Commit Graph

235801 Commits

Author SHA1 Message Date
Mateusz Piotrowski
e896acd05e Fix a broken "SEE ALSO" section of hlfsd(8).
While here pet mandoc and igor.

Reviewed by:	bcr, eadler, krion, mat
Approved by:	krion (mentor), mat (mentor)
Differential Revision:	https://reviews.freebsd.org/D16376
2018-08-14 20:33:48 +00:00
David Bright
4e258e2d9f Fix a couple whitespace errors in r337814.
Reported by:	Renato Botelho <garga.bsd@gmail.com>
MFC after:	3 days
X-MFC-with:	r337814
Sponsored by:	Dell EMC
2018-08-14 20:26:54 +00:00
Cy Schubert
0ec68024a0 MFV r337818:
WPA: Ignore unauthenticated encrypted EAPOL-Key data

Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.

When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>

Obtained from:  git://w1.fi/hostap.git
MFC after:      1 day
Security:       CVE-2018-14526
Security:       VuXML: 6bedc863-9fbe-11e8-945f-206a8a720317
2018-08-14 20:24:10 +00:00
Cy Schubert
765ef8a764 WPA: Ignore unauthenticated encrypted EAPOL-Key data
Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.

When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>

Obtained from:	git://w1.fi/hostap.git
MFC after:	1 day
Security:	CVE-2018-14526
Security:	VuXML: 6bedc863-9fbe-11e8-945f-206a8a720317
2018-08-14 20:10:25 +00:00
David Bright
45bed28c11 Fix several (more) memory leaks.
A follow-up to r337812 to catch a couple more memory leaks that should
have been included in that change.

Reported by:	Coverity
CID:		1296064, 1296067 (for real this time)
MFC after:	3 days
X-MFC-with:	r337812
Sponsored by:	Dell EMC
2018-08-14 19:31:06 +00:00
Mark Johnston
b8abc9d8f5 Help ensure that the copy loop doesn't get converted to a memcpy() call.
Reported and reviewed by: kib
X-MFC with:	r337715
Sponsored by:	The FreeBSD Foundation
2018-08-14 19:21:31 +00:00
David Bright
53e992cfb9 Fix several memory leaks.
The libkqueue tests have several places that leak memory by using an
idiom like:

puts(kevent_to_str(kevp));

Rework to save the pointer returned from kevent_to_str() and then
free() it after it has been used.

Reported by:	asomers (pointer to Coverity), Coverity
CID:		1296063, 1296064, 1296065, 1296066, 1296067, 1350287, 1394960
Sponsored by:	Dell EMC
2018-08-14 19:12:45 +00:00
Luiz Otavio O Souza
e13a20dad7 Disable the auto negotiation if the port is set to fixed-link.
Tested on SG-3100 (ARMADA38X) and Espresso.bin (A37x0).  Fixes the network
on espresso.bin.

Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-08-14 18:58:16 +00:00
Kyle Evans
e112e9d255 MFV r337586: lua: Update to 5.3.5
Bugfix release, nothing too major.

Tested with:	lualoader via userboot, lualoader live
Differential Revision:	https://reviews.freebsd.org/D16665
2018-08-14 18:58:01 +00:00
Warner Losh
eddbdee83d For our INT64 implementation, we can compare integers and numbers
directly because they are the same thing.

Reviewed by: kevans@
2018-08-14 18:45:25 +00:00
Warner Losh
243ff7d88b When the LUA floating point model is INT64, we don't need to do the
overflow dance. This avoids compile errors on latter-day gcc compilers
as well as simplifies the generated code.

Reviewed by: kevans@
2018-08-14 18:45:20 +00:00
Warner Losh
07d397d746 Prevent a wanring about checkdp being unused. It's not needed when we
have INT64 floats and somehow snuck through unused until now.

Reviewed by: kevans@
2018-08-14 18:45:16 +00:00
Warner Losh
9d45c24cc4 Create a loader for each interpreter for x86 BIOS and all EFI
Create loader_{4th,lua,simp}{,.efi}. All of these are installed by
default. Create LOADER_DEFAULT_INTERP to specify the default
interpreter when no other is specified. LOADER_INTERP is the current
interpreter language building. Turn building of lua on by default to
match 4th. simploader is a simplified loader build w/o any interpreter
language (but with a simple loader).  This is the historic behavir you
got with WITHOUT_FORTH. Make a hard link to the default loader. This
has to be a hard link rather than the more desirable soft link because
older zfsboot blocks don't support symlinks.

RelNotes: Yes
Differential Revision: https://reviews.freebsd.org/D16705
2018-08-14 18:44:41 +00:00
Kyle Evans
4c5d19fda4 bectl(8): Check jailparam_* return values
Previous iteration of this assumed that these won't fail because we've
already setup the jail param to this point, but the allocations could still
fail in pretty bad conditions.

Admit that it's possible and return (ENOENT, EINVAL, ENOMEM, or 0) when
deleting arguments. EINVAL shouldn't happen since we're passing optarg;
which may satisfy *optarg == '\0' but never optarg == NULL.

CID:		1394885, 1394901
2018-08-14 18:35:33 +00:00
Kyle Evans
cc4deabc28 libbe(3): Fix leaky faucets
Amongst them:
- Resource leaks
- Logically dead code
- Unused values
- Null termination issues

Reported by:	asomers (pointer to Coverity), Coverity
CID:		1394777, 1394791, 1394830, 1394844, 1394872, 1394894,
CID:		1394900, 1394907, 1394950, 1394965
2018-08-14 18:11:06 +00:00
Jung-uk Kim
dea77ea6fc Merge OpenSSL 1.0.2p. 2018-08-14 17:48:02 +00:00
Jonathan T. Looney
8c52a6dbf7 Update the inet(4) and inet6(4) man pages to reflect the changes made
to the reassembly code in r337778, r337780, r337781, r337782, and
r337783.

Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:36:21 +00:00
Jonathan T. Looney
2ceeacbe71 Lower the default limits on the IPv6 reassembly queue.
Currently, the limits are quite high. On machines with millions of
mbuf clusters, the reassembly queue limits can also run into
the millions. Lower these values.

Also, try to ensure that no bucket will have a reassembly
queue larger than approximately 100 items. This limits the cost to
find the correct reassembly queue when processing an incoming
fragment.

Due to the low limits on each bucket's length, increase the size of
the hash table from 64 to 1024.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:32:07 +00:00
Jonathan T. Looney
a967df1c8f Lower the default limits on the IPv4 reassembly queue.
In particular, try to ensure that no bucket will have a reassembly
queue larger than approximately 100 items. This limits the cost to
find the correct reassembly queue when processing an incoming
fragment.

Due to the low limits on each bucket's length, increase the size of
the hash table from 64 to 1024.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:30:46 +00:00
Konstantin Belousov
c30578feeb Provide part of the mitigation for L1TF-VMM.
On the guest entry in bhyve, flush L1 data cache, using either L1D
flush command MSR if available, or by reading enough uninteresting
data to fill whole cache.

Flush is automatically enabled on CPUs which do not report RDCL_NO,
and can be disabled with the hw.vmm.l1d_flush tunable/kenv.

Security:	CVE-2018-3646
Reviewed by:	emaste. jhb, Tony Luck <tony.luck@intel.com>
Sponsored by:	The FreeBSD Foundation
2018-08-14 17:29:41 +00:00
Jonathan T. Looney
5f9f192dc5 Drop 0-byte IPv6 fragments.
Currently, we process IPv6 fragments with 0 bytes of payload, add them
to the reassembly queue, and do not recognize them as duplicating or
overlapping with adjacent 0-byte fragments. An attacker can exploit this
to create long fragment queues.

There is no legitimate reason for a fragment with no payload. However,
because IPv6 packets with an empty payload are acceptable, allow an
"atomic" fragment with no payload.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:29:22 +00:00
Jonathan T. Looney
1e9f3b734e Implement a limit on on the number of IPv6 reassembly queues per bucket.
There is a hashing algorithm which should distribute IPv6 reassembly
queues across the available buckets in a relatively even way. However,
if there is a flaw in the hashing algorithm which allows a large number
of IPv6 fragment reassembly queues to end up in a single bucket, a per-
bucket limit could help mitigate the performance impact of this flaw.

Implement such a limit, with a default of twice the maximum number of
reassembly queues divided by the number of buckets. Recalculate the
limit any time the maximum number of reassembly queues changes.
However, allow the user to override the value using a sysctl
(net.inet6.ip6.maxfragbucketsize).

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:27:41 +00:00
Jonathan T. Looney
03c99d7662 Add a limit of the number of fragments per IPv6 packet.
The IPv4 fragment reassembly code supports a limit on the number of
fragments per packet. The default limit is currently 17 fragments.
Among other things, this limit serves to limit the number of fragments
the code must parse when trying to reassembly a packet.

Add a limit to the IPv6 reassembly code. By default, limit a packet
to 65 fragments (64 on the queue, plus one final fragment to complete
the packet). This allows an average fragment size of 1,008 bytes, which
should be sufficient to hold a fragment. (Recall that the IPv6 minimum
MTU is 1280 bytes. Therefore, this configuration allows a full-size
IPv6 packet to be fragmented on a link with the minimum MTU and still
carry approximately 272 bytes of headers before the fragmented portion
of the packet.)

Users can adjust this limit using the net.inet6.ip6.maxfragsperpacket
sysctl.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:26:07 +00:00
Jonathan T. Looney
2adfd64f35 Make the IPv6 fragment limits be global, rather than per-VNET, limits.
The IPv6 reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on a per-VNET basis. Given enough VNETs (or given sufficient customization
on enough VNETs), it is possible that the sum of all the VNET fragment
limits will exceed the number of mbuf clusters available in the system.

Given the fact that the fragment limits are intended (at least in part) to
regulate access to a global resource, the IPv6 fragment limit should
be applied on a global basis.

Note that it is still possible to disable fragmentation for a particular
VNET by setting the net.inet6.ip6.maxfragpackets sysctl to 0 for that
VNET. In addition, it is now possible to disable fragmentation globally
by setting the net.inet6.ip6.maxfrags sysctl to 0.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:24:26 +00:00
Jonathan T. Looney
ff790bbad0 Implement a limit on on the number of IPv4 reassembly queues per bucket.
There is a hashing algorithm which should distribute IPv4 reassembly
queues across the available buckets in a relatively even way. However,
if there is a flaw in the hashing algorithm which allows a large number
of IPv4 fragment reassembly queues to end up in a single bucket, a per-
bucket limit could help mitigate the performance impact of this flaw.

Implement such a limit, with a default of twice the maximum number of
reassembly queues divided by the number of buckets. Recalculate the
limit any time the maximum number of reassembly queues changes.
However, allow the user to override the value using a sysctl
(net.inet.ip.maxfragbucketsize).

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:23:05 +00:00
Alan Somers
e40369745c tftp: Close a resource leak when putting files
Reported by:	Coverity
CID:		1394842
MFC after:	2 weeks
2018-08-14 17:20:31 +00:00
Jonathan T. Looney
7b9c5eb0a5 Add a global limit on the number of IPv4 fragments.
The IP reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on a per-VNET basis. Given enough VNETs (or given sufficient customization
of enough VNETs), it is possible that the sum of all the VNET limits
will exceed the number of mbuf clusters available in the system.

Given the fact that the fragment limit is intended (at least in part) to
regulate access to a global resource, the fragment limit should
be applied on a global basis.

VNET-specific limits can be adjusted by modifying the
net.inet.ip.maxfragpackets and net.inet.ip.maxfragsperpacket
sysctls.

To disable fragment reassembly globally, set net.inet.ip.maxfrags to 0.
To disable fragment reassembly for a particular VNET, set
net.inet.ip.maxfragpackets to 0.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:19:49 +00:00
Konstantin Belousov
8d32b46379 Add definitions related to the L1D flush operation capability and MSR.
Sponsored by:	The FreeBSD Foundation
2018-08-14 17:19:11 +00:00
Jonathan T. Looney
80d7a85390 Improve IPv6 reassembly performance by hashing fragments into buckets.
Currently, all IPv6 fragment reassembly queues are kept in a flat
linked list. This has a number of implications. Two significant
implications are: all reassembly operations share a common lock,
and it is possible for the linked list to grow quite large.

Improve IPv6 reassembly performance by hashing fragments into buckets,
each of which has its own lock. Calculate the hash key using a Jenkins
hash with a random seed.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:17:37 +00:00
Jonathan T. Looney
5d9bd45518 Improve hashing of IPv4 fragments.
Currently, IPv4 fragments are hashed into buckets based on a 32-bit
key which is calculated by (src_ip ^ ip_id) and combined with a random
seed. However, because an attacker can control the values of src_ip
and ip_id, it is possible to construct an attack which causes very
deep chains to form in a given bucket.

To ensure more uniform distribution (and lower predictability for
an attacker), calculate the hash based on a key which includes all
the fields we use to identify a reassembly queue (dst_ip, src_ip,
ip_id, and the ip protocol) as well as a random seed.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:15:47 +00:00
Konstantin Belousov
9840c7373c Reserve page at the physical address zero on amd64.
We always zero the invalidated PTE/PDE for superpage, which means that
L1TF CPU vulnerability (CVE-2018-3620) can be only used for reading
from the page at zero.

Note that both i386 and amd64 exclude the page from phys_avail[]
array, so this change is redundant, but I think that phys_avail[] on
UEFI-boot does not need to do that.  Eventually the blacklisting
should be made conditional on CPUs which report that they are not
vulnerable to L1TF.

Reviewed by:	emaste. jhb
Sponsored by:	The FreeBSD Foundation
2018-08-14 17:14:33 +00:00
Konstantin Belousov
8fba5348fc amd64: ensure that curproc->p_vmspace pmap always matches PCPU
curpmap.

When performing context switch on a machine without PCID, if current
%cr3 equals to the new pmap %cr3, which is typical for kernel_pmap
vs. kernel process, I overlooked to update PCPU curpmap value.  Remove
check for %cr3 not equal to pm_cr3 for doing the update.  It is
believed that this case cannot happen at all, due to other changes in
this revision.

Also, do not set the very first curpmap to kernel_pmap, it should be
vmspace0 pmap instead to match curproc.

Move the common code to activate the initial pmap both on BSP and APs
into pmap_activate_boot() helper.

Reported by: eadler, ambrisko
Discussed with: kevans
Reviewed by:	alc, markj (previous version)
Tested by: ambrisko (previous version)
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D16618
2018-08-14 16:37:14 +00:00
Luiz Otavio O Souza
6f207f5b47 Add support to the Marvell Xenon SDHCI controller.
Tested on Espresso.bin (37x0) and Macchiato.bin (8k) with SD cards and
eMMCs.

Obtained from:	pfSense
Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-08-14 16:33:30 +00:00
Ruslan Bukin
5bcd113c91 Query MVPConf0.PVPE for number of CPUs.
Rather than hard-coding the number of CPUs to 2, look up the PVPE field
in MVPConf0, as the valid VPE numbers are from 0 to PVPE inclusive.

Submitted by:	"James Clarke" <jrtc4@cam.ac.uk>
Reviewed by:	br
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D16644
2018-08-14 16:29:10 +00:00
Konstantin Belousov
ef52dc71eb Fix typo.
Noted by:	alc
MFC after:	3 days
2018-08-14 16:27:17 +00:00
Ruslan Bukin
b3410bc623 Avoid repeated address calculation for malta_ap_boot.
Submitted by:	"James Clarke" <jrtc4@cam.ac.uk>
Reviewed by:	br, arichardson
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D16655
2018-08-14 16:26:44 +00:00
Ruslan Bukin
9aa2d5e4fa Remove unused code.
Sponsored by:	DARPA, AFRL
2018-08-14 16:22:14 +00:00
Jung-uk Kim
43a67e02da Import OpenSSL 1.0.2p. 2018-08-14 16:18:14 +00:00
Ruslan Bukin
2cfd37def0 Rewrite RISC-V disassembler:
- Use macroses from encoding.h generated by riscv-opcodes.
- Add support for C-compressed ISA extension.

Sponsored by:	DARPA, AFRL
2018-08-14 16:03:03 +00:00
Andrew Turner
3f9baabdd0 Remove cpu_pfr from arm. It's unused. 2018-08-14 16:01:25 +00:00
Andrew Turner
52a532939b Remove an old comment now the code it references has been removed. 2018-08-14 15:48:13 +00:00
Andrew Turner
27e0028cdd Fix the spelling of armv4_idcache_inv_all in an END macro. 2018-08-14 15:42:27 +00:00
Luiz Otavio O Souza
37844eaacf Use the correct PTE when changing the attribute of multiple pages.
Submitted by:	andrew (long time ago)
Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-08-14 15:27:50 +00:00
Mark Johnston
27f4c235ee Explain why we aren't using memcpy().
Reported by:	jmg
X-MFC with:	r337715
Sponsored by:	The FreeBSD Foundation
2018-08-14 14:50:06 +00:00
Mark Johnston
845800e190 Don't use memcpy() in the early microcode loading code.
At some point memcpy() may be an ifunc, ifunc resolution cannot be done
until CPU identification has been performed, and CPU identification must
be done after loading any microcode updates.

X-MFC with:	r337715
Sponsored by:	The FreeBSD Foundation
2018-08-14 14:02:53 +00:00
Luiz Otavio O Souza
217643e7da Fix a typo on the PSCI smc call wrapper.
Looks good from:	andrew
Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-08-14 13:56:49 +00:00
Mark Johnston
3571aee662 Fix the !SMP x86 build.
Reported by:	Michael Butler <imb@protected-networks.net>
X-MFC with:	r337715
Sponsored by:	The FreeBSD Foundation
2018-08-14 13:56:42 +00:00
Warner Losh
29989b4558 Add good description of init and lock devices from sio to uart. 2018-08-14 13:52:10 +00:00
Edward Tomasz Napierala
bd9325a169 Add the "autoro" flag to /media. This makes it attempt to mount
it read-only instead of just failing if the media is write-protected.

The /net doesn't seem to require the flag.

MFC after:	2 weeks
Relnotes:	yes
Sponsored by:	DARPA, AFRL
2018-08-14 13:52:08 +00:00
Martin Matuska
b6479158e1 MFV r337744:
Sync libarchive with vendor..

Vendor changes:
  PR #1042: validate iso9660 directory record length

MFC after:	3 days
Security:	CVE-2017-14501
2018-08-14 11:42:32 +00:00