Re: ifmedia_ioctl: ignore ENETRESET from ifm_change()
On Mon, Apr 15, 2019 at 04:48:02PM +0200, Stefan Sperling wrote:
> ieee80211_media_change() will return ENETRESET if the interface is
> switched into 11a/b/g/n mode from any other mode.
> ifmedia_ioctl() considers this an error and reverts ifmedia's state
> to the previous setting, even though net80211 has actually succeeded.
> The result is that if_media and net80211 have conflicting ideas about the
> current media mode of the interface, which can be observed with ifconfig.
Diff makes sense to me. Currently we have some drivers with media_change
functions returning the errno from ieee80211_media_change (iwn, iwm) and some
just returning 0 at the end (run, rtwn, ral). The ones returning 0 are mostly
ignoring possible errors from x_init() so I'm leaning towards making them more
like iwn/m.
>
> The commands below were run while the interface is down.
> Note how 'ifconfig mode' needs to be run twice to get consistent results:
>
> # ifconfig iwm0 | grep media:
> media: IEEE802.11 autoselect
> # ifconfig iwm0 mode 11b
> # ifconfig iwm0 | grep media:
> media: IEEE802.11 autoselect (autoselect mode 11b)
> # ifconfig iwm0 mode 11b
> # ifconfig iwm0 | grep media:
> media: IEEE802.11 autoselect mode 11b
> # ifconfig iwm0 mode 11g
> # ifconfig iwm0 | grep media:
> media: IEEE802.11 autoselect mode 11b (autoselect mode 11g)
> # ifconfig iwm0 mode 11g
> # ifconfig iwm0 | grep media:
> media: IEEE802.11 autoselect mode 11g
>
> The diff below fixes this issue for me:
>
> # ifconfig iwm0 | grep media:
> media: IEEE802.11 autoselect
> # ifconfig iwm0 mode 11b
> # ifconfig iwm0 | grep media:
> media: IEEE802.11 autoselect mode 11b
> # ifconfig iwm0 mode 11g
> # ifconfig iwm0 | grep media:
> media: IEEE802.11 autoselect mode 11g
>
> OK?
>
> diff 23a4e4a1e8913390694e35727d2131b2938cb472 /usr/src
> blob - 5168b074cbdd5a95f9945134cdd47c0649ad76a1
> file + sys/net/if_media.c
> --- sys/net/if_media.c
> +++ sys/net/if_media.c
> @@ -277,7 +277,7 @@ ifmedia_ioctl(struct ifnet *ifp, struct ifreq *ifr, st
> ifm->ifm_cur = match;
> ifm->ifm_media = newmedia;
> error = (*ifm->ifm_change)(ifp);
> - if (error) {
> + if (error && error != ENETRESET) {
> ifm->ifm_cur = oldentry;
> ifm->ifm_media = oldmedia;
> }
>
Re: Tighten nl(1) pledge(2) a bit
Rafael Neves wrote:
> Hi tech@,
>
> The Patch 1 below tighten pledge(2) promises to stdio, after the
> freopen(3) call,
I've commited this.
> and replaces an exit(3) call to return, so the
> stack protector could be used.
I'm still not a huge fan of those. I don't recall ever seeing
an overflow in such a circumstance.
> I verify that after pledge stdio, there are only calls to:
> getline(3), memcmp(3), regexec(3), printf(3), fwrite(3), fputs(3),
> ferror(3), free(3), and err(3). All this functions do not need
> the rpath promise.
>
> The Patch 2, includes Patch 1 and uses unveil(2) when the user supply
> a file. A prior version of this patch used unveil("/dev/null", "r")
> after the first pledge call, to forbid any filesystem access, except
> the file supplied. But it seemed like a hack.
Doing 1 unveil before 1 open, is pointless. Instead, drop all path
pledges immediately afterwards. Which is what "stdio" is about.
Re: libevent: Protect integer multiplications (min_heap)
Tobias Stoeckmann wrote:
> I would like to protect min_heap_push against integer overflows,
> which could either be triggered on a 64 bit system with massive
> amounts of RAM (to overflow s->n) or on a 32 bit system with tight
> memory layout (overflowing a * sizeof *p).
>
> Both cases are basically not possible to be triggered, but I prefer
> to have reallocarray in place to be sure about it.
ok, so back to this. here's a diff which solves this by using appropriate
size_t types.
Note the first chunk changes the size of struct event, so this is a library
ABI change. (Maybe it's padded? I don't feel like digging that deep.)
Index: event.h
===
RCS file: /cvs/src/lib/libevent/event.h,v
retrieving revision 1.30
diff -u -p -r1.30 event.h
--- event.h 5 Jan 2015 23:14:36 - 1.30
+++ event.h 20 Apr 2019 23:28:09 -
@@ -196,7 +196,7 @@ struct event {
TAILQ_ENTRY (event) ev_next;
TAILQ_ENTRY (event) ev_active_next;
TAILQ_ENTRY (event) ev_signal_next;
- unsigned int min_heap_idx; /* for managing timeouts */
+ size_t min_heap_idx;/* for managing timeouts */
struct event_base *ev_base;
Index: min_heap.h
===
RCS file: /cvs/src/lib/libevent/min_heap.h,v
retrieving revision 1.5
diff -u -p -r1.5 min_heap.h
--- min_heap.h 20 Apr 2019 23:22:28 - 1.5
+++ min_heap.h 20 Apr 2019 23:28:09 -
@@ -33,7 +33,7 @@
typedef struct min_heap {
struct event **p;
- unsigned n, a;
+ size_t n, a;
} min_heap_t;
static inline void min_heap_ctor(min_heap_t * s);
@@ -41,14 +41,14 @@ static inline void min_heap_dtor(min_hea
static inline void min_heap_elem_init(struct event * e);
static inline int min_heap_elem_greater(struct event * a, struct event * b);
static inline int min_heap_empty(min_heap_t * s);
-static inline unsigned min_heap_size(min_heap_t * s);
+static inline size_t min_heap_size(min_heap_t * s);
static inline struct event *min_heap_top(min_heap_t * s);
-static inline int min_heap_reserve(min_heap_t * s, unsigned n);
+static inline int min_heap_reserve(min_heap_t * s, size_t n);
static inline int min_heap_push(min_heap_t * s, struct event * e);
static inline struct event *min_heap_pop(min_heap_t * s);
static inline int min_heap_erase(min_heap_t * s, struct event * e);
-static inline void min_heap_shift_up_(min_heap_t * s, unsigned hole_index,
struct event * e);
-static inline void min_heap_shift_down_(min_heap_t * s, unsigned hole_index,
struct event * e);
+static inline void min_heap_shift_up_(min_heap_t * s, size_t hole_index,
struct event * e);
+static inline void min_heap_shift_down_(min_heap_t * s, size_t hole_index,
struct event * e);
int
min_heap_elem_greater(struct event * a, struct event * b)
@@ -77,7 +77,7 @@ min_heap_empty(min_heap_t * s)
{
return 0u == s->n;
}
-unsigned
+size_t
min_heap_size(min_heap_t * s)
{
return s->n;
@@ -112,9 +112,9 @@ min_heap_pop(min_heap_t * s)
int
min_heap_erase(min_heap_t * s, struct event * e)
{
- if (((unsigned int)-1) != e->min_heap_idx) {
+ if (e->min_heap_idx != -1) {
struct event *last = s->p[--s->n];
- unsigned parent = (e->min_heap_idx - 1) / 2;
+ size_t parent = (e->min_heap_idx - 1) / 2;
/*
* we replace e with the last element in the heap. We might
* need to shift it upward if it is less than its parent, or
@@ -133,14 +133,14 @@ min_heap_erase(min_heap_t * s, struct ev
}
int
-min_heap_reserve(min_heap_t * s, unsigned n)
+min_heap_reserve(min_heap_t * s, size_t n)
{
if (s->a < n) {
struct event **p;
- unsigned a = s->a ? s->a * 2 : 8;
+ size_t a = s->a ? s->a * 2 : 8;
if (a < n)
a = n;
- if (!(p = realloc(s->p, a * sizeof *p)))
+ if (!(p = reallocarray(s->p, a, sizeof *p)))
return -1;
s->p = p;
s->a = a;
@@ -149,9 +149,9 @@ min_heap_reserve(min_heap_t * s, unsigne
}
void
-min_heap_shift_up_(min_heap_t * s, unsigned hole_index, struct event * e)
+min_heap_shift_up_(min_heap_t * s, size_t hole_index, struct event * e)
{
- unsigned parent = (hole_index - 1) / 2;
+ size_t parent = (hole_index - 1) / 2;
while (hole_index && min_heap_elem_greater(s->p[parent], e)) {
s->p[hole_index] = s->p[parent];
s->p[hole_index]->min_heap_idx = hole_index;
@@ -163,9 +163,9 @@ min_heap_shift_up_(min_heap_t * s, unsig
}
void
-min_heap_shift_down_(min_heap_t * s, unsigned hole_index, struct event * e)
+min_heap_shift_down_(min_heap_t * s, size_t hole_index, struct event * e)
{
- unsigned min_child = 2 * (hole_index + 1);
+ size_t min_child = 2 * (hole_index + 1);
Tighten nl(1) pledge(2) a bit
Hi tech@,
The Patch 1 below tighten pledge(2) promises to stdio, after the
freopen(3) call, and replaces an exit(3) call to return, so the
stack protector could be used.
I verify that after pledge stdio, there are only calls to:
getline(3), memcmp(3), regexec(3), printf(3), fwrite(3), fputs(3),
ferror(3), free(3), and err(3). All this functions do not need
the rpath promise.
The Patch 2, includes Patch 1 and uses unveil(2) when the user supply
a file. A prior version of this patch used unveil("/dev/null", "r")
after the first pledge call, to forbid any filesystem access, except
the file supplied. But it seemed like a hack.
Comments?
Regards,
Rafael Neves
Patch 1 (just pledge):
Index: usr.bin/nl/nl.c
===
RCS file: /cvs/src/usr.bin/nl/nl.c,v
retrieving revision 1.6
diff -u -p -r1.6 nl.c
--- usr.bin/nl/nl.c 9 Oct 2015 01:37:08 - 1.6
+++ usr.bin/nl/nl.c 20 Apr 2019 21:27:39 -
@@ -218,6 +218,9 @@ main(int argc, char *argv[])
/* NOTREACHED */
}
+ if (pledge("stdio", NULL) == -1)
+ err(1, "pledge");
+
/* Generate the delimiter sequence */
memcpy(delim, delim1, delim1len);
memcpy(delim + delim1len, delim2, delim2len);
@@ -226,7 +229,7 @@ main(int argc, char *argv[])
/* Do the work. */
filter();
- exit(EXIT_SUCCESS);
+ return(EXIT_SUCCESS);
}
void
Pledge 2 (pledge and unveil):
Index: usr.bin/nl/nl.c
===
RCS file: /cvs/src/usr.bin/nl/nl.c,v
retrieving revision 1.6
diff -u -p -r1.6 nl.c
--- usr.bin/nl/nl.c 9 Oct 2015 01:37:08 - 1.6
+++ usr.bin/nl/nl.c 20 Apr 2019 21:28:44 -
@@ -118,7 +118,7 @@ main(int argc, char *argv[])
(void)setlocale(LC_ALL, "");
- if (pledge("stdio rpath", NULL) == -1)
+ if (pledge("stdio unveil rpath", NULL) == -1)
err(1, "pledge");
while ((c = getopt(argc, argv, "pb:d:f:h:i:l:n:s:v:w:")) != -1) {
@@ -209,8 +209,14 @@ main(int argc, char *argv[])
case 0:
break;
case 1:
- if (strcmp(argv[0], "-") != 0 &&
- freopen(argv[0], "r", stdin) == NULL)
+ if (strcmp(argv[0], "-") == 0)
+ break;
+
+ /* Let freopen(3) check deal with permission problems. */
+ if (unveil(argv[0], "r") == -1 && errno != ENOENT)
+ err(1, "unveil");
+
+ if (freopen(argv[0], "r", stdin) == NULL)
err(EXIT_FAILURE, "%s", argv[0]);
break;
default:
@@ -218,6 +224,9 @@ main(int argc, char *argv[])
/* NOTREACHED */
}
+ if (pledge("stdio", NULL) == -1)
+ err(1, "pledge");
+
/* Generate the delimiter sequence */
memcpy(delim, delim1, delim1len);
memcpy(delim + delim1len, delim2, delim2len);
@@ -226,7 +235,7 @@ main(int argc, char *argv[])
/* Do the work. */
filter();
- exit(EXIT_SUCCESS);
+ return(EXIT_SUCCESS);
}
void
