Part of ed549cb0c5 zeroed out a data structure in the resulting code-file
when a TUTCTime type was freed. This part of the patch applies to Heimdal
7.1+ and not our Heimdal 1.5.2.
PR: 267827
Reported by: Peter Much <pmc@citylink.dinoex.sub.org>
Tested by: Peter Much <pmc@citylink.dinoex.sub.org>
Approved by: so
Security: FreeBSD-EN-22:28.heimdal
Fixes: ed549cb0c5
(cherry picked from commit f556a05c49)
(cherry picked from commit b23fe6bade)
Ping reads raw IP packets to parse ICMP responses. When reading the
IP Header Len (IHL) ping was taking the value from the provided
packet without any validation. This could lead to remotely triggerable
stack corruption.
Validate the IHL against expected and received data sizes when reading
from the received packet and when reading any quoted packets from within
the ICMP response.
Approved by: so
Reviewed by: markj, asomers
Security: FreeBSD-SA-22:15.ping
Security: CVE-2022-23093
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #77
Differential Revision: https://reviews.freebsd.org/D37195
(cherry picked from commit 46d7b45a26)
(cherry picked from commit 186f495d4b)
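The check the commit describes, as an added example that is not FreeBSD's ping(8) source: the IHL nibble is bounded to the legal header range and to the bytes actually received, both for the outer header and for the datagram quoted inside an ICMP error. The packet bytes are constructed for the example, not captured traffic; `checked_ip_hlen`, `parse_icmp_reply` and the sample arrays are names chosen here.

```c
#include <stddef.h>
#include <stdio.h>

#define IP_MIN_HDRLEN 20
#define IP_MAX_HDRLEN 60
#define ICMP_MINLEN   8

/* IHL as a receiver should read it: low nibble of byte 0, in 32-bit words,
 * limited to [5,15] words and to the bytes actually received. 0 = reject. */
static size_t
checked_ip_hlen(const unsigned char *pkt, size_t len)
{
    size_t hlen;

    if (len < IP_MIN_HDRLEN)
        return 0;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HDRLEN || hlen > IP_MAX_HDRLEN || hlen > len)
        return 0;
    return hlen;
}

/* The unvalidated read the advisory describes: whatever the packet claims,
 * which can point well past the buffer that was filled. */
static size_t
unchecked_ip_hlen(const unsigned char *pkt)
{
    return (size_t)(pkt[0] & 0x0f) * 4;
}

/* Returns 1 if pkt holds a well-formed IP+ICMP reply. For destination
 * unreachable (3) and time exceeded (11) the quoted datagram's IHL is
 * validated too; *quoted_off receives the offset of the quoted ICMP header,
 * or 0 when nothing is quoted. */
static int
parse_icmp_reply(const unsigned char *pkt, size_t len, size_t *quoted_off)
{
    size_t hlen, qlen, qhlen;
    const unsigned char *q;

    *quoted_off = 0;
    hlen = checked_ip_hlen(pkt, len);
    if (hlen == 0 || len - hlen < ICMP_MINLEN)
        return 0;
    if (pkt[hlen] != 3 && pkt[hlen] != 11)
        return 1;
    q = pkt + hlen + ICMP_MINLEN;
    qlen = len - hlen - ICMP_MINLEN;
    qhlen = checked_ip_hlen(q, qlen);
    if (qhlen == 0 || qlen - qhlen < ICMP_MINLEN)
        return 0;
    *quoted_off = hlen + ICMP_MINLEN + qhlen;
    return 1;
}

static int
reply_ok(const unsigned char *pkt, size_t len)
{
    size_t q;
    return parse_icmp_reply(pkt, len, &q);
}

static size_t
quoted_offset(const unsigned char *pkt, size_t len)
{
    size_t q;
    parse_icmp_reply(pkt, len, &q);
    return q;
}

/* Constructed sample packets (not captured traffic); checksums left zero. */
static const unsigned char good_echo_reply[28] = {
    0x45, 0, 0, 28, [8] = 64, [9] = 1, [12] = 10, 0, 0, 1, 10, 0, 0, 2,
    [20] = 0 };                                   /* ICMP echo reply */
static const unsigned char bad_ihl_reply[28] = {  /* IHL=15 claims 60 bytes */
    0x4f, 0, 0, 28, [8] = 64, [9] = 1, [12] = 10, 0, 0, 1, 10, 0, 0, 2 };
static const unsigned char good_unreach[56] = {
    0x45, 0, 0, 56, [8] = 64, [9] = 1, [12] = 10, 0, 0, 1, 10, 0, 0, 2,
    [20] = 3, 3,                                  /* port unreachable */
    [28] = 0x45, 0, 0, 28, [36] = 64, [37] = 1, [40] = 10, 0, 0, 2, 10, 0, 0, 1,
    [48] = 8 };                                   /* quoted echo request */
static const unsigned char bad_quoted_unreach[48] = {
    0x45, 0, 0, 48, [8] = 64, [9] = 1, [12] = 10, 0, 0, 1, 10, 0, 0, 2,
    [20] = 3, 3,
    [28] = 0x4f, 0, 0, 28, [36] = 64, [37] = 1 }; /* quoted IHL=15, 20 bytes left */

int
main(void)
{
    printf("unchecked IHL of bad packet: %zu bytes in a %zu-byte buffer\n",
        unchecked_ip_hlen(bad_ihl_reply), sizeof bad_ihl_reply);
    printf("bad outer IHL accepted: %d, bad quoted IHL accepted: %d\n",
        reply_ok(bad_ihl_reply, sizeof bad_ihl_reply),
        reply_ok(bad_quoted_unreach, sizeof bad_quoted_unreach));
    return 0;
}
```

The two rejections are the interesting cases: the outer check stops a 60-byte header claim inside a 28-byte read before anything is indexed at `pkt[hlen]`, and the same routine applied to the quoted datagram stops the second place ping derives an offset from attacker-controlled bytes.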
The following issues are patched:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
on the Common Vulnerability Scoring System (CVSS) v3, as we believe
it should be possible to get an RCE on a KDC, which means that
credentials can be compromised that can be used to impersonate
anyone in a realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE types
used in Heimdal, though not all cases will be exploitable. We have
not completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
only affect Heimdal 1.6 and up. It was first reported by Douglas
Bagnall, though it had been found independently by the Heimdal
maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
Sponsored by: so (philip)
Obtained from: so (philip)
Tested by: philip, cy
(cherry picked from commit ed549cb0c5)
(cherry picked from commit d0b6550173)
Approved by: so
Security: FreeBSD-SA-22:14.heimdal
Coverity static analysis found these.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Neal Gompa <ngompa@datto.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #10989
Closes #13861
Approved by: so
Security: FreeBSD-EN-22:21.zfs
(cherry picked from commit 8131a96544)
The existing logic doesn't seem to make much sense, as we won't filter
on the type if st_shndx != SHN_UNDEF. In practice, this breaks booting
12.3 kernels on newer loaders, as they do have a `kernphys` symbol of
the wrong type (NOTYPE, rather than OBJECT) -- we end up deriving the
wrong value for copy_staging.
It's unclear if this version makes any more sense, but it seems to match
what rtld's matched_symbol() does. Loader doesn't need to care about
STT_FUNC w/ UND shndx, because we won't encounter those; in kmods,
undefined (kernel) functions are NOTYPE.
Approved by: so
Security: FreeBSD-EN-22:27.loader
Reported by: Christian McDonald <cmcdonald netgate com>
Reviewed by: imp, kib, tsoome
(cherry picked from commit 0701dbda94)
(cherry picked from commit 2b31059ea7)
Changes: https://github.com/eggert/tz/blob/2022d/NEWS
The /usr/share/zoneinfo/SystemV directory has been empty on FreeBSD
since 2006. The upstream source file was removed in 2020. Also stop
passing yearisdate to zic(8). This has not been necessary for years.
The script has been removed upstream since 2020.
Approved by: so
Security: FreeBSD-EN-22:22.tzdata
(cherry picked from commit 1576451a39)
(cherry picked from commit da038df8c9)
(cherry picked from commit 57338837ae)
(cherry picked from commit 77596427bd)
While a receiver should continue sending SACK blocks for the
duration of a SACK loss recovery, if for some reason the
TCP options no longer contain these SACK blocks, but we
already started maintaining the Scoreboard, keep on handling
incoming ACKs (without SACK) as belonging to the SACK recovery.
Approved by: so
Security: FreeBSD-EN-22:25.tcp
Reported by: thj
Reviewed by: tuexen, #transport
MFC after: 2 weeks
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D36046
(cherry picked from commit c21b7b55be)
(cherry picked from commit 2b8ee332b9)
The CAM version bump 0x19 -> 0x1a changed the CAMGETPASSTHRU definition,
so applications using the old ioctl are broken. However, that version
change did not affect anything relating to the ioctl implementation for
periphs.
Approved by: so
Security: FreeBSD-EN-22:26.cam
Fixes: 8f9be1eed1 ("cam(4): Improve XPT_DEV_MATCH")
PR: 264709
Tested by: andreas.mahling@googlemail.com
Reviewed by: imp
(cherry picked from commit 0cd631ee06)
(cherry picked from commit 16d4c1de7b)
As an optimization, vm_page_activate() avoids requeuing a page that's
already in the active queue. A page's location in the active queue is
mostly unimportant.
When a page is unwired and placed back in the page queues,
vm_page_unwire() avoids moving pages out of PQ_ACTIVE to honour the
request, the idea being that they're likely mapped and so will simply
get bounced back in to PQ_ACTIVE during a queue scan.
In both cases, if the page was logically in PQ_ACTIVE but had not yet
been physically enqueued (i.e., the page is in a per-CPU batch), we
would end up clearing PGA_REQUEUE from the page. Then, batch processing
would ignore the page, so it would end up unwired and not in any queues.
This can arise, for example, when a page is allocated and then
vm_page_activate() is called multiple times in quick succession. The
result is that the page is hidden from the page daemon, so while it will
be freed when its VM object is destroyed, it cannot be reclaimed under
memory pressure.
Fix the bug: when checking if a page is in PQ_ACTIVE, only perform the
optimization if the page is physically enqueued.
Approved by: so
Security: FreeBSD-EN-22:23.vm
PR: 256507
Fixes: f3f38e2580 ("Start implementing queue state updates using fcmpset loops.")
Reviewed by: alc, kib
Sponsored by: E-CARD Ltd.
Sponsored by: Klara, Inc.
(cherry picked from commit 2c9dc2384f)
(cherry picked from commit 6094749a1a)
This cherry-picks upstream ed566bf1cd
- Add a zfs_exit() call in an error path, otherwise a lock is
leaked.
- Remove the fid_gen > 1 check. That appears to be Linux-specific:
zfsctl_snapdir_fid() sets fid_gen to 0 or 1 depending on whether
the snapshot directory is mounted. On FreeBSD it fails, making
snapshot dirs inaccessible via NFS.
Approved by: so
PR: 266236
Security: FreeBSD-EN-22:24.zfs
(cherry picked from commit 6fe0a6c80a)
(cherry picked from commit 562c9ac58c)
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
(cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1)
(cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d)
(cherry picked from commit dc3509f1aa)
(cherry picked from commit 2969066f73)
(cherry picked from commit 10cc2bf5f7)
Approved by: so
Security: CVE-2022-37434
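The failure mode above, as an added example that is not zlib's code: field names follow zlib's `gz_header`/`inflate_state`, but the two copy routines are a re-statement for illustration. The unguarded arithmetic computes the destination offset from how much of the extra field has been consumed, not how much was stored, so once a first call has been clipped to `extra_max` the next call's `extra_max - len` wraps. The guarded version adds the `len < extra_max` test before touching the buffer. The 40-byte field split 24+16 and the canary are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned char *extra;     /* caller's buffer from inflateGetHeader() */
    unsigned extra_len;       /* extra field length announced by the gzip header */
    unsigned extra_max;       /* capacity of extra */
} gz_header_like;

typedef struct {
    gz_header_like *head;
    unsigned length;          /* bytes of the extra field not yet consumed */
} inflate_state_like;

/* Length the unguarded arithmetic would hand to memcpy for a chunk of
 * `copy` bytes. `len` counts consumed bytes, which can exceed extra_max
 * after an earlier clipped call, and then extra_max - len wraps. */
static unsigned
unguarded_copy_len(const inflate_state_like *st, unsigned copy)
{
    unsigned len = st->head->extra_len - st->length;
    return len + copy > st->head->extra_max ? st->head->extra_max - len : copy;
}

/* Guarded store: copy only while the consumed offset is still inside the
 * buffer, then clip to the remaining capacity. Returns bytes stored. */
static unsigned
store_extra_chunk(inflate_state_like *st, const unsigned char *next, unsigned copy)
{
    unsigned len = st->head->extra_len - st->length, stored = 0;

    if (st->head->extra != NULL && len < st->head->extra_max) {
        stored = len + copy > st->head->extra_max ? st->head->extra_max - len : copy;
        memcpy(st->head->extra + len, next, stored);
    }
    st->length -= copy;       /* the stream is consumed regardless of what was stored */
    return stored;
}

#define EXTRA_LEN 40u   /* announced by the constructed gzip header */
#define EXTRA_MAX 16u   /* what the caller provided */

/* A 40-byte extra field delivered as 24 + 16 bytes over two inflate() calls:
 * the memcpy length the unguarded path would use on the second call. */
static unsigned
unguarded_second_call_len(void)
{
    unsigned char space[EXTRA_MAX];
    gz_header_like h = { space, EXTRA_LEN, EXTRA_MAX };
    inflate_state_like st = { &h, EXTRA_LEN };

    st.length -= 24;          /* first call consumed (and clipped) 24 bytes */
    return unguarded_copy_len(&st, 16);
}

/* Same delivery through the guarded path; returns total bytes stored and
 * reports whether a canary placed right after the buffer survived. */
static unsigned
run_guarded(int *canary_intact)
{
    unsigned char space[EXTRA_MAX + 4];
    unsigned char field[EXTRA_LEN];
    gz_header_like h = { space, EXTRA_LEN, EXTRA_MAX };
    inflate_state_like st = { &h, EXTRA_LEN };
    unsigned total;

    memset(field, 0xAB, sizeof field);
    memset(space, 0, sizeof space);
    memcpy(space + EXTRA_MAX, "CAN!", 4);
    total = store_extra_chunk(&st, field, 24);
    total += store_extra_chunk(&st, field + 24, 16);
    *canary_intact = memcmp(space + EXTRA_MAX, "CAN!", 4) == 0;
    return total;
}

static unsigned guarded_total(void)     { int c; return run_guarded(&c); }
static int      guarded_canary_ok(void) { int c; run_guarded(&c); return c; }

int
main(void)
{
    printf("unguarded second-call copy length: %u (buffer holds %u)\n",
        unguarded_second_call_len(), EXTRA_MAX);
    printf("guarded: stored %u bytes, canary intact: %d\n",
        guarded_total(), guarded_canary_ok());
    return 0;
}
```

`unguarded_copy_len` only computes the length rather than performing the copy, so the example shows the wrapped value without corrupting its own stack; the guarded path stores exactly `extra_max` bytes across both calls and still advances `length` by the full chunk so the stream position stays correct.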
Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
and that number actually sets the maximum we can safely use.
Approved by: so
Security: FreeBSD-SA-22:12.lib9p
PR: 265385
Reviewed by: markj
(cherry picked from commit 2dd83b3f05)
(cherry picked from commit c536045c51)
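A decoder that applies the bound the commit describes, as an added example rather than lib9p's own code: the Twalk body carries a 16-bit `nwname` followed by that many strings, and the request structure only has room for `L9P_MAX_WELEM` of them, so the count is rejected before anything is stored. The value 16 for `L9P_MAX_WELEM` is assumed here (9P's MAXWELEM); `decode_twalk`, `build_twalk` and the generated one-byte names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L9P_MAX_WELEM 16   /* assumed to match lib9p (9P's MAXWELEM) */

struct walk_req {
    uint32_t fid, newfid;
    uint16_t nwname;
    const unsigned char *wname[L9P_MAX_WELEM];   /* fixed-size, like l9p_f_wralk */
    uint16_t wlen[L9P_MAX_WELEM];
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a Twalk body (after size[4] type[1] tag[2]):
 *   fid[4] newfid[4] nwname[2] nwname*(len[2] name[len])
 * Returns 0 on success, -1 on truncation or when nwname exceeds the array. */
static int
decode_twalk(const unsigned char *p, size_t len, struct walk_req *w)
{
    size_t off = 10;

    if (len < off)
        return -1;
    w->fid = rd32(p);
    w->newfid = rd32(p + 4);
    w->nwname = rd16(p + 8);
    if (w->nwname > L9P_MAX_WELEM)   /* the check this fix adds */
        return -1;
    for (uint16_t i = 0; i < w->nwname; i++) {
        uint16_t n;

        if (len - off < 2)
            return -1;
        n = rd16(p + off);
        off += 2;
        if (len - off < n)
            return -1;
        w->wname[i] = p + off;
        w->wlen[i] = n;
        off += n;
    }
    return 0;
}

/* Build a Twalk body with nwname one-byte names (constructed test data).
 * Returns the body length, or 0 if cap is too small. */
static size_t
build_twalk(unsigned char *buf, size_t cap, uint16_t nwname)
{
    size_t off = 10;

    if (cap < off + (size_t)nwname * 3)
        return 0;
    memset(buf, 0, off);
    buf[0] = 1;                          /* fid 1 */
    buf[4] = 2;                          /* newfid 2 */
    buf[8] = nwname & 0xff;
    buf[9] = nwname >> 8;
    for (uint16_t i = 0; i < nwname; i++) {
        buf[off++] = 1;
        buf[off++] = 0;
        buf[off++] = (unsigned char)('a' + i % 26);
    }
    return off;
}

static int
demo_decode(uint16_t nwname)
{
    unsigned char buf[10 + 3 * 64];
    struct walk_req w;
    size_t n = build_twalk(buf, sizeof buf, nwname);

    return n == 0 ? -2 : decode_twalk(buf, n, &w);
}

static int
demo_truncated(void)
{
    unsigned char buf[64];
    struct walk_req w;
    size_t n = build_twalk(buf, sizeof buf, 2);

    return decode_twalk(buf, n - 1, &w);   /* last name cut short */
}

int
main(void)
{
    printf("nwname=16: %d, nwname=17: %d, truncated: %d\n",
        demo_decode(16), demo_decode(17), demo_truncated());
    return 0;
}
```

Without the `nwname > L9P_MAX_WELEM` test the loop would write `wname[16]` and beyond on a request carrying 17 or more names; the truncation checks are the companion bound in the other direction, so a short body never reads past `len`.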
As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps
to share a shadow object. When copying a page from a backing object
into the shadow, all mappings of the source page must therefore be
removed. Otherwise, future operations on the object tree may detect
that the source page is fully shadowed and thus can be freed.
Approved by: so
Security: FreeBSD-SA-22:11.vm
Reviewed by: alc, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35635
(cherry picked from commit 5c50e900ad)
(cherry picked from commit 3ea8c7ad90)
Resulting sbuf_len() from proc_getargv() might return 0 if the user mangled
ps_strings enough. Also, the sbuf_len() API contract is to return -1 if the
buffer overflowed. The latter should not occur because get_ps_strings()
checks for catenated length, but check for this subtle detail explicitly
as well to be more resilient.
The end result is that p_comm is used in these situations.
Approved by: so
Security: FreeBSD-SA-22:09.elf
Reported by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
Reviewed by: delphij, markj
admbugs: 988
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35391
(cherry picked from commit 00d17cf342)
(cherry picked from commit 8a44a2c644)
According to pam_exec(8), the `expose_authtok` option should be ignored
when the service function is `pam_sm_setcred`. Currently `pam_exec` only
prevents prompting for an auth token when `expose_authtok` is set on
`pam_sm_setcred`. This subsequently led to a segfault when there isn't an
existing auth token available.
Bug reported on this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893
After reading https://reviews.freebsd.org/rS349556 I am not sure if the
default behaviour is supposed to be simply not prompting for the authentication
token, or to ignore the option entirely as stated in the man page.
This patch is therefore only adding an additional NULL check on the item
`pam_get_item` provides, and exits with `PAM_SYSTEM_ERR` when such item is
NULL.
Approved by: so
Security: FreeBSD-EN-22:19.pam_exec
MFC after: 1 week
Reviewed by: des, khng
Differential Revision: https://reviews.freebsd.org/D35169
(cherry picked from commit b75e0eed34)
(cherry picked from commit ea80848e1c)
Suppose a periodic kevent timer fires close to its deadline, so that
now - kc->next is small. Then delta ends up being 1, and the next timer
deadline is set to (delta + 1) * kc->to, where kc->to is the timer
period. This means that the timer fires at half of the requested rate,
and the value returned in kn_data is similarly inaccurate.
Approved by: so
Security: FreeBSD-EN-22:16.kqueue
PR: 264131
Fixes: 7cb40543e9 ("filt_timerexpire: do not iterate over the interval")
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 524dadf7a8)
(cherry picked from commit 129112f80d)
While the recovery command executed, some other commands from the periph
may complete, which may affect periph_links of this CCB. So when restoring
the original CCB we must keep the current periph_links as more up to date.
I've found this triggering assertions with debug kernel and suspect
some memory corruptions otherwise when spun down disk receives two
or sometimes more concurrent requests.
Approved by: so
Security: FreeBSD-EN-22:17.cam
MFC after: 1 week
Sponsored by: iXsystems, Inc.
(cherry picked from commit 404f001161)
(cherry picked from commit 84849cfd1d)
- Bump BRANCH to RELEASE
- Add the anticipated RELEASE announcement date
- Set a static __FreeBSD_version
Approved by: re (implicit)
Sponsored by: Rubicon Communications, LLC ("Netgate")
tc_counter_mask is an unsigned int and in the TSC timecounter is equal
to UINT_MAX, so the addition tc->tc_counter_mask + 1 can overflow to 0,
resulting in a hang during boot.
Approved by: re (gjb)
Fixes: c2705ceaeb ("x86: Speed up clock calibration")
Reviewed by: cperciva
Sponsored by: The FreeBSD Foundation
(cherry picked from commit c3196306f0)
(cherry picked from commit 58f49b7da7)
Because the maximum number of endpoint contexts is stored there.
Tested by: ehaupt@
PR: 262882
Approved by: re (gjb, early MFC)
Sponsored by: NVIDIA Networking
(cherry picked from commit 09dd1adfa4)
(cherry picked from commit 6d8c6b24ee)
Only drop BULK and INTERRUPT endpoints, to reset the data toggle,
because for other endpoint types this is not critical.
While at it fix some whitespace.
Tested by: ehaupt@
PR: 262882
Approved by: re (gjb, early MFC)
Sponsored by: NVIDIA Networking
(cherry picked from commit e276d28150)
(cherry picked from commit 610528736f)
Use the drop and enable endpoint context commands to force a reset of
the data toggle for USB 2.0 and USB 3.0 after:
- clear endpoint halt command (when the driver wishes).
- set config command (when the kernel or user-space wants).
- set alternate setting command (only affected endpoints).
Some XHCI HW implementations may not allow the endpoint reset command when
the endpoint context is not in the halted state.
Reported by: Juniper and Gary Jennejohn
Approved by: re (gjb)
Sponsored by: NVIDIA Networking
(cherry picked from commit cda31e7349)
Padding was added to __cxa_exception in 45ca8b19 and
__cxa_dependent_exception needs the same layout.
Add some static_asserts to detect this in the future.
Merge of libcxxrt commit b00c6c564357
(cherry picked from commit c40e434988)
(cherry picked from commit 69a40d9241)
Approved by: re (gjb)
When allocating memory with a kernel memory allocator we may get
memory that will later be promoted to a superpage. If this happens
while another CPU is using the pointer they can race and when the
promotion passes through the break-before-make sequence the pointer
will be invalid for a short length of time.
Revert the commit that added the use of the kernel allocator and
subsequent fixes to the original change.
Revert "Pass the ACPI ID when reading the ACPI domain"
This reverts commit aa3b5d79b2.
Revert "Stop reading the arm64 domain when it's known"
This reverts commit b7c23efd74.
Revert "Allocate arm64 per-CPU data in the correct domain"
This reverts commit f51997c6e4.
Approved by: re (gjb)
Reported by: dch
Sponsored by: The FreeBSD Foundation
When VLAN HW filter is disabled, the NIC does not pass any vlan tagged
traffic. Setting these flags on the device allows vlan tagged traffic to
pass.
Approved by: re (gjb)
PR: 236983
Tested by: pi
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34824
(cherry picked from commit 0c6a2fa33e)
(cherry picked from commit e54505277c)
This mirrors dmu_read_impl(), zeroing out the tail end of the buffer and
clipping the read to what's contained by the block that exists.
This fixes an issue that arose during the 13.1 release process; in
13.1-RC1 and later, setting up GELI+ZFS will result in a failure to
boot. The culprit is this, which causes us to fail to load geom_eli.ko
as there's a residual portion after the single datablk that should be
zeroed out.
PR: 263407
Reviewed by: tsoome
Approved by: re (gjb)
(cherry picked from commit 914dc91d12)
(cherry picked from commit 0c9c8a4c64)
The time() system call first appeared in Version 1 AT&T UNIX. Through
Version 3 AT&T UNIX, it returned 60 Hz ticks since an epoch that
changed occasionally, because it was a 32-bit value that overflowed in a
little over 2 years.
In Version 4 AT&T UNIX the granularity of the return value was reduced to
whole seconds, delaying the aforementioned overflow until 2038.
Version 7 AT&T UNIX introduced the ftime() system call, which returned
time at a millisecond level, though retained the gtime() system call
(exposed as time() in userland). time() could have been implemented as a
wrapper around ftime(), but that wasn't done.
4.1cBSD implemented a higher-precision time function gettimeofday() to
replace ftime() and reimplemented time() in terms of that.
Since FreeBSD 9 the implementation of time() uses
clock_gettime(CLOCK_SECOND) instead of gettimeofday() for performance
reasons.
With most valuable input from Warner (imp@).
Reviewed by: 0mp, jilles, imp
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D34751
(cherry picked from commit 3e0f3678ec)
Insert padding in __cxa_exception struct for compatibility
Similar to https://github.com/llvm/llvm-project/commit/f2a436058fcb, the
addition of __attribute__((__aligned__)) to _Unwind_Exception (in commit
b9616964) causes implicit padding to be inserted before the unwindHeader
field in __cxa_exception.
Applications attempt to get at the earlier fields in __cxa_exception, so
preserve the same negative offsets in __cxa_exception, by moving the
padding to the beginning of the struct.
The assumption here is that if the ABI is not aware of the padding
before unwindHeader and put the referenceCount/primaryException in
there, no padding should exist before unwindHeader.
This should make libreoffice's custom exception handling mechanisms work
correctly, even if it was built against an older cxxabi.h/unwind.h pair.
PR: 263370
Approved by: re (gjb)
MFC after: immediately
(cherry picked from commit 434215c26d)
(cherry picked from commit 06394327dd)
For some reason I can't reproduce this locally, but Jenkins complains.
Approved by: re (gjb)
Reported by: Jenkins
Fixes: bdf290cd3e ("ctf: Add v3 support to CTF tools, ctf{convert,dump,merge}")
(cherry picked from commit 3fe1f21fb3)
(cherry picked from commit fb89cf93a5)
ctfdump handles v2 and v3. ctfconvert now emits only CTFv3, whereas
ctfmerge can merge v2 and v3 containers into v3 containers.
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit bdf290cd3e)
(cherry picked from commit e5b54808f7)
In general, the patch adds indirection to minimize the amount of code
that needs to know about differences between v2 and v3. Specifically,
some new ctf_get_ctt_* functions are added, and new LCTF_* macros are
added to use the underlying container's version to do the right thing.
CTF containers can have parent/child relationships, wherein a type ID in
one container refers to a type in the parent. It is permitted for the
parent and child to have different versions.
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a6fb869173)
(cherry picked from commit a49aa9da78)
Approved by: re (gjb)
Reviewed by: Domagoj Stolfa
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 8dbae4ce32)
(cherry picked from commit 8409eb0251)
The general aim in this and subsequent patches is to minimize the
amount of code that directly references CTF types such as ctf_type_t,
ctf_array_t, etc. To that end, introduce some routines similar to the
existing fbt_get_ctt_size() (which exists to deal with differences
between v1 and v2) and change ctf_lookup_by_id() to return a void
pointer.
Support for v2 containers is preserved.
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit d9175438c0)
(cherry picked from commit 2ecf3b58eb)