From owner-svn-src-releng@freebsd.org Wed Jul 24 12:50:48 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 27B55A73E6; Wed, 24 Jul 2019 12:50:48 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 09BF580B33; Wed, 24 Jul 2019 12:50:48 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BA280E823; Wed, 24 Jul 2019 12:50:47 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6OCol6n071463; Wed, 24 Jul 2019 12:50:47 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6OCollM071461; Wed, 24 Jul 2019 12:50:47 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201907241250.x6OCollM071461@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 24 Jul 2019 12:50:47 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350280 - in releng: 11.2/sys/x86/x86 11.3/sys/x86/x86 12.0/sys/x86/x86 X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/x86/x86 11.3/sys/x86/x86 12.0/sys/x86/x86 X-SVN-Commit-Revision: 350280 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 09BF580B33 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.92 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.93)[-0.925,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2019 12:50:48 -0000 Author: gordon Date: Wed Jul 24 12:50:46 2019 New Revision: 350280 URL: https://svnweb.freebsd.org/changeset/base/350280 Log: Fix panic from Intel CPU vulnerability mitigation. Approved by: so Security: FreeBSD-EN-19:13.mds Modified: releng/11.2/sys/x86/x86/cpu_machdep.c releng/11.3/sys/x86/x86/cpu_machdep.c releng/12.0/sys/x86/x86/cpu_machdep.c Modified: releng/11.2/sys/x86/x86/cpu_machdep.c ============================================================================== --- releng/11.2/sys/x86/x86/cpu_machdep.c Wed Jul 24 12:48:51 2019 (r350279) +++ releng/11.2/sys/x86/x86/cpu_machdep.c Wed Jul 24 12:50:46 2019 (r350280) @@ -946,7 +946,6 @@ int hw_mds_disable; * architectural state except possibly %rflags. Also, it is always * called with interrupts disabled. */ -void (*mds_handler)(void); void mds_handler_void(void); void mds_handler_verw(void); void mds_handler_ivb(void); @@ -955,6 +954,7 @@ void mds_handler_skl_sse(void); void mds_handler_skl_avx(void); void mds_handler_skl_avx512(void); void mds_handler_silvermont(void); +void (*mds_handler)(void) = mds_handler_void; static int sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS) Modified: releng/11.3/sys/x86/x86/cpu_machdep.c ============================================================================== --- releng/11.3/sys/x86/x86/cpu_machdep.c Wed Jul 24 12:48:51 2019 (r350279) +++ releng/11.3/sys/x86/x86/cpu_machdep.c Wed Jul 24 12:50:46 2019 (r350280) @@ -953,7 +953,6 @@ int hw_mds_disable; * architectural state except possibly %rflags. Also, it is always * called with interrupts disabled. */ -void (*mds_handler)(void); void mds_handler_void(void); void mds_handler_verw(void); void mds_handler_ivb(void); @@ -962,6 +961,7 @@ void mds_handler_skl_sse(void); void mds_handler_skl_avx(void); void mds_handler_skl_avx512(void); void mds_handler_silvermont(void); +void (*mds_handler)(void) = mds_handler_void; static int sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS) Modified: releng/12.0/sys/x86/x86/cpu_machdep.c ============================================================================== --- releng/12.0/sys/x86/x86/cpu_machdep.c Wed Jul 24 12:48:51 2019 (r350279) +++ releng/12.0/sys/x86/x86/cpu_machdep.c Wed Jul 24 12:50:46 2019 (r350280) @@ -924,7 +924,6 @@ int hw_mds_disable; * architectural state except possibly %rflags. Also, it is always * called with interrupts disabled. */ -void (*mds_handler)(void); void mds_handler_void(void); void mds_handler_verw(void); void mds_handler_ivb(void); @@ -933,6 +932,7 @@ void mds_handler_skl_sse(void); void mds_handler_skl_avx(void); void mds_handler_skl_avx512(void); void mds_handler_silvermont(void); +void (*mds_handler)(void) = mds_handler_void; static int sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS) From owner-svn-src-releng@freebsd.org Wed Jul 24 12:51:54 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C6B70A7460; Wed, 24 Jul 2019 12:51:54 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A944F80E5A; Wed, 24 Jul 2019 12:51:54 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 84D16E99D; Wed, 24 Jul 2019 12:51:54 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6OCpsBN072287; Wed, 24 Jul 2019 12:51:54 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6OCpqHo072277; Wed, 24 Jul 2019 12:51:52 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201907241251.x6OCpqHo072277@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 24 Jul 2019 12:51:52 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350281 - in releng: 11.2/contrib/telnet/telnet 11.3/contrib/telnet/telnet 12.0/contrib/telnet/telnet X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/contrib/telnet/telnet 11.3/contrib/telnet/telnet 12.0/contrib/telnet/telnet X-SVN-Commit-Revision: 350281 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: A944F80E5A X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.92 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.92)[-0.925,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2019 12:51:54 -0000 Author: gordon Date: Wed Jul 24 12:51:52 2019 New Revision: 350281 URL: https://svnweb.freebsd.org/changeset/base/350281 Log: Fix multiple telnet client vulnerabilities. Approved by: so Security: FreeBSD-SA-19:12.telnet Security: CVE-2019-0053 Modified: releng/11.2/contrib/telnet/telnet/commands.c releng/11.2/contrib/telnet/telnet/telnet.c releng/11.2/contrib/telnet/telnet/utilities.c releng/11.3/contrib/telnet/telnet/commands.c releng/11.3/contrib/telnet/telnet/telnet.c releng/11.3/contrib/telnet/telnet/utilities.c releng/12.0/contrib/telnet/telnet/commands.c releng/12.0/contrib/telnet/telnet/telnet.c releng/12.0/contrib/telnet/telnet/utilities.c Modified: releng/11.2/contrib/telnet/telnet/commands.c ============================================================================== --- releng/11.2/contrib/telnet/telnet/commands.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/11.2/contrib/telnet/telnet/commands.c Wed Jul 24 12:51:52 2019 (r350281) @@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -1654,11 +1655,14 @@ env_init(void) || (strncmp((char *)ep->value, "unix:", 5) == 0))) { char hbuf[256+1]; char *cp2 = strchr((char *)ep->value, ':'); + size_t buflen; - gethostname(hbuf, 256); - hbuf[256] = '\0'; - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1); - sprintf((char *)cp, "%s%s", hbuf, cp2); + gethostname(hbuf, sizeof(hbuf)); + hbuf[sizeof(hbuf)-1] = '\0'; + buflen = strlen(hbuf) + strlen(cp2) + 1; + cp = (char *)malloc(sizeof(char)*buflen); + assert(cp != NULL); + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); free(ep->value); ep->value = (unsigned char *)cp; } Modified: releng/11.2/contrib/telnet/telnet/telnet.c ============================================================================== --- releng/11.2/contrib/telnet/telnet/telnet.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/11.2/contrib/telnet/telnet/telnet.c Wed Jul 24 12:51:52 2019 (r350281) @@ -785,7 +785,7 @@ suboption(void) name = gettermname(); len = strlen(name) + 4 + 2; if (len < NETROOM()) { - sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, + snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE); ring_supply_data(&netoring, temp, len); printsub('>', &temp[2], len-2); @@ -807,7 +807,7 @@ suboption(void) TerminalSpeeds(&ispeed, &ospeed); - sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, + snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, TELQUAL_IS, ospeed, ispeed, IAC, SE); len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */ Modified: releng/11.2/contrib/telnet/telnet/utilities.c ============================================================================== --- releng/11.2/contrib/telnet/telnet/utilities.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/11.2/contrib/telnet/telnet/utilities.c Wed Jul 24 12:51:52 2019 (r350281) @@ -629,7 +629,7 @@ printsub(char direction, unsigned char *pointer, int l } { char tbuf[64]; - sprintf(tbuf, "%s%s%s%s%s", + snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s", pointer[2]&MODE_EDIT ? "|EDIT" : "", pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "", pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "", Modified: releng/11.3/contrib/telnet/telnet/commands.c ============================================================================== --- releng/11.3/contrib/telnet/telnet/commands.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/11.3/contrib/telnet/telnet/commands.c Wed Jul 24 12:51:52 2019 (r350281) @@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -1654,11 +1655,14 @@ env_init(void) || (strncmp((char *)ep->value, "unix:", 5) == 0))) { char hbuf[256+1]; char *cp2 = strchr((char *)ep->value, ':'); + size_t buflen; - gethostname(hbuf, 256); - hbuf[256] = '\0'; - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1); - sprintf((char *)cp, "%s%s", hbuf, cp2); + gethostname(hbuf, sizeof(hbuf)); + hbuf[sizeof(hbuf)-1] = '\0'; + buflen = strlen(hbuf) + strlen(cp2) + 1; + cp = (char *)malloc(sizeof(char)*buflen); + assert(cp != NULL); + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); free(ep->value); ep->value = (unsigned char *)cp; } Modified: releng/11.3/contrib/telnet/telnet/telnet.c ============================================================================== --- releng/11.3/contrib/telnet/telnet/telnet.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/11.3/contrib/telnet/telnet/telnet.c Wed Jul 24 12:51:52 2019 (r350281) @@ -785,7 +785,7 @@ suboption(void) name = gettermname(); len = strlen(name) + 4 + 2; if (len < NETROOM()) { - sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, + snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE); ring_supply_data(&netoring, temp, len); printsub('>', &temp[2], len-2); @@ -807,7 +807,7 @@ suboption(void) TerminalSpeeds(&ispeed, &ospeed); - sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, + snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, TELQUAL_IS, ospeed, ispeed, IAC, SE); len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */ Modified: releng/11.3/contrib/telnet/telnet/utilities.c ============================================================================== --- releng/11.3/contrib/telnet/telnet/utilities.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/11.3/contrib/telnet/telnet/utilities.c Wed Jul 24 12:51:52 2019 (r350281) @@ -629,7 +629,7 @@ printsub(char direction, unsigned char *pointer, int l } { char tbuf[64]; - sprintf(tbuf, "%s%s%s%s%s", + snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s", pointer[2]&MODE_EDIT ? "|EDIT" : "", pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "", pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "", Modified: releng/12.0/contrib/telnet/telnet/commands.c ============================================================================== --- releng/12.0/contrib/telnet/telnet/commands.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/12.0/contrib/telnet/telnet/commands.c Wed Jul 24 12:51:52 2019 (r350281) @@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -1654,11 +1655,14 @@ env_init(void) || (strncmp((char *)ep->value, "unix:", 5) == 0))) { char hbuf[256+1]; char *cp2 = strchr((char *)ep->value, ':'); + size_t buflen; - gethostname(hbuf, 256); - hbuf[256] = '\0'; - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1); - sprintf((char *)cp, "%s%s", hbuf, cp2); + gethostname(hbuf, sizeof(hbuf)); + hbuf[sizeof(hbuf)-1] = '\0'; + buflen = strlen(hbuf) + strlen(cp2) + 1; + cp = (char *)malloc(sizeof(char)*buflen); + assert(cp != NULL); + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); free(ep->value); ep->value = (unsigned char *)cp; } Modified: releng/12.0/contrib/telnet/telnet/telnet.c ============================================================================== --- releng/12.0/contrib/telnet/telnet/telnet.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/12.0/contrib/telnet/telnet/telnet.c Wed Jul 24 12:51:52 2019 (r350281) @@ -785,7 +785,7 @@ suboption(void) name = gettermname(); len = strlen(name) + 4 + 2; if (len < NETROOM()) { - sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, + snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE); ring_supply_data(&netoring, temp, len); printsub('>', &temp[2], len-2); @@ -807,7 +807,7 @@ suboption(void) TerminalSpeeds(&ispeed, &ospeed); - sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, + snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, TELQUAL_IS, ospeed, ispeed, IAC, SE); len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */ Modified: releng/12.0/contrib/telnet/telnet/utilities.c ============================================================================== --- releng/12.0/contrib/telnet/telnet/utilities.c Wed Jul 24 12:50:46 2019 (r350280) +++ releng/12.0/contrib/telnet/telnet/utilities.c Wed Jul 24 12:51:52 2019 (r350281) @@ -629,7 +629,7 @@ printsub(char direction, unsigned char *pointer, int l } { char tbuf[64]; - sprintf(tbuf, "%s%s%s%s%s", + snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s", pointer[2]&MODE_EDIT ? "|EDIT" : "", pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "", pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "", From owner-svn-src-releng@freebsd.org Wed Jul 24 12:53:07 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9E104A7673; Wed, 24 Jul 2019 12:53:07 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7F24E8102C; Wed, 24 Jul 2019 12:53:07 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5AC75E9E4; Wed, 24 Jul 2019 12:53:07 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6OCr73u076209; Wed, 24 Jul 2019 12:53:07 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6OCr6EY076207; Wed, 24 Jul 2019 12:53:06 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201907241253.x6OCr6EY076207@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 24 Jul 2019 12:53:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350282 - in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Commit-Revision: 350282 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 7F24E8102C X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.93)[-0.926,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2019 12:53:07 -0000 Author: gordon Date: Wed Jul 24 12:53:06 2019 New Revision: 350282 URL: https://svnweb.freebsd.org/changeset/base/350282 Log: Fix pts write-after-free. Approved by: so Security: FreeBSD-SA-19:13.pts Security: CVE-2019-5606 Modified: releng/11.2/sys/kern/tty.c releng/11.3/sys/kern/tty.c releng/12.0/sys/kern/tty.c Modified: releng/11.2/sys/kern/tty.c ============================================================================== --- releng/11.2/sys/kern/tty.c Wed Jul 24 12:51:52 2019 (r350281) +++ releng/11.2/sys/kern/tty.c Wed Jul 24 12:53:06 2019 (r350282) @@ -230,9 +230,6 @@ ttydev_leave(struct tty *tp) tp->t_flags |= TF_OPENCLOSE; - /* Stop asynchronous I/O. */ - funsetown(&tp->t_sigio); - /* Remove console TTY. */ if (constty == tp) constty_clear(); @@ -1122,6 +1119,9 @@ tty_rel_free(struct tty *tp) tty_unlock(tp); return; } + + /* Stop asynchronous I/O. */ + funsetown(&tp->t_sigio); /* TTY can be deallocated. */ dev = tp->t_dev; Modified: releng/11.3/sys/kern/tty.c ============================================================================== --- releng/11.3/sys/kern/tty.c Wed Jul 24 12:51:52 2019 (r350281) +++ releng/11.3/sys/kern/tty.c Wed Jul 24 12:53:06 2019 (r350282) @@ -230,9 +230,6 @@ ttydev_leave(struct tty *tp) tp->t_flags |= TF_OPENCLOSE; - /* Stop asynchronous I/O. */ - funsetown(&tp->t_sigio); - /* Remove console TTY. */ if (constty == tp) constty_clear(); @@ -1122,6 +1119,12 @@ tty_rel_free(struct tty *tp) tty_unlock(tp); return; } + + /* Stop asynchronous I/O. */ + funsetown(&tp->t_sigio); + + /* Stop asynchronous I/O. */ + funsetown(&tp->t_sigio); /* TTY can be deallocated. */ dev = tp->t_dev; Modified: releng/12.0/sys/kern/tty.c ============================================================================== --- releng/12.0/sys/kern/tty.c Wed Jul 24 12:51:52 2019 (r350281) +++ releng/12.0/sys/kern/tty.c Wed Jul 24 12:53:06 2019 (r350282) @@ -231,9 +231,6 @@ ttydev_leave(struct tty *tp) tp->t_flags |= TF_OPENCLOSE; - /* Stop asynchronous I/O. */ - funsetown(&tp->t_sigio); - /* Remove console TTY. */ if (constty == tp) constty_clear(); @@ -1123,6 +1120,9 @@ tty_rel_free(struct tty *tp) tty_unlock(tp); return; } + + /* Stop asynchronous I/O. */ + funsetown(&tp->t_sigio); /* TTY can be deallocated. */ dev = tp->t_dev; From owner-svn-src-releng@freebsd.org Wed Jul 24 12:54:11 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 23C43A76E9; Wed, 24 Jul 2019 12:54:11 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 05A7A8119B; Wed, 24 Jul 2019 12:54:11 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D2405E9E5; Wed, 24 Jul 2019 12:54:10 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6OCsAou076298; Wed, 24 Jul 2019 12:54:10 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6OCsABl076296; Wed, 24 Jul 2019 12:54:10 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201907241254.x6OCsABl076296@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 24 Jul 2019 12:54:10 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350283 - in releng: 11.2/sys/compat/freebsd32 11.3/sys/compat/freebsd32 X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/compat/freebsd32 11.3/sys/compat/freebsd32 X-SVN-Commit-Revision: 350283 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 05A7A8119B X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.93)[-0.926,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2019 12:54:11 -0000 Author: gordon Date: Wed Jul 24 12:54:10 2019 New Revision: 350283 URL: https://svnweb.freebsd.org/changeset/base/350283 Log: Fix kernel memory disclosure in freebsd32_ioctl. Approved by: so Security: FreeBSD-SA-19:14.freebsd32 Security: CVE-2019-5605 Modified: releng/11.2/sys/compat/freebsd32/freebsd32_ioctl.c releng/11.3/sys/compat/freebsd32/freebsd32_ioctl.c Modified: releng/11.2/sys/compat/freebsd32/freebsd32_ioctl.c ============================================================================== --- releng/11.2/sys/compat/freebsd32/freebsd32_ioctl.c Wed Jul 24 12:53:06 2019 (r350282) +++ releng/11.2/sys/compat/freebsd32/freebsd32_ioctl.c Wed Jul 24 12:54:10 2019 (r350283) @@ -262,6 +262,8 @@ freebsd32_ioctl_pciocgetconf(struct thread *td, vm_offset_t addr; int error; + memset(&pmc, 0, sizeof(pmc)); + memset(&pc32, 0, sizeof(pc32)); if ((error = copyin(uap->data, &pci32, sizeof(pci32))) != 0) return (error); Modified: releng/11.3/sys/compat/freebsd32/freebsd32_ioctl.c ============================================================================== --- releng/11.3/sys/compat/freebsd32/freebsd32_ioctl.c Wed Jul 24 12:53:06 2019 (r350282) +++ releng/11.3/sys/compat/freebsd32/freebsd32_ioctl.c Wed Jul 24 12:54:10 2019 (r350283) @@ -262,6 +262,8 @@ freebsd32_ioctl_pciocgetconf(struct thread *td, vm_offset_t addr; int error; + memset(&pmc, 0, sizeof(pmc)); + memset(&pc32, 0, sizeof(pc32)); if ((error = copyin(uap->data, &pci32, sizeof(pci32))) != 0) return (error); From owner-svn-src-releng@freebsd.org Wed Jul 24 12:55:17 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6B7C8A7768; Wed, 24 Jul 2019 12:55:17 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4D0C581300; Wed, 24 Jul 2019 12:55:17 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0F1B8E9E7; Wed, 24 Jul 2019 12:55:17 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6OCtGj3076439; Wed, 24 Jul 2019 12:55:16 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6OCtGcQ076435; Wed, 24 Jul 2019 12:55:16 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201907241255.x6OCtGcQ076435@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 24 Jul 2019 12:55:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350284 - in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Commit-Revision: 350284 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 4D0C581300 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.92 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.93)[-0.925,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2019 12:55:17 -0000 Author: gordon Date: Wed Jul 24 12:55:16 2019 New Revision: 350284 URL: https://svnweb.freebsd.org/changeset/base/350284 Log: Fix reference count overflow in mqueuefs. Approved by: so Security: FreeBSD-SA-19:15.mqueuefs Security: CVE-2019-5603 Modified: releng/11.2/sys/kern/uipc_mqueue.c releng/11.3/sys/kern/uipc_mqueue.c releng/12.0/sys/kern/uipc_mqueue.c Modified: releng/11.2/sys/kern/uipc_mqueue.c ============================================================================== --- releng/11.2/sys/kern/uipc_mqueue.c Wed Jul 24 12:54:10 2019 (r350283) +++ releng/11.2/sys/kern/uipc_mqueue.c Wed Jul 24 12:55:16 2019 (r350284) @@ -2266,13 +2266,14 @@ sys_kmq_timedreceive(struct thread *td, struct kmq_tim if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets, sizeof(ets)); if (error != 0) - return (error); + goto out; abs_timeout = &ets; } else abs_timeout = NULL; waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } @@ -2291,13 +2292,14 @@ sys_kmq_timedsend(struct thread *td, struct kmq_timeds if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets, sizeof(ets)); if (error != 0) - return (error); + goto out; abs_timeout = &ets; } else abs_timeout = NULL; waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_send(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } @@ -2815,7 +2817,7 @@ freebsd32_kmq_timedreceive(struct thread *td, if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets32, sizeof(ets32)); if (error != 0) - return (error); + goto out; CP(ets32, ets, tv_sec); CP(ets32, ets, tv_nsec); abs_timeout = &ets; @@ -2824,6 +2826,7 @@ freebsd32_kmq_timedreceive(struct thread *td, waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } Modified: releng/11.3/sys/kern/uipc_mqueue.c ============================================================================== --- releng/11.3/sys/kern/uipc_mqueue.c Wed Jul 24 12:54:10 2019 (r350283) +++ releng/11.3/sys/kern/uipc_mqueue.c Wed Jul 24 12:55:16 2019 (r350284) @@ -2266,13 +2266,14 @@ sys_kmq_timedreceive(struct thread *td, struct kmq_tim if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets, sizeof(ets)); if (error != 0) - return (error); + goto out; abs_timeout = &ets; } else abs_timeout = NULL; waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } @@ -2291,13 +2292,14 @@ sys_kmq_timedsend(struct thread *td, struct kmq_timeds if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets, sizeof(ets)); if (error != 0) - return (error); + goto out; abs_timeout = &ets; } else abs_timeout = NULL; waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_send(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } @@ -2815,7 +2817,7 @@ freebsd32_kmq_timedreceive(struct thread *td, if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets32, sizeof(ets32)); if (error != 0) - return (error); + goto out; CP(ets32, ets, tv_sec); CP(ets32, ets, tv_nsec); abs_timeout = &ets; @@ -2824,6 +2826,7 @@ freebsd32_kmq_timedreceive(struct thread *td, waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } Modified: releng/12.0/sys/kern/uipc_mqueue.c ============================================================================== --- releng/12.0/sys/kern/uipc_mqueue.c Wed Jul 24 12:54:10 2019 (r350283) +++ releng/12.0/sys/kern/uipc_mqueue.c Wed Jul 24 12:55:16 2019 (r350284) @@ -2275,13 +2275,14 @@ sys_kmq_timedreceive(struct thread *td, struct kmq_tim if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets, sizeof(ets)); if (error != 0) - return (error); + goto out; abs_timeout = &ets; } else abs_timeout = NULL; waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } @@ -2301,13 +2302,14 @@ sys_kmq_timedsend(struct thread *td, struct kmq_timeds if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets, sizeof(ets)); if (error != 0) - return (error); + goto out; abs_timeout = &ets; } else abs_timeout = NULL; waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_send(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } @@ -2826,7 +2828,7 @@ freebsd32_kmq_timedreceive(struct thread *td, if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets32, sizeof(ets32)); if (error != 0) - return (error); + goto out; CP(ets32, ets, tv_sec); CP(ets32, ets, tv_nsec); abs_timeout = &ets; @@ -2835,6 +2837,7 @@ freebsd32_kmq_timedreceive(struct thread *td, waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } From owner-svn-src-releng@freebsd.org Wed Jul 24 12:56:08 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 08DDFA77DC; Wed, 24 Jul 2019 12:56:08 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DFE0C81454; Wed, 24 Jul 2019 12:56:07 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BA90CE9E8; Wed, 24 Jul 2019 12:56:07 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6OCu7AN076545; Wed, 24 Jul 2019 12:56:07 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6OCu7xM076540; Wed, 24 Jul 2019 12:56:07 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201907241256.x6OCu7xM076540@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 24 Jul 2019 12:56:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350285 - in releng: 11.2/usr.sbin/bhyve 11.3/usr.sbin/bhyve 12.0/usr.sbin/bhyve X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/usr.sbin/bhyve 11.3/usr.sbin/bhyve 12.0/usr.sbin/bhyve X-SVN-Commit-Revision: 350285 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: DFE0C81454 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.92 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.93)[-0.925,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2019 12:56:08 -0000 Author: gordon Date: Wed Jul 24 12:56:06 2019 New Revision: 350285 URL: https://svnweb.freebsd.org/changeset/base/350285 Log: Fix byhve out-of-bounds read in XHCI device. Approved by: so Security: FreeBSD-SA-19:16.bhyve Security: CVE-2019-5604 Modified: releng/11.2/usr.sbin/bhyve/pci_xhci.c releng/11.3/usr.sbin/bhyve/pci_xhci.c releng/12.0/usr.sbin/bhyve/pci_xhci.c Modified: releng/11.2/usr.sbin/bhyve/pci_xhci.c ============================================================================== --- releng/11.2/usr.sbin/bhyve/pci_xhci.c Wed Jul 24 12:55:16 2019 (r350284) +++ releng/11.2/usr.sbin/bhyve/pci_xhci.c Wed Jul 24 12:56:06 2019 (r350285) @@ -1898,6 +1898,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui return; } + if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) { + DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid)); + return; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); devep = &dev->eps[epid]; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); @@ -1923,6 +1928,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui /* get next trb work item */ if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) { + struct xhci_stream_ctx *sctx; + + /* + * Stream IDs of 0, 65535 (any stream), and 65534 + * (prime) are invalid. + */ + if (streamid == 0 || streamid == 65534 || streamid == 65535) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } + + sctx = NULL; + pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx); + if (sctx == NULL) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } sctx_tr = &devep->ep_sctx_trbs[streamid]; ringaddr = sctx_tr->ringaddr; ccs = sctx_tr->ccs; @@ -1931,6 +1953,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT, trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT)); } else { + if (streamid != 0) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } ringaddr = devep->ep_ringaddr; ccs = devep->ep_ccs; trb = devep->ep_tr; Modified: releng/11.3/usr.sbin/bhyve/pci_xhci.c ============================================================================== --- releng/11.3/usr.sbin/bhyve/pci_xhci.c Wed Jul 24 12:55:16 2019 (r350284) +++ releng/11.3/usr.sbin/bhyve/pci_xhci.c Wed Jul 24 12:56:06 2019 (r350285) @@ -1900,6 +1900,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui return; } + if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) { + DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid)); + return; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); devep = &dev->eps[epid]; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); @@ -1925,6 +1930,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui /* get next trb work item */ if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) { + struct xhci_stream_ctx *sctx; + + /* + * Stream IDs of 0, 65535 (any stream), and 65534 + * (prime) are invalid. + */ + if (streamid == 0 || streamid == 65534 || streamid == 65535) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } + + sctx = NULL; + pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx); + if (sctx == NULL) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } sctx_tr = &devep->ep_sctx_trbs[streamid]; ringaddr = sctx_tr->ringaddr; ccs = sctx_tr->ccs; @@ -1933,6 +1955,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT, trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT)); } else { + if (streamid != 0) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } ringaddr = devep->ep_ringaddr; ccs = devep->ep_ccs; trb = devep->ep_tr; Modified: releng/12.0/usr.sbin/bhyve/pci_xhci.c ============================================================================== --- releng/12.0/usr.sbin/bhyve/pci_xhci.c Wed Jul 24 12:55:16 2019 (r350284) +++ releng/12.0/usr.sbin/bhyve/pci_xhci.c Wed Jul 24 12:56:06 2019 (r350285) @@ -1900,6 +1900,11 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui return; } + if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) { + DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid)); + return; + } + dev = XHCI_SLOTDEV_PTR(sc, slot); devep = &dev->eps[epid]; dev_ctx = pci_xhci_get_dev_ctx(sc, slot); @@ -1925,6 +1930,23 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui /* get next trb work item */ if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) { + struct xhci_stream_ctx *sctx; + + /* + * Stream IDs of 0, 65535 (any stream), and 65534 + * (prime) are invalid. + */ + if (streamid == 0 || streamid == 65534 || streamid == 65535) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } + + sctx = NULL; + pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx); + if (sctx == NULL) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } sctx_tr = &devep->ep_sctx_trbs[streamid]; ringaddr = sctx_tr->ringaddr; ccs = sctx_tr->ccs; @@ -1933,6 +1955,10 @@ pci_xhci_device_doorbell(struct pci_xhci_softc *sc, ui streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT, trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT)); } else { + if (streamid != 0) { + DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid)); + return; + } ringaddr = devep->ep_ringaddr; ccs = devep->ep_ccs; trb = devep->ep_tr; From owner-svn-src-releng@freebsd.org Wed Jul 24 12:57:51 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0E024A785A; Wed, 24 Jul 2019 12:57:51 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E36A4815DD; Wed, 24 Jul 2019 12:57:50 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D3B2EE9E9; Wed, 24 Jul 2019 12:57:50 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6OCvoFH076686; Wed, 24 Jul 2019 12:57:50 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6OCvo64076684; Wed, 24 Jul 2019 12:57:50 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201907241257.x6OCvo64076684@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 24 Jul 2019 12:57:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350286 - in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Commit-Revision: 350286 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: E36A4815DD X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.92 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.93)[-0.925,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2019 12:57:51 -0000 Author: gordon Date: Wed Jul 24 12:57:49 2019 New Revision: 350286 URL: https://svnweb.freebsd.org/changeset/base/350286 Log: Fix file descriptor reference count leak. Approved by: so Security: FreeBSD-SA-19:17.fd Security: CVE-2019-5607 Modified: releng/11.2/sys/kern/uipc_usrreq.c releng/11.3/sys/kern/uipc_usrreq.c releng/12.0/sys/kern/uipc_usrreq.c Modified: releng/11.2/sys/kern/uipc_usrreq.c ============================================================================== --- releng/11.2/sys/kern/uipc_usrreq.c Wed Jul 24 12:56:06 2019 (r350285) +++ releng/11.2/sys/kern/uipc_usrreq.c Wed Jul 24 12:57:49 2019 (r350286) @@ -1896,29 +1896,52 @@ unp_init(void) UNP_DEFERRED_LOCK_INIT(); } +static void +unp_internalize_cleanup_rights(struct mbuf *control) +{ + struct cmsghdr *cp; + struct mbuf *m; + void *data; + socklen_t datalen; + + for (m = control; m != NULL; m = m->m_next) { + cp = mtod(m, struct cmsghdr *); + if (cp->cmsg_level != SOL_SOCKET || + cp->cmsg_type != SCM_RIGHTS) + continue; + data = CMSG_DATA(cp); + datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data; + unp_freerights(data, datalen / sizeof(struct filedesc *)); + } +} + static int unp_internalize(struct mbuf **controlp, struct thread *td) { - struct mbuf *control = *controlp; - struct proc *p = td->td_proc; - struct filedesc *fdesc = p->p_fd; + struct mbuf *control, **initial_controlp; + struct proc *p; + struct filedesc *fdesc; struct bintime *bt; - struct cmsghdr *cm = mtod(control, struct cmsghdr *); + struct cmsghdr *cm; struct cmsgcred *cmcred; struct filedescent *fde, **fdep, *fdev; struct file *fp; struct timeval *tv; - int i, *fdp; void *data; - socklen_t clen = control->m_len, datalen; - int error, oldfds; + socklen_t clen, datalen; + int i, error, *fdp, oldfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + p = td->td_proc; + fdesc = p->p_fd; error = 0; + control = *controlp; + clen = control->m_len; *controlp = NULL; - while (cm != NULL) { + initial_controlp = controlp; + for (cm = mtod(control, struct cmsghdr *); cm != NULL;) { if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { error = EINVAL; @@ -2045,6 +2068,8 @@ unp_internalize(struct mbuf **controlp, struct thread } out: + if (error != 0 && initial_controlp != NULL) + unp_internalize_cleanup_rights(*initial_controlp); m_freem(control); return (error); } Modified: releng/11.3/sys/kern/uipc_usrreq.c ============================================================================== --- releng/11.3/sys/kern/uipc_usrreq.c Wed Jul 24 12:56:06 2019 (r350285) +++ releng/11.3/sys/kern/uipc_usrreq.c Wed Jul 24 12:57:49 2019 (r350286) @@ -1908,30 +1908,53 @@ unp_init(void) UNP_DEFERRED_LOCK_INIT(); } +static void +unp_internalize_cleanup_rights(struct mbuf *control) +{ + struct cmsghdr *cp; + struct mbuf *m; + void *data; + socklen_t datalen; + + for (m = control; m != NULL; m = m->m_next) { + cp = mtod(m, struct cmsghdr *); + if (cp->cmsg_level != SOL_SOCKET || + cp->cmsg_type != SCM_RIGHTS) + continue; + data = CMSG_DATA(cp); + datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data; + unp_freerights(data, datalen / sizeof(struct filedesc *)); + } +} + static int unp_internalize(struct mbuf **controlp, struct thread *td) { - struct mbuf *control = *controlp; - struct proc *p = td->td_proc; - struct filedesc *fdesc = p->p_fd; + struct mbuf *control, **initial_controlp; + struct proc *p; + struct filedesc *fdesc; struct bintime *bt; - struct cmsghdr *cm = mtod(control, struct cmsghdr *); + struct cmsghdr *cm; struct cmsgcred *cmcred; struct filedescent *fde, **fdep, *fdev; struct file *fp; struct timeval *tv; struct timespec *ts; - int i, *fdp; void *data; - socklen_t clen = control->m_len, datalen; - int error, oldfds; + socklen_t clen, datalen; + int i, error, *fdp, oldfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + p = td->td_proc; + fdesc = p->p_fd; error = 0; + control = *controlp; + clen = control->m_len; *controlp = NULL; - while (cm != NULL) { + initial_controlp = controlp; + for (cm = mtod(control, struct cmsghdr *); cm != NULL;) { if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { error = EINVAL; @@ -2082,6 +2105,8 @@ unp_internalize(struct mbuf **controlp, struct thread } out: + if (error != 0 && initial_controlp != NULL) + unp_internalize_cleanup_rights(*initial_controlp); m_freem(control); return (error); } Modified: releng/12.0/sys/kern/uipc_usrreq.c ============================================================================== --- releng/12.0/sys/kern/uipc_usrreq.c Wed Jul 24 12:56:06 2019 (r350285) +++ releng/12.0/sys/kern/uipc_usrreq.c Wed Jul 24 12:57:49 2019 (r350286) @@ -2123,30 +2123,53 @@ unp_init(void) UNP_DEFERRED_LOCK_INIT(); } +static void +unp_internalize_cleanup_rights(struct mbuf *control) +{ + struct cmsghdr *cp; + struct mbuf *m; + void *data; + socklen_t datalen; + + for (m = control; m != NULL; m = m->m_next) { + cp = mtod(m, struct cmsghdr *); + if (cp->cmsg_level != SOL_SOCKET || + cp->cmsg_type != SCM_RIGHTS) + continue; + data = CMSG_DATA(cp); + datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data; + unp_freerights(data, datalen / sizeof(struct filedesc *)); + } +} + static int unp_internalize(struct mbuf **controlp, struct thread *td) { - struct mbuf *control = *controlp; - struct proc *p = td->td_proc; - struct filedesc *fdesc = p->p_fd; + struct mbuf *control, **initial_controlp; + struct proc *p; + struct filedesc *fdesc; struct bintime *bt; - struct cmsghdr *cm = mtod(control, struct cmsghdr *); + struct cmsghdr *cm; struct cmsgcred *cmcred; struct filedescent *fde, **fdep, *fdev; struct file *fp; struct timeval *tv; struct timespec *ts; - int i, *fdp; void *data; - socklen_t clen = control->m_len, datalen; - int error, oldfds; + socklen_t clen, datalen; + int i, error, *fdp, oldfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + p = td->td_proc; + fdesc = p->p_fd; error = 0; + control = *controlp; + clen = control->m_len; *controlp = NULL; - while (cm != NULL) { + initial_controlp = controlp; + for (cm = mtod(control, struct cmsghdr *); cm != NULL;) { if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { error = EINVAL; @@ -2297,6 +2320,8 @@ unp_internalize(struct mbuf **controlp, struct thread } out: + if (error != 0 && initial_controlp != NULL) + unp_internalize_cleanup_rights(*initial_controlp); m_freem(control); return (error); } From owner-svn-src-releng@freebsd.org Wed Jul 24 12:58:23 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id F2E53A78BE; Wed, 24 Jul 2019 12:58:23 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D5D718171E; Wed, 24 Jul 2019 12:58:23 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id ACD6DE9EA; Wed, 24 Jul 2019 12:58:23 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6OCwNXA076770; Wed, 24 Jul 2019 12:58:23 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6OCwM8G076764; Wed, 24 Jul 2019 12:58:22 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201907241258.x6OCwM8G076764@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 24 Jul 2019 12:58:22 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r350287 - in releng: 11.2 11.2/sys/conf 11.3 11.3/sys/conf 12.0 12.0/sys/conf X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2 11.2/sys/conf 11.3 11.3/sys/conf 12.0 12.0/sys/conf X-SVN-Commit-Revision: 350287 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: D5D718171E X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.92 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.93)[-0.925,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jul 2019 12:58:24 -0000 Author: gordon Date: Wed Jul 24 12:58:21 2019 New Revision: 350287 URL: https://svnweb.freebsd.org/changeset/base/350287 Log: Bump version information and update UPDATING. Approved by: so Modified: releng/11.2/UPDATING releng/11.2/sys/conf/newvers.sh releng/11.3/UPDATING releng/11.3/sys/conf/newvers.sh releng/12.0/UPDATING releng/12.0/sys/conf/newvers.sh Modified: releng/11.2/UPDATING ============================================================================== --- releng/11.2/UPDATING Wed Jul 24 12:57:49 2019 (r350286) +++ releng/11.2/UPDATING Wed Jul 24 12:58:21 2019 (r350287) @@ -16,6 +16,28 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190724 p12 FreeBSD-EN-19:13.mds + FreeBSD-SA-19:12.telnet + FreeBSD-SA-19:13.pts + FreeBSD-SA-19:14.freebsd32 + FreeBSD-SA-19:15.mqueuefs + FreeBSD-SA-19:16.bhyve + FreeBSD-SA-19:17.fd + + Fix panic from Intel CPU vulnerability mitigation. [EN-19:13.mds] + + Fix multiple telnet client vulnerabilities. [SA-19:12.telnet] + + Fix pts write-after-free. [SA-19:13.pts] + + Fix kernel memory disclosure in freebsd32_ioctl. [SA-19:14.freebsd32] + + Fix reference count overflow in mqueuefs. [SA-19:15.mqueuefs] + + Fix byhve out-of-bounds read in XHCI device. [SA-19:16.bhyve] + + Fix file descriptor reference count leak. [SA-19:17.fd] + 20190702 p11 FreeBSD-EN-19:12.tzdata FreeBSD-SA-19:09.iconv FreeBSD-SA-19:10.ufs Modified: releng/11.2/sys/conf/newvers.sh ============================================================================== --- releng/11.2/sys/conf/newvers.sh Wed Jul 24 12:57:49 2019 (r350286) +++ releng/11.2/sys/conf/newvers.sh Wed Jul 24 12:58:21 2019 (r350287) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.2" -BRANCH="RELEASE-p11" +BRANCH="RELEASE-p12" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.3/UPDATING ============================================================================== --- releng/11.3/UPDATING Wed Jul 24 12:57:49 2019 (r350286) +++ releng/11.3/UPDATING Wed Jul 24 12:58:21 2019 (r350287) @@ -16,10 +16,32 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190724 p1 FreeBSD-EN-19:13.mds + FreeBSD-SA-19:12.telnet + FreeBSD-SA-19:13.pts + FreeBSD-SA-19:14.freebsd32 + FreeBSD-SA-19:15.mqueuefs + FreeBSD-SA-19:16.bhyve + FreeBSD-SA-19:17.fd + + Fix panic from Intel CPU vulnerability mitigation. [EN-19:13.mds] + + Fix multiple telnet client vulnerabilities. [SA-19:12.telnet] + + Fix pts write-after-free. [SA-19:13.pts] + + Fix kernel memory disclosure in freebsd32_ioctl. [SA-19:14.freebsd32] + + Fix reference count overflow in mqueuefs. [SA-19:15.mqueuefs] + + Fix byhve out-of-bounds read in XHCI device. [SA-19:16.bhyve] + + Fix file descriptor reference count leak. [SA-19:17.fd] + 20190709: 11.3-RELEASE. -20190702 p1 FreeBSD-EN-19:12.tzdata +20190702 FreeBSD-EN-19:12.tzdata FreeBSD-SA-19:09.iconv FreeBSD-SA-19:11.cd_ioctl Modified: releng/11.3/sys/conf/newvers.sh ============================================================================== --- releng/11.3/sys/conf/newvers.sh Wed Jul 24 12:57:49 2019 (r350286) +++ releng/11.3/sys/conf/newvers.sh Wed Jul 24 12:58:21 2019 (r350287) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.3" -BRANCH="RELEASE" +BRANCH="RELEASE-p1" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/12.0/UPDATING ============================================================================== --- releng/12.0/UPDATING Wed Jul 24 12:57:49 2019 (r350286) +++ releng/12.0/UPDATING Wed Jul 24 12:58:21 2019 (r350287) @@ -16,6 +16,25 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190724 p8 FreeBSD-EN-19:13.mds + FreeBSD-SA-19:12.telnet + FreeBSD-SA-19:13.pts + FreeBSD-SA-19:15.mqueuefs + FreeBSD-SA-19:16.bhyve + FreeBSD-SA-19:17.fd + + Fix panic from Intel CPU vulnerability mitigation. [EN-19:13.mds] + + Fix multiple telnet client vulnerabilities. [SA-19:12.telnet] + + Fix pts write-after-free. [SA-19:13.pts] + + Fix reference count overflow in mqueuefs. [SA-19:15.mqueuefs] + + Fix byhve out-of-bounds read in XHCI device. [SA-19:16.bhyve] + + Fix file descriptor reference count leak. [SA-19:17.fd] + 20190702 p7 FreeBSD-EN-19:12.tzdata FreeBSD-SA-19:09.iconv FreeBSD-SA-19:10.ufs Modified: releng/12.0/sys/conf/newvers.sh ============================================================================== --- releng/12.0/sys/conf/newvers.sh Wed Jul 24 12:57:49 2019 (r350286) +++ releng/12.0/sys/conf/newvers.sh Wed Jul 24 12:58:21 2019 (r350287) @@ -46,7 +46,7 @@ TYPE="FreeBSD" REVISION="12.0" -BRANCH="RELEASE-p7" +BRANCH="RELEASE-p8" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi