From owner-svn-src-releng@freebsd.org Tue Aug 20 17:45:45 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4D937D6DB6; Tue, 20 Aug 2019 17:45:45 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46CdVx17ktz4bKZ; Tue, 20 Aug 2019 17:45:45 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 087FD6D85; Tue, 20 Aug 2019 17:45:45 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7KHjiHD060708; Tue, 20 Aug 2019 17:45:44 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7KHjiDT060705; Tue, 20 Aug 2019 17:45:44 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908201745.x7KHjiDT060705@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 20 Aug 2019 17:45:44 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r351256 - in releng: 11.3/sys/amd64/vmm 12.0/sys/amd64/vmm X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.3/sys/amd64/vmm 12.0/sys/amd64/vmm X-SVN-Commit-Revision: 351256 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2019 17:45:45 -0000 Author: gordon Date: Tue Aug 20 17:45:44 2019 New Revision: 351256 URL: https://svnweb.freebsd.org/changeset/base/351256 Log: Add bhyve instruction emulation improvements (opcode 03H and F7H). Approved by: so Security: FreeBSD-EN-19:16.bhyve Modified: releng/11.3/sys/amd64/vmm/vmm_instruction_emul.c releng/12.0/sys/amd64/vmm/vmm_instruction_emul.c Modified: releng/11.3/sys/amd64/vmm/vmm_instruction_emul.c ============================================================================== --- releng/11.3/sys/amd64/vmm/vmm_instruction_emul.c Tue Aug 20 17:45:22 2019 (r351255) +++ releng/11.3/sys/amd64/vmm/vmm_instruction_emul.c Tue Aug 20 17:45:44 2019 (r351256) @@ -75,6 +75,8 @@ enum { VIE_OP_TYPE_STOS, VIE_OP_TYPE_BITTEST, VIE_OP_TYPE_TWOB_GRP15, + VIE_OP_TYPE_ADD, + VIE_OP_TYPE_TEST, VIE_OP_TYPE_LAST }; @@ -110,6 +112,10 @@ static const struct vie_op two_byte_opcodes[256] = { }; static const struct vie_op one_byte_opcodes[256] = { + [0x03] = { + .op_byte = 0x03, + .op_type = VIE_OP_TYPE_ADD, + }, [0x0F] = { .op_byte = 0x0F, .op_type = VIE_OP_TYPE_TWO_BYTE @@ -214,6 +220,12 @@ static const struct vie_op one_byte_opcodes[256] = { .op_byte = 0x8F, .op_type = VIE_OP_TYPE_POP, }, + [0xF7] = { + /* XXX Group 3 extended opcode - not just TEST */ + .op_byte = 0xF7, + .op_type = VIE_OP_TYPE_TEST, + .op_flags = VIE_OP_F_IMM, + }, [0xFF] = { /* XXX Group 5 extended opcode - not just PUSH */ .op_byte = 0xFF, @@ -408,6 +420,76 @@ getcc(int opsize, uint64_t x, uint64_t y) return (getcc64(x, y)); } +/* + * Macro creation of functions getaddflags{8,16,32,64} + */ +#define GETADDFLAGS(sz) \ +static u_long \ +getaddflags##sz(uint##sz##_t x, uint##sz##_t y) \ +{ \ + u_long rflags; \ + \ + __asm __volatile("add %2,%1; pushfq; popq %0" : \ + "=r" (rflags), "+r" (x) : "m" (y)); \ + return (rflags); \ +} struct __hack + +GETADDFLAGS(8); +GETADDFLAGS(16); +GETADDFLAGS(32); +GETADDFLAGS(64); + +static u_long +getaddflags(int opsize, uint64_t x, uint64_t y) +{ + KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8, + ("getaddflags: invalid operand size %d", opsize)); + + if (opsize == 1) + return (getaddflags8(x, y)); + else if (opsize == 2) + return (getaddflags16(x, y)); + else if (opsize == 4) + return (getaddflags32(x, y)); + else + return (getaddflags64(x, y)); +} + +/* + * Return the status flags that would result from doing (x & y). + */ +#define GETANDFLAGS(sz) \ +static u_long \ +getandflags##sz(uint##sz##_t x, uint##sz##_t y) \ +{ \ + u_long rflags; \ + \ + __asm __volatile("and %2,%1; pushfq; popq %0" : \ + "=r" (rflags), "+r" (x) : "m" (y)); \ + return (rflags); \ +} struct __hack + +GETANDFLAGS(8); +GETANDFLAGS(16); +GETANDFLAGS(32); +GETANDFLAGS(64); + +static u_long +getandflags(int opsize, uint64_t x, uint64_t y) +{ + KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8, + ("getandflags: invalid operand size %d", opsize)); + + if (opsize == 1) + return (getandflags8(x, y)); + else if (opsize == 2) + return (getandflags16(x, y)); + else if (opsize == 4) + return (getandflags32(x, y)); + else + return (getandflags64(x, y)); +} + static int emulate_mov(void *vm, int vcpuid, uint64_t gpa, struct vie *vie, mem_region_read_t memread, mem_region_write_t memwrite, void *arg) @@ -1177,6 +1259,111 @@ emulate_cmp(void *vm, int vcpuid, uint64_t gpa, struct } static int +emulate_test(void *vm, int vcpuid, uint64_t gpa, struct vie *vie, + mem_region_read_t memread, mem_region_write_t memwrite, void *arg) +{ + int error, size; + uint64_t op1, rflags, rflags2; + + size = vie->opsize; + error = EINVAL; + + switch (vie->op.op_byte) { + case 0xF7: + /* + * F7 /0 test r/m16, imm16 + * F7 /0 test r/m32, imm32 + * REX.W + F7 /0 test r/m64, imm32 sign-extended to 64 + * + * Test mem (ModRM:r/m) with immediate and set status + * flags according to the results. The comparison is + * performed by anding the immediate from the first + * operand and then setting the status flags. + */ + if ((vie->reg & 7) != 0) + return (EINVAL); + + error = memread(vm, vcpuid, gpa, &op1, size, arg); + if (error) + return (error); + + rflags2 = getandflags(size, op1, vie->immediate); + break; + default: + return (EINVAL); + } + error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags); + if (error) + return (error); + + /* + * OF and CF are cleared; the SF, ZF and PF flags are set according + * to the result; AF is undefined. + */ + rflags &= ~RFLAGS_STATUS_BITS; + rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N); + + error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8); + return (error); +} + +static int +emulate_add(void *vm, int vcpuid, uint64_t gpa, struct vie *vie, + mem_region_read_t memread, mem_region_write_t memwrite, void *arg) +{ + int error, size; + uint64_t nval, rflags, rflags2, val1, val2; + enum vm_reg_name reg; + + size = vie->opsize; + error = EINVAL; + + switch (vie->op.op_byte) { + case 0x03: + /* + * ADD r/m to r and store the result in r + * + * 03/r ADD r16, r/m16 + * 03/r ADD r32, r/m32 + * REX.W + 03/r ADD r64, r/m64 + */ + + /* get the first operand */ + reg = gpr_map[vie->reg]; + error = vie_read_register(vm, vcpuid, reg, &val1); + if (error) + break; + + /* get the second operand */ + error = memread(vm, vcpuid, gpa, &val2, size, arg); + if (error) + break; + + /* perform the operation and write the result */ + nval = val1 + val2; + error = vie_update_register(vm, vcpuid, reg, nval, size); + break; + default: + break; + } + + if (!error) { + rflags2 = getaddflags(size, val1, val2); + error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, + &rflags); + if (error) + return (error); + + rflags &= ~RFLAGS_STATUS_BITS; + rflags |= rflags2 & RFLAGS_STATUS_BITS; + error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, + rflags, 8); + } + + return (error); +} + +static int emulate_sub(void *vm, int vcpuid, uint64_t gpa, struct vie *vie, mem_region_read_t memread, mem_region_write_t memwrite, void *arg) { @@ -1539,6 +1726,14 @@ vmm_emulate_instruction(void *vm, int vcpuid, uint64_t break; case VIE_OP_TYPE_TWOB_GRP15: error = emulate_twob_group15(vm, vcpuid, gpa, vie, + memread, memwrite, memarg); + break; + case VIE_OP_TYPE_ADD: + error = emulate_add(vm, vcpuid, gpa, vie, memread, + memwrite, memarg); + break; + case VIE_OP_TYPE_TEST: + error = emulate_test(vm, vcpuid, gpa, vie, memread, memwrite, memarg); break; default: Modified: releng/12.0/sys/amd64/vmm/vmm_instruction_emul.c ============================================================================== --- releng/12.0/sys/amd64/vmm/vmm_instruction_emul.c Tue Aug 20 17:45:22 2019 (r351255) +++ releng/12.0/sys/amd64/vmm/vmm_instruction_emul.c Tue Aug 20 17:45:44 2019 (r351256) @@ -77,6 +77,8 @@ enum { VIE_OP_TYPE_STOS, VIE_OP_TYPE_BITTEST, VIE_OP_TYPE_TWOB_GRP15, + VIE_OP_TYPE_ADD, + VIE_OP_TYPE_TEST, VIE_OP_TYPE_LAST }; @@ -112,6 +114,10 @@ static const struct vie_op two_byte_opcodes[256] = { }; static const struct vie_op one_byte_opcodes[256] = { + [0x03] = { + .op_byte = 0x03, + .op_type = VIE_OP_TYPE_ADD, + }, [0x0F] = { .op_byte = 0x0F, .op_type = VIE_OP_TYPE_TWO_BYTE @@ -216,6 +222,12 @@ static const struct vie_op one_byte_opcodes[256] = { .op_byte = 0x8F, .op_type = VIE_OP_TYPE_POP, }, + [0xF7] = { + /* XXX Group 3 extended opcode - not just TEST */ + .op_byte = 0xF7, + .op_type = VIE_OP_TYPE_TEST, + .op_flags = VIE_OP_F_IMM, + }, [0xFF] = { /* XXX Group 5 extended opcode - not just PUSH */ .op_byte = 0xFF, @@ -410,6 +422,76 @@ getcc(int opsize, uint64_t x, uint64_t y) return (getcc64(x, y)); } +/* + * Macro creation of functions getaddflags{8,16,32,64} + */ +#define GETADDFLAGS(sz) \ +static u_long \ +getaddflags##sz(uint##sz##_t x, uint##sz##_t y) \ +{ \ + u_long rflags; \ + \ + __asm __volatile("add %2,%1; pushfq; popq %0" : \ + "=r" (rflags), "+r" (x) : "m" (y)); \ + return (rflags); \ +} struct __hack + +GETADDFLAGS(8); +GETADDFLAGS(16); +GETADDFLAGS(32); +GETADDFLAGS(64); + +static u_long +getaddflags(int opsize, uint64_t x, uint64_t y) +{ + KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8, + ("getaddflags: invalid operand size %d", opsize)); + + if (opsize == 1) + return (getaddflags8(x, y)); + else if (opsize == 2) + return (getaddflags16(x, y)); + else if (opsize == 4) + return (getaddflags32(x, y)); + else + return (getaddflags64(x, y)); +} + +/* + * Return the status flags that would result from doing (x & y). + */ +#define GETANDFLAGS(sz) \ +static u_long \ +getandflags##sz(uint##sz##_t x, uint##sz##_t y) \ +{ \ + u_long rflags; \ + \ + __asm __volatile("and %2,%1; pushfq; popq %0" : \ + "=r" (rflags), "+r" (x) : "m" (y)); \ + return (rflags); \ +} struct __hack + +GETANDFLAGS(8); +GETANDFLAGS(16); +GETANDFLAGS(32); +GETANDFLAGS(64); + +static u_long +getandflags(int opsize, uint64_t x, uint64_t y) +{ + KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8, + ("getandflags: invalid operand size %d", opsize)); + + if (opsize == 1) + return (getandflags8(x, y)); + else if (opsize == 2) + return (getandflags16(x, y)); + else if (opsize == 4) + return (getandflags32(x, y)); + else + return (getandflags64(x, y)); +} + static int emulate_mov(void *vm, int vcpuid, uint64_t gpa, struct vie *vie, mem_region_read_t memread, mem_region_write_t memwrite, void *arg) @@ -1179,6 +1261,111 @@ emulate_cmp(void *vm, int vcpuid, uint64_t gpa, struct } static int +emulate_test(void *vm, int vcpuid, uint64_t gpa, struct vie *vie, + mem_region_read_t memread, mem_region_write_t memwrite, void *arg) +{ + int error, size; + uint64_t op1, rflags, rflags2; + + size = vie->opsize; + error = EINVAL; + + switch (vie->op.op_byte) { + case 0xF7: + /* + * F7 /0 test r/m16, imm16 + * F7 /0 test r/m32, imm32 + * REX.W + F7 /0 test r/m64, imm32 sign-extended to 64 + * + * Test mem (ModRM:r/m) with immediate and set status + * flags according to the results. The comparison is + * performed by anding the immediate from the first + * operand and then setting the status flags. + */ + if ((vie->reg & 7) != 0) + return (EINVAL); + + error = memread(vm, vcpuid, gpa, &op1, size, arg); + if (error) + return (error); + + rflags2 = getandflags(size, op1, vie->immediate); + break; + default: + return (EINVAL); + } + error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags); + if (error) + return (error); + + /* + * OF and CF are cleared; the SF, ZF and PF flags are set according + * to the result; AF is undefined. + */ + rflags &= ~RFLAGS_STATUS_BITS; + rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N); + + error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8); + return (error); +} + +static int +emulate_add(void *vm, int vcpuid, uint64_t gpa, struct vie *vie, + mem_region_read_t memread, mem_region_write_t memwrite, void *arg) +{ + int error, size; + uint64_t nval, rflags, rflags2, val1, val2; + enum vm_reg_name reg; + + size = vie->opsize; + error = EINVAL; + + switch (vie->op.op_byte) { + case 0x03: + /* + * ADD r/m to r and store the result in r + * + * 03/r ADD r16, r/m16 + * 03/r ADD r32, r/m32 + * REX.W + 03/r ADD r64, r/m64 + */ + + /* get the first operand */ + reg = gpr_map[vie->reg]; + error = vie_read_register(vm, vcpuid, reg, &val1); + if (error) + break; + + /* get the second operand */ + error = memread(vm, vcpuid, gpa, &val2, size, arg); + if (error) + break; + + /* perform the operation and write the result */ + nval = val1 + val2; + error = vie_update_register(vm, vcpuid, reg, nval, size); + break; + default: + break; + } + + if (!error) { + rflags2 = getaddflags(size, val1, val2); + error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, + &rflags); + if (error) + return (error); + + rflags &= ~RFLAGS_STATUS_BITS; + rflags |= rflags2 & RFLAGS_STATUS_BITS; + error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, + rflags, 8); + } + + return (error); +} + +static int emulate_sub(void *vm, int vcpuid, uint64_t gpa, struct vie *vie, mem_region_read_t memread, mem_region_write_t memwrite, void *arg) { @@ -1541,6 +1728,14 @@ vmm_emulate_instruction(void *vm, int vcpuid, uint64_t break; case VIE_OP_TYPE_TWOB_GRP15: error = emulate_twob_group15(vm, vcpuid, gpa, vie, + memread, memwrite, memarg); + break; + case VIE_OP_TYPE_ADD: + error = emulate_add(vm, vcpuid, gpa, vie, memread, + memwrite, memarg); + break; + case VIE_OP_TYPE_TEST: + error = emulate_test(vm, vcpuid, gpa, vie, memread, memwrite, memarg); break; default: From owner-svn-src-releng@freebsd.org Tue Aug 20 17:46:41 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 784E5D6E81; Tue, 20 Aug 2019 17:46:41 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46CdX12dP8z4bYs; Tue, 20 Aug 2019 17:46:41 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3C0496D87; Tue, 20 Aug 2019 17:46:41 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7KHkffE060848; Tue, 20 Aug 2019 17:46:41 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7KHkf4r060847; Tue, 20 Aug 2019 17:46:41 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908201746.x7KHkf4r060847@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 20 Aug 2019 17:46:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r351258 - releng/11.3/sbin/ipfw X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/11.3/sbin/ipfw X-SVN-Commit-Revision: 351258 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2019 17:46:41 -0000 Author: gordon Date: Tue Aug 20 17:46:40 2019 New Revision: 351258 URL: https://svnweb.freebsd.org/changeset/base/351258 Log: Fix ipfw(8) jail keyword prior to jail startup. Approved by: so Security: FreeBSD-EN-19:17.ipfw Modified: releng/11.3/sbin/ipfw/ipfw2.c Modified: releng/11.3/sbin/ipfw/ipfw2.c ============================================================================== --- releng/11.3/sbin/ipfw/ipfw2.c Tue Aug 20 17:46:22 2019 (r351257) +++ releng/11.3/sbin/ipfw/ipfw2.c Tue Aug 20 17:46:40 2019 (r351258) @@ -4662,12 +4662,27 @@ read_options: case TOK_JAIL: NEED1("jail requires argument"); { + char *end; int jid; cmd->opcode = O_JAIL; - jid = jail_getid(*av); - if (jid < 0) - errx(EX_DATAERR, "%s", jail_errmsg); + /* + * If av is a number, then we'll just pass it as-is. If + * it's a name, try to resolve that to a jid. + * + * We save the jail_getid(3) call for a fallback because + * it entails an unconditional trip to the kernel to + * either validate a jid or resolve a name to a jid. + * This specific token doesn't currently require a + * jid to be an active jail, so we save a transition + * by simply using a number that we're given. + */ + jid = strtoul(*av, &end, 10); + if (*end != '\0') { + jid = jail_getid(*av); + if (jid < 0) + errx(EX_DATAERR, "%s", jail_errmsg); + } cmd32->d[0] = (uint32_t)jid; cmd->len |= F_INSN_SIZE(ipfw_insn_u32); av++; From owner-svn-src-releng@freebsd.org Tue Aug 20 17:49:34 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 81714D7000; Tue, 20 Aug 2019 17:49:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46CdbL2qllz4brH; Tue, 20 Aug 2019 17:49:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 42D2B6D94; Tue, 20 Aug 2019 17:49:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7KHnYux061210; Tue, 20 Aug 2019 17:49:34 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7KHnXdU061205; Tue, 20 Aug 2019 17:49:33 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908201749.x7KHnXdU061205@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 20 Aug 2019 17:49:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r351259 - in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Commit-Revision: 351259 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2019 17:49:34 -0000 Author: gordon Date: Tue Aug 20 17:49:33 2019 New Revision: 351259 URL: https://svnweb.freebsd.org/changeset/base/351259 Log: Fix IPv6 remote denial of service. Approved by: so Security: FreeBSD-SA-19:22.mbuf Security: CVE-2019-5611 Modified: releng/11.2/sys/kern/uipc_mbuf2.c releng/11.3/sys/kern/uipc_mbuf2.c releng/12.0/sys/kern/uipc_mbuf2.c Modified: releng/11.2/sys/kern/uipc_mbuf2.c ============================================================================== --- releng/11.2/sys/kern/uipc_mbuf2.c Tue Aug 20 17:46:40 2019 (r351258) +++ releng/11.2/sys/kern/uipc_mbuf2.c Tue Aug 20 17:49:33 2019 (r351259) @@ -214,7 +214,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp goto ok; } if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen - && writable) { + && writable && n->m_next->m_len >= tlen) { n->m_next->m_data -= hlen; n->m_next->m_len += hlen; bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen); Modified: releng/11.3/sys/kern/uipc_mbuf2.c ============================================================================== --- releng/11.3/sys/kern/uipc_mbuf2.c Tue Aug 20 17:46:40 2019 (r351258) +++ releng/11.3/sys/kern/uipc_mbuf2.c Tue Aug 20 17:49:33 2019 (r351259) @@ -214,7 +214,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp goto ok; } if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen - && writable) { + && writable && n->m_next->m_len >= tlen) { n->m_next->m_data -= hlen; n->m_next->m_len += hlen; bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen); Modified: releng/12.0/sys/kern/uipc_mbuf2.c ============================================================================== --- releng/12.0/sys/kern/uipc_mbuf2.c Tue Aug 20 17:46:40 2019 (r351258) +++ releng/12.0/sys/kern/uipc_mbuf2.c Tue Aug 20 17:49:33 2019 (r351259) @@ -216,7 +216,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp goto ok; } if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen - && writable) { + && writable && n->m_next->m_len >= tlen) { n->m_next->m_data -= hlen; n->m_next->m_len += hlen; bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen); From owner-svn-src-releng@freebsd.org Tue Aug 20 17:50:34 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id BC811D707E; Tue, 20 Aug 2019 17:50:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46CdcV5KWgz4byW; Tue, 20 Aug 2019 17:50:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 99A6F6D9B; Tue, 20 Aug 2019 17:50:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7KHoYDS061347; Tue, 20 Aug 2019 17:50:34 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7KHoY8U061344; Tue, 20 Aug 2019 17:50:34 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908201750.x7KHoY8U061344@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 20 Aug 2019 17:50:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r351260 - in releng: 11.2/sys/dev/sound/midi 11.3/sys/dev/sound/midi 12.0/sys/dev/sound/midi X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/dev/sound/midi 11.3/sys/dev/sound/midi 12.0/sys/dev/sound/midi X-SVN-Commit-Revision: 351260 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2019 17:50:34 -0000 Author: gordon Date: Tue Aug 20 17:50:33 2019 New Revision: 351260 URL: https://svnweb.freebsd.org/changeset/base/351260 Log: Fix kernel memory disclosure from /dev/midistat. Approved by: so Security: FreeBSD-SA-19:23.midi Security: CVE-2019-5612 Modified: releng/11.2/sys/dev/sound/midi/midi.c releng/11.3/sys/dev/sound/midi/midi.c releng/12.0/sys/dev/sound/midi/midi.c Modified: releng/11.2/sys/dev/sound/midi/midi.c ============================================================================== --- releng/11.2/sys/dev/sound/midi/midi.c Tue Aug 20 17:49:33 2019 (r351259) +++ releng/11.2/sys/dev/sound/midi/midi.c Tue Aug 20 17:50:33 2019 (r351260) @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include #include @@ -47,10 +48,8 @@ __FBSDID("$FreeBSD$"); #include #include #include -#include #include -#include -#include +#include #include #include #include @@ -185,10 +184,9 @@ TAILQ_HEAD(, snd_midi) midi_devs; * /dev/midistat variables and declarations, protected by midistat_lock */ -static struct mtx midistat_lock; +static struct sx midistat_lock; static int midistat_isopen = 0; static struct sbuf midistat_sbuf; -static int midistat_bufptr; static struct cdev *midistat_dev; /* @@ -287,7 +285,7 @@ midi_init(kobj_class_t cls, int unit, int channel, voi MIDI_TYPE *buf; MIDI_DEBUG(1, printf("midiinit: unit %d/%d.\n", unit, channel)); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); /* * Protect against call with existing unit/channel or auto-allocate a * new unit number. @@ -314,13 +312,8 @@ midi_init(kobj_class_t cls, int unit, int channel, voi unit = i + 1; MIDI_DEBUG(1, printf("midiinit #2: unit %d/%d.\n", unit, channel)); - m = malloc(sizeof(*m), M_MIDI, M_NOWAIT | M_ZERO); - if (m == NULL) - goto err0; - - m->synth = malloc(sizeof(*m->synth), M_MIDI, M_NOWAIT | M_ZERO); - if (m->synth == NULL) - goto err1; + m = malloc(sizeof(*m), M_MIDI, M_WAITOK | M_ZERO); + m->synth = malloc(sizeof(*m->synth), M_MIDI, M_WAITOK | M_ZERO); kobj_init((kobj_t)m->synth, &midisynth_class); m->synth->m = m; kobj_init((kobj_t)m, cls); @@ -329,7 +322,7 @@ midi_init(kobj_class_t cls, int unit, int channel, voi MIDI_DEBUG(1, printf("midiinit queues %d/%d.\n", inqsize, outqsize)); if (!inqsize && !outqsize) - goto err2; + goto err1; mtx_init(&m->lock, "raw midi", NULL, 0); mtx_init(&m->qlock, "q raw midi", NULL, 0); @@ -354,9 +347,8 @@ midi_init(kobj_class_t cls, int unit, int channel, voi if ((inqsize && !MIDIQ_BUF(m->inq)) || (outqsize && !MIDIQ_BUF(m->outq))) - goto err3; + goto err2; - m->busy = 0; m->flags = 0; m->unit = unit; @@ -364,14 +356,14 @@ midi_init(kobj_class_t cls, int unit, int channel, voi m->cookie = cookie; if (MPU_INIT(m, cookie)) - goto err3; + goto err2; mtx_unlock(&m->lock); mtx_unlock(&m->qlock); TAILQ_INSERT_TAIL(&midi_devs, m, link); - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); m->dev = make_dev(&midi_cdevsw, MIDIMKMINOR(unit, MIDI_DEV_RAW, channel), @@ -380,16 +372,19 @@ midi_init(kobj_class_t cls, int unit, int channel, voi return m; -err3: mtx_destroy(&m->qlock); +err2: + mtx_destroy(&m->qlock); mtx_destroy(&m->lock); if (MIDIQ_BUF(m->inq)) free(MIDIQ_BUF(m->inq), M_MIDI); if (MIDIQ_BUF(m->outq)) free(MIDIQ_BUF(m->outq), M_MIDI); -err2: free(m->synth, M_MIDI); -err1: free(m, M_MIDI); -err0: mtx_unlock(&midistat_lock); +err1: + free(m->synth, M_MIDI); + free(m, M_MIDI); +err0: + sx_xunlock(&midistat_lock); MIDI_DEBUG(1, printf("midi_init ended in error\n")); return NULL; } @@ -407,7 +402,7 @@ midi_uninit(struct snd_midi *m) int err; err = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); mtx_lock(&m->lock); if (m->busy) { if (!(m->rchan || m->wchan)) @@ -426,8 +421,10 @@ midi_uninit(struct snd_midi *m) if (!err) goto exit; -err: mtx_unlock(&m->lock); -exit: mtx_unlock(&midistat_lock); +err: + mtx_unlock(&m->lock); +exit: + sx_xunlock(&midistat_lock); return err; } @@ -939,27 +936,22 @@ midistat_open(struct cdev *i_dev, int flags, int mode, int error; MIDI_DEBUG(1, printf("midistat_open\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBUSY; } midistat_isopen = 1; - mtx_unlock(&midistat_lock); - if (sbuf_new(&midistat_sbuf, NULL, 4096, SBUF_AUTOEXTEND) == NULL) { error = ENXIO; - mtx_lock(&midistat_lock); goto out; } - mtx_lock(&midistat_lock); - midistat_bufptr = 0; error = (midistat_prepare(&midistat_sbuf) > 0) ? 0 : ENOMEM; - -out: if (error) +out: + if (error) midistat_isopen = 0; - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return error; } @@ -967,40 +959,40 @@ static int midistat_close(struct cdev *i_dev, int flags, int mode, struct thread *td) { MIDI_DEBUG(1, printf("midistat_close\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } sbuf_delete(&midistat_sbuf); midistat_isopen = 0; - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return 0; } static int -midistat_read(struct cdev *i_dev, struct uio *buf, int flag) +midistat_read(struct cdev *i_dev, struct uio *uio, int flag) { - int l, err; + long l; + int err; MIDI_DEBUG(4, printf("midistat_read\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } - l = min(buf->uio_resid, sbuf_len(&midistat_sbuf) - midistat_bufptr); + if (uio->uio_offset < 0 || uio->uio_offset > sbuf_len(&midistat_sbuf)) { + sx_xunlock(&midistat_lock); + return EINVAL; + } err = 0; + l = lmin(uio->uio_resid, sbuf_len(&midistat_sbuf) - uio->uio_offset); if (l > 0) { - mtx_unlock(&midistat_lock); - err = uiomove(sbuf_data(&midistat_sbuf) + midistat_bufptr, l, - buf); - mtx_lock(&midistat_lock); - } else - l = 0; - midistat_bufptr += l; - mtx_unlock(&midistat_lock); + err = uiomove(sbuf_data(&midistat_sbuf) + uio->uio_offset, l, + uio); + } + sx_xunlock(&midistat_lock); return err; } @@ -1013,7 +1005,7 @@ midistat_prepare(struct sbuf *s) { struct snd_midi *m; - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); sbuf_printf(s, "FreeBSD Midi Driver (midi2)\n"); if (TAILQ_EMPTY(&midi_devs)) { @@ -1376,8 +1368,7 @@ midisynth_bender(void *n, uint8_t chn, uint16_t val) static int midi_destroy(struct snd_midi *m, int midiuninit) { - - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); mtx_assert(&m->lock, MA_OWNED); MIDI_DEBUG(3, printf("midi_destroy\n")); @@ -1403,8 +1394,8 @@ midi_destroy(struct snd_midi *m, int midiuninit) static int midi_load(void) { - mtx_init(&midistat_lock, "midistat lock", NULL, 0); - TAILQ_INIT(&midi_devs); /* Initialize the queue. */ + sx_init(&midistat_lock, "midistat lock"); + TAILQ_INIT(&midi_devs); midistat_dev = make_dev(&midistat_cdevsw, MIDIMKMINOR(0, MIDI_DEV_MIDICTL, 0), @@ -1421,7 +1412,7 @@ midi_unload(void) MIDI_DEBUG(1, printf("midi_unload()\n")); retval = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) goto exit0; @@ -1434,20 +1425,19 @@ midi_unload(void) if (retval) goto exit1; } - - mtx_unlock(&midistat_lock); /* XXX */ - + sx_xunlock(&midistat_lock); destroy_dev(midistat_dev); + /* * Made it here then unload is complete */ - mtx_destroy(&midistat_lock); + sx_destroy(&midistat_lock); return 0; exit1: mtx_unlock(&m->lock); exit0: - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); if (retval) MIDI_DEBUG(2, printf("midi_unload: failed\n")); return retval; @@ -1500,13 +1490,11 @@ midimapper_open(void *arg1, void **cookie) int retval = 0; struct snd_midi *m; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return retval; } @@ -1522,17 +1510,15 @@ midimapper_fetch_synth(void *arg, void *cookie, int un struct snd_midi *m; int retval = 0; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { if (unit == retval) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return (kobj_t)m->synth; } retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return NULL; } Modified: releng/11.3/sys/dev/sound/midi/midi.c ============================================================================== --- releng/11.3/sys/dev/sound/midi/midi.c Tue Aug 20 17:49:33 2019 (r351259) +++ releng/11.3/sys/dev/sound/midi/midi.c Tue Aug 20 17:50:33 2019 (r351260) @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include #include @@ -47,10 +48,8 @@ __FBSDID("$FreeBSD$"); #include #include #include -#include #include -#include -#include +#include #include #include #include @@ -185,10 +184,9 @@ TAILQ_HEAD(, snd_midi) midi_devs; * /dev/midistat variables and declarations, protected by midistat_lock */ -static struct mtx midistat_lock; +static struct sx midistat_lock; static int midistat_isopen = 0; static struct sbuf midistat_sbuf; -static int midistat_bufptr; static struct cdev *midistat_dev; /* @@ -287,7 +285,7 @@ midi_init(kobj_class_t cls, int unit, int channel, voi MIDI_TYPE *buf; MIDI_DEBUG(1, printf("midiinit: unit %d/%d.\n", unit, channel)); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); /* * Protect against call with existing unit/channel or auto-allocate a * new unit number. @@ -314,13 +312,8 @@ midi_init(kobj_class_t cls, int unit, int channel, voi unit = i + 1; MIDI_DEBUG(1, printf("midiinit #2: unit %d/%d.\n", unit, channel)); - m = malloc(sizeof(*m), M_MIDI, M_NOWAIT | M_ZERO); - if (m == NULL) - goto err0; - - m->synth = malloc(sizeof(*m->synth), M_MIDI, M_NOWAIT | M_ZERO); - if (m->synth == NULL) - goto err1; + m = malloc(sizeof(*m), M_MIDI, M_WAITOK | M_ZERO); + m->synth = malloc(sizeof(*m->synth), M_MIDI, M_WAITOK | M_ZERO); kobj_init((kobj_t)m->synth, &midisynth_class); m->synth->m = m; kobj_init((kobj_t)m, cls); @@ -329,7 +322,7 @@ midi_init(kobj_class_t cls, int unit, int channel, voi MIDI_DEBUG(1, printf("midiinit queues %d/%d.\n", inqsize, outqsize)); if (!inqsize && !outqsize) - goto err2; + goto err1; mtx_init(&m->lock, "raw midi", NULL, 0); mtx_init(&m->qlock, "q raw midi", NULL, 0); @@ -354,9 +347,8 @@ midi_init(kobj_class_t cls, int unit, int channel, voi if ((inqsize && !MIDIQ_BUF(m->inq)) || (outqsize && !MIDIQ_BUF(m->outq))) - goto err3; + goto err2; - m->busy = 0; m->flags = 0; m->unit = unit; @@ -364,14 +356,14 @@ midi_init(kobj_class_t cls, int unit, int channel, voi m->cookie = cookie; if (MPU_INIT(m, cookie)) - goto err3; + goto err2; mtx_unlock(&m->lock); mtx_unlock(&m->qlock); TAILQ_INSERT_TAIL(&midi_devs, m, link); - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); m->dev = make_dev(&midi_cdevsw, MIDIMKMINOR(unit, MIDI_DEV_RAW, channel), @@ -380,16 +372,19 @@ midi_init(kobj_class_t cls, int unit, int channel, voi return m; -err3: mtx_destroy(&m->qlock); +err2: + mtx_destroy(&m->qlock); mtx_destroy(&m->lock); if (MIDIQ_BUF(m->inq)) free(MIDIQ_BUF(m->inq), M_MIDI); if (MIDIQ_BUF(m->outq)) free(MIDIQ_BUF(m->outq), M_MIDI); -err2: free(m->synth, M_MIDI); -err1: free(m, M_MIDI); -err0: mtx_unlock(&midistat_lock); +err1: + free(m->synth, M_MIDI); + free(m, M_MIDI); +err0: + sx_xunlock(&midistat_lock); MIDI_DEBUG(1, printf("midi_init ended in error\n")); return NULL; } @@ -407,7 +402,7 @@ midi_uninit(struct snd_midi *m) int err; err = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); mtx_lock(&m->lock); if (m->busy) { if (!(m->rchan || m->wchan)) @@ -426,8 +421,10 @@ midi_uninit(struct snd_midi *m) if (!err) goto exit; -err: mtx_unlock(&m->lock); -exit: mtx_unlock(&midistat_lock); +err: + mtx_unlock(&m->lock); +exit: + sx_xunlock(&midistat_lock); return err; } @@ -939,27 +936,22 @@ midistat_open(struct cdev *i_dev, int flags, int mode, int error; MIDI_DEBUG(1, printf("midistat_open\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBUSY; } midistat_isopen = 1; - mtx_unlock(&midistat_lock); - if (sbuf_new(&midistat_sbuf, NULL, 4096, SBUF_AUTOEXTEND) == NULL) { error = ENXIO; - mtx_lock(&midistat_lock); goto out; } - mtx_lock(&midistat_lock); - midistat_bufptr = 0; error = (midistat_prepare(&midistat_sbuf) > 0) ? 0 : ENOMEM; - -out: if (error) +out: + if (error) midistat_isopen = 0; - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return error; } @@ -967,40 +959,40 @@ static int midistat_close(struct cdev *i_dev, int flags, int mode, struct thread *td) { MIDI_DEBUG(1, printf("midistat_close\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } sbuf_delete(&midistat_sbuf); midistat_isopen = 0; - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return 0; } static int -midistat_read(struct cdev *i_dev, struct uio *buf, int flag) +midistat_read(struct cdev *i_dev, struct uio *uio, int flag) { - int l, err; + long l; + int err; MIDI_DEBUG(4, printf("midistat_read\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } - l = min(buf->uio_resid, sbuf_len(&midistat_sbuf) - midistat_bufptr); + if (uio->uio_offset < 0 || uio->uio_offset > sbuf_len(&midistat_sbuf)) { + sx_xunlock(&midistat_lock); + return EINVAL; + } err = 0; + l = lmin(uio->uio_resid, sbuf_len(&midistat_sbuf) - uio->uio_offset); if (l > 0) { - mtx_unlock(&midistat_lock); - err = uiomove(sbuf_data(&midistat_sbuf) + midistat_bufptr, l, - buf); - mtx_lock(&midistat_lock); - } else - l = 0; - midistat_bufptr += l; - mtx_unlock(&midistat_lock); + err = uiomove(sbuf_data(&midistat_sbuf) + uio->uio_offset, l, + uio); + } + sx_xunlock(&midistat_lock); return err; } @@ -1013,7 +1005,7 @@ midistat_prepare(struct sbuf *s) { struct snd_midi *m; - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); sbuf_printf(s, "FreeBSD Midi Driver (midi2)\n"); if (TAILQ_EMPTY(&midi_devs)) { @@ -1376,8 +1368,7 @@ midisynth_bender(void *n, uint8_t chn, uint16_t val) static int midi_destroy(struct snd_midi *m, int midiuninit) { - - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); mtx_assert(&m->lock, MA_OWNED); MIDI_DEBUG(3, printf("midi_destroy\n")); @@ -1403,8 +1394,8 @@ midi_destroy(struct snd_midi *m, int midiuninit) static int midi_load(void) { - mtx_init(&midistat_lock, "midistat lock", NULL, 0); - TAILQ_INIT(&midi_devs); /* Initialize the queue. */ + sx_init(&midistat_lock, "midistat lock"); + TAILQ_INIT(&midi_devs); midistat_dev = make_dev(&midistat_cdevsw, MIDIMKMINOR(0, MIDI_DEV_MIDICTL, 0), @@ -1421,7 +1412,7 @@ midi_unload(void) MIDI_DEBUG(1, printf("midi_unload()\n")); retval = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) goto exit0; @@ -1434,20 +1425,19 @@ midi_unload(void) if (retval) goto exit1; } - - mtx_unlock(&midistat_lock); /* XXX */ - + sx_xunlock(&midistat_lock); destroy_dev(midistat_dev); + /* * Made it here then unload is complete */ - mtx_destroy(&midistat_lock); + sx_destroy(&midistat_lock); return 0; exit1: mtx_unlock(&m->lock); exit0: - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); if (retval) MIDI_DEBUG(2, printf("midi_unload: failed\n")); return retval; @@ -1496,13 +1486,11 @@ midimapper_open(void *arg1, void **cookie) int retval = 0; struct snd_midi *m; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return retval; } @@ -1518,17 +1506,15 @@ midimapper_fetch_synth(void *arg, void *cookie, int un struct snd_midi *m; int retval = 0; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { if (unit == retval) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return (kobj_t)m->synth; } retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return NULL; } Modified: releng/12.0/sys/dev/sound/midi/midi.c ============================================================================== --- releng/12.0/sys/dev/sound/midi/midi.c Tue Aug 20 17:49:33 2019 (r351259) +++ releng/12.0/sys/dev/sound/midi/midi.c Tue Aug 20 17:50:33 2019 (r351260) @@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include #include @@ -49,10 +50,8 @@ __FBSDID("$FreeBSD$"); #include #include #include -#include #include -#include -#include +#include #include #include #include @@ -187,10 +186,9 @@ TAILQ_HEAD(, snd_midi) midi_devs; * /dev/midistat variables and declarations, protected by midistat_lock */ -static struct mtx midistat_lock; +static struct sx midistat_lock; static int midistat_isopen = 0; static struct sbuf midistat_sbuf; -static int midistat_bufptr; static struct cdev *midistat_dev; /* @@ -289,7 +287,7 @@ midi_init(kobj_class_t cls, int unit, int channel, voi MIDI_TYPE *buf; MIDI_DEBUG(1, printf("midiinit: unit %d/%d.\n", unit, channel)); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); /* * Protect against call with existing unit/channel or auto-allocate a * new unit number. @@ -316,13 +314,8 @@ midi_init(kobj_class_t cls, int unit, int channel, voi unit = i + 1; MIDI_DEBUG(1, printf("midiinit #2: unit %d/%d.\n", unit, channel)); - m = malloc(sizeof(*m), M_MIDI, M_NOWAIT | M_ZERO); - if (m == NULL) - goto err0; - - m->synth = malloc(sizeof(*m->synth), M_MIDI, M_NOWAIT | M_ZERO); - if (m->synth == NULL) - goto err1; + m = malloc(sizeof(*m), M_MIDI, M_WAITOK | M_ZERO); + m->synth = malloc(sizeof(*m->synth), M_MIDI, M_WAITOK | M_ZERO); kobj_init((kobj_t)m->synth, &midisynth_class); m->synth->m = m; kobj_init((kobj_t)m, cls); @@ -331,7 +324,7 @@ midi_init(kobj_class_t cls, int unit, int channel, voi MIDI_DEBUG(1, printf("midiinit queues %d/%d.\n", inqsize, outqsize)); if (!inqsize && !outqsize) - goto err2; + goto err1; mtx_init(&m->lock, "raw midi", NULL, 0); mtx_init(&m->qlock, "q raw midi", NULL, 0); @@ -356,9 +349,8 @@ midi_init(kobj_class_t cls, int unit, int channel, voi if ((inqsize && !MIDIQ_BUF(m->inq)) || (outqsize && !MIDIQ_BUF(m->outq))) - goto err3; + goto err2; - m->busy = 0; m->flags = 0; m->unit = unit; @@ -366,14 +358,14 @@ midi_init(kobj_class_t cls, int unit, int channel, voi m->cookie = cookie; if (MPU_INIT(m, cookie)) - goto err3; + goto err2; mtx_unlock(&m->lock); mtx_unlock(&m->qlock); TAILQ_INSERT_TAIL(&midi_devs, m, link); - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); m->dev = make_dev(&midi_cdevsw, MIDIMKMINOR(unit, MIDI_DEV_RAW, channel), @@ -382,16 +374,19 @@ midi_init(kobj_class_t cls, int unit, int channel, voi return m; -err3: mtx_destroy(&m->qlock); +err2: + mtx_destroy(&m->qlock); mtx_destroy(&m->lock); if (MIDIQ_BUF(m->inq)) free(MIDIQ_BUF(m->inq), M_MIDI); if (MIDIQ_BUF(m->outq)) free(MIDIQ_BUF(m->outq), M_MIDI); -err2: free(m->synth, M_MIDI); -err1: free(m, M_MIDI); -err0: mtx_unlock(&midistat_lock); +err1: + free(m->synth, M_MIDI); + free(m, M_MIDI); +err0: + sx_xunlock(&midistat_lock); MIDI_DEBUG(1, printf("midi_init ended in error\n")); return NULL; } @@ -409,7 +404,7 @@ midi_uninit(struct snd_midi *m) int err; err = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); mtx_lock(&m->lock); if (m->busy) { if (!(m->rchan || m->wchan)) @@ -428,8 +423,10 @@ midi_uninit(struct snd_midi *m) if (!err) goto exit; -err: mtx_unlock(&m->lock); -exit: mtx_unlock(&midistat_lock); +err: + mtx_unlock(&m->lock); +exit: + sx_xunlock(&midistat_lock); return err; } @@ -941,27 +938,22 @@ midistat_open(struct cdev *i_dev, int flags, int mode, int error; MIDI_DEBUG(1, printf("midistat_open\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBUSY; } midistat_isopen = 1; - mtx_unlock(&midistat_lock); - if (sbuf_new(&midistat_sbuf, NULL, 4096, SBUF_AUTOEXTEND) == NULL) { error = ENXIO; - mtx_lock(&midistat_lock); goto out; } - mtx_lock(&midistat_lock); - midistat_bufptr = 0; error = (midistat_prepare(&midistat_sbuf) > 0) ? 0 : ENOMEM; - -out: if (error) +out: + if (error) midistat_isopen = 0; - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return error; } @@ -969,40 +961,40 @@ static int midistat_close(struct cdev *i_dev, int flags, int mode, struct thread *td) { MIDI_DEBUG(1, printf("midistat_close\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } sbuf_delete(&midistat_sbuf); midistat_isopen = 0; - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return 0; } static int -midistat_read(struct cdev *i_dev, struct uio *buf, int flag) +midistat_read(struct cdev *i_dev, struct uio *uio, int flag) { - int l, err; + long l; + int err; MIDI_DEBUG(4, printf("midistat_read\n")); - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (!midistat_isopen) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return EBADF; } - l = min(buf->uio_resid, sbuf_len(&midistat_sbuf) - midistat_bufptr); + if (uio->uio_offset < 0 || uio->uio_offset > sbuf_len(&midistat_sbuf)) { + sx_xunlock(&midistat_lock); + return EINVAL; + } err = 0; + l = lmin(uio->uio_resid, sbuf_len(&midistat_sbuf) - uio->uio_offset); if (l > 0) { - mtx_unlock(&midistat_lock); - err = uiomove(sbuf_data(&midistat_sbuf) + midistat_bufptr, l, - buf); - mtx_lock(&midistat_lock); - } else - l = 0; - midistat_bufptr += l; - mtx_unlock(&midistat_lock); + err = uiomove(sbuf_data(&midistat_sbuf) + uio->uio_offset, l, + uio); + } + sx_xunlock(&midistat_lock); return err; } @@ -1015,7 +1007,7 @@ midistat_prepare(struct sbuf *s) { struct snd_midi *m; - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); sbuf_printf(s, "FreeBSD Midi Driver (midi2)\n"); if (TAILQ_EMPTY(&midi_devs)) { @@ -1378,8 +1370,7 @@ midisynth_bender(void *n, uint8_t chn, uint16_t val) static int midi_destroy(struct snd_midi *m, int midiuninit) { - - mtx_assert(&midistat_lock, MA_OWNED); + sx_assert(&midistat_lock, SA_XLOCKED); mtx_assert(&m->lock, MA_OWNED); MIDI_DEBUG(3, printf("midi_destroy\n")); @@ -1405,8 +1396,8 @@ midi_destroy(struct snd_midi *m, int midiuninit) static int midi_load(void) { - mtx_init(&midistat_lock, "midistat lock", NULL, 0); - TAILQ_INIT(&midi_devs); /* Initialize the queue. */ + sx_init(&midistat_lock, "midistat lock"); + TAILQ_INIT(&midi_devs); midistat_dev = make_dev(&midistat_cdevsw, MIDIMKMINOR(0, MIDI_DEV_MIDICTL, 0), @@ -1423,7 +1414,7 @@ midi_unload(void) MIDI_DEBUG(1, printf("midi_unload()\n")); retval = EBUSY; - mtx_lock(&midistat_lock); + sx_xlock(&midistat_lock); if (midistat_isopen) goto exit0; @@ -1436,20 +1427,19 @@ midi_unload(void) if (retval) goto exit1; } - - mtx_unlock(&midistat_lock); /* XXX */ - + sx_xunlock(&midistat_lock); destroy_dev(midistat_dev); + /* * Made it here then unload is complete */ - mtx_destroy(&midistat_lock); + sx_destroy(&midistat_lock); return 0; exit1: mtx_unlock(&m->lock); exit0: - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); if (retval) MIDI_DEBUG(2, printf("midi_unload: failed\n")); return retval; @@ -1498,13 +1488,11 @@ midimapper_open(void *arg1, void **cookie) int retval = 0; struct snd_midi *m; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return retval; } @@ -1520,17 +1508,15 @@ midimapper_fetch_synth(void *arg, void *cookie, int un struct snd_midi *m; int retval = 0; - mtx_lock(&midistat_lock); - + sx_xlock(&midistat_lock); TAILQ_FOREACH(m, &midi_devs, link) { if (unit == retval) { - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return (kobj_t)m->synth; } retval++; } - - mtx_unlock(&midistat_lock); + sx_xunlock(&midistat_lock); return NULL; *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-releng@freebsd.org Tue Aug 20 17:51:34 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 106CDD7109; Tue, 20 Aug 2019 17:51:34 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46Cddd6b48z4cFv; Tue, 20 Aug 2019 17:51:33 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C3C2D6DEB; Tue, 20 Aug 2019 17:51:33 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7KHpXj8063059; Tue, 20 Aug 2019 17:51:33 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7KHpX7s063056; Tue, 20 Aug 2019 17:51:33 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908201751.x7KHpX7s063056@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 20 Aug 2019 17:51:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r351261 - in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern X-SVN-Commit-Revision: 351261 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2019 17:51:34 -0000 Author: gordon Date: Tue Aug 20 17:51:32 2019 New Revision: 351261 URL: https://svnweb.freebsd.org/changeset/base/351261 Log: Fix reference count overflow in mqueuefs. Approved by: so Security: FreeBSD-SA-19:24.mqueuefs Security: CVE-2019-5603 Modified: releng/11.2/sys/kern/uipc_mqueue.c releng/11.3/sys/kern/uipc_mqueue.c releng/12.0/sys/kern/uipc_mqueue.c Modified: releng/11.2/sys/kern/uipc_mqueue.c ============================================================================== --- releng/11.2/sys/kern/uipc_mqueue.c Tue Aug 20 17:50:33 2019 (r351260) +++ releng/11.2/sys/kern/uipc_mqueue.c Tue Aug 20 17:51:32 2019 (r351261) @@ -2788,7 +2788,7 @@ freebsd32_kmq_timedsend(struct thread *td, if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets32, sizeof(ets32)); if (error != 0) - return (error); + goto out; CP(ets32, ets, tv_sec); CP(ets32, ets, tv_nsec); abs_timeout = &ets; @@ -2797,6 +2797,7 @@ freebsd32_kmq_timedsend(struct thread *td, waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_send(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } Modified: releng/11.3/sys/kern/uipc_mqueue.c ============================================================================== --- releng/11.3/sys/kern/uipc_mqueue.c Tue Aug 20 17:50:33 2019 (r351260) +++ releng/11.3/sys/kern/uipc_mqueue.c Tue Aug 20 17:51:32 2019 (r351261) @@ -2788,7 +2788,7 @@ freebsd32_kmq_timedsend(struct thread *td, if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets32, sizeof(ets32)); if (error != 0) - return (error); + goto out; CP(ets32, ets, tv_sec); CP(ets32, ets, tv_nsec); abs_timeout = &ets; @@ -2797,6 +2797,7 @@ freebsd32_kmq_timedsend(struct thread *td, waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_send(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } Modified: releng/12.0/sys/kern/uipc_mqueue.c ============================================================================== --- releng/12.0/sys/kern/uipc_mqueue.c Tue Aug 20 17:50:33 2019 (r351260) +++ releng/12.0/sys/kern/uipc_mqueue.c Tue Aug 20 17:51:32 2019 (r351261) @@ -2798,7 +2798,7 @@ freebsd32_kmq_timedsend(struct thread *td, if (uap->abs_timeout != NULL) { error = copyin(uap->abs_timeout, &ets32, sizeof(ets32)); if (error != 0) - return (error); + goto out; CP(ets32, ets, tv_sec); CP(ets32, ets, tv_nsec); abs_timeout = &ets; @@ -2807,6 +2807,7 @@ freebsd32_kmq_timedsend(struct thread *td, waitok = !(fp->f_flag & O_NONBLOCK); error = mqueue_send(mq, uap->msg_ptr, uap->msg_len, uap->msg_prio, waitok, abs_timeout); +out: fdrop(fp, td); return (error); } From owner-svn-src-releng@freebsd.org Tue Aug 20 17:52:29 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D331CD730C; Tue, 20 Aug 2019 17:52:29 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46Cdfj5GGtz4cYQ; Tue, 20 Aug 2019 17:52:29 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 966166F44; Tue, 20 Aug 2019 17:52:29 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7KHqTFo067147; Tue, 20 Aug 2019 17:52:29 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7KHqSBb066779; Tue, 20 Aug 2019 17:52:28 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908201752.x7KHqSBb066779@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 20 Aug 2019 17:52:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r351263 - in releng: 11.2 11.2/sys/conf 11.3 11.3/sys/conf 12.0 12.0/sys/conf X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: in releng: 11.2 11.2/sys/conf 11.3 11.3/sys/conf 12.0 12.0/sys/conf X-SVN-Commit-Revision: 351263 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2019 17:52:29 -0000 Author: gordon Date: Tue Aug 20 17:52:28 2019 New Revision: 351263 URL: https://svnweb.freebsd.org/changeset/base/351263 Log: Bump version information and add UPDATING entries. Approved by: so Modified: releng/11.2/UPDATING releng/11.2/sys/conf/newvers.sh releng/11.3/UPDATING releng/11.3/sys/conf/newvers.sh releng/12.0/UPDATING releng/12.0/sys/conf/newvers.sh Modified: releng/11.2/UPDATING ============================================================================== --- releng/11.2/UPDATING Tue Aug 20 17:52:12 2019 (r351262) +++ releng/11.2/UPDATING Tue Aug 20 17:52:28 2019 (r351263) @@ -16,6 +16,16 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190820 p14 FreeBSD-SA-19:22.mbuf + FreeBSD-SA-19:23.midi + FreeBSD-SA-19:24.mqueuefs + + Fix IPv6 remote denial of service. [SA-19:22.mbuf] + + Fix kernel memory disclosure from /dev/midistat. [SA-19:23.midi] + + Fix reference count overflow in mqueuefs. [SA-19:24.mqueuefs] + 20190806 p13 FreeBSD-EN-19:15.libunwind FreeBSD-SA-19:18.bzip2 FreeBSD-SA-19:19.mldv2 Modified: releng/11.2/sys/conf/newvers.sh ============================================================================== --- releng/11.2/sys/conf/newvers.sh Tue Aug 20 17:52:12 2019 (r351262) +++ releng/11.2/sys/conf/newvers.sh Tue Aug 20 17:52:28 2019 (r351263) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.2" -BRANCH="RELEASE-p13" +BRANCH="RELEASE-p14" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/11.3/UPDATING ============================================================================== --- releng/11.3/UPDATING Tue Aug 20 17:52:12 2019 (r351262) +++ releng/11.3/UPDATING Tue Aug 20 17:52:28 2019 (r351263) @@ -16,6 +16,23 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190820 p3 FreeBSD-EN-19:16.bhyve + FreeBSD-SA-19:17.ipfw + FreeBSD-SA-19:22.mbuf + FreeBSD-SA-19:23.midi + FreeBSD-SA-19:24.mqueuefs + + Bhyve instruction emulation improvements (opcode 03H and F7H). + [EN-19:16.bhyve] + + Fix ipfw(8) jail keyword prior to jail startup. [EN-19:17.ipfw] + + Fix IPv6 remote denial of service. [SA-19:22.mbuf] + + Fix kernel memory disclosure from /dev/midistat. [SA-19:23.midi] + + Fix reference count overflow in mqueuefs. [SA-19:24.mqueuefs] + 20190806 p2 FreeBSD-SA-19:18.bzip2 FreeBSD-SA-19:19.mldv2 FreeBSD-SA-19:20.bsnmp Modified: releng/11.3/sys/conf/newvers.sh ============================================================================== --- releng/11.3/sys/conf/newvers.sh Tue Aug 20 17:52:12 2019 (r351262) +++ releng/11.3/sys/conf/newvers.sh Tue Aug 20 17:52:28 2019 (r351263) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.3" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/12.0/UPDATING ============================================================================== --- releng/12.0/UPDATING Tue Aug 20 17:52:12 2019 (r351262) +++ releng/12.0/UPDATING Tue Aug 20 17:52:28 2019 (r351263) @@ -16,6 +16,20 @@ from older versions of FreeBSD, try WITHOUT_CLANG and the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20190820 p10 FreeBSD-EN-19:16.bhyve + FreeBSD-SA-19:22.mbuf + FreeBSD-SA-19:23.midi + FreeBSD-SA-19:24.mqueuefs + + Bhyve instruction emulation improvements (opcode 03H and F7H). + [EN-19:16.bhyve] + + Fix IPv6 remote denial of service. [SA-19:22.mbuf] + + Fix kernel memory disclosure from /dev/midistat. [SA-19:23.midi] + + Fix reference count overflow in mqueuefs. [SA-19:24.mqueuefs] + 20190806 p9 FreeBSD-EN-19:14.epoch FreeBSD-EN-19:15.libunwind FreeBSD-SA-19:18.bzip2 Modified: releng/12.0/sys/conf/newvers.sh ============================================================================== --- releng/12.0/sys/conf/newvers.sh Tue Aug 20 17:52:12 2019 (r351262) +++ releng/12.0/sys/conf/newvers.sh Tue Aug 20 17:52:28 2019 (r351263) @@ -46,7 +46,7 @@ TYPE="FreeBSD" REVISION="12.0" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@freebsd.org Tue Aug 20 18:02:37 2019 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E0F74D79BF; Tue, 20 Aug 2019 18:02:37 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46CdtP5h8Vz4f7m; Tue, 20 Aug 2019 18:02:37 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A1F457119; Tue, 20 Aug 2019 18:02:37 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7KI2b9a073324; Tue, 20 Aug 2019 18:02:37 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7KI2bin073323; Tue, 20 Aug 2019 18:02:37 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201908201802.x7KI2bin073323@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Tue, 20 Aug 2019 18:02:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r351272 - releng/11.3 X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/11.3 X-SVN-Commit-Revision: 351272 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2019 18:02:37 -0000 Author: gordon Date: Tue Aug 20 18:02:37 2019 New Revision: 351272 URL: https://svnweb.freebsd.org/changeset/base/351272 Log: That's EN-19:17.ipfw. It's not an SA. Reported by: kevans@ Approved by: so Modified: releng/11.3/UPDATING Modified: releng/11.3/UPDATING ============================================================================== --- releng/11.3/UPDATING Tue Aug 20 18:01:57 2019 (r351271) +++ releng/11.3/UPDATING Tue Aug 20 18:02:37 2019 (r351272) @@ -17,7 +17,7 @@ the tip of head, and then rebuild without this option. from older version of current across the gcc/clang cutover is a bit fragile. 20190820 p3 FreeBSD-EN-19:16.bhyve - FreeBSD-SA-19:17.ipfw + FreeBSD-EN-19:17.ipfw FreeBSD-SA-19:22.mbuf FreeBSD-SA-19:23.midi FreeBSD-SA-19:24.mqueuefs