mirror of https://git.FreeBSD.org/src.git synced 2024-10-18 02:19:39 +00:00
Commit Graph

20914 Commits

Author SHA1 Message Date
Zhenlei Huang
17120e4bc3 ndp: Remove a stray semicolon
MFC after:	1 week
2024-10-17 21:05:29 +08:00
John Baldwin
60516a51ab devinfo: Output device description in verbose mode
The description is listed in angle brackets after the device name
similar to device probe messages.

Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D47157
2024-10-16 14:09:05 -04:00
Pierre Pronchery
b34a4edefb bhyve: avoid buffer overflow in pci_vtcon_control_send
This is a follow-up to the fix for HYP-19, addressing another condition
where an overflow might still occur. (Spotted by jhb@, thanks!)

Reported by:    Synacktiv
Reviewed by:	markj
Security:       HYP-19
Sponsored by:   Alpha-Omega Project
Sponsored by:   The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46882
2024-10-15 16:54:19 -04:00
Graham Percival
229381deb2 manuals: Misc syntax fixes
These were reported by `mandoc -T lint ...` as errors.

The rendered output (in ascii and html) is not affected by this commit.

Signed-off-by:	Graham Percival <gperciva@tarsnap.com>
Reviewed by:	mhorne
MFC after:	3 days
Sponsored by:	Tarsnap Backup Inc.
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1459
2024-10-15 17:20:47 -03:00
Graham Percival
6e1fc01180 manuals: Fix "unusual .Xr" warnings with a script
These were reported by `mandoc -T lint ...` as warnings:
- unusual Xr order
- unusual Xr punctuation

Fixes made by script in https://github.com/Tarsnap/freebsd-doc-scripts

Signed-off-by:	Graham Percival <gperciva@tarsnap.com>
Reviewed by:	mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com>
Sponsored by:	Tarsnap Backup Inc.
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1464
2024-10-15 17:18:14 -03:00
Alexander Ziaee
5c59e40bc4 wpa_supplicant: xref relevant wpa_passphrase(8)
Reviewed by:	mhorne
MFC after:	3 days
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1461
2024-10-15 17:18:02 -03:00
Andrew Turner
e51ed89897 bhyve/aarch64: Handle unknown exceptions
When an exception class is unhandled by the kernel we handle it in
userspace by exiting the process. Rather than exiting raise an unknown
reason exception in the guest. The guest can then handle the exception
as it wishes.

Reviewed by:	markj
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D46511
2024-10-15 18:24:42 +01:00
Warner Losh
3ff9ea7dc2 acpidump: Add -T TBLN to print a specific ACPI fixed table
Add the ability to dump a specific ACPI table rather than all of them.

Sponsored by:		Netflix
Reviewed by:		andrew
Differential Revision:	https://reviews.freebsd.org/D47082
2024-10-15 05:10:06 -06:00
Warner Losh
e9ab827df9 acpidump: Sort signature ifs alphabetically and make table driven
Sort the ACPI signatures alphabetically and move it into a table we can iterate through

Sponsored by:		Netflix
Reviewed by:		andrew, markj
Differential Revision:	https://reviews.freebsd.org/D47081
2024-10-15 05:09:45 -06:00
Warner Losh
bbfd734823 acpidump: Document the alphabit soup of ACPI Table names
Clarify what's reported with -t (it's all the fixed acpi tables,
not just the listed ones). The listed tables are more fully decoded,
while all other tables just have their headers decoded.

Sponsored by:		Netflix
Reviewed by:		adrian
Differential Revision:	https://reviews.freebsd.org/D47080
2024-10-15 05:08:24 -06:00
Warner Losh
19dd881177 acpidump: Use ACPI_NAMESEG_SIZE instead of 4
In a couple of places, we use 4 instead of ACPI_NAMESEG_SIZE. Use the

Sponsored by:		Netflix
Differential Revision:	https://reviews.freebsd.org/D47109
2024-10-15 05:07:30 -06:00
Warner Losh
5d3fb72667 acpidump: Move to acpi.rsdp
Switch from the long obsolete hint.0.acpi.rsdp to acpi.rsdp to get the
root of the ACPI tables.

MFC After:		1 week
Sponsored by:		Netflix
Reviewed by:		andrew, markj
Differential Revision:	https://reviews.freebsd.org/D47079
2024-10-15 05:05:07 -06:00
Simon J. Gerraty
a64729f507 Update Makefile.depend files
After building packages we have a number of new
and updated Makefile.depend files

Reviewed by:	stevek
2024-10-14 10:26:17 -07:00
Mark Johnston
4e15366c6a makefs: Record a larger TXG number in the uberblock
By default, OpenZFS will perform metadata verification of the most
recent TXGs, but this can be very slow since all data in a pool
generated by makefs was logically written in a single transaction.

Avoid triggering this verification by default, but add an option to
restore the previous behaviour and enable it in regression test cases.

Reported by:	cperciva
Tested by:	cperciva (previous version)
MFC after:	2 weeks
2024-10-14 13:14:37 +00:00
Chuck Tuffli
5374b9e146 bhyve/nvme: Fix Infinite loop in queue processing
In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd
infinite loops are possible in the bhyve process if the sq->tail value
is greater than sq->size.

An attacker could overload the host CPU.

Fix is to validate that doorbell values:
 - Are for a valid (i.e., created) queue
 - Are not the same as the previous value
 - Fit within the available capacity

The emulation will generate an Asynchronous Event Notification (Invalid
Doorbell or Invalid Doorbell Value) if enabled and ignore the doorbell
update.

While in the neighborhood, remove a redundant bounds check.

Reported by:	Synacktiv
MFC after:	1 week
Security:	HYP-14
Sponsored by:	Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46064
2024-10-13 06:58:50 -07:00
Yan-Hao Wang
20bb77c4b9 jls(8): Complete libxo transition
Reviewed by:	des
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D41413
2024-10-13 02:21:47 +08:00
Yan-Hao Wang
7d5fd25ab8 lastlogin(8): Complete libxo transition
Reviewed by:	dees
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D41414
2024-10-13 02:21:47 +08:00
Yan-Hao Wang
3d1b233e03 sesutil(8): Complete libxo transition
Reviewed by:	des
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D41418
2024-10-13 02:21:46 +08:00
Yan-Hao Wang
54ff53d890 ndp(8): Complete libxo transition
Reviewed by:	des
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D41417
2024-10-13 02:21:46 +08:00
Yan-Hao Wang
417842f908 arp(8): Complete libxo transition
Reviewed by:	des
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D41408
2024-10-13 02:21:45 +08:00
Warner Losh
5d57fad876 acpidump: Print SPCR v3 and v4 fields
This reapplies 593d7a1634 to implement printing of SPCR v3 and SPCR v4
fields after ACPI actble3.h update. ACPIca used different names and
didn't do the weird nesting I did in the prior commit for better
co-existence.

Sponsored by: Netflix
2024-10-11 12:06:33 -06:00
Warner Losh
ca9e31eead Revert "apcidump: Add dumping SPCR"
This reverts commit 593d7a1634:

In preparation for importing new SPCR definitions, back out my hack
since it conflicts with the new definitions.

Sponsored by:		Netflix
2024-10-11 12:06:33 -06:00
Stanislav Shalunov
6cde8f3ef7 lpd: Tighten permissions on /var/run/printer
Exclude group read/write permissions as well. Otherwise, group wheel can
submit things w/o the normal accounting. While group wheel is generally
trusted on the machine, submitting jobs w/o checks is not one of the
functions we document for that group.

PR: 17289
Differential Revision:	https://reviews.freebsd.org/D47040
2024-10-11 09:50:08 -06:00
Ka Ho Ng
50c64df2a1 Revert "libkldelf: add a private library for kernel/kld-related ELF parsing"
This reverts commit 0a2cfd653e.
2024-10-08 19:40:20 +00:00
Graham Percival
9fd66e40ca manuals: Fix syntax of list width
Signed-off-by:	Graham Percival <gperciva@tarsnap.com>
Reviewed by:	mhorne
MFC after:	3 days
Sponsored by:	Tarsnap Backup Inc.
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1455
2024-10-08 16:16:26 -03:00
Baptiste Daroussin
88a198af3c powerd: use nlsysevent if possible
instead of depending on devd and its socket, try to use nlsysevent
instead. This makes powerd independent from devd.

Approved by:		des
Reviewed by:		des
Differential Revission:	https://reviews.freebsd.org/D46972
2024-10-08 08:40:58 +02:00
Ka Ho Ng
0a2cfd653e libkldelf: add a private library for kernel/kld-related ELF parsing
The libkldelf library was originally a part of kldxref(8). It exposed
ELF parsing helpers specialized in parsing KLDs and the kernel
executable. The library can be used to read metadata such as linker_set,
mod_depend, mod_version and PNP match info, and raw data from the ELF.

To promote the reuse of the facilities the ELF parsing code is separated
from kldxref(8) into a new private library.

kldxref(8) is modified to link against the libkldelf library.

Sponsored by:	Juniper Networks, Inc.
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D46719
2024-10-08 04:24:07 +00:00
Graham Percival
c801836ff4 manuals: Fix "skipping end of block" .El errors
These were reported by `mandoc -T lint ...` as errors; this commit only
handles unnecessary .El commands.

The rendered output (in ascii and html) is not affected by this commit.

Signed-off-by:	Graham Percival <gperciva@tarsnap.com>
Reviewed by:	mhorne
MFC after:	3 days
Sponsored by:	Tarsnap Backup Inc.
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1447
2024-10-07 15:37:47 -03:00
Ed Maste
be9243409d pkg: improve error message
Print the complete list of URLs that have failed

PR:		281924
Co-authored-by: Baptiste Daroussin <bapt@FreeBSD.org>
Differential Revision: https://reviews.freebsd.org/D46983
2024-10-07 13:05:07 -04:00
Ed Maste
f5c847ae84 pkg: prefer .pkg extension
.pkg is the default extension as of commit c244b1d8a3, falling back to
.txz if not found.

PR:		281924
Reviewed by:	bapt
Fixes: a2aac2f5e5 ("pkg(7): when bootstrapping first search for pkg.bsd file then pkg.txz")
Fixes: c244b1d8a3 ("pkg: settle the uniq extension to .pkg instead of .bsd")
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46977
2024-10-07 12:01:36 -04:00
Chuck Tuffli
b0a24be007 bhyve/nvme: Fix out-of-bounds read in NVMe log page
The function nvme_opc_get_log_page in the file usr.sbin/bhyve/pci_nvme.c
is vulnerable to buffer over-read. The value logoff is user controlled
but never checked against the value of logsize. Thus the difference:
	logsize - logoff
can underflow.

Due to the sc structure layout, an attacker can dump internal fields of
sc and the content of next heap allocation.

Reported by: Synacktiv
Reviewed by:	emaste, jhb
Security: HYP-07
Sponsored by: Alpha-Omega Project, The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46021
2024-10-06 06:50:28 -07:00
Jeremy Faulkner
7d893fce0d sesutil: Fix a typo in an error message
PR:		281658
MFC after:	1 week
2024-10-06 13:22:33 +00:00
Mark Johnston
d9fe718287 makefs: Remove the warning printed when makefs -t zfs is used
We haven't seen bug reports relating to this feature for a while, so
stop printing a warning.

Reviewed by:	cperciva
MFC after:	2 weeks
2024-10-04 15:56:34 +00:00
Warner Losh
593d7a1634 apcidump: Add dumping SPCR
When we find a SPCR (Serial Port Console Redirection) TABLE, print all
the details. This includes support for the recent Revision 3 and
Revision 4 tables, though I've not encountered them in the wild yet, so
that code is untested.

https://learn.microsoft.com/en-us/windows-hardware/drivers/serports/serial-port-console-redirection-table

Sponsored by:		Netflix
2024-10-03 18:01:07 -06:00
Pierre Pronchery
e94a1d6a7f bhyve: improve bounds checks in hda_codec
The function hda_codec_command is vulnerable to buffer over-read, the
payload value is extracted from the command and used as an array index
without any validation.
Fortunately, the payload value is capped at 255, so the information
disclosure is limited and only a small part of .rodata of bhyve binary
can be disclosed.

The risk is low because the leaked information is not sensitive. An
attacker may be able to validate the version of the bhyve binary using
this information disclosure (layout of .rodata information, ex:
jmp_tables) before executing an exploit.

Reported by:	Synacktiv
Reviewed by:	christos, emaste
Security:	HYP-13
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46098
2024-10-03 17:14:11 -04:00
Graham Percival
c013ca2cf7 manuals: Fix typos in -offset for .Bd and .Bl
The intended value is:
    -offset indent
If there's any typo such that the value doesn't match the pre-defined
strings, then the offset is the same width as the value.  So by chance,
"-offset -ident" ended up being a standard-width indent (since the
default indent is 6 chars, and "-ident" also has 6 chars), whereas
"-offset -indent" had a longer indent, and "-offset ident" had a shorter
one.

Signed-off-by:	Graham Percival <gperciva@tarsnap.com>
Reviewed by:	mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com>
MFC after:	3 days
Sponsored by:	Tarsnap Backup Inc.
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1436
2024-10-03 14:49:31 -03:00
John Baldwin
ad152571b8 bhyve uart: Fix errors from GCC
- Place 'static' before other qualifiers (-Wold-style-declaration)

- Correct the order of arguments to calloc (-Wcalloc-transposed-args)

Reported by:	GCC 14
Fixes:		1f903953fb bhyve: Add raw tcp to uart backend
2024-10-02 17:31:59 -04:00
Takanori Watanabe
f5a04b16b1 acpidump: add 's' option to parse dsdt and ssdt's separately. In some machine, they may not be parsed if they are concatinated into one image.
Reviewed by:           kib
MFC after:              1 week
Differential Revision:  https://reviews.freebsd.org/D46796
2024-10-02 15:36:41 +09:00
Ed Maste
030c387f5d tzsetup: correct timezone symlink target
In chroot mode tzsetup prepended the chroot path to the symlink target,
which is not correct.  Use the same path for the symlink regardless of
chroot mode.

PR:		281332
Reported by:	scf, Herbert J. Skuhra
Reviewed by:	olce
Fixes: 5e16809c95 ("tzsetup: symlink /etc/localtime instead of co...")
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46725
2024-09-30 10:22:34 -04:00
Pierre Pronchery
8934002959 bhyve: avoid buffer overflow in pci_vtcon_control_send
The program copies an input buffer to an output buffer without verifying
that the size of the input buffer is less than the size of the output
buffer, leading to a buffer overflow.

Inside the function pci_vtcon_control_send, the length of the iov buffer
is not validated before copy of the payload.

Reported by:    Synacktiv
Reviewed by:	markj
Security:       HYP-19
Sponsored by:   The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46105
2024-09-30 08:01:28 -04:00
Joyu Liao
f321956d98 nfsd.c: Synchronize error handling
Synchronize the error handling in nfsd. If you check other error
handlings in those same condition blocks, it uses nfsd_exit instead,
which will call killchildren() and call the rpcbind service to do
the service un-mapping.

MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D46442
2024-09-29 13:11:54 -07:00
Gleb Popov
1df198cf93 usr.sbin/jail/jail.8: Make a reference more accurate
The zfs-jail(8) link is also used in the other place within this man

Approved By: imp
Differential Revision: https://reviews.freebsd.org/D46832
2024-09-29 11:33:14 +03:00
Pierre Pronchery
869d760cb9 bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()
Avoid a race condition when accessing guest memory, by reading memory
contents only once.

This has also been applied to _vq_record() in
sys/dev/beri/virtio/virtio.c, as per markj@'s suggestion.

Reported by:	Synacktiv
Reviewed by:	markj
Security:	HYP-10
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D45735
2024-09-27 10:20:53 -04:00
Pierre Pronchery
71fa171c64 bhyve: Initialize stack buffer in pci_ahci
In the function ahci_handle_dsm_trim, if the call to read_prdt fails,
the variable buf[512] is used while it contains uninitialized data.

It is easy to make the call to read_prdt fail, for instance if
hdr->prdtl == NULL, the function will return without writing anything in
buf.

In addition, this code could be hardened by checking the value of done
before accessing &buf[done].

Reported by:	Synacktiv
Reviewed by:	markj
Security:	HYP-15
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46090
2024-09-26 14:06:10 -04:00
Greg Lehey
b7b7800043 Explain the relationship between -p and -Z.
2024-09-26 12:07:02 +10:00
Alexander Ziaee
c7a33fe37d ntp: Improve descriptions in man pages
+ ntpd added to ntp.conf(5) description (search keywords)
+ expand NTP so these pages are shown when `apropos time`
+ "standard" => "reference" for increased consistency
- removed redundant or duplicated search keywords

ntp.org bug:	https://bugs.ntp.org/show_bug.cgi?id=3936
MFC after:	3 days
Reviewed by:	Harlan Stenn <stenn@nwtime.org>
Reviewed by:	Cy Schubert <cy@nwtime.org>
2024-09-25 05:40:17 -07:00
Joseph Mingrone
0a7e5f1f02 tcpdump: Update to 4.99.5
Changes:        https://git.tcpdump.org/tcpdump/blob/4a789712f187e3ac7b2c0044c3a3f8c71b83646e:/CHANGES
Obtained from:  https://www.tcpdump.org/release/tcpdump-4.99.5.tar.xz
Sponsored by:   The FreeBSD Foundation
2024-09-23 20:23:25 +01:00
Alexander Ziaee
f8afe99cc8 efibootmgr: minor cleanup (spdx, typos, see also)
This page was getting pulled into `apropos unix` results due to
arguments being on the same line as a name macro in synopsis.
While here, tag spdx, fold a line slightly better, add loader.efi(8)
to see also and fix its order.

MFC after:	3 days
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1430
2024-09-22 09:21:39 -06:00
Ed Maste
a305f44d14 bhyve: validate corb->wp to avoid infinite loop
Guests must set HDAC_CORBWP less than corb->size.  Treat invalid values
as an error rather than entering an infinite loop.

Reported by:	Synacktiv
Reviewed by:	markj
Security:	HYP-12
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46134
2024-09-22 07:25:02 -04:00
Pierre Pronchery
f505f9a842 bhyve: simplify slot validation in xHCI emulation
This is a follow-up to commit e72d86ad9c ("bhyve: improve input
validation in pci_xhci") -- introducing a helper for slot validation.

Co-authored-by:	John Baldwin <jhb@FreeBSD.org>
Reviewed by:	markj, emaste
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46696
2024-09-21 13:36:10 -04:00