kernel fault after 7.1

[kasak]

hello everybody. after upgrading to 7.1 my router started to panic very 
often :(( about twice a day.


This is the information from the screen:

kernel: protection fault trap, code=0

Stopped at    ipsp_ids_gc+0xb4    cmpl $0,0x64(%r14)

ddb{0}> show panic

the kernel did not panic
ddb{0}> trace

ipsp_ids_gc(0) at ipsp_ids_gc+0xb4

softclock_thread(800022baf260) at softclock_thread+0x13b

and trace frame: 0x0, count: -2

ddb{0}> machine ddbcpu 1

Stopped at    x86_ipi_db+0x12:    leave

ddb{1}> trace

x86_ipi_db(800022909ff0) at x86_ipi_db+0x12

x86_ipi_handler() at x86_ipi_handler+0x80

Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23

acpicpu_idle() at acpicpu_idle+0x203

sched_idle(800022909ff0) at sched_idle+0x280

end trace frame: 0x0, count -5

Re: Sprurios errors from syspatch -c

[Theo de Raadt]

Richard Narron  wrote:

> On Fri, 22 Apr 2022, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> 
> > After the 7.1 update syspatch -c started throwing errors due to a
> > missing signatures file:
> >
> >   Patch check:
> >   syspatch: Error retrieving 
> > http://ftp.openbsd.org/pub/OpenBSD/syspatch/7.1/amd64/SHA256.sig: 404 Not 
> > Found
> >
> > The error is valid.  To suppress this message it would make sense to drop
> > an empty place holder SHA256.sig file whenever a new release comes out.
> >
> 
> The error is caused by the wrong directory name.
> 
> The syspatch/7.1 directory was renamed to syspatch/7.1-no
> 
> Rumor has it that the source patch is good but the syspatch is bad, so
> someone renamed the syspatch 7.1 directory to prevent its use.
> 
> Has anyone heard anything "official" about this?


The syspatch was accidentally built from the wrong branch, so upon
relinking, it results in a kernel which says it is "7.1-stable".

To prevent application of syspatches to the wrong type of system,
syspatch(8) inspects 'sysctl kern.version'.  It checks you have a normal
release system (ie. 7.0 or 7.1).  Since this patch renamed the system to
"7.1-stable", syspatch(8) will refuse to install future patches.  And of
course the way this check is coded, it won't let you backout the patch
which took the system to 7.1-stable..

Simple instructions for getting over this trouble will be coming along
before there is a new syspatch 001_wifi is made available.  I estimate a
week.

People who already installed the 001_wifi syspatch aren't harmed by the
fix otherwise, but I have stopped distribution of the file to reduce the
number of people in this crossed-over state.

(Other than this issue, the syspatch itself was good, it fixes wifi
association problems on a number of devices, so people who already
have it shouldn't take special measures to get rid of it yet, wait for
our advice in a week or so).

And of course, the syspatch testing procedures will get another step or
two to make sure this doesn't happen again

So just wait.

Re: Sprurios errors from syspatch -c

[Richard Narron]

On Fri, 22 Apr 2022, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:

> After the 7.1 update syspatch -c started throwing errors due to a
> missing signatures file:
>
>   Patch check:
>   syspatch: Error retrieving 
> http://ftp.openbsd.org/pub/OpenBSD/syspatch/7.1/amd64/SHA256.sig: 404 Not 
> Found
>
> The error is valid.  To suppress this message it would make sense to drop
> an empty place holder SHA256.sig file whenever a new release comes out.
>

The error is caused by the wrong directory name.

The syspatch/7.1 directory was renamed to syspatch/7.1-no

Rumor has it that the source patch is good but the syspatch is bad, so
someone renamed the syspatch 7.1 directory to prevent its use.

Has anyone heard anything "official" about this?

Richard Narron

Re: rc.daily missing diff markers

[Lyndon Nerenberg (VE7TFX/VE6BBM)]

Ingo Schwarze writes:

> That's not new, it has been like that for at least 14 years and likely
> much longer:

Heh :-)  Filing a bug report about my horrible memory seems wrong.

> I don't think adding the more characters to each line would be a good idea.
> It would cause line wrapping in mail even more often than the long lines
> already do now.  Besides, there is no real ambiguity because the file
> name in the last column makes the pairing obvious and the dates right
> in front of that show the direction of the change.

Sure.  It just caught my attention today because this is probably
the first time I've seen such a large batch of changes in one email
like that.  Which has no doubt happened endless times in the past,
but I never noticed it until today for some reason.

Mostly this jars my OCD by having some of it in diff format, and
some not.  I'll get over it.

--lyndon

Small go clone of httpd

[Aaron Riekenberg]

If anyone is interested have a small go clone of the httpd web server
here: https://github.com/aaronriekenberg/go-httpd

Not nearly as complete as the real httpd but has enough features to
roughly handle a config similar to /etc/examples/httpd.conf

Sample config file:
https://github.com/aaronriekenberg/go-httpd/blob/main/configfiles/gohttpd.json

Some things that work:
* Supports HTTP 1.1 and HTTP 2.0 via builtin go http server
* Uses JSON for simple config file parsing
* Uses chroot and setgid/setuid to drop privileges at startup after
creating server sockets and reading tls files.
* Configurable list of locations for each server that are matched in
order for each request
* For now only matching locations by URL path prefix but could easily
use go regexp package
* Configurable Cache-Control headers for file server locations
* Fastcgi support using github.com/yookoala/gofast library
* Request logging with file rotation
* Small amount of code using builtin go http server and handlers

Re: rc.daily missing diff markers

[Ingo Schwarze]

Hi Lyndon,

Lyndon Nerenberg wrote on Fri, Apr 22, 2022 at 09:33:57AM -0700:

> In the output from the daily insecurity report run, the sections on
> setuid and block device changes are missing any diff markup.  The
> remaining sections are fine.
> 
> From this morning's post-7.1-upgrade run:
> 
> Setuid changes:
> -r-sr-xr-x 2 root  bin  355952 Sep 30 13:01:03 2021 /sbin/ping
> -r-sr-xr-x 2 root  bin  358736 Apr 11 16:46:17 2022 /sbin/ping
> -r-sr-xr-x 2 root  bin  355952 Sep 30 13:01:03 2021 /sbin/ping6
> -r-sr-xr-x 2 root  bin  358736 Apr 11 16:46:17 2022 /sbin/ping6
> -r-sr-x--- 1 root  operator 274936 Sep 30 13:01:04 2021 /sbin/shutdown
> -r-sr-x--- 1 root  operator 277592 Apr 11 16:46:17 2022 /sbin/shutdown
> [...]
> 
> 
> Block device changes:
> brw-r- 1 root operator 6,  0   Mar 4  14:48:06 2022 /dev/cd0a
> brw-r- 1 root operator 6,  0   Apr 21 12:19:45 2022 /dev/cd0a
> brw-r- 1 root operator 6,  2   Mar 4  14:48:06 2022 /dev/cd0c
> brw-r- 1 root operator 6,  2   Apr 21 12:19:45 2022 /dev/cd0c
> brw-r- 1 root operator 6,  16  Mar 4  14:48:01 2022 /dev/cd1a
> brw-r- 1 root operator 6,  16  Apr 21 12:19:40 2022 /dev/cd1a
> [...]

That's not new, it has been like that for at least 14 years and likely
much longer:

From: Charlie Root 
Date: Sun, 27 Apr 2008 01:31:15 +0200
To: r...@usta.de
Subject: hera.usta.de daily insecurity output
[...]
Setuid changes:
-r-sr-xr-x  1  root  bin   157408   Feb  11  00:00:58  2008  /sbin/ping
-r-sr-xr-x  1  root  bin   157440   Apr  21  02:58:12  2008  /sbin/ping
-r-sr-xr-x  1  root  bin   180896   Apr  21  02:58:12  2008  /sbin/ping6
-r-sr-xr-x  1  root  bin   181024   Feb  11  00:00:58  2008  /sbin/ping6
[...]
Block device changes:
brw-r-  1  root  operator  16,  0 Apr  26  21:21:20  2008  /dev/ccd0a
brw-r-  1  root  operator  16,  0 Feb  16  18:24:18  2008  /dev/ccd0a
brw-r-  1  root  operator  16,  1 Apr  26  21:21:20  2008  /dev/ccd0b
brw-r-  1  root  operator  16,  1 Feb  16  18:24:18  2008  /dev/ccd0b
[...]

Which means my 2011 rewrite of the utility (together with afresh1@)
merely preserved the traditional format.

These lines do not come from diff(1); see the functions check_filelist()
and adjust_columns() for details.

I don't think adding the more characters to each line would be a good idea.
It would cause line wrapping in mail even more often than the long lines
already do now.  Besides, there is no real ambiguity because the file
name in the last column makes the pairing obvious and the dates right
in front of that show the direction of the change.

Yours,
  Ingo

Should FUSE mounts be considered local?

[Allan Streib]

I had an SMB network share mounted on a directory under my $HOME (via
FUSE using usmb package), and overnight security(8) tried to check it for
setuid/setgid files. That did not go well. I see that I could have set
the SUIDSKIP environment variable but I didn't think about that in advance
and even if I had, I probably would have assumed that such a mount was not
considered local.

$ mount
[...]
fusefs on /home/astreib/sav type fuse (local)

Is this a problem with the usmb package, that it did not indicate that
this was a network mount, or is that distinction just not possible with
FUSE mounts? I.e. wondering if this is potentially fixable or if I need
to remember to exclude any FUSE mounts via SUIDSKIP?

Running OpenBSD 7.1 amd64 release.

Allan

Re: 7.1 & nsd - failed writing to tcp: Permission denied

[Lyndon Nerenberg (VE7TFX/VE6BBM)]

Laura, for a first step I would look at pflog(4).  As Peter hinted,
if you have an obscure pf rule blocking things after the connection
sets up, this will point it out.  (Make sure you have all the
appropriate pflog bits enabled, of course.)

If that doesn't work your next step is to fire up tcpdump and see
what's actually happening on the wire.  Look for a post-connection
RST and work back from that.

--lyndon

Re: 7.1 & nsd - failed writing to tcp: Permission denied

[Peter J. Philipp]

On Fri, Apr 22, 2022 at 04:03:17PM +, Laura Smith wrote:
> Hi,
> Am seeing some odd nsd log entries crop up in /var/log/messages.?? Any cause 
> for concern ? Anyone else seen these ?
> 
> Apr 22 15:08:46 nsd[99760]: failed writing to tcp: Permission denied
> 
> No problems with IPv4 or IPv6 connectivity on this host, I can access the 
> internet fine both directly on this host and through it (it doubles up as a 
> firewall).
> 
> Laura

Hi Laura,

I took a look at the code and it is a writev() or a write() they do on 
tcp writes.  Then I checked the manpage for send because write() on a TCP socket
is the same as send() afaik.  The manpage says this about your error:

 [EACCES]   The connection was blocked by pf(4), or SO_BROADCAST
is not set on the socket and a broadcast address was
given as the destination.

TCP doesn't do any broadcasting so it was blocked by p(4).

So that's weird becuase the 3-way handshake must have completed for nsd to
reply a query.  Meaning there was SYN's and ACK's being exchanged but perhaps
a PUSH+ACK may not succeed through the pf rules?

Don't post your firewall rules to the list, but study them :-) and correct 
them.

Best Regards,
-peter

rc.daily missing diff markers

[Lyndon Nerenberg (VE7TFX/VE6BBM)]

In the output from the daily insecurity report run, the sections on
setuid and block device changes are missing any diff markup.  The
remaining sections are fine.

>From this morning's post-7.1-upgrade run:

Setuid changes:
-r-sr-xr-x 2 root  bin  355952 Sep 30 13:01:03 2021 /sbin/ping
-r-sr-xr-x 2 root  bin  358736 Apr 11 16:46:17 2022 /sbin/ping
-r-sr-xr-x 2 root  bin  355952 Sep 30 13:01:03 2021 /sbin/ping6
-r-sr-xr-x 2 root  bin  358736 Apr 11 16:46:17 2022 /sbin/ping6
-r-sr-x--- 1 root  operator 274936 Sep 30 13:01:04 2021 /sbin/shutdown
-r-sr-x--- 1 root  operator 277592 Apr 11 16:46:17 2022 /sbin/shutdown
[...]


Block device changes:
brw-r- 1 root operator 6,  0   Mar 4  14:48:06 2022 /dev/cd0a
brw-r- 1 root operator 6,  0   Apr 21 12:19:45 2022 /dev/cd0a
brw-r- 1 root operator 6,  2   Mar 4  14:48:06 2022 /dev/cd0c
brw-r- 1 root operator 6,  2   Apr 21 12:19:45 2022 /dev/cd0c
brw-r- 1 root operator 6,  16  Mar 4  14:48:01 2022 /dev/cd1a
brw-r- 1 root operator 6,  16  Apr 21 12:19:40 2022 /dev/cd1a
[...]

Sprurios errors from syspatch -c

[Lyndon Nerenberg (VE7TFX/VE6BBM)]

After the 7.1 update syspatch -c started throwing errors due to a
missing signatures file:

  Patch check:
  syspatch: Error retrieving 
http://ftp.openbsd.org/pub/OpenBSD/syspatch/7.1/amd64/SHA256.sig: 404 Not Found

The error is valid.  To suppress this message it would make sense to drop
an empty place holder SHA256.sig file whenever a new release comes out.

--lyndon

Re: No valid root disk found when upgrading

[Stuart Henderson]

On 2022-04-21, Stuart Henderson  wrote:
>> upgrade# cd /dev; sh MAKEDEV sd0
>> upgrade# mount -t ffs -r /dev/sd0a /mnt
>> upgrade# ls /mnt
>> .cshrc  bsd dev sbin
>> .profilebsd.booted  etc sys
>> altroot bsd.rd  hometmp
>> auto_upgrade.conf   bsd.sp  mailwrapper.coreusr
>> bin bsd.upgrade rootvar
>> upgrade# df -h
>> Filesystem SizeUsed   Avail Capacity  Mounted on
>> /dev/rd0a  3.5M3.0M451K87%/
>> /dev/sd0a  3.9G677M3.0G18%/mnt
>>
>>> it's worth seeing what "sysctl hw.disknames" says too
>> upgrade# sysctl hw.disknames
>> hw.disknames=sd0:dc999ef6267325df,rd0:a8c7c8e3bbaa0da7
>
> That looks sane too..

Oh I didn't look close enough. You are missing /mnt. mkdir it and
that shoukd fix the problem.