19203 Commits

Author SHA1 Message Date
Marcin Wojtas
bf410c6eda Revert "bsdinstall: add knob to set ASLR sysctls"
This reverts commit 020f411255.

Because now ASLR is enabled by default for 64-bit architectures
and the purpose of the installation menu is to allow choosing
additional 'mitigation'/'hardening' options that are originally
disabled, remove the ASLR knob from bsdinstall.

Discussed with: emaste
Obtained from: Semihalf
Sponsored by: Stormshield
2021-11-16 23:16:10 +01:00
Colin Percival
231bac4ccc rtsol/rtsold: Add option to skip random delay
In accordance with a SHOULD in RFC 4861, rtsol and rtsold wait a
random time between zero and one (aka MAX_RTR_SOLICITATION_DELAY)
seconds before sending a Router Solicitation, in order to avoid
network congestion if many hosts come online at once.  (The
question of how many hosts would be required to cause congestion
by each sending a single packet on a Gbps+ network is left to the
reader.)

The new option -i disables this wait and instructs rtsol and rtsold
to send the Router Solicitation immediately.

Reviewed by:	bz, kp (earlier version)
MFC after:	1 week
Relnotes:	yes
Sponsored by:	https://www.patreon.com/cperciva
Differential Revision:	https://reviews.freebsd.org/D32956
2021-11-16 10:27:28 -08:00
Cy Schubert
c9516b83c1 wpa: Fix WITHOUT_WPA_SUPPLICANT_EAPOL build
Reported by:	FreeBSD Build Option Survey
		https://callfortesting.org/results/bos-2021-11-04/
Fixes:		c1d255d3ff
MFC after:	1 week
2021-11-11 19:03:05 -08:00
Cy Schubert
ba5de3c2b3 wpa: Fix WITHOUT_OPENSSL build
PR:		259517
Reported by:	emaste, FreeBSD Build Option Survey
		https://callfortesting.org/results/bos-2021-11-04/
Fixes:		c1d255d3ff
MFC after:	1 week
2021-11-11 19:03:05 -08:00
Cy Schubert
96e2ac9c48 Revert "wpa: Fix WITHOUT_CRYPT build"
This reverts commit a30e8044aa.
WITHOUT_OPENSSL build is a subset of WITHOUT_CRYPT build. It was
incorrect to label this patch as fixing WITHOUT_CRYPT when in fact
it fixes WITHOUT_OPENSSL. The build failure will be addressed in a
fix for WITHOUT_OPENSSL build.

MFC after:	1 week
2021-11-11 19:03:05 -08:00
Cy Schubert
3332f1b444 wpa: Remove duplicate options definitions
Global options are defined in usr.sbin/wpa/Makefile.inc. Those in
usr.sbin/wpa/src/crypto/Makefile are duplicates of those found above.
Remove them.

MFC after:	1 week
2021-11-11 19:03:05 -08:00
Mateusz Piotrowski
4042b356a0 bsdinstall: Fix mirror selection
This is a follow-up to 2697622687,
which fixed 2 out of 3 broken uses of the mirrorselect script.

Reviewed by:	emaste
Approved by:	emaste (src)
MFC after:	7 days
Differential Revision:	https://reviews.freebsd.org/D32927
2021-11-11 16:18:36 +01:00
Hans Petter Selasky
808108da32 service(8): Bump date after commit 66d795ec19.
Differential revision:  https://reviews.freebsd.org/D32582
MFC after:	1 week
Sponsored by:	NVIDIA Networking
2021-11-09 22:33:04 +01:00
Hans Petter Selasky
66d795ec19 service(8): Fix typo in man page.
Differential revision:  https://reviews.freebsd.org/D32582
Submitted by:   christos@
MFC after:      1 week
Sponsored by:   NVIDIA Networking
2021-11-09 22:12:19 +01:00
Mike Karels
92aebdeaff mountd: deprecate exports to a network without mask
The exports file format allows export to a network using an explicit
mask or prefix length (CIDR).  It also allows a network with just
a dotted address, in which case the historical mask was used.
Deprecate this usage, and warn when it is used.  Document that this
is deprecated.

MFC after:	1 month
Reviewed by:	rmacklem, bcr, #manpages
Differential Revision: https://reviews.freebsd.org/D32713
2021-11-09 09:34:06 -06:00
Felix Johnson
ec071430a7 powerd(8): Add rc.conf(5) to see also
powerd_flags is mentioned in rc.conf(5) and can be set there and passed to
powerd.

PR:		258320
MFC after:	3 days
Reported by:	Michael <michael.hmich@gmail.com>
2021-11-06 22:43:30 -04:00
Ed Maste
3513df4bcc fstyp: fix build WITHOUT_ICONV
Reported by:	Michael Dexter, Build Option Survey
Sponsored by:	The FreeBSD Foundation
2021-11-02 14:54:45 -04:00
Mateusz Guzik
8e27968786 inet: remove tcp_debug from netinet/tcp_debug.h
It was a hack only needed for trpt, which can just define it locally.

This makes it possible to fix up systat which also includes the file.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-11-01 23:10:30 +00:00
Felix Johnson
dde6071adc devinfo(8): Remove cross-reference to pnpinfo(8)
devinfo(8) manpage contains reference to pnpinfo(8) which existed at the
time. Remove it.

PR:		232587
MFC:		3 days
Reported by:	Graham Perrin <grahamperrin@gmail.com>
2021-11-01 12:29:12 -04:00
Cy Schubert
a30e8044aa wpa: Fix WITHOUT_CRYPT build
PASN requires CRYPT and when built WITHOUT_CRYPT buildworld
fails. Only enable PASN when MK_CRYPT is enabled (default).

PR:		259517
Reported by:	emaste
Fixes:		c1d255d3ff
MFC after:	1 week
2021-10-28 19:38:12 -07:00
Felix Johnson
191c624d95 config(5): Update upper limit for maxusers on 64-bit systems
The limit of 384 maxusers for auto configuration was only imposed on
32-bit systems. Document that maxusers scales above 384 based on memory
for 64-bit systems.

PR:		204938
MFC after:	3 days
Reported by:	David Höppner <0xffea@gmail.com>
2021-10-28 14:15:08 -04:00
Jessica Clarke
63d24336fd Fix off-by-one error in msdosfs FAT32 volume label copying
I dropped the + 1 from the other two instances in each file but failed
to do so for this one, resulting in a more egregious buffer overread
than the one I was fixing (since the read character ended up in the
output if there was space).

Reported by:	Jenkins
Fixes:	34fb1c133c ("Fix intra-object buffer overread for labeled msdosfs volumes")
2021-10-28 01:01:00 +01:00
Jessica Clarke
34fb1c133c Fix intra-object buffer overread for labeled msdosfs volumes
Volume labels, like directory entries, are padded with spaces and so
have no NUL terminator. Whilst the MIN for the dsize argument to strlcpy
ensures that the copy does not overflow the destination, strlcpy is
defined to return the number of characters in the source string,
regardless of the provided dsize, and so keeps reading until it finds a
NUL, which likely exists somewhere within the following fields, but on
CHERI with the subobject bounds enabled in the compiler this buffer
overread will be detected and trap with a bounds violation.

Found by:	CHERI
Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D32579
2021-10-27 18:38:37 +01:00
Alexey Dokuchaev
ccfdf335d6 crunchgen: use realpath(3) instead of ``pwd -P''
r366466 (9c7bd4f198) fixed a subtle bug by stripping the trailing
'\n' appended to the output of popen("cd %s && pwd -P", p->srcdir).

Replace this cumbersome implementation with a single realpath(3) call
which avoids spawning a shell, reading from the stream with fgets(3),
and final strdup(3).

Reviewed by:		arichardson, kevans
Approved by:		imp
Differential Revision:	https://reviews.freebsd.org/D26734
2021-10-27 09:26:00 +00:00
John Baldwin
7ef7b252ad ctld: Always declare MaxRecvDataSegmentLength.
This key is Declarative and should always be sent even if the
initiator did not send its own limit.  This is similar to the fix in
fc79cf4fea but for the target side.  However, unlike that fix,
failure to send the key simply results in reduced performance.

PR:		259439
Reviewed by:	mav, emaste
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D32651
2021-10-26 14:52:40 -07:00
Wolfram Schneider
8019068d7c /etc/periodic/weekly/310.locate must read /etc/locate.rc
PR:             160225
Reported by:    Hiroaki Abe
Reviewed by:    se
Approved by:    se
Differential Revision: https://reviews.freebsd.org/D32646
2021-10-26 14:59:39 +00:00
Ed Maste
fc79cf4fea iscsid: set max_recv_data_segment_length to what we advertise
Previously we updated the connection's conn_max_recv_data_segment_length
only when we received a response containing MaxRecvDataSegmentLength
from the target.  If the target did not send MaxRecvDataSegmentLength
then we left conn_max_recv_data_segment_length at the default (i.e.,
8192).  A target could then send more data than that default (up to our
advertised maximum), and we would drop the connection.

RFC 7143 specifies that MaxRecvDataSegmentLength is Declarative, not
negotiated.  Just set conn_max_recv_data_segment_length to our
advertised value in login_negotiate().

PR:		259355
Reviewed by:	mav
MFC after:	1 week
Fixes:		a15fbc904a ("Alike to r312190 decouple iSCSI...")
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32605
2021-10-25 16:25:15 -04:00
Ed Maste
5fff2859ec bsnmpd: Remove "All Rights Reserved" from FreeBSD Foundation copyrights
Sponsored by:	The FreeBSD Foundation
2021-10-22 18:53:35 -04:00
Andrew Turner
01593a0ff9 Only change the fadt revision in acpidump on i386
There is a workaround in acpidump for an old IBM laptop. This is being
hit on a modern arm64 system causing acpidump to use the wrong field
when reading a later address.

As the laptop has a 32-bit CPU the only FreeBSD support for it is i386.
As such limit the workaround to that architecture.

Reviewed by:	emaste, jkim, jhb (all earlier version)
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32573
2021-10-21 12:20:32 +01:00
Rebecca Cran
35175e100a bhyve: Bump the SMBIOS firmware version to 14.0 for 14-CURRENT
Bump the firmware version to 14.0 and set the firmware release date
to today.

Reviewed by: jhb, bz, imp
Differential Revision: https://reviews.freebsd.org/D32534
2021-10-20 22:10:33 -06:00
Mark Johnston
77bc75c7ab bhyve: Fix the WITH_BHYVE_SNAPSHOT build
Note, this breaks compatibility with snapshots generated by older builds
of bhyve(8).

Fixes: 7fa2335347 ("bhyve: Map the MSI-X table unconditionally for passthrough")
Reported by:	Greg V <greg@unrelenting.technology>
Reviewed by:	grehan, bz
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32523
2021-10-18 09:56:59 -04:00
Mateusz Piotrowski
a3a82ed843 mixer.8: Document -h
2021-10-17 10:02:15 +02:00
Hans Petter Selasky
aa92785a5b mixer(8): Add -h option to show usage.
Differential Revision:	https://reviews.freebsd.org/D32508
Submitted by:	christos@
Sponsored by:	NVIDIA Networking
2021-10-16 10:40:37 +02:00
Cy Schubert
733a832fb5 ntp: Revert "Disable stack gap for ntpd during build."
This reverts commit af949c590b because
889b56c8cd fixes the underlying problem.

MFC after:	1 month
2021-10-15 16:06:14 -07:00
Hans Petter Selasky
67829b6307 mixer(8): Print usage to standard error.
Differential Revision:	https://reviews.freebsd.org/D32507
Submitted by:	christos@
Sponsored by:	NVIDIA Networking
2021-10-15 15:56:37 +02:00
Hans Petter Selasky
63dcf7fda2 mixer(8): Fix mixer status line for /dev/dspX.vpY mixer devices.
In some cases when passing /dev/dspX.vpY as mixer devices, m->ci.longname and
m->ci.hw_info will be empty. Don't print any brackets and parentheses
in this case.

Differential Revision:	https://reviews.freebsd.org/D32500
Submitted by:	christos@
Sponsored by:	NVIDIA Networking
2021-10-15 11:13:29 +02:00
Corvin Köhne
1b0e2f0b60 bhyve: ignore low bits of CFGADR
Bhyve could emulate wrong PCI registers.
In the best case, the guest reads wrong registers and the device driver would
report some errors.
In the worst case, the guest writes to wrong PCI registers and could brick
hardware when using PCI passthrough.

According to Intel's specification, low bits of CFGADR should be
ignored. Some OSes like Linux may rely on it. Otherwise, bhyve could
emulate a wrong PCI register.

E.g.
If Linux would like to read 2 bytes from offset 0x02, the following would
happen.
linux:
	outl 0x80000002 at CFGADR
	inw  at CFGDAT + 2
bhyve:
	cfgoff = 0x80000002 & 0xFF = 0x02
	coff   = cfgoff + (port - CFGDAT) = 0x02 + 0x02 = 0x04
Bhyve would emulate the register at offset 0x04 not 0x02.

Reviewed By: #bhyve, grehan
Differential Revision: https://reviews.freebsd.org/D31819
Sponsored by:	       Beckhoff Automation GmbH & Co. KG
2021-10-15 09:29:45 +02:00
Mateusz Piotrowski
f656df586a bhyve: Update usage and synopsis for the -k flag
Let's make it clear to users that -k is for configuration files.
Also, point to bhyve_config(5) in the paragraph describing the flag.

Reviewed by:	jhb
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D32467
2021-10-13 08:39:57 +02:00
Mateusz Piotrowski
775f6f4595 bhyve.8: Fix markup of the -G flag
2021-10-12 16:09:28 +02:00
Mark Johnston
7fa2335347 bhyve: Map the MSI-X table unconditionally for passthrough
It is possible for the PBA to reside in the same page as the MSI-X
table.  And, while devices are not supposed to do this, at least some
Intel wifi devices place registers in a page shared with the MSI-X
table.  To handle the first case we currently map the PBA page using
/dev/mem, and the second case is not handled.

Kill two birds with one stone: map the MSI-X table BAR using the
PCIOCBARMMAP ioctl instead of /dev/mem, and map the entire table so that
accesses beyond the bounds of the table can be emulated.  Regions of the
BAR not containing the table are left unmapped.

Reviewed by:	bz, grehan, jhb
MFC after:	3 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32359
2021-10-09 11:36:19 -04:00
Devin Teske
1c64959bff bsdconfig: Comments
My current style is to copy C for "/* NOTREACHED */" instead of spelling
out "Not reached". Make this one nominal change in this one file and the
others later.

While here, word-smith "Preload" into "Pre-load" as I believe that to
be more grammatically correct in this instance.

Also while here, fix a comment capitalization error.

Lastly, bump copyright for above changes.
2021-10-08 16:26:21 -07:00
Robert Wing
8ff2b52241 prometheus_sysctl_exporter(8): filter output using a regex
Add two options, -i and -e, for filtering prometheus metrics.

Each option takes a regular expression as an argument. The provided
regex will be tested against the prometheus metric name.

The -i option includes metrics matching the given regex.
The -e option excludes metrics matching the given regex.

Sponsored by:   Modirum MDPay
Sponsored by:   Klara Inc.
Reviewed by:	0mp, debdrup
Differential Revision:	https://reviews.freebsd.org/D32269
2021-10-07 17:02:57 -08:00
Martin Birgmeier
67bceb38f4 i2c(8): fix option handling
Recognize the '-o' option when processing command line arguments.

Fixes:  9c10d00bf8 ("i2c(8): Add interpreted mode for batch/scripted...")
PR:     258572
2021-10-06 21:56:20 -08:00
Elyes HAOUAS
da3278ded3 ntp.conf.5: Fix typos
"certian" --> "certain"
"compatability" --> "compatibility"
"noticable" --> "noticeable"
"limite" --> "limit"
"acutal" --> "actual"
"ba" --> "be"

MFC after:	1 week
Pull Request:   https://github.com/freebsd/freebsd-src/pull/550
Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr>
2021-10-06 10:16:04 -04:00
David Bright
d18c9a9197 RPCBIND: skip ipv6 link local when request is not from link local address
RPCINFO on macOS behaves differently compared to other linux clients and
doesn't provide request address in rpcb structure of the
RPCBPROC_GETADDRLIST call which doesn't seem to be forbidden.

In this case RPCBIND uses RPC call's source address and picks a
closest corresponding local address. If there are no addresses in the
same subnet as the source address, return of RPCBIND may vary
depending on the order of addresses returned in getifaddrs. If a link
local precedes global address it may be returned even if the request
comes from neither a link local nor from link local in a different
scope, which will prevent services like nfs from working in tcp6
scenario on macOS clients. Issue can be seen only on FreeBSD rpcbind
port due to changes in workflow of addrmerge call.

Submitted by:	Dmitry Ovsyannikov (Dmitry.Ovsyannikov@dell.com)
Reviewers:	dab
Differential Revision:	https://reviews.freebsd.org/D31491
Sponsored by:	Dell EMC
MFC to:	stable/12, stable/13
MFC after:	1 week
2021-10-04 10:45:26 -07:00
Warner Losh
d6dffbae96 lastcomm/sa: Remove sparc64 tests, they aren't needed.
These tests will run only on a sparc64 system, and so never run anymore.

Sponsored by:		Netflix
2021-10-04 10:51:15 -06:00
Baptiste Daroussin
19deec3b30 bsdinstall: reduce overlinking
both distextract and distfetch do not directly use ncurses,
or figpart, drop their direct link to those libs
2021-10-04 11:38:27 +02:00
Baptiste Daroussin
cbc83e378a ncurses: chase dependency changes in the source tree
Differential Revision:	https://reviews.freebsd.org/D32098
2021-10-04 11:38:24 +02:00
Faraz Vahedi
c76da1f010 freebsd-update(8): Add -j flag to support jails
Make freebsd-update(8) support jails by adding the -j flag which takes
a jail jid or name as an argument. This takes advantage of the recently
added -j support to freebsd-version(8) in order to get the version of
the installed userland.

Reviewed by:	dteske, kevans
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D25711
2021-10-01 13:51:03 -05:00
Warner Losh
66d6299848 bluetooth: remove hcseriald
Without ng_h4 gone, there's no need for hcseriald.

Sponsored by:		Netflix
2021-09-29 21:18:17 -06:00
Jung-uk Kim
4fa690be2c bluetooth: Fix build after ng_h4 removal
It was caused by 79a100e28e.
2021-09-29 23:10:56 -04:00
jfranklin13
9589362bc9 syslogd: Fix bug that caused -N to drop SecureMode if specified after -s
MFC after:	2 weeks
Pull Request:	https://github.com/freebsd/freebsd-src/pull/541
2021-09-29 09:44:11 -04:00
Eugene Grosbein
3b4cc56e52 syslogd: undo regression after r326573
Restore ability for our syslogd to collect pre-RFC3164 formatted
messages from remote hosts that was broken with r326573.

For example, the line from Cisco SCE8000 split for readability:

1130: 03:37:57: %USER-6-PORT_OPERSTATUS_CHANGE_TRAP: CPU#000 trap:link
down EntityAdminState: 4  EntityAlarmStatus: 32

Such a line was collected and stored before the mentioned change
but silently dropped after that. Now syslogd saves it again.

Note that parsing of RFC5424 format has not changed.

MFC after:	1 month
2021-09-27 14:25:21 +07:00
John Baldwin
7ecdfc8237 bhyve: Add an empty case for event types in mevent_kq_fflags().
This fixes a -Wswitch error raised by GCC 9.

Differential Revision:	https://reviews.freebsd.org/D31938
2021-09-25 11:25:25 -07:00
John Baldwin
48759c4ed7 bhyve_config.5: Document gdb.address.
2021-09-25 10:07:18 -07:00