These ones were unambiguous cases where the Foundation was the only
listed copyright holder.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 5c2bc3db20)
(cherry picked from commit f06d322e9d)
TPM is defined as an entropy and is called every 10 seconds. However, it
was not registered and calls were discarded.
Signed-off-by: Jean-François Hren <jean-francois.hren@stormshield.eu>
Pull Request: https://github.com/freebsd/freebsd-src/pull/1398
(cherry picked from commit d7c87526b1)
If beep cannot open /dev/dsp provide more information to aid the user
in diagnosing a problem.
Reviewed by: christos
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 83325e7b73)
(cherry picked from commit 7da246dc4f)
Note: imho, the proper solution would be to guarantee that upcalls
won't ever be called after soclose(), but this isn't the case, yet.
This change at least makes the node work the way it always worked.
Reviewed by: afedorov
Differential Revision: https://reviews.freebsd.org/D42636
PR: 272319
PR: 275106
Fixes: 779f106aa1
(cherry picked from commit efad7cbfdc)
- Provide listen upcall and set it on NGM_KSOCKET_LISTEN
- Mask EWOULDBLOCK on NGM_KSOCKET_ACCEPT
Reviewed by: afedorov
Differential Revision: https://reviews.freebsd.org/D42637
PR: 272319
PR: 275106
Fixes: 779f106aa1
(cherry picked from commit 43f7e21668)
'ushm_refcnt' is unsigned. Don't leave the impression it isn't.
No functional change (intended).
Reviewed by: kib
Approved by: emaste (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46126
(cherry picked from commit c75a18905e)
(cherry picked from commit 4938f55446)
This hardens against provoked use-after-free occurrences should there be
reference counting leaks in the future (which is currently not the
case).
At the deepest level, umtx_shm_find_reg_unlocked() now returns EOVERFLOW
when it cannot grant an additional reference to the registry object, and
so will umtx_shm_find_reg(). umtx_shm_create_reg() will fail if calling
umtx_shm_find_reg() returns EOVERFLOW (meaning a SHM object for the
passed key already exists, but we can't acquire another reference on
it), avoiding the creation of a duplicate registry entry for a given key
(this wouldn't pose problem for the rest of the code in its current
form, but is expressly avoided for intelligibility and hardening
purposes).
Since umtx_shm_find_reg*(), and consequently the whole _umtx_op() system
call, can only return EOVERFLOW on such a bug manifesting, we don't
document that return value.
Reviewed by: kib, emaste
Approved by: emaste (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46126
(cherry picked from commit c3e6dfe55c)
(cherry picked from commit b20ae16087)
umtx_shm_unref_reg_locked() would unconditionally drop the "registry"
reference, tied to USHMF_LINKED.
This is not a problem for caller umtx_shm_object_terminated(), which
operates under the 'umtx_shm_lock' lock end-to-end, but it is for
indirect caller umtx_shm(), which drops the lock between
umtx_shm_find_reg() and the call to umtx_shm_unref_reg(true) that
deregisters the umtx shared region (from 'umtx_shm_registry';
umtx_shm_find_reg() only finds registered shared mutexes).
Thus, two concurrent user-space callers of _umtx_op() with UMTX_OP_SHM
and flags UMTX_SHM_DESTROY, both progressing past umtx_shm_find_reg()
but before umtx_shm_unref_reg(true), would then decrease the reference
count twice for the single reference standing for the shared mutex's
registration.
Reported by: Synacktiv
Reviewed by: kib
Approved by: emaste (mentor)
Security: FreeBSD-SA-24:14.umtx
Security: CVE-2024-43102
Security: CAP-01
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46126
(cherry picked from commit 62f40433ab)
(cherry picked from commit be7dc46139)
...into the only USHMF_LINKED, as they are always set or unset together.
This is both to stop giving the impression that they can be set/unset
independently, which they can't with the current code, and to make it
clearer that an upcoming reference counting fix is correct.
Reviewed by: kib
Approved by: emaste (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46126
(cherry picked from commit dd83da532c)
(cherry picked from commit 2d4511bb81)
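The umtx_shm commits above describe two reference-counting rules: the registry's own reference (tied to USHMF_LINKED) may be dropped only once, under the lock, and a lookup must refuse to hand out a reference the counter cannot represent. The following is an added illustration written for this page, not the kernel's umtx code: a one-slot toy registry (names reg_find, reg_unref, REG_LINKED and reg_frees are hypothetical, and a stdatomic spinlock stands in for umtx_shm_lock) that replays the two-caller DESTROY race from the message and checks the object is destroyed exactly once.

```c
#include <errno.h>
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define REG_LINKED 0x1u		/* stands in for USHMF_LINKED: object is registered */

struct reg {
	unsigned int refcnt;	/* unsigned, like ushm_refcnt */
	unsigned int flags;
	int key;
};

/* One-slot "registry" and a spinlock standing in for umtx_shm_lock. */
static struct reg registry;
static atomic_flag reg_lock = ATOMIC_FLAG_INIT;
static unsigned int reg_frees;	/* times the last reference was dropped */

static void reg_lock_acquire(void)
{
	while (atomic_flag_test_and_set_explicit(&reg_lock, memory_order_acquire))
		;
}

static void reg_lock_release(void)
{
	atomic_flag_clear_explicit(&reg_lock, memory_order_release);
}

/* Find the object registered under `key` and grant the caller a reference.
 * Returns 0, ESRCH if the key is not registered, or EOVERFLOW when one more
 * reference cannot be represented: refusing here, instead of letting refcnt
 * wrap to zero, keeps a future leak from becoming a use-after-free. */
static int reg_find_locked(int key, struct reg **out)
{
	struct reg *r = &registry;

	if ((r->flags & REG_LINKED) == 0 || r->key != key)
		return ESRCH;
	if (r->refcnt == UINT_MAX)
		return EOVERFLOW;
	r->refcnt++;
	*out = r;
	return 0;
}

static int reg_find(int key, struct reg **out)
{
	int error;

	reg_lock_acquire();
	error = reg_find_locked(key, out);
	reg_lock_release();
	return error;
}

/* Drop the caller's reference. With `unlink`, also drop the registry's own
 * reference, but only if the object is still linked: testing and clearing
 * REG_LINKED under the lock stops two DESTROY callers, both already past
 * reg_find(), from dropping that single reference twice. */
static void reg_unref(struct reg *r, bool unlink)
{
	reg_lock_acquire();
	if (unlink && (r->flags & REG_LINKED) != 0) {
		r->flags &= ~REG_LINKED;
		r->refcnt--;
	}
	if (--r->refcnt == 0)
		reg_frees++;	/* last reference gone: the object is destroyed here */
	reg_lock_release();
}

/* Replays the race from the commit message, then the saturation case.
 * Returns 0 on success, else the number of the failed check. */
static int reg_selftest(void)
{
	struct reg *a, *b;

	reg_frees = 0;
	registry = (struct reg){ .refcnt = 1, .flags = REG_LINKED, .key = 42 };
	/* Two DESTROY callers both finish the lookup before either unrefs. */
	if (reg_find(42, &a) != 0 || reg_find(42, &b) != 0 || a->refcnt != 3)
		return 1;
	reg_unref(a, true);	/* drops its own reference and the registry's */
	if (reg_frees != 0 || b->refcnt != 1)
		return 2;
	reg_unref(b, true);	/* already unlinked: drops only its own reference */
	if (reg_frees != 1 || reg_find(42, &a) != ESRCH)
		return 3;
	/* Saturated count: the lookup must fail rather than wrap. */
	registry = (struct reg){ .refcnt = UINT_MAX, .flags = REG_LINKED, .key = 7 };
	return reg_find(7, &a) == EOVERFLOW ? 0 : 4;
}

int main(void)
{
	int rc = reg_selftest();
	printf("refcount checks: %s\n", rc == 0 ? "ok" : "FAILED");
	return rc;
}
```

Note the design point: the unconditional "drop the registration reference" the message describes is replaced by a test-and-clear of the flag inside the same critical section as the decrement, so the second racing caller observes the object as already unlinked and only releases its own reference.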
This vulnerability is directly accessible to a guest VM through the
pci_virtio_scsi bhyve device.
In the function ctl_report_supported_opcodes() accessible from the VM,
the option RSO_OPTIONS_OC_ASA does not check the requested
service_action value before accessing &ctl_cmd_table[].
Reported by: Synacktiv
Reviewed by: asomers
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-42416
Security: HYP-06
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46027
(cherry picked from commit af438acbfd)
(cherry picked from commit 803e0c2ab2)
The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
a kernel memory disclosure caused by an uninitialized kernel allocation.
If one of these functions is called for the first time for a given LUN, a
kernel allocation is performed without the M_ZERO flag. Then a call to
ctl_read_buffer() returns the content of this allocation, which may
contain kernel data.
Reported by: Synacktiv
Reviewed by: asomers
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-8178
Security: HYP-05
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45952
(cherry picked from commit ea44766b78)
(cherry picked from commit cdfdb3b008)
The virtio_scsi device allows a guest VM to directly send SCSI commands
to the kernel driver exposed on /dev/cam/ctl. This setup makes the
vulnerability directly accessible from VMs through the pci_virtio_scsi
bhyve device.
The function ctl_write_buffer sets the CTL_FLAG_ALLOCATED flag, causing
the kern_data_ptr to be freed when the command finishes processing.
However, the buffer is still stored in lun->write_buffer, leading to a
Use-After-Free vulnerability.
Since the buffer needs to persist indefinitely, so it can be accessed by
READ BUFFER, do not set CTL_FLAG_ALLOCATED.
Reported by: Synacktiv
Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-45063
Security: HYP-03
Sponsored by: Axcient
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46424
(cherry picked from commit 670b582db6)
(cherry picked from commit 29937d7a1a)
The function pci_xhci_find_stream validates that the streamid is valid
but the bound check accepts up to and including ep_MaxPStreams.
The bug results in an out-of-bounds write on the heap with controlled
data.
Reported by: Synacktiv
Reviewed by: jhb
Security: FreeBSD-SA-24:12.bhyve
Security: CVE-2024-32668
Security: HYP-04
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45994
(cherry picked from commit 5c9308a413)
(cherry picked from commit 90af1336ed)
The nd6 code listens for RTM_DELETE events so that it can mark the
corresponding default router as inactive in the case where the default
route is deleted. A subsequent RA from the router may then reinstall
the default route.
Commit fedeb08b6a broke this for non-multipath routes, as
rib_decompose_notification() only invokes the callback for multipath
routes. Restore the old behaviour. Also ensure that we update the
router only for RTM_DELETE notifications, lost in commit 2259a03020.
Reviewed by: bz
Fixes: fedeb08b6a ("Introduce scalable route multipath.")
Fixes: 2259a03020 ("Rework part of routing code to reduce difference to D26449.")
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Bell Tower Integration
Differential Revision: https://reviews.freebsd.org/D46020
(cherry picked from commit a48df53e42)
During unpacking, we ensure that we do not read beyond the
declared size. However, unpack uses a function that copies
null-terminated strings. Prior to this commit, if the last string
was not null-terminated, it could result in copying data into a
buffer smaller than the allocated size.
Security: FreeBSD-24:09.libnv
Security: CVE-2024-45288
Security: CAP-03
Reported by: Synacktiv
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46138
(cherry picked from commit 3aaaca1b51)
Ensure that the calculation of size of array doesn't
overflow.
Security: FreeBSD-24:09.libnv
Security: CVE-2024-45287
Security: CAP-02
Reported by: Synacktiv
Reported by: Taylor R Campbell (NetBSD)
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46131
(cherry picked from commit 36fa90dbde)
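The two libnv fixes above concern the same unpacking path: a string copy that must not run past the declared size of the packed data, and an array-size computation that must not wrap. The following is an added example written for this page, not libnv's own code; the helper names array_size_checked and unpack_string_array are hypothetical and the packed sample bytes are constructed. It validates that every announced string is NUL-terminated inside the declared region before anything is copied, and refuses an element count whose byte size would overflow size_t.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* count * elemsize with an explicit overflow check: fail instead of
 * silently producing a too-small allocation size. */
static bool array_size_checked(size_t count, size_t elemsize, size_t *out)
{
	if (elemsize != 0 && count > SIZE_MAX / elemsize)
		return false;
	*out = count * elemsize;
	return true;
}

/* Check that `declared` bytes at `buf` hold exactly `count` NUL-terminated
 * strings and record where each one starts. memchr is bounded by the bytes
 * remaining, so a final string that lacks its terminator is rejected rather
 * than handed to a copy that would read past the declared size. */
static bool unpack_string_array(const uint8_t *buf, size_t declared,
    size_t count, size_t *offsets)
{
	size_t pos = 0;

	for (size_t i = 0; i < count; i++) {
		if (pos >= declared)
			return false;	/* fewer strings than announced */
		const uint8_t *nul = memchr(buf + pos, '\0', declared - pos);
		if (nul == NULL)
			return false;	/* unterminated inside the declared size */
		offsets[i] = pos;
		pos = (size_t)(nul - buf) + 1;
	}
	/* Design choice for this example: trailing bytes are rejected too. */
	return pos == declared;
}

/* Exercises the checks on constructed input; returns 0 on success, else
 * the number of the failed check. */
static int unpack_selftest(void)
{
	/* Constructed pack of three strings; sizeof - 1 drops the literal's own
	 * trailing NUL so `declared` is exactly the 17 packed bytes. */
	static const uint8_t good[] = "alpha\0beta\0gamma\0";
	const size_t declared = sizeof(good) - 1;
	size_t off[4], bytes;

	if (!unpack_string_array(good, declared, 3, off) ||
	    off[0] != 0 || off[1] != 6 || off[2] != 11)
		return 1;
	if (unpack_string_array(good, declared - 1, 3, off))
		return 2;	/* declared size one short: "gamma" is unterminated */
	if (unpack_string_array(good, declared, 4, off))
		return 3;	/* more strings announced than the data holds */
	if (array_size_checked(SIZE_MAX / 2 + 1, 4, &bytes))
		return 4;	/* element count whose byte size would wrap */
	if (!array_size_checked(3, sizeof(char *), &bytes) ||
	    bytes != 3 * sizeof(char *))
		return 5;
	return 0;
}

int main(void)
{
	int rc = unpack_selftest();
	printf("unpack checks: %s\n", rc == 0 ? "ok" : "FAILED");
	return rc;
}
```

Only after unpack_string_array() succeeds is it safe to copy the strings with a terminator-seeking routine, because the check has established that each terminator lies within the declared size.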
If pf_icmp_state_lookup() finds a state but rejects it for not matching the
expected direction we should unlock the state (and NULL out *state). This
simplifies life for callers, and also ensures there's no confusion about what a
non-NULL returned state means.
Previously it could have been left in there by the caller, resulting in callers
unlocking the same state twice.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 0578fe4922)
Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 3da3eb6081)
Following bluhm's advice this changes the way we setup state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
- replace the NS-dst with ND target address;
- replace the NA-src with ND target address;
- replace the NA-dst with unspecified address if it is a multicast.
This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're now doing one state table lookup for ND packets
instead of two.
Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after a few minutes of use.
ok stsp henning, with and ok bluhm
PR: 280701
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 2633ae8c4c8a
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 5ab1e5f7e5)
Ensure that we rebuild the test binary when we add tests (i.e. modify
pfctl_test_list.inc).
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 250e074e5f)
Building with GCC failed with the following error message:
error: to be safe all intermediate pointers in cast from 'char **'
to 'const char **' must be 'const' qualified [-Werror=cast-qual]
This was caused by main() being declared with "char *argv[]" as the
3rd parameter, but argv later being passed cast to "const char**":
113 | if (BC_IS_BC) s = bc_main(argc, (const char**) argv);
| ^
This is fixed by declaring the 3rd parameter of main() as "const
char *argv[]".
Reported by: CI
(cherry picked from commit ef5752762b)
vendor/bc: upgrade to version 7.0.1
This update fixes building bc on FreeBSD with non-default compilers
(GCC-12, GCC-13). GCC warned about casting argv from non-const to const
and since warnings are treated as errors, the build failed.
(cherry picked from commit 1e19146fc7)
(cherry picked from commit 5b0dc99109)
This is a production release to fix three bugs, none of which
affects well-formed scripts on FreeBSD:
The first bug is that bc/dc will exit on macOS when the terminal
is resized.
The second bug is that an array, which should only be a function
parameter, was accepted as part of larger expressions.
The third bug is that the value stack for dc was cleared on any error.
However, this is not how other dc behave. To bring dc more in line
with other implementations, this behavior was changed. This change is
why this version is a new major version.
(cherry picked from commit 54d20d67e2)
(cherry picked from commit 12e0d31664)
In the function pci_fbuf_baraddr the field sc->fbaddr was set with a
user-controlled value, even though the call to vm_mmap_memseg failed.
No security risk as currently sc->fbaddr is not really used in the
source code.
Reported by: Synacktiv
Reviewed by: emaste
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D46109
(cherry picked from commit 85707cfdad)
(cherry picked from commit 4a81e50133)
I've changed enough of this file to add Arm as a copyright holder.
Add it after the "All rights reserved" line as that's not needed.
Reviewed by: imp
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46157
(cherry picked from commit 87940d2b33)
When enqueueing on an architecture with a weak memory model ensure
loading br->br_prod_head and br->br_cons_tail are ordered correctly.
If br_cons_tail is loaded first then other threads may perform a
dequeue and enqueue before br_prod_head is loaded. This will mean the
tail is one less than it should be and the code under the
prod_next == cons_tail check could incorrectly be skipped.
buf_ring_dequeue_mc has the same issue with br->br_prod_tail and
br->br_cons_head so needs the same fix.
Reported by: Ali Saidi <alisaidi@amazon.com>
Co-developed by: Ali Saidi <alisaidi@amazon.com>
Reviewed by: imp, kib, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46155
(cherry picked from commit fe2445f47d)
As with br_cons_tail use an atomic load acquire to read br_prod_tail
in buf_ring_dequeue_mc and buf_ring_peek*.
On dequeue we need to ensure we don't read the entry from the buf_ring
until it is available and prod_tail has updated. There is already an
appropriate store in the enqueue path and an appropriate load in the
single consumer dequeue, we just need one in the other functions that
read from the buf_ring.
Reviewed by: imp, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46154
(cherry picked from commit 947754af55)
In the single consumer dequeue the consumer thread controls
br_cons_head. As such no ordering between this and other data is
required.
Reviewed by: alc, imp, kib, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46153
(cherry picked from commit 7eb0fffc77)
Use an atomic operation with a memory barrier loading br_cons_tail
from the producer thread and storing to it in the consumer thread.
On dequeue we need to read the pointer value from the buf_ring before
moving the consumer tail as that indicates the entry is available to be
used. The store release atomic operation guarantees this.
In the enqueueing thread we then need to use a load acquire atomic
operation to ensure writing to this entry can only happen after the
tail has been read and checked.
Reported by: Ali Saidi <alisaidi@amazon.com>
Co-developed by: Ali Saidi <alisaidi@amazon.com>
Reviewed by: markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46152
(cherry picked from commit 44e1cfca41)
If a thread reads the head but then sleeps for long enough that
another thread fills the ring and leaves the new head with the
expected value then the cmpset can pass when it should have failed.
To work around this keep the full head and tail value and use the
upper bits as a generation count.
Reviewed by: kib
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46151
(cherry picked from commit 3cc603909e)
We are operating on uint32_t values, use uint32_t atomic functions.
Reviewed by: alc, imp, kib, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46150
(cherry picked from commit 17a597bc13)
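The buf_ring commits above spell out the ordering rules for a lock-free ring on a weak memory model: read prod_head before cons_tail when enqueueing, pair a release store to prod_tail with an acquire load in the consumer, pair a release store to cons_tail with an acquire load in the producer, leave the consumer-private cons_head unordered, and keep the full 32-bit head/tail values so the upper bits act as a generation count for the cmpset. The following is an added example written for this page in C11 atomics, not sys/buf_ring.h: a small multi-producer, single-consumer ring (struct ring, ring_enqueue_mp and ring_dequeue_sc are hypothetical names) applying each of those rules, with a single-threaded self-test covering fill, full and empty detection, FIFO order and counter wraparound.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RING_SIZE 8u		/* power of two, so the mask selects a slot */
#define RING_MASK (RING_SIZE - 1u)

struct ring {
	/* Full 32-bit counters: the low bits select a slot, the upper bits act
	 * as a generation count, so a producer that slept while the ring wrapped
	 * cannot have its stale head pass the compare-and-swap below. */
	_Atomic uint32_t prod_head;
	_Atomic uint32_t prod_tail;
	_Atomic uint32_t cons_head;
	_Atomic uint32_t cons_tail;
	void *slots[RING_SIZE];
};

static void ring_init(struct ring *r)
{
	atomic_init(&r->prod_head, 0);
	atomic_init(&r->prod_tail, 0);
	atomic_init(&r->cons_head, 0);
	atomic_init(&r->cons_tail, 0);
}

/* Multi-producer enqueue; returns false when the ring is full. */
static bool ring_enqueue_mp(struct ring *r, void *item)
{
	uint32_t head, next, tail;

	do {
		/* prod_head must be read before cons_tail; the acquire keeps the
		 * two loads in that order. Read the other way round, a dequeue and
		 * enqueue in between would make the ring look one entry emptier
		 * than it is and the full check could be skipped. */
		head = atomic_load_explicit(&r->prod_head, memory_order_acquire);
		/* Pairs with the consumer's release of cons_tail: the slot's old
		 * entry was read out before we overwrite it. */
		tail = atomic_load_explicit(&r->cons_tail, memory_order_acquire);
		next = head + 1;
		if (head - tail >= RING_SIZE)
			return false;
	} while (!atomic_compare_exchange_weak_explicit(&r->prod_head, &head,
	    next, memory_order_acq_rel, memory_order_relaxed));

	r->slots[head & RING_MASK] = item;
	/* Producers publish in order: wait for prod_tail to reach our old head. */
	while (atomic_load_explicit(&r->prod_tail, memory_order_relaxed) != head)
		;
	/* Pairs with the consumer's acquire of prod_tail: the slot write is
	 * visible before the entry counts as available. */
	atomic_store_explicit(&r->prod_tail, next, memory_order_release);
	return true;
}

/* Single-consumer dequeue; returns NULL when the ring is empty. */
static void *ring_dequeue_sc(struct ring *r)
{
	uint32_t head, ptail;
	void *item;

	/* Only the consumer writes cons_head, so it needs no ordering. */
	head = atomic_load_explicit(&r->cons_head, memory_order_relaxed);
	/* Do not read the slot until the producer's release store to prod_tail
	 * says the entry is complete. */
	ptail = atomic_load_explicit(&r->prod_tail, memory_order_acquire);
	if (head == ptail)
		return NULL;
	item = r->slots[head & RING_MASK];
	atomic_store_explicit(&r->cons_head, head + 1, memory_order_relaxed);
	/* The slot was read before cons_tail moves, so a producer that acquires
	 * the new cons_tail may safely reuse the slot. */
	atomic_store_explicit(&r->cons_tail, head + 1, memory_order_release);
	return item;
}

/* Fill, full/empty detection, FIFO order and wraparound on one thread;
 * returns 0 on success, else the number of the failed check. */
static int ring_selftest(void)
{
	static int values[32];
	struct ring r;

	ring_init(&r);
	for (unsigned i = 0; i < RING_SIZE; i++)
		if (!ring_enqueue_mp(&r, &values[i]))
			return 1;
	if (ring_enqueue_mp(&r, &values[RING_SIZE]))
		return 2;	/* must report full */
	for (unsigned i = 0; i < RING_SIZE; i++)
		if (ring_dequeue_sc(&r) != &values[i])
			return 3;	/* FIFO order */
	if (ring_dequeue_sc(&r) != NULL)
		return 4;	/* must report empty */
	for (int i = 0; i < 32; i++)	/* counters run past the mask */
		if (!ring_enqueue_mp(&r, &values[i]) || ring_dequeue_sc(&r) != &values[i])
			return 5;
	return 0;
}

int main(void)
{
	int rc = ring_selftest();
	printf("ring checks: %s\n", rc == 0 ? "ok" : "FAILED");
	return rc;
}
```

The full check compares head - tail against RING_SIZE on the unmasked counters, which is where the generation count does its work: a producer holding a head value from before a full wrap sees a different upper half and its compare-and-swap fails instead of silently succeeding on a matching slot index.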
The only part of DEBUG_BUFRING we don't support in userspace is the
mutex checks. Add _KERNEL checks around these so we can enable the
extra debugging.
Reviewed by: alc, imp, kib, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46149
(cherry picked from commit d3d34d56be)
I'm not able to find anything in the tree that ever defined it. Remove
as it's unused so is untested.
Reviewed by: alc, imp, kib, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D46148
(cherry picked from commit 5048308bdb)
This will be useful for adding test cases.
Reviewed by: andrew
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45869
(cherry picked from commit a161269b24)
This uart has the requirement for 32-bit sized and aligned memory
accesses. It is also described in the Serial Port Console Redirection
Table (SPCR) with a different interface type value.
Reviewed by: imp
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D45834
(cherry picked from commit 9840598aa3)
Before entering the kernel exception level ensure sctlr_el2 and
sctlr_el1 are in a known state. The EOS flag needs to be set to ensure
an eret instruction is a context synchronization event.
Set spcr_el1 when entering the kernel from EL1 and use an eret
instruction to return to the caller. This ensures the CPU pstate is
consistent with the value in spcr_el1 as it is the only way to set it
directly.
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D45528
(cherry picked from commit 034c83fd7d)
In locore.S we need to configure access to the GICv3. To check if it's
available we read the id_aa64pfr0_el1 register, however we then only
check if a GICv3.0 or 4.0 is present. If the system has a GICv4.1 this
check would fail.
Move to checking if the GICV3+ is not absent so this will still work if
the field is updated again.
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D45530
(cherry picked from commit 57ef7935eb)
When entering the kernel with the E2H field set the layout of the
cnthctl_el2 register changes. Use the correct field locations to enable
access to the counter and timer registers from EL1.
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D45529
(cherry picked from commit 997511dffe)
Split out the common parts of building the uart devinfo from ACPI
tables from the SPCR parser. This will be used when we support the DBG2
table to find the debug uart to be used by the kernel gdb stub.
Reviewed by: imp
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D44357
(cherry picked from commit 473c0b44ae)
Add a function like kva_alloc that allows us to specify the alignment
of the virtual address space returned.
Reviewed by: alc, kib, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D42788
(cherry picked from commit 839999e7ef)
The kernel_arena used in kva_alloc has the qcache disabled. vmem_alloc
will first try to use the qcache before falling back to vmem_xalloc.
Rather than trying to use the qcache in vmem_alloc just call
vmem_xalloc directly.
Reviewed by: alc, kib, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D42831
(cherry picked from commit 8daee410d2)
It is defined as const char[] in config.c which is auto generated by
usr.sbin/config/kernconf.tmpl .
While here prefer macro SYSCTL_CONST_STRING to avoid casting.
MFC after: 1 week
(cherry picked from commit 0f64fc6a34)
(cherry picked from commit d6271b6507)