Date: Tue, 9 Jun 2020 16:36:54 +0000 (UTC)
From: Gordon Tetlow <gordon@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54224 - in head/share: security/advisories security/patches/EN-20:11 security/patches/EN-20:12 security/patches/SA-20:17 xml
Message-ID: <202006091636.059GasQl002033@repo.freebsd.org>
Author: gordon (src committer)
Date: Tue Jun 9 16:36:54 2020
New Revision: 54224
URL: https://svnweb.freebsd.org/changeset/doc/54224

Log:
  Add EN-20:10, EN-20:11, and SA-20:17.

  Approved by: so

Added:
  head/share/security/advisories/FreeBSD-EN-20:11.ena.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-20:12.iflib.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:17.usb.asc (contents, props changed)
  head/share/security/patches/EN-20:11/
  head/share/security/patches/EN-20:11/ena.patch (contents, props changed)
  head/share/security/patches/EN-20:11/ena.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:12/
  head/share/security/patches/EN-20:12/iflib.patch (contents, props changed)
  head/share/security/patches/EN-20:12/iflib.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:17/
  head/share/security/patches/SA-20:17/usb.patch (contents, props changed)
  head/share/security/patches/SA-20:17/usb.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-20:11.ena.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:11.ena.asc Tue Jun 9 16:36:54 2020 (r54224) 
@@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:11.ena Errata Notice + The FreeBSD Project + +Topic: Stability issues in ena(4) driver + +Category: core +Module: ena +Announced: 2020-06-09 +Credits: Colin Percival +Affects: FreeBSD 12.1 +Corrected: 2020-05-12 18:44:41 UTC (stable/12, 12.1-STABLE) + 2020-06-09 16:10:57 UTC (releng/12.1, 12.1-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The ena(4) driver is used to access the Elastic Network Adapter network +interface on recent Amazon Elastic Compute Cloud (EC2) instances. It is +designed to make full use of the EC2 network, operating at up to 100 Gbps. + +II. Problem Description + +The ena(4) driver attempts to allocate a large number of 16 kB mbuf clusters +to use as buffers for received packets. Under low memory conditions, the +process of attempting to allocate these buffers may take a long time. + +On FreeBSD 12.x, these allocations are attempted from an interrupt thread +running at high priority, and can subsequently starve other parts of the +system of CPU time. + +It appears that systems using the ZFS filesystem may be more likely to +experience this issue, possibly due to the memory pressure created by the +allocation of memory to the ZFS ARC. + +III. Impact + +The system may become unresponsive, appearing to "lock up" for periods of +several seconds. The ena(4) driver may log errors such as + + The number of lost tx completion is above the threshold (129 > 128). + +and reset the device; the nvme(4) driver may also experience timeouts +resulting in a range of errors being reported and the device being reset, +and in some cases causing kernel panics. + +IV. 
Workaround + +No workaround is available. Systems which are not part of the Amazon +Elastic Compute Cloud (EC2) are not affected; nor are older EC2 instance +types, which lack the Elastic Network Adapter hardware. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.1] +# fetch https://security.FreeBSD.org/patches/EN-20:11/ena.patch +# fetch https://security.FreeBSD.org/patches/EN-20:11/ena.patch.asc +# gpg --verify ena.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +NOTE: This patch can have a small (~2%) impact on the throughput of the +ena(4) device. The original performance can be restored -- at the expense +of latency spikes and system instability under memory pressure -- by adding +the following to /boot/loader.conf: + + hw.ena.enable_9k_mbufs="1" + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r360985 +releng/12.1/ r361970 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:11.ena.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl7fuERfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cITew/+MQpJIKHrlWjqcR9fvAeqR4rX3aBVNMkambeTa2nKY4/PH8XzVLnKvyuE +O7ZtzaU3bz5xYkyYnlYSGstTRWk/BRCRgpZvzlPWVsvsFINgCHO5QsKHVyC0+/M2 +Do3qRwxYDYPh0+Bz8QGuQGmpfMNpsuA//rfa12Ywp7jqu3IP8+0bBuWM71J7Bkyf +WhEJIehFiU9iGUFS2LF7000CzIwmcTitCtYJFxxwaYYHGHT5nMtljcrsKK9I1N+Q +f3mQ7dK8ryQ+H+CupfHodAYUeZyJbj/xVggdnzY45R1B9Tdr15VMPuurcqXyXIft +Uj4UzdDUNgbUw4WQqfvqn8CDAT0V54NRhDs8AkYWn+GqaDDSnvcsKnI/V2UJgqTn +Wp8ZClq7bF0mcBp7g1t97peseZsP+papJKsaVLKrTT+dw1x/aWz1cvK51x5UPWoW +qaiFVMf5l9R0ZDcQxsyN/7gyHnZRR8X1wl1gVPVcJ8EEWs6Gh4sRTzXSDMDqsA/P +89hA6vPVeOmBqKM3BlR8MrDPIALjzxNvzu65NMLMcebyPudaY9a2GEd8acw6mwxh +hQ015y9+MoMV8xD3gfjNLdQS7899eK1MwXu1UZPcUEOlYErAhjoGo51N4D6mfU62 +7sDoy2Yt380Nmp57nUoanHkADzXPn8OV8fvlsTN6a0J4ZLu+KNM= +=FDu4 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-20:12.iflib.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:12.iflib.asc Tue Jun 9 16:36:54 2020 (r54224) 
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:12.iflib Errata Notice + The FreeBSD Project + +Topic: iflib watchdog timeout resetting idle queues + +Category: core +Module: kernel +Announced: 2020-06-09 +Affects: FreeBSD 12.1 +Corrected: 2020-01-10 18:29:05 UTC (stable/12, 12.1-STABLE) + 2020-06-09 16:11:54 UTC (releng/12.1, 12.1-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +iflib is a framework that contains common code for network drivers to use, +reducing code duplication. One function it contains is a "watchdog" that +periodically checks the driver's software Tx queues to see if they're hung. + +II. Problem Description + +The iflib watchdog would sometimes trigger a false positive queue hang just +after a link state change. + +III. Impact + +The iflib framework would print messages for the affected devices such as + +"igb0: TX(2) desc avail = 1024, pidx = 0" + +and would stop allowing Tx traffic to be sent. + +IV. Workaround + +No workaround is available. Systems that do not use iflib-based interfaces +are not vulnerable. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:12/iflib.patch +# fetch https://security.FreeBSD.org/patches/EN-20:12/iflib.patch.asc +# gpg --verify iflib.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r356605 +releng/12.1/ r361971 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239240> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:12.iflib.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl7fuQlfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJl3RAAhIgmZfpK3r2qBuwC0EypnqtndvjEHGTTdcUhwY0iBjrDxt6AnHPMO/i/ +DEZkNJI6uCxSaybjVcnNob7lJ4p2o9rrAF+pExR4LycxJa0y8oZM5xIdqwwfY484 +Tge4/N4garWeA0ALetGXCrAf62t7ZLRgyWldH4tt4m0Mu7AIGkfPGivWK6kpmB5c +O/GKv6fe4TiyPSAQroUQrNawdO9tQTDhXjGknRZ3iyu9tp/zeOkgtMAEnc3zdv0T +J3sFqGGt/Mt2dL0KoqfUNK54k5vgUU+oV22+z2pf9TGtby4yUq0FTOxl+V5qE6hk +aQHndYgklOo56AaSkA3GW1DoIOyU7VQtsA5hpbHXotiJo1P5BoNIa3IwMfLBmW45 +sD7f/vpyX5Mga9KqcvYIgRxCNvYpu8Dq0nKiVQboABAdplFLorTdHPJmSqmeoomO +diEQk3cSotrav1b8xl2IfZYk8TaC5B7gm9UuU6ag6UM/vasr1kRcz5+7DxDOCP1d +2CbaKqPnpGAxyGmd+DLO7EMkOIBPiKfoCtBfgLXRypD6ypEW/xAUmGtR6yIFCtJ/ +USAHRwrm0jteVOXYrpS3cvBYsXkEowcMK1n8ghIqUfDHtvebLK2m5ubhF2E1F0Gv +6Nw6i0dt1Csrhg7CyrWqzY83iB7N3tPvqN45QaFMEBRqnnsLPpQ= +=VqeW +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:17.usb.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:17.usb.asc Tue Jun 9 16:36:54 2020 (r54224) 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:17.usb Security Advisory + The FreeBSD Project + +Topic: USB HID descriptor parsing error + +Category: core +Module: kernel +Announced: 2020-06-09 +Credits: Andy Nguyen, Google +Affects: All supported versions of FreeBSD. +Corrected: 2020-06-08 09:32:57 UTC (stable/12, 12.1-STABLE) + 2020-06-09 16:13:54 UTC (releng/12.1, 12.1-RELEASE-p6) + 2020-06-08 09:33:37 UTC (stable/11, 11.4-STABLE) + 2020-06-09 16:13:54 UTC (releng/11.4, 11.4-RC2-p1) + 2020-06-09 16:13:54 UTC (releng/11.3, 11.3-RELEASE-p10) +CVE Name: CVE-2020-7456 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +USB Human Interface Device (HID) descriptors may push/pop the current state +to allow description of items residing in a so-called union. FreeBSD +supports 4 such pop levels. + +II. Problem Description + +If the push/pop level is not restored within the processing of the same HID +item, an invalid memory location may be used for subsequent HID item +processing. + +III. Impact + +An attacker with physical access to a USB port may be able to use a specially +crafted USB device to gain kernel or user-space code execution. + +IV. Workaround + +Setting "sysctl hw.usb.disable_enumeration=1" disables USB device +enumeration preventing the error from occurring. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:17/usb.patch +# fetch https://security.FreeBSD.org/patches/SA-20:17/usb.patch.asc +# gpg --verify usb.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r361918 +releng/12.1/ r361972 +stable/11/ r361919 +releng/11.4/ r361972 +releng/11.3/ r361972 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7456> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:17.usb.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl7fuFhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJ4Iw/6AuTNBD33WaEZTW7mAfigc1sp8cjnKCvm+DObx1CNpSr9fxiy+Dy5DMjg +/Hv4ijv4flte3txXohdXvYcAKqYrbP1BBr6ptlQYE/V+61sTtxV18XGnID1fgSOZ +WPHGaXMAUNeeVxJSEVJ5rJ+lRo90Rlp/n9pMZlU+tIDFjE0BQ5lJkicg/xgFO9rg +tRaeotoXmdNo3HlkMfXnIZ8q5tOQrcsfSZP6DgQWKspinCJTVTr1eQ9p6mHNV7Ip +XZGuXNaktYxwNk2oWP2dmk6FAkyldReyi856DurhOldmAxPbY5zh4NfwOuL78pSa +draF1up4Vkb/aSQHN1xkaOjlBEmLYHgzND83M9gnE2RdtGVLeerI6Gdd6Pp4D8a2 +vPgWZOQfO82lUjSx/B/XHCA0Ztu4uinPuCkrf9vcteg/juJxQRRyFWUfqGbo3qpC +U9a1AN9Ojgy0eFDKTo7vWUf34kB1RApEEt3y3XNwwbwDWtKdWMRLJfD4oIhbB6Re +URYpBUv5wnkhOq5LR15VJc6jL/DZxqsjByALwtnEdNH6bAYM+6WTmnTYFgUyuvlF +n2tZeD5LXM0GLs377edmAeGR7TUd+rFfndEGFKiDXeSNrmb0Ro6E4vvbUwu5PalA +kf+suJS0noAH+SPmk0YyxKm12plPxyO2zLFIMRpjWz6v1joH+Qk= +=4v1s +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-20:11/ena.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:11/ena.patch Tue Jun 9 16:36:54 2020 (r54224) 
@@ -0,0 +1,87 @@ +--- sys/dev/ena/ena.c.orig ++++ sys/dev/ena/ena.c +@@ -200,6 +200,19 @@ + SYSCTL_INT(_hw_ena, OID_AUTO, log_level, CTLFLAG_RWTUN, + &ena_log_level, 0, "Logging level indicating verbosity of the logs"); + ++/* ++ * Use 9k mbufs for the Rx buffers. Default to 0 (use page size mbufs instead). ++ * Using 9k mbufs in low memory conditions might cause allocation to take a lot ++ * of time and lead to the OS instability as it needs to look for the contiguous ++ * pages. ++ * However, page size mbufs has a bit smaller throughput than 9k mbufs, so if ++ * the network performance is the priority, the 9k mbufs can be used. ++ */ ++int ena_enable_9k_mbufs = 0; ++SYSCTL_INT(_hw_ena, OID_AUTO, enable_9k_mbufs, CTLFLAG_RDTUN, ++ &ena_enable_9k_mbufs, 0, "Use 9 kB mbufs for Rx descriptors"); ++#define ena_mbuf_sz (ena_enable_9k_mbufs ? MJUM9BYTES : MJUMPAGESIZE) ++ + static ena_vendor_info_t ena_vendor_info_array[] = { + { PCI_VENDOR_ID_AMAZON, PCI_DEV_ID_ENA_PF, 0}, + { PCI_VENDOR_ID_AMAZON, PCI_DEV_ID_ENA_LLQ_PF, 0}, +@@ -470,6 +483,7 @@ + rxr->que = que; + + rxr->empty_rx_queue = 0; ++ rxr->rx_mbuf_sz = ena_mbuf_sz; + } + } + +@@ -548,9 +562,9 @@ + ENA_DMA_BIT_MASK(adapter->dma_width), /* lowaddr of excl window */ + BUS_SPACE_MAXADDR, /* highaddr of excl window */ + NULL, NULL, /* filter, filterarg */ +- MJUM16BYTES, /* maxsize */ ++ ena_mbuf_sz, /* maxsize */ + adapter->max_rx_sgl_size, /* nsegments */ +- MJUM16BYTES, /* maxsegsize */ ++ ena_mbuf_sz, /* maxsegsize */ + 0, /* flags */ + NULL, /* lockfunc */ + NULL, /* lockarg */ +@@ -957,7 +971,8 @@ + return (0); + + /* Get mbuf using UMA allocator */ +- rx_info->mbuf = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES); ++ rx_info->mbuf = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, ++ rx_ring->rx_mbuf_sz); + + if (unlikely(rx_info->mbuf == NULL)) { + counter_u64_add(rx_ring->rx_stats.mjum_alloc_fail, 1); +@@ -968,7 +983,7 @@ + } + mlen = MCLBYTES; + } else { +- mlen = MJUM16BYTES; ++ mlen = rx_ring->rx_mbuf_sz; + } 
+ /* Set mbuf length*/ + rx_info->mbuf->m_pkthdr.len = rx_info->mbuf->m_len = mlen; +--- sys/dev/ena/ena.h.orig ++++ sys/dev/ena/ena.h +@@ -41,7 +41,7 @@ + + #define DRV_MODULE_VER_MAJOR 0 + #define DRV_MODULE_VER_MINOR 8 +-#define DRV_MODULE_VER_SUBMINOR 4 ++#define DRV_MODULE_VER_SUBMINOR 5 + + #define DRV_MODULE_NAME "ena" + +@@ -238,8 +238,12 @@ + + /* Determines if device will use LLQ or normal mode for TX */ + enum ena_admin_placement_policy_type tx_mem_queue_type; +- /* The maximum length the driver can push to the device (For LLQ) */ +- uint8_t tx_max_header_size; ++ union { ++ /* The maximum length the driver can push to the device (For LLQ) */ ++ uint8_t tx_max_header_size; ++ /* The maximum (and default) mbuf size for the Rx descriptor. */ ++ uint16_t rx_mbuf_sz; ++ }; + + struct ena_com_rx_buf_info ena_bufs[ENA_PKT_MAX_BUFS]; + Added: head/share/security/patches/EN-20:11/ena.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:11/ena.patch.asc Tue Jun 9 16:36:54 2020 (r54224) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl7fuG1fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJufBAAkAgRwDCM4+HShm0Zag36TMJDelC7b3IeBd+NkwLvWHZvThcqbFEEr7xw +X19EceBGVwapmKvMDWtJRZst8NTpRNBzxoN4aAg6a/cVQwWFUD9rGp65pAyLL0FT +QBDyRZCEaSCzbu/hDSP3sD8okv+76lrlOInWkVq9SVhSxG3oWdufnmaosjgNlWDN +JPU8soIf3eLCxehmGmSGJHwZo7ZZ6kC/41kVmmEHRG7aNwmSE3wu+Ih3bN7DA0PL +UyUcpNAG3Bt+vm2hc/yIIv0QJUX+bXLMmaF2o2fTmPoqITHxeeCkt6HXT0176i+P +gs4t0bJ7PeDy3GTy7VIYJJyPkA53ZqYsxLGm43dZMqGsKPH1j1wNBZ34KpPgcU0W +8NukbpLxVpr00wMn992dG0fzowZSs1wk6woLwS//PBgxgEp10Eo9KUglWXnA2fHR +ciTtzY6coDO7raUvPq0UHE3onyt9Mz5vkhNJ0yL6Ra+LyNX2gu3YmJSeNtfeossY +V/ni+Eo/kCNW6yBBhp4YVPnmkTISRLIYTIav+NYhlUp+Jqd9m2ziJbzm+Dsk9aUT +lbAOwoHde6OZxJO5SyX0bdVE2+vzuOANQT64kP3uh8wbPGYWN6q3FAucctMIaJ9e +hLoYn+p3lnQmgg6yEVRJkWJeNs1mRzPDGq6asgYZJiAZAGiwvKA= +=3wLT +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-20:12/iflib.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:12/iflib.patch Tue Jun 9 16:36:54 2020 (r54224) @@ -0,0 +1,15 @@ +--- sys/net/iflib.c.orig ++++ sys/net/iflib.c +@@ -2301,8 +2301,11 @@ + (sctx->isc_pause_frames == 0))) + goto hung; + +- if (ifmp_ring_is_stalled(txq->ift_br)) ++ if (txq->ift_qstatus != IFLIB_QUEUE_IDLE && ++ ifmp_ring_is_stalled(txq->ift_br)) { ++ KASSERT(ctx->ifc_link_state == LINK_STATE_UP, ("queue can't be marked as hung if interface is down")); + txq->ift_qstatus = IFLIB_QUEUE_HUNG; ++ } + txq->ift_cleaned_prev = txq->ift_cleaned; + } + #ifdef DEV_NETMAP Added: head/share/security/patches/EN-20:12/iflib.patch.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:12/iflib.patch.asc Tue Jun 9 16:36:54 2020 (r54224) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl7fuHRfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLzsA/+N7MQ0mOSS3yDLZQkq90Yg7ohwmKo+HWPLeFGVkL/iZzIavouNHJ61Ayt +BQSO0qHtcCOZulb1o36HwC48uGdiNbb32xO2zEmV0Ieu068iSK3oiRraYVzBBHCI +7CtROQy0nP0a12wvEqvYnUC4VGD/IEswhaEvzM4d+pNxg0CUSxh/svbSifizckf8 +kVPALJSawd8Dw67AfhFXjdl8xUSIG+uspqC/Yg2dOljbSZ9Yb5Kr0iO2a+aOxm6v +wboT1b77kQFMwQ7VMMX1rAnJigwliZ3qnwXa8Plrp+yNbOZDaHvOTTRNrB3tnTCJ +WVKwsfRdlQ6q6xtQJDUsWv8/MQ5p1Xfp9iJbV8PF/mvaCAWUT0i9+WIzDiME3sRM +gpyfMZCdUFW1bsQMlwSVY20y0+gWLs5qwHxsUDkdvw5P0ze78XwfXJJxI7qyoM9R +RfqeOwTPfKdMI1ggeInVbESsGL2K3VDzzkXFmeXSIPv4v6jLTn+UgaoOjHI8M7e9 +6B+82hgR4C65YVs7zPa5ZdSSvhDswJC4rzMLIrNVa5PIkeZVv9civ124P78sxeUX +4ckrcB1lmCwZNtp0/5+iC+z2OWhwN6kFS+AA0Mmf+PRDM/8kfLbylQV1l9qRdb5Q +POEI4z8zxDnHlUAXqz8/wO5/dzWmEUG0ymvzFDflCUd4+NzfI6o= +=qyuD +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-20:17/usb.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-20:17/usb.patch Tue Jun 9 16:36:54 2020 (r54224) 
@@ -0,0 +1,112 @@ +--- lib/libusbhid/parse.c.orig ++++ lib/libusbhid/parse.c +@@ -403,26 +403,28 @@ + s->loc_count = dval & mask; + break; + case 10: /* Push */ ++ /* stop parsing, if invalid push level */ ++ if ((s->pushlevel + 1) >= MAXPUSH) ++ return (0); + s->pushlevel ++; +- if (s->pushlevel < MAXPUSH) { +- s->cur[s->pushlevel] = *c; +- /* store size and count */ +- c->report_size = s->loc_size; +- c->report_count = s->loc_count; +- /* update current item pointer */ +- c = &s->cur[s->pushlevel]; +- } ++ s->cur[s->pushlevel] = *c; ++ /* store size and count */ ++ c->report_size = s->loc_size; ++ c->report_count = s->loc_count; ++ /* update current item pointer */ ++ c = &s->cur[s->pushlevel]; + break; + case 11: /* Pop */ ++ /* stop parsing, if invalid push level */ ++ if (s->pushlevel == 0) ++ return (0); + s->pushlevel --; +- if (s->pushlevel < MAXPUSH) { +- c = &s->cur[s->pushlevel]; +- /* restore size and count */ +- s->loc_size = c->report_size; +- s->loc_count = c->report_count; +- c->report_size = 0; +- c->report_count = 0; +- } ++ c = &s->cur[s->pushlevel]; ++ /* restore size and count */ ++ s->loc_size = c->report_size; ++ s->loc_count = c->report_count; ++ c->report_size = 0; ++ c->report_count = 0; + break; + default: + break; +--- sys/dev/usb/usb_hid.c.orig ++++ sys/dev/usb/usb_hid.c +@@ -436,36 +436,36 @@ + s->loc_count = dval & mask; + break; + case 10: /* Push */ ++ /* stop parsing, if invalid push level */ ++ if ((s->pushlevel + 1) >= MAXPUSH) { ++ DPRINTFN(0, "Cannot push item @ %d\n", s->pushlevel); ++ return (0); ++ } + s->pushlevel ++; +- if (s->pushlevel < MAXPUSH) { +- s->cur[s->pushlevel] = *c; +- /* store size and count */ +- c->loc.size = s->loc_size; +- c->loc.count = s->loc_count; +- /* update current item pointer */ +- c = &s->cur[s->pushlevel]; +- } else { +- DPRINTFN(0, "Cannot push " +- "item @ %d\n", s->pushlevel); +- } ++ s->cur[s->pushlevel] = *c; ++ /* store size and count */ ++ c->loc.size = s->loc_size; ++ c->loc.count = 
s->loc_count; ++ /* update current item pointer */ ++ c = &s->cur[s->pushlevel]; + break; + case 11: /* Pop */ ++ /* stop parsing, if invalid push level */ ++ if (s->pushlevel == 0) { ++ DPRINTFN(0, "Cannot pop item @ 0\n"); ++ return (0); ++ } + s->pushlevel --; +- if (s->pushlevel < MAXPUSH) { +- /* preserve position */ +- oldpos = c->loc.pos; +- c = &s->cur[s->pushlevel]; +- /* restore size and count */ +- s->loc_size = c->loc.size; +- s->loc_count = c->loc.count; +- /* set default item location */ +- c->loc.pos = oldpos; +- c->loc.size = 0; +- c->loc.count = 0; +- } else { +- DPRINTFN(0, "Cannot pop " +- "item @ %d\n", s->pushlevel); +- } ++ /* preserve position */ ++ oldpos = c->loc.pos; ++ c = &s->cur[s->pushlevel]; ++ /* restore size and count */ ++ s->loc_size = c->loc.size; ++ s->loc_count = c->loc.count; ++ /* set default item location */ ++ c->loc.pos = oldpos; ++ c->loc.size = 0; ++ c->loc.count = 0; + break; + default: + DPRINTFN(0, "Global bTag=%d\n", bTag); Added: head/share/security/patches/SA-20:17/usb.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-20:17/usb.patch.asc Tue Jun 9 16:36:54 2020 (r54224) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl7fuHtfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJLJQ//f4TcAEnnsKfnofV3rXJpfzYvmVwiSfTjZjqqtkFPOmr2tiL3HHARS1XP +uYO4wC42dkzWt+P1VC5qggzaBSno3npXSKhGuMKz8xYnOLTuxec/A8cEWxKJU2o7 +LofYtF3reX4nn2nASngrL7ZraGTcqyG5YGSQrrmY4l1v+M0Cn9+pAy0vGig1Sb0F +nWvf29W3GOCHSxuUv4BL9/EDTufxbbHa5+dYJkXzlwqGoVh1XKw3eB83CsdRJA1G +TF06PPTAiyn4p+YDCnpbjLJ2uiAeCl3wRoVUcMupjwq/R3CAVTS6NonSBS+Y8okB +BxOtkGUwkTLPBcFmmH5zpUM7m1T8vgm8tlTbyYAQCxXG+JZ0iAWYSTFwt9iUdLPg +hkgQOrtbQxxqiOaecS0jFhDXN0H1QZwZZd9cmDRk73s3CMawL7yXFBgwYUYo293d +JWbHBJh0LFYr9lSk3pbIWgbm/0NTGLbYG6sny0k4jFlPU1FnHAJ01LHeAEAndfay +OL/2urC7WYCowXs/GxjCH9sYkZiE8M59NEfd3N9yk5n8uGWevaLV9Nuv9LT7kHWX ++vVy3rbi+G0CLDiS9RnYTu4R2z/+8viuOy5yJlY6BiS7U760slhmVIVVqVOEveC7 +CGThrfTmVdmQo+2rn3PZrhlCs+YZ6+rIJD+7fB4Ud4yoxVQe93U= +=L/yA +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Jun 9 13:22:43 2020 (r54223) +++ head/share/xml/advisories.xml Tue Jun 9 16:36:54 2020 (r54224) @@ -8,6 +8,19 @@ <name>2020</name> <month> + <name>6</name> + + <day> + <name>9</name> + + <advisory> + <name>FreeBSD-SA-20:17.usb</name> + </advisory> + + </day> + </month> + + <month> <name>5</name> <day> Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Tue Jun 9 13:22:43 2020 (r54223) +++ head/share/xml/notices.xml Tue Jun 9 16:36:54 2020 (r54224) @@ -8,6 +8,23 @@ <name>2020</name> <month> + <name>6</name> + + <day> + <name>9</name> + + <notice> + <name>FreeBSD-EN-20:12.iflib</name> + </notice> + + <notice> + <name>FreeBSD-EN-20:11.ena</name> + </notice> + + </day> + </month> + + <month> <name>5</name> <day>
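
Review bot: in FreeBSD-EN-20:11.ena.asc, the NOTE at the end of section V says the original performance can be restored with hw.ena.enable_9k_mbufs="1", but section II describes the old behaviour as allocating 16 kB mbuf clusters and ena.patch replaces MJUM16BYTES with "ena_enable_9k_mbufs ? MJUM9BYTES : MJUMPAGESIZE". The tunable therefore selects 9 kB clusters, not the former 16 kB ones. Suggest the NOTE say that it switches the Rx buffers to 9 kB clusters, so readers do not assume it reverts the driver to its pre-patch allocation size.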
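
Review bot: in FreeBSD-SA-20:17.usb.asc, step 2c of section V only tells the reader to recompile the kernel, while usb.patch in this same commit also changes lib/libusbhid/parse.c and section III lists user-space code execution as a possible impact. A system patched from source by following these steps would still run the old libusbhid. Suggest adding a step to rebuild and reinstall the userland library (or world) as well, and restart programs that link against it. The "Module: kernel" field could mention libusbhid for the same reason. The workaround in section IV also gives a runtime sysctl without saying how to keep it across reboots.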
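
Review bot: in ena.patch, the sys/dev/ena/ena.h hunk places rx_mbuf_sz in an anonymous union with tx_max_header_size, which is only safe if a given ring structure is used for Tx or for Rx and never both, and neither added comment states that. Suggest a one-line comment on the union saying which member is valid for which ring type, or a separate field if the space saving is not needed. In the ena.c hunk at line 200, ena_mbuf_sz is a lower-case macro that reads like a variable at its uses ("rxr->rx_mbuf_sz = ena_mbuf_sz;"), so an upper-case name or a small inline function would make it clear that the value is computed from the tunable.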
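
Review bot: in iflib.patch, the new condition "txq->ift_qstatus != IFLIB_QUEUE_IDLE" at sys/net/iflib.c line 2301 is the actual fix but has no comment explaining why idle queues must be skipped. The KASSERT only checks on kernels built with INVARIANTS, so the explanation should not live solely in its message. Suggest a short comment above the if tying it to the false positive after a link state change that the errata notice describes, and wrapping the KASSERT message, which is a single line well over 80 columns.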
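
Review bot: in usb.patch, the new early exits in the Push and Pop cases of both lib/libusbhid/parse.c and sys/dev/usb/usb_hid.c use "return (0);" with only the comment "stop parsing, if invalid push level". If 0 is also what the function returns when the descriptor ends normally, callers cannot tell a rejected descriptor from a complete one. Suggest documenting that at the function header, or noting in the comment that the remainder of the descriptor is deliberately ignored. The kernel side logs through DPRINTFN while the libusbhid side returns silently, and that difference is worth a word in the comment too. The bounds checks themselves now run before pushlevel is modified, which is the right order.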
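
Review bot: in the head/share/xml/notices.xml hunk, the entries added are FreeBSD-EN-20:12.iflib and FreeBSD-EN-20:11.ena, and the files added by this revision are likewise EN-20:11 and EN-20:12, but the log message reads "Add EN-20:10, EN-20:11, and SA-20:17." Suggest correcting the log to name EN-20:11 and EN-20:12 so that the revision can be found when searching history for EN-20:12.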