From owner-svn-src-releng@freebsd.org Tue Feb 5 17:54:13 2019 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0114D14C28D7; Tue, 5 Feb 2019 17:54:13 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9295F8626D; Tue, 5 Feb 2019 17:54:12 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 38A9C215FC; Tue, 5 Feb 2019 17:54:10 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x15HsAnX040777; Tue, 5 Feb 2019 17:54:10 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x15Hs9Ub040775; Tue, 5 Feb 2019 17:54:09 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201902051754.x15Hs9Ub040775@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 5 Feb 2019 17:54:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r343783 - releng/12.0/sys/cddl/dev/dtrace/amd64 X-SVN-Group: releng X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: releng/12.0/sys/cddl/dev/dtrace/amd64 X-SVN-Commit-Revision: 343783 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 9295F8626D X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.973,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Feb 2019 17:54:13 -0000 Author: emaste Date: Tue Feb 5 17:54:09 2019 New Revision: 343783 URL: https://svnweb.freebsd.org/changeset/base/343783 Log: MFS12 r342267: dtrace: fix userspace access on boxes with SMAP Approved by: so Sponsored by: The FreeBSD Foundation Modified: releng/12.0/sys/cddl/dev/dtrace/amd64/dtrace_asm.S releng/12.0/sys/cddl/dev/dtrace/amd64/dtrace_isa.c Directory Properties: releng/12.0/ (props changed) Modified: releng/12.0/sys/cddl/dev/dtrace/amd64/dtrace_asm.S ============================================================================== --- releng/12.0/sys/cddl/dev/dtrace/amd64/dtrace_asm.S Tue Feb 5 17:54:02 2019 (r343782) +++ releng/12.0/sys/cddl/dev/dtrace/amd64/dtrace_asm.S Tue Feb 5 17:54:09 2019 (r343783) @@ -208,7 +208,7 @@ dtrace_caller(int aframes) void dtrace_copy(uintptr_t src, uintptr_t dest, size_t size) */ - ENTRY(dtrace_copy) + ENTRY(dtrace_copy_nosmap) pushq %rbp movq %rsp, %rbp @@ -218,14 +218,28 @@ dtrace_copy(uintptr_t src, uintptr_t dest, size_t size smovb /* move from %ds:rsi to %ed:rdi */ leave ret - END(dtrace_copy) + END(dtrace_copy_nosmap) + ENTRY(dtrace_copy_smap) + pushq %rbp + movq %rsp, %rbp + + xchgq %rdi, %rsi /* make %rsi source, %rdi dest */ + movq %rdx, %rcx /* load count */ + stac + repz /* repeat for count ... */ + smovb /* move from %ds:rsi to %ed:rdi */ + clac + leave + ret + END(dtrace_copy_smap) + /* void dtrace_copystr(uintptr_t uaddr, uintptr_t kaddr, size_t size, volatile uint16_t *flags) */ - ENTRY(dtrace_copystr) + ENTRY(dtrace_copystr_nosmap) pushq %rbp movq %rsp, %rbp @@ -248,55 +262,120 @@ dtrace_copystr(uintptr_t uaddr, uintptr_t kaddr, size_ leave ret - END(dtrace_copystr) + END(dtrace_copystr_nosmap) + ENTRY(dtrace_copystr_smap) + pushq %rbp + movq %rsp, %rbp + + stac +0: + movb (%rdi), %al /* load from source */ + movb %al, (%rsi) /* store to destination */ + addq $1, %rdi /* increment source pointer */ + addq $1, %rsi /* increment destination pointer */ + subq $1, %rdx /* decrement remaining count */ + cmpb $0, %al + je 2f + testq $0xfff, %rdx /* test if count is 4k-aligned */ + jnz 1f /* if not, continue with copying */ + testq $CPU_DTRACE_BADADDR, (%rcx) /* load and test dtrace flags */ + jnz 2f +1: + cmpq $0, %rdx + jne 0b +2: + clac + leave + ret + + END(dtrace_copystr_smap) + /* uintptr_t dtrace_fulword(void *addr) */ - ENTRY(dtrace_fulword) + ENTRY(dtrace_fulword_nosmap) movq (%rdi), %rax ret - END(dtrace_fulword) + END(dtrace_fulword_nosmap) + ENTRY(dtrace_fulword_smap) + stac + movq (%rdi), %rax + clac + ret + END(dtrace_fulword_smap) + /* uint8_t dtrace_fuword8_nocheck(void *addr) */ - ENTRY(dtrace_fuword8_nocheck) + ENTRY(dtrace_fuword8_nocheck_nosmap) xorq %rax, %rax movb (%rdi), %al ret - END(dtrace_fuword8_nocheck) + END(dtrace_fuword8_nocheck_nosmap) + ENTRY(dtrace_fuword8_nocheck_smap) + stac + xorq %rax, %rax + movb (%rdi), %al + clac + ret + END(dtrace_fuword8_nocheck_smap) + /* uint16_t dtrace_fuword16_nocheck(void *addr) */ - ENTRY(dtrace_fuword16_nocheck) + ENTRY(dtrace_fuword16_nocheck_nosmap) xorq %rax, %rax movw (%rdi), %ax ret - END(dtrace_fuword16_nocheck) + END(dtrace_fuword16_nocheck_nosmap) + ENTRY(dtrace_fuword16_nocheck_smap) + stac + xorq %rax, %rax + movw (%rdi), %ax + clac + ret + END(dtrace_fuword16_nocheck_smap) + /* uint32_t dtrace_fuword32_nocheck(void *addr) */ - ENTRY(dtrace_fuword32_nocheck) + ENTRY(dtrace_fuword32_nocheck_nosmap) xorq %rax, %rax movl (%rdi), %eax ret - END(dtrace_fuword32_nocheck) + END(dtrace_fuword32_nocheck_nosmap) + ENTRY(dtrace_fuword32_nocheck_smap) + stac + xorq %rax, %rax + movl (%rdi), %eax + clac + ret + END(dtrace_fuword32_nocheck_smap) + /* uint64_t dtrace_fuword64_nocheck(void *addr) */ - ENTRY(dtrace_fuword64_nocheck) + ENTRY(dtrace_fuword64_nocheck_nosmap) movq (%rdi), %rax ret - END(dtrace_fuword64_nocheck) + END(dtrace_fuword64_nocheck_nosmap) + + ENTRY(dtrace_fuword64_nocheck_smap) + stac + movq (%rdi), %rax + clac + ret + END(dtrace_fuword64_nocheck_smap) /* void Modified: releng/12.0/sys/cddl/dev/dtrace/amd64/dtrace_isa.c ============================================================================== --- releng/12.0/sys/cddl/dev/dtrace/amd64/dtrace_isa.c Tue Feb 5 17:54:02 2019 (r343782) +++ releng/12.0/sys/cddl/dev/dtrace/amd64/dtrace_isa.c Tue Feb 5 17:54:09 2019 (r343783) @@ -37,6 +37,7 @@ #include #include #include +#include #include #include @@ -663,4 +664,71 @@ dtrace_fuword64(void *uaddr) return (0); } return (dtrace_fuword64_nocheck(uaddr)); +} + +/* + * ifunc resolvers for SMAP support + */ +void dtrace_copy_nosmap(uintptr_t, uintptr_t, size_t); +void dtrace_copy_smap(uintptr_t, uintptr_t, size_t); +DEFINE_IFUNC(, void, dtrace_copy, (uintptr_t, uintptr_t, size_t), static) +{ + + return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ? + dtrace_copy_smap : dtrace_copy_nosmap); +} + +void dtrace_copystr_nosmap(uintptr_t, uintptr_t, size_t, volatile uint16_t *); +void dtrace_copystr_smap(uintptr_t, uintptr_t, size_t, volatile uint16_t *); +DEFINE_IFUNC(, void, dtrace_copystr, (uintptr_t, uintptr_t, size_t, + volatile uint16_t *), static) +{ + + return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ? + dtrace_copystr_smap : dtrace_copystr_nosmap); +} + +uintptr_t dtrace_fulword_nosmap(void *); +uintptr_t dtrace_fulword_smap(void *); +DEFINE_IFUNC(, uintptr_t, dtrace_fulword, (void *), static) +{ + + return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ? + dtrace_fulword_smap : dtrace_fulword_nosmap); +} + +uint8_t dtrace_fuword8_nocheck_nosmap(void *); +uint8_t dtrace_fuword8_nocheck_smap(void *); +DEFINE_IFUNC(, uint8_t, dtrace_fuword8_nocheck, (void *), static) +{ + + return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ? + dtrace_fuword8_nocheck_smap : dtrace_fuword8_nocheck_nosmap); +} + +uint16_t dtrace_fuword16_nocheck_nosmap(void *); +uint16_t dtrace_fuword16_nocheck_smap(void *); +DEFINE_IFUNC(, uint16_t, dtrace_fuword16_nocheck, (void *), static) +{ + + return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ? + dtrace_fuword16_nocheck_smap : dtrace_fuword16_nocheck_nosmap); +} + +uint32_t dtrace_fuword32_nocheck_nosmap(void *); +uint32_t dtrace_fuword32_nocheck_smap(void *); +DEFINE_IFUNC(, uint32_t, dtrace_fuword32_nocheck, (void *), static) +{ + + return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ? + dtrace_fuword32_nocheck_smap : dtrace_fuword32_nocheck_nosmap); +} + +uint64_t dtrace_fuword64_nocheck_nosmap(void *); +uint64_t dtrace_fuword64_nocheck_smap(void *); +DEFINE_IFUNC(, uint64_t, dtrace_fuword64_nocheck, (void *), static) +{ + + return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ? + dtrace_fuword64_nocheck_smap : dtrace_fuword64_nocheck_nosmap); } From owner-svn-src-releng@freebsd.org Tue Feb 5 17:59:51 2019 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 657F714C2C35; Tue, 5 Feb 2019 17:59:51 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0D53A869D2; Tue, 5 Feb 2019 17:59:51 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id F3AEF21602; Tue, 5 Feb 2019 17:59:50 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x15HxoYT041368; Tue, 5 Feb 2019 17:59:50 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x15HxoUF041367; Tue, 5 Feb 2019 17:59:50 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201902051759.x15HxoUF041367@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 5 Feb 2019 17:59:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r343787 - in releng/12.0/sys: netinet netinet6 X-SVN-Group: releng X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: in releng/12.0/sys: netinet netinet6 X-SVN-Commit-Revision: 343787 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 0D53A869D2 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.973,0]; NEURAL_HAM_LONG(-1.00)[-0.999,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Feb 2019 17:59:51 -0000 Author: emaste Date: Tue Feb 5 17:59:50 2019 New Revision: 343787 URL: https://svnweb.freebsd.org/changeset/base/343787 Log: MFS12 r343454: Fix an LLE lookup race PR: 234296 Submitted by: markj Approved by: so Modified: releng/12.0/sys/netinet/in.c releng/12.0/sys/netinet6/in6.c Directory Properties: releng/12.0/ (props changed) Modified: releng/12.0/sys/netinet/in.c ============================================================================== --- releng/12.0/sys/netinet/in.c Tue Feb 5 17:57:30 2019 (r343786) +++ releng/12.0/sys/netinet/in.c Tue Feb 5 17:59:50 2019 (r343787) @@ -1372,15 +1372,13 @@ in_lltable_lookup(struct lltable *llt, u_int flags, co IF_AFDATA_LOCK_ASSERT(llt->llt_ifp); KASSERT(l3addr->sa_family == AF_INET, ("sin_family %d", l3addr->sa_family)); - lle = in_lltable_find_dst(llt, sin->sin_addr); + KASSERT((flags & (LLE_UNLOCKED | LLE_EXCLUSIVE)) != + (LLE_UNLOCKED | LLE_EXCLUSIVE), + ("wrong lle request flags: %#x", flags)); + lle = in_lltable_find_dst(llt, sin->sin_addr); if (lle == NULL) return (NULL); - - KASSERT((flags & (LLE_UNLOCKED|LLE_EXCLUSIVE)) != - (LLE_UNLOCKED|LLE_EXCLUSIVE),("wrong lle request flags: 0x%X", - flags)); - if (flags & LLE_UNLOCKED) return (lle); @@ -1389,6 +1387,17 @@ in_lltable_lookup(struct lltable *llt, u_int flags, co else LLE_RLOCK(lle); + /* + * If the afdata lock is not held, the LLE may have been unlinked while + * we were blocked on the LLE lock. Check for this case. + */ + if (__predict_false((lle->la_flags & LLE_LINKED) == 0)) { + if (flags & LLE_EXCLUSIVE) + LLE_WUNLOCK(lle); + else + LLE_RUNLOCK(lle); + return (NULL); + } return (lle); } Modified: releng/12.0/sys/netinet6/in6.c ============================================================================== --- releng/12.0/sys/netinet6/in6.c Tue Feb 5 17:57:30 2019 (r343786) +++ releng/12.0/sys/netinet6/in6.c Tue Feb 5 17:59:50 2019 (r343787) @@ -2311,16 +2311,13 @@ in6_lltable_lookup(struct lltable *llt, u_int flags, IF_AFDATA_LOCK_ASSERT(llt->llt_ifp); KASSERT(l3addr->sa_family == AF_INET6, ("sin_family %d", l3addr->sa_family)); + KASSERT((flags & (LLE_UNLOCKED | LLE_EXCLUSIVE)) != + (LLE_UNLOCKED | LLE_EXCLUSIVE), + ("wrong lle request flags: %#x", flags)); lle = in6_lltable_find_dst(llt, &sin6->sin6_addr); - if (lle == NULL) return (NULL); - - KASSERT((flags & (LLE_UNLOCKED|LLE_EXCLUSIVE)) != - (LLE_UNLOCKED|LLE_EXCLUSIVE),("wrong lle request flags: 0x%X", - flags)); - if (flags & LLE_UNLOCKED) return (lle); @@ -2328,6 +2325,18 @@ in6_lltable_lookup(struct lltable *llt, u_int flags, LLE_WLOCK(lle); else LLE_RLOCK(lle); + + /* + * If the afdata lock is not held, the LLE may have been unlinked while + * we were blocked on the LLE lock. Check for this case. + */ + if (__predict_false((lle->la_flags & LLE_LINKED) == 0)) { + if (flags & LLE_EXCLUSIVE) + LLE_WUNLOCK(lle); + else + LLE_RUNLOCK(lle); + return (NULL); + } return (lle); } From owner-svn-src-releng@freebsd.org Tue Feb 5 18:05:06 2019 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 10C9C14C344C; Tue, 5 Feb 2019 18:05:06 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A4D438720F; Tue, 5 Feb 2019 18:05:05 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 987BB217B0; Tue, 5 Feb 2019 18:05:05 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x15I55Ea046777; Tue, 5 Feb 2019 18:05:05 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x15I55P2046776; Tue, 5 Feb 2019 18:05:05 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201902051805.x15I55P2046776@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 5 Feb 2019 18:05:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r343788 - releng/12.0/sys/amd64/amd64 X-SVN-Group: releng X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: releng/12.0/sys/amd64/amd64 X-SVN-Commit-Revision: 343788 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: A4D438720F X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.971,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Feb 2019 18:05:06 -0000 Author: emaste Date: Tue Feb 5 18:05:05 2019 New Revision: 343788 URL: https://svnweb.freebsd.org/changeset/base/343788 Log: MFS12 r343781: amd64: clear callee-preserved registers on syscall exit Submitted by: kib Approved by: so Security: CVE-2019-5595 Security: FreeBSD-SA-19:01.syscall Modified: releng/12.0/sys/amd64/amd64/exception.S Directory Properties: releng/12.0/ (props changed) Modified: releng/12.0/sys/amd64/amd64/exception.S ============================================================================== --- releng/12.0/sys/amd64/amd64/exception.S Tue Feb 5 17:59:50 2019 (r343787) +++ releng/12.0/sys/amd64/amd64/exception.S Tue Feb 5 18:05:05 2019 (r343788) @@ -521,12 +521,14 @@ fast_syscall_common: movq TF_RFLAGS(%rsp),%r11 /* original %rflags */ movq TF_RIP(%rsp),%rcx /* original %rip */ movq TF_RSP(%rsp),%rsp /* user stack pointer */ + xorl %r8d,%r8d /* zero the rest of GPRs */ + xorl %r10d,%r10d cmpq $~0,PCPU(UCR3) je 2f movq PCPU(UCR3),%r9 movq %r9,%cr3 - xorl %r9d,%r9d -2: swapgs +2: xorl %r9d,%r9d + swapgs sysretq 3: /* AST scheduled. */ From owner-svn-src-releng@freebsd.org Tue Feb 5 18:07:46 2019 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 31B2B14C3599; Tue, 5 Feb 2019 18:07:46 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C9110873C4; Tue, 5 Feb 2019 18:07:45 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B7B31217B2; Tue, 5 Feb 2019 18:07:45 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x15I7jQj046919; Tue, 5 Feb 2019 18:07:45 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x15I7jM6046918; Tue, 5 Feb 2019 18:07:45 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201902051807.x15I7jM6046918@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 5 Feb 2019 18:07:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r343789 - releng/11.2/sys/amd64/amd64 X-SVN-Group: releng X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: releng/11.2/sys/amd64/amd64 X-SVN-Commit-Revision: 343789 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: C9110873C4 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_SHORT(-0.97)[-0.971,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Feb 2019 18:07:46 -0000 Author: emaste Date: Tue Feb 5 18:07:45 2019 New Revision: 343789 URL: https://svnweb.freebsd.org/changeset/base/343789 Log: amd64: clear callee-preserved registers on syscall exit Submitted by: kib Approved by: so Security: CVE-2019-5595 Security: FreeBSD-SA-19:01.syscall Modified: releng/11.2/sys/amd64/amd64/exception.S Modified: releng/11.2/sys/amd64/amd64/exception.S ============================================================================== --- releng/11.2/sys/amd64/amd64/exception.S Tue Feb 5 18:05:05 2019 (r343788) +++ releng/11.2/sys/amd64/amd64/exception.S Tue Feb 5 18:07:45 2019 (r343789) @@ -496,12 +496,14 @@ fast_syscall_common: movq TF_RFLAGS(%rsp),%r11 /* original %rflags */ movq TF_RIP(%rsp),%rcx /* original %rip */ movq TF_RSP(%rsp),%rsp /* user stack pointer */ + xorl %r8d,%r8d /* zero the rest of GPRs */ + xorl %r10d,%r10d cmpb $0,pti je 2f movq PCPU(UCR3),%r9 movq %r9,%cr3 - xorl %r9d,%r9d -2: swapgs +2: xorl %r9d,%r9d + swapgs sysretq 3: /* AST scheduled. */ From owner-svn-src-releng@freebsd.org Tue Feb 5 18:11:16 2019 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 78DFD14C387A; Tue, 5 Feb 2019 18:11:16 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1FA87877A4; Tue, 5 Feb 2019 18:11:16 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0D90D217F7; Tue, 5 Feb 2019 18:11:16 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x15IBFfN048692; Tue, 5 Feb 2019 18:11:15 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x15IBFCm048691; Tue, 5 Feb 2019 18:11:15 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201902051811.x15IBFCm048691@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 5 Feb 2019 18:11:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r343790 - releng/12.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: releng/12.0/sys/kern X-SVN-Commit-Revision: 343790 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 1FA87877A4 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.971,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Feb 2019 18:11:16 -0000 Author: emaste Date: Tue Feb 5 18:11:15 2019 New Revision: 343790 URL: https://svnweb.freebsd.org/changeset/base/343790 Log: MFS12 r343785: Avoid leaking fp references when truncating SCM_RIGHTS control messages. Submitted by: markj Approved by: so Security: CVE-2019-5596 Modified: releng/12.0/sys/kern/uipc_syscalls.c Directory Properties: releng/12.0/ (props changed) Modified: releng/12.0/sys/kern/uipc_syscalls.c ============================================================================== --- releng/12.0/sys/kern/uipc_syscalls.c Tue Feb 5 18:07:45 2019 (r343789) +++ releng/12.0/sys/kern/uipc_syscalls.c Tue Feb 5 18:11:15 2019 (r343790) @@ -1607,8 +1607,10 @@ m_dispose_extcontrolm(struct mbuf *m) fd = *fds++; error = fget(td, fd, &cap_no_rights, &fp); - if (error == 0) + if (error == 0) { fdclose(td, fp, fd); + fdrop(fp, td); + } } } clen -= datalen; From owner-svn-src-releng@freebsd.org Tue Feb 5 18:20:35 2019 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 65F9D14C403A; Tue, 5 Feb 2019 18:20:35 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0CB418843B; Tue, 5 Feb 2019 18:20:35 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id F2F02219A0; Tue, 5 Feb 2019 18:20:34 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x15IKYEx052497; Tue, 5 Feb 2019 18:20:34 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x15IKY3r052495; Tue, 5 Feb 2019 18:20:34 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201902051820.x15IKY3r052495@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 5 Feb 2019 18:20:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r343792 - in releng/12.0: . sys/conf X-SVN-Group: releng X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: in releng/12.0: . sys/conf X-SVN-Commit-Revision: 343792 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 0CB418843B X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.971,0]; NEURAL_HAM_LONG(-1.00)[-0.999,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Feb 2019 18:20:35 -0000 Author: emaste Date: Tue Feb 5 18:20:34 2019 New Revision: 343792 URL: https://svnweb.freebsd.org/changeset/base/343792 Log: UPDATING and newvers entries for 12.0-p3 Approved by: so Security: FreeBSD-SA-19:01.syscall Security: FreeBSD-SA-19:02.fd Security: FreeBSD-EN-19:06.dtrace Security: FreeBSD-EN-19:07.lle Modified: releng/12.0/UPDATING releng/12.0/sys/conf/newvers.sh Modified: releng/12.0/UPDATING ============================================================================== --- releng/12.0/UPDATING Tue Feb 5 18:16:14 2019 (r343791) +++ releng/12.0/UPDATING Tue Feb 5 18:20:34 2019 (r343792) @@ -16,6 +16,21 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190205: p3 FreeBSD-SA-19:01.syscall + FreeBSD-SA-19:02.fd + FreeBSD-EN-19:06.dtrace + FreeBSD-EN-19:07.lle + + amd64: clear callee-preserved registers on syscall exit + [SA-19:01.syscall] + + Avoid leaking fp references when truncating SCM_RIGHTS control messages. + [SA-19:02.fd] + + dtrace: fix userspace access on boxes with SMAP [EN-19:06.dtrace] + + Fix an LLE lookup race [EN-19:07.lle] + 20190109: p2 FreeBSD-EN-19:01.cc_cubic FreeBSD-EN-19:02.tcp FreeBSD-EN-19:03.sqlite Modified: releng/12.0/sys/conf/newvers.sh ============================================================================== --- releng/12.0/sys/conf/newvers.sh Tue Feb 5 18:16:14 2019 (r343791) +++ releng/12.0/sys/conf/newvers.sh Tue Feb 5 18:20:34 2019 (r343792) @@ -46,7 +46,7 @@ TYPE="FreeBSD" REVISION="12.0" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@freebsd.org Tue Feb 5 18:22:22 2019 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 44CC214C427D; Tue, 5 Feb 2019 18:22:22 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DF37D886D8; Tue, 5 Feb 2019 18:22:21 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D2AF821B34; Tue, 5 Feb 2019 18:22:21 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x15IMLco057243; Tue, 5 Feb 2019 18:22:21 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x15IMLFL057239; Tue, 5 Feb 2019 18:22:21 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201902051822.x15IMLFL057239@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 5 Feb 2019 18:22:21 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r343793 - in releng/11.2: . sys/conf X-SVN-Group: releng X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: in releng/11.2: . sys/conf X-SVN-Commit-Revision: 343793 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: DF37D886D8 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.972,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Feb 2019 18:22:22 -0000 Author: emaste Date: Tue Feb 5 18:22:21 2019 New Revision: 343793 URL: https://svnweb.freebsd.org/changeset/base/343793 Log: UPDATING and newvers entries for 11.2-p9 Approved by: so Security: FreeBSD-SA-19:01.syscall Modified: releng/11.2/UPDATING releng/11.2/sys/conf/newvers.sh Modified: releng/11.2/UPDATING ============================================================================== --- releng/11.2/UPDATING Tue Feb 5 18:20:34 2019 (r343792) +++ releng/11.2/UPDATING Tue Feb 5 18:22:21 2019 (r343793) @@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190205 p9 FreeBSD-SA-19:01.syscall + + amd64: clear callee-preserved registers on syscall exit + [SA-19:01.syscall] + 20190109 p8 FreeBSD-EN-19:03.sqlite FreeBSD-EN-19:04.tzdata FreeBSD-EN-19:05.kqueue Modified: releng/11.2/sys/conf/newvers.sh ============================================================================== --- releng/11.2/sys/conf/newvers.sh Tue Feb 5 18:20:34 2019 (r343792) +++ releng/11.2/sys/conf/newvers.sh Tue Feb 5 18:22:21 2019 (r343793) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.2" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi