Commit Graph

254132 Commits

Author SHA1 Message Date
imp
2c25b8aab6 arm/ralink cleanup
Remove the non-INTRNG code.
Remove left over cut and paste code from the lpc code that was the start for the port.
Set KERNPHYSADDR and KERNVIRTADDR

Tested on Buffalo_WZR2-G300N

Differential Revision: https://reviews.freebsd.org/D16622
2018-08-14 20:45:43 +00:00
0mp
27e678125e Fix a broken "SEE ALSO" section of hlfsd(8).
While here pet mandoc and igor.

Reviewed by:	bcr, eadler, krion, mat
Approved by:	krion (mentor), mat (mentor)
Differential Revision:	https://reviews.freebsd.org/D16376
2018-08-14 20:33:48 +00:00
dab
57fd893bf6 Fix a couple whitespace errors in r337814.
Reported by:	Renato Botelho <garga.bsd@gmail.com>
MFC after:	3 days
X-MFC-with:	r337814
Sponsored by:	Dell EMC
2018-08-14 20:26:54 +00:00
cy
dff9d8df15 MFV r337818:
WPA: Ignore unauthenticated encrypted EAPOL-Key data

Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.

When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>

Obtained from:  git://w1.fi/hostap.git
MFC after:      1 day
Security:       CVE-2018-14526
Security:       VuXML: 6bedc863-9fbe-11e8-945f-206a8a720317
2018-08-14 20:24:10 +00:00
dab
7f25aa2f2f Fix several (more) memory leaks.
A follow-up to r337812 to catch a couple more memory leaks that should
have been included in that change.

Reported by:	Coverity
CID:		1296064, 1296067 (for real this time)
MFC after:	3 days
X-MFC-with:	r337812
Sponsored by:	Dell EMC
2018-08-14 19:31:06 +00:00
markj
74cc2b609b Help ensure that the copy loop doesn't get converted to a memcpy() call.
Reported and reviewed by: kib
X-MFC with:	r337715
Sponsored by:	The FreeBSD Foundation
2018-08-14 19:21:31 +00:00
dab
fb78c87264 Fix several memory leaks.
The libkqueue tests have several places that leak memory by using an
idiom like:

puts(kevent_to_str(kevp));

Rework to save the pointer returned from kevent_to_str() and then
free() it after it has been used.

Reported by:	asomers (pointer to Coverity), Coverity
CID:		1296063, 1296064, 1296065, 1296066, 1296067, 1350287, 1394960
Sponsored by:	Dell EMC
2018-08-14 19:12:45 +00:00
loos
f7a39db135 Disable the auto negotiation if the port is set to fixed-link.
Tested on SG-3100 (ARMADA38X) and Espresso.bin (A37x0).  Fixes the network
on espresso.bin.

Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-08-14 18:58:16 +00:00
kevans
48babfba2e MFV r337586: lua: Update to 5.3.5
Bugfix release, nothing too major.

Tested with:	lualoader via userboot, lualoader live
Differential Revision:	https://reviews.freebsd.org/D16665
2018-08-14 18:58:01 +00:00
imp
0c28afb46f For our INT64 implementation, we can compare integers and numbers
directly because they are the same thing.

Reviewed by: kevans@
2018-08-14 18:45:25 +00:00
imp
bee7aea5bc When the LUA floating point model is INT64, we don't need to do the
overflow dance. This avoids compile errors on latter-day gcc compilers
as well as simplifies the generated code.

Reviewed by: kevans@
2018-08-14 18:45:20 +00:00
imp
6912a5c9ce Prevent a wanring about checkdp being unused. It's not needed when we
have INT64 floats and somehow snuck through unused until now.

Reviewed by: kevans@
2018-08-14 18:45:16 +00:00
imp
b000ad447c Create a loader for each interpreter for x86 BIOS and all EFI
Create loader_{4th,lua,simp}{,.efi}. All of these are installed by
default. Create LOADER_DEFAULT_INTERP to specify the default
interpreter when no other is specified. LOADER_INTERP is the current
interpreter language building. Turn building of lua on by default to
match 4th. simploader is a simplified loader build w/o any interpreter
language (but with a simple loader).  This is the historic behavir you
got with WITHOUT_FORTH. Make a hard link to the default loader. This
has to be a hard link rather than the more desirable soft link because
older zfsboot blocks don't support symlinks.

RelNotes: Yes
Differential Revision: https://reviews.freebsd.org/D16705
2018-08-14 18:44:41 +00:00
kevans
0945f4125a bectl(8): Check jailparam_* return values
Previous iteration of this assumed that these won't fail because we've
already setup the jail param to this point, but the allocations could still
fail in pretty bad conditions.

Admit that it's possible and return (ENOENT, EINVAL, ENOMEM, or 0) when
deleting arguments. EINVAL shouldn't happen since we're passing optarg;
which may satisfy *optarg == '\0' but never optarg == NULL.

CID:		1394885, 1394901
2018-08-14 18:35:33 +00:00
kevans
17e1e9b97a libbe(3): Fix leaky faucets
Amongst them:
- Resource leaks
- Logically dead code
- Unused values
- Null termination issues

Reported by:	asomers (pointer to Coverity), Coverity
CID:		1394777, 1394791, 1394830, 1394844, 1394872, 1394894,
CID:		1394900, 1394907, 1394950, 1394965
2018-08-14 18:11:06 +00:00
jkim
58e331e535 Merge OpenSSL 1.0.2p. 2018-08-14 17:48:02 +00:00
jtl
5e6a278368 Update the inet(4) and inet6(4) man pages to reflect the changes made
to the reassembly code in r337778, r337780, r337781, r337782, and
r337783.

Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:36:21 +00:00
jtl
bd4f87b859 Lower the default limits on the IPv6 reassembly queue.
Currently, the limits are quite high. On machines with millions of
mbuf clusters, the reassembly queue limits can also run into
the millions. Lower these values.

Also, try to ensure that no bucket will have a reassembly
queue larger than approximately 100 items. This limits the cost to
find the correct reassembly queue when processing an incoming
fragment.

Due to the low limits on each bucket's length, increase the size of
the hash table from 64 to 1024.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:32:07 +00:00
jtl
25dd68b737 Lower the default limits on the IPv4 reassembly queue.
In particular, try to ensure that no bucket will have a reassembly
queue larger than approximately 100 items. This limits the cost to
find the correct reassembly queue when processing an incoming
fragment.

Due to the low limits on each bucket's length, increase the size of
the hash table from 64 to 1024.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:30:46 +00:00
kib
77ff24342c Provide part of the mitigation for L1TF-VMM.
On the guest entry in bhyve, flush L1 data cache, using either L1D
flush command MSR if available, or by reading enough uninteresting
data to fill whole cache.

Flush is automatically enabled on CPUs which do not report RDCL_NO,
and can be disabled with the hw.vmm.l1d_flush tunable/kenv.

Security:	CVE-2018-3646
Reviewed by:	emaste. jhb, Tony Luck <tony.luck@intel.com>
Sponsored by:	The FreeBSD Foundation
2018-08-14 17:29:41 +00:00
jtl
55789af7ee Drop 0-byte IPv6 fragments.
Currently, we process IPv6 fragments with 0 bytes of payload, add them
to the reassembly queue, and do not recognize them as duplicating or
overlapping with adjacent 0-byte fragments. An attacker can exploit this
to create long fragment queues.

There is no legitimate reason for a fragment with no payload. However,
because IPv6 packets with an empty payload are acceptable, allow an
"atomic" fragment with no payload.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:29:22 +00:00
jtl
e5f23fbf44 Implement a limit on on the number of IPv6 reassembly queues per bucket.
There is a hashing algorithm which should distribute IPv6 reassembly
queues across the available buckets in a relatively even way. However,
if there is a flaw in the hashing algorithm which allows a large number
of IPv6 fragment reassembly queues to end up in a single bucket, a per-
bucket limit could help mitigate the performance impact of this flaw.

Implement such a limit, with a default of twice the maximum number of
reassembly queues divided by the number of buckets. Recalculate the
limit any time the maximum number of reassembly queues changes.
However, allow the user to override the value using a sysctl
(net.inet6.ip6.maxfragbucketsize).

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:27:41 +00:00
jtl
a7668fa529 Add a limit of the number of fragments per IPv6 packet.
The IPv4 fragment reassembly code supports a limit on the number of
fragments per packet. The default limit is currently 17 fragments.
Among other things, this limit serves to limit the number of fragments
the code must parse when trying to reassembly a packet.

Add a limit to the IPv6 reassembly code. By default, limit a packet
to 65 fragments (64 on the queue, plus one final fragment to complete
the packet). This allows an average fragment size of 1,008 bytes, which
should be sufficient to hold a fragment. (Recall that the IPv6 minimum
MTU is 1280 bytes. Therefore, this configuration allows a full-size
IPv6 packet to be fragmented on a link with the minimum MTU and still
carry approximately 272 bytes of headers before the fragmented portion
of the packet.)

Users can adjust this limit using the net.inet6.ip6.maxfragsperpacket
sysctl.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:26:07 +00:00
jtl
1f361945df Make the IPv6 fragment limits be global, rather than per-VNET, limits.
The IPv6 reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on a per-VNET basis. Given enough VNETs (or given sufficient customization
on enough VNETs), it is possible that the sum of all the VNET fragment
limits will exceed the number of mbuf clusters available in the system.

Given the fact that the fragment limits are intended (at least in part) to
regulate access to a global resource, the IPv6 fragment limit should
be applied on a global basis.

Note that it is still possible to disable fragmentation for a particular
VNET by setting the net.inet6.ip6.maxfragpackets sysctl to 0 for that
VNET. In addition, it is now possible to disable fragmentation globally
by setting the net.inet6.ip6.maxfrags sysctl to 0.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:24:26 +00:00
jtl
fba8297bee Implement a limit on on the number of IPv4 reassembly queues per bucket.
There is a hashing algorithm which should distribute IPv4 reassembly
queues across the available buckets in a relatively even way. However,
if there is a flaw in the hashing algorithm which allows a large number
of IPv4 fragment reassembly queues to end up in a single bucket, a per-
bucket limit could help mitigate the performance impact of this flaw.

Implement such a limit, with a default of twice the maximum number of
reassembly queues divided by the number of buckets. Recalculate the
limit any time the maximum number of reassembly queues changes.
However, allow the user to override the value using a sysctl
(net.inet.ip.maxfragbucketsize).

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:23:05 +00:00
asomers
8568b90f96 tftp: Close a resource leak when putting files
Reported by:	Coverity
CID:		1394842
MFC after:	2 weeks
2018-08-14 17:20:31 +00:00
jtl
5a5ca2cd22 Add a global limit on the number of IPv4 fragments.
The IP reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on a per-VNET basis. Given enough VNETs (or given sufficient customization
of enough VNETs), it is possible that the sum of all the VNET limits
will exceed the number of mbuf clusters available in the system.

Given the fact that the fragment limit is intended (at least in part) to
regulate access to a global resource, the fragment limit should
be applied on a global basis.

VNET-specific limits can be adjusted by modifying the
net.inet.ip.maxfragpackets and net.inet.ip.maxfragsperpacket
sysctls.

To disable fragment reassembly globally, set net.inet.ip.maxfrags to 0.
To disable fragment reassembly for a particular VNET, set
net.inet.ip.maxfragpackets to 0.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:19:49 +00:00
kib
f7521148ce Add definitions related to the L1D flush operation capability and MSR.
Sponsored by:	The FreeBSD Foundation
2018-08-14 17:19:11 +00:00
jtl
dca433c72f Improve IPv6 reassembly performance by hashing fragments into buckets.
Currently, all IPv6 fragment reassembly queues are kept in a flat
linked list. This has a number of implications. Two significant
implications are: all reassembly operations share a common lock,
and it is possible for the linked list to grow quite large.

Improve IPv6 reassembly performance by hashing fragments into buckets,
each of which has its own lock. Calculate the hash key using a Jenkins
hash with a random seed.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:17:37 +00:00
jtl
6acb9fd7be Improve hashing of IPv4 fragments.
Currently, IPv4 fragments are hashed into buckets based on a 32-bit
key which is calculated by (src_ip ^ ip_id) and combined with a random
seed. However, because an attacker can control the values of src_ip
and ip_id, it is possible to construct an attack which causes very
deep chains to form in a given bucket.

To ensure more uniform distribution (and lower predictability for
an attacker), calculate the hash based on a key which includes all
the fields we use to identify a reassembly queue (dst_ip, src_ip,
ip_id, and the ip protocol) as well as a random seed.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:15:47 +00:00
kib
eda5a2bfba Reserve page at the physical address zero on amd64.
We always zero the invalidated PTE/PDE for superpage, which means that
L1TF CPU vulnerability (CVE-2018-3620) can be only used for reading
from the page at zero.

Note that both i386 and amd64 exclude the page from phys_avail[]
array, so this change is redundant, but I think that phys_avail[] on
UEFI-boot does not need to do that.  Eventually the blacklisting
should be made conditional on CPUs which report that they are not
vulnerable to L1TF.

Reviewed by:	emaste. jhb
Sponsored by:	The FreeBSD Foundation
2018-08-14 17:14:33 +00:00
kib
bf861eb196 amd64: ensure that curproc->p_vmspace pmap always matches PCPU
curpmap.

When performing context switch on a machine without PCID, if current
%cr3 equals to the new pmap %cr3, which is typical for kernel_pmap
vs. kernel process, I overlooked to update PCPU curpmap value.  Remove
check for %cr3 not equal to pm_cr3 for doing the update.  It is
believed that this case cannot happen at all, due to other changes in
this revision.

Also, do not set the very first curpmap to kernel_pmap, it should be
vmspace0 pmap instead to match curproc.

Move the common code to activate the initial pmap both on BSP and APs
into pmap_activate_boot() helper.

Reported by: eadler, ambrisko
Discussed with: kevans
Reviewed by:	alc, markj (previous version)
Tested by: ambrisko (previous version)
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D16618
2018-08-14 16:37:14 +00:00
loos
21f5deb5e6 Add support to the Marvell Xenon SDHCI controller.
Tested on Espresso.bin (37x0) and Macchiato.bin (8k) with SD cards and
eMMCs.

Obtained from:	pfSense
Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-08-14 16:33:30 +00:00
br
5676b73b44 Query MVPConf0.PVPE for number of CPUs.
Rather than hard-coding the number of CPUs to 2, look up the PVPE field
in MVPConf0, as the valid VPE numbers are from 0 to PVPE inclusive.

Submitted by:	"James Clarke" <jrtc4@cam.ac.uk>
Reviewed by:	br
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D16644
2018-08-14 16:29:10 +00:00
kib
992d01aa68 Fix typo.
Noted by:	alc
MFC after:	3 days
2018-08-14 16:27:17 +00:00
br
606f6bd92e Avoid repeated address calculation for malta_ap_boot.
Submitted by:	"James Clarke" <jrtc4@cam.ac.uk>
Reviewed by:	br, arichardson
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D16655
2018-08-14 16:26:44 +00:00
br
3cf10d0d09 Remove unused code.
Sponsored by:	DARPA, AFRL
2018-08-14 16:22:14 +00:00
jkim
aae9fa3e7b Import OpenSSL 1.0.2p. 2018-08-14 16:18:14 +00:00
br
308e1fa4ce Rewrite RISC-V disassembler:
- Use macroses from encoding.h generated by riscv-opcodes.
- Add support for C-compressed ISA extension.

Sponsored by:	DARPA, AFRL
2018-08-14 16:03:03 +00:00
andrew
09c72a94ea Remove cpu_pfr from arm. It's unused. 2018-08-14 16:01:25 +00:00
andrew
60b658b495 Remove an old comment now the code it references has been removed. 2018-08-14 15:48:13 +00:00
andrew
654a4d329f Fix the spelling of armv4_idcache_inv_all in an END macro. 2018-08-14 15:42:27 +00:00
loos
bda515985d Use the correct PTE when changing the attribute of multiple pages.
Submitted by:	andrew (long time ago)
Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-08-14 15:27:50 +00:00
markj
b1388464db Explain why we aren't using memcpy().
Reported by:	jmg
X-MFC with:	r337715
Sponsored by:	The FreeBSD Foundation
2018-08-14 14:50:06 +00:00
markj
35e8b53f7d Don't use memcpy() in the early microcode loading code.
At some point memcpy() may be an ifunc, ifunc resolution cannot be done
until CPU identification has been performed, and CPU identification must
be done after loading any microcode updates.

X-MFC with:	r337715
Sponsored by:	The FreeBSD Foundation
2018-08-14 14:02:53 +00:00
loos
a7d70398d2 Fix a typo on the PSCI smc call wrapper.
Looks good from:	andrew
Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-08-14 13:56:49 +00:00
markj
85a7f32424 Fix the !SMP x86 build.
Reported by:	Michael Butler <imb@protected-networks.net>
X-MFC with:	r337715
Sponsored by:	The FreeBSD Foundation
2018-08-14 13:56:42 +00:00
imp
3b98d5fdda Add good description of init and lock devices from sio to uart. 2018-08-14 13:52:10 +00:00
trasz
275a387bfc Add the "autoro" flag to /media. This makes it attempt to mount
it read-only instead of just failing if the media is write-protected.

The /net doesn't seem to require the flag.

MFC after:	2 weeks
Relnotes:	yes
Sponsored by:	DARPA, AFRL
2018-08-14 13:52:08 +00:00
mm
d7f6156007 MFV r337744:
Sync libarchive with vendor..

Vendor changes:
  PR #1042: validate iso9660 directory record length

MFC after:	3 days
Security:	CVE-2017-14501
2018-08-14 11:42:32 +00:00