From: Xin LI
Date: Wed, 12 Jul 2017 08:31:16 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r50475 - in head/share: security/advisories security/patches/EN-17:06 security/patches/SA-17:05 xml

Author: delphij
Date: Wed Jul 12 08:31:16 2017
New Revision: 50475
URL: https://svnweb.freebsd.org/changeset/doc/50475

Log:
  Add SA-17:05 and EN-17:06.

Added:
  head/share/security/advisories/FreeBSD-EN-17:06.hyperv.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-17:05.heimdal.asc (contents, props changed)
  head/share/security/patches/EN-17:06/
  head/share/security/patches/EN-17:06/hyperv.patch (contents, props changed)
  head/share/security/patches/EN-17:06/hyperv.patch.asc (contents, props changed)
  head/share/security/patches/SA-17:05/
  head/share/security/patches/SA-17:05/heimdal.patch (contents, props changed)
  head/share/security/patches/SA-17:05/heimdal.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-17:06.hyperv.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-17:06.hyperv.asc Wed Jul 12 08:31:16 2017 (r50475) 
@@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-17:06.hyperv Errata Notice + The FreeBSD Project + +Topic: Boot compatibility improvements with Azure VMs + +Category: core +Module: hyperv/storvsc +Announced: 2017-07-12 +Credits: Microsoft OSTC +Affects: FreeBSD 10.3 +Corrected: 2016-10-19 08:45:19 UTC (stable/10, 10.3-STABLE) + 2017-07-12 08:07:55 UTC (releng/10.3, 10.3-RELEASE-p20) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +Hyper-V is a default hypervisor provided on Windows server by Microsoft. +ATA driver is the legacy storage driver for FreeBSD on Hyperv, now they +are replaced by synthetic driver which has better performance. + +There are issues when attaching multiple synthetic storage driver for +FreeBSD 10.3 on some of Hyper-V hosts. + +CD/DVD cannot be detected in some circumstances which cause provisioning +fail on Azure. + +II. Problem Description + +The disk INQUIRY response is not complete for FreeBSD 10.3 on some +Hyper-V hosts, which will cause the disks will be detached during boot. + +An interrupt is missing if we allow intr_shuffle_irqs on Hyper-V. + +III. Impact + +FreeBSD 10.3 can not be boot properly on a guest system on Hyper-V host. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +A reboot is required. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is required. 
+ +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-17:06/hyperv.patch +# fetch https://security.FreeBSD.org/patches/EN-17:06/hyperv.patch.asc +# gpg --verify hyperv.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r307623 +releng/10.3/ r320912 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlll2psACgkQ7Wfs1l3P +audtKRAA2OiRehFvElfsMARX+nBZazgKUGXfFRmWO8v8MCpI9jQtB9T8HItDWVHh +ZPbgM/AV3osUAmzdZOFwTpHbVbPQ8nO14n5inhC9u0J0wA0c5apfp54F2EXdgm6+ ++ckf+2lkisBI1YVewH8aPRNSIhueRJPEX79g7Z/EqxHJhq1wfGaJ6zDT8royE1F8 +q8uyawClGL1vS7ofW4IPVYQOgebf+s7vSF845JWQcqXeqpPU6Qt1kGP+wkTSx7HE +3tuRowym5EmzweP+U5DqE34Ryli7/jsDr0rgmVkVh5JEQfHznSadAAWsHj9bMimc +4Y2TSYdOhrPKV6Id/el5XWTSetUVPHMmQh6TTIWg10Ygr6CK0folZWnR5t2ym4np +HfzEdaUXJXZyj/5qy1mcFzR8JRifj9lmlRzBqZOOOwMakhSSYD7daouLK76SvH0K +gf4AgG0X6FUETD8N+rM+1RpvSfbeA9zktcPmxE/WCTtc8lIcQc/9CZY7zNOoi+du +LKU1MhWBQTk8zP5AHzAmHL+O+C6sF7uYVaUL6Ui3hqq2AjhnK+sxVX1QNT4kwgJ4 +h3sBliNUQ6kz1e2yTROj2v66OkFKYaSugLwyg15Qa6pfE7R448lCwZOe65rYYTyZ +u4yd5mACaO9mkYmQulxIO/Eit19kGvapBXF4CEHBt+WvqG8Cbdk= +=a6m2 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-17:05.heimdal.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-17:05.heimdal.asc Wed Jul 12 08:31:16 2017 (r50475) 
@@ -0,0 +1,146 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-17:05.heimdal Security Advisory + The FreeBSD Project + +Topic: heimdal KDC-REP service name validation vulnerability + +Category: contrib +Module: heimdal +Announced: 2017-07-12 +Affects: All supported versions of FreeBSD. +Corrected: 2017-07-12 07:26:07 UTC (stable/11, 11.1-PRERELEASE) + 2017-07-12 08:07:16 UTC (releng/11.1, 11.1-RC2-p1) + 2017-07-12 08:07:16 UTC (releng/11.1, 11.1-RC1-p1) + 2017-07-12 07:26:07 UTC (stable/11, 11.1-BETA3-p1) + 2017-07-12 08:07:36 UTC (releng/11.0, 11.0-RELEASE-p11) + 2017-07-12 07:26:07 UTC (stable/10, 10.3-STABLE) + 2017-07-12 08:07:36 UTC (releng/10.3, 10.3-RELEASE-p20) +CVE Name: CVE-2017-11103 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +Heimdal implements the Kerberos 5 network authentication protocols. +The Kerberos protocol uses "ticket" to authenticate a client to a +service. + +A Key Distribution Center (KDC) is trusted by all principals registered +in that administrative "realm" to store a secret key in confidence, of +which, the proof of knowledge is used to verify the authenticity of a +principal. + + +II. Problem Description + +There is a programming error in Heimdal implementation that used an +unauthenticated, plain-text version of the KDC-REP service name found +in a ticket. + +III. Impact + +An attacker who has control to the network between a client and the +service it talks to will be able to impersonate the service, allowing +a successful man-in-the-middle (MITM) attack that circumvents the mutual +authentication. + +IV. Workaround + +No workaround is available, but only Kerberos enabled clients are +affected. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +A reboot is recommended. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is recommended. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-17:05/heimdal.patch +# fetch https://security.FreeBSD.org/patches/SA-17:05/heimdal.patch.asc +# gpg --verify heimdal.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r320907 +releng/10.3/ r320912 +stable/11/ r320907 +releng/11.0/ r320911 +releng/11.1/ r320910 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlll2poACgkQ7Wfs1l3P +auf+8BAA13v5XSuifFibb4T+UY6tnCJgeRoCKYzwYIgx6glcDZyDUAuK0OtT5Skc +2EK24SUe2371sKYkLJ0pULKU5suRqWmzVKvSXGpexcYj8h+B9VCHuQc6tM87v3nA +/Nct5Svwxf+oBcI2MkVrn80NXsi5AfkBMzbgzXKGp3yGdMgbSpUx1uixN8QNtYSb +9nuZZPlXRa7GJDqLuVZwkZQVq1EXnSWwSNH/Oq8DuW7VrTWGJHflS0i/azxTvT+2 +6zZCtCRkYd/875Bn7COxN5F597xwT76XDz5cQzOBH9hk0p+0hxfjAVSf7m5tbl1A +g3qBvXmAhavLvtJfwVFtkwZeAzkLiU1FlcNdoFTFmBwzUYvob41K+JPud1sEUFmu +4w5PXWPq3CbjvwzabOwFRlaA9XMBv8JSgATET3rk6ECjQ6I9+ptYkAXtpiCFXtxq +09kw5dbsqwJ3RQsw/ZtNdbQhhoEG3rNTOCLkLYM3VPwPaCaDAFXN2OGRf6lE21HX +QZQ57OypjTfd7OaSeM6kVeF/xYxh3AoxPsPdqTxphBOF+Ih0zCwcSVdXumuSqufq +daNo+qLV7/IqvY9p0YmHtLKGhwss8jVQBTObNW8JESxmWrDAwtUke0fxnqK9LKMT +vWbvNsgUaLFNEisMkY25VZCzgUiIDJu5JyhTMQtlqQOSNYB686k= +=enb2 +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-17:06/hyperv.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-17:06/hyperv.patch Wed Jul 12 08:31:16 2017 (r50475) 
@@ -0,0 +1,538 @@ +--- sys/cam/ata/ata_xpt.c.orig ++++ sys/cam/ata/ata_xpt.c +@@ -40,6 +40,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -827,6 +828,7 @@ + { + struct ccb_pathinq cpi; + int16_t *ptr; ++ int veto = 0; + + ident_buf = &softc->ident_data; + for (ptr = (int16_t *)ident_buf; +@@ -833,6 +835,11 @@ + ptr < (int16_t *)ident_buf + sizeof(struct ata_params)/2; ptr++) { + *ptr = le16toh(*ptr); + } ++ EVENTHANDLER_INVOKE(ada_probe_veto, path, ident_buf, &veto); ++ if (veto) { ++ goto device_fail; ++ } ++ + if (strncmp(ident_buf->model, "FX", 2) && + strncmp(ident_buf->model, "NEC", 3) && + strncmp(ident_buf->model, "Pioneer", 7) && +--- sys/conf/files.amd64.orig ++++ sys/conf/files.amd64 +@@ -262,7 +262,6 @@ + dev/hyperv/netvsc/hv_net_vsc.c optional hyperv + dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c optional hyperv + dev/hyperv/netvsc/hv_rndis_filter.c optional hyperv +-dev/hyperv/stordisengage/hv_ata_pci_disengage.c optional hyperv + dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c optional hyperv + dev/hyperv/utilities/hv_kvp.c optional hyperv + dev/hyperv/utilities/hv_util.c optional hyperv +--- sys/conf/files.i386.orig ++++ sys/conf/files.i386 +@@ -240,7 +240,6 @@ + dev/hyperv/netvsc/hv_net_vsc.c optional hyperv + dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c optional hyperv + dev/hyperv/netvsc/hv_rndis_filter.c optional hyperv +-dev/hyperv/stordisengage/hv_ata_pci_disengage.c optional hyperv + dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c optional hyperv + dev/hyperv/utilities/hv_kvp.c optional hyperv + dev/hyperv/utilities/hv_util.c optional hyperv +--- sys/dev/hyperv/include/hyperv.h.orig ++++ sys/dev/hyperv/include/hyperv.h +@@ -124,6 +124,8 @@ + unsigned char data[16]; + } __packed hv_guid; + ++int snprintf_hv_guid(char *, size_t, const hv_guid *); ++ + #define HV_NIC_GUID \ + .data = {0x63, 0x51, 0x61, 0xF8, 0x3E, 0xDF, 0xc5, 0x46, \ + 0x91, 0x3F, 0xF2, 0xD2, 0xF9, 0x65, 0xED, 0x0E} +--- 
sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c.orig ++++ sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c +@@ -58,6 +58,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -198,6 +199,7 @@ + STORVSC_RINGBUFFER_SIZE} + }; + ++static eventhandler_tag storvsc_handler_tag; + /* + * Sense buffer size changed in win8; have a run-time + * variable to track the size we should use. +@@ -818,6 +820,7 @@ + * because the fields will be used later in storvsc_io_done(). + */ + request->vstor_packet.u.vm_srb.scsi_status = vm_srb->scsi_status; ++ request->vstor_packet.u.vm_srb.srb_status = vm_srb->srb_status; + request->vstor_packet.u.vm_srb.transfer_len = vm_srb->transfer_len; + + if (((vm_srb->scsi_status & 0xFF) == SCSI_STATUS_CHECK_COND) && +@@ -966,20 +969,13 @@ + static int + storvsc_probe(device_t dev) + { +- int ata_disk_enable = 0; + int ret = ENXIO; + + switch (storvsc_get_storage_type(dev)) { + case DRIVER_BLKVSC: + if(bootverbose) +- device_printf(dev, "DRIVER_BLKVSC-Emulated ATA/IDE probe\n"); +- if (!getenv_int("hw.ata.disk_enable", &ata_disk_enable)) { +- if(bootverbose) +- device_printf(dev, +- "Enlightened ATA/IDE detected\n"); +- ret = BUS_PROBE_DEFAULT; +- } else if(bootverbose) +- device_printf(dev, "Emulated ATA/IDE set (hw.ata.disk_enable set)\n"); ++ device_printf(dev, "Enlightened ATA/IDE detected\n"); ++ ret = BUS_PROBE_DEFAULT; + break; + case DRIVER_STORVSC: + if(bootverbose) +@@ -1967,28 +1963,17 @@ + return(0); + } + +-/* +- * SCSI Inquiry checks qualifier and type. +- * If qualifier is 011b, means the device server is not capable +- * of supporting a peripheral device on this logical unit, and +- * the type should be set to 1Fh. +- * +- * Return 1 if it is valid, 0 otherwise. 
+- */ +-static inline int +-is_inquiry_valid(const struct scsi_inquiry_data *inq_data) ++static uint32_t ++is_scsi_valid(const struct scsi_inquiry_data *inq_data) + { +- uint8_t type; +- if (SID_QUAL(inq_data) != SID_QUAL_LU_CONNECTED) { +- return (0); +- } ++ u_int8_t type; + type = SID_TYPE(inq_data); +- if (type == T_NODEVICE) { ++ if (type == T_NODEVICE) + return (0); +- } ++ if (SID_QUAL(inq_data) == SID_QUAL_BAD_LU) ++ return (0); + return (1); + } +- + /** + * @brief completion function before returning to CAM + * +@@ -2057,75 +2042,108 @@ + callout_drain(&reqp->callout); + } + #endif +- + ccb->ccb_h.status &= ~CAM_SIM_QUEUED; + ccb->ccb_h.status &= ~CAM_STATUS_MASK; + if (vm_srb->scsi_status == SCSI_STATUS_OK) { + const struct scsi_generic *cmd; +- /* +- * Check whether the data for INQUIRY cmd is valid or +- * not. Windows 10 and Windows 2016 send all zero +- * inquiry data to VM even for unpopulated slots. +- */ + cmd = (const struct scsi_generic *) + ((ccb->ccb_h.flags & CAM_CDB_POINTER) ? + csio->cdb_io.cdb_ptr : csio->cdb_io.cdb_bytes); +- if (cmd->opcode == INQUIRY) { +- /* +- * The host of Windows 10 or 2016 server will response +- * the inquiry request with invalid data for unexisted device: +- [0x7f 0x0 0x5 0x2 0x1f ... ] +- * But on windows 2012 R2, the response is: +- [0x7f 0x0 0x0 0x0 0x0 ] +- * That is why here wants to validate the inquiry response. +- * The validation will skip the INQUIRY whose response is short, +- * which is less than SHORT_INQUIRY_LENGTH (36). +- * +- * For more information about INQUIRY, please refer to: +- * ftp://ftp.avc-pioneer.com/Mtfuji_7/Proposal/Jun09/INQUIRY.pdf +- */ +- const struct scsi_inquiry_data *inq_data = +- (const struct scsi_inquiry_data *)csio->data_ptr; +- uint8_t* resp_buf = (uint8_t*)csio->data_ptr; +- /* Get the buffer length reported by host */ +- int resp_xfer_len = vm_srb->transfer_len; +- /* Get the available buffer length */ +- int resp_buf_len = resp_xfer_len >= 5 ? 
resp_buf[4] + 5 : 0; +- int data_len = (resp_buf_len < resp_xfer_len) ? resp_buf_len : resp_xfer_len; +- if (data_len < SHORT_INQUIRY_LENGTH) { +- ccb->ccb_h.status |= CAM_REQ_CMP; +- if (bootverbose && data_len >= 5) { +- mtx_lock(&sc->hs_lock); +- xpt_print(ccb->ccb_h.path, +- "storvsc skips the validation for short inquiry (%d)" +- " [%x %x %x %x %x]\n", +- data_len,resp_buf[0],resp_buf[1],resp_buf[2], +- resp_buf[3],resp_buf[4]); +- mtx_unlock(&sc->hs_lock); +- } +- } else if (is_inquiry_valid(inq_data) == 0) { +- ccb->ccb_h.status |= CAM_DEV_NOT_THERE; +- if (bootverbose && data_len >= 5) { +- mtx_lock(&sc->hs_lock); +- xpt_print(ccb->ccb_h.path, +- "storvsc uninstalled invalid device" +- " [%x %x %x %x %x]\n", +- resp_buf[0],resp_buf[1],resp_buf[2],resp_buf[3],resp_buf[4]); +- mtx_unlock(&sc->hs_lock); +- } +- } else { +- ccb->ccb_h.status |= CAM_REQ_CMP; ++ if (vm_srb->srb_status != SRB_STATUS_SUCCESS) { ++ /* ++ * If there are errors, for example, invalid LUN, ++ * host will inform VM through SRB status. ++ */ + if (bootverbose) { +- mtx_lock(&sc->hs_lock); +- xpt_print(ccb->ccb_h.path, +- "storvsc has passed inquiry response (%d) validation\n", +- data_len); +- mtx_unlock(&sc->hs_lock); ++ if (vm_srb->srb_status == SRB_STATUS_INVALID_LUN) { ++ xpt_print(ccb->ccb_h.path, ++ "invalid LUN %d for op: %s\n", ++ vm_srb->lun, ++ scsi_op_desc(cmd->opcode, NULL)); ++ } else { ++ xpt_print(ccb->ccb_h.path, ++ "Unknown SRB flag: %d for op: %s\n", ++ vm_srb->srb_status, ++ scsi_op_desc(cmd->opcode, NULL)); ++ } + } +- } ++ ++ /* ++ * XXX For a selection timeout, all of the LUNs ++ * on the target will be gone. It works for SCSI ++ * disks, but does not work for IDE disks. ++ * ++ * For CAM_DEV_NOT_THERE, CAM will only get ++ * rid of the device(s) specified by the path. 
++ */ ++ if (storvsc_get_storage_type(sc->hs_dev->device) == ++ DRIVER_STORVSC) ++ ccb->ccb_h.status |= CAM_SEL_TIMEOUT; ++ else ++ ccb->ccb_h.status |= CAM_DEV_NOT_THERE; + } else { + ccb->ccb_h.status |= CAM_REQ_CMP; + } ++ ++ if (cmd->opcode == INQUIRY && ++ vm_srb->srb_status == SRB_STATUS_SUCCESS) { ++ int resp_xfer_len, resp_buf_len, data_len; ++ struct scsi_inquiry_data *inq_data = ++ (struct scsi_inquiry_data *)csio->data_ptr; ++ /* Get the buffer length reported by host */ ++ resp_xfer_len = vm_srb->transfer_len; ++ uint8_t *resp_buf = (uint8_t *)csio->data_ptr; ++ ++ /* Get the available buffer length */ ++ resp_buf_len = resp_xfer_len >= 5 ? resp_buf[4] + 5 : 0; ++ data_len = (resp_buf_len < resp_xfer_len) ? ++ resp_buf_len : resp_xfer_len; ++ if (bootverbose && data_len >= 5) { ++ xpt_print(ccb->ccb_h.path, "storvsc inquiry " ++ "(%d) [%x %x %x %x %x ... ]\n", data_len, ++ resp_buf[0], resp_buf[1], resp_buf[2], ++ resp_buf[3], resp_buf[4]); ++ } ++ /* ++ * XXX: Manually fix the wrong response returned from WS2012 ++ */ ++ if (!is_scsi_valid(inq_data) && ++ (vmstor_proto_version == VMSTOR_PROTOCOL_VERSION_WIN8_1 || ++ vmstor_proto_version == VMSTOR_PROTOCOL_VERSION_WIN8 || ++ vmstor_proto_version == VMSTOR_PROTOCOL_VERSION_WIN7)) { ++ if (data_len >= 4 && ++ (resp_buf[2] == 0 || resp_buf[3] == 0)) { ++ resp_buf[2] = 5; // verion=5 means SPC-3 ++ resp_buf[3] = 2; // resp fmt must be 2 ++ if (bootverbose) ++ xpt_print(ccb->ccb_h.path, ++ "fix version and resp fmt for 0x%x\n", ++ vmstor_proto_version); ++ } ++ } else if (data_len >= SHORT_INQUIRY_LENGTH) { ++ char vendor[16]; ++ ++ cam_strvis(vendor, inq_data->vendor, ++ sizeof(inq_data->vendor), sizeof(vendor)); ++ /* ++ * XXX: Upgrade SPC2 to SPC3 if host is WIN8 or ++ * WIN2012 R2 in order to support UNMAP feature. 
++ */ ++ if (!strncmp(vendor, "Msft", 4) && ++ SID_ANSI_REV(inq_data) == SCSI_REV_SPC2 && ++ (vmstor_proto_version == ++ VMSTOR_PROTOCOL_VERSION_WIN8_1 || ++ vmstor_proto_version == ++ VMSTOR_PROTOCOL_VERSION_WIN8)) { ++ inq_data->version = SCSI_REV_SPC3; ++ if (bootverbose) { ++ xpt_print(ccb->ccb_h.path, ++ "storvsc upgrades " ++ "SPC2 to SPC3\n"); ++ } ++ } ++ } ++ } + } else { + mtx_lock(&sc->hs_lock); + xpt_print(ccb->ccb_h.path, +@@ -2193,3 +2211,51 @@ + return (DRIVER_UNKNOWN); + } + ++#define PCI_VENDOR_INTEL 0x8086 ++#define PCI_PRODUCT_PIIX4 0x7111 ++ ++static void ++storvsc_ada_probe_veto(void *arg __unused, struct cam_path *path, ++ struct ata_params *ident_buf __unused, int *veto) ++{ ++ /* ++ * Hyper-V should ignore ATA ++ */ ++ if (path->device->protocol == PROTO_ATA) { ++ struct ccb_pathinq cpi; ++ ++ bzero(&cpi, sizeof(cpi)); ++ xpt_setup_ccb(&cpi.ccb_h, path, CAM_PRIORITY_NONE); ++ cpi.ccb_h.func_code = XPT_PATH_INQ; ++ xpt_action((union ccb *)&cpi); ++ if (cpi.ccb_h.status == CAM_REQ_CMP && ++ cpi.hba_vendor == PCI_VENDOR_INTEL && ++ cpi.hba_device == PCI_PRODUCT_PIIX4) { ++ (*veto)++; ++ xpt_print(path, ++ "Disable ATA for vendor: %x, device: %x\n", ++ cpi.hba_vendor, cpi.hba_device); ++ } ++ } ++} ++ ++static void ++storvsc_sysinit(void *arg __unused) ++{ ++ if (vm_guest == VM_GUEST_HV) { ++ storvsc_handler_tag = EVENTHANDLER_REGISTER(ada_probe_veto, ++ storvsc_ada_probe_veto, NULL, EVENTHANDLER_PRI_ANY); ++ } ++} ++SYSINIT(storvsc_sys_init, SI_SUB_DRIVERS, SI_ORDER_SECOND, storvsc_sysinit, ++ NULL); ++ ++static void ++storvsc_sysuninit(void *arg __unused) ++{ ++ if (storvsc_handler_tag != NULL) { ++ EVENTHANDLER_DEREGISTER(ada_probe_veto, storvsc_handler_tag); ++ } ++} ++SYSUNINIT(storvsc_sys_uninit, SI_SUB_DRIVERS, SI_ORDER_SECOND, ++ storvsc_sysuninit, NULL); +--- sys/dev/hyperv/storvsc/hv_vstorage.h.orig ++++ sys/dev/hyperv/storvsc/hv_vstorage.h +@@ -249,10 +249,10 @@ + /** + * SRB Status Masks (can be combined with above status codes) + */ 
+-#define SRB_STATUS_QUEUE_FROZEN 0x40 +-#define SRB_STATUS_AUTOSENSE_VALID 0x80 ++#define SRB_STATUS_QUEUE_FROZEN 0x40 ++#define SRB_STATUS_AUTOSENSE_VALID 0x80 ++#define SRB_STATUS_INVALID_LUN 0X20 + +- + /** + * Packet flags + */ +--- sys/dev/hyperv/utilities/hv_kvp.c.orig ++++ sys/dev/hyperv/utilities/hv_kvp.c +@@ -311,28 +311,11 @@ + { + int err_ip, err_subnet, err_gway, err_dns, err_adap; + int UNUSED_FLAG = 1; +- int guid_index; + struct hv_device *hv_dev; /* GUID Data Structure */ + hn_softc_t *sc; /* hn softc structure */ + char if_name[4]; +- unsigned char guid_instance[40]; +- char *guid_data = NULL; + char buf[39]; + +- struct guid_extract { +- char a1[2]; +- char a2[2]; +- char a3[2]; +- char a4[2]; +- char b1[2]; +- char b2[2]; +- char c1[2]; +- char c2[2]; +- char d[4]; +- char e[12]; +- }; +- +- struct guid_extract *id; + device_t *devs; + int devcnt; + +@@ -359,17 +342,7 @@ + /* Trying to find GUID of Network Device */ + hv_dev = sc->hn_dev_obj; + +- for (guid_index = 0; guid_index < 16; guid_index++) { +- sprintf(&guid_instance[guid_index * 2], "%02x", +- hv_dev->device_id.data[guid_index]); +- } +- +- guid_data = (char *)guid_instance; +- id = (struct guid_extract *)guid_data; +- snprintf(buf, sizeof(buf), "{%.2s%.2s%.2s%.2s-%.2s%.2s-%.2s%.2s-%.4s-%s}", +- id->a4, id->a3, id->a2, id->a1, +- id->b2, id->b1, id->c2, id->c1, id->d, id->e); +- guid_data = NULL; ++ snprintf_hv_guid(buf, sizeof(buf), &hv_dev->device_id); + sprintf(if_name, "%s%d", "hn", device_get_unit(devs[devcnt])); + + if (strncmp(buf, (char *)umsg->body.kvp_ip_val.adapter_id, 39) == 0) { +--- sys/dev/hyperv/vmbus/hv_vmbus_drv_freebsd.c.orig ++++ sys/dev/hyperv/vmbus/hv_vmbus_drv_freebsd.c +@@ -59,6 +59,7 @@ + #include + #include + ++#include + #include "hv_vmbus_priv.h" + + #include +@@ -298,6 +299,23 @@ + return (ENOENT); + } + ++static int ++vmbus_child_pnpinfo_str(device_t dev, device_t child, char *buf, size_t buflen) ++{ ++ char guidbuf[40]; ++ struct hv_device *dev_ctx = 
device_get_ivars(child); ++ ++ strlcat(buf, "classid=", buflen); ++ snprintf_hv_guid(guidbuf, sizeof(guidbuf), &dev_ctx->class_id); ++ strlcat(buf, guidbuf, buflen); ++ ++ strlcat(buf, " deviceid=", buflen); ++ snprintf_hv_guid(guidbuf, sizeof(guidbuf), &dev_ctx->device_id); ++ strlcat(buf, guidbuf, buflen); ++ ++ return (0); ++} ++ + struct hv_device* + hv_vmbus_child_device_create( + hv_guid type, +@@ -324,15 +342,17 @@ + return (child_dev); + } + +-static void +-print_dev_guid(struct hv_device *dev) ++int ++snprintf_hv_guid(char *buf, size_t sz, const hv_guid *guid) + { +- int i; +- unsigned char guid_name[100]; +- for (i = 0; i < 32; i += 2) +- sprintf(&guid_name[i], "%02x", dev->class_id.data[i / 2]); +- if(bootverbose) +- printf("VMBUS: Class ID: %s\n", guid_name); ++ int cnt; ++ const unsigned char *d = guid->data; ++ ++ cnt = snprintf(buf, sz, ++ "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x", ++ d[3], d[2], d[1], d[0], d[5], d[4], d[7], d[6], ++ d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); ++ return (cnt); + } + + int +@@ -341,9 +361,12 @@ + device_t child; + int ret = 0; + +- print_dev_guid(child_dev); ++ if (bootverbose) { ++ char name[40]; ++ snprintf_hv_guid(name, sizeof(name), &child_dev->class_id); ++ printf("VMBUS: Class ID: %s\n", name); ++ } + +- + child = device_add_child(vmbus_devp, NULL, -1); + child_dev->device = child; + device_set_ivars(child, child_dev); +@@ -747,6 +770,7 @@ + DEVMETHOD(bus_print_child, bus_generic_print_child), + DEVMETHOD(bus_read_ivar, vmbus_read_ivar), + DEVMETHOD(bus_write_ivar, vmbus_write_ivar), ++ DEVMETHOD(bus_child_pnpinfo_str, vmbus_child_pnpinfo_str), + + { 0, 0 } }; + +--- sys/sys/eventhandler.h.orig ++++ sys/sys/eventhandler.h +@@ -283,4 +283,11 @@ + EVENTHANDLER_DECLARE(register_framebuffer, register_framebuffer_fn); + EVENTHANDLER_DECLARE(unregister_framebuffer, unregister_framebuffer_fn); + ++/* veto ada probing */ ++struct cam_path; ++struct ata_params; ++typedef void 
(*ada_probe_veto_fn)(void *, struct cam_path *, ++ struct ata_params *, int *); ++EVENTHANDLER_DECLARE(ada_probe_veto, ada_probe_veto_fn); ++ + #endif /* SYS_EVENTHANDLER_H */ +--- sys/x86/x86/intr_machdep.c.orig ++++ sys/x86/x86/intr_machdep.c +@@ -535,6 +535,9 @@ + if (mp_ncpus == 1) + return; + ++ /* Does not work properly on Hyper-V. */ ++ if (vm_guest == VM_GUEST_HV) ++ return; + /* Round-robin assign a CPU to each enabled source. */ + mtx_lock(&intr_table_lock); + assign_cpu = 1; Added: head/share/security/patches/EN-17:06/hyperv.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-17:06/hyperv.patch.asc Wed Jul 12 08:31:16 2017 (r50475) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlll2rgACgkQ7Wfs1l3P +aueyXRAAmp/GRpfdn8f9xMXP0W4QOsODfV7xVgxvaVTXLkBxT4o1710I2oVEh959 +7uXoXjJbGRepdj8U1CLrbusKjuTRM88hUR+QMrw0A82Iz+0FP1EQJU/kwLhl/CrJ +Uhrnjqr0pHfNlGczym35Qii6gRD1Kvt8A6EhpzQhXVWPhpooPGnjpJsJ/cPPbJmN +ywoi66JpgJHAJ94zH1qcdaKghirZ0D3f3rErWqZmAI7b4UGGGtHWtg04GcOXHdW5 +6cKuqRcn3cniWCs/dlHm/QEbhrsYYDKVAexzIxKlKnZt4L2b1od4Nwt2g5T0KNGD +kVRIeIi4gfQNLiymS1jtUK/2l9ryZwMNDgDKXXbCGYFDVlGjhF/zV24J56owq24a +9xUrA/eIt2aDkMXjbg/hCFooaaUW9bIEkfE7oGPZWOiv57Xl8tcVfxaCQhg7D7NI +cacKTep4pfXezD5nm5Jv/CIZhdgfs73kUuhknf3Aje7lGaQDGGjJm0Izpr5CDU09 +fybWoyzEkMdD41Yuf0JgRqh0fC+kWmu9fRAe9v6UBJWnhFnKUeUrC5fidVXCR5c0 +CdgV3kYUK2cH0jDGeQrjcZybR52WFfeHa9Wj8Ea7fzOfsEu1qr+mCg7Vnbqt1Rbx +WW8ob+UcPrxEYMSRJrg33Xr/EiTVpv2VA2zSwJIO7WNsR8NirbQ= +=wx6c +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-17:05/heimdal.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:05/heimdal.patch Wed Jul 12 08:31:16 2017 (r50475) 
@@ -0,0 +1,13 @@ +--- crypto/heimdal/lib/krb5/ticket.c.orig ++++ crypto/heimdal/lib/krb5/ticket.c +@@ -713,8 +713,8 @@ + /* check server referral and save principal */ + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, +- rep->kdc_rep.ticket.sname, +- rep->kdc_rep.ticket.realm); ++ rep->enc_part.sname, ++ rep->enc_part.srealm); + if (ret) + goto out; + if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ Added: head/share/security/patches/SA-17:05/heimdal.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:05/heimdal.patch.asc Wed Jul 12 08:31:16 2017 (r50475) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.21 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlll2rgACgkQ7Wfs1l3P +audDPBAA2J6IvRsymXj8EzCdEYI/DeoooD5wP2EuGxw166XH/UJgJC95LLEhpGsi +sZ6ePOCEIDqUlWhYZjJT6uI3ww8ZLzIQ6gHIlA+J9/IfLimlFhG6J2E6D+IKwAcC +4bhQOWeUT+HmiE3rRBtGsiND4Eos/LCzinSZR1oQMuiNpC+Z+Os+47EsDAM7zCRd +HQo7Ko+8VUpI47E8jNeummjziHnmczpXsSVuuord8gpegLFYFaAqKmhJoD8O33Cf +gVigMl/Oo039XlibJ6kivs+jY93iDAFb1ahQE1n/M8G0oMR1vExm6/ILDfjebA9z +rS/6DNvbEBPfx9QSjnE1l9KVbIaWJjIQYU0Mia0Bu2h83mtk8zPoG2q2nfFpAP4I +01wqv+zzVJjr3LULwZcAOGSTUSuXgZrnc5KBSM3ULs5ZZMgoCJ54oQjFXUkzQAqQ +DXyHX3Oq6abG2YUOyErlt2mqUvbUJl4XU3nC0Hdw76UIK46/ksXwfabt+W3ICeEf +ZX4YjMGWZU0XOJIfhmhgS6/Yr+F37ldac5D38I6AcnbgfBW8CiebtWyn5QNjoMOT +jxSSz3Rl5Lt1M2xjPP4jg2a5ivq7gz2JmNOjBtNCVWeq1hAP+0EryghDFENMQDhL +PZ7H+/201FUlxO9BQ5tOluGL0Nu4mtaLyeDUHZCwHYxQb+cz4/c= +=Wwzw +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Jul 12 01:13:40 2017 (r50474) +++ head/share/xml/advisories.xml Wed Jul 12 08:31:16 2017 (r50475) 
@@ -8,6 +8,18 @@ 2017 + 7 + + + 12 + + + FreeBSD-SA-17:05.heimdal + + + + + 4 Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Wed Jul 12 01:13:40 2017 (r50474) +++ head/share/xml/notices.xml Wed Jul 12 08:31:16 2017 (r50475) @@ -8,6 +8,18 @@ 2017 + 7 + + + 12 + + + FreeBSD-EN-17:06.hyperv + + + + + 4
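Review bot: The storvsc_probe() hunk (@@ -966,20 +969,13 @@ in sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c) drops the `hw.ata.disk_enable` check without a replacement knob or a note in the errata text. With this change DRIVER_BLKVSC always returns BUS_PROBE_DEFAULT, so a system that set the tunable to stay on emulated ATA changes behaviour after the update. Either keep a tunable that also gates the new ada_probe_veto handler, or state in the notice that `hw.ata.disk_enable` is no longer honoured.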
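Review bot: is_scsi_valid() in the @@ -1967,28 +1963,17 @@ hunk of hv_storvsc_drv_freebsd.c loses the block comment that documented the check while also changing what it accepts. The removed is_inquiry_valid() rejected every peripheral qualifier other than SID_QUAL_LU_CONNECTED; the new function rejects only SID_QUAL_BAD_LU and T_NODEVICE. Add a comment that states the new rule and the "1 if valid, 0 otherwise" contract, keep `uint8_t` rather than switching to `u_int8_t`, and keep the blank line before the following "@brief completion function" comment.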
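Review bot: The new xpt_print() calls in the @@ -2057,75 +2042,108 @@ hunk of hv_storvsc_drv_freebsd.c run without `sc->hs_lock`, whereas every removed call in the same hunk was wrapped in `mtx_lock(&sc->hs_lock)` / `mtx_unlock(&sc->hs_lock)` and the unchanged `else` branch at the end of the hunk still takes the lock before printing. Either keep the lock around the new prints or add a comment saying why it is not needed here. In the same hunk, `resp_buf[2] = 5; // verion=5 means SPC-3` has a typo and uses a C++ comment where the rest of the file uses C comments, and `uint8_t *resp_buf` is declared after the first statement of the block.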
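Review bot: In storvsc_ada_probe_veto() (@@ -2193,3 +2211,51 @@ hunk of hv_storvsc_drv_freebsd.c) the "Disable ATA for vendor: %x, device: %x" xpt_print() is unconditional, while the other messages this patch adds are gated on `bootverbose`; gate it the same way or say why this one should always reach the console. The comment "Hyper-V should ignore ATA" is also broader than the code, which vetoes only when the path inquiry succeeds and the HBA is PCI_VENDOR_INTEL / PCI_PRODUCT_PIIX4; the comment should say so.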
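Review bot: `#define SRB_STATUS_INVALID_LUN 0X20` in the sys/dev/hyperv/storvsc/hv_vstorage.h hunk is added under the comment "SRB Status Masks (can be combined with above status codes)", but hv_storvsc_drv_freebsd.c uses it as a status code with `vm_srb->srb_status == SRB_STATUS_INVALID_LUN` and tests success with `vm_srb->srb_status != SRB_STATUS_SUCCESS`. If the host sets SRB_STATUS_QUEUE_FROZEN (0x40) or SRB_STATUS_AUTOSENSE_VALID (0x80) together with the status, both comparisons take the wrong branch. Move the define next to the other status codes, mask off the two flag bits before comparing, and write the constant as 0x20 to match the neighbouring lines.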
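Review bot: The second sys/dev/hyperv/utilities/hv_kvp.c hunk (@@ -359,17 +342,7 @@) changes the string that is compared against the adapter id, not just how it is built. The removed snprintf() used the format "{%.2s%.2s%.2s%.2s-%.2s%.2s-%.2s%.2s-%.4s-%s}", with braces; snprintf_hv_guid() as defined in hv_vmbus_drv_freebsd.c emits no braces, and the following `strncmp(buf, (char *)umsg->body.kvp_ip_val.adapter_id, 39)` is unchanged. Confirm which form the host sends in adapter_id; if it is the braced form, add the braces at this call site so the interface lookup still matches.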
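Review bot: The comment added in the sys/x86/x86/intr_machdep.c hunk, "Does not work properly on Hyper-V.", does not record what fails. The errata notice in this same commit says an interrupt is missing when intr_shuffle_irqs is allowed on Hyper-V; put that in the comment so the early return can be revisited later, and leave a blank line between the new `return;` and the "Round-robin assign a CPU" comment.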
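Review bot: In the crypto/heimdal/lib/krb5/ticket.c hunk (@@ -713,8 +713,8 @@) the comment above the call still reads only "check server referral and save principal" and gives no reason for taking the name from `rep->enc_part`. Add a line saying that `rep->kdc_rep.ticket.sname` and `rep->kdc_rep.ticket.realm` are the unauthenticated plain-text copy described in SA-17:05 and that `rep->enc_part.sname` / `rep->enc_part.srealm` are used instead, so that a later cleanup does not switch the arguments back.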