Re: nsd 4.1.6rc1

2015-10-15 Thread Todd C. Miller
On Thu, 15 Oct 2015 22:22:17 -0400, "Ted Unangst" wrote:

> Secondary question: what's involved in updating lex? I didn't realize we had
> fallen behind as it were, but should we switch too?

At one point it required GNU m4'isms we didn't support (the -P
flag).  We've had that for some time so I could take my merge of
flex 2.5.35 and update it to the latest (2.5.39) if there is interest.

 - todd



remove unused variables in netcat.c

2015-10-15 Thread Rob Pierce
It looks like the subject and issuer variables are no longer used in
report_tls() since the recent libtls api change. Also a few whitespace
mods.

Regards,

Index: netcat.c
===
RCS file: /cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.139
diff -u -p -r1.139 netcat.c
--- netcat.c11 Oct 2015 00:26:23 -  1.139
+++ netcat.c16 Oct 2015 02:26:09 -
@@ -670,6 +670,7 @@ tls_setup_client(struct tls *tls_ctx, in
strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
errx(1, "peer certificate is not %s", tls_expecthash);
 }
+
 struct tls *
 tls_setup_server(struct tls *tls_ctx, int connfd, char *host)
 {
@@ -709,6 +710,7 @@ tls_setup_server(struct tls *tls_ctx, in
}
return NULL;
 }
+
 /*
  * unix_connect()
  * Returns a socket connected to a local unix socket. Returns -1 on failure.
@@ -1135,7 +1137,6 @@ drainbuf(int fd, unsigned char *buf, siz
return n;
 }
 
-
 ssize_t
 fillbuf(int fd, unsigned char *buf, size_t *bufpos, struct tls *tls)
 {
@@ -1442,7 +1443,6 @@ map_tls(char *s, int *val)
 void
 report_tls(struct tls * tls_ctx, char * host, char *tls_expectname)
 {
-   char *subject = NULL, *issuer = NULL;
fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
fprintf(stderr, "Peer name %s\n",
@@ -1456,9 +1456,8 @@ report_tls(struct tls * tls_ctx, char * 
if (tls_peer_cert_hash(tls_ctx))
fprintf(stderr, "Cert Hash: %s\n",
tls_peer_cert_hash(tls_ctx));
-   free(subject);
-   free(issuer);
 }
+
 void
 report_connect(const struct sockaddr *sa, socklen_t salen)
 {
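Review bot: this hunk only compiles together with the @@ -1442 hunk above that drops the `char *subject = NULL, *issuer = NULL;` declaration; since nothing in report_tls() assigned either pointer after the libtls API change, the two free() calls were always freeing NULL, so removing both the declarations and the frees is the right fix, and the two hunks must land as one commit.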



Re: nsd 4.1.6rc1

2015-10-15 Thread Ted Unangst
Stuart Henderson wrote:
> It does not build as-is, there's an issue with "c_get_text" (a renamed
> yyget_text) with our version of flex. I have two possible workarounds
> so far but neither is particularly nice;
> 
> - add a configlexer.c file generated with newer flex to the tree (e.g.
> the one included in the upstream distribution) and copy into obj/
> before building. (I'm currently running binaries from a build done
> like this).

Secondary question: what's involved in updating lex? I didn't realize we had
fallen behind as it were, but should we switch too?



Re: Another lock(1) pledge tweak

2015-10-15 Thread trondd
Whoops.  I meant lock(1) in the subject.  I guess making a patch put the
word patch into my head.

On Thu, October 15, 2015 9:25 pm, trondd wrote:
> Is it safer to drop the recently added proc and exec pledges if the
> arguments are not chosen which need them?
>
> Index: lock.c
> ===
> RCS file: /cvs/src/usr.bin/lock/lock.c,v
> retrieving revision 1.32
> diff -u -p -r1.32 lock.c
> --- lock.c  15 Oct 2015 02:35:04 -  1.32
> +++ lock.c  16 Oct 2015 01:22:46 -
> @@ -148,6 +148,8 @@ main(int argc, char *argv[])
> strftime(date, sizeof(date), "%c", timp);
>
> if (!usemine) {
> +   if (pledge("stdio rpath wpath getpw tty", NULL) == -1)
> +   err(1, "pledge");
> /* get key and check again */
> if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF)
> ||
> *s == '\0')
>




Another patch(1) pledge tweak

2015-10-15 Thread trondd
Is it safer to drop the recently added proc and exec pledges if the
arguments are not chosen which need them?

Index: lock.c
===
RCS file: /cvs/src/usr.bin/lock/lock.c,v
retrieving revision 1.32
diff -u -p -r1.32 lock.c
--- lock.c  15 Oct 2015 02:35:04 -  1.32
+++ lock.c  16 Oct 2015 01:22:46 -
@@ -148,6 +148,8 @@ main(int argc, char *argv[])
strftime(date, sizeof(date), "%c", timp);

if (!usemine) {
+   if (pledge("stdio rpath wpath getpw tty", NULL) == -1)
+   err(1, "pledge");
/* get key and check again */
if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) ||
*s == '\0')
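Review bot: pledge(2) can only narrow, so the new `pledge("stdio rpath wpath getpw tty", NULL)` under `if (!usemine)` has to be a subset of the promises main() already made earlier (the recently added proc and exec set the mail refers to); if any of these five is missing from that earlier call, this one fails with EPERM and `err(1, "pledge")` exits lock(1), which leaves the terminal unlocked. Worth double-checking the earlier promise string before committing.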



Oct 15 OpenBSD errata and LibreSSL releases

2015-10-15 Thread Ted Unangst
The OBJ_obj2txt function in libcrypto contains a one byte buffer overrun
and memory leak, as reported by Qualys Security. This can be abused by an
attacker to cause a denial of service in some cases.

Patches are now available for OpenBSD as well as new releases of LibreSSL
portable. 5.6, 5.7, and 5.8 are affected, as well as all releases of LibreSSL.

Note that in addition to the instructions to rebuild libcrypto in the patch,
some binaries may link statically with libcrypto (isakmpd, iked, ...) and need
rebuilding as well, and services need to be restarted.

OpenBSD patches:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/033_obj2txt.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/019_obj2txt.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/007_obj2txt.patch.sig

LibreSSL releases:
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.0.6.tar.gz
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.8.tar.gz
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.4.tar.gz

There will be a libressl-2.3.1 release coming, but as a reminder it's still a
development branch. (The OpenBSD patches should apply to 2.3.0 as well.)

With the release of OpenBSD 5.8 in a few days, 5.6 will be officially retired
from support, and along with it LibreSSL 2.0. Hopefully, this will be the last
release in that line.



Re: ctags.1: stop misusing Nm

2015-10-15 Thread Ingo Schwarze
Hi Michael,

Michael Reed wrote on Wed, Oct 14, 2015 at 04:18:04PM -0400:

> If the author wanted to emphasize these terms then they should have
> used Sy or Em, but I wasn't convinced that the terms below
> needed emphasis so I just removed the Nm usage altogether.

Committed, thanks.
  Ingo


> Index: ctags.1
> ===
> RCS file: /cvs/src/usr.bin/ctags/ctags.1,v
> retrieving revision 1.30
> diff -u -p -r1.30 ctags.1
> --- ctags.1   22 Aug 2015 06:46:00 -  1.30
> +++ ctags.1   14 Oct 2015 20:08:43 -
> @@ -200,12 +200,7 @@ The
>  command appeared in
>  .Bx 2 .
>  .Sh BUGS
> -Recognition of
> -.Nm functions ,
> -.Nm subroutines ,
> -and
> -.Nm procedures
> -for
> +Recognition of functions, subroutines, and procedures for
>  .Tn FORTRAN
>  and Pascal is done in a very simple-minded way.
>  No attempt



Re: nsd 4.1.6rc1

2015-10-15 Thread Todd C. Miller
On Thu, 15 Oct 2015 22:50:44 +0100, Stuart Henderson wrote:

> It does not build as-is, there's an issue with "c_get_text" (a renamed
> yyget_text) with our version of flex. I have two possible workarounds
> so far but neither is particularly nice;

Third option, add c_get_text to configlexer.lex as follows:

char *c_get_text(void)
{
return yytext;
}

I did this just before the definition of yy_set_bol but it can go
just about anywhere in the first %{ ... %} block.

 - todd



nsd 4.1.6rc1

2015-10-15 Thread Stuart Henderson
I thought I'd send this diff out in case it avoids some duplicate work
and to solicit feedback about a problem. Comments about the code changes
in the update are welcome too.

It does not build as-is, there's an issue with "c_get_text" (a renamed
yyget_text) with our version of flex. I have two possible workarounds
so far but neither is particularly nice;

- add a configlexer.c file generated with newer flex to the tree (e.g.
the one included in the upstream distribution) and copy into obj/
before building. (I'm currently running binaries from a build done
like this).

- backout the changes ("print failed token for config syntax
error or parse error") to c_error() / c_error_va_list() in options.c.

Release notes since our last update (4.1.3):

4.1.4

Features

- RFC7553 RR Type URI support.
- removed hardcoded interface limit, --with-max-ips removed.
- SO_REUSEPORT support, by default on Linux, or with reuseport: yes.
- Admitted axfrs are logged at verbosity 1. Refused at verbosity 2.
- --enable-pie and --enable-relro-now options for a safer executable.

Bugfixes

- Fix NSID response for short edns sizes.
- Fix that for expired zones NSD performs an AXFR and accepts newer and
older serial numbers.
- Document that minimal responses only minimizes responses to fit in one
datagram. It does not minimize smaller responses.
- Fix #618: documented need to list ip-addresses separately in nsd.conf
if there are multiple, because the source address of replies can
otherwise go wrong.
- Fix that notify from nsd-control contains soa serial.
- Fix #698 formatting errors and typos in nsd.8.in.

4.1.5

- Fix #706: default port 53 not opened on ip4 because of getaddrinfo hints 
initialisation failure.

4.1.6rc1

- Fix #701: Fix that AD=1 set in a BADVERS response.
- Fix typo in zonec.c inside error message.
- Fix #711: Document that debug-mode yes is used for staying attached to
the supervisor console.
- Document verbosity 3 prints more information.
- nsd-checkconf warns for master zones with no zonefile statement.
- Fix start failure when many file descriptors are in use.
- The servfail rcode is not printed with a space in the middle.
- print failed token for config syntax error or parse error.





Index: acx_nlnetlabs.m4
===
RCS file: /cvs/src/usr.sbin/nsd/acx_nlnetlabs.m4,v
retrieving revision 1.1.1.9
diff -u -p -r1.1.1.9 acx_nlnetlabs.m4
--- acx_nlnetlabs.m417 Jul 2015 17:36:01 -  1.1.1.9
+++ acx_nlnetlabs.m415 Oct 2015 20:47:20 -
@@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 27
+# Version 28
+# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
 # 2015-03-17 AHX_CONFIG_REALLOCARRAY added
 # 2013-09-19 FLTO help text improved.
 # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
@@ -94,6 +95,8 @@
 # ACX_CHECK_MEMCMP_SIGNED  - check if memcmp uses signed characters.
 # AHX_MEMCMP_BROKEN- replace memcmp func for CHECK_MEMCMP_SIGNED.
 # ACX_CHECK_SS_FAMILY   - check for sockaddr_storage.ss_family
+# ACX_CHECK_PIE- add --enable-pie option and check if 
works
+# ACX_CHECK_RELRO_NOW  - add --enable-relro-now option and check it
 #
 
 dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
@@ -1385,5 +1388,47 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY],
 #include 
 #endif
 ]) ])
+
+dnl Check if CC and linker support -fPIE and -pie.
+dnl If so, sets them in CFLAGS / LDFLAGS.
+AC_DEFUN([ACX_CHECK_PIE], [
+AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable 
Position-Independent Executable (eg. to fully benefit from ASLR, small 
performance penalty)]))
+AS_IF([test "x$enable_pie" = "xyes"], [
+   AC_MSG_CHECKING([if $CC supports PIE])
+   BAKLDFLAGS="$LDFLAGS"
+   BAKCFLAGS="$CFLAGS"
+   LDFLAGS="$LDFLAGS -pie"
+   CFLAGS="$CFLAGS -fPIE"
+   AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+   if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep 
"warning: no debug symbols in executable" >/dev/null; then
+   LDFLAGS="$BAKLDFLAGS"
+   AC_MSG_RESULT(no)
+   else
+   AC_MSG_RESULT(yes)
+   fi
+   rm -f conftest conftest.c conftest.o
+   ], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
+])
+])
+
+dnl Check if linker supports -Wl,-z,relro,-z,now.
+dnl If so, adds it to LDFLAGS.
+AC_DEFUN([ACX_CHECK_RELRO_NOW], [
+AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable 
full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor 
areas)]))
+AS_IF([test "x$enable_relro_now" = "xyes"], [
+   AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
+   BAKLDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+   AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+   if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 
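Review bot: in ACX_CHECK_PIE, the branch that matches "warning: no debug symbols in executable" restores LDFLAGS (`LDFLAGS="$BAKLDFLAGS"`) but leaves `-fPIE` in CFLAGS, unlike the AC_LINK_IFELSE failure branch which resets both; on a toolchain hit by that heuristic the build would compile PIE objects yet link without `-pie`. Add `CFLAGS="$BAKCFLAGS"` next to the LDFLAGS reset in that branch, and check that ACX_CHECK_RELRO_NOW (cut off here) restores LDFLAGS on its own failure path the same way.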

Re: nlist(3): out of boundary access

2015-10-15 Thread Todd C. Miller
On Thu, 15 Oct 2015 23:12:43 +0200, Tobias Stoeckmann wrote:

> I consider sym to be trustworthy here, because it's supplied by the
> caller. It's not a pointer into the binary file.

Fair enough.

 - todd



Re: nlist(3): out of boundary access

2015-10-15 Thread Tobias Stoeckmann
On Thu, Oct 15, 2015 at 11:28:07AM -0600, Todd C. Miller wrote:
> Those checks all look good.  The only thing I had a question
> about is the:
> 
> len = strlen(sym);
> 
> Would it be better to use memchr to search for the NUL terminator
> to avoid going past the end?  E.g.
> 
> if (memchr(sym, 0, left) == NULL)
>   continue;

__fdnlist(int fd, struct nlist *list)
...
for (p = list; !ISLAST(p); p++) {
...
sym = p->n_un.n_name;

I consider sym to be trustworthy here, because it's supplied by the
caller. It's not a pointer into the binary file.



cast struct sockaddr_dl

2015-10-15 Thread Alexander Bluhm
Hi,

Inspired by the satosin() functions, I think it is better to have
inline functions than casts to convert between sockaddrs.  They
check if the incoming object has the expected type.  So introduce
satosdl() and sdltosa() to the kernel.

ok?

bluhm

Index: net/if.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if.c,v
retrieving revision 1.389
diff -u -p -r1.389 if.c
--- net/if.c12 Oct 2015 13:17:58 -  1.389
+++ net/if.c15 Oct 2015 20:40:39 -
@@ -1945,7 +1945,7 @@ ifioctl(struct socket *so, u_long cmd, c
case SIOCSIFLLADDR:
if ((error = suser(p, 0)))
return (error);
-   sdl = (struct sockaddr_dl *)ifp->if_sadl;
+   sdl = ifp->if_sadl;
if (sdl == NULL)
return (EINVAL);
if (ifr->ifr_addr.sa_len != ETHER_ADDR_LEN)
Index: net/if_dl.h
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_dl.h,v
retrieving revision 1.9
diff -u -p -r1.9 if_dl.h
--- net/if_dl.h 15 Sep 2015 09:13:33 -  1.9
+++ net/if_dl.h 15 Oct 2015 20:39:13 -
@@ -71,7 +71,21 @@ struct sockaddr_dl {
 
 #define LLADDR(s) ((caddr_t)((s)->sdl_data + (s)->sdl_nlen))
 
-#ifndef _KERNEL
+#ifdef _KERNEL
+
+static __inline struct sockaddr_dl *
+satosdl(struct sockaddr *sa)
+{
+   return ((struct sockaddr_dl *)(sa));
+}
+
+static __inline struct sockaddr *
+sdltosa(struct sockaddr_dl *sdl)
+{
+   return ((struct sockaddr *)(sdl));
+}
+
+#else /* _KERNEL */
 
 __BEGIN_DECLS
 char   *link_ntoa(const struct sockaddr_dl *);
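Review bot: satosdl()/sdltosa() give a compile-time check of the argument's pointer type, which is what the mail means by checking the incoming object, but nothing verifies `sa_family` at runtime; the ether_output() call sites are under `case AF_LINK:` so they are fine, but a `KASSERT(sa->sa_family == AF_LINK)` inside satosdl() would catch misuse from future callers on debug kernels. Also note the if.c hunk drops the cast entirely (`sdl = ifp->if_sadl;`), relying on `if_sadl` already being a `struct sockaddr_dl *`; that is consistent with the `sdltosa(ifp->if_sadl)` calls in the other hunks.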
Index: net/if_enc.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_enc.c,v
retrieving revision 1.60
diff -u -p -r1.60 if_enc.c
--- net/if_enc.c14 Mar 2015 03:38:51 -  1.60
+++ net/if_enc.c15 Oct 2015 20:40:40 -
@@ -27,6 +27,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -104,7 +105,7 @@ enc_clone_create(struct if_clone *ifc, i
if_alloc_sadl(ifp);
sc->sc_ifa.ifa_ifp = ifp;
sc->sc_ifa.ifa_rtrequest = link_rtrequest;
-   sc->sc_ifa.ifa_addr = (struct sockaddr *)ifp->if_sadl;
+   sc->sc_ifa.ifa_addr = sdltosa(ifp->if_sadl);
sc->sc_ifa.ifa_netmask = NULL;
 
 #if NBPFILTER > 0
Index: net/if_ethersubr.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_ethersubr.c,v
retrieving revision 1.228
diff -u -p -r1.228 if_ethersubr.c
--- net/if_ethersubr.c  29 Sep 2015 10:11:40 -  1.228
+++ net/if_ethersubr.c  15 Oct 2015 20:41:54 -
@@ -222,10 +222,9 @@ ether_output(struct ifnet *ifp, struct m
 
switch (dst->sa_family) {
case AF_LINK:
-   if (((struct sockaddr_dl *)dst)->sdl_alen <
-   sizeof(edst))
+   if (satosdl(dst)->sdl_alen < sizeof(edst))
senderr(EHOSTUNREACH);
-   memcpy(edst, LLADDR((struct sockaddr_dl *)dst),
+   memcpy(edst, LLADDR(satosdl(dst)),
sizeof(edst));
break;
case AF_INET:
Index: net/if_mpe.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_mpe.c,v
retrieving revision 1.47
diff -u -p -r1.47 if_mpe.c
--- net/if_mpe.c12 Sep 2015 20:50:17 -  1.47
+++ net/if_mpe.c15 Oct 2015 20:40:40 -
@@ -25,6 +25,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -105,7 +106,7 @@ mpe_clone_create(struct if_clone *ifc, i
 
mpeif->sc_ifa.ifa_ifp = ifp;
mpeif->sc_ifa.ifa_rtrequest = link_rtrequest;
-   mpeif->sc_ifa.ifa_addr = (struct sockaddr *) ifp->if_sadl;
+   mpeif->sc_ifa.ifa_addr = sdltosa(ifp->if_sadl);
mpeif->sc_smpls.smpls_len = sizeof(mpeif->sc_smpls);
mpeif->sc_smpls.smpls_family = AF_MPLS;
 
Index: net/if_mpw.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_mpw.c,v
retrieving revision 1.6
diff -u -p -r1.6 if_mpw.c
--- net/if_mpw.c12 Sep 2015 20:50:17 -  1.6
+++ net/if_mpw.c15 Oct 2015 20:40:40 -
@@ -27,6 +27,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 
@@ -105,7 +106,7 @@ mpw_clone_create(struct if_clone *ifc, i
 
sc->sc_ifa.ifa_ifp = ifp;
sc->sc_ifa.ifa_rtrequest = link_rtrequest;
-   sc->sc_ifa.ifa_addr = (struct sockaddr *) ifp->if_sadl;
+   sc->sc_ifa.ifa_addr = sdltosa(ifp->if_sadl);
sc->sc_smpls.smpls_len = sizeof(sc->sc_smpls);
sc->sc_smpls.smpls_family = AF_MPLS;
 
Index: n

Re: FreeType-2.6.1 !!header files layout changed again!!

2015-10-15 Thread Christian Weisgerber
On 2015-10-07, David Coppa  wrote:

> New freetype version, new header file layout :( :(
>
> Obviously, I'm expecting some fallouts from a bulk build with this...

Known fallout so far: all Mozilla ports.

Another build with this is running since the first one suffered too
many problems from unrelated issues.  Should be finished in 24
hours.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: preparing pfi_kif to MP world

2015-10-15 Thread Mike Belopuhov
On Wed, Oct 14, 2015 at 10:03 +1000, David Gwynne wrote:
> 
> > On 13 Oct 2015, at 21:12, Mike Belopuhov  wrote:
> > 
> > On Tue, Oct 13, 2015 at 20:36 +1000, David Gwynne wrote:
> >> 
> >>> On 12 Oct 2015, at 12:00 AM, Alexandr Nedvedicky 
> >>>  wrote:
> >>> 
> >>> Hello,
> >>> 
> >>> patch below introduces struct refcnt to pfi_kif structure. Patch also
> >>> changes pfi_kif_get() function to always return a reference to pfi_kif
> >>> instance.
> >>> 
> >>> Furthermore existing functions pfi_kif_ref()/pfi_kif_unref() are thrown
> >>> away in favor of pfi_kif_take()/pfi_kif_rele(), which follow naming
> >>> convention set by refcnt_init(9).  Patch also removes kif reference
> >>> types (enum pfi_kif_refs).
> >>> 
> >>> Patch also updates if_pfsync.c file. I'm bit puzzled with test as follows
> >>> in pfsync_in_clr():
> >>> 
> >>> 770 for (i = 0; i < count; i++) {
> >>> 771 clr = (struct pfsync_clr *)buf + len * i;
> >>> 772 creatorid = clr->creatorid;
> >>> 773 
> >>> 774 if (clr->ifname[0] == '\0') {
> >>> ...
> >>> 783 } else {
> >>> 784 if (pfi_kif_get(clr->ifname) == NULL)
> >>> 789 continue;
> >>> 790 
> >>> 
> >>> I could not make any sense of line 784. Are we just making sure
> >>> particular kif object exists for clr->ifname? Note pfi_kif_get() creates
> >>> kif for us if it does not exist. If we want to query for kif existence
> >>> only patch offers pfi_kif_check() function. I need some advice here if
> >>> we should keep, what's currently in patch or switch to pfi_kif_check().
> >> 
> >> my name is probably against that code.
> >> 
> >> i didn't realise that pfi_kif_get creates a kif on demand. however,
> >> it also uses malloc(, , M_NOWAIT) to try and allocate it, which can
> >> fail and cause pfi_kif_get to return NULL.
> >> 
> > 
> > Revision 1.102 used to get the kif and check the state against it:
> > 
> > if (si->s->creatorid == creatorid &&
> > si->s->kif == kif) {
> > 
> > Then in the rev 1.103 you have removed the check.  The question is
> > why did you do that? (-:
> 
> oh. i have no idea. it was a long time ago :(
> 
> putting it back makes sense to me, but id like the opinions of
> people who are more aware of pf internals to agree with me too.
> 
> dlg

Turns out this is a rather simple issue that got slightly
complicated by the code diverging quite a bit since the
inception.  Essentially the clr->ifname comes from the
interface specification in the "pfctl -i foo0 -Fs" for
if-bound states (floating states use fake interface "any").

Previously states have been hanging off of kif nodes but it's
long gone and we can simply iterate over the state table tree
(or even a state list like it's done in the DIOCGETSTATES in
pf_ioctl).

Calling pf_kif_get here wouldn't be prudent because spawning
new objects while disposing of the other ones seems somewhat
counterproductive.

diff --git sys/net/if_pfsync.c sys/net/if_pfsync.c
index 7d633db..fcaf5f5 100644
--- sys/net/if_pfsync.c
+++ sys/net/if_pfsync.c
@@ -752,46 +752,28 @@ done:
 
 int
 pfsync_in_clr(caddr_t buf, int len, int count, int flags)
 {
struct pfsync_clr *clr;
-   int i;
-
struct pf_state *st, *nexts;
-   struct pf_state_key *sk, *nextsk;
-   struct pf_state_item *si;
+   struct pfi_kif *kif = NULL;
u_int32_t creatorid;
+   int i;
 
for (i = 0; i < count; i++) {
clr = (struct pfsync_clr *)buf + len * i;
creatorid = clr->creatorid;
+   if (strlen(clr->ifname) &&
+   (kif = pfi_kif_find(clr->ifname)) == NULL)
+   continue;
 
-   if (clr->ifname[0] == '\0') {
-   for (st = RB_MIN(pf_state_tree_id, &tree_id);
-   st; st = nexts) {
-   nexts = RB_NEXT(pf_state_tree_id, &tree_id, st);
-   if (st->creatorid == creatorid) {
-   SET(st->state_flags, PFSTATE_NOSYNC);
-   pf_unlink_state(st);
-   }
-   }
-   } else {
-   if (pfi_kif_get(clr->ifname) == NULL)
-   continue;
-
-   /* XXX correct? */
-   for (sk = RB_MIN(pf_state_tree, &pf_statetbl);
-   sk; sk = nextsk) {
-   nextsk = RB_NEXT(pf_state_tree,
-   &pf_statetbl, sk);
-   TAILQ_FOREACH(si, &sk->states, entry) {
-   if (si->s->creatorid == creatorid) {
-   SET(si->s->state_flags,
-   PFSTATE_NOSYNC);
-  
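Review bot: `kif` is initialised to NULL once before the loop (`struct pfi_kif *kif = NULL;`) and is only reassigned when `clr->ifname` is non-empty, so a clear entry with an empty ifname that follows an if-bound entry in the same packet is left holding the previous iteration's kif; reset `kif = NULL` at the top of each iteration. Also, `strlen(clr->ifname)` assumes the wire-supplied name is NUL-terminated, which the original `clr->ifname[0] == '\0'` test did not; keep that form, or bound it with strnlen(clr->ifname, sizeof(clr->ifname)).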

Re: Black screen with inteldrm and recent snapshots

2015-10-15 Thread Mark Kettenis
> Date: Thu, 15 Oct 2015 01:03:10 +0200 (CEST)
> From: si...@slackware.it
> 
> Hello tech@,
> I'm sorry for resurrecting an old thread: I'm seeing intel drm errors in
> my dmesg, they appeared with the same end of September -current snapshot
> as the original poster mentioned but I'm having no visible issues other
> than some noise in the logs.
> Hardware is an EeePC 701 (i915) running i386 -current, here's dmesg from
> 13th October snapshot:
> 
...
> error: [drm:pid0:i915_gem_detect_bit_6_swizzle] *ERROR* Couldn't read from 
> MCHBAR.  Disabling tiling.

Hmm, does the diff below help?

Index: drm_linux.h
===
RCS file: /home/cvs/src/sys/dev/pci/drm/drm_linux.h,v
retrieving revision 1.41
diff -u -p -r1.41 drm_linux.h
--- drm_linux.h 27 Sep 2015 21:28:14 -  1.41
+++ drm_linux.h 15 Oct 2015 18:20:53 -
@@ -971,6 +971,10 @@ struct dmi_system_id {
 #defineDMI_EXACT_MATCH(a, b) {(a), (b)}
 int dmi_check_system(const struct dmi_system_id *);
 
+struct resource {
+   u_long  start;
+};
+
 struct pci_dev {
uint16_tvendor;
uint16_tdevice;
Index: i915/i915_dma.c
===
RCS file: /home/cvs/src/sys/dev/pci/drm/i915/i915_dma.c,v
retrieving revision 1.23
diff -u -p -r1.23 i915_dma.c
--- i915/i915_dma.c 23 Sep 2015 23:12:11 -  1.23
+++ i915/i915_dma.c 15 Oct 2015 19:15:44 -
@@ -1128,6 +1128,17 @@ static int i915_get_bridge_dev(struct dr
}
return 0;
 }
+#else
+int i915_get_bridge_dev(struct drm_device *dev)
+{
+   struct drm_i915_private *dev_priv = dev->dev_private;
+
+   dev_priv->bridge_dev = malloc(sizeof(*dev_priv->bridge_dev),
+ M_DEVBUF, M_WAITOK);
+   dev_priv->bridge_dev->pc = dev->pdev->pc;
+   dev_priv->bridge_dev->tag = pci_make_tag(dev->pdev->pc, 0, 0, 0);
+   return 0;
+}
 #endif
 
 #define MCHBAR_I915 0x44
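Review bot: the `#else` i915_get_bridge_dev() allocates `dev_priv->bridge_dev` with malloc(M_DEVBUF, M_WAITOK), but no matching free() appears in this diff; unless the existing detach path already releases it, the allocation leaks on every detach/reattach. M_WAITOK makes a NULL check unnecessary, but the free should be added alongside.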
@@ -1145,35 +1156,29 @@ intel_alloc_mchbar_resource(struct drm_d
int reg = INTEL_INFO(dev)->gen >= 4 ? MCHBAR_I965 : MCHBAR_I915;
u32 temp_lo, temp_hi = 0;
u64 mchbar_addr;
-   u_long addr;
 
if (INTEL_INFO(dev)->gen >= 4)
-   temp_hi = pci_conf_read(dev_priv->pc, dev_priv->tag, reg + 4);
-   temp_lo = pci_conf_read(dev_priv->pc, dev_priv->tag, reg);
+   pci_read_config_dword(dev_priv->bridge_dev, reg + 4, &temp_hi);
+   pci_read_config_dword(dev_priv->bridge_dev, reg, &temp_lo);
mchbar_addr = ((u64)temp_hi << 32) | temp_lo;
 
-   if (mchbar_addr == 0) {
-   addr = (u_long)mchbar_addr;
-   if (dev_priv->memex == NULL || extent_alloc(dev_priv->memex,
-   MCHBAR_SIZE, MCHBAR_SIZE, 0, 0, 0, &addr)) {
-   return -ENOMEM;
-   } else {
-   mchbar_addr = addr;
-   /* We've allocated it, now fill in the BAR again */
-   if (INTEL_INFO(dev)->gen >= 4)
-   pci_conf_write(dev_priv->pc, dev_priv->tag,
-   reg + 4, upper_32_bits(mchbar_addr));
-   pci_conf_write(dev_priv->pc, dev_priv->tag,
-   reg, lower_32_bits(mchbar_addr));
-   }
+   if (mchbar_addr &&
+   extent_alloc_region(dev_priv->memex, mchbar_addr, MCHBAR_SIZE,
+   EX_NOWAIT) == 0)
+   return 0;
+
+   /* Get some space for it */
+   if (dev_priv->memex == NULL || extent_alloc(dev_priv->memex,
+   MCHBAR_SIZE, MCHBAR_SIZE, 0, 0, 0, &dev_priv->mch_res.start)) {
+   return -ENOMEM;
}
 
if (INTEL_INFO(dev)->gen >= 4)
-   pci_conf_write(dev_priv->pc, dev_priv->tag, reg + 4,
-   upper_32_bits(mchbar_addr));
+   pci_write_config_dword(dev_priv->bridge_dev, reg + 4,
+  upper_32_bits(dev_priv->mch_res.start));
 
-   pci_conf_write(dev_priv->pc, dev_priv->tag, reg,
-   lower_32_bits(mchbar_addr));
+   pci_write_config_dword(dev_priv->bridge_dev, reg,
+  lower_32_bits(dev_priv->mch_res.start));
return 0;
 }
 
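Review bot: the new early path in intel_alloc_mchbar_resource() calls `extent_alloc_region(dev_priv->memex, mchbar_addr, MCHBAR_SIZE, EX_NOWAIT)` whenever `mchbar_addr` is non-zero, but the `dev_priv->memex == NULL` test only guards the later extent_alloc() call, so a firmware-programmed MCHBAR on a device without a memex dereferences NULL. Guard the first call with `dev_priv->memex != NULL` as well, and decide what a set MCHBAR without a memex should do, since the old code simply rewrote the BAR and returned 0 in that case.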
@@ -1183,16 +1188,16 @@ intel_setup_mchbar(struct drm_device *de
 {
drm_i915_private_t *dev_priv = dev->dev_private;
int mchbar_reg = INTEL_INFO(dev)->gen >= 4 ? MCHBAR_I965 : MCHBAR_I915;
-   pcireg_t temp;
+   u32 temp;
bool enabled;
 
dev_priv->mchbar_need_disable = false;
 
if (IS_I915G(dev) || IS_I915GM(dev)) {
-   temp = pci_conf_read(dev_priv->pc, dev_priv->tag, DEVEN_REG);
+   pci_read_config_dword(dev_priv->bridge_dev, DEVEN_REG, &temp);
enabled = !!(temp & DEVEN_MCHBAR_EN);
} else {
-   temp = pci_conf_read(dev_priv->pc, dev_priv->tag, 

Re: typo in OPENBSD-RELAYD-MIB.txt

2015-10-15 Thread Stuart Henderson
On 2015/10/14 09:53, Rob Pierce wrote:
> 
> How is this? I played with the DESCRIPTION so it would all fit on one
> line and match the current style, etc.
> 
> Thanks!

Thanks Rob, I've committed this.



Re: nlist(3): out of boundary access

2015-10-15 Thread Todd C. Miller
Those checks all look good.  The only thing I had a question
about is the:

len = strlen(sym);

Would it be better to use memchr to search for the NUL terminator
to avoid going past the end?  E.g.

if (memchr(sym, 0, left) == NULL)
continue;

 - todd
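An added example (not the libc nlist code Todd and Tobias are discussing) that puts Todd's memchr bound where it belongs, on the side that comes from the file: the lookup compares a caller-supplied, NUL-terminated name against a string table of known length without reading past its end. `strtab_find` and the sample table are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Look `sym` up in a string table that was read from a file.
 *
 * `sym` is the caller-supplied, NUL-terminated name (the trusted side, as
 * the thread concludes: plain strlen() is fine on it).  `tab` holds `tablen`
 * bytes from the file and is untrusted: nothing guarantees that the last
 * entry is NUL-terminated, so each entry is bounded with memchr() over the
 * bytes left in the table, and the comparison never reads past tab + tablen.
 * Returns the matching entry's offset, or -1 if there is no match.
 */
long strtab_find(const char *tab, size_t tablen, const char *sym)
{
	size_t symlen = strlen(sym);	/* trusted: terminated by the caller */
	size_t off = 0;

	while (off < tablen) {
		size_t left = tablen - off;
		const char *nul = memchr(tab + off, '\0', left);
		size_t elen;

		if (nul == NULL)	/* unterminated tail: stop, don't read on */
			break;
		elen = (size_t)(nul - (tab + off));
		if (elen == symlen && memcmp(tab + off, sym, symlen) == 0)
			return (long)off;
		off += elen + 1;	/* skip the entry and its NUL */
	}
	return -1;
}

/*
 * Constructed sample table (hypothetical, not from any real binary): an
 * empty entry, "_main", "_exit", and a truncated "_abo" with no NUL after
 * it, as a file cut short would leave.  sizeof - 1 drops the literal's NUL.
 */
static const char sample_tab[] = "\0_main\0_exit\0_abo";
static const size_t sample_tab_len = sizeof(sample_tab) - 1;

int main(void)
{
	const char *names[] = { "_main", "_exit", "_abo", "_abort" };
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-7s -> %ld\n", names[i],
		    strtab_find(sample_tab, sample_tab_len, names[i]));
	return 0;
}
```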



two bge(4) bugfixes

2015-10-15 Thread Miod Vallat
The following diff attempts to fix two small bge(4) bugs:

- the first chunk fixes what seems to be a logic error on BCM 5720,
  where the code attempts to preserve the state of four bits, but these
  have actually already been set in the local variable by the call to
  bge_dma_swap_options() immediately above. For some reason the
  bge_dma_swap_options() logic does not affect BCM 5762, and I'm not
  sure whether this is a bug or not.

- the second chunk repairs BCM5704 A3 support, as found on some G5 Xserve
  (RackMac3,1), by using the proper function pointer to write a magic
  register. Apparently, using the wrong function only works once, which
  allows the driver to attach, but as soon as you attempt to give it an
  IP address, the machine freezes without that change.

I could only test this on:

bge0 at pci0 dev 3 function 0 "Broadcom BCM5701" rev 0x15, BCM5701 B5 (0x105): 
irq 3, xbow irq 60, address 08:00:69:11:da:82

bge0 at pci1 dev 5 function 0 "Broadcom BCM5703X" rev 0x02, BCM5702/5703 A2 
(0x1002): dec 6600 irq 4, address 00:02:a5:c6:11:b3

bge0 at pci3 dev 4 function 0 "Broadcom BCM5704C" rev 0x03, BCM5704 A3 
(0x2003): irq 54, address 00:0d:93:9b:f2:94

Tests on more models would be welcome, as the second chunk affects
almost all models.

Index: if_bge.c
===
RCS file: /OpenBSD/src/sys/dev/pci/if_bge.c,v
retrieving revision 1.369
diff -u -p -U4 -r1.369 if_bge.c
--- if_bge.c19 Jul 2015 06:28:12 -  1.369
+++ if_bge.c15 Oct 2015 17:19:49 -
@@ -1764,8 +1764,11 @@ bge_chipinit(struct bge_softc *sc)
mode_ctl = bge_dma_swap_options(sc);
if (BGE_ASICREV(sc->bge_chipid) == BGE_ASICREV_BCM5720 ||
BGE_ASICREV(sc->bge_chipid) == BGE_ASICREV_BCM5762) {
/* Retain Host-2-BMC settings written by APE firmware. */
+   mode_ctl &= ~(BGE_MODECTL_BYTESWAP_B2HRX_DATA |
+   BGE_MODECTL_WORDSWAP_B2HRX_DATA |
+   BGE_MODECTL_B2HRX_ENABLE | BGE_MODECTL_HTX2B_ENABLE);
mode_ctl |= CSR_READ_4(sc, BGE_MODE_CTL) &
(BGE_MODECTL_BYTESWAP_B2HRX_DATA |
BGE_MODECTL_WORDSWAP_B2HRX_DATA |
BGE_MODECTL_B2HRX_ENABLE | BGE_MODECTL_HTX2B_ENABLE);
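Review bot: the added mask clears the four Host-2-BMC bits before the OR that re-reads them from BGE_MODE_CTL, which makes the "Retain" comment true on BCM5720, where bge_dma_swap_options() had already set them in `mode_ctl`; the condition also covers BCM5762, so the clear now runs there too. The author notes bge_dma_swap_options() does not set these bits on 5762, so that is a no-op in practice, but the commit message should state that the 5762 path was reasoned about rather than tested.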
@@ -3229,9 +3232,9 @@ bge_reset(struct bge_softc *sc)
 * Write the magic number to SRAM at offset 0xB50.
 * When firmware finishes its initialization it will
 * write ~BGE_SRAM_FW_MB_MAGIC to the same location.
 */
-   bge_writemem_ind(sc, BGE_SOFTWARE_GENCOMM, BGE_MAGIC_NUMBER);
+   write_op(sc, BGE_SOFTWARE_GENCOMM, BGE_MAGIC_NUMBER);
 
reset = BGE_MISCCFG_RESET_CORE_CLOCKS | BGE_32BITTIME_66MHZ;
 
if (sc->bge_flags & BGE_PCIE) {
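Review bot: switching from bge_writemem_ind() to the `write_op` function pointer matches the per-chip access method the reset path selects, but the assignment of `write_op` is outside this hunk; confirm it is set on every path before this call for all chips, since the author could only test BCM5701, BCM5703X and BCM5704 A3 and a NULL pointer call during bge_reset() would take the machine down rather than merely fail the attach.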



Re: dedup in_pcbbind() port scan loop

2015-10-15 Thread Vincent Gross
On 10/07/15 14:05, Martin Pieuchot wrote:
> On 01/10/15(Thu) 19:40, Vincent Gross wrote:
>> Although the sysctls controlling the port range are labelled
>> "port(hi)?first" and "port(hi)?last", no ordering is enforced and you
>> can have portfirst > portlast. in_pcbbind() (and in6_pcbsetport()) work
>> around this by duplicating the loop looking for an available port.
> 
> What about a small regress test?
> 
>> This diff introduce temporary bounds and compare them to guarantee that
>> first <= last, thus allowing deduplication of the port scan loop.
> 
> Makes sense to me, I'd keep the comment though.
> 
>>
>> Tested on my laptop with a narrow port range and heavy cheezburger
>> browsing, no fault detected. Deeper testing welcome.
>>
>> Should I include in6_pcbsetport() changes right now or should ipv4 be
>> validated first ?
> 
> I prefer when both versions are kept in sync, so yes an in6_pcbsetport()
> diff would be nice.  Plus if it's possible to have a regress test it
> would be awesome.
>

Ok ?


Index: sys/netinet/in_pcb.c
===
RCS file: /cvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.181
diff -u -p -r1.181 in_pcb.c
--- sys/netinet/in_pcb.c9 Oct 2015 01:10:27 -   1.181
+++ sys/netinet/in_pcb.c15 Oct 2015 12:08:06 -
@@ -360,67 +360,47 @@ in_pcbbind(struct inpcb *inp, struct mbu
inp->inp_laddr = sin->sin_addr;
}
if (lport == 0) {
-   u_int16_t first, last;
+   u_int16_t bound_a, bound_b, first, last;
int count;
 
if (inp->inp_flags & INP_HIGHPORT) {
-   first = ipport_hifirstauto; /* sysctl */
-   last = ipport_hilastauto;
+   bound_a = ipport_hifirstauto;   /* sysctl */
+   bound_b = ipport_hilastauto;
} else if (inp->inp_flags & INP_LOWPORT) {
if ((error = suser(p, 0)))
return (EACCES);
-   first = IPPORT_RESERVED-1; /* 1023 */
-   last = 600;/* not IPPORT_RESERVED/2 */
+   bound_a = IPPORT_RESERVED-1; /* 1023 */
+   bound_b = 600; /* not IPPORT_RESERVED/2 */
} else {
-   first = ipport_firstauto;   /* sysctl */
-   last  = ipport_lastauto;
+   bound_a = ipport_firstauto; /* sysctl */
+   bound_b = ipport_lastauto;
+   }
+   if (bound_a < bound_b) {
+   first = bound_a;
+   last  = bound_b;
+   } else {
+   first = bound_b;
+   last  = bound_a;
}
 
/*
 * Simple check to ensure all ports are not used up causing
 * a deadlock here.
-*
-* We split the two cases (up and down) so that the direction
-* is not being tested on each round of the loop.
 */
 
-   if (first > last) {
-   /*
-* counting down
-*/
-   count = first - last;
-   if (count)
-   lastport = first - arc4random_uniform(count);
+   count = last - first;
+   lastport = first + arc4random_uniform(count);
 
-   do {
-   if (count-- < 0)/* completely used? */
-   return (EADDRNOTAVAIL);
-   --lastport;
-   if (lastport > first || lastport < last)
-   lastport = first;
-   lport = htons(lastport);
-   } while (in_baddynamic(lastport, 
so->so_proto->pr_protocol) ||
-   in_pcblookup(table, &zeroin_addr, 0,
-   &inp->inp_laddr, lport, wild, inp->inp_rtableid));
-   } else {
-   /*
-* counting up
-*/
-   count = last - first;
-   if (count)
-   lastport = first + arc4random_uniform(count);
-
-   do {
-   if (count-- < 0)/* completely used? */
-   return (EADDRNOTAVAIL);
-   ++lastport;
-   if (lastport < first || lastport > last)
-   lastport = first;
-   lport = htons(lastport);
-   } while (in_baddynamic(lastport, 
so->so_proto->pr_pr
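Review bot: dropping the old `if (count)` guard in front of `lastport = first + arc4random_uniform(count);` is only correct because OpenBSD's arc4random_uniform() returns 0 for an upper bound below 2, so a sysctl range with ipport_firstauto == ipport_lastauto gives count == 0 and lastport == first instead of a division by zero; a one-line comment at that spot would save the next reader the lookup. The `if (bound_a < bound_b)` normalisation also changes behaviour for INP_LOWPORT and for any administrator who set the hi/lo sysctls in descending order to ask for a downward search: both now become an upward range starting at a random point in [first, last), so the kept comments `/* 1023 */` and `/* not IPPORT_RESERVED/2 */` should say that the order of the two bounds no longer carries meaning. The unified loop itself is cut off on the page after `so->so_proto->pr_pr`, so the wrap-around check (`lastport < first || lastport > last` in the removed code) and the `count-- < 0` exit could not be checked against the new single range here.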

Re: iwm: fix handling of large firmware commands

2015-10-15 Thread Stefan Sperling
Any objections to putting this in soon? Any OKs?

I'd like to move forward with iwm(4) (less fixing bugs, more
adding new features...)

On Sun, Oct 11, 2015 at 04:55:29PM +0200, Stefan Sperling wrote:
> The iwm(4) driver pre-allocates fw command payload buffers of 320 bytes.
> 
> For some firmware commands, particularly those used when configuring
> the PHY (iwm_send_phy_db_cmd) and running scans (iwm_mvm_scan_request),
> the payload exceeds 320 bytes. I've seen somewhere between 2k and 3.5k
> being used. Precisely these commands fail often while we're trying to
> bring the interface up. You've probably seen "could not initiate scan".
> The PHY failure case doesn't print anything unless IWM_DEBUG is set.
> 
> If the payload doesn't fit, the driver tries to use an mbuf instead
> of the pre-allocated payload buffer. This seems to be based on the
> approach taken in iwn(4).
> 
> The current code seems confused about sizes.
> If a command requires 'sizeof(cmd->hdr) + paylen' bytes, the driver only
> maps hcmd->len[0] bytes for DMA. But 'paylen' is the sum of hcmd->len[0]
> and hcmd->len[1]. And the DMA map used to map large payloads only handles
> mappings of up to MCLBYTES, which is only 2k...
> 
> Fix this by sizing the mbuf and its DMA map correctly.
> 
> Index: if_iwm.c
> ===
> RCS file: /cvs/src/sys/dev/pci/if_iwm.c,v
> retrieving revision 1.55
> diff -u -p -r1.55 if_iwm.c
> --- if_iwm.c  11 Oct 2015 10:22:28 -  1.55
> +++ if_iwm.c  11 Oct 2015 14:37:41 -
> @@ -1108,14 +1108,21 @@ iwm_alloc_tx_ring(struct iwm_softc *sc, 
>   paddr = ring->cmd_dma.paddr;
>   for (i = 0; i < IWM_TX_RING_COUNT; i++) {
>   struct iwm_tx_data *data = &ring->data[i];
> + size_t mapsize;
>  
>   data->cmd_paddr = paddr;
>   data->scratch_paddr = paddr + sizeof(struct iwm_cmd_header)
>   + offsetof(struct iwm_tx_cmd, scratch);
>   paddr += sizeof(struct iwm_device_cmd);
>  
> - error = bus_dmamap_create(sc->sc_dmat, MCLBYTES,
> - IWM_NUM_OF_TBS - 2, MCLBYTES, 0, BUS_DMA_NOWAIT,
> + /* FW commands may require more mapped space than packets. */
> + if (qid == IWM_MVM_CMD_QUEUE)
> + mapsize = (sizeof(struct iwm_cmd_header) +
> + IWM_MAX_CMD_PAYLOAD_SIZE);
> + else
> + mapsize = MCLBYTES;
> + error = bus_dmamap_create(sc->sc_dmat, mapsize,
> + IWM_NUM_OF_TBS - 2, mapsize, 0, BUS_DMA_NOWAIT,
>   &data->map);
>   if (error != 0) {
>   printf("%s: could not create TX buf DMA map\n", 
> DEVNAME(sc));
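Review bot: `mapsize` for the command queue is `sizeof(struct iwm_cmd_header) + IWM_MAX_CMD_PAYLOAD_SIZE` and is passed as both the map's total size and as maxsegsz; that is consistent with iwm_send_cmd() rejecting `paylen > IWM_MAX_CMD_PAYLOAD_SIZE` before it loads `totlen = sizeof(cmd->hdr) + paylen` into the same map, so a load can no longer exceed the map the way a 2.5k payload exceeded the old MCLBYTES map. IWM_MAX_CMD_PAYLOAD_SIZE is not defined in this diff, so it must come from the register header; its value belongs in the commit message, because the message cites observed payloads of 2k to 3.5k and the constant has to exceed those for the scan and PHY commands to stop failing. Now that the two queue types get different map sizes, the `could not create TX buf DMA map` message would be more useful with qid and mapsize in it.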
> @@ -3393,30 +3400,31 @@ iwm_send_cmd(struct iwm_softc *sc, struc
>   data = &ring->data[ring->cur];
>  
>   if (paylen > sizeof(cmd->data)) {
> - /* Command is too large */
> - if (sizeof(cmd->hdr) + paylen > IWM_RBUF_SIZE) {
> + /* Command is too large to fit in pre-allocated space. */
> + size_t totlen = sizeof(cmd->hdr) + paylen;
> + if (paylen > IWM_MAX_CMD_PAYLOAD_SIZE) {
> + printf("%s: firmware command too long (%zd bytes)\n",
> + DEVNAME(sc), totlen);
>   error = EINVAL;
>   goto out;
>   }
> - m = m_gethdr(M_DONTWAIT, MT_DATA);
> + m = MCLGETI(NULL, M_DONTWAIT, NULL, totlen);
>   if (m == NULL) {
> - error = ENOMEM;
> - goto out;
> - }
> - MCLGETI(m, M_DONTWAIT, NULL, IWM_RBUF_SIZE);
> - if (!(m->m_flags & M_EXT)) {
> - m_freem(m);
> + printf("%s: could not get fw cmd mbuf (%zd bytes)\n",
> + DEVNAME(sc), totlen);
>   error = ENOMEM;
>   goto out;
>   }
>   cmd = mtod(m, struct iwm_device_cmd *);
>   error = bus_dmamap_load(sc->sc_dmat, data->map, cmd,
> - hcmd->len[0], NULL, BUS_DMA_NOWAIT | BUS_DMA_WRITE);
> + totlen, NULL, BUS_DMA_NOWAIT | BUS_DMA_WRITE);
>   if (error != 0) {
> + printf("%s: could not load fw cmd mbuf (%zd bytes)\n",
> + DEVNAME(sc), totlen);
>   m_freem(m);
>   goto out;
>   }
> - data->m = m;
> + data->m = m; /* mbuf will be freed in iwm_cmd_done() */
>   paddr = data->map->dm_segs[0].ds_addr;
>   } else {
>   cmd = &ring->cmd[ring->cur];
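Review bot: the three new printf()s format the size_t `totlen` with `%zd`, which is the conversion for ssize_t; use `%zu`. The switch from `m_gethdr()` plus `MCLGETI(m, ...)` to `MCLGETI(NULL, M_DONTWAIT, NULL, totlen)` is fine: with a NULL mbuf the macro allocates the header mbuf itself and returns NULL if either the mbuf or a cluster large enough for `totlen` cannot be obtained, which is why the old `M_EXT` check can go. Two smaller points: the `paylen > IWM_MAX_CMD_PAYLOAD_SIZE` rejection prints `totlen`, so the number reported is `sizeof(cmd->hdr)` larger than the limit being enforced; print `paylen` or name the limit in the message. And since the cluster behind `cmd` is now sized to `totlen` rather than IWM_RBUF_SIZE, the payload copy that follows (cut off on the page at `if (hcmd->len[0] > sizeof(cmd->data`) must bound its writes by `totlen`, not by the old cluster size.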
> @@ -3447,13 +3455,13 @@ iwm_send_cmd(struct iwm_softc *sc, struc
>   code, hcmd->len[0] + hcmd->len[1] + sizeof(cmd->hdr),
>   async ? " (async)" : ""));
>  
> - if (hcmd->len[0] > sizeof(cmd->data

nlist(3): out of boundary access

2015-10-15 Thread Tobias Stoeckmann
The library function nlist(3) does not properly validate parsed ELF
binary files, which can lead to out of boundary accesses.

Also, nlist will return -1 for stripped binary files, because eventually
it will try to mmap 0 bytes. Instead of returning the amount of symbols
we tried to look up, -1 suggests that the file was not there or invalid.
I moved that check a bit up so it behaves as expected.

What my diff does to prevent out of boundary accesses:

- Prevent mmap to map memory from outside file boundaries. A broken
  file could contain invalid values for ehdr.e_shoff and shdr_size.
  Please note that shdr_size calculation is safe ((2^16 - 1)^2 < 2^32).
- Verify that shdr[i].sh_link contains a valid index.
- While iterating through symbols, make sure that symsize actually
  references enough memory for an Elf_Sym. Imagine that only 1 byte is
  left in the file. The current code would read that 1 byte into an
  Elf_Sym struct and process its content. That's definitely undefined
  behaviour.
- Verify that Elf symbol references a valid string offset.
- When comparing symbol names, make sure that strcmp() won't access
  memory outside the allocated space. A symbol name must \0 terminate,
  and that byte must be in the ELF file.


Index: lib/libc/gen/nlist.c
===
RCS file: /cvs/src/lib/libc/gen/nlist.c,v
retrieving revision 1.59
diff -u -p -r1.59 nlist.c
--- lib/libc/gen/nlist.c6 Feb 2015 23:21:58 -   1.59
+++ lib/libc/gen/nlist.c15 Oct 2015 09:03:07 -
@@ -101,6 +101,7 @@ __fdnlist(int fd, struct nlist *list)
Elf_Word shdr_size;
struct stat st;
int usemalloc = 0;
+   size_t left, len;
 
/* Make sure obj is OK */
if (pread(fd, &ehdr, sizeof(Elf_Ehdr), (off_t)0) != sizeof(Elf_Ehdr) ||
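Review bot: `left` and `len` are declared here but not used in any hunk visible on the page; if their only use is in the per-symbol and strcmp() bounds checks the message describes, declaring them in that scope keeps this hunk from producing an unused-variable warning should the later hunk be reworked or dropped.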
@@ -111,7 +112,8 @@ __fdnlist(int fd, struct nlist *list)
shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
 
/* Make sure it's not too big to mmap */
-   if (shdr_size > SIZE_MAX) {
+   if (SIZE_MAX - ehdr.e_shoff < shdr_size ||
+   ehdr.e_shoff + shdr_size > st.st_size) {
errno = EFBIG;
return (-1);
}
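Review bot: the multiplication in the context line `shdr_size = ehdr.e_shentsize * ehdr.e_shnum;` is performed in int after integer promotion of the two Elf_Half operands, so a product above INT_MAX is signed overflow rather than the modular 32-bit arithmetic the commit message relies on when it calls the calculation safe; write it as `(Elf_Word)ehdr.e_shentsize * ehdr.e_shnum` so the product is computed unsigned, which is also what makes `SIZE_MAX - ehdr.e_shoff < shdr_size` and `ehdr.e_shoff + shdr_size > st.st_size` well defined on both ELF32 and ELF64 inputs. A second gap in this check: the file-size bound is derived from e_shentsize, but the loop below indexes `shdr[i]` with a stride of sizeof(Elf_Shdr), so unless __elf_is_okay__() already rejects `e_shentsize != sizeof(Elf_Shdr)`, a header claiming a smaller entry size still lets `shdr[ehdr.e_shnum - 1]` read past the mapped region; rejecting that mismatch right here is the simplest fix. EFBIG is also an odd errno for a file that is too small rather than too large, but that is cosmetic.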
@@ -138,6 +140,8 @@ __fdnlist(int fd, struct nlist *list)
 */
for (i = 0; i < ehdr.e_shnum; i++) {
if (shdr[i].sh_type == SHT_SYMTAB) {
+   if (shdr[i].sh_link >= ehdr.e_shnum)
+   continue;
symoff = shdr[i].sh_offset;
symsize = shdr[i].sh_size;
symstroff = shdr[shdr[i].sh_link].sh_offset;
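Review bot: `sh_link >= e_shnum` rejects indexes past the table, but sh_link == 0 (SHN_UNDEF) passes and selects the null section header, whose sh_offset and sh_size are zero; the symbol table is then accepted with `symstroff = 0` and an empty string table, the later size check passes, and the string-table mapping fails on a zero-length mmap()/pread(), which is the same failure mode the message is fixing for stripped files. Treating a SYMTAB whose sh_link is 0, or whose linked section is not SHT_STRTAB, as absent (`continue`) would avoid that. Note also that `continue` makes a single corrupt SYMTAB fall through to the 'stripped' return further down, so the function returns nent for a file that does have a symbol table; that may be the intended behaviour but deserves a sentence in the commit message.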
@@ -152,12 +156,37 @@ __fdnlist(int fd, struct nlist *list)
else
munmap((caddr_t)shdr, shdr_size);
 
+   /*
+* clean out any left-over information for all valid entries.
+* Type and value defined to be 0 if not found; historical
+* versions cleared other and desc as well.  Also figure out
+* the largest string length so don't read any more of the
+* string table than we have to.
+*
+* XXX clearing anything other than n_type and n_value violates
+* the semantics given in the man page.
+*/
+   nent = 0;
+   for (p = list; !ISLAST(p); ++p) {
+   p->n_type = 0;
+   p->n_other = 0;
+   p->n_desc = 0;
+   p->n_value = 0;
+   ++nent;
+   }
+
+   /* Don't process any further if object is stripped. */
+   /* ELFism - dunno if stripped by looking at header */
+   if (symoff == 0)
+   return nent;
+
/* Check for files too large to mmap. */
-   /* XXX is this really possible? */
-   if (symstrsize > SIZE_MAX) {
+   if (SIZE_MAX - symstrsize < symstroff ||
+   symstrsize + symstroff > st.st_size) {
errno = EFBIG;
return (-1);
}
+
/*
 * Map string table into our address space.  This gives us
 * an easy way to randomly access all the strings, without
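Review bot: the reorder is right (the list is cleared and nent counted before any early return, and the stripped-file return now precedes the string-table mapping, so the zero-byte mmap() the message describes is gone), but `if (symoff == 0)` is now also reached when a SYMTAB existed and was skipped by the new sh_link check above, in which case the caller gets nent with every entry zeroed instead of -1; if a broken symbol table should be reported as an error, that path needs its own flag. Two smaller points: the comment block moved here still ends with 'Also figure out the largest string length so don't read any more of the string table than we have to' although the loop does nothing of the sort and could be trimmed while it is being moved, and the new `SIZE_MAX - symstrsize < symstroff` guard is what keeps `symstrsize + symstroff` from wrapping on ELF32 before the `> st.st_size` comparison, so keep the two conditions in that order.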
@@ -177,41 +206,20 @@ __fdnlist(int fd, struct nlist *list)
if (strtab == MAP_FAILED)
return (-1);
}
-   /*
-* clean out any left-over information for all valid entries.
-* Type and value defined to be 0 if not found; historical
-* versions cleared other and desc as well.  Also figure out
-* the largest string length so don't read any more of the
-* string table than we have to.
-*
-* XXX clearing anything other than n_type and n_value violates
-* the semantics given in the man page.
-*/
-   nent = 0;
-   for (p = list; !ISLAST(p); ++p) {
-   p->n_type = 0;
-   p->n_other = 0;
-   p->n_desc = 0;
-   p->n_value = 0;
-   ++nent;
-   }
 
-   /* Don't process any further if object is stripped. */
-