xserver arm_video.c simplification - test on zaurus please
Hi, Since my zaurus was stolen last year, I need someone to test the diff below on a zaurus... it simplifies the code a bit (more to come for xserver 1.17 later) and makes it possible to run the wsudl on armv7 with a few more tweaks. Thanks in advance. Index: hw/xfree86/os-support/bsd/arm_video.c === RCS file: /cvs/xenocara/xserver/hw/xfree86/os-support/bsd/arm_video.c,v retrieving revision 1.11 diff -u -p -u -r1.11 arm_video.c --- hw/xfree86/os-support/bsd/arm_video.c 27 Sep 2014 17:53:02 - 1.11 +++ hw/xfree86/os-support/bsd/arm_video.c 23 May 2015 21:23:41 - @@ -69,33 +69,23 @@ #include xf86_OSlib.h #include xf86OSpriv.h -#include bus/Pci.h - #ifndef MAP_FAILED #define MAP_FAILED ((caddr_t)-1) #endif -#include sys/param.h -#include sys/sysctl.h - /***/ /* Video Memory Mapping section*/ /***/ -#ifdef __OpenBSD__ -#undef DEV_MEM -#define DEV_MEM /dev/xf86 -#endif - -static void* ppcMapVidMem(int, unsigned long, unsigned long, int flags); -static void ppcUnmapVidMem(int, void *, unsigned long); +static void* armMapVidMem(int, unsigned long, unsigned long, int flags); +static void armUnmapVidMem(int, void *, unsigned long); void xf86OSInitVidMem(VidMemInfoPtr pVidMem) { pVidMem-linearSupported = TRUE; -pVidMem-mapMem = ppcMapVidMem; -pVidMem-unmapMem = ppcUnmapVidMem; +pVidMem-mapMem = armMapVidMem; +pVidMem-unmapMem = armUnmapVidMem; pVidMem-initialised = TRUE; } @@ -103,7 +93,7 @@ xf86OSInitVidMem(VidMemInfoPtr pVidMem) volatile unsigned char *ioBase = MAP_FAILED; static void* -ppcMapVidMem(int ScreenNum, unsigned long Base, unsigned long Size, int flags) +armMapVidMem(int ScreenNum, unsigned long Base, unsigned long Size, int flags) { int fd = xf86Info.consoleFd; void *base; 
@@ -124,40 +114,17 @@ ppcMapVidMem(int ScreenNum, unsigned lon } static void -ppcUnmapVidMem(int ScreenNum, void *Base, unsigned long Size) +armUnmapVidMem(int ScreenNum, void *Base, unsigned long Size) { munmap(Base, Size); } -static int kmem = -1; - int xf86ReadBIOS(unsigned long Base, unsigned long Offset, unsigned char *Buf, int Len) { -int rv; - -if (Base 0x8000) { -xf86Msg(X_WARNING, No VGA Base=%#lx\n, Base); -return 0; -} - -if (kmem == -1) { -kmem = open(DEV_MEM, 2); -if (kmem == -1) { -FatalError(xf86ReadBIOS: open %s, DEV_MEM); -} -} - -#ifdef DEBUG -xf86MsgVerb(X_INFO, 3, xf86ReadBIOS() %lx %lx, %x\n, -Base, Offset, Len); -#endif - -lseek(kmem, Base + Offset, 0); -rv = read(kmem, Buf, Len); -return rv; +return -1; } /* @@ -166,26 +133,6 @@ xf86ReadBIOS(unsigned long Base, unsigne void xf86PrivilegedInit(void) { -int mib[2]; -char buf[128]; -size_t len; - -mib[0] = CTL_HW; -mib[1] = HW_MACHINE; -len = sizeof(buf); -if (sysctl(mib, 2, buf, len, NULL, 0) 0) { -FatalError(Cannot get hw.machine); -} -if (strcmp(buf, zaurus) != 0 -strcmp(buf, armish) != 0) { -/* Not Zaurus */ -kmem = open(DEV_MEM, 2); -if (kmem == -1) { -ErrorF(errno: %d\n, errno); -FatalError(xf86PrivilegedInit: open %s, DEV_MEM); -} -pci_system_init(); -} xf86OpenConsole(); } -- Matthieu Herrb
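Review bot: xf86ReadBIOS() in this hunk now ignores all four parameters and returns -1 unconditionally, whereas the removed body returned 0 for a rejected Base and the read() count otherwise. Its callers are not visible here, so it is worth confirming that none of them treats only 0 as failure. A one-line comment above the return, for example `/* BIOS reads are not supported on this platform; always fail. */`, would record the intent. Dropping `open(DEV_MEM, 2)` and the static `kmem` descriptor, here and in xf86PrivilegedInit(), also means the server no longer keeps a read/write handle on the memory device after privileged init, which is the safer default and worth stating in the commit message.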
audioctl: expose counters returned by AUDIO{I,O}OFFS
This exposes the counters returned by AUDIO_GET{I,O}OFFS ioctls, they correspond to the number of bytes processed by the device. The main usefulness of these counters is to check whether the kernel is missing interrupts (by verifying that play.bytes and record.bytes are the same). If we expose them, the {play,record}.samples (aka the ones returned by AUDIO_GETINFO) are not useful anymore and could be removed to avoid confusion. OK? Index: audioctl.c === RCS file: /cvs/src/usr.bin/audioctl/audioctl.c,v retrieving revision 1.27 diff -u -p -r1.27 audioctl.c --- audioctl.c 16 May 2015 12:51:24 - 1.27 +++ audioctl.c 24 May 2015 01:36:26 - @@ -61,6 +61,8 @@ char encbuf[1000]; int properties, fullduplex, perrors, rerrors; +struct audio_offset poffs, roffs; + struct field { const char *name; void *valp; @@ -92,10 +94,10 @@ struct field { { play.bps, info.play.bps, UINT, 0 }, { play.msb, info.play.msb, UINT, 0 }, { play.encoding, info.play.encoding,ENC,0 }, - { play.samples, info.play.samples, UINT, READONLY }, { play.pause, info.play.pause, UCHAR, 0 }, { play.active,info.play.active, UCHAR, READONLY }, { play.block_size,info.play.block_size, UINT, 0 }, + { play.bytes, poffs.samples, INT,READONLY }, { play.errors,perrors, INT,READONLY }, { record.rate,info.record.sample_rate,UINT, 0 }, { record.sample_rate, info.record.sample_rate,UINT, ALIAS }, @@ -104,10 +106,10 @@ struct field { { record.bps, info.record.bps, UINT, 0 }, { record.msb, info.record.msb, UINT, 0 }, { record.encoding,info.record.encoding, ENC,0 }, - { record.samples, info.record.samples, UINT, READONLY }, { record.pause, info.record.pause, UCHAR, 0 }, { record.active, info.record.active,UCHAR, READONLY }, { record.block_size, info.record.block_size,UINT, 0 }, + { record.bytes, roffs.samples, INT,READONLY }, { record.errors, rerrors, INT,READONLY }, { 0 } }; 
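Review bot: The new `play.bytes` and `record.bytes` rows in the field table are typed `INT`, while the `play.samples` and `record.samples` rows they replace were `UINT`. If the `samples` member of `struct audio_offset` is unsigned (I believe it is, but the declaration is not shown on this page), a long-running stream would be printed as a negative count once the counter passes INT_MAX. Typing both new rows as `UINT` keeps the output consistent with the counter and with the rows being removed.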
@@ -299,6 +301,10 @@ getinfo(int fd) err(1, AUDIO_PERROR); if (ioctl(fd, AUDIO_RERROR, rerrors) 0) err(1, AUDIO_RERROR); + if (ioctl(fd, AUDIO_GETOOFFS, poffs) 0) + err(1, AUDIO_GETOOFFS); + if (ioctl(fd, AUDIO_GETIOFFS, roffs) 0) + err(1, AUDIO_GETOIFFS); if (ioctl(fd, AUDIO_GETINFO, info) 0) err(1, AUDIO_GETINFO); }
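Review bot: The error label on the second added ioctl is misspelled: the call uses `AUDIO_GETIOFFS` but the err() string reads `AUDIO_GETOIFFS`, so a failure would be reported under a name that matches no ioctl. The line should be `err(1, "AUDIO_GETIOFFS");`. The enclosing getinfo() starts outside the hunk.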
RAM encryption and key storing in CPU
Hello, == Problem: Everything is stored in plaintext in memory. So even though full disk encryption is used on an OpenBSD machine, it is possible to copy the contents of memory while the notebook is suspended or running: https://citp.princeton.edu/research/memory/media/ == Solution: Can we (optionally*) encrypt the contents of memory and store the decryption key in the CPU, to defend against this kind of attack in general? There are solutions for this on Linux already, but only at patch level: https://www1.informatik.uni-erlangen.de/tresor *If someone wants to harden their OpenBSD machine (since notebooks can be stolen...), they could turn on this feature instead of following a policy of always powering off the notebook when it is not in use. Thank you for your comments.
Re: pf.conf from/to negation homogeneous behavior
On 2015/05/22 11:09, Henning Brauer wrote: this doesn't do what you think it does. You think it matches everything but 8.8.8.8 and 8.8.4.4, while in reality, it matches everything. Feed that rule through pfctl -nvf - and you'll see it expanded to match log on vic0 proto icmp from any to ! 8.8.8.8 match log on vic0 proto icmp from any to ! 8.8.4,4 the list negation discussion is as old as pf. It became more confusing after the ruleset optimizer was enabled though. $ echo 'pass proto tcp from {!1.1.1.1 !2.2.2.2 !3.3.3.3 !4.4.4.4 !5.5.5.5 !6.6.6.6}' | pfctl -nvf - table __automatic_0 const { 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 5.5.5.5 6.6.6.6 } pass inet proto tcp from ! __automatic_0 to any flags S/SA $ echo 'pass proto tcp from {!1.1.1.1 !2.2.2.2 !3.3.3.3 !4.4.4.4}' | pfctl -nvf - pass inet proto tcp from ! 1.1.1.1 to any flags S/SA pass inet proto tcp from ! 2.2.2.2 to any flags S/SA pass inet proto tcp from ! 3.3.3.3 to any flags S/SA pass inet proto tcp from ! 4.4.4.4 to any flags S/SA
NTRU Open Source Project / Post-quantum era
Hello, https://github.com/NTRUOpenSourceProject When will LibreSSL have ciphers for the Post-quantum era? http://tech.slashdot.org/story/15/05/15/007248/are-we-entering-a-golden-age-of-quantum-computing-research
Re: [patch 1/3] ksh: add overflow checking for memory allocations
Hi, Please don't forget to include Otto's license to the code, that you modified. Thanks for this reminder. Please accept my apologies, I'm not very familiar with the customs of licencing which doesn't exist in my profession. Would this be a satisfactory way of fulfilling your request? Index: Makefile === RCS file: /cvs/src/bin/ksh/Makefile,v retrieving revision 1.29 diff -u -p -r1.29 Makefile --- Makefile2 Dec 2013 20:41:01 - 1.29 +++ Makefile23 May 2015 12:56:30 - @@ -6,7 +6,7 @@ SRCS= alloc.c c_ksh.c c_sh.c c_test.c c_ misc.c path.c shf.c syn.c table.c trap.c tree.c tty.c var.c \ version.c vi.c -DEFS= -Wall +DEFS= -Wall -Wunused-function CFLAGS+=${DEFS} -I. -I${.CURDIR} -I${.CURDIR}/../../lib/libc/gen MAN= ksh.1 sh.1 Index: alloc.c === RCS file: /cvs/src/bin/ksh/alloc.c,v retrieving revision 1.8 diff -u -p -r1.8 alloc.c --- alloc.c 21 Jul 2008 17:30:08 - 1.8 +++ alloc.c 23 May 2015 12:56:30 - @@ -25,6 +25,22 @@ */ /* + * Copyright (c) 2008 Otto Moerbeek o...@drijf.net + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* * area-based allocation built on malloc/free */ 
@@ -74,6 +90,62 @@ alloc(size_t size, Area *ap) return L2P(l); } +/* + * From libc/stdlib/allocarray.c + * + * This is sqrt(SIZE_MAX+1), as s1 * s2 = SIZE_MAX + * if both s1 MUL_NO_OVERFLOW and s2 MUL_NO_OVERFLOW + */ +#define MUL_NO_OVERFLOW((size_t)1 (sizeof(size_t) * 4)) +/* + * Generous upper bound for sqrt(sizeof(struct link)). + */ +#define SQRT_SIZ_STR_LINK (sizeof(struct link) / 2) + +void * +allocarray(size_t nmemb, size_t size, Area *ap) +{ + /* +* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. +* If overflow occurs, at least one of `size' and `nmemb' must be +* larger than sqrt(SIZE_MAX - sizeof(struct link)). +* Note: sqrt(a - b) sqrt(a) - sqrt(b) for a b. +*/ + if ((nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (alloc(size * nmemb, ap)); +} + +/* + * This is sqrt(SIZE_MAX+1), as s1*s2 = SIZE_MAX + * if both s1 MUL_NO_OVERFLOW and s2 MUL_NO_OVERFLOW + */ +#define MUL_NO_OVERFLOW((size_t)1 (sizeof(size_t) * 4)) +/* + * Generous upper bound for sqrt(sizeof(struct link)). + */ +#define SQRT_SIZ_STR_LINK (sizeof(struct link) / 2) + +void * +allocarray(size_t nmemb, size_t size, Area *ap) +{ + /* +* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. +* If overflow occurs, at least one of `size' and `nmemb' must be +* larger than sqrt(SIZE_MAX - sizeof(struct link)). +* Note: sqrt(a - b) sqrt(a) - sqrt(b) for a b. +*/ + if ((nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (alloc(size * nmemb, ap)); +} + void * aresize(void *ptr, size_t size, Area *ap) { 
@@ -97,6 +169,30 @@ aresize(void *ptr, size_t size, Area *ap lnext-prev = l2; return L2P(l2); +} + +void * +aresizearray(void *ptr, size_t nmemb, size_t size, Area *ap) +{ + /* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. */ + if ((size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (aresize(ptr, size * nmemb, ap)); +} + +void * +aresizearray(void *ptr, size_t nmemb, size_t size, Area *ap) +{ + /* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. */ + if ((size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) /
[patch 1/3] ksh: add overflow checking for memory allocations
This set of three patches adds overflow checking to ksh in the spirit of the malloc(A*B) - reallocarray(NULL, A, B) conversions that were ongoing since last summer. I've been running these patches on my main laptop since January on amd64/CURRENT and didn't notice any issues. ksh has its own memory management functions and only calls malloc and realloc in the functions alloc() and aresize() in alloc.c. There the `size' arguments have the form sizeof(struct link) + size where struct link is defined as struct link { struct link *prev; struct link *next; }; In order to ensure that this doesn't overflow if `size' is a product of two numbers, wrap alloc() and aresize() into two functions which take the two factors as arguments and take care of the overflow checking: void *allocarray(size_t nmemb, size_t size, Area *ap); void *aresizearray(void *ptr, size_t nmemb, size_t size, Area *ap); The mathematically optimal check would test whether at least one of `size' and `nmemb' exceeds `sqrt(SIZE_MAX - sizeof(nmemb))' before proceeding. I went for something which is easier to compute. This first patch introduces the two wrappers and adds the overflow checking. The other two patches consist of purely mechanical conversions: Expand the macro #define sizeofN(type, n) (sizeof(type) * n) and take care of all explicit multiplications. Index: alloc.c === RCS file: /cvs/src/bin/ksh/alloc.c,v retrieving revision 1.8 diff -u -p -r1.8 alloc.c --- alloc.c 21 Jul 2008 17:30:08 - 1.8 +++ alloc.c 23 May 2015 11:58:27 - 
@@ -74,6 +74,33 @@ alloc(size_t size, Area *ap) return L2P(l); } +/* + * This is sqrt(SIZE_MAX+1), as s1*s2 = SIZE_MAX + * if both s1 MUL_NO_OVERFLOW and s2 MUL_NO_OVERFLOW + */ +#define MUL_NO_OVERFLOW((size_t)1 (sizeof(size_t) * 4)) +/* + * Generous upper bound for sqrt(sizeof(struct link)). + */ +#define SQRT_SIZ_STR_LINK (sizeof(struct link) / 2) + +void * +allocarray(size_t nmemb, size_t size, Area *ap) +{ + /* +* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. +* If overflow occurs, at least one of `size' and `nmemb' must be +* larger than sqrt(SIZE_MAX - sizeof(struct link)). +* Note: sqrt(a - b) sqrt(a) - sqrt(b) for a b. +*/ + if ((nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (alloc(size * nmemb, ap)); +} + void * aresize(void *ptr, size_t size, Area *ap) { @@ -97,6 +124,18 @@ aresize(void *ptr, size_t size, Area *ap lnext-prev = l2; return L2P(l2); +} + +void * +aresizearray(void *ptr, size_t nmemb, size_t size, Area *ap) +{ + /* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. */ + if ((size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (aresize(ptr, size * nmemb, ap)); } void Index: proto.h === RCS file: /cvs/src/bin/ksh/proto.h,v retrieving revision 1.35 diff -u -p -r1.35 proto.h --- proto.h 4 Sep 2013 15:49:19 - 1.35 +++ proto.h 23 May 2015 11:58:27 - 
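Review bot: The overflow predicate is written out twice, once in allocarray() and once in aresizearray(), with the operands of the first `||` in a different order; the same duplication appears in the quoted copy and in the resent patch further down the thread. Moving it into one static helper keeps the two wrappers from drifting apart when the bound is next touched. Both wrappers also fall through to `alloc(size * nmemb, ap)` or `aresize(ptr, size * nmemb, ap)` after calling internal_errorf(1, ...); this is only safe if that call never returns, which is not visible in the hunk, so a comment stating that assumption belongs next to it. The comparison operators below are reconstructed from the patch's own comment, since the page's extraction dropped them.

```c
/* True if sizeof(struct link) + nmemb * size would exceed SIZE_MAX. */
static int
array_size_overflows(size_t nmemb, size_t size)
{
	return ((nmemb >= MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK ||
	    size >= MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) &&
	    nmemb > 0 && (SIZE_MAX - sizeof(struct link)) / nmemb < size);
}

void *
allocarray(size_t nmemb, size_t size, Area *ap)
{
	if (array_size_overflows(nmemb, size))
		internal_errorf(1, "unable to allocate memory");
	/* Relies on internal_errorf(1, ...) not returning. */
	return (alloc(size * nmemb, ap));
}
/* … aresizearray: same guard, then aresize(ptr, size * nmemb, ap) … */
```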
@@ -10,7 +10,9 @@ Area * ainit(Area *); void afreeall(Area *); void * alloc(size_t, Area *); +void * allocarray(size_t, size_t, Area *); void * aresize(void *, size_t, Area *); +void * aresizearray(void *, size_t, size_t, Area *); void afree(void *, Area *); /* c_ksh.c */ intc_hash(char **); Index: sh.h === RCS file: /cvs/src/bin/ksh/sh.h,v retrieving revision 1.33 diff -u -p -r1.33 sh.h --- sh.h18 Dec 2013 13:53:12 - 1.33 +++ sh.h23 May 2015 11:58:27 - @@ -15,6 +15,7 @@ #include setjmp.h #include stdbool.h #include stddef.h +#include stdint.h #include stdlib.h #include unistd.h #include string.h
[patch 2/3] ksh: add overflow checking for memory allocations
Conversion of explicit multiplications: alloc(A*B, ...) becomes allocarray(A, B, ...), and aresize(..., A*B, ...) becomes aresizearray(..., A, B, ...) I ordered the arguments in such a way that A is nmemb and B is size as in the prototypes of allocarray() and aresizearray(). Index: edit.c === RCS file: /cvs/src/bin/ksh/edit.c,v retrieving revision 1.40 diff -u -p -r1.40 edit.c --- edit.c 12 Mar 2015 10:20:30 - 1.40 +++ edit.c 23 May 2015 11:58:27 - @@ -474,7 +474,7 @@ x_command_glob(int flags, const char *st int i; info = (struct path_order_info *) - alloc(sizeof(struct path_order_info) * nwords, ATEMP); + allocarray(nwords, sizeof(struct path_order_info), ATEMP); for (i = 0; i nwords; i++) { info[i].word = words[i]; info[i].base = x_basename(words[i], (char *) 0); Index: history.c === RCS file: /cvs/src/bin/ksh/history.c,v retrieving revision 1.40 diff -u -p -r1.40 history.c --- history.c 20 Nov 2014 15:22:39 - 1.40 +++ history.c 23 May 2015 11:58:27 - @@ -506,7 +506,8 @@ sethistsize(int n) cursize = n; } - history = (char **)aresize(history, n*sizeof(char *), APERM); + history = (char **)aresizearray(history, n, sizeof(char *), + APERM); histsize = n; histptr = history + cursize; @@ -555,7 +556,7 @@ init_histvec(void) { if (history == (char **)NULL) { histsize = HISTORYSIZE; - history = (char **)alloc(histsize*sizeof (char *), APERM); + history = (char **)allocarray(histsize, sizeof(char *), APERM); histptr = history - 1; } } Index: lex.c === RCS file: /cvs/src/bin/ksh/lex.c,v retrieving revision 1.49 diff -u -p -r1.49 lex.c --- lex.c 17 Dec 2013 16:37:06 - 1.49 +++ lex.c 23 May 2015 11:58:27 - 
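Review bot: Several converted call sites pass signed values as the `size_t nmemb` argument: `n` in sethistsize(int n) here, and `argc + 1` in make_argv() and the pointer differences `tw - t->vars + 1` in tcopy() in the hunks that follow. A negative value converts to a very large count, which the new check rejects with "unable to allocate memory"; that is safer than the old wrapped multiplication, but the message hides the real cause. Whether `n` is range-checked earlier in sethistsize() is not visible in the hunk. If it is, a comment such as `/* n > 0 here, so the conversion to size_t is safe */` on the aresizearray() call would document that; if it is not, an explicit range check before the call is the better fix.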
@@ -1621,7 +1621,7 @@ getsc_bn(void) static Lex_state * push_state_(State_info *si, Lex_state *old_end) { - Lex_state *new = alloc(sizeof(Lex_state) * STATE_BSIZE, ATEMP); + Lex_state *new = allocarray(STATE_BSIZE, sizeof(Lex_state), ATEMP); new[0].ls_info.base = old_end; si-base = new[0]; Index: main.c === RCS file: /cvs/src/bin/ksh/main.c,v retrieving revision 1.55 diff -u -p -r1.55 main.c --- main.c 9 Feb 2015 09:09:30 - 1.55 +++ main.c 23 May 2015 11:58:27 - @@ -78,7 +78,7 @@ make_argv(int argc, char *argv[]) char **nargv = argv; if (strcmp(argv[0], kshname) != 0) { - nargv = alloc(sizeof(char *) * (argc + 1), aperm); + nargv = allocarray(argc + 1, sizeof(char *), aperm); nargv[0] = (char *) kshname; for (i = 1; i argc; i++) nargv[i] = argv[i]; Index: shf.c === RCS file: /cvs/src/bin/ksh/shf.c,v retrieving revision 1.16 diff -u -p -r1.16 shf.c --- shf.c 19 Apr 2013 17:36:09 - 1.16 +++ shf.c 23 May 2015 11:58:27 - @@ -328,7 +328,7 @@ shf_emptybuf(struct shf *shf, int flags) !(shf-flags SHF_ALLOCB)) return EOF; /* allocate more space for buffer */ - nbuf = (unsigned char *) aresize(shf-buf, shf-wbsize * 2, + nbuf = (unsigned char *) aresizearray(shf-buf, 2, shf-wbsize, shf-areap); shf-rp = nbuf + (shf-rp - shf-buf); shf-wp = nbuf + (shf-wp - shf-buf); Index: tree.c === RCS file: /cvs/src/bin/ksh/tree.c,v retrieving revision 1.20 diff -u -p -r1.20 tree.c --- tree.c 27 Jun 2012 07:17:19 - 1.20 +++ tree.c 23 May 2015 11:58:27 - @@ -470,7 +470,7 @@ tcopy(struct op *t, Area *ap) for (tw = t-vars; *tw++ != NULL; ) ; rw = r-vars = (char **) - alloc((tw - t-vars + 1) * sizeof(*tw), ap); + allocarray(tw - t-vars + 1, sizeof(*tw), ap); for (tw = t-vars; *tw != NULL; ) *rw++ = wdcopy(*tw++, ap); *rw = NULL; @@ -482,7 +482,7 @@ tcopy(struct op *t, Area *ap) for (tw = t-args; *tw++ != NULL; ) ; rw = r-args = (char **) - alloc((tw - t-args + 1) * sizeof(*tw), ap); + allocarray(tw - t-args + 1, sizeof(*tw), ap); for (tw =
[patch 3/3] ksh: add overflow checking for memory allocations
Expand the macro #define sizeofN(type, n) (sizeof(type) * n) whenever it occurs as an argument to `alloc' or `aresize' and replace `alloc' by `allocarray' and `aresize' by `aresizearray'. There remains one single call to sizeofN(a,b) (see the patch for exec.c) which could safely be replaced by `a * b'. Index: c_sh.c === RCS file: /cvs/src/bin/ksh/c_sh.c,v retrieving revision 1.45 diff -u -p -r1.45 c_sh.c --- c_sh.c 27 Aug 2014 08:26:04 - 1.45 +++ c_sh.c 23 May 2015 11:58:27 - @@ -614,7 +614,8 @@ c_set(char **wp) while (*++wp != NULL) *wp = str_save(*wp, l-area); l-argc = wp - owp - 1; - l-argv = (char **) alloc(sizeofN(char *, l-argc+2), l-area); + l-argv = (char **) allocarray(l-argc+2, sizeof(char *), + l-area); for (wp = l-argv; (*wp++ = *owp++) != NULL; ) ; } Index: exec.c === RCS file: /cvs/src/bin/ksh/exec.c,v retrieving revision 1.51 diff -u -p -r1.51 exec.c --- exec.c 18 Apr 2015 18:28:36 - 1.51 +++ exec.c 23 May 2015 11:58:27 - @@ -92,7 +92,8 @@ execute(struct op *volatile t, flags = ~XTIME; if (t-ioact != NULL || t-type == TPIPE || t-type == TCOPROC) { - e-savefd = (short *) alloc(sizeofN(short, NUFILE), ATEMP); + e-savefd = (short *) allocarray(NUFILE, sizeof(short), + ATEMP); /* initialize to not redirected */ memset(e-savefd, 0, sizeofN(short, NUFILE)); } Index: expand.h === RCS file: /cvs/src/bin/ksh/expand.h,v retrieving revision 1.6 diff -u -p -r1.6 expand.h --- expand.h30 Mar 2005 17:16:37 - 1.6 +++ expand.h23 May 2015 11:58:27 - @@ -82,7 +82,7 @@ typedef struct XPtrV { #defineXPinit(x, n) do { \ void **vp__; \ - vp__ = (void**) alloc(sizeofN(void*, n), ATEMP); \ + vp__ = (void**) allocarray(n, sizeof(void*), ATEMP); \ (x).cur = (x).beg = vp__; \ (x).end = vp__ + n; \ } while (0) 
@@ -90,8 +90,9 @@ typedef struct XPtrV { #defineXPput(x, p) do { \ if ((x).cur = (x).end) { \ int n = XPsize(x); \ - (x).beg = (void**) aresize((void*) (x).beg, \ - sizeofN(void*, n*2), ATEMP); \ + (x).beg = (void**) \ + aresizearray((void*) (x).beg, \ + n, 2*sizeof(void*), ATEMP); \ (x).cur = (x).beg + n; \ (x).end = (x).cur + n; \ } \ @@ -101,7 +102,7 @@ typedef struct XPtrV { #defineXPptrv(x) ((x).beg) #defineXPsize(x) ((x).cur - (x).beg) -#defineXPclose(x) (void**) aresize((void*)(x).beg, \ -sizeofN(void*, XPsize(x)), ATEMP) +#defineXPclose(x) (void**) aresizearray((void*)(x).beg, \ +XPsize(x), sizeof(void*), ATEMP) #defineXPfree(x) afree((void*) (x).beg, ATEMP) Index: syn.c === RCS file: /cvs/src/bin/ksh/syn.c,v retrieving revision 1.29 diff -u -p -r1.29 syn.c --- syn.c 3 Jun 2013 18:40:05 - 1.29 +++ syn.c 23 May 2015 11:58:27 - @@ -197,7 +197,7 @@ get_command(int cf) XPtrV args, vars; struct nesting_state old_nesting; - iops = (struct ioword **) alloc(sizeofN(struct ioword *, NUFILE+1), + iops = (struct ioword **) allocarray(NUFILE+1, sizeof(struct ioword *), ATEMP); XPinit(args, 16); XPinit(vars, 16); @@ -389,8 +389,8 @@ get_command(int cf) t-ioact = NULL; } else { iops[iopn++] = NULL; - iops = (struct ioword **) aresize((void*) iops, - sizeofN(struct ioword *, iopn), ATEMP); + iops = (struct ioword **) aresizearray((void*) iops, + iopn, sizeof(struct ioword *), ATEMP); t-ioact = iops; } @@ -565,8 +565,8 @@ function_body(char *name, * be used as input), we pretend there is a colon here. */ t-left = newtp(TCOM); - t-left-args = (char **) alloc(sizeof(char *) * 2, ATEMP); - t-left-args[0] = alloc(sizeof(char) * 3, ATEMP); + t-left-args = (char **) allocarray(2, sizeof(char *), ATEMP); +
Re: [patch 1/3] ksh: add overflow checking for memory allocations
On Sat, May 23, 2015 at 12:28 PM, Theo Buehler t...@math.ethz.ch wrote: This set of three patches adds overflow checking to ksh in the spirit of the malloc(A*B) - reallocarray(NULL, A, B) conversions that were ongoing since last summer. I've been running these patches on my main laptop since January on amd64/CURRENT and didn't notice any issues. ksh has its own memory management functions and only calls malloc and realloc in the functions alloc() and aresize() in alloc.c. There the `size' arguments have the form sizeof(struct link) + size where struct link is defined as struct link { struct link *prev; struct link *next; }; In order to ensure that this doesn't overflow if `size' is a product of two numbers, wrap alloc() and aresize() into two functions which take the two factors as arguments and take care of the overflow checking: void *allocarray(size_t nmemb, size_t size, Area *ap); void *aresizearray(void *ptr, size_t nmemb, size_t size, Area *ap); The mathematically optimal check would test whether at least one of `size' and `nmemb' exceeds `sqrt(SIZE_MAX - sizeof(nmemb))' before proceeding. I went for something which is easier to compute. This first patch introduces the two wrappers and adds the overflow checking. The other two patches consist of purely mechanical conversions: Expand the macro #define sizeofN(type, n) (sizeof(type) * n) and take care of all explicit multiplications. Hi, Please don't forget to include Otto's license to the code, that you modified. Index: alloc.c === RCS file: /cvs/src/bin/ksh/alloc.c,v retrieving revision 1.8 diff -u -p -r1.8 alloc.c --- alloc.c 21 Jul 2008 17:30:08 - 1.8 +++ alloc.c 23 May 2015 11:58:27 - 
@@ -74,6 +74,33 @@ alloc(size_t size, Area *ap) return L2P(l); } +/* + * This is sqrt(SIZE_MAX+1), as s1*s2 = SIZE_MAX + * if both s1 MUL_NO_OVERFLOW and s2 MUL_NO_OVERFLOW + */ +#define MUL_NO_OVERFLOW((size_t)1 (sizeof(size_t) * 4)) +/* + * Generous upper bound for sqrt(sizeof(struct link)). + */ +#define SQRT_SIZ_STR_LINK (sizeof(struct link) / 2) + +void * +allocarray(size_t nmemb, size_t size, Area *ap) +{ + /* +* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. +* If overflow occurs, at least one of `size' and `nmemb' must be +* larger than sqrt(SIZE_MAX - sizeof(struct link)). +* Note: sqrt(a - b) sqrt(a) - sqrt(b) for a b. +*/ + if ((nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (alloc(size * nmemb, ap)); +} + void * aresize(void *ptr, size_t size, Area *ap) { @@ -97,6 +124,18 @@ aresize(void *ptr, size_t size, Area *ap lnext-prev = l2; return L2P(l2); +} + +void * +aresizearray(void *ptr, size_t nmemb, size_t size, Area *ap) +{ + /* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. */ + if ((size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (aresize(ptr, size * nmemb, ap)); } void Index: proto.h === RCS file: /cvs/src/bin/ksh/proto.h,v retrieving revision 1.35 diff -u -p -r1.35 proto.h --- proto.h 4 Sep 2013 15:49:19 - 1.35 +++ proto.h 23 May 2015 11:58:27 - 
@@ -10,7 +10,9 @@ Area * ainit(Area *); void afreeall(Area *); void * alloc(size_t, Area *); +void * allocarray(size_t, size_t, Area *); void * aresize(void *, size_t, Area *); +void * aresizearray(void *, size_t, size_t, Area *); void afree(void *, Area *); /* c_ksh.c */ intc_hash(char **); Index: sh.h === RCS file: /cvs/src/bin/ksh/sh.h,v retrieving revision 1.33 diff -u -p -r1.33 sh.h --- sh.h18 Dec 2013 13:53:12 - 1.33 +++ sh.h23 May 2015 11:58:27 - @@ -15,6 +15,7 @@ #include setjmp.h #include stdbool.h #include stddef.h +#include stdint.h #include stdlib.h #include unistd.h #include string.h
Re: [patch 1/3] ksh: add overflow checking for memory allocations
On Sat, May 23, 2015 at 03:01:03PM +0200, Theo Buehler wrote: Hi, Please don't forget to include Otto's license to the code, that you modified. Thanks for this reminder. Please accept my apologies, I'm not very familiar with the customs of licencing which doesn't exist in my profession. Would this be a satisfactory way of fulfilling your request? Index: Makefile === RCS file: /cvs/src/bin/ksh/Makefile,v retrieving revision 1.29 diff -u -p -r1.29 Makefile --- Makefile 2 Dec 2013 20:41:01 - 1.29 +++ Makefile 23 May 2015 12:56:30 - @@ -6,7 +6,7 @@ SRCS= alloc.c c_ksh.c c_sh.c c_test.c c_ misc.c path.c shf.c syn.c table.c trap.c tree.c tty.c var.c \ version.c vi.c -DEFS=-Wall +DEFS=-Wall -Wunused-function CFLAGS+=${DEFS} -I. -I${.CURDIR} -I${.CURDIR}/../../lib/libc/gen MAN= ksh.1 sh.1 Please ignore this chunk, I included this by mistake.
Re: [patch 1/3] ksh: add overflow checking for memory allocations
On Sat, May 23, 2015 at 03:01:03PM +0200, Theo Buehler wrote: Hi, Please don't forget to include Otto's license to the code, that you modified. Thanks for this reminder. Please accept my apologies, I'm not very familiar with the customs of licencing which doesn't exist in my profession. Would this be a satisfactory way of fulfilling your request? Something went completely awry when I included Otto's licence. Here's a patch that builds again. The other two patches still apply and build as well. I apologize for the noise. Index: alloc.c === RCS file: /cvs/src/bin/ksh/alloc.c,v retrieving revision 1.8 diff -u -p -r1.8 alloc.c --- alloc.c 21 Jul 2008 17:30:08 - 1.8 +++ alloc.c 23 May 2015 13:15:49 - @@ -25,6 +25,22 @@ */ /* + * Copyright (c) 2008 Otto Moerbeek o...@drijf.net + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* * area-based allocation built on malloc/free */ 
@@ -74,6 +90,35 @@ alloc(size_t size, Area *ap) return L2P(l); } +/* + * From libc/stdlib/reallocarray.c + * + * This is sqrt(SIZE_MAX+1), as s1 * s2 = SIZE_MAX + * if both s1 MUL_NO_OVERFLOW and s2 MUL_NO_OVERFLOW + */ +#define MUL_NO_OVERFLOW((size_t)1 (sizeof(size_t) * 4)) +/* + * Generous upper bound for sqrt(sizeof(struct link)). + */ +#define SQRT_SIZ_STR_LINK (sizeof(struct link) / 2) + +void * +allocarray(size_t nmemb, size_t size, Area *ap) +{ + /* +* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. +* If overflow occurs, at least one of `size' and `nmemb' must be +* larger than sqrt(SIZE_MAX - sizeof(struct link)). +* Note: sqrt(a - b) sqrt(a) - sqrt(b) for a b. +*/ + if ((nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (alloc(size * nmemb, ap)); +} + void * aresize(void *ptr, size_t size, Area *ap) { @@ -97,6 +142,18 @@ aresize(void *ptr, size_t size, Area *ap lnext-prev = l2; return L2P(l2); +} + +void * +aresizearray(void *ptr, size_t nmemb, size_t size, Area *ap) +{ + /* Ensure that `sizeof(struct link) + size * nmemb' doesn't overflow. */ + if ((size = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK || + nmemb = MUL_NO_OVERFLOW - SQRT_SIZ_STR_LINK) + nmemb 0 (SIZE_MAX - sizeof(struct link)) / nmemb size) + internal_errorf(1, unable to allocate memory); + + return (aresize(ptr, size * nmemb, ap)); } void Index: proto.h === RCS file: /cvs/src/bin/ksh/proto.h,v retrieving revision 1.35 diff -u -p -r1.35 proto.h --- proto.h 4 Sep 2013 15:49:19 - 1.35 +++ proto.h 23 May 2015 13:15:49 - 
@@ -10,7 +10,9 @@ Area * ainit(Area *); void afreeall(Area *); void * alloc(size_t, Area *); +void * allocarray(size_t, size_t, Area *); void * aresize(void *, size_t, Area *); +void * aresizearray(void *, size_t, size_t, Area *); void afree(void *, Area *); /* c_ksh.c */ intc_hash(char **); Index: sh.h === RCS file: /cvs/src/bin/ksh/sh.h,v retrieving revision 1.33 diff -u -p -r1.33 sh.h --- sh.h18 Dec 2013 13:53:12 - 1.33 +++ sh.h23 May 2015 13:15:49 - @@ -15,6 +15,7 @@ #include setjmp.h #include stdbool.h #include stddef.h +#include stdint.h #include stdlib.h #include unistd.h #include string.h
Re: NTRU Open Source Project / Post-quantum era
On 2015-05-23 05.24.30 -0400, ertetlen barmok wrote: https://github.com/NTRUOpenSourceProject https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/LICENSE.md NTRU cryptographic IP and reference software may be used and modified to the needs of the user as long as the user adheres to version two (2) or higher of the GPL License When will LibreSSL have ciphers for the Post-quantum era? When you submit the patch -- with the correct license.
Re: carp(4) is out
Hey, so far no problems. //mxb On 22 maj 2015, at 16:05, Martin Pieuchot m...@openbsd.org wrote: Let's take carp(4) out of ether_input(). This is quite similar to what happened to trunk(4) and vlan(4). I appreciate tests of any kind, reviews and oks. Index: net/if_ethersubr.c === RCS file: /cvs/src/sys/net/if_ethersubr.c,v retrieving revision 1.199 diff -u -p -r1.199 if_ethersubr.c --- net/if_ethersubr.c19 May 2015 11:09:24 - 1.199 +++ net/if_ethersubr.c22 May 2015 13:39:44 - @@ -502,18 +502,6 @@ ether_input(struct mbuf *m, void *hdr) } #endif -#if NCARP 0 - if (ifp-if_carp) { - if (ifp-if_type != IFT_CARP (carp_input(ifp, eh, m) == 0)) - return (1); - /* clear mcast if received on a carp IP balanced address */ - else if (ifp-if_type == IFT_CARP - m-m_flags (M_BCAST|M_MCAST) - carp_our_mcastaddr(ifp, (u_int8_t *)eh-ether_dhost)) - m-m_flags = ~(M_BCAST|M_MCAST); - } -#endif /* NCARP 0 */ - ac = (struct arpcom *)ifp; /* Index: netinet/ip_carp.c === RCS file: /cvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.257 diff -u -p -r1.257 ip_carp.c --- netinet/ip_carp.c 21 May 2015 09:17:53 - 1.257 +++ netinet/ip_carp.c 22 May 2015 13:54:30 - @@ -120,6 +120,7 @@ struct carp_softc { #define sc_carpdev sc_ac.ac_if.if_carpdev void *ah_cookie; void *lh_cookie; + struct ifih *sc_ifih; struct ip_moptions sc_imo; #ifdef INET6 struct ip6_moptions sc_im6o; @@ -193,6 +194,7 @@ void carp_hmac_generate(struct carp_vhos unsigned char *, u_int8_t); int carp_hmac_verify(struct carp_vhost_entry *, u_int32_t *, unsigned char *); +int carp_input(struct mbuf *, void *); void carp_proto_input_c(struct mbuf *, struct carp_header *, int, sa_family_t); void carpattach(int); @@ -824,6 +826,7 @@ carp_del_all_timeouts(struct carp_softc void carpdetach(struct carp_softc *sc) { + struct ifnet *ifp; struct carp_if *cif; int s; 
@@ -839,20 +842,29 @@ carpdetach(struct carp_softc *sc) carp_setrun_all(sc, 0); carp_multicast_cleanup(sc); - s = splnet(); if (sc-ah_cookie != NULL) hook_disestablish(sc-sc_if.if_addrhooks, sc-ah_cookie); - if (sc-sc_carpdev != NULL) { - if (sc-lh_cookie != NULL) - hook_disestablish(sc-sc_carpdev-if_linkstatehooks, - sc-lh_cookie); - cif = (struct carp_if *)sc-sc_carpdev-if_carp; - TAILQ_REMOVE(cif-vhif_vrs, sc, sc_list); - if (!--cif-vhif_nvrs) { - ifpromisc(sc-sc_carpdev, 0); - sc-sc_carpdev-if_carp = NULL; - free(cif, M_IFADDR, sizeof(*cif)); - } + + ifp = sc-sc_carpdev; + if (ifp == NULL) + return; + + s = splnet(); + /* Restore previous input handler. */ + if (--sc-sc_ifih-ifih_refcnt == 0) { + SLIST_REMOVE(ifp-if_inputs, sc-sc_ifih, ifih, ifih_next); + free(sc-sc_ifih, M_DEVBUF, sizeof(*sc-sc_ifih)); + } + + if (sc-lh_cookie != NULL) + hook_disestablish(ifp-if_linkstatehooks, + sc-lh_cookie); + cif = (struct carp_if *)ifp-if_carp; + TAILQ_REMOVE(cif-vhif_vrs, sc, sc_list); + if (!--cif-vhif_nvrs) { + ifpromisc(ifp, 0); + ifp-if_carp = NULL; + free(cif, M_IFADDR, sizeof(*cif)); } sc-sc_carpdev = NULL; splx(s); 
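Review bot: In the new refcount block of carpdetach(), `sc->sc_ifih` keeps its old value after `free(sc->sc_ifih, M_DEVBUF, sizeof(*sc->sc_ifih))`, and also when the count stays above zero and this softc has only dropped its reference. Since `sc_carpdev` is cleared a few lines later, I would clear the handler pointer next to it with `sc->sc_ifih = NULL;` so no later path can reach freed or no-longer-owned memory through the softc. The block also dereferences `sc->sc_ifih` whenever `sc_carpdev` is non-NULL; the code that sets the two is not in this hunk, so a `KASSERT(sc->sc_ifih != NULL);` before the decrement would document that invariant. Separately, the `ah_cookie` `hook_disestablish()` call now runs before `splnet()` is taken, where it used to run under it; if that is intentional, a one-line comment saying so would help. carpdetach() starts and ends outside this hunk.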
@@ -1403,27 +1415,21 @@ carp_get_srclladdr(struct ifnet *ifp, u_ } int -carp_our_mcastaddr(struct ifnet *ifp, u_int8_t *d_enaddr) -{ - struct carp_softc *sc = ifp-if_softc; - - if (sc-sc_balancing != CARP_BAL_IP) - return (0); - - return (!memcmp(sc-sc_ac.ac_enaddr, d_enaddr, ETHER_ADDR_LEN)); -} - - -int -carp_input(struct ifnet *ifp0, struct ether_header *eh0, struct mbuf *m) +carp_input(struct mbuf *m, void *hdr) { + struct carp_softc *sc; struct ether_header *eh; - struct carp_if *cif = (struct carp_if *)ifp0-if_carp; - struct ifnet *ifp; + struct mbuf_list ml = MBUF_LIST_INITIALIZER(); + struct carp_if *cif; + struct ifnet *ifp0, *ifp; - ifp = carp_ourether(cif, eh0-ether_dhost); - if (ifp == NULL (m-m_flags (M_BCAST|M_MCAST)) == 0) - return (1); + ifp0 = m-m_pkthdr.rcvif; + eh = mtod(m, struct ether_header *); + cif = (struct carp_if *)ifp0-if_carp; + + ifp = carp_ourether(cif, eh-ether_dhost); + if (ifp == NULL !ETHER_IS_MULTICAST(eh-ether_dhost)) + return (0); if (ifp ==