Re: svn commit: r349974 - head/libexec/rc/rc.d

2019-07-14 Thread Enji Cooper (yaneurabeya)

> On Jul 13, 2019, at 09:07, Ian Lepore wrote:
> 
> Author: ian
> Date: Sat Jul 13 16:07:38 2019
> New Revision: 349974
> URL: https://svnweb.freebsd.org/changeset/base/349974
> 
> Log:
>  Limit access to system accounting files.
> 
>  In 2013 the security chapter of the Handbook was updated in r42501 to
>  suggest limiting access to the system accounting file [*1] by creating the
>  initial file with a mode of 0600. This was in part based on a discussion in
>  the forums [*2]. Unfortunately, this advice is overridden by the fact that a
>  new file is created as part of periodic daily processing, and the file mode
>  is set by the rc.d/accounting script.
> 
>  These changes update the accounting script to create the directory with mode
>  0750 if it doesn't already exist, and to create the daily file with mode
>  0640. This limits write access to root only, read access to root and members
>  of wheel, and eliminates world access completely. For admins who want to
>  prevent even members of wheel from accessing the files, the mode of the
>  /var/account directory can be manually changed to 0700, because the script
>  never creates or changes that directory if it already exists.
> 
>  The accounting_rotate_log() function now also handles the error cases of no
>  existing log file to rotate, and attempting to rotate the file multiple
>  times (.0 file already exists).
> 
>  Another small change here eliminates the complexity of the mktemp/chmod/mv
>  sequence for creating a new acct file by using install(1) with the flags
>  needed to directly create the file with the desired ownership and
>  modes. That allows coalescing two separate if checkyesno accounting_enable
>  blocks into one.
> 
>  These changes were inspired by my investigation of PR 202203.
> 
>  [1] https://www.freebsd.org/doc/handbook/security-accounting.html
>  [2] http://forums.freebsd.org/showthread.php?t=41059
> 
>  PR:  202203
>  Differential Revision:   https://reviews.freebsd.org/D20876

Does this deserve a “Relnotes: yes”…?
Thanks!
-Enji
___
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
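
The directory and rotation behaviour described in the r349974 log above, as an added sketch that is not the rc.d/accounting script itself. The function names and the scratch directory are assumptions made for illustration; on a real system the install(1) calls would also carry the owner and group flags, which are left out here so the sketch runs unprivileged.

```sh
#!/bin/sh
# Added illustration of the r349974 log message; not the FreeBSD script.
# acct_prepare_dir, acct_rotate and mode_of are hypothetical names.

# Print the permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create the accounting directory with mode 0750 only if it is missing,
# so an existing directory that an admin tightened to 0700 is left alone.
acct_prepare_dir() {
    dir=$1
    [ -d "$dir" ] || install -d -m 0750 "$dir"
}

# Rotate acct to acct.0 and create a fresh, empty 0640 file.
# Returns 1 when there is no log to rotate, 2 when acct.0 already exists.
acct_rotate() {
    file=$1
    [ -f "$file" ] || { echo "no log file to rotate: $file" >&2; return 1; }
    [ ! -e "$file.0" ] || { echo "already rotated: $file.0 exists" >&2; return 2; }
    mv "$file" "$file.0" || return 3
    # install(1) sets the requested mode itself, which replaces the
    # mktemp/chmod/mv sequence the log message mentions.
    install -m 0640 /dev/null "$file"
}

# Demonstration in a scratch directory (constructed paths, not /var/account).
demo=$(mktemp -d)
acct_prepare_dir "$demo/account"
: > "$demo/account/acct"
acct_rotate "$demo/account/acct" &&
    echo "dir $(mode_of "$demo/account") file $(mode_of "$demo/account/acct")"
rm -rf "$demo"
```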


svn commit: r349989 - head/sys/kern

2019-07-14 Thread Michael Tuexen
Author: tuexen
Date: Sun Jul 14 21:44:18 2019
New Revision: 349989
URL: https://svnweb.freebsd.org/changeset/base/349989

Log:
  Improve the input validation for l_linger.
  When using the SOL_SOCKET level socket option SO_LINGER, the structure
  struct linger is used as the option value. The component l_linger is of
  type int, but internally copied to the field so_linger of the structure
  struct socket. The type of so_linger is short, but it is assumed to be
  non-negative and the value is used to compute ticks to be stored in a
  variable of type int.
  
  Therefore, perform input validation on l_linger similar to the one
  performed by NetBSD and OpenBSD.
  
  Thanks to syzkaller for making me aware of this issue.
  
  Thanks to markj@ for pointing out that a similar check should be added
  to so_linger_set().
  
  Reviewed by:  markj@
  MFC after:2 weeks
  Differential Revision:https://reviews.freebsd.org/D20948

Modified:
  head/sys/kern/uipc_socket.c

Modified: head/sys/kern/uipc_socket.c
==
--- head/sys/kern/uipc_socket.c Sun Jul 14 21:08:54 2019(r349988)
+++ head/sys/kern/uipc_socket.c Sun Jul 14 21:44:18 2019(r349989)
@@ -2776,7 +2776,12 @@ sosetopt(struct socket *so, struct sockopt *sopt)
error = sooptcopyin(sopt, , sizeof l, sizeof l);
if (error)
goto bad;
-
+   if (l.l_linger < 0 ||
+   l.l_linger > USHRT_MAX ||
+   l.l_linger > (INT_MAX / hz)) {
+   error = EDOM;
+   goto bad;
+   }
SOCK_LOCK(so);
so->so_linger = l.l_linger;
if (l.l_onoff)
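
Review bot: the upper bound in the new `l.l_linger > USHRT_MAX` test looks too loose for the store that follows. The log message says so_linger is a short, so any value from SHRT_MAX + 1 up to USHRT_MAX passes this check and is then narrowed by `so->so_linger = l.l_linger;` a few lines below, which breaks the non-negative assumption the check is meant to protect. Either bound against SHRT_MAX or widen the field in the same change. The check also runs before l_onoff is examined, so a caller that disables lingering with an uninitialised l_linger now gets EDOM; if that is intended it deserves a line in the manual page.
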
@@ -4105,6 +4110,9 @@ so_linger_get(const struct socket *so)
 void
 so_linger_set(struct socket *so, int val)
 {
+
+   KASSERT(val >= 0 && val <= USHRT_MAX && val <= (INT_MAX / hz),
+   ("%s: val %d out of range", __func__, val));
 
so->so_linger = val;
 }
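
Review bot: the KASSERT added to so_linger_set() is only compiled into INVARIANTS kernels, so on a production kernel the function still stores whatever val it is given. If in-kernel callers can pass a computed value, an explicit range check that clamps or reports an error would enforce the same contract as the sosetopt() path. The condition also repeats the three-part test added in sosetopt(); a shared macro or inline helper would keep the two from drifting apart.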


Re: svn commit: r349988 - head/sys/x86/iommu

2019-07-14 Thread Konstantin Belousov
On Sun, Jul 14, 2019 at 09:08:54PM +, Konstantin Belousov wrote:
> Author: kib
> Date: Sun Jul 14 21:08:54 2019
> New Revision: 349988
> URL: https://svnweb.freebsd.org/changeset/base/349988
In dmar_find(), refuse to search for DMAR unit for non-PCI device.

Eventually this should be reworked, because ACPI DMAR table can
specify ANND entries for scoping ACPI namespace enumerated devices.
But code to match DMAR unit against such device is missed currently
anyway.

Sorry.
> 
> Log:
>   PR: 239143
>   Reported and tested by: Wes Maag 
>   Sponsored by:   The FreeBSD Foundation
>   MFC after:  1 week
> 
> Modified:
>   head/sys/x86/iommu/intel_drv.c
> 
> Modified: head/sys/x86/iommu/intel_drv.c
> ==
> --- head/sys/x86/iommu/intel_drv.cSun Jul 14 16:05:47 2019
> (r349987)
> +++ head/sys/x86/iommu/intel_drv.cSun Jul 14 21:08:54 2019
> (r349988)
> @@ -770,6 +770,13 @@ dmar_find(device_t dev, bool verbose)
>   const char *banner;
>   int i, dev_domain, dev_busno, dev_path_len;
>  
> + /*
> +  * This function can only handle PCI(e) devices.
> +  */
> + if (device_get_devclass(device_get_parent(dev)) !=
> + devclass_find("pci"))
> + return (NULL);
> +
>   dmar_dev = NULL;
>   dev_domain = pci_get_domain(dev);
>   dev_path_len = dmar_dev_depth(dev);


svn commit: r349988 - head/sys/x86/iommu

2019-07-14 Thread Konstantin Belousov
Author: kib
Date: Sun Jul 14 21:08:54 2019
New Revision: 349988
URL: https://svnweb.freebsd.org/changeset/base/349988

Log:
  PR:   239143
  Reported and tested by:   Wes Maag 
  Sponsored by: The FreeBSD Foundation
  MFC after:1 week

Modified:
  head/sys/x86/iommu/intel_drv.c

Modified: head/sys/x86/iommu/intel_drv.c
==
--- head/sys/x86/iommu/intel_drv.c  Sun Jul 14 16:05:47 2019
(r349987)
+++ head/sys/x86/iommu/intel_drv.c  Sun Jul 14 21:08:54 2019
(r349988)
@@ -770,6 +770,13 @@ dmar_find(device_t dev, bool verbose)
const char *banner;
int i, dev_domain, dev_busno, dev_path_len;
 
+   /*
+* This function can only handle PCI(e) devices.
+*/
+   if (device_get_devclass(device_get_parent(dev)) !=
+   devclass_find("pci"))
+   return (NULL);
+
dmar_dev = NULL;
dev_domain = pci_get_domain(dev);
dev_path_len = dmar_dev_depth(dev);
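
Review bot: the comment in the added block says what the function handles but not why, and the test is narrower than the comment: it accepts only devices whose direct parent is in the "pci" devclass. Stating that the `pci_get_domain(dev)` call just below is only meaningful for children of a PCI bus would make the early return self-explanatory. The result of device_get_parent(dev) is passed straight to device_get_devclass(); if dmar_find() can be reached for a device without a parent, that needs a NULL check first. The commit log is also empty apart from the PR, tester and sponsor lines, so the description has to be taken from the follow-up mail.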


Re: svn commit: r349391 - head/sys/kern

2019-07-14 Thread Conrad Meyer
Hi Alan,

This change restores the possible overflow beyond IO_SEQMAX that the
removed conditional prevented.

On Tue, Jun 25, 2019 at 12:44 PM Alan Somers wrote:
>
> Author: asomers
> Date: Tue Jun 25 19:44:22 2019
> New Revision: 349391
> URL: https://svnweb.freebsd.org/changeset/base/349391
>
> --- head/sys/kern/vfs_vnops.c   Tue Jun 25 19:36:01 2019(r349390)
> +++ head/sys/kern/vfs_vnops.c   Tue Jun 25 19:44:22 2019(r349391)
> @@ -499,10 +499,8 @@ sequential_heuristic(struct uio *uio, struct file *fp)
>  * closely related to the best I/O size for real disks than
>  * to any block size used by software.
>  */
> -   fp->f_seqcount += MIN(IO_SEQMAX,
> +   fp->f_seqcount += lmin(IO_SEQMAX,
> howmany(uio->uio_resid, 16384));
> -   if (fp->f_seqcount > IO_SEQMAX)
> -   fp->f_seqcount = IO_SEQMAX;
> return (fp->f_seqcount << IO_SEQSHIFT);
> }
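
Review bot: removing the `if (fp->f_seqcount > IO_SEQMAX)` clamp leaves the running total unbounded. lmin() in the new line caps only the increment, so each call can add up to IO_SEQMAX to f_seqcount, and the unclamped sum is then shifted by IO_SEQSHIFT in the return statement. Keep the clamp, or apply the minimum to the sum rather than to the increment.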

Perhaps instead this should be:

fp->f_seqcount = lmin(IO_SEQMAX,
  fp->f_seqcount + howmany(...));

Best,
Conrad


svn commit: r349987 - in head/sys/netinet: . tcp_stacks

2019-07-14 Thread Randall Stewart
Author: rrs
Date: Sun Jul 14 16:05:47 2019
New Revision: 349987
URL: https://svnweb.freebsd.org/changeset/base/349987

Log:
  This is the second in a number of patches needed to
  get BBRv1 into the tree. This fixes the DSACK bug but
  is also needed by BBR. We have yet to go two more
  one will be for the pacing code (tcp_ratelimit.c) and
  the second will be for the new updated LRO code that
  allows a transport to know the arrival times of packets
  and (tcp_lro.c). After that we should finally be able
  to get BBRv1 into head.
  
  Sponsored by: Netflix Inc
  Differential Revision:https://reviews.freebsd.org/D20908

Modified:
  head/sys/netinet/tcp_output.c
  head/sys/netinet/tcp_sack.c
  head/sys/netinet/tcp_stacks/rack.c
  head/sys/netinet/tcp_var.h

Modified: head/sys/netinet/tcp_output.c
==
--- head/sys/netinet/tcp_output.c   Sun Jul 14 12:04:39 2019
(r349986)
+++ head/sys/netinet/tcp_output.c   Sun Jul 14 16:05:47 2019
(r349987)
@@ -1508,7 +1508,13 @@ timer:
if (SEQ_GT(tp->snd_nxt + xlen, tp->snd_max))
tp->snd_max = tp->snd_nxt + xlen;
}
-
+   if ((error == 0) &&
+   (TCPS_HAVEESTABLISHED(tp->t_state) &&
+(tp->t_flags & TF_SACK_PERMIT) &&
+tp->rcv_numsacks > 0)) {
+   /* Clean up any DSACK's sent */
+   tcp_clean_dsack_blocks(tp);
+   }
if (error) {
/* Record the error. */
TCP_LOG_EVENT(tp, NULL, >so_rcv, >so_snd, TCP_LOG_OUT,
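
Review bot: the new block tests `error == 0` and is immediately followed by `if (error) {`, so the two read better as a single if/else on error, which makes it obvious that the D-SACK cleanup runs only on the success path. The parentheses around the TCPS_HAVEESTABLISHED(...) && ... group are redundant, and the comment should read "DSACKs" rather than "DSACK's".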

Modified: head/sys/netinet/tcp_sack.c
==
--- head/sys/netinet/tcp_sack.c Sun Jul 14 12:04:39 2019(r349986)
+++ head/sys/netinet/tcp_sack.c Sun Jul 14 16:05:47 2019(r349987)
@@ -279,6 +279,45 @@ tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_sta
tp->rcv_numsacks = num_head + num_saved;
 }
 
+void
+tcp_clean_dsack_blocks(struct tcpcb *tp)
+{
+   struct sackblk saved_blks[MAX_SACK_BLKS];
+   int num_saved, i;
+
+   INP_WLOCK_ASSERT(tp->t_inpcb);
+   /*
+* Clean up any DSACK blocks that
+* are in our queue of sack blocks.
+* 
+*/
+   num_saved = 0;
+   for (i = 0; i < tp->rcv_numsacks; i++) {
+   tcp_seq start = tp->sackblks[i].start;
+   tcp_seq end = tp->sackblks[i].end;
+   if (SEQ_GEQ(start, end) || SEQ_LEQ(start, tp->rcv_nxt)) {
+   /*
+* Discard this D-SACK block.
+*/
+   continue;
+   }
+   /*
+* Save this SACK block.
+*/
+   saved_blks[num_saved].start = start;
+   saved_blks[num_saved].end = end;
+   num_saved++;
+   }
+   if (num_saved > 0) {
+   /*
+* Copy the saved SACK blocks back.
+*/
+   bcopy(saved_blks, >sackblks[0],
+ sizeof(struct sackblk) * num_saved);
+   }
+   tp->rcv_numsacks = num_saved;
+}
+
 /*
  * Delete all receiver-side SACK information.
  */
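
Review bot: the loop in tcp_clean_dsack_blocks() writes saved_blks[num_saved] for up to tp->rcv_numsacks entries, but nothing in the function checks that rcv_numsacks is at most MAX_SACK_BLKS, the size of the on-stack array. A KASSERT on that bound at the top of the function would document the invariant and catch a bad count before it overruns the stack buffer. The temporary array could be avoided altogether by compacting tp->sackblks in place, since the write index never passes the read index. The block comment ends with an empty line and does not say which blocks count as D-SACK; stating the rule the code applies (start not before end, or start not after rcv_nxt) would help the next reader.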

Modified: head/sys/netinet/tcp_stacks/rack.c
==
--- head/sys/netinet/tcp_stacks/rack.c  Sun Jul 14 12:04:39 2019
(r349986)
+++ head/sys/netinet/tcp_stacks/rack.c  Sun Jul 14 16:05:47 2019
(r349987)
@@ -5087,9 +5087,8 @@ rack_do_fastnewdata(struct mbuf *m, struct tcphdr *th,
 
 
/* Clean receiver SACK report if present */
-/* if (tp->rcv_numsacks)
+   if (tp->rcv_numsacks)
tcp_clean_sackreport(tp);
-*/
TCPSTAT_INC(tcps_preddat);
tp->rcv_nxt += tlen;
/*
@@ -8537,10 +8536,10 @@ out:
 * retransmit.  In persist state, just set snd_max.
 */
if (error == 0) {
-/* if (TCPS_HAVEESTABLISHED(tp->t_state) &&
+   if (TCPS_HAVEESTABLISHED(tp->t_state) &&
(tp->t_flags & TF_SACK_PERMIT) &&
tp->rcv_numsacks > 0)
-   tcp_clean_dsack_blocks(tp);*/
+   tcp_clean_dsack_blocks(tp);
if (len == 0)
counter_u64_add(rack_out_size[TCP_MSS_ACCT_SNDACK], 1);
else if (len == 1) {
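
Review bot: the re-enabled call here is guarded by the same TCPS_HAVEESTABLISHED / TF_SACK_PERMIT / rcv_numsacks > 0 predicate that the tcp_output.c hunk adds. Moving the predicate into tcp_clean_dsack_blocks() itself, or into a small inline helper, would keep the two stacks from diverging. The multi-line condition has no braces around its body here while the tcp_output.c version does; pick one form.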

Modified: head/sys/netinet/tcp_var.h
==
--- head/sys/netinet/tcp_var.h  Sun Jul 14 12:04:39 2019(r349986)
+++ head/sys/netinet/tcp_var.h  Sun Jul 14 16:05:47 2019(r349987)
@@ -939,6 +939,7 @@ tcp_seq  tcp_new_isn(struct in_conninfo *);
 
 int tcp_sack_doack(struct tcpcb *, struct tcpopt *, tcp_seq);
 voidtcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_laststart, tcp_seq 
rcv_lastend);
+void

svn commit: r349986 - in head/sys: netinet netinet6

2019-07-14 Thread Michael Tuexen
Author: tuexen
Date: Sun Jul 14 12:04:39 2019
New Revision: 349986
URL: https://svnweb.freebsd.org/changeset/base/349986

Log:
  When calling sctp_initialize_auth_params(), the inp must have at
  least a read lock. To avoid more complex locking dances, just
  call it in sctp_aloc_assoc() when the write lock is still held.
  
  Reported by:  syzbot+08a486f7e6966f1c3...@syzkaller.appspotmail.com
  MFC after:1 week

Modified:
  head/sys/netinet/sctp_input.c
  head/sys/netinet/sctp_output.c
  head/sys/netinet/sctp_pcb.c
  head/sys/netinet/sctp_pcb.h
  head/sys/netinet/sctp_usrreq.c
  head/sys/netinet6/sctp6_usrreq.c

Modified: head/sys/netinet/sctp_input.c
==
--- head/sys/netinet/sctp_input.c   Sun Jul 14 05:41:43 2019
(r349985)
+++ head/sys/netinet/sctp_input.c   Sun Jul 14 12:04:39 2019
(r349986)
@@ -2155,8 +2155,8 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
ntohl(initack_cp->init.initiate_tag), vrf_id,
ntohs(initack_cp->init.num_outbound_streams),
port,
-   (struct thread *)NULL
-   );
+   (struct thread *)NULL,
+   SCTP_DONT_INITIALIZE_AUTH_PARAMS);
if (stcb == NULL) {
struct mbuf *op_err;
 
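
Review bot: passing SCTP_DONT_INITIALIZE_AUTH_PARAMS at this call site is unexplained. The log message says why the initialisation moved into sctp_aloc_assoc(), but not why the cookie path opts out, and nothing in this hunk shows where the auth parameters are set up for this association afterwards. A one-line comment at the call naming the place that does it would answer the question.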

Modified: head/sys/netinet/sctp_output.c
==
--- head/sys/netinet/sctp_output.c  Sun Jul 14 05:41:43 2019
(r349985)
+++ head/sys/netinet/sctp_output.c  Sun Jul 14 12:04:39 2019
(r349986)
@@ -12769,7 +12769,8 @@ sctp_lower_sosend(struct socket *so,
stcb = sctp_aloc_assoc(inp, addr, , 0, vrf_id,
inp->sctp_ep.pre_open_stream_count,
inp->sctp_ep.port,
-   p);
+   p,
+   SCTP_INITIALIZE_AUTH_PARAMS);
if (stcb == NULL) {
/* Error is setup for us in the call */
goto out_unlocked;
@@ -12797,9 +12798,6 @@ sctp_lower_sosend(struct socket *so,
asoc = >asoc;
SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
(void)SCTP_GETTIME_TIMEVAL(>time_entered);
-
-   /* initialize authentication params for the assoc */
-   sctp_initialize_auth_params(inp, stcb);
 
if (control) {
if (sctp_process_cmsgs_for_init(stcb, control, 
)) {

Modified: head/sys/netinet/sctp_pcb.c
==
--- head/sys/netinet/sctp_pcb.c Sun Jul 14 05:41:43 2019(r349985)
+++ head/sys/netinet/sctp_pcb.c Sun Jul 14 12:04:39 2019(r349986)
@@ -4190,8 +4190,8 @@ struct sctp_tcb *
 sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockaddr *firstaddr,
 int *error, uint32_t override_tag, uint32_t vrf_id,
 uint16_t o_streams, uint16_t port,
-struct thread *p
-)
+struct thread *p,
+int initialize_auth_params)
 {
/* note the p argument is only valid in unbound sockets */
 
@@ -4420,6 +4420,9 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
head = >sctp_tcbhash[SCTP_PCBHASH_ALLADDR(stcb->rport,
inp->sctp_hashmark)];
LIST_INSERT_HEAD(head, stcb, sctp_tcbhash);
+   }
+   if (initialize_auth_params == SCTP_INITIALIZE_AUTH_PARAMS) {
+   sctp_initialize_auth_params(inp, stcb);
}
SCTP_INP_WUNLOCK(inp);
SCTPDBG(SCTP_DEBUG_PCB1, "Association %p now allocated\n", (void 
*)stcb);
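
Review bot: the test `initialize_auth_params == SCTP_INITIALIZE_AUTH_PARAMS` treats every value other than 1 as "do not initialise", so a caller passing some other non-zero int silently skips the setup. Testing for non-zero, or making the parameter a bool, removes that trap. Since the point of the change is that sctp_initialize_auth_params() must run with the inp lock held, a lock assertion at the top of that function would enforce what the placement before SCTP_INP_WUNLOCK(inp) relies on.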

Modified: head/sys/netinet/sctp_pcb.h
==
--- head/sys/netinet/sctp_pcb.h Sun Jul 14 05:41:43 2019(r349985)
+++ head/sys/netinet/sctp_pcb.h Sun Jul 14 12:04:39 2019(r349986)
@@ -578,9 +578,13 @@ int sctp_is_address_on_local_host(struct sockaddr *add
 
 void sctp_inpcb_free(struct sctp_inpcb *, int, int);
 
+#define SCTP_DONT_INITIALIZE_AUTH_PARAMS   0
+#define SCTP_INITIALIZE_AUTH_PARAMS1
+
 struct sctp_tcb *
 sctp_aloc_assoc(struct sctp_inpcb *, struct sockaddr *,
-int *, uint32_t, uint32_t, uint16_t, uint16_t, struct thread *);
+int *, uint32_t, uint32_t, uint16_t, uint16_t, struct thread *,
+int);
 
 int sctp_free_assoc(struct sctp_inpcb *, struct sctp_tcb *, int, int);
 

Modified: head/sys/netinet/sctp_usrreq.c
==
--- head/sys/netinet/sctp_usrreq.c  Sun Jul 14 05:41:43 2019
(r349985)
+++ head/sys/netinet/sctp_usrreq.c  Sun Jul 14 12:04:39 2019
(r349986)
@@ -1443,8 +1443,8 @@ sctp_do_connect_x(struct socket *so, struct sctp_inpcb
stcb = sctp_aloc_assoc(inp,