github.com/heimdal/heimdal/issues])
@@ -514,6 +514,7 @@ KRB_CAPABILITIES
 rk_DLADDR
 
 AC_CHECK_GETPWNAM_R_POSIX
+AC_CHECK_GETPWUID_R_POSIX
 
 dnl detect doors on solaris
 if test "$enable_pthread_support" != no; then

Index: src/crypto/external/bsd/heimdal/dist/kcm/client.c
diff -u src/crypto/external/bsd/heimdal/dist/kcm/client.c:1.1.1.1.20.1 src/crypto/external/bsd/heimdal/dist/kcm/client.c:1.1.1.1.20.2
--- src/crypto/external/bsd/heimdal/dist/kcm/client.c:1.1.1.1.20.1	Wed Aug 30 06:57:24 2017
+++ src/crypto/external/bsd/heimdal/dist/kcm/client.c	Mon Sep 11 04:43:19 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: client.c,v 1.1.1.1.20.1 2017/08/30 06:57:24 snj Exp $	*/
+/*	$NetBSD: client.c,v 1.1.1.1.20.2 2017/09/11 04:43:19 snj Exp $	*/
 
 /*
  * 

CVS commit: [netbsd-6-1] src/doc

2017-09-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Sep  9 16:54:15 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1502


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.112 -r1.1.2.113 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.112 src/doc/CHANGES-6.1.6:1.1.2.113
--- src/doc/CHANGES-6.1.6:1.1.2.112	Mon Sep  4 16:04:59 2017
+++ src/doc/CHANGES-6.1.6	Sat Sep  9 16:54:15 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.112 2017/09/04 16:04:59 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.113 2017/09/09 16:54:15 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14805,3 +14805,11 @@ sys/arch/sparc64/sparc64/compat_13_machd
 	in %pstate and get kernel privileges on the hardware.
 	[maxv, ticket #1501]
 
+sys/compat/linux32/arch/amd64/linux32_machdep.c	1.39
+
+
+	Fix a ring0 escalation vulnerability in compat_linux32 where the
+	index of %cs is controlled by userland, making it easy to trigger
+	the page fault and get kernel privileges.
+	[maxv, ticket #1502]
+



CVS commit: [netbsd-6-1] src/sys/compat/linux32/arch/amd64

2017-09-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Sep  9 16:53:35 UTC 2017

Modified Files:
src/sys/compat/linux32/arch/amd64 [netbsd-6-1]: linux32_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1502):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.16.1 \
src/sys/compat/linux32/arch/amd64/linux32_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c
diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29.16.1
--- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29	Fri Mar  4 22:25:31 2011
+++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c	Sat Sep  9 16:53:34 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $ */
+/*	$NetBSD: linux32_machdep.c,v 1.29.16.1 2017/09/09 16:53:34 snj Exp $ */
 
 /*-
  * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29.16.1 2017/09/09 16:53:34 snj Exp $");
 
 #include 
 #include 
@@ -428,8 +428,9 @@ linux32_restore_sigcontext(struct lwp *l
 	/*
 	 * Check for security violations.
 	 */
-	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
-	!USERMODE(scp->sc_cs, scp->sc_eflags))
+	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+		return EINVAL;
+	if (!VALID_USER_CSEL32(scp->sc_cs))
 		return EINVAL;
 
 	if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
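Review bot: the split check in linux32_restore_sigcontext() now validates sc_cs with VALID_USER_CSEL32(), but the comment above it still reads only "Check for security violations"; say there that sc_cs comes from the user-supplied signal context and must name a 32-bit user code selector, since that is the whole fix. The context line below shows sc_fs being accepted when it is zero; confirm the remaining selectors in the sigcontext get an equivalent validity test.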



CVS commit: [netbsd-6-1] src/doc

2017-09-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Sep  4 16:04:59 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1501


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.111 -r1.1.2.112 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.111 src/doc/CHANGES-6.1.6:1.1.2.112
--- src/doc/CHANGES-6.1.6:1.1.2.111	Wed Aug 30 07:05:24 2017
+++ src/doc/CHANGES-6.1.6	Mon Sep  4 16:04:59 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.111 2017/08/30 07:05:24 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.112 2017/09/04 16:04:59 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14799,3 +14799,9 @@ usr.sbin/racoon/Makefile			1.28
 	Update Heimdal to 7.1.
 	[mrg, ticket #1493]
 
+sys/arch/sparc64/sparc64/compat_13_machdep.c	1.24
+
+	Apply only CCR. Otherwise userland could set PSTATE_PRIV
+	in %pstate and get kernel privileges on the hardware.
+	[maxv, ticket #1501]
+



CVS commit: [netbsd-6-1] src/sys/arch/sparc64/sparc64

2017-09-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Sep  4 16:04:23 UTC 2017

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-6-1]: compat_13_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1501):
sys/arch/sparc64/sparc64/compat_13_machdep.c: revision 1.24
Apply only CCR. Otherwise userland could set PSTATE_PRIV in %pstate and get
kernel privileges on the hardware.
ok martin


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.32.1 \
src/sys/arch/sparc64/sparc64/compat_13_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/compat_13_machdep.c
diff -u src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23 src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23.32.1
--- src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23	Sat Nov 21 04:16:52 2009
+++ src/sys/arch/sparc64/sparc64/compat_13_machdep.c	Mon Sep  4 16:04:23 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $	*/
+/*	$NetBSD: compat_13_machdep.c,v 1.23.32.1 2017/09/04 16:04:23 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23.32.1 2017/09/04 16:04:23 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -129,7 +129,7 @@ compat_13_sys_sigreturn(struct lwp *l, c
 		return (EINVAL);
 	/* take only psr ICC field */
 #ifdef __arch64__
-	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | scp->sc_tstate;
+	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | (scp->sc_tstate & TSTATE_CCR);
 #else
 	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | PSRCC_TO_TSTATE(scp->sc_psr);
 #endif
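Review bot: the __arch64__ branch of compat_13_sys_sigreturn() now masks scp->sc_tstate with TSTATE_CCR, but the #else branch still ORs in PSRCC_TO_TSTATE(scp->sc_psr) unmasked; confirm that macro can only produce bits inside TSTATE_CCR, or apply the same mask there. The comment "take only psr ICC field" describes the #else branch only and should mention the tstate CCR case, and the changed line runs past 80 columns.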



CVS commit: [netbsd-6-1] src

2017-08-29 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Aug 30 05:49:13 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: 3RDPARTY
src/external/bsd/wpa/bin [netbsd-6-1]: Makefile.inc
src/external/bsd/wpa/bin/hostapd [netbsd-6-1]: Makefile aes-xinternal.c
hostapd.8 hostapd.conf.5
src/external/bsd/wpa/bin/hostapd_cli [netbsd-6-1]: Makefile
hostapd_cli.8
src/external/bsd/wpa/bin/wpa_cli [netbsd-6-1]: Makefile wpa_cli.8
src/external/bsd/wpa/bin/wpa_passphrase [netbsd-6-1]: Makefile
wpa_passphrase.8
src/external/bsd/wpa/bin/wpa_supplicant [netbsd-6-1]: Makefile
aes-xinternal.c wpa_supplicant.8 wpa_supplicant.conf.5
src/external/bsd/wpa/dist [netbsd-6-1]: COPYING README
src/external/bsd/wpa/dist/hostapd [netbsd-6-1]: ChangeLog Makefile
README README-WPS config_file.c config_file.h ctrl_iface.c
ctrl_iface.h defconfig eap_register.c eap_register.h hlr_auc_gw.c
hlr_auc_gw.milenage_db hostapd.8 hostapd.conf hostapd.eap_user
hostapd_cli.c main.c nt_password_hash.c
src/external/bsd/wpa/dist/src [netbsd-6-1]: Makefile lib.rules
src/external/bsd/wpa/dist/src/ap [netbsd-6-1]: Makefile accounting.c
accounting.h ap_config.c ap_config.h ap_drv_ops.c ap_drv_ops.h
ap_list.c ap_list.h ap_mlme.c ap_mlme.h authsrv.c authsrv.h
beacon.c beacon.h ctrl_iface_ap.c ctrl_iface_ap.h drv_callbacks.c
hostapd.c hostapd.h hw_features.c hw_features.h iapp.c iapp.h
ieee802_11.c ieee802_11.h ieee802_11_auth.c ieee802_11_auth.h
ieee802_11_ht.c ieee802_1x.c ieee802_1x.h peerkey_auth.c
pmksa_cache_auth.c pmksa_cache_auth.h preauth_auth.c preauth_auth.h
sta_info.c sta_info.h tkip_countermeasures.c tkip_countermeasures.h
utils.c vlan_init.c vlan_init.h wmm.c wmm.h wpa_auth.c wpa_auth.h
wpa_auth_ft.c wpa_auth_glue.c wpa_auth_glue.h wpa_auth_i.h
wpa_auth_ie.c wpa_auth_ie.h wps_hostapd.c wps_hostapd.h
src/external/bsd/wpa/dist/src/common [netbsd-6-1]: Makefile defs.h
eapol_common.h ieee802_11_common.c ieee802_11_common.h
ieee802_11_defs.h privsep_commands.h version.h wpa_common.c
wpa_common.h wpa_ctrl.c wpa_ctrl.h
src/external/bsd/wpa/dist/src/crypto [netbsd-6-1]: Makefile aes-cbc.c
aes-ctr.c aes-eax.c aes-encblock.c aes-internal-dec.c
aes-internal-enc.c aes-internal.c aes-omac1.c aes-unwrap.c
aes-wrap.c aes.h aes_i.h aes_wrap.h crypto.h crypto_gnutls.c
crypto_internal-cipher.c crypto_internal-modexp.c
crypto_internal-rsa.c crypto_internal.c crypto_libtomcrypt.c
crypto_none.c crypto_openssl.c des-internal.c des_i.h dh_group5.c
dh_group5.h dh_groups.c dh_groups.h fips_prf_internal.c
fips_prf_openssl.c md4-internal.c md5-internal.c md5.c md5.h
md5_i.h milenage.c milenage.h ms_funcs.c ms_funcs.h rc4.c
sha1-internal.c sha1-pbkdf2.c sha1-tlsprf.c sha1-tprf.c sha1.c
sha1.h sha1_i.h sha256-internal.c sha256.c sha256.h tls.h
tls_gnutls.c tls_internal.c tls_none.c tls_openssl.c
src/external/bsd/wpa/dist/src/drivers [netbsd-6-1]: Makefile driver.h
driver_atheros.c driver_bsd.c driver_hostap.c driver_hostap.h
driver_ndis.c driver_ndis.h driver_ndis_.c driver_nl80211.c
driver_none.c driver_privsep.c driver_roboswitch.c driver_wext.c
driver_wext.h driver_wired.c drivers.c drivers.mak linux_ioctl.c
linux_ioctl.h ndis_events.c netlink.c netlink.h nl80211_copy.h
priv_netlink.h
src/external/bsd/wpa/dist/src/eap_common [netbsd-6-1]: Makefile chap.c
chap.h eap_common.c eap_common.h eap_defs.h eap_fast_common.c
eap_fast_common.h eap_gpsk_common.c eap_gpsk_common.h
eap_ikev2_common.c eap_ikev2_common.h eap_pax_common.c
eap_pax_common.h eap_peap_common.c eap_peap_common.h
eap_psk_common.c eap_psk_common.h eap_sake_common.c
eap_sake_common.h eap_sim_common.c eap_sim_common.h
eap_tlv_common.h eap_ttls.h eap_wsc_common.c eap_wsc_common.h
ikev2_common.c ikev2_common.h
src/external/bsd/wpa/dist/src/eap_peer [netbsd-6-1]: Makefile eap.c
eap.h eap_aka.c eap_config.h eap_fast.c eap_fast_pac.c
eap_fast_pac.h eap_gpsk.c eap_gtc.c eap_i.h eap_ikev2.c eap_leap.c
eap_md5.c eap_methods.c eap_methods.h eap_mschapv2.c eap_otp.c
eap_pax.c eap_peap.c eap_psk.c eap_sake.c eap_sim.c eap_tls.c
eap_tls_common.c eap_tls_common.h eap_tnc.c eap_ttls.c
eap_vendor_test.c eap_wsc.c ikev2.c ikev2.h mschapv2.c mschapv2.h
tncc.c tncc.h
src/external/bsd/wpa/dist/src/eap_server [netbsd-6-1]: Makefile eap.h

CVS commit: [netbsd-6-1] src/doc

2017-08-28 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Aug 28 06:30:58 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1491


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.109 -r1.1.2.110 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.109 src/doc/CHANGES-6.1.6:1.1.2.110
--- src/doc/CHANGES-6.1.6:1.1.2.109	Sat Aug 26 16:37:36 2017
+++ src/doc/CHANGES-6.1.6	Mon Aug 28 06:30:58 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.109 2017/08/26 16:37:36 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.110 2017/08/28 06:30:58 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -12539,3 +12539,26 @@ sys/arch/i386/conf/GENERIC			patch
 	i386 GENERIC: disable VM86 by default.
 	[maxv, ticket #1466]
 
+external/bsd/bind/dist/CHANGES			patch
+external/bsd/bind/dist/FAQ.xml			patch
+external/bsd/bind/dist/FAQ 			delete
+external/bsd/bind/dist/HISTORY.md		patch
+external/bsd/bind/dist/OPTIONS			patch
+external/bsd/bind/dist/OPTIONS.md		patch
+external/bsd/bind/dist/README.md		patch
+external/bsd/bind/dist/HISTORY			patch
+external/bsd/bind/dist/Makefile.in		patch
+external/bsd/bind/dist/README			patch
+external/bsd/bind/dist/acconfig.h		patch
+external/bsd/bind/dist/bind.keys		patch
+external/bsd/bind/dist/config.h.in		patch
+external/bsd/bind/dist/configure		patch
+external/bsd/bind/dist/configure.in		patch
+external/bsd/bind/dist/isc-config.sh.1		patch
+external/bsd/bind/dist/isc-config.sh.docbook	patch
+external/bsd/bind/dist/isc-config.sh.html	patch
+external/bsd/bind/dist/srcid external/bsd/bind/dist/version patch
+
+	Update BIND to 9.9.11.
+	[mrg, ticket #1491]
+
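
Review bot: The last path line of the new BIND entry, `external/bsd/bind/dist/srcid external/bsd/bind/dist/version patch`, carries two paths on one line while every other line in the block has one path and one action. Split it into a `srcid` line and a `version` line so that anyone scanning CHANGES line by line sees both files. The `FAQ` line also has a stray space between the path and the tab run before `delete`.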



CVS commit: [netbsd-6-1] src/doc

2017-08-26 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 26 16:37:36 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1466


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.108 -r1.1.2.109 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.108 src/doc/CHANGES-6.1.6:1.1.2.109
--- src/doc/CHANGES-6.1.6:1.1.2.108	Wed Aug 23 19:37:48 2017
+++ src/doc/CHANGES-6.1.6	Sat Aug 26 16:37:36 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.108 2017/08/23 19:37:48 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.109 2017/08/26 16:37:36 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -12534,3 +12534,8 @@ sys/compat/linux/common/linux_time.c		1.
 	missing cred check in linux_sys_settimeofday()
 	[mrg, ticket #1489]
 
+sys/arch/i386/conf/GENERIC			patch
+
+	i386 GENERIC: disable VM86 by default.
+	[maxv, ticket #1466]
+



CVS commit: [netbsd-6-1] src/sys/arch/i386/conf

2017-08-26 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 26 16:26:29 UTC 2017

Modified Files:
src/sys/arch/i386/conf [netbsd-6-1]: GENERIC

Log Message:
Apply patch (requested by maxv in ticket #1466):
Disable vm86 by default. The use case is limited, and the potential
for damage is too high.


To generate a diff of this commit:
cvs rdiff -u -r1.1066.2.7 -r1.1066.2.7.6.1 src/sys/arch/i386/conf/GENERIC

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/conf/GENERIC
diff -u src/sys/arch/i386/conf/GENERIC:1.1066.2.7 src/sys/arch/i386/conf/GENERIC:1.1066.2.7.6.1
--- src/sys/arch/i386/conf/GENERIC:1.1066.2.7	Wed Aug 15 15:33:00 2012
+++ src/sys/arch/i386/conf/GENERIC	Sat Aug 26 16:26:29 2017
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.1066.2.7 2012/08/15 15:33:00 sborrill Exp $
+# $NetBSD: GENERIC,v 1.1066.2.7.6.1 2017/08/26 16:26:29 snj Exp $
 #
 # GENERIC machine description file
 #
@@ -22,12 +22,12 @@ include 	"arch/i386/conf/std.i386"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.1066.2.7 $"
+#ident 		"GENERIC-$Revision: 1.1066.2.7.6.1 $"
 
 maxusers	64		# estimated number of users
 
 # CPU-related options.
-options 	VM86		# virtual 8086 emulation
+#options 	VM86		# virtual 8086 emulation
 options 	USER_LDT	# user-settable LDT; used by WINE
 #options 	PAE		# PAE mode (36 bits physical addressing)
 
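
Review bot: The `#options VM86` line is commented out with its old trailing comment `# virtual 8086 emulation` unchanged, so the config file itself gives no reason for the new default. The rationale (limited use case, high potential for damage) exists only in the log message. Extend the comment on that line to say the option is off by default for safety, so that someone enabling it from GENERIC sees the caveat.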



CVS commit: [netbsd-6-1] src/doc

2017-08-23 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Aug 23 19:37:48 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
add to 1481


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.107 -r1.1.2.108 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.107 src/doc/CHANGES-6.1.6:1.1.2.108
--- src/doc/CHANGES-6.1.6:1.1.2.107	Mon Aug 21 23:31:21 2017
+++ src/doc/CHANGES-6.1.6	Wed Aug 23 19:37:48 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.107 2017/08/21 23:31:21 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.108 2017/08/23 19:37:48 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -12463,6 +12463,7 @@ sys/dev/vnd.c	1.260, 1.262
 sys/compat/ibcs2/ibcs2_exec_coff.c		1.27-1.29
 sys/compat/ibcs2/ibcs2_ioctl.c			1.46
 sys/compat/ibcs2/ibcs2_stat.c			1.49-1.50
+sys/lib/libkern/Makefile.libkern		1.19
 
 	Out of bound read and endless loop in exec_ibcs2_coff_prep_zmagic().
 	Infoleak in ibcs2_sys_ioctl.



CVS commit: [netbsd-6-1] src/sys/lib/libkern

2017-08-23 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Aug 23 19:37:20 UTC 2017

Modified Files:
src/sys/lib/libkern [netbsd-6-1]: Makefile.libkern

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/lib/libkern/Makefile.libkern: revision 1.19
Add strnlen.c to SRCS (which will automatically use the .S version if it
exists).


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.17.8.1 src/sys/lib/libkern/Makefile.libkern

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/lib/libkern/Makefile.libkern
diff -u src/sys/lib/libkern/Makefile.libkern:1.17 src/sys/lib/libkern/Makefile.libkern:1.17.8.1
--- src/sys/lib/libkern/Makefile.libkern:1.17	Sun Feb  5 14:19:03 2012
+++ src/sys/lib/libkern/Makefile.libkern	Wed Aug 23 19:37:20 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.libkern,v 1.17 2012/02/05 14:19:03 dholland Exp $
+#	$NetBSD: Makefile.libkern,v 1.17.8.1 2017/08/23 19:37:20 snj Exp $
 
 # 
 # Variable definitions for libkern.  
@@ -84,7 +84,7 @@ SRCS+=	random.c
 SRCS+=	rngtest.c
 
 SRCS+=	memchr.c
-SRCS+=	strcat.c strcmp.c strcpy.c strlen.c
+SRCS+=	strcat.c strcmp.c strcpy.c strlen.c strnlen.c
 SRCS+=	strncmp.c strncpy.c
 SRCS+=	strcasecmp.c strncasecmp.c
 



CVS commit: [netbsd-6-1] src/doc

2017-08-21 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Aug 21 23:31:21 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
note some files that were deleted in ticket #1468


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.106 -r1.1.2.107 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.106 src/doc/CHANGES-6.1.6:1.1.2.107
--- src/doc/CHANGES-6.1.6:1.1.2.106	Sat Aug 19 05:06:42 2017
+++ src/doc/CHANGES-6.1.6	Mon Aug 21 23:31:21 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.106 2017/08/19 05:06:42 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.107 2017/08/21 23:31:21 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -12077,22 +12077,22 @@ crypto/external/bsd/openssh/dist/PROTOCO
 crypto/external/bsd/openssh/dist/addrmatch.c	patch
 crypto/external/bsd/openssh/dist/atomicio.c	patch
 crypto/external/bsd/openssh/dist/auth-bsdauth.c	patch
-crypto/external/bsd/openssh/dist/auth-chall.c	patch
+crypto/external/bsd/openssh/dist/auth-chall.c	delete
 crypto/external/bsd/openssh/dist/auth-krb5.c	patch
 crypto/external/bsd/openssh/dist/auth-options.c	patch
 crypto/external/bsd/openssh/dist/auth-options.h	patch
 crypto/external/bsd/openssh/dist/auth-pam.c	patch
 crypto/external/bsd/openssh/dist/auth-passwd.c	patch
-crypto/external/bsd/openssh/dist/auth-rh-rsa.c	patch
+crypto/external/bsd/openssh/dist/auth-rh-rsa.c	delete
 crypto/external/bsd/openssh/dist/auth-rhosts.c	patch
-crypto/external/bsd/openssh/dist/auth-rsa.c	patch
+crypto/external/bsd/openssh/dist/auth-rsa.c	delete
 crypto/external/bsd/openssh/dist/auth.c		patch
 crypto/external/bsd/openssh/dist/auth.h		patch
-crypto/external/bsd/openssh/dist/auth1.c	patch
+crypto/external/bsd/openssh/dist/auth1.c	delete
 crypto/external/bsd/openssh/dist/auth2-chall.c	patch
 crypto/external/bsd/openssh/dist/auth2-gss.c	patch
 crypto/external/bsd/openssh/dist/auth2-hostbased.c patch
-crypto/external/bsd/openssh/dist/auth2-jpake.c	patch
+crypto/external/bsd/openssh/dist/auth2-jpake.c	delete
 crypto/external/bsd/openssh/dist/auth2-kbdint.c	patch
 crypto/external/bsd/openssh/dist/auth2-krb5.c	patch
 crypto/external/bsd/openssh/dist/auth2-none.c	patch
@@ -12127,15 +12127,15 @@ crypto/external/bsd/openssh/dist/cipher-
 crypto/external/bsd/openssh/dist/cipher-chachapoly.c patch
 crypto/external/bsd/openssh/dist/cipher-chachapoly.h patch
 crypto/external/bsd/openssh/dist/cipher-ctr-mt.c patch
-crypto/external/bsd/openssh/dist/cipher-ctr.c	patch
+crypto/external/bsd/openssh/dist/cipher-ctr.c	delete
 crypto/external/bsd/openssh/dist/cipher.c	patch
 crypto/external/bsd/openssh/dist/cipher.h	patch
 crypto/external/bsd/openssh/dist/clientloop.c	patch
 crypto/external/bsd/openssh/dist/clientloop.h	patch
 crypto/external/bsd/openssh/dist/compat.c	patch
 crypto/external/bsd/openssh/dist/compat.h	patch
-crypto/external/bsd/openssh/dist/compress.c	patch
-crypto/external/bsd/openssh/dist/compress.h	patch
+crypto/external/bsd/openssh/dist/compress.c	delete
+crypto/external/bsd/openssh/dist/compress.h	delete
 crypto/external/bsd/openssh/dist/crypto_api.h	patch
 crypto/external/bsd/openssh/dist/deattack.c	patch
 crypto/external/bsd/openssh/dist/deattack.h	patch
@@ -12166,8 +12166,8 @@ crypto/external/bsd/openssh/dist/hmac.h	
 crypto/external/bsd/openssh/dist/hostfile.c	patch
 crypto/external/bsd/openssh/dist/hostfile.h	patch
 crypto/external/bsd/openssh/dist/includes.h	patch
-crypto/external/bsd/openssh/dist/jpake.c	patch
-crypto/external/bsd/openssh/dist/jpake.h	patch
+crypto/external/bsd/openssh/dist/jpake.c	delete
+crypto/external/bsd/openssh/dist/jpake.h	delete
 crypto/external/bsd/openssh/dist/kex.c		patch
 crypto/external/bsd/openssh/dist/kex.h		patch
 crypto/external/bsd/openssh/dist/kexc25519.c	patch
@@ -12208,8 +12208,8 @@ crypto/external/bsd/openssh/dist/moduli.
 crypto/external/bsd/openssh/dist/monitor.c	patch
 crypto/external/bsd/openssh/dist/monitor.h	patch
 crypto/external/bsd/openssh/dist/monitor_fdpass.c patch
-crypto/external/bsd/openssh/dist/monitor_mm.c	patch
-crypto/external/bsd/openssh/dist/monitor_mm.h	patch
+crypto/external/bsd/openssh/dist/monitor_mm.c	delete
+crypto/external/bsd/openssh/dist/monitor_mm.h	delete
 crypto/external/bsd/openssh/dist/monitor_wrap.c	patch
 crypto/external/bsd/openssh/dist/monitor_wrap.h	patch
 crypto/external/bsd/openssh/dist/msg.c		patch
@@ -12219,7 +12219,7 @@ crypto/external/bsd/openssh/dist/mypropo
 crypto/external/bsd/openssh/dist/namespace.h	patch
 crypto/external/bsd/openssh/dist/opacket.c	patch
 crypto/external/bsd/openssh/dist/opacket.h	patch
-crypto/external/bsd/openssh/dist/openssh2netbsd	patch
+crypto/external/bsd/openssh/dist/openssh2netbsd	delete
 crypto/external/bsd/openssh/dist/packet.c	patch
 crypto/external/bsd/openssh/dist/packet.h	patch
 

CVS commit: [netbsd-6-1] src/crypto/external/bsd/openssh/dist

2017-08-21 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Aug 21 23:23:59 UTC 2017

Removed Files:
src/crypto/external/bsd/openssh/dist [netbsd-6-1]: auth-chall.c
auth-rh-rsa.c auth-rsa.c auth1.c auth2-jpake.c cipher-ctr.c
compress.c compress.h jpake.c jpake.h monitor_mm.c monitor_mm.h
openssh2netbsd roaming.h roaming_client.c roaming_common.c
roaming_dummy.c roaming_serv.c sandbox-systrace.c schnorr.c
schnorr.h strtonum.c

Log Message:
prune empty files that should have been deleted in ticket #1468


To generate a diff of this commit:
cvs rdiff -u -r1.3.18.1 -r0 src/crypto/external/bsd/openssh/dist/auth-chall.c \
src/crypto/external/bsd/openssh/dist/compress.c
cvs rdiff -u -r1.4.18.1 -r0 \
src/crypto/external/bsd/openssh/dist/auth-rh-rsa.c \
src/crypto/external/bsd/openssh/dist/cipher-ctr.c \
src/crypto/external/bsd/openssh/dist/openssh2netbsd
cvs rdiff -u -r1.6.16.1 -r0 src/crypto/external/bsd/openssh/dist/auth-rsa.c
cvs rdiff -u -r1.5.16.1 -r0 src/crypto/external/bsd/openssh/dist/auth1.c
cvs rdiff -u -r1.4.16.1 -r0 \
src/crypto/external/bsd/openssh/dist/auth2-jpake.c
cvs rdiff -u -r1.2.22.1 -r0 src/crypto/external/bsd/openssh/dist/compress.h \
src/crypto/external/bsd/openssh/dist/monitor_mm.h
cvs rdiff -u -r1.6.12.1 -r0 src/crypto/external/bsd/openssh/dist/jpake.c
cvs rdiff -u -r1.3.22.1 -r0 src/crypto/external/bsd/openssh/dist/jpake.h \
src/crypto/external/bsd/openssh/dist/monitor_mm.c
cvs rdiff -u -r1.3.14.1 -r0 src/crypto/external/bsd/openssh/dist/roaming.h \
src/crypto/external/bsd/openssh/dist/roaming_client.c
cvs rdiff -u -r1.5.14.1 -r0 \
src/crypto/external/bsd/openssh/dist/roaming_common.c
cvs rdiff -u -r1.2.18.1 -r0 \
src/crypto/external/bsd/openssh/dist/roaming_dummy.c \
src/crypto/external/bsd/openssh/dist/roaming_serv.c \
src/crypto/external/bsd/openssh/dist/schnorr.h
cvs rdiff -u -r1.1.1.1.12.1 -r0 \
src/crypto/external/bsd/openssh/dist/sandbox-systrace.c
cvs rdiff -u -r1.5.18.1 -r0 src/crypto/external/bsd/openssh/dist/schnorr.c
cvs rdiff -u -r1.1.22.1 -r0 src/crypto/external/bsd/openssh/dist/strtonum.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-1] src/sys/altq

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:37:04 UTC 2017

Modified Files:
src/sys/altq [netbsd-6-1]: altq_cbq.c altq_hfsc.c altq_jobs.c
altq_priq.c altq_wfq.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1488):
sys/altq/altq_cbq.c: revision 1.31
sys/altq/altq_hfsc.c: revision 1.27
sys/altq/altq_jobs.c: revision 1.11
sys/altq/altq_priq.c: revision 1.24
sys/altq/altq_wfq.c: revision 1.22
Zero buffers copied to userland to avoid stack disclosure.
From Ilja Van Sprundel.
--
Reject negative indices.
(Would be nice to change the types too, and it's *probably* safe to
replace int by u_int, but I'm reluctant to touch the ioctl
definitions without at least a modicum more thought.  Also one of
them is a u_long, because why not?)
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.32.1 src/sys/altq/altq_cbq.c
cvs rdiff -u -r1.24 -r1.24.52.1 src/sys/altq/altq_hfsc.c
cvs rdiff -u -r1.6.28.1 -r1.6.28.2 src/sys/altq/altq_jobs.c
cvs rdiff -u -r1.21 -r1.21.32.1 src/sys/altq/altq_priq.c
cvs rdiff -u -r1.19 -r1.19.50.1 src/sys/altq/altq_wfq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/altq/altq_cbq.c
diff -u src/sys/altq/altq_cbq.c:1.26 src/sys/altq/altq_cbq.c:1.26.32.1
--- src/sys/altq/altq_cbq.c:1.26	Sun Nov 22 18:40:26 2009
+++ src/sys/altq/altq_cbq.c	Sat Aug 19 05:37:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $	*/
+/*	$NetBSD: altq_cbq.c,v 1.26.32.1 2017/08/19 05:37:04 snj Exp $	*/
 /*	$KAME: altq_cbq.c,v 1.21 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26.32.1 2017/08/19 05:37:04 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -472,6 +472,7 @@ cbq_getqstats(struct pf_altq *a, void *u
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)
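
Review bot: In cbq_getqstats() the new memset sits directly before get_class_stats() with no comment saying why, so a later cleanup could drop it as redundant initialisation. Add a short comment that the struct goes to userland through copyout() with sizeof(stats) and must not carry stale stack bytes in padding or in fields that get_class_stats() leaves unset.
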
@@ -876,6 +877,7 @@ cbq_getstats(struct cbq_getstats *gsp)
 			if (++i >= CBQ_MAX_CLASSES)
 goto out;
 
+		memset(, 0, sizeof(stats));
 		get_class_stats(, cl);
 		stats.handle = cl->stats_.handle;
 

Index: src/sys/altq/altq_hfsc.c
diff -u src/sys/altq/altq_hfsc.c:1.24 src/sys/altq/altq_hfsc.c:1.24.52.1
--- src/sys/altq/altq_hfsc.c:1.24	Wed Jun 18 09:06:27 2008
+++ src/sys/altq/altq_hfsc.c	Sat Aug 19 05:37:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $	*/
+/*	$NetBSD: altq_hfsc.c,v 1.24.52.1 2017/08/19 05:37:04 snj Exp $	*/
 /*	$KAME: altq_hfsc.c,v 1.26 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24.52.1 2017/08/19 05:37:04 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -313,6 +313,7 @@ hfsc_getqstats(struct pf_altq *a, void *
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)

Index: src/sys/altq/altq_jobs.c
diff -u src/sys/altq/altq_jobs.c:1.6.28.1 src/sys/altq/altq_jobs.c:1.6.28.2
--- src/sys/altq/altq_jobs.c:1.6.28.1	Mon Nov  3 15:10:39 2014
+++ src/sys/altq/altq_jobs.c	Sat Aug 19 05:37:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_jobs.c,v 1.6.28.1 2014/11/03 15:10:39 msaitoh Exp $	*/
+/*	$NetBSD: altq_jobs.c,v 1.6.28.2 2017/08/19 05:37:04 snj Exp $	*/
 /*	$KAME: altq_jobs.c,v 1.11 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (c) 2001, the Rector and Board of Visitors of the
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.28.1 2014/11/03 15:10:39 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.28.2 2017/08/19 05:37:04 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -2111,10 +2111,9 @@ jobscmd_class_stats(struct jobs_class_st
 	usp = ap->stats;
 	for (pri = 0; pri <= jif->jif_maxpri; pri++) {
 		cl = jif->jif_classes[pri];
+		(void)memset(, 0, sizeof(stats));
 		if (cl != NULL)
 			get_class_stats(, cl);
-		else
-			(void)memset(, 0, sizeof(stats));
 		if ((error = copyout((void *), (void *)usp++,
  sizeof(stats))) != 0)
 			return (error);
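
Review bot: In jobscmd_class_stats() the memset keeps its `(void)` cast while the same call added in the cbq and hfsc hunks is written without one; pick one form across the altq files. Moving the zeroing ahead of the `cl != NULL` test is the right shape, since it now also covers the path where get_class_stats() runs, and a one-line comment that the buffer is handed to copyout() would keep it from being folded back into an else branch.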

Index: src/sys/altq/altq_priq.c
diff -u src/sys/altq/altq_priq.c:1.21 src/sys/altq/altq_priq.c:1.21.32.1
--- src/sys/altq/altq_priq.c:1.21	Sat Mar 14 15:35:58 2009
+++ src/sys/altq/altq_priq.c	Sat Aug 19 05:37:04 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_priq.c,v 1.21 2009/03/14 15:35:58 dsl Exp $	*/
+/*	$NetBSD: altq_priq.c,v 1.21.32.1 2017/08/19 05:37:04 snj Exp $	*/
 /*	$KAME: altq_priq.c,v 1.13 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (C) 2000-2003
@@ 

CVS commit: [netbsd-6-1] src/doc

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:06:42 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1478-1489


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.105 -r1.1.2.106 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.105 src/doc/CHANGES-6.1.6:1.1.2.106
--- src/doc/CHANGES-6.1.6:1.1.2.105	Fri Aug 18 15:10:01 2017
+++ src/doc/CHANGES-6.1.6	Sat Aug 19 05:06:42 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.105 2017/08/18 15:10:01 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.106 2017/08/19 05:06:42 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -12436,3 +12436,100 @@ sys/dev/ic/dm9000.c1.12
 	dme_alloc_receive_buffer()
 	[mrg, ticket #1477]
 
+sys/dev/ic/bwi.c1.32
+
+	wrong error checking in bwi_newbuf() can cause an mbuf to
+	declare an mbuf length that is too big
+	[mrg, ticket #1478]
+
+sys/compat/svr4/svr4_lwp.c			1.20
+sys/compat/svr4/svr4_signal.c			1.67
+sys/compat/svr4/svr4_stream.c			1.89-1.91 via patch
+sys/compat/svr4_32/svr4_32_signal.c		1.29-1.30
+
+	Fix some of the multitudinous holes in svr4 streams.
+	Zero stack data before copyout.
+	Fix indexing of svr4 signals.
+	Attempt to get reference counting less bad.
+	Check bounds in svr4_sys_putmsg. Check more svr4_strmcmd bounds.
+	[mrg, ticket #1479]
+
+sys/dev/vnd.c	1.260, 1.262
+
+	int overflows / truncation issues in vndioctl can cause
+	memory corruption
+	[mrg, ticket #1480]
+
+sys/compat/ibcs2/ibcs2_exec_coff.c		1.27-1.29
+sys/compat/ibcs2/ibcs2_ioctl.c			1.46
+sys/compat/ibcs2/ibcs2_stat.c			1.49-1.50
+
+	Out of bound read and endless loop in exec_ibcs2_coff_prep_zmagic().
+	Infoleak in ibcs2_sys_ioctl.
+	Potenial use of expired pointers in ibcs2_sys_statfs()/
+	ibcs2_sys_statvfs()
+	[mrg, ticket #1481]
+
+sys/kern/vfs_getcwd.c1.52
+
+	out of bound read in getcwd_scandir()
+	[mrg, ticket #1482]
+
+sys/compat/common/vfs_syscalls_12.c		1.34
+sys/compat/common/vfs_syscalls_43.c		1.60
+sys/compat/ibcs2/ibcs2_misc.c			1.114
+sys/compat/linux/common/linux_file64.c		1.59
+sys/compat/linux/common/linux_misc.c		1.239
+sys/compat/linux32/common/linux32_dirent.c	1.18
+sys/compat/osf1/osf1_file.c			1.44
+sys/compat/sunos/sunos_misc.c			1.171
+sys/compat/sunos32/sunos32_misc.c		1.78
+sys/compat/svr4/svr4_misc.c			1.158
+sys/compat/svr4_32/svr4_32_misc.c		1.78
+
+	puffs userland can trigger panic in compat getdents
+	[mrg, ticket #1483]
+
+sys/kern/kern_ktrace.c1.171 via patch
+
+	infoleak in ktruser() if copyin fails.
+	[mrg, ticket #1484]
+
+sys/dev/ic/isp_netbsd.c1.89
+
+	unvalidated channel index in ISP_FC_GETDLIST case of
+	ispioctl() can cause out of bound read
+	[mrg, ticket #1485]
+
+sys/dev/ic/ciss.c1.37
+
+	out of bound read in ciss_ioctl_vol()
+	signedness bug in ciss_ioctl()
+	[mrg, ticket #1486]
+
+sys/netsmb/smb_dev.c1.50
+sys/netsmb/smb_subr.c1.38
+sys/netsmb/smb_subr.h1.22
+sys/netsmb/smb_usr.c1.17-1.19
+
+	- no length validation in smb_usr_vc2spec() can cause out
+	  of bound read.
+	- signedness bug in smb_usr_t2request() can cause out of
+	  bound read
+	[mrg, ticket #1487]
+
+sys/altq/altq_cbq.c1.31
+sys/altq/altq_hfsc.c1.27
+sys/altq/altq_jobs.c1.11
+sys/altq/altq_priq.c1.24
+sys/altq/altq_wfq.c1.22
+
+	infoleak in get_class_stats()
+	signedness bug in wfq_getstats()
+	[mrg, ticket #1488]
+
+sys/compat/linux/common/linux_time.c		1.38-1.39 via patch
+
+	missing cred check in linux_sys_settimeofday()
+	[mrg, ticket #1489]
+
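
Review bot: The ticket #1481 entry misspells "Potential" in `Potenial use of expired pointers in ibcs2_sys_statfs()/`; fix it before the file feeds release notes. The #1487 entry is also the only one in this block written as a dash list, while the neighbouring entries with several findings (#1479, #1481, #1486, #1488) use plain lines; use one form throughout.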



CVS commit: [netbsd-6-1] src/sys/compat/linux/common

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:03:58 UTC 2017

Modified Files:
src/sys/compat/linux/common [netbsd-6-1]: linux_time.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1489):
sys/compat/linux/common/linux_time.c: 1.38-1.39 via patch
Only let the superuser set the compat_linux timezone.
Not really keen to invent a new kauth cookie for this useless purpose.
From Ilja Van Sprundel.
--
Put suser check in the right function: settimeofday, not gettimeofday.
While here, remove wrong comment.
Noted by kre@.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.14.1 src/sys/compat/linux/common/linux_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_time.c
diff -u src/sys/compat/linux/common/linux_time.c:1.35 src/sys/compat/linux/common/linux_time.c:1.35.14.1
--- src/sys/compat/linux/common/linux_time.c:1.35	Fri Nov 18 04:07:44 2011
+++ src/sys/compat/linux/common/linux_time.c	Sat Aug 19 05:03:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $ */
+/*	$NetBSD: linux_time.c,v 1.35.14.1 2017/08/19 05:03:58 snj Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35 2011/11/18 04:07:44 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.35.14.1 2017/08/19 05:03:58 snj Exp $");
 
 #include 
 #include 
@@ -109,11 +109,10 @@ linux_sys_settimeofday(struct lwp *l, co
 			return (error);
 	}
 
-	/*
-	 * If user is not the superuser, we returned
-	 * after the sys_settimeofday() call.
-	 */
 	if (SCARG(uap, tzp)) {
+		if (kauth_authorize_generic(kauth_cred_get(),
+			KAUTH_GENERIC_ISSUSER, NULL) != 0)
+			return (EPERM);
 		error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz));
 		if (error)
 			return (error);
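
Review bot: The deleted comment in linux_sys_settimeofday() was the only statement of the privilege rule for the tzp branch, and the new kauth_authorize_generic() check replaces it without one. A line above the check saying that only the superuser may set the compat_linux timezone would document why EPERM is returned here. The continuation line `KAUTH_GENERIC_ISSUSER, NULL) != 0)` is also indented to the same depth as the `return (EPERM);` body, which makes the end of the condition hard to see; indent the continuation differently from the body.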



CVS commit: [netbsd-6-1] src/sys/netsmb

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:44:54 UTC 2017

Modified Files:
src/sys/netsmb [netbsd-6-1]: smb_dev.c smb_subr.c smb_subr.h smb_usr.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1487):
sys/netsmb/smb_dev.c: 1.50
sys/netsmb/smb_subr.c: 1.38
sys/netsmb/smb_subr.h: 1.22
sys/netsmb/smb_usr.c: 1.17-1.19
Reject allocations for too-small buffers from userland.
From Ilja Van Sprundel.
--
Plug another overflow: refuse bogus sa_len from user.
--
Reject negative ioc_setupcnt.
--
Reject negative offset/count for smb read/write.
Not clear that this is actually a problem for the kernel -- might
overwrite user's buffers or return garbage to user, but that's their
own damn fault.  But it's hard to imagine that negative offset/count
ever makes sense, and I haven't ruled out a problem for the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.20.1 src/sys/netsmb/smb_dev.c
cvs rdiff -u -r1.36 -r1.36.22.1 src/sys/netsmb/smb_subr.c
cvs rdiff -u -r1.20 -r1.20.20.1 src/sys/netsmb/smb_subr.h
cvs rdiff -u -r1.16 -r1.16.32.1 src/sys/netsmb/smb_usr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_dev.c
diff -u src/sys/netsmb/smb_dev.c:1.39 src/sys/netsmb/smb_dev.c:1.39.20.1
--- src/sys/netsmb/smb_dev.c:1.39	Fri Dec 17 14:27:34 2010
+++ src/sys/netsmb/smb_dev.c	Sat Aug 19 04:44:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_dev.c,v 1.39 2010/12/17 14:27:34 pooka Exp $	*/
+/*	$NetBSD: smb_dev.c,v 1.39.20.1 2017/08/19 04:44:53 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.39 2010/12/17 14:27:34 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.39.20.1 2017/08/19 04:44:53 snj Exp $");
 
 #include 
 #include 
@@ -334,6 +334,8 @@ nsmb_dev_ioctl(dev_t dev, u_long cmd, vo
 		struct uio auio;
 		struct iovec iov;
 
+		if (rwrq->ioc_cnt < 0 || rwrq->ioc_offset < 0)
+			return EINVAL;
 		if ((ssp = sdp->sd_share) == NULL)
 			return ENOTCONN;
 		iov.iov_base = rwrq->ioc_base;
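
Review bot: The new test in nsmb_dev_ioctl() rejects negative ioc_cnt and ioc_offset, but the hunk shows no upper bound on ioc_cnt before the request is turned into an iovec. If a limit is enforced further down, say so in a comment next to this check; if not, add it here. The log message leaves open whether negative values are a kernel problem at all, so a comment recording that the check is defensive would help the next reader.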

Index: src/sys/netsmb/smb_subr.c
diff -u src/sys/netsmb/smb_subr.c:1.36 src/sys/netsmb/smb_subr.c:1.36.22.1
--- src/sys/netsmb/smb_subr.c:1.36	Sun Sep 25 13:42:30 2011
+++ src/sys/netsmb/smb_subr.c	Sat Aug 19 04:44:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.c,v 1.36 2011/09/25 13:42:30 chs Exp $	*/
+/*	$NetBSD: smb_subr.c,v 1.36.22.1 2017/08/19 04:44:53 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36 2011/09/25 13:42:30 chs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36.22.1 2017/08/19 04:44:53 snj Exp $");
 
 #include 
 #include 
@@ -371,3 +371,32 @@ dup_sockaddr(struct sockaddr *sa, int ca
 		memcpy(sa2, sa, sa->sa_len);
 	return sa2;
 }
+
+int
+dup_sockaddr_copyin(struct sockaddr **ksap, struct sockaddr *usa,
+size_t usalen)
+{
+	struct sockaddr *ksa;
+
+	/* Make sure user provided enough data for a generic sockaddr.  */
+	if (usalen < sizeof(*ksa))
+		return EINVAL;
+
+	/* Don't let the user overfeed us.  */
+	usalen = MIN(usalen, sizeof(struct sockaddr_storage));
+
+	/* Copy the buffer in from userland.  */
+	ksa = smb_memdupin(usa, usalen);
+	if (ksa == NULL)
+		return ENOMEM;
+
+	/* Make sure the user's idea of sa_len is reasonable.  */
+	if (ksa->sa_len > usalen) {
+		smb_memfree(ksa);
+		return EINVAL;
+	}
+
+	/* Success!  */
+	*ksap = ksa;
+	return 0;
+}
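
Review bot: dup_sockaddr_copyin() tests `ksa->sa_len > usalen` but sets no lower bound on sa_len, so a user buffer whose sa_len is 0 or 1 passes even though usalen was required to be at least sizeof(*ksa). Code that later sizes a copy by sa_len, as dup_sockaddr() just above does with `memcpy(sa2, sa, sa->sa_len)`, would then work on a truncated address; consider also rejecting an sa_len smaller than the fixed sockaddr header. The function also needs a comment stating that on success the caller owns *ksap and must release it with smb_memfree(), and that an oversized usalen is clamped by the MIN() rather than refused.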

Index: src/sys/netsmb/smb_subr.h
diff -u src/sys/netsmb/smb_subr.h:1.20 src/sys/netsmb/smb_subr.h:1.20.20.1
--- src/sys/netsmb/smb_subr.h:1.20	Fri Dec 17 13:05:29 2010
+++ src/sys/netsmb/smb_subr.h	Sat Aug 19 04:44:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.h,v 1.20 2010/12/17 13:05:29 pooka Exp $	*/
+/*	$NetBSD: smb_subr.h,v 1.20.20.1 2017/08/19 04:44:53 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001, Boris Popov
@@ -127,5 +127,6 @@ int  smb_put_asunistring(struct smb_rq *
 #endif
 
 struct sockaddr *dup_sockaddr(struct sockaddr *, int);
+int dup_sockaddr_copyin(struct sockaddr **, struct sockaddr *, size_t);
 
 #endif /* !_NETSMB_SMB_SUBR_H_ */

Index: src/sys/netsmb/smb_usr.c
diff -u src/sys/netsmb/smb_usr.c:1.16 src/sys/netsmb/smb_usr.c:1.16.32.1
--- src/sys/netsmb/smb_usr.c:1.16	Wed Mar 18 16:00:24 2009
+++ src/sys/netsmb/smb_usr.c	Sat Aug 19 04:44:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $	*/
+/*	$NetBSD: smb_usr.c,v 1.16.32.1 2017/08/19 04:44:53 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16.32.1 2017/08/19 04:44:53 snj Exp $");
 
 #include 
 #include 
@@ -65,6 +65,7 @@ static int
 smb_usr_vc2spec(struct smbioc_ossn *dp, struct smb_vcspec *spec)
 {
 

CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:29:12 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: ciss.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1486):
sys/dev/ic/ciss.c: revision 1.37
Reject negative indices from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.27.8.1 -r1.27.8.1.2.1 src/sys/dev/ic/ciss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/ciss.c
diff -u src/sys/dev/ic/ciss.c:1.27.8.1 src/sys/dev/ic/ciss.c:1.27.8.1.2.1
--- src/sys/dev/ic/ciss.c:1.27.8.1	Thu Nov 22 17:24:52 2012
+++ src/sys/dev/ic/ciss.c	Sat Aug 19 04:29:12 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $	*/
+/*	$NetBSD: ciss.c,v 1.27.8.1.2.1 2017/08/19 04:29:12 snj Exp $	*/
 /*	$OpenBSD: ciss.c,v 1.14 2006/03/13 16:02:23 mickey Exp $	*/
 
 /*
@@ -19,7 +19,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1 2012/11/22 17:24:52 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.27.8.1.2.1 2017/08/19 04:29:12 snj Exp $");
 
 #include "bio.h"
 
@@ -1198,12 +1198,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi
 		/* FALLTHROUGH */
 	case BIOCDISK:
 		bd = (struct bioc_disk *)addr;
-		if (bd->bd_volid > sc->maxunits) {
+		if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) {
 			error = EINVAL;
 			break;
 		}
 		ldp = sc->sc_lds[0];
-		if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) {
+		if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) {
 			error = EINVAL;
 			break;
 		}
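Review bot: in the BIOCDISK case the upper bounds still use `>` (`bd->bd_volid > sc->maxunits`, `pd > ldp->ndrives`), so an index equal to the limit is accepted; if maxunits and ndrives are counts rather than highest valid indices, these should be `>=`. Separately, burying the assignment in `(pd = bd->bd_diskid) < 0 || pd > ldp->ndrives` makes the new sign check easy to misread; assigning pd on its own line first would be clearer.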
@@ -1304,7 +1304,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st
 	int error = 0;
 	u_int blks;
 
-	if (bv->bv_volid > sc->maxunits) {
+	if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) {
 		return EINVAL;
 	}
 	ldp = sc->sc_lds[bv->bv_volid];
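Review bot: bv->bv_volid is used directly as the index in `sc->sc_lds[bv->bv_volid]` right after this check, and the check lets bv_volid == sc->maxunits through. Confirm that sc_lds has maxunits + 1 entries; otherwise tighten the test to `bv->bv_volid >= sc->maxunits`.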



CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:27:37 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: isp_netbsd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1485):
sys/dev/ic/isp_netbsd.c: revision 1.89
Reject out-of-bounds channel index.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.85.2.1 -r1.85.2.1.4.1 src/sys/dev/ic/isp_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/isp_netbsd.c
diff -u src/sys/dev/ic/isp_netbsd.c:1.85.2.1 src/sys/dev/ic/isp_netbsd.c:1.85.2.1.4.1
--- src/sys/dev/ic/isp_netbsd.c:1.85.2.1	Mon Sep  3 18:38:34 2012
+++ src/sys/dev/ic/isp_netbsd.c	Sat Aug 19 04:27:37 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $ */
+/* $NetBSD: isp_netbsd.c,v 1.85.2.1.4.1 2017/08/19 04:27:37 snj Exp $ */
 /*
  * Platform (NetBSD) dependent common attachment code for Qlogic adapters.
  */
@@ -33,7 +33,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1 2012/09/03 18:38:34 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.85.2.1.4.1 2017/08/19 04:27:37 snj Exp $");
 
 #include 
 #include 
@@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_
 		}
 		lim = local.count;
 		channel = local.channel;
+		if (channel >= isp->isp_nchan) {
+			retval = EINVAL;
+			break;
+		}
 
 		ua = *(isp_dlist_t **)addr;
 		uptr = >wwns[0];
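Review bot: the new test rejects `channel >= isp->isp_nchan`, but nothing in the hunk rejects a negative value; if channel or local.channel is a signed type, add `channel < 0 ||` or make the variable unsigned. local.count is copied into lim at the same place with no visible bound, so check that it is validated before it sizes anything.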



CVS commit: [netbsd-6-1] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:24:22 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: kern_ktrace.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1484):
sys/kern/kern_ktrace.c: revision 1.171 via patch
Clamp the length we use, not the length we don't.
Avoids uninitialized memory disclosure to userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.160 -r1.160.8.1 src/sys/kern/kern_ktrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_ktrace.c
diff -u src/sys/kern/kern_ktrace.c:1.160 src/sys/kern/kern_ktrace.c:1.160.8.1
--- src/sys/kern/kern_ktrace.c:1.160	Fri Dec 30 20:33:04 2011
+++ src/sys/kern/kern_ktrace.c	Sat Aug 19 04:24:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $	*/
+/*	$NetBSD: kern_ktrace.c,v 1.160.8.1 2017/08/19 04:24:22 snj Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160 2011/12/30 20:33:04 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.160.8.1 2017/08/19 04:24:22 snj Exp $");
 
 #include 
 #include 
@@ -952,7 +952,7 @@ ktruser(const char *id, void *addr, size
 
 	user_dta = (void *)(ktp + 1);
 	if ((error = copyin(addr, (void *)user_dta, len)) != 0)
-		len = 0;
+		kte->kte_kth.ktr_len = 0;
 
 	ktraddentry(l, kte, KTA_WAITOK);
 	return error;
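Review bot: the corrected line zeroes kte->kte_kth.ktr_len, but there is no comment saying that this header field, not the local len, is the length that gets used for the trace record. A one-line comment above the assignment would keep the dead store to len from coming back in a later cleanup. Note also that the entry is still queued with ktraddentry() after a failed copyin; if an empty record is not wanted, drop the entry and return instead.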



CVS commit: [netbsd-6-1] src/sys/compat

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:19:59 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-6-1]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/ibcs2 [netbsd-6-1]: ibcs2_misc.c
src/sys/compat/linux/common [netbsd-6-1]: linux_file64.c linux_misc.c
src/sys/compat/linux32/common [netbsd-6-1]: linux32_dirent.c
src/sys/compat/osf1 [netbsd-6-1]: osf1_file.c
src/sys/compat/sunos [netbsd-6-1]: sunos_misc.c
src/sys/compat/sunos32 [netbsd-6-1]: sunos32_misc.c
src/sys/compat/svr4 [netbsd-6-1]: svr4_misc.c
src/sys/compat/svr4_32 [netbsd-6-1]: svr4_32_misc.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1483):
sys/compat/common/vfs_syscalls_12.c: revision 1.34
sys/compat/svr4_32/svr4_32_misc.c: revision 1.78
sys/compat/sunos32/sunos32_misc.c: revision 1.78
sys/compat/linux/common/linux_misc.c: revision 1.239
sys/compat/osf1/osf1_file.c: revision 1.44
sys/compat/common/vfs_syscalls_43.c: revision 1.60
sys/compat/svr4/svr4_misc.c: revision 1.158
sys/compat/ibcs2/ibcs2_misc.c: revision 1.114
sys/compat/linux/common/linux_file64.c: revision 1.59
sys/compat/linux32/common/linux32_dirent.c: revision 1.18
sys/compat/sunos/sunos_misc.c: revision 1.171
Fail, don't panic, on bad dirents from file system.
Controllable via puffs from userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.29.26.1 -r1.29.26.2 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.54.14.1.2.2 -r1.54.14.1.2.3 \
src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.111 -r1.111.22.1 src/sys/compat/ibcs2/ibcs2_misc.c
cvs rdiff -u -r1.53 -r1.53.22.1 src/sys/compat/linux/common/linux_file64.c
cvs rdiff -u -r1.219 -r1.219.16.1 src/sys/compat/linux/common/linux_misc.c
cvs rdiff -u -r1.13 -r1.13.22.1 \
src/sys/compat/linux32/common/linux32_dirent.c
cvs rdiff -u -r1.41.22.1 -r1.41.22.2 src/sys/compat/osf1/osf1_file.c
cvs rdiff -u -r1.168 -r1.168.28.1 src/sys/compat/sunos/sunos_misc.c
cvs rdiff -u -r1.74 -r1.74.16.1 src/sys/compat/sunos32/sunos32_misc.c
cvs rdiff -u -r1.155 -r1.155.22.1 src/sys/compat/svr4/svr4_misc.c
cvs rdiff -u -r1.74 -r1.74.22.1 src/sys/compat/svr4_32/svr4_32_misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.29.26.1 src/sys/compat/common/vfs_syscalls_12.c:1.29.26.2
--- src/sys/compat/common/vfs_syscalls_12.c:1.29.26.1	Sat Aug 12 16:22:30 2017
+++ src/sys/compat/common/vfs_syscalls_12.c	Sat Aug 19 04:19:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.29.26.1 2017/08/12 16:22:30 snj Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.29.26.2 2017/08/19 04:19:58 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.26.1 2017/08/12 16:22:30 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.29.26.2 2017/08/19 04:19:58 snj Exp $");
 
 #include 
 #include 
@@ -171,8 +171,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)
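Review bot: the replacement check still tests alignment only (`reclen & 3`). A d_reclen of 0 passes it, and in the lines shown the loop then executes `inp += reclen` and `len -= reclen` without making progress; a d_reclen larger than len is not rejected either. Unless both cases are caught further down, extend the condition to something like `reclen == 0 || (reclen & 3) || reclen > len` before the record is used.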

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1.2.2 src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1.2.3
--- src/sys/compat/common/vfs_syscalls_43.c:1.54.14.1.2.2	Sat Aug 12 16:22:30 2017
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Aug 19 04:19:58 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.2 2017/08/12 16:22:30 snj Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.3 2017/08/19 04:19:58 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.2 2017/08/12 16:22:30 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.54.14.1.2.3 2017/08/19 04:19:58 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -450,8 +450,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)
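Review bot: this is the same four-line replacement as in vfs_syscalls_12.c, and the commit lists nine more compat files for the same fix. A shared helper that validates d_reclen (alignment, non-zero, within the remaining len) would give all of these loops one place to fix next time. Also confirm that the `out` label releases everything the function holds at this point, since the panic() it replaces never had to clean up.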

Index: src/sys/compat/ibcs2/ibcs2_misc.c
diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.111 src/sys/compat/ibcs2/ibcs2_misc.c:1.111.22.1
--- src/sys/compat/ibcs2/ibcs2_misc.c:1.111	Thu Jun 24 13:03:06 2010
+++ src/sys/compat/ibcs2/ibcs2_misc.c	Sat Aug 19 04:19:58 2017
@@ -1,4 +1,4 @@
-/*	

CVS commit: [netbsd-6-1] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:17:10 UTC 2017

Modified Files:
src/sys/kern [netbsd-6-1]: vfs_getcwd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1482):
sys/kern/vfs_getcwd.c: revision 1.52
Don't walk off the end of the dirent buffer.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.22.1 src/sys/kern/vfs_getcwd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/vfs_getcwd.c
diff -u src/sys/kern/vfs_getcwd.c:1.47 src/sys/kern/vfs_getcwd.c:1.47.22.1
--- src/sys/kern/vfs_getcwd.c:1.47	Tue Nov 30 10:30:02 2010
+++ src/sys/kern/vfs_getcwd.c	Sat Aug 19 04:17:10 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $ */
+/* $NetBSD: vfs_getcwd.c,v 1.47.22.1 2017/08/19 04:17:10 snj Exp $ */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47 2010/11/30 10:30:02 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.47.22.1 2017/08/19 04:17:10 snj Exp $");
 
 #include 
 #include 
@@ -207,7 +207,8 @@ unionread:
 reclen = dp->d_reclen;
 
 /* check for malformed directory.. */
-if (reclen < _DIRENT_MINSIZE(dp)) {
+if (reclen < _DIRENT_MINSIZE(dp) ||
+reclen > len) {
 	error = EINVAL;
 	goto out;
 }
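Review bot: `reclen > len` only stops the walk from leaving the buffer if len is the byte count remaining from dp, not the size of the whole read; the hunk does not show how len is maintained, so verify that against the loop. The continuation line `reclen > len) {` should also be indented under the first operand so the two-part condition reads as one.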



CVS commit: [netbsd-6-1] src/sys/compat/ibcs2

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:13:50 UTC 2017

Modified Files:
src/sys/compat/ibcs2 [netbsd-6-1]: ibcs2_exec_coff.c ibcs2_ioctl.c
ibcs2_stat.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/compat/ibcs2/ibcs2_exec_coff.c: 1.27-1.29
sys/compat/ibcs2/ibcs2_ioctl.c: 1.46
sys/compat/ibcs2/ibcs2_stat.c: 1.49-1.50
Check for NUL termination within the buffer we have.
From Ilja Van Sprundel.
--
Make sure we have enough space in the buffer before reading it.
From Ilja Van Sprundel.
--
Make sure we move forward over the buffer.
From Ilja Van Sprundel.
--
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.
From Ilja Van Sprundel.
--
Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs.
Nothing else guarantees the mount will stick around.
From Ilja Van Sprundel.
--
Little happy on the commit trigger.  Actually use the out label.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.28.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c
cvs rdiff -u -r1.45 -r1.45.52.1 src/sys/compat/ibcs2/ibcs2_ioctl.c
cvs rdiff -u -r1.47 -r1.47.32.1 src/sys/compat/ibcs2/ibcs2_stat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25.28.1
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.25	Thu Jul 22 03:19:02 2010
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c	Sat Aug 19 04:13:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $	*/
+/*	$NetBSD: ibcs2_exec_coff.c,v 1.25.28.1 2017/08/19 04:13:50 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25 2010/07/22 03:19:02 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.25.28.1 2017/08/19 04:13:50 snj Exp $");
 
 #include 
 #include 
@@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 		}
 		bufp = tbuf;
 		while (len) {
+			if (len < sizeof(struct coff_slhdr)) {
+free(tbuf, M_TEMP);
+return ENOEXEC;
+			}
 			slhdr = (struct coff_slhdr *)bufp;
 
 			if (slhdr->path_index > LONG_MAX / sizeof(long) ||
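Review bot: the new `len < sizeof(struct coff_slhdr)` guard adds another copy of the `free(tbuf, M_TEMP); return ENOEXEC;` pair inside the loop. A single cleanup label after the loop would keep the exits consistent as more validation is added, and would make it harder to add a check that forgets the free.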
@@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 			path_index = slhdr->path_index * sizeof(long);
 			entry_len = slhdr->entry_len * sizeof(long);
 
-			if (entry_len > len) {
+			if (entry_len < sizeof(struct coff_slhdr) ||
+			entry_len > len ||
+			strnlen(slhdr->sl_name, entry_len) == entry_len) {
 free(tbuf, M_TEMP);
 return ENOEXEC;
 			}
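Review bot: `strnlen(slhdr->sl_name, entry_len)` starts counting at sl_name, which is a member inside the entry, while entry_len is measured from the start of the header. Unless sl_name sits at offset 0, the scan can run past the end of the entry (and past len for the last entry) by the member's offset. Bound it with entry_len - offsetof(struct coff_slhdr, sl_name) instead.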

Index: src/sys/compat/ibcs2/ibcs2_ioctl.c
diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.52.1
--- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45	Tue Jun 24 10:03:17 2008
+++ src/sys/compat/ibcs2/ibcs2_ioctl.c	Sat Aug 19 04:13:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $	*/
+/*	$NetBSD: ibcs2_ioctl.c,v 1.45.52.1 2017/08/19 04:13:50 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Scott Bartram
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.52.1 2017/08/19 04:13:50 snj Exp $");
 
 #include 
 #include 
@@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str
 		if ((error = (*ctl)(fp, TIOCGETA, )) != 0)
 			goto out;
 
+		memset(, 0, sizeof(sts));
 		btios2stios(, );
 		if (SCARG(uap, cmd) == IBCS2_TCGETA) {
+			memset(, 0, sizeof(st));
 			stios2stio(, );
 			error = copyout(, SCARG(uap, data), sizeof(st));
 			if (error)
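Review bot: the added memset() calls on sts and st have no comment explaining that they clear padding and unset fields before copyout(). Next to the conversion calls they look redundant, so say why they are there. It is also worth checking the other copyout() paths in this switch for structures that are filled the same way.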
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru
 
 	fd_putfile(SCARG(uap, fd));
 
+	memset(, 0, sizeof(itb));
 	itb.sg_ispeed = tb.sg_ispeed;
 	itb.sg_ospeed = tb.sg_ospeed;
 	itb.sg_erase = tb.sg_erase;

Index: src/sys/compat/ibcs2/ibcs2_stat.c
diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.32.1
--- src/sys/compat/ibcs2/ibcs2_stat.c:1.47	Mon Jun 29 05:08:16 2009
+++ src/sys/compat/ibcs2/ibcs2_stat.c	Sat Aug 19 04:13:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $	*/
+/*	$NetBSD: ibcs2_stat.c,v 1.47.32.1 2017/08/19 04:13:50 snj Exp $	*/
 /*
  * Copyright (c) 1995, 1998 Scott Bartram
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.32.1 2017/08/19 04:13:50 snj Exp $");
 
 #include 
 #include 
@@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st
 		return (error);
 	mp = vp->v_mount;
 	sp = >mnt_stat;
-	vrele(vp);
 	if ((error = VFS_STATVFS(mp, sp)) != 0)
-		return (error);
+		goto out;
 	sp->f_flag = 

CVS commit: [netbsd-6-1] src/sys/compat/svr4_32

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 04:02:22 UTC 2017

Modified Files:
src/sys/compat/svr4_32 [netbsd-6-1]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1481):
sys/compat/svr4_32/svr4_32_signal.c: 1.30
make it compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.26.56.1 -r1.26.56.2 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4_32/svr4_32_signal.c
diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.56.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.56.2
--- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.56.1	Sat Aug 19 03:40:48 2017
+++ src/sys/compat/svr4_32/svr4_32_signal.c	Sat Aug 19 04:02:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_32_signal.c,v 1.26.56.1 2017/08/19 03:40:48 snj Exp $	 */
+/*	$NetBSD: svr4_32_signal.c,v 1.26.56.2 2017/08/19 04:02:22 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.56.1 2017/08/19 03:40:48 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.56.2 2017/08/19 04:02:22 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_svr4.h"
@@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = (sig_t)SCARG(uap, handler);
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		error = sigaction1(l, signum, , , NULL, 0);
+		error = sigaction1(l, native_signo, , , NULL, 0);
 		if (error)
-			return (error);
+			return error;
 		*retval = (u_int)(u_long)obsa.sa_handler;
-		return (0);
+		return 0;
 
 	case SVR4_SIGHOLD_MASK:
 	sighold:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_BLOCK, , 0);
 		mutex_exit(p->p_lock);
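Review bot: this hunk mixes the functional change (signum replaced by native_signo in sigaction1() and sigaddset()) with `return (x)` to `return x` style edits. In a security pull-up, keeping the style changes out makes it easier to audit that every use of the untranslated signum is gone. The log message "make it compile again" also does not say what was broken.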
@@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const 
 
 	case SVR4_SIGRELSE_MASK:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_UNBLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = SIG_IGN;
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		return (sigaction1(l, signum, , 0, NULL, 0));
+		return sigaction1(l, native_signo, , 0, NULL, 0);
 
 	case SVR4_SIGPAUSE_MASK:
 		mutex_enter(p->p_lock);
 		ss = l->l_sigmask;
 		mutex_exit(p->p_lock);
-		sigdelset(, signum);
-		return (sigsuspend1(l, ));
+		sigdelset(, native_signo);
+		return sigsuspend1(l, );
 
 	default:
-		return (ENOSYS);
+		return ENOSYS;
 	}
 }
 



CVS commit: [netbsd-6-1] src/sys/compat

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:40:48 UTC 2017

Modified Files:
src/sys/compat/svr4 [netbsd-6-1]: svr4_lwp.c svr4_signal.c
svr4_stream.c
src/sys/compat/svr4_32 [netbsd-6-1]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1479):
sys/compat/svr4/svr4_lwp.c: 1.20
sys/compat/svr4/svr4_signal.c: 1.67
sys/compat/svr4/svr4_stream.c: 1.89-1.91 via patch
sys/compat/svr4_32/svr4_32_signal.c: 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
From Ilja Van Sprundel.
--
Zero stack data before copyout.
From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.32.1 src/sys/compat/svr4/svr4_lwp.c
cvs rdiff -u -r1.65 -r1.65.24.1 src/sys/compat/svr4/svr4_signal.c
cvs rdiff -u -r1.79 -r1.79.22.1 src/sys/compat/svr4/svr4_stream.c
cvs rdiff -u -r1.26 -r1.26.56.1 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_lwp.c
diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.32.1
--- src/sys/compat/svr4/svr4_lwp.c:1.19	Mon Nov 23 00:46:07 2009
+++ src/sys/compat/svr4/svr4_lwp.c	Sat Aug 19 03:40:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $	*/
+/*	$NetBSD: svr4_lwp.c,v 1.19.32.1 2017/08/19 03:40:48 snj Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.32.1 2017/08/19 03:40:48 snj Exp $");
 
 #include 
 #include 
@@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const 
 	struct svr4_lwpinfo lwpinfo;
 	int error;
 
+	memset(, 0, sizeof(lwpinfo));
+
 	/* XXX NJWLWP */
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime);
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime);

Index: src/sys/compat/svr4/svr4_signal.c
diff -u src/sys/compat/svr4/svr4_signal.c:1.65 src/sys/compat/svr4/svr4_signal.c:1.65.24.1
--- src/sys/compat/svr4/svr4_signal.c:1.65	Thu Feb  3 21:45:31 2011
+++ src/sys/compat/svr4/svr4_signal.c	Sat Aug 19 03:40:48 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $	 */
+/*	$NetBSD: svr4_signal.c,v 1.65.24.1 2017/08/19 03:40:48 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65 2011/02/03 21:45:31 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.24.1 2017/08/19 03:40:48 snj Exp $");
 
 #include 
 #include 
@@ -73,6 +73,21 @@ void native_to_svr4_sigaction(const stru
 extern const int native_to_svr4_signo[];
 extern const int svr4_to_native_signo[];
 
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+	if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+		return EINVAL;
+
+	if (native_signo)
+		*native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+	if (sigcall)
+		*sigcall = SVR4_SIGCALL(signum);
+
+	return 0;
+}
+
 static inline void
 svr4_sigfillset(svr4_sigset_t *s)
 {
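Review bot: svr4_decode_signum() checks only the upper bound, `SVR4_SIGNO(signum) >= SVR4_NSIG`, before indexing svr4_to_native_signo[]. signum is a plain int, so unless SVR4_SIGNO() masks to a non-negative value a negative index is still possible; add an explicit `< 0` test or do the comparison in an unsigned type. A short comment on the helper saying that both output pointers are optional would help as well.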
@@ -174,6 +189,7 @@ svr4_sys_sigaction(struct lwp *l, const 
 	} */
 	struct svr4_sigaction nssa, ossa;
 	struct sigaction nbsa, obsa;
+	int native_signo;
 	int error;
 
 	if (SCARG(uap, nsa)) {
@@ -182,7 +198,12 @@ svr4_sys_sigaction(struct lwp *l, const 
 			return (error);
 		svr4_to_native_sigaction(, );
 	}
-	error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+	error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL);
+	if (error)
+		return error;
+
+	error = sigaction1(l, native_signo,
 	SCARG(uap, nsa) ?  : 0, SCARG(uap, osa) ?  : 0,
 	NULL, 0);
 	if (error)
@@ -217,16 +238,18 @@ svr4_sys_signal(struct lwp *l, const str
 		syscallarg(int) signum;
 		syscallarg(svr4_sig_t) handler;
 	} */
-	int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+	int native_signo, sigcall;
 	struct proc *p = l->l_proc;
 	struct sigaction nbsa, obsa;
 	sigset_t ss;
 	int error;
 
-	if (signum <= 0 || signum >= SVR4_NSIG)
-		return (EINVAL);
+	error = svr4_decode_signum(SCARG(uap, signum), _signo,
+	);
+	if (error)
+		return error;
 
-	switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+	switch (sigcall) {
 	case SVR4_SIGDEFER_MASK:
 		if (SCARG(uap, handler) == SVR4_SIG_HOLD)
 			goto sighold;
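Review bot: the removed lines rejected a translated signal number of 0 or less (`signum <= 0`), and the svr4_decode_signum() call that replaces them has no equivalent test. If svr4_to_native_signo[] can hold 0 for unmapped entries, native_signo now reaches the switch unchecked; keep a `native_signo <= 0` rejection after the decode.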
@@ -236,7 +259,7 @@ svr4_sys_signal(struct lwp *l, const str
 		

CVS commit: [netbsd-6-1] src/sys/dev/ic

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 03:15:55 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-6-1]: bwi.c

Log Message:
`cat ~/releng/r-commit`


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.18.14.1 src/sys/dev/ic/bwi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/bwi.c
diff -u src/sys/dev/ic/bwi.c:1.18 src/sys/dev/ic/bwi.c:1.18.14.1
--- src/sys/dev/ic/bwi.c:1.18	Mon Oct 10 11:15:24 2011
+++ src/sys/dev/ic/bwi.c	Sat Aug 19 03:15:55 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $	*/
+/*	$NetBSD: bwi.c,v 1.18.14.1 2017/08/19 03:15:55 snj Exp $	*/
 /*	$OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $	*/
 
 /*
@@ -48,7 +48,7 @@
 
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18 2011/10/10 11:15:24 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.18.14.1 2017/08/19 03:15:55 snj Exp $");
 
 #include 
 #include 
@@ -8315,7 +8315,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf
 	if (m == NULL)
 		return (ENOBUFS);
 	MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
-	if (m == NULL) {
+	if ((m->m_flags & M_EXT) == 0) {
 		error = ENOBUFS;
 
 		/*
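Review bot: with the test changed from `m == NULL` to `(m->m_flags & M_EXT) == 0`, m is a valid mbuf header on this error path, so the branch has to free it before returning ENOBUFS. The hunk ends before that is visible; confirm that the existing body calls m_freem(m) rather than assuming m is NULL.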



CVS commit: [netbsd-6-1] src/doc

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 18 15:10:01 UTC 2017

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
1465, 1473-1477


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.104 -r1.1.2.105 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.104 src/doc/CHANGES-6.1.6:1.1.2.105
--- src/doc/CHANGES-6.1.6:1.1.2.104	Fri Aug 18 05:37:44 2017
+++ src/doc/CHANGES-6.1.6	Fri Aug 18 15:10:01 2017
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.104 2017/08/18 05:37:44 snj Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.105 2017/08/18 15:10:01 snj Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -12405,3 +12405,34 @@ crypto/external/bsd/openssl/dist/ssl/ssl
 	namespace clashes with zlib.h.
 	[mrg, ticket #1497]
 
+sys/kern/kern_malloc.c1.146
+
+	Avoid integer overflow in kern_malloc().
+	[martin, ticket #1465]
+
+sys/dev/pci/if_ipw.c1.65 via patch
+
+	double free in ipw_dma_alloc()
+	[mrg, ticket #1473]
+
+sys/dev/pci/if_et.c1.15
+
+	missing mbuf cluster allocation error checking in et_newbuf()
+	[mrg, ticket #1474]
+
+sys/dev/ic/i82596.c1.37
+
+	potential double free in iee_init()/iee_stop()
+	[mrg, ticket #1475]
+
+sys/dev/ic/dp83932.c1.41
+
+	Plug mbuf leak on MCLGET failure in sonic_rxintr.
+	[mrg, ticket #1476]
+
+sys/dev/ic/dm9000.c1.12
+
+	missing mbuf cluster allocation error checking in
+	dme_alloc_receive_buffer()
+	[mrg, ticket #1477]
+
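Review bot: the entries for tickets #1473, #1474, #1475 and #1477 name the bug ("double free in ipw_dma_alloc()", "missing mbuf cluster allocation error checking in ...") rather than the change, unlike #1465 and #1476, which say what was done. Word them as fixes ("Fix double free in ...", "Add missing mbuf cluster allocation error check in ...") so the release notes read consistently.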


