Commit Graph

279438 Commits

Author SHA1 Message Date
John Baldwin
afb4998dd4 rs: Use getopt() and strtol() instead of mannual parsing.
This uses the "::" extension to getopt() to handle options which take
an optional argument.

The updated flag tests were all wrong before and only passed because
the manual parser failed to raise errors when a required argument was
missing.  The invalid argument test now gets a better error message.

Reviewed by:	brooks, imp, emaste
Differential Revision:	https://reviews.freebsd.org/D36834
2022-11-15 21:19:35 -08:00
John Baldwin
838a061417 depend-cleanup.sh: Handle rs(1) moving to C++.
To support changes in filenames for programs (and not just libraries),
update clean_dep() to check .depend.foo.o files as well as
.depend.foo.pico files.
2022-11-15 21:17:28 -08:00
John Baldwin
42d10b1b56 rs: Convert to C++ to convert elem to a std::vector<char *>.
This also updates various indices and counters from int to size_t to
pacify resulting -Wsign-compare warnings.

Reviewed by:	brooks
Differential Revision:	https://reviews.freebsd.org/D36833
2022-11-15 21:03:12 -08:00
Kyle Evans
fc8b021e7a share: i18n: fix mismatch in BIG5 esdb generation
In the first loop, we setup Big5_$i_variable where $i are elements of
$PART with : replaced to @.  Do the same in the second loop when we're
trying to refer to the same variable.

No functional change, because none of the in-tree mappings have an @
in them.

Sponsored by:	Klara, Inc.
2022-11-15 22:09:22 -06:00
John Baldwin
f53dc31bb3 src.opts.mk: Disable all of LLVM if C++ support is disabled.
Reviewed by:	imp, emaste
Differential Revision:	https://reviews.freebsd.org/D36891
2022-11-15 19:21:20 -08:00
John Baldwin
fd104a6ebc bhyve: Use XHCI_PORTREG_PTR in one place that open-coded it.
Reviewed by:	corvink, markj
Differential Revision:	https://reviews.freebsd.org/D36888
2022-11-15 19:19:35 -08:00
John Baldwin
57fbafb8de libfetch: Pass a zeroed digest to DigestCalcResponse.
GCC 12 warns that passing "" (a constant of char[1]) to a parameter of
type char[33] could potentially overread.  It is not clear from the
context that c->qops can never be "auth-int" (and if it can't, then
the "auth-int" handling in DigestCalcResponse is dead code that should
be removed since this is the only place the function is called).

Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D36825
2022-11-15 19:18:58 -08:00
John Baldwin
6100374ccf diff: Don't (ab)use sprintf() as a kind of strcat().
Previously print_header() used sprintf() of a buffer to itself as a
kind of string builder but without checking for overflows.  This
raised -Wformat-truncation and -Wrestrict warnings in GCC.  Instead,
just conditionally print the new timestamp fields after the initial
strftime()-formatted string.  While here, use sizeof(buf) with
strftime() rather than a magic number.

Reviewed by:	bapt
Differential Revision:	https://reviews.freebsd.org/D36814
2022-11-15 19:17:36 -08:00
John Baldwin
4e0771714d diff: Don't treat null characters like carriage returns in readhash().
The implicit fall-through in the !D_FORCEASCII case caused null
characters to be treated as carriage returns honoring the D_STRIPCR,
D_FOLDBLANKS, and D_IGNOREBLANKS flags.

Reported by:	GCC -Wimplicit-fallthrough
Reviewed by:	bapt
Fixes:	 	3cbf98e2be diff: read whole files to determine if they are ASCII text
Differential Revision:	https://reviews.freebsd.org/D36813
2022-11-15 19:16:50 -08:00
Bjoern A. Zeeb
325ba12055 LinuxKPI: in efi.h include queue.h
sys/linker.h needs sys/queue.h;  this gets another wireless driver
closer to compiling on main.

MFC after:	3 days
2022-11-15 23:08:05 +00:00
Dag-Erling Smørgrav
eb0292d929 tftpd: cleanup
Sponsored by:	Klara, Inc.
2022-11-15 23:37:54 +01:00
Ed Maste
714f6f9c14 ipfilter: replace defunct home page link with FAQ URL
ipfilter.org disappeared in mid 2004.  There is still a FAQ at
https://www.phildev.net/ipf so point to that.
2022-11-15 17:11:59 -05:00
Michael Tuexen
9a71437621 libalias: improve handling of invalid SCTP packets
In case of a paritial chunk only pretend the result is OK if
the packet is not the last fragment and there is a valid association.

PR:		267476
MFC after:	3 days
2022-11-15 21:05:02 +01:00
Rick Macklem
e471259313 rpc.tlsservd.8: Update man page for new -N/--numdaemons option
Commit 1e588a9ceb added a new command line option -N/numdaemons
that specifies how many daemons to run. This allows a server
to be configured with more than one rpc.tlsservd daemon, which
may be necessary to handle a reboot for an NFS server with
many NFS-over-TLS client mounts.

This patch updates the man page for this commit.

This is a content change.

Reviewed by:	karels, pauamma (man pages)
Differential Revision:	https://reviews.freebsd.org/D37382
2022-11-15 13:30:41 -08:00
Cy Schubert
ed549cb0c5 heimdal: Fix multiple security vulnerabilities
The following issues are patched:

 - CVE-2022-42898 PAC parse integer overflows
 - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
 - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
 - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

    Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
    on the Common Vulnerability Scoring System (CVSS) v3, as we believe
    it should be possible to get an RCE on a KDC, which means that
    credentials can be compromised that can be used to impersonate
    anyone in a realm or forest of realms.

    Heimdal's ASN.1 compiler generates code that allows specially
    crafted DER encodings of CHOICEs to invoke the wrong free function
    on the decoded structure upon decode error.  This is known to impact
    the Heimdal KDC, leading to an invalid free() of an address partly
    or wholly under the control of the attacker, in turn leading to a
    potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all extensible CHOICE types
    used in Heimdal, though not all cases will be exploitable.  We have
    not completed a thorough analysis of all the Heimdal components
    affected, thus the Kerberos client, the X.509 library, and other
    parts, may be affected as well.

    This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
    only affect Heimdal 1.6 and up.  It was first reported by Douglas
    Bagnall, though it had been found independently by the Heimdal
    maintainers via fuzzing a few weeks earlier.

    While no zero-day exploit is known, such an exploit will likely be
    available soon after public disclosure.

 - CVE-2019-14870: Validate client attributes in protocol-transition
 - CVE-2019-14870: Apply forwardable policy in protocol-transition
 - CVE-2019-14870: Always lookup impersonate client in DB

Sponsored by:	so (philip)
Obtained from:	so (philip)
Tested by:	philip, cy
MFC after:	immediately
2022-11-15 13:12:37 -08:00
Cy Schubert
1ffab636da ipfilter: Document count_mask_bits() arguments
Document arguments input to count_mask_bits().

MFC after:	3 days
2022-11-15 13:11:16 -08:00
John Baldwin
2ff447ee3b cxgbe: Enable TOE TLS RX when an RX key is provided via setsockopt().
Rather than requiring a socket to be created as a TLS socket from the
get go, switch a TOE socket from "plain" TOE to TLS mode when a
receive key is added to the socket.

The firmware is only able to switch a "plain" TOE connection to TLS
mode if the head of the pending socket data is the start of a TLS
record, so the connection is migrated to TLS mode as a multi-step
process.

When TOE TLS RX is enabled, the associated connection's receive side
is frozen via a flag in the TCB.  The state of the socket buffer is
then examined to determine if the pending data in the socket buffer
ends on a TLS record boundary.  If so, the connection is migrated to
TLS mode and unfrozen.  Otherwise, the connection is unfrozen
temporarily until more data arrives.  Once more data arrives, the
receive queue is frozen again and rechecked.  This continues until the
connection is paused at a record boundary.  Any records received
before TLS mode is enabled are decrypted as software records.

Note that this removes the 'rx_tls_ports' sysctl.  TOE TLS offload for
receive is now enabled automatically on existing TOE connections when
using a KTLS-aware SSL library just as it was previously enabled
automatically for TLS transmit.  This also enables TLS offload for TOE
connections which enable TLS after passing initial data in the clear
(e.g. STARTTLS with SMTP).

Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D37351
2022-11-15 12:08:51 -08:00
John Baldwin
21186bdb2d cxgbe: Various whitespace fixes.
Mostly trailing whitespace and spaces before tabs.

Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D37350
2022-11-15 12:03:57 -08:00
John Baldwin
65bd3adbed ktls: Add tests for receiving corrupted or invalid records.
These should all trigger errors when reading from the socket.

Tests include truncated records (socket closed early on the other
side), corrupted records (bits flipped in explicit IVs, ciphertext, or
MAC), invalid header fields, and various invalid record lengths.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D37373
2022-11-15 12:03:19 -08:00
John Baldwin
4e47414648 ktls_ocf: Reject encrypted TLS records using AEAD that are too small.
If a TLS record is too small to contain the required explicit IV,
record_type (TLS 1.3), and MAC, reject attempts to decrypt it with
EMSGSIZE without submitting it to OCF.  OCF drivers may not properly
detect that regions in the crypto request are outside the bounds of
the mbuf chain.  The caller isn't supposed to submit such requests.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D37372
2022-11-15 12:02:57 -08:00
John Baldwin
64811651aa ktls: Add tests for software AES-CBC decryption for TLS 1.1+.
Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D37371
2022-11-15 12:02:28 -08:00
John Baldwin
9a673b7158 ktls: Add software support for AES-CBC decryption for TLS 1.1+.
This is mainly intended to provide a fallback for TOE TLS which may
need to use software decryption for an initial record at the start
of a connection.

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D37370
2022-11-15 12:02:03 -08:00
Emmanuel Vadot
b97ee269ea Import device-tree files from Linux 6.0
Sponsored by:   Beckhoff Automation GmbH & Co. KG
2022-11-15 20:02:06 +01:00
Emmanuel Vadot
d5b0e70f7e Import device-tree files from Linux 5.19
Sponsored by:   Beckhoff Automation GmbH & Co. KG
2022-11-15 20:01:13 +01:00
Emmanuel Vadot
8bf583e1ce Import device-tree files from Linux 6.0 2022-11-15 19:51:46 +01:00
Emmanuel Vadot
0085f59d9e Import device-tree files from Linux 5.19 2022-11-15 19:50:16 +01:00
Andrew Turner
8a2adde1e4 Split out the arm64 EL2 exception vectors
These were originally in locore.S as they are only needed so we have
a valid value to put into the vbar_el2 register. As these will soon
be used by bhyve so move them to a new file as we already have with
the EL1 exception vectors in exception.S.

Obtained from:	https://github.com/FreeBSD-UPB/freebsd-src (earlier version)
Sponsored by:	Innovate UK
Sponsored by:	The FreeBSD Foundation
2022-11-15 17:26:52 +00:00
Andrew Turner
2468c61958 Add more arm64 hypervisor registers
These will be used by bhyve.

Sponsored by:	Innovate UK
Sponsored by:	The FreeBSD Foundation
2022-11-15 17:26:52 +00:00
Andrew Turner
ae43a817d3 Put the arm64 vttbr_el2 register into a state
Zero the vttbr_el2 register on each CPU so we can tell if we are
running the host or guest kernel from a hypervisor.

Obtained from:	https://github.com/FreeBSD-UPB/freebsd-src (earlier version)
Sponsored by:	Innovate UK
Sponsored by:	The FreeBSD Foundation
2022-11-15 17:26:52 +00:00
Andrew Turner
80ba994bfa Add the arch field to the arm64 MIDR macros
For completeness add accessors for the MIDR field. As the field is
always 0xf on arm64 it is unneeded in the current MICR handling, but
will be used in the vmm module for bhyve.

Obtained from:	https://github.com/FreeBSD-UPB/freebsd-src (earlier version)
Sponsored by:	The FreeBSD Foundation
2022-11-15 17:26:52 +00:00
Mateusz Guzik
60bae7ec04 mac_lomac: whack giant usage
It does not protect anything, the code looks dodgy regardless.
2022-11-15 14:31:41 +00:00
Mateusz Guzik
c3f1a13902 Retire broken GPROF support from the kernel
The option is not even recognized and with that patched it does not
compile. Even if it did work, it would be prohibitively expensive to
use.

Interested parties can use pmcstat or dtrace instead.
2022-11-15 14:17:10 +00:00
Mateusz Guzik
a72edfea57 dtrace: avoid kinst warn when not used
Reviewed by:	markj
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-11-15 13:40:31 +00:00
Bjoern A. Zeeb
5d310ea8c5 LinuxKPI: add memset_startat macro
Add a memset_startat() macro which sets a pattern from a struct member
to the end of the struct.   Needed by a wireless driver.

MFC after:	3 days
Reviewed by:	emaste
Differential Revision: https://reviews.freebsd.org/D37389
2022-11-15 12:52:10 +00:00
Andrew Turner
386a5e3ae6 Rename the arm64 pmap_invalidate_* functions
These all work on stage 1 tables. Rename them so we can add similar
functions that operate on stage 2 tables.

Reviewed by:	alc, markj, kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D37302
2022-11-15 12:33:39 +00:00
Andrew Turner
0b976be033 Disable superpage use for stage 2 arm64 mappings
When modifying a stage 2 mapping we may need to call into the
hypervisor to invalidate the TLB. Until it is known if the cost of
this operation is less than the performance gains superpages offers
disable their use.

Reviewed by:	kib. markj
Sponsored by:	Innovate UK
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37299
2022-11-15 12:33:39 +00:00
Andrew Turner
ba2bbac4c1 Revert "Check alignment of fp in unwind_frame"
Fix the build as is_aligned doesn't exist in FreeBSD.

This reverts commit 40e0fa10f5.
2022-11-15 12:33:39 +00:00
Kristof Provost
48767d8734 pfsync: fix memory leak
The recent refactoring to prepare for pfsync over IPv6 introduced a
memory leak.
If we don't have a sync peer configured we return early (without sending
out a packet), but failed to free the newly allocated packet.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2022-11-15 12:13:11 +01:00
Mateusz Guzik
c1f48e62dc proc: retire 2 unused lock annotations 2022-11-15 10:50:39 +00:00
Kristof Provost
5246f8fade if_ovpn: pass control packets through the socket
Rather than passing control packets through the ioctl interface allow
them to pass through the normal UDP socket flow.
This simplifies both kernel and userspace, and matches the approach
taken (or the one that will be taken) on the Linux side of things.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D37317
2022-11-15 10:01:18 +01:00
Baptiste Daroussin
e1184adecf sendmail: remove leftovers from mta_start_script and rc.sendmail
Switch /etc/mail/Makefile to use /etc/rc.d/sendmail instead of
/etc/rc.sendmail this switch should have been done 20 years ago.

While here update the documentation to not refer anymore to
mta_start_script

Reported by:	Jose Luis Duran <jlduran@gmail.com>
2022-11-15 09:10:53 +01:00
Corvin Köhne
49b947c01d
bhyve: add basl support for pointers
Some ACPI tables like XSDT contain pointers to other ACPI tables. When
an ACPI table is loaded by qemu's loader, the address in the guest
memory is unknown. For that reason, the qemu loader supports patching
those pointers. Basl keeps track of all pointers and causes the qemu
loader to patch all pointers.

The qemu ACPI table loader is unsupport yet. However, in a future commit
bhyve will use dynamic ACPI table offsets based on the size and
alignment requirements of each ACPI table. Therefore, tracking ACPI
table pointer is required too.

Reviewed by:		jhb
Approved by:		manu (mentor)
MFC after:		2 weeks
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D36991
2022-11-15 08:27:11 +01:00
Corvin Köhne
2957847031
bhyve: add basl support for checksums
The qemu ACPI table loader patches the ACPI tables. After patching them,
checksums aren't correct any more. It has to calculate a new checksum
for the ACPI table. For that reason, basl has to keep track of checksums
and has to cause the qemu loader to create new checksums for the tables.

The qemu ACPI table loader isn't supported yet. However, the address of
all tables is unknown as long as bhyve hasn't finished ACPI table
creation. So, the checksum of tables which include pointer to other
tables are unknown too. This requires tracking of checksums too.

Reviewed by:		jhb
Approved by:		manu (mentor)
MFC after:		2 weeks
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D36990
2022-11-15 08:27:10 +01:00
Corvin Köhne
3a766cd0f1
bhyve: add basl support for length fields
ACPI tables have different layouts. So, there's no common position for
the length field. When tables are build by basl, the length is unknown
at the beginning. It has to be set after building the table.

Reviewed by:		jhb
Approved by:		manu (mentor)
MFC after:		2 weeks
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D36989
2022-11-15 08:27:09 +01:00
Corvin Köhne
995374a655
bhyve: add basl support for generic addresses
In upcoming commits, bhyve will build some ACPI tables by it's own.
Therefore, it should be capable of appending GENERIC_ADDRESS structs to
ACPI tables.

Reviewed by:		jhb, markj
Approved by:		manu (mentor)
MFC after:		2 weeks
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D36988
2022-11-15 08:27:08 +01:00
Corvin Köhne
e22f5ce2bf
bhyve: add basl support for int values
In upcoming commits, bhyve will build some ACPI tables by it's own.
Therefore, it should be capable of appending int values to ACPI tables.

Reviewed by:		jhb, markj (older version)
Approved by:		manu (mentor)
MFC after:		2 weeks
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D36987
2022-11-15 08:27:07 +01:00
Corvin Köhne
22a2e94f38
bhyve: use basl to load ACPI tables
Load the blobs compiled by iasl into a basl_table. The basl_table is a
temporary buffer which copies the ACPI tables into guest memory for us.
This allows us in the future to pass the blobs over the qemu fwcfg
interface to the guest.

Reviewed by:		jhb, markj
Approved by:		manu (mentor)
MFC after:		2 weeks
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D36986
2022-11-15 08:27:06 +01:00
Corvin Köhne
ac3c2b3e38
bhyve: add table dump functions for basl
Developing an ACPI table compiler isn't quite easy. It's helpful if you
can take a look at the ACPI tables created by the compiler.

The dump functions can either dump a ACPI table which was copied into
guest memory or a ACPI table provided for qemu's ACPI table loader.

Reviewed by:		jhb, markj
Approved by:		manu (mentor)
MFC after:		2 weeks
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D36985
2022-11-15 08:27:04 +01:00
Corvin Köhne
21bbc28426
bhyve: add basic basl implementation
Basl is the bhyve ASL compiler. At the moment, it's just a small wrapper
to call iasl, the Intel ASL compiler. As bhyve will gain support for
qemu's ACPI table loader in the future, it has to create ACPI tables on
it's own. Therefore, it makes sense to create a new file which keeps the
code for basl.

This first implementation of basl supports creating an ACPI table by
appending raw bytes to it. It's also capable of loading all tables into
guest memory.

Reviewed by:		jhb, markj (older version)
Approved by:		manu (mentor)
MFC after:		2 weeks
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D36984
2022-11-15 08:27:01 +01:00
Corvin Köhne
eff8d03477
bhyve/kdblayout: add some missing keys to german layout
The '/' and '§' keys are missing in the german keyboard layout.

Reviewed by:		markj
Approved by:		manu (mentor)
MFC after:		1 week
Sponsored by:		Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D37386
2022-11-15 07:48:27 +01:00