From the release notes:
Changes since OpenSSH 9.3
=========================
This release fixes a security bug.
Security
========
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
Potentially-incompatible changes
--------------------------------
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
CVE: CVE-2023-38408
Sponsored by: The FreeBSD Foundation
This reverts commit 22508c8b6c.
The t_kinst_curprobe field is no longer needed by kinst.
Reviewed by: markj
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41031
Using per-CPU and per-thread trampolines is expensive and error-prone,
since we're rewriting the same memory blocks constantly. Per-probe
trampolines solve this problem by giving each probe its own block of
executable memory, which more or less remains the same after the initial
write.
What this patch does, is get rid of the initialization code which
allocates a trampoline for each thread, and instead let each port of
kinst allocate a trampoline for each new probe created. It also sets up
the infrastructure needed to support the new trampoline scheme.
This change is not currently supported on amd64, as the amd64 port needs
further changes to work, so this is a temporary/gradual patch to fix the
riscv and arm64 ports.
Reviewed by: markj
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40962
Currently kinst checks if only the first instruction is 'push %rbp',
essentially excluding functions that do push RBP, but not in the first
instruction. This patch modifies kinst to check for 'push %rbp', as
well, as a following 'pop %rbp', anywhere in the function. This behavior
also matches that of FBT.
Reviewed by: markj
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40283
Replace the implementations of lookup_le and lookup_ge with ones
that do not use a stack or climb back up the tree, and instead
exploit the popmap field to quickly identify the place to resume
searching if the straightforward indexed search fails.
The code size of the original functions shrinks by a combined 160
bytes on amd64, and the cumulative cycle count per invocation of
the two functions together is reduced 20% in a buildworld test.
Reviewed by: alc, markj
Tested by: pho
Differential Revision: https://reviews.freebsd.org/D40936
Fix the following problem:
1. A nonexistent user, someuser, is added to /etc/group as
someuser:*:12345:someuser.
2. someuser is then created with the default login group.
A second group entry for someuser will be created.
someuser:*:12345:someuser
someuser:*:12346:
With this fix, the existing group entry will be used.
PR: 238995
Reviewed by: bapt, jrm
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41057
Fix the following problem:
1. A nonexistent user, someuser, is added to somegroup in /etc/group.
2. someuser is then created with membership in somegroup.
The entry for somegroup in /etc/group will then contain
somegroup:*:12345:someuser,someuser
With this fix, the entry will be
somegroup:*:12345:someuser
PR: 238995
Reviewed by: bapt, jrm
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41076
Put optional fields at the end to minimize run time problems in
case CC modules are build from within its directory.
Reviewed by: cc, gallatin, glebius, imp
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D41059
This routine is specific to CAM and no longer assumes any internal
bus_dma knowledge as it is simple wrapper around bus_dmamap_load_mem.
Fixes: 60381fd1ee memdesc: Retire MEMDESC_CCB.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D41058
Looks like prior to ino64 project the size of the struct linux_dirent
was greater (or equal) to the size of the native struct dirent so the
native dirent fit into the buffer. After ino64 project the size of the
native struct dirent has increased.
Spotted by gcc12.
MFC after: 2 weeks
- Change -g (ignored for BSD 4.3 compatibility since BSD 4.4)
to use POSIX semantics of implying -l but omitting the owner's
name.
- Change -n to imply -l.
The -o option remains unchanged (POSIX defines -o as a complement to
-g that implies -l but omits group names whereas BSD defines -o to add
file flags to -l). This compromise is the same used by both NetBSD
and OpenBSD.
PR: 70813
Reviewed by: jhb, Pau Amma <pauamma@gundo.com>
Co-authored-by: John Baldwin <jhb@FreeBSD.org>
Differential Revision: https://reviews.freebsd.org/D34747
As it turns out having autotrim default to 'on' on FreeBSD never really
worked due to mess with defines where userland and kernel module were
getting different default values (userland was defaulting to 'off',
module was thinking it's 'on').
PR: 264234
Reviewed by: mav (zfs)
Differential Revision: https://reviews.freebsd.org/D41056
The lang/python3 port had failed to properly install because
it did in fact already exist and FORCE_PKG_REGISTER was not
set. So, behaviorally everything here was correct. However,
installing lang/python3 is in fact not correct and not needed,
so only install the lang/python port to provide symbolic links.
PR: 272354
MFC after: 3 days
MFC with: 510fd83138
MFC with: cd8cad0ef5
MFC with: 0ed426276f
Sponsored by: GoFundMe https://www.gofundme.com/f/gjbbsd
beadm will recursively promote deep BE datasets. In order to match the
beadm behavior, we need to recursively iterate over child filesystems
and promote them along the way.
This patch further refines the work from D40903, completing the fix for
promotion.
Reviewed by: kevans, rew
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D40972
Allow makefiles better control of newvers.sh env and args.
Also allow variable overrides on command line.
Reviewed by: imp, stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41012
Always define t_osd. congestion control modules access it
unconditionally. This fixes the build.
However, this is, at best, a temporary band-aide until the
larger issues are sorted.
Sponsored by: Netflix
At one point the RIP value was passed to fbsdrun_addcpu(), but this is
no longer the case. No functional change intended.
Reviewed by: jhb, corvink
Sponsored by: Innovate UK
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D40988
The current versions of lib/msun/src/s_cospi.c, s_sinpi.c and s_tanpi.c
all exhibit the same defect. After checking for various numeric ranges,
they check to see whether the input argument is a NaN or an Infinity.
However, the code uses a value of 0x7f80000 instead of the correct value
of 0x7ff00000.
If you review s_cospif.c, s_sinpif.c, and s_tanpif.c, you will see that
the equivalent statements in these functions are accurate and have
appropriate source comments.
The impact of these defects is to flag some valid input values as
invalid and raise a pole error (divide by zero).
Reported by: Paul Green <Paul.Green@stratus.com>
PR: 272539
MFC after: 1 week
pmap_pinit0 also needs to initialize a vm_radix, in case vm_radix_init
does anything but zeroing fields.
Reported by: alc
Reviewed by: alc
Differential Revision: https://reviews.freebsd.org/D41055
[PowerPC] Replace PPCISD::VABSD cases with generic ISD::ABDU(X,Y) node
A move towards using the generic ISD::ABDU nodes on more backends
Also support ISD::ABDS for v4i32 types using the existing signbit flip trick
PowerPC has a select(icmp_ugt(x,y),sub(x,y),sub(y,x)) -> abdu(x,y) combine that I intend to move to DAGCombiner in a future patch.
The ABS(SUB(X,Y)) -> PPCISD::VABSD(X,Y,1) v4i32 combine wasn't legal (https://alive2.llvm.org/ce/z/jc2hLU) - so I've removed it, having already added the legal sub nsw tests equivalent.
Differential Revision: https://reviews.llvm.org/D142313
This fixes a "Wasn't expecting to be able to lower this!" fatal error
when compiling graphics/opencv for PowerPC.
Requested by: pkubaj
PR: 271047
MFC after: 1 month
bcmp() returned the number of remaining bytes when the main loop exits.
In case of a match, this is zero, else a positive integer. On systems
where SIZE_MAX > INT_MAX, the implicit conversion from size_t to int in
the return value may cause the number of remaining bytes to overflow,
becoming zero and falsely indicating a successful comparison.
Fix the bug by always returning 0 on equality, 1 otherwise.
PR: 272474
Approved by: emaste
Reviewed by: imp
MFC After: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41011
With ifunc based SIMD dispatch, we cannot use the amd64 assembly
implementations of string functions. Modify rtld to instead use
the generic functions. To avoid an architecture-specific special
case, this change is applied to all architectures.
This change is a prerequisite to and formerly part of D40693.
Sponsored by: FreeBSD Foundation
Approved by: kib
See also: D40693
Differential Revision: https://reviews.freebsd.org/D41050
For instance, dso might be mapped as needed but not yet initialized from
the other subtree of needed objects, while current object' constructor
does dlopen() for the dso. Right now rtld does relocations and other
processing based on the arrival of new objects in the global list, which
is not happens there. Directly check for the initialization state of
the object, for which we would return the handle.
One practical use case of this support is e.g. dlopen("libthr.so",
RTLD_NOLOAD) by libraries that are threading-aware but happy to live
with libc pthread shims if the program is not multithreaded.
Reviewed by: tijl
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
