CVS commit: [netbsd-7-0] src/sys/netinet6

2020-04-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Apr 15 14:59:33 UTC 2020

Modified Files:
src/sys/netinet6 [netbsd-7-0]: nd6_rtr.c

Log Message:
Pull up following revision(s) (requested by kim in ticket #1727):

sys/netinet6/nd6_rtr.c: revision 1.148 (via patch)

Fix default route selection

The primary issue was that in revision 1.79 a check was added in the
nd6_defrouter_select() search loop to ignore the entry if RA processing
is enabled on its interface.  In practice this results in all entries
being ignored.

This fix reverses the condition, so that an entry is ignored when RA
processing is NOT enabled on its interface.  Further, the entry is
only ignored for being selected as the default router.  The currently
installed router must be identified regardless of the (current) status
of its interface, so that we can delete the route before installing a
new one.

I also added error logging when adding or deleting a route fails. This
should help the administrator (or kernel developer) in noticing possible
problems.

Finally, if deleting a route fails, the corresponding default route
entry no longer has its "installed" flag cleared, so that deletion will
be retried.  At a minimum, this will cause repeated messages about the
failed deletion as opposed to only getting repeated messages about the
installation of a new default route failing.

Fixes PR kern/55091 and also PR bin/54997 as far as the behaviour
observed with ndp(8).


To generate a diff of this commit:
cvs rdiff -u -r1.93.2.3 -r1.93.2.3.2.1 src/sys/netinet6/nd6_rtr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/nd6_rtr.c
diff -u src/sys/netinet6/nd6_rtr.c:1.93.2.3 src/sys/netinet6/nd6_rtr.c:1.93.2.3.2.1
--- src/sys/netinet6/nd6_rtr.c:1.93.2.3	Sat May  2 18:23:25 2015
+++ src/sys/netinet6/nd6_rtr.c	Wed Apr 15 14:59:33 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_rtr.c,v 1.93.2.3 2015/05/02 18:23:25 martin Exp $	*/
+/*	$NetBSD: nd6_rtr.c,v 1.93.2.3.2.1 2020/04/15 14:59:33 martin Exp $	*/
 /*	$KAME: nd6_rtr.c,v 1.95 2001/02/07 08:09:47 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.93.2.3 2015/05/02 18:23:25 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.93.2.3.2.1 2020/04/15 14:59:33 martin Exp $");
 
 #include 
 #include 
@@ -472,6 +472,10 @@ defrouter_addreq(struct nd_defrouter *ne
 	}
 	if (error == 0)
 		new->installed = 1;
+	else
+		log(LOG_ERR, "defrouter_addreq: "
+		"error %d adding default router %s on %s\n",
+		error, ip6_sprintf(>rtaddr), new->ifp->if_xname);
 	splx(s);
 	return;
 }
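Review bot: The new `log(LOG_ERR, ...)` in defrouter_addreq is emitted on every failed route installation, and because defrouter_select is driven by received Router Advertisements the failure can recur on every RA for as long as the underlying condition persists (presumably a conflicting default route), so the message is effectively unbounded. Consider guarding it with the kernel's ratecheck(9) facility, or logging only on a transition of `new->installed`, so a persistent condition cannot flood the log. The assignment of `error` and the start of defrouter_addreq are outside the hunk.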
@@ -559,6 +563,7 @@ defrouter_delreq(struct nd_defrouter *dr
 		struct sockaddr sa;
 	} def, mask, gw;
 	struct rtentry *oldrt = NULL;
+	int error;
 
 #ifdef DIAGNOSTIC
 	if (dr == NULL)
@@ -577,7 +582,7 @@ defrouter_delreq(struct nd_defrouter *dr
 	gw.sin6.sin6_scope_id = 0;	/* XXX */
 #endif
 
-	rtrequest(RTM_DELETE, , , , RTF_GATEWAY, );
+	error = rtrequest(RTM_DELETE, , , , RTF_GATEWAY, );
 	if (oldrt) {
 		nd6_rtmsg(RTM_DELETE, oldrt);
 		if (oldrt->rt_refcnt <= 0) {
@@ -591,7 +596,12 @@ defrouter_delreq(struct nd_defrouter *dr
 		}
 	}
 
-	dr->installed = 0;
+	if (error == 0)
+		dr->installed = 0;
+	else
+		log(LOG_ERR, "defrouter_delreq: "
+		"error %d deleting default router %s on %s\n",
+		error, ip6_sprintf(>rtaddr), dr->ifp->if_xname);
 }
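Review bot: Leaving `dr->installed` set on any non-zero `error` from the `rtrequest(RTM_DELETE, ...)` call also covers the case where the route is already gone (for example removed by hand), in which case the deletion is retried and logged on every defrouter_select run although there is nothing left to delete. If rtrequest reports that case as ESRCH, as I recall it does on this codebase, treating it as success — `if (error == 0 || error == ESRCH) dr->installed = 0;` — would avoid a permanently wedged entry; worth confirming against the route code. A short comment above the new `if` stating that the flag is deliberately kept on failure so the delete is retried would also keep a later cleanup from "simplifying" it. defrouter_delreq starts outside the hunk.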
 
 /*
@@ -672,8 +682,16 @@ defrouter_select(void)
 	 */
 	for (dr = TAILQ_FIRST(_defrouter); dr;
 	 dr = TAILQ_NEXT(dr, dr_entry)) {
+		if (dr->installed && !installed_dr)
+			installed_dr = dr;
+		else if (dr->installed && installed_dr) {
+			/* this should not happen.  warn for diagnosis. */
+			log(LOG_ERR, "defrouter_select: more than one router"
+			" is installed\n");
+		}
+
 		ndi = ND_IFINFO(dr->ifp);
-		if (nd6_accepts_rtadv(ndi))
+		if (!nd6_accepts_rtadv(ndi))
 			continue;
 
 		if (selected_dr == NULL &&
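Review bot: The reason the `dr->installed` bookkeeping now runs before the `!nd6_accepts_rtadv(ndi)` check exists only in the commit message, not in the code, and a later tidy-up could easily move it back below the `continue` and silently reintroduce the bug. A comment ahead of the new block would pin it: `/* Record the installed router before the RA check: it must be found even if RA processing on its interface is off, so it can be removed before a replacement is installed. */`. The loop body continues into the next hunk.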
@@ -682,14 +700,6 @@ defrouter_select(void)
 		ND6_IS_LLINFO_PROBREACH(ln)) {
 			selected_dr = dr;
 		}
-
-		if (dr->installed && !installed_dr)
-			installed_dr = dr;
-		else if (dr->installed && installed_dr) {
-			/* this should not happen.  warn for diagnosis. */
-			log(LOG_ERR, "defrouter_select: more than one router"
-			" is installed\n");
-		}
 	}
 	/*
 	 * If none of the default routers was found to be reachable,



CVS commit: [netbsd-7-0] src/sys/conf

2020-01-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jan  2 09:57:59 UTC 2020

Modified Files:
src/sys/conf [netbsd-7-0]: copyright

Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1719):

sys/conf/copyright: revision 1.18

Welcome to 2020.


To generate a diff of this commit:
cvs rdiff -u -r1.12.4.1.2.3 -r1.12.4.1.2.4 src/sys/conf/copyright

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/conf/copyright
diff -u src/sys/conf/copyright:1.12.4.1.2.3 src/sys/conf/copyright:1.12.4.1.2.4
--- src/sys/conf/copyright:1.12.4.1.2.3	Wed Jan  2 15:29:22 2019
+++ src/sys/conf/copyright	Thu Jan  2 09:57:59 2020
@@ -1,5 +1,5 @@
 Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017,
-2018, 2019 The NetBSD Foundation, Inc.  All rights reserved.
+2018, 2019, 2020 The NetBSD Foundation, Inc.  All rights reserved.
 Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California.  All rights reserved.



CVS commit: [netbsd-7-0] src/sys/dev/ic

2019-12-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Dec 17 16:35:28 UTC 2019

Modified Files:
src/sys/dev/ic [netbsd-7-0]: ath.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1718):

sys/dev/ic/ath.c: revision 1.129

Protect network ioctls from non-authorized users. (Ilja Van Sprundel)


To generate a diff of this commit:
cvs rdiff -u -r1.116 -r1.116.6.1 src/sys/dev/ic/ath.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/ath.c
diff -u src/sys/dev/ic/ath.c:1.116 src/sys/dev/ic/ath.c:1.116.6.1
--- src/sys/dev/ic/ath.c:1.116	Thu Sep 12 12:17:53 2013
+++ src/sys/dev/ic/ath.c	Tue Dec 17 16:35:28 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ath.c,v 1.116 2013/09/12 12:17:53 martin Exp $	*/
+/*	$NetBSD: ath.c,v 1.116.6.1 2019/12/17 16:35:28 martin Exp $	*/
 
 /*-
  * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
@@ -41,7 +41,7 @@
 __FBSDID("$FreeBSD: src/sys/dev/ath/if_ath.c,v 1.104 2005/09/16 10:09:23 ru Exp $");
 #endif
 #ifdef __NetBSD__
-__KERNEL_RCSID(0, "$NetBSD: ath.c,v 1.116 2013/09/12 12:17:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ath.c,v 1.116.6.1 2019/12/17 16:35:28 martin Exp $");
 #endif
 
 /*
@@ -69,6 +69,7 @@ __KERNEL_RCSID(0, "$NetBSD: ath.c,v 1.11
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -5362,6 +5363,12 @@ ath_ioctl(struct ifnet *ifp, u_long cmd,
 		return copyout(>sc_stats,
 ifr->ifr_data, sizeof (sc->sc_stats));
 	case SIOCGATHDIAG:
+		error = kauth_authorize_network(curlwp->l_cred,
+		KAUTH_NETWORK_INTERFACE,
+		KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, KAUTH_ARG(cmd),
+		NULL);
+		if (error)
+			break;
 		error = ath_ioctl_diag(sc, (struct ath_diag *) ifr);
 		break;
 	default:
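Review bot: The authorization added for `SIOCGATHDIAG` asks for `KAUTH_REQ_NETWORK_INTERFACE_SETPRIV` on an ioctl whose name reads as a plain "get", and without a comment a future reader may relax it to a read-only request. If, as I recall, `ath_ioctl_diag` can pass an input buffer down to the HAL and thereby change device state, that is exactly why the privileged request is right; a line such as `/* diag ioctls can modify HAL state, so require interface privilege */` would record the choice. The `SIOCGATHSTATS` case above copies out `sc->sc_stats` without this check, which looks intentional but deserves a word in the same comment. The rest of ath_ioctl is outside the hunk.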



CVS commit: [netbsd-7-0] src/sys/dev

2019-12-08 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Dec  8 10:27:32 UTC 2019

Modified Files:
src/sys/dev [netbsd-7-0]: cons.c

Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1717):

sys/dev/cons.c: revision 1.76
sys/dev/cons.c: revision 1.77

Fix reference count leak in cons(4).
Don't forget to vrele after you're done, folks!
Restore historical $Hdr$ tag after git cvsexportcommit nixed it.


To generate a diff of this commit:
cvs rdiff -u -r1.72.2.1 -r1.72.2.1.2.1 src/sys/dev/cons.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/cons.c
diff -u src/sys/dev/cons.c:1.72.2.1 src/sys/dev/cons.c:1.72.2.1.2.1
--- src/sys/dev/cons.c:1.72.2.1	Mon Mar  9 08:00:46 2015
+++ src/sys/dev/cons.c	Sun Dec  8 10:27:32 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: cons.c,v 1.72.2.1 2015/03/09 08:00:46 snj Exp $	*/
+/*	$NetBSD: cons.c,v 1.72.2.1.2.1 2019/12/08 10:27:32 martin Exp $	*/
 
 /*
  * Copyright (c) 1988 University of Utah.
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cons.c,v 1.72.2.1 2015/03/09 08:00:46 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cons.c,v 1.72.2.1.2.1 2019/12/08 10:27:32 martin Exp $");
 
 #include 
 #include 
@@ -150,6 +150,7 @@ cnclose(dev_t dev, int flag, int mode, s
 	if (error == 0) {
 		error = VOP_CLOSE(vp, flag, kauth_cred_get());
 		VOP_UNLOCK(vp);
+		vrele(vp);
 	}
 	return error;
 }
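Review bot: The added `vrele(vp)` balances a reference obtained earlier in cnclose (the function's start is outside the hunk), and nothing at the call site says which lookup it pairs with. A comment on the new line, `/* drop the reference taken when vp was looked up above */`, would make the pairing visible and help keep the leak from being reintroduced. The `error == 0` guard means the release only happens when the lookup succeeded, which is presumably the only path that holds a reference; worth confirming on the failure branch.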



CVS commit: [netbsd-7-0] src/sys/netsmb

2019-05-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue May  7 18:55:48 UTC 2019

Modified Files:
src/sys/netsmb [netbsd-7-0]: smb_conn.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1696):

sys/netsmb/smb_conn.c: revision 1.30

Prevent a NULL pointer dereference when the local endpoint is not defined.

From Andy Nguyen, many thanks.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.18.1 src/sys/netsmb/smb_conn.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_conn.c
diff -u src/sys/netsmb/smb_conn.c:1.29 src/sys/netsmb/smb_conn.c:1.29.18.1
--- src/sys/netsmb/smb_conn.c:1.29	Sun Apr 29 20:27:31 2012
+++ src/sys/netsmb/smb_conn.c	Tue May  7 18:55:48 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_conn.c,v 1.29 2012/04/29 20:27:31 dsl Exp $	*/
+/*	$NetBSD: smb_conn.c,v 1.29.18.1 2019/05/07 18:55:48 martin Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_conn.c,v 1.29 2012/04/29 20:27:31 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_conn.c,v 1.29.18.1 2019/05/07 18:55:48 martin Exp $");
 
 /*
  * Connection engine.
@@ -553,7 +553,8 @@ smb_vc_create(struct smb_vcspec *vcspec,
 	if ((vcp->vc_paddr = dup_sockaddr(vcspec->sap, 1)) == NULL)
 		goto fail;
 
-	if ((vcp->vc_laddr = dup_sockaddr(vcspec->lap, 1)) == NULL)
+	if (vcspec->lap && 
+	(vcp->vc_laddr = dup_sockaddr(vcspec->lap, 1)) == NULL)
 		goto fail;
 
 	if ((vcp->vc_pass = smb_strdup(vcspec->pass)) == NULL)
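Review bot: With `vcspec->lap` now allowed to be NULL, `vcp->vc_laddr` is left untouched on that path, so every later reader of `vc_laddr` (the teardown that frees it and the connect path that binds to it, both outside the hunk) must tolerate NULL there; unless the vc structure is zero-allocated, an explicit `else vcp->vc_laddr = NULL;` would make that guaranteed rather than assumed. As a point of style, the new `if (vcspec->lap && ` line carries trailing whitespace, and KNF would indent the continuation under the opening parenthesis. smb_vc_create continues outside the hunk.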



CVS commit: [netbsd-7-0] src/sys/arch

2019-05-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun May  5 08:49:19 UTC 2019

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-7-0]: copy.S
src/sys/arch/i386/i386 [netbsd-7-0]: copy.S

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1693):

sys/arch/amd64/amd64/copy.S: revision 1.33
sys/arch/i386/i386/copy.S: revision 1.31

Hum. Fix a potentially catastrophic bug: kcopy() sets DF=1 if the areas
overlap, but doesn't clear it if the copy faults. If this happens, we
return to the caller with DF=1, and each future memory copy will be
backwards.

I wonder if there really are places where kcopy() is called with
overlapping areas.


To generate a diff of this commit:
cvs rdiff -u -r1.18.38.1 -r1.18.38.2 src/sys/arch/amd64/amd64/copy.S
cvs rdiff -u -r1.23 -r1.23.8.1 src/sys/arch/i386/i386/copy.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/copy.S
diff -u src/sys/arch/amd64/amd64/copy.S:1.18.38.1 src/sys/arch/amd64/amd64/copy.S:1.18.38.2
--- src/sys/arch/amd64/amd64/copy.S:1.18.38.1	Sat Dec 24 04:07:00 2016
+++ src/sys/arch/amd64/amd64/copy.S	Sun May  5 08:49:18 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: copy.S,v 1.18.38.1 2016/12/24 04:07:00 snj Exp $	*/
+/*	$NetBSD: copy.S,v 1.18.38.2 2019/05/05 08:49:18 martin Exp $	*/
 
 /*
  * Copyright (c) 2001 Wasabi Systems, Inc.
@@ -233,6 +233,7 @@ NENTRY(copy_efault)
  */
 
 NENTRY(kcopy_fault)
+	cld
 	ret
 
 NENTRY(copy_fault)

Index: src/sys/arch/i386/i386/copy.S
diff -u src/sys/arch/i386/i386/copy.S:1.23 src/sys/arch/i386/i386/copy.S:1.23.8.1
--- src/sys/arch/i386/i386/copy.S:1.23	Fri Jan 10 16:47:07 2014
+++ src/sys/arch/i386/i386/copy.S	Sun May  5 08:49:18 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: copy.S,v 1.23 2014/01/10 16:47:07 pedro Exp $	*/
+/*	$NetBSD: copy.S,v 1.23.8.1 2019/05/05 08:49:18 martin Exp $	*/
 /*	NetBSD: locore.S,v 1.34 2005/04/01 11:59:31 yamt Exp $	*/
 
 /*-
@@ -65,7 +65,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: copy.S,v 1.23 2014/01/10 16:47:07 pedro Exp $");
+__KERNEL_RCSID(0, "$NetBSD: copy.S,v 1.23.8.1 2019/05/05 08:49:18 martin Exp $");
 
 #include "assym.h"
 
@@ -308,6 +308,7 @@ NENTRY(copy_efault)
  */
 /* LINTSTUB: Ignore */
 NENTRY(kcopy_fault)
+	cld
 	popl	%edi
 	popl	%esi
 	ret



CVS commit: [netbsd-7-0] src/sys

2019-04-19 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Apr 19 16:03:09 UTC 2019

Modified Files:
src/sys/compat/common [netbsd-7-0]: uipc_syscalls_40.c
src/sys/compat/linux/common [netbsd-7-0]: linux_socket.c
src/sys/compat/linux32/common [netbsd-7-0]: linux32_socket.c
src/sys/net [netbsd-7-0]: if.c

Log Message:
Pull up following revision(s) via patch (requested by christos in ticket #1689):

sys/compat/linux/common/linux_socket.c: revision 1.145
sys/net/if.c: revision 1.449
sys/compat/linux32/common/linux32_socket.c: revision 1.30
sys/compat/common/uipc_syscalls_40.c: revision 1.19

Zero out the ifreq struct for SIOCGIFCONF to avoid up to 127 bytes of stack
disclosure. From Andy Nguyen, many thanks!

 -

Zero out the ifreq struct for SIOCGIFCONF to avoid up to 127 bytes of stack
disclosure. From Andy Nguyen, many thanks! This is the compat code part
pointed out by ozaki-r@


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.7.34.1 src/sys/compat/common/uipc_syscalls_40.c
cvs rdiff -u -r1.119.2.1 -r1.119.2.1.2.1 \
src/sys/compat/linux/common/linux_socket.c
cvs rdiff -u -r1.18 -r1.18.4.1 src/sys/compat/linux32/common/linux32_socket.c
cvs rdiff -u -r1.290.2.1 -r1.290.2.1.2.1 src/sys/net/if.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/uipc_syscalls_40.c
diff -u src/sys/compat/common/uipc_syscalls_40.c:1.7 src/sys/compat/common/uipc_syscalls_40.c:1.7.34.1
--- src/sys/compat/common/uipc_syscalls_40.c:1.7	Wed Jan 19 10:21:16 2011
+++ src/sys/compat/common/uipc_syscalls_40.c	Fri Apr 19 16:03:09 2019
@@ -1,9 +1,9 @@
-/*	$NetBSD: uipc_syscalls_40.c,v 1.7 2011/01/19 10:21:16 tsutsui Exp $	*/
+/*	$NetBSD: uipc_syscalls_40.c,v 1.7.34.1 2019/04/19 16:03:09 martin Exp $	*/
 
 /* written by Pavel Cahyna, 2006. Public domain. */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.7 2011/01/19 10:21:16 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.7.34.1 2019/04/19 16:03:09 martin Exp $");
 
 /*
  * System call interface to the socket abstraction.
@@ -39,6 +39,7 @@ compat_ifconf(u_long cmd, void *data)
 	int space, error = 0;
 	const int sz = (int)sizeof(ifr);
 
+	memset(, 0, sizeof(ifr));
 	if ((ifrp = ifc->ifc_req) == NULL)
 		space = 0;
 	else

Index: src/sys/compat/linux/common/linux_socket.c
diff -u src/sys/compat/linux/common/linux_socket.c:1.119.2.1 src/sys/compat/linux/common/linux_socket.c:1.119.2.1.2.1
--- src/sys/compat/linux/common/linux_socket.c:1.119.2.1	Sat Jan 17 12:10:54 2015
+++ src/sys/compat/linux/common/linux_socket.c	Fri Apr 19 16:03:08 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_socket.c,v 1.119.2.1 2015/01/17 12:10:54 martin Exp $	*/
+/*	$NetBSD: linux_socket.c,v 1.119.2.1.2.1 2019/04/19 16:03:08 martin Exp $	*/
 
 /*-
  * Copyright (c) 1995, 1998, 2008 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_socket.c,v 1.119.2.1 2015/01/17 12:10:54 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_socket.c,v 1.119.2.1.2.1 2019/04/19 16:03:08 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -1124,6 +1124,7 @@ linux_getifconf(struct lwp *l, register_
 	if (error)
 		return error;
 
+	memset(, 0, sizeof(ifr));
 	ifrp = ifc.ifc_req;
 	if (ifrp == NULL)
 		space = 0;

Index: src/sys/compat/linux32/common/linux32_socket.c
diff -u src/sys/compat/linux32/common/linux32_socket.c:1.18 src/sys/compat/linux32/common/linux32_socket.c:1.18.4.1
--- src/sys/compat/linux32/common/linux32_socket.c:1.18	Sat May 17 21:26:20 2014
+++ src/sys/compat/linux32/common/linux32_socket.c	Fri Apr 19 16:03:09 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux32_socket.c,v 1.18 2014/05/17 21:26:20 rmind Exp $ */
+/*	$NetBSD: linux32_socket.c,v 1.18.4.1 2019/04/19 16:03:09 martin Exp $ */
 
 /*-
  * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -33,7 +33,7 @@
 
 #include 
 
-__KERNEL_RCSID(0, "$NetBSD: linux32_socket.c,v 1.18 2014/05/17 21:26:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_socket.c,v 1.18.4.1 2019/04/19 16:03:09 martin Exp $");
 
 #include 
 #include 
@@ -423,6 +423,7 @@ linux32_getifconf(struct lwp *l, registe
 	if (error)
 		return error;
 
+	memset(, 0, sizeof(ifr));
 	ifrp = NETBSD32PTR64(ifc.ifc_req);
 	if (ifrp == NULL)
 		space = 0;

Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.290.2.1 src/sys/net/if.c:1.290.2.1.2.1
--- src/sys/net/if.c:1.290.2.1	Tue Nov 11 12:20:28 2014
+++ src/sys/net/if.c	Fri Apr 19 16:03:08 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: if.c,v 1.290.2.1 2014/11/11 12:20:28 martin Exp $	*/
+/*	$NetBSD: if.c,v 1.290.2.1.2.1 2019/04/19 16:03:08 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.290.2.1 2014/11/11 12:20:28 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 

CVS commit: [netbsd-7-0] src/sys/kern

2019-04-15 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Tue Apr 16 03:53:26 UTC 2019

Modified Files:
src/sys/kern [netbsd-7-0]: sys_mqueue.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1688):
sys/kern/sys_mqueue.c: revision 1.44
mq_send1: fix argument validation and reject too large lengths early.
Discovered by Andy Nguyen.


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.36.6.1 src/sys/kern/sys_mqueue.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/sys_mqueue.c
diff -u src/sys/kern/sys_mqueue.c:1.36 src/sys/kern/sys_mqueue.c:1.36.6.1
--- src/sys/kern/sys_mqueue.c:1.36	Tue Feb 25 18:30:11 2014
+++ src/sys/kern/sys_mqueue.c	Tue Apr 16 03:53:25 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: sys_mqueue.c,v 1.36 2014/02/25 18:30:11 pooka Exp $	*/
+/*	$NetBSD: sys_mqueue.c,v 1.36.6.1 2019/04/16 03:53:25 msaitoh Exp $	*/
 
 /*
  * Copyright (c) 2007-2011 Mindaugas Rasiukevicius 
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: sys_mqueue.c,v 1.36 2014/02/25 18:30:11 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_mqueue.c,v 1.36.6.1 2019/04/16 03:53:25 msaitoh Exp $");
 
 #include 
 #include 
@@ -794,6 +794,8 @@ mq_send1(mqd_t mqdes, const char *msg_pt
 		return EINVAL;
 
 	/* Allocate a new message */
+	if (msg_len > mq_max_msgsize)
+		return EMSGSIZE;
 	size = sizeof(struct mq_msg) + msg_len;
 	if (size > mq_max_msgsize)
 		return EMSGSIZE;



CVS commit: [netbsd-7-0] src/sys/dev/scsipi

2019-03-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Mar  7 16:51:51 UTC 2019

Modified Files:
src/sys/dev/scsipi [netbsd-7-0]: files.scsipi st.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #1682):

sys/dev/scsipi/st.c: revision 1.236 (patch)
sys/dev/scsipi/st.c: revision 1.237
sys/dev/scsipi/files.scsipi: revision 1.42

Fix PR kern/53949:
Fix inconsistent/incomplete file mark handling to conform again
to mtio(4) at close(2) time. This was necessary as the PREVENT/ALLOW
bracket was reduced from a whole mount session to cover only the
open(2)/close(2) time on ~2002-03-22. The rationale was to allow
robots and humans to change the media during a mount session.

Unfortunately this led to file marks being written to potentially other
media at the beginning on drives that used the two file marks as EOM
pattern. In order for that to happen the media had to be removed after
data and at most one file mark had been written before removal.

The mount error message has been clarified and a warning about
potential data/file mark lossage on UNIT ATTENTION
during an active mount session with unfinished file marks has been
added.

While there, fix, but disable the commented SUN compatibility to write
final file marks by opening and immediately closing the device
in O_WRONLY mode. That code has not been working since around 1998.

It can now be enabled with options ST_SUNCOMPAT.

Additionally debug output coverage has been extended.

Correct printing type of b_blkno (int64_t) in st.c

Fixes build with kUBSan on NetBSD/i386.

Fix, but disable the commented SUN compatibility in st.c to write
final file marks by opening and immediately closing the device
in O_WRONLY mode. That code has not been working since around 1998.
It can now be enabled with options ST_SUNCOMPAT.


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.41.142.1 src/sys/dev/scsipi/files.scsipi
cvs rdiff -u -r1.226 -r1.226.6.1 src/sys/dev/scsipi/st.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/scsipi/files.scsipi
diff -u src/sys/dev/scsipi/files.scsipi:1.41 src/sys/dev/scsipi/files.scsipi:1.41.142.1
--- src/sys/dev/scsipi/files.scsipi:1.41	Sun Dec 11 12:23:50 2005
+++ src/sys/dev/scsipi/files.scsipi	Thu Mar  7 16:51:50 2019
@@ -1,11 +1,12 @@
-#	$NetBSD: files.scsipi,v 1.41 2005/12/11 12:23:50 christos Exp $
+#	$NetBSD: files.scsipi,v 1.41.142.1 2019/03/07 16:51:50 martin Exp $
 #
 # Config file and device description for machine-independent SCSI code.
 # Included by ports that need it.  Ports that use it must provide
 # their own "major" declarations for the appropriate devices.
 
 defflag	opt_scsi.h		SCSIVERBOSE ST_ENABLE_EARLYWARN
-SES_ENABLE_PASSTHROUGH SCSI_OLD_NOINQUIRY
+ST_SUNCOMPAT SES_ENABLE_PASSTHROUGH
+SCSI_OLD_NOINQUIRY
 defparam opt_scsi.h		ST_MOUNT_DELAY SDRETRIES SD_IO_TIMEOUT
 
 defflag	opt_scsipi_debug.h	SCSIPI_DEBUG

Index: src/sys/dev/scsipi/st.c
diff -u src/sys/dev/scsipi/st.c:1.226 src/sys/dev/scsipi/st.c:1.226.6.1
--- src/sys/dev/scsipi/st.c:1.226	Sun Aug 10 16:44:36 2014
+++ src/sys/dev/scsipi/st.c	Thu Mar  7 16:51:50 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: st.c,v 1.226 2014/08/10 16:44:36 tls Exp $ */
+/*	$NetBSD: st.c,v 1.226.6.1 2019/03/07 16:51:50 martin Exp $ */
 
 /*-
  * Copyright (c) 1998, 2004 The NetBSD Foundation, Inc.
@@ -50,7 +50,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: st.c,v 1.226 2014/08/10 16:44:36 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: st.c,v 1.226.6.1 2019/03/07 16:51:50 martin Exp $");
 
 #include "opt_scsi.h"
 
@@ -605,6 +605,30 @@ stopen(dev_t dev, int flags, int mode, s
 		 */
 		if ((st->flags & ST_MOUNTED) || ST_MOUNT_DELAY == 0 ||
 		(st->mt_key != SKEY_NOT_READY)) {
+			device_printf(st->sc_dev,
+  "mount error (sense key=%d) - "
+  "terminating mount session\n",
+  st->mt_key);
+			/*
+			 * the following should not trigger unless
+			 * something serious happened while the device
+			 * was open (PREVENT MEDIUM REMOVAL in effect)
+			 */
+			if (st->flags & ST_WRITTEN &&
+			st->mt_key == SKEY_UNIT_ATTENTION) {
+/*
+ * device / media state may have changed
+ * refrain from writing missing file marks
+ * onto potentially newly inserted/formatted
+ * media (e. g. emergency EJECT/RESET/etc.)
+ */
+st->flags &= ~(ST_WRITTEN|ST_FM_WRITTEN);
+
+device_printf(st->sc_dev,
+"CAUTION: file marks/data may be missing"
+" - ASC = 0x%02x, ASCQ = 0x%02x\n",
+	  st->asc, st->ascq);
+			}
 			goto bad;
 		}
 
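Review bot: The new condition `if (st->flags & ST_WRITTEN && st->mt_key == SKEY_UNIT_ATTENTION)` relies on `&` binding tighter than `&&`, which is correct but easy to misread and inconsistent with the `(flags & FWRITE) != 0` form used elsewhere in this file; write it as `if ((st->flags & ST_WRITTEN) != 0 && st->mt_key == SKEY_UNIT_ATTENTION)`. The comment above it already explains why `ST_WRITTEN|ST_FM_WRITTEN` is cleared, so this is only a readability point. stopen continues outside the hunk.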
@@ -713,15 +737,30 @@ stclose(dev_t dev, int flags, int mode, 
 	 */
 
 	stxx = st->flags & (ST_WRITTEN | ST_FM_WRITTEN);
-	if (((flags & FWRITE) && stxx == ST_WRITTEN) ||
-	((flags & O_ACCMODE) == FWRITE && stxx == 0)) {
-		int nm;
+	if ((flags & FWRITE) != 0) {
+		int 

CVS commit: [netbsd-7-0] src/sys/kern

2019-02-24 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Feb 24 10:55:24 UTC 2019

Modified Files:
src/sys/kern [netbsd-7-0]: kern_time.c

Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1196):

sys/kern/kern_time.c: revision 1.196

The callout is used by any nonvirtual timer including CLOCK_MONOTONIC
and needs to be initialized.

Detected by [syzkaller].


To generate a diff of this commit:
cvs rdiff -u -r1.179.12.5 -r1.179.12.6 src/sys/kern/kern_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_time.c
diff -u src/sys/kern/kern_time.c:1.179.12.5 src/sys/kern/kern_time.c:1.179.12.6
--- src/sys/kern/kern_time.c:1.179.12.5	Fri Feb  1 11:12:03 2019
+++ src/sys/kern/kern_time.c	Sun Feb 24 10:55:24 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_time.c,v 1.179.12.5 2019/02/01 11:12:03 martin Exp $	*/
+/*	$NetBSD: kern_time.c,v 1.179.12.6 2019/02/24 10:55:24 martin Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.5 2019/02/01 11:12:03 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.6 2019/02/24 10:55:24 martin Exp $");
 
 #include 
 #include 
@@ -1141,7 +1141,7 @@ dosetitimer(struct proc *p, int which, s
 		pt->pt_type = which;
 		pt->pt_entry = which;
 		pt->pt_queued = false;
-		if (pt->pt_type == CLOCK_REALTIME)
+		if (!CLOCK_VIRTUAL_P(which))
 			callout_init(>pt_ch, CALLOUT_MPSAFE);
 		else
 			pt->pt_active = 0;
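Review bot: The initialization predicate is now `!CLOCK_VIRTUAL_P(which)`, so wherever this timer is torn down (outside the hunk) the matching `callout_destroy`/`callout_halt` guard must use the same predicate rather than the old `pt_type == CLOCK_REALTIME` test, or a CLOCK_MONOTONIC timer's callout is initialized but never destroyed. A grep for the old comparison across the file before merging would settle that. A comment on the line, `/* every non-virtual clock arms the callout, not just CLOCK_REALTIME */`, would record the intent.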



CVS commit: [netbsd-7-0] src/sys/net

2019-02-22 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat Feb 23 07:14:40 UTC 2019

Modified Files:
src/sys/net [netbsd-7-0]: rtsock.c

Log Message:
Apply patch, requested by sborrill in ticket #1680:

sys/net/rtsock.c(apply patch)

Fix locking for sysctl_rtable (fix in HEAD will be different).


To generate a diff of this commit:
cvs rdiff -u -r1.163.4.1 -r1.163.4.2 src/sys/net/rtsock.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/rtsock.c
diff -u src/sys/net/rtsock.c:1.163.4.1 src/sys/net/rtsock.c:1.163.4.2
--- src/sys/net/rtsock.c:1.163.4.1	Wed Nov 28 16:32:14 2018
+++ src/sys/net/rtsock.c	Sat Feb 23 07:14:40 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: rtsock.c,v 1.163.4.1 2018/11/28 16:32:14 martin Exp $	*/
+/*	$NetBSD: rtsock.c,v 1.163.4.2 2019/02/23 07:14:40 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.163.4.1 2018/11/28 16:32:14 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.163.4.2 2019/02/23 07:14:40 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1408,6 +1408,8 @@ again:
 	w.w_needed = 0 - w.w_given;
 	w.w_where = where;
 
+	mutex_enter(softnet_lock);
+	KERNEL_LOCK(1, NULL);
 	s = splsoftnet();
 	switch (w.w_op) {
 
@@ -1434,6 +1436,8 @@ again:
 		break;
 	}
 	splx(s);
+	KERNEL_UNLOCK_ONE(NULL);
+	mutex_exit(softnet_lock);
 
 	/* check to see if we couldn't allocate memory with NOWAIT */
 	if (error == ENOBUFS && w.w_tmem == 0 && w.w_tmemneeded)
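Review bot: The `KERNEL_UNLOCK_ONE`/`mutex_exit(softnet_lock)` pair here releases locks taken in the previous hunk before the `switch`, so any `return` or `goto again` inside the switch body — which lies between the two hunks and is outside view — would leave both held; the visible cases exit with `break`, but that should be confirmed for every case. A single exit label that performs the `splx`/unlock sequence would make the invariant structural instead of depending on each case using `break`. The release order (`KERNEL_UNLOCK_ONE` before `mutex_exit`) correctly mirrors the acquisition order.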



CVS commit: [netbsd-7-0] src/sys

2019-02-22 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat Feb 23 07:05:41 UTC 2019

Modified Files:
src/sys/compat/linux/common [netbsd-7-0]: linux_ipc.c
src/sys/compat/linux32/common [netbsd-7-0]: linux32_ipccall.c
src/sys/compat/netbsd32 [netbsd-7-0]: netbsd32_compat_14.c
netbsd32_conv.h
src/sys/compat/sys [netbsd-7-0]: ipc.h msg.h sem.h shm.h
src/sys/kern [netbsd-7-0]: sysv_msg.c sysv_sem.c sysv_shm.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1679):
sys/compat/sys/ipc.h: revision 1.6
sys/compat/sys/ipc.h: revision 1.7
sys/compat/sys/shm.h: revision 1.8
sys/kern/sysv_shm.c: revision 1.133
sys/compat/sys/sem.h: revision 1.7
sys/compat/linux/common/linux_ipc.c: revision 1.56
sys/compat/netbsd32/netbsd32_conv.h: revision 1.38
sys/kern/sysv_sem.c: revision 1.96
sys/compat/netbsd32/netbsd32_compat_14.c: revision 1.28
sys/compat/netbsd32/netbsd32_compat_14.c: revision 1.29
sys/compat/linux32/common/linux32_ipccall.c: revision 1.12
sys/kern/sysv_msg.c: revision 1.73
sys/compat/sys/msg.h: revision 1.6

for sysv ipc stat operations, explicitly copy the exported parts
instead of the whole ds structure.
besides triggering a recently added assert in netbsd32, this stops
exposing kernel addresses.

copy the mode clamping to 0777 from sem to shm and msg.

while here, make sure that the compat callers to sysv_ipc clear
the contents of the compat structure before setting the result
members to ensure padding bytes are cleared.

don't set/copy _sem_base, _msg_first, _msg_last or _shm_internal.
even if used, which seems very dodgy, they leak KVAs as well.
possibly this may affect linux binaries, in particular, the
comments around _shm_internal ("XXX Oh well.") may mean apps
rely upon these but hopefully not -- the comments date back to
rev 1.1 in 1995.

the _key, _seq and _msg_cbytes members are exported as before as
i found multiple consumers of these (no less than ipcs(1)), and
they appear to be useful for debugging and more.

XXX: the naming of compat functions have too many styles.  there
 are at least 3 different ones changed here.

fix naming errors in previous.  (this file is no longer compiled, but
this fix makes the pull up more obvious, before deleting this file.)

include libkern.h or strings.h.  should fix i386 build issues.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.34.1 src/sys/compat/linux/common/linux_ipc.c
cvs rdiff -u -r1.11 -r1.11.38.1 \
src/sys/compat/linux32/common/linux32_ipccall.c
cvs rdiff -u -r1.21.78.1 -r1.21.78.2 \
src/sys/compat/netbsd32/netbsd32_compat_14.c
cvs rdiff -u -r1.28.8.1 -r1.28.8.2 src/sys/compat/netbsd32/netbsd32_conv.h
cvs rdiff -u -r1.4 -r1.4.34.1 src/sys/compat/sys/ipc.h
cvs rdiff -u -r1.4.44.1 -r1.4.44.2 src/sys/compat/sys/msg.h
cvs rdiff -u -r1.6 -r1.6.44.1 src/sys/compat/sys/sem.h
cvs rdiff -u -r1.7 -r1.7.42.1 src/sys/compat/sys/shm.h
cvs rdiff -u -r1.66 -r1.66.8.1 src/sys/kern/sysv_msg.c
cvs rdiff -u -r1.90 -r1.90.6.1 src/sys/kern/sysv_sem.c
cvs rdiff -u -r1.125 -r1.125.6.1 src/sys/kern/sysv_shm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_ipc.c
diff -u src/sys/compat/linux/common/linux_ipc.c:1.55 src/sys/compat/linux/common/linux_ipc.c:1.55.34.1
--- src/sys/compat/linux/common/linux_ipc.c:1.55	Sat May 28 23:24:58 2011
+++ src/sys/compat/linux/common/linux_ipc.c	Sat Feb 23 07:05:40 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_ipc.c,v 1.55 2011/05/28 23:24:58 alnsn Exp $	*/
+/*	$NetBSD: linux_ipc.c,v 1.55.34.1 2019/02/23 07:05:40 martin Exp $	*/
 
 /*-
  * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_ipc.c,v 1.55 2011/05/28 23:24:58 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_ipc.c,v 1.55.34.1 2019/02/23 07:05:40 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_sysv.h"
@@ -117,6 +117,7 @@ void
 bsd_to_linux_ipc_perm(struct ipc_perm *bpp, struct linux_ipc_perm *lpp)
 {
 
+	memset(lpp, 0, sizeof *lpp);
 	lpp->l_key = bpp->_key;
 	lpp->l_uid = bpp->uid;
 	lpp->l_gid = bpp->gid;
@@ -129,6 +130,8 @@ bsd_to_linux_ipc_perm(struct ipc_perm *b
 void
 bsd_to_linux_ipc64_perm(struct ipc_perm *bpp, struct linux_ipc64_perm *lpp)
 {
+
+	memset(lpp, 0, sizeof *lpp);
 	lpp->l_key = bpp->_key;
 	lpp->l_uid = bpp->uid;
 	lpp->l_gid = bpp->gid;
@@ -152,16 +155,19 @@ bsd_to_linux_ipc64_perm(struct ipc_perm 
 void
 bsd_to_linux_semid_ds(struct semid_ds *bs, struct linux_semid_ds *ls)
 {
+
+	memset(ls, 0, sizeof *ls);
 	bsd_to_linux_ipc_perm(>sem_perm, >l_sem_perm);
 	ls->l_sem_otime = bs->sem_otime;
 	ls->l_sem_ctime = bs->sem_ctime;
 	ls->l_sem_nsems = bs->sem_nsems;
-	ls->l_sem_base = bs->_sem_base;
 }
 
 void
 bsd_to_linux_semid64_ds(struct semid_ds *bs, struct 

CVS commit: [netbsd-7-0] src/sys/kern

2019-02-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  1 11:12:03 UTC 2019

Modified Files:
src/sys/kern [netbsd-7-0]: kern_time.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1678):

sys/kern/kern_time.c: revision 1.190
sys/kern/kern_time.c: revision 1.194

Fix stack info leak. There are 4 bytes of padding in struct timeval. Looks
like there are other leaks related to timeval in this file.

[  133.414352] kleak: Possible leak in copyout: [len=16, leaked=4]
[  133.414352] #0 0x80224d0a in kleak_note 
[  133.424360] #1 0x80224d8a in kleak_copyout 
[  133.434361] #2 0x80b5fd79 in sys___gettimeofday50 
[  133.434361] #3 0x8025a89c in sy_call 
[  133.444351] #4 0x8025aace in sy_invoke 
[  133.454365] #5 0x8025ab54 in syscall 

 -

Fix kernel info leaks.


To generate a diff of this commit:
cvs rdiff -u -r1.179.12.4 -r1.179.12.5 src/sys/kern/kern_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_time.c
diff -u src/sys/kern/kern_time.c:1.179.12.4 src/sys/kern/kern_time.c:1.179.12.5
--- src/sys/kern/kern_time.c:1.179.12.4	Thu Dec 27 12:01:50 2018
+++ src/sys/kern/kern_time.c	Fri Feb  1 11:12:03 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_time.c,v 1.179.12.4 2018/12/27 12:01:50 martin Exp $	*/
+/*	$NetBSD: kern_time.c,v 1.179.12.5 2019/02/01 11:12:03 martin Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.4 2018/12/27 12:01:50 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.5 2019/02/01 11:12:03 martin Exp $");
 
 #include 
 #include 
@@ -388,6 +388,7 @@ sys___gettimeofday50(struct lwp *l, cons
 	struct timezone tzfake;
 
 	if (SCARG(uap, tp)) {
+		memset(, 0, sizeof(atv));
 		microtime();
 		error = copyout(, SCARG(uap, tp), sizeof(atv));
 		if (error)
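Review bot: The zeroing covers `atv`, but the `struct timezone tzfake` declared in the context at the top of this hunk is presumably copied out on the tzp path further down, outside the hunk, and is untouched by this change; if that struct has padding or a member that is left unassigned, the same stack disclosure remains, and the log itself says other timeval-related leaks likely exist in this file. A short comment on the new line would also keep the memset from being dropped later as redundant with microtime(): `/* struct timeval has padding; zero it so copyout cannot leak stack */`. sys___gettimeofday50() continues outside the hunk.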
@@ -487,6 +488,7 @@ adjtime1(const struct timeval *delta, st
 	extern int64_t time_adjtime;  /* in kern_ntptime.c */
 
 	if (olddelta) {
+		memset(olddelta, 0, sizeof(*olddelta));
 		mutex_spin_enter(_lock);
 		olddelta->tv_sec = time_adjtime / 100;
 		olddelta->tv_usec = time_adjtime % 100;



CVS commit: [netbsd-7-0] src/sys/arch

2019-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Jan 30 13:32:58 UTC 2019

Modified Files:
src/sys/arch/alpha/alpha [netbsd-7-0]: machdep.c
src/sys/arch/amd64/amd64 [netbsd-7-0]: netbsd32_machdep.c
src/sys/arch/arm/arm [netbsd-7-0]: sig_machdep.c
src/sys/arch/hppa/hppa [netbsd-7-0]: sig_machdep.c
src/sys/arch/i386/i386 [netbsd-7-0]: machdep.c
src/sys/arch/m68k/m68k [netbsd-7-0]: sig_machdep.c
src/sys/arch/mips/mips [netbsd-7-0]: netbsd32_machdep.c sig_machdep.c
src/sys/arch/powerpc/powerpc [netbsd-7-0]: sig_machdep.c
src/sys/arch/sh3/sh3 [netbsd-7-0]: sh3_machdep.c
src/sys/arch/sparc64/sparc64 [netbsd-7-0]: machdep.c netbsd32_machdep.c
src/sys/arch/usermode/target/i386 [netbsd-7-0]: cpu_i386.c
src/sys/arch/usermode/target/x86_64 [netbsd-7-0]: cpu_x86_64.c
src/sys/arch/vax/vax [netbsd-7-0]: sig_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1677):

sys/arch/hppa/hppa/sig_machdep.c: revision 1.26
sys/arch/arm/arm/sig_machdep.c: revision 1.51
sys/arch/i386/i386/machdep.c: revision 1.813
sys/arch/alpha/alpha/machdep.c: revision 1.352
sys/arch/m68k/m68k/sig_machdep.c: revision 1.50
sys/arch/usermode/target/i386/cpu_i386.c: revision 1.8
sys/arch/sparc64/sparc64/machdep.c: revision 1.289
sys/arch/sparc64/sparc64/netbsd32_machdep.c: revision 1.111
sys/arch/powerpc/powerpc/sig_machdep.c: revision 1.46
sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.117
sys/arch/sh3/sh3/sh3_machdep.c: revision 1.106
sys/arch/mips/mips/netbsd32_machdep.c: revision 1.16
sys/arch/mips/mips/sig_machdep.c: revision 1.24
sys/arch/usermode/target/x86_64/cpu_x86_64.c: revision 1.7
sys/arch/vax/vax/sig_machdep.c: revision 1.23

Fix widespread leak in the sendsig_siginfo() functions. sigframe_siginfo
has padding, so zero it out properly. While here I'm also zeroing out some
other things in several ports, for safety. Same problem in netbsd32, so
fix that too.

I can't compile-test on each architecture, but there should be no
breakage (tm).

Overall this fixes at least 14 info leaks. Prompted by the discovery by
KLEAK of a leak in amd64's sendsig_siginfo.


To generate a diff of this commit:
cvs rdiff -u -r1.345.4.1 -r1.345.4.2 src/sys/arch/alpha/alpha/machdep.c
cvs rdiff -u -r1.92 -r1.92.8.1 src/sys/arch/amd64/amd64/netbsd32_machdep.c
cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/arch/arm/arm/sig_machdep.c
cvs rdiff -u -r1.25 -r1.25.34.1 src/sys/arch/hppa/hppa/sig_machdep.c
cvs rdiff -u -r1.752.8.2 -r1.752.8.3 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.49 -r1.49.18.1 src/sys/arch/m68k/m68k/sig_machdep.c
cvs rdiff -u -r1.11 -r1.11.8.1 src/sys/arch/mips/mips/netbsd32_machdep.c
cvs rdiff -u -r1.23 -r1.23.32.1 src/sys/arch/mips/mips/sig_machdep.c
cvs rdiff -u -r1.43.14.1 -r1.43.14.1.2.1 \
src/sys/arch/powerpc/powerpc/sig_machdep.c
cvs rdiff -u -r1.102.8.1 -r1.102.8.2 src/sys/arch/sh3/sh3/sh3_machdep.c
cvs rdiff -u -r1.278.2.3 -r1.278.2.3.2.1 \
src/sys/arch/sparc64/sparc64/machdep.c
cvs rdiff -u -r1.103.8.1 -r1.103.8.2 \
src/sys/arch/sparc64/sparc64/netbsd32_machdep.c
cvs rdiff -u -r1.4 -r1.4.20.1 src/sys/arch/usermode/target/i386/cpu_i386.c
cvs rdiff -u -r1.2 -r1.2.28.1 \
src/sys/arch/usermode/target/x86_64/cpu_x86_64.c
cvs rdiff -u -r1.21 -r1.21.32.1 src/sys/arch/vax/vax/sig_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/alpha/alpha/machdep.c
diff -u src/sys/arch/alpha/alpha/machdep.c:1.345.4.1 src/sys/arch/alpha/alpha/machdep.c:1.345.4.2
--- src/sys/arch/alpha/alpha/machdep.c:1.345.4.1	Tue Nov  1 20:27:51 2016
+++ src/sys/arch/alpha/alpha/machdep.c	Wed Jan 30 13:32:57 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: machdep.c,v 1.345.4.1 2016/11/01 20:27:51 snj Exp $ */
+/* $NetBSD: machdep.c,v 1.345.4.2 2019/01/30 13:32:57 martin Exp $ */
 
 /*-
  * Copyright (c) 1998, 1999, 2000 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
 
 #include 			/* RCS ID & Copyright macro defns */
 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.345.4.1 2016/11/01 20:27:51 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.345.4.2 2019/01/30 13:32:57 martin Exp $");
 
 #include 
 #include 
@@ -1465,12 +1465,11 @@ sendsig_siginfo(const ksiginfo_t *ksi, c
 #endif
 
 	/* Build stack frame for signal trampoline. */
-
+	memset(, 0, sizeof(frame));
 	frame.sf_si._info = ksi->ksi_info;
 	frame.sf_uc.uc_flags = _UC_SIGMASK;
 	frame.sf_uc.uc_sigmask = *mask;
 	frame.sf_uc.uc_link = l->l_ctxlink;
-	memset(_uc.uc_stack, 0, sizeof(frame.sf_uc.uc_stack));
 	sendsig_reset(l, sig);
 	mutex_exit(p->p_lock);
 	cpu_getmcontext(l, _uc.uc_mcontext, _uc.uc_flags);
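Review bot: The whole-frame memset should say why it is there, because the previous partial `memset(&frame.sf_uc.uc_stack, ...)` shows a later reader may narrow it again; a comment such as `/* Zero the whole frame: sigframe_siginfo has padding, and cpu_getmcontext() may not write every mcontext member; leftovers would leak kernel stack to userland. */` pins the intent. Note that cpu_getmcontext() still runs after the memset and after p_lock is released, so the change does not reorder any locking. The remainder of sendsig_siginfo(), including the copyout of the frame, is outside the hunk.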

Index: src/sys/arch/amd64/amd64/netbsd32_machdep.c
diff -u src/sys/arch/amd64/amd64/netbsd32_machdep.c:1.92 

CVS commit: [netbsd-7-0] src/sys

2019-01-29 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Tue Jan 29 08:09:01 UTC 2019

Modified Files:
src/sys/net [netbsd-7-0]: link_proto.c
src/sys/netatalk [netbsd-7-0]: ddp_usrreq.c
src/sys/netbt [netbsd-7-0]: hci_socket.c l2cap_socket.c rfcomm_socket.c
sco_socket.c
src/sys/netinet [netbsd-7-0]: tcp_usrreq.c
src/sys/netinet6 [netbsd-7-0]: raw_ip6.c udp6_usrreq.c
src/sys/netmpls [netbsd-7-0]: mpls_proto.c
src/sys/netnatm [netbsd-7-0]: natm.c

Log Message:
Pull up following revision(s) (requested by martin in ticket #1676):
sys/net/link_proto.c1.37
sys/netatalk/ddp_usrreq.c   1.72
sys/netbt/hci_socket.c  1.46
sys/netbt/l2cap_socket.c1.36
sys/netbt/rfcomm_socket.c   1.38
sys/netbt/sco_socket.c  1.38
sys/netinet/tcp_usrreq.c1.223 via patch
sys/netinet6/raw_ip6.c  1.173
sys/netinet6/udp6_usrreq.c  1.146
sys/netmpls/mpls_proto.c1.32
sys/netnatm/natm.c  patch

Fix memory leaks pointed out by Ilja Van Sprundel: all
sendoob() functions are expected to free both passed
mbuf chains.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.24.6.1 src/sys/net/link_proto.c
cvs rdiff -u -r1.63 -r1.63.6.1 src/sys/netatalk/ddp_usrreq.c
cvs rdiff -u -r1.40 -r1.40.6.1 src/sys/netbt/hci_socket.c
cvs rdiff -u -r1.31 -r1.31.6.1 src/sys/netbt/l2cap_socket.c
cvs rdiff -u -r1.33 -r1.33.6.1 src/sys/netbt/rfcomm_socket.c \
src/sys/netbt/sco_socket.c
cvs rdiff -u -r1.200.2.2 -r1.200.2.2.2.1 src/sys/netinet/tcp_usrreq.c
cvs rdiff -u -r1.136.6.2 -r1.136.6.3 src/sys/netinet6/raw_ip6.c
cvs rdiff -u -r1.115 -r1.115.6.1 src/sys/netinet6/udp6_usrreq.c
cvs rdiff -u -r1.24 -r1.24.6.1 src/sys/netmpls/mpls_proto.c
cvs rdiff -u -r1.45 -r1.45.6.1 src/sys/netnatm/natm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/link_proto.c
diff -u src/sys/net/link_proto.c:1.24 src/sys/net/link_proto.c:1.24.6.1
--- src/sys/net/link_proto.c:1.24	Sat Aug  9 05:33:01 2014
+++ src/sys/net/link_proto.c	Tue Jan 29 08:09:00 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: link_proto.c,v 1.24 2014/08/09 05:33:01 rtr Exp $	*/
+/*	$NetBSD: link_proto.c,v 1.24.6.1 2019/01/29 08:09:00 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 1982, 1986, 1993
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: link_proto.c,v 1.24 2014/08/09 05:33:01 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: link_proto.c,v 1.24.6.1 2019/01/29 08:09:00 msaitoh Exp $");
 
 #include 
 #include 
@@ -389,6 +389,9 @@ link_sendoob(struct socket *so, struct m
 {
 	KASSERT(solocked(so));
 
+	m_freem(m);
+	m_freem(control);
+
 	return EOPNOTSUPP;
 }
 

Index: src/sys/netatalk/ddp_usrreq.c
diff -u src/sys/netatalk/ddp_usrreq.c:1.63 src/sys/netatalk/ddp_usrreq.c:1.63.6.1
--- src/sys/netatalk/ddp_usrreq.c:1.63	Sat Aug  9 05:33:01 2014
+++ src/sys/netatalk/ddp_usrreq.c	Tue Jan 29 08:09:00 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ddp_usrreq.c,v 1.63 2014/08/09 05:33:01 rtr Exp $	 */
+/*	$NetBSD: ddp_usrreq.c,v 1.63.6.1 2019/01/29 08:09:00 msaitoh Exp $	 */
 
 /*
  * Copyright (c) 1990,1991 Regents of The University of Michigan.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ddp_usrreq.c,v 1.63 2014/08/09 05:33:01 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ddp_usrreq.c,v 1.63.6.1 2019/01/29 08:09:00 msaitoh Exp $");
 
 #include "opt_mbuftrace.h"
 
@@ -581,8 +581,8 @@ ddp_sendoob(struct socket *so, struct mb
 {
 	KASSERT(solocked(so));
 
-	if (m)
-		m_freem(m);
+	m_freem(m);
+	m_freem(control);
 
 	return EOPNOTSUPP;
 }

Index: src/sys/netbt/hci_socket.c
diff -u src/sys/netbt/hci_socket.c:1.40 src/sys/netbt/hci_socket.c:1.40.6.1
--- src/sys/netbt/hci_socket.c:1.40	Sat Aug  9 05:33:01 2014
+++ src/sys/netbt/hci_socket.c	Tue Jan 29 08:09:00 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: hci_socket.c,v 1.40 2014/08/09 05:33:01 rtr Exp $	*/
+/*	$NetBSD: hci_socket.c,v 1.40.6.1 2019/01/29 08:09:00 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2005 Iain Hibbert.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.40 2014/08/09 05:33:01 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.40.6.1 2019/01/29 08:09:00 msaitoh Exp $");
 
 /* load symbolic names */
 #ifdef BLUETOOTH_DEBUG
@@ -712,10 +712,8 @@ hci_sendoob(struct socket *so, struct mb
 {
 	KASSERT(solocked(so));
 
-	if (m)
-		m_freem(m);
-	if (control)
-		m_freem(control);
+	m_freem(m);
+	m_freem(control);
 
 	return EOPNOTSUPP;
 }

Index: src/sys/netbt/l2cap_socket.c
diff -u src/sys/netbt/l2cap_socket.c:1.31 src/sys/netbt/l2cap_socket.c:1.31.6.1
--- src/sys/netbt/l2cap_socket.c:1.31	Sat Aug  9 05:33:01 2014
+++ src/sys/netbt/l2cap_socket.c	Tue Jan 29 08:09:00 2019
@@ -1,4 +1,4 @@

CVS commit: [netbsd-7-0] src/sys/kern

2019-01-24 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jan 24 14:12:09 UTC 2019

Modified Files:
src/sys/kern [netbsd-7-0]: kern_ntptime.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1675):

sys/kern/kern_ntptime.c: revision 1.60

Zero out the ntptimeval structure to prevent a 4 byte kernel stack disclosure.
Reported by Thomas Barabosch.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.8.1 src/sys/kern/kern_ntptime.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_ntptime.c
diff -u src/sys/kern/kern_ntptime.c:1.55 src/sys/kern/kern_ntptime.c:1.55.8.1
--- src/sys/kern/kern_ntptime.c:1.55	Tue Feb 25 18:30:11 2014
+++ src/sys/kern/kern_ntptime.c	Thu Jan 24 14:12:09 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_ntptime.c,v 1.55 2014/02/25 18:30:11 pooka Exp $	*/
+/*	$NetBSD: kern_ntptime.c,v 1.55.8.1 2019/01/24 14:12:09 martin Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -60,7 +60,7 @@
 
 #include 
 /* __FBSDID("$FreeBSD: src/sys/kern/kern_ntptime.c,v 1.59 2005/05/28 14:34:41 rwatson Exp $"); */
-__KERNEL_RCSID(0, "$NetBSD: kern_ntptime.c,v 1.55 2014/02/25 18:30:11 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ntptime.c,v 1.55.8.1 2019/01/24 14:12:09 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ntp.h"
@@ -239,6 +239,7 @@ static void hardupdate(long offset);
 void
 ntp_gettime(struct ntptimeval *ntv)
 {
+	memset(ntv, 0, sizeof(*ntv));
 
 	mutex_spin_enter(_lock);
 	nanotime(>time);
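Review bot: The new memset is placed between the opening brace and the blank line, while the other zeroing hunks in this series (bsd_to_linux_semid_ds, netbsd32_from_msqid_ds) put it after the blank line that follows `{`; moving `memset(ntv, 0, sizeof(*ntv));` below that blank line keeps the declarations/blank/statements layout consistent with them. A brief why-comment, `/* zero padding: the caller copies the whole struct out */`, would also help, since only the log carries the rationale. The rest of ntp_gettime() is outside the hunk.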



CVS commit: [netbsd-7-0] src/sys/arch/sparc/sparc

2019-01-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 15 18:45:24 UTC 2019

Modified Files:
src/sys/arch/sparc/sparc [netbsd-7-0]: pmap.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1672):

sys/arch/sparc/sparc/pmap.c: revision 1.366

switch sparc pmap lock to the scheme sparc64 uses:
- - local IPL_NONE mutex for general pmap locking operations, not
  kernel lock.
- - for pmap_activate()/pmap_deactivate(), switch to using the
  existing ctx_lock, and push handling of it into ctx_alloc() the
  ctx_free() callers.

fixes easy to trigger deadlocks on systems with >2 cpus.  without
this patch i usually hang during boot.  with it, i was able to
push the machine hard for over 12 hours.

XXX: pullup-8, and maybe -7.


To generate a diff of this commit:
cvs rdiff -u -r1.358 -r1.358.6.1 src/sys/arch/sparc/sparc/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc/sparc/pmap.c
diff -u src/sys/arch/sparc/sparc/pmap.c:1.358 src/sys/arch/sparc/sparc/pmap.c:1.358.6.1
--- src/sys/arch/sparc/sparc/pmap.c:1.358	Sat May  3 11:17:06 2014
+++ src/sys/arch/sparc/sparc/pmap.c	Tue Jan 15 18:45:24 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.358 2014/05/03 11:17:06 nakayama Exp $ */
+/*	$NetBSD: pmap.c,v 1.358.6.1 2019/01/15 18:45:24 martin Exp $ */
 
 /*
  * Copyright (c) 1996
@@ -56,7 +56,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.358 2014/05/03 11:17:06 nakayama Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.358.6.1 2019/01/15 18:45:24 martin Exp $");
 
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
@@ -176,8 +176,8 @@ paddr_t	vm_first_phys = (paddr_t)-1;
 paddr_t	vm_last_phys = 0;
 psize_t vm_num_phys;
 
-#define	PMAP_LOCK()	KERNEL_LOCK(1, NULL)
-#define	PMAP_UNLOCK()	KERNEL_UNLOCK_ONE(NULL)
+#define	PMAP_LOCK()	mutex_enter(_lock)
+#define	PMAP_UNLOCK()	mutex_exit(_lock)
 
 /*
  * Flags in pvlist.pv_flags.  Note that PV_MOD must be 1 and PV_REF must be 2
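Review bot: KERNEL_LOCK(1, NULL) is recursive while a kmutex_t is not, so any pmap routine that reaches PMAP_LOCK() while already holding it — previously silently tolerated — will now assert under LOCKDEBUG or deadlock; the pmap_* call graph deserves an audit for nested PMAP_LOCK() before this is pulled up. The replacement is also initialized as IPL_NONE further down this diff, which means no PMAP_LOCK() path may run from interrupt context or while a spin mutex is held, a constraint the kernel lock did not impose. A one-line comment at the macro would document the new rule: `/* adaptive, IPL_NONE: never take from interrupt context or under a spin mutex */`.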
@@ -347,6 +347,7 @@ mmuq_insert_tail(struct mmuentry *head, 
 int	seginval;		/* [4/4c] the invalid segment number */
 int	reginval;		/* [4/3mmu] the invalid region number */
 
+static kmutex_t pmap_lock;
 static kmutex_t demap_lock;
 static bool	lock_available = false;	/* demap_lock has been initialized */
 
@@ -372,15 +373,15 @@ union ctxinfo {
 	struct	pmap *c_pmap;		/* pmap (if busy) */
 };
 
-static kmutex_t	ctx_lock;		/* lock for below */
+static kmutex_t	ctx_lock;		/* lock for below, and {,de}activate */
 union	ctxinfo *ctxinfo;		/* allocated at in pmap_bootstrap */
 union	ctxinfo *ctx_freelist;		/* context free list */
 int	ctx_kick;			/* allocation rover when none free */
 int	ctx_kickdir;			/* ctx_kick roves both directions */
 int	ncontext;			/* sizeof ctx_freelist */
 
-void	ctx_alloc(struct pmap *);
-void	ctx_free(struct pmap *);
+static void	ctx_alloc(struct pmap *);
+static void	ctx_free(struct pmap *);
 
 /*void *	vdumppages;	-* 32KB worth of reserved dump pages */
 
@@ -2121,7 +2122,7 @@ mmu_pagein(struct pmap *pm, vaddr_t va, 
  * This routine is only ever called from locore.s just after it has
  * saved away the previous process, so there are no active user windows.
  */
-void
+static void
 ctx_alloc(struct pmap *pm)
 {
 	union ctxinfo *c;
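Review bot: The comment directly above the signature says ctx_alloc() "is only ever called from locore.s", which cannot hold once the function is `static` — an assembly caller would fail to link — and the log describes it as now called from pmap_activate()/pmap_deactivate() with ctx_lock held. The comment should be updated to the new contract instead of contradicting the code, e.g. `/* Allocate a context for pm. Caller holds ctx_lock; see pmap_activate(). */`, matching the KASSERT added in the next hunk. If the locore.s reference is still accurate, then the `static` is a build break rather than a cleanup, so one of the two must change.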
@@ -2133,6 +2134,8 @@ ctx_alloc(struct pmap *pm)
 	struct cpu_info *cpi;
 #endif
 
+	KASSERT(mutex_owned(_lock));
+
 /*XXX-GCC!*/gap_start=gap_end=0;
 #ifdef DEBUG
 	if (pm->pm_ctx)
@@ -2145,7 +2148,6 @@ ctx_alloc(struct pmap *pm)
 		gap_end = pm->pm_gap_end;
 	}
 
-	mutex_spin_enter(_lock);
 	if ((c = ctx_freelist) != NULL) {
 		ctx_freelist = c->c_nextfree;
 		cnum = c - ctxinfo;
@@ -2288,13 +2290,12 @@ ctx_alloc(struct pmap *pm)
 		setcontext4m(cnum);
 #endif /* SUN4M || SUN4D */
 	}
-	mutex_spin_exit(_lock);
 }
 
 /*
  * Give away a context.
  */
-void
+static void
 ctx_free(struct pmap *pm)
 {
 	union ctxinfo *c;
@@ -2303,6 +2304,8 @@ ctx_free(struct pmap *pm)
 	struct cpu_info *cpi;
 #endif
 
+	KASSERT(mutex_owned(_lock));
+
 	c = pm->pm_ctx;
 	ctx = pm->pm_ctxnum;
 	pm->pm_ctx = NULL;
@@ -2316,8 +2319,6 @@ ctx_free(struct pmap *pm)
 	}
 #endif /* SUN4 || SUN4C */
 
-	mutex_spin_enter(_lock);
-
 #if defined(SUN4M) || defined(SUN4D)
 	if (CPU_HAS_SRMMU) {
 		CPU_INFO_ITERATOR i;
@@ -2334,7 +2335,6 @@ ctx_free(struct pmap *pm)
 
 	c->c_nextfree = ctx_freelist;
 	ctx_freelist = c;
-	mutex_spin_exit(_lock);
 }
 
 
@@ -3070,6 +3070,7 @@ pmap_bootstrap(int nctx, int nregion, in
 	}
 
 	pmap_page_upload();
+	mutex_init(_lock, MUTEX_DEFAULT, IPL_NONE);
 	mutex_init(_lock, MUTEX_DEFAULT, IPL_VM);
 	mutex_init(_lock, MUTEX_DEFAULT, IPL_SCHED);
 	lock_available = true;
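Review bot: pmap_lock is initialized at the very end of pmap_bootstrap(), yet PMAP_LOCK() now expands to mutex_enter(&pmap_lock); if any pmap entry point that takes PMAP_LOCK() is invoked earlier in bootstrap while the kernel map is set up, it would operate on an uninitialized mutex. demap_lock has the `lock_available` flag for exactly this window, so either confirm no locking pmap path runs before this point or gate the macros on the same flag, e.g. `#define PMAP_LOCK() do { if (lock_available) mutex_enter(&pmap_lock); } while (0)` with the matching unlock. The rest of pmap_bootstrap() is outside the hunk.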
@@ -4386,7 +4387,9 @@ pmap_pmap_pool_dtor(void *arg, void *obj
 #endif
 
 	if ((c = pm->pm_ctx) != NULL) {
+		mutex_spin_enter(_lock);
 		ctx_free(pm);
+		mutex_spin_exit(_lock);
 	}
 
 #if defined(SUN4M) || defined(SUN4D)
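Review bot: The `pm->pm_ctx != NULL` test is made before ctx_lock is taken, so the check and the ctx_free() it guards are not atomic; that is only safe if nothing can free or reclaim this pmap's context concurrently, which is plausible in a pool destructor for a pmap being torn down but is not stated anywhere. Either record the assumption, `/* pm is being destroyed: no concurrent ctx_free() can race the unlocked check */`, or move the test under the lock: `mutex_spin_enter(&ctx_lock); if (pm->pm_ctx != NULL) ctx_free(pm); mutex_spin_exit(&ctx_lock);`. The `ctx_kick` rover comment earlier in the file suggests contexts can be reclaimed from other pmaps when none are free, which is why the assumption deserves to be written down.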
@@ -4656,7 +4659,7 @@ pmap_remove(struct pmap *pm, 

CVS commit: [netbsd-7-0] src/sys/compat/sys

2019-01-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jan  3 11:16:04 UTC 2019

Modified Files:
src/sys/compat/sys [netbsd-7-0]: time_types.h

Log Message:
Additionally pull up the following for ticket #1668:

sys/compat/sys/time_types.h 1.3

include libkern.h or string.h & stddef.h, to get the offsetof()
and memset() definitions.


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.1.44.1 src/sys/compat/sys/time_types.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/sys/time_types.h
diff -u src/sys/compat/sys/time_types.h:1.1 src/sys/compat/sys/time_types.h:1.1.44.1
--- src/sys/compat/sys/time_types.h:1.1	Thu Nov  5 16:59:01 2009
+++ src/sys/compat/sys/time_types.h	Thu Jan  3 11:16:04 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: time_types.h,v 1.1 2009/11/05 16:59:01 pooka Exp $	*/
+/*	$NetBSD: time_types.h,v 1.1.44.1 2019/01/03 11:16:04 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1993
@@ -34,6 +34,13 @@
 #ifndef _COMPAT_SYS_TIME_TYPES_H_
 #define	_COMPAT_SYS_TIME_TYPES_H_
 
+#ifdef _KERNEL
+#include 
+#else
+#include 
+#include 
+#endif
+
 /*
  * Structure returned by gettimeofday(2) system call,
  * and used in other calls.



CVS commit: [netbsd-7-0] src/sys/conf

2019-01-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Jan  2 15:29:22 UTC 2019

Modified Files:
src/sys/conf [netbsd-7-0]: copyright

Log Message:
Pull up following revision(s) (requested by jnemeth in ticket #1669):

sys/conf/copyright: revision 1.17

Welcome to 2019!


To generate a diff of this commit:
cvs rdiff -u -r1.12.4.1.2.2 -r1.12.4.1.2.3 src/sys/conf/copyright

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/conf/copyright
diff -u src/sys/conf/copyright:1.12.4.1.2.2 src/sys/conf/copyright:1.12.4.1.2.3
--- src/sys/conf/copyright:1.12.4.1.2.2	Fri Mar  9 19:50:14 2018
+++ src/sys/conf/copyright	Wed Jan  2 15:29:22 2019
@@ -1,5 +1,5 @@
 Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017,
-2018 The NetBSD Foundation, Inc.  All rights reserved.
+2018, 2019 The NetBSD Foundation, Inc.  All rights reserved.
 Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California.  All rights reserved.



CVS commit: [netbsd-7-0] src/sys/compat

2019-01-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Jan  2 15:27:23 UTC 2019

Modified Files:
src/sys/compat/netbsd32 [netbsd-7-0]: netbsd32_compat_14.c
netbsd32_conv.h
src/sys/compat/sys [netbsd-7-0]: msg.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1668):

sys/compat/netbsd32/netbsd32_conv.h: revision 1.37
sys/compat/netbsd32/netbsd32_compat_14.c: revision 1.27
sys/compat/sys/msg.h: revision 1.5

Fix kernel info leaks.

+ Possible info leak: [len=80, leaked=10]
| #0 0x80bad7a7 in kleak_copyout
| #1 0x8048e71b in netbsd32___msgctl50
| #2 0x8022fb5b in netbsd32_syscall
| #3 0x802096dd in handle_syscall


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.78.1 src/sys/compat/netbsd32/netbsd32_compat_14.c
cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/compat/netbsd32/netbsd32_conv.h
cvs rdiff -u -r1.4 -r1.4.44.1 src/sys/compat/sys/msg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_compat_14.c
diff -u src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21 src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21.78.1
--- src/sys/compat/netbsd32/netbsd32_compat_14.c:1.21	Thu Dec 20 23:03:01 2007
+++ src/sys/compat/netbsd32/netbsd32_compat_14.c	Wed Jan  2 15:27:23 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_compat_14.c,v 1.21 2007/12/20 23:03:01 dsl Exp $	*/
+/*	$NetBSD: netbsd32_compat_14.c,v 1.21.78.1 2019/01/02 15:27:23 martin Exp $	*/
 
 /*
  * Copyright (c) 1999 Eduardo E. Horvath
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_14.c,v 1.21 2007/12/20 23:03:01 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_14.c,v 1.21.78.1 2019/01/02 15:27:23 martin Exp $");
 
 #include 
 #include 
@@ -126,6 +126,7 @@ static inline void
 native_to_netbsd32_msqid_ds14(struct msqid_ds *msqbuf, struct netbsd32_msqid_ds14 *omsqbuf)
 {
 
+	memset(omsqbuf, 0, sizeof(*omsqbuf));
 	native_to_netbsd32_ipc_perm14(>msg_perm, >msg_perm);
 
 #define	CVT(x)	omsqbuf->x = msqbuf->x

Index: src/sys/compat/netbsd32/netbsd32_conv.h
diff -u src/sys/compat/netbsd32/netbsd32_conv.h:1.28 src/sys/compat/netbsd32/netbsd32_conv.h:1.28.8.1
--- src/sys/compat/netbsd32/netbsd32_conv.h:1.28	Tue Mar 18 18:20:41 2014
+++ src/sys/compat/netbsd32/netbsd32_conv.h	Wed Jan  2 15:27:23 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_conv.h,v 1.28 2014/03/18 18:20:41 riastradh Exp $	*/
+/*	$NetBSD: netbsd32_conv.h,v 1.28.8.1 2019/01/02 15:27:23 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -543,6 +543,7 @@ netbsd32_from_msqid_ds50(const struct ms
 struct netbsd32_msqid_ds50 *ds32p)
 {
 
+	memset(ds32p, 0, sizeof(*ds32p));
 	netbsd32_from_ipc_perm(>msg_perm, >msg_perm);
 	ds32p->_msg_cbytes = (netbsd32_u_long)dsp->_msg_cbytes;
 	ds32p->msg_qnum = (netbsd32_u_long)dsp->msg_qnum;
@@ -559,6 +560,7 @@ netbsd32_from_msqid_ds(const struct msqi
 struct netbsd32_msqid_ds *ds32p)
 {
 
+	memset(ds32p, 0, sizeof(*ds32p));
 	netbsd32_from_ipc_perm(>msg_perm, >msg_perm);
 	ds32p->_msg_cbytes = (netbsd32_u_long)dsp->_msg_cbytes;
 	ds32p->msg_qnum = (netbsd32_u_long)dsp->msg_qnum;

Index: src/sys/compat/sys/msg.h
diff -u src/sys/compat/sys/msg.h:1.4 src/sys/compat/sys/msg.h:1.4.44.1
--- src/sys/compat/sys/msg.h:1.4	Mon Jan 19 19:39:41 2009
+++ src/sys/compat/sys/msg.h	Wed Jan  2 15:27:23 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: msg.h,v 1.4 2009/01/19 19:39:41 christos Exp $	*/
+/*	$NetBSD: msg.h,v 1.4.44.1 2019/01/02 15:27:23 martin Exp $	*/
 
 /*
  * SVID compatible msg.h file
@@ -108,6 +108,7 @@ static __inline void
 __native_to_msqid_ds13(const struct msqid_ds *msqbuf, struct msqid_ds13 *omsqbuf)
 {
 
+	memset(omsqbuf, 0, sizeof(*omsqbuf));
 	omsqbuf->msg_perm = msqbuf->msg_perm;
 
 #define	CVT(x)	omsqbuf->x = msqbuf->x
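Review bot: The whole-struct assignment `omsqbuf->msg_perm = msqbuf->msg_perm;` right after the new memset may copy the padding bytes of the source `struct ipc_perm` as well, since a struct copy is free to move padding, so if the kernel's msqid_ds came from a non-zeroed allocation the zeroing of omsqbuf does not cover those bytes; copying that field member-wise, as the ds14 variant does via __native_to_ipc_perm14(), closes the gap. Separately, this inline header function now calls memset(), and the follow-ups in this series (time_types.h 1.3 adding libkern.h/string.h, and the later "include libkern.h or strings.h" build fix) suggest such an include was missing; confirm msg.h pulls in the declaration itself rather than relying on its includers. The rest of the function is outside the hunk.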
@@ -149,6 +150,7 @@ static __inline void
 __native_to_msqid_ds14(const struct msqid_ds *msqbuf, struct msqid_ds14 *omsqbuf)
 {
 
+	memset(omsqbuf, 0, sizeof(*omsqbuf));
 	__native_to_ipc_perm14(>msg_perm, >msg_perm);
 
 #define	CVT(x)	omsqbuf->x = msqbuf->x



CVS commit: [netbsd-7-0] src/sys/kern

2018-12-27 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Dec 27 12:01:50 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: kern_time.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1667):

sys/kern/kern_time.c: revision 1.191

Fix kernel info leak. There are 2x4 bytes of padding in struct itimerval.

[  738.451860] kleak: Possible leak in copyout: [len=32, leaked=8]
[  738.481840] #0 0x80b7c42a in kleak_note 
[  738.491821] #1 0x80b7c4aa in kleak_copyout 
[  738.501806] #2 0x80b6154e in sys___getitimer50 
[  738.511778] #3 0x80b61e39 in sys___setitimer50 
[  738.521781] #4 0x8025ab3c in sy_call 
[  738.521781] #5 0x8025ad6e in sy_invoke 
[  738.531808] #6 0x8025adf4 in syscall 


To generate a diff of this commit:
cvs rdiff -u -r1.179.12.3 -r1.179.12.4 src/sys/kern/kern_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_time.c
diff -u src/sys/kern/kern_time.c:1.179.12.3 src/sys/kern/kern_time.c:1.179.12.4
--- src/sys/kern/kern_time.c:1.179.12.3	Fri Dec 14 12:07:54 2018
+++ src/sys/kern/kern_time.c	Thu Dec 27 12:01:50 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_time.c,v 1.179.12.3 2018/12/14 12:07:54 martin Exp $	*/
+/*	$NetBSD: kern_time.c,v 1.179.12.4 2018/12/27 12:01:50 martin Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.3 2018/12/14 12:07:54 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.4 2018/12/27 12:01:50 martin Exp $");
 
 #include 
 #include 
@@ -1030,6 +1030,7 @@ sys___getitimer50(struct lwp *l, const s
 	struct itimerval aitv;
 	int error;
 
+	memset(, 0, sizeof(aitv));
 	error = dogetitimer(p, SCARG(uap, which), );
 	if (error)
 		return error;
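Review bot: The zeroing is done in the syscall wrapper rather than in dogetitimer(), so if any other caller passes its own `struct itimerval` to dogetitimer() it still copies out padding; adjtime1() in the same series puts the memset in the shared helper, which covers every caller at once. Moving it into dogetitimer() as `memset(aitv, 0, sizeof(*aitv));` (or adding it there as well) would make the fix complete rather than per-caller. sys___getitimer50() continues outside the hunk.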



CVS commit: [netbsd-7-0] src/sys

2018-12-25 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Dec 25 11:34:14 UTC 2018

Modified Files:
src/sys/compat/netbsd32 [netbsd-7-0]: netbsd32_netbsd.c
src/sys/uvm [netbsd-7-0]: uvm_swap.c

Log Message:
Apply patch, requested by maxv in ticket #1666:
Fix similar to:

sys/uvm/uvm_swap.c: revision 1.178

Woah man, fix enormous leak.

Possible info leak: [len=1056, leaked=931]
#0 0x80bad351 in kleak_copyout
#1 0x80b2cf64 in uvm_swap_stats.part.1
#2 0x80b2d38d in uvm_swap_stats
#3 0x80b2d43c in sys_swapctl
#4 0x80259b82 in syscall


To generate a diff of this commit:
cvs rdiff -u -r1.193 -r1.193.6.1 src/sys/compat/netbsd32/netbsd32_netbsd.c
cvs rdiff -u -r1.172 -r1.172.6.1 src/sys/uvm/uvm_swap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_netbsd.c
diff -u src/sys/compat/netbsd32/netbsd32_netbsd.c:1.193 src/sys/compat/netbsd32/netbsd32_netbsd.c:1.193.6.1
--- src/sys/compat/netbsd32/netbsd32_netbsd.c:1.193	Thu Jul 31 12:35:33 2014
+++ src/sys/compat/netbsd32/netbsd32_netbsd.c	Tue Dec 25 11:34:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_netbsd.c,v 1.193 2014/07/31 12:35:33 maxv Exp $	*/
+/*	$NetBSD: netbsd32_netbsd.c,v 1.193.6.1 2018/12/25 11:34:14 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001, 2008 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_netbsd.c,v 1.193 2014/07/31 12:35:33 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_netbsd.c,v 1.193.6.1 2018/12/25 11:34:14 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_ddb.h"
@@ -1754,7 +1754,7 @@ netbsd32_swapctl_stats(struct lwp *l, st
 		count = uvmexp.nswapdev;
 
 	ksep_len = sizeof(*ksep) * count;
-	ksep = kmem_alloc(ksep_len, KM_SLEEP);
+	ksep = kmem_zalloc(ksep_len, KM_SLEEP);
 	usep32 = (struct netbsd32_swapent *)SCARG(uap, arg);
 
 	uvm_swap_stats(SWAP_STATS, ksep, count, retval);

Index: src/sys/uvm/uvm_swap.c
diff -u src/sys/uvm/uvm_swap.c:1.172 src/sys/uvm/uvm_swap.c:1.172.6.1
--- src/sys/uvm/uvm_swap.c:1.172	Fri Jul 25 08:10:40 2014
+++ src/sys/uvm/uvm_swap.c	Tue Dec 25 11:34:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uvm_swap.c,v 1.172 2014/07/25 08:10:40 dholland Exp $	*/
+/*	$NetBSD: uvm_swap.c,v 1.172.6.1 2018/12/25 11:34:14 martin Exp $	*/
 
 /*
  * Copyright (c) 1995, 1996, 1997, 2009 Matthew R. Green
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uvm_swap.c,v 1.172 2014/07/25 08:10:40 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_swap.c,v 1.172.6.1 2018/12/25 11:34:14 martin Exp $");
 
 #include "opt_uvmhist.h"
 #include "opt_compat_netbsd.h"
@@ -515,7 +515,7 @@ sys_swapctl(struct lwp *l, const struct 
 		else
 #endif
 			len = sizeof(struct swapent) * misc;
-		sep = (struct swapent *)kmem_alloc(len, KM_SLEEP);
+		sep = (struct swapent *)kmem_zalloc(len, KM_SLEEP);
 
 		uvm_swap_stats(SCARG(uap, cmd), sep, misc, retval);
 		error = copyout(sep, SCARG(uap, arg), len);
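Review bot: `len` is `sizeof(struct swapent) * misc` with misc supplied by the caller, so the allocation size is only safe if misc was clamped to uvmexp.nswapdev above this hunk, as the netbsd32 counterpart visibly does with `count = uvmexp.nswapdev`; if that clamp is absent, a large misc becomes an unbounded KM_SLEEP allocation driven from userland, so it is worth confirming. The entries uvm_swap_stats() does not fill now stay zero, which accounts for the 931 unfilled bytes in the log; zeroing each entry inside uvm_swap_stats() would have covered the netbsd32 path too without a second change. The clamp and the kmem_free() are outside the hunk.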



CVS commit: [netbsd-7-0] src/sys

2018-12-14 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Dec 14 12:07:54 UTC 2018

Modified Files:
src/sys/compat/linux/common [netbsd-7-0]: linux_misc_notalpha.c
src/sys/kern [netbsd-7-0]: kern_time.c

Log Message:
Additionally pull up following revision(s) (requested by maxv in ticket #1660):

sys/compat/linux/common/linux_misc_notalpha.c: revision 1.110
sys/kern/kern_time.c: revision 1.193

Improve my kern_time.c::rev1.192, systematically clear the buffers we get
from 'ptimer_pool' to prevent more leaks.


To generate a diff of this commit:
cvs rdiff -u -r1.108.34.1 -r1.108.34.1.2.1 \
src/sys/compat/linux/common/linux_misc_notalpha.c
cvs rdiff -u -r1.179.12.2 -r1.179.12.3 src/sys/kern/kern_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_misc_notalpha.c
diff -u src/sys/compat/linux/common/linux_misc_notalpha.c:1.108.34.1 src/sys/compat/linux/common/linux_misc_notalpha.c:1.108.34.1.2.1
--- src/sys/compat/linux/common/linux_misc_notalpha.c:1.108.34.1	Sat Jan 17 12:10:54 2015
+++ src/sys/compat/linux/common/linux_misc_notalpha.c	Fri Dec 14 12:07:54 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_misc_notalpha.c,v 1.108.34.1 2015/01/17 12:10:54 martin Exp $	*/
+/*	$NetBSD: linux_misc_notalpha.c,v 1.108.34.1.2.1 2018/12/14 12:07:54 martin Exp $	*/
 
 /*-
  * Copyright (c) 1995, 1998, 2008 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_misc_notalpha.c,v 1.108.34.1 2015/01/17 12:10:54 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_misc_notalpha.c,v 1.108.34.1.2.1 2018/12/14 12:07:54 martin Exp $");
 
 /*
  * Note that we must NOT include "opt_compat_linux32.h" here,
@@ -161,6 +161,7 @@ linux_sys_alarm(struct lwp *l, const str
 		if (spare == NULL) {
 			mutex_spin_exit(_lock);
 			spare = pool_get(_pool, PR_WAITOK);
+			memset(spare, 0, sizeof(*spare));
 			goto retry;
 		}
 		ptp = spare;
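Review bot: The memset() after pool_get() in linux_sys_alarm() repeats the same two-line pattern added to dosetitimer() in the kern_time.c hunk of this commit and to timer_create1() in the ticket #1660 pull-up further down this page, so every future pool_get() site for this pool has to remember it. The kern_sig.c pull-up on this page (ticket #1661) handles the equivalent problem for sigacts_cache with a zeroing constructor passed to pool_cache_init(), which makes the zeroing a property of the pool rather than of each caller; the same approach would fit here if the pool can be converted. If the per-call memset stays, the first one deserves a comment such as `/* struct ptimer presumably has padding that reaches userland via copyout; clear it */` so the rationale is not lost.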

Index: src/sys/kern/kern_time.c
diff -u src/sys/kern/kern_time.c:1.179.12.2 src/sys/kern/kern_time.c:1.179.12.3
--- src/sys/kern/kern_time.c:1.179.12.2	Thu Nov 29 09:00:14 2018
+++ src/sys/kern/kern_time.c	Fri Dec 14 12:07:54 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_time.c,v 1.179.12.2 2018/11/29 09:00:14 martin Exp $	*/
+/*	$NetBSD: kern_time.c,v 1.179.12.3 2018/12/14 12:07:54 martin Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.2 2018/11/29 09:00:14 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.3 2018/12/14 12:07:54 martin Exp $");
 
 #include 
 #include 
@@ -1126,6 +1126,7 @@ dosetitimer(struct proc *p, int which, s
 		if (spare == NULL) {
 			mutex_spin_exit(_lock);
 			spare = pool_get(_pool, PR_WAITOK);
+			memset(spare, 0, sizeof(*spare));
 			goto retry;
 		}
 		pt = spare;



CVS commit: [netbsd-7-0] src/sys/kern

2018-12-12 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Dec 12 11:37:42 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: sys_sig.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1664):

sys/kern/sys_sig.c: revision 1.47

Fix kernel info leak, 4 bytes of padding in struct _ksiginfo. Maybe we
should just set _pad to zero on LP64?

+ Possible info leak: [len=40, leaked=4]
| #0 0x80baf397 in kleak_copyout
| #1 0x80bda817 in sigtimedwait1
| #2 0x80bdab95 in sys_sigtimedwait50
| #3 0x80259c42 in syscall


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.42.6.1 src/sys/kern/sys_sig.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/sys_sig.c
diff -u src/sys/kern/sys_sig.c:1.42 src/sys/kern/sys_sig.c:1.42.6.1
--- src/sys/kern/sys_sig.c:1.42	Fri Feb 14 16:35:11 2014
+++ src/sys/kern/sys_sig.c	Wed Dec 12 11:37:42 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: sys_sig.c,v 1.42 2014/02/14 16:35:11 christos Exp $	*/
+/*	$NetBSD: sys_sig.c,v 1.42.6.1 2018/12/12 11:37:42 martin Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: sys_sig.c,v 1.42 2014/02/14 16:35:11 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_sig.c,v 1.42.6.1 2018/12/12 11:37:42 martin Exp $");
 
 #include 
 #include 
@@ -759,6 +759,8 @@ sigtimedwait1(struct lwp *l, const struc
 	 */
 	sigminusset(, >l_sigwaitset);
 
+	memset(_info, 0, sizeof(ksi.ksi_info));
+
 	mutex_enter(p->p_lock);
 
 	/* Check for pending signals in the process, if no - then in LWP. */
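Review bot: The new memset() of ksi.ksi_info has no comment tying it to the padding leak described in the log, and the log's own open question (zero only `_pad` on LP64?) suggests the choice was not settled. Clearing the whole of ksi_info rather than a named pad field is the more robust option, because it does not depend on where a given ABI places padding; a comment like `/* ksi_info is copied out to userland; clear it so struct padding never carries stale stack bytes */` would record that reasoning. The memset sits before mutex_enter(p->p_lock), so it is unconditional and presumably precedes whichever path later fills the structure. sigtimedwait1()'s body continues outside the hunk.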



CVS commit: [netbsd-7-0] src/sys/arch/amd64/amd64

2018-12-04 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Dec  4 19:18:12 UTC 2018

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-7-0]: machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1662):

sys/arch/amd64/amd64/machdep.c: revision 1.321

Fix stack info leak. There is a big padding in struct sigframe_siginfo.

[  224.006287] kleak: Possible leak in copyout: [len=920, leaked=92]
[  224.016977] #0 0x80224d0a in kleak_note 
[  224.026268] #1 0x80224d8a in kleak_copyout 
[  224.026268] #2 0x802224b5 in sendsig_siginfo 
[  224.036261] #3 0x80b51564 in sendsig 
[  224.046475] #4 0x80b51282 in postsig 
[  224.046475] #5 0x80b2fc5d in lwp_userret 
[  224.056273] #6 0x8025a951 in mi_userret 
[  224.066277] #7 0x8025ab89 in syscall 


To generate a diff of this commit:
cvs rdiff -u -r1.211.6.2 -r1.211.6.3 src/sys/arch/amd64/amd64/machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/machdep.c
diff -u src/sys/arch/amd64/amd64/machdep.c:1.211.6.2 src/sys/arch/amd64/amd64/machdep.c:1.211.6.3
--- src/sys/arch/amd64/amd64/machdep.c:1.211.6.2	Mon Jan 22 19:40:25 2018
+++ src/sys/arch/amd64/amd64/machdep.c	Tue Dec  4 19:18:12 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.211.6.2 2018/01/22 19:40:25 snj Exp $	*/
+/*	$NetBSD: machdep.c,v 1.211.6.3 2018/12/04 19:18:12 martin Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@@ -111,7 +111,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.211.6.2 2018/01/22 19:40:25 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.211.6.3 2018/12/04 19:18:12 martin Exp $");
 
 /* #define XENDEBUG_LOW  */
 
@@ -570,6 +570,7 @@ sendsig_siginfo(const ksiginfo_t *ksi, c
 	/* Round down the stackpointer to a multiple of 16 for the ABI. */
 	fp = (struct sigframe_siginfo *)(((unsigned long)sp & ~15) - 8);
 
+	memset(, 0, sizeof(frame));
 	frame.sf_ra = (uint64_t)ps->sa_sigdesc[sig].sd_tramp;
 	frame.sf_si._info = ksi->ksi_info;
 	frame.sf_uc.uc_flags = _UC_SIGMASK;
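Review bot: The whole-frame memset() takes over the targeted clearing of sf_uc.uc_stack that the next hunk removes, but nothing in the code says so, and a reader may later add per-field clears back or drop this one as redundant. A comment such as `/* Zero the whole frame: sigframe_siginfo has padding that would otherwise be copied to the user stack (this also covers uc_stack). */` would make the dependency explicit. Zeroing 920 bytes (per the kleak report in the log) on every signal delivery is a measurable but reasonable cost; clearing only the padding runs would be cheaper but fragile. sendsig_siginfo()'s body continues outside both hunks.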
@@ -577,7 +578,6 @@ sendsig_siginfo(const ksiginfo_t *ksi, c
 	frame.sf_uc.uc_link = l->l_ctxlink;
 	frame.sf_uc.uc_flags |= (l->l_sigstk.ss_flags & SS_ONSTACK)
 	? _UC_SETSTACK : _UC_CLRSTACK;
-	memset(_uc.uc_stack, 0, sizeof(frame.sf_uc.uc_stack));
 	sendsig_reset(l, sig);
 
 	mutex_exit(p->p_lock);



CVS commit: [netbsd-7-0] src/sys/kern

2018-11-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Nov 30 10:40:19 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: kern_sig.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1661):

sys/kern/kern_sig.c: revision 1.350

Fix kernel info leak, 4 bytes of padding at the end of struct sigaction.

+ Possible info leak: [len=32, leaked=4]
| #0 0x80baf327 in kleak_copyout
| #1 0x80bd9ca8 in sys___sigaction_sigtramp
| #2 0x80259c42 in syscall


To generate a diff of this commit:
cvs rdiff -u -r1.319.8.1 -r1.319.8.2 src/sys/kern/kern_sig.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_sig.c
diff -u src/sys/kern/kern_sig.c:1.319.8.1 src/sys/kern/kern_sig.c:1.319.8.2
--- src/sys/kern/kern_sig.c:1.319.8.1	Thu Nov  5 09:21:50 2015
+++ src/sys/kern/kern_sig.c	Fri Nov 30 10:40:19 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_sig.c,v 1.319.8.1 2015/11/05 09:21:50 snj Exp $	*/
+/*	$NetBSD: kern_sig.c,v 1.319.8.2 2018/11/30 10:40:19 martin Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.319.8.1 2015/11/05 09:21:50 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_sig.c,v 1.319.8.2 2018/11/30 10:40:19 martin Exp $");
 
 #include "opt_ptrace.h"
 #include "opt_compat_sunos.h"
@@ -191,6 +191,13 @@ signal_listener_cb(kauth_cred_t cred, ka
 	return result;
 }
 
+static int
+sigacts_ctor(void *arg __unused, void *obj, int flags __unused)
+{
+	memset(obj, 0, sizeof(struct sigacts));
+	return 0;
+}
+
 /*
  * signal_init:
  *
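Review bot: sigacts_ctor() zeroes the object only when pool_cache constructs it, and the function carries no comment explaining that it exists to clear struct padding for the copyout named in the log. As far as I know pool_cache recycles objects without re-running the constructor, so the fix relies on nothing ever writing into the padding while an object is in use; that holds for ordinary field assignment but is worth stating, e.g. `/* Zero at construction: struct sigacts has padding that is copied out to userland, and the cache recycles objects without re-running this ctor, so the padding must never be written. */`. The `arg` and `flags` parameters are unused here, which the `__unused` annotations already reflect. The pool_cache_init() wiring is in the next hunk.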
@@ -204,7 +211,7 @@ signal_init(void)
 
 	sigacts_cache = pool_cache_init(sizeof(struct sigacts), 0, 0, 0,
 	"sigacts", sizeof(struct sigacts) > PAGE_SIZE ?
-	_allocator : NULL, IPL_NONE, NULL, NULL, NULL);
+	_allocator : NULL, IPL_NONE, sigacts_ctor, NULL, NULL);
 	ksiginfo_cache = pool_cache_init(sizeof(ksiginfo_t), 0, 0, 0,
 	"ksiginfo", NULL, IPL_VM, NULL, NULL, NULL);
 



CVS commit: [netbsd-7-0] src/sys/kern

2018-11-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Nov 29 09:00:14 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: kern_time.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1660):

sys/kern/kern_time.c: revision 1.192

Fix kernel info leak.

+ Possible info leak: [len=32, leaked=16]
| #0 0x80baf3a7 in kleak_copyout
| #1 0x80b940f8 in sys___timer_settime50
| #2 0x80259c42 in syscall


To generate a diff of this commit:
cvs rdiff -u -r1.179.12.1 -r1.179.12.2 src/sys/kern/kern_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_time.c
diff -u src/sys/kern/kern_time.c:1.179.12.1 src/sys/kern/kern_time.c:1.179.12.2
--- src/sys/kern/kern_time.c:1.179.12.1	Thu Mar  3 15:41:35 2016
+++ src/sys/kern/kern_time.c	Thu Nov 29 09:00:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_time.c,v 1.179.12.1 2016/03/03 15:41:35 martin Exp $	*/
+/*	$NetBSD: kern_time.c,v 1.179.12.2 2018/11/29 09:00:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.1 2016/03/03 15:41:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.179.12.2 2018/11/29 09:00:14 martin Exp $");
 
 #include 
 #include 
@@ -566,6 +566,7 @@ timer_create1(timer_t *tid, clockid_t id
 		pts = timers_alloc(p);
 
 	pt = pool_get(_pool, PR_WAITOK);
+	memset(pt, 0, sizeof(*pt));
 	if (evp != NULL) {
 		if (((error =
 		(*fetch_event)(evp, >pt_ev, sizeof(pt->pt_ev))) != 0) ||



CVS commit: [netbsd-7-0] src/sys/kern

2018-11-28 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Nov 28 19:37:46 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: kern_exec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1658):

sys/kern/kern_exec.c: revision 1.462

Fix stack info leak. There are 2x4 bytes of padding in struct ps_strings.

[  223.896199] kleak: Possible leak in copyout: [len=32, leaked=8]
[  223.906430] #0 0x80224d0a in kleak_note 
[  223.906430] #1 0x80224d8a in kleak_copyout 
[  223.918363] #2 0x80b1e26c in copyoutpsstrs 
[  223.926560] #3 0x80b1e331 in copyoutargs 
[  223.936216] #4 0x80b21768 in execve_runproc 
[  223.946225] #5 0x80b21cc9 in execve1 
[  223.946225] #6 0x8025a89c in sy_call 
[  223.956225] #7 0x8025aace in sy_invoke 
[  223.966232] #8 0x8025ab54 in syscall 


To generate a diff of this commit:
cvs rdiff -u -r1.408.2.3.2.2 -r1.408.2.3.2.3 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.408.2.3.2.2 src/sys/kern/kern_exec.c:1.408.2.3.2.3
--- src/sys/kern/kern_exec.c:1.408.2.3.2.2	Sun Feb 25 21:15:20 2018
+++ src/sys/kern/kern_exec.c	Wed Nov 28 19:37:46 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_exec.c,v 1.408.2.3.2.2 2018/02/25 21:15:20 snj Exp $	*/
+/*	$NetBSD: kern_exec.c,v 1.408.2.3.2.3 2018/11/28 19:37:46 martin Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.408.2.3.2.2 2018/02/25 21:15:20 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.408.2.3.2.3 2018/11/28 19:37:46 martin Exp $");
 
 #include "opt_exec.h"
 #include "opt_execfmt.h"
@@ -1391,6 +1391,8 @@ copyoutargs(struct execve_data * restric
 	struct proc		*p = l->l_proc;
 	int			error;
 
+	memset(>ed_arginfo, 0, sizeof(data->ed_arginfo));
+
 	/* remember information about the process */
 	data->ed_arginfo.ps_nargvstr = data->ed_argc;
 	data->ed_arginfo.ps_nenvstr = data->ed_envc;



CVS commit: [netbsd-7-0] src/sys/net

2018-11-28 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Nov 28 16:32:14 UTC 2018

Modified Files:
src/sys/net [netbsd-7-0]: rtsock.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1657):

sys/net/rtsock.c: revision 1.244 (adapted)

Fix kernel info leak. There are 2 bytes of padding in struct if_msghdr.
[  944.607323] kleak: Possible leak in copyout: [len=176, leaked=2]
[  944.617335] #0 0x80b7c44a in kleak_note 
[  944.627332] #1 0x80b7c4ca in kleak_copyout 
[  944.627332] #2 0x80c91698 in sysctl_iflist_if 
[  944.637336] #3 0x80c91d3c in sysctl_iflist 
[  944.647343] #4 0x80c93855 in sysctl_rtable 
[  944.647343] #5 0x80b5b328 in sysctl_dispatch 
[  944.657346] #6 0x80b5b62e in sys___sysctl 
[  944.667354] #7 0x8025ab3c in sy_call 
[  944.667354] #8 0x8025ad6e in sy_invoke 
[  944.677365] #9 0x8025adf4 in syscall 


To generate a diff of this commit:
cvs rdiff -u -r1.163 -r1.163.4.1 src/sys/net/rtsock.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/rtsock.c
diff -u src/sys/net/rtsock.c:1.163 src/sys/net/rtsock.c:1.163.4.1
--- src/sys/net/rtsock.c:1.163	Sat Aug  9 05:33:01 2014
+++ src/sys/net/rtsock.c	Wed Nov 28 16:32:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: rtsock.c,v 1.163 2014/08/09 05:33:01 rtr Exp $	*/
+/*	$NetBSD: rtsock.c,v 1.163.4.1 2018/11/28 16:32:14 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.163 2014/08/09 05:33:01 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.163.4.1 2018/11/28 16:32:14 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -968,7 +968,7 @@ again:
 			if (rw->w_tmemsize < len) {
 if (rw->w_tmem)
 	free(rw->w_tmem, M_RTABLE);
-rw->w_tmem = malloc(len, M_RTABLE, M_NOWAIT);
+rw->w_tmem = malloc(len, M_RTABLE, M_NOWAIT|M_ZERO);
 if (rw->w_tmem)
 	rw->w_tmemsize = len;
 else
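Review bot: M_ZERO only clears w_tmem at allocation time, yet the surrounding code reuses the buffer whenever `rw->w_tmemsize >= len`, so the second and later messages built into it start from whatever the previous message left behind. If messages of different types (with padding at different offsets) share the buffer — which the sysctl_iflist()/sysctl_rtable() call chain in the log suggests — a later message's padding can contain bytes of an earlier one, and the leak is narrowed rather than closed. Unless the message-building code already clears the header region before filling it (not visible in this hunk), a memset of `len` bytes at the point the message is written would be the robust fix; the same caveat applies to the sysctl_rtable() hunk below. Both hunks sit inside functions whose bodies continue outside the diff.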
@@ -1398,7 +1398,7 @@ sysctl_rtable(SYSCTLFN_ARGS)
 again:
 	/* we may return here if a later [re]alloc of the t_mem buffer fails */
 	if (w.w_tmemneeded) {
-		w.w_tmem = malloc(w.w_tmemneeded, M_RTABLE, M_WAITOK);
+		w.w_tmem = malloc(w.w_tmemneeded, M_RTABLE, M_WAITOK|M_ZERO);
 		w.w_tmemsize = w.w_tmemneeded;
 		w.w_tmemneeded = 0;
 	}



CVS commit: [netbsd-7-0] src/sys/compat/netbsd32

2018-11-21 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Nov 21 14:13:47 UTC 2018

Modified Files:
src/sys/compat/netbsd32 [netbsd-7-0]: netbsd32_socket.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1652):

sys/compat/netbsd32/netbsd32_socket.c: revision 1.48 (via patch)

Fix inverted logic, which leads to buffer overflow. Detected by kASan.


To generate a diff of this commit:
cvs rdiff -u -r1.41.14.1 -r1.41.14.1.2.1 \
src/sys/compat/netbsd32/netbsd32_socket.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_socket.c
diff -u src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1 src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1.2.1
--- src/sys/compat/netbsd32/netbsd32_socket.c:1.41.14.1	Sat Aug  8 15:41:54 2015
+++ src/sys/compat/netbsd32/netbsd32_socket.c	Wed Nov 21 14:13:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_socket.c,v 1.41.14.1 2015/08/08 15:41:54 martin Exp $	*/
+/*	$NetBSD: netbsd32_socket.c,v 1.41.14.1.2.1 2018/11/21 14:13:47 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41.14.1 2015/08/08 15:41:54 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_socket.c,v 1.41.14.1.2.1 2018/11/21 14:13:47 martin Exp $");
 
 #include 
 #include 
@@ -99,7 +99,7 @@ copyout32_msg_control_mbuf(struct lwp *l
 		}
 
 		ktrkuser("msgcontrol", cmsg, cmsg->cmsg_len);
-		error = copyout(, *q, MAX(i, sizeof(cmsg32)));
+		error = copyout(, *q, MIN(i, sizeof(cmsg32)));
 		if (error)
 			return (error);
 		if (i > CMSG32_LEN(0)) {
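Review bot: The MIN() bound now stops copyout() from reading past the local `cmsg32` when `i` exceeds its size, but the other direction — `i` smaller than sizeof(cmsg32) — would copy a truncated header to userland, and the hunk does not show where `i` is established. If `i` is always at least CMSG32_LEN(0), as the comparison two lines below hints, a `KASSERT(i >= CMSG32_LEN(0));` or a comment `/* i >= CMSG32_LEN(0): the converted header is always copied whole */` would document the invariant; if it can be smaller, the truncated copy deserves an explicit error path. copyout32_msg_control_mbuf()'s body continues outside the hunk.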



CVS commit: [netbsd-7-0] src/sys/kern

2018-11-21 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Nov 21 12:14:30 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: kern_event.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1653):

sys/kern/kern_event.c: revision 1.104

Fix kernel info leak. There are 4 bytes of padding in struct kevent.
[  287.537676] kleak: Possible leak in copyout: [len=40, leaked=4]
[  287.537676] #0 0x80b7c41a in kleak_note 
[  287.547673] #1 0x80b7c49a in kleak_copyout 
[  287.557677] #2 0x80b1d32d in kqueue_scan.isra.1.constprop.2 
[  287.557677] #3 0x80b1dc6a in kevent1 
[  287.567683] #4 0x80b1dcb0 in sys___kevent50 
[  287.567683] #5 0x8025ab3c in sy_call 
[  287.577688] #6 0x8025ad6e in sy_invoke 
[  287.587693] #7 0x8025adf4 in syscall 


To generate a diff of this commit:
cvs rdiff -u -r1.80.2.1.2.1 -r1.80.2.1.2.2 src/sys/kern/kern_event.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_event.c
diff -u src/sys/kern/kern_event.c:1.80.2.1.2.1 src/sys/kern/kern_event.c:1.80.2.1.2.2
--- src/sys/kern/kern_event.c:1.80.2.1.2.1	Sat Jul  8 16:51:56 2017
+++ src/sys/kern/kern_event.c	Wed Nov 21 12:14:29 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_event.c,v 1.80.2.1.2.1 2017/07/08 16:51:56 snj Exp $	*/
+/*	$NetBSD: kern_event.c,v 1.80.2.1.2.2 2018/11/21 12:14:29 martin Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -58,7 +58,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_event.c,v 1.80.2.1.2.1 2017/07/08 16:51:56 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_event.c,v 1.80.2.1.2.2 2018/11/21 12:14:29 martin Exp $");
 
 #include 
 #include 
@@ -584,6 +584,7 @@ filt_proc(struct knote *kn, long hint)
 		 * event with the parent's pid.  Register knote with new
 		 * process.
 		 */
+		memset(, 0, sizeof(kev));
 		kev.ident = hint & NOTE_PDATAMASK;	/* pid */
 		kev.filter = kn->kn_filter;
 		kev.flags = kn->kn_flags | EV_ADD | EV_ENABLE | EV_FLAG1;



CVS commit: [netbsd-7-0] src/sys/netinet6

2018-08-14 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Aug 14 14:36:37 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: frag6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1630):

sys/netinet6/frag6.c: revision 1.64

Kick zero-sized fragments. We can't allow them to enter; two fragments
could be put at the same offset.


To generate a diff of this commit:
cvs rdiff -u -r1.55.6.2 -r1.55.6.3 src/sys/netinet6/frag6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55.6.2 src/sys/netinet6/frag6.c:1.55.6.3
--- src/sys/netinet6/frag6.c:1.55.6.2	Thu Apr  5 11:53:02 2018
+++ src/sys/netinet6/frag6.c	Tue Aug 14 14:36:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55.6.2 2018/04/05 11:53:02 martin Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.6.3 2018/08/14 14:36:37 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.2 2018/04/05 11:53:02 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.3 2018/08/14 14:36:37 martin Exp $");
 
 #include 
 #include 
@@ -152,13 +152,14 @@ frag6_input(struct mbuf **mp, int *offp,
 	}
 
 	/*
-	 * check whether fragment packet's fragment length is
+	 * Check whether fragment packet's fragment length is non-zero and
 	 * multiple of 8 octets.
 	 * sizeof(struct ip6_frag) == 8
 	 * sizeof(struct ip6_hdr) = 40
 	 */
 	if ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) &&
-	(((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) {
+	(((ntohs(ip6->ip6_plen) - offset) == 0) ||
+	 ((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) {
 		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
 		offsetof(struct ip6_hdr, ip6_plen));
 		in6_ifstat_inc(dstifp, ifs6_reass_fail);
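Review bot: The expression `ntohs(ip6->ip6_plen) - offset` is now evaluated three times in one condition, which makes the new zero-length test hard to read and easy to let drift from the alignment test. Hoisting it once, e.g. `int fraglen = ntohs(ip6->ip6_plen) - offset;` followed by `if ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) && (fraglen == 0 || (fraglen & 0x7) != 0)) {`, keeps both checks visibly about the same quantity. Both checks are gated on IP6F_MORE_FRAG, so a zero-length final fragment is still accepted; whether that case can also place two fragments at the same offset, as the log describes, is not decided by this hunk and may merit a follow-up comment. frag6_input()'s body continues outside the hunk.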



CVS commit: [netbsd-7-0] src/sys/netinet

2018-06-06 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jun  7 05:03:26 UTC 2018

Modified Files:
src/sys/netinet [netbsd-7-0]: udp_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1607):

sys/netinet/udp_usrreq.c: revision 1.237 (via patch)

Fix three pretty bad mistakes in NAT-T:

 * If we got a keepalive packet, we need to call m_freem, not m_free.
   Here the next mbufs in the chain are not freed. Seems easy to remotely
   DoS the system by sending fragmented keepalives in a loop.

 * If !ipsec_used, free the mbuf.

 * In udp_input, we need to update 'uh', because udp4_realinput may have
   modified the chain. Perhaps we also need to re-enforce alignment, so
   add an XXX.


To generate a diff of this commit:
cvs rdiff -u -r1.217 -r1.217.6.1 src/sys/netinet/udp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/udp_usrreq.c
diff -u src/sys/netinet/udp_usrreq.c:1.217 src/sys/netinet/udp_usrreq.c:1.217.6.1
--- src/sys/netinet/udp_usrreq.c:1.217	Sat Aug  9 05:33:01 2014
+++ src/sys/netinet/udp_usrreq.c	Thu Jun  7 05:03:26 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.217 2014/08/09 05:33:01 rtr Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.217.6.1 2018/06/07 05:03:26 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,7 +66,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.217 2014/08/09 05:33:01 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.217.6.1 2018/06/07 05:03:26 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -395,7 +395,15 @@ udp_input(struct mbuf *m, ...)
 		 */
 		return;
 	}
+
 	ip = mtod(m, struct ip *);
+	IP6_EXTHDR_GET(uh, struct udphdr *, m, iphlen, sizeof(struct udphdr));
+	if (uh == NULL) {
+		UDP_STATINC(UDP_STAT_HDROPS);
+		return;
+	}
+	/* XXX Re-enforce alignment? */
+
 #ifdef INET6
 	if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) {
 		struct sockaddr_in6 src6, dst6;
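Review bot: The `/* XXX Re-enforce alignment? */` marker added after IP6_EXTHDR_GET() leaves the actual risk unstated: IP6_EXTHDR_GET() guarantees that the UDP header is contiguous, not that `uh` is aligned, so on strict-alignment architectures a chain rewritten by udp4_realinput() could make later `uh->` accesses fault. The comment should say that much, e.g. `/* XXX IP6_EXTHDR_GET() ensures contiguity only; if udp4_realinput() can return an unaligned chain, uh must be re-aligned before its fields are read below. */`. Returning without freeing `m` on the NULL path is consistent with IP6_EXTHDR_GET() having released the mbuf on failure, which I believe is its contract, but a one-line comment confirming that would save the next reader the lookup. udp_input()'s body continues outside the hunk.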
@@ -1301,7 +1309,7 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	/* Ignore keepalive packets */
 	if ((len == 1) && (*(unsigned char *)data == 0xff)) {
-		m_free(m);
+		m_freem(m);
 		*mp = NULL; /* avoid any further processiong by caller ... */
 		return 1;
 	}
@@ -1383,7 +1391,8 @@ udp4_espinudp(struct mbuf **mp, int off,
 #ifdef IPSEC
 	if (ipsec_used)
 		ipsec4_common_input(m, iphdrlen, IPPROTO_ESP);
-	/* XXX: else */
+	else
+		m_freem(m);
 #else
 	esp4_input(m, iphdrlen);
 #endif



CVS commit: [netbsd-7-0] src/sys/kern

2018-05-22 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue May 22 17:38:05 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: uipc_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1606):

sys/kern/uipc_mbuf.c: revision 1.214

Revert my rev1.190, remove the M_READONLY check. The initial code was
correct: what is read-only is the mbuf storage, not the mbuf itself. The
storage contains the packet payload, and never has anything related to
mbufs. So it is fine to remove M_PKTHDR on mbufs that have a read-only
storage.

In fact it was kind of obvious, since several places already manually
remove M_PKTHDR without taking care of the external storage.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1.2.3 -r1.158.4.1.2.4 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1.2.3 src/sys/kern/uipc_mbuf.c:1.158.4.1.2.4
--- src/sys/kern/uipc_mbuf.c:1.158.4.1.2.3	Tue May 15 04:48:16 2018
+++ src/sys/kern/uipc_mbuf.c	Tue May 22 17:38:05 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.3 2018/05/15 04:48:16 martin Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.4 2018/05/22 17:38:05 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.3 2018/05/15 04:48:16 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.4 2018/05/22 17:38:05 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -458,11 +458,6 @@ m_pkthdr_remove(struct mbuf *m)
 {
 	KASSERT(m->m_flags & M_PKTHDR);
 
-	if (M_READONLY(m)) {
-		/* Nothing we can do. */
-		return;
-	}
-
 	m_tag_delete_chain(m, NULL);
 	m->m_flags &= ~M_PKTHDR;
 	memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));



CVS commit: [netbsd-7-0] src/sys/kern

2018-05-14 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue May 15 04:48:16 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: uipc_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1602):

sys/kern/uipc_mbuf.c: revision 1.211 (via patch)

Modify m_defrag, so that it never frees the first mbuf of the chain. While
here use the given 'flags' argument, and not M_DONTWAIT.

We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.

This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).

Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.

It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1.2.2 -r1.158.4.1.2.3 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1.2.2 src/sys/kern/uipc_mbuf.c:1.158.4.1.2.3
--- src/sys/kern/uipc_mbuf.c:1.158.4.1.2.2	Tue Apr 17 08:30:08 2018
+++ src/sys/kern/uipc_mbuf.c	Tue May 15 04:48:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.2 2018/04/17 08:30:08 martin Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.3 2018/05/15 04:48:16 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.2 2018/04/17 08:30:08 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.3 2018/05/15 04:48:16 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -1376,30 +1376,35 @@ m_makewritable(struct mbuf **mp, int off
 }
 
 /*
- * Copy the mbuf chain to a new mbuf chain that is as short as possible.
- * Return the new mbuf chain on success, NULL on failure.  On success,
- * free the old mbuf chain.
+ * Compress the mbuf chain. Return the new mbuf chain on success, NULL on
+ * failure. The first mbuf is preserved, and on success the pointer returned
+ * is the same as the one passed.
  */
 struct mbuf *
 m_defrag(struct mbuf *mold, int flags)
 {
 	struct mbuf *m0, *mn, *n;
-	size_t sz = mold->m_pkthdr.len;
+	int sz;
 
 #ifdef DIAGNOSTIC
 	if ((mold->m_flags & M_PKTHDR) == 0)
 		panic("m_defrag: not a mbuf chain header");
 #endif
 
-	m0 = m_gethdr(flags, MT_DATA);
+	if (mold->m_next == NULL)
+		return mold;
+
+	m0 = m_get(flags, MT_DATA);
 	if (m0 == NULL)
 		return NULL;
-	M_COPY_PKTHDR(m0, mold);
 	mn = m0;
 
+	sz = mold->m_pkthdr.len - mold->m_len;
+	KASSERT(sz >= 0);
+
 	do {
-		if (sz > MHLEN) {
-			MCLGET(mn, M_DONTWAIT);
+		if (sz > MLEN) {
+			MCLGET(mn, flags);
 			if ((mn->m_flags & M_EXT) == 0) {
 m_freem(m0);
 return NULL;
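Review bot: The new header comment states that the first mbuf is preserved and the same pointer is returned on success, but not the failure-side property the drivers mentioned in the log depend on: every error path in these hunks does `m_freem(m0); return NULL;` without touching `mold`, so on failure the original chain is intact and still owned by the caller. That guarantee belongs in the comment, e.g. appending `On failure the original chain is left untouched and still belongs to the caller.` to the existing text, since it is the whole reason for the rewrite. Note also that when `mold->m_next` is non-NULL but all payload sits in the first mbuf, `sz` appears to be 0 and the do/while still links one empty mbuf after `mold`; harmless, but an early `if (sz == 0)` path that just frees the tail would be cleaner. The loop body and its remaining error paths continue in the two hunks below.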
@@ -1415,7 +1420,7 @@ m_defrag(struct mbuf *mold, int flags)
 
 		if (sz > 0) {
 			/* need more mbufs */
-			n = m_get(M_NOWAIT, MT_DATA);
+			n = m_get(flags, MT_DATA);
 			if (n == NULL) {
 m_freem(m0);
 return NULL;
@@ -1426,9 +1431,10 @@ m_defrag(struct mbuf *mold, int flags)
 		}
 	} while (sz > 0);
 
-	m_freem(mold);
+	m_freem(mold->m_next);
+	mold->m_next = m0;
 
-	return m0;
+	return mold;
 }
 
 int



CVS commit: [netbsd-7-0] src/sys/net/npf

2018-05-14 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon May 14 19:03:48 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7-0]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.6.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.32 -r1.32.6.1 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_alg_icmp.c
diff -u src/sys/net/npf/npf_alg_icmp.c:1.23 src/sys/net/npf/npf_alg_icmp.c:1.23.6.1
--- src/sys/net/npf/npf_alg_icmp.c:1.23	Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_alg_icmp.c	Mon May 14 19:03:48 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg_icmp.c,v 1.23 2014/07/20 00:37:41 rmind Exp $	*/
+/*	$NetBSD: npf_alg_icmp.c,v 1.23.6.1 2018/05/14 19:03:48 martin Exp $	*/
 
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.23 2014/07/20 00:37:41 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.23.6.1 2018/05/14 19:03:48 martin Exp $");
 
 #include 
 #include 
@@ -118,13 +118,15 @@ npfa_icmp_match(npf_cache_t *npc, npf_na
 /*
  * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query
  * ID or TCP/UDP ports of the original packet, which is embedded.
+ *
+ * => Sets hasqid=true if the packet has a Query Id. In this case neither
+ *the nbuf nor npc is touched.
  */
 
 static bool
-npfa_icmp4_inspect(const int type, npf_cache_t *npc)
+npfa_icmp4_inspect(const int type, npf_cache_t *npc, bool *hasqid)
 {
 	nbuf_t *nbuf = npc->npc_nbuf;
-	u_int offby;
 
 	/* Per RFC 792. */
 	switch (type) {
@@ -148,12 +150,8 @@ npfa_icmp4_inspect(const int type, npf_c
 	case ICMP_TSTAMPREPLY:
 	case ICMP_IREQ:
 	case ICMP_IREQREPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp, icmp_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -162,10 +160,9 @@ npfa_icmp4_inspect(const int type, npf_c
 }
 
 static bool
-npfa_icmp6_inspect(const int type, npf_cache_t *npc)
+npfa_icmp6_inspect(const int type, npf_cache_t *npc, bool *hasqid)
 {
 	nbuf_t *nbuf = npc->npc_nbuf;
-	u_int offby;
 
 	/* Per RFC 4443. */
 	switch (type) {
@@ -184,12 +181,8 @@ npfa_icmp6_inspect(const int type, npf_c
 
 	case ICMP6_ECHO_REQUEST:
 	case ICMP6_ECHO_REPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp6_hdr, icmp6_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -200,13 +193,13 @@ npfa_icmp6_inspect(const int type, npf_c
 /*
  * npfa_icmp_inspect: ALG ICMP inspector.
  *
- * => Returns true if "enpc" is filled.
+ * => Returns false if there is a problem with the format.
  */
 static bool
 npfa_icmp_inspect(npf_cache_t *npc, npf_cache_t *enpc)
 {
 	nbuf_t *nbuf = npc->npc_nbuf;
-	bool ret;
+	bool ret, hasqid = false;
 
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	KASSERT(npf_iscached(npc, NPC_ICMP));
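Review bot: The rewritten header comment says only when npfa_icmp_inspect() returns false; the information the removed line carried — when `enpc` is actually filled — is gone, and the new `hasqid` local suggests it now depends on the Query-Id case. Based on the log message (a Query-Id packet sets NPC_ICMP_ID and returns without touching enpc), I'd add a second line, `=> "enpc" is filled only when the packet has no Query Id.`, but the exact condition should be confirmed against the body, which continues outside the hunk.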
@@ -225,10 +218,10 @@ npfa_icmp_inspect(npf_cache_t *npc, npf_
 	 */
 	if (npf_iscached(npc, NPC_IP4)) {
 		

CVS commit: [netbsd-7-0] src/sys/netipsec

2018-05-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu May  3 14:49:50 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-7-0]: ipsec_output.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1600):

sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.40.8.1 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.40 src/sys/netipsec/ipsec_output.c:1.40.8.1
--- src/sys/netipsec/ipsec_output.c:1.40	Sun Nov  3 18:37:10 2013
+++ src/sys/netipsec/ipsec_output.c	Thu May  3 14:49:50 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.40 2013/11/03 18:37:10 mrg Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.40.8.1 2018/05/03 14:49:50 martin Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.40 2013/11/03 18:37:10 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.40.8.1 2018/05/03 14:49:50 martin Exp $");
 
 /*
  * IPsec output processing.
@@ -624,7 +624,7 @@ bad:
 #endif
 
 #ifdef INET6
-static void
+static int
 compute_ipsec_pos(struct mbuf *m, int *i, int *off)
 {
 	int nxt;
@@ -641,7 +641,11 @@ compute_ipsec_pos(struct mbuf *m, int *i
 	 * put AH/ESP/IPcomp header.
 	 *  IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
 	 */
-	do {
+	while (1) {
+		if (*i + sizeof(ip6e) > m->m_pkthdr.len) {
+			return EINVAL;
+		}
+
 		switch (nxt) {
 		case IPPROTO_AH:
 		case IPPROTO_ESP:
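Review bot: The new length check sits before the `switch`, so it is applied even when `nxt` is AH/ESP or a protocol handled by `default:`, where no read of `ip6e` follows; assuming `*i` starts at the end of the fixed header (its initialisation is outside the hunk), a packet whose last header ends exactly at the end of the packet — no payload after a final extension header, or an empty no-next-header packet — now fails with EINVAL where the old `while (*i < m->m_pkthdr.len)` exit returned normally. Only the HOPOPTS/DSTOPTS branch reads `ip6e`, so the check belongs inside that branch immediately before its `m_copydata()` call, leaving the other cases unchanged. Also, `*i` is `int` while `sizeof(ip6e)` is `size_t`, so the comparison is performed unsigned; `if (m->m_pkthdr.len - *i < (int)sizeof(ip6e))` keeps it signed. The loop body continues in the following hunks.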
@@ -650,7 +654,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should not skip security header added
 		 * beforehand.
 		 */
-			return;
+			return 0;
 
 		case IPPROTO_HOPOPTS:
 		case IPPROTO_DSTOPTS:
@@ -660,7 +664,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should stop there.
 		 */
 			if (nxt == IPPROTO_DSTOPTS && dstopt)
-return;
+return 0;
 
 			if (nxt == IPPROTO_DSTOPTS) {
 /*
@@ -680,16 +684,14 @@ compute_ipsec_pos(struct mbuf *m, int *i
 			m_copydata(m, *i, sizeof(ip6e), );
 			nxt = ip6e.ip6e_nxt;
 			*off = *i + offsetof(struct ip6_ext, ip6e_nxt);
-			/*
-			 * we will never see nxt == IPPROTO_AH
-			 * so it is safe to omit AH case.
-			 */
 			*i += (ip6e.ip6e_len + 1) << 3;
 			break;
 		default:
-			return;
+			return 0;
 		}
-	} while (*i < m->m_pkthdr.len);
+	}
+
+	return 0;
 }
 
 static int
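Review bot: The trailing `return 0;` after the `while (1)` loop is unreachable: every path out of the loop is a `return` inside the `switch`, so the statement only exists to satisfy compilers that cannot prove that. Marking it with the BSD convention, `/* NOTREACHED */` on the line above, tells the reader (and lint) that this is deliberate rather than a forgotten exit path.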
@@ -791,7 +793,9 @@ ipsec6_process_packet(
 		i = ip->ip_hl << 2;
 		off = offsetof(struct ip, ip_p);
 	} else {	
-		compute_ipsec_pos(m, , );
+		error = compute_ipsec_pos(m, , );
+		if (error)
+			goto bad;
 	}
 	error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
 	splx(s);
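Review bot: The new `goto bad` leaves ipsec6_process_packet() while the priority level raised for this section still appears to be held: the success path calls `splx(s)` right after `xf_output`, but nothing lowers it before the jump. Unless the `bad:` label (outside the hunk) restores it, this is an spl leak of the kind two other pull-ups in this batch fix; `if (error) { splx(s); goto bad; }` would close it. Where `s` is raised is not visible here, so confirm against the full function.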



CVS commit: [netbsd-7-0] src/sys/netipsec

2018-04-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Apr 17 15:38:57 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-7-0]: ipsec_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1599):

sys/netipsec/ipsec_mbuf.c: revision 1.23,1.24 (via patch)

Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
should, but it looks like there are several places that can put M_PKTHDR
on secondary mbufs (PR/53189), so drop this assumption right now to
prevent further bugs.

The check is replaced by (m1 != m), which is equivalent to the previous
code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
m_adj().

Fix a pretty bad mistake, that has always been there.

m_adj(m1, -(m1->m_len - roff));
if (m1 != m)
m->m_pkthdr.len -= (m1->m_len - roff);

This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.

Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.34.1 src/sys/netipsec/ipsec_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_mbuf.c
diff -u src/sys/netipsec/ipsec_mbuf.c:1.12 src/sys/netipsec/ipsec_mbuf.c:1.12.34.1
--- src/sys/netipsec/ipsec_mbuf.c:1.12	Mon May 16 10:05:23 2011
+++ src/sys/netipsec/ipsec_mbuf.c	Tue Apr 17 15:38:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $	*/
+/*	$NetBSD: ipsec_mbuf.c,v 1.12.34.1 2018/04/17 15:38:57 martin Exp $	*/
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
  * All rights reserved.
@@ -28,7 +28,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12.34.1 2018/04/17 15:38:57 martin Exp $");
 
 /*
  * IPsec-specific mbuf routines.
@@ -407,10 +407,11 @@ m_striphdr(struct mbuf *m, int skip, int
 		/* The header was at the beginning of the mbuf */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_FRONT);
 		m_adj(m1, hlen);
-		if ((m1->m_flags & M_PKTHDR) == 0)
+		if (m1 != m)
 			m->m_pkthdr.len -= hlen;
 	} else if (roff + hlen >= m1->m_len) {
 		struct mbuf *mo;
+		int adjlen;
 
 		/*
 		 * Part or all of the header is at the end of this mbuf,
@@ -419,11 +420,13 @@ m_striphdr(struct mbuf *m, int skip, int
 		 */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_END);
 		if (roff + hlen > m1->m_len) {
+			adjlen = roff + hlen - m1->m_len;
+
 			/* Adjust the next mbuf by the remainder */
-			m_adj(m1->m_next, roff + hlen - m1->m_len);
+			m_adj(m1->m_next, adjlen);
 
 			/* The second mbuf is guaranteed not to have a pkthdr... */
-			m->m_pkthdr.len -= (roff + hlen - m1->m_len);
+			m->m_pkthdr.len -= adjlen;
 		}
 
 		/* Now, let's unlink the mbuf chain for a second...*/
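Review bot: The comment `/* The second mbuf is guaranteed not to have a pkthdr... */` now asserts exactly the assumption this commit stops relying on (see the log message and the new `m1 != m` checks), so it misleads next to the `adjlen` code. The length is adjusted by hand here because `m1->m_next` can never be the head mbuf `m`; I'd reword it as `/* m1->m_next is not the head mbuf m, so fix up m_pkthdr.len by hand */`.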
@@ -431,9 +434,10 @@ m_striphdr(struct mbuf *m, int skip, int
 		m1->m_next = NULL;
 
 		/* ...and trim the end of the first part of the chain...sick */
-		m_adj(m1, -(m1->m_len - roff));
-		if ((m1->m_flags & M_PKTHDR) == 0)
-			m->m_pkthdr.len -= (m1->m_len - roff);
+		adjlen = m1->m_len - roff;
+		m_adj(m1, -adjlen);
+		if (m1 != m)
+			m->m_pkthdr.len -= adjlen;
 
 		/* Finally, let's relink */
 		m1->m_next = mo;



CVS commit: [netbsd-7-0] src/sys/kern

2018-04-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Apr 17 08:30:08 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: uipc_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1598):

sys/kern/uipc_mbuf.c: revision 1.190

If the mbuf is shared leave M_PKTHDR in place. Given where this function
is called from that's not supposed to happen, but I'm growing unconfident
about our mbuf code.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1.2.1 -r1.158.4.1.2.2 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1.2.1 src/sys/kern/uipc_mbuf.c:1.158.4.1.2.2
--- src/sys/kern/uipc_mbuf.c:1.158.4.1.2.1	Thu Apr  5 11:53:02 2018
+++ src/sys/kern/uipc_mbuf.c	Tue Apr 17 08:30:08 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.1 2018/04/05 11:53:02 martin Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.2 2018/04/17 08:30:08 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.1 2018/04/05 11:53:02 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.2 2018/04/17 08:30:08 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -458,6 +458,11 @@ m_pkthdr_remove(struct mbuf *m)
 {
 	KASSERT(m->m_flags & M_PKTHDR);
 
+	if (M_READONLY(m)) {
+		/* Nothing we can do. */
+		return;
+	}
+
 	m_tag_delete_chain(m, NULL);
 	m->m_flags &= ~M_PKTHDR;
 	memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));
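Review bot: The early return on `M_READONLY(m)` is silent: the caller asked for M_PKTHDR to be cleared and gets back an mbuf that still carries it — the state the #1594 pull-up introduced this function to eliminate — and `/* Nothing we can do. */` does not say so. Since the log message calls this case unexpected, it should be visible when it happens: at least a comment stating the consequence, e.g. `/* Shared mbuf: cannot clear the header; caller keeps a secondary M_PKTHDR. */`, and preferably an assertion or statistics counter so that it is noticed in testing.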



CVS commit: [netbsd-7-0] src/sys/arch/amiga/amiga

2018-04-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Apr  9 13:31:26 UTC 2018

Modified Files:
src/sys/arch/amiga/amiga [netbsd-7-0]: cc.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1597):
sys/arch/amiga/amiga/cc.c: revision 1.27
spl leak, found by mootja


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.8.1 src/sys/arch/amiga/amiga/cc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amiga/amiga/cc.c
diff -u src/sys/arch/amiga/amiga/cc.c:1.26 src/sys/arch/amiga/amiga/cc.c:1.26.8.1
--- src/sys/arch/amiga/amiga/cc.c:1.26	Wed Jan 22 00:25:16 2014
+++ src/sys/arch/amiga/amiga/cc.c	Mon Apr  9 13:31:26 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cc.c,v 1.26 2014/01/22 00:25:16 christos Exp $	*/
+/*	$NetBSD: cc.c,v 1.26.8.1 2018/04/09 13:31:26 martin Exp $	*/
 
 /*
  * Copyright (c) 1994 Christian E. Hopps
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.26 2014/01/22 00:25:16 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.26.8.1 2018/04/09 13:31:26 martin Exp $");
 
 #include 
 #include 
@@ -503,8 +503,10 @@ alloc_chipmem(u_long size)
 		if (size <= mn->size)
 			break;
 
-	if (mn == NULL)
+	if (mn == NULL) {
+		splx(s);
 		return NULL;
+	}
 
 	if ((mn->size - size) <= sizeof (*mn)) {
 		/*



CVS commit: [netbsd-7-0] src/sys

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:53:03 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: uipc_mbuf.c
src/sys/netinet [netbsd-7-0]: ip_reass.c
src/sys/netinet6 [netbsd-7-0]: frag6.c
src/sys/sys [netbsd-7-0]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.

So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.


To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.1.2.1 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.8.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155 -r1.155.4.1 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.158.4.1 src/sys/kern/uipc_mbuf.c:1.158.4.1.2.1
--- src/sys/kern/uipc_mbuf.c:1.158.4.1	Mon Feb  9 09:46:01 2015
+++ src/sys/kern/uipc_mbuf.c	Thu Apr  5 11:53:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.1 2018/04/05 11:53:02 martin Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1 2015/02/09 09:46:01 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.158.4.1.2.1 2018/04/05 11:53:02 martin Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_nmbclusters.h"
@@ -453,6 +453,16 @@ mb_ctor(void *arg, void *object, int fla
 	return (0);
 }
 
+void
+m_pkthdr_remove(struct mbuf *m)
+{
+	KASSERT(m->m_flags & M_PKTHDR);
+
+	m_tag_delete_chain(m, NULL);
+	m->m_flags &= ~M_PKTHDR;
+	memset(>m_pkthdr, 0, sizeof(m->m_pkthdr));
+}
+
 /*
  * Add mbuf to the end of a chain
  */
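Review bot: m_pkthdr_remove() is added without the block comment its neighbours carry (`/* * Add mbuf to the end of a chain */` follows immediately), and its contract deserves stating because deleting the m_tag chain is a side effect a caller may not expect. I'd add a comment above it saying that it turns a packet-header mbuf into a plain one for appending to another chain, deletes every attached m_tag, zeroes m_pkthdr, and requires M_PKTHDR to be set — checked only under DIAGNOSTIC by the KASSERT.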

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.9 src/sys/netinet/ip_reass.c:1.9.8.1
--- src/sys/netinet/ip_reass.c:1.9	Tue Feb 25 18:30:12 2014
+++ src/sys/netinet/ip_reass.c	Thu Apr  5 11:53:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.9.8.1 2018/04/05 11:53:02 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9 2014/02/25 18:30:12 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.9.8.1 2018/04/05 11:53:02 martin Exp $");
 
 #include 
 #include 
@@ -393,6 +393,7 @@ insert:
 		t = q->ipqe_m;
 		nq = TAILQ_NEXT(q, ipqe_q);
 		pool_cache_put(ipfren_cache, q);
+		m_pkthdr_remove(t);
 		m_cat(m, t);
 	}
 
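Review bot: m_pkthdr_remove(t) asserts M_PKTHDR, and that assertion is compiled out in non-DIAGNOSTIC kernels; every queued fragment `t` presumably entered the queue as a packet head, but nothing at this call site states or checks that. If the invariant cannot be guaranteed, `if (t->m_flags & M_PKTHDR) m_pkthdr_remove(t);` is the safe form; otherwise a one-line comment on the queue's invariant would justify the bare call. The loop continues outside the hunk.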
@@ -410,7 +411,8 @@ insert:
 	m->m_data -= (ip->ip_hl << 2);
 
 	/* Fix up mbuf.  XXX This should be done elsewhere. */
-	if (m->m_flags & M_PKTHDR) {
+	{
+		KASSERT(m->m_flags & M_PKTHDR);
 		int plen = 0;
 		for (t = m; t; t = t->m_next) {
 			plen += t->m_len;

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55.6.1 src/sys/netinet6/frag6.c:1.55.6.2
--- src/sys/netinet6/frag6.c:1.55.6.1	Tue Jan 30 18:31:53 2018
+++ src/sys/netinet6/frag6.c	Thu Apr  5 11:53:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.6.2 2018/04/05 11:53:02 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.2 2018/04/05 11:53:02 martin Exp $");
 
 #include 
 

CVS commit: [netbsd-7-0] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:43:51 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-7-0]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.47 src/sys/net/npf/npf.h:1.47.6.1
--- src/sys/net/npf/npf.h:1.47	Sun Aug 10 19:09:43 2014
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:43:51 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.47.6.1 2018/04/05 11:43:51 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -150,7 +150,7 @@ typedef struct {
 	uint8_t			npc_alen;
 
 	/* IP header length and L4 protocol. */
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 
 	/* IPv4, IPv6. */
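Review bot: Widening `npc_hlen` to uint32_t between a uint8_t and a uint16_t member changes the layout of npf_cache_t (padding is now inserted before it), so anything built against the old header — the npf kernel module included — must be rebuilt; moving the field next to other 32-bit members would avoid the padding. The log message also says the bound on npc_hlen against the mbuf length is still open, so I'd record that in the field comment, `/* IP header length (not yet validated against the packet) and L4 protocol. */`, so the known gap stays visible.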



CVS commit: [netbsd-7-0] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:14:45 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1591):

sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.


To generate a diff of this commit:
cvs rdiff -u -r1.136.6.1 -r1.136.6.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.136.6.1 src/sys/netinet6/raw_ip6.c:1.136.6.2
--- src/sys/netinet6/raw_ip6.c:1.136.6.1	Tue Jan 30 18:31:53 2018
+++ src/sys/netinet6/raw_ip6.c	Sun Apr  1 09:14:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.136.6.1 2018/01/30 18:31:53 martin Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.136.6.2 2018/04/01 09:14:45 martin Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.136.6.1 2018/01/30 18:31:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.136.6.2 2018/04/01 09:14:45 martin Exp $");
 
 #include "opt_ipsec.h"
 
@@ -476,6 +476,7 @@ rip6_output(struct mbuf *m, struct socke
 
 	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
 	in6p->in6p_cksum != -1) {
+		const uint8_t nxt = ip6->ip6_nxt;
 		int off;
 		u_int16_t sum;
 
@@ -497,7 +498,7 @@ rip6_output(struct mbuf *m, struct socke
 			error = ENOBUFS;
 			goto bad;
 		}
-		sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+		sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
 		m = m_copyback_cow(m, off, sizeof(sum), (void *),
 		M_DONTWAIT);
 		if (m == NULL) {
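Review bot: The reason `nxt` is captured before the first m_copyback_cow() (declared in the hunk at @@ -476,6 +476,7 @@) is the use-after-free described in the log message, but the code itself does not say so, and a later cleanup could fold it back into `ip6->ip6_nxt`. I'd annotate the declaration, `const uint8_t nxt = ip6->ip6_nxt; /* ip6 may be freed by m_copyback_cow() below */`. The same caveat applies to any other `ip6` dereference after that call, which this hunk does not show.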



CVS commit: [netbsd-7-0] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:09:58 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1590):

sys/netinet6/ip6_forward.c: revision 1.91 (via patch)

Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed,
and a 'goto out' is missing after ipsec6_process_packet.


To generate a diff of this commit:
cvs rdiff -u -r1.73.2.1.2.1 -r1.73.2.1.2.2 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.73.2.1.2.1 src/sys/netinet6/ip6_forward.c:1.73.2.1.2.2
--- src/sys/netinet6/ip6_forward.c:1.73.2.1.2.1	Mon Feb 12 18:37:48 2018
+++ src/sys/netinet6/ip6_forward.c	Sun Apr  1 09:09:58 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.73.2.1.2.1 2018/02/12 18:37:48 snj Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.73.2.1.2.2 2018/04/01 09:09:58 martin Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.73.2.1.2.1 2018/02/12 18:37:48 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.73.2.1.2.2 2018/04/01 09:09:58 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -166,6 +166,7 @@ ip6_forward(struct mbuf *m, int srcrt)
 			 */
 			if (error == -EINVAL)
 error = 0;
+			m_freem(m);
 			goto freecopy;
 		}
 	}
@@ -264,8 +265,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		int s = splsoftnet();
 		error = ipsec6_process_packet(m, sp->req);
 		splx(s);
+		/* m is freed */
 		if (mcopy)
 			goto freecopy;
+		return;
 	}
 #endif   
 
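Review bot: With the unconditional `return` added after the IPsec call, `error` from ipsec6_process_packet() is assigned but reaches other code only via `freecopy` when `mcopy` is set; if `freecopy` (outside the hunk) does not act on it, an IPsec output failure is silent on this path. The comment should also say what `/* m is freed */` means for the reader: `/* ipsec6_process_packet() has consumed m; do not touch it below */`. Consider counting or logging the failure when `error != 0`.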



CVS commit: [netbsd-7-0] src/sys/sys

2018-03-21 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Mar 21 11:10:57 UTC 2018

Modified Files:
src/sys/sys [netbsd-7-0]: bitops.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1582):
sys/sys/bitops.h: revision 1.12
sys/sys/bitops.h: revision 1.13
sys/sys/bitops.h: revision 1.14
fix sign issues

use 1ul for a left shift that may be greater than int sized.
noticed by martin.
fixes PR#53081.

PR/53081: Fix size of the shift to depend on the type of the bitmap so that
we get the correct width.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.16.1 src/sys/sys/bitops.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/sys/bitops.h
diff -u src/sys/sys/bitops.h:1.11 src/sys/sys/bitops.h:1.11.16.1
--- src/sys/sys/bitops.h:1.11	Fri Dec  7 02:27:58 2012
+++ src/sys/sys/bitops.h	Wed Mar 21 11:10:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: bitops.h,v 1.11 2012/12/07 02:27:58 christos Exp $	*/
+/*	$NetBSD: bitops.h,v 1.11.16.1 2018/03/21 11:10:57 martin Exp $	*/
 
 /*-
  * Copyright (c) 2007, 2010 The NetBSD Foundation, Inc.
@@ -271,8 +271,8 @@ fast_divide32_prepare(uint32_t _div, uin
 	_l = fls32(_div - 1);
 	_mt = (uint64_t)(0x1ULL * ((1ULL << _l) - _div));
 	*_m = (uint32_t)(_mt / _div + 1);
-	*_s1 = (_l > 1) ? 1 : _l;
-	*_s2 = (_l == 0) ? 0 : _l - 1;
+	*_s1 = (_l > 1) ? 1U : (uint8_t)_l;
+	*_s2 = (_l == 0) ? 0 : (uint8_t)(_l - 1);
 }
 
 /* ARGSUSED */
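Review bot: The two fixed lines treat their constant arms differently: `1U` on the `*_s1` line but plain `0` on the `*_s2` line, while the other arm of each conditional is a `uint8_t`. Both arms promote to a common type either way, so behaviour is unaffected, but `0U` on the second line would make the unsigned intent uniform and keep the two lines parallel.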
@@ -304,7 +304,7 @@ fast_remainder32(uint32_t _v, uint32_t _
 #define __BITMAP_SIZE(__t, __n) \
 (((__n) + (__BITMAP_BITS(__t) - 1)) / __BITMAP_BITS(__t))
 #define __BITMAP_BIT(__n, __v) \
-(1 << ((__n) & __BITMAP_MASK(*(__v)->_b)))
+((__typeof__((__v)->_b[0]))1 << ((__n) & __BITMAP_MASK(*(__v)->_b)))
 #define __BITMAP_WORD(__n, __v) \
 ((__n) >> __BITMAP_SHIFT(*(__v)->_b))
 



CVS commit: [netbsd-7-0] src/sys/dev/ppbus

2018-03-21 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Mar 21 08:11:39 UTC 2018

Modified Files:
src/sys/dev/ppbus [netbsd-7-0]: if_plip.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1579):
sys/dev/ppbus/if_plip.c: revision 1.28
spl leak, found by Mootja


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.6.1 src/sys/dev/ppbus/if_plip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ppbus/if_plip.c
diff -u src/sys/dev/ppbus/if_plip.c:1.25 src/sys/dev/ppbus/if_plip.c:1.25.6.1
--- src/sys/dev/ppbus/if_plip.c:1.25	Thu Jun  5 23:48:16 2014
+++ src/sys/dev/ppbus/if_plip.c	Wed Mar 21 08:11:39 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: if_plip.c,v 1.25 2014/06/05 23:48:16 rmind Exp $ */
+/* $NetBSD: if_plip.c,v 1.25.6.1 2018/03/21 08:11:39 martin Exp $ */
 
 /*-
  * Copyright (c) 1997 Poul-Henning Kamp
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.25 2014/06/05 23:48:16 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.25.6.1 2018/03/21 08:11:39 martin Exp $");
 
 /*
  * Parallel port TCP/IP interfaces added.  I looked at the driver from
@@ -445,6 +445,7 @@ lpioctl(struct ifnet *ifp, u_long cmd, v
 		case AF_INET:
 			break;
 		default:
+			splx(s);
 			return EAFNOSUPPORT;
 		}
 		break;



CVS commit: [netbsd-7-0] src/sys/arch/xen/x86

2018-03-20 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Mar 20 17:18:28 UTC 2018

Modified Files:
src/sys/arch/xen/x86 [netbsd-7-0]: cpu.c

Log Message:
Additionally pull up the following for ticket #1118:

sys/arch/xen/x86/cpu.c  1.102-1.103

to unbreak the build (adjust cpu_feature declaration to changes in generic
x86 code).


To generate a diff of this commit:
cvs rdiff -u -r1.98.4.1 -r1.98.4.1.2.1 src/sys/arch/xen/x86/cpu.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/xen/x86/cpu.c
diff -u src/sys/arch/xen/x86/cpu.c:1.98.4.1 src/sys/arch/xen/x86/cpu.c:1.98.4.1.2.1
--- src/sys/arch/xen/x86/cpu.c:1.98.4.1	Tue Aug  4 18:12:28 2015
+++ src/sys/arch/xen/x86/cpu.c	Tue Mar 20 17:18:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cpu.c,v 1.98.4.1 2015/08/04 18:12:28 snj Exp $	*/
+/*	$NetBSD: cpu.c,v 1.98.4.1.2.1 2018/03/20 17:18:28 martin Exp $	*/
 /* NetBSD: cpu.c,v 1.18 2004/02/20 17:35:01 yamt Exp  */
 
 /*-
@@ -66,7 +66,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.98.4.1 2015/08/04 18:12:28 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.98.4.1.2.1 2018/03/20 17:18:28 martin Exp $");
 
 #include "opt_ddb.h"
 #include "opt_multiprocessor.h"
@@ -172,12 +172,14 @@ struct cpu_info phycpu_info_primary __al
 struct cpu_info *cpu_info_list = _info_primary;
 struct cpu_info *phycpu_info_list = _info_primary;
 
-uint32_t cpu_feature[5]; /* X86 CPUID feature bits
+uint32_t cpu_feature[7]; /* X86 CPUID feature bits
 			  *	[0] basic features %edx
 			  *	[1] basic features %ecx
 			  *	[2] extended features %edx
 			  *	[3] extended features %ecx
 			  *	[4] VIA padlock features
+			  *	[5] structured extended features cpuid.7:%ebx
+			  *	[6] structured extended features cpuid.7:%ecx
 			  */
 
 bool x86_mp_online;
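Review bot: The array bound `7` is written as a literal here and again in the cpu.h, cpuvar.h and x86/cpu.c hunks of the following pull-up, with a hand-maintained index comment beside each; the five-to-seven bump had to touch all four. A single named constant (e.g. an enum of the feature-word indices ending in a count, defined in the shared header) would let the other three declarations use it and keep the comments from drifting apart.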



CVS commit: [netbsd-7-0] src/sys/arch/x86

2018-03-19 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Mar 19 16:54:58 UTC 2018

Modified Files:
src/sys/arch/x86/include [netbsd-7-0]: cpu.h cpuvar.h
src/sys/arch/x86/x86 [netbsd-7-0]: cpu.c identcpu.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #1118):
sys/arch/x86/include/cpuvar.h: revision 1.47
sys/arch/x86/x86/cpu.c: revision 1.117
sys/arch/x86/x86/identcpu.c: revision 1.49
sys/arch/x86/include/cpu.h: revision 1.67

Retrieve cpuid7 (Structured Extended Features) into ci_feat_val.


To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.66.8.1 src/sys/arch/x86/include/cpu.h
cvs rdiff -u -r1.46 -r1.46.18.1 src/sys/arch/x86/include/cpuvar.h
cvs rdiff -u -r1.111.2.1.2.1 -r1.111.2.1.2.2 src/sys/arch/x86/x86/cpu.c
cvs rdiff -u -r1.45.2.1 -r1.45.2.1.2.1 src/sys/arch/x86/x86/identcpu.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/include/cpu.h
diff -u src/sys/arch/x86/include/cpu.h:1.66 src/sys/arch/x86/include/cpu.h:1.66.8.1
--- src/sys/arch/x86/include/cpu.h:1.66	Sun Feb 23 22:38:40 2014
+++ src/sys/arch/x86/include/cpu.h	Mon Mar 19 16:54:58 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cpu.h,v 1.66 2014/02/23 22:38:40 dsl Exp $	*/
+/*	$NetBSD: cpu.h,v 1.66.8.1 2018/03/19 16:54:58 martin Exp $	*/
 
 /*-
  * Copyright (c) 1990 The Regents of the University of California.
@@ -157,12 +157,14 @@ struct cpu_info {
 	uint32_t	ci_max_ext_cpuid; /* cpuid.8000:%eax */
 	volatile uint32_t	ci_lapic_counter;
 
-	uint32_t	ci_feat_val[5]; /* X86 CPUID feature bits */
+	uint32_t	ci_feat_val[7]; /* X86 CPUID feature bits */
 			/* [0] basic features cpuid.1:%edx
 			 * [1] basic features cpuid.1:%ecx (CPUID2_xxx bits)
 			 * [2] extended features cpuid:8001:%edx
 			 * [3] extended features cpuid:8001:%ecx
 			 * [4] VIA padlock features
+			 * [5] structured extended features cpuid.7:%ebx
+			 * [6] structured extended features cpuid.7:%ecx
 			 */
 	
 	const struct cpu_functions *ci_func;  /* start/stop functions */

Index: src/sys/arch/x86/include/cpuvar.h
diff -u src/sys/arch/x86/include/cpuvar.h:1.46 src/sys/arch/x86/include/cpuvar.h:1.46.18.1
--- src/sys/arch/x86/include/cpuvar.h:1.46	Fri Apr 20 22:23:24 2012
+++ src/sys/arch/x86/include/cpuvar.h	Mon Mar 19 16:54:58 2018
@@ -1,4 +1,4 @@
-/* 	$NetBSD: cpuvar.h,v 1.46 2012/04/20 22:23:24 rmind Exp $ */
+/* 	$NetBSD: cpuvar.h,v 1.46.18.1 2018/03/19 16:54:58 martin Exp $ */
 
 /*-
  * Copyright (c) 2000, 2007 The NetBSD Foundation, Inc.
@@ -125,7 +125,7 @@ void	pat_init(struct cpu_info *);
 extern int cpu_vendor;
 extern bool x86_mp_online;
 
-extern uint32_t cpu_feature[5];
+extern uint32_t cpu_feature[7];
 
 #endif /* _KERNEL */
 

Index: src/sys/arch/x86/x86/cpu.c
diff -u src/sys/arch/x86/x86/cpu.c:1.111.2.1.2.1 src/sys/arch/x86/x86/cpu.c:1.111.2.1.2.2
--- src/sys/arch/x86/x86/cpu.c:1.111.2.1.2.1	Sun Nov  8 00:15:47 2015
+++ src/sys/arch/x86/x86/cpu.c	Mon Mar 19 16:54:58 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cpu.c,v 1.111.2.1.2.1 2015/11/08 00:15:47 riz Exp $	*/
+/*	$NetBSD: cpu.c,v 1.111.2.1.2.2 2018/03/19 16:54:58 martin Exp $	*/
 
 /*-
  * Copyright (c) 2000-2012 NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.111.2.1.2.1 2015/11/08 00:15:47 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cpu.c,v 1.111.2.1.2.2 2018/03/19 16:54:58 martin Exp $");
 
 #include "opt_ddb.h"
 #include "opt_mpbios.h"		/* for MPDEBUG */
@@ -177,13 +177,15 @@ static void	tss_init(struct i386tss *, v
 
 static void	cpu_init_idle_lwp(struct cpu_info *);
 
-uint32_t cpu_feature[5]; /* X86 CPUID feature bits
-			  *	[0] basic features %edx
-			  *	[1] basic features %ecx
-			  *	[2] extended features %edx
-			  *	[3] extended features %ecx
-			  *	[4] VIA padlock features
-			  */
+uint32_t cpu_feature[7]; /* X86 CPUID feature bits */
+			/* [0] basic features cpuid.1:%edx
+			 * [1] basic features cpuid.1:%ecx (CPUID2_xxx bits)
+			 * [2] extended features cpuid:8001:%edx
+			 * [3] extended features cpuid:8001:%ecx
+			 * [4] VIA padlock features
+			 * [5] structured extended features cpuid.7:%ebx
+			 * [6] structured extended features cpuid.7:%ecx
+			 */
 
 extern char x86_64_doubleflt_stack[];
 
@@ -784,7 +786,7 @@ cpu_boot_secondary(struct cpu_info *ci)
 }
 
 /*
- * The CPU ends up here when its ready to run
+ * The CPU ends up here when it's ready to run.
  * This is called from code in mptramp.s; at this point, we are running
  * in the idle pcb/idle stack of the new CPU.  When this function returns,
  * this processor will enter the idle loop and start looking for work.

Index: src/sys/arch/x86/x86/identcpu.c
diff -u src/sys/arch/x86/x86/identcpu.c:1.45.2.1 src/sys/arch/x86/x86/identcpu.c:1.45.2.1.2.1
--- src/sys/arch/x86/x86/identcpu.c:1.45.2.1	Thu Oct 30 18:58:45 2014
+++ src/sys/arch/x86/x86/identcpu.c	Mon Mar 19 16:54:58 2018
@@ -1,4 

CVS commit: [netbsd-7-0] src/sys/conf

2018-03-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Mar  9 19:50:14 UTC 2018

Modified Files:
src/sys/conf [netbsd-7-0]: copyright

Log Message:
Pull up following revision(s) (requested by maya in ticket #1581):
sys/conf/copyright: 1.16
Update for 2018 new year


To generate a diff of this commit:
cvs rdiff -u -r1.12.4.1.2.1 -r1.12.4.1.2.2 src/sys/conf/copyright

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/conf/copyright
diff -u src/sys/conf/copyright:1.12.4.1.2.1 src/sys/conf/copyright:1.12.4.1.2.2
--- src/sys/conf/copyright:1.12.4.1.2.1	Sat Mar 11 07:48:22 2017
+++ src/sys/conf/copyright	Fri Mar  9 19:50:14 2018
@@ -1,5 +1,5 @@
 Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
-2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017
-The NetBSD Foundation, Inc.  All rights reserved.
+2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017,
+2018 The NetBSD Foundation, Inc.  All rights reserved.
 Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California.  All rights reserved.



CVS commit: [netbsd-7-0] src/sys/netipsec

2018-03-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Mar  3 20:24:53 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-7-0]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1577):
sys/netipsec/ipsec_input.c: 1.57 1.58
sys/netipsec/ipsec_input.c: 1.57
Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we
may crash here. Triggerable remotely, but after authentication, by sending
an AH packet that has a one-byte-sized IPIP payload.
Argh, in my previous commit in this file I forgot to fix the IPv6
entry point; apply the same fix there.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.8.1 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.32 src/sys/netipsec/ipsec_input.c:1.32.8.1
--- src/sys/netipsec/ipsec_input.c:1.32	Sat Mar  8 12:18:04 2014
+++ src/sys/netipsec/ipsec_input.c	Sat Mar  3 20:24:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.32 2014/03/08 12:18:04 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.32.8.1 2018/03/03 20:24:53 snj Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.32 2014/03/08 12:18:04 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.32.8.1 2018/03/03 20:24:53 snj Exp $");
 
 /*
  * IPsec input processing.
@@ -324,14 +324,15 @@ ipsec4_common_input_cb(struct mbuf *m, s
 	ip->ip_len = htons(m->m_pkthdr.len);
 	prot = ip->ip_p;
 
+#ifdef notyet
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), );
 
-#ifdef notyet
 		/* XXX PROXY address isn't recorded in SAH */
 		/*
 		 * Check that the inner source address is the same as
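Review bot: The new `/* XXX: check m_pkthdr.len */` marker above the `m_copydata()` at the top of this hunk names the missing bound without stating it; the branch is now compiled out by `#ifdef notyet`, so nothing is reachable today, but whoever re-enables it needs the actual guard, which for this branch is `if (m->m_pkthdr.len < (ip->ip_hl << 2) + sizeof(ipn)) { error = EINVAL; goto bad; }` (`error`/`goto bad` are already the failure idiom visible in this function). The same marker recurs in the IPv6-in-IP branch of this function and in both branches of ipsec6_common_input_cb in the later hunks of this file, where the bound is `skip + sizeof(ipn)` and `skip + sizeof(ip6n)` respectively. ipsec4_common_input_cb starts and ends outside the hunk.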
@@ -359,7 +360,6 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #if INET6
 	/* IPv6-in-IP encapsulation. */
@@ -367,9 +367,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -395,9 +395,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET6 */
+#endif /* notyet */
 
 	/*
 	 * Record what we've done to the packet (under what SA it was
@@ -643,15 +643,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	/* Save protocol */
 	m_copydata(m, protoff, 1, );
 
+#ifdef notyet
 #ifdef INET
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -675,18 +676,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET */
-
 	/* IPv6-in-IP encapsulation */
 	if (prot == IPPROTO_IPV6) {
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -711,8 +710,8 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
+#endif /* notyet */
 
 	/*
 	 * Record what we've done to the packet (under what SA it was



CVS commit: [netbsd-7-0] src/sys/netinet6

2018-02-25 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb 25 23:17:22 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: ip6_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1572):
sys/netinet6/ip6_input.c: 1.188 via patch
Kick nested fragments.


To generate a diff of this commit:
cvs rdiff -u -r1.149.2.1.2.1 -r1.149.2.1.2.2 src/sys/netinet6/ip6_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.149.2.1.2.1 src/sys/netinet6/ip6_input.c:1.149.2.1.2.2
--- src/sys/netinet6/ip6_input.c:1.149.2.1.2.1	Tue Jan 30 18:31:53 2018
+++ src/sys/netinet6/ip6_input.c	Sun Feb 25 23:17:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.149.2.1.2.1 2018/01/30 18:31:53 martin Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.149.2.1.2.2 2018/02/25 23:17:22 snj Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1.2.1 2018/01/30 18:31:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1.2.2 2018/02/25 23:17:22 snj Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -249,7 +249,7 @@ ip6_input(struct mbuf *m)
 	int hit, off = sizeof(struct ip6_hdr), nest;
 	u_int32_t plen;
 	u_int32_t rtalert = ~0;
-	int nxt, ours = 0, rh_present = 0;
+	int nxt, ours = 0, rh_present = 0, frg_present;
 	struct ifnet *deliverifp = NULL;
 	int srcrt = 0;
 	const struct rtentry *rt;
@@ -720,6 +720,7 @@ ip6_input(struct mbuf *m)
 	nest = 0;
 
 	rh_present = 0;
+	frg_present = 0;
 	while (nxt != IPPROTO_DONE) {
 		if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
 			IP6_STATINC(IP6_STAT_TOOMANYHDR);
@@ -744,6 +745,13 @@ ip6_input(struct mbuf *m)
 IP6_STATINC(IP6_STAT_BADOPTIONS);
 goto bad;
 			}
+		} else if (nxt == IPPROTO_FRAGMENT) {
+			if (frg_present++) {
+in6_ifstat_inc(m->m_pkthdr.rcvif,
+ifs6_in_hdrerr);
+IP6_STATINC(IP6_STAT_BADOPTIONS);
+goto bad;
+			}
 		}
 
 #ifdef IPSEC
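Review bot: `frg_present` is declared uninitialized in the first hunk of this file while its siblings on the same declaration line are initialized (`ours = 0, rh_present = 0`); writing `int nxt, ours = 0, rh_present = 0, frg_present = 0;` there keeps the declaration consistent and makes the later `frg_present = 0;` a pure loop reset like the `rh_present = 0;` next to it. The new branch also counts the drop under IP6_STAT_BADOPTIONS, the same counter as the duplicate-routing-header case just above it, so the two conditions cannot be told apart from the statistics alone; a one-line comment on the branch, `/* a packet may carry only one Fragment header (RFC 8200 sec. 4.1); drop a second one */`, would at least document the intent for whoever reads the counter. ip6_input starts and ends outside the hunk.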



CVS commit: [netbsd-7-0] src/sys

2018-02-25 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb 25 21:15:20 UTC 2018

Modified Files:
src/sys/arch/amiga/conf [netbsd-7-0]: DRACO GENERIC GENERIC.in
src/sys/arch/i386/conf [netbsd-7-0]: GENERIC XEN3_DOM0 XEN3_DOMU
src/sys/arch/sparc/conf [netbsd-7-0]: GENERIC KRUPS MRCOFFEE TADPOLE3GX
src/sys/arch/sparc64/conf [netbsd-7-0]: GENERIC NONPLUS64
src/sys/kern [netbsd-7-0]: kern_exec.c

Log Message:
Apply patch (requested by maxv in ticket #1499):
- disable compat_svr4 and compat_svr4_32 everywhere
- disable compat_ibcs2 everywhere but on Vax
- remove svr4/svr4_32/ibcs2/freebsd from the module autoload list


To generate a diff of this commit:
cvs rdiff -u -r1.175 -r1.175.4.1 src/sys/arch/amiga/conf/DRACO
cvs rdiff -u -r1.307.2.2 -r1.307.2.2.2.1 src/sys/arch/amiga/conf/GENERIC
cvs rdiff -u -r1.125.2.2 -r1.125.2.2.2.1 src/sys/arch/amiga/conf/GENERIC.in
cvs rdiff -u -r1.1107.2.8.2.1 -r1.1107.2.8.2.2 src/sys/arch/i386/conf/GENERIC
cvs rdiff -u -r1.85.2.5 -r1.85.2.5.2.1 src/sys/arch/i386/conf/XEN3_DOM0
cvs rdiff -u -r1.59.2.5 -r1.59.2.5.2.1 src/sys/arch/i386/conf/XEN3_DOMU
cvs rdiff -u -r1.243.4.3 -r1.243.4.3.2.1 src/sys/arch/sparc/conf/GENERIC
cvs rdiff -u -r1.66 -r1.66.6.1 src/sys/arch/sparc/conf/KRUPS
cvs rdiff -u -r1.45 -r1.45.6.1 src/sys/arch/sparc/conf/MRCOFFEE
cvs rdiff -u -r1.61.4.2 -r1.61.4.2.2.1 src/sys/arch/sparc/conf/TADPOLE3GX
cvs rdiff -u -r1.171.4.4 -r1.171.4.4.2.1 src/sys/arch/sparc64/conf/GENERIC
cvs rdiff -u -r1.41.4.2 -r1.41.4.2.2.1 src/sys/arch/sparc64/conf/NONPLUS64
cvs rdiff -u -r1.408.2.3.2.1 -r1.408.2.3.2.2 src/sys/kern/kern_exec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amiga/conf/DRACO
diff -u src/sys/arch/amiga/conf/DRACO:1.175 src/sys/arch/amiga/conf/DRACO:1.175.4.1
--- src/sys/arch/amiga/conf/DRACO:1.175	Sat Jul  5 10:00:42 2014
+++ src/sys/arch/amiga/conf/DRACO	Sun Feb 25 21:15:19 2018
@@ -1,4 +1,4 @@
-# $NetBSD: DRACO,v 1.175 2014/07/05 10:00:42 tsutsui Exp $
+# $NetBSD: DRACO,v 1.175.4.1 2018/02/25 21:15:19 snj Exp $
 #
 # This file was automatically created.
 # Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.175 $"
+#ident 		"GENERIC-$Revision: 1.175.4.1 $"
 
 makeoptions	COPTS="-O2 -fno-reorder-blocks"	# see share/mk/sys.mk
 
@@ -140,7 +140,7 @@ options 	COMPAT_40	# NetBSD 4.0 compatib
 options 	COMPAT_50	# NetBSD 5.0 compatibility.
 options 	COMPAT_60	# NetBSD 6.0 compatibility.
 options 	COMPAT_SUNOS	# Support to run Sun (m68k) executables
-options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
+#options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
 options 	COMPAT_NOMID	# allow nonvalid machine id executables
 #options 	COMPAT_LINUX	# Support to run Linux/m68k executables
 

Index: src/sys/arch/amiga/conf/GENERIC
diff -u src/sys/arch/amiga/conf/GENERIC:1.307.2.2 src/sys/arch/amiga/conf/GENERIC:1.307.2.2.2.1
--- src/sys/arch/amiga/conf/GENERIC:1.307.2.2	Tue Nov 18 19:05:28 2014
+++ src/sys/arch/amiga/conf/GENERIC	Sun Feb 25 21:15:19 2018
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.307.2.2 2014/11/18 19:05:28 snj Exp $
+# $NetBSD: GENERIC,v 1.307.2.2.2.1 2018/02/25 21:15:19 snj Exp $
 #
 # This file was automatically created.
 # Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.307.2.2 $"
+#ident 		"GENERIC-$Revision: 1.307.2.2.2.1 $"
 
 makeoptions	COPTS="-O2 -fno-reorder-blocks"	# see share/mk/sys.mk
 
@@ -153,7 +153,7 @@ options 	COMPAT_40	# NetBSD 4.0 compatib
 options 	COMPAT_50	# NetBSD 5.0 compatibility.
 options 	COMPAT_60	# NetBSD 6.0 compatibility.
 options 	COMPAT_SUNOS	# Support to run Sun (m68k) executables
-options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
+#options 	COMPAT_SVR4	# Support to run SVR4 (m68k) executables
 options 	COMPAT_NOMID	# allow nonvalid machine id executables
 #options 	COMPAT_LINUX	# Support to run Linux/m68k executables
 

Index: src/sys/arch/amiga/conf/GENERIC.in
diff -u src/sys/arch/amiga/conf/GENERIC.in:1.125.2.2 src/sys/arch/amiga/conf/GENERIC.in:1.125.2.2.2.1
--- src/sys/arch/amiga/conf/GENERIC.in:1.125.2.2	Tue Nov 18 19:05:28 2014
+++ src/sys/arch/amiga/conf/GENERIC.in	Sun Feb 25 21:15:19 2018
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC.in,v 1.125.2.2 2014/11/18 19:05:28 snj Exp $
+# $NetBSD: GENERIC.in,v 1.125.2.2.2.1 2018/02/25 21:15:19 snj Exp $
 #
 ##
 # GENERIC machine description file
@@ -52,7 +52,7 @@ include "arch/amiga/conf/std.amiga"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.125.2.2 $"
+#ident 		"GENERIC-$Revision: 1.125.2.2.2.1 $"
 
 

CVS commit: [netbsd-7-0] src/sys

2018-02-24 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Feb 24 18:29:37 UTC 2018

Modified Files:
src/sys/net [netbsd-7-0]: if_mpls.c
src/sys/netmpls [netbsd-7-0]: mpls_ttl.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1571):
sys/net/if_mpls.c: 1.31-1.33 via patch
sys/netmpls/mpls_ttl.c: 1.9
Style, and fix several bugs:
 - ip4_check(), mpls_unlabel_inet() and mpls_unlabel_inet6() perform
   pullups, so we need to pass the updated pointers back
 - in mpls_lse() the route is not always freed
Looks a little better now.
--
Kick MPLS packets earlier.
--
Several changes:
 * Declare TRIM_LABEL as a function.
 * In mpls_unlabel_inet, copy the label locally. It's not incorrect to
   keep a pointer on the mbuf, but it's bug-friendly.
 * In mpls_label_inetX, fix the length check. Meanwhile add an XXX: we
   just want to make sure that m_copydata won't fail, but if we were
   guaranteed that m has M_PKTHDR set, we could simply check the length
   against m->m_pkthdr.len.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.16.6.1 src/sys/net/if_mpls.c
cvs rdiff -u -r1.4 -r1.4.8.1 src/sys/netmpls/mpls_ttl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_mpls.c
diff -u src/sys/net/if_mpls.c:1.16 src/sys/net/if_mpls.c:1.16.6.1
--- src/sys/net/if_mpls.c:1.16	Thu Jul 17 10:46:57 2014
+++ src/sys/net/if_mpls.c	Sat Feb 24 18:29:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_mpls.c,v 1.16 2014/07/17 10:46:57 bouyer Exp $ */
+/*	$NetBSD: if_mpls.c,v 1.16.6.1 2018/02/24 18:29:36 snj Exp $ */
 
 /*
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.16 2014/07/17 10:46:57 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.16.6.1 2018/02/24 18:29:36 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_mpls.h"
@@ -92,12 +92,12 @@ static int mpls_send_frame(struct mbuf *
 static int mpls_lse(struct mbuf *);
 
 #ifdef INET
-static int mpls_unlabel_inet(struct mbuf *);
+static struct mbuf *mpls_unlabel_inet(struct mbuf *, int *error);
 static struct mbuf *mpls_label_inet(struct mbuf *, union mpls_shim *, uint);
 #endif
 
 #ifdef INET6
-static int mpls_unlabel_inet6(struct mbuf *);
+static struct mbuf *mpls_unlabel_inet6(struct mbuf *, int *error);
 static struct mbuf *mpls_label_inet6(struct mbuf *, union mpls_shim *, uint);
 #endif
 
@@ -321,6 +321,12 @@ mpls_lse(struct mbuf *m)
 	uint psize = sizeof(struct sockaddr_mpls);
 	bool push_back_alert = false;
 
+	/* If we're not accepting MPLS frames, leave now. */
+	if (!mpls_frame_accept) {
+		error = EINVAL;
+		goto done;
+	}
+
 	if (m->m_len < sizeof(union mpls_shim) &&
 	(m = m_pullup(m, sizeof(union mpls_shim))) == NULL)
 		goto done;
@@ -329,21 +335,19 @@ mpls_lse(struct mbuf *m)
 	dst.smpls_family = AF_MPLS;
 	dst.smpls_addr.s_addr = ntohl(mtod(m, union mpls_shim *)->s_addr);
 
-	/* Check if we're accepting MPLS Frames */
 	error = EINVAL;
-	if (!mpls_frame_accept)
-		goto done;
 
 	/* TTL decrement */
 	if ((m = mpls_ttl_dec(m)) == NULL)
 		goto done;
 
 	/* RFC 4182 */
-	if (mpls_rfc4182 != 0)
-		while((dst.smpls_addr.shim.label == MPLS_LABEL_IPV4NULL ||
+	if (mpls_rfc4182 != 0) {
+		while ((dst.smpls_addr.shim.label == MPLS_LABEL_IPV4NULL ||
 		dst.smpls_addr.shim.label == MPLS_LABEL_IPV6NULL) &&
 		__predict_false(dst.smpls_addr.shim.bos == 0))
 			TRIM_LABEL;
+	}
 
 	/* RFC 3032 Section 2.1 Page 4 */
 	if (__predict_false(dst.smpls_addr.shim.label == MPLS_LABEL_RTALERT) &&
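Review bot: With the `mpls_frame_accept` test moved to the top of mpls_lse (first hunk of this file), the bare `error = EINVAL;` left at the top of this hunk no longer belongs to any visible condition; it now silently serves as the return value for the `goto done` on the `mpls_ttl_dec()` NULL path below it and for every later exit until `error` is next assigned, which a reader has to work out. A trailing comment, `error = EINVAL;	/* default for the drop paths below */`, or moving the assignment directly above the first `goto done` it covers, makes that explicit. mpls_lse starts and ends outside this hunk.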
@@ -358,15 +362,17 @@ mpls_lse(struct mbuf *m)
 #ifdef INET
 		case MPLS_LABEL_IPV4NULL:
 			/* Pop shim and push mbuf to IP stack */
-			if (dst.smpls_addr.shim.bos)
-error = mpls_unlabel_inet(m);
+			if (dst.smpls_addr.shim.bos) {
+m = mpls_unlabel_inet(m, );
+			}
 			break;
 #endif
 #ifdef INET6
 		case MPLS_LABEL_IPV6NULL:
 			/* Pop shim and push mbuf to IPv6 stack */
-			if (dst.smpls_addr.shim.bos)
-error = mpls_unlabel_inet6(m);
+			if (dst.smpls_addr.shim.bos) {
+m = mpls_unlabel_inet6(m, );
+			}
 			break;
 #endif
 		case MPLS_LABEL_RTALERT:	/* Yeah, I'm all alerted */
@@ -420,8 +426,10 @@ mpls_lse(struct mbuf *m)
 		tshim.shim.bos = tshim.shim.exp = 0;
 		tshim.shim.ttl = mpls_defttl;
 		if (tshim.shim.label != MPLS_LABEL_IMPLNULL &&
-		((m = mpls_prepend_shim(m, )) == NULL))
-			return ENOBUFS;
+		((m = mpls_prepend_shim(m, )) == NULL)) {
+			error = ENOBUFS;
+			goto done;
+		}
 		psize += sizeof(tshim);
 	}
 
@@ -431,8 +439,10 @@ mpls_lse(struct mbuf *m)
 		tshim.s_addr = MPLS_LABEL_RTALERT;
 		tshim.shim.bos = tshim.shim.exp = 0;
 		tshim.shim.ttl = mpls_defttl;
-		if ((m = mpls_prepend_shim(m, )) == NULL)
-			return ENOBUFS;
+		if ((m = mpls_prepend_shim(m, )) == NULL) {
+			error = ENOBUFS;
+			goto done;
+		}
 	}
 
 	error = mpls_send_frame(m, rt->rt_ifp, rt);
@@ -480,18 +490,15 @@ 

CVS commit: [netbsd-7-0] src/sys/netipsec

2018-02-16 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb 16 16:42:18 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-7-0]: ipsec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1570):

sys/netipsec/ipsec.c: revision 1.130

Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte
AH packet. Triggerable before authentication when IPsec and forwarding
are both enabled.


To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.63.4.1 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.63 src/sys/netipsec/ipsec.c:1.63.4.1
--- src/sys/netipsec/ipsec.c:1.63	Fri May 30 01:39:03 2014
+++ src/sys/netipsec/ipsec.c	Fri Feb 16 16:42:18 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.63 2014/05/30 01:39:03 christos Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.63.4.1 2018/02/16 16:42:18 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.63 2014/05/30 01:39:03 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.63.4.1 2018/02/16 16:42:18 martin Exp $");
 
 /*
  * IPsec controller part.
@@ -1176,7 +1176,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se
 			spidx->dst.sin.sin_port = uh.uh_dport;
 			return;
 		case IPPROTO_AH:
-			if (m->m_pkthdr.len > off + sizeof(ip6e))
+			if (off + sizeof(ip6e) > m->m_pkthdr.len)
 goto done;
 			/* XXX sigh, this works but is totally bogus */
 			m_copydata(m, off, sizeof(ip6e), );
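Review bot: The corrected condition `off + sizeof(ip6e) > m->m_pkthdr.len` is evaluated in `size_t` because of the `sizeof`, so `off` and `m->m_pkthdr.len` (an `int`) are converted to unsigned for the comparison; that is only right while `off` is non-negative, which holds for a header offset but is worth stating, e.g. `/* off >= 0 here; the comparison is done in size_t */`. Note also that the check covers exactly the two-byte `ip6e` read by the `m_copydata()` below it, not the distance the loop later advances `off` by from `ip6e_len`; whether a crafted length is caught on the next iteration depends on code outside this hunk, which I cannot see from here. ipsec4_get_ulp starts and ends outside the hunk.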



CVS commit: [netbsd-7-0] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 17:52:52 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-7-0]: xform_ah.c xform_esp.c xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1569):
sys/netipsec/xform_ah.c: revision 1.77, 1.81 (via patch)
sys/netipsec/xform_esp.c: revision 1.73 (via patch)
sys/netipsec/xform_ipip.c: revision 1.56, 1.57 (via patch)

Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:

218 ipo = mtod(m, struct ip *);
281 m = m_pullup(m, hlen);
232 ipo->ip_src.s_addr

Found by Mootja.

Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.

Reinforce and clarify.

Add missing NULL check. Normally that's not triggerable remotely, since we
are guaranteed that 8 bytes are valid at mbuf+skip.

As I said in my last commit in this file, ipo should be set to NULL;
otherwise the 'local address spoofing' check below is always wrong on
IPv6.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.42.8.2 -r1.42.8.3 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.45 -r1.45.8.1 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.31.6.1 -r1.31.6.2 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.42.8.2 src/sys/netipsec/xform_ah.c:1.42.8.3
--- src/sys/netipsec/xform_ah.c:1.42.8.2	Thu Feb 15 08:06:15 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 17:52:52 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.42.8.2 2018/02/15 08:06:15 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.42.8.3 2018/02/15 17:52:52 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.42.8.2 2018/02/15 08:06:15 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.42.8.3 2018/02/15 17:52:52 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -498,54 +498,45 @@ ah_massage_headers(struct mbuf **m0, int
 
 		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
 
-		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
+		for (off = 0; off < skip - sizeof(struct ip6_hdr);) {
+			int noff;
+
 			switch (nxt) {
 			case IPPROTO_HOPOPTS:
 			case IPPROTO_DSTOPTS:
-ip6e = (struct ip6_ext *) (ptr + off);
+ip6e = (struct ip6_ext *)(ptr + off);
+noff = off + ((ip6e->ip6e_len + 1) << 3);
+
+/* Sanity check. */
+if (noff > skip - sizeof(struct ip6_hdr)) {
+	goto error6;
+}
 
 /*
- * Process the mutable/immutable
- * options -- borrows heavily from the
- * KAME code.
+ * Zero out mutable options.
  */
 for (count = off + sizeof(struct ip6_ext);
- count < off + ((ip6e->ip6e_len + 1) << 3);) {
+ count < noff;) {
 	if (ptr[count] == IP6OPT_PAD1) {
 		count++;
-		continue; /* Skip padding. */
-	}
-
-	/* Sanity check. */
-	if (count > off +
-	((ip6e->ip6e_len + 1) << 3)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
+		continue;
 	}
 
 	ad = ptr[count + 1] + 2;
 
-	/* If mutable option, zeroize. */
-	if (ptr[count] & IP6OPT_MUTABLE)
-		memcpy(ptr + count, ipseczeroes,
-		ad);
+	if (count + ad > noff) {
+		goto error6;
+	}
+
+	if (ptr[count] & IP6OPT_MUTABLE) {
+		memset(ptr + count, 0, ad);
+	}
 
 	count += ad;
+}
 
-	/* Sanity check. */
-	if (count >
-	skip - sizeof(struct ip6_hdr)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
-	}
+if (count != noff) {
+	goto error6;
 }
 
 /* Advance. */
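Review bot: `ad = ptr[count + 1] + 2;` reads the option length byte before anything verifies that `count + 1 < noff`; the new `count + ad > noff` test two lines later rejects the option afterwards, but the length byte itself has then already been read from the byte just past this options header. The same one-byte look-ahead applies to `ip6e->ip6e_len` at the top of the case: the loop only guarantees `off < skip - sizeof(struct ip6_hdr)`, not that both bytes of `struct ip6_ext` fit. Whether either read can actually leave `ptr` depends on how `ptr` and `skip` are set up above the hunk, which is not visible here, but guards such as `if (count + 2 > noff) goto error6;` before the `ad` read and `if (off + sizeof(*ip6e) > skip - sizeof(struct ip6_hdr)) goto error6;` before the `ip6e_len` read would make the bound explicit rather than relied upon. ah_massage_headers starts and ends outside the hunk.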
@@ -603,11 +594,13 @@ ah_massage_headers(struct mbuf **m0, int
 			default:
 DPRINTF(("ah_massage_headers: unexpected "
 "IPv6 header type %d", off));
+error6:
 if (alloc)
 	free(ptr, M_XDATA);
 m_freem(m);
 return EINVAL;
 			}
+		}
 
 		/* Copyback and free, if we allocated. */
 		if (alloc) {
@@ -687,11 +680,10 @@ ah_input(struct mbuf *m, const struct se
 		return EACCES;
 	}
 	if (skip + authsize + rplen > m->m_pkthdr.len) {
-		char buf[IPSEC_ADDRSTRLEN];
 		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
 			" for packet in SA %s/%08lx\n", __func__,
 			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
-			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			ipsec_address(>sah->saidx.dst),
 			(u_long) ntohl(sav->spi)));
 		AH_STATINC(AH_STAT_BADAUTHL);
 		m_freem(m);

Index: src/sys/netipsec/xform_esp.c

CVS commit: [netbsd-7-0] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 14:43:12 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-7-0]: xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1567):
sys/netipsec/xform_ipip.c: revision 1.44
PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
don't forget to subtract the ipv6 header length.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.31.6.1 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.31 src/sys/netipsec/xform_ipip.c:1.31.6.1
--- src/sys/netipsec/xform_ipip.c:1.31	Thu Jun  5 23:48:17 2014
+++ src/sys/netipsec/xform_ipip.c	Thu Feb 15 14:43:12 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipip.c,v 1.31 2014/06/05 23:48:17 rmind Exp $	*/
+/*	$NetBSD: xform_ipip.c,v 1.31.6.1 2018/02/15 14:43:12 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.31 2014/06/05 23:48:17 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.31.6.1 2018/02/15 14:43:12 martin Exp $");
 
 /*
  * IP-inside-IP processing
@@ -562,7 +562,7 @@ ipip_output(
 		ip6o->ip6_flow = 0;
 		ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
 		ip6o->ip6_vfc |= IPV6_VERSION;
-		ip6o->ip6_plen = htons(m->m_pkthdr.len);
+		ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o));
 		ip6o->ip6_hlim = ip_defttl;
 		ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
 		ip6o->ip6_src = saidx->src.sin6.sin6_addr;
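Review bot: `htons(m->m_pkthdr.len - sizeof(*ip6o))` silently truncates the payload length to 16 bits, so a packet whose encapsulated payload exceeds IPV6_MAXPACKET would go out with a wrong length instead of being rejected. Nothing in this hunk bounds the encapsulated length; if the callers cannot already rule that out, a check such as `if (m->m_pkthdr.len - sizeof(*ip6o) > IPV6_MAXPACKET)` taking whatever error path ipip_output already uses belongs right before this line. The subtraction is done in `size_t`, which is fine only because the outer header has just been prepended and `m_pkthdr.len` therefore cannot be below `sizeof(*ip6o)`; a short comment saying so would help the next reader. ipip_output starts and ends outside the hunk.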



CVS commit: [netbsd-7-0] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 08:06:15 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-7-0]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1568):
sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch

Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.42.8.1 -r1.42.8.2 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.42.8.1 src/sys/netipsec/xform_ah.c:1.42.8.2
--- src/sys/netipsec/xform_ah.c:1.42.8.1	Mon Jan 29 19:43:32 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 08:06:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.42.8.1 2018/01/29 19:43:32 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.42.8.2 2018/02/15 08:06:15 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.42.8.1 2018/01/29 19:43:32 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.42.8.2 2018/02/15 08:06:15 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -636,6 +636,7 @@ ah_input(struct mbuf *m, const struct se
 	struct m_tag *mtag;
 	struct newah *ah;
 	int hl, rplen, authsize, error;
+	uint8_t nxt;
 
 	struct cryptodesc *crda;
 	struct cryptop *crp;
@@ -660,6 +661,8 @@ ah_input(struct mbuf *m, const struct se
 		return ENOBUFS;
 	}
 
+	nxt = ah->ah_nxt;
+
 	/* Check replay window, if applicable. */
 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
 		AH_STATINC(AH_STAT_REPLAY);
@@ -683,6 +686,18 @@ ah_input(struct mbuf *m, const struct se
 		m_freem(m);
 		return EACCES;
 	}
+	if (skip + authsize + rplen > m->m_pkthdr.len) {
+		char buf[IPSEC_ADDRSTRLEN];
+		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+			" for packet in SA %s/%08lx\n", __func__,
+			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			(u_long) ntohl(sav->spi)));
+		AH_STATINC(AH_STAT_BADAUTHL);
+		m_freem(m);
+		return EACCES;
+	}
+
 	AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
 
 	/* Get crypto descriptors. */
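Review bot: In the new length check the DPRINTF formats `m->m_pkthdr.len` with `%u` although the field is an `int`; `%d` (or an explicit cast) keeps it `-Wformat`-clean, and the same applies to the copy of this DPRINTF in the 1.42.8.3 hunk of this file earlier on the page. Otherwise the check is the right shape: `skip + authsize + rplen` is an `int` sum of small header sizes, and rejecting with AH_STAT_BADAUTHL before AH_STATADD counts the bytes keeps the statistics consistent. Saving `nxt = ah->ah_nxt` right after the pull-up (previous hunk) is what closes the use-after-free, since `ah` is not re-derived later; a comment at that line, `/* ah may be stale after m_makewritable()/ah_massage_headers() below */`, would stop the next person from folding it back into the `tc->tc_nxt` assignment. ah_input starts and ends outside the hunk.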
@@ -780,7 +795,7 @@ ah_input(struct mbuf *m, const struct se
 	tc->tc_spi = sav->spi;
 	tc->tc_dst = sav->sah->saidx.dst;
 	tc->tc_proto = sav->sah->saidx.proto;
-	tc->tc_nxt = ah->ah_nxt;
+	tc->tc_nxt = nxt;
 	tc->tc_protoff = protoff;
 	tc->tc_skip = skip;
 	tc->tc_ptr = mtag; /* Save the mtag we've identified. */



CVS commit: [netbsd-7-0] src/sys/arch/sparc/sparc

2018-02-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 12 18:42:16 UTC 2018

Modified Files:
src/sys/arch/sparc/sparc [netbsd-7-0]: timer.c timer_sun4m.c timerreg.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1552):
sys/arch/sparc/sparc/timer.c: 1.33-1.34
sys/arch/sparc/sparc/timer_sun4m.c: 1.31
sys/arch/sparc/sparc/timerreg.h: 1.10
fix time goes backwards problems on sparc.
there are a few things here:
- there's a race between reading the limit register (which clears
  the interrupt and the limit bit) and increasing the latest offset.
  this can happen easily if an interrupt comes between the read and
  the call to tickle_tc() that increases the offset (i observed this
  actually happening.)
- in early boot, sometimes the counter can cycle twice before the
  tickle happens.
to handle these issues, add two workarounds:
- if the limit bit isn't set, but the counter value is less than
  the previous value, and the offset hasn't changed, use the same
  fixup as if the limit bit was set.  this handles the first case
  above.
- add a hard-workaround for never allowing returning a smaller
  value (except during 32 bit overflow): if the result is less than
  the last result, add fixups until it does (or until it would
  overflow.)
the first workaround fixes general run-time issues, and the second
fixes issues only seen during boot.
also expand some comments in timer_sun4m.c and re-enable the sun4m
sub-microsecond tmr_ustolim4m() support (but it's always called with
at least 'tick' microseconds, so the end result is the same.)
--
fix hang at 4B microseconds (1h12 or so), and simplify part of the previous


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.8.1 src/sys/arch/sparc/sparc/timer.c
cvs rdiff -u -r1.30 -r1.30.8.1 src/sys/arch/sparc/sparc/timer_sun4m.c
cvs rdiff -u -r1.9 -r1.9.144.1 src/sys/arch/sparc/sparc/timerreg.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc/sparc/timer.c
diff -u src/sys/arch/sparc/sparc/timer.c:1.32 src/sys/arch/sparc/sparc/timer.c:1.32.8.1
--- src/sys/arch/sparc/sparc/timer.c:1.32	Sun Jan 19 00:22:33 2014
+++ src/sys/arch/sparc/sparc/timer.c	Mon Feb 12 18:42:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: timer.c,v 1.32 2014/01/19 00:22:33 mrg Exp $ */
+/*	$NetBSD: timer.c,v 1.32.8.1 2018/02/12 18:42:16 snj Exp $ */
 
 /*
  * Copyright (c) 1992, 1993
@@ -60,7 +60,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.32 2014/01/19 00:22:33 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.32.8.1 2018/02/12 18:42:16 snj Exp $");
 
 #include 
 #include 
@@ -85,55 +85,92 @@ void *sched_cookie;
  * timecounter local state
  */
 static struct counter {
-	volatile u_int *cntreg;	/* counter register */
+	__cpu_simple_lock_t lock; /* protects access to offset, reg, last* */
+	volatile u_int *cntreg;	/* counter register to read */
 	u_int limit;		/* limit we count up to */
 	u_int offset;		/* accumulated offset due to wraps */
 	u_int shift;		/* scaling for valid bits */
 	u_int mask;		/* valid bit mask */
-} cntr;
+	u_int lastcnt;		/* the last* values are used to notice */
+	u_int lastres;		/* and fix up cases where it would appear */
+	u_int lastoffset;	/* time went backwards. */
+} cntr __aligned(CACHE_LINE_SIZE);
 
 /*
  * define timecounter
  */
 
 static struct timecounter counter_timecounter = {
-	timer_get_timecount,	/* get_timecount */
-	0,			/* no poll_pps */
-	~0u,			/* counter_mask */
-	0,  /* frequency - set at initialisation */
-	"timer-counter",	/* name */
-	100,			/* quality */
-/* private reference */
+	.tc_get_timecount =	timer_get_timecount,
+	.tc_poll_pps =		NULL,
+	.tc_counter_mask =	~0u,
+	.tc_frequency =		0,
+	.tc_name =		"timer-counter",
+	.tc_quality =		100,
+	.tc_priv =		,
 };
 
 /*
  * timer_get_timecount provide current counter value
  */
+__attribute__((__optimize__("Os")))
 static u_int
 timer_get_timecount(struct timecounter *tc)
 {
-	struct counter *ctr = (struct counter *)tc->tc_priv;
-
-	u_int c, res, r;
+	u_int cnt, res, fixup, offset;
 	int s;
 
+	/*
+	 * We use splhigh/__cpu_simple_lock here as we don't want
+	 * any mutex or lockdebug overhead.  The lock protects a
+	 * bunch of the members of cntr that are written here to
+	 * deal with the various minor races to be observed and
+	 * worked around.
+	 */
 	s = splhigh();
-
-	res = c = *ctr->cntreg;
+	__cpu_simple_lock();
+	res = cnt = *cntr.cntreg;
 
 	res &= ~TMR_LIMIT;
+	offset = cntr.offset;
 
-	if (c != res) {
-		r = ctr->limit;
+	/*
+	 * There are 3 cases here:
+	 * - limit reached, interrupt not yet processed.
+	 * - count reset but offset the same, race between handling
+	 *   the interrupt and tickle_tc() updating the offset.
+	 * - normal case.
+	 *
+	 * For the first two cases, add the limit so that we avoid
+	 * time going backwards.
+	 */
+	if (cnt != res) {
+		fixup = 

CVS commit: [netbsd-7-0] src/sys/netinet6

2018-02-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 12 18:37:48 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1551):
sys/netinet6/ip6_forward.c: 1.89-1.90 via patch
Fix use-after-free of mbuf by ip6flow_create
This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd.
--
Fix use-after-free of mbuf by ip6flow_create (one more)


To generate a diff of this commit:
cvs rdiff -u -r1.73.2.1 -r1.73.2.1.2.1 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.73.2.1 src/sys/netinet6/ip6_forward.c:1.73.2.1.2.1
--- src/sys/netinet6/ip6_forward.c:1.73.2.1	Sat Jan 17 12:10:54 2015
+++ src/sys/netinet6/ip6_forward.c	Mon Feb 12 18:37:48 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.73.2.1 2015/01/17 12:10:54 martin Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.73.2.1.2.1 2018/02/12 18:37:48 snj Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.73.2.1 2015/01/17 12:10:54 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.73.2.1.2.1 2018/02/12 18:37:48 snj Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -406,8 +406,8 @@ ip6_forward(struct mbuf *m, int srcrt)
 			IP6_STATINC(IP6_STAT_REDIRECTSENT);
 		else {
 #ifdef GATEWAY
-			if (m->m_flags & M_CANFASTFWD)
-ip6flow_create(_forward_rt, m);
+			if (mcopy->m_flags & M_CANFASTFWD)
+ip6flow_create(_forward_rt, mcopy);
 #endif
 			if (mcopy)
 goto freecopy;
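Review bot: The new dereference `mcopy->m_flags` on the GATEWAY path runs before the `if (mcopy)` test two lines below, and that test shows mcopy can be NULL (presumably the ICMP copy made earlier in ip6_forward is best-effort), so a failed copy would now fault inside the `#ifdef GATEWAY` block instead of simply skipping the flow entry. Guard the dereference too: `if (mcopy != NULL && (mcopy->m_flags & M_CANFASTFWD))`. Whether M_CANFASTFWD is carried over to the copy depends on which flags the earlier copy preserves, which is outside the hunk; if it is not, no flow is ever created, which is safe but deserves a comment. ip6_forward continues outside this hunk on both sides, and `_forward_rt` reads like an extraction artifact for an address-of expression rather than the real identifier.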



CVS commit: [netbsd-7-0] src/sys/dist/pf/net

2018-02-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Feb 10 04:21:15 UTC 2018

Modified Files:
src/sys/dist/pf/net [netbsd-7-0]: pf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1565):
sys/dist/pf/net/pf.c: revision 1.78 via patch
Oh, what is this. Fix a remotely-triggerable integer overflow: the way we
define TCPOLEN_SACK makes it unsigned, and the comparison in the while()
is unsigned too. That's not the expected behavior, the original code
wanted a signed comparison.
It's pretty easy to make 'hlen' go negative and trigger a buffer overflow.
This bug was reported 8 years ago by Lucio Albornoz in PR/44059.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.72.6.1 src/sys/dist/pf/net/pf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dist/pf/net/pf.c
diff -u src/sys/dist/pf/net/pf.c:1.72 src/sys/dist/pf/net/pf.c:1.72.6.1
--- src/sys/dist/pf/net/pf.c:1.72	Fri Jul 25 04:09:58 2014
+++ src/sys/dist/pf/net/pf.c	Sat Feb 10 04:21:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf.c,v 1.72 2014/07/25 04:09:58 ozaki-r Exp $	*/
+/*	$NetBSD: pf.c,v 1.72.6.1 2018/02/10 04:21:15 snj Exp $	*/
 /*	$OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */
 
 /*
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.72 2014/07/25 04:09:58 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.72.6.1 2018/02/10 04:21:15 snj Exp $");
 
 #include "pflog.h"
 
@@ -1590,7 +1590,7 @@ pf_modulate_sack(struct mbuf *m, int off
 	struct sackblk sack;
 
 #ifdef __NetBSD__
-#define	TCPOLEN_SACK (2 * sizeof(uint32_t))
+#define	TCPOLEN_SACK		8		/* 2*sizeof(tcp_seq) */
 #endif
 
 #define TCPOLEN_SACKLEN	(TCPOLEN_SACK + 2)
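Review bot: The new `TCPOLEN_SACK 8` fixes the unsigned comparison only through the type of the literal: the commit message says the `while()` needs a signed compare, but nothing at the define records that, so a future cleanup back to a `sizeof` expression would silently reintroduce the overflow. Replace the trailing comment with one that states the constraint, e.g. `/* 2*sizeof(tcp_seq); keep as an int literal, the while() below needs a signed compare against hlen */`. The loop itself and the declaration of `hlen` lie outside the hunk, so I could not confirm that `hlen` is the only operand that goes negative; an explicit `hlen >= 0` check at the loop would be more robust than relying on constant types.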



CVS commit: [netbsd-7-0] src/sys/netinet

2018-02-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  9 14:06:25 UTC 2018

Modified Files:
src/sys/netinet [netbsd-7-0]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1563):
sys/netinet/ip_input.c: revision 1.366 (via patch)

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
source = 0.0.0.0
destination = public address of the server
LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.319 -r1.319.6.1 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.319 src/sys/netinet/ip_input.c:1.319.6.1
--- src/sys/netinet/ip_input.c:1.319	Mon Jun 16 00:33:39 2014
+++ src/sys/netinet/ip_input.c	Fri Feb  9 14:06:25 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.319 2014/06/16 00:33:39 ozaki-r Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.319.6.1 2018/02/09 14:06:25 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.319 2014/06/16 00:33:39 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.319.6.1 2018/02/09 14:06:25 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -157,10 +157,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #define	IPSENDREDIRECTS	1
 #endif
 #ifndef IPFORWSRCRT
-#define	IPFORWSRCRT	1	/* forward source-routed packets */
+#define	IPFORWSRCRT	0	/* forward source-routed packets */
 #endif
 #ifndef IPALLOWSRCRT
-#define	IPALLOWSRCRT	1	/* allow source-routed packets */
+#define	IPALLOWSRCRT	0	/* allow source-routed packets */
 #endif
 #ifndef IPMTUDISC
 #define IPMTUDISC	1
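Review bot: The defaults flip to 0 but the trailing comments still read as neutral feature toggles, so someone building with the option set back to 1 sees no hint of the consequence described in the commit message. State it at the define, e.g. `/* forward source-routed packets; off by default: LSRR lets a remote sender relay through this host */`, and likewise for IPALLOWSRCRT. If the corresponding sysctl variables are initialised from these macros (outside the hunk), the runtime knob's description should carry the same warning.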



CVS commit: [netbsd-7-0] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 13:06:29 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: nd6_nbr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1562):
sys/netinet6/nd6_nbr.c: revision 1.145 (patch)

Fix memory leak. Contrary to what the XXX indicates, this place is 100%
reachable remotely.


To generate a diff of this commit:
cvs rdiff -u -r1.100.2.2 -r1.100.2.2.2.1 src/sys/netinet6/nd6_nbr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/nd6_nbr.c
diff -u src/sys/netinet6/nd6_nbr.c:1.100.2.2 src/sys/netinet6/nd6_nbr.c:1.100.2.2.2.1
--- src/sys/netinet6/nd6_nbr.c:1.100.2.2	Mon Apr  6 01:32:33 2015
+++ src/sys/netinet6/nd6_nbr.c	Fri Feb  2 13:06:29 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_nbr.c,v 1.100.2.2 2015/04/06 01:32:33 snj Exp $	*/
+/*	$NetBSD: nd6_nbr.c,v 1.100.2.2.2.1 2018/02/02 13:06:29 martin Exp $	*/
 /*	$KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.100.2.2 2015/04/06 01:32:33 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.100.2.2.2.1 2018/02/02 13:06:29 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -590,7 +590,7 @@ nd6_na_input(struct mbuf *m, int off, in
 
 	taddr6 = nd_na->nd_na_target;
 	if (in6_setscope(, ifp, NULL))
-		return;		/* XXX: impossible */
+		goto bad;
 
 	if (IN6_IS_ADDR_MULTICAST()) {
 		nd6log((LOG_ERR,
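Review bot: The `goto bad` replaces a bare `return` that leaked the mbuf, but unlike the multicast-target case just below it the failure is silent: no `nd6log` entry and no counter, so a peer repeatedly triggering `in6_setscope` failures leaves no trace for the operator. Add a log line before the jump, e.g. `nd6log((LOG_ERR, "nd6_na_input: failed to set scope for target\n"));`, rate-limited if nd6log is not already. The `bad:` label is outside the hunk; I am assuming it frees `m`, which is what the commit message implies.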



CVS commit: [netbsd-7-0] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 11:03:53 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: ip6_mroute.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1561):
sys/netinet6/ip6_mroute.c: revision 1.120
Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE,
not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain
on an mbuf that was already freed.


To generate a diff of this commit:
cvs rdiff -u -r1.107 -r1.107.6.1 src/sys/netinet6/ip6_mroute.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_mroute.c
diff -u src/sys/netinet6/ip6_mroute.c:1.107 src/sys/netinet6/ip6_mroute.c:1.107.6.1
--- src/sys/netinet6/ip6_mroute.c:1.107	Sat May 17 21:26:20 2014
+++ src/sys/netinet6/ip6_mroute.c	Fri Feb  2 11:03:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_mroute.c,v 1.107 2014/05/17 21:26:20 rmind Exp $	*/
+/*	$NetBSD: ip6_mroute.c,v 1.107.6.1 2018/02/02 11:03:53 martin Exp $	*/
 /*	$KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $	*/
 
 /*
@@ -117,7 +117,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.107 2014/05/17 21:26:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.107.6.1 2018/02/02 11:03:53 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_mrouting.h"
@@ -1861,7 +1861,7 @@ pim6_input(struct mbuf **mp, int *offp, 
 			(eip6->ip6_vfc & IPV6_VERSION));
 #endif
 			m_freem(m);
-			return (IPPROTO_NONE);
+			return (IPPROTO_DONE);
 		}
 
 		/* verify the inner packet is destined to a mcast group */
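Review bot: The corrected `return (IPPROTO_DONE)` follows `m_freem(m)` with nothing at the site saying why the value matters, which is how the IPPROTO_NONE typo survived unnoticed. Add `/* m is freed: IPPROTO_DONE stops the caller's header-chain walk */` above the return. pim6_input has other early-exit paths outside this hunk; any other `m_freem` followed by `return (IPPROTO_NONE)` would have the same use-after-free and is worth checking while here.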



CVS commit: [netbsd-7-0] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:31:53 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.6.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.149.2.1 -r1.149.2.1.2.1 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.62.2.1 -r1.62.2.1.2.1 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.136 -r1.136.6.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55 src/sys/netinet6/frag6.c:1.55.6.1
--- src/sys/netinet6/frag6.c:1.55	Fri Aug 30 07:42:08 2013
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:31:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -456,11 +448,30 @@ insert:
 
 	if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */
 		int plen = 0;
-		for (t = m; t; t = t->m_next)
+		for (t = m; t; t = t->m_next) {
+			/*
+			 * XXX XXX Why don't we remove M_PKTHDR?
+			 */
 			plen += t->m_len;
+		}
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
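Review bot: The new `goto dropfrag` at the IP6_EXTHDR_GET failure sits after `frag6_remque(q6)` and `kmem_intr_free(q6, ...)` in the previous hunk, so `dropfrag:` (outside the hunk) must not touch q6 on this path, and if IP6_EXTHDR_GET follows the KAME convention of setting `m` to NULL when `m_pulldown` fails, `dropfrag` also has to tolerate a NULL `m`. A comment at the jump, e.g. `/* q6 is already freed; dropfrag must only account and release m (possibly NULL) */`, would make both preconditions explicit. Moving the NXT store after the `m_pkthdr.len` recomputation is correct only because IP6_EXTHDR_GET does not change the chain's total length; recording that ordering dependency in the `Restore NXT` comment would keep a later reorder from breaking it.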

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.149.2.1 src/sys/netinet6/ip6_input.c:1.149.2.1.2.1
--- src/sys/netinet6/ip6_input.c:1.149.2.1	Fri Jan 23 09:27:15 2015
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:31:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.149.2.1.2.1 2018/01/30 18:31:53 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1.2.1 2018/01/30 18:31:53 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1384,50 +1384,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
 

CVS commit: [netbsd-7-0] src/sys/netipsec

2018-01-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Jan 29 19:43:32 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-7-0]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1557):
sys/netipsec/xform_ah.c: revision 1.76
Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
crash the kernel with a single packet.
In this loop we need to increment 'ad' by two, because the length field
of the option header does not count the size of the option header itself.
If the length is zero, then 'count' is incremented by zero, and there's
an infinite loop. Beyond that, this code was written with the assumption
that since the IPv6 packet already went through the generic IPv6 option
parser, several fields are guaranteed to be valid; but this assumption
does not hold because of the missing '+2', and there's as a result a
triggerable buffer overflow (write zeros after the end of the mbuf,
potentially to the next mbuf in memory since it's a pool).
Add the missing '+2', this place will be reinforced in separate commits.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.42.8.1 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.42 src/sys/netipsec/xform_ah.c:1.42.8.1
--- src/sys/netipsec/xform_ah.c:1.42	Sun Nov  3 18:37:10 2013
+++ src/sys/netipsec/xform_ah.c	Mon Jan 29 19:43:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.42 2013/11/03 18:37:10 mrg Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.42.8.1 2018/01/29 19:43:32 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.42 2013/11/03 18:37:10 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.42.8.1 2018/01/29 19:43:32 martin Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -527,12 +527,12 @@ ah_massage_headers(struct mbuf **m0, int
 		return EINVAL;
 	}
 
-	ad = ptr[count + 1];
+	ad = ptr[count + 1] + 2;
 
 	/* If mutable option, zeroize. */
 	if (ptr[count] & IP6OPT_MUTABLE)
 		memcpy(ptr + count, ipseczeroes,
-		ptr[count + 1]);
+		ad);
 
 	count += ad;
 



CVS commit: [netbsd-7-0] src/sys/arch

2018-01-22 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Jan 22 19:40:25 UTC 2018

Modified Files:
src/sys/arch/amd64/amd64 [netbsd-7-0]: machdep.c
src/sys/arch/amd64/include [netbsd-7-0]: segments.h
src/sys/arch/i386/i386 [netbsd-7-0]: machdep.c
src/sys/arch/i386/include [netbsd-7-0]: segments.h
src/sys/arch/x86/x86 [netbsd-7-0]: vm_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1550):
sys/arch/amd64/amd64/machdep.c: revision 1.280 via patch
sys/arch/amd64/include/segments.h: revision 1.34 via patch
sys/arch/i386/i386/machdep.c: revision 1.800 via patch
sys/arch/i386/include/segments.h: revision 1.64 via patch
sys/arch/x86/x86/vm_machdep.c: revision 1.30 via patch
Fix a huge privilege separation vulnerability in Xen-amd64.
On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL
equals SEL_UPL. While Xen can make a distinction between usermode and
kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL
in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes
to read and write to the CPU ports.
It is easy, then, to completely escalate privileges; by reprogramming the
PIC, by reading the ATA disks, by intercepting the keyboard interrupts
(keylogger), etc.
Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use
the ports but not userland. I didn't test this change on i386, but it
seems fine enough.


To generate a diff of this commit:
cvs rdiff -u -r1.211.6.1 -r1.211.6.2 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.24 -r1.24.16.1 src/sys/arch/amd64/include/segments.h
cvs rdiff -u -r1.752.8.1 -r1.752.8.2 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.54 -r1.54.34.1 src/sys/arch/i386/include/segments.h
cvs rdiff -u -r1.25.8.1 -r1.25.8.2 src/sys/arch/x86/x86/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/amd64/machdep.c
diff -u src/sys/arch/amd64/amd64/machdep.c:1.211.6.1 src/sys/arch/amd64/amd64/machdep.c:1.211.6.2
--- src/sys/arch/amd64/amd64/machdep.c:1.211.6.1	Wed Apr 26 14:50:51 2017
+++ src/sys/arch/amd64/amd64/machdep.c	Mon Jan 22 19:40:25 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.211.6.1 2017/04/26 14:50:51 martin Exp $	*/
+/*	$NetBSD: machdep.c,v 1.211.6.2 2018/01/22 19:40:25 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@@ -111,7 +111,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.211.6.1 2017/04/26 14:50:51 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.211.6.2 2018/01/22 19:40:25 snj Exp $");
 
 /* #define XENDEBUG_LOW  */
 
@@ -468,7 +468,7 @@ x86_64_proc0_tss_ldt_init(void)
 	pcb->pcb_fs = 0;
 	pcb->pcb_gs = 0;
 	pcb->pcb_rsp0 = (uvm_lwp_getuarea(l) + USPACE - 16) & ~0xf;
-	pcb->pcb_iopl = SEL_KPL;
+	pcb->pcb_iopl = IOPL_KPL;
 
 	pmap_kernel()->pm_ldt_sel = GSYSSEL(GLDT_SEL, SEL_KPL);
 	pcb->pcb_cr0 = rcr0() & ~CR0_TS;

Index: src/sys/arch/amd64/include/segments.h
diff -u src/sys/arch/amd64/include/segments.h:1.24 src/sys/arch/amd64/include/segments.h:1.24.16.1
--- src/sys/arch/amd64/include/segments.h:1.24	Mon Jan  7 17:03:06 2013
+++ src/sys/arch/amd64/include/segments.h	Mon Jan 22 19:40:25 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: segments.h,v 1.24 2013/01/07 17:03:06 chs Exp $	*/
+/*	$NetBSD: segments.h,v 1.24.16.1 2018/01/22 19:40:25 snj Exp $	*/
 
 /*-
  * Copyright (c) 1990 The Regents of the University of California.
@@ -107,6 +107,12 @@
 #define	ISLDT(s)	((s) & SEL_LDT)	/* is it local or global */
 #define	SEL_LDT		4		/* local descriptor table */	
 
+#ifdef XEN
+#define IOPL_KPL	1
+#else
+#define IOPL_KPL	SEL_KPL
+#endif
+
 /* Dynamically allocated TSSs and LDTs start (byte offset) */
 #define SYSSEL_START	(NGDT_MEM << 3)
 #define DYNSEL_START	(SYSSEL_START + (NGDT_SYS << 4))
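Review bot: `IOPL_KPL` is introduced without a comment, so the reason it differs from `SEL_KPL` only under XEN — the kernel runs in ring 3 there, `SEL_KPL == SEL_UPL`, and an iopl of that value lets unprivileged userland drive I/O ports — lives only in the commit message. Put it at the definition, e.g. `/* Xen-amd64 runs the kernel in ring 3, so an iopl of SEL_KPL would grant userland port access; use 1 */`; the i386 segments.h in this commit is not shown and should carry the same comment. The machdep.c hunks in this commit only consume the macro, and the i386 machdep.c hunk is cut off by the page.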

Index: src/sys/arch/i386/i386/machdep.c
diff -u src/sys/arch/i386/i386/machdep.c:1.752.8.1 src/sys/arch/i386/i386/machdep.c:1.752.8.2
--- src/sys/arch/i386/i386/machdep.c:1.752.8.1	Thu Jul 20 01:42:39 2017
+++ src/sys/arch/i386/i386/machdep.c	Mon Jan 22 19:40:25 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.752.8.1 2017/07/20 01:42:39 snj Exp $	*/
+/*	$NetBSD: machdep.c,v 1.752.8.2 2018/01/22 19:40:25 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009
@@ -67,7 +67,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.752.8.1 2017/07/20 01:42:39 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.752.8.2 2018/01/22 19:40:25 snj Exp $");
 
 #include "opt_beep.h"
 #include "opt_compat_ibcs2.h"
@@ -502,7 +502,7 @@ i386_proc0_tss_ldt_init(void)
 	pmap_kernel()->pm_ldt_sel = GSEL(GLDT_SEL, SEL_KPL);
 	pcb->pcb_cr0 = rcr0() & ~CR0_TS;
 	pcb->pcb_esp0 = uvm_lwp_getuarea(l) + USPACE - 16;
-	pcb->pcb_iopl = SEL_KPL;
+	pcb->pcb_iopl = IOPL_KPL;
 	l->l_md.md_regs = (struct trapframe *)pcb->pcb_esp0 - 

CVS commit: [netbsd-7-0] src/sys/kern

2018-01-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Jan  3 21:11:37 UTC 2018

Modified Files:
src/sys/kern [netbsd-7-0]: subr_kobj.c

Log Message:
Pull up following revision(s) (requested by pgoyette in ticket #1539):
sys/kern/subr_kobj.c: revision 1.52
Compare names of duplicate symbols properly, so we correctly return
an error status.
Fixes PR kern/45125 with patch supplied by Akinobu  Mita


To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.50.6.1 src/sys/kern/subr_kobj.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_kobj.c
diff -u src/sys/kern/subr_kobj.c:1.50 src/sys/kern/subr_kobj.c:1.50.6.1
--- src/sys/kern/subr_kobj.c:1.50	Wed Jul 16 13:26:33 2014
+++ src/sys/kern/subr_kobj.c	Wed Jan  3 21:11:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_kobj.c,v 1.50 2014/07/16 13:26:33 maxv Exp $	*/
+/*	$NetBSD: subr_kobj.c,v 1.50.6.1 2018/01/03 21:11:37 snj Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -63,7 +63,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: subr_kobj.c,v 1.50 2014/07/16 13:26:33 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_kobj.c,v 1.50.6.1 2018/01/03 21:11:37 snj Exp $");
 
 #include "opt_modular.h"
 
@@ -904,7 +904,7 @@ kobj_checksyms(kobj_t ko, bool undefined
 		strcmp(name, "__end") == 0 ||
 		strcmp(name, "__end__") == 0 ||
 		strncmp(name, "__start_link_set_", 17) == 0 ||
-		strncmp(name, "__stop_link_set_", 16)) {
+		strncmp(name, "__stop_link_set_", 16) == 0) {
 			continue;
 		}
 		kobj_error(ko, "global symbol `%s' redefined",
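Review bot: The corrected `== 0` leaves both `strncmp` prefixes with hard-coded lengths (17 and 16) that must track the literals by hand, and the original bug shows how easily this line is mis-edited. Let the compiler derive them: `strncmp(name, "__start_link_set_", sizeof("__start_link_set_") - 1) == 0 ||` and `strncmp(name, "__stop_link_set_", sizeof("__stop_link_set_") - 1) == 0) {`. kobj_checksyms continues outside the hunk.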



CVS commit: [netbsd-7-0] src/sys/external/bsd/drm2/drm

2018-01-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Jan  3 20:46:44 UTC 2018

Modified Files:
src/sys/external/bsd/drm2/drm [netbsd-7-0]: drm_drv.c

Log Message:
Pull up following revision(s) (requested by jmcneill in ticket #1536):
sys/external/bsd/drm2/drm/drm_drv.c: 1.20
drm_stat: fix device minor calculation, ok riastradh@


To generate a diff of this commit:
cvs rdiff -u -r1.9.2.4 -r1.9.2.4.2.1 src/sys/external/bsd/drm2/drm/drm_drv.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/drm2/drm/drm_drv.c
diff -u src/sys/external/bsd/drm2/drm/drm_drv.c:1.9.2.4 src/sys/external/bsd/drm2/drm/drm_drv.c:1.9.2.4.2.1
--- src/sys/external/bsd/drm2/drm/drm_drv.c:1.9.2.4	Tue Mar 17 17:52:49 2015
+++ src/sys/external/bsd/drm2/drm/drm_drv.c	Wed Jan  3 20:46:43 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: drm_drv.c,v 1.9.2.4 2015/03/17 17:52:49 riz Exp $	*/
+/*	$NetBSD: drm_drv.c,v 1.9.2.4.2.1 2018/01/03 20:46:43 snj Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: drm_drv.c,v 1.9.2.4 2015/03/17 17:52:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: drm_drv.c,v 1.9.2.4.2.1 2018/01/03 20:46:43 snj Exp $");
 
 #include 
 #include 
@@ -578,7 +578,7 @@ drm_stat(struct file *fp, struct stat *s
 	struct drm_file *const file = fp->f_data;
 	struct drm_minor *const dminor = file->minor;
 	const dev_t devno = makedev(cdevsw_lookup_major(_cdevsw),
-	64*dminor->index + dminor->type);
+	64*dminor->type + dminor->index);
 
 	(void)memset(st, 0, sizeof(*st));
 
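Review bot: `64*dminor->type + dminor->index` encodes the minor with a bare `64` that has to agree with whatever decodes the device number on the open path (outside the hunk); the swapped operands this commit fixes are exactly the slip a shared encoder would have caught. Name the encoding in one place, for example a small `drm_minor_devno(type, index)`-style helper used by both sides, or at least add `/* must match the minor decoding in the cdev open path */` here. Whether such a helper already exists elsewhere in the file I cannot tell from the hunk.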



CVS commit: [netbsd-7-0] src/sys/arch/x86/x86

2018-01-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Jan  3 20:17:36 UTC 2018

Modified Files:
src/sys/arch/x86/x86 [netbsd-7-0]: pmap.c

Log Message:
Apply patch (requested by maxv in ticket #1531):
amd64: Make the direct map non executable.


To generate a diff of this commit:
cvs rdiff -u -r1.183.2.2.2.3 -r1.183.2.2.2.4 src/sys/arch/x86/x86/pmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/pmap.c
diff -u src/sys/arch/x86/x86/pmap.c:1.183.2.2.2.3 src/sys/arch/x86/x86/pmap.c:1.183.2.2.2.4
--- src/sys/arch/x86/x86/pmap.c:1.183.2.2.2.3	Mon Mar  6 03:32:45 2017
+++ src/sys/arch/x86/x86/pmap.c	Wed Jan  3 20:17:36 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.183.2.2.2.3 2017/03/06 03:32:45 snj Exp $	*/
+/*	$NetBSD: pmap.c,v 1.183.2.2.2.4 2018/01/03 20:17:36 snj Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2010 The NetBSD Foundation, Inc.
@@ -171,7 +171,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.183.2.2.2.3 2017/03/06 03:32:45 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.183.2.2.2.4 2018/01/03 20:17:36 snj Exp $");
 
 #include "opt_user_ldt.h"
 #include "opt_lockdebug.h"
@@ -1517,7 +1517,7 @@ pmap_bootstrap(vaddr_t kva_start)
 		}
 	}
 
-	kpm->pm_pdir[PDIR_SLOT_DIRECT] = dmpdp | PG_KW | PG_V | PG_U;
+	kpm->pm_pdir[PDIR_SLOT_DIRECT] = dmpdp | PG_KW | PG_V | PG_U | pg_nx;
 
 	tlbflush();
 
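Review bot: The NX bit is added only on the top-level `PDIR_SLOT_DIRECT` entry, which is sufficient because on x86 an NX bit at any paging level makes the whole region beneath it non-executable, but nothing at the site says so and a reader may go looking for the lower-level entries filled in by the loop above. Add `/* NX at the PDP level covers every page of the direct map below it */`. `pg_nx` is presumably a runtime value that is 0 on CPUs without NX support (its definition is not visible here), so the direct map stays executable on such hardware; that is the expected fallback but worth stating in the same comment.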



CVS commit: [netbsd-7-0] src/sys/arch/sparc/sparc

2018-01-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Jan  3 20:06:02 UTC 2018

Modified Files:
src/sys/arch/sparc/sparc [netbsd-7-0]: locore.s

Log Message:
Pull up following revision(s) (requested by maya in ticket #1530):
sys/arch/sparc/sparc/locore.s: revision 1.269
Avoid an instruction requiring a higher alignment than we are guaranteed
Fixes PR port-sparc/52721: ddb errors on ps command
Thanks to mlelstv.


To generate a diff of this commit:
cvs rdiff -u -r1.268 -r1.268.16.1 src/sys/arch/sparc/sparc/locore.s

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc/sparc/locore.s
diff -u src/sys/arch/sparc/sparc/locore.s:1.268 src/sys/arch/sparc/sparc/locore.s:1.268.16.1
--- src/sys/arch/sparc/sparc/locore.s:1.268	Sun Nov  4 00:32:47 2012
+++ src/sys/arch/sparc/sparc/locore.s	Wed Jan  3 20:06:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: locore.s,v 1.268 2012/11/04 00:32:47 chs Exp $	*/
+/*	$NetBSD: locore.s,v 1.268.16.1 2018/01/03 20:06:02 snj Exp $	*/
 
 /*
  * Copyright (c) 1996 Paul Kranenburg
@@ -6288,8 +6288,9 @@ ENTRY(longjmp)
 	cmp	%fp, %g7	! compare against desired frame
 	bl,a	1b		! if below,
 	 restore		!pop frame and loop
-	be,a	2f		! if there,
-	 ldd	[%g1+0], %o2	!fetch return %sp and pc, and get out
+	ld	[%g1+0], %o2	! fetch return %sp
+	be,a	2f		! we're there, get out
+	 ld	[%g1+4], %o3	! fetch return pc
 
 Llongjmpbotch:
 ! otherwise, went too far; bomb out
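Review bot: The split from one `ldd` into two `ld`s carries no comment about why, so the next reader who wants the tighter sequence back will reintroduce the alignment fault this commit fixes. Change the first comment to `! fetch return %sp (two ld's, not ldd: %g1 is only 4-byte aligned)`. Note that `ld [%g1+0], %o2` is now executed unconditionally, on every pass of the loop and on the fall-through to Llongjmpbotch, whereas before it sat in the annulled delay slot; that is harmless only if %o2 is dead on those paths, which the hunk does not show.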



CVS commit: [netbsd-7-0] src/sys/arch

2018-01-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Jan  3 19:58:10 UTC 2018

Modified Files:
src/sys/arch/amd64/include [netbsd-7-0]: i82093reg.h
src/sys/arch/i386/include [netbsd-7-0]: i82093reg.h
src/sys/arch/x86/x86 [netbsd-7-0]: ioapic.c

Log Message:
Pull up following revision(s) (requested by nakayama in ticket #1527):
sys/arch/amd64/include/i82093reg.h: revision 1.9
sys/arch/i386/include/i82093reg.h: revision 1.11
sys/arch/x86/x86/ioapic.c: revision 1.54
Don't write a 1 to the read only RIRR bit in the IOAPIC redirection
register to fix "tlp0: filter setup and transmit timeout" observed
on Hyper-V VMs with the Legacy Network Adapter.
From OpenBSD via PR kern/49323:
 https://marc.info/?l=openbsd-cvs=146718035432599=2


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.5.62.1 src/sys/arch/amd64/include/i82093reg.h
cvs rdiff -u -r1.8 -r1.8.62.1 src/sys/arch/i386/include/i82093reg.h
cvs rdiff -u -r1.48 -r1.48.12.1 src/sys/arch/x86/x86/ioapic.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/amd64/include/i82093reg.h
diff -u src/sys/arch/amd64/include/i82093reg.h:1.5 src/sys/arch/amd64/include/i82093reg.h:1.5.62.1
--- src/sys/arch/amd64/include/i82093reg.h:1.5	Thu Jul  3 14:02:25 2008
+++ src/sys/arch/amd64/include/i82093reg.h	Wed Jan  3 19:58:10 2018
@@ -1,4 +1,4 @@
-/*	 $NetBSD: i82093reg.h,v 1.5 2008/07/03 14:02:25 drochner Exp $ */
+/*	 $NetBSD: i82093reg.h,v 1.5.62.1 2018/01/03 19:58:10 snj Exp $ */
 
 #include 
 
@@ -50,6 +50,7 @@
 	movq	IOAPIC_SC_DATA(%rdi),%r15			;\
 	movl	(%r15),%esi	;\
 	orl	$IOAPIC_REDLO_MASK,%esi;\
+	andl	$~IOAPIC_REDLO_RIRR,%esi			;\
 	movl	%esi,(%r15)	;\
 	movq	IS_PIC(%r14),%rdi;\
 	ioapic_asm_unlock(num)
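Review bot: The added `andl $~IOAPIC_REDLO_RIRR,%esi` has no comment, so the only record that RIRR is a read-only status bit which must never be written back as 1 (it breaks at least Hyper-V's emulated IOAPIC, per the log) is the commit message; add `/* RIRR is read-only; writing it back as 1 confuses some emulated IOAPICs */` above the line so the masking survives the next cleanup. The 82093AA datasheet also marks the Delivery Status bit (bit 12) read-only; whether writing that one back has the same effect on the affected emulators is not shown here, but it is the natural thing to check while in this code.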
@@ -66,7 +67,7 @@
 	movq	IOAPIC_SC_DATA(%rdi),%r13			;\
 	movl	%esi, (%r15)	;\
 	movl	(%r13),%r12d	;\
-	andl	$~IOAPIC_REDLO_MASK,%r12d			;\
+	andl	$~(IOAPIC_REDLO_MASK|IOAPIC_REDLO_RIRR),%r12d	;\
 	movl	%esi,(%r15)	;\
 	movl	%r12d,(%r13)	;\
 	movq	IS_PIC(%r14),%rdi;\

Index: src/sys/arch/i386/include/i82093reg.h
diff -u src/sys/arch/i386/include/i82093reg.h:1.8 src/sys/arch/i386/include/i82093reg.h:1.8.62.1
--- src/sys/arch/i386/include/i82093reg.h:1.8	Thu Jul  3 14:02:25 2008
+++ src/sys/arch/i386/include/i82093reg.h	Wed Jan  3 19:58:10 2018
@@ -1,4 +1,4 @@
-/*	 $NetBSD: i82093reg.h,v 1.8 2008/07/03 14:02:25 drochner Exp $ */
+/*	 $NetBSD: i82093reg.h,v 1.8.62.1 2018/01/03 19:58:10 snj Exp $ */
 
 #include 
 
@@ -41,6 +41,7 @@
 	movl	IOAPIC_SC_DATA(%edi),%ebx			;\
 	movl	(%ebx),%esi	;\
 	orl	$IOAPIC_REDLO_MASK,%esi;\
+	andl	$~IOAPIC_REDLO_RIRR,%esi			;\
 	movl	%esi,(%ebx)	;\
 	movl	IS_PIC(%ebp),%edi;\
 	ioapic_asm_unlock(num)
@@ -64,7 +65,7 @@
 	movl	IOAPIC_SC_DATA(%edi),%eax			;\
 	movl	%esi, (%ebx)	;\
 	movl	(%eax),%edx	;\
-	andl	$~IOAPIC_REDLO_MASK,%edx			;\
+	andl	$~(IOAPIC_REDLO_MASK|IOAPIC_REDLO_RIRR),%edx	;\
 	movl	%esi, (%ebx)	;\
 	movl	%edx,(%eax)	;\
 	movl	IS_PIC(%ebp),%edi;\
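Review bot: The i386 macro now matches its amd64 twin, but this read-modify-write of the low redirection word is duplicated four times across the two headers and ioapic.c with the RIRR rule stated in none of them; a comment on this line, `; never write RIRR (read-only) back`, or better a single shared mask of the read-only bits used by all four sites, would keep them from drifting apart. Any other writer of `IOAPIC_REDLO(pin)` that starts from a read-back value, outside these macros, has the same exposure; only the mask/unmask paths are changed here.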

Index: src/sys/arch/x86/x86/ioapic.c
diff -u src/sys/arch/x86/x86/ioapic.c:1.48 src/sys/arch/x86/x86/ioapic.c:1.48.12.1
--- src/sys/arch/x86/x86/ioapic.c:1.48	Fri Jun 28 14:31:49 2013
+++ src/sys/arch/x86/x86/ioapic.c	Wed Jan  3 19:58:10 2018
@@ -1,4 +1,4 @@
-/* 	$NetBSD: ioapic.c,v 1.48 2013/06/28 14:31:49 jakllsch Exp $	*/
+/* 	$NetBSD: ioapic.c,v 1.48.12.1 2018/01/03 19:58:10 snj Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2009 The NetBSD Foundation, Inc.
@@ -64,7 +64,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ioapic.c,v 1.48 2013/06/28 14:31:49 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ioapic.c,v 1.48.12.1 2018/01/03 19:58:10 snj Exp $");
 
 #include "opt_ddb.h"
 
@@ -506,6 +506,7 @@ ioapic_hwmask(struct pic *pic, int pin)
 	flags = ioapic_lock(sc);
 	redlo = ioapic_read_ul(sc, IOAPIC_REDLO(pin));
 	redlo |= IOAPIC_REDLO_MASK;
+	redlo &= ~IOAPIC_REDLO_RIRR;
 	ioapic_write_ul(sc, IOAPIC_REDLO(pin), redlo);
 	ioapic_unlock(sc, flags);
 }
@@ -546,7 +547,7 @@ ioapic_hwunmask(struct pic *pic, int pin
 
 	flags = ioapic_lock(sc);
 	redlo = ioapic_read_ul(sc, IOAPIC_REDLO(pin));
-	redlo &= ~IOAPIC_REDLO_MASK;
+	redlo &= ~(IOAPIC_REDLO_MASK | IOAPIC_REDLO_RIRR);
 	ioapic_write_ul(sc, IOAPIC_REDLO(pin), redlo);
 	ioapic_unlock(sc, flags);
 }
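Review bot: Both `ioapic_hwmask` and `ioapic_hwunmask` now strip RIRR from the value read back from `IOAPIC_REDLO(pin)` before writing it, mirroring the assembly macros, but neither occurrence says why; `redlo &= ~(IOAPIC_REDLO_MASK | IOAPIC_REDLO_RIRR); /* RIRR is RO; never write it back */` would do. If any other function in this file writes `IOAPIC_REDLO(pin)` from a value obtained via `ioapic_read_ul` (the redirection-entry setup path, outside this hunk), it needs the same masking to stay safe on Hyper-V.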



CVS commit: [netbsd-7-0] src/sys/external/bsd/ipf/netinet

2018-01-03 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Wed Jan  3 19:30:41 UTC 2018

Modified Files:
src/sys/external/bsd/ipf/netinet [netbsd-7-0]: ip_state.c

Log Message:
Pull up following revision(s) (requested by sborrill in ticket #1525):
sys/external/bsd/ipf/netinet/ip_state.c: 1.9-1.10
When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.
--
put back the cast.


To generate a diff of this commit:
cvs rdiff -u -r1.6.8.1 -r1.6.8.2 src/sys/external/bsd/ipf/netinet/ip_state.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/ipf/netinet/ip_state.c
diff -u src/sys/external/bsd/ipf/netinet/ip_state.c:1.6.8.1 src/sys/external/bsd/ipf/netinet/ip_state.c:1.6.8.2
--- src/sys/external/bsd/ipf/netinet/ip_state.c:1.6.8.1	Fri Aug 25 05:31:36 2017
+++ src/sys/external/bsd/ipf/netinet/ip_state.c	Wed Jan  3 19:30:41 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_state.c,v 1.6.8.1 2017/08/25 05:31:36 snj Exp $	*/
+/*	$NetBSD: ip_state.c,v 1.6.8.2 2018/01/03 19:30:41 snj Exp $	*/
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -100,7 +100,7 @@ struct file;
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.6.8.1 2017/08/25 05:31:36 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.6.8.2 2018/01/03 19:30:41 snj Exp $");
 #else
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_state.c,v 1.1.1.2 2012/07/22 13:45:37 darrenr Exp";
@@ -298,6 +298,32 @@ ipf_state_soft_destroy(ipf_main_softc_t 
 	KFREE(softs);
 }
 
+static void *
+ipf_state_seed_alloc(u_int state_size, u_int state_max)
+{
+	u_int i;
+	u_long *state_seed;
+	KMALLOCS(state_seed, u_long *, state_size * sizeof(*state_seed));
+	if (state_seed == NULL)
+		return NULL;
+
+	for (i = 0; i < state_size; i++) {
+		/*
+		 * XXX - ipf_state_seed[X] should be a random number of sorts.
+		 */
+#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
+		state_seed[i] = cprng_fast32();
+#else
+		state_seed[i] = ((u_long)state_seed + i) * state_size;
+		state_seed[i] ^= 0xa5a55a5a;
+		state_seed[i] *= (u_long)state_seed;
+		state_seed[i] ^= 0x5a5aa5a5;
+		state_seed[i] *= state_max;
+#endif
+	}
+	return state_seed;
+}
+
 
 /*  */
 /* Function:ipf_state_soft_init */
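Review bot: `ipf_state_seed_alloc` has no function comment even though the file uses the banner style visible right below it; the banner should say that it allocates `state_size` seeds for the state-table hashing, that the caller owns the array and releases it with `KFREES(seed, state_size * sizeof(u_long))`, that it returns NULL on allocation failure, and that the `NEED_LOCAL_RAND`/non-kernel fallback derives the seeds from the array's own address and is therefore predictable (the existing XXX hints at this). On NetBSD's kernel path `cprng_fast32()` fills only the low 32 bits of each `u_long`, whereas the fallback produces full-width values; that is presumably fine if the seeds are only ever reduced modulo the table size, but a note saying so would save the next reader the check.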
@@ -328,27 +354,11 @@ ipf_state_soft_init(ipf_main_softc_t *so
 	bzero((char *)softs->ipf_state_table,
 	  softs->ipf_state_size * sizeof(ipstate_t *));
 
-	KMALLOCS(softs->ipf_state_seed, u_long *,
-		 softs->ipf_state_size * sizeof(*softs->ipf_state_seed));
+	softs->ipf_state_seed = ipf_state_seed_alloc(softs->ipf_state_size,
+	softs->ipf_state_max);
 	if (softs->ipf_state_seed == NULL)
 		return -2;
 
-	for (i = 0; i < softs->ipf_state_size; i++) {
-		/*
-		 * XXX - ipf_state_seed[X] should be a random number of sorts.
-		 */
-#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
-		softs->ipf_state_seed[i] = cprng_fast32();
-#else
-		softs->ipf_state_seed[i] = ((u_long)softs->ipf_state_seed + i) *
-softs->ipf_state_size;
-		softs->ipf_state_seed[i] ^= 0xa5a55a5a;
-		softs->ipf_state_seed[i] *= (u_long)softs->ipf_state_seed;
-		softs->ipf_state_seed[i] ^= 0x5a5aa5a5;
-		softs->ipf_state_seed[i] *= softs->ipf_state_max;
-#endif
-	}
-
 	KMALLOCS(softs->ipf_state_stats.iss_bucketlen, u_int *,
 		 softs->ipf_state_size * sizeof(u_int));
 	if (softs->ipf_state_stats.iss_bucketlen == NULL)
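Review bot: The removed loop looks like the only user of `i` in `ipf_state_soft_init`; if `i` is declared at the top of the function (outside this hunk) it is now unused and will warn under the file's WARNS level, so drop the declaration along with the loop. Note also that `softs->ipf_state_max` is only consumed by the non-kernel fallback inside `ipf_state_seed_alloc`, so on the kernel build the second argument has no effect; a short comment at the call would save the next reader from looking for one. The function starts before this hunk.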
@@ -5137,6 +5147,7 @@ ipf_state_rehash(ipf_main_softc_t *softc
 {
 	ipf_state_softc_t *softs = softc->ipf_state_soft;
 	ipstate_t **newtab, *is;
+	u_long *newseed;
 	u_int *bucketlens;
 	u_int maxbucket;
 	u_int newsize;
@@ -5163,6 +5174,14 @@ ipf_state_rehash(ipf_main_softc_t *softc
 		return ENOMEM;
 	}
 
+	newseed = ipf_state_seed_alloc(newsize, softs->ipf_state_max);
+	if (newseed == NULL) {
+		KFREES(bucketlens, newsize * sizeof(*bucketlens));
+		KFREES(newtab, newsize * sizeof(*newtab));
+		IPFERROR(100037);
+		return ENOMEM;
+	}
+
 	for (maxbucket = 0, i = newsize; i > 0; i >>= 1)
 		maxbucket++;
 	maxbucket *= 2;
@@ -5178,6 +5197,12 @@ ipf_state_rehash(ipf_main_softc_t *softc
 	}
 	softs->ipf_state_table = newtab;
 
+	if (softs->ipf_state_seed != NULL) {
+		KFREES(softs->ipf_state_seed,
+		   softs->ipf_state_size * sizeof(*softs->ipf_state_seed));
+	}
+	softs->ipf_state_seed = newseed;
+
 	if (softs->ipf_state_stats.iss_bucketlen != NULL) {
 		KFREES(softs->ipf_state_stats.iss_bucketlen,
 		   softs->ipf_state_size * sizeof(u_int));
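Review bot: Ordering is what makes this swap safe: the new seed array has `newsize` entries while `softs->ipf_state_size` is still the old size until it is assigned further down (outside this hunk), so any hash computed between this point and that assignment would index the new seeds with the old modulus. That is fine as long as the swap stays under the state write lock and ahead of the re-insertion walk that refills `newtab`, which appears to be the case here; add `/* must precede the ipf_state_size update and the re-insert loop below */` so a reorder does not break it. The `KFREES` of the old seeds correctly uses the old `ipf_state_size` for the same reason.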



CVS commit: [netbsd-7-0] src/sys/arch/x86/x86

2017-12-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Dec 12 09:12:50 UTC 2017

Modified Files:
src/sys/arch/x86/x86 [netbsd-7-0]: fpu.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1540):
sys/arch/x86/x86/fpu.c: 1.19 via patch
Mask mxcsr, otherwise userland could set reserved bits to 1 and make
xrstor fault.


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.12.1 src/sys/arch/x86/x86/fpu.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/fpu.c
diff -u src/sys/arch/x86/x86/fpu.c:1.9 src/sys/arch/x86/x86/fpu.c:1.9.12.1
--- src/sys/arch/x86/x86/fpu.c:1.9	Tue Feb 25 22:16:52 2014
+++ src/sys/arch/x86/x86/fpu.c	Tue Dec 12 09:12:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: fpu.c,v 1.9 2014/02/25 22:16:52 dsl Exp $	*/
+/*	$NetBSD: fpu.c,v 1.9.12.1 2017/12/12 09:12:50 snj Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.  All
@@ -100,7 +100,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: fpu.c,v 1.9 2014/02/25 22:16:52 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fpu.c,v 1.9.12.1 2017/12/12 09:12:50 snj Exp $");
 
 #include "opt_multiprocessor.h"
 
@@ -617,6 +617,7 @@ process_write_fpregs_xmm(struct lwp *lwp
 		sizeof fpu_save->sv_xmm);
 		/* Invalid bits in the mxcsr_mask will cause faults */
 		fpu_save->sv_xmm.fx_mxcsr_mask &= __INITIAL_MXCSR_MASK__;
+		fpu_save->sv_xmm.fx_mxcsr &= fpu_save->sv_xmm.fx_mxcsr_mask;
 	} else {
 		process_xmm_to_s87(fpregs, _save->sv_87);
 	}
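Review bot: The clamp covers only `process_write_fpregs_xmm`; any other path that installs a user-supplied `mxcsr` into the save area, notably signal/mcontext restore, needs the same `fx_mxcsr &= fx_mxcsr_mask` or fxrstor/xrstor will fault from there too, and that code is outside this hunk so I cannot tell whether it already does. Extend the existing comment so the pair reads `/* Invalid bits in mxcsr_mask, or mxcsr bits outside the mask, make fxrstor/xrstor fault */`. Masking `fx_mxcsr` after `fx_mxcsr_mask` has itself been clamped is the right order, since a user-supplied zero mask then zeroes mxcsr rather than leaving stray bits. The function starts before this hunk.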



CVS commit: [netbsd-7-0] src/sys/dev/sysmon

2017-10-24 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Oct 24 09:24:32 UTC 2017

Modified Files:
src/sys/dev/sysmon [netbsd-7-0]: sysmon_envsys.c

Log Message:
Fix fallout from ticket #1511:
It's rnd_detach_source, not rnd_detach_sources.


To generate a diff of this commit:
cvs rdiff -u -r1.127.2.1.2.1 -r1.127.2.1.2.2 \
src/sys/dev/sysmon/sysmon_envsys.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/sysmon/sysmon_envsys.c
diff -u src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1.2.1 src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1.2.2
--- src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1.2.1	Mon Oct 23 18:57:08 2017
+++ src/sys/dev/sysmon/sysmon_envsys.c	Tue Oct 24 09:24:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: sysmon_envsys.c,v 1.127.2.1.2.1 2017/10/23 18:57:08 snj Exp $	*/
+/*	$NetBSD: sysmon_envsys.c,v 1.127.2.1.2.2 2017/10/24 09:24:32 snj Exp $	*/
 
 /*-
  * Copyright (c) 2007, 2008 Juan Romero Pardines.
@@ -64,7 +64,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: sysmon_envsys.c,v 1.127.2.1.2.1 2017/10/23 18:57:08 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sysmon_envsys.c,v 1.127.2.1.2.2 2017/10/24 09:24:32 snj Exp $");
 
 #include 
 #include 
@@ -1210,7 +1210,7 @@ sme_remove_userprops(void)
 			 * Detach from entropy collection
 			 */
 			if (edata->flags & ENVSYS_FHAS_ENTROPY)
-rnd_detach_sources(>rnd_src);
+rnd_detach_source(>rnd_src);
 
 			/*
 			 * Finally, remove any old limits event, then



CVS commit: [netbsd-7-0] src/sys/dev

2017-10-23 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Oct 23 19:27:41 UTC 2017

Modified Files:
src/sys/dev [netbsd-7-0]: cgd.c

Log Message:
Pull up following revision(s) (requested by kamil in ticket #1518):
sys/dev/cgd.c: revision 1.113
PR kern/52630: The cgd(4) module requires des and blowfish symbols
This has been exposed with the MODULAR kernel.
kobj_checksyms, 979: [cgd]: linker error: symbol `BF_set_key' not found
kobj_checksyms, 979: [cgd]: linker error: symbol `des_key_sched' not found
kobj_checksyms, 979: [cgd]: linker error: symbol `des_ede3_cbc_encrypt' not 
found
WARNING: module error: unable to affix module `cgd', error 8
Reviewed by 


To generate a diff of this commit:
cvs rdiff -u -r1.90.4.2 -r1.90.4.3 src/sys/dev/cgd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/cgd.c
diff -u src/sys/dev/cgd.c:1.90.4.2 src/sys/dev/cgd.c:1.90.4.3
--- src/sys/dev/cgd.c:1.90.4.2	Sat Jul  8 16:12:44 2017
+++ src/sys/dev/cgd.c	Mon Oct 23 19:27:41 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: cgd.c,v 1.90.4.2 2017/07/08 16:12:44 snj Exp $ */
+/* $NetBSD: cgd.c,v 1.90.4.3 2017/10/23 19:27:41 snj Exp $ */
 
 /*-
  * Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.90.4.2 2017/07/08 16:12:44 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cgd.c,v 1.90.4.3 2017/10/23 19:27:41 snj Exp $");
 
 #include 
 #include 
@@ -998,7 +998,7 @@ hexprint(const char *start, void *buf, i
 }
 #endif
 
-MODULE(MODULE_CLASS_DRIVER, cgd, "dk_subr");
+MODULE(MODULE_CLASS_DRIVER, cgd, "blowfish,des,dk_subr");
 
 #ifdef _MODULE
 CFDRIVER_DECL(cgd, DV_DISK, NULL);
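Review bot: The dependency string lists only the two ciphers whose symbols failed to resolve; cgd also offers `aes-cbc`, whose rijndael symbols do not appear in the linker errors quoted in the log, which suggests rijndael is compiled into the base kernel on this branch rather than being a module. If that ever changes it must be added here too, so a comment on the line, `/* ciphers cgd can be configured with; rijndael is in-kernel */`, records the assumption rather than leaving it implicit.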



CVS commit: [netbsd-7-0] src/sys/dev/sysmon

2017-10-23 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Oct 23 18:57:08 UTC 2017

Modified Files:
src/sys/dev/sysmon [netbsd-7-0]: sysmon_envsys.c

Log Message:
Apply patch (requested by pgoyette in ticket #1511):
Detach the rndsrc before re-attaching it.


To generate a diff of this commit:
cvs rdiff -u -r1.127.2.1 -r1.127.2.1.2.1 src/sys/dev/sysmon/sysmon_envsys.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/sysmon/sysmon_envsys.c
diff -u src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1 src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1.2.1
--- src/sys/dev/sysmon/sysmon_envsys.c:1.127.2.1	Mon Apr  6 18:45:30 2015
+++ src/sys/dev/sysmon/sysmon_envsys.c	Mon Oct 23 18:57:08 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: sysmon_envsys.c,v 1.127.2.1 2015/04/06 18:45:30 snj Exp $	*/
+/*	$NetBSD: sysmon_envsys.c,v 1.127.2.1.2.1 2017/10/23 18:57:08 snj Exp $	*/
 
 /*-
  * Copyright (c) 2007, 2008 Juan Romero Pardines.
@@ -64,7 +64,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: sysmon_envsys.c,v 1.127.2.1 2015/04/06 18:45:30 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sysmon_envsys.c,v 1.127.2.1.2.1 2017/10/23 18:57:08 snj Exp $");
 
 #include 
 #include 
@@ -1207,6 +1207,12 @@ sme_remove_userprops(void)
 			}
 
 			/*
+			 * Detach from entropy collection
+			 */
+			if (edata->flags & ENVSYS_FHAS_ENTROPY)
+rnd_detach_sources(>rnd_src);
+
+			/*
 			 * Finally, remove any old limits event, then
 			 * install a new event (which will update the
 			 * dictionary)
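Review bot: `rnd_detach_sources` is not the kernel's entropy API name — it is `rnd_detach_source` (the follow-up commit on this page corrects exactly that), so this hunk as applied does not link. Beyond the typo, the detach is keyed only on `ENVSYS_FHAS_ENTROPY`; if that flag can be set before `rnd_attach_source` has run for the sensor, or the attach lives somewhere other than where the flag is set, this detaches a source that was never attached, so the attach site (outside this hunk) should be the only place that sets the flag. `sme_remove_userprops` starts before this hunk.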



CVS commit: [netbsd-7-0] src/sys/arch/i386/i386

2017-10-01 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Oct  1 17:01:44 UTC 2017

Modified Files:
src/sys/arch/i386/i386 [netbsd-7-0]: i386_trap.S

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1512):
sys/arch/i386/i386/i386_trap.S: revision 1.12
Pfff, use %ss and not %ds. The latter is controlled by userland, the former
contains the kernel value (flat); FreeBSD fixed this too a few weeks ago.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.5.12.1 src/sys/arch/i386/i386/i386_trap.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/i386/i386_trap.S
diff -u src/sys/arch/i386/i386/i386_trap.S:1.5 src/sys/arch/i386/i386/i386_trap.S:1.5.12.1
--- src/sys/arch/i386/i386/i386_trap.S:1.5	Wed Feb 12 23:24:09 2014
+++ src/sys/arch/i386/i386/i386_trap.S	Sun Oct  1 17:01:44 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: i386_trap.S,v 1.5 2014/02/12 23:24:09 dsl Exp $	*/
+/*	$NetBSD: i386_trap.S,v 1.5.12.1 2017/10/01 17:01:44 snj Exp $	*/
 
 /*
  * Copyright 2002 (c) Wasabi Systems, Inc.
@@ -66,7 +66,7 @@
 
 #if 0
 #include 
-__KERNEL_RCSID(0, "$NetBSD: i386_trap.S,v 1.5 2014/02/12 23:24:09 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i386_trap.S,v 1.5.12.1 2017/10/01 17:01:44 snj Exp $");
 #endif
 
 /*
@@ -119,7 +119,7 @@ IDTVEC_END(trap05)
 	SUPERALIGN_TEXT
 IDTVEC(trap06)
 	/* Check if there is no DTrace hook registered. */
-	cmpl	$0,dtrace_invop_jump_addr
+	cmpl	$0,%ss:dtrace_invop_jump_addr
 	je	norm_ill
 
 	/* Check if this is a user fault. */
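Review bot: The `%ss:` override fixes this one absolute memory operand, but any other non-%esp-relative reference executed in these early trap stubs before the segment registers are reloaded has the same exposure (a user-controlled `%ds` redirects the load), and only `trap06` is touched here; the other `IDTVEC`s in this file should be checked for the same pattern. A comment keeps the override from being mistaken for noise: `cmpl $0,%ss:dtrace_invop_jump_addr /* %ds still holds the user value here; %ss is the kernel flat segment */`.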



CVS commit: [netbsd-7-0] src/sys/arch

2017-09-24 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Sep 24 20:12:53 UTC 2017

Modified Files:
src/sys/arch/evbmips/conf [netbsd-7-0]: MALTA MALTA32 MALTA64
src/sys/arch/mips/mips [netbsd-7-0]: bds_emul.S

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1500):
sys/arch/evbmips/conf/MALTA64: revision 1.8
sys/arch/evbmips/conf/MALTA32: revision 1.4
sys/arch/mips/mips/bds_emul.S: revision 1.9
sys/arch/evbmips/conf/MALTA: revision 1.88
Re-enable the NOFPU and (renamed) FPEMUL options.  None of the Malta
CPU daughter cards currently supported by NetBSD have an FPU.
Detected on real hardware.  gxemul wrongly supports an FPU on the
4Kc and 5Kc CPUs.
--
Remove the NOFPU option.  The main MALTA config file has this now.
--
mips_emul_daddi and mips_emul_daddiu don't exist, but there are
bcemul_daddi and bcemul_daddiu here that should be used.  however,
bcemul_daddi needed to be changed to use dadd not daddui.
fixes FPEMUL and N64 kernels.  ok simonb.


To generate a diff of this commit:
cvs rdiff -u -r1.78 -r1.78.4.1 src/sys/arch/evbmips/conf/MALTA
cvs rdiff -u -r1.3 -r1.3.26.1 src/sys/arch/evbmips/conf/MALTA32
cvs rdiff -u -r1.6 -r1.6.14.1 src/sys/arch/evbmips/conf/MALTA64
cvs rdiff -u -r1.6 -r1.6.26.1 src/sys/arch/mips/mips/bds_emul.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/evbmips/conf/MALTA
diff -u src/sys/arch/evbmips/conf/MALTA:1.78 src/sys/arch/evbmips/conf/MALTA:1.78.4.1
--- src/sys/arch/evbmips/conf/MALTA:1.78	Sun Jul 20 10:06:11 2014
+++ src/sys/arch/evbmips/conf/MALTA	Sun Sep 24 20:12:53 2017
@@ -1,17 +1,18 @@
-#	$NetBSD: MALTA,v 1.78 2014/07/20 10:06:11 alnsn Exp $
+#	$NetBSD: MALTA,v 1.78.4.1 2017/09/24 20:12:53 snj Exp $
 
 include 	"arch/evbmips/conf/std.malta"
 
 #options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"MALTA-$Revision: 1.78 $"
+#ident 		"MALTA-$Revision: 1.78.4.1 $"
 
 maxusers	32
 
 options 	MIPS32
 options 	MIPS64
-#options 	NOFPU		# No FPU
-#options 	FPEMUL		# emulate FPU insn
+
+options 	NOFPU		# No FPU
+options 	FPEMUL		# emulate FPU insn
 
 # Options for necessary to use MD
 # options 	MEMORY_DISK_HOOKS

Index: src/sys/arch/evbmips/conf/MALTA32
diff -u src/sys/arch/evbmips/conf/MALTA32:1.3 src/sys/arch/evbmips/conf/MALTA32:1.3.26.1
--- src/sys/arch/evbmips/conf/MALTA32:1.3	Thu Feb  9 18:58:44 2012
+++ src/sys/arch/evbmips/conf/MALTA32	Sun Sep 24 20:12:53 2017
@@ -1,11 +1,10 @@
-# $NetBSD: MALTA32,v 1.3 2012/02/09 18:58:44 matt Exp $
+# $NetBSD: MALTA32,v 1.3.26.1 2017/09/24 20:12:53 snj Exp $
 #
 include "arch/evbmips/conf/MALTA"
 
 makeoptions	LP64="no"
 
 no options	MIPS32
-options 	NOFPU		# No FPU
 #options 	EXEC_ELF64
 
 no ath*

Index: src/sys/arch/evbmips/conf/MALTA64
diff -u src/sys/arch/evbmips/conf/MALTA64:1.6 src/sys/arch/evbmips/conf/MALTA64:1.6.14.1
--- src/sys/arch/evbmips/conf/MALTA64:1.6	Sat Oct 13 06:08:11 2012
+++ src/sys/arch/evbmips/conf/MALTA64	Sun Sep 24 20:12:53 2017
@@ -1,11 +1,10 @@
-# $NetBSD: MALTA64,v 1.6 2012/10/13 06:08:11 riz Exp $
+# $NetBSD: MALTA64,v 1.6.14.1 2017/09/24 20:12:53 snj Exp $
 #
 include "arch/evbmips/conf/MALTA"
 
 makeoptions	LP64="yes"
 
 no options 	MIPS32
-options 	NOFPU			# No FPU
 options 	EXEC_ELF64
 options 	COMPAT_NETBSD32
 no options 	SYMTAB_SPACE

Index: src/sys/arch/mips/mips/bds_emul.S
diff -u src/sys/arch/mips/mips/bds_emul.S:1.6 src/sys/arch/mips/mips/bds_emul.S:1.6.26.1
--- src/sys/arch/mips/mips/bds_emul.S:1.6	Sun Dec 25 11:51:15 2011
+++ src/sys/arch/mips/mips/bds_emul.S	Sun Sep 24 20:12:53 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bds_emul.S,v 1.6 2011/12/25 11:51:15 kiyohara Exp $	*/
+/*	$NetBSD: bds_emul.S,v 1.6.26.1 2017/09/24 20:12:53 snj Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -101,8 +101,8 @@ bcemul_optbl:
 	PTR_WORD bcemul_sigill			# 030 LDL (*)
 	PTR_WORD bcemul_sigill			# 031 LDR (*)
 #else
-	PTR_WORD _C_LABEL(mips_emul_daddi)	# 030 DADDI (*)
-	PTR_WORD _C_LABEL(mips_emul_daddiu)	# 031 DADDIU (*)
+	PTR_WORD bcemul_daddi			# 030 DADDI (*)
+	PTR_WORD bcemul_daddiu			# 031 DADDIU (*)
 	PTR_WORD _C_LABEL(mips_emul_ldl)	# 032 LDL (*)
 	PTR_WORD _C_LABEL(mips_emul_ldr)	# 033 LDR (*)
 #endif
@@ -191,7 +191,7 @@ bcemul_uimmed_prologue:
 #ifndef __mips_o32
 bcemul_daddi:
 	bal	bcemul_immed_prologue
-	daddiu	t0, v0, v1
+	dadd	t0, v0, v1
 	b	bcemul_check_add_overflow
 #endif
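Review bot: `dadd` raises an Integer Overflow exception itself when the sum overflows, so for an overflowing DADDI the trap is taken inside the emulator in kernel mode before `bcemul_check_add_overflow` ever runs; if that label is meant to detect the overflow and deliver the signal to the process, as its name suggests, the non-trapping `daddu t0, v0, v1` is the instruction wanted here, mirroring what the 32-bit ADDI emulation presumably does with `addu`. That 32-bit path is outside this hunk, so confirm against it; if taking the overflow trap in-kernel is instead handled deliberately, say so in a comment on the line.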
 



CVS commit: [netbsd-7-0] src/sys/compat/linux32/arch/amd64

2017-09-09 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Sep  9 16:57:34 UTC 2017

Modified Files:
src/sys/compat/linux32/arch/amd64 [netbsd-7-0]: linux32_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1507):
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39
Fix a ring0 escalation vulnerability in compat_linux32 where the
index of %cs is controlled by userland, making it easy to trigger
the page fault and get kernel privileges.


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.36.8.1 \
src/sys/compat/linux32/arch/amd64/linux32_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c
diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36.8.1
--- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.36	Wed Feb 19 21:45:01 2014
+++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c	Sat Sep  9 16:57:34 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux32_machdep.c,v 1.36 2014/02/19 21:45:01 dsl Exp $ */
+/*	$NetBSD: linux32_machdep.c,v 1.36.8.1 2017/09/09 16:57:34 snj Exp $ */
 
 /*-
  * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -31,7 +31,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.36 2014/02/19 21:45:01 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.36.8.1 2017/09/09 16:57:34 snj Exp $");
 
 #include 
 #include 
@@ -417,8 +417,9 @@ linux32_restore_sigcontext(struct lwp *l
 	/*
 	 * Check for security violations.
 	 */
-	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 ||
-	!USERMODE(scp->sc_cs, scp->sc_eflags))
+	if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0)
+		return EINVAL;
+	if (!VALID_USER_CSEL32(scp->sc_cs))
 		return EINVAL;
 
 	if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
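Review bot: `VALID_USER_CSEL32` replaces a check that only looked at the RPL of `sc_cs`, which is the right fix for the code selector; the stack selector `sc_ss` needs the same unconditional exact-match validation, because the data-selector checks that follow (the `sc_fs` one starts on the last line) are skipped when the selector is 0, and a zero or kernel `%ss` reaching `iret` also faults in kernel mode. Those remaining checks are outside this hunk, so confirm `sc_ss` is validated with `VALID_USER_DSEL32` without the `!= 0` escape. A comment naming the threat on the new test, `/* user-controlled %cs index must be the 32-bit user code selector */`, would finish it. `linux32_restore_sigcontext` starts before this hunk.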



CVS commit: [netbsd-7-0] src/sys/arch/sparc64/sparc64

2017-09-04 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Sep  4 16:07:14 UTC 2017

Modified Files:
src/sys/arch/sparc64/sparc64 [netbsd-7-0]: compat_13_machdep.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1504):
sys/arch/sparc64/sparc64/compat_13_machdep.c: revision 1.24
Apply only CCR. Otherwise userland could set PSTATE_PRIV in %pstate and get
kernel privileges on the hardware.
ok martin


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.42.1 \
src/sys/arch/sparc64/sparc64/compat_13_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sparc64/sparc64/compat_13_machdep.c
diff -u src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23 src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23.42.1
--- src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23	Sat Nov 21 04:16:52 2009
+++ src/sys/arch/sparc64/sparc64/compat_13_machdep.c	Mon Sep  4 16:07:14 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $	*/
+/*	$NetBSD: compat_13_machdep.c,v 1.23.42.1 2017/09/04 16:07:14 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23.42.1 2017/09/04 16:07:14 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -129,7 +129,7 @@ compat_13_sys_sigreturn(struct lwp *l, c
 		return (EINVAL);
 	/* take only psr ICC field */
 #ifdef __arch64__
-	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | scp->sc_tstate;
+	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | (scp->sc_tstate & TSTATE_CCR);
 #else
 	tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | PSRCC_TO_TSTATE(scp->sc_psr);
 #endif
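Review bot: The comment above, `take only psr ICC field`, now undersells the guard: in the 64-bit branch it keeps only the CCR bits of the user-supplied `sc_tstate`, which is what stops a forged `PSTATE_PRIV` in the PSTATE field of `%tstate` from granting kernel privilege; reword it to `/* take only the CCR field of sc_tstate; PSTATE, CWP and ASI stay kernel-controlled */`. The same `| scp->sc_tstate` pattern may exist in the other sigreturn/setcontext variants for sparc64 (compat_16, native mcontext), which are outside this file and worth checking. `compat_13_sys_sigreturn` starts before this hunk.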



CVS commit: [netbsd-7-0] src/sys/external/bsd/ipf/netinet

2017-08-24 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 25 05:31:36 UTC 2017

Modified Files:
src/sys/external/bsd/ipf/netinet [netbsd-7-0]: fil.c ip_frag.c
ip_state.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1412):
sys/external/bsd/ipf/netinet/fil.c: revision 1.20
sys/external/bsd/ipf/netinet/ip_frag.c: revision 1.5
sys/external/bsd/ipf/netinet/ip_state.c: revision 1.7
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)
--
Free the right fragment (Cy Schubert @ FreeBSD). This will cause use after free
issues and eventually panic.


To generate a diff of this commit:
cvs rdiff -u -r1.15.2.1 -r1.15.2.1.2.1 src/sys/external/bsd/ipf/netinet/fil.c
cvs rdiff -u -r1.3 -r1.3.18.1 src/sys/external/bsd/ipf/netinet/ip_frag.c
cvs rdiff -u -r1.6 -r1.6.8.1 src/sys/external/bsd/ipf/netinet/ip_state.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/ipf/netinet/fil.c
diff -u src/sys/external/bsd/ipf/netinet/fil.c:1.15.2.1 src/sys/external/bsd/ipf/netinet/fil.c:1.15.2.1.2.1
--- src/sys/external/bsd/ipf/netinet/fil.c:1.15.2.1	Fri Apr 10 20:26:46 2015
+++ src/sys/external/bsd/ipf/netinet/fil.c	Fri Aug 25 05:31:36 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: fil.c,v 1.15.2.1 2015/04/10 20:26:46 snj Exp $	*/
+/*	$NetBSD: fil.c,v 1.15.2.1.2.1 2017/08/25 05:31:36 snj Exp $	*/
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -138,7 +138,7 @@ extern struct timeout ipf_slowtimer_ch;
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.15.2.1 2015/04/10 20:26:46 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.15.2.1.2.1 2017/08/25 05:31:36 snj Exp $");
 #else
 static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: fil.c,v 1.1.1.2 2012/07/22 13:45:07 darrenr Exp $";
@@ -2689,7 +2689,7 @@ ipf_firewall(fr_info_t *fin, u_32_t *pas
 	 * If the rule has "keep frag" and the packet is actually a fragment,
 	 * then create a fragment state entry.
 	 */
-	if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
+	if (pass & FR_KEEPFRAG) {
 		if (fin->fin_flx & FI_FRAG) {
 			if (ipf_frag_new(softc, fin, pass) == -1) {
 LBUMP(ipf_stats[out].fr_bnfr);
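Review bot: With `keep state` and `keep frags` both set, the fragment entry can now be created here in `ipf_firewall` as well as from `ipf_state_check` (which the same commit gates on `FR_KEEPFRAG`); if both run for the same first fragment, the second `ipf_frag_new` takes the already-exists path, which the ip_frag.c hunk makes safe by freeing the right entry. That dependency between the two hunks deserves a comment here: `/* keep frags is independent of keep state; ipf_state_check may also create the entry */`. `ipf_firewall` starts before this hunk.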

Index: src/sys/external/bsd/ipf/netinet/ip_frag.c
diff -u src/sys/external/bsd/ipf/netinet/ip_frag.c:1.3 src/sys/external/bsd/ipf/netinet/ip_frag.c:1.3.18.1
--- src/sys/external/bsd/ipf/netinet/ip_frag.c:1.3	Sun Jul 22 14:27:51 2012
+++ src/sys/external/bsd/ipf/netinet/ip_frag.c	Fri Aug 25 05:31:36 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_frag.c,v 1.3 2012/07/22 14:27:51 darrenr Exp $	*/
+/*	$NetBSD: ip_frag.c,v 1.3.18.1 2017/08/25 05:31:36 snj Exp $	*/
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -87,7 +87,7 @@ struct file;
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.3 2012/07/22 14:27:51 darrenr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.3.18.1 2017/08/25 05:31:36 snj Exp $");
 #else
 static const char sccsid[] = "@(#)ip_frag.c	1.11 3/24/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_frag.c,v 1.1.1.2 2012/07/22 13:45:17 darrenr Exp";
@@ -468,7 +468,7 @@ ipfr_frag_new(
 			  IPFR_CMPSZ)) {
 			RWLOCK_EXIT(lock);
 			FBUMPD(ifs_exists);
-			KFREE(fra);
+			KFREE(fran);
 			return NULL;
 		}
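Review bot: Freeing `fran` (the freshly allocated entry) rather than `fra` (the matching entry still linked in the table) is the fix, and since the two names differ by a single letter the line should say so: `KFREE(fran); /* ours; fra is the existing entry still in the table */`. Renaming `fran` to something like `newfrag` in a follow-up would remove the trap that let the bug in. `ipfr_frag_new` starts before this hunk.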
 

Index: src/sys/external/bsd/ipf/netinet/ip_state.c
diff -u src/sys/external/bsd/ipf/netinet/ip_state.c:1.6 src/sys/external/bsd/ipf/netinet/ip_state.c:1.6.8.1
--- src/sys/external/bsd/ipf/netinet/ip_state.c:1.6	Sat Sep 14 12:16:11 2013
+++ src/sys/external/bsd/ipf/netinet/ip_state.c	Fri Aug 25 05:31:36 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_state.c,v 1.6 2013/09/14 12:16:11 martin Exp $	*/
+/*	$NetBSD: ip_state.c,v 1.6.8.1 2017/08/25 05:31:36 snj Exp $	*/
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -100,7 +100,7 @@ struct file;
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.6 2013/09/14 12:16:11 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.6.8.1 2017/08/25 05:31:36 snj Exp $");
 #else
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_state.c,v 1.1.1.2 2012/07/22 13:45:37 darrenr Exp";
@@ -3341,7 +3341,8 @@ ipf_state_check(fr_info_t *fin, u_32_t *
 	 * If this packet is a fragment and the rule says to track fragments,
 	 * then create a new fragment cache entry.
 	 */
-	if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass))
+	if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) &&
+	   is->is_pass & FR_KEEPFRAG)
 		(void) ipf_frag_new(softc, fin, is->is_pass);
 
 	/*
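Review bot: The new condition relies on `&` binding tighter than `&&`; that is correct, but it is exactly the reading the original `(fin->fin_flx & FI_FRAG)` parentheses existed to make explicit, and gcc's `-Wparentheses` does not flag this form, so nothing will catch a later slip. Write it as `if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass) && (is->is_pass & FR_KEEPFRAG))`. `ipf_state_check` starts before this hunk.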



CVS commit: [netbsd-7-0] src/sys/arch/i386/conf

2017-08-24 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Aug 24 06:50:16 UTC 2017

Modified Files:
src/sys/arch/i386/conf [netbsd-7-0]: GENERIC

Log Message:
Apply patch (requested by maxv in ticket #1463):
i386 GENERIC: disable VM86 by default.


To generate a diff of this commit:
cvs rdiff -u -r1.1107.2.8 -r1.1107.2.8.2.1 src/sys/arch/i386/conf/GENERIC

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/i386/conf/GENERIC
diff -u src/sys/arch/i386/conf/GENERIC:1.1107.2.8 src/sys/arch/i386/conf/GENERIC:1.1107.2.8.2.1
--- src/sys/arch/i386/conf/GENERIC:1.1107.2.8	Fri Jun  5 16:52:39 2015
+++ src/sys/arch/i386/conf/GENERIC	Thu Aug 24 06:50:16 2017
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.1107.2.8 2015/06/05 16:52:39 snj Exp $
+# $NetBSD: GENERIC,v 1.1107.2.8.2.1 2017/08/24 06:50:16 snj Exp $
 #
 # GENERIC machine description file
 #
@@ -22,12 +22,12 @@ include 	"arch/i386/conf/std.i386"
 
 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary
 
-#ident 		"GENERIC-$Revision: 1.1107.2.8 $"
+#ident 		"GENERIC-$Revision: 1.1107.2.8.2.1 $"
 
 maxusers	64		# estimated number of users
 
 # CPU-related options.
-options 	VM86		# virtual 8086 emulation
+#options 	VM86		# virtual 8086 emulation
 options 	USER_LDT	# user-settable LDT; used by WINE
 #options 	PAE		# PAE mode (36 bits physical addressing)
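Review bot: The option is commented out without a word on why, and GENERIC is the file administrators copy from when they roll a kernel; a short remark stops it from being re-enabled casually: `#options VM86 # virtual 8086 emulation (off by default, see ticket #1463)`. The `USER_LDT` line right below stays enabled; if the motivation is attack surface from userland-controlled CPU state, that one is worth the same review — the log does not say.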
 



CVS commit: [netbsd-7-0] src/sys/kern

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:21:56 UTC 2017

Modified Files:
src/sys/kern [netbsd-7-0]: kern_ktrace.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1481):
sys/kern/kern_ktrace.c: 1.171 via patch
Clamp the length we use, not the length we don't.
Avoids uninitialized memory disclosure to userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.164.4.1 -r1.164.4.1.2.1 src/sys/kern/kern_ktrace.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_ktrace.c
diff -u src/sys/kern/kern_ktrace.c:1.164.4.1 src/sys/kern/kern_ktrace.c:1.164.4.1.2.1
--- src/sys/kern/kern_ktrace.c:1.164.4.1	Mon Dec  1 11:38:42 2014
+++ src/sys/kern/kern_ktrace.c	Sat Aug 19 05:21:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_ktrace.c,v 1.164.4.1 2014/12/01 11:38:42 martin Exp $	*/
+/*	$NetBSD: kern_ktrace.c,v 1.164.4.1.2.1 2017/08/19 05:21:56 snj Exp $	*/
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.164.4.1 2014/12/01 11:38:42 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.164.4.1.2.1 2017/08/19 05:21:56 snj Exp $");
 
 #include 
 #include 
@@ -931,7 +931,7 @@ ktruser(const char *id, void *addr, size
 
 	user_dta = (void *)(ktp + 1);
 	if ((error = copyin(addr, (void *)user_dta, len)) != 0)
-		len = 0;
+		kte->kte_kth.ktr_len = 0;
 
 	ktraddentry(l, kte, KTA_WAITOK);
 	return error;
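Review bot: The new assignment clears the header length that ktraddentry() will emit, but nothing next to it says why that field rather than the local `len` is zeroed; a comment such as `/* copyin failed: publish a zero length so none of the partially filled payload reaches userland */` would make the intent survive the next refactor. The record is still queued on the failure path, which looks deliberate (the KTR_USER event is recorded with an empty payload and the error is returned), but that too deserves a word. ktruser() begins before the hunk, so whether `len` is used again after this point cannot be seen here.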



CVS commit: [netbsd-7-0] src/sys/dev

2017-08-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 19 05:19:28 UTC 2017

Modified Files:
src/sys/dev [netbsd-7-0]: vnd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1476):
sys/dev/vnd.c: revision 1.260, 1.262 via patch
Put in a litany of judicious bounds checks around vnd headers.
Thought I was done with this crap after I rewrote vndcompress(1)!
From Ilja Van Sprundel.
--
Appease toxic bullshit warning from gcc.
If you have a better way to write a useful bounds check that happens
to always pass on LP64 but doesn't always on LP32, without making it
fail to compile on LP64 or making it an #ifdef conditional on LP32,
please put it in here instead.


To generate a diff of this commit:
cvs rdiff -u -r1.232.2.3.2.1 -r1.232.2.3.2.2 src/sys/dev/vnd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/vnd.c
diff -u src/sys/dev/vnd.c:1.232.2.3.2.1 src/sys/dev/vnd.c:1.232.2.3.2.2
--- src/sys/dev/vnd.c:1.232.2.3.2.1	Sat Jan  2 14:38:45 2016
+++ src/sys/dev/vnd.c	Sat Aug 19 05:19:28 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vnd.c,v 1.232.2.3.2.1 2016/01/02 14:38:45 riz Exp $	*/
+/*	$NetBSD: vnd.c,v 1.232.2.3.2.2 2017/08/19 05:19:28 snj Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008 The NetBSD Foundation, Inc.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.3.2.1 2016/01/02 14:38:45 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vnd.c,v 1.232.2.3.2.2 2017/08/19 05:19:28 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_vnd.h"
@@ -1238,6 +1238,13 @@ vndioctl(dev_t dev, u_long cmd, void *da
 VOP_UNLOCK(nd.ni_vp);
 goto close_and_exit;
 			}
+
+			if (ntohl(ch->block_size) == 0 ||
+			ntohl(ch->num_blocks) > UINT32_MAX - 1) {
+free(ch, M_TEMP);
+VOP_UNLOCK(nd.ni_vp);
+goto close_and_exit;
+			}
  
 			/* save some header info */
 			vnd->sc_comp_blksz = ntohl(ch->block_size);
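Review bot: The new header-sanity branch at L7281-L7286 jumps to close_and_exit without assigning `error`, whereas the sibling rejection just below it (L7291-L7292) does `error = EINVAL;` first; unless the preceding call left `error` non-zero (that code starts outside the hunk), a zero block_size or an oversized num_blocks is rejected but the ioctl still reports success to the caller. Add `error = EINVAL;` before the `goto close_and_exit;` in the new block so the two checks agree. vndioctl() continues on both sides of the hunk.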
@@ -1249,20 +1256,40 @@ vndioctl(dev_t dev, u_long cmd, void *da
 error = EINVAL;
 goto close_and_exit;
 			}
-			if (sizeof(struct vnd_comp_header) +
-			  sizeof(u_int64_t) * vnd->sc_comp_numoffs >
-			  vattr.va_size) {
+			KASSERT(0 < vnd->sc_comp_blksz);
+			KASSERT(0 < vnd->sc_comp_numoffs);
+			/*
+			 * @#^@!$& gcc -Wtype-limits refuses to let me
+			 * write SIZE_MAX/sizeof(uint64_t) < numoffs,
+			 * because the range of the type on amd64 makes
+			 * the comparisons always false.
+			 */
+#if SIZE_MAX <= UINT32_MAX*(64/CHAR_BIT)
+			if (SIZE_MAX/sizeof(uint64_t) < vnd->sc_comp_numoffs) {
+VOP_UNLOCK(nd.ni_vp);
+error = EINVAL;
+goto close_and_exit;
+			}
+#endif
+			if ((vattr.va_size < sizeof(struct vnd_comp_header)) ||
+			(vattr.va_size - sizeof(struct vnd_comp_header) <
+sizeof(uint64_t)*vnd->sc_comp_numoffs) ||
+			(UQUAD_MAX/vnd->sc_comp_blksz <
+vnd->sc_comp_numoffs - 1)) {
 VOP_UNLOCK(nd.ni_vp);
 error = EINVAL;
 goto close_and_exit;
 			}
  
 			/* set decompressed file size */
+			KASSERT(vnd->sc_comp_numoffs - 1 <=
+			UQUAD_MAX/vnd->sc_comp_blksz);
 			vattr.va_size =
 			((u_quad_t)vnd->sc_comp_numoffs - 1) *
 			 (u_quad_t)vnd->sc_comp_blksz;
  
 			/* allocate space for all the compressed offsets */
+			__CTASSERT(UINT32_MAX <= UQUAD_MAX/sizeof(uint64_t));
 			vnd->sc_comp_offsets =
 			malloc(sizeof(u_int64_t) * vnd->sc_comp_numoffs,
 			M_DEVBUF, M_WAITOK);



CVS commit: [netbsd-7-0] src/sys/compat/svr4_32

2017-08-12 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat Aug 12 19:11:24 UTC 2017

Modified Files:
src/sys/compat/svr4_32 [netbsd-7-0]: svr4_32_signal.c

Log Message:
Additionally pull up rev 1.30 (missed in ticket #1475)


To generate a diff of this commit:
cvs rdiff -u -r1.26.66.1 -r1.26.66.2 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4_32/svr4_32_signal.c
diff -u src/sys/compat/svr4_32/svr4_32_signal.c:1.26.66.1 src/sys/compat/svr4_32/svr4_32_signal.c:1.26.66.2
--- src/sys/compat/svr4_32/svr4_32_signal.c:1.26.66.1	Sat Aug 12 03:59:24 2017
+++ src/sys/compat/svr4_32/svr4_32_signal.c	Sat Aug 12 19:11:24 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_32_signal.c,v 1.26.66.1 2017/08/12 03:59:24 snj Exp $	 */
+/*	$NetBSD: svr4_32_signal.c,v 1.26.66.2 2017/08/12 19:11:24 martin Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.66.1 2017/08/12 03:59:24 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_32_signal.c,v 1.26.66.2 2017/08/12 19:11:24 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_svr4.h"
@@ -397,16 +397,16 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = (sig_t)SCARG(uap, handler);
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		error = sigaction1(l, signum, , , NULL, 0);
+		error = sigaction1(l, native_signo, , , NULL, 0);
 		if (error)
-			return (error);
+			return error;
 		*retval = (u_int)(u_long)obsa.sa_handler;
-		return (0);
+		return 0;
 
 	case SVR4_SIGHOLD_MASK:
 	sighold:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_BLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -414,7 +414,7 @@ svr4_32_sys_signal(struct lwp *l, const 
 
 	case SVR4_SIGRELSE_MASK:
 		sigemptyset();
-		sigaddset(, signum);
+		sigaddset(, native_signo);
 		mutex_enter(p->p_lock);
 		error = sigprocmask1(l, SIG_UNBLOCK, , 0);
 		mutex_exit(p->p_lock);
@@ -424,17 +424,17 @@ svr4_32_sys_signal(struct lwp *l, const 
 		nbsa.sa_handler = SIG_IGN;
 		sigemptyset(_mask);
 		nbsa.sa_flags = 0;
-		return (sigaction1(l, signum, , 0, NULL, 0));
+		return sigaction1(l, native_signo, , 0, NULL, 0);
 
 	case SVR4_SIGPAUSE_MASK:
 		mutex_enter(p->p_lock);
 		ss = l->l_sigmask;
 		mutex_exit(p->p_lock);
-		sigdelset(, signum);
-		return (sigsuspend1(l, ));
+		sigdelset(, native_signo);
+		return sigsuspend1(l, );
 
 	default:
-		return (ENOSYS);
+		return ENOSYS;
 	}
 }
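Review bot: The switch now passes native_signo to sigaction1/sigaddset/sigdelset at L7383, L7395, L7404, L7413 and L7421, but where native_signo is derived and range-checked is outside the hunk; the mask macros typically index by `signo - 1`, so a translation that yields 0 for an unmapped SVR4 signal must be refused before this switch is entered. Worth confirming that the conversion above the hunk returns an error for an unmapped number, and recording it with a comment at the top of the switch, e.g. `/* native_signo has been validated against NSIG by the translation above */`. svr4_32_sys_signal() begins before the hunk.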
 



CVS commit: [netbsd-7-0] src/sys/compat/linux/common

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 04:49:52 UTC 2017

Modified Files:
src/sys/compat/linux/common [netbsd-7-0]: linux_time.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1486):
sys/compat/linux/common/linux_time.c: revision 1.38-1.39 via patch
Only let the superuser set the compat_linux timezone.
Not really keen to invent a new kauth cookie for this useless purpose.
From Ilja Van Sprundel.
--
Put suser check in the right function: settimeofday, not gettimeofday.
While here, remove wrong comment.
Noted by kre@.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.37.8.1 src/sys/compat/linux/common/linux_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_time.c
diff -u src/sys/compat/linux/common/linux_time.c:1.37 src/sys/compat/linux/common/linux_time.c:1.37.8.1
--- src/sys/compat/linux/common/linux_time.c:1.37	Mon Jan 13 10:33:03 2014
+++ src/sys/compat/linux/common/linux_time.c	Sat Aug 12 04:49:52 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_time.c,v 1.37 2014/01/13 10:33:03 njoly Exp $ */
+/*	$NetBSD: linux_time.c,v 1.37.8.1 2017/08/12 04:49:52 snj Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.37 2014/01/13 10:33:03 njoly Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_time.c,v 1.37.8.1 2017/08/12 04:49:52 snj Exp $");
 
 #include 
 #include 
@@ -102,11 +102,10 @@ linux_sys_settimeofday(struct lwp *l, co
 			return (error);
 	}
 
-	/*
-	 * If user is not the superuser, we returned
-	 * after the sys_settimeofday() call.
-	 */
 	if (SCARG(uap, tzp)) {
+		if (kauth_authorize_generic(kauth_cred_get(),
+			KAUTH_GENERIC_ISSUSER, NULL) != 0)
+			return (EPERM);
 		error = copyin(SCARG(uap, tzp), _sys_tz, sizeof(linux_sys_tz));
 		if (error)
 			return (error);
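Review bot: The privilege check is added with no comment, and the hunk removes the only comment that explained the control flow here; a line such as `/* linux_sys_tz is emulation-wide state: writing it requires superuser, like the native clock. */` above the kauth call would restore that. The check uses the generic KAUTH_GENERIC_ISSUSER test, so it bypasses any finer-grained secmodel policy that governs sys_settimeofday() a few lines earlier; that is a known trade-off but deserves a note at the call site. linux_sys_settimeofday() starts before the hunk.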



CVS commit: [netbsd-7-0] src/sys/altq

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 04:44:32 UTC 2017

Modified Files:
src/sys/altq [netbsd-7-0]: altq_cbq.c altq_hfsc.c altq_jobs.c
altq_priq.c altq_wfq.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1485):
sys/altq/altq_cbq.c: revision 1.31
sys/altq/altq_hfsc.c: revision 1.27
sys/altq/altq_priq.c: revision 1.24
sys/altq/altq_jobs.c: revision 1.11
sys/altq/altq_wfq.c: revision 1.22
Zero buffers copied to userland to avoid stack disclosure.
From Ilja Van Sprundel.
--
Reject negative indices.
(Would be nice to change the types too, and it's *probably* safe to
replace int by u_int, but I'm reluctant to touch the ioctl
definitions without at least a modicum more thought.  Also one of
them is a u_long, because why not?)
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.27.6.1 src/sys/altq/altq_cbq.c
cvs rdiff -u -r1.24 -r1.24.62.1 src/sys/altq/altq_hfsc.c
cvs rdiff -u -r1.6.34.1 -r1.6.34.1.2.1 src/sys/altq/altq_jobs.c
cvs rdiff -u -r1.21 -r1.21.42.1 src/sys/altq/altq_priq.c
cvs rdiff -u -r1.20 -r1.20.8.1 src/sys/altq/altq_wfq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/altq/altq_cbq.c
diff -u src/sys/altq/altq_cbq.c:1.27 src/sys/altq/altq_cbq.c:1.27.6.1
--- src/sys/altq/altq_cbq.c:1.27	Thu Mar 20 20:51:54 2014
+++ src/sys/altq/altq_cbq.c	Sat Aug 12 04:44:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_cbq.c,v 1.27 2014/03/20 20:51:54 christos Exp $	*/
+/*	$NetBSD: altq_cbq.c,v 1.27.6.1 2017/08/12 04:44:32 snj Exp $	*/
 /*	$KAME: altq_cbq.c,v 1.21 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.27 2014/03/20 20:51:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.27.6.1 2017/08/12 04:44:32 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -472,6 +472,7 @@ cbq_getqstats(struct pf_altq *a, void *u
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)
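Review bot: The memset at L7564 is correct but unexplained; because the structure is copied to userland at L7567, a comment such as `/* Zero padding/unset fields before copyout so no kernel stack bytes leak. */` would keep a later reader from removing it as redundant with get_class_stats(). The same comment belongs with the identical additions in the hfsc hunk (L7600) and the jobs hunk (L7628), where the zeroing is now unconditional and presumably also covers fields the stats callback leaves untouched. cbq_getqstats() begins before the hunk.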
@@ -876,6 +877,7 @@ cbq_getstats(struct cbq_getstats *gsp)
 			if (++i >= CBQ_MAX_CLASSES)
 goto out;
 
+		memset(, 0, sizeof(stats));
 		get_class_stats(, cl);
 		stats.handle = cl->stats_.handle;
 

Index: src/sys/altq/altq_hfsc.c
diff -u src/sys/altq/altq_hfsc.c:1.24 src/sys/altq/altq_hfsc.c:1.24.62.1
--- src/sys/altq/altq_hfsc.c:1.24	Wed Jun 18 09:06:27 2008
+++ src/sys/altq/altq_hfsc.c	Sat Aug 12 04:44:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $	*/
+/*	$NetBSD: altq_hfsc.c,v 1.24.62.1 2017/08/12 04:44:32 snj Exp $	*/
 /*	$KAME: altq_hfsc.c,v 1.26 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24.62.1 2017/08/12 04:44:32 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -313,6 +313,7 @@ hfsc_getqstats(struct pf_altq *a, void *
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(, 0, sizeof(stats));
 	get_class_stats(, cl);
 
 	if ((error = copyout((void *), ubuf, sizeof(stats))) != 0)

Index: src/sys/altq/altq_jobs.c
diff -u src/sys/altq/altq_jobs.c:1.6.34.1 src/sys/altq/altq_jobs.c:1.6.34.1.2.1
--- src/sys/altq/altq_jobs.c:1.6.34.1	Fri Aug 22 10:15:22 2014
+++ src/sys/altq/altq_jobs.c	Sat Aug 12 04:44:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_jobs.c,v 1.6.34.1 2014/08/22 10:15:22 martin Exp $	*/
+/*	$NetBSD: altq_jobs.c,v 1.6.34.1.2.1 2017/08/12 04:44:32 snj Exp $	*/
 /*	$KAME: altq_jobs.c,v 1.11 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (c) 2001, the Rector and Board of Visitors of the
@@ -59,7 +59,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.34.1 2014/08/22 10:15:22 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.34.1.2.1 2017/08/12 04:44:32 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -2111,10 +2111,9 @@ jobscmd_class_stats(struct jobs_class_st
 	usp = ap->stats;
 	for (pri = 0; pri <= jif->jif_maxpri; pri++) {
 		cl = jif->jif_classes[pri];
+		(void)memset(, 0, sizeof(stats));
 		if (cl != NULL)
 			get_class_stats(, cl);
-		else
-			(void)memset(, 0, sizeof(stats));
 		if ((error = copyout((void *), (void *)usp++,
  sizeof(stats))) != 0)
 			return (error);

Index: src/sys/altq/altq_priq.c
diff -u src/sys/altq/altq_priq.c:1.21 src/sys/altq/altq_priq.c:1.21.42.1
--- src/sys/altq/altq_priq.c:1.21	Sat Mar 14 15:35:58 2009
+++ src/sys/altq/altq_priq.c	Sat Aug 12 04:44:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_priq.c,v 1.21 2009/03/14 15:35:58 dsl Exp $	*/
+/*	$NetBSD: altq_priq.c,v 1.21.42.1 2017/08/12 04:44:32 snj Exp $	*/
 /*	$KAME: altq_priq.c,v 1.13 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (C) 

CVS commit: [netbsd-7-0] src/sys/netsmb

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 04:32:43 UTC 2017

Modified Files:
src/sys/netsmb [netbsd-7-0]: smb_dev.c smb_subr.c smb_subr.h smb_usr.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1484):
sys/netsmb/smb_dev.c: revision 1.50
sys/netsmb/smb_subr.c: revision 1.38
sys/netsmb/smb_subr.h: revision 1.22
sys/netsmb/smb_usr.c: revision 1.17-1.19
Reject allocations for too-small buffers from userland.
From Ilja Van Sprundel.
--
Plug another overflow: refuse bogus sa_len from user.
--
Reject negative ioc_setupcnt.
--
Reject negative offset/count for smb read/write.
Not clear that this is actually a problem for the kernel -- might
overwrite user's buffers or return garbage to user, but that's their
own damn fault.  But it's hard to imagine that negative offset/count
ever makes sense, and I haven't ruled out a problem for the kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.42.4.1 src/sys/netsmb/smb_dev.c
cvs rdiff -u -r1.36.28.1 -r1.36.28.1.2.1 src/sys/netsmb/smb_subr.c
cvs rdiff -u -r1.21 -r1.21.18.1 src/sys/netsmb/smb_subr.h
cvs rdiff -u -r1.16 -r1.16.42.1 src/sys/netsmb/smb_usr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netsmb/smb_dev.c
diff -u src/sys/netsmb/smb_dev.c:1.42 src/sys/netsmb/smb_dev.c:1.42.4.1
--- src/sys/netsmb/smb_dev.c:1.42	Fri Jul 25 08:10:40 2014
+++ src/sys/netsmb/smb_dev.c	Sat Aug 12 04:32:43 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_dev.c,v 1.42 2014/07/25 08:10:40 dholland Exp $	*/
+/*	$NetBSD: smb_dev.c,v 1.42.4.1 2017/08/12 04:32:43 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.42 2014/07/25 08:10:40 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_dev.c,v 1.42.4.1 2017/08/12 04:32:43 snj Exp $");
 
 #include 
 #include 
@@ -344,6 +344,8 @@ nsmb_dev_ioctl(dev_t dev, u_long cmd, vo
 		struct uio auio;
 		struct iovec iov;
 
+		if (rwrq->ioc_cnt < 0 || rwrq->ioc_offset < 0)
+			return EINVAL;
 		if ((ssp = sdp->sd_share) == NULL)
 			return ENOTCONN;
 		iov.iov_base = rwrq->ioc_base;

Index: src/sys/netsmb/smb_subr.c
diff -u src/sys/netsmb/smb_subr.c:1.36.28.1 src/sys/netsmb/smb_subr.c:1.36.28.1.2.1
--- src/sys/netsmb/smb_subr.c:1.36.28.1	Mon Dec  1 09:31:40 2014
+++ src/sys/netsmb/smb_subr.c	Sat Aug 12 04:32:43 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.c,v 1.36.28.1 2014/12/01 09:31:40 martin Exp $	*/
+/*	$NetBSD: smb_subr.c,v 1.36.28.1.2.1 2017/08/12 04:32:43 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36.28.1 2014/12/01 09:31:40 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_subr.c,v 1.36.28.1.2.1 2017/08/12 04:32:43 snj Exp $");
 
 #include 
 #include 
@@ -380,3 +380,32 @@ dup_sockaddr(struct sockaddr *sa, int ca
 		memcpy(sa2, sa, sa->sa_len);
 	return sa2;
 }
+
+int
+dup_sockaddr_copyin(struct sockaddr **ksap, struct sockaddr *usa,
+size_t usalen)
+{
+	struct sockaddr *ksa;
+
+	/* Make sure user provided enough data for a generic sockaddr.  */
+	if (usalen < sizeof(*ksa))
+		return EINVAL;
+
+	/* Don't let the user overfeed us.  */
+	usalen = MIN(usalen, sizeof(struct sockaddr_storage));
+
+	/* Copy the buffer in from userland.  */
+	ksa = smb_memdupin(usa, usalen);
+	if (ksa == NULL)
+		return ENOMEM;
+
+	/* Make sure the user's idea of sa_len is reasonable.  */
+	if (ksa->sa_len > usalen) {
+		smb_memfree(ksa);
+		return EINVAL;
+	}
+
+	/* Success!  */
+	*ksap = ksa;
+	return 0;
+}
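Review bot: dup_sockaddr_copyin() rejects an sa_len larger than the copied buffer (L7761) but accepts any smaller value, including 0, so a consumer that interprets the address by sa_family still cannot rely on sa_len covering that family's fixed-size structure; consider extending the check to `if (ksa->sa_len < sizeof(*ksa) || ksa->sa_len > usalen) {`, or a family-specific minimum if the callers need one. The function also has no header comment; it should state that on success the caller owns `*ksap` and releases it with smb_memfree(), that usalen beyond sizeof(struct sockaddr_storage) is silently truncated rather than rejected, and that ENOMEM/EINVAL are the only failures.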

Index: src/sys/netsmb/smb_subr.h
diff -u src/sys/netsmb/smb_subr.h:1.21 src/sys/netsmb/smb_subr.h:1.21.18.1
--- src/sys/netsmb/smb_subr.h:1.21	Tue Mar 13 18:41:01 2012
+++ src/sys/netsmb/smb_subr.h	Sat Aug 12 04:32:43 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_subr.h,v 1.21 2012/03/13 18:41:01 elad Exp $	*/
+/*	$NetBSD: smb_subr.h,v 1.21.18.1 2017/08/12 04:32:43 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001, Boris Popov
@@ -128,5 +128,6 @@ int  smb_put_asunistring(struct smb_rq *
 #endif
 
 struct sockaddr *dup_sockaddr(struct sockaddr *, int);
+int dup_sockaddr_copyin(struct sockaddr **, struct sockaddr *, size_t);
 
 #endif /* !_NETSMB_SMB_SUBR_H_ */

Index: src/sys/netsmb/smb_usr.c
diff -u src/sys/netsmb/smb_usr.c:1.16 src/sys/netsmb/smb_usr.c:1.16.42.1
--- src/sys/netsmb/smb_usr.c:1.16	Wed Mar 18 16:00:24 2009
+++ src/sys/netsmb/smb_usr.c	Sat Aug 12 04:32:43 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $	*/
+/*	$NetBSD: smb_usr.c,v 1.16.42.1 2017/08/12 04:32:43 snj Exp $	*/
 
 /*
  * Copyright (c) 2000-2001 Boris Popov
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16 2009/03/18 16:00:24 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: smb_usr.c,v 1.16.42.1 2017/08/12 04:32:43 snj Exp $");
 
 #include 
 #include 
@@ -65,6 +65,7 

CVS commit: [netbsd-7-0] src/sys/dev/ic

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 04:28:39 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-7-0]: ciss.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1483):
sys/dev/ic/ciss.c: revision 1.37
Reject negative indices from userland.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.8.1 src/sys/dev/ic/ciss.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/ciss.c
diff -u src/sys/dev/ic/ciss.c:1.32 src/sys/dev/ic/ciss.c:1.32.8.1
--- src/sys/dev/ic/ciss.c:1.32	Thu Oct 17 21:24:24 2013
+++ src/sys/dev/ic/ciss.c	Sat Aug 12 04:28:39 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ciss.c,v 1.32 2013/10/17 21:24:24 christos Exp $	*/
+/*	$NetBSD: ciss.c,v 1.32.8.1 2017/08/12 04:28:39 snj Exp $	*/
 /*	$OpenBSD: ciss.c,v 1.68 2013/05/30 16:15:02 deraadt Exp $	*/
 
 /*
@@ -19,7 +19,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.32 2013/10/17 21:24:24 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ciss.c,v 1.32.8.1 2017/08/12 04:28:39 snj Exp $");
 
 #include "bio.h"
 
@@ -1274,12 +1274,12 @@ ciss_ioctl(device_t dev, u_long cmd, voi
 		/* FALLTHROUGH */
 	case BIOCDISK:
 		bd = (struct bioc_disk *)addr;
-		if (bd->bd_volid > sc->maxunits) {
+		if (bd->bd_volid < 0 || bd->bd_volid > sc->maxunits) {
 			error = EINVAL;
 			break;
 		}
 		ldp = sc->sc_lds[0];
-		if (!ldp || (pd = bd->bd_diskid) > ldp->ndrives) {
+		if (!ldp || (pd = bd->bd_diskid) < 0 || pd > ldp->ndrives) {
 			error = EINVAL;
 			break;
 		}
@@ -1380,7 +1380,7 @@ ciss_ioctl_vol(struct ciss_softc *sc, st
 	int error = 0;
 	u_int blks;
 
-	if (bv->bv_volid > sc->maxunits) {
+	if (bv->bv_volid < 0 || bv->bv_volid > sc->maxunits) {
 		return EINVAL;
 	}
 	ldp = sc->sc_lds[bv->bv_volid];
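Review bot: If sc_lds holds sc->maxunits entries (its allocation is outside the hunk), the index at L7876 can land one past the end, because the guard at L7873 only rejects `bv_volid > sc->maxunits`; in that case the comparison should be `if (bv->bv_volid < 0 || bv->bv_volid >= sc->maxunits) {`. The same `>` versus `>=` question applies to the bd_volid and `pd > ldp->ndrives` tests in the first hunk (L7858, L7864), which also feed array indexing later in the function. Both enclosing functions start before their hunks, so the array sizes cannot be confirmed here.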



CVS commit: [netbsd-7-0] src/sys/dev/ic

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 04:22:26 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-7-0]: isp_netbsd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1482):
sys/dev/ic/isp_netbsd.c: revision 1.89
Reject out-of-bounds channel index.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.86 -r1.86.16.1 src/sys/dev/ic/isp_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/isp_netbsd.c
diff -u src/sys/dev/ic/isp_netbsd.c:1.86 src/sys/dev/ic/isp_netbsd.c:1.86.16.1
--- src/sys/dev/ic/isp_netbsd.c:1.86	Tue Aug 21 15:53:07 2012
+++ src/sys/dev/ic/isp_netbsd.c	Sat Aug 12 04:22:26 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: isp_netbsd.c,v 1.86 2012/08/21 15:53:07 bouyer Exp $ */
+/* $NetBSD: isp_netbsd.c,v 1.86.16.1 2017/08/12 04:22:26 snj Exp $ */
 /*
  * Platform (NetBSD) dependent common attachment code for Qlogic adapters.
  */
@@ -33,7 +33,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.86 2012/08/21 15:53:07 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: isp_netbsd.c,v 1.86.16.1 2017/08/12 04:22:26 snj Exp $");
 
 #include 
 #include 
@@ -475,6 +475,10 @@ ispioctl(struct scsipi_channel *chan, u_
 		}
 		lim = local.count;
 		channel = local.channel;
+		if (channel >= isp->isp_nchan) {
+			retval = EINVAL;
+			break;
+		}
 
 		ua = *(isp_dlist_t **)addr;
 		uptr = >wwns[0];
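Review bot: The new guard at L7928 rejects only large values; if `channel` is a signed int (its declaration, and the type of local.channel, are outside the hunk) and isp_nchan is signed too, a negative local.channel passes `channel >= isp->isp_nchan` and reaches whatever indexes by channel below. Unless local.channel is an unsigned field, make it `if (channel < 0 || channel >= isp->isp_nchan) {`. ispioctl() starts before the hunk.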



CVS commit: [netbsd-7-0] src/sys

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 04:16:17 UTC 2017

Modified Files:
src/sys/compat/common [netbsd-7-0]: vfs_syscalls_12.c vfs_syscalls_43.c
src/sys/compat/ibcs2 [netbsd-7-0]: ibcs2_misc.c
src/sys/compat/linux/common [netbsd-7-0]: linux_file64.c linux_misc.c
src/sys/compat/linux32/common [netbsd-7-0]: linux32_dirent.c
src/sys/compat/osf1 [netbsd-7-0]: osf1_file.c
src/sys/compat/sunos [netbsd-7-0]: sunos_misc.c
src/sys/compat/sunos32 [netbsd-7-0]: sunos32_misc.c
src/sys/compat/svr4 [netbsd-7-0]: svr4_misc.c
src/sys/compat/svr4_32 [netbsd-7-0]: svr4_32_misc.c
src/sys/rump/kern/lib/libsys_sunos [netbsd-7-0]: rump_sunos_compat.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1479):
sys/compat/common/vfs_syscalls_12.c: revision 1.34
sys/rump/kern/lib/libsys_sunos/rump_sunos_compat.c: revision 1.2
sys/compat/svr4_32/svr4_32_misc.c: revision 1.78
sys/compat/sunos32/sunos32_misc.c: revision 1.78
sys/compat/linux/common/linux_misc.c: revision 1.239
sys/compat/osf1/osf1_file.c: revision 1.44
sys/compat/common/vfs_syscalls_43.c: revision 1.60
sys/compat/svr4/svr4_misc.c: revision 1.158
sys/compat/ibcs2/ibcs2_misc.c: revision 1.114
sys/compat/linux/common/linux_file64.c: revision 1.59
sys/compat/linux32/common/linux32_dirent.c: revision 1.18
sys/compat/sunos/sunos_misc.c: revision 1.171
Fail, don't panic, on bad dirents from file system.
Controllable via puffs from userland.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.30.6.1 src/sys/compat/common/vfs_syscalls_12.c
cvs rdiff -u -r1.56.6.1 -r1.56.6.2 src/sys/compat/common/vfs_syscalls_43.c
cvs rdiff -u -r1.112 -r1.112.14.1 src/sys/compat/ibcs2/ibcs2_misc.c
cvs rdiff -u -r1.55 -r1.55.8.1 src/sys/compat/linux/common/linux_file64.c
cvs rdiff -u -r1.229 -r1.229.4.1 src/sys/compat/linux/common/linux_misc.c
cvs rdiff -u -r1.13 -r1.13.32.1 \
src/sys/compat/linux32/common/linux32_dirent.c
cvs rdiff -u -r1.41.28.1 -r1.41.28.1.2.1 src/sys/compat/osf1/osf1_file.c
cvs rdiff -u -r1.168 -r1.168.36.1 src/sys/compat/sunos/sunos_misc.c
cvs rdiff -u -r1.74 -r1.74.24.1 src/sys/compat/sunos32/sunos32_misc.c
cvs rdiff -u -r1.155 -r1.155.30.1 src/sys/compat/svr4/svr4_misc.c
cvs rdiff -u -r1.74 -r1.74.30.1 src/sys/compat/svr4_32/svr4_32_misc.c
cvs rdiff -u -r1.1 -r1.1.18.1 \
src/sys/rump/kern/lib/libsys_sunos/rump_sunos_compat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/vfs_syscalls_12.c
diff -u src/sys/compat/common/vfs_syscalls_12.c:1.30 src/sys/compat/common/vfs_syscalls_12.c:1.30.6.1
--- src/sys/compat/common/vfs_syscalls_12.c:1.30	Fri Jan 24 22:11:46 2014
+++ src/sys/compat/common/vfs_syscalls_12.c	Sat Aug 12 04:16:16 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_12.c,v 1.30 2014/01/24 22:11:46 christos Exp $	*/
+/*	$NetBSD: vfs_syscalls_12.c,v 1.30.6.1 2017/08/12 04:16:16 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.30 2014/01/24 22:11:46 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_12.c,v 1.30.6.1 2017/08/12 04:16:16 snj Exp $");
 
 #include 
 #include 
@@ -171,8 +171,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)
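Review bot: Replacing the panic with EIO keeps the loop's only visible validation as `reclen & 3`; a d_reclen of 0 still passes and leaves `len` and `inp` unchanged on every iteration, and a reclen larger than the remaining `len` advances bdp past the buffer, unless the rest of the loop body (outside the hunk) checks them. If it does not, widen the test to `if (reclen & 3 || reclen < _DIRENT_MINSIZE(bdp) || reclen > len) {`, the shape the vfs_getcwd.c hunk later in this digest uses (L8115-L8116). The same applies to the vfs_syscalls_43.c hunk at L8055.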

Index: src/sys/compat/common/vfs_syscalls_43.c
diff -u src/sys/compat/common/vfs_syscalls_43.c:1.56.6.1 src/sys/compat/common/vfs_syscalls_43.c:1.56.6.2
--- src/sys/compat/common/vfs_syscalls_43.c:1.56.6.1	Sat Aug 27 15:10:42 2016
+++ src/sys/compat/common/vfs_syscalls_43.c	Sat Aug 12 04:16:16 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.56.6.1 2016/08/27 15:10:42 bouyer Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.56.6.2 2017/08/12 04:16:16 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.56.6.1 2016/08/27 15:10:42 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.56.6.2 2017/08/12 04:16:16 snj Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -450,8 +450,10 @@ again:
 	for (cookie = cookiebuf; len > 0; len -= reclen) {
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
-		if (reclen & 3)
-			panic(__func__);
+		if (reclen & 3) {
+			error = EIO;
+			goto out;
+		}
 		if (bdp->d_fileno == 0) {
 			inp += reclen;	/* it is a hole; squish it out */
 			if (cookie)

Index: src/sys/compat/ibcs2/ibcs2_misc.c
diff -u src/sys/compat/ibcs2/ibcs2_misc.c:1.112 

CVS commit: [netbsd-7-0] src/sys/kern

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 04:11:10 UTC 2017

Modified Files:
src/sys/kern [netbsd-7-0]: vfs_getcwd.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1478):
sys/kern/vfs_getcwd.c: revision 1.52
Don't walk off the end of the dirent buffer.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.50.8.1 src/sys/kern/vfs_getcwd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/vfs_getcwd.c
diff -u src/sys/kern/vfs_getcwd.c:1.50 src/sys/kern/vfs_getcwd.c:1.50.8.1
--- src/sys/kern/vfs_getcwd.c:1.50	Fri Feb  7 15:29:22 2014
+++ src/sys/kern/vfs_getcwd.c	Sat Aug 12 04:11:10 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_getcwd.c,v 1.50 2014/02/07 15:29:22 hannken Exp $ */
+/* $NetBSD: vfs_getcwd.c,v 1.50.8.1 2017/08/12 04:11:10 snj Exp $ */
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.50 2014/02/07 15:29:22 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_getcwd.c,v 1.50.8.1 2017/08/12 04:11:10 snj Exp $");
 
 #include 
 #include 
@@ -211,7 +211,8 @@ unionread:
 reclen = dp->d_reclen;
 
 /* check for malformed directory.. */
-if (reclen < _DIRENT_MINSIZE(dp)) {
+if (reclen < _DIRENT_MINSIZE(dp) ||
+reclen > len) {
 	error = EINVAL;
 	goto out;
 }



CVS commit: [netbsd-7-0] src/sys/compat/ibcs2

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 04:08:26 UTC 2017

Modified Files:
src/sys/compat/ibcs2 [netbsd-7-0]: ibcs2_exec_coff.c ibcs2_ioctl.c
ibcs2_stat.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1477):
sys/compat/ibcs2/ibcs2_exec_coff.c: revision 1.27-1.29
sys/compat/ibcs2/ibcs2_ioctl.c: revision 1.46
sys/compat/ibcs2/ibcs2_stat.c: revision 1.49-1.50
Check for NUL termination within the buffer we have.
From Ilja Van Sprundel.
--
Make sure we have enough space in the buffer before reading it.
From Ilja Van Sprundel.
--
Make sure we move forward over the buffer.
From Ilja Van Sprundel.
--
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.
From Ilja Van Sprundel.
--
Don't drop vnode ref until we're done with mount in ibcs2_stat(v)fs.
Nothing else guarantees the mount will stick around.
From Ilja Van Sprundel.
--
Little happy on the commit trigger.  Actually use the out label.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.26.8.1 src/sys/compat/ibcs2/ibcs2_exec_coff.c
cvs rdiff -u -r1.45 -r1.45.62.1 src/sys/compat/ibcs2/ibcs2_ioctl.c
cvs rdiff -u -r1.47 -r1.47.40.1 src/sys/compat/ibcs2/ibcs2_stat.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/ibcs2/ibcs2_exec_coff.c
diff -u src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26 src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26.8.1
--- src/sys/compat/ibcs2/ibcs2_exec_coff.c:1.26	Fri Oct 25 14:46:35 2013
+++ src/sys/compat/ibcs2/ibcs2_exec_coff.c	Sat Aug 12 04:08:25 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_exec_coff.c,v 1.26 2013/10/25 14:46:35 martin Exp $	*/
+/*	$NetBSD: ibcs2_exec_coff.c,v 1.26.8.1 2017/08/12 04:08:25 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995, 1998 Scott Bartram
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.26 2013/10/25 14:46:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_exec_coff.c,v 1.26.8.1 2017/08/12 04:08:25 snj Exp $");
 
 #include 
 #include 
@@ -454,6 +454,10 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 		}
 		bufp = tbuf;
 		while (len) {
+			if (len < sizeof(struct coff_slhdr)) {
+free(tbuf, M_TEMP);
+return ENOEXEC;
+			}
 			slhdr = (struct coff_slhdr *)bufp;
 
 			if (slhdr->path_index > LONG_MAX / sizeof(long) ||
@@ -465,7 +469,9 @@ exec_ibcs2_coff_prep_zmagic(struct lwp *
 			/* path_index = slhdr->path_index * sizeof(long); */
 			entry_len = slhdr->entry_len * sizeof(long);
 
-			if (entry_len > len) {
+			if (entry_len < sizeof(struct coff_slhdr) ||
+			entry_len > len ||
+			strnlen(slhdr->sl_name, entry_len) == entry_len) {
 free(tbuf, M_TEMP);
 return ENOEXEC;
 			}
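Review bot: The strnlen at L8205 is bounded by entry_len but starts at sl_name, which lies after the entry_len/path_index members, so the scan can run offsetof(struct coff_slhdr, sl_name) bytes beyond the entry and, when this is the last entry (entry_len == len), beyond tbuf. If sl_name is the trailing member, bound the scan by the bytes that actually belong to it: `size_t namelen = entry_len - offsetof(struct coff_slhdr, sl_name);` and then `strnlen(slhdr->sl_name, namelen) == namelen` in the condition; the new `entry_len < sizeof(struct coff_slhdr)` test already guarantees namelen is positive. exec_ibcs2_coff_prep_zmagic() continues on both sides of the hunk.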

Index: src/sys/compat/ibcs2/ibcs2_ioctl.c
diff -u src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45 src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45.62.1
--- src/sys/compat/ibcs2/ibcs2_ioctl.c:1.45	Tue Jun 24 10:03:17 2008
+++ src/sys/compat/ibcs2/ibcs2_ioctl.c	Sat Aug 12 04:08:25 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $	*/
+/*	$NetBSD: ibcs2_ioctl.c,v 1.45.62.1 2017/08/12 04:08:25 snj Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Scott Bartram
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45 2008/06/24 10:03:17 gmcgarry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_ioctl.c,v 1.45.62.1 2017/08/12 04:08:25 snj Exp $");
 
 #include 
 #include 
@@ -402,8 +402,10 @@ ibcs2_sys_ioctl(struct lwp *l, const str
 		if ((error = (*ctl)(fp, TIOCGETA, )) != 0)
 			goto out;
 
+		memset(, 0, sizeof(sts));
 		btios2stios(, );
 		if (SCARG(uap, cmd) == IBCS2_TCGETA) {
+			memset(, 0, sizeof(st));
 			stios2stio(, );
 			error = copyout(, SCARG(uap, data), sizeof(st));
 			if (error)
@@ -559,6 +561,7 @@ ibcs2_sys_gtty(struct lwp *l, const stru
 
 	fd_putfile(SCARG(uap, fd));
 
+	memset(, 0, sizeof(itb));
 	itb.sg_ispeed = tb.sg_ispeed;
 	itb.sg_ospeed = tb.sg_ospeed;
 	itb.sg_erase = tb.sg_erase;

Index: src/sys/compat/ibcs2/ibcs2_stat.c
diff -u src/sys/compat/ibcs2/ibcs2_stat.c:1.47 src/sys/compat/ibcs2/ibcs2_stat.c:1.47.40.1
--- src/sys/compat/ibcs2/ibcs2_stat.c:1.47	Mon Jun 29 05:08:16 2009
+++ src/sys/compat/ibcs2/ibcs2_stat.c	Sat Aug 12 04:08:25 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $	*/
+/*	$NetBSD: ibcs2_stat.c,v 1.47.40.1 2017/08/12 04:08:25 snj Exp $	*/
 /*
  * Copyright (c) 1995, 1998 Scott Bartram
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47 2009/06/29 05:08:16 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ibcs2_stat.c,v 1.47.40.1 2017/08/12 04:08:25 snj Exp $");
 
 #include 
 #include 
@@ -147,11 +147,13 @@ ibcs2_sys_statfs(struct lwp *l, const st
 		return (error);
 	mp = vp->v_mount;
 	sp = >mnt_stat;
-	vrele(vp);
 	if ((error = VFS_STATVFS(mp, sp)) != 0)
-		return (error);
+		goto 

CVS commit: [netbsd-7-0] src/sys/compat

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 03:59:24 UTC 2017

Modified Files:
src/sys/compat/svr4 [netbsd-7-0]: svr4_lwp.c svr4_signal.c
svr4_stream.c
src/sys/compat/svr4_32 [netbsd-7-0]: svr4_32_signal.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1475):
sys/compat/svr4/svr4_lwp.c: revision 1.20
sys/compat/svr4/svr4_signal.c: revision 1.67
sys/compat/svr4/svr4_stream.c: revision 1.89-1.91 via patch
sys/compat/svr4_32/svr4_32_signal.c: revision 1.29
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
From Ilja Van Sprundel.
--
Zero stack data before copyout.
From Ilja Van Sprundel.
--
Fix indexing of svr4 signals.
From Ilja Van Sprundel.
--
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
From Ilja Van Sprundel.
--
Check bounds in svr4_sys_putmsg.  Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.42.1 src/sys/compat/svr4/svr4_lwp.c
cvs rdiff -u -r1.65.30.1 -r1.65.30.1.2.1 src/sys/compat/svr4/svr4_signal.c
cvs rdiff -u -r1.80 -r1.80.4.1 src/sys/compat/svr4/svr4_stream.c
cvs rdiff -u -r1.26 -r1.26.66.1 src/sys/compat/svr4_32/svr4_32_signal.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/svr4/svr4_lwp.c
diff -u src/sys/compat/svr4/svr4_lwp.c:1.19 src/sys/compat/svr4/svr4_lwp.c:1.19.42.1
--- src/sys/compat/svr4/svr4_lwp.c:1.19	Mon Nov 23 00:46:07 2009
+++ src/sys/compat/svr4/svr4_lwp.c	Sat Aug 12 03:59:24 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $	*/
+/*	$NetBSD: svr4_lwp.c,v 1.19.42.1 2017/08/12 03:59:24 snj Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19 2009/11/23 00:46:07 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_lwp.c,v 1.19.42.1 2017/08/12 03:59:24 snj Exp $");
 
 #include 
 #include 
@@ -108,6 +108,8 @@ svr4_sys__lwp_info(struct lwp *l, const 
 	struct svr4_lwpinfo lwpinfo;
 	int error;
 
+	memset(, 0, sizeof(lwpinfo));
+
 	/* XXX NJWLWP */
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_stime, _stime);
 	TIMEVAL_TO_TIMESPEC(>l_proc->p_stats->p_ru.ru_utime, _utime);

Index: src/sys/compat/svr4/svr4_signal.c
diff -u src/sys/compat/svr4/svr4_signal.c:1.65.30.1 src/sys/compat/svr4/svr4_signal.c:1.65.30.1.2.1
--- src/sys/compat/svr4/svr4_signal.c:1.65.30.1	Sat Jan 17 12:10:53 2015
+++ src/sys/compat/svr4/svr4_signal.c	Sat Aug 12 03:59:24 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $	 */
+/*	$NetBSD: svr4_signal.c,v 1.65.30.1.2.1 2017/08/12 03:59:24 snj Exp $	 */
 
 /*-
  * Copyright (c) 1994, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1 2015/01/17 12:10:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svr4_signal.c,v 1.65.30.1.2.1 2017/08/12 03:59:24 snj Exp $");
 
 #include 
 #include 
@@ -72,6 +72,21 @@ void native_to_svr4_sigaction(const stru
 extern const int native_to_svr4_signo[];
 extern const int svr4_to_native_signo[];
 
+static int
+svr4_decode_signum(int signum, int *native_signo, int *sigcall)
+{
+
+	if (SVR4_SIGNO(signum) >= SVR4_NSIG)
+		return EINVAL;
+
+	if (native_signo)
+		*native_signo = svr4_to_native_signo[SVR4_SIGNO(signum)];
+	if (sigcall)
+		*sigcall = SVR4_SIGCALL(signum);
+
+	return 0;
+}
+
 static inline void
 svr4_sigfillset(svr4_sigset_t *s)
 {
@@ -173,6 +188,7 @@ svr4_sys_sigaction(struct lwp *l, const 
 	} */
 	struct svr4_sigaction nssa, ossa;
 	struct sigaction nbsa, obsa;
+	int native_signo;
 	int error;
 
 	if (SCARG(uap, nsa)) {
@@ -181,7 +197,12 @@ svr4_sys_sigaction(struct lwp *l, const 
 			return (error);
 		svr4_to_native_sigaction(, );
 	}
-	error = sigaction1(l, svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))],
+
+	error = svr4_decode_signum(SCARG(uap, signum), _signo, NULL);
+	if (error)
+		return error;
+
+	error = sigaction1(l, native_signo,
 	SCARG(uap, nsa) ?  : 0, SCARG(uap, osa) ?  : 0,
 	NULL, 0);
 	if (error)
@@ -216,16 +237,18 @@ svr4_sys_signal(struct lwp *l, const str
 		syscallarg(int) signum;
 		syscallarg(svr4_sig_t) handler;
 	} */
-	int signum = svr4_to_native_signo[SVR4_SIGNO(SCARG(uap, signum))];
+	int native_signo, sigcall;
 	struct proc *p = l->l_proc;
 	struct sigaction nbsa, obsa;
 	sigset_t ss;
 	int error;
 
-	if (signum <= 0 || signum >= SVR4_NSIG)
-		return (EINVAL);
+	error = svr4_decode_signum(SCARG(uap, signum), _signo,
+	);
+	if (error)
+		return error;
 
-	switch (SVR4_SIGCALL(SCARG(uap, signum))) {
+	switch (sigcall) {
 	case SVR4_SIGDEFER_MASK:
 		if (SCARG(uap, handler) == SVR4_SIG_HOLD)
 			

CVS commit: [netbsd-7-0] src/sys/dev/ic

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 03:47:51 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-7-0]: bwi.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1474):
sys/dev/ic/bwi.c: revision 1.32
Check for M_EXT in m->m_flags, whether m is NULL, after MCLGET.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.24.4.1 -r1.24.4.1.2.1 src/sys/dev/ic/bwi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/bwi.c
diff -u src/sys/dev/ic/bwi.c:1.24.4.1 src/sys/dev/ic/bwi.c:1.24.4.1.2.1
--- src/sys/dev/ic/bwi.c:1.24.4.1	Tue Apr 21 04:55:15 2015
+++ src/sys/dev/ic/bwi.c	Sat Aug 12 03:47:50 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: bwi.c,v 1.24.4.1 2015/04/21 04:55:15 snj Exp $	*/
+/*	$NetBSD: bwi.c,v 1.24.4.1.2.1 2017/08/12 03:47:50 snj Exp $	*/
 /*	$OpenBSD: bwi.c,v 1.74 2008/02/25 21:13:30 mglocker Exp $	*/
 
 /*
@@ -48,7 +48,7 @@
 
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.24.4.1 2015/04/21 04:55:15 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bwi.c,v 1.24.4.1.2.1 2017/08/12 03:47:50 snj Exp $");
 
 #include 
 #include 
@@ -8292,7 +8292,7 @@ bwi_newbuf(struct bwi_softc *sc, int buf
 	if (m == NULL)
 		return (ENOBUFS);
 	MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
-	if (m == NULL) {
+	if ((m->m_flags & M_EXT) == 0) {
 		error = ENOBUFS;
 
 		/*



CVS commit: [netbsd-7-0] src/sys/dev/ic

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 03:44:15 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-7-0]: dm9000.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1473):
sys/dev/ic/dm9000.c: revision 1.12
Check for MCLGET failure in dme_alloc_receive_buffer.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.4.22.1 -r1.4.22.1.2.1 src/sys/dev/ic/dm9000.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/dm9000.c
diff -u src/sys/dev/ic/dm9000.c:1.4.22.1 src/sys/dev/ic/dm9000.c:1.4.22.1.2.1
--- src/sys/dev/ic/dm9000.c:1.4.22.1	Fri Jan  2 20:24:14 2015
+++ src/sys/dev/ic/dm9000.c	Sat Aug 12 03:44:15 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: dm9000.c,v 1.4.22.1 2015/01/02 20:24:14 martin Exp $	*/
+/*	$NetBSD: dm9000.c,v 1.4.22.1.2.1 2017/08/12 03:44:15 snj Exp $	*/
 
 /*
  * Copyright (c) 2009 Paul Fleischer
@@ -1122,8 +1122,13 @@ dme_alloc_receive_buffer(struct ifnet *i
 		sizeof(struct ether_header);
 	/* All our frames have the CRC attached */
 	m->m_flags |= M_HASFCS;
-	if (m->m_pkthdr.len + pad > MHLEN )
+	if (m->m_pkthdr.len + pad > MHLEN) {
 		MCLGET(m, M_DONTWAIT);
+		if ((m->m_flags & M_EXT) == 0) {
+			m_freem(m);
+			return NULL;
+		}
+	}
 
 	m->m_data += pad;
 	m->m_len = frame_length + (frame_length % sc->sc_data_width);
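Review bot: The new `return NULL` introduces a failure result that dme_alloc_receive_buffer did not have before, and nothing in the hunk documents it, so a caller that still assumes a non-NULL mbuf will dereference NULL on the first cluster-allocation failure. Add a comment above the new check, e.g. `/* No cluster available: drop this frame; callers must check for NULL. */`, and confirm every caller (outside this hunk) handles the NULL return. The function's start and end are outside the hunk.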



CVS commit: [netbsd-7-0] src/sys/dev/ic

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 03:40:34 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-7-0]: dp83932.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1472):
sys/dev/ic/dp83932.c: revision 1.41
Plug mbuf leak on MCLGET failure in sonic_rxintr.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.36.8.1 src/sys/dev/ic/dp83932.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/dp83932.c
diff -u src/sys/dev/ic/dp83932.c:1.36 src/sys/dev/ic/dp83932.c:1.36.8.1
--- src/sys/dev/ic/dp83932.c:1.36	Fri Oct 25 21:29:28 2013
+++ src/sys/dev/ic/dp83932.c	Sat Aug 12 03:40:34 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: dp83932.c,v 1.36 2013/10/25 21:29:28 martin Exp $	*/
+/*	$NetBSD: dp83932.c,v 1.36.8.1 2017/08/12 03:40:34 snj Exp $	*/
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.36 2013/10/25 21:29:28 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dp83932.c,v 1.36.8.1 2017/08/12 03:40:34 snj Exp $");
 
 
 #include 
@@ -785,8 +785,10 @@ sonic_rxintr(struct sonic_softc *sc)
 goto dropit;
 			if (len > (MHLEN - 2)) {
 MCLGET(m, M_DONTWAIT);
-if ((m->m_flags & M_EXT) == 0)
+if ((m->m_flags & M_EXT) == 0) {
+	m_freem(m);
 	goto dropit;
+}
 			}
 			m->m_data += 2;
 			/*



CVS commit: [netbsd-7-0] src/sys/dev/ic

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 03:29:51 UTC 2017

Modified Files:
src/sys/dev/ic [netbsd-7-0]: i82596.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1471):
sys/dev/ic/i82596.c: revision 1.37
Null out sc_rx_mbuf[i] after m_freem to avoid double-free later.
From Ilja Van Sprundel.
Also null out sc_tx_mbuf[i] after m_freem, out of paranoia.
XXX Not entirely clear to how tx mbufs are freed, but no way to test
this since it's ews4800mips- and hp700-only, so not keen to make any
more elaborate changes...


To generate a diff of this commit:
cvs rdiff -u -r1.31.4.1 -r1.31.4.1.2.1 src/sys/dev/ic/i82596.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/i82596.c
diff -u src/sys/dev/ic/i82596.c:1.31.4.1 src/sys/dev/ic/i82596.c:1.31.4.1.2.1
--- src/sys/dev/ic/i82596.c:1.31.4.1	Sat Feb 21 19:27:49 2015
+++ src/sys/dev/ic/i82596.c	Sat Aug 12 03:29:51 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: i82596.c,v 1.31.4.1 2015/02/21 19:27:49 martin Exp $ */
+/* $NetBSD: i82596.c,v 1.31.4.1.2.1 2017/08/12 03:29:51 snj Exp $ */
 
 /*
  * Copyright (c) 2003 Jochen Kunz.
@@ -43,7 +43,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.31.4.1 2015/02/21 19:27:49 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i82596.c,v 1.31.4.1.2.1 2017/08/12 03:29:51 snj Exp $");
 
 /* autoconfig and device stuff */
 #include 
@@ -754,6 +754,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't allocate mbuf\n",
 device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 t--;
 continue;
 			}
@@ -763,6 +764,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't allocate mbuf "
 "cluster\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 m_freem(m);
 t--;
 continue;
@@ -778,6 +780,7 @@ iee_start(struct ifnet *ifp)
 printf("%s: iee_start: can't load TX DMA map\n",
 device_xname(sc->sc_dev));
 m_freem(sc->sc_tx_mbuf[t]);
+sc->sc_tx_mbuf[t] = NULL;
 t--;
 continue;
 			}
@@ -927,6 +930,7 @@ iee_init(struct ifnet *ifp)
 printf("%s: iee_init: can't allocate mbuf"
 " cluster\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
 err = 1;
 break;
 			}
@@ -940,6 +944,7 @@ iee_init(struct ifnet *ifp)
 printf("%s: iee_init: can't create RX "
 "DMA map\n", device_xname(sc->sc_dev));
 m_freem(sc->sc_rx_mbuf[r]);
+sc->sc_rx_mbuf[r] = NULL;
 err = 1;
 break;
 			}
@@ -949,6 +954,7 @@ iee_init(struct ifnet *ifp)
 			device_xname(sc->sc_dev));
 			bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]);
 			m_freem(sc->sc_rx_mbuf[r]);
+			sc->sc_rx_mbuf[r] = NULL;
 			err = 1;
 			break;
 		}
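Review bot: In this error path bus_dmamap_destroy(sc->sc_dmat, sc->sc_rx_map[r]) leaves sc_rx_map[r] pointing at the destroyed map while the mbuf slot is now cleared; if a later teardown loop destroys every non-NULL sc_rx_map entry (not visible here), that would be a double destroy of the same kind this commit fixes for mbufs. For symmetry with the new `sc->sc_rx_mbuf[r] = NULL;`, add `sc->sc_rx_map[r] = NULL;` immediately after the destroy. The enclosing iee_init continues outside the hunk.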



CVS commit: [netbsd-7-0] src/sys/dev/pci

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 03:26:20 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-7-0]: if_et.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1470):
sys/dev/pci/if_et.c: revision 1.15
Check for MCLGET failure in et_newbuf.
From Ilja Van Sprundel.


To generate a diff of this commit:
cvs rdiff -u -r1.8.4.1 -r1.8.4.1.2.1 src/sys/dev/pci/if_et.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_et.c
diff -u src/sys/dev/pci/if_et.c:1.8.4.1 src/sys/dev/pci/if_et.c:1.8.4.1.2.1
--- src/sys/dev/pci/if_et.c:1.8.4.1	Tue Aug  4 21:16:43 2015
+++ src/sys/dev/pci/if_et.c	Sat Aug 12 03:26:20 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_et.c,v 1.8.4.1 2015/08/04 21:16:43 snj Exp $	*/
+/*	$NetBSD: if_et.c,v 1.8.4.1.2.1 2017/08/12 03:26:20 snj Exp $	*/
 /*	$OpenBSD: if_et.c,v 1.11 2008/06/08 06:18:07 jsg Exp $	*/
 /*
  * Copyright (c) 2007 The DragonFly Project.  All rights reserved.
@@ -37,7 +37,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.8.4.1 2015/08/04 21:16:43 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_et.c,v 1.8.4.1.2.1 2017/08/12 03:26:20 snj Exp $");
 
 #include "opt_inet.h"
 #include "vlan.h"
@@ -2028,6 +2028,10 @@ et_newbuf(struct et_rxbuf_data *rbd, int
 		if (m == NULL)
 			return (ENOBUFS);
 		MCLGET(m, init ? M_WAITOK : M_DONTWAIT);
+		if ((m->m_flags & M_EXT) == 0) {
+			m_freem(m);
+			return (ENOBUFS);
+		}
 		len = MCLBYTES;
 	} else {
 		MGETHDR(m, init ? M_WAITOK : M_DONTWAIT, MT_DATA);



CVS commit: [netbsd-7-0] src/sys/dev/pci

2017-08-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 12 03:23:03 UTC 2017

Modified Files:
src/sys/dev/pci [netbsd-7-0]: if_ipw.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1469):
sys/dev/pci/if_ipw.c: revision 1.65
Null out sbuf->m on failure to avoid double-free later.
From Ilja Van Sprundel.
Also null out sbuf->map out of paranoia.


To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.57.8.1 src/sys/dev/pci/if_ipw.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_ipw.c
diff -u src/sys/dev/pci/if_ipw.c:1.57 src/sys/dev/pci/if_ipw.c:1.57.8.1
--- src/sys/dev/pci/if_ipw.c:1.57	Sat Mar 29 19:28:24 2014
+++ src/sys/dev/pci/if_ipw.c	Sat Aug 12 03:23:03 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipw.c,v 1.57 2014/03/29 19:28:24 christos Exp $	*/
+/*	$NetBSD: if_ipw.c,v 1.57.8.1 2017/08/12 03:23:03 snj Exp $	*/
 /*	FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp 	*/
 
 /*-
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.57 2014/03/29 19:28:24 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.57.8.1 2017/08/12 03:23:03 snj Exp $");
 
 /*-
  * Intel(R) PRO/Wireless 2100 MiniPCI driver
@@ -592,6 +592,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		MCLGET(sbuf->m, M_DONTWAIT);
 		if (!(sbuf->m->m_flags & M_EXT)) {
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			aprint_error_dev(sc->sc_dev, "could not allocate rx mbuf cluster\n");
 			error = ENOMEM;
 			goto fail;
@@ -604,6 +605,7 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		if (error != 0) {
 			aprint_error_dev(sc->sc_dev, "could not create rxbuf dma map\n");
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			goto fail;
 		}
 
@@ -611,7 +613,9 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		sbuf->m, BUS_DMA_READ | BUS_DMA_NOWAIT);
 		if (error != 0) {
 			bus_dmamap_destroy(sc->sc_dmat, sbuf->map);
+			sbuf->map = NULL;
 			m_freem(sbuf->m);
+			sbuf->m = NULL;
 			aprint_error_dev(sc->sc_dev, "could not map rxbuf dma memory\n");
 			goto fail;
 		}


