Date: Wed, 15 Aug 2018 05:17:29 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r52127 - in head/share: security/advisories security/patches/SA-18:08 security/patches/SA-18:09 security/patches/SA-18:10 security/patches/SA-18:11 xml Message-ID: <201808150517.w7F5HTl7082754@repo.freebsd.org>
Author: delphij Date: Wed Aug 15 05:17:29 2018 New Revision: 52127 URL: https://svnweb.freebsd.org/changeset/doc/52127 Log: Add SA-18:09-SA-18:11, refresh SA-18:08. Added: head/share/security/advisories/FreeBSD-SA-18:09.l1tf.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-18:10.ip.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-18:11.hostapd.asc (contents, props changed) head/share/security/patches/SA-18:08/tcp-man-10.patch (contents, props changed) head/share/security/patches/SA-18:08/tcp-man-10.patch.asc (contents, props changed) head/share/security/patches/SA-18:08/tcp-man-11.patch (contents, props changed) head/share/security/patches/SA-18:08/tcp-man-11.patch.asc (contents, props changed) head/share/security/patches/SA-18:09/ head/share/security/patches/SA-18:09/l1tf-11.1.patch (contents, props changed) head/share/security/patches/SA-18:09/l1tf-11.1.patch.asc (contents, props changed) head/share/security/patches/SA-18:09/l1tf-11.2.patch (contents, props changed) head/share/security/patches/SA-18:09/l1tf-11.2.patch.asc (contents, props changed) head/share/security/patches/SA-18:10/ head/share/security/patches/SA-18:10/ip.patch (contents, props changed) head/share/security/patches/SA-18:10/ip.patch.asc (contents, props changed) head/share/security/patches/SA-18:11/ head/share/security/patches/SA-18:11/hostapd-10.patch (contents, props changed) head/share/security/patches/SA-18:11/hostapd-10.patch.asc (contents, props changed) head/share/security/patches/SA-18:11/hostapd.patch (contents, props changed) head/share/security/patches/SA-18:11/hostapd.patch.asc (contents, props changed) Modified: head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc head/share/xml/advisories.xml Modified: head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc ============================================================================== --- head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc Tue Aug 14 20:23:19 2018 (r52126) +++ 
head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc Wed Aug 15 05:17:29 2018 (r52127) @@ -15,16 +15,22 @@ Credits: Juha-Matti Tilli <juha-matti.tilli@iki and Nokia Bell Labs Affects: All supported versions of FreeBSD. Corrected: 2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE) - 2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1) - 2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12) + 2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2) + 2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13) 2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE) - 2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10) + 2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11) CVE Name: CVE-2018-6922 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. + +0. Revision history + +v1.0 2018-08-06 Initial release. +v1.1 2018-08-14 Fixed documentation date in manual pages. + I. Background The Transmission Control Protocol (TCP) of the TCP/IP protocol suite @@ -108,6 +114,19 @@ detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc # gpg --verify tcp-11.patch.asc +[*** v1.1 NOTE ***] Patchsets are provided for completeness, it have +little impact to runtime behavior. + +[FreeBSD 10.4] +# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch +# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc +# gpg --verify tcp-man-10.patch.asc + +[FreeBSD 11.x] +# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch +# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc +# gpg --verify tcp-man-11.patch.asc + b) Apply the patch. Execute the following commands as root: # cd /usr/src 
@@ -125,10 +144,10 @@ affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r337392 -releng/10.4/ r337389 +releng/10.4/ r337832 stable/11/ r337391 -releng/11.1/ r337388 -releng/11.2/ r337387 +releng/11.1/ r337828 +releng/11.2/ r337828 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the 
@@ -152,17 +171,17 @@ The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.2.9 (FreeBSD) -iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltosd4ACgkQ05eS9J6n -5cKLRRAApitUTx46nToGtbCr/fzEZtYpjU0L/kMDwFw8ngfrb3MR4yht087t8JK1 -jZlbeKRQwYjN+ecLrO3QdWoM4LavQK/cYuWq2tCpJiwqXK15rDJGBJjlBiAsmupF -fGGSD2DcJ/Jz7zTKDkjybCh83QGGTt/HBZRYLc85ipJPHgPQQtnD/OLjFK34Lr45 -vEss9AAkBEe4ZWiSltrQYzqMYf8+sCz/OYP+NGluz4eUjuzKogqyLIAA29auqoNp -UY5tIUhf8dcB9oeARxWlvmxTKSLB5kevF5jsBzxB8Ap1xUfLFip02h6ApL0xuWz2 -ouX/gN8KBgmJoNIP+GbBY29sQCEY0GTIR9q/dO1ZB3CePJFQsvWjtNeBBjIK66On -xJSSrUXDPANfcePbnCN9JdsclSEJ0+EBYol3hSWVY8bX3OMcOZw1wRXXCwN0T3of -QQwbuP0ORt5OdsOObwaxDJEWLEma7N2swWF5YR0oQl0+ETvkIsqFilsTlY6qEB/L -WG9G1Y9uVn++AJs7HzI+vKVEhhwtJep+7ks28sH5J0LQiUGYfwRACYfVLgi6iXNV -YKPB4hUFd2d8QaYWdgU92YBJWrR8bqyDdetifMEG5tP+TFCeNCh6SMpRnL7Lzns+ -hkZiRHJeIT7tGu77xZknFI6ghDHOdemtZ/QiL0NsrM05spWkdIA= -=HNsD +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztakACgkQ05eS9J6n +5cLN1A//XMCorSih94rs9zvkRPj8g3eN4es5QD9QzI9IwLlfK8DTvtMM9XUKsNT2 +vxgJK8Mnl6N5NddRyiV8o0CioRQF+cmN4cnMhf0LRN6Rv0PqWpsbuuRdWgVtm/aV +yHNEvnY32RbaZ6YQWmAhG9b+7JztWCpv2MawIaIdy6QFWmHV50ElDj5k1QBHauDd +2+P3u3+ohbXNMAZGQjIMQwxIgU7BRTVKASa/GzkPSCwQHFabbtm7aL/jEhzySfdl +bA6ZsMPhr0QqLORKqt8kAUzzFgpVdSRLCa+a8H9phi3CqPDEzGCDdseiCw4mJ+VU +EhFu616EKw7V9G7FXpnK3Z+E0aHe6UYlf4swUzXluWJrtO/n5bD++ObZaSUOPH0l +arcOUe8S5dnHiZ8Gg9BqtT6nKQMPXHgGh8W3U53CPt0USJsUWMPd0GPVYt2QnbkX +27leNs7e1+Njes4PuhOJ+wunn1iye+eTVilqaGkuFC+YKiOJVs9pNJovBTalTsfB +XqQO52DesrJ/C0xo3AaaNGfNB4JhG3rqR2tPiqubNQcEIocTJ7LkGy0lKXiDbIra +UA7fDszAG5l5RSyRtgQ4QPd+EzvYguX1vccFGqItDX9aZdQDspnnViKl/FJNzb19 +p9fEa+ZVjV65N836RhCtRx7allqhTAX4yQFXIrUiwQ3ssLNAx1s= +=sl/Z -----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-18:09.l1tf.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-18:09.l1tf.asc Wed Aug 15 05:17:29 2018 (r52127) 
@@ -0,0 +1,165 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:09.l1tf Security Advisory + The FreeBSD Project + +Topic: L1 Terminal Fault (L1TF) Kernel Information Disclosure + +Category: core +Module: Kernel +Announced: 2018-08-14 +Affects: All supported versions of FreeBSD. +Corrected: 2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE) + 2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2) + 2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13) +CVE Name: CVE-2018-3620, CVE-2018-3646 + +Special Note: Speculative execution vulnerability mitigation remains a work + in progress. This advisory addresses the issue in FreeBSD + 11.1 and later. We expect to update this advisory to include + 10.4 at a later time. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +When a program accesses data in memory via a logical address it is translated +to a physical address in RAM by the CPU. Accessing an unmapped logical +address results in what is known as a terminal fault. + +II. Problem Description + +On certain Intel 64-bit x86 systems there is a period of time during terminal +fault handling where the CPU may use speculative execution to try to load +data. The CPU may speculatively access the level 1 data cache (L1D). Data +which would otherwise be protected may then be determined by using side +channel methods. + +This issue affects bhyve on FreeBSD/amd64 systems. + +III. Impact + +An attacker executing user code, or kernel code inside of a virtual machine, +may be able to read secret data from the kernel or from another virtual +machine. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +30 "Rebooting for security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch +# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc +# gpg --verify l1tf-11.2.patch.asc + +[FreeBSD 11.1] +# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch +# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc +# gpg --verify l1tf-11.1.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +CVE-2018-3620 (L1 Terminal Fault-OS) +- ------------------------------------ +FreeBSD reserves the the memory page at physical address 0, so it will not +contain secret data. FreeBSD zeros the paging data structures for unmapped +addresses, so that speculatively executed L1 Terminal Faults will access only +the reserved, unused page. 
+ +CVE-2018-3646 (L1 Terminal Fault-VMM) +- ------------------------------------- +Patched systems flush the L1 data cache prior to guest entry, so that there +is no secret data in cache for a terminal fault (from the the guest) to +access. + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r337794 +releng/11.1/ r337828 +releng/11.2/ r337828 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +More information on L1 Terminal Fault is available at: + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646> + +<URL:https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault> + +<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html> + +The FreeBSD Security Team thanks Intel for disclosing the issue. 
+ +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.l1tf.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.9 (FreeBSD) + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztc8ACgkQ05eS9J6n +5cLwEhAAos2Bnilthrbd+uQr1IGASD96aZZ5iXvn1Ibls03Vtd0kG9EcU30gFVG0 +HSg47qT7r5qJQUdhuSYxspgS9ZxXpRez1vnAz7cSGHL9FdecyfHWmHvGor5tz84/ +CgX4jCCAZfqDBquYD+ioqiLX7p1ZTRKfHBQOHcGgMfMq8UQUsg1YriXabEqnavU6 +W0h/eCGBo/Dbvl7004Gx0hKmDO2YQxt9aPWfInXWx1VOMf+wNWpcrvU6rJ4kOnL9 +7BXi+c5+vwlVXDvjrTwP9X+9DDa0MJcMoy2JCyCa/0W7lQ9nADLfUiXLsTvLDo6V +6/sooFbqlO+Qz37XHlXOXaoVGZGw+NtJRcnD+w8ueP9ts02SsECoxofN8tPOzGsT +T285qAwv8D8uuBLU3dc9y+assEe3j/4Aqb1Eil6Eh1MsHypEvyN5z9+PIpbN2tWK +qqCtzgqx037Jvjo6DwjwMUd+DikObGjZyK4pwP8KIeccOIBrUAA1Xel7Xr74xuwq +LwqtcHb2MWeFD0Mw+oW9viuJKrxyu6aiQfU6FsuGVmHjtXGxi+aWyGQqed+q8FcU +w/J6fq4kmBVVqNNrAMc/bWKU3IXAj4c48H0CSiCoX4dE4waRQ+cEetKkSWVGYnXj +3QdoyPsiqo8Goo34Cn0Ipf9GWDeNVv32iz0fXtr4LtoVZKCx9oc= +=G5SD +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-18:10.ip.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-18:10.ip.asc Wed Aug 15 05:17:29 2018 (r52127) 
@@ -0,0 +1,172 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:10.ip Security Advisory + The FreeBSD Project + +Topic: Resource exhaustion in IP fragment reassembly + +Category: core +Module: inet +Announced: 2018-08-14 +Credits: Juha-Matti Tilli <juha-matti.tilli@iki.fi> from + Aalto University, Department of Communications and Networking + and Nokia Bell Labs +Affects: All supported versions of FreeBSD. +Corrected: 2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE) + 2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2) + 2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13) +CVE Name: CVE-2018-6923 + +Special note: Due to source code differences in FreeBSD 10-stable a patch + is not yet available for FreeBSD 10.4. This will follow at + a later date. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of +packets which are too big to traverse all the links between two end +stations. Any router along the path between two end hosts may fragment +packets which are larger than a link's maximum transmission unit +(MTU). FreeBSD's implementation of some IPv4 protocols (such as the +Transmission Control Protocol [TCP]) perform path MTU discovery to +avoid the need for fragmentation. + +IP version 6 (IPv6) retains the concept of packet fragmentation. It +changed the fragmentation operation to require that the originating +end-system perform path MTU discovery and fragment packets which are +too large for any MTU along the path between two end systems. 
+ +While all hosts attached to the Internet are required to support +fragmentation and reassembly, many hosts will encounter very few +legitimate fragmented packets due to the operation of path MTU discovery. + +II. Problem Description + +A researcher has notified us of a DoS attack applicable to another +operating system. While FreeBSD may not be vulnerable to that exact +attack, we have identified several places where inadequate DoS protection +could allow an attacker to consume system resources. + +It is not necessary that the attacker be able to establish two-way +communication to carry out these attacks. These attacks impact both +IPv4 and IPv6 fragment reassembly. + +III. Impact + +In the worst case, an attacker could send a stream of crafted +fragments with a low packet rate which would consume a substantial +amount of CPU. + +Other attack vectors allow an attacker to send a stream of crafted +fragments which could consume a large amount of CPU or all available +mbuf clusters on the system. + +These attacks could temporarily render a system unreachable through +network interfaces or temporarily render a system unresponsive. The +effects of the attack should clear within 60 seconds after the attack stops. + +IV. Workaround + +Disable fragment reassembly, using these commands: + % sysctl net.inet.ip.maxfragpackets=0 + % sysctl net.inet6.ip6.maxfrags=0 + +On systems compiled with VIMAGE, these sysctls will need to be +executed for each VNET. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or release or +security branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Afterward, reboot the system. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +Afterward, reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.x] +# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch +# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc +# gpg --verify ip.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r337804 +releng/11.1/ r337828 +releng/11.2/ r337828 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://www.kb.cert.org/vuls/id/641765> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6923> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:10.ip.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.9 (FreeBSD) + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztekACgkQ05eS9J6n +5cJekQ/+PAOPGiPwpafBGuxwZVOaB3JloxJATPzg8z7PE7lvvo6I4pdwP0wq7ruJ +vRejKXJPDPkDcNziyhB+QdhTXt3O1OAvow9n89nNKiLYX44+C2igTSbHGVe7lIFN +NHvzGSJsdaPnm9qdvD3R7ZWT4vkNvoDiDiNChBSw829ZyGgLe1wNOOqQvsqVlwQt +1p0ikLHv30wbSX5KlSkLUSYA66pwcEd8eZFM43pwOZw9eIhcggAhufjTWdgnIBZA +ZYiMqUi/7ZydO2YW55cVa290tP8JGf6PynmYwBJWTGInz2RlM18TyBcWILewgXic +PM7jJ75thqd26BcPCh44toZWT8A7EYYiZ6iieLfAaQD7R6zqkeVwT39kV50YYRmW +tA3jmTKhJ1B0AXQbkh3QZw8cfgIOMYzcbjy4MCcBS3XbehRuT58Jvc8nFFsrypuE +FF4O3GtqFBKJUrcCJZF0VR0CvU7GUxTeYmS/9dNfQMJlEouFdPatn2jJwTfkiu0O +I1NlDHA6jriZxepaSa+zxqF86pxNvTI5gRouWwMdevtEPVZGBF8A+DDA5fk1wcdS +dEV4jcxcg1LH+EPBItYTh7seYYPodFdSyu5X/hLGBo/4XyA4Mb3xIjct74nKr0qx +bPR3y53fV9+4JWazgO0bIlMG8XVH4go8Rh9n0IKdqv8xwdLVo3w= +=ddfE +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-18:11.hostapd.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-18:11.hostapd.asc Wed Aug 15 05:17:29 2018 (r52127) 
@@ -0,0 +1,159 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:11.hostapd Security Advisory + The FreeBSD Project + +Topic: Unauthenticated EAPOL-Key Decryption Vulnerability + +Category: contrib +Module: wpa +Announced: 2018-08-14 +Credits: Mathy Vanhoef of the imec-DistriNet research group of + KU Leuven +Affects: All supported versions of FreeBSD. +Corrected: 2018-08-15 05:03:54 UTC (stable/11, 11.1-STABLE) + 2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2) + 2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13) + 2018-08-15 05:05:02 UTC (stable/10, 10.4-STABLE) + 2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11) +CVE Name: CVE-2018-14526 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The wpa_supplicant(8) utility is a client (supplicant) with support for WPA +and WPA2 (IEEE 802.11i / RSN). It is suitable for both desktop and laptop +computers as well as embedded systems. Supplicant is the IEEE 802.1X/WPA +component that is used in the client stations. It implements key negotiation +with a WPA Authenticator and it controls the roaming and IEEE 802.11 +authentication/association of the wlan(4) driver. + +The wpa_supplicant(8) utility is designed to be a "daemon" program that runs +in the background and acts as the backend component controlling the wireless +connection. The wpa_supplicant(8) utility supports separate frontend programs +and a text-based frontend (wpa_cli(8)) and a GUI (wpa_gui) are included with +wpa_supplicant(8). + +II. Problem Description + +When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC +flag set, the data field was decrypted first without verifying the MIC. 
When +the dta field was encrypted using RC4, for example, when negotiating TKIP as +a pairwise cipher, the unauthenticated but decrypted data was subsequently +processed. This opened wpa_supplicant(8) to abuse by decryption and recovery +of sensitive information contained in EAPOL-Key messages. + +See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt +for a detailed description of the bug. + +III. Impact + +All users of the WPA2 TKIP pairwise cipher are vulnerable to information, for +example, the group key. + +IV. Workaround + +Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks in +wpa_supplicant.conf(5) by changing 'pairwise=CCMP TKIP' to 'pariwise=CCMP'. + +This can also be mitigated by removing TKIP as a cipher on the AP. + +Systems and users who do not use WPA2 TKIP are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.x] +# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch +# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch.asc +# gpg --verify hostapd.patch.asc + +[FreeBSD 10.4] +# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch +# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch.asc +# gpg --verify hostapd-10.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r337832 +releng/10.4/ r337829 +stable/11/ r337831 +releng/11.1/ r337828 +releng/11.2/ r337828 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14526> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.hostapd.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.9 (FreeBSD) + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztf8ACgkQ05eS9J6n +5cJ2kRAAiuef2NM6sG/OJhjIi3zTNZRTmO2S7BcaD8w7RDmH0rp1XPzTRs8CyWxo +zLfoubOwIucS1nQGHHYhwTYSXw7lFvGWbebuzhNcEUOc8a1TrpLlyinqF8KDgfNd +RSkTR1OTF91BEjlYKjuIFKUZ6OxUCpgUrprneEyn5wV/0eLkRv3VNqUuAwkTqU/i +X7pnFd2BXPpvKTatefpGjnYmo3j3oJSiQeXcPM9zgcm6n9ZD+KiC48vdvbZGmERt +HsMzUy0Z+OehKMJ+RvemWTiEwEFO7BK/FFgGH8LAgrwd0xff2RDU7S0NeCd+p76g +y98aUg0WF6RqHXU/xHeHpljHxzrWP3Msb56NqB+phFuEKvVoVimGL54P6/sBSbq+ +eACFcTUcf88MLry41zKBchSmekzSdzeV1S6kQGG74W7DfYY/UdF/4ves/eNqO13l +J5PjjusPn5IS+IP1omA6imJNHoEUrKR4ZW6KXZEfF7NdtcLGRebrAGySdqD0jHPP +23fkVQRmEL23fwtlONxNhvrF/oA09/oHS++MUEUxF6b6BRyq0sQ/aBXU5GpoI8VQ +5nDcASCloson18oA91T125bwD1bt6yLeTaFWhRJj6eeEI5HcJchZ9m1kGflNxEO9 +vM6bvIEPmF1IcR304i1os2JMgWHOAtOKxlsZpnwGs9U0qJu9/nw= +=34YE +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-18:08/tcp-man-10.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:08/tcp-man-10.patch Wed Aug 15 05:17:29 2018 (r52127) @@ -0,0 +1,11 @@ +--- share/man/man4/tcp.4.orig ++++ share/man/man4/tcp.4 +@@ -38,7 +38,7 @@ + .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 + .\" $FreeBSD$ + .\" +-.Dd October 13, 2014 ++.Dd August 6, 2018 + .Dt TCP 4 + .Os + .Sh NAME Added: head/share/security/patches/SA-18:08/tcp-man-10.patch.asc ============================================================================== 
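Review bot: The workaround in section IV of the new FreeBSD-SA-18:11.hostapd.asc tells users to change 'pairwise=CCMP TKIP' to 'pariwise=CCMP'; the replacement key is misspelled, so a user who copies it verbatim would most likely have the line rejected as an unknown field in wpa_supplicant.conf(5) instead of dropping TKIP — it should read `pairwise=CCMP`. The "latest revision of this advisory" link at the end of the same file points at `FreeBSD-SA-18:09.hostapd.asc`, while the advisory header and the file being added are SA-18:11, so the canonical URL will not resolve to this advisory. Section II also reads `the dta field` for `the data field`. Since the body is a PGP signed message, correcting any of these means re-signing the advisory, not just editing the text.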
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:08/tcp-man-10.patch.asc Wed Aug 15 05:17:29 2018 (r52127) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.9 (FreeBSD) + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztboACgkQ05eS9J6n +5cJtEQ/8CDdSUbL4aWI2tt1NTAxMoLirMte4r4oR6R3L3prOQWzqKc8m2KV73pgI +5hSAbcyW8pINgJ4gIX8FwXd+g1bfiz/9Fq7J7IEeZHbNPUo150NCsHC8LPG4oupz +6UmjGybX/J4nBrKMVqC88p7sWeukvCQm2d8fcKJQgUPQ8d9lgjRFn2MeaKEGR36j +rhQRK0GSQC7PLgsxzmHAnPtMBqnBNxP9GAyv/O+GX4pAX4PVf6GevQZMYMMPZYNE +yC8vOclIBuSuOlXaEtanCB7w3WT4M+x6VUwM8NSTq30uQe3NMUvzbzlv+YE2xx0Q +3XYncGma86rL0FqrqcgLZLoWHJAubqlxonCJNSNXS0o8I77njPffkKx1nDFtpUt2 +IdIleTaltinZXq1mAoPqtrt/nOa9x1C4hihvrIStIYAi/0rLdB8rCGJgMjD8twG7 +W7GUTJxDz2F/dp/y3zomwg69cjdXadh8JWHoPwscPObFhWUml3/WnPLw8iw0ae4A +TE8+npZUir8zbbxevcZrQxZA/FasfVIEZJytBkIs6z9t+bxa6stBeR/tWU1qgYPx +oSebDN09tpb3Qzb8uUKNHjuF9La6BXmstjzuh8F/FgPqfImIGQaTkvb0/jcZtvJt +GatGGPBnZCJWZvy5wvHkNYbUxO81A6dvBJd0kYbS8Q4vYLrzjHo= +=tsh3 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-18:08/tcp-man-11.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:08/tcp-man-11.patch Wed Aug 15 05:17:29 2018 (r52127) @@ -0,0 +1,11 @@ +--- share/man/man4/tcp.4.orig ++++ share/man/man4/tcp.4 +@@ -34,7 +34,7 @@ + .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 + .\" $FreeBSD$ + .\" +-.Dd February 6, 2017 ++.Dd August 6, 2018 + .Dt TCP 4 + .Os + .Sh NAME Added: head/share/security/patches/SA-18:08/tcp-man-11.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:08/tcp-man-11.patch.asc Wed Aug 15 05:17:29 2018 (r52127) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.9 (FreeBSD) + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztbgACgkQ05eS9J6n +5cJfvA//VV3j4T6xmYhMFYQ9fzExzBAfzmJjhmVeeAS/JBrKcHhsZgVuIk1E7CD/ +U1hqrlnwlPgG76UNe3tsXaDxhhYOFo4jH3COwE6zXJaXjDDv0H3rfc3TjbJD22fw +ktz0P2P9DP0uxb1M2f73yrVvQokPlI5cWQ4yQa0MCyVWNUtCKJPIzK27hupjNo7L +sDepUOR7809n2vHD1uXrkwAi4OfMYLkxDtf0Yt31EJ8+/ZeL8qg6caP2QPElAnws +3P45z/SqVg3ygmBR9WhF0UK98a7FuyDI79/KZSMBIAOkl7nwe09HZjjvFNYlXnPq +l7duHMVcC87VhZ0IaNQ1fEDIcyyXws7pVQpWNuA6HGOjLFYSGrJWCzek/yPsTO+S +m631sRGWs/YyyY49S1D5P/6MaAGT2WjOnSX3q8wy+2WkKDPdQSlj85MZvRKKXY5u +5KgvqWH6w/hxtHHDE+9Bk8dDfW7aHBGSy/lV5I2VorgE3dyp1vWTMuOacWeMJqhN +twzlLEn7QCZgkEocb6rqK+fVuG3Sx+QJPa8pKBj3LgsnHTd8mJRcWWtzG50LvNcO +orzUHwYht0gWrSfsfsS5OXfMUrOeEfpxtAB0FYh+2Sr+1jEtaAqBA4S9yHUnNUtS +jLcoPClf+s4FVvm1khHLihhKHp/BMFoha8zeQKudrod4UNxSQxM= +=r2Sc +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-18:09/l1tf-11.1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:09/l1tf-11.1.patch Wed Aug 15 05:17:29 2018 (r52127) 
@@ -0,0 +1,213 @@ +--- sys/amd64/amd64/pmap.c.orig ++++ sys/amd64/amd64/pmap.c +@@ -1206,6 +1206,9 @@ + vm_size_t s; + int error, i, pv_npg; + ++ /* L1TF, reserve page @0 unconditionally */ ++ vm_page_blacklist_add(0, bootverbose); ++ + /* + * Initialize the vm page array entries for the kernel pmap's + * page table pages. +--- sys/amd64/vmm/intel/vmx.c.orig ++++ sys/amd64/vmm/intel/vmx.c +@@ -183,6 +183,12 @@ + SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD, + &vpid_alloc_failed, 0, NULL); + ++static int guest_l1d_flush; ++SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD, ++ &guest_l1d_flush, 0, NULL); ++ ++uint64_t vmx_msr_flush_cmd; ++ + /* + * Use the last page below 4GB as the APIC access address. This address is + * occupied by the boot firmware so it is guaranteed that it will not conflict +@@ -718,6 +724,12 @@ + return (error); + } + ++ guest_l1d_flush = (cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) == 0; ++ TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush); ++ if (guest_l1d_flush && ++ (cpu_stdext_feature3 & CPUID_STDEXT3_L1D_FLUSH) != 0) ++ vmx_msr_flush_cmd = IA32_FLUSH_CMD_L1D; ++ + /* + * Stash the cr0 and cr4 bits that must be fixed to 0 or 1 + */ +--- sys/amd64/vmm/intel/vmx_genassym.c.orig ++++ sys/amd64/vmm/intel/vmx_genassym.c +@@ -36,6 +36,7 @@ + + #include <vm/vm.h> + #include <vm/pmap.h> ++#include <vm/vm_param.h> + + #include <machine/vmm.h> + #include "vmx_cpufunc.h" +@@ -86,3 +87,6 @@ + + ASSYM(KERNEL_SS, GSEL(GDATA_SEL, SEL_KPL)); + ASSYM(KERNEL_CS, GSEL(GCODE_SEL, SEL_KPL)); ++ ++ASSYM(PAGE_SIZE, PAGE_SIZE); ++ASSYM(KERNBASE, KERNBASE); +--- sys/amd64/vmm/intel/vmx_support.S.orig ++++ sys/amd64/vmm/intel/vmx_support.S +@@ -28,6 +28,7 @@ + */ + + #include <machine/asmacros.h> ++#include <machine/specialreg.h> + + #include "vmx_assym.h" + +@@ -136,9 +137,47 @@ + jbe invept_error /* Check invept instruction error */ + + guest_restore: +- cmpl $0, %edx ++ ++ /* ++ * Flush L1D cache if requested. 
Use IA32_FLUSH_CMD MSR if available, ++ * otherwise load enough of the data from the zero_region to flush ++ * existing L1D content. ++ */ ++#define L1D_FLUSH_SIZE (64 * 1024) ++ movl %edx, %r8d ++ cmpb $0, guest_l1d_flush(%rip) ++ je after_l1d ++ movq vmx_msr_flush_cmd(%rip), %rax ++ testq %rax, %rax ++ jz 1f ++ movq %rax, %rdx ++ shrq $32, %rdx ++ movl $MSR_IA32_FLUSH_CMD, %ecx ++ wrmsr ++ jmp after_l1d ++1: movq $KERNBASE, %r9 ++ movq $-L1D_FLUSH_SIZE, %rcx ++ /* ++ * pass 1: Preload TLB. ++ * Kernel text is mapped using superpages. TLB preload is ++ * done for the benefit of older CPUs which split 2M page ++ * into 4k TLB entries. ++ */ ++2: movb L1D_FLUSH_SIZE(%r9, %rcx), %al ++ addq $PAGE_SIZE, %rcx ++ jne 2b ++ xorl %eax, %eax ++ cpuid ++ movq $-L1D_FLUSH_SIZE, %rcx ++ /* pass 2: Read each cache line */ ++3: movb L1D_FLUSH_SIZE(%r9, %rcx), %al ++ addq $64, %rcx ++ jne 3b ++ lfence ++#undef L1D_FLUSH_SIZE ++after_l1d: ++ cmpl $0, %r8d + je do_launch +- + VMX_GUEST_RESTORE + vmresume + /* +--- sys/vm/vm_page.c.orig ++++ sys/vm/vm_page.c +@@ -290,6 +290,27 @@ + return (0); + } + ++bool ++vm_page_blacklist_add(vm_paddr_t pa, bool verbose) ++{ ++ vm_page_t m; ++ int ret; ++ ++ m = vm_phys_paddr_to_vm_page(pa); ++ if (m == NULL) ++ return (true); /* page does not exist, no failure */ ++ ++ mtx_lock(&vm_page_queue_free_mtx); ++ ret = vm_phys_unfree_page(m); ++ mtx_unlock(&vm_page_queue_free_mtx); ++ if (ret) { ++ TAILQ_INSERT_TAIL(&blacklist_head, m, listq); ++ if (verbose) ++ printf("Skipping page with pa 0x%jx\n", (uintmax_t)pa); ++ } ++ return (ret); ++} ++ + /* + * vm_page_blacklist_check: + * +@@ -301,26 +322,13 @@ + vm_page_blacklist_check(char *list, char *end) + { + vm_paddr_t pa; +- vm_page_t m; + char *next; +- int ret; + + next = list; + while (next != NULL) { + if ((pa = vm_page_blacklist_next(&next, end)) == 0) + continue; +- m = vm_phys_paddr_to_vm_page(pa); +- if (m == NULL) +- continue; +- mtx_lock(&vm_page_queue_free_mtx); +- ret = 
vm_phys_unfree_page(m); +- mtx_unlock(&vm_page_queue_free_mtx); +- if (ret == TRUE) { +- TAILQ_INSERT_TAIL(&blacklist_head, m, listq); +- if (bootverbose) +- printf("Skipping page with pa 0x%jx\n", +- (uintmax_t)pa); +- } ++ vm_page_blacklist_add(pa, bootverbose); + } + } + +--- sys/vm/vm_page.h.orig ++++ sys/vm/vm_page.h +@@ -448,6 +448,7 @@ + u_long npages, vm_paddr_t low, vm_paddr_t high, u_long alignment, + vm_paddr_t boundary, vm_memattr_t memattr); + vm_page_t vm_page_alloc_freelist(int, int); ++bool vm_page_blacklist_add(vm_paddr_t pa, bool verbose); + vm_page_t vm_page_grab (vm_object_t, vm_pindex_t, int); + int vm_page_try_to_free (vm_page_t); + void vm_page_deactivate (vm_page_t); +--- sys/x86/include/specialreg.h.orig ++++ sys/x86/include/specialreg.h +@@ -378,6 +378,7 @@ + */ + #define CPUID_STDEXT3_IBPB 0x04000000 + #define CPUID_STDEXT3_STIBP 0x08000000 ++#define CPUID_STDEXT3_L1D_FLUSH 0x10000000 + #define CPUID_STDEXT3_ARCH_CAP 0x20000000 + + /* MSR IA32_ARCH_CAP(ABILITIES) bits */ +@@ -427,6 +428,7 @@ + #define MSR_IA32_EXT_CONFIG 0x0ee /* Undocumented. Core Solo/Duo only */ + #define MSR_MTRRcap 0x0fe + #define MSR_IA32_ARCH_CAP 0x10a ++#define MSR_IA32_FLUSH_CMD 0x10b + #define MSR_BBL_CR_ADDR 0x116 + #define MSR_BBL_CR_DECC 0x118 + #define MSR_BBL_CR_CTL 0x119 +@@ -580,6 +582,9 @@ + /* MSR IA32_PRED_CMD */ + #define IA32_PRED_CMD_IBPB_BARRIER 0x0000000000000001ULL + ++/* MSR IA32_FLUSH_CMD */ ++#define IA32_FLUSH_CMD_L1D 0x00000001 ++ + /* + * PAT modes. + */ Added: head/share/security/patches/SA-18:09/l1tf-11.1.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:09/l1tf-11.1.patch.asc Wed Aug 15 05:17:29 2018 (r52127) 
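Review bot: The knob controlling the guest L1D flush is registered under two different names in the vmx.c hunk — `SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD, ...)` exposes it read-only as hw.vmm.vmx.l1d_flush, while `TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush)` reads hw.vmm.l1d_flush — so an administrator who puts the name reported by sysctl into loader.conf silently gets no effect, and the advisory text documents neither name; the same applies to the vmx.c hunk of l1tf-11.2.patch. In vmx_support.S, `cmpb $0, guest_l1d_flush(%rip)` tests only the low byte of an `int`, so a tunable value whose low byte is zero (e.g. 256) disables the flush although the variable is non-zero; `cmpl $0, guest_l1d_flush(%rip)` matches the declared type. The comment above the software fallback says it loads "data from the zero_region", but the loop reads from `$KERNBASE` (kernel text, as the pass-1 comment itself says), so the comment should be corrected to avoid misleading the next reader. In pmap.c the result of `vm_page_blacklist_add(0, bootverbose)` is discarded even though the function returns false when vm_phys_unfree_page() fails, and the CVE-2018-3620 mitigation rests on page 0 being reserved; a `printf` on a false return would make a silently missing mitigation visible at boot. The functions enclosing the pmap.c and vmx.c hunks begin and end outside the hunk.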
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztdsACgkQ05eS9J6n
+5cItLA//UjGUEP8QwggeT/drm99htP1lpABfxgLjaBFvXDQ8pFJU2D8bm0X/jHBW
+ExM4TO1H2K6gKtJMXC1gCgL9DXy6ukqI7DDKjG2vt46U8533DQ715C4HInj5+mdp
+hvdJVFKbLKVA4jqv0Z+LGeM/yhC5vLCJ+Upirfz42pLWUdmW1a5zbT0pEXsKldxJ
+cTRWfKck7TKbND9cYczaRKl7YjaJNUY8x2FZ3aq607dxWMbreW1sP1VnC2W/EJOa
+fX6G7WC38uZ5RzLL0GoyEUoA83ljcQLYjGWEH0Kr90AfRw6geh2ViajYWMaRj4Kg
+0/Jax7pn5xI14FaREwMybz7Lj+l2DpYfpToYs9Uh4mg/Ug8orLellD+tEBP88NyY
+aWRPYYc3um08osZ6f96RRdH8bOoYgyW+0HV7hO1ZBrIZiAwLdh7nSLoBPEGoGA/e
+XumkfRbwCc5gODH4NYDuCGFppQ2qQ+vfws97kFWULoia8PM/bseFICv9lbZ3c3wc
+7ImNHSHRCDk8lanX8ivTEN2MqEtQBIXwMJuLy6L2s2SPFaaH8Tzt6VNcFvDMONQb
+iXpUoejcLFdeQV1tisnOTsJ6bZayHQjuE6mvLmbSSVjWhh1X3ZStoqhU44AGnmiC
+LjEmQ03E/pCYfA4YV3trqAsE4dqgNTReiiK2P0edkIlo72g42x0=
+=8Mzj
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-18:09/l1tf-11.2.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-18:09/l1tf-11.2.patch Wed Aug 15 05:17:29 2018 (r52127)
@@ -0,0 +1,145 @@
+--- sys/amd64/amd64/pmap.c.orig
++++ sys/amd64/amd64/pmap.c
+@@ -1215,6 +1215,9 @@
+ vm_size_t s;
+ int error, i, pv_npg, ret, skz63;
+
++ /* L1TF, reserve page @0 unconditionally */
++ vm_page_blacklist_add(0, bootverbose);
++
+ /* Detect bare-metal Skylake Server and Skylake-X. */
+ if (vm_guest == VM_GUEST_NO && cpu_vendor_id == CPU_VENDOR_INTEL &&
+ CPUID_TO_FAMILY(cpu_id) == 0x6 && CPUID_TO_MODEL(cpu_id) == 0x55) {
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -185,6 +185,12 @@
+ SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD,
+ &vpid_alloc_failed, 0, NULL);
+
++static int guest_l1d_flush;
++SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD,
++ &guest_l1d_flush, 0, NULL);
++
++uint64_t vmx_msr_flush_cmd;
++
+ /*
+ * Use the last page below 4GB as the APIC access address. This address is
+ * occupied by the boot firmware so it is guaranteed that it will not conflict
+@@ -720,6 +726,12 @@
+ return (error);
+ }
+
++ guest_l1d_flush = (cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) == 0;
++ TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush);
++ if (guest_l1d_flush &&
++ (cpu_stdext_feature3 & CPUID_STDEXT3_L1D_FLUSH) != 0)
++ vmx_msr_flush_cmd = IA32_FLUSH_CMD_L1D;
++
+ /*
+ * Stash the cr0 and cr4 bits that must be fixed to 0 or 1
+ */
+--- sys/amd64/vmm/intel/vmx_genassym.c.orig
++++ sys/amd64/vmm/intel/vmx_genassym.c
+@@ -36,6 +36,7 @@
+
+ #include <vm/vm.h>
+ #include <vm/pmap.h>
++#include <vm/vm_param.h>
+
+ #include <machine/vmm.h>
+ #include "vmx_cpufunc.h"
+@@ -86,3 +87,6 @@
+
+ ASSYM(KERNEL_SS, GSEL(GDATA_SEL, SEL_KPL));
+ ASSYM(KERNEL_CS, GSEL(GCODE_SEL, SEL_KPL));
++
++ASSYM(PAGE_SIZE, PAGE_SIZE);
++ASSYM(KERNBASE, KERNBASE);
+--- sys/amd64/vmm/intel/vmx_support.S.orig
++++ sys/amd64/vmm/intel/vmx_support.S
+@@ -28,6 +28,7 @@
+ */
+
+ #include <machine/asmacros.h>
++#include <machine/specialreg.h>
+
+ #include "vmx_assym.h"
+
+@@ -173,9 +174,47 @@
+ jbe invept_error /* Check invept
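Review bot: guest_l1d_flush is declared `static int` in the vmx.c hunk, yet the vmx_support.S hunk of this same patch reads it by name from another translation unit (`cmpb $0, guest_l1d_flush(%rip)`), while the neighbouring `uint64_t vmx_msr_flush_cmd;` is left non-static for exactly that use. A plain object link would report that reference as undefined; if the module loads it is because the in-kernel module linker resolves the symbol by name regardless of binding, and declaring it `int guest_l1d_flush;` removes the dependency on that behaviour. The pmap.c hunk above also discards the result of `vm_page_blacklist_add(0, bootverbose)`, so a page 0 that could not be removed from the free lists would stay allocatable without any message; checking the result and printing a warning there would make the mitigation state observable. The same asm reference appears in the l1tf-11.1.patch hunk at the top of this chunk, and the vmx_support.S hunk itself continues past the end of this message.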
instruction error */
+
+ guest_restore:
+- cmpl $0, %edx
+- je do_launch
+
++ /*
++ * Flush L1D cache if requested. Use IA32_FLUSH_CMD MSR if available,
++ * otherwise load enough of the data from the zero_region to flush
++ * existing L1D content.
++ */
++#define L1D_FLUSH_SIZE (64 * 1024)
++ movl %edx, %r8d
++ cmpb $0, guest_l1d_flush(%rip)
++ je after_l1d
++ movq vmx_msr_flush_cmd(%rip), %rax
++ testq %rax, %rax
++ jz 1f
++ movq %rax, %rdx
++ shrq $32, %rdx
++ movl $MSR_IA32_FLUSH_CMD, %ecx
++ wrmsr
++ jmp after_l1d
++1: movq $KERNBASE, %r9
++ movq $-L1D_FLUSH_SIZE, %rcx
++ /*
++ * pass 1: Preload TLB. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
