Date: Tue, 25 Oct 2016 17:32:49 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r49582 - in head/share: security/advisories security/patches/EN-16:17 security/patches/EN-16:18 security/patches/SA-16:15 security/patches/SA-16:32 xml Message-ID: <201610251732.u9PHWnj1084319@repo.freebsd.org>
Author: glebius (src committer) Date: Tue Oct 25 17:32:49 2016 New Revision: 49582 URL: https://svnweb.freebsd.org/changeset/doc/49582 Log: Publish SA-16:15 revised, SA-16:32, EN-16:17, EN-16:18. Added: head/share/security/advisories/FreeBSD-EN-16:17.vm.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-16:18.loader.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-16:32.bhyve.asc (contents, props changed) head/share/security/patches/EN-16:17/ head/share/security/patches/EN-16:17/vm.patch (contents, props changed) head/share/security/patches/EN-16:17/vm.patch.asc (contents, props changed) head/share/security/patches/EN-16:18/ head/share/security/patches/EN-16:18/loader.patch (contents, props changed) head/share/security/patches/EN-16:18/loader.patch.asc (contents, props changed) head/share/security/patches/SA-16:15/sysarch-01.patch (contents, props changed) head/share/security/patches/SA-16:15/sysarch-01.patch.asc (contents, props changed) head/share/security/patches/SA-16:32/ head/share/security/patches/SA-16:32/bhyve.patch (contents, props changed) head/share/security/patches/SA-16:32/bhyve.patch.asc (contents, props changed) Modified: head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-16:17.vm.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:17.vm.asc Tue Oct 25 17:32:49 2016 (r49582) 
@@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:17.vm Errata Notice + The FreeBSD Project + +Topic: Virtual Memory issues + +Category: core +Module: Virtual Memory subsystem +Announced: 2016-10-25 +Credits: +Affects: FreeBSD 10.3 +Corrected: 2016-07-25 13:31:18 UTC (stable/10, 10.3-STABLE) + 2016-10-25 16:45:55 UTC (releng/10.3, 10.3-RELEASE-p11) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security branches, +and the following sections, please visit +<URL:https://security.freebsd.org/>. + +I. Background + +The virtual memory subsystem manages address spaces of the processes, and +tightly cooperates with the file systems and process management to provide +the execution environment for the applications. + +II. Problem Description + +Due to increased parallelism and optimizations in several parts of the +system, the previously latent bugs in VM become much easier to trigger, +affecting a significant number of the FreeBSD users. The exact technical +details of the issues are provided in the commit messages of the merged +revisions, which are listed below with short summaries. + +r301184 prevent parallel object collapses, fixes object lifecycle +r301436 do not leak the vm object lock, fixes overcommit disable +r302243 avoid the active object marking for vm.vmtotal sysctl, fixes + "vodead" hangs +r302513 vm_fault() race with the vm_object_collapse(), fixes spurious + SIGSEGV +r303291 postpone BO_DEAD, fixes panic on fast vnode reclaim + +III. Impact + +Due to the bugs, spurious SIGSEGV might be delivered to processes, causing +hangs on the "vodead" state on filesystem operations might be observed, +system might hang or panic during rapid UFS vnodes reclamation. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.3] +# fetch https://security.FreeBSD.org/patches/EN-16:17/vm.patch +# fetch https://security.FreeBSD.org/patches/EN-16:17/vm.patch.asc +# gpg --verify vm.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r303291 +releng/10.3/ r307929 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204764> + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204426> + +The latest revision of this Errata Notice is available at +https://security.FreeBSD.org/advisories/FreeBSD-EN-16:17.vm.asc +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYD5UUAAoJEO1n7NZdz2rnxWUQAJ/yL3KpTFuhaHnnOg84mpwE +KguSEpFB4BqxPVntuwuutyvRf1aibdrcjOESJ62U86Nw3Yn+umYFQaq6ySTzWhbY +6JlARZEGQa0kt+kP8etx1Z/AjCiplHFjhi1HSdq/nhnYwwVlrw5vu5IiN66Vu9vu +OyfjmC3Zxx9Zf8CByTk7S9qGzhrsJPZvlkgVnOgUEwEq+zbYFAYk+vNVvF7KwSI5 +WxlOhkt6OdJUTUV+lOl5xZlGU3LlvE+2/+LpOOyNbgK/alAuPpt3JGiVnRYje6YI +lQnJXdM6Y5cITawkOhaePNRlgIphSKOjiomlVfpzDVKaoEvKTaTA0QNcTG7cF5vD +AeO/k2J15ARJQo/SRmTGE2/kOC7RSlAPBAYcBYy83LXDRxrhWtkz12LHzGu85IBy +TzgWgJX9IBiQDXKBg+7BLzkWAb4lX5sg38fZzGn80GD2EhkZ8vSnzjQyCgVQdxKD +T4XVVbiRSDywxelhRI9L/xLTM8kPNbL4ZQLrtS5VvQt/PSNubcFMkLgvP+lbOvKB +eE44FX8jQrs5YNbFamksOHJ6qDSzQk4Rxk6Nd6BlYAD/xFT+h5MnqydBtl4cWua1 +zpaCUjqA2OxQHANiauFRj71fjjWfKF/pbEsfHaJmtyx55PyVwhgeATjbo02kuWug +sk7U5vuJxdMO+iRBHQKZ +=Jq+g +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-16:18.loader.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:18.loader.asc Tue Oct 25 17:32:49 2016 (r49582) 
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:18 Errata Notice + The FreeBSD Project + +Topic: Loader may hang during boot + +Category: core +Module: loader +Announced: 2016-10-25 +Affects: FreeBSD 11.0 +Corrected: 2016-10-08 00:01:07 UTC (stable/11, 11.0-STABLE) + 2016-10-25 16:50:10 UTC (releng/11.0, 11.0-RELEASE-p2) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The loader is the final stage (boot3) of the boot process and is responsible +for loading the kernel and starting the operating system. GELIBoot is a +feature present in the loader that allows it to boot the system from an +encrypted disks. + +II. Problem Description + +A programming error in GELIBoot causes the loader to attempt to read past +the end of the disk if the size of the final partition is not a multiple of +4 kB. + +III. Impact + +On most systems, reading past the end of the disk will result in the read +failing, and the boot process will continue normally. On some systems, the +read past the end of the disk will be retried a number of times and will +result in the boot process being slower than usual. On Amazon EC2 instances, +and possibly other virtualization platforms, this issue causes the boot +process to hang and never complete. + +IV. Workaround + +No workaround is available, but systems with 4 kB aligned partitions will not +result in an attempt to read past the end of the disk. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.0] +# fetch https://security.FreeBSD.org/patches/EN-16:18/loader.patch +# fetch https://security.FreeBSD.org/patches/EN-16:18/loader.patch.asc +# gpg --verify loader.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r306834 +releng/11.0/ r307930 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213196> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:18.loader.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYD5UZAAoJEO1n7NZdz2rnNNEQAL+Rdn8eEtmUU4AVfa1pnIrc +/+owfHzB6NS5N+qcsFJmWGyrP6X3HAgNTfiJuNdJBV8HgcAtCQCPie/jork9A/q1 +U0ur8FDr91Y6Cr2H8BINmf7Oe3vwY6S7pPbwbHaHCzAAI/JyDtjGlN4VlEr7lKh/ +3J6xizMDHTBj198SopMIDUWl+qFeLxEMb60WV0Z8NDRyQzV0yXbveUkg35FZhqaW +w/aAH0hTh3qhxjQCyh34GrJ/peuvPtWxZLfPP7zowIKKAGQR+PfFnN9PrGQFAzht +yQVk8WrvTrlzZbay6U5BGFcwaxVSgW8PLIHET01BAyd//HBGdfofEMcVXoiQqf5x +1kX0fdiop02JZX49rzknAGtLlUivniBSCZTnPZrFCjhOHE+TZhhhnqB/jT+RBazx +m5xFScvfcZZ8ZXK1e68Jn1/SpIOtX+lXmKpoFwE4HoPtJkZV3SDIRYgAsxuWRlMy +R0I7HuGc7RgJNSJWFhGWcUkyq0yZhy7+x0vVzV3tDZClYrv82ZbVxzTCSCH2se3L +TLnIruK3nPt4KPWPka7H0jaVzICjqJHzy30IsNMHYHZg8dQ0/CR7pYm2zgCu9B84 +qbemY0YKlhsccM0/R/P9OMNDTcxP6l/Yhqb9A/upBhn2Vlw9OGamvuKfgX4WOTIE +gOcI7hQW4U/U3ioTTS1T +=vmGn +-----END PGP SIGNATURE----- Modified: head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc ============================================================================== --- head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc Tue Oct 25 16:44:58 2016 (r49581) +++ head/share/security/advisories/FreeBSD-SA-16:15.sysarch.asc Tue Oct 25 17:32:49 2016 (r49582) 
@@ -2,27 +2,36 @@ Hash: SHA512 ============================================================================= -FreeBSD-SA-16:15.sysarch Security Advisory +FreeBSD-SA-16:15.sysarch [REVISED] Security Advisory The FreeBSD Project Topic: Incorrect argument validation in sysarch(2) Category: core Module: kernel -Announced: 2016-03-16 -Credits: Core Security +Announced: 2016-10-25 +Credits: Core Security, ahaha from Chaitin Tech Affects: All supported versions of FreeBSD. -Corrected: 2016-03-16 22:35:55 UTC (stable/10, 10.2-STABLE) - 2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14) - 2016-03-16 22:30:56 UTC (releng/10.1, 10.1-RELEASE-p31) - 2016-03-16 22:36:02 UTC (stable/9, 9.3-STABLE) - 2016-03-16 22:30:03 UTC (releng/9.3, 9.3-RELEASE-p39) +Corrected: 2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE) + 2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2) + 2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE) + 2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11) + 2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24) + 2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41) + 2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE) + 2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49) CVE Name: CVE-2016-1885 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. +0. Revision history + +v1.0 2016-03-16 Initial release. +v1.1 2016-10-25 Revised patch to address a problem pointed out by + ahaha from Chaitin Tech. + I. Background The IA-32 architecture allows programs to define segments, which provides 
@@ -38,10 +47,10 @@ II. Problem Description A special combination of sysarch(2) arguments, specify a request to uninstall a set of descriptors from the LDT. The start descriptor -is cleared and the number of descriptors are provided. Due to invalid -use of a signed intermediate value in the bounds checking during argument -validity verification, unbound zero'ing of the process LDT and adjacent -memory can be initiated from usermode. +is cleared and the number of descriptors are provided. Due to lack +of sufficient bounds checking during argument validity verification, +unbound zero'ing of the process LDT and adjacent memory can be initiated +from usermode. III. Impact @@ -77,14 +86,27 @@ Reboot is required. The following patches have been verified to apply to the applicable FreeBSD release branches. +[*** v1.1 NOTE ***] If your sources are not yet patched using the initially +published advisory patches, then you need to apply both sysarch.patch and +sysarch-01.patch. If your sources are already updated, or patched with +patches from the initial advisory, then you need to apply sysarch-01.patch +only. + a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. +[ FreeBSD system not patched with original SA-16:15 patch] # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch # fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc # gpg --verify sysarch.patch.asc -b) Apply the patch. Execute the following commands as root: +[ FreeBSD system that has been patched with original SA-16:15 patch] +# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch +# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch.asc +# gpg --verify sysarch-01.patch.asc + +b) Apply the patch(es). Execute the following commands as root for +every patch file downloaded: # cd /usr/src # patch < /path/to/patch 
@@ -100,11 +122,14 @@ affected branch. Branch/path Revision - ------------------------------------------------------------------------- -stable/9/ r296958 -releng/9.3/ r296953 -stable/10/ r296957 -releng/10.1/ r296954 -releng/10.2/ r296955 +stable/9/ r307941 +releng/9.3/ r307931 +stable/10/ r307940 +releng/10.1/ r307932 +releng/10.2/ r307933 +releng/10.3/ r307934 +stable/11/ r307938 +releng/11.0/ r307935 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the 
@@ -125,17 +150,17 @@ The latest revision of this advisory is <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.asc> -----BEGIN PGP SIGNATURE----- -iQIcBAEBCgAGBQJW6eO/AAoJEO1n7NZdz2rn0UMP/iU/orN0P6+Rsj9hY2B6M0VS -H6CMMVvketkIIWl9oKX9D/G0g/HyD8uFy06qL2OBz+h99h1oaF5ELl4G6TkF69Ra -yOKrLcWnyi3eWLUaPvGkrLakVpG0+pU3QRvBT+d0nsTarOMPq+nhooarMfAluF3p -c3bXEjzn/lTA5T0zTcGS2o9IgORvYrKRIGW0KJDsCWsDgVyWngsJAJdIrzwx022Q -ENoIGmgLnYsx7TY1cuMtdb3TVyJsZv8zjrrmcLzw67Vly7wShs22CKK23ydDDyy9 -xFYsbWA+X8CarV2uSk8xJCIbWjJSlfc9XvOlHLZEiT7PNCZIk2c2fNLENxHvyNl1 -vgIUBoD/wzzS5QqdnT4r726aQt3pNezns1NDxujwUovVn5nQaXnKOTJHsOthDJ99 -PakEMa93iZqOfzbVouBIBH1IPgNLHof9Jdq3wYiKhrQVJXRespdpCfh3/wdph9LB -ElBOTlrCcShV+N6deO4KI2wNK5h704D4hOMsqlInLwGQmGi7qa4ouWASgzQQmU/8 -6va3mJsgCvzHUpRCMQo7pIZm6SnOIYLdg7S4vV7P6q5oOIBnjFa8bK/Cq+zOR42e -gJs9ou65JTTC0KG+26wXaD2Wx8uriO/+ZfCT/YM29FUUqIdayqHxhACjF0lkY83P -02CAQXURVoI7kbjHaGT7 -=jV9z +iQIcBAEBCgAGBQJYD5VZAAoJEO1n7NZdz2rnYT4QAMmnfUBnxiNHfzaEDMe2oU+H +WIVFzFtU5FTAm3wJ3JORU1euqhusDoB7D8nova30alM2bHHd86epBGgym1Q+hxR2 +qTI+d8QimvQUWelz7DWPh0h3ZNlVfDxY8vKlr5SS0W/HOMjbG/O6U1AIw5p7cPaa +LkDpqo2IN8xBL6tJFUKNEQS/GzuU2HtfKhQK0/ojT4DW61AkOZn4SZzzYBz3iO4p +a8Otv4+aHzyNjTZRm/33SrFzdG0RZWyT/WXsEHlv5NiXVMPML+oY918jppqClkoO +pwjcneWTqgYrE4vvVOADKOlWyNa4jFmPQSW7MmNEaF4RMd8TMcE/cBTKOi41YuOp +la1JzvtWUnou7oQqy/xKr0S/Wa2x6ZhR4vBg28fkfrQhn55N+qqDicQ3F907dOm5 +A0ERHKgImlWSGM+Sf2CJyrUJUNUye0bVQMhrM4e3psZ7Jr20IXjnhppr1mufCjTH +H+aEHv43o/1HuoltnjstiBZ/CZpFdIXkBpsHtzteZR2y+pmZFA9bB4uZeeML0mj3 +/cxj8rgPRmcjk6nSsnLWhq2YEFAZBC/lv43wqSrXE9+BBpSh6zM5NCTPb50/dBqf +V553uuGEvJlHmOAoveXxYyxKcGpgZAcgJjWpAkCpoVxgdrbtLcPY5Z+8cy8fMO3G +YHOkZydbLPaXOXimZfut +=NWuL -----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:32.bhyve.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:32.bhyve.asc Tue Oct 25 17:32:49 2016 (r49582) 
@@ -0,0 +1,125 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:32.bhyve Security Advisory + The FreeBSD Project + +Topic: bhyve - privilege escalation vulnerability + +Category: core +Module: bhyve +Announced: 2016-10-25 +Credits: Ilja van Sprundel, IOActive +Affects: FreeBSD 11.0 amd64 +Corrected: 2016-10-25 17:15:32 UTC (stable/11, 11.0-STABLE) + 2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2) + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +bhyve is a BSD licensed hypervisor that supports running a variety of +virtual machines (guests). + +II. Problem Description + +An unchecked array reference in the VGA device emulation code could +potentially allow guests access to the heap of the bhyve process. +Since the bhyve process is running as root, this may allow guests to +obtain full control of the hosts they are running on. + +III. Impact + +For bhyve virtual machines with the "fbuf" framebuffer device +configured, if exploited, a malicious guest could obtain full access +to not just the host system, but to other virtual machines running on +the system. + +IV. Workaround + +No workaround is available, however systems not using bhyve for +virtualization are not vulnerable. Additionally systems using bhyve +but without the "fbuf" framebuffer device configured are not +vulnerable. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +No reboot is needed. Rather the bhyve process for vulnerable virtual +machines should be restarted. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 platforms +can be updated via the freebsd-update(8) utility. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:32/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-16:32/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the bhyve process(es). + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r307939 +releng/11.0/ r307935 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:32.bhyve.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJYD5UbAAoJEO1n7NZdz2rnOAcP/03LJPbzVE05gIkN+j8z4jz5 +Q/EX+zGgid5omIqslsiM6obDNupnH3HYE7Suv5sCJky9pyX8mv1g3jTkxXzm+32k +9rCcBtGdIviKKG8GNuMa56ZU5EvgUkwndn4qTi7KmZ/+1l8UGRCAsU04L6qQHwb2 +Si7WcgZLse+epkYAgzyje+YFR/Ib2xc3vdXXpj+uxlQWs6U3RZ95v+6M5ARhBHes +YJ34QKphy/PaT02hI9AvLU6aB4hkN5XVE2uHgpciNRLp0DF3XwqHRYbDx2bACifS +ge7hbpsSCZuOayYWdtw8gcbzJXxX1fMv1q9ntj5XLh/a4av7coHWYPHDYmIC7Inb +RNAhynR8W9SWFZ1EqUEWhKeWPwpKgiy1e4+CpDm5wbnj+CzJLc08tMU77jIUV6In +ilJkZ04sv25mjOdnjSkjt6PnXmT1n+UrWdKjOYsAkaWiHpAUzGT2dSgRfn8zh5wv +hc1368Z2v2v43HJ+Y4x0M0VVuuEydEHB+sWBhn8evxlQ6KIAC2sdi7juP4TLAgkj +A1kA3Oob4+pGlxzTGgHDE+/HzHnGEfmoWHS/u0dmDiUuTlQDKQCdCEUnjfRdJYuc +3fbigdY70d2wx6igs4VZszSQLu4c4ranewy3ORS1OghpOjnvO7mvJVUbseusLaNC +fYkumZ2XfUaJuya63z7z +=gyCa +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-16:17/vm.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:17/vm.patch Tue Oct 25 17:32:49 2016 (r49582) 
@@ -0,0 +1,235 @@ +--- sys/kern/vfs_subr.c.orig ++++ sys/kern/vfs_subr.c +@@ -2934,7 +2934,13 @@ + TAILQ_EMPTY(&vp->v_bufobj.bo_clean.bv_hd) && + vp->v_bufobj.bo_clean.bv_cnt == 0, + ("vp %p bufobj not invalidated", vp)); +- vp->v_bufobj.bo_flag |= BO_DEAD; ++ ++ /* ++ * For VMIO bufobj, BO_DEAD is set in vm_object_terminate() ++ * after the object's page queue is flushed. ++ */ ++ if (vp->v_bufobj.bo_object == NULL) ++ vp->v_bufobj.bo_flag |= BO_DEAD; + BO_UNLOCK(&vp->v_bufobj); + + /* +--- sys/vm/vm_fault.c.orig ++++ sys/vm/vm_fault.c +@@ -286,7 +286,7 @@ + vm_prot_t prot; + long ahead, behind; + int alloc_req, era, faultcount, nera, reqpage, result; +- boolean_t growstack, is_first_object_locked, wired; ++ boolean_t dead, growstack, is_first_object_locked, wired; + int map_generation; + vm_object_t next_object; + vm_page_t marray[VM_FAULT_READ_MAX]; +@@ -423,11 +423,18 @@ + fs.pindex = fs.first_pindex; + while (TRUE) { + /* +- * If the object is dead, we stop here ++ * If the object is marked for imminent termination, ++ * we retry here, since the collapse pass has raced ++ * with us. Otherwise, if we see terminally dead ++ * object, return fail. + */ +- if (fs.object->flags & OBJ_DEAD) { ++ if ((fs.object->flags & OBJ_DEAD) != 0) { ++ dead = fs.object->type == OBJT_DEAD; + unlock_and_deallocate(&fs); +- return (KERN_PROTECTION_FAILURE); ++ if (dead) ++ return (KERN_PROTECTION_FAILURE); ++ pause("vmf_de", 1); ++ goto RetryFault; + } + + /* +--- sys/vm/vm_meter.c.orig ++++ sys/vm/vm_meter.c +@@ -93,30 +93,32 @@ + CTLFLAG_MPSAFE, NULL, 0, sysctl_vm_loadavg, "S,loadavg", + "Machine loadaverage history"); + ++/* ++ * This function aims to determine if the object is mapped, ++ * specifically, if it is referenced by a vm_map_entry. Because ++ * objects occasionally acquire transient references that do not ++ * represent a mapping, the method used here is inexact. However, it ++ * has very low overhead and is good enough for the advisory ++ * vm.vmtotal sysctl. 
++ */ ++static bool ++is_object_active(vm_object_t obj) ++{ ++ ++ return (obj->ref_count > obj->shadow_count); ++} ++ + static int + vmtotal(SYSCTL_HANDLER_ARGS) + { +- struct proc *p; + struct vmtotal total; +- vm_map_entry_t entry; + vm_object_t object; +- vm_map_t map; +- int paging; ++ struct proc *p; + struct thread *td; +- struct vmspace *vm; + + bzero(&total, sizeof(total)); ++ + /* +- * Mark all objects as inactive. +- */ +- mtx_lock(&vm_object_list_mtx); +- TAILQ_FOREACH(object, &vm_object_list, object_list) { +- VM_OBJECT_WLOCK(object); +- vm_object_clear_flag(object, OBJ_ACTIVE); +- VM_OBJECT_WUNLOCK(object); +- } +- mtx_unlock(&vm_object_list_mtx); +- /* + * Calculate process statistics. + */ + sx_slock(&allproc_lock); +@@ -136,11 +138,15 @@ + case TDS_INHIBITED: + if (TD_IS_SWAPPED(td)) + total.t_sw++; +- else if (TD_IS_SLEEPING(td) && +- td->td_priority <= PZERO) +- total.t_dw++; +- else +- total.t_sl++; ++ else if (TD_IS_SLEEPING(td)) { ++ if (td->td_priority <= PZERO) ++ total.t_dw++; ++ else ++ total.t_sl++; ++ if (td->td_wchan == ++ &cnt.v_free_count) ++ total.t_pw++; ++ } + break; + + case TDS_CAN_RUN: +@@ -158,29 +164,6 @@ + } + } + PROC_UNLOCK(p); +- /* +- * Note active objects. 
+- */ +- paging = 0; +- vm = vmspace_acquire_ref(p); +- if (vm == NULL) +- continue; +- map = &vm->vm_map; +- vm_map_lock_read(map); +- for (entry = map->header.next; +- entry != &map->header; entry = entry->next) { +- if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) || +- (object = entry->object.vm_object) == NULL) +- continue; +- VM_OBJECT_WLOCK(object); +- vm_object_set_flag(object, OBJ_ACTIVE); +- paging |= object->paging_in_progress; +- VM_OBJECT_WUNLOCK(object); +- } +- vm_map_unlock_read(map); +- vmspace_free(vm); +- if (paging) +- total.t_pw++; + } + sx_sunlock(&allproc_lock); + /* +@@ -206,9 +189,18 @@ + */ + continue; + } ++ if (object->ref_count == 1 && ++ (object->flags & OBJ_NOSPLIT) != 0) { ++ /* ++ * Also skip otherwise unreferenced swap ++ * objects backing tmpfs vnodes, and POSIX or ++ * SysV shared memory. ++ */ ++ continue; ++ } + total.t_vm += object->size; + total.t_rm += object->resident_page_count; +- if (object->flags & OBJ_ACTIVE) { ++ if (is_object_active(object)) { + total.t_avm += object->size; + total.t_arm += object->resident_page_count; + } +@@ -216,7 +208,7 @@ + /* shared object */ + total.t_vmshr += object->size; + total.t_rmshr += object->resident_page_count; +- if (object->flags & OBJ_ACTIVE) { ++ if (is_object_active(object)) { + total.t_avmshr += object->size; + total.t_armshr += object->resident_page_count; + } +--- sys/vm/vm_object.c.orig ++++ sys/vm/vm_object.c +@@ -737,6 +737,10 @@ + + vinvalbuf(vp, V_SAVE, 0, 0); + ++ BO_LOCK(&vp->v_bufobj); ++ vp->v_bufobj.bo_flag |= BO_DEAD; ++ BO_UNLOCK(&vp->v_bufobj); ++ + VM_OBJECT_WLOCK(object); + } + +@@ -1722,6 +1726,9 @@ + * case. + */ + if (backing_object->ref_count == 1) { ++ vm_object_pip_add(object, 1); ++ vm_object_pip_add(backing_object, 1); ++ + /* + * If there is exactly one reference to the backing + * object, we can collapse it into the parent. 
+@@ -1793,11 +1800,13 @@ + KASSERT(backing_object->ref_count == 1, ( + "backing_object %p was somehow re-referenced during collapse!", + backing_object)); ++ vm_object_pip_wakeup(backing_object); + backing_object->type = OBJT_DEAD; + backing_object->ref_count = 0; + VM_OBJECT_WUNLOCK(backing_object); + vm_object_destroy(backing_object); + ++ vm_object_pip_wakeup(object); + object_collapses++; + } else { + vm_object_t new_backing_object; +@@ -2130,6 +2139,7 @@ + */ + if (!reserved && !swap_reserve_by_cred(ptoa(next_size), + prev_object->cred)) { ++ VM_OBJECT_WUNLOCK(prev_object); + return (FALSE); + } + prev_object->charge += ptoa(next_size); +--- sys/vm/vm_object.h.orig ++++ sys/vm/vm_object.h +@@ -181,7 +181,6 @@ + */ + #define OBJ_FICTITIOUS 0x0001 /* (c) contains fictitious pages */ + #define OBJ_UNMANAGED 0x0002 /* (c) contains unmanaged pages */ +-#define OBJ_ACTIVE 0x0004 /* active objects */ + #define OBJ_DEAD 0x0008 /* dead objects (during rundown) */ + #define OBJ_NOSPLIT 0x0010 /* dont split this object */ + #define OBJ_PIPWNT 0x0040 /* paging in progress wanted */ Added: head/share/security/patches/EN-16:17/vm.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:17/vm.patch.asc Tue Oct 25 17:32:49 2016 (r49582) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJYD5UZAAoJEO1n7NZdz2rnveQP/18XosglN8If641FhVryq35Y +JHRydPexwxGiYPyviA4Q97PmZVJoeXCLzzXBQG5aznHLTd3LzBmiKpjTU5c7l8XC +sfbEXoHP7z3Qoxwopx8mCzxmGYOhbCGajXBlP9pIkZV1cqW802AD0W7PUfNpg9Bv +/2Z/GTChrXZsX8uVUka8S7y8Bm+bGXr2dDuf/P9EWIjRmW/2QFdmTAI5WGxLXA03 +NdIs2YrAB5BmMJmRFueV38NvvDaBmFtfUPtDM+ZAwMfEu6yGB20sj4OR9bT5DLt4 +SuhaCY6CEaaPSOWMYq9TTpCQt/hL6G7S6ij+T76wF7WbqKl1wJWf7i89MeAtv6B+ +lsSSb52oHqxL1KVTUiv4j47QPxc5wNmhtkDiTn5VYP81Nnw/f2tLtQnUeUPAcIBn +YMFGU+zuKaZmjoQeU0EG31q4UtUwIjHMs4cn9zwgYAj0oK+85UU4UgYh1PM68sbB +wu6kwqJirb/zGZHzC8YD+Ypfp2c/6dYnPk9Mxu/6FCP5MHuTX6/+wlqI92cGM8Fo +x9nROaTsZB+Kx3drNSiYiroyeKlrDPrapoTwg68NNjjI/Wgs/Mr9QVN/DvSAOlpH +V54wGrm0GL8IQlnEWA+knE+8nRHsiTb3Wnz123QQLDk4ah6/hvRfaBn57R1oVlYT +wi0AfTZtOXd8uZHwPP5q +=NTrZ +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-16:18/loader.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:18/loader.patch Tue Oct 25 17:32:49 2016 (r49582) 
@@ -0,0 +1,34 @@ +--- sys/boot/geli/geliboot.c.orig ++++ sys/boot/geli/geliboot.c +@@ -77,17 +77,25 @@ + int error; + off_t alignsector; + +- alignsector = (lastsector * DEV_BSIZE) & +- ~(off_t)(DEV_GELIBOOT_BSIZE - 1); ++ alignsector = rounddown2(lastsector * DEV_BSIZE, DEV_GELIBOOT_BSIZE); ++ if (alignsector + DEV_GELIBOOT_BSIZE > ((lastsector + 1) * DEV_BSIZE)) { ++ /* Don't read past the end of the disk */ ++ alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE ++ - DEV_GELIBOOT_BSIZE; ++ } + error = read_func(NULL, dskp, alignsector, &buf, DEV_GELIBOOT_BSIZE); + if (error != 0) { + return (error); + } +- /* Extract the last DEV_BSIZE bytes from the block. */ +- error = eli_metadata_decode(buf + (DEV_GELIBOOT_BSIZE - DEV_BSIZE), +- &md); ++ /* Extract the last 4k sector of the disk. */ ++ error = eli_metadata_decode(buf, &md); + if (error != 0) { +- return (error); ++ /* Try the last 512 byte sector instead. */ ++ error = eli_metadata_decode(buf + ++ (DEV_GELIBOOT_BSIZE - DEV_BSIZE), &md); ++ if (error != 0) { ++ return (error); ++ } + } + + if (!(md.md_flags & G_ELI_FLAG_GELIBOOT)) { Added: head/share/security/patches/EN-16:18/loader.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:18/loader.patch.asc Tue Oct 25 17:32:49 2016 (r49582) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJYD5UaAAoJEO1n7NZdz2rnZeQP/A7rKnV8s+QKgS2KypSuk9pO +N0DQsAx/M3qIOvkkCE3JjfV/iYpQZ8qVbFodI+Q6gy8EXPttEKotc9+Fqf3gyIvD ++YGeCmeALRqjziCqg5Yzfm+Vq4jhHK0EPxjzaPFTSfrWY1zKTnO9UILWBOeX+rff +mYKWch2UzmXDLoOGm25v9Ov5tMyzTNDRqoMWUFPIbCt054Q1UqJBLKrlUXSRLQyi +uc0Zhs3es27MfBE37ZEjGnm5hn8Zx9krsyqVuYp+ZWrugn4W/Ur36QEzETd7b3ZF +MBDPQz8rJ1degserJDVPD3bF5aADjylNtsKffwo65F2qLnK6OcGjqRY93aQeJcjv +bxDn1pqYsC/uT76k05AK+1IaFCXRufek4g+Z5BMsaGQyhmaqfN2opzAnrEmXnPY7 +0FI3p8uu6xH6JkfaOQwO71DvD00907/cAJq3HHUvbWSrgB/6ksqxQoElu/l8QyzG +X2wDkwVKA9fF5ExMTDquvt725enikdoPCp3T2CiCfRv6N/xTuH/M54V0b/F+vHCT +24eLVbdrdgQhrw0Hqk6bYhxt3VzpkIQPxNot8IpbtfJfJersrsDDC5o7PvSj04YJ +01A9gTm/XGqSRfdET2GmoYvX+zbnQ10EuqXh57boPKDA8WuwmOvrsEylXW3BUpaz +jx167sv08GgW5fdZmVxe +=6m5C +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:15/sysarch-01.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:15/sysarch-01.patch Tue Oct 25 17:32:49 2016 (r49582) @@ -0,0 +1,21 @@ +--- sys/amd64/amd64/sys_machdep.c.orig ++++ sys/amd64/amd64/sys_machdep.c +@@ -608,6 +608,8 @@ + largest_ld = uap->start + uap->num; + if (largest_ld > max_ldt_segment) + largest_ld = max_ldt_segment; ++ if (largest_ld < uap->start) ++ return (EINVAL); + i = largest_ld - uap->start; + mtx_lock(&dt_lock); + bzero(&((struct user_segment_descriptor *)(pldt->ldt_base)) +@@ -620,7 +622,8 @@ + /* verify range of descriptors to modify */ + largest_ld = uap->start + uap->num; + if (uap->start >= max_ldt_segment || +- largest_ld > max_ldt_segment) ++ largest_ld > max_ldt_segment || ++ largest_ld < uap->start) + return (EINVAL); + } + Added: head/share/security/patches/SA-16:15/sysarch-01.patch.asc ============================================================================== 
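Review bot: the new `if (largest_ld < uap->start) return (EINVAL);` in the first sys_machdep.c hunk (the one at line 608) sits in the right place, since it runs before `i = largest_ld - uap->start` and before `mtx_lock(&dt_lock)`, so nothing is held on the error path; but it carries no comment, and the reason it is needed is not obvious from the neighbouring lines: once `largest_ld` has been clamped to `max_ldt_segment`, a `uap->start` beyond `max_ldt_segment` (or a `uap->start + uap->num` that wrapped) leaves `largest_ld - uap->start` negative, and that value was previously used as the descriptor count passed to `bzero`. Suggest a one-line comment such as `/* start beyond the LDT, or start + num wrapped around */` so a later reader does not remove the test as redundant with the clamp above it.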
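Review bot: in the second sys_machdep.c hunk (the one at line 620) the added `largest_ld < uap->start` condition only fires when `uap->start + uap->num` wraps, because `uap->start >= max_ldt_segment` is already rejected by the first test of the same `||` chain; that asymmetry with the first hunk, where the identical comparison also covers a start beyond the table, is worth a short addition to the existing `/* verify range of descriptors to modify */` comment. The declarations of `uap->start`, `uap->num` and `largest_ld` are not visible in this hunk, so whether a wrapped sum is reliably caught by a `<` comparison depends on their width and signedness; please confirm in review that the addition is on an unsigned type (where wraparound is defined) or replace it with an explicit overflow-safe bound check.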
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:15/sysarch-01.patch.asc Tue Oct 25 17:32:49 2016 (r49582) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJYD5VaAAoJEO1n7NZdz2rn4WAP/3JhfEQ0ZUNAcMR3VGpKHEE3 +wWW3a0Y2vOBqRZwz3+tXKC2iaGj1jmgZ3gLIEDGrvqD952X2vbqAyliYpPbGwH5e +g1bKn0A07Ede/rSdiCS2/j2ys3l9jV0hNc4M6mx703+QpwqoL3U2b7lIiT3AcaWx +ZqOvnoiVOMLB7hXzeprI+EQMq92A5oNg79kM2K7wPepQlM2l3imbUv1kyTr+QqR6 +oMpV1lYw5YEG22d29Kh2BRBnCpy6wpek9ZynLmQ+hkPTPnsLA8phymjwT51SnoHx +QfIlR9L/PhgpNgGyTSWM+rG0z2unETHztNkszFVg5zgDmjHI/l2MGEKCHZ3k8WA9 +a20rIvZu3uXUqcnhtluFY64e5qS71fuWFZ6j4DvTUib0Xuu71BHoHmWF1ek32rTv +Z0IOfV56QSl9syGEMQQ8hdHIQcg2TQ/mBpwOUEIr37dotUKQH8lOXYgL0tVRglQw +iV0VroPCmUeMIEDb41DrL6K3zH4R6/n5bE3zFiWBIpCa4pCycyLYWEZzemfTc1rn +0Q18PiWTCoizta2JngTvO9HUnsgCZ/gkl+6homU5OPvK4z2OcuLQY+Re1MhIfAe8 +wtgJa9gyB6+kV8W0I6ZIpQMU//dpyOrRxXOY5bgy51vNxDt4EPWhf5PQZn4WFprN +tlJAYOs6yjZ/71OrHziO +=8ocC +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:32/bhyve.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:32/bhyve.patch Tue Oct 25 17:32:49 2016 (r49582) @@ -0,0 +1,17 @@ +--- usr.sbin/bhyve/vga.c.orig ++++ usr.sbin/bhyve/vga.c +@@ -161,10 +161,10 @@ + */ + struct { + uint8_t dac_state; +- int dac_rd_index; +- int dac_rd_subindex; +- int dac_wr_index; +- int dac_wr_subindex; ++ uint8_t dac_rd_index; ++ uint8_t dac_rd_subindex; ++ uint8_t dac_wr_index; ++ uint8_t dac_wr_subindex; + uint8_t dac_palette[3 * 256]; + uint32_t dac_palette_rgb[256]; + } vga_dac; Added: head/share/security/patches/SA-16:32/bhyve.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:32/bhyve.patch.asc Tue Oct 25 17:32:49 2016 (r49582) 
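Review bot: the vga.c hunk relies on narrowing the four DAC index fields to `uint8_t` so that every index derived from them stays inside `dac_palette[3 * 256]`, but nothing in the struct says so; add a comment on the fields (for example `/* uint8_t on purpose: wraps at 256 and bounds dac_palette accesses */`) so a later widening does not silently reintroduce the out-of-range access. The code that increments and combines `dac_*_index` and `dac_*_subindex` lies outside this hunk, so please check in the same review that every arithmetic use (`++`, the index/subindex combination, comparisons against `int` constants) still behaves as intended after the narrowing, and in particular that `dac_rd_subindex` and `dac_wr_subindex` are reset to 0 before reaching 3, since the `uint8_t` wrap at 256 bounds only the main index, not the subindex.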
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJYD5UcAAoJEO1n7NZdz2rno3UQALGbFZ52rbPAMch04Vd2B+1U +7SYydFXf3/ZBV3ldp6wpiWvbGw8E5wmqkw7vZD3IYfeUQ1KT+FjDGrXtVI5KqvLB +14hxqJzIP5+B4dNwTN03MhlNBCEiyRnNEIin2Z443v3Ub4KwnHNrwubiw+TKh8pb +k3hqFFIw5eBm+9PgHYM533RjTfPo6OgB3Pcz31aE8ukS8bwIxkWu3aCKCXLEhbk2 +lYl0ACthDTxoCh0ZzDQLGFlhKGk/aiByqu6lSw3yvT9X+JpfEwQq6Pgi1PDKEazi +6M6kx5mky772CzYrwpzFN3znUOG9mTaNKbB8/up88SfkmAuKRnfGOrZlL4cap4NP +JvaeErYqdzyCUOZ2HWQTY6kkpm8kfWhORKD15fQa+VmojAxOgyubxqV008RypSYy +0YxVv0W3U9CrcL03o7B7QdXBiA4uvto0ZLBhqLR6spLxaAYVyeUnV2Zcg593xh9e +zGeYR8Y40GdvmbX2X9mJir1Dm6gvVkGkm31ZRDRVbvL8Cy72Hzi+W6clogwwT+O5 +xpM+Ti565IleHf0AxA0Pp1UI86duV3mUkJGe7nlrQwHOxDsK/mBU0sR+qrw3jvDJ +48e+3mn62HmonpV9vhI+XWkvmbnjti5YJzRCcT5aAwaS6DF8fUbjbnXoX+SO1nQV +ScohGEhHQCRosWesJVNh +=JYG2 +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Oct 25 16:44:58 2016 (r49581) +++ head/share/xml/advisories.xml Tue Oct 25 17:32:49 2016 (r49582) @@ -11,6 +11,18 @@ <name>10</name> <day> + <name>25</name> + + <advisory> + <name>FreeBSD-SA-16:32.bhyve</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-16:15.sysarch</name> + </advisory> + </day> + + <day> <name>10</name> <advisory> Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Tue Oct 25 16:44:58 2016 (r49581) +++ head/share/xml/notices.xml Tue Oct 25 17:32:49 2016 (r49582) @@ -8,6 +8,22 @@ <name>2016</name> <month> + <name>10</name> + + <day> + <name>25</name> + + <notice> + <name>FreeBSD-EN-16:18.loader</name> + </notice> + + <notice> + <name>FreeBSD-EN-16:17.vm</name> + </notice> + </day> + </month> + + <month> <name>8</name> <day>