CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Mon Jul 2 14:37:59 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1551 To generate a diff of this commit: cvs rdiff -u -r1.1.2.342 -r1.1.2.343 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.342 src/doc/CHANGES-6.2:1.1.2.343 --- src/doc/CHANGES-6.2:1.1.2.342 Sat Jun 30 11:42:34 2018 +++ src/doc/CHANGES-6.2 Mon Jul 2 14:37:59 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.342 2018/06/30 11:42:34 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.343 2018/07/02 14:37:59 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21286,3 +21286,9 @@ xsrc/xfree/xc/programs/mkfontscale/ident Pass gzFile, not gzFile * to gzio functions. [mrg, ticket #1550] +gnu/dist/gcc4/gcc/toplev.h (apply patch) + + Avoid redefining functions. + [mrg, ticket #1551] + +
CVS commit: [netbsd-6] src/gnu/dist/gcc4/gcc
Module Name:src Committed By: martin Date: Mon Jul 2 14:36:42 UTC 2018 Modified Files: src/gnu/dist/gcc4/gcc [netbsd-6]: toplev.h Log Message: Apply patch, requested by mrg in ticket #1551: Avoid redefining functions. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.1.1.1.44.1 src/gnu/dist/gcc4/gcc/toplev.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/gnu/dist/gcc4/gcc/toplev.h diff -u src/gnu/dist/gcc4/gcc/toplev.h:1.1.1.1 src/gnu/dist/gcc4/gcc/toplev.h:1.1.1.1.44.1 --- src/gnu/dist/gcc4/gcc/toplev.h:1.1.1.1 Thu Apr 20 10:19:17 2006 +++ src/gnu/dist/gcc4/gcc/toplev.h Mon Jul 2 14:36:42 2018 @@ -158,6 +158,7 @@ extern int exact_log2 ( /* Return floor of log2, with -1 for zero. */ extern int floor_log2 (unsigned HOST_WIDE_INT); +#if 0 /* these are not valid, and break in GCC 5. */ /* Inline versions of the above for speed. */ #if GCC_VERSION >= 3004 # if HOST_BITS_PER_WIDE_INT == HOST_BITS_PER_LONG @@ -183,6 +184,7 @@ exact_log2 (unsigned HOST_WIDE_INT x) return x == (x & -x) && x ? (int) CTZ_HWI (x) : -1; } #endif /* GCC_VERSION >= 3004 */ +#endif /* Functions used to get and set GCC's notion of in what directory compilation was started. */
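Review bot: The new `#endif` that closes `#if 0` in toplev.h carries no label, while the `#endif /* GCC_VERSION >= 3004 */` directly above it does; with two conditionals ending back to back, write `#endif /* 0 */` so the pairing is obvious. The `#if 0` comment says the inline versions "are not valid" without saying why; one line naming the clash with the `extern int exact_log2` / `floor_log2` declarations just above would keep a later reader from re-enabling the block.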
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Sat Jun 30 11:42:34 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1550 To generate a diff of this commit: cvs rdiff -u -r1.1.2.341 -r1.1.2.342 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.341 src/doc/CHANGES-6.2:1.1.2.342 --- src/doc/CHANGES-6.2:1.1.2.341 Thu Jun 7 18:03:14 2018 +++ src/doc/CHANGES-6.2 Sat Jun 30 11:42:34 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.341 2018/06/07 18:03:14 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.342 2018/06/30 11:42:34 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21281,3 +21281,8 @@ sys/arch/sparc64/conf/NONPLUS(patch) [maxv, ticket #1500] +xsrc/xfree/xc/programs/mkfontscale/ident.c (apply patch) + + Pass gzFile, not gzFile * to gzio functions. + [mrg, ticket #1550] +
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu Jun 7 18:03:14 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Amend ticket #1500 To generate a diff of this commit: cvs rdiff -u -r1.1.2.340 -r1.1.2.341 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.340 src/doc/CHANGES-6.2:1.1.2.341 --- src/doc/CHANGES-6.2:1.1.2.340 Tue May 22 14:40:58 2018 +++ src/doc/CHANGES-6.2 Thu Jun 7 18:03:14 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.340 2018/05/22 14:40:58 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.341 2018/06/07 18:03:14 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21272,6 +21272,8 @@ sys/arch/sparc/conf/MRCOFFEE(patch) sys/arch/sparc/conf/TADPOLE3GX(patch) sys/arch/sparc64/conf/GENERIC(patch) sys/arch/sparc64/conf/NONPLUS64(patch) +sys/arch/sparc64/conf/GENERIC32(patch) +sys/arch/sparc64/conf/NONPLUS(patch) Disable compat_svr4 and compat_svr4_32 everywhere. Disable compat_ibcs2 everywhere but on Vax.
CVS commit: [netbsd-6] src/sys/arch/sparc64/conf
Module Name:src Committed By: martin Date: Thu Jun 7 18:01:51 UTC 2018 Modified Files: src/sys/arch/sparc64/conf [netbsd-6]: GENERIC32 NONPLUS Log Message: Fix fallout from ticket #1500: COMPAT_SVR4* has been disabled, do not disable it here again. To generate a diff of this commit: cvs rdiff -u -r1.140 -r1.140.102.1 src/sys/arch/sparc64/conf/GENERIC32 cvs rdiff -u -r1.58 -r1.58.102.1 src/sys/arch/sparc64/conf/NONPLUS Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/conf/GENERIC32 diff -u src/sys/arch/sparc64/conf/GENERIC32:1.140 src/sys/arch/sparc64/conf/GENERIC32:1.140.102.1 --- src/sys/arch/sparc64/conf/GENERIC32:1.140 Fri Jun 30 10:27:48 2006 +++ src/sys/arch/sparc64/conf/GENERIC32 Thu Jun 7 18:01:51 2018 @@ -1,13 +1,13 @@ -# $NetBSD: GENERIC32,v 1.140 2006/06/30 10:27:48 tsutsui Exp $ +# $NetBSD: GENERIC32,v 1.140.102.1 2018/06/07 18:01:51 martin Exp $ # # GENERIC machine description file for 32-bit kernel # include "arch/sparc64/conf/GENERIC" -#ident "GENERIC32-$Revision: 1.140 $" +#ident "GENERIC32-$Revision: 1.140.102.1 $" include "arch/sparc64/conf/std.sparc64-32" no options COMPAT_NETBSD32 -no options COMPAT_SVR4_32 +#no options COMPAT_SVR4_32 Index: src/sys/arch/sparc64/conf/NONPLUS diff -u src/sys/arch/sparc64/conf/NONPLUS:1.58 src/sys/arch/sparc64/conf/NONPLUS:1.58.102.1 --- src/sys/arch/sparc64/conf/NONPLUS:1.58 Fri Jun 30 10:27:48 2006 +++ src/sys/arch/sparc64/conf/NONPLUS Thu Jun 7 18:01:51 2018 
@@ -1,9 +1,9 @@ -# $NetBSD: NONPLUS,v 1.58 2006/06/30 10:27:48 tsutsui Exp $ +# $NetBSD: NONPLUS,v 1.58.102.1 2018/06/07 18:01:51 martin Exp $ include "arch/sparc64/conf/NONPLUS64" include "arch/sparc64/conf/std.sparc64-32" -#ident "NONPLUS-$Revision: 1.58 $" +#ident "NONPLUS-$Revision: 1.58.102.1 $" no options COMPAT_NETBSD32 # NetBSD/sparc binary compatibility -no options COMPAT_SVR4_32 # 32-bit SVR4 binaries +#no options COMPAT_SVR4_32 # 32-bit SVR4 binaries
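Review bot: In both GENERIC32 and NONPLUS the `no options COMPAT_SVR4_32` line is turned into `#no options COMPAT_SVR4_32` instead of being removed, and nothing in either file says why. Delete the line, or add a short comment that the option is already off in the included config since ticket #1500, so that nobody uncomments it and brings back the fallout this commit fixes.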
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Tue May 22 14:40:58 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1500 To generate a diff of this commit: cvs rdiff -u -r1.1.2.339 -r1.1.2.340 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.339 src/doc/CHANGES-6.2:1.1.2.340 --- src/doc/CHANGES-6.2:1.1.2.339 Thu May 17 13:46:08 2018 +++ src/doc/CHANGES-6.2 Tue May 22 14:40:58 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.339 2018/05/17 13:46:08 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.340 2018/05/22 14:40:58 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21257,3 +21257,25 @@ sys/net/npf/npf_inet.c1.45 (patch) Fix use-after-free. [maxv, ticket #1549] +sys/kern/kern_exec.c (patch) +sys/arch/amiga/conf/DRACO(patch) +sys/arch/amiga/conf/GENERIC(patch) +sys/arch/amiga/conf/GENERIC.in(patch) +sys/arch/hp300/conf/GENERIC(patch) +sys/arch/i386/conf/GENERIC(patch) +sys/arch/i386/conf/XEN3_DOM0(patch) +sys/arch/i386/conf/XEN3_DOMU(patch) +sys/arch/sparc/conf/BILL-THE-CAT (patch) +sys/arch/sparc/conf/GENERIC(patch) +sys/arch/sparc/conf/KRUPS(patch) +sys/arch/sparc/conf/MRCOFFEE(patch) +sys/arch/sparc/conf/TADPOLE3GX(patch) +sys/arch/sparc64/conf/GENERIC(patch) +sys/arch/sparc64/conf/NONPLUS64(patch) + + Disable compat_svr4 and compat_svr4_32 everywhere. + Disable compat_ibcs2 everywhere but on Vax. + Disable autoload of modules for svr4/svr4_32/ibcs2/freebsd. + [maxv, ticket #1500] + +
CVS commit: [netbsd-6] src/sys
Module Name:src Committed By: martin Date: Tue May 22 14:38:20 UTC 2018 Modified Files: src/sys/arch/amiga/conf [netbsd-6]: DRACO GENERIC GENERIC.in src/sys/arch/hp300/conf [netbsd-6]: GENERIC src/sys/arch/i386/conf [netbsd-6]: GENERIC XEN3_DOM0 XEN3_DOMU src/sys/arch/sparc/conf [netbsd-6]: BILL-THE-CAT GENERIC KRUPS MRCOFFEE TADPOLE3GX src/sys/arch/sparc64/conf [netbsd-6]: GENERIC NONPLUS64 src/sys/kern [netbsd-6]: kern_exec.c Log Message: Apply patch requested by maxv in ticket #1500: * disable compat_svr4 and compat_svr4_32 everywhere * disable compat_ibcs2 everywhere but on Vax * remove the svr4/svr4_32/ibcs2/freebsd entries from the autoload list To generate a diff of this commit: cvs rdiff -u -r1.154 -r1.154.2.1 src/sys/arch/amiga/conf/DRACO cvs rdiff -u -r1.284 -r1.284.2.1 src/sys/arch/amiga/conf/GENERIC cvs rdiff -u -r1.96 -r1.96.2.1 src/sys/arch/amiga/conf/GENERIC.in cvs rdiff -u -r1.169.2.1 -r1.169.2.2 src/sys/arch/hp300/conf/GENERIC cvs rdiff -u -r1.1066.2.8 -r1.1066.2.9 src/sys/arch/i386/conf/GENERIC cvs rdiff -u -r1.60.2.7 -r1.60.2.8 src/sys/arch/i386/conf/XEN3_DOM0 cvs rdiff -u -r1.41.2.2 -r1.41.2.3 src/sys/arch/i386/conf/XEN3_DOMU cvs rdiff -u -r1.51 -r1.51.4.1 src/sys/arch/sparc/conf/BILL-THE-CAT cvs rdiff -u -r1.230 -r1.230.2.1 src/sys/arch/sparc/conf/GENERIC cvs rdiff -u -r1.56.4.1 -r1.56.4.2 src/sys/arch/sparc/conf/KRUPS cvs rdiff -u -r1.34 -r1.34.4.1 src/sys/arch/sparc/conf/MRCOFFEE cvs rdiff -u -r1.54.4.1 -r1.54.4.2 src/sys/arch/sparc/conf/TADPOLE3GX cvs rdiff -u -r1.148.2.2 -r1.148.2.3 src/sys/arch/sparc64/conf/GENERIC cvs rdiff -u -r1.34 -r1.34.4.1 src/sys/arch/sparc64/conf/NONPLUS64 cvs rdiff -u -r1.339.2.10 -r1.339.2.11 src/sys/kern/kern_exec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/sys/arch/amiga/conf/DRACO diff -u src/sys/arch/amiga/conf/DRACO:1.154 src/sys/arch/amiga/conf/DRACO:1.154.2.1 --- src/sys/arch/amiga/conf/DRACO:1.154 Tue Jan 24 00:19:39 2012 +++ src/sys/arch/amiga/conf/DRACO Tue May 22 14:38:20 2018 @@ -1,4 +1,4 @@ -# $NetBSD: DRACO,v 1.154 2012/01/24 00:19:39 rkujawa Exp $ +# $NetBSD: DRACO,v 1.154.2.1 2018/05/22 14:38:20 martin Exp $ # # This file was automatically created. # Changes will be lost when make is run in this directory. @@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "GENERIC-$Revision: 1.154 $" +#ident "GENERIC-$Revision: 1.154.2.1 $" maxusers 8 @@ -143,7 +143,7 @@ options COMPAT_30 # NetBSD 3.0 compatib options COMPAT_40 # NetBSD 4.0 compatibility. options COMPAT_50 # NetBSD 5.0 compatibility. options COMPAT_SUNOS # Support to run Sun (m68k) executables -options COMPAT_SVR4 # Support to run SVR4 (m68k) executables +#options COMPAT_SVR4 # Support to run SVR4 (m68k) executables options COMPAT_NOMID # allow nonvalid machine id executables #options COMPAT_LINUX # Support to run Linux/m68k executables Index: src/sys/arch/amiga/conf/GENERIC diff -u src/sys/arch/amiga/conf/GENERIC:1.284 src/sys/arch/amiga/conf/GENERIC:1.284.2.1 --- src/sys/arch/amiga/conf/GENERIC:1.284 Tue Jan 24 00:19:39 2012 +++ src/sys/arch/amiga/conf/GENERIC Tue May 22 14:38:20 2018 @@ -1,4 +1,4 @@ -# $NetBSD: GENERIC,v 1.284 2012/01/24 00:19:39 rkujawa Exp $ +# $NetBSD: GENERIC,v 1.284.2.1 2018/05/22 14:38:20 martin Exp $ # # This file was automatically created. # Changes will be lost when make is run in this directory. @@ -29,7 +29,7 @@ include "arch/amiga/conf/std.amiga" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "GENERIC-$Revision: 1.284 $" +#ident "GENERIC-$Revision: 1.284.2.1 $" maxusers 8 
@@ -155,7 +155,7 @@ options COMPAT_30 # NetBSD 3.0 compatib options COMPAT_40 # NetBSD 4.0 compatibility. options COMPAT_50 # NetBSD 5.0 compatibility. options COMPAT_SUNOS # Support to run Sun (m68k) executables -options COMPAT_SVR4 # Support to run SVR4 (m68k) executables +#options COMPAT_SVR4 # Support to run SVR4 (m68k) executables options COMPAT_NOMID # allow nonvalid machine id executables #options COMPAT_LINUX # Support to run Linux/m68k executables Index: src/sys/arch/amiga/conf/GENERIC.in diff -u src/sys/arch/amiga/conf/GENERIC.in:1.96 src/sys/arch/amiga/conf/GENERIC.in:1.96.2.1 --- src/sys/arch/amiga/conf/GENERIC.in:1.96 Tue Jan 24 00:19:39 2012 +++ src/sys/arch/amiga/conf/GENERIC.in Tue May 22 14:38:20 2018 @@ -1,4 +1,4 @@ -# $NetBSD: GENERIC.in,v 1.96 2012/01/24 00:19:39 rkujawa Exp $ +# $NetBSD: GENERIC.in,v 1.96.2.1 2018/05/22 14:38:20 martin Exp $ # ## # GENERIC machine description file @@ -52,7 +52,7 @@ include "arch/amiga/conf/std.amiga" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "GENERIC-$Revision: 1.96 $" +#ident "GENERIC-$Revision: 1.96.2.1 $" m4_ifdef(`INSTALL_CONFIGURATION',
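Review bot: DRACO and GENERIC both state "This file was automatically created. Changes will be lost when make is run in this directory", yet their `options COMPAT_SVR4` lines are commented out by hand here. The part of the GENERIC.in diff shown contains only the `$NetBSD$` and `#ident` changes, so confirm that the template carries the same `#options COMPAT_SVR4` change; otherwise regenerating the configs turns SVR4 compat back on.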
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu May 17 13:46:08 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1549 To generate a diff of this commit: cvs rdiff -u -r1.1.2.338 -r1.1.2.339 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.338 src/doc/CHANGES-6.2:1.1.2.339 --- src/doc/CHANGES-6.2:1.1.2.338 Mon May 14 16:08:15 2018 +++ src/doc/CHANGES-6.2 Thu May 17 13:46:08 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.338 2018/05/14 16:08:15 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.339 2018/05/17 13:46:08 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21251,3 +21251,9 @@ sys/dev/ic/hme.c1.97 Fix mis-placed right parenthesis. [pgoyette, ticket #1548] +sys/net/npf/npf_alg_icmp.c 1.27,1.28 (patch) +sys/net/npf/npf_inet.c1.45 (patch) + + Fix use-after-free. + [maxv, ticket #1549] +
CVS commit: [netbsd-6] src/sys/net/npf
Module Name:src Committed By: martin Date: Thu May 17 13:45:15 UTC 2018 Modified Files: src/sys/net/npf [netbsd-6]: npf_alg_icmp.c npf_inet.c Log Message: Pull up following revision(s) via patch (requested by maxv in ticket #1549): sys/net/npf/npf_inet.c: revision 1.45 sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28 Fix use-after-free. The nbuf can be reallocated as a result of caching 'enpc', so it is necessary to recache 'npc', otherwise it contains pointers to the freed mbuf - pointers which are then used in the ruleset machinery. We recache 'npc' when we are sure we won't use 'enpc' anymore, because 'enpc' can be clobbered as a result of caching 'npc' (in other words, only one of the two can be cached at the same time). Also, we recache 'npc' unconditionally, because there is no way to know whether the nbuf got clobbered relatively to it. We can't use the NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the cache. Discussed with rmind@. Change npf_cache_all so that it ensures the potential ICMP Query Id is in the nbuf. In such a way that we don't need to ensure that later. Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither the nbuf nor npc. Adapt their callers accordingly. In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave right away, without recaching npc (not needed since we didn't touch the nbuf). This fixes the handling of Query Id packets (that I broke in my previous commit), and also fixes another possible use-after-free. To generate a diff of this commit: cvs rdiff -u -r1.8.4.7 -r1.8.4.8 src/sys/net/npf/npf_alg_icmp.c cvs rdiff -u -r1.10.4.10 -r1.10.4.11 src/sys/net/npf/npf_inet.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/sys/net/npf/npf_alg_icmp.c diff -u src/sys/net/npf/npf_alg_icmp.c:1.8.4.7 src/sys/net/npf/npf_alg_icmp.c:1.8.4.8 --- src/sys/net/npf/npf_alg_icmp.c:1.8.4.7 Mon Feb 11 21:49:49 2013 +++ src/sys/net/npf/npf_alg_icmp.c Thu May 17 13:45:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $ */ +/* $NetBSD: npf_alg_icmp.c,v 1.8.4.8 2018/05/17 13:45:15 martin Exp $ */ /*- * Copyright (c) 2010 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.8 2018/05/17 13:45:15 martin Exp $"); #include #include @@ -162,12 +162,14 @@ npfa_icmp_match(npf_cache_t *npc, nbuf_t /* * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query * ID or TCP/UDP ports of the original packet, which is embedded. + * + * => Sets hasqid=true if the packet has a Query Id. In this case neither + *the nbuf nor npc is touched. */ static bool -npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf) +npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid) { - u_int offby; /* Per RFC 792. */ switch (type) { @@ -191,12 +193,8 @@ npfa_icmp4_inspect(const int type, npf_c case ICMP_TSTAMPREPLY: case ICMP_IREQ: case ICMP_IREQREPLY: - /* Should contain ICMP query ID - ensure. */ - offby = offsetof(struct icmp, icmp_id); - if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) { - return false; - } - npc->npc_info |= NPC_ICMP_ID; + /* Contains ICMP query ID. */ + *hasqid = true; return true; default: break; @@ -205,9 +203,8 @@ npfa_icmp4_inspect(const int type, npf_c } static bool -npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf) +npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid) { - u_int offby; /* Per RFC 4443. */ switch (type) { 
@@ -226,12 +223,8 @@ npfa_icmp6_inspect(const int type, npf_c case ICMP6_ECHO_REQUEST: case ICMP6_ECHO_REPLY: - /* Should contain ICMP query ID - ensure. */ - offby = offsetof(struct icmp6_hdr, icmp6_id); - if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) { - return false; - } - npc->npc_info |= NPC_ICMP_ID; + /* Contains ICMP query ID. */ + *hasqid = true; return true; default: break; @@ -242,12 +235,12 @@ npfa_icmp6_inspect(const int type, npf_c /* * npfa_icmp_session: ALG ICMP inspector. * - * => Returns true if "enpc" is filled. + * => Returns false if there is a problem with the format. */ static bool npfa_icmp_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_cache_t *enpc) { - bool ret; + bool ret, hasqid = false; KASSERT(npf_iscached(npc, NPC_IP46)); KASSERT(npf_iscached(npc, NPC_ICMP)); @@ -265,10 +258,10 @@ npfa_icmp_inspect(npf_cache_t *npc, nbuf */ if (npf_iscached(npc, NPC_IP4)) { const struct icmp *ic = npc->npc_l4.icmp; - ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf); + ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf, &hasqid); } else if (npf_iscached(npc, NPC_IP6)) {
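Review bot: `npfa_icmp4_inspect` and `npfa_icmp6_inspect` write `*hasqid` only on the Query Id path (`*hasqid = true;`), so the value is meaningful only because the caller happens to declare `bool ret, hasqid = false;`. Set `*hasqid = false` at the top of both functions, or say in the new `=> Sets hasqid=true ...` comment that the caller must initialise it. The comment block above `npfa_icmp_inspect` also still calls the function `npfa_icmp_session`; correct the name while that block is being edited.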
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Mon May 14 16:08:15 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1548 To generate a diff of this commit: cvs rdiff -u -r1.1.2.337 -r1.1.2.338 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.337 src/doc/CHANGES-6.2:1.1.2.338 --- src/doc/CHANGES-6.2:1.1.2.337 Thu May 3 15:05:46 2018 +++ src/doc/CHANGES-6.2 Mon May 14 16:08:15 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.337 2018/05/03 15:05:46 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.338 2018/05/14 16:08:15 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21246,3 +21246,8 @@ sys/kern/uipc_mbuf.c1.211 (patch) the chain. [maxv, ticket #1547] +sys/dev/ic/hme.c1.97 + + Fix mis-placed right parenthesis. + [pgoyette, ticket #1548] +
CVS commit: [netbsd-6] src/sys/dev/ic
Module Name:src Committed By: martin Date: Mon May 14 16:07:06 UTC 2018 Modified Files: src/sys/dev/ic [netbsd-6]: hme.c Log Message: Pull up following revision(s) (requested by pgoyette in ticket #1548): sys/dev/ic/hme.c: revision 1.97 Fix mis-placed right paren. kern/53271 To generate a diff of this commit: cvs rdiff -u -r1.87.2.1 -r1.87.2.2 src/sys/dev/ic/hme.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/hme.c diff -u src/sys/dev/ic/hme.c:1.87.2.1 src/sys/dev/ic/hme.c:1.87.2.2 --- src/sys/dev/ic/hme.c:1.87.2.1 Wed Jul 4 19:43:10 2012 +++ src/sys/dev/ic/hme.c Mon May 14 16:07:06 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: hme.c,v 1.87.2.1 2012/07/04 19:43:10 riz Exp $ */ +/* $NetBSD: hme.c,v 1.87.2.2 2018/05/14 16:07:06 martin Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: hme.c,v 1.87.2.1 2012/07/04 19:43:10 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hme.c,v 1.87.2.2 2018/05/14 16:07:06 martin Exp $"); /* #define HMEDEBUG */ @@ -752,7 +752,7 @@ hme_get(struct hme_softc *sc, int ri, ui pktlen = m0->m_pkthdr.len - ETHER_HDR_LEN; } else if (ntohs(eh->ether_type) == ETHERTYPE_VLAN) { evh = (struct ether_vlan_header *)eh; - if (ntohs(evh->evl_proto != ETHERTYPE_IP)) + if (ntohs(evh->evl_proto) != ETHERTYPE_IP) goto swcsum; ip = (struct ip *)((char *)eh + ETHER_HDR_LEN + ETHER_VLAN_ENCAP_LEN);
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu May 3 15:05:46 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Fix entry for ticket #1547 To generate a diff of this commit: cvs rdiff -u -r1.1.2.336 -r1.1.2.337 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.336 src/doc/CHANGES-6.2:1.1.2.337 --- src/doc/CHANGES-6.2:1.1.2.336 Thu May 3 14:58:46 2018 +++ src/doc/CHANGES-6.2 Thu May 3 15:05:46 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.336 2018/05/03 14:58:46 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.337 2018/05/03 15:05:46 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21240,7 +21240,7 @@ sys/netipsec/ipsec_output.c 1.67,1.75 allow the function to fail (and drop the misformed packet). [maxv, ticket #1546] -sys/kern/uipc_mbuf.c1.211 +sys/kern/uipc_mbuf.c1.211 (patch) Modify m_defrag, so that it never frees the first mbuf of the chain.
CVS commit: [netbsd-6] src/sys/kern
Module Name:src Committed By: martin Date: Thu May 3 15:00:38 UTC 2018 Modified Files: src/sys/kern [netbsd-6]: uipc_mbuf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1547): sys/kern/uipc_mbuf.c: revision 1.211 (via patch) Modify m_defrag, so that it never frees the first mbuf of the chain. While here use the given 'flags' argument, and not M_DONTWAIT. We have a problem with several drivers: they poll an mbuf chain from their queues and call m_defrag on them, but m_defrag could update the mbuf pointer, so the mbuf in the queue is no longer valid. It is not easy to fix each driver, because doing pop+push will reorder the queue, and we don't really want that to happen. This problem was independently spotted by me, Kengo, Masanobu, and other people too it seems (perhaps PR/53218). Now m_defrag leaves the first mbuf in place, and compresses the chain only starting from the second mbuf in the chain. It is important not to compress the first mbuf with hacks, because the storage of this first mbuf may be shared with other mbufs. To generate a diff of this commit: cvs rdiff -u -r1.145.2.1 -r1.145.2.2 src/sys/kern/uipc_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/uipc_mbuf.c diff -u src/sys/kern/uipc_mbuf.c:1.145.2.1 src/sys/kern/uipc_mbuf.c:1.145.2.2 --- src/sys/kern/uipc_mbuf.c:1.145.2.1 Fri Feb 8 19:18:12 2013 +++ src/sys/kern/uipc_mbuf.c Thu May 3 15:00:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $ */ +/* $NetBSD: uipc_mbuf.c,v 1.145.2.2 2018/05/03 15:00:37 martin Exp $ */ /*- * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc. @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.1 2013/02/08 19:18:12 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.145.2.2 2018/05/03 15:00:37 martin Exp $"); #include "opt_mbuftrace.h" #include "opt_nmbclusters.h" 
@@ -1266,30 +1266,35 @@ m_makewritable(struct mbuf **mp, int off } /* - * Copy the mbuf chain to a new mbuf chain that is as short as possible. - * Return the new mbuf chain on success, NULL on failure. On success, - * free the old mbuf chain. + * Compress the mbuf chain. Return the new mbuf chain on success, NULL on + * failure. The first mbuf is preserved, and on success the pointer returned + * is the same as the one passed. */ struct mbuf * m_defrag(struct mbuf *mold, int flags) { struct mbuf *m0, *mn, *n; - size_t sz = mold->m_pkthdr.len; + int sz; #ifdef DIAGNOSTIC if ((mold->m_flags & M_PKTHDR) == 0) panic("m_defrag: not a mbuf chain header"); #endif - MGETHDR(m0, flags, MT_DATA); + if (mold->m_next == NULL) + return mold; + + m0 = m_get(flags, MT_DATA); if (m0 == NULL) return NULL; - M_COPY_PKTHDR(m0, mold); mn = m0; + sz = mold->m_pkthdr.len - mold->m_len; + KASSERT(sz >= 0); + do { - if (sz > MHLEN) { - MCLGET(mn, M_DONTWAIT); + if (sz > MLEN) { + MCLGET(mn, flags); if ((mn->m_flags & M_EXT) == 0) { m_freem(m0); return NULL; @@ -1305,7 +1310,7 @@ m_defrag(struct mbuf *mold, int flags) if (sz > 0) { /* need more mbufs */ - MGET(n, M_NOWAIT, MT_DATA); + n = m_get(flags, MT_DATA); if (n == NULL) { m_freem(m0); return NULL; @@ -1316,9 +1321,10 @@ m_defrag(struct mbuf *mold, int flags) } } while (sz > 0); - m_freem(mold); + m_freem(mold->m_next); + mold->m_next = m0; - return m0; + return mold; } int
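Review bot: In `m_defrag`, `sz = mold->m_pkthdr.len - mold->m_len;` is protected only by `KASSERT(sz >= 0)`, which is compiled in only for DIAGNOSTIC kernels, and `sz` changed from `size_t` to `int` in the same hunk, so on other kernels an inconsistent first mbuf now yields a negative `sz` that flows into the loop. Add an explicit `if (sz < 0) return NULL;` (or equivalent) next to the assertion. The new header comment should also say that on failure the original chain is left untouched and still belongs to the caller, since both `return NULL` paths free only `m0`.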
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu May 3 14:58:46 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Tickets #1546 and #1547 To generate a diff of this commit: cvs rdiff -u -r1.1.2.335 -r1.1.2.336 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.335 src/doc/CHANGES-6.2:1.1.2.336 --- src/doc/CHANGES-6.2:1.1.2.335 Wed Apr 18 07:19:23 2018 +++ src/doc/CHANGES-6.2 Thu May 3 14:58:46 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.335 2018/04/18 07:19:23 msaitoh Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.336 2018/05/03 14:58:46 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21233,3 +21233,16 @@ sys/netipsec/ipsec_mbuf.c 1.23-1.24 Don't assume M_PKTHDR is set only on the first mbuf of the chain. Fix a pretty bad mistake (IPsec DoS). [maxv, ticket #1545] + +sys/netipsec/ipsec_output.c 1.67,1.75 (patch) + + compute_ipsec_pos: strengthen checks to avoid overruns, + allow the function to fail (and drop the misformed packet). + [maxv, ticket #1546] + +sys/kern/uipc_mbuf.c1.211 + + Modify m_defrag, so that it never frees the first mbuf of + the chain. + [maxv, ticket #1547] +
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Thu May 3 14:33:30 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: ipsec_output.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1546): sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch) Strengthen this check, to make sure there is room for an ip6_ext structure. Seems possible to crash m_copydata here (but I didn't test more than that). Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I already fixed half of the problem two months ago in rev1.67, back then I thought it was not triggerable because each packet we emit is guaranteed to have correctly formed IPv6 options; but it is actually triggerable via IPv6 forwarding, we emit a packet we just received, and we don't sanitize its options before invoking IPsec. Since it would be wrong to just stop the iteration and continue the IPsec processing, allow compute_ipsec_pos to fail, and when it does, drop the packet entirely. To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.38.2.1 src/sys/netipsec/ipsec_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.38 src/sys/netipsec/ipsec_output.c:1.38.2.1 --- src/sys/netipsec/ipsec_output.c:1.38 Tue Jan 10 20:01:57 2012 +++ src/sys/netipsec/ipsec_output.c Thu May 3 14:33:30 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.38.2.1 2018/05/03 14:33:30 martin Exp $ */ /*- * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38.2.1 2018/05/03 14:33:30 martin Exp $"); /* * IPsec output processing. 
@@ -632,7 +632,7 @@ bad: #endif #ifdef INET6 -static void +static int compute_ipsec_pos(struct mbuf *m, int *i, int *off) { int nxt; @@ -649,7 +649,11 @@ compute_ipsec_pos(struct mbuf *m, int *i * put AH/ESP/IPcomp header. * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload] */ - do { + while (1) { + if (*i + sizeof(ip6e) > m->m_pkthdr.len) { + return EINVAL; + } + switch (nxt) { case IPPROTO_AH: case IPPROTO_ESP: @@ -658,7 +662,7 @@ compute_ipsec_pos(struct mbuf *m, int *i * we should not skip security header added * beforehand. */ - return; + return 0; case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: @@ -668,7 +672,7 @@ compute_ipsec_pos(struct mbuf *m, int *i * we should stop there. */ if (nxt == IPPROTO_DSTOPTS && dstopt) -return; +return 0; if (nxt == IPPROTO_DSTOPTS) { /* @@ -688,16 +692,14 @@ compute_ipsec_pos(struct mbuf *m, int *i m_copydata(m, *i, sizeof(ip6e), &ip6e); nxt = ip6e.ip6e_nxt; *off = *i + offsetof(struct ip6_ext, ip6e_nxt); - /* - * we will never see nxt == IPPROTO_AH - * so it is safe to omit AH case. - */ *i += (ip6e.ip6e_len + 1) << 3; break; default: - return; + return 0; } - } while (*i < m->m_pkthdr.len); + } + + return 0; } static int @@ -799,7 +801,9 @@ ipsec6_process_packet( i = ip->ip_hl << 2; off = offsetof(struct ip, ip_p); } else { - compute_ipsec_pos(m, &i, &off); + error = compute_ipsec_pos(m, &i, &off); + if (error) + goto bad; } error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off); splx(s);
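Review bot: The new bound check `if (*i + sizeof(ip6e) > m->m_pkthdr.len)` sits at the top of the loop, before `switch (nxt)`, so it also returns EINVAL on paths that never call `m_copydata` (the `IPPROTO_AH`/`IPPROTO_ESP` and `default` cases), for example when fewer than `sizeof(ip6e)` bytes follow the last header. Because `ipsec6_process_packet` now drops the packet on any error, move the check into the extension-header case, directly before `m_copydata(m, *i, sizeof(ip6e), &ip6e)`. The `return 0;` after `while (1)` is unreachable; remove it or mark it as such so it does not suggest the loop can exit normally.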
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: msaitoh Date: Wed Apr 18 07:19:23 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1545 To generate a diff of this commit: cvs rdiff -u -r1.1.2.334 -r1.1.2.335 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.334 src/doc/CHANGES-6.2:1.1.2.335 --- src/doc/CHANGES-6.2:1.1.2.334 Tue Apr 10 17:45:27 2018 +++ src/doc/CHANGES-6.2 Wed Apr 18 07:19:23 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.334 2018/04/10 17:45:27 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.335 2018/04/18 07:19:23 msaitoh Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21228,3 +21228,8 @@ usr.sbin/ypserv/ypserv/ypserv_proc.c 1. procs to avoid returning stale request data to the client. [christos, ticket #1528] +sys/netipsec/ipsec_mbuf.c 1.23-1.24 + + Don't assume M_PKTHDR is set only on the first mbuf of the chain. + Fix a pretty bad mistake (IPsec DoS). + [maxv, ticket #1545]
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: msaitoh Date: Wed Apr 18 06:59:10 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: ipsec_mbuf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1545): sys/netipsec/ipsec_mbuf.c: revision 1.23 sys/netipsec/ipsec_mbuf.c: revision 1.24 Don't assume M_PKTHDR is set only on the first mbuf of the chain. It should, but it looks like there are several places that can put M_PKTHDR on secondary mbufs (PR/53189), so drop this assumption right now to prevent further bugs. The check is replaced by (m1 != m), which is equivalent to the previous code: we want to modify m->m_pkthdr.len only when 'm' was not passed in m_adj(). Fix a pretty bad mistake, that has always been there. m_adj(m1, -(m1->m_len - roff)); if (m1 != m) m->m_pkthdr.len -= (m1->m_len - roff); This is wrong: m_adj will modify m1->m_len, so we're using a wrong value when manually adjusting m->m_pkthdr.len. Because of that, it is possible to exploit the attack I described in uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100% reliably. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.12.10.1 src/sys/netipsec/ipsec_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.12 src/sys/netipsec/ipsec_mbuf.c:1.12.10.1 --- src/sys/netipsec/ipsec_mbuf.c:1.12 Mon May 16 10:05:23 2011 +++ src/sys/netipsec/ipsec_mbuf.c Wed Apr 18 06:59:10 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.12.10.1 2018/04/18 06:59:10 msaitoh Exp $ */ /*- * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting * All rights reserved. 
@@ -28,7 +28,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12 2011/05/16 10:05:23 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.12.10.1 2018/04/18 06:59:10 msaitoh Exp $"); /* * IPsec-specific mbuf routines. @@ -407,10 +407,11 @@ m_striphdr(struct mbuf *m, int skip, int /* The header was at the beginning of the mbuf */ IPSEC_STATINC(IPSEC_STAT_INPUT_FRONT); m_adj(m1, hlen); - if ((m1->m_flags & M_PKTHDR) == 0) + if (m1 != m) m->m_pkthdr.len -= hlen; } else if (roff + hlen >= m1->m_len) { struct mbuf *mo; + int adjlen; /* * Part or all of the header is at the end of this mbuf, @@ -419,11 +420,13 @@ m_striphdr(struct mbuf *m, int skip, int */ IPSEC_STATINC(IPSEC_STAT_INPUT_END); if (roff + hlen > m1->m_len) { + adjlen = roff + hlen - m1->m_len; + /* Adjust the next mbuf by the remainder */ - m_adj(m1->m_next, roff + hlen - m1->m_len); + m_adj(m1->m_next, adjlen); /* The second mbuf is guaranteed not to have a pkthdr... */ - m->m_pkthdr.len -= (roff + hlen - m1->m_len); + m->m_pkthdr.len -= adjlen; } /* Now, let's unlink the mbuf chain for a second...*/ @@ -431,9 +434,10 @@ m_striphdr(struct mbuf *m, int skip, int m1->m_next = NULL; /* ...and trim the end of the first part of the chain...sick */ - m_adj(m1, -(m1->m_len - roff)); - if ((m1->m_flags & M_PKTHDR) == 0) - m->m_pkthdr.len -= (m1->m_len - roff); + adjlen = m1->m_len - roff; + m_adj(m1, -adjlen); + if (m1 != m) + m->m_pkthdr.len -= adjlen; /* Finally, let's relink */ m1->m_next = mo;
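Review bot: in m_striphdr's "header at the end of this mbuf" branch, the retained comment "The second mbuf is guaranteed not to have a pkthdr..." now contradicts the log message, which drops the assumption that M_PKTHDR appears only on the first mbuf. The unconditional "m->m_pkthdr.len -= adjlen" there is still correct, because m1->m_next can never be m, so the comment should say that instead. Since the real fix is computing adjlen before each m_adj() call, a one-line comment at the second adjlen assignment noting that m_adj() modifies m1->m_len would keep a later cleanup from folding the expression back into the subtraction.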
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Tue Apr 10 17:45:27 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1528 To generate a diff of this commit: cvs rdiff -u -r1.1.2.333 -r1.1.2.334 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.333 src/doc/CHANGES-6.2:1.1.2.334 --- src/doc/CHANGES-6.2:1.1.2.333 Tue Apr 10 11:28:34 2018 +++ src/doc/CHANGES-6.2 Tue Apr 10 17:45:27 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.333 2018/04/10 11:28:34 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.334 2018/04/10 17:45:27 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21222,3 +21222,9 @@ sys/arch/amiga/amiga/cc.c 1.27 (patch) Fix a spl(9) leak. [msaitoh, ticket #1544] +usr.sbin/ypserv/ypserv/ypserv_proc.c 1.18 via patch + + PR/47615: Always zero out the result structs in the svc + procs to avoid returning stale request data to the client. + [christos, ticket #1528] +
CVS commit: [netbsd-6] src/usr.sbin/ypserv/ypserv
Module Name:src Committed By: snj Date: Tue Apr 10 17:44:19 UTC 2018 Modified Files: src/usr.sbin/ypserv/ypserv [netbsd-6]: ypserv_proc.c Log Message: Pull up following revision(s) (requested by christos in ticket #1528): usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18 via patch PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the svc procs to avoid returning stale request data to the client. To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.16.4.1 src/usr.sbin/ypserv/ypserv/ypserv_proc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/ypserv/ypserv/ypserv_proc.c diff -u src/usr.sbin/ypserv/ypserv/ypserv_proc.c:1.16 src/usr.sbin/ypserv/ypserv/ypserv_proc.c:1.16.4.1 --- src/usr.sbin/ypserv/ypserv/ypserv_proc.c:1.16 Tue Aug 30 17:06:22 2011 +++ src/usr.sbin/ypserv/ypserv/ypserv_proc.c Tue Apr 10 17:44:18 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ypserv_proc.c,v 1.16 2011/08/30 17:06:22 plunky Exp $ */ +/* $NetBSD: ypserv_proc.c,v 1.16.4.1 2018/04/10 17:44:18 snj Exp $ */ /* * Copyright (c) 1994 Mats O Jansson @@ -28,7 +28,7 @@ #include #ifndef lint -__RCSID("$NetBSD: ypserv_proc.c,v 1.16 2011/08/30 17:06:22 plunky Exp $"); +__RCSID("$NetBSD: ypserv_proc.c,v 1.16.4.1 2018/04/10 17:44:18 snj Exp $"); #endif #include @@ -163,10 +163,11 @@ ypproc_match_2_svc(void *argp, struct sv "key %.*s", clientstr, TORF(secure), k->domain, k->map, k->keydat.dsize, k->keydat.dptr)); - if (secure && securecheck(caller)) + if (secure && securecheck(caller)) { + memset(&res, 0, sizeof(res)); res.status = YP_YPERR; - else - res = ypdb_get_record(k->domain, k->map, k->keydat, FALSE); + } else + res = ypdb_get_record(k->domain, k->map, k->keydat, secure); return ((void *)&res); } 
@@ -190,9 +191,10 @@ ypproc_first_2_svc(void *argp, struct sv "first_2: request from %.500s, secure %s, domain %s, map %s", clientstr, TORF(secure), k->domain, k->map)); - if (secure && securecheck(caller)) + if (secure && securecheck(caller)) { + memset(&res, 0, sizeof(res)); res.status = YP_YPERR; - else + } else res = ypdb_get_first(k->domain, k->map, FALSE); return ((void *)&res); @@ -218,9 +220,10 @@ ypproc_next_2_svc(void *argp, struct svc "key %.*s", clientstr, TORF(secure), k->domain, k->map, k->keydat.dsize, k->keydat.dptr)); - if (secure && securecheck(caller)) + if (secure && securecheck(caller)) { + memset(&res, 0, sizeof(res)); res.status = YP_YPERR; - else + } else res = ypdb_get_next(k->domain, k->map, k->keydat, FALSE); return ((void *)&res); @@ -326,6 +329,7 @@ ypproc_all_2_svc(void *argp, struct svc_ (void)memset(&res, 0, sizeof(res)); if (secure && securecheck(caller)) { + memset(&res, 0, sizeof(res)); res.ypresp_all_u.val.status = YP_YPERR; return (&res); } @@ -368,9 +372,10 @@ ypproc_master_2_svc(void *argp, struct s "master_2: request from %.500s, secure %s, domain %s, map %s", clientstr, TORF(secure), k->domain, k->map)); - if (secure && securecheck(caller)) + if (secure && securecheck(caller)) { + memset(&res, 0, sizeof(res)); res.status = YP_YPERR; - else + } else res = ypdb_get_master(k->domain, k->map); /* @@ -409,12 +414,15 @@ ypproc_order_2_svc(void *argp, struct sv "order_2: request from %.500s, secure %s, domain %s, map %s", clientstr, TORF(secure), k->domain, k->map)); - if (secure && securecheck(caller)) + if (secure && securecheck(caller)) { + memset(&res, 0, sizeof(res)); res.status = YP_YPERR; - else if (_yp_invalid_map(k->map)) + } else if (_yp_invalid_map(k->map)) { + memset(&res, 0, sizeof(res)); res.status = YP_NOMAP; - else + } else { res = ypdb_get_order(k->domain, k->map); + } return ((void *)&res); } 
@@ -446,7 +454,7 @@ ypproc_maplist_2_svc(void *argp, struct (void)snprintf(domain_path, sizeof(domain_path), "%s/%s", YP_DB_PATH, domain); - res.list = NULL; + memset(&res, 0, sizeof(res)); status = YP_TRUE; if ((stat(domain_path, &finfo) != 0) || !S_ISDIR(finfo.st_mode)) {
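Review bot: in the ypproc_match_2_svc hunk, the last argument of ypdb_get_record() changes from FALSE to secure, a behaviour change that the log message (zeroing the result structs) does not mention, while ypproc_first_2_svc and ypproc_next_2_svc still pass FALSE to ypdb_get_first() and ypdb_get_next(). Either document why only the match path needs it or split it into its own change. In the ypproc_all_2_svc hunk, the added "memset(&res, 0, sizeof(res));" duplicates the "(void)memset(&res, 0, sizeof(res));" two lines above it and can be dropped.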
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Tue Apr 10 11:28:34 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1544 To generate a diff of this commit: cvs rdiff -u -r1.1.2.332 -r1.1.2.333 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.332 src/doc/CHANGES-6.2:1.1.2.333 --- src/doc/CHANGES-6.2:1.1.2.332 Mon Apr 9 13:08:06 2018 +++ src/doc/CHANGES-6.2 Tue Apr 10 11:28:34 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.332 2018/04/09 13:08:06 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.333 2018/04/10 11:28:34 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21217,3 +21217,8 @@ external/gpl3/binutils/dist/bfd/elflink. indirectness first. [joerg, ticket #1543] +sys/arch/amiga/amiga/cc.c 1.27 (patch) + + Fix a spl(9) leak. + [msaitoh, ticket #1544] +
CVS commit: [netbsd-6] src/sys/arch/amiga/amiga
Module Name:src Committed By: martin Date: Tue Apr 10 11:27:55 UTC 2018 Modified Files: src/sys/arch/amiga/amiga [netbsd-6]: cc.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #1544): sys/arch/amiga/amiga/cc.c: revision 1.27 (patch) spl leak, found by mootja To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.22.14.1 src/sys/arch/amiga/amiga/cc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/amiga/amiga/cc.c diff -u src/sys/arch/amiga/amiga/cc.c:1.22 src/sys/arch/amiga/amiga/cc.c:1.22.14.1 --- src/sys/arch/amiga/amiga/cc.c:1.22 Mon Dec 20 00:25:25 2010 +++ src/sys/arch/amiga/amiga/cc.c Tue Apr 10 11:27:55 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $ */ +/* $NetBSD: cc.c,v 1.22.14.1 2018/04/10 11:27:55 martin Exp $ */ /* * Copyright (c) 1994 Christian E. Hopps @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22 2010/12/20 00:25:25 matt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: cc.c,v 1.22.14.1 2018/04/10 11:27:55 martin Exp $"); #include #include @@ -504,9 +504,10 @@ alloc_chipmem(u_long size) while (size > mn->size && mn != (void *)&free_list) mn = mn->free_link.cqe_next; - if (mn == (void *)&free_list) + if (mn == (void *)&free_list) { + splx(s); return(NULL); - + } if ((mn->size - size) <= sizeof (*mn)) { /* * our allocation would not leave room
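Review bot: in alloc_chipmem, the free-list-exhausted path gets its own splx(s) immediately before return(NULL), which fixes this exit but keeps the pattern that caused the leak. Sending the failure path to a single exit that calls splx(s) once would prevent the next early return from reintroducing it. The hunk also removes the blank line that separated this check from the following if block, which is unrelated to the fix.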
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Mon Apr 9 13:08:06 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1543 To generate a diff of this commit: cvs rdiff -u -r1.1.2.331 -r1.1.2.332 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.331 src/doc/CHANGES-6.2:1.1.2.332 --- src/doc/CHANGES-6.2:1.1.2.331 Thu Apr 5 11:35:08 2018 +++ src/doc/CHANGES-6.2 Mon Apr 9 13:08:06 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.331 2018/04/05 11:35:08 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.332 2018/04/09 13:08:06 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21210,3 +21210,10 @@ sys/net/npf/npf.h1.55 Fix an integer overflow that allows incoming IPv6 packets to bypass a certain number of filtering rules. [maxv, ticket #1542] + +external/gpl3/binutils/dist/bfd/elflink.c 1.14 (patch) + + When trying to decide the status of a weak symbol, resolve any + indirectness first. + [joerg, ticket #1543] +
CVS commit: [netbsd-6] src/external/gpl3/binutils/dist/bfd
Module Name:src Committed By: martin Date: Mon Apr 9 13:00:07 UTC 2018 Modified Files: src/external/gpl3/binutils/dist/bfd [netbsd-6]: elflink.c Log Message: Pull up following revision(s) (requested by joerg in ticket #1543): external/gpl3/binutils/dist/bfd/elflink.c: revision 1.14 (patch) When trying to decide the status of a weak symbol, resolve any indirectness first. In the case of various Qt5 libraries, __bss_start ends up with a Qt5 version, but it has to be resolved first to match the actual (implicit) definition. This fixes the root cause of pkg/53089. To generate a diff of this commit: cvs rdiff -u -r1.5.2.1 -r1.5.2.2 \ src/external/gpl3/binutils/dist/bfd/elflink.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/gpl3/binutils/dist/bfd/elflink.c diff -u src/external/gpl3/binutils/dist/bfd/elflink.c:1.5.2.1 src/external/gpl3/binutils/dist/bfd/elflink.c:1.5.2.2 --- src/external/gpl3/binutils/dist/bfd/elflink.c:1.5.2.1 Tue Apr 3 15:54:48 2012 +++ src/external/gpl3/binutils/dist/bfd/elflink.c Mon Apr 9 13:00:06 2018 @@ -2528,9 +2528,10 @@ _bfd_elf_fix_symbol_flags (struct elf_li over to the real definition. */ if (h->u.weakdef != NULL) { - struct elf_link_hash_entry *weakdef; + struct elf_link_hash_entry *weakdef = h->u.weakdef; + while (weakdef->root.type == bfd_link_hash_indirect) +weakdef = (struct elf_link_hash_entry *) weakdef->root.u.i.link; - weakdef = h->u.weakdef; if (h->root.type == bfd_link_hash_indirect) h = (struct elf_link_hash_entry *) h->root.u.i.link;
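Review bot: in _bfd_elf_fix_symbol_flags, weakdef is now followed through a whole chain of bfd_link_hash_indirect entries with a while loop, but h itself, in the context lines just below, is still resolved with a single "if (h->root.type == bfd_link_hash_indirect)", so an h that is more than one level indirect is only partly resolved. If chains longer than one link can occur for weakdef, the same loop is warranted for h; if they cannot occur for h, a short comment saying why the two are treated differently would help.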
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu Apr 5 11:35:09 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1542 To generate a diff of this commit: cvs rdiff -u -r1.1.2.330 -r1.1.2.331 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.330 src/doc/CHANGES-6.2:1.1.2.331 --- src/doc/CHANGES-6.2:1.1.2.330 Sun Apr 1 09:23:13 2018 +++ src/doc/CHANGES-6.2 Thu Apr 5 11:35:08 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.330 2018/04/01 09:23:13 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.331 2018/04/05 11:35:08 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21205,3 +21205,8 @@ sys/netinet6/raw_ip6.c1.161 Fix use-after-free. [maxv, ticket #1541] +sys/net/npf/npf.h1.55 + + Fix an integer overflow that allows incoming IPv6 packets + to bypass a certain number of filtering rules. + [maxv, ticket #1542]
CVS commit: [netbsd-6] src/sys/net/npf
Module Name: src
Committed By: martin
Date: Thu Apr 5 11:34:17 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h 1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules on. If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point.

This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header. The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall.

Simple example, a packet with:

packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port .

Fix this by using uint32_t.

While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net/npf/npf.h diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.13 --- src/sys/net/npf/npf.h:1.14.2.12 Mon Feb 11 21:49:49 2013 +++ src/sys/net/npf/npf.h Thu Apr 5 11:34:17 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $ */ +/* $NetBSD: npf.h,v 1.14.2.13 2018/04/05 11:34:17 martin Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. @@ -99,7 +99,7 @@ typedef struct { npf_addr_t * npc_dstip; /* Size (v4 or v6) of IP addresses. */ uint8_t npc_alen; - uint8_t npc_hlen; + uint32_t npc_hlen; uint16_t npc_proto; /* IPv4, IPv6. */ union {
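Review bot: widening npc_hlen from uint8_t to uint32_t removes the wrap, but the log message also reports that npf_cache_ip can advance npc_hlen past the end of the mbuf, and nothing in this patch bounds it. A check of the accumulated header length against the packet length belongs with this fix, or in a follow-up referenced from it. The 32-bit field now sits directly after the uint8_t npc_alen, so the compiler has to pad between them; declaring npc_hlen ahead of the narrower members would avoid that. Any caller that copies npc_hlen into a narrower variable would reintroduce the truncation and is worth auditing as part of the pull-up.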
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Sun Apr 1 09:23:13 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Tickets #1540 and #1541 To generate a diff of this commit: cvs rdiff -u -r1.1.2.329 -r1.1.2.330 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.329 src/doc/CHANGES-6.2:1.1.2.330 --- src/doc/CHANGES-6.2:1.1.2.329 Mon Mar 26 12:18:23 2018 +++ src/doc/CHANGES-6.2 Sun Apr 1 09:23:13 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.329 2018/03/26 12:18:23 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.330 2018/04/01 09:23:13 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21195,3 +21195,13 @@ distrib/sets/lists/base/mi 1.1164 Updated tzdata to 2018d. [kre, ticket #1539] +sys/netinet6/ip6_forward.c 1.91 (patch) + + Fix two IPv6 ipsec use-after-free issues. + [maxv, ticket #1540] + +sys/netinet6/raw_ip6.c1.161 + + Fix use-after-free. + [maxv, ticket #1541] +
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Apr 1 09:22:37 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1541): sys/netinet6/raw_ip6.c: revision 1.161 Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so it is wrong to read ip6->ip6_nxt. To generate a diff of this commit: cvs rdiff -u -r1.109.2.1 -r1.109.2.2 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/raw_ip6.c diff -u src/sys/netinet6/raw_ip6.c:1.109.2.1 src/sys/netinet6/raw_ip6.c:1.109.2.2 --- src/sys/netinet6/raw_ip6.c:1.109.2.1 Tue Jan 30 18:44:22 2018 +++ src/sys/netinet6/raw_ip6.c Sun Apr 1 09:22:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip6.c,v 1.109.2.1 2018/01/30 18:44:22 martin Exp $ */ +/* $NetBSD: raw_ip6.c,v 1.109.2.2 2018/04/01 09:22:37 martin Exp $ */ /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.2.1 2018/01/30 18:44:22 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.2.2 2018/04/01 09:22:37 martin Exp $"); #include "opt_ipsec.h" @@ -502,6 +502,7 @@ rip6_output(struct mbuf *m, struct socke if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 || in6p->in6p_cksum != -1) { + const uint8_t nxt = ip6->ip6_nxt; int off; u_int16_t sum; @@ -523,7 +524,7 @@ rip6_output(struct mbuf *m, struct socke error = ENOBUFS; goto bad; } - sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen); + sum = in6_cksum(m, nxt, sizeof(*ip6), plen); m = m_copyback_cow(m, off, sizeof(sum), (void *)&sum, M_DONTWAIT); if (m == NULL) {
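Review bot: in rip6_output, caching ip6->ip6_nxt in nxt at the top of the block fixes the read in the in6_cksum() call, but the ip6 pointer itself stays in scope and stale once m_copyback_cow() has run. A short comment at the nxt declaration saying that m_copyback_cow() may free the mbuf, or re-deriving ip6 from m after each call, would stop a later edit from dereferencing it again.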
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Apr 1 09:18:54 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ip6_forward.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1540): sys/netinet6/ip6_forward.c: revision 1.91 (via patch) Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed, and a 'goto out' is missing after ipsec6_process_packet. To generate a diff of this commit: cvs rdiff -u -r1.69.2.1 -r1.69.2.2 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_forward.c diff -u src/sys/netinet6/ip6_forward.c:1.69.2.1 src/sys/netinet6/ip6_forward.c:1.69.2.2 --- src/sys/netinet6/ip6_forward.c:1.69.2.1 Tue Mar 13 16:43:06 2018 +++ src/sys/netinet6/ip6_forward.c Sun Apr 1 09:18:54 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $ */ +/* $NetBSD: ip6_forward.c,v 1.69.2.2 2018/04/01 09:18:54 martin Exp $ */ /* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.2 2018/04/01 09:18:54 martin Exp $"); #include "opt_gateway.h" #include "opt_ipsec.h" @@ -361,9 +361,10 @@ ip6_forward(struct mbuf *m, int srcrt) * because we asked key management for an SA and * it was delayed (e.g. kicked up to IKE). */ - if (error == -EINVAL) - error = 0; - goto freecopy; + if (error == -EINVAL) + error = 0; + m_freem(m); + goto freecopy; } #endif /* FAST_IPSEC */ @@ -467,8 +468,10 @@ ip6_forward(struct mbuf *m, int srcrt) s = splsoftnet(); error = ipsec6_process_packet(m,sp->req); splx(s); + /* m is freed */ if (mcopy) goto freecopy; + return; } #endif
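Review bot: in the second hunk of ip6_forward, the result of ipsec6_process_packet() is stored in error, yet on the added "return;" path it is never examined. If discarding it is intended, say so next to the "m is freed" comment; otherwise count or log the failure before returning. In the first hunk, the "if (error == -EINVAL)" and "error = 0;" lines are removed and re-added with identical text, so a whitespace-only change is mixed in with the functional m_freem(m) addition, which makes the actual fix harder to pick out in a pull-up.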
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Mon Mar 26 12:18:23 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Amend ticket #1539 To generate a diff of this commit: cvs rdiff -u -r1.1.2.328 -r1.1.2.329 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.328 src/doc/CHANGES-6.2:1.1.2.329 --- src/doc/CHANGES-6.2:1.1.2.328 Sun Mar 25 18:32:04 2018 +++ src/doc/CHANGES-6.2 Mon Mar 26 12:18:23 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.328 2018/03/25 18:32:04 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.329 2018/03/26 12:18:23 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21166,7 +21166,6 @@ share/man/man4/altq.41.3 [sevan, ticket #1538] external/public-domain/tz/dist/CONTRIBUTING up to 1.1.1.5 -external/public-domain/tz/dist/Makefile up to 1.1.1.20 external/public-domain/tz/dist/NEWS up to 1.1.1.21 external/public-domain/tz/dist/README up to 1.1.1.6 external/public-domain/tz/dist/TZDATA_VERSION up to 1.11
CVS commit: [netbsd-6] src/share/zoneinfo
Module Name:src Committed By: martin Date: Mon Mar 26 12:17:20 UTC 2018 Modified Files: src/share/zoneinfo [netbsd-6]: Makefile Log Message: Back out all changes to this file accidentally included in the pullup of ticket #1539. To generate a diff of this commit: cvs rdiff -u -r1.43.8.4 -r1.43.8.5 src/share/zoneinfo/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/share/zoneinfo/Makefile diff -u src/share/zoneinfo/Makefile:1.43.8.4 src/share/zoneinfo/Makefile:1.43.8.5 --- src/share/zoneinfo/Makefile:1.43.8.4 Sun Mar 25 18:31:03 2018 +++ src/share/zoneinfo/Makefile Mon Mar 26 12:17:20 2018 
@@ -1,43 +1,19 @@ -# This file is in the public domain, so clarified as of -# 2009-05-17 by Arthur David Olson. +# $NetBSD: Makefile,v 1.43.8.5 2018/03/26 12:17:20 martin Exp $ -# Package name for the code distribution. -PACKAGE= tzcode +.include -# Version number for the distribution, overridden in the 'tarballs' rule below. -VERSION= unknown +TZDISTDIR=${.CURDIR} -# Email address for bug reports. -BUGEMAIL= t...@iana.org - -# Choose source data features. To get new features right away, use: -# DATAFORM= vanguard -# To wait a while before using new features, to give downstream users -# time to upgrade zic (the default), use: -# DATAFORM= main -# To wait even longer for new features, use: -# DATAFORM= rearguard -DATAFORM= main - -# Change the line below for your time zone (after finding the zone you want in -# the time zone files, or adding it to a time zone file). -# Alternately, if you discover you've got the wrong time zone, you can just -# zic -l rightzone -# to correct things. -# Use the command -# make zonenames -# to get a list of the values you can use for LOCALTIME. - -LOCALTIME= GMT +.PATH: ${TZDISTDIR} # If you want something other than Eastern United States time as a template # for handling POSIX-style time zone environment variables, # change the line below (after finding the zone you want in the # time zone files, or adding it to a time zone file). -# When a POSIX-style environment variable is handled, the rules in the +# (When a POSIX-style environment variable is handled, the rules in the # template file are used to determine "spring forward" and "fall back" days and # times; the environment variable itself specifies UT offsets of standard and -# daylight saving time. +# summer time.) # Alternately, if you discover you've got the wrong time zone, you can just # zic -p rightzone # to correct things. 
@@ -48,72 +24,18 @@ LOCALTIME= GMT POSIXRULES= America/New_York -# Also see TZDEFRULESTRING below, which takes effect only -# if the time zone files cannot be accessed. - - -# Installation locations. -# -# The defaults are suitable for Debian, except that if REDO is -# posix_right or right_posix then files that Debian puts under -# /usr/share/zoneinfo/posix and /usr/share/zoneinfo/right are instead -# put under /usr/share/zoneinfo-posix and /usr/share/zoneinfo-leaps, -# respectively. Problems with the Debian approach are discussed in -# the commentary for the right_posix rule (below). - -# Destination directory, which can be used for staging. -# 'make DESTDIR=/stage install' installs under /stage (e.g., to -# /stage/etc/localtime instead of to /etc/localtime). Files under -# /stage are not intended to work as-is, but can be copied by hand to -# the root directory later. If DESTDIR is empty, 'make install' does -# not stage, but installs directly into production locations. -DESTDIR = - -# Everything is installed into subdirectories of TOPDIR, and used there. -# TOPDIR should be empty (meaning the root directory), -# or a directory name that does not end in "/". -# TOPDIR should be empty or an absolute name unless you're just testing. -TOPDIR = - -# The default local time zone is taken from the file TZDEFAULT. -TZDEFAULT = $(TOPDIR)/etc/localtime - -# The subdirectory containing installed program and data files, and -# likewise for installed files that can be shared among architectures. -# These should be relative file names. -USRDIR = usr -USRSHAREDIR = $(USRDIR)/share - # "Compiled" time zone information is placed in the "TZDIR" directory # (and subdirectories). -# TZDIR_BASENAME should not contain "/" and should not be ".", ".." or empty. 
-TZDIR_BASENAME= zoneinfo -TZDIR = $(TOPDIR)/$(USRSHAREDIR)/$(TZDIR_BASENAME) - -# The "tzselect" and (if you do "make INSTALL") "date" commands go in: -BINDIR = $(TOPDIR)/$(USRDIR)/bin - -# The "zdump" command goes in: -ZDUMPDIR = $(BINDIR) - -# The "zic" command goes in: -ZICDIR = $(TOPDIR)/$(USRDIR)/sbin +# Use an absolute path name for TZDIR unless you're just testing the software. +# Note: ${DESTDIR} is prepended to this for the actual copy. -# Manual pages go in subdirectories of. . . -MANDIR = $(TOPDIR)/$(USRSHAREDIR)/man +TZDIR= /usr/share/zoneinfo -# Library functions are put in an archive in LIBDIR. -LIBDIR = $
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Sun Mar 25 18:32:04 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1539 To generate a diff of this commit: cvs rdiff -u -r1.1.2.327 -r1.1.2.328 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.327 src/doc/CHANGES-6.2:1.1.2.328 --- src/doc/CHANGES-6.2:1.1.2.327 Tue Mar 13 18:06:22 2018 +++ src/doc/CHANGES-6.2 Sun Mar 25 18:32:04 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.327 2018/03/13 18:06:22 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.328 2018/03/25 18:32:04 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: 
@@ -21165,3 +21165,34 @@ share/man/man4/altq.41.3 Update URL for the cited paper [sevan, ticket #1538] +external/public-domain/tz/dist/CONTRIBUTING up to 1.1.1.5 +external/public-domain/tz/dist/Makefile up to 1.1.1.20 +external/public-domain/tz/dist/NEWS up to 1.1.1.21 +external/public-domain/tz/dist/README up to 1.1.1.6 +external/public-domain/tz/dist/TZDATA_VERSION up to 1.11 +external/public-domain/tz/dist/africa up to 1.1.1.14 +external/public-domain/tz/dist/antarctica up to 1.1.1.10 +external/public-domain/tz/dist/asia up to 1.1.1.19 +external/public-domain/tz/dist/australasia up to 1.1.1.14 +external/public-domain/tz/dist/backzone up to 1.1.1.14 +external/public-domain/tz/dist/calendarsup to 1.1.1.1 +external/public-domain/tz/dist/checktab.awk up to 1.1.1.9 +external/public-domain/tz/dist/europe up to 1.1.1.20 +external/public-domain/tz/dist/leap-seconds.list up to 1.1.1.9 +external/public-domain/tz/dist/leapseconds up to 1.1.1.10 +external/public-domain/tz/dist/northamerica up to 1.1.1.19 +external/public-domain/tz/dist/southamerica up to 1.1.1.14 +external/public-domain/tz/dist/theory.html up to 1.1.1.3 +external/public-domain/tz/dist/version up to 1.1.1.8 +external/public-domain/tz/dist/ziguard.awk up to 1.1.1.1 +external/public-domain/tz/dist/zishrink.awk up to 1.1.1.3 +external/public-domain/tz/dist/zone.tab up to 1.1.1.14 +external/public-domain/tz/dist/zone1970.tab up to 1.1.1.16 + (with external/public-domain/tz/dist -> share/zoneinfo) +share/zoneinfo/Theory delete +doc/3RDPARTY (patch) +distrib/sets/lists/base/mi 1.1164 + + Updated tzdata to 2018d. + [kre, ticket #1539] +
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Tue Mar 13 18:06:22 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1516, 1518-1520, 1522, 1532-1538 To generate a diff of this commit: cvs rdiff -u -r1.1.2.326 -r1.1.2.327 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.326 src/doc/CHANGES-6.2:1.1.2.327 --- src/doc/CHANGES-6.2:1.1.2.326 Sat Mar 3 20:50:38 2018 +++ src/doc/CHANGES-6.2 Tue Mar 13 18:06:22 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.326 2018/03/03 20:50:38 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.327 2018/03/13 18:06:22 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: 
@@ -21093,3 +21093,75 @@ dist/pf/etc/pf.os1.4-1.5 Add DragonFly BSD fingerprints. [sevan, ticket #1515] +sys/dev/fss.c 1.101-1.103 + + fss: + - Bounds check against media size for non-persistent snapshots. + - Treat partial read from backing store as I/O error. + - Pass residual back to b_resid for persistent snapshots. + [hannken, ticket #1516] + +sys/netinet6/ip6_forward.c 1.89-1.90 via patch + + Fix use-after-free of mbuf in ip6flow_create and ip6flow_create. + [ozaki-r, ticket #1518] + +sys/arch/sparc/sparc/timer.c 1.33-1.34 via patch +sys/arch/sparc/sparc/timer_sun4m.c 1.31 via patch +sys/arch/sparc/sparc/timerreg.h 1.10 via patch + + Fix time goes backwards problems on sparc. + [mrg, ticket #1519] + +bin/ksh/history.c1.18 via patch + + Use 0600 as the mode for histfile. PR bin/52480 + [maya, ticket #1520] + +sys/arch/macppc/dev/snapper.c 1.42 + + Fix issue with audio being downpitched. PR 52949. + [sevan, ticket #1522] + +sys/netipsec/xform_ah.c1.77 via patch +sys/netipsec/xform_esp.c 1.73 via patch +sys/netipsec/xform_ipip.c 1.56-1.57 via patch + + Several fixes in IPsec: strengthen sanity checks (AH/ESP), and + fix possible use-after-free (Tunnel). + [maxv, ticket #1532] + +sys/dev/sbus/be.c1.86 + + Fix spl leak. + [msaitoh, ticket #1533] + +lib/libc/arch/powerpc/gen/swapcontext.S 1.8 via patch +lib/libc/arch/powerpc/genassym.cf 1.5 via patch + + PIC code clobbers %r30 so we need to update the saved oucp with + caller's %r30 manually. Makes old context happy when it needs + to do more function calls after restore. + [uwe, ticket #1534] + +sys/net/if_mpls.c1.31-1.33 via patch +sys/netmpls/mpls_ttl.c1.9 via patch + + Fix several memory corruptions and inconsistencies in MPLS. + [maxv, ticket #1535] + +sys/netipsec/ipsec_input.c 1.57-1.58 + + Fix out-of-bounds read. + [maxv, ticket #1536] + +sys/dev/ppbus/if_plip.c1.28 + + Fix spl leak. + [msaitoh, ticket #1537] + +share/man/man4/altq.41.3 + + Update URL for the cited paper + [sevan, ticket #1538] +
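Review bot: the ticket #1518 entry reads "Fix use-after-free of mbuf in ip6flow_create and ip6flow_create", naming the same function twice. The sentence should either name the second affected function or be reduced to the one, since CHANGES-6.2 is what readers use to decide whether a release contains a given fix.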
CVS commit: [netbsd-6] src/share/man/man4
Module Name:src Committed By: snj Date: Tue Mar 13 17:52:37 UTC 2018 Modified Files: src/share/man/man4 [netbsd-6]: altq.4 Log Message: Pull up following revision(s) (requested by sevan in ticket #1538): share/man/man4/altq.4: 1.3 Update URL for the cited paper To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.2.4.1 src/share/man/man4/altq.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/share/man/man4/altq.4 diff -u src/share/man/man4/altq.4:1.2 src/share/man/man4/altq.4:1.2.4.1 --- src/share/man/man4/altq.4:1.2 Thu Jun 23 07:47:22 2011 +++ src/share/man/man4/altq.4 Tue Mar 13 17:52:37 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: altq.4,v 1.2 2011/06/23 07:47:22 wiz Exp $ +.\" $NetBSD: altq.4,v 1.2.4.1 2018/03/13 17:52:37 snj Exp $ .\" .\" Copyright (c) 2011 Jukka Ruohonen .\" @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE .\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 22, 2011 +.Dd March 08, 2018 .Dt ALTQ 4 .Os .Sh NAME @@ -77,7 +77,7 @@ are required in order to use a certain n .%D March, 2004 .%C Taipei, Taiwan .%O Asia BSD conference -.%U http://www.sonycsl.co.jp/~kjc/papers/fittingtheory.pdf +.%U http://www.sonycsl.co.jp/person/kjc/papers/fittingtheory.pdf .Re .\" .Sh HISTORY .\"
CVS commit: [netbsd-6] src/sys/dev/ppbus
Module Name:src Committed By: snj Date: Tue Mar 13 17:48:21 UTC 2018 Modified Files: src/sys/dev/ppbus [netbsd-6]: if_plip.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #1537): sys/dev/ppbus/if_plip.c: 1.28 spl leak, found by Mootja To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.24.14.1 src/sys/dev/ppbus/if_plip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ppbus/if_plip.c diff -u src/sys/dev/ppbus/if_plip.c:1.24 src/sys/dev/ppbus/if_plip.c:1.24.14.1 --- src/sys/dev/ppbus/if_plip.c:1.24 Mon Apr 5 07:21:47 2010 +++ src/sys/dev/ppbus/if_plip.c Tue Mar 13 17:48:21 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if_plip.c,v 1.24 2010/04/05 07:21:47 joerg Exp $ */ +/* $NetBSD: if_plip.c,v 1.24.14.1 2018/03/13 17:48:21 snj Exp $ */ /*- * Copyright (c) 1997 Poul-Henning Kamp @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.24 2010/04/05 07:21:47 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_plip.c,v 1.24.14.1 2018/03/13 17:48:21 snj Exp $"); /* * Parallel port TCP/IP interfaces added. I looked at the driver from @@ -445,6 +445,7 @@ lpioctl(struct ifnet *ifp, u_long cmd, v case AF_INET: break; default: + splx(s); return EAFNOSUPPORT; } break;
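Review bot: In lpioctl's `default:` arm the fix pairs `splx(s)` with this one `return EAFNOSUPPORT`, which leaves the restore repeated at each early exit. Routing the error through a single exit that calls `splx(s)` once (set the error code and `break` instead of returning) would keep the next early return from leaking the raised spl the same way. The other return statements in lpioctl, not visible in this hunk, deserve the same audit.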
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: snj Date: Tue Mar 13 17:47:14 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: ipsec_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1536): sys/netipsec/ipsec_input.c: 1.57-1.58 Extend these #ifdef notyet. The m_copydata's in these branches are wrong, we are not guaranteed to have enough room for another struct ip, and we may crash here. Triggerable remotely, but after authentication, by sending an AH packet that has a one-byte-sized IPIP payload. -- Argh, in my previous commit in this file I forgot to fix the IPv6 entry point; apply the same fix there. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.2.1 src/sys/netipsec/ipsec_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.29 src/sys/netipsec/ipsec_input.c:1.29.2.1 --- src/sys/netipsec/ipsec_input.c:1.29 Wed Jan 25 21:58:10 2012 +++ src/sys/netipsec/ipsec_input.c Tue Mar 13 17:47:14 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.29.2.1 2018/03/13 17:47:14 snj Exp $ */ /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29.2.1 2018/03/13 17:47:14 snj Exp $"); /* * IPsec input processing. 
@@ -332,14 +332,15 @@ ipsec4_common_input_cb(struct mbuf *m, s ip->ip_len = htons(m->m_pkthdr.len); prot = ip->ip_p; +#ifdef notyet /* IP-in-IP encapsulation */ if (prot == IPPROTO_IPIP) { struct ip ipn; /* ipn will now contain the inner IPv4 header */ + /* XXX: check m_pkthdr.len */ m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), &ipn); -#ifdef notyet /* XXX PROXY address isn't recorded in SAH */ /* * Check that the inner source address is the same as @@ -367,7 +368,6 @@ ipsec4_common_input_cb(struct mbuf *m, s error = EACCES; goto bad; } -#endif /*XXX*/ } #if INET6 /* IPv6-in-IP encapsulation. */ @@ -375,9 +375,9 @@ ipsec4_common_input_cb(struct mbuf *m, s struct ip6_hdr ip6n; /* ip6n will now contain the inner IPv6 header. */ + /* XXX: check m_pkthdr.len */ m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), &ip6n); -#ifdef notyet /* * Check that the inner source address is the same as * the proxy address, if available. @@ -403,9 +403,9 @@ ipsec4_common_input_cb(struct mbuf *m, s error = EACCES; goto bad; } -#endif /*XXX*/ } #endif /* INET6 */ +#endif /* notyet */ /* * Record what we've done to the packet (under what SA it was @@ -651,15 +651,16 @@ ipsec6_common_input_cb(struct mbuf *m, s /* Save protocol */ m_copydata(m, protoff, 1, &prot); +#ifdef notyet #ifdef INET /* IP-in-IP encapsulation */ if (prot == IPPROTO_IPIP) { struct ip ipn; /* ipn will now contain the inner IPv4 header */ + /* XXX: check m_pkthdr.len */ m_copydata(m, skip, sizeof(struct ip), &ipn); -#ifdef notyet /* * Check that the inner source address is the same as * the proxy address, if available. 
@@ -683,18 +684,16 @@ ipsec6_common_input_cb(struct mbuf *m, s error = EACCES; goto bad; } -#endif /*XXX*/ } #endif /* INET */ - /* IPv6-in-IP encapsulation */ if (prot == IPPROTO_IPV6) { struct ip6_hdr ip6n; /* ip6n will now contain the inner IPv6 header. */ + /* XXX: check m_pkthdr.len */ m_copydata(m, skip, sizeof(struct ip6_hdr), &ip6n); -#ifdef notyet /* * Check that the inner source address is the same as * the proxy address, if available. @@ -719,8 +718,8 @@ ipsec6_common_input_cb(struct mbuf *m, s error = EACCES; goto bad; } -#endif /*XXX*/ } +#endif /* notyet */ /* * Record what we've done to the packet (under what SA it was
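Review bot: The four `m_copydata()` calls now enclosed in `#ifdef notyet` are still unchecked; the added `/* XXX: check m_pkthdr.len */` comments record the problem without fixing it, so whoever enables this block later reintroduces the out-of-bounds read the log message describes. Put the guard in now, for example rejecting the packet in ipsec4_common_input_cb when `m->m_pkthdr.len < (ip->ip_hl << 2) + sizeof(struct ip)`, with the matching `skip + sizeof(...)` test in ipsec6_common_input_cb, so the dead code is correct before it is ever compiled. The @@ -683 hunk also drops the blank line after `#endif /* INET */`, which looks unintentional.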
CVS commit: [netbsd-6] src/sys
Module Name:src Committed By: snj Date: Tue Mar 13 17:42:41 UTC 2018 Modified Files: src/sys/net [netbsd-6]: if_mpls.c src/sys/netmpls [netbsd-6]: mpls_ttl.c Log Message: Pull up following revision(s) (requested by uwe in ticket #1534): sys/net/if_mpls.c: 1.31-1.33 via patch sys/netmpls/mpls_ttl.c: 1.9 via patch Style, and fix several bugs: - ip4_check(), mpls_unlabel_inet() and mpls_unlabel_inet6() perform pullups, so we need to pass the updated pointers back - in mpls_lse() the route is not always freed Looks a little better now. -- Kick MPLS packets earlier. -- Several changes: * In mpls_unlabel_inet, copy the label locally. It's not incorrect to keep a pointer on the mbuf, but it's bug-friendly. * In mpls_label_inetX, fix the length check. Meanwhile add an XXX: we just want to make sure that m_copydata won't fail, but if we were guaranteed that m has M_PKTHDR set, we could simply check the length against m->m_pkthdr.len. To generate a diff of this commit: cvs rdiff -u -r1.8.8.1 -r1.8.8.2 src/sys/net/if_mpls.c cvs rdiff -u -r1.3 -r1.3.18.1 src/sys/netmpls/mpls_ttl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if_mpls.c diff -u src/sys/net/if_mpls.c:1.8.8.1 src/sys/net/if_mpls.c:1.8.8.2 --- src/sys/net/if_mpls.c:1.8.8.1 Tue Jul 30 03:05:39 2013 +++ src/sys/net/if_mpls.c Tue Mar 13 17:42:41 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if_mpls.c,v 1.8.8.1 2013/07/30 03:05:39 msaitoh Exp $ */ +/* $NetBSD: if_mpls.c,v 1.8.8.2 2018/03/13 17:42:41 snj Exp $ */ /* * Copyright (c) 2010 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.8.1 2013/07/30 03:05:39 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_mpls.c,v 1.8.8.2 2018/03/13 17:42:41 snj Exp $"); #include "opt_inet.h" #include "opt_mpls.h" 
@@ -83,12 +83,12 @@ static int mpls_send_frame(struct mbuf * static int mpls_lse(struct mbuf *); #ifdef INET -static int mpls_unlabel_inet(struct mbuf *); +static struct mbuf *mpls_unlabel_inet(struct mbuf *, int *error); static struct mbuf *mpls_label_inet(struct mbuf *, union mpls_shim *, uint); #endif #ifdef INET6 -static int mpls_unlabel_inet6(struct mbuf *); +static struct mbuf *mpls_unlabel_inet6(struct mbuf *, int *error); static struct mbuf *mpls_label_inet6(struct mbuf *, union mpls_shim *, uint); #endif @@ -308,6 +308,12 @@ mpls_lse(struct mbuf *m) int error = ENOBUFS; uint psize = sizeof(struct sockaddr_mpls); + /* If we're not accepting MPLS frames, leave now. */ + if (!mpls_accept) { + error = EINVAL; + goto done; + } + if (m->m_len < sizeof(union mpls_shim) && (m = m_pullup(m, sizeof(union mpls_shim))) == NULL) goto done; @@ -316,10 +322,7 @@ mpls_lse(struct mbuf *m) dst.smpls_family = AF_MPLS; dst.smpls_addr.s_addr = ntohl(mtod(m, union mpls_shim *)->s_addr); - /* Check if we're accepting MPLS Frames */ error = EINVAL; - if (!mpls_accept) - goto done; /* TTL decrement */ if ((m = mpls_ttl_dec(m)) == NULL) @@ -331,15 +334,17 @@ mpls_lse(struct mbuf *m) #ifdef INET case MPLS_LABEL_IPV4NULL: /* Pop shim and push mbuf to IP stack */ - if (dst.smpls_addr.shim.bos) -error = mpls_unlabel_inet(m); + if (dst.smpls_addr.shim.bos) { +m = mpls_unlabel_inet(m, &error); + } break; #endif #ifdef INET6 case MPLS_LABEL_IPV6NULL: /* Pop shim and push mbuf to IPv6 stack */ - if (dst.smpls_addr.shim.bos) -error = mpls_unlabel_inet6(m); + if (dst.smpls_addr.shim.bos) { +m = mpls_unlabel_inet6(m, &error); + } break; #endif case MPLS_LABEL_RTALERT: /* Yeah, I'm all alerted */ 
@@ -393,8 +398,10 @@ mpls_lse(struct mbuf *m) tshim.shim.bos = tshim.shim.exp = 0; tshim.shim.ttl = mpls_defttl; if (tshim.shim.label != MPLS_LABEL_IMPLNULL && - ((m = mpls_prepend_shim(m, &tshim)) == NULL)) - return ENOBUFS; + ((m = mpls_prepend_shim(m, &tshim)) == NULL)) { + error = ENOBUFS; + goto done; + } psize += sizeof(tshim); } @@ -439,11 +446,9 @@ mpls_send_frame(struct mbuf *m, struct i return 0; } - - #ifdef INET -static int -mpls_unlabel_inet(struct mbuf *m) +static struct mbuf * +mpls_unlabel_inet(struct mbuf *m, int *error) { int s, iphlen; struct ip *iph; @@ -451,7 +456,6 @@ mpls_unlabel_inet(struct mbuf *m) struct ifqueue *inq; if (mpls_mapttl_inet || mpls_mapprec_inet) { - /* get shim info */ ms = mtod(m, union mpls_shim *); ms->s_addr = ntohl(ms->s_addr); @@ -460,23 +464,29 @@ mpls_unlabel_inet(struct mbuf *m) m_adj(m, sizeof(union mpls_shim)); /* get ip header */ - if (m->m_len < sizeof (struct ip) && - (m = m_pullup(m, sizeof(struct ip))) == NULL) - return ENOBUFS; + if (m->m_len < sizeof(struct ip) && + (m = m_pullup(m, sizeof(struct ip))) == NULL) { + *error = ENOBUFS; + return NULL; + } + iph = mtod(m, struct ip *
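Review bot: In mpls_lse, `m = mpls_unlabel_inet(m, &error);` is reached with `error` already set to EINVAL a few lines earlier, so the unlabel functions have to store 0 through `error` on success; the visible part of mpls_unlabel_inet only writes `*error = ENOBUFS` on the pullup failure. Please confirm that every return path sets `*error`, and that the `done:` path tolerates the NULL `m` these calls can now hand back. Minor: the new prototypes name the second parameter (`int *error`) while leaving the first unnamed; pick one style.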
CVS commit: [netbsd-6] src/lib/libc/arch/powerpc
Module Name:src Committed By: snj Date: Tue Mar 13 17:27:39 UTC 2018 Modified Files: src/lib/libc/arch/powerpc [netbsd-6]: genassym.cf src/lib/libc/arch/powerpc/gen [netbsd-6]: swapcontext.S Log Message: Pull up following revision(s) (requested by uwe in ticket #1534): lib/libc/arch/powerpc/genassym.cf: 1.5 via patch lib/libc/arch/powerpc/gen/swapcontext.S: 1.8 via patch PIC code clobbers %r30 so we need to update the saved oucp with caller's %r30 manually. Makes old context happy when it needs to do more function calls after restore. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.3.8.1 src/lib/libc/arch/powerpc/genassym.cf cvs rdiff -u -r1.6 -r1.6.8.1 src/lib/libc/arch/powerpc/gen/swapcontext.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/arch/powerpc/genassym.cf diff -u src/lib/libc/arch/powerpc/genassym.cf:1.3 src/lib/libc/arch/powerpc/genassym.cf:1.3.8.1 --- src/lib/libc/arch/powerpc/genassym.cf:1.3 Tue Jan 18 01:23:24 2011 +++ src/lib/libc/arch/powerpc/genassym.cf Tue Mar 13 17:27:39 2018 @@ -1,4 +1,4 @@ -# $NetBSD: genassym.cf,v 1.3 2011/01/18 01:23:24 matt Exp $ +# $NetBSD: genassym.cf,v 1.3.8.1 2018/03/13 17:27:39 snj Exp $ # # Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -42,6 +42,7 @@ define CALLFRAME_R31 offsetof(struct cal define UC_GREGS_R1 offsetof(ucontext_t, uc_mcontext.__gregs[_REG_R1]) define UC_GREGS_R3 offsetof(ucontext_t, uc_mcontext.__gregs[_REG_R3]) +define UC_GREGS_R30 offsetof(ucontext_t, uc_mcontext.__gregs[_REG_R30]) define UC_GREGS_PC offsetof(ucontext_t, uc_mcontext.__gregs[_REG_PC]) define SIG_BLOCK SIG_BLOCK Index: src/lib/libc/arch/powerpc/gen/swapcontext.S diff -u src/lib/libc/arch/powerpc/gen/swapcontext.S:1.6 src/lib/libc/arch/powerpc/gen/swapcontext.S:1.6.8.1 --- src/lib/libc/arch/powerpc/gen/swapcontext.S:1.6 Sun Jan 16 02:43:10 2011 +++ src/lib/libc/arch/powerpc/gen/swapcontext.S Tue Mar 13 17:27:39 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: swapcontext.S,v 1.6 2011/01/16 02:43:10 matt Exp $ */ +/* $NetBSD: swapcontext.S,v 1.6.8.1 2018/03/13 17:27:39 snj Exp $ */ /*- * Copyright (c) 2001 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "SYS.h" #include "assym.h" -__RCSID("$NetBSD: swapcontext.S,v 1.6 2011/01/16 02:43:10 matt Exp $") +__RCSID("$NetBSD: swapcontext.S,v 1.6.8.1 2018/03/13 17:27:39 snj Exp $") #define XCALLFRAMELEN (((2+3)*SZREG + CALLFRAMELEN - 1) & -CALLFRAMELEN) #define XCALLFRAME_R30 (XCALLFRAMELEN-1*SZREG) @@ -57,6 +57,10 @@ ENTRY(swapcontext) stw %r0,UC_GREGS_PC(%r11) # pc <- lr addi %r0,%r1,XCALLFRAMELEN stw %r0,UC_GREGS_R1(%r11) # adjust sp +#ifdef PIC + lwz %r0,XCALLFRAME_R30(%r1) + stw %r0,UC_GREGS_R30(%r11) # caller's r30 +#endif lwz %r3,XCALLFRAME_UCP(%r1) # load ucp bl PIC_PLT(_C_LABEL(setcontext)) # setcontext(ucp) 1:
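Review bot: The new `#ifdef PIC` block in swapcontext relies on the caller's %r30 having been spilled to `XCALLFRAME_R30(%r1)` earlier in the function, but the only explanation in the code is the trailing `# caller's r30`. A short comment above the `lwz` saying that PIC code clobbers %r30 and that the value saved in oucp is therefore stale (the reasoning given in the log message) would keep someone from deleting the pair as redundant. It would also help to state why the non-PIC build needs no such fixup.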
CVS commit: [netbsd-6] src/sys/dev/sbus
Module Name:src Committed By: snj Date: Tue Mar 13 17:20:25 UTC 2018 Modified Files: src/sys/dev/sbus [netbsd-6]: be.c Log Message: Pull up following revision(s) (requested by msaitoh in ticket #1533): sys/dev/sbus/be.c: 1.86 spl leak, found by Mootja a long time ago To generate a diff of this commit: cvs rdiff -u -r1.78 -r1.78.2.1 src/sys/dev/sbus/be.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/sbus/be.c diff -u src/sys/dev/sbus/be.c:1.78 src/sys/dev/sbus/be.c:1.78.2.1 --- src/sys/dev/sbus/be.c:1.78 Thu Feb 2 19:43:06 2012 +++ src/sys/dev/sbus/be.c Tue Mar 13 17:20:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: be.c,v 1.78 2012/02/02 19:43:06 tls Exp $ */ +/* $NetBSD: be.c,v 1.78.2.1 2018/03/13 17:20:25 snj Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. @@ -57,7 +57,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: be.c,v 1.78 2012/02/02 19:43:06 tls Exp $"); +__KERNEL_RCSID(0, "$NetBSD: be.c,v 1.78.2.1 2018/03/13 17:20:25 snj Exp $"); #include "opt_ddb.h" #include "opt_inet.h" @@ -1126,6 +1126,7 @@ beinit(struct ifnet *ifp) callout_reset(&sc->sc_tick_ch, hz, be_tick, sc); + splx(s); return 0; out: splx(s);
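Review bot: In beinit the success path now ends `splx(s); return 0;` directly above `out: splx(s);`, so the restore is duplicated. Letting the success path fall through to a single exit (one `splx(s)`, one return of the status) keeps raise and restore paired in one place and makes this class of leak harder to reintroduce.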
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: snj Date: Tue Mar 13 17:18:16 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ah.c xform_esp.c xform_ipip.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1532): sys/netipsec/xform_ah.c: 1.77 via patch sys/netipsec/xform_esp.c: 1.73 via patch sys/netipsec/xform_ipip.c: 1.56-1.57 via patch Reinforce and clarify. -- Add missing NULL check. Normally that's not triggerable remotely, since we are guaranteed that 8 bytes are valid at mbuf+skip. -- Fix use-after-free. There is a path where the mbuf gets pulled up without a proper mtod afterwards: 218 ipo = mtod(m, struct ip *); 281 m = m_pullup(m, hlen); 232 ipo->ip_src.s_addr Found by Mootja. Meanwhile it seems to me that 'ipo' should be set to NULL if the inner packet is IPv6, but I'll revisit that later. -- As I said in my last commit in this file, ipo should be set to NULL; otherwise the 'local address spoofing' check below is always wrong on IPv6. To generate a diff of this commit: cvs rdiff -u -r1.37.2.3 -r1.37.2.4 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.40 -r1.40.2.1 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.28.8.1 -r1.28.8.2 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.37.2.3 src/sys/netipsec/xform_ah.c:1.37.2.4 --- src/sys/netipsec/xform_ah.c:1.37.2.3 Thu Feb 15 16:49:04 2018 +++ src/sys/netipsec/xform_ah.c Tue Mar 13 17:18:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $ */ +/* $NetBSD: xform_ah.c,v 1.37.2.4 2018/03/13 17:18:15 snj Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* 
@@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.4 2018/03/13 17:18:15 snj Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -498,54 +498,45 @@ ah_massage_headers(struct mbuf **m0, int nxt = ip6.ip6_nxt & 0xff; /* Next header type. */ - for (off = 0; off < skip - sizeof(struct ip6_hdr);) + for (off = 0; off < skip - sizeof(struct ip6_hdr);) { + int noff; + switch (nxt) { case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: -ip6e = (struct ip6_ext *) (ptr + off); +ip6e = (struct ip6_ext *)(ptr + off); +noff = off + ((ip6e->ip6e_len + 1) << 3); + +/* Sanity check. */ +if (noff > skip - sizeof(struct ip6_hdr)) { + goto error6; +} /* - * Process the mutable/immutable - * options -- borrows heavily from the - * KAME code. + * Zero out mutable options. */ for (count = off + sizeof(struct ip6_ext); - count < off + ((ip6e->ip6e_len + 1) << 3);) { + count < noff;) { if (ptr[count] == IP6OPT_PAD1) { count++; - continue; /* Skip padding. */ - } - - /* Sanity check. */ - if (count > off + - ((ip6e->ip6e_len + 1) << 3)) { - m_freem(m); - - /* Free, if we allocated. */ - if (alloc) - free(ptr, M_XDATA); - return EINVAL; + continue; } ad = ptr[count + 1] + 2; - /* If mutable option, zeroize. */ - if (ptr[count] & IP6OPT_MUTABLE) - memcpy(ptr + count, ipseczeroes, - ad); + if (count + ad > noff) { + goto error6; + } + + if (ptr[count] & IP6OPT_MUTABLE) { + memset(ptr + count, 0, ad); + } count += ad; +} - /* Sanity check. */ - if (count > - skip - sizeof(struct ip6_hdr)) { - m_freem(m); - - /* Free, if we allocated. */ - if (alloc) - free(ptr, M_XDATA); - return EINVAL; - } +if (count != noff) { + goto error6; } /* Advance. */ 
@@ -603,11 +594,13 @@ ah_massage_headers(struct mbuf **m0, int default: DPRINTF(("ah_massage_headers: unexpected " "IPv6 header type %d", off)); +error6: if (alloc) free(ptr, M_XDATA); m_freem(m); return EINVAL; } + } /* Copyback and free, if we allocated. */ if (alloc) { Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.40 src/sys/netipsec/xform_esp.c:1.40.2.1 --- src/sys/netipsec/xform_esp.c:1.40 Wed Jan 25 20:31:23 2012 +++ src/sys/netipsec/xform_esp.c Tue Mar 13 17:18:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $ */ +/* $NetBSD: xform_esp.c,v 1.40.2.1 2018/03/13 17:18:15 snj Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 droc
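Review bot: In the option loop of ah_massage_headers (xform_ah.c), `ad = ptr[count + 1] + 2;` reads the option length before anything establishes that `count + 1 < noff`; with `count == noff - 1` and a non-Pad1 type byte, the length is taken from outside this extension header. The `count + ad > noff` test then rejects the packet, but only after the read, so a `count + 1 >= noff` check should come first. Please also confirm the same ordering for `noff` itself, which is computed from `ip6e->ip6e_len` while the loop condition only guarantees one byte at `off`. Style: the `error6:` label sits inside the `default:` arm of the switch and is the target of gotos from the other arms; placing it after the loop would read more clearly.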
CVS commit: [netbsd-6] src/sys/arch/macppc/dev
Module Name:src Committed By: snj Date: Tue Mar 13 17:09:15 UTC 2018 Modified Files: src/sys/arch/macppc/dev [netbsd-6]: snapper.c Log Message: Pull up following revision(s) (requested by sevan in ticket #1522): sys/arch/macppc/dev/snapper.c: 1.42 Fix issue with audio being downpitched, thanks to "it seems that snapper_init should be called before audio_attach_mi, as snapper init is setting the rate to 44100 after the hardware format has been configured by audio_attach_mi. audio_attach_mi should be the last thing called during an attach of an audio device so the audio device is ready to be configured when audio_attach_mi is called." Resolves PR port-macppc/52949 To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.38.4.1 src/sys/arch/macppc/dev/snapper.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/macppc/dev/snapper.c diff -u src/sys/arch/macppc/dev/snapper.c:1.38 src/sys/arch/macppc/dev/snapper.c:1.38.4.1 --- src/sys/arch/macppc/dev/snapper.c:1.38 Thu Nov 24 03:35:57 2011 +++ src/sys/arch/macppc/dev/snapper.c Tue Mar 13 17:09:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: snapper.c,v 1.38 2011/11/24 03:35:57 mrg Exp $ */ +/* $NetBSD: snapper.c,v 1.38.4.1 2018/03/13 17:09:15 snj Exp $ */ /* Id: snapper.c,v 1.11 2002/10/31 17:42:13 tsubai Exp */ /* Id: i2s.c,v 1.12 2005/01/15 14:32:35 tsubai Exp */ @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: snapper.c,v 1.38 2011/11/24 03:35:57 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: snapper.c,v 1.38.4.1 2018/03/13 17:09:15 snj Exp $"); #include #include @@ -839,10 +839,10 @@ snapper_defer(device_t dev) break; } - audio_attach_mi(&snapper_hw_if, sc, sc->sc_dev); - /* ki2c_setmode(sc->sc_i2c, I2C_STDSUBMODE); */ snapper_init(sc, sc->sc_node); + + audio_attach_mi(&snapper_hw_if, sc, sc->sc_dev); } static int
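Review bot: The reordering in snapper_defer is only correct as long as `audio_attach_mi()` stays last, and nothing in the code says so; the rationale lives in the log message alone. Add a comment above the call (for example "must come after snapper_init(), which sets the rate") so a later cleanup does not move it back.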
CVS commit: [netbsd-6] src/bin/ksh
Module Name:src Committed By: snj Date: Tue Mar 13 17:01:57 UTC 2018 Modified Files: src/bin/ksh [netbsd-6]: history.c Log Message: Pull up following revision(s) (requested by maya in ticket #1520): bin/ksh/history.c: 1.18 Use 0600 as the mode for histfile here too. pointed out by John D. Baker in PR bin/52480 To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.11.4.1 src/bin/ksh/history.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/bin/ksh/history.c diff -u src/bin/ksh/history.c:1.11 src/bin/ksh/history.c:1.11.4.1 --- src/bin/ksh/history.c:1.11 Wed Aug 31 16:24:54 2011 +++ src/bin/ksh/history.c Tue Mar 13 17:01:57 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: history.c,v 1.11 2011/08/31 16:24:54 plunky Exp $ */ +/* $NetBSD: history.c,v 1.11.4.1 2018/03/13 17:01:57 snj Exp $ */ /* * command history @@ -19,7 +19,7 @@ #include #ifndef lint -__RCSID("$NetBSD: history.c,v 1.11 2011/08/31 16:24:54 plunky Exp $"); +__RCSID("$NetBSD: history.c,v 1.11.4.1 2018/03/13 17:01:57 snj Exp $"); #endif @@ -757,7 +757,7 @@ hist_finish() else hp = histlist; - fd = open(hname, O_WRONLY | O_CREAT | O_TRUNC | O_EXLOCK, 0777); + fd = open(hname, O_WRONLY | O_CREAT | O_TRUNC | O_EXLOCK, 0600); /* Remove anything written before we got the lock */ ftruncate(fd, 0); if (fd >= 0 && (fh = fdopen(fd, "w"))) {
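Review bot: In hist_finish, the 0600 passed to `open()` only takes effect when O_CREAT actually creates the file; a histfile written by an earlier build under the old 0777 mode keeps whatever permissions it already has. Consider an `fchmod(fd, 0600)` after a successful open so existing files are tightened too. Also visible in the context lines: `ftruncate(fd, 0)` runs before the `fd >= 0` test, so it is called with -1 when the open fails; it belongs inside the `if`.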
CVS commit: [netbsd-6] src/sys/arch/sparc/sparc
Module Name:src Committed By: snj Date: Tue Mar 13 16:48:05 UTC 2018 Modified Files: src/sys/arch/sparc/sparc [netbsd-6]: timer.c timer_sun4m.c timerreg.h Log Message: Pull up following revision(s) (requested by mrg in ticket #1519): sys/arch/sparc/sparc/timer_sun4m.c: 1.33 1.34 1.31 sys/arch/sparc/sparc/timer.c: 1.33 sys/arch/sparc/sparc/timer.c: 1.33 1.34 sys/arch/sparc/sparc/timerreg.h: 1.33 1.34 1.31 1.10 fix time goes backwards problems on sparc. there are a few things here: - there's a race between reading the limit register (which clears the interrupt and the limit bit) and increasing the latest offset. this can happen easily if an interrupt comes between the read and the call to tickle_tc() that increases the offset (i observed this actually happening.) - in early boot, sometimes the counter can cycle twice before the tickle happens. to handle these issues, add two workarounds: - if the limit bit isn't set, but the counter value is less than the previous value, and the offset hasn't changed, use the same fixup as if the limit bit was set. this handles the first case above. - add a hard-workaround for never allowing returning a smaller value (except during 32 bit overflow): if the result is less than the last result, add fixups until it does (or until it would overflow.) the first workaround fixes general run-time issues, and the second fixes issues only seen during boot. also expand some comments in timer_sun4m.c and re-enable the sun4m sub-microsecond tmr_ustolim4m() support (but it's always called with at least 'tick' microseconds, so the end result is the same.) 
fix hang at 4B microseconds (1h12 or so), and simplify part of the previous To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.8.1 src/sys/arch/sparc/sparc/timer.c cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/arch/sparc/sparc/timer_sun4m.c cvs rdiff -u -r1.9 -r1.9.118.1 src/sys/arch/sparc/sparc/timerreg.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc/sparc/timer.c diff -u src/sys/arch/sparc/sparc/timer.c:1.29 src/sys/arch/sparc/sparc/timer.c:1.29.8.1 --- src/sys/arch/sparc/sparc/timer.c:1.29 Sun Jul 17 23:18:23 2011 +++ src/sys/arch/sparc/sparc/timer.c Tue Mar 13 16:48:05 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $ */ +/* $NetBSD: timer.c,v 1.29.8.1 2018/03/13 16:48:05 snj Exp $ */ /* * Copyright (c) 1992, 1993 @@ -60,7 +60,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29 2011/07/17 23:18:23 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: timer.c,v 1.29.8.1 2018/03/13 16:48:05 snj Exp $"); #include #include 
@@ -83,56 +83,93 @@ static u_int timer_get_timecount(struct * timecounter local state */ static struct counter { - volatile u_int *cntreg; /* counter register */ + __cpu_simple_lock_t lock; /* protects access to offset, reg, last* */ + volatile u_int *cntreg; /* counter register to read */ u_int limit; /* limit we count up to */ u_int offset; /* accumulated offet due to wraps */ u_int shift; /* scaling for valid bits */ u_int mask; /* valid bit mask */ -} cntr; + u_int lastcnt; /* the last* values are used to notice */ + u_int lastres; /* and fix up cases where it would appear */ + u_int lastoffset; /* time went backwards. */ +} cntr __aligned(CACHE_LINE_SIZE); /* * define timecounter */ static struct timecounter counter_timecounter = { - timer_get_timecount, /* get_timecount */ - 0, /* no poll_pps */ - ~0u, /* counter_mask */ - 0, /* frequency - set at initialisation */ - "timer-counter", /* name */ - 100, /* quality */ - &cntr /* private reference */ + .tc_get_timecount = timer_get_timecount, + .tc_poll_pps = NULL, + .tc_counter_mask = ~0u, + .tc_frequency = 0, + .tc_name = "timer-counter", + .tc_quality = 100, + .tc_priv = &cntr, }; /* * timer_get_timecount provide current counter value */ +__attribute__((__optimize__("Os"))) static u_int timer_get_timecount(struct timecounter *tc) { - struct counter *ctr = (struct counter *)tc->tc_priv; - - u_int c, res, r; + u_int cnt, res, fixup, offset; int s; - + /* + * We use splhigh/__cpu_simple_lock here as we don't want + * any mutex or lockdebug overhead. The lock protects a + * bunch of the members of cntr that are written here to + * deal with the various minor races to be observed and + * worked around. + */ s = splhigh(); - res = c = *ctr->cntreg; + __cpu_simple_lock(&cntr.lock); + res = cnt = *cntr.cntreg; res &= ~TMR_LIMIT; + offset = cntr.offset; - if (c != res) { - r = ctr->limit; + /* + * There are 3 cases here: + * - limit reached, interrupt not yet processed. 
+ * - count reset but offset the same, race between handling + * the interrupt and tickle_tc() updating the offset. + * - normal case. + * + * For the first two case
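Review bot: `__attribute__((__optimize__("Os")))` on timer_get_timecount is added without a word on why this function needs a per-function optimisation override; please document the reason next to it, since such attributes tend to outlive the problem they work around. Separately, the function now reads `cntr` directly and no longer goes through `tc->tc_priv`, while the initializer still sets `.tc_priv = &cntr`; either keep using `tc_priv` or say that the global is used deliberately. The struct comment's "offet" could be fixed while the block is being touched.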
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: snj Date: Tue Mar 13 16:43:06 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ip6_forward.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1518): sys/netinet6/ip6_forward.c: 1.89-1.90 via patch Fix use-after-free of mbuf by ip6flow_create This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd. -- Fix use-after-free of mbuf by ip6flow_create (one more) To generate a diff of this commit: cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_forward.c diff -u src/sys/netinet6/ip6_forward.c:1.69 src/sys/netinet6/ip6_forward.c:1.69.2.1 --- src/sys/netinet6/ip6_forward.c:1.69 Mon Dec 19 11:59:58 2011 +++ src/sys/netinet6/ip6_forward.c Tue Mar 13 16:43:06 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $ */ +/* $NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $ */ /* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $"); #include "opt_gateway.h" #include "opt_ipsec.h" @@ -645,8 +645,8 @@ ip6_forward(struct mbuf *m, int srcrt) IP6_STATINC(IP6_STAT_REDIRECTSENT); else { #ifdef GATEWAY - if (m->m_flags & M_CANFASTFWD) -ip6flow_create(&ip6_forward_rt, m); + if (mcopy->m_flags & M_CANFASTFWD) +ip6flow_create(&ip6_forward_rt, mcopy); #endif if (mcopy) goto freecopy;
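Review bot: The new `if (mcopy->m_flags & M_CANFASTFWD)` in ip6_forward dereferences `mcopy` two lines before the existing `if (mcopy) goto freecopy;`, which shows this path can be reached with `mcopy == NULL`. Fold the test in, for example `if (mcopy != NULL && (mcopy->m_flags & M_CANFASTFWD))`, so that GATEWAY kernels do not trade the use-after-free for a NULL dereference.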
CVS commit: [netbsd-6] src/sys/dev
Module Name:src Committed By: snj Date: Tue Mar 13 16:38:28 UTC 2018 Modified Files: src/sys/dev [netbsd-6]: fss.c Log Message: Pull up following revision(s) (requested by hannken in ticket #1516): sys/dev/fss.c: 1.101-1.103 Bounds check against media size for non-persistent snapshots. -- Treat partial read from backing store as I/O error. -- Pass residual back to b_resid for persistent snapshots. To generate a diff of this commit: cvs rdiff -u -r1.81.4.4 -r1.81.4.5 src/sys/dev/fss.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/fss.c diff -u src/sys/dev/fss.c:1.81.4.4 src/sys/dev/fss.c:1.81.4.5 --- src/sys/dev/fss.c:1.81.4.4 Sat Aug 27 14:47:47 2016 +++ src/sys/dev/fss.c Tue Mar 13 16:38:28 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $ */ +/* $NetBSD: fss.c,v 1.81.4.5 2018/03/13 16:38:28 snj Exp $ */ /*- * Copyright (c) 2003 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.4 2016/08/27 14:47:47 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: fss.c,v 1.81.4.5 2018/03/13 16:38:28 snj Exp $"); #include #include @@ -90,7 +90,7 @@ static void fss_softc_free(struct fss_so static int fss_read_cluster(struct fss_softc *, u_int32_t); static void fss_bs_thread(void *); static int fss_bs_io(struct fss_softc *, fss_io_type, -u_int32_t, off_t, int, void *); +u_int32_t, off_t, int, void *, size_t *); static u_int32_t *fss_bs_indir(struct fss_softc *, u_int32_t); static kmutex_t fss_device_lock; /* Protect all units. */ 
@@ -266,20 +266,26 @@ fss_strategy(struct buf *bp) mutex_enter(&sc->sc_slock); if (write || !FSS_ISVALID(sc)) { - - mutex_exit(&sc->sc_slock); - bp->b_error = (write ? EROFS : ENXIO); - bp->b_resid = bp->b_bcount; - biodone(bp); - return; + goto done; } + /* Check bounds for non-persistent snapshots. */ + if ((sc->sc_flags & FSS_PERSISTENT) == 0 && + bounds_check_with_mediasize(bp, DEV_BSIZE, + btodb(FSS_CLTOB(sc, sc->sc_clcount - 1) + sc->sc_clresid)) <= 0) + goto done; bp->b_rawblkno = bp->b_blkno; bufq_put(sc->sc_bufq, bp); cv_signal(&sc->sc_work_cv); mutex_exit(&sc->sc_slock); + return; + +done: + mutex_exit(&sc->sc_slock); + bp->b_resid = bp->b_bcount; + biodone(bp); } int @@ -993,6 +999,8 @@ restart: todo -= len; } error = biowait(mbp); + if (error == 0 && mbp->b_resid != 0) + error = EIO; putiobuf(mbp); mutex_enter(&sc->sc_slock); @@ -1014,7 +1022,7 @@ restart: */ static int fss_bs_io(struct fss_softc *sc, fss_io_type rw, -u_int32_t cl, off_t off, int len, void *data) +u_int32_t cl, off_t off, int len, void *data, size_t *resid) { int error; @@ -1025,7 +1033,7 @@ fss_bs_io(struct fss_softc *sc, fss_io_t error = vn_rdwr((rw == FSS_READ ? UIO_READ : UIO_WRITE), sc->sc_bs_vp, data, len, off, UIO_SYSSPACE, IO_ADV_ENCODE(POSIX_FADV_NOREUSE) | IO_NODELOCKED, - sc->sc_bs_lwp->l_cred, NULL, NULL); + sc->sc_bs_lwp->l_cred, resid, NULL); if (error == 0) { mutex_enter(sc->sc_bs_vp->v_interlock); error = VOP_PUTPAGES(sc->sc_bs_vp, trunc_page(off), @@ -1054,7 +1062,7 @@ fss_bs_indir(struct fss_softc *sc, u_int if (sc->sc_indir_dirty) { if (fss_bs_io(sc, FSS_WRITE, sc->sc_indir_cur, 0, - FSS_CLSIZE(sc), (void *)sc->sc_indir_data) != 0) + FSS_CLSIZE(sc), (void *)sc->sc_indir_data, NULL) != 0) return NULL; setbit(sc->sc_indir_valid, sc->sc_indir_cur); } 
@@ -1064,7 +1072,7 @@ fss_bs_indir(struct fss_softc *sc, u_int if (isset(sc->sc_indir_valid, sc->sc_indir_cur)) { if (fss_bs_io(sc, FSS_READ, sc->sc_indir_cur, 0, - FSS_CLSIZE(sc), (void *)sc->sc_indir_data) != 0) + FSS_CLSIZE(sc), (void *)sc->sc_indir_data, NULL) != 0) return NULL; } else memset(sc->sc_indir_data, 0, FSS_CLSIZE(sc)); @@ -1085,6 +1093,7 @@ fss_bs_thread(void *arg) long off; char *addr; u_int32_t c, cl, ch, *indirp; + size_t resid; struct buf *bp, *nbp; struct fss_softc *sc; struct fss_cache *scp, *scl; @@ -1121,14 +1130,18 @@ fss_bs_thread(void *arg) disk_busy(sc->sc_dkdev); error = fss_bs_io(sc, FSS_READ, 0, dbtob(bp->b_blkno), bp->b_bcount, -bp->b_data); +bp->b_data, &resid); +if (error) + resid = bp->b_bcount; disk_unbusy(sc->sc_dkdev, (error ? 0 : bp->b_bcount), is_read); - } else + } else { error = ENXIO; +resid = bp->b_bcount; + } bp->b_error = error; - bp->b_resid = (error ? bp->b_bcount : 0); + bp->b_resid = resid; biodone(bp); mutex_enter(&sc->sc_slock); @@ -1149,7 +1162,7 @@ fss_bs_thread(void *arg) indirp = fss_bs_indir(sc, scp->fc_cluster); if (indirp != NULL) { error = fss_bs_io(sc, FSS_WRITE, sc->sc_clnext, -0, FSS_CLSIZE(sc), scp->fc_data); +0, FSS_CLSIZE(sc), scp->fc_data, NULL); } else
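Review bot: In the fss_strategy() hunk the removed block set bp->b_error = (write ? EROFS : ENXIO) before biodone(), while the added path is a bare goto done and the done: label only sets bp->b_resid. As shown, a write or a request against an invalid snapshot completes without an error code; keep the b_error assignment ahead of the goto, or confirm it survives as an unchanged line. The bounds-check failure also lands on done:, so a comment there saying who is expected to have set b_error would help.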
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Sat Mar 3 20:50:38 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1512, 1513, 1515 To generate a diff of this commit: cvs rdiff -u -r1.1.2.325 -r1.1.2.326 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.325 src/doc/CHANGES-6.2:1.1.2.326 --- src/doc/CHANGES-6.2:1.1.2.325 Mon Feb 19 20:56:37 2018 +++ src/doc/CHANGES-6.2 Sat Mar 3 20:50:38 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.325 2018/02/19 20:56:37 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.326 2018/03/03 20:50:38 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21073,3 +21073,23 @@ sys/arch/x86/x86/vm_machdep.c 1.30 via Prevent unrestricted userland access to I/O ports in XEN. [maxv, ticket #1517] +sys/dev/rndpseudo.cpatch +sys/kern/subr_cprng.cpatch +sys/sys/cprng.h patch + + Fix panic when waiting with kqueue/kevent for a read from + /dev/random. + [riastradh, ticket #1512] + +sys/arch/sparc/sparc/locore.s 1.269 + + Avoid an instruction requiring a higher alignment than we + are guaranteed. PR port-sparc/52721: ddb errors on ps command + [maya, ticket #1513] + +dist/pf/etc/pf.os1.4-1.5 + + Synchronise with r1.27 from OpenBSD + Add DragonFly BSD fingerprints. + [sevan, ticket #1515] +
CVS commit: [netbsd-6] src/dist/pf/etc
Module Name:src Committed By: snj Date: Sat Mar 3 20:49:18 UTC 2018 Modified Files: src/dist/pf/etc [netbsd-6]: pf.os Log Message: Pull up following revision(s) (requested by sevan in ticket #1515): dist/pf/etc/pf.os: 1.4-1.5 Synchronise with r1.27 from OpenBSD -- Add DragonFly BSD fingerprints. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.3.20.1 src/dist/pf/etc/pf.os Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/etc/pf.os diff -u src/dist/pf/etc/pf.os:1.3 src/dist/pf/etc/pf.os:1.3.20.1 --- src/dist/pf/etc/pf.os:1.3 Wed Jun 18 09:06:25 2008 +++ src/dist/pf/etc/pf.os Sat Mar 3 20:49:18 2018 @@ -1,5 +1,5 @@ -# $NetBSD: pf.os,v 1.3 2008/06/18 09:06:25 yamt Exp $ -# $OpenBSD: pf.os,v 1.21 2006/07/28 21:51:12 david Exp $ +# $NetBSD: pf.os,v 1.3.20.1 2018/03/03 20:49:18 snj Exp $ +# $OpenBSD: pf.os,v 1.27 2016/09/03 17:08:57 sthen Exp $ # passive OS fingerprinting # - # @@ -226,7 +226,13 @@ S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linu S3:64:1:60:M*,S,T,N,W0: Linux:2.4:.18-21:Linux 2.4.18 and newer S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7 S4:64:1:60:M*,S,T,N,W0: Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7 -S4:64:1:60:M*,S,T,N,W7: Linux:2.6:8:Linux 2.6.8 and newer (?) + +S4:64:1:60:M*,S,T,N,W5: Linux:2.6::Linux 2.6 (newer, 1) +S4:64:1:60:M*,S,T,N,W6: Linux:2.6::Linux 2.6 (newer, 2) +S4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 3) +T4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 4) + +S10:64:1:60:M*,S,T,N,W4: Linux:3.0::Linux 3.0 S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4) S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6 
@@ -299,13 +305,27 @@ S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts: # - OpenBSD - 16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6) -16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0::OpenBSD 3.0-4.0 -16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:no-df:OpenBSD 3.0-4.0 (scrub no-df) +16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8::OpenBSD 3.0-4.8 +16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 (scrub no-df) 57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0 57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df) 65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera) +16384:64:1:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9::OpenBSD 4.9 +16384:64:0:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub no-df) + +16384:64:1:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1::OpenBSD 6.1 +16384:64:0:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1:no-df:OpenBSD 6.1 (scrub no-df) + +# - DragonFly BSD - + +57344:64:1:60:M*,N,W0,N,N,T: DragonFly:1.0:A:DragonFly 1.0A +57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:1.2-1.12::DragonFly 1.2-1.12 +5840:64:1:60:M*,S,T,N,W4: DragonFly:2.0-2.1::DragonFly 2.0-2.1 +57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:2.2-2.3::DragonFly 2.2-2.3 +57344:64:0:64:M*,N,W5,N,N,S,N,N,T: DragonFly:2.4-2.7::DragonFly 2.4-2.7 + # - Solaris - S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323 @@ -362,7 +382,7 @@ S34:64:1:52:M*,N,W0,N,N,S: Solaris:10:b # - Windows - # Windows TCP/IP stack is a mess. For most recent XP, 2000 and -# even 98, the pathlevel, not the actual OS version, is more +# even 98, the patchlevel, not the actual OS version, is more # relevant to the signature. They share the same code, so it would # seem. Luckily for us, almost all Windows 9x boxes have an # awkward MSS of 536, which I use to tell one from another 
@@ -426,6 +446,8 @@ S44:128:1:48:M*,N,N,S: Windows:XP:SP1: 32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4 32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4 +8192:128:1:52:M*,N,W2,N,N,S: Windows:Vista::Windows Vista/7 + # Odds, ends, mods: S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco
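Review bot: In the new DragonFly block, the 1.2-1.12 and 2.2-2.3 entries carry the identical signature 57344:64:0:64:M*,N,W0,N,N,S,N,N,T, so the version field cannot distinguish the two ranges for that fingerprint. Merge them into one range or add a comment saying the version is ambiguous, so nobody writes a filter rule that depends on it. The 65535 "opera" and 57344 OpenBSD entries also still stop at 4.0 while the 16384 entries were widened to 3.0-4.8; say whether that is intentional.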
CVS commit: [netbsd-6] src/sys/arch/sparc/sparc
Module Name:src Committed By: snj Date: Sat Mar 3 20:47:24 UTC 2018 Modified Files: src/sys/arch/sparc/sparc [netbsd-6]: locore.s Log Message: Pull up following revision(s) (requested by maya in ticket #1513): sys/arch/sparc/sparc/locore.s: 1.269 Avoid an instruction requiring a higher alignment than we are guaranteed Fixes PR port-sparc/52721: ddb errors on ps command Thanks to mlelstv. To generate a diff of this commit: cvs rdiff -u -r1.265 -r1.265.8.1 src/sys/arch/sparc/sparc/locore.s Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc/sparc/locore.s diff -u src/sys/arch/sparc/sparc/locore.s:1.265 src/sys/arch/sparc/sparc/locore.s:1.265.8.1 --- src/sys/arch/sparc/sparc/locore.s:1.265 Mon Aug 15 02:19:44 2011 +++ src/sys/arch/sparc/sparc/locore.s Sat Mar 3 20:47:24 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: locore.s,v 1.265 2011/08/15 02:19:44 mrg Exp $ */ +/* $NetBSD: locore.s,v 1.265.8.1 2018/03/03 20:47:24 snj Exp $ */ /* * Copyright (c) 1996 Paul Kranenburg @@ -6286,8 +6286,9 @@ ENTRY(longjmp) cmp %fp, %g7 ! compare against desired frame bl,a 1b ! if below, restore !pop frame and loop - be,a 2f ! if there, - ldd [%g1+0], %o2 !fetch return %sp and pc, and get out + ld [%g1+0], %o2 ! fetch return %sp + be,a 2f ! we're there, get out + ld [%g1+4], %o3 ! fetch return pc Llongjmpbotch: ! otherwise, went too far; bomb out
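Review bot: The first added instruction, ld [%g1+0], %o2, sits before the be,a and therefore now also executes on the fall-through into Llongjmpbotch, where the old annulled ldd did not. That is fine only if the botch path does not depend on %o2; add a one-line comment saying so, and saying that ldd was dropped because %g1 is not guaranteed to be doubleword-aligned, so nobody folds the two loads back together.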
CVS commit: [netbsd-6] src/sys
Module Name:src Committed By: snj Date: Sat Mar 3 20:44:39 UTC 2018 Modified Files: src/sys/dev [netbsd-6]: rndpseudo.c src/sys/kern [netbsd-6]: subr_cprng.c src/sys/sys [netbsd-6]: cprng.h Log Message: Apply patch (requested by riastradh in ticket #1512): Fix panic when waiting with kqueue/kevent for a read from /dev/random. To generate a diff of this commit: cvs rdiff -u -r1.6.2.3 -r1.6.2.4 src/sys/dev/rndpseudo.c cvs rdiff -u -r1.5.2.8 -r1.5.2.9 src/sys/kern/subr_cprng.c cvs rdiff -u -r1.4.2.1 -r1.4.2.2 src/sys/sys/cprng.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/rndpseudo.c diff -u src/sys/dev/rndpseudo.c:1.6.2.3 src/sys/dev/rndpseudo.c:1.6.2.4 --- src/sys/dev/rndpseudo.c:1.6.2.3 Mon May 21 16:49:54 2012 +++ src/sys/dev/rndpseudo.c Sat Mar 3 20:44:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $ */ +/* $NetBSD: rndpseudo.c,v 1.6.2.4 2018/03/03 20:44:38 snj Exp $ */ /*- * Copyright (c) 1997-2011 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.3 2012/05/21 16:49:54 jdc Exp $"); +__KERNEL_RCSID(0, "$NetBSD: rndpseudo.c,v 1.6.2.4 2018/03/03 20:44:38 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -673,13 +673,13 @@ rnd_poll(struct file *fp, int events) } } + mutex_enter(&ctx->cprng->mtx); if (cprng_strong_ready(ctx->cprng)) { revents |= events & (POLLIN | POLLRDNORM); } else { - mutex_enter(&ctx->cprng->mtx); selrecord(curlwp, &ctx->cprng->selq); - mutex_exit(&ctx->cprng->mtx); } + mutex_exit(&ctx->cprng->mtx); return (revents); } 
@@ -731,12 +731,24 @@ static int filt_rndread(struct knote *kn, long hint) { cprng_strong_t *c = kn->kn_hook; + int ret; + if (hint & NOTE_SUBMIT) + KASSERT(mutex_owned(&c->mtx)); + else + mutex_enter(&c->mtx); if (cprng_strong_ready(c)) { kn->kn_data = RND_TEMP_BUFFER_SIZE; - return 1; + ret = 1; + } else { + ret = 0; } - return 0; + if (hint & NOTE_SUBMIT) + KASSERT(mutex_owned(&c->mtx)); + else + mutex_exit(&c->mtx); + + return ret; } static const struct filterops rnd_seltrue_filtops = Index: src/sys/kern/subr_cprng.c diff -u src/sys/kern/subr_cprng.c:1.5.2.8 src/sys/kern/subr_cprng.c:1.5.2.9 --- src/sys/kern/subr_cprng.c:1.5.2.8 Fri Mar 29 00:44:28 2013 +++ src/sys/kern/subr_cprng.c Sat Mar 3 20:44:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $ */ +/* $NetBSD: subr_cprng.c,v 1.5.2.9 2018/03/03 20:44:38 snj Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. @@ -46,7 +46,7 @@ #include -__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.8 2013/03/29 00:44:28 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_cprng.c,v 1.5.2.9 2018/03/03 20:44:38 snj Exp $"); void cprng_init(void) @@ -95,7 +95,7 @@ cprng_strong_doreseed(cprng_strong_t *co if (c->flags & CPRNG_USE_CV) { cv_broadcast(&c->cv); } - selnotify(&c->selq, 0, 0); + selnotify(&c->selq, 0, NOTE_SUBMIT); } static void @@ -397,7 +397,7 @@ cprng_strong_setflags(cprng_strong_t *co if (c->flags & CPRNG_USE_CV) { cv_broadcast(&c->cv); } - selnotify(&c->selq, 0, 0); + selnotify(&c->selq, 0, NOTE_SUBMIT); } } c->flags = flags; Index: src/sys/sys/cprng.h diff -u src/sys/sys/cprng.h:1.4.2.1 src/sys/sys/cprng.h:1.4.2.2 --- src/sys/sys/cprng.h:1.4.2.1 Fri Apr 20 23:35:20 2012 +++ src/sys/sys/cprng.h Sat Mar 3 20:44:39 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: cprng.h,v 1.4.2.1 2012/04/20 23:35:20 riz Exp $ */ +/* $NetBSD: cprng.h,v 1.4.2.2 2018/03/03 20:44:39 snj Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. 
@@ -121,12 +121,11 @@ static inline int cprng_strong_ready(cprng_strong_t *c) { int ret = 0; - - mutex_enter(&c->mtx); + + KASSERT(mutex_owned(&c->mtx)); if (c->drbg.reseed_counter < NIST_CTR_DRBG_RESEED_INTERVAL) { ret = 1; } - mutex_exit(&c->mtx); return ret; }
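Review bot: cprng_strong_ready() in cprng.h changes from taking c->mtx itself to KASSERT(mutex_owned(&c->mtx)), which is a contract change for every caller of this inline, and the assertion vanishes in kernels built without DIAGNOSTIC. The diff updates rnd_poll() and filt_rndread() only; document the locking requirement in a comment above the function and check the remaining callers. In filt_rndread() the trailing KASSERT under hint & NOTE_SUBMIT repeats the one at entry and can go, and both selnotify(&c->selq, 0, NOTE_SUBMIT) sites should carry a comment that c->mtx is held there, since the hunks do not show it.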
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Mon Feb 19 20:56:37 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1517 To generate a diff of this commit: cvs rdiff -u -r1.1.2.324 -r1.1.2.325 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.324 src/doc/CHANGES-6.2:1.1.2.325 --- src/doc/CHANGES-6.2:1.1.2.324 Fri Feb 16 18:10:40 2018 +++ src/doc/CHANGES-6.2 Mon Feb 19 20:56:37 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.324 2018/02/16 18:10:40 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.325 2018/02/19 20:56:37 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21064,3 +21064,12 @@ sys/netipsec/ipsec.c1.130 Fix inverted logic that could crash the kernel. [maxv, ticket #1531] +sys/arch/amd64/amd64/machdep.c 1.280 via patch +sys/arch/amd64/include/segments.h 1.34 via patch +sys/arch/i386/i386/machdep.c 1.800 via patch +sys/arch/i386/include/segments.h 1.64 via patch +sys/arch/x86/x86/vm_machdep.c 1.30 via patch + + Prevent unrestricted userland access to I/O ports in XEN. + [maxv, ticket #1517] +
CVS commit: [netbsd-6] src/sys/arch
Module Name:src Committed By: snj Date: Mon Feb 19 20:54:38 UTC 2018 Modified Files: src/sys/arch/amd64/amd64 [netbsd-6]: machdep.c src/sys/arch/amd64/include [netbsd-6]: segments.h src/sys/arch/i386/i386 [netbsd-6]: machdep.c src/sys/arch/i386/include [netbsd-6]: segments.h src/sys/arch/x86/x86 [netbsd-6]: vm_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1517): sys/arch/amd64/amd64/machdep.c: 1.280 via patch sys/arch/amd64/include/segments.h: 1.34 via patch sys/arch/i386/i386/machdep.c: 1.800 sys/arch/i386/include/segments.h: 1.64 sys/arch/x86/x86/vm_machdep.c: 1.30 Fix a huge privilege separation vulnerability in Xen-amd64. On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL equals SEL_UPL. While Xen can make a distinction between usermode and kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes to read and write to the CPU ports. It is easy, then, to completely escalate privileges; by reprogramming the PIC, by reading the ATA disks, by intercepting the keyboard interrupts (keylogger), etc. Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use the ports but not userland. I didn't test this change on i386, but it seems fine enough. To generate a diff of this commit: cvs rdiff -u -r1.175.2.9 -r1.175.2.10 src/sys/arch/amd64/amd64/machdep.c cvs rdiff -u -r1.22 -r1.22.10.1 src/sys/arch/amd64/include/segments.h cvs rdiff -u -r1.717.2.8 -r1.717.2.9 src/sys/arch/i386/i386/machdep.c cvs rdiff -u -r1.54 -r1.54.10.1 src/sys/arch/i386/include/segments.h cvs rdiff -u -r1.14 -r1.14.2.1 src/sys/arch/x86/x86/vm_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/sys/arch/amd64/amd64/machdep.c diff -u src/sys/arch/amd64/amd64/machdep.c:1.175.2.9 src/sys/arch/amd64/amd64/machdep.c:1.175.2.10 --- src/sys/arch/amd64/amd64/machdep.c:1.175.2.9 Tue Aug 8 12:00:35 2017 +++ src/sys/arch/amd64/amd64/machdep.c Mon Feb 19 20:54:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $ */ +/* $NetBSD: machdep.c,v 1.175.2.10 2018/02/19 20:54:37 snj Exp $ */ /*- * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011 @@ -111,7 +111,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.9 2017/08/08 12:00:35 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.175.2.10 2018/02/19 20:54:37 snj Exp $"); /* #define XENDEBUG_LOW */ @@ -477,7 +477,7 @@ x86_64_proc0_tss_ldt_init(void) pcb->pcb_fs = 0; pcb->pcb_gs = 0; pcb->pcb_rsp0 = (uvm_lwp_getuarea(l) + KSTACK_SIZE - 16) & ~0xf; - pcb->pcb_iopl = SEL_KPL; + pcb->pcb_iopl = IOPL_KPL; pmap_kernel()->pm_ldt_sel = GSYSSEL(GLDT_SEL, SEL_KPL); pcb->pcb_cr0 = rcr0() & ~CR0_TS; Index: src/sys/arch/amd64/include/segments.h diff -u src/sys/arch/amd64/include/segments.h:1.22 src/sys/arch/amd64/include/segments.h:1.22.10.1 --- src/sys/arch/amd64/include/segments.h:1.22 Mon Feb 7 03:54:45 2011 +++ src/sys/arch/amd64/include/segments.h Mon Feb 19 20:54:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: segments.h,v 1.22 2011/02/07 03:54:45 chs Exp $ */ +/* $NetBSD: segments.h,v 1.22.10.1 2018/02/19 20:54:37 snj Exp $ */ /*- * Copyright (c) 1990 The Regents of the University of California. 
@@ -107,6 +107,12 @@ #define ISLDT(s) ((s) & SEL_LDT) /* is it local or global */ #define SEL_LDT 4 /* local descriptor table */ +#ifdef XEN +#define IOPL_KPL 1 +#else +#define IOPL_KPL SEL_KPL +#endif + /* Dynamically allocated TSSs and LDTs start (byte offset) */ #define SYSSEL_START (NGDT_MEM << 3) #define DYNSEL_START (SYSSEL_START + (NGDT_SYS << 4)) Index: src/sys/arch/i386/i386/machdep.c diff -u src/sys/arch/i386/i386/machdep.c:1.717.2.8 src/sys/arch/i386/i386/machdep.c:1.717.2.9 --- src/sys/arch/i386/i386/machdep.c:1.717.2.8 Tue Aug 8 12:00:35 2017 +++ src/sys/arch/i386/i386/machdep.c Mon Feb 19 20:54:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: machdep.c,v 1.717.2.8 2017/08/08 12:00:35 martin Exp $ */ +/* $NetBSD: machdep.c,v 1.717.2.9 2018/02/19 20:54:38 snj Exp $ */ /*- * Copyright (c) 1996, 1997, 1998, 2000, 2004, 2006, 2008, 2009 @@ -67,7 +67,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.8 2017/08/08 12:00:35 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.717.2.9 2018/02/19 20:54:38 snj Exp $"); #include "opt_beep.h" #include "opt_compat_ibcs2.h" @@ -509,7 +509,7 @@ i386_proc0_tss_ldt_init(void) pmap_kernel()->pm_ldt_sel = GSEL(GLDT_SEL, SEL_KPL); pcb->pcb_cr0 = rcr0() & ~CR0_TS; pcb->pcb_esp0 = uvm_lwp_getuarea(l) + KSTACK_SIZE - 16; - pcb->pcb_iopl = SEL_KPL; + pcb->pcb_iopl = IOPL_KPL; l->l_md.md_regs = (struct trapframe *)pcb->pcb_esp0 - 1; memcpy(&pcb->pcb_fsd, &gdt[GUDATA_SEL], sizeof(pcb->pcb_fsd));
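Review bot: #define IOPL_KPL 1 in amd64 segments.h is a bare constant with no comment; say next to it why it is 1 under XEN (the log message has the reasoning: SEL_KPL equals SEL_UPL there, so using SEL_KPL for iopl hands the ports to userland). i386 machdep.c now uses IOPL_KPL as well, but the i386 segments.h definition and the vm_machdep.c change named in the log are not in the diff shown here, and the log says the change was not tested on i386; build both a XEN and a native i386 kernel before this goes in.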
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Fri Feb 16 18:10:40 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1531 To generate a diff of this commit: cvs rdiff -u -r1.1.2.323 -r1.1.2.324 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.323 src/doc/CHANGES-6.2:1.1.2.324 --- src/doc/CHANGES-6.2:1.1.2.323 Thu Feb 15 14:49:40 2018 +++ src/doc/CHANGES-6.2 Fri Feb 16 18:10:40 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.323 2018/02/15 14:49:40 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.324 2018/02/16 18:10:40 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21059,3 +21059,8 @@ sys/netipsec/xform_ipip.c 1.44 via pat Fix IPv6-IPsec-AH tunnels. [maxv, ticket #1529] +sys/netipsec/ipsec.c1.130 + + Fix inverted logic that could crash the kernel. + [maxv, ticket #1531] +
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Fri Feb 16 18:10:09 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: ipsec.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1531): sys/netipsec/ipsec.c: revision 1.130 Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte AH packet. Triggerable before authentication when IPsec and forwarding are both enabled. To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.55.8.1 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.55 src/sys/netipsec/ipsec.c:1.55.8.1 --- src/sys/netipsec/ipsec.c:1.55 Thu Jun 9 19:54:18 2011 +++ src/sys/netipsec/ipsec.c Fri Feb 16 18:10:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $ */ +/* $NetBSD: ipsec.c,v 1.55.8.1 2018/02/16 18:10:09 martin Exp $ */ /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55 2011/06/09 19:54:18 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.55.8.1 2018/02/16 18:10:09 martin Exp $"); /* * IPsec controller part. @@ -979,7 +979,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se spidx->dst.sin.sin_port = uh.uh_dport; return; case IPPROTO_AH: - if (m->m_pkthdr.len > off + sizeof(ip6e)) + if (off + sizeof(ip6e) > m->m_pkthdr.len) goto done; /* XXX sigh, this works but is totally bogus */ m_copydata(m, off, sizeof(ip6e), &ip6e);
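Review bot: The corrected test off + sizeof(ip6e) > m->m_pkthdr.len is evaluated in size_t because of the sizeof, so it rejects short packets correctly only while both sides are non-negative. State that assumption in a comment or cast explicitly, and check that the other cases in ipsec4_get_ulp() use the same "needed > available" form before their m_copydata() calls. The one-byte AH packet named in the log message belongs in a regression test.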
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Thu Feb 15 16:49:05 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ah.c Log Message: Fix previous (Ticket #1530) To generate a diff of this commit: cvs rdiff -u -r1.37.2.2 -r1.37.2.3 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.37.2.2 src/sys/netipsec/xform_ah.c:1.37.2.3 --- src/sys/netipsec/xform_ah.c:1.37.2.2 Thu Feb 15 08:08:19 2018 +++ src/sys/netipsec/xform_ah.c Thu Feb 15 16:49:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $ */ +/* $NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.3 2018/02/15 16:49:04 martin Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -687,11 +687,10 @@ ah_input(struct mbuf *m, const struct se return EACCES; } if (skip + authsize + rplen > m->m_pkthdr.len) { - char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)" " for packet in SA %s/%08lx\n", __func__, m->m_pkthdr.len, (u_long)(skip + authsize + rplen), - ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_BADAUTHL); m_freem(m);
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu Feb 15 14:49:41 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1529 To generate a diff of this commit: cvs rdiff -u -r1.1.2.322 -r1.1.2.323 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.322 src/doc/CHANGES-6.2:1.1.2.323 --- src/doc/CHANGES-6.2:1.1.2.322 Thu Feb 15 08:08:58 2018 +++ src/doc/CHANGES-6.2 Thu Feb 15 14:49:40 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.322 2018/02/15 08:08:58 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.323 2018/02/15 14:49:40 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21054,3 +21054,8 @@ sys/netipsec/xform_ah.c1.80-1.81 via Fix use-after-free and and add more consistency checks. [maxv, ticket #1530] +sys/netipsec/xform_ipip.c 1.44 via patch + + Fix IPv6-IPsec-AH tunnels. + [maxv, ticket #1529] +
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Thu Feb 15 14:49:00 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ipip.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1529): sys/netipsec/xform_ipip.c: revision 1.44 via patch PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right, don't forget to subtract the ipv6 header length. To generate a diff of this commit: cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.28 src/sys/netipsec/xform_ipip.c:1.28.8.1 --- src/sys/netipsec/xform_ipip.c:1.28 Sun Jul 17 20:54:54 2011 +++ src/sys/netipsec/xform_ipip.c Thu Feb 15 14:49:00 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.28.8.1 2018/02/15 14:49:00 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28 2011/07/17 20:54:54 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.8.1 2018/02/15 14:49:00 martin Exp $"); /* * IP-inside-IP processing @@ -566,7 +566,7 @@ ipip_output( ip6o->ip6_flow = 0; ip6o->ip6_vfc &= ~IPV6_VERSION_MASK; ip6o->ip6_vfc |= IPV6_VERSION; - ip6o->ip6_plen = htons(m->m_pkthdr.len); + ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)); ip6o->ip6_hlim = ip_defttl; ip6o->ip6_dst = saidx->dst.sin6.sin6_addr; ip6o->ip6_src = saidx->src.sin6.sin6_addr;
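Review bot: ip6o->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6o)) does the subtraction in size_t and then truncates to 16 bits, so a packet shorter than the header wraps and a payload above 65535 bytes is silently cut. Add a KASSERT that m->m_pkthdr.len >= sizeof(*ip6o) and an explicit check (or error return) for an oversized payload before the assignment.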
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu Feb 15 08:08:58 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1530 To generate a diff of this commit: cvs rdiff -u -r1.1.2.321 -r1.1.2.322 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.321 src/doc/CHANGES-6.2:1.1.2.322 --- src/doc/CHANGES-6.2:1.1.2.321 Sat Feb 10 04:26:35 2018 +++ src/doc/CHANGES-6.2 Thu Feb 15 08:08:58 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.321 2018/02/10 04:26:35 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.322 2018/02/15 08:08:58 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21049,3 +21049,8 @@ sys/dist/pf/net/pf.c1.78 via patch Fix signedness bug in PF. PR/44059. [maxv, ticket #1527] +sys/netipsec/xform_ah.c1.80-1.81 via patch + + Fix use-after-free and and add more consistency checks. + [maxv, ticket #1530] +
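Review bot: The added CHANGES-6.2 entry reads "Fix use-after-free and and add more consistency checks."; drop the duplicated "and".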
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Thu Feb 15 08:08:19 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ah.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1530): sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch Fix use-after-free, 'ah' may not be valid after m_makewritable and ah_massage_headers. Make sure the Authentication Header fits the mbuf chain, otherwise panic. To generate a diff of this commit: cvs rdiff -u -r1.37.2.1 -r1.37.2.2 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.37.2.1 src/sys/netipsec/xform_ah.c:1.37.2.2 --- src/sys/netipsec/xform_ah.c:1.37.2.1 Mon Jan 29 19:25:51 2018 +++ src/sys/netipsec/xform_ah.c Thu Feb 15 08:08:19 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $ */ +/* $NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.2 2018/02/15 08:08:19 martin Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -636,6 +636,7 @@ ah_input(struct mbuf *m, const struct se struct m_tag *mtag; struct newah *ah; int hl, rplen, authsize, error; + uint8_t nxt; struct cryptodesc *crda; struct cryptop *crp; @@ -660,6 +661,8 @@ ah_input(struct mbuf *m, const struct se return ENOBUFS; } + nxt = ah->ah_nxt; + /* Check replay window, if applicable. */ if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { AH_STATINC(AH_STAT_REPLAY); 
@@ -683,6 +686,18 @@ ah_input(struct mbuf *m, const struct se m_freem(m); return EACCES; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + char buf[IPSEC_ADDRSTRLEN]; + DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long)(skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AH_STATINC(AH_STAT_BADAUTHL); + m_freem(m); + return EACCES; + } + AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -780,7 +795,7 @@ ah_input(struct mbuf *m, const struct se tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; + tc->tc_nxt = nxt; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_ptr = mtag; /* Save the mtag we've identified. */
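Review bot: Caching nxt = ah->ah_nxt fixes the one stale read at tc->tc_nxt, but ah itself stays in scope for the rest of ah_input() after the calls the log message names as invalidating it. Set ah = NULL once its fields have been copied out (or narrow its scope) so any remaining or future dereference fails immediately instead of reading freed mbuf data. The new length check prints m->m_pkthdr.len with %u; match the specifier to the field's type.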
CVS commit: [netbsd-6] src/sys/dist/pf/net
Module Name:src Committed By: snj Date: Sat Feb 10 04:25:38 UTC 2018 Modified Files: src/sys/dist/pf/net [netbsd-6]: pf.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1527): sys/dist/pf/net/pf.c: revision 1.78 via patch Oh, what is this. Fix a remotely-triggerable integer overflow: the way we define TCPOLEN_SACK makes it unsigned, and the comparison in the while() is unsigned too. That's not the expected behavior, the original code wanted a signed comparison. It's pretty easy to make 'hlen' go negative and trigger a buffer overflow. This bug was reported 8 years ago by Lucio Albornoz in PR/44059. To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.68.2.1 src/sys/dist/pf/net/pf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dist/pf/net/pf.c diff -u src/sys/dist/pf/net/pf.c:1.68 src/sys/dist/pf/net/pf.c:1.68.2.1 --- src/sys/dist/pf/net/pf.c:1.68 Mon Dec 19 16:10:07 2011 +++ src/sys/dist/pf/net/pf.c Sat Feb 10 04:25:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $ */ +/* $NetBSD: pf.c,v 1.68.2.1 2018/02/10 04:25:37 snj Exp $ */ /* $OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */ /* @@ -37,7 +37,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68 2011/12/19 16:10:07 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.68.2.1 2018/02/10 04:25:37 snj Exp $"); #include "pflog.h" @@ -1590,7 +1590,7 @@ pf_modulate_sack(struct mbuf *m, int off struct sackblk sack; #ifdef __NetBSD__ -#define TCPOLEN_SACK (2 * sizeof(uint32_t)) +#define TCPOLEN_SACK 8 /* 2*sizeof(tcp_seq) */ #endif #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
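Review bot: #define TCPOLEN_SACK 8 replaces the sizeof expression with a literal whose only tie to the type is the comment 2*sizeof(tcp_seq). Add a compile-time assertion that the literal equals 2 * sizeof(tcp_seq), or keep the sizeof and cast it to int, so the constant cannot drift; and put a comment on TCPOLEN_SACKLEN that it must stay signed because, per the log message, it is compared against hlen.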
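The signedness problem the pf.c log message describes, as an added C example (not NetBSD's or pf's code). The two macro forms come from the diff; the option walker, its loop shape, MODE_STRICT and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* -Wsign-compare flags exactly the comparison shown here; it is silenced
 * only so this demo builds under strict warning flags. */
#pragma GCC diagnostic ignored "-Wsign-compare"

/* Pre-fix form from the diff: sizeof makes the constant a size_t. */
#define SACK_OLD     (2 * sizeof(uint32_t))
#define SACKLEN_OLD  (SACK_OLD + 2)
/* Post-fix form from the diff: a plain int constant. */
#define SACK_NEW     8
#define SACKLEN_NEW  (SACK_NEW + 2)

#define MAX_STEPS 64  /* cap so the demo always terminates */

/* MODE_STRICT is an added hardening step, not part of the commit. */
enum mode { MODE_OLD, MODE_NEW, MODE_STRICT };

struct walk_result {
    int steps;      /* loop iterations executed */
    int oob_steps;  /* iterations whose cursor was outside the buffer */
    int final_hlen; /* remaining length when the loop stopped */
    int rejected;   /* MODE_STRICT only: oversize length byte refused */
};

/*
 * Hypothetical option walker (assumed loop shape): each option is
 * kind, len, data; the walker subtracts the declared len from hlen.
 * It never dereferences outside opts: such iterations are only counted.
 */
static struct walk_result
walk_options(const uint8_t *opts, int optlen, enum mode mode)
{
    struct walk_result r = { 0, 0, 0, 0 };
    int hlen = optlen;  /* signed, like the 'hlen' in the log message */
    int pos = 0;

    while (r.steps < MAX_STEPS) {
        int more, olen;

        if (mode == MODE_OLD)
            more = hlen >= SACKLEN_OLD;  /* hlen is converted to size_t */
        else
            more = hlen >= SACKLEN_NEW;  /* int compared with int */
        if (!more)
            break;

        if (pos + 1 < optlen) {
            olen = opts[pos + 1];        /* length byte from the packet */
        } else {
            r.oob_steps++;               /* cursor has left the buffer */
            olen = 2;
        }
        if (olen < 2)
            olen = 2;                    /* always make progress */
        if (mode == MODE_STRICT && olen > hlen) {
            r.rejected = 1;              /* declared length exceeds what is left */
            break;
        }
        hlen -= olen;
        pos += olen;
        r.steps++;
    }
    r.final_hlen = hlen;
    return r;
}

/* Constructed sample: 12 option bytes whose first option claims 40 bytes. */
static const uint8_t sample_opts[12] = { 5, 40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int
main(void)
{
    static const char *names[] = { "old (size_t)", "new (int)", "strict" };
    int m;

    for (m = MODE_OLD; m <= MODE_STRICT; m++) {
        struct walk_result r = walk_options(sample_opts, 12, (enum mode)m);
        printf("%-13s steps=%d oob=%d final_hlen=%d rejected=%d\n",
            names[m], r.steps, r.oob_steps, r.final_hlen, r.rejected);
    }
    return 0;
}
```

With the size_t macro the loop keeps running after hlen goes negative and stops only at the demo's step cap; with the int macro it stops on the next comparison.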
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Sat Feb 10 04:26:35 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1527 To generate a diff of this commit: cvs rdiff -u -r1.1.2.320 -r1.1.2.321 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.320 src/doc/CHANGES-6.2:1.1.2.321 --- src/doc/CHANGES-6.2:1.1.2.320 Fri Feb 9 14:10:35 2018 +++ src/doc/CHANGES-6.2 Sat Feb 10 04:26:35 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.320 2018/02/09 14:10:35 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.321 2018/02/10 04:26:35 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21044,3 +21044,8 @@ sys/netinet/ip_input.c1.366 Disable LSRR/SSRR by default. [maxv, ticket #1526] +sys/dist/pf/net/pf.c1.78 via patch + + Fix signedness bug in PF. PR/44059. + [maxv, ticket #1527] +
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Fri Feb 9 14:10:35 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1526 To generate a diff of this commit: cvs rdiff -u -r1.1.2.319 -r1.1.2.320 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.319 src/doc/CHANGES-6.2:1.1.2.320 --- src/doc/CHANGES-6.2:1.1.2.319 Fri Feb 2 13:10:44 2018 +++ src/doc/CHANGES-6.2 Fri Feb 9 14:10:35 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.319 2018/02/02 13:10:44 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.320 2018/02/09 14:10:35 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21039,3 +21039,8 @@ sys/netinet6/nd6_nbr.c1.145 (via pat Fix memory leak. [maxv, ticket #1525] +sys/netinet/ip_input.c1.366 + + Disable LSRR/SSRR by default. + [maxv, ticket #1526] +
CVS commit: [netbsd-6] src/sys/netinet
Module Name:src Committed By: martin Date: Fri Feb 9 14:09:35 UTC 2018 Modified Files: src/sys/netinet [netbsd-6]: ip_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1526): sys/netinet/ip_input.c: revision 1.366 Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a completely dumb idea, because they have security implications. By sending an IPv4 packet containing an LSRR option, an attacker will cause the system to forward the packet to another IPv4 address - and this way he white-washes the source of the packet. It is also possible for an attacker to reach hidden networks: if a server has a public address, and a private one on an internal network (network which has several internal machines connected), the attacker can send a packet with: source = 0.0.0.0 destination = public address of the server LSRR first address = address of a machine on the internal network And the packet will be forwarded, by the server, to the internal machine, in some cases even with the internal IP address of the server as a source. To generate a diff of this commit: cvs rdiff -u -r1.298 -r1.298.2.1 src/sys/netinet/ip_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet/ip_input.c diff -u src/sys/netinet/ip_input.c:1.298 src/sys/netinet/ip_input.c:1.298.2.1 --- src/sys/netinet/ip_input.c:1.298 Mon Jan 9 14:31:22 2012 +++ src/sys/netinet/ip_input.c Fri Feb 9 14:09:35 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $ */ +/* $NetBSD: ip_input.c,v 1.298.2.1 2018/02/09 14:09:35 martin Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -91,7 +91,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298.2.1 2018/02/09 14:09:35 martin Exp $"); #include "opt_inet.h" #include "opt_compat_netbsd.h" 
@@ -161,10 +161,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v #define IPSENDREDIRECTS 1 #endif #ifndef IPFORWSRCRT -#define IPFORWSRCRT 1 /* forward source-routed packets */ +#define IPFORWSRCRT 0 /* forward source-routed packets */ #endif #ifndef IPALLOWSRCRT -#define IPALLOWSRCRT 1 /* allow source-routed packets */ +#define IPALLOWSRCRT 0 /* allow source-routed packets */ #endif #ifndef IPMTUDISC #define IPMTUDISC 1
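Review bot: the `IPFORWSRCRT` and `IPALLOWSRCRT` defaults flip to 0 with their comments unchanged, so the file itself gives no hint that 0 is a deliberate security default. Suggest extending both comments to say that source-routed packets are off by default because of the forwarding behaviour described in the log message. Both defines sit under `#ifndef`, so a kernel configuration that sets either of them still builds with the old behaviour; worth calling that out for anyone auditing custom kernels on this branch.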
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Fri Feb 2 13:10:45 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1525 To generate a diff of this commit: cvs rdiff -u -r1.1.2.318 -r1.1.2.319 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.318 src/doc/CHANGES-6.2:1.1.2.319 --- src/doc/CHANGES-6.2:1.1.2.318 Fri Feb 2 11:07:50 2018 +++ src/doc/CHANGES-6.2 Fri Feb 2 13:10:44 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.318 2018/02/02 11:07:50 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.319 2018/02/02 13:10:44 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21034,3 +21034,8 @@ sys/netinet6/ip6_mroute.c 1.120 Fix a use-after-free in the Pim6 entry point. [maxv, ticket #1524] +sys/netinet6/nd6_nbr.c1.145 (via patch) + + Fix memory leak. + [maxv, ticket #1525] +
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 13:10:00 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1525): sys/netinet6/nd6_nbr.c: revision 1.145 (patch) Fix memory leak. Contrary to what the XXX indicates, this place is 100% reachable remotely. To generate a diff of this commit: cvs rdiff -u -r1.95 -r1.95.2.1 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_nbr.c diff -u src/sys/netinet6/nd6_nbr.c:1.95 src/sys/netinet6/nd6_nbr.c:1.95.2.1 --- src/sys/netinet6/nd6_nbr.c:1.95 Mon Dec 19 11:59:58 2011 +++ src/sys/netinet6/nd6_nbr.c Fri Feb 2 13:10:00 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $ */ +/* $NetBSD: nd6_nbr.c,v 1.95.2.1 2018/02/02 13:10:00 martin Exp $ */ /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95.2.1 2018/02/02 13:10:00 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -589,7 +589,7 @@ nd6_na_input(struct mbuf *m, int off, in taddr6 = nd_na->nd_na_target; if (in6_setscope(&taddr6, ifp, NULL)) - return; /* XXX: impossible */ + goto bad; if (IN6_IS_ADDR_MULTICAST(&taddr6)) { nd6log((LOG_ERR,
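Review bot: in nd6_na_input(), the `in6_setscope()` failure now does `goto bad;`, but the `bad` label is outside the hunk, so it is not visible here that it frees `m`. Please confirm that, and check the function's other early exits for a bare `return;` of the same kind, since the log message says this path is remotely reachable. The dropped `/* XXX: impossible */` comment could be replaced by a short one saying that the mbuf must be released on this path.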
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Fri Feb 2 11:07:50 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1524 To generate a diff of this commit: cvs rdiff -u -r1.1.2.317 -r1.1.2.318 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.317 src/doc/CHANGES-6.2:1.1.2.318 --- src/doc/CHANGES-6.2:1.1.2.317 Tue Jan 30 18:45:16 2018 +++ src/doc/CHANGES-6.2 Fri Feb 2 11:07:50 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.317 2018/01/30 18:45:16 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.318 2018/02/02 11:07:50 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21029,3 +21029,8 @@ sys/netinet6/ipcomp_input.c adjust oth [maxv, ticket #1523] +sys/netinet6/ip6_mroute.c 1.120 + + Fix a use-after-free in the Pim6 entry point. + [maxv, ticket #1524] +
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 11:07:12 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ip6_mroute.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1524): sys/netinet6/ip6_mroute.c: revision 1.120 Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE, not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain on an mbuf that was already freed. To generate a diff of this commit: cvs rdiff -u -r1.103 -r1.103.2.1 src/sys/netinet6/ip6_mroute.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_mroute.c diff -u src/sys/netinet6/ip6_mroute.c:1.103 src/sys/netinet6/ip6_mroute.c:1.103.2.1 --- src/sys/netinet6/ip6_mroute.c:1.103 Sat Dec 31 20:41:59 2011 +++ src/sys/netinet6/ip6_mroute.c Fri Feb 2 11:07:12 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $ */ +/* $NetBSD: ip6_mroute.c,v 1.103.2.1 2018/02/02 11:07:12 martin Exp $ */ /* $KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $ */ /* @@ -117,7 +117,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103.2.1 2018/02/02 11:07:12 martin Exp $"); #include "opt_inet.h" #include "opt_mrouting.h" @@ -1864,7 +1864,7 @@ pim6_input(struct mbuf **mp, int *offp, (eip6->ip6_vfc & IPV6_VERSION)); #endif m_freem(m); - return (IPPROTO_NONE); + return (IPPROTO_DONE); } /* verify the inner packet is destined to a mcast group */
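Review bot: in pim6_input(), `return (IPPROTO_DONE);` after `m_freem(m);` fixes this one exit, and the hunk does not show whether the function's other exits that free the mbuf return the same value. Suggest auditing every path in this function that calls `m_freem(m)` so that none of them returns `IPPROTO_NONE`, and adding a one-line comment at the return saying that the caller must stop parsing the header chain once `m` is gone.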
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 22:10:20 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ah_input.c esp_input.c ipcomp_input.c Log Message: Ooops, remainder of Ticket #1523, accidentally not committed previously To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/netinet6/ah_input.c cvs rdiff -u -r1.50 -r1.50.8.1 src/sys/netinet6/esp_input.c cvs rdiff -u -r1.38 -r1.38.8.1 src/sys/netinet6/ipcomp_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ah_input.c diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.8.1 --- src/sys/netinet6/ah_input.c:1.59 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ah_input.c Tue Jan 30 22:10:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i * next header field of the previous header. * This is necessary because AH will be stripped off below. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; ip6 = mtod(m, struct ip6_hdr *); Index: src/sys/netinet6/esp_input.c diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.8.1 --- src/sys/netinet6/esp_input.c:1.50 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/esp_input.c Tue Jan 30 22:10:20 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -834,7 +834,8 @@ noreplaycheck: /* * Set the next header field of the previous header correctly. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; stripsiz = esplen + ivlen; Index: src/sys/netinet6/ipcomp_input.c diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.8.1 --- src/sys/netinet6/ipcomp_input.c:1.38 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ipcomp_input.c Tue Jan 30 22:10:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off m->m_flags |= M_DECRYPTED; /* update next header field */ - prvnxtp = ip6_get_prevhdr(m, off); + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; /*
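Review bot: in all three callers (ah6_input(), the esp_input.c hunk at `noreplaycheck:`, and ipcomp6_input()), `prvnxtp = (mtod(m, u_int8_t *) + prvnxt);` still adds the returned offset to the start of the first mbuf with no check that `prvnxt` is below `m->m_len`. If the offset can fall in a later mbuf of the chain, the following `*prvnxtp = nxt;` writes outside the first mbuf. Suggest fetching the pointer with `IP6_EXTHDR_GET` and dropping the packet when it yields NULL, as the frag6.c change for the same ticket does, or documenting next to the `/* XXX */` why the previous header is guaranteed to sit in the first mbuf at this point.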
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Tue Jan 30 18:45:16 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1523 To generate a diff of this commit: cvs rdiff -u -r1.1.2.316 -r1.1.2.317 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.316 src/doc/CHANGES-6.2:1.1.2.317 --- src/doc/CHANGES-6.2:1.1.2.316 Mon Jan 29 19:27:05 2018 +++ src/doc/CHANGES-6.2 Tue Jan 30 18:45:16 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.316 2018/01/29 19:27:05 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.317 2018/01/30 18:45:16 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21017,3 +21017,15 @@ sys/netipsec/xform_ah.c1.76 Fix a remote DoS vulnerability in IPsec-AH. [maxv, ticket #1521] +sys/netinet6/frag6.c1.65 +sys/netinet6/ip6_input.c 1.187 +sys/netinet6/ip6_var.h1.78 +sys/netinet6/raw_ip6.c1.160 (via patch) +sys/netinet6/ah_input.cadjust other callers (patch) +sys/netinet6/esp_input.c adjust other callers (patch) +sys/netinet6/ipcomp_input.c adjust other callers (patch) + + Fix a memory corruption in ip6_get_prevhdr(). + [maxv, ticket #1523] + +
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 18:44:22 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: frag6.c ip6_input.c ip6_var.h raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1523): sys/netinet6/frag6.c: revision 1.65 sys/netinet6/ip6_input.c: revision 1.187 sys/netinet6/ip6_var.h: revision 1.78 sys/netinet6/raw_ip6.c: revision 1.160 (patch) sys/netinet6/ah_input.c: adjust other callers (patch) sys/netinet6/esp_input.c: adjust other callers (patch) sys/netinet6/ipcomp_input.c: adjust other callers (patch) Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf. The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures. As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know. Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases. 
Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. To generate a diff of this commit: cvs rdiff -u -r1.52.2.2 -r1.52.2.3 src/sys/netinet6/frag6.c cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.109 -r1.109.2.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.3 --- src/sys/netinet6/frag6.c:1.52.2.2 Thu Oct 25 17:23:33 2012 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:44:22 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $ */ +/* $NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $"); #include #include @@ -441,14 +441,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -461,6 +453,21 @@ insert: m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.136.2.1 src/sys/netinet6/ip6_input.c:1.136.2.2 --- src/sys/netinet6/ip6_input.c:1.136.2.1 Mon Jul 8 07:40:07 2013 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:44:22 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $ */ +/* $NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header * currently processed. - * XXX: This function supposes that
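Review bot: in frag6.c, the relocated "Restore NXT" block can now `goto dropfrag` after `frag6_remque(q6)`, the `frag6_nfrags` adjustment and `kmem_intr_free(q6, sizeof(struct ip6q))` have already run. The `dropfrag` label is outside the hunk; please confirm that it does not touch `q6` and that it copes with whatever state `IP6_EXTHDR_GET` leaves `m` in when it yields NULL, so that this new failure path neither uses freed memory nor frees the chain twice. A short comment on the `goto` stating who owns `m` at that point would help.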
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Mon Jan 29 19:27:06 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1521 To generate a diff of this commit: cvs rdiff -u -r1.1.2.315 -r1.1.2.316 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.315 src/doc/CHANGES-6.2:1.1.2.316 --- src/doc/CHANGES-6.2:1.1.2.315 Sat Jan 13 22:32:24 2018 +++ src/doc/CHANGES-6.2 Mon Jan 29 19:27:05 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.315 2018/01/13 22:32:24 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.316 2018/01/29 19:27:05 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21012,3 +21012,8 @@ xsrc/xfree/xc/lib/font/fontfile/fontdir. Fix CVEs 2017-13722, 2017-13720, 2017-16611, and 2017-16612. [mrg, ticket #1514] +sys/netipsec/xform_ah.c1.76 + + Fix a remote DoS vulnerability in IPsec-AH. + [maxv, ticket #1521] +
CVS commit: [netbsd-6] src/sys/netipsec
Module Name:src Committed By: martin Date: Mon Jan 29 19:25:51 UTC 2018 Modified Files: src/sys/netipsec [netbsd-6]: xform_ah.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1521): sys/netipsec/xform_ah.c: revision 1.76 Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely crash the kernel with a single packet. In this loop we need to increment 'ad' by two, because the length field of the option header does not count the size of the option header itself. If the length is zero, then 'count' is incremented by zero, and there's an infinite loop. Beyond that, this code was written with the assumption that since the IPv6 packet already went through the generic IPv6 option parser, several fields are guaranteed to be valid; but this assumption does not hold because of the missing '+2', and there's as a result a triggerable buffer overflow (write zeros after the end of the mbuf, potentially to the next mbuf in memory since it's a pool). Add the missing '+2', this place will be reinforced in separate commits. To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.37.2.1 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.37 src/sys/netipsec/xform_ah.c:1.37.2.1 --- src/sys/netipsec/xform_ah.c:1.37 Thu Jan 26 21:10:24 2012 +++ src/sys/netipsec/xform_ah.c Mon Jan 29 19:25:51 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $ */ +/* $NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* 
@@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37 2012/01/26 21:10:24 drochner Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.2.1 2018/01/29 19:25:51 martin Exp $"); #include "opt_inet.h" #ifdef __FreeBSD__ @@ -527,12 +527,12 @@ ah_massage_headers(struct mbuf **m0, int return EINVAL; } - ad = ptr[count + 1]; + ad = ptr[count + 1] + 2; /* If mutable option, zeroize. */ if (ptr[count] & IP6OPT_MUTABLE) memcpy(ptr + count, ipseczeroes, - ptr[count + 1]); + ad); count += ad;
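Review bot: in ah_massage_headers(), `ad` is now `ptr[count + 1] + 2` and is used directly as the `memcpy()` length from `ipseczeroes`, with no check in the hunk that `count + ad` stays inside the option area or that `ipseczeroes` is at least `ad` bytes long. Suggest validating `count + ad` against the header length before the copy and returning `EINVAL` as the branch just above does. Note also that the copy starts at `ptr + count`, so the option's own type and length bytes are zeroed together with its data; if that is intended, say so in the "If mutable option, zeroize." comment.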
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Sat Jan 13 22:32:25 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1514 To generate a diff of this commit: cvs rdiff -u -r1.1.2.314 -r1.1.2.315 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.314 src/doc/CHANGES-6.2:1.1.2.315 --- src/doc/CHANGES-6.2:1.1.2.314 Sun Nov 5 20:32:27 2017 +++ src/doc/CHANGES-6.2 Sat Jan 13 22:32:24 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.314 2017/11/05 20:32:27 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.315 2018/01/13 22:32:24 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -20996,3 +20996,19 @@ xsrc/xfree/xc/programs/Xserver/render/re apply fixes for CVEs 2017-12176 to 2017-12187 [mrg, ticket #1511] +xsrc/external/mit/libXcursor/dist/src/file.c patch +xsrc/external/mit/libXcursor/dist/src/library.c patch +xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c patch +xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c patch +xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c patch +xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c patch +xsrc/xfree/xc/lib/Xcursor/file.c patch +xsrc/xfree/xc/lib/Xcursor/library.c patch +xsrc/xfree/xc/lib/font/bitmap/pcfread.c patch +xsrc/xfree/xc/lib/font/fontfile/dirfile.c patch +xsrc/xfree/xc/lib/font/fontfile/fileio.c patch +xsrc/xfree/xc/lib/font/fontfile/fontdir.c patch + + Fix CVEs 2017-13722, 2017-13720, 2017-16611, and 2017-16612. + [mrg, ticket #1514] +
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Sun Nov 5 20:32:27 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1508, 1509, 1511 To generate a diff of this commit: cvs rdiff -u -r1.1.2.313 -r1.1.2.314 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.313 src/doc/CHANGES-6.2:1.1.2.314 --- src/doc/CHANGES-6.2:1.1.2.313 Tue Oct 17 15:59:22 2017 +++ src/doc/CHANGES-6.2 Sun Nov 5 20:32:27 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.313 2017/10/17 15:59:22 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.314 2017/11/05 20:32:27 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: 
@@ -20959,3 +20959,40 @@ external/bsd/wpa/dist/wpa_supplicant/wnm CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 [spz, ticket #1507] +etc/namedb/root.cache1.23 + + Update root.cache to 2017102400 (October 24, 2017). + [taca, ticket #1508] + +external/bsd/nvi/dist/common/recover.c 1.6-1.9 via patch to dist/nvi/common/recover.c +external/bsd/nvi/usr.bin/recover/virecover 1.2-1.3 via patch to usr.bin/nvi/recover/virecover + + Fix vulnerabilities in the handling of recovery files. + [spz, ticket #1509] + +xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c patch +xsrc/external/mit/xorg-server/dist/Xext/saver.c patch +xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c patch +xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c patch +xsrc/external/mit/xorg-server/dist/dbe/dbe.c patch +xsrc/external/mit/xorg-server/dist/dix/dispatch.c patch +xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c patch +xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c patch +xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c patch +xsrc/external/mit/xorg-server/dist/render/render.c patch +xsrc/external/mit/xorg-server/dist/xfixes/cursor.c patch +xsrc/external/mit/xorg-server/dist/xfixes/region.c patch +xsrc/external/mit/xorg-server/dist/xfixes/saveset.c patch +xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c patch +xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c patch +xsrc/xfree/xc/programs/Xserver/Xext/saver.c patch +xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c patch +xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c patch +xsrc/xfree/xc/programs/Xserver/dbe/dbe.c patch +xsrc/xfree/xc/programs/Xserver/dix/dispatch.c patch +xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c patch +xsrc/xfree/xc/programs/Xserver/render/render.c patch + + apply fixes for CVEs 2017-12176 to 2017-12187 + [mrg, ticket #1511] +
CVS commit: [netbsd-6] src
Module Name:src Committed By: snj Date: Sun Nov 5 20:04:34 UTC 2017 Modified Files: src/dist/nvi/common [netbsd-6]: recover.c src/usr.bin/nvi/recover [netbsd-6]: virecover Log Message: Pull up following revision(s) (requested by spz in ticket #1509): external/bsd/nvi/usr.bin/recover/virecover: 1.2-1.3 via patch external/bsd/nvi/dist/common/recover.c: revision 1.6-1.9 via patch be more careful about opening recovery files... in particular deal with people trying to get 'vi -r' stuck using named pipes, symlink attacks, and coercing others opening recovery files they did not create. Put back the tests for "no files matched" (in a different way than they were written previously - but that's just style.) This is not csh... Use the correct test operator to test for an empty file (rather than testing for an empty file name...) Write test ('[') commands in a way that is defined to work, rather than just happens to - we can afford the (negligible) performance hit here. - don't use command substitution to glob a pattern into a list of filenames; it is less efficient than doing it directly and does not handle whitespace in filenames properly. - change test to [ - quote variables Deal safely with recovery mail files. oops, accidentally committed an earlier non-working version; fixed. Don't use popenve() for portability; forking an extra shell here is not an issue. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.3.10.1 src/dist/nvi/common/recover.c cvs rdiff -u -r1.1 -r1.1.22.1 src/usr.bin/nvi/recover/virecover Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/nvi/common/recover.c diff -u src/dist/nvi/common/recover.c:1.3 src/dist/nvi/common/recover.c:1.3.10.1 --- src/dist/nvi/common/recover.c:1.3 Sun Jan 18 03:45:50 2009 +++ src/dist/nvi/common/recover.c Sun Nov 5 20:04:34 2017 
@@ -1,4 +1,4 @@ -/* $NetBSD: recover.c,v 1.3 2009/01/18 03:45:50 lukem Exp $ */ +/* $NetBSD: recover.c,v 1.3.10.1 2017/11/05 20:04:34 snj Exp $ */ /*- * Copyright (c) 1993, 1994 @@ -112,7 +112,7 @@ static const char sccsid[] = "Id: recove #define VI_PHEADER "X-vi-recover-path: " static int rcv_copy __P((SCR *, int, char *)); -static void rcv_email __P((SCR *, char *)); +static void rcv_email __P((SCR *, const char *)); static char *rcv_gets __P((char *, size_t, int)); static int rcv_mailfile __P((SCR *, int, char *)); static int rcv_mktemp __P((SCR *, char *, const char *, int)); @@ -470,6 +470,23 @@ err: if (!issync) } /* + * Since vi creates recovery files only accessible by the user, files + * accessible by group or others are probably malicious so avoid them. + * This is simpler than checking for getuid() == st.st_uid and we want + * to preserve the functionality that root can recover anything which + * means that root should know better and be careful. + */ +static int +checkok(int fd) +{ + struct stat sb; + + return fstat(fd, &sb) != -1 && S_ISREG(sb.st_mode) && + (sb.st_mode & (S_IRWXG|S_IRWXO)) == 0; +} + + +/* * people making love * never exactly the same * just like a snowflake @@ -513,9 +530,14 @@ rcv_list(SCR *sp) * if we're using fcntl(2), there's no way to lock a file * descriptor that's not open for writing. */ - if ((fp = fopen(dp->d_name, "r+")) == NULL) + if ((fp = fopen(dp->d_name, "r+efl")) == NULL) continue; + if (!checkok(fileno(fp))) { + (void)fclose(fp); + continue; + } + switch (file_lock(sp, NULL, NULL, fileno(fp), 1)) { case LOCK_FAILED: /* 
@@ -626,9 +648,16 @@ rcv_read(SCR *sp, FREF *frp) * if we're using fcntl(2), there's no way to lock a file * descriptor that's not open for writing. */ - if ((fd = open(recpath, O_RDWR, 0)) == -1) + if ((fd = open(recpath, O_RDWR|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC, + 0)) == -1) continue; + if (!checkok(fd)) { + (void)close(fd); + continue; + } + + switch (file_lock(sp, NULL, NULL, fd, 1)) { case LOCK_FAILED: /* @@ -836,24 +865,48 @@ rcv_mktemp(SCR *sp, char *path, const ch * Send email. */ static void -rcv_email(SCR *sp, char *fname) +rcv_email(SCR *sp, const char *fname) { struct stat sb; - char buf[MAXPATHLEN * 2 + 20]; + char buf[BUFSIZ]; + FILE *fin, *fout; + size_t l; - if (_PATH_SENDMAIL[0] != '/' || stat(_PATH_SENDMAIL, &sb)) + if (_PATH_SENDMAIL[0] != '/' || stat(_PATH_SENDMAIL, &sb) == -1) { msgq_str(sp, M_SYSERR, _PATH_SENDMAIL, "071|not sending email: %s"); - else { - /* - * !!! - * If you need to port this to a system that doesn't have - * sendmail, the -t flag causes sendmail to read the message - * for the recipients instead of specifying them some other - * way. - */ - (void)snprintf(buf, sizeof(buf), - "%s -t < %s", _PATH_SENDMAIL, fname); - (void)system(buf); + return; } + + /* + * !!! + * If you need to port this to a system
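Review bot: in rcv_list(), `fopen(dp->d_name, "r+efl")` depends on non-standard mode letters, while rcv_read() gets its protection from explicit `O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC` flags. Since this reaches netbsd-6 via patch, please confirm that this branch's fopen() honours every letter in `efl`; if one is ignored, the list path opens recovery files without the no-follow protection, and `checkok()` cannot make up for it because `fstat()` on the opened descriptor does not reveal that a symlink was followed. Using `open()` with the same flags as rcv_read() followed by `fdopen()` would make both paths identical and remove the dependency.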
CVS commit: [netbsd-6] src/etc/namedb
Module Name:src Committed By: snj Date: Sun Nov 5 19:55:18 UTC 2017 Modified Files: src/etc/namedb [netbsd-6]: root.cache Log Message: Pull up following revision(s) (requested by taca in ticket #1508): etc/namedb/root.cache: revision 1.23 Update root.cache to 2017102400 (October 24, 2017). B.ROOT-SERVERS.NET's IPv4 and IPv6 address has changed. To generate a diff of this commit: cvs rdiff -u -r1.16.4.7 -r1.16.4.8 src/etc/namedb/root.cache Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/etc/namedb/root.cache diff -u src/etc/namedb/root.cache:1.16.4.7 src/etc/namedb/root.cache:1.16.4.8 --- src/etc/namedb/root.cache:1.16.4.7 Fri Nov 11 06:59:50 2016 +++ src/etc/namedb/root.cache Sun Nov 5 19:55:18 2017 @@ -1,4 +1,4 @@ -; $NetBSD: root.cache,v 1.16.4.7 2016/11/11 06:59:50 snj Exp $ +; $NetBSD: root.cache,v 1.16.4.8 2017/11/05 19:55:18 snj Exp $ ; This file holds the information on root name servers needed to ; initialize cache of Internet domain name servers ; (e.g. reference this file in the "cache . " @@ -10,10 +10,10 @@ ; on server FTP.INTERNIC.NET ; -OR-RS.INTERNIC.NET ; -; last update:October 20, 2016 -; related version of root zone: 2016102001 +; last update:October 24, 2017 +; related version of root zone: 2017102400 ; -; formerly NS.INTERNIC.NET +; FORMERLY NS.INTERNIC.NET ; .360 NSA.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 360 A 198.41.0.4 @@ -22,8 +22,8 @@ A.ROOT-SERVERS.NET. 360 AA ; FORMERLY NS1.ISI.EDU ; .360 NSB.ROOT-SERVERS.NET. -B.ROOT-SERVERS.NET. 360 A 192.228.79.201 -B.ROOT-SERVERS.NET. 360 2001:500:84::b +B.ROOT-SERVERS.NET. 360 A 199.9.14.201 +B.ROOT-SERVERS.NET. 360 2001:500:200::b ; ; FORMERLY C.PSI.NET ;
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Tue Oct 17 15:59:22 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1507 To generate a diff of this commit: cvs rdiff -u -r1.1.2.312 -r1.1.2.313 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.312 src/doc/CHANGES-6.2:1.1.2.313 --- src/doc/CHANGES-6.2:1.1.2.312 Tue Oct 17 15:44:00 2017 +++ src/doc/CHANGES-6.2 Tue Oct 17 15:59:22 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.312 2017/10/17 15:44:00 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.313 2017/10/17 15:59:22 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -20942,3 +20942,20 @@ sys/fs/msdosfs/msdosfs_vfsops.c 1.128 for media with sectors >= 32kByte. PR 52485. [mlelstv, ticket #1506] +external/bsd/wpa/dist/src/ap/ieee802_11.c 1.2 +external/bsd/wpa/dist/src/ap/wpa_auth.c 1.10 +external/bsd/wpa/dist/src/ap/wpa_auth.h 1.2 +external/bsd/wpa/dist/src/ap/wpa_auth_ft.c 1.2 +external/bsd/wpa/dist/src/ap/wpa_auth_i.h 1.2 +external/bsd/wpa/dist/src/common/wpa_common.h 1.3 +external/bsd/wpa/dist/src/rsn_supp/tdls.c 1.2 +external/bsd/wpa/dist/src/rsn_supp/wpa.c 1.2 +external/bsd/wpa/dist/src/rsn_supp/wpa_ft.c 1.2 +external/bsd/wpa/dist/src/rsn_supp/wpa_i.h 1.2 +external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c 1.4 + + Apply upstream patches for CVE-2017-13077 CVE-2017-13078 + CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 + CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 + [spz, ticket #1507] +
CVS commit: [netbsd-6] src/external/bsd/wpa/dist
Module Name:src Committed By: martin Date: Tue Oct 17 15:58:49 UTC 2017 Modified Files: src/external/bsd/wpa/dist/src/ap [netbsd-6]: ieee802_11.c wpa_auth.c wpa_auth.h wpa_auth_ft.c wpa_auth_i.h src/external/bsd/wpa/dist/src/common [netbsd-6]: wpa_common.h src/external/bsd/wpa/dist/src/rsn_supp [netbsd-6]: tdls.c wpa.c wpa_ft.c wpa_i.h src/external/bsd/wpa/dist/wpa_supplicant [netbsd-6]: wnm_sta.c Log Message: Pull up following revision(s) (requested by spz in ticket #1507): external/bsd/wpa/dist/src/ap/ieee802_11.c: revision 1.2 external/bsd/wpa/dist/src/rsn_supp/wpa_ft.c: revision 1.2 external/bsd/wpa/dist/src/ap/wpa_auth_i.h: revision 1.2 external/bsd/wpa/dist/src/rsn_supp/wpa.c: revision 1.2 external/bsd/wpa/dist/src/rsn_supp/wpa_i.h: revision 1.2 external/bsd/wpa/dist/src/ap/wpa_auth.h: revision 1.2 external/bsd/wpa/dist/src/rsn_supp/tdls.c: revision 1.2 external/bsd/wpa/dist/src/common/wpa_common.h: revision 1.3 external/bsd/wpa/dist/src/ap/wpa_auth_ft.c: revision 1.2 external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c: revision 1.4 external/bsd/wpa/dist/src/ap/wpa_auth.c: revision 1.10 apply patches from upstream, namely from https://w1.fi/security/2017-1/ : rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch 02-Oct-2017 16:19 6.1K rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch 02-Oct-2017 16:19 7.7K rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch 02-Oct-2017 16:19 6.7K rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch 02-Oct-2017 16:19 2.5K rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch 02-Oct-2017 16:19 1.9K rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch 02-Oct-2017 16:19 4.2K rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch 02-Oct-2017 16:19 1.6K rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch 02-Oct-2017 16:19 2.7K for CVE-2017-13077 CVE-2017-13078
CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 (see https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt for details) To generate a diff of this commit: cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \ src/external/bsd/wpa/dist/src/ap/ieee802_11.c \ src/external/bsd/wpa/dist/src/ap/wpa_auth_ft.c cvs rdiff -u -r1.3.4.1 -r1.3.4.2 src/external/bsd/wpa/dist/src/ap/wpa_auth.c cvs rdiff -u -r1.1.1.1.8.1 -r1.1.1.1.8.2 \ src/external/bsd/wpa/dist/src/ap/wpa_auth.h \ src/external/bsd/wpa/dist/src/ap/wpa_auth_i.h cvs rdiff -u -r1.1.1.1.8.1 -r1.1.1.1.8.2 \ src/external/bsd/wpa/dist/src/common/wpa_common.h cvs rdiff -u -r1.1.1.5.10.2 -r1.1.1.5.10.3 \ src/external/bsd/wpa/dist/src/rsn_supp/tdls.c cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \ src/external/bsd/wpa/dist/src/rsn_supp/wpa.c cvs rdiff -u -r1.1.1.1.8.1 -r1.1.1.1.8.2 \ src/external/bsd/wpa/dist/src/rsn_supp/wpa_ft.c \ src/external/bsd/wpa/dist/src/rsn_supp/wpa_i.h cvs rdiff -u -r1.3.10.2 -r1.3.10.3 \ src/external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/wpa/dist/src/ap/ieee802_11.c diff -u src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.1.1.2.4.1 src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.1.1.2.4.2 --- src/external/bsd/wpa/dist/src/ap/ieee802_11.c:1.1.1.2.4.1 Wed Aug 30 05:48:09 2017 +++ src/external/bsd/wpa/dist/src/ap/ieee802_11.c Tue Oct 17 15:58:49 2017 @@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hos { struct ieee80211_ht_capabilities ht_cap; struct ieee80211_vht_capabilities vht_cap; + int set = 1; /* * Remove the STA entry to ensure the STA PS state gets cleared and 
@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hos * FT-over-the-DS, where a station re-associates back to the same AP but * skips the authentication flow, or if working with a driver that * does not support full AP client state. + * + * Skip this if the STA has already completed FT reassociation and the + * TK has been configured since the TX/RX PN must not be reset to 0 for + * the same key. */ - if (!sta->added_unassoc) + if (!sta->added_unassoc && + (!(sta->flags & WLAN_STA_AUTHORIZED) || + !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { hostapd_drv_sta_remove(hapd, sta->addr); + wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); + set = 0; + } #ifdef CONFIG_IEEE80211N if (sta->flags & WLAN_STA_HT) @@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hos
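Review bot: in add_associated_sta() the new local `set` is initialised to 1 and cleared to 0 only when the STA entry is removed, but nothing at the declaration says what it selects; a one-line comment or a more descriptive name would make its later use readable. The condition itself matches the added comment: removal is skipped only when the STA is WLAN_STA_AUTHORIZED and wpa_auth_sta_ft_tk_already_set() returns true, which is what keeps the TX/RX PN from being reset for a key already in use.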
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Tue Oct 17 15:44:00 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Amend #1502 To generate a diff of this commit: cvs rdiff -u -r1.1.2.311 -r1.1.2.312 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.311 src/doc/CHANGES-6.2:1.1.2.312 --- src/doc/CHANGES-6.2:1.1.2.311 Fri Oct 13 08:06:09 2017 +++ src/doc/CHANGES-6.2 Tue Oct 17 15:44:00 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.311 2017/10/13 08:06:09 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.312 2017/10/17 15:44:00 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -20936,7 +20936,7 @@ sys/arch/i386/i386/i386_trap.S 1.12 vi use %ss instead of %ds in trap06 [maxv, ticket #1505] -sys/fs/msdosfs/msdosfs_vfsops.c 1.128 +sys/fs/msdosfs/msdosfs_vfsops.c 1.128 via patch Add more sanity checks for BPB parameters. Handle FAT12 format for media with sectors >= 32kByte. PR 52485.
CVS commit: [netbsd-6] src/sys/fs/msdosfs
Module Name:src Committed By: martin Date: Tue Oct 17 15:43:09 UTC 2017 Modified Files: src/sys/fs/msdosfs [netbsd-6]: msdosfs_vfsops.c Log Message: Apply patch from mlelstv to fix the build after pullup #1506 To generate a diff of this commit: cvs rdiff -u -r1.93.6.4 -r1.93.6.5 src/sys/fs/msdosfs/msdosfs_vfsops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/fs/msdosfs/msdosfs_vfsops.c diff -u src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4 src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.5 --- src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4 Fri Oct 13 08:05:30 2017 +++ src/sys/fs/msdosfs/msdosfs_vfsops.c Tue Oct 17 15:43:09 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $ */ +/* $NetBSD: msdosfs_vfsops.c,v 1.93.6.5 2017/10/17 15:43:09 martin Exp $ */ /*- * Copyright (C) 1994, 1995, 1997 Wolfgang Solfrank. @@ -48,7 +48,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.5 2017/10/17 15:43:09 martin Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -712,8 +712,8 @@ msdosfs_mountfs(struct vnode *devvp, str /* validate cluster count against FAT */ if ((pmp->pm_maxcluster & pmp->pm_fatmask) != pmp->pm_maxcluster) { - DPRINTF("maxcluster %lu outside of mask %#lx\n", - pmp->pm_maxcluster, pmp->pm_fatmask); + DPRINTF(("maxcluster %lu outside of mask %#lx\n", + pmp->pm_maxcluster, pmp->pm_fatmask)); error = EINVAL; goto error_exit; } @@ -723,8 +723,8 @@ msdosfs_mountfs(struct vnode *devvp, str fatblocksecs = howmany(fatbytes, pmp->pm_BytesPerSec); if (pmp->pm_FATsecs != fatblocksecs) { - DPRINTF("FATsecs %lu != real %lu\n", pmp->pm_FATsecs, - fatblocksecs); + DPRINTF(("FATsecs %lu != real %lu\n", pmp->pm_FATsecs, + fatblocksecs)); error = EINVAL; goto error_exit; }
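Review bot: both DPRINTF calls in msdosfs_mountfs() now use the double-parenthesis form, which covers the two calls added by the #1506 pullup, but the log only says the build is fixed. State the cause there (on this branch DPRINTF is called with one parenthesised argument list) so the next pullup from head that adds a DPRINTF is adjusted before it is committed.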
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Fri Oct 13 08:06:09 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1504-1506 To generate a diff of this commit: cvs rdiff -u -r1.1.2.310 -r1.1.2.311 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.310 src/doc/CHANGES-6.2:1.1.2.311 --- src/doc/CHANGES-6.2:1.1.2.310 Mon Sep 11 04:46:21 2017 +++ src/doc/CHANGES-6.2 Fri Oct 13 08:06:09 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.310 2017/09/11 04:46:21 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.311 2017/10/13 08:06:09 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -20926,3 +20926,19 @@ crypto/external/bsd/heimdal/include/roke getpw*() internal buffers. [mlelstv, ticket #1503] +usr.sbin/syslogd/syslogd.c 1.124 + + Use looked up remote host for remote message without a hostname + [ginsbach, ticket #1504] + +sys/arch/i386/i386/i386_trap.S 1.12 via patch + + use %ss instead of %ds in trap06 + [maxv, ticket #1505] + +sys/fs/msdosfs/msdosfs_vfsops.c 1.128 + + Add more sanity checks for BPB parameters. Handle FAT12 format + for media with sectors >= 32kByte. PR 52485. + [mlelstv, ticket #1506] +
CVS commit: [netbsd-6] src/sys/fs/msdosfs
Module Name:src Committed By: snj Date: Fri Oct 13 08:05:30 UTC 2017 Modified Files: src/sys/fs/msdosfs [netbsd-6]: msdosfs_vfsops.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #1506): sys/fs/msdosfs/msdosfs_vfsops.c: revision 1.128 Add more sanity checks for BPB parameters. Handle FAT12 format for media with sectors >= 32kByte. Does fix PR 52485. To generate a diff of this commit: cvs rdiff -u -r1.93.6.3 -r1.93.6.4 src/sys/fs/msdosfs/msdosfs_vfsops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/fs/msdosfs/msdosfs_vfsops.c diff -u src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.3 src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.4 --- src/sys/fs/msdosfs/msdosfs_vfsops.c:1.93.6.3 Sun Nov 9 06:37:00 2014 +++ src/sys/fs/msdosfs/msdosfs_vfsops.c Fri Oct 13 08:05:30 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: msdosfs_vfsops.c,v 1.93.6.3 2014/11/09 06:37:00 msaitoh Exp $ */ +/* $NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $ */ /*- * Copyright (C) 1994, 1995, 1997 Wolfgang Solfrank. @@ -48,7 +48,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.3 2014/11/09 06:37:00 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: msdosfs_vfsops.c,v 1.93.6.4 2017/10/13 08:05:30 snj Exp $"); #if defined(_KERNEL_OPT) #include "opt_compat_netbsd.h" @@ -479,6 +479,7 @@ msdosfs_mountfs(struct vnode *devvp, str int ronly, error, BlkPerSec; uint64_t psize; unsigned secsize; + u_long fatbytes, fatblocksecs; /* Flush out any old buffers remaining from a previous use. */ if ((error = vinvalbuf(devvp, V_SAVE, l->l_cred, l, 0, 0)) != 0) 
@@ -708,12 +709,40 @@ msdosfs_mountfs(struct vnode *devvp, str pmp->pm_fatdiv = 1; } } - if (FAT12(pmp)) - pmp->pm_fatblocksize = 3 * pmp->pm_BytesPerSec; - else + + /* validate cluster count against FAT */ + if ((pmp->pm_maxcluster & pmp->pm_fatmask) != pmp->pm_maxcluster) { + DPRINTF("maxcluster %lu outside of mask %#lx\n", + pmp->pm_maxcluster, pmp->pm_fatmask); + error = EINVAL; + goto error_exit; + } + + /* validate FAT size */ + fatbytes = (pmp->pm_maxcluster+1) * pmp->pm_fatmult / pmp->pm_fatdiv; + fatblocksecs = howmany(fatbytes, pmp->pm_BytesPerSec); + + if (pmp->pm_FATsecs != fatblocksecs) { + DPRINTF("FATsecs %lu != real %lu\n", pmp->pm_FATsecs, + fatblocksecs); + error = EINVAL; + goto error_exit; + } + + if (FAT12(pmp)) { + /* + * limit block size to what is needed to read a FAT block + * to not exceed MAXBSIZE + */ + pmp->pm_fatblocksec = min(3, fatblocksecs); + pmp->pm_fatblocksize = pmp->pm_fatblocksec + * pmp->pm_BytesPerSec; + } else { pmp->pm_fatblocksize = MAXBSIZE; + pmp->pm_fatblocksec = pmp->pm_fatblocksize + / pmp->pm_BytesPerSec; + } - pmp->pm_fatblocksec = pmp->pm_fatblocksize / pmp->pm_BytesPerSec; pmp->pm_bnshift = ffs(pmp->pm_BytesPerSec) - 1; /*
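Review bot: the FAT size check is a strict comparison, `if (pmp->pm_FATsecs != fatblocksecs)`, so a volume whose FAT area is larger than the minimum needed for pm_maxcluster is rejected with EINVAL even though reading it is safe; for a sanity check only `pm_FATsecs < fatblocksecs` needs to fail. The line computing fatbytes multiplies (pm_maxcluster+1) by pm_fatmult in u_long before dividing, using values taken from the medium, and deserves a comment stating that the pm_fatmask test just above is what keeps the product in range.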
CVS commit: [netbsd-6] src/sys/arch/i386/i386
Module Name:src Committed By: snj Date: Fri Oct 13 08:03:04 UTC 2017 Modified Files: src/sys/arch/i386/i386 [netbsd-6]: vector.S Log Message: Pull up following revision(s) (requested by maxv in ticket #1505): sys/arch/i386/i386/i386_trap.S: revision 1.12 via patch Pfff, use %ss and not %ds. The latter is controlled by userland, the former contains the kernel value (flat); FreeBSD fixed this too a few weeks ago. As I said earlier, this dtrace code is complete bullshit. To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/arch/i386/i386/vector.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/i386/i386/vector.S diff -u src/sys/arch/i386/i386/vector.S:1.59 src/sys/arch/i386/i386/vector.S:1.59.8.1 --- src/sys/arch/i386/i386/vector.S:1.59 Sun Jun 12 03:35:42 2011 +++ src/sys/arch/i386/i386/vector.S Fri Oct 13 08:03:03 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $ */ +/* $NetBSD: vector.S,v 1.59.8.1 2017/10/13 08:03:03 snj Exp $ */ /* * Copyright 2002 (c) Wasabi Systems, Inc. @@ -65,7 +65,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59 2011/06/12 03:35:42 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: vector.S,v 1.59.8.1 2017/10/13 08:03:03 snj Exp $"); #include "opt_ddb.h" #include "opt_multiprocessor.h" @@ -773,7 +773,7 @@ IDTVEC(trap05) SUPERALIGN_TEXT IDTVEC(trap06) /* Check if there is no DTrace hook registered. */ - cmpl $0,dtrace_invop_jump_addr + cmpl $0,%ss:dtrace_invop_jump_addr je norm_ill /* Check if this is a user fault. */
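Review bot: the %ss override is applied to the load of dtrace_invop_jump_addr in trap06, but the comment above it still reads only "Check if there is no DTrace hook registered."; add a line saying that %ds still holds the userland value at this point, so the override is not later removed as redundant. Any other memory operand reached in this handler before the kernel segment registers are loaded needs the same treatment; the instructions after `je norm_ill` are not shown in this hunk.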
CVS commit: [netbsd-6] src/usr.sbin/syslogd
Module Name:src Committed By: snj Date: Fri Oct 13 07:57:51 UTC 2017 Modified Files: src/usr.sbin/syslogd [netbsd-6]: syslogd.c Log Message: Pull up following revision(s) (requested by ginsbach in ticket #1504): usr.sbin/syslogd/syslogd.c: revision 1.124 Use looked up remote host for remote message without a hostname An incoming remote message may not necessarily have a hostname between the timestamp and the message. The source of the remote sender is already looked up so use that hostname/IP address rather than the local hostname. To generate a diff of this commit: cvs rdiff -u -r1.105.4.2 -r1.105.4.3 src/usr.sbin/syslogd/syslogd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/syslogd/syslogd.c diff -u src/usr.sbin/syslogd/syslogd.c:1.105.4.2 src/usr.sbin/syslogd/syslogd.c:1.105.4.3 --- src/usr.sbin/syslogd/syslogd.c:1.105.4.2 Thu Aug 31 15:10:29 2017 +++ src/usr.sbin/syslogd/syslogd.c Fri Oct 13 07:57:51 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: syslogd.c,v 1.105.4.2 2017/08/31 15:10:29 martin Exp $ */ +/* $NetBSD: syslogd.c,v 1.105.4.3 2017/10/13 07:57:51 snj Exp $ */ /* * Copyright (c) 1983, 1988, 1993, 1994 @@ -39,7 +39,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 19 #if 0 static char sccsid[] = "@(#)syslogd.c 8.3 (Berkeley) 4/4/94"; #else -__RCSID("$NetBSD: syslogd.c,v 1.105.4.2 2017/08/31 15:10:29 martin Exp $"); +__RCSID("$NetBSD: syslogd.c,v 1.105.4.3 2017/10/13 07:57:51 snj Exp $"); #endif #endif /* not lint */ @@ -1272,7 +1272,7 @@ printline_bsdsyslog(const char *hname, c } else if (*p == '[' || (*p == ':' && (*(p+1) == ' ' || *(p+1) == '\0'))) { /* no host in message */ - buffer->host = LocalFQDN; + buffer->host = strdup(hname); buffer->prog = strndup(start, p - start); break; } else {
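Review bot: `buffer->host = strdup(hname);` in printline_bsdsyslog() does not check for a NULL return, and it changes ownership: the old value was the shared LocalFQDN pointer, while the new one is heap memory that whatever releases buffer must free. The strndup() for buffer->prog on the next line has the same unchecked pattern, so either handle both or add a comment saying where a failed allocation is tolerated.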
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Mon Sep 11 04:46:22 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1503 To generate a diff of this commit: cvs rdiff -u -r1.1.2.309 -r1.1.2.310 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.309 src/doc/CHANGES-6.2:1.1.2.310 --- src/doc/CHANGES-6.2:1.1.2.309 Sat Sep 9 16:54:40 2017 +++ src/doc/CHANGES-6.2 Mon Sep 11 04:46:21 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.309 2017/09/09 16:54:40 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.310 2017/09/11 04:46:21 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -20902,9 +20902,27 @@ sys/arch/sparc64/sparc64/compat_13_machd sys/compat/linux32/arch/amd64/linux32_machdep.c 1.39 - Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges. [maxv, ticket #1502] +crypto/external/bsd/heimdal/dist/cf/check-getpwuid_r-posix.m4 1.1 +crypto/external/bsd/heimdal/dist/configure.ac 1.3 +crypto/external/bsd/heimdal/dist/kcm/client.c 1.3 +crypto/external/bsd/heimdal/dist/kcm/config.c 1.3 +crypto/external/bsd/heimdal/dist/lib/gssapi/mech/gss_pname_to_uid.c 1.3 +crypto/external/bsd/heimdal/dist/lib/hx509/softp11.c 1.3 +crypto/external/bsd/heimdal/dist/lib/krb5/config_file.c 1.3 +crypto/external/bsd/heimdal/dist/lib/krb5/get_default_principal.c 1.3 +crypto/external/bsd/heimdal/dist/lib/krb5/kuserok.c 1.3 +crypto/external/bsd/heimdal/dist/lib/roken/getxxyyy.c 1.3 +crypto/external/bsd/heimdal/dist/lib/roken/roken.h.in 1.5 +crypto/external/bsd/heimdal/include/config.h 1.9 +crypto/external/bsd/heimdal/include/roken.h 1.8 + + - Always use rk_getpwnam_r + - Use getpwuid_r instead of getpwuid, so that we don't trash + getpw*() internal buffers. + [mlelstv, ticket #1503] +
CVS commit: [netbsd-6] src/crypto/external/bsd/heimdal
Module Name:src Committed By: snj Date: Mon Sep 11 04:43:23 UTC 2017 Modified Files: src/crypto/external/bsd/heimdal/dist [netbsd-6]: configure.ac src/crypto/external/bsd/heimdal/dist/kcm [netbsd-6]: client.c config.c src/crypto/external/bsd/heimdal/dist/lib/gssapi/mech [netbsd-6]: gss_pname_to_uid.c src/crypto/external/bsd/heimdal/dist/lib/hx509 [netbsd-6]: softp11.c src/crypto/external/bsd/heimdal/dist/lib/krb5 [netbsd-6]: config_file.c get_default_principal.c kuserok.c src/crypto/external/bsd/heimdal/dist/lib/roken [netbsd-6]: getxxyyy.c roken.h.in src/crypto/external/bsd/heimdal/include [netbsd-6]: config.h roken.h Added Files: src/crypto/external/bsd/heimdal/dist/cf [netbsd-6]: check-getpwuid_r-posix.m4 Log Message: Pull up following revision(s) (requested by mlelstv in ticket #1503): crypto/external/bsd/heimdal/include/config.h: revision 1.9 crypto/external/bsd/heimdal/dist/lib/gssapi/mech/gss_pname_to_uid.c: revision 1.3 crypto/external/bsd/heimdal/dist/lib/roken/getxxyyy.c: revision 1.3 crypto/external/bsd/heimdal/dist/configure.ac: revision 1.3 crypto/external/bsd/heimdal/dist/kcm/config.c: revision 1.3 crypto/external/bsd/heimdal/dist/lib/krb5/kuserok.c: revision 1.3 crypto/external/bsd/heimdal/dist/cf/check-getpwuid_r-posix.m4: revision 1.1 crypto/external/bsd/heimdal/include/roken.h: revision 1.8 crypto/external/bsd/heimdal/dist/lib/krb5/get_default_principal.c: revision 1.3 crypto/external/bsd/heimdal/dist/lib/hx509/softp11.c: revision 1.3 crypto/external/bsd/heimdal/dist/kcm/client.c: revision 1.3 crypto/external/bsd/heimdal/dist/lib/krb5/config_file.c: revision 1.3 crypto/external/bsd/heimdal/dist/lib/roken/roken.h.in: revision 1.5 always use rk_getpwnam_r... -- This is why we have libroken... -- Use getpwuid_r instead of getpwuid, so that we don't trash getpw*() internal buffers. kde does (kdm/client/backend.c): p = getpwnam(); pam_setcred() (which calls getpwuid in pam_afslog); setusercontext(...,p,p->pw_uid,...) (now with trashed p data...) 
To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.6.1 -r1.1.1.1.6.2 \ src/crypto/external/bsd/heimdal/dist/configure.ac cvs rdiff -u -r0 -r1.1.6.2 \ src/crypto/external/bsd/heimdal/dist/cf/check-getpwuid_r-posix.m4 cvs rdiff -u -r1.1.1.1.6.1 -r1.1.1.1.6.2 \ src/crypto/external/bsd/heimdal/dist/kcm/client.c \ src/crypto/external/bsd/heimdal/dist/kcm/config.c cvs rdiff -u -r1.2.12.2 -r1.2.12.3 \ src/crypto/external/bsd/heimdal/dist/lib/gssapi/mech/gss_pname_to_uid.c cvs rdiff -u -r1.1.1.1.6.1 -r1.1.1.1.6.2 \ src/crypto/external/bsd/heimdal/dist/lib/hx509/softp11.c cvs rdiff -u -r1.1.1.1.6.1 -r1.1.1.1.6.2 \ src/crypto/external/bsd/heimdal/dist/lib/krb5/config_file.c \ src/crypto/external/bsd/heimdal/dist/lib/krb5/get_default_principal.c \ src/crypto/external/bsd/heimdal/dist/lib/krb5/kuserok.c cvs rdiff -u -r1.2.22.2 -r1.2.22.3 \ src/crypto/external/bsd/heimdal/dist/lib/roken/getxxyyy.c cvs rdiff -u -r1.2.6.1 -r1.2.6.2 \ src/crypto/external/bsd/heimdal/dist/lib/roken/roken.h.in cvs rdiff -u -r1.4.2.1 -r1.4.2.2 \ src/crypto/external/bsd/heimdal/include/config.h cvs rdiff -u -r1.3.6.1 -r1.3.6.2 \ src/crypto/external/bsd/heimdal/include/roken.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/external/bsd/heimdal/dist/configure.ac diff -u src/crypto/external/bsd/heimdal/dist/configure.ac:1.1.1.1.6.1 src/crypto/external/bsd/heimdal/dist/configure.ac:1.1.1.1.6.2 --- src/crypto/external/bsd/heimdal/dist/configure.ac:1.1.1.1.6.1 Wed Aug 30 07:10:48 2017 +++ src/crypto/external/bsd/heimdal/dist/configure.ac Mon Sep 11 04:43:22 2017 @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -AC_REVISION($Revision: 1.1.1.1.6.1 $) +AC_REVISION($Revision: 1.1.1.1.6.2 $) AC_PREREQ(2.62) test -z "$CFLAGS" && CFLAGS="-g" AC_INIT([Heimdal],[7.99.1],[https://github.com/heimdal/heimdal/issues]) 
@@ -514,6 +514,7 @@ KRB_CAPABILITIES rk_DLADDR AC_CHECK_GETPWNAM_R_POSIX +AC_CHECK_GETPWUID_R_POSIX dnl detect doors on solaris if test "$enable_pthread_support" != no; then Index: src/crypto/external/bsd/heimdal/dist/kcm/client.c diff -u src/crypto/external/bsd/heimdal/dist/kcm/client.c:1.1.1.1.6.1 src/crypto/external/bsd/heimdal/dist/kcm/client.c:1.1.1.1.6.2 --- src/crypto/external/bsd/heimdal/dist/kcm/client.c:1.1.1.1.6.1 Wed Aug 30 07:10:50 2017 +++ src/crypto/external/bsd/heimdal/dist/kcm/client.c Mon Sep 11 04:43:22 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: client.c,v 1.1.1.1.6.1 2017/08/30 07:10:50 snj Exp $ */ +/* $NetBSD: client.c,v 1.1.1.1.6.2 2017/09/11 04:43:22 snj Exp $ */ /* * Copyright (c) 2005, PADL Software Pty Ltd. @@ -174,8 +174
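Review bot: the AC_CHECK_GETPWUID_R_POSIX line added to configure.ac has an effect only where configure is regenerated and run; the log lists include/config.h and include/roken.h as changed in the same commit, so confirm the result of the new check is reflected in those files and mention that in the log. The client.c hunk is cut off here and cannot be reviewed from this page.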
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Sat Sep 9 16:54:40 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1502 To generate a diff of this commit: cvs rdiff -u -r1.1.2.308 -r1.1.2.309 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.308 src/doc/CHANGES-6.2:1.1.2.309 --- src/doc/CHANGES-6.2:1.1.2.308 Mon Sep 4 16:05:39 2017 +++ src/doc/CHANGES-6.2 Sat Sep 9 16:54:40 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.308 2017/09/04 16:05:39 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.309 2017/09/09 16:54:40 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -20900,3 +20900,11 @@ sys/arch/sparc64/sparc64/compat_13_machd in %pstate and get kernel privileges on the hardware. [maxv, ticket #1501] +sys/compat/linux32/arch/amd64/linux32_machdep.c 1.39 + + + Fix a ring0 escalation vulnerability in compat_linux32 where the + index of %cs is controlled by userland, making it easy to trigger + the page fault and get kernel privileges. + [maxv, ticket #1502] +
CVS commit: [netbsd-6] src/sys/compat/linux32/arch/amd64
Module Name:src Committed By: snj Date: Sat Sep 9 16:53:36 UTC 2017 Modified Files: src/sys/compat/linux32/arch/amd64 [netbsd-6]: linux32_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1502): sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.39 Fix a ring0 escalation vulnerability in compat_linux32 where the index of %cs is controlled by userland, making it easy to trigger the page fault and get kernel privileges. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.10.1 \ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/compat/linux32/arch/amd64/linux32_machdep.c diff -u src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29.10.1 --- src/sys/compat/linux32/arch/amd64/linux32_machdep.c:1.29 Fri Mar 4 22:25:31 2011 +++ src/sys/compat/linux32/arch/amd64/linux32_machdep.c Sat Sep 9 16:53:36 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $ */ +/* $NetBSD: linux32_machdep.c,v 1.29.10.1 2017/09/09 16:53:36 snj Exp $ */ /*- * Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved. @@ -31,7 +31,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29 2011/03/04 22:25:31 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: linux32_machdep.c,v 1.29.10.1 2017/09/09 16:53:36 snj Exp $"); #include #include @@ -428,8 +428,9 @@ linux32_restore_sigcontext(struct lwp *l /* * Check for security violations. */ - if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0 || - !USERMODE(scp->sc_cs, scp->sc_eflags)) + if (((scp->sc_eflags ^ tf->tf_rflags) & PSL_USERSTATIC) != 0) + return EINVAL; + if (!VALID_USER_CSEL32(scp->sc_cs)) return EINVAL; if (scp->sc_fs != 0 && !VALID_USER_DSEL32(scp->sc_fs) &&
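Review bot: linux32_restore_sigcontext() now tests `!VALID_USER_CSEL32(scp->sc_cs)` in place of `!USERMODE(scp->sc_cs, scp->sc_eflags)`, but the comment above is still just "Check for security violations."; record there that the whole %cs selector, index included, has to be validated, which is the point made in the log message. The hunk shows sc_fs being checked with VALID_USER_DSEL32 next; make sure every other segment selector restored from scp gets an equivalent check.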
CVS commit: [netbsd-6] src/sys/arch/sparc64/sparc64
Module Name:src Committed By: snj Date: Mon Sep 4 16:05:13 UTC 2017 Modified Files: src/sys/arch/sparc64/sparc64 [netbsd-6]: compat_13_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1501): sys/arch/sparc64/sparc64/compat_13_machdep.c: revision 1.24 Apply only CCR. Otherwise userland could set PSTATE_PRIV in %pstate and get kernel privileges on the hardware. ok martin To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.23.18.1 \ src/sys/arch/sparc64/sparc64/compat_13_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/sparc64/sparc64/compat_13_machdep.c diff -u src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23 src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23.18.1 --- src/sys/arch/sparc64/sparc64/compat_13_machdep.c:1.23 Sat Nov 21 04:16:52 2009 +++ src/sys/arch/sparc64/sparc64/compat_13_machdep.c Mon Sep 4 16:05:13 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $ */ +/* $NetBSD: compat_13_machdep.c,v 1.23.18.1 2017/09/04 16:05:13 snj Exp $ */ /*- * Copyright (c) 1996, 1997, 1998 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23 2009/11/21 04:16:52 rmind Exp $"); +__KERNEL_RCSID(0, "$NetBSD: compat_13_machdep.c,v 1.23.18.1 2017/09/04 16:05:13 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_ddb.h" @@ -129,7 +129,7 @@ compat_13_sys_sigreturn(struct lwp *l, c return (EINVAL); /* take only psr ICC field */ #ifdef __arch64__ - tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | scp->sc_tstate; + tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | (scp->sc_tstate & TSTATE_CCR); #else tf->tf_tstate = (int64_t)(tf->tf_tstate & ~TSTATE_CCR) | PSRCC_TO_TSTATE(scp->sc_psr); #endif
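Review bot: the __arch64__ branch of compat_13_sys_sigreturn() now masks the user value with `(scp->sc_tstate & TSTATE_CCR)`, but the #else branch still ORs in `PSRCC_TO_TSTATE(scp->sc_psr)` unmasked; confirm that macro can only produce bits inside TSTATE_CCR, or mask its result the same way. The changed line also runs well past 80 columns and should be wrapped.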
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Mon Sep 4 16:05:39 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Pull up following revision(s) (requested by maxv in ticket #1501): sys/arch/sparc64/sparc64/compat_13_machdep.c: revision 1.24 Apply only CCR. Otherwise userland could set PSTATE_PRIV in %pstate and get kernel privileges on the hardware. ok martin To generate a diff of this commit: cvs rdiff -u -r1.1.2.307 -r1.1.2.308 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.307 src/doc/CHANGES-6.2:1.1.2.308 --- src/doc/CHANGES-6.2:1.1.2.307 Thu Aug 31 15:20:47 2017 +++ src/doc/CHANGES-6.2 Mon Sep 4 16:05:39 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.307 2017/08/31 15:20:47 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.308 2017/09/04 16:05:39 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -20894,3 +20894,9 @@ sys/arch/mips/mips/bds_emul.S 1.9 Fix FPU emulation. [mrg, ticket #1499] +sys/arch/sparc64/sparc64/compat_13_machdep.c 1.24 + + Apply only CCR. Otherwise userland could set PSTATE_PRIV + in %pstate and get kernel privileges on the hardware. + [maxv, ticket #1501] +
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Thu Aug 31 15:20:47 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Note tickets #1494 - #1496, #1498, #1499 To generate a diff of this commit: cvs rdiff -u -r1.1.2.306 -r1.1.2.307 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.306 src/doc/CHANGES-6.2:1.1.2.307 --- src/doc/CHANGES-6.2:1.1.2.306 Wed Aug 30 07:12:21 2017 +++ src/doc/CHANGES-6.2 Thu Aug 31 15:20:47 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.306 2017/08/30 07:12:21 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.307 2017/08/31 15:20:47 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -20863,3 +20863,34 @@ usr.sbin/racoon/Makefile 1.28 Update Heimdal to 7.1. [mrg, ticket #1493] +lib/libc/rpc/rpcb_st_xdr.c 1.12 + + Add missing xdr_rpcbs_rmtcalllist_ptr call in xdr_rpcb_stat. + [ginsbach, ticket #1494] + +lib/libc/stdlib/merge.c1.15 + + Gracefully handle a zero number of members argument in mergesort(3). + [ginsbach, ticket #1495] + +usr.sbin/syslogd/syslogd.c 1.123 + + Fixed incorrect syslogd(8) internal time conversions that could + result in incorrect timestamp values being logged. + [ginsbach, ticket #1496] + +external/bsd/cron/dist/database.c 1.8 + + Allow crontab files being writable by owner. + [ginsbach, ticket #1498] + +sys/arch/evbmips/conf/MALTA 1.88 +sys/arch/evbmips/conf/MALTA32 1.4 +sys/arch/evbmips/conf/MALTA64 1.8 +sys/arch/mips/mips/bds_emul.S 1.9 + + Re-enable the NOFPU and (renamed) FPEMUL options. None of the Malta + CPU daughter cards currently supported by NetBSD have an FPU. + Fix FPU emulation. + [mrg, ticket #1499] +
CVS commit: [netbsd-6] src/sys/arch
Module Name:src Committed By: martin Date: Thu Aug 31 15:18:12 UTC 2017 Modified Files: src/sys/arch/evbmips/conf [netbsd-6]: MALTA MALTA32 MALTA64 src/sys/arch/mips/mips [netbsd-6]: bds_emul.S Log Message: Pull up following revision(s) (requested by mrg in ticket #1499): sys/arch/evbmips/conf/MALTA64: revision 1.8 sys/arch/evbmips/conf/MALTA32: revision 1.4 sys/arch/mips/mips/bds_emul.S: revision 1.9 sys/arch/evbmips/conf/MALTA: revision 1.88 Re-enable the NOFPU and (renamed) FPEMUL options. None of the Malta CPU daughter cards currently supported by NetBSD have an FPU. Detected on real hardware. gxemul wrongly supports an FPU on the 4Kc and 5Kc CPUs. Remove the NOFPU option. The main MALTA config file has this now. mips_emul_daddi and mips_emul_daddiu don't exist, but there are bcemul_daddi and bcemul_daddiu here that should be used. however, bcemul_daddi needed to be changed to use dadd not daddui. fixes FPEMUL and N64 kernels. ok simonb. To generate a diff of this commit: cvs rdiff -u -r1.65.2.1 -r1.65.2.2 src/sys/arch/evbmips/conf/MALTA cvs rdiff -u -r1.3 -r1.3.2.1 src/sys/arch/evbmips/conf/MALTA32 cvs rdiff -u -r1.5.2.1 -r1.5.2.2 src/sys/arch/evbmips/conf/MALTA64 cvs rdiff -u -r1.6 -r1.6.2.1 src/sys/arch/mips/mips/bds_emul.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/evbmips/conf/MALTA diff -u src/sys/arch/evbmips/conf/MALTA:1.65.2.1 src/sys/arch/evbmips/conf/MALTA:1.65.2.2 --- src/sys/arch/evbmips/conf/MALTA:1.65.2.1 Mon Sep 17 18:40:12 2012 +++ src/sys/arch/evbmips/conf/MALTA Thu Aug 31 15:18:12 2017 
@@ -1,17 +1,18 @@ -# $NetBSD: MALTA,v 1.65.2.1 2012/09/17 18:40:12 riz Exp $ +# $NetBSD: MALTA,v 1.65.2.2 2017/08/31 15:18:12 martin Exp $ include "arch/evbmips/conf/std.malta" #options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "MALTA-$Revision: 1.65.2.1 $" +#ident "MALTA-$Revision: 1.65.2.2 $" maxusers 32 options MIPS32 options MIPS64 -#options NOFPU # No FPU -#options FPEMUL # emulate FPU insn + +options NOFPU # No FPU +options FPEMUL # emulate FPU insn # Options for necessary to use MD # options MEMORY_DISK_HOOKS Index: src/sys/arch/evbmips/conf/MALTA32 diff -u src/sys/arch/evbmips/conf/MALTA32:1.3 src/sys/arch/evbmips/conf/MALTA32:1.3.2.1 --- src/sys/arch/evbmips/conf/MALTA32:1.3 Thu Feb 9 18:58:44 2012 +++ src/sys/arch/evbmips/conf/MALTA32 Thu Aug 31 15:18:12 2017 @@ -1,11 +1,10 @@ -# $NetBSD: MALTA32,v 1.3 2012/02/09 18:58:44 matt Exp $ +# $NetBSD: MALTA32,v 1.3.2.1 2017/08/31 15:18:12 martin Exp $ # include "arch/evbmips/conf/MALTA" makeoptions LP64="no" no options MIPS32 -options NOFPU # No FPU #options EXEC_ELF64 no ath* Index: src/sys/arch/evbmips/conf/MALTA64 diff -u src/sys/arch/evbmips/conf/MALTA64:1.5.2.1 src/sys/arch/evbmips/conf/MALTA64:1.5.2.2 --- src/sys/arch/evbmips/conf/MALTA64:1.5.2.1 Sat Oct 13 06:15:23 2012 +++ src/sys/arch/evbmips/conf/MALTA64 Thu Aug 31 15:18:12 2017 @@ -1,11 +1,10 @@ -# $NetBSD: MALTA64,v 1.5.2.1 2012/10/13 06:15:23 riz Exp $ +# $NetBSD: MALTA64,v 1.5.2.2 2017/08/31 15:18:12 martin Exp $ # include "arch/evbmips/conf/MALTA" makeoptions LP64="yes" no options MIPS32 -options NOFPU # No FPU options EXEC_ELF64 options COMPAT_NETBSD32 no options SYMTAB_SPACE Index: src/sys/arch/mips/mips/bds_emul.S diff -u src/sys/arch/mips/mips/bds_emul.S:1.6 src/sys/arch/mips/mips/bds_emul.S:1.6.2.1 --- src/sys/arch/mips/mips/bds_emul.S:1.6 Sun Dec 25 11:51:15 2011 +++ src/sys/arch/mips/mips/bds_emul.S Thu Aug 31 15:18:12 2017 
@@ -1,4 +1,4 @@ -/* $NetBSD: bds_emul.S,v 1.6 2011/12/25 11:51:15 kiyohara Exp $ */ +/* $NetBSD: bds_emul.S,v 1.6.2.1 2017/08/31 15:18:12 martin Exp $ */ /* * Copyright (c) 1992, 1993 @@ -101,8 +101,8 @@ bcemul_optbl: PTR_WORD bcemul_sigill # 030 LDL (*) PTR_WORD bcemul_sigill # 031 LDR (*) #else - PTR_WORD _C_LABEL(mips_emul_daddi) # 030 DADDI (*) - PTR_WORD _C_LABEL(mips_emul_daddiu) # 031 DADDIU (*) + PTR_WORD bcemul_daddi # 030 DADDI (*) + PTR_WORD bcemul_daddiu # 031 DADDIU (*) PTR_WORD _C_LABEL(mips_emul_ldl) # 032 LDL (*) PTR_WORD _C_LABEL(mips_emul_ldr) # 033 LDR (*) #endif @@ -191,7 +191,7 @@ bcemul_uimmed_prologue: #ifndef __mips_o32 bcemul_daddi: bal bcemul_immed_prologue - daddiu t0, v0, v1 + dadd t0, v0, v1 b bcemul_check_add_overflow #endif
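Review bot: in bcemul_daddi the replacement `dadd t0, v0, v1` is the trapping form of the 64-bit add, so a signed overflow raises an Integer Overflow exception on that instruction, inside the emulation code, before `b bcemul_check_add_overflow` is reached. If the software check is what is supposed to detect the overflow, `daddu t0, v0, v1` leaves that job to it; if the trap is intended, a comment on the instruction should say so. The log message mentions FPEMUL and N64 kernels, so a DADDI in a branch delay slot with an overflowing operand would be the case to test.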
CVS commit: [netbsd-6] src/external/bsd/cron/dist
Module Name:src Committed By: martin Date: Thu Aug 31 15:14:56 UTC 2017 Modified Files: src/external/bsd/cron/dist [netbsd-6]: database.c Log Message: Pull up following revision(s) (requested by ginsbach in ticket #1498): external/bsd/cron/dist/database.c: revision 1.8 PR/47362: Brian Marcotte: cron is too restrictive on file permissions Allow file being writable by owner. XXX: pullup to 6. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.7.4.1 src/external/bsd/cron/dist/database.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/external/bsd/cron/dist/database.c diff -u src/external/bsd/cron/dist/database.c:1.7 src/external/bsd/cron/dist/database.c:1.7.4.1 --- src/external/bsd/cron/dist/database.c:1.7 Fri Oct 14 14:38:20 2011 +++ src/external/bsd/cron/dist/database.c Thu Aug 31 15:14:56 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: database.c,v 1.7 2011/10/14 14:38:20 christos Exp $ */ +/* $NetBSD: database.c,v 1.7.4.1 2017/08/31 15:14:56 martin Exp $ */ /* Copyright 1988,1990,1993,1994 by Paul Vixie * All rights reserved @@ -25,7 +25,7 @@ #if 0 static char rcsid[] = "Id: database.c,v 1.7 2004/01/23 18:56:42 vixie Exp"; #else -__RCSID("$NetBSD: database.c,v 1.7 2011/10/14 14:38:20 christos Exp $"); +__RCSID("$NetBSD: database.c,v 1.7.4.1 2017/08/31 15:14:56 martin Exp $"); #endif #endif @@ -237,7 +237,7 @@ process_crontab(const char *uname, const { struct passwd *pw = NULL; int crontab_fd = OK - 1; - mode_t eqmode = 0600, badmode = 0; + mode_t eqmode = 0400, badmode = 0; user *u; if (fname == NULL) { @@ -272,7 +272,7 @@ process_crontab(const char *uname, const log_it(fname, getpid(), "NOT REGULAR", tabname); goto next_crontab; } - if ((eqmode && (statbuf->st_mode & 0) != eqmode) || + if ((eqmode && (statbuf->st_mode & 07577) != eqmode) || (badmode && (statbuf->st_mode & badmode) != 0)) { log_it(fname, getpid(), "BAD FILE MODE", tabname); goto next_crontab;
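Review bot: in process_crontab() the new test `(statbuf->st_mode & 07577) != eqmode` relies on a bare octal constant whose meaning (every permission bit except owner-write) has to be decoded by hand, and combined with `eqmode = 0400` it accepts both 0400 and 0600 while still rejecting any group, other, setuid, setgid or sticky bit. Suggest spelling the mask as `07777 & ~S_IWUSR` and adding a comment that owner-write is the only bit being ignored, so a later edit does not loosen the check by accident. Including the observed mode in the "BAD FILE MODE" log entry would also make rejected crontabs easier to diagnose.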
CVS commit: [netbsd-6] src/usr.sbin/syslogd
Module Name:src Committed By: martin Date: Thu Aug 31 15:10:29 UTC 2017 Modified Files: src/usr.sbin/syslogd [netbsd-6]: syslogd.c Log Message: Pull up following revision(s) (requested by ginsbach in ticket #1496): usr.sbin/syslogd/syslogd.c: revision 1.123 PR/51234: Onno van der Linden: syslogd sometimes incorrectly handles iso to bsd time conversion To generate a diff of this commit: cvs rdiff -u -r1.105.4.1 -r1.105.4.2 src/usr.sbin/syslogd/syslogd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/syslogd/syslogd.c diff -u src/usr.sbin/syslogd/syslogd.c:1.105.4.1 src/usr.sbin/syslogd/syslogd.c:1.105.4.2 --- src/usr.sbin/syslogd/syslogd.c:1.105.4.1 Thu Jun 13 07:11:11 2013 +++ src/usr.sbin/syslogd/syslogd.c Thu Aug 31 15:10:29 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: syslogd.c,v 1.105.4.1 2013/06/13 07:11:11 msaitoh Exp $ */ +/* $NetBSD: syslogd.c,v 1.105.4.2 2017/08/31 15:10:29 martin Exp $ */ /* * Copyright (c) 1983, 1988, 1993, 1994 @@ -39,7 +39,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 19 #if 0 static char sccsid[] = "@(#)syslogd.c 8.3 (Berkeley) 4/4/94"; #else -__RCSID("$NetBSD: syslogd.c,v 1.105.4.1 2013/06/13 07:11:11 msaitoh Exp $"); +__RCSID("$NetBSD: syslogd.c,v 1.105.4.2 2017/08/31 15:10:29 martin Exp $"); #endif #endif /* not lint */ 
@@ -1739,27 +1739,28 @@ check_timestamp(unsigned char *from_buf, struct tm parsed; time_t timeval; char tsbuf[MAX_TIMESTAMPLEN]; - int i = 0; + int i = 0, j; DPRINTF(D_CALL, "check_timestamp(): convert ISO->BSD\n"); for(i = 0; i < MAX_TIMESTAMPLEN && from_buf[i] != '\0' && from_buf[i] != '.' && from_buf[i] != ' '; i++) tsbuf[i] = from_buf[i]; /* copy date & time */ + j = i; for(; i < MAX_TIMESTAMPLEN && from_buf[i] != '\0' && from_buf[i] != '+' && from_buf[i] != '-' && from_buf[i] != 'Z' && from_buf[i] != ' '; i++) ; /* skip fraction digits */ for(; i < MAX_TIMESTAMPLEN && from_buf[i] != '\0' - && from_buf[i] != ':' && from_buf[i] != ' ' ; i++) - tsbuf[i] = from_buf[i]; /* copy TZ */ + && from_buf[i] != ':' && from_buf[i] != ' ' ; i++, j++) + tsbuf[j] = from_buf[i]; /* copy TZ */ if (from_buf[i] == ':') i++; /* skip colon */ for(; i < MAX_TIMESTAMPLEN && from_buf[i] != '\0' - && from_buf[i] != ' ' ; i++) - tsbuf[i] = from_buf[i]; /* copy TZ */ + && from_buf[i] != ' ' ; i++, j++) + tsbuf[j] = from_buf[i]; /* copy TZ */ (void)memset(&parsed, 0, sizeof(parsed)); - parsed.tm_isdst = -1; (void)strptime(tsbuf, "%FT%T%z", &parsed); + parsed.tm_isdst = -1; timeval = mktime(&parsed); *to_buf = strndup(make_timestamp(&timeval, false),
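Review bot: in check_timestamp() nothing in the hunk writes a terminating NUL at `tsbuf[j]` before `strptime(tsbuf, "%FT%T%z", &parsed)`, and `tsbuf` is an uninitialised stack array, so even with the copy now compacted through `j` the parse depends on whatever follows the last copied byte. If the terminator is not written outside the visible lines, add `tsbuf[j] = '\0';` after the last loop, and bound the loops so that `j` stays below `MAX_TIMESTAMPLEN - 1`, since `i` (and therefore `j`) can currently reach `MAX_TIMESTAMPLEN`. The result of strptime() is also cast away, so a timestamp that fails to parse still goes to mktime() with the zeroed `struct tm`; checking for NULL would keep a malformed sender timestamp out of the log.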
CVS commit: [netbsd-6] src/lib/libc/stdlib
Module Name:src Committed By: martin Date: Thu Aug 31 15:05:50 UTC 2017 Modified Files: src/lib/libc/stdlib [netbsd-6]: merge.c Log Message: Pull up following revision(s) (requested by ginsbach in ticket #1495): lib/libc/stdlib/merge.c: revision 1.15 PR lib/50316: Gracefully handle a zero number of members argument. Taken from FreeBSD (which fixed this same issue long ago). XXX: pullup-8 XXX: pullup-7 XXX: pullup-6 To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.13.6.1 src/lib/libc/stdlib/merge.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/stdlib/merge.c diff -u src/lib/libc/stdlib/merge.c:1.13 src/lib/libc/stdlib/merge.c:1.13.6.1 --- src/lib/libc/stdlib/merge.c:1.13 Wed May 18 19:36:36 2011 +++ src/lib/libc/stdlib/merge.c Thu Aug 31 15:05:50 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: merge.c,v 1.13 2011/05/18 19:36:36 dsl Exp $ */ +/* $NetBSD: merge.c,v 1.13.6.1 2017/08/31 15:05:50 martin Exp $ */ /*- * Copyright (c) 1992, 1993 @@ -37,7 +37,7 @@ #if 0 static char sccsid[] = "from: @(#)merge.c 8.2 (Berkeley) 2/14/94"; #else -__RCSID("$NetBSD: merge.c,v 1.13 2011/05/18 19:36:36 dsl Exp $"); +__RCSID("$NetBSD: merge.c,v 1.13.6.1 2017/08/31 15:05:50 martin Exp $"); #endif #endif /* LIBC_SCCS and not lint */ @@ -128,6 +128,9 @@ mergesort(base, nmemb, size, cmp) return (-1); } + if (nmemb == 0) + return (0); + /* * XXX * Stupid subtraction for the Cray.
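Review bot: the new `if (nmemb == 0) return (0);` in mergesort() has no comment and no accompanying test, and it sits after the existing `return (-1)` path, so a zero nmemb combined with arguments that fail that earlier check still returns an error. Suggest a one-line comment stating that this ordering is deliberate, plus a regression case for nmemb == 0 under tests/lib/libc/stdlib so the behaviour stays pinned on this branch.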
CVS commit: [netbsd-6] src/lib/libc/rpc
Module Name:src Committed By: martin Date: Thu Aug 31 13:43:19 UTC 2017 Modified Files: src/lib/libc/rpc [netbsd-6]: rpcb_st_xdr.c Log Message: Pull up following revision(s) (requested by ginsbach in ticket #1494): lib/libc/rpc/rpcb_st_xdr.c: revision 1.12 PR lib/15802: Shuuichirou Murata: Add missing xdr_rpcbs_rmtcalllist_ptr There was a missing call to xdr_rpcbs_rmtcalllist_ptr in xdr_rpcb_stat. This fixes issues with RPCBPROC_GETSTAT not working correctly with systems that correctly implement the XDR encode/decode routine. XXX: pullup-8 XXX: pullup-7 XXX: pullup-6 To generate a diff of this commit: cvs rdiff -u -r1.7.46.1 -r1.7.46.2 src/lib/libc/rpc/rpcb_st_xdr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/lib/libc/rpc/rpcb_st_xdr.c diff -u src/lib/libc/rpc/rpcb_st_xdr.c:1.7.46.1 src/lib/libc/rpc/rpcb_st_xdr.c:1.7.46.2 --- src/lib/libc/rpc/rpcb_st_xdr.c:1.7.46.1 Thu Mar 14 22:03:09 2013 +++ src/lib/libc/rpc/rpcb_st_xdr.c Thu Aug 31 13:43:19 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: rpcb_st_xdr.c,v 1.7.46.1 2013/03/14 22:03:09 riz Exp $ */ +/* $NetBSD: rpcb_st_xdr.c,v 1.7.46.2 2017/08/31 13:43:19 martin Exp $ */ /* * Copyright (c) 2010, Oracle America, Inc. @@ -42,7 +42,7 @@ #include #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: rpcb_st_xdr.c,v 1.7.46.1 2013/03/14 22:03:09 riz Exp $"); +__RCSID("$NetBSD: rpcb_st_xdr.c,v 1.7.46.2 2017/08/31 13:43:19 martin Exp $"); #endif #include "namespace.h" @@ -269,6 +269,9 @@ xdr_rpcb_stat(xdrs, objp) if (!xdr_rpcbs_addrlist_ptr(xdrs, &objp->addrinfo)) { return (FALSE); } + if (!xdr_rpcbs_rmtcalllist_ptr(xdrs, &objp->rmtinfo)) { + return (FALSE); + } return (TRUE); }
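Review bot: the added `xdr_rpcbs_rmtcalllist_ptr(xdrs, &objp->rmtinfo)` call in xdr_rpcb_stat() changes what this routine encodes and expects to decode, so a peer still running the previous libc will no longer agree with a patched one on the layout of an RPCBPROC_GETSTAT reply. The log message covers interoperability with correct implementations; the CHANGES entry should also say that mixed old and new NetBSD hosts are affected. A round-trip encode and decode test of a `rpcb_stat` with a non-empty `rmtinfo` list would catch a repeat of the omission.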
CVS commit: [netbsd-6] src
Module Name:src Committed By: snj Date: Wed Aug 30 05:48:19 UTC 2017 Modified Files: src/doc [netbsd-6]: 3RDPARTY src/external/bsd/wpa/bin [netbsd-6]: Makefile.inc src/external/bsd/wpa/bin/hostapd [netbsd-6]: Makefile aes-xinternal.c hostapd.8 hostapd.conf.5 src/external/bsd/wpa/bin/hostapd_cli [netbsd-6]: Makefile hostapd_cli.8 src/external/bsd/wpa/bin/wpa_cli [netbsd-6]: Makefile wpa_cli.8 src/external/bsd/wpa/bin/wpa_passphrase [netbsd-6]: Makefile wpa_passphrase.8 src/external/bsd/wpa/bin/wpa_supplicant [netbsd-6]: Makefile aes-xinternal.c wpa_supplicant.8 wpa_supplicant.conf.5 src/external/bsd/wpa/dist [netbsd-6]: COPYING README src/external/bsd/wpa/dist/hostapd [netbsd-6]: ChangeLog Makefile README README-WPS config_file.c config_file.h ctrl_iface.c ctrl_iface.h defconfig eap_register.c eap_register.h hlr_auc_gw.c hlr_auc_gw.milenage_db hostapd.8 hostapd.conf hostapd.eap_user hostapd_cli.c main.c nt_password_hash.c src/external/bsd/wpa/dist/src [netbsd-6]: Makefile lib.rules src/external/bsd/wpa/dist/src/ap [netbsd-6]: Makefile accounting.c accounting.h ap_config.c ap_config.h ap_drv_ops.c ap_drv_ops.h ap_list.c ap_list.h ap_mlme.c ap_mlme.h authsrv.c authsrv.h beacon.c beacon.h ctrl_iface_ap.c ctrl_iface_ap.h drv_callbacks.c hostapd.c hostapd.h hw_features.c hw_features.h iapp.c iapp.h ieee802_11.c ieee802_11.h ieee802_11_auth.c ieee802_11_auth.h ieee802_11_ht.c ieee802_1x.c ieee802_1x.h peerkey_auth.c pmksa_cache_auth.c pmksa_cache_auth.h preauth_auth.c preauth_auth.h sta_info.c sta_info.h tkip_countermeasures.c tkip_countermeasures.h utils.c vlan_init.c vlan_init.h wmm.c wmm.h wpa_auth.c wpa_auth.h wpa_auth_ft.c wpa_auth_glue.c wpa_auth_glue.h wpa_auth_i.h wpa_auth_ie.c wpa_auth_ie.h wps_hostapd.c wps_hostapd.h src/external/bsd/wpa/dist/src/common [netbsd-6]: Makefile defs.h eapol_common.h ieee802_11_common.c ieee802_11_common.h ieee802_11_defs.h privsep_commands.h version.h wpa_common.c wpa_common.h wpa_ctrl.c wpa_ctrl.h 
src/external/bsd/wpa/dist/src/crypto [netbsd-6]: Makefile aes-cbc.c aes-ctr.c aes-eax.c aes-encblock.c aes-internal-dec.c aes-internal-enc.c aes-internal.c aes-omac1.c aes-unwrap.c aes-wrap.c aes.h aes_i.h aes_wrap.h crypto.h crypto_gnutls.c crypto_internal-cipher.c crypto_internal-modexp.c crypto_internal-rsa.c crypto_internal.c crypto_libtomcrypt.c crypto_none.c crypto_openssl.c des-internal.c des_i.h dh_group5.c dh_group5.h dh_groups.c dh_groups.h fips_prf_internal.c fips_prf_openssl.c md4-internal.c md5-internal.c md5.c md5.h md5_i.h milenage.c milenage.h ms_funcs.c ms_funcs.h rc4.c sha1-internal.c sha1-pbkdf2.c sha1-tlsprf.c sha1-tprf.c sha1.c sha1.h sha1_i.h sha256-internal.c sha256.c sha256.h tls.h tls_gnutls.c tls_internal.c tls_none.c tls_openssl.c src/external/bsd/wpa/dist/src/drivers [netbsd-6]: Makefile driver.h driver_atheros.c driver_bsd.c driver_hostap.c driver_hostap.h driver_ndis.c driver_ndis.h driver_ndis_.c driver_nl80211.c driver_none.c driver_privsep.c driver_roboswitch.c driver_wext.c driver_wext.h driver_wired.c drivers.c drivers.mak linux_ioctl.c linux_ioctl.h ndis_events.c netlink.c netlink.h nl80211_copy.h priv_netlink.h src/external/bsd/wpa/dist/src/eap_common [netbsd-6]: Makefile chap.c chap.h eap_common.c eap_common.h eap_defs.h eap_fast_common.c eap_fast_common.h eap_gpsk_common.c eap_gpsk_common.h eap_ikev2_common.c eap_ikev2_common.h eap_pax_common.c eap_pax_common.h eap_peap_common.c eap_peap_common.h eap_psk_common.c eap_psk_common.h eap_sake_common.c eap_sake_common.h eap_sim_common.c eap_sim_common.h eap_tlv_common.h eap_ttls.h eap_wsc_common.c eap_wsc_common.h ikev2_common.c ikev2_common.h src/external/bsd/wpa/dist/src/eap_peer [netbsd-6]: Makefile eap.c eap.h eap_aka.c eap_config.h eap_fast.c eap_fast_pac.c eap_fast_pac.h eap_gpsk.c eap_gtc.c eap_i.h eap_ikev2.c eap_leap.c eap_md5.c eap_methods.c eap_methods.h eap_mschapv2.c eap_otp.c eap_pax.c eap_peap.c eap_psk.c eap_sake.c eap_sim.c eap_tls.c eap_tls_common.c 
eap_tls_common.h eap_tnc.c eap_ttls.c eap_vendor_test.c eap_wsc.c ikev2.c ikev2.h mschapv2.c mschapv2.h tncc.c tncc.h src/external/bsd/wpa/dist/src/eap_server [netbsd-6]: Makefile eap.h eap_i.h eap_methods.h eap_server.c eap_server_aka.
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Mon Aug 28 06:35:10 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1491 To generate a diff of this commit: cvs rdiff -u -r1.1.2.304 -r1.1.2.305 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.304 src/doc/CHANGES-6.2:1.1.2.305 --- src/doc/CHANGES-6.2:1.1.2.304 Sat Aug 26 16:37:14 2017 +++ src/doc/CHANGES-6.2 Mon Aug 28 06:35:09 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.304 2017/08/26 16:37:14 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.305 2017/08/28 06:35:09 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -18603,3 +18603,26 @@ tests/lib/libc/stdlib/t_strtol.c 1.6, 1 largest valid numeric prefix, which is 0. [joerg, ticket #1460] +external/bsd/bind/dist/CHANGES patch +external/bsd/bind/dist/FAQ.xml patch +external/bsd/bind/dist/FAQ delete +external/bsd/bind/dist/HISTORY.md patch +external/bsd/bind/dist/OPTIONS patch +external/bsd/bind/dist/OPTIONS.md patch +external/bsd/bind/dist/README.md patch +external/bsd/bind/dist/HISTORY patch +external/bsd/bind/dist/Makefile.in patch +external/bsd/bind/dist/README patch +external/bsd/bind/dist/acconfig.h patch +external/bsd/bind/dist/bind.keys patch +external/bsd/bind/dist/config.h.in patch +external/bsd/bind/dist/configure patch +external/bsd/bind/dist/configure.in patch +external/bsd/bind/dist/isc-config.sh.1 patch +external/bsd/bind/dist/isc-config.sh.docbook patch +external/bsd/bind/dist/isc-config.sh.html patch +external/bsd/bind/dist/srcid external/bsd/bind/dist/version patch + + Update BIND to 9.9.11. + [mrg, ticket #1491] +
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Sat Aug 26 16:37:14 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: 1466, 1460 To generate a diff of this commit: cvs rdiff -u -r1.1.2.303 -r1.1.2.304 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.303 src/doc/CHANGES-6.2:1.1.2.304 --- src/doc/CHANGES-6.2:1.1.2.303 Wed Aug 23 19:38:31 2017 +++ src/doc/CHANGES-6.2 Sat Aug 26 16:37:14 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.303 2017/08/23 19:38:31 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.304 2017/08/26 16:37:14 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -18587,3 +18587,19 @@ bin/rmdir/rmdir.c1.27 PR/48182: Fix rmdir -p handling of top-level (root) directory. [ginsbach, ticket #1490] +sys/arch/i386/conf/GENERIC patch + + i386 GENERIC: disable VM86 by default. + [maxv, ticket #1466] + +common/lib/libc/stdlib/_strtol.h 1.11 via patch +common/lib/libc/stdlib/_strtoul.h 1.11 via patch +tests/lib/libc/stdlib/t_strtol.c 1.6, 1.7 + + Fix testing of returned entptr, and fix three affected + tests. PR lib/49632 + + Fix ISO C compliance: strtol of "0xX" should give the + largest valid numeric prefix, which is 0. + [joerg, ticket #1460] +
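Review bot: typo in the added text for ticket #1460: "Fix testing of returned entptr" should read "endptr". The entry is copied into the release notes, so it is worth fixing here rather than carrying the misspelling forward.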
CVS commit: [netbsd-6] src
Module Name:src Committed By: snj Date: Sat Aug 26 16:36:19 UTC 2017 Modified Files: src/common/lib/libc/stdlib [netbsd-6]: _strtol.h _strtoul.h src/tests/lib/libc/stdlib [netbsd-6]: t_strtol.c Log Message: Pull up following revision(s) (requested by joerg in ticket #1460): common/lib/libc/stdlib/_strtol.h: 1.11 via patch common/lib/libc/stdlib/_strtoul.h: 1.11 via patch tests/lib/libc/stdlib/t_strtol.c: 1.6-1.7 Fix testing of returned entptr, and fix three affected tests. >From kamil@ via PR lib/49632 -- Fix ISO C compliance: strtol of "0xX" should give the largest valid numeric prefix, which is 0. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.2.8.1 src/common/lib/libc/stdlib/_strtol.h cvs rdiff -u -r1.1.22.1 -r1.1.22.2 src/common/lib/libc/stdlib/_strtoul.h cvs rdiff -u -r1.5 -r1.5.6.1 src/tests/lib/libc/stdlib/t_strtol.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/common/lib/libc/stdlib/_strtol.h diff -u src/common/lib/libc/stdlib/_strtol.h:1.2 src/common/lib/libc/stdlib/_strtol.h:1.2.8.1 --- src/common/lib/libc/stdlib/_strtol.h:1.2 Wed May 20 22:03:29 2009 +++ src/common/lib/libc/stdlib/_strtol.h Sat Aug 26 16:36:19 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: _strtol.h,v 1.2 2009/05/20 22:03:29 christos Exp $ */ +/* $NetBSD: _strtol.h,v 1.2.8.1 2017/08/26 16:36:19 snj Exp $ */ /*- * Copyright (c) 1990, 1993 
@@ -84,7 +84,10 @@ _FUNCNAME(const char *nptr, char **endpt c = *s++; } if ((base == 0 || base == 16) && - c == '0' && (*s == 'x' || *s == 'X')) { + c == '0' && (*s == 'x' || *s == 'X') && + ((s[1] >= '0' && s[1] <= '9') || + (s[1] >= 'a' && s[1] <= 'f') || + (s[1] >= 'A' && s[1] <= 'F'))) { c = s[1]; s += 2; base = 16; Index: src/common/lib/libc/stdlib/_strtoul.h diff -u src/common/lib/libc/stdlib/_strtoul.h:1.1.22.1 src/common/lib/libc/stdlib/_strtoul.h:1.1.22.2 --- src/common/lib/libc/stdlib/_strtoul.h:1.1.22.1 Tue Jul 11 21:09:29 2017 +++ src/common/lib/libc/stdlib/_strtoul.h Sat Aug 26 16:36:19 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: _strtoul.h,v 1.1.22.1 2017/07/11 21:09:29 snj Exp $ */ +/* $NetBSD: _strtoul.h,v 1.1.22.2 2017/08/26 16:36:19 snj Exp $ */ /*- * Copyright (c) 1990, 1993 @@ -83,7 +83,10 @@ _FUNCNAME(const char *nptr, char **endpt c = *s++; } if ((base == 0 || base == 16) && - c == '0' && (*s == 'x' || *s == 'X')) { + c == '0' && (*s == 'x' || *s == 'X') && + ((s[1] >= '0' && s[1] <= '9') || + (s[1] >= 'a' && s[1] <= 'f') || + (s[1] >= 'A' && s[1] <= 'F'))) { c = s[1]; s += 2; base = 16; Index: src/tests/lib/libc/stdlib/t_strtol.c diff -u src/tests/lib/libc/stdlib/t_strtol.c:1.5 src/tests/lib/libc/stdlib/t_strtol.c:1.5.6.1 --- src/tests/lib/libc/stdlib/t_strtol.c:1.5 Tue Jun 14 02:45:58 2011 +++ src/tests/lib/libc/stdlib/t_strtol.c Sat Aug 26 16:36:19 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: t_strtol.c,v 1.5 2011/06/14 02:45:58 jruoho Exp $ */ +/* $NetBSD: t_strtol.c,v 1.5.6.1 2017/08/26 16:36:19 snj Exp $ */ /*- * Copyright (c) 2011 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: t_strtol.c,v 1.5 2011/06/14 02:45:58 jruoho Exp $"); +__RCSID("$NetBSD: t_strtol.c,v 1.5.6.1 2017/08/26 16:36:19 snj Exp $"); #include #include 
@@ -59,9 +59,10 @@ check(struct test *t, long int li, long atf_tc_fail_nonfatal("strtoll(%s, NULL, %d) failed " "(rv = %lld)", t->str, t->base, lli); - if (t->end != NULL && strcmp(t->end, end) != 0) - atf_tc_fail_nonfatal("invalid end pointer ('%s') from " - "strtol(%s, &end, %d)", end, t->str, t->base); + if ((t->end != NULL && strcmp(t->end, end) != 0) || + (t->end == NULL && *end != '\0')) + atf_tc_fail_nonfatal("invalid end pointer (%p) from " + "strtol(%p, &end, %d)", end, t->str, t->base); } ATF_TC(strtol_base); @@ -89,15 +90,21 @@ ATF_TC_BODY(strtol_base, tc) { "12579781", 123456789, 14, NULL }, { "AC89BC9", 123456789, 15, NULL }, { "75BCD15", 123456789, 16, NULL }, - { "123456789", 342391, 8, NULL }, - { "0123456789", 342391, 0, NULL }, + { "1234567", 342391, 8, NULL }, + { "01234567", 342391, 0, NULL }, { "0123456789", 123456789, 10, NULL }, - { "0x75bcd15", 123456789, 0, NULL }, + { "0x75bcd15", 123456789, 0, NULL }, + { " 0xX", 0, 0, "xX" }, + { " 0xX", 0, 16, "xX" }, + { " 0XX", 0, 0, "XX" }, + { " 0XX", 0, 16, "XX" }, }; long long int lli; long int li; - char *end; + long long int ulli; + long int uli; + char *end, *end2; size_t i; for (i = 0; i < __arraycount(t); i++) { @@ -105,7 +112,20 @@ ATF_TC_BODY(strtol_base, tc) li = strtol(t[i].str, &end, t[i].base); lli = strtoll(t[i].str, NULL, t[i].base); + uli = strtoul(t[i].str, &end2, t[i].base); + ulli = strtoull(t[i].str, NULL, t[i].base); + che
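Review bot: in ATF_TC_BODY(strtol_base) the new locals `long long int ulli; long int uli;` are signed but receive the results of strtoull() and strtoul(); declare them `unsigned long long` and `unsigned long` and convert explicitly where check() takes signed arguments, so the test does not hide a wrong unsigned result behind an implicit conversion. The rewritten failure message in check() switches `end` and `t->str` to `%p`, which prints addresses instead of the strings being parsed and passes `char *` to `%p` without a `(void *)` cast; keeping `'%s'` gives a usable diagnostic. In _strtol.h and _strtoul.h the three-range hex-digit test after "0x" is duplicated verbatim; a shared macro would keep the two parsers from drifting apart.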
CVS commit: [netbsd-6] src/sys/arch/i386/conf
Module Name:src Committed By: snj Date: Sat Aug 26 16:26:46 UTC 2017 Modified Files: src/sys/arch/i386/conf [netbsd-6]: GENERIC Log Message: Apply patch (requested by maxv in ticket #1466): Disable vm86 by default. The use case is limited, and the potential for damage is too high. To generate a diff of this commit: cvs rdiff -u -r1.1066.2.7 -r1.1066.2.8 src/sys/arch/i386/conf/GENERIC Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/i386/conf/GENERIC diff -u src/sys/arch/i386/conf/GENERIC:1.1066.2.7 src/sys/arch/i386/conf/GENERIC:1.1066.2.8 --- src/sys/arch/i386/conf/GENERIC:1.1066.2.7 Wed Aug 15 15:33:00 2012 +++ src/sys/arch/i386/conf/GENERIC Sat Aug 26 16:26:46 2017 @@ -1,4 +1,4 @@ -# $NetBSD: GENERIC,v 1.1066.2.7 2012/08/15 15:33:00 sborrill Exp $ +# $NetBSD: GENERIC,v 1.1066.2.8 2017/08/26 16:26:46 snj Exp $ # # GENERIC machine description file # @@ -22,12 +22,12 @@ include "arch/i386/conf/std.i386" options INCLUDE_CONFIG_FILE # embed config file in kernel binary -#ident "GENERIC-$Revision: 1.1066.2.7 $" +#ident "GENERIC-$Revision: 1.1066.2.8 $" maxusers 64 # estimated number of users # CPU-related options. -options VM86 # virtual 8086 emulation +#options VM86 # virtual 8086 emulation options USER_LDT # user-settable LDT; used by WINE #options PAE # PAE mode (36 bits physical addressing)
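Review bot: the hunk only turns `options VM86` into `#options VM86 # virtual 8086 emulation`, keeping the old trailing comment, so the config file itself gives no hint that the option is off for safety rather than by oversight. Suggest a short comment next to it repeating the reason from the log message (limited use case, high potential for damage), so that anyone re-enabling it in a custom kernel sees the trade-off at the point of the change.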
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: snj Date: Wed Aug 23 19:38:32 UTC 2017 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: add to 1481 To generate a diff of this commit: cvs rdiff -u -r1.1.2.302 -r1.1.2.303 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.302 src/doc/CHANGES-6.2:1.1.2.303 --- src/doc/CHANGES-6.2:1.1.2.302 Mon Aug 21 23:31:29 2017 +++ src/doc/CHANGES-6.2 Wed Aug 23 19:38:31 2017 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.302 2017/08/21 23:31:29 snj Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.303 2017/08/23 19:38:31 snj Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -18511,6 +18511,7 @@ sys/dev/vnd.c 1.260, 1.262 sys/compat/ibcs2/ibcs2_exec_coff.c 1.27-1.29 sys/compat/ibcs2/ibcs2_ioctl.c 1.46 sys/compat/ibcs2/ibcs2_stat.c 1.49-1.50 +sys/lib/libkern/Makefile.libkern 1.19 Out of bound read and endless loop in exec_ibcs2_coff_prep_zmagic(). Infoleak in ibcs2_sys_ioctl.