From: Gordon Tetlow
Date: Wed, 15 Nov 2017 23:08:45 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r51201 - in head/share: security/advisories security/patches/SA-17:08 security/patches/SA-17:09 security/patches/SA-17:10 xml

Author: gordon (src,ports committer)
Date: Wed Nov 15 23:08:45 2017
New Revision: 51201
URL: https://svnweb.freebsd.org/changeset/doc/51201

Log:
  Add SA-17:08, SA-17:09, SA-17:10.

Added:
  head/share/security/advisories/FreeBSD-SA-17:08.ptrace.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-17:09.shm.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-17:10.kldstat.asc (contents, props changed)
  head/share/security/patches/SA-17:08/
  head/share/security/patches/SA-17:08/ptrace.patch (contents, props changed)
  head/share/security/patches/SA-17:08/ptrace.patch.asc (contents, props changed)
  head/share/security/patches/SA-17:09/
  head/share/security/patches/SA-17:09/shm-10.3.patch (contents, props changed)
  head/share/security/patches/SA-17:09/shm-10.3.patch.asc (contents, props changed)
  head/share/security/patches/SA-17:09/shm-10.patch (contents, props changed)
  head/share/security/patches/SA-17:09/shm-10.patch.asc (contents, props changed)
  head/share/security/patches/SA-17:10/
  head/share/security/patches/SA-17:10/kldstat.patch (contents, props changed)
  head/share/security/patches/SA-17:10/kldstat.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-17:08.ptrace.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-17:08.ptrace.asc Wed Nov 15 23:08:45 2017 (r51201) 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-17:08.ptrace Security Advisory + The FreeBSD Project + +Topic: Kernel data leak via ptrace(PT_LWPINFO) + +Category: core +Module: ptrace +Announced: 2017-11-15 +Credits: John Baldwin +Affects: All supported versions of FreeBSD. +Corrected: 2017-11-10 12:28:43 UTC (stable/11, 11.1-STABLE) + 2017-11-15 22:39:41 UTC (releng/11.1, 11.1-RELEASE-p4) + 2017-11-15 22:40:15 UTC (releng/11.0, 11.0-RELEASE-p15) + 2017-11-10 12:31:58 UTC (stable/10, 10.4-STABLE) + 2017-11-15 22:40:32 UTC (releng/10.4, 10.4-RELEASE-p3) + 2017-11-15 22:40:46 UTC (releng/10.3, 10.3-RELEASE-p24) +CVE Name: CVE-2017-1086 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The ptrace(2) syscall provides the facility for a debugger to control the +execution of the target process and to obtain necessary status information +about it. The struct ptrace_lwpinfo structure is reported by one of the +ptrace(2) subcommand and contains a lot of the information about the stopped +thread (light-weight process or LWP, thus the name). + +II. Problem Description + +Not all information in the struct ptrace_lwpinfo is relevant for the state +of any thread, and the kernel does not fill the irrelevant bytes or short +strings. Since the structure filled by the kernel is allocated on the +kernel stack and copied to userspace, a leak of information of the kernel +stack of the thread is possible from the debugger. + +III. Impact + +Some bytes from the kernel stack of the thread using ptrace(PT_LWPINFO) +call can be observed in userspace. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Afterward, reboot the system. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch +# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch.asc +# gpg --verify ptrace.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r325643 +releng/10.3/ r325871 +releng/10.4/ r325870 +stable/11/ r325642 +releng/11.0/ r325869 +releng/11.1/ r325868 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxftfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD +RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P +audQ+hAA2+cjqNVUJ/Polwo9cu61QxKLEXO1DItlMIFWBxpFpXXlRSLbqH+RGmaO +6aR4Q1xcOnLm8e57KcLFppl77uOZyO0IJ0lyK6P30ouSxuYIW3aHbW+p3pVYBE+J +aqF3mNxSh9xQRgXvxUB/CM3w/SMKkxXtkZMvhNSGFCShGQTNpjGfAgIwOZD8mNFi +WvYbPgzwfeE4tsaStZ91SZ8wf2nxdRXhybDXEOCAJvicP6IqYA1Zfr7RG2N3swK7 +JKLXW7tiVu+zbRYYFiWYX4FIWatIlsTjpD0GyuZs0j2PCEu80z1muFnrp/dGg3Bn +APGVzIrkFjKvmXfkuFZFPMWCL+u9cUgOMNGkMFDXrLppLL7aXCGrz3BWECg581Pr +dnUrrz/iEcXGDcnTJ3Ff+OidqdhdpVQz59Ek90TMd5iO+nZ+xeVjVzxdLHb82/wt +KlgXRpwTg3Q72xDSF84UmRSkk1M/V5AZMrZiy2RjIwtvLqIJ9ZpLAMnrwTTWRDjB +YurHHNWKjMVkdKCdbpBVGRjNmS6XYS6QukmA4M85d2r0Dmb8J6Gd6juHc3Essrz+ +3qEMKAcYsSWbQ5ZSMywUOzM74Dk+wUTf7jCJ1IsSqn8hYHOqvUSF0ftwXkdS1+cv +GT25iduAMCdTP15Qp57Wlhv9WCF8eOUoYKHiSpXcVa6XMqazLy4= +=Uqz2 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-17:09.shm.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-17:09.shm.asc Wed Nov 15 23:08:45 2017 (r51201) 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-17:09.shm Security Advisory + The FreeBSD Project + +Topic: POSIX shm allows jails to access global namespace + +Category: core +Module: shm +Announced: 2017-11-15 +Credits: Whitewinterwolf +Affects: FreeBSD 10.x +Corrected: 2017-11-13 23:21:17 UTC (stable/10, 10.4-STABLE) + 2017-11-15 22:45:50 UTC (releng/10.4, 10.4-RELEASE-p3) + 2017-11-15 22:45:13 UTC (releng/10.3, 10.3-RELEASE-p24) +CVE Name: CVE-2017-1087 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +POSIX shared memory objects allow realtime inter-process communication by +sharing a memory area through the use of a named path (see shm_open(2)). + +This is used by some multi-process applications to share data between running +processes, such as a common cache or to implement a producer-consumer model +where several worker processes handle requests pushed by a producer process. + +II. Problem Description + +Named paths are globally scoped, meaning a process located in one jail can +read and modify the content of POSIX shared memory objects created by a +process in another jail or the host system. + +III. Impact + +A malicious user that has access to a jailed system is able to abuse shared +memory by injecting malicious content in the shared memory region. This +memory region might be executed by applications trusting the shared memory, +like Squid. + +This issue could lead to a Denial of Service or local privilege escalation. + +IV. Workaround + +No workaround is available, but systems without jails or jails not having +local users are not vulnerable. + +V. Solution + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+Reboot the system for the update to take effect. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +Reboot the system for the update to take effect. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.4, FreeBSD 10-STABLE] +# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch +# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch.asc +# gpg --verify shm-10.patch.asc + +[FreeBSD 10.3] +# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch +# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch.asc +# gpg --verify shm-10.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r325783 +releng/10.3/ r325873 +releng/10.4/ r325874 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxg1fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD +RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P +auciExAAhd9IcZrWpAqjKSGQWHrG7wJxrbCyyVVmZeoVQYQCihXJOnp+mhmVoJp5 +zvyjIBG23F/dR8ukRO/LnqzM2bhCj7OcijlvZboH3L4os8iIeB2Tc6k9YlnFQeij +wYK0CNnQjECf5S4OIBmQ+irpBYATZKk2EEDdmKDltcauSlIhJIzUedGdmMySOFzl +jpx3+dHNb+D9v4luOgvF3mVTYPpjYmJ2HIYel3m0XdElW+okM+L4Q5Nt4Krm+DDp +L0fUG5tqS+a++53mNIGeGiBhomD0zZMJZ8LXe/FAACHPWA0yUMhCVrZTwzVTHhA7 +g5W1prFW3WYui7x1qF2LIA+SnGFTWXRlIhlAA/1n94Jl6shHnV6guZbzLAX0zk/C +6WFydhrYhmPXd3o5uWz+oQQHXQCcHeGrNc+fmPKg/bpkyJvgfLc6YaY2gEQmfIrI +3w/xqhN8mWVVhpHsHK+Wcz44T9uGH4NlYeDYy3TJ1ECri28fbxufAzr8hgbNRDtw +B8YTijrPUSjwKBG815oO5JsOmHVCkCkIRx7nW72bHIs8ralXX563HK3RPjlFzr2G +tzk9DF2w2TUQlgzS4wbZk9lXmlgvV0vRzsz+7jcJe1K+ZgyweNg+QIVet3BvobIA +zeiRFfZuhH3ExNoJKqfZhBtOiePD0JR6JnkhvjEJm1NoHvoDOAQ= +=epmQ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-17:10.kldstat.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-17:10.kldstat.asc Wed Nov 15 23:08:45 2017 (r51201) 
@@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-17:10.kldstat Security Advisory + The FreeBSD Project + +Topic: Information leak in kldstat(2) + +Category: core +Module: kernel +Announced: 2017-11-15 +Credits: TJ Corley +Affects: All supported versions of FreeBSD. +Corrected: 2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE) + 2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4) + 2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15) + 2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE) + 2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3) + 2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24) +CVE Name: CVE-2017-1088 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The kldstat(2) syscall provides information about loaded kld files. The +syscall takes a userland argument of struct kld_file_stat which is then +filled with data about the kld file requested. + +II. Problem Description + +The kernel does not properly clear the memory of the kld_file_stat +structure before filling the data. Since the structure filled by the +kernel is allocated on the kernel stack and copied to userspace, a leak +of information from the kernel stack is possible. + +III. Impact + +Some bytes from the kernel stack can be observed in userspace. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Afterward, reboot the system. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch +# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc +# gpg --verify kldstat.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r325867 +releng/10.3/ r325878 +releng/10.4/ r325877 +stable/11/ r325866 +releng/11.0/ r325876 +releng/11.1/ r325875 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxhRfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD +RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P +audjZhAA29uguakBjkQtnAlWceN0BOQlkp03iYQh61dFpdH98f7RQcr5cq77XKrM +pkONtdEVbZNF9g6sly6n9dq5ivAuC9K1KGPtylMcPzHLTzDtV1B13vk2iwwgqkZ7 +GgB+m305kcL85knaASn3PBYwKTKzGOrhZFUZuTTI4VAnbbEmIwTHnJlVHvNwFDIj +je1XxdDBr4jq7SdCZH8YW9LZAMDi9b+0hg72u20ZQ66uNeadxN4i9DuWtMeHJHb7 +2aZRtHhdw4imryUpHM4FnCp5zp9V87Gyv4wy7IrkOKYtbl4nWqxqVakL7T9yVmY5 +Q4cGqreYq8bF2aM3LyT26VmDfMOovovHJpCRHf9fvlIMj6ajS39FKWMkEeU23ykg +EiTNk090h/G3REWiPnWjbxt8VGnFGyLe3K1VQqUvS+LlQ4lc45WCJnEHcpbvXT/E +TNTQ/85nE4BklV1d9wiLy26C21W92IguZam0HdRYJHgEc9Mug+62MfqDzHf0w5HP +3pu8IV5KMwEjGxzaiDMETIZU+K5fkdzPDNBhscxZ6OOab4zQ0+pZgdT1CSbXV6Ru +xuOjSyBdz5vVdbq/298VJJ7hNyoP1MgnyaxPrG2ImNDKjUGqbtOgv0m3ISqtsyfs +pEvyO2MxWWZqdNhtGJuQpOYyzAMxfJdmdOz1PMFFayQiBR7F0ao= +=N2rs +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-17:08/ptrace.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:08/ptrace.patch Wed Nov 15 23:08:45 2017 (r51201) 
@@ -0,0 +1,27 @@ +--- sys/kern/sys_process.c.orig ++++ sys/kern/sys_process.c +@@ -518,6 +518,7 @@ + struct ptrace_lwpinfo32 *pl32) + { + ++ bzero(pl32, sizeof(*pl32)); + pl32->pl_lwpid = pl->pl_lwpid; + pl32->pl_event = pl->pl_event; + pl32->pl_flags = pl->pl_flags; +@@ -1301,6 +1302,7 @@ + } else + #endif + pl = addr; ++ bzero(pl, sizeof(*pl)); + pl->pl_lwpid = td2->td_tid; + pl->pl_event = PL_EVENT_NONE; + pl->pl_flags = 0; +@@ -1321,8 +1323,6 @@ + pl->pl_siginfo = td2->td_dbgksi.ksi_info; + } + } +- if ((pl->pl_flags & PL_FLAG_SI) == 0) +- bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); + if (td2->td_dbgflags & TDB_SCE) + pl->pl_flags |= PL_FLAG_SCE; + else if (td2->td_dbgflags & TDB_SCX) Added: head/share/security/patches/SA-17:08/ptrace.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:08/ptrace.patch.asc Wed Nov 15 23:08:45 2017 (r51201) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxiVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD +RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P +aueBbRAApWCpppwWGjGogqxNVVeyROsWzCVGy4MGOT0ngU5mc2uwZA1zwbUZ0m1I +KGIGQGgkJLaU/pHJfjPmG6QGfGW2XY/VGd6EKY5P7dYXx54uGeb0OXU5e+6HLTMX +dWPkvAXeRQJuIY5A3L4K9lOiS6sLfpk759RlriuMRpqoBOZ4uQxynplYuuBJ/CRc +Tezy8LehBys2qDwhQa1wgoK/St5heh7TfOcoaumm9KvO7687DADE7bmU/iQ+XntL +eB/RVQTZ5yxDNe7z4oDsVwUwHFpwrln76feVDYVVdJFz8/dCszRenFhptrC145rY +W3o+LuczLdf+70vVY6ajLRypIpcvFEzO7X5DKafNFKG0ZvxrQp190+a4DAKJ6Vgh +8hB6Poz1aBObeJlnLNKPpcXQDwi3FCxyMardrTJG2bIAjqoS27eqF/RVhJpeXexs +plG2aRk4CdduOyrTYvvqDw2HkDB36kuE3gyFufV9DwMrPWtPQIEJcW9bPNGBdDi/ +LorKHPCXiX1/M8I9DMgOAmcGkaO/UtTqGFNZRrwuC9j2XpVk4gQfF5LUTdnf7FB3 +R0+/+HWYWpHm+OmuodToYgZ5X4+ftQpQztmvgArBLW83AcUUBL4ic7u5kOJCLUlT +QEseNpEHQBEIJzkOtq/nui//9kimTOWsC6rw7Raeoh/kUmurMjg= +=AJBS +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-17:09/shm-10.3.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:09/shm-10.3.patch Wed Nov 15 23:08:45 2017 (r51201) 
@@ -0,0 +1,1025 @@ +--- share/man/man9/osd.9.orig ++++ share/man/man9/osd.9 +@@ -25,7 +25,7 @@ + .\" + .\" $FreeBSD$ + .\" +-.Dd January 5, 2011 ++.Dd March 30, 2016 + .Dt OSD 9 + .Os + .Sh NAME +@@ -33,6 +33,9 @@ + .Nm osd_register , + .Nm osd_deregister , + .Nm osd_set , ++.Nm osd_reserve , ++.Nm osd_set_reserved , ++.Nm osd_free_reserved , + .Nm osd_get , + .Nm osd_del , + .Nm osd_call , +@@ -63,6 +66,22 @@ + .Fa "void *value" + .Fc + .Ft void * ++.Fo osd_reserve ++.Fa "u_int slot" ++.Fc ++.Ft int ++.Fo osd_set_reserved ++.Fa "u_int type" ++.Fa "struct osd *osd" ++.Fa "u_int slot" ++.Fa "void *rsv" ++.Fa "void *value" ++.Fc ++.Ft void ++.Fo osd_free_reserved ++.Fa "void *rsv" ++.Fc ++.Ft void * + .Fo osd_get + .Fa "u_int type" + .Fa "struct osd *osd" +@@ -198,6 +217,15 @@ + .Fa osd . + .Pp + The ++.Fn osd_set_reserved ++function does the same as ++.Fn osd_set , ++but with an extra argument ++.Fa rsv ++that is internal-use memory previously allocated via ++.Fn osd_reserve . ++.Pp ++The + .Fn osd_get + function returns the data pointer associated with a kernel data structure's + .Vt struct osd +@@ -324,6 +352,24 @@ + .Xr realloc 9 + calls. + .Pp ++It is possible for ++.Fn osd_set ++to fail to allocate this array. To ensure that such allocation succeeds, ++.Fn osd_reserve ++may be called (in a non-blocking context), and it will pre-allocate the ++memory via ++.Xr malloc 9 ++with M_WAITOK. ++Then this pre-allocated memory is passed to ++.Fn osd_set_reserved , ++which will use it if necessary or otherwise discard it. ++The memory may also be explicitly discarded by calling ++.Fn osd_free_reserved . ++As this method always allocates memory whether or not it is ultimately needed, ++it should be used only rarely, such as in the unlikely event that ++.Fn osd_set ++fails. ++.Pp + The + .Nm + API is geared towards slot identifiers storing pointers to the same underlying +@@ -359,15 +405,27 @@ + returns the slot identifier for the newly registered data type. 
+ .Pp + .Fn osd_set +-returns zero on success or ENOMEM if the specified type/slot identifier pair ++and ++.Fn osd_set_reserved ++return zero on success or ENOMEM if the specified type/slot identifier pair + triggered an internal + .Xr realloc 9 +-which failed. ++which failed ++.Fn ( osd_set_reserved ++will always succeed when ++.Fa rsv ++is non-NULL). + .Pp + .Fn osd_get + returns the data pointer for the specified type/slot identifier pair, or NULL if + the slot has not been initialised yet. + .Pp ++.Fn osd_reserve ++returns a pointer suitable for passing to ++.Fn osd_set_reserved ++or ++.Fn osd_free_reserved . ++.Pp + .Fn osd_call + returns zero if no method is run or the method for each slot runs successfully. + If a method for a slot returns non-zero, +--- sys/kern/kern_osd.c.orig ++++ sys/kern/kern_osd.c +@@ -44,6 +44,23 @@ + + /* OSD (Object Specific Data) */ + ++/* ++ * Lock key: ++ * (m) osd_module_lock ++ * (o) osd_object_lock ++ * (l) osd_list_lock ++ */ ++struct osd_master { ++ struct sx osd_module_lock; ++ struct rmlock osd_object_lock; ++ struct mtx osd_list_lock; ++ LIST_HEAD(, osd) osd_list; /* (l) */ ++ osd_destructor_t *osd_destructors; /* (o) */ ++ osd_method_t *osd_methods; /* (m) */ ++ u_int osd_ntslots; /* (m) */ ++ const u_int osd_nmethods; ++}; ++ + static MALLOC_DEFINE(M_OSD, "osd", "Object Specific Data"); + + static int osd_debug = 0; +@@ -62,25 +79,12 @@ + int list_locked); + + /* +- * Lists of objects with OSD. +- * +- * Lock key: +- * (m) osd_module_lock +- * (o) osd_object_lock +- * (l) osd_list_lock ++ * List of objects with OSD. 
+ */ +-static LIST_HEAD(, osd) osd_list[OSD_LAST + 1]; /* (m) */ +-static osd_method_t *osd_methods[OSD_LAST + 1]; /* (m) */ +-static u_int osd_nslots[OSD_LAST + 1]; /* (m) */ +-static osd_destructor_t *osd_destructors[OSD_LAST + 1]; /* (o) */ +-static const u_int osd_nmethods[OSD_LAST + 1] = { +- [OSD_JAIL] = PR_MAXMETHOD, ++struct osd_master osdm[OSD_LAST + 1] = { ++ [OSD_JAIL] = { .osd_nmethods = PR_MAXMETHOD }, + }; + +-static struct sx osd_module_lock[OSD_LAST + 1]; +-static struct rmlock osd_object_lock[OSD_LAST + 1]; +-static struct mtx osd_list_lock[OSD_LAST + 1]; +- + static void + osd_default_destructor(void *value __unused) + { +@@ -102,12 +106,12 @@ + if (destructor == NULL) + destructor = osd_default_destructor; + +- sx_xlock(&osd_module_lock[type]); ++ sx_xlock(&osdm[type].osd_module_lock); + /* + * First, we try to find unused slot. + */ +- for (i = 0; i < osd_nslots[type]; i++) { +- if (osd_destructors[type][i] == NULL) { ++ for (i = 0; i < osdm[type].osd_ntslots; i++) { ++ if (osdm[type].osd_destructors[i] == NULL) { + OSD_DEBUG("Unused slot found (type=%u, slot=%u).", + type, i); + break; +@@ -116,31 +120,31 @@ + /* + * If no unused slot was found, allocate one. 
+ */ +- if (i == osd_nslots[type]) { +- osd_nslots[type]++; +- if (osd_nmethods[type] != 0) +- osd_methods[type] = realloc(osd_methods[type], +- sizeof(osd_method_t) * osd_nslots[type] * +- osd_nmethods[type], M_OSD, M_WAITOK); +- newptr = malloc(sizeof(osd_destructor_t) * osd_nslots[type], +- M_OSD, M_WAITOK); +- rm_wlock(&osd_object_lock[type]); +- bcopy(osd_destructors[type], newptr, ++ if (i == osdm[type].osd_ntslots) { ++ osdm[type].osd_ntslots++; ++ if (osdm[type].osd_nmethods != 0) ++ osdm[type].osd_methods = realloc(osdm[type].osd_methods, ++ sizeof(osd_method_t) * osdm[type].osd_ntslots * ++ osdm[type].osd_nmethods, M_OSD, M_WAITOK); ++ newptr = malloc(sizeof(osd_destructor_t) * ++ osdm[type].osd_ntslots, M_OSD, M_WAITOK); ++ rm_wlock(&osdm[type].osd_object_lock); ++ bcopy(osdm[type].osd_destructors, newptr, + sizeof(osd_destructor_t) * i); +- free(osd_destructors[type], M_OSD); +- osd_destructors[type] = newptr; +- rm_wunlock(&osd_object_lock[type]); ++ free(osdm[type].osd_destructors, M_OSD); ++ osdm[type].osd_destructors = newptr; ++ rm_wunlock(&osdm[type].osd_object_lock); + OSD_DEBUG("New slot allocated (type=%u, slot=%u).", + type, i + 1); + } + +- osd_destructors[type][i] = destructor; +- if (osd_nmethods[type] != 0) { +- for (m = 0; m < osd_nmethods[type]; m++) +- osd_methods[type][i * osd_nmethods[type] + m] = +- methods != NULL ? methods[m] : NULL; ++ osdm[type].osd_destructors[i] = destructor; ++ if (osdm[type].osd_nmethods != 0) { ++ for (m = 0; m < osdm[type].osd_nmethods; m++) ++ osdm[type].osd_methods[i * osdm[type].osd_nmethods + m] ++ = methods != NULL ? 
methods[m] : NULL; + } +- sx_xunlock(&osd_module_lock[type]); ++ sx_xunlock(&osdm[type].osd_module_lock); + return (i + 1); + } + +@@ -151,37 +155,37 @@ + + KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); + KASSERT(slot > 0, ("Invalid slot.")); +- KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot.")); ++ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + +- sx_xlock(&osd_module_lock[type]); +- rm_wlock(&osd_object_lock[type]); ++ sx_xlock(&osdm[type].osd_module_lock); ++ rm_wlock(&osdm[type].osd_object_lock); + /* + * Free all OSD for the given slot. + */ +- mtx_lock(&osd_list_lock[type]); +- LIST_FOREACH_SAFE(osd, &osd_list[type], osd_next, tosd) ++ mtx_lock(&osdm[type].osd_list_lock); ++ LIST_FOREACH_SAFE(osd, &osdm[type].osd_list, osd_next, tosd) + do_osd_del(type, osd, slot, 1); +- mtx_unlock(&osd_list_lock[type]); ++ mtx_unlock(&osdm[type].osd_list_lock); + /* + * Set destructor to NULL to free the slot. + */ +- osd_destructors[type][slot - 1] = NULL; +- if (slot == osd_nslots[type]) { +- osd_nslots[type]--; +- osd_destructors[type] = realloc(osd_destructors[type], +- sizeof(osd_destructor_t) * osd_nslots[type], M_OSD, ++ osdm[type].osd_destructors[slot - 1] = NULL; ++ if (slot == osdm[type].osd_ntslots) { ++ osdm[type].osd_ntslots--; ++ osdm[type].osd_destructors = realloc(osdm[type].osd_destructors, ++ sizeof(osd_destructor_t) * osdm[type].osd_ntslots, M_OSD, + M_NOWAIT | M_ZERO); +- if (osd_nmethods[type] != 0) +- osd_methods[type] = realloc(osd_methods[type], +- sizeof(osd_method_t) * osd_nslots[type] * +- osd_nmethods[type], M_OSD, M_NOWAIT | M_ZERO); ++ if (osdm[type].osd_nmethods != 0) ++ osdm[type].osd_methods = realloc(osdm[type].osd_methods, ++ sizeof(osd_method_t) * osdm[type].osd_ntslots * ++ osdm[type].osd_nmethods, M_OSD, M_NOWAIT | M_ZERO); + /* + * We always reallocate to smaller size, so we assume it will + * always succeed. 
+ */ +- KASSERT(osd_destructors[type] != NULL && +- (osd_nmethods[type] == 0 || osd_methods[type] != NULL), +- ("realloc() failed")); ++ KASSERT(osdm[type].osd_destructors != NULL && ++ (osdm[type].osd_nmethods == 0 || ++ osdm[type].osd_methods != NULL), ("realloc() failed")); + OSD_DEBUG("Deregistration of the last slot (type=%u, slot=%u).", + type, slot); + } else { +@@ -188,68 +192,105 @@ + OSD_DEBUG("Slot deregistration (type=%u, slot=%u).", + type, slot); + } +- rm_wunlock(&osd_object_lock[type]); +- sx_xunlock(&osd_module_lock[type]); ++ rm_wunlock(&osdm[type].osd_object_lock); ++ sx_xunlock(&osdm[type].osd_module_lock); + } + + int + osd_set(u_int type, struct osd *osd, u_int slot, void *value) + { ++ ++ return (osd_set_reserved(type, osd, slot, NULL, value)); ++} ++ ++void * ++osd_reserve(u_int slot) ++{ ++ ++ KASSERT(slot > 0, ("Invalid slot.")); ++ ++ OSD_DEBUG("Reserving slot array (slot=%u).", slot); ++ return (malloc(sizeof(void *) * slot, M_OSD, M_WAITOK | M_ZERO)); ++} ++ ++int ++osd_set_reserved(u_int type, struct osd *osd, u_int slot, void *rsv, ++ void *value) ++{ + struct rm_priotracker tracker; + + KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); + KASSERT(slot > 0, ("Invalid slot.")); +- KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot.")); ++ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + +- rm_rlock(&osd_object_lock[type], &tracker); ++ rm_rlock(&osdm[type].osd_object_lock, &tracker); + if (slot > osd->osd_nslots) { ++ void *newptr; ++ + if (value == NULL) { + OSD_DEBUG( + "Not allocating null slot (type=%u, slot=%u).", + type, slot); +- rm_runlock(&osd_object_lock[type], &tracker); ++ rm_runlock(&osdm[type].osd_object_lock, &tracker); ++ if (rsv) ++ osd_free_reserved(rsv); + return (0); +- } else if (osd->osd_nslots == 0) { ++ } ++ ++ /* ++ * Too few slots allocated here, so we need to extend or create ++ * the array. 
++ */ ++ if (rsv) { + /* +- * First OSD for this object, so we need to allocate +- * space and put it onto the list. ++ * Use the reserve passed in (assumed to be ++ * the right size). + */ +- osd->osd_slots = malloc(sizeof(void *) * slot, M_OSD, +- M_NOWAIT | M_ZERO); +- if (osd->osd_slots == NULL) { +- rm_runlock(&osd_object_lock[type], &tracker); +- return (ENOMEM); ++ newptr = rsv; ++ if (osd->osd_nslots != 0) { ++ memcpy(newptr, osd->osd_slots, ++ sizeof(void *) * osd->osd_nslots); ++ free(osd->osd_slots, M_OSD); + } +- osd->osd_nslots = slot; +- mtx_lock(&osd_list_lock[type]); +- LIST_INSERT_HEAD(&osd_list[type], osd, osd_next); +- mtx_unlock(&osd_list_lock[type]); +- OSD_DEBUG("Setting first slot (type=%u).", type); + } else { +- void *newptr; +- +- /* +- * Too few slots allocated here, needs to extend +- * the array. +- */ + newptr = realloc(osd->osd_slots, sizeof(void *) * slot, + M_OSD, M_NOWAIT | M_ZERO); + if (newptr == NULL) { +- rm_runlock(&osd_object_lock[type], &tracker); ++ rm_runlock(&osdm[type].osd_object_lock, ++ &tracker); + return (ENOMEM); + } +- osd->osd_slots = newptr; +- osd->osd_nslots = slot; ++ } ++ if (osd->osd_nslots == 0) { ++ /* ++ * First OSD for this object, so we need to put it ++ * onto the list. 
++ */ ++ mtx_lock(&osdm[type].osd_list_lock); ++ LIST_INSERT_HEAD(&osdm[type].osd_list, osd, osd_next); ++ mtx_unlock(&osdm[type].osd_list_lock); ++ OSD_DEBUG("Setting first slot (type=%u).", type); ++ } else + OSD_DEBUG("Growing slots array (type=%u).", type); +- } +- } ++ osd->osd_slots = newptr; ++ osd->osd_nslots = slot; ++ } else if (rsv) ++ osd_free_reserved(rsv); + OSD_DEBUG("Setting slot value (type=%u, slot=%u, value=%p).", type, + slot, value); + osd->osd_slots[slot - 1] = value; +- rm_runlock(&osd_object_lock[type], &tracker); ++ rm_runlock(&osdm[type].osd_object_lock, &tracker); + return (0); + } + ++void ++osd_free_reserved(void *rsv) ++{ ++ ++ OSD_DEBUG("Discarding reserved slot array."); ++ free(rsv, M_OSD); ++} ++ + void * + osd_get(u_int type, struct osd *osd, u_int slot) + { +@@ -258,9 +299,9 @@ + + KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); + KASSERT(slot > 0, ("Invalid slot.")); +- KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot.")); ++ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + +- rm_rlock(&osd_object_lock[type], &tracker); ++ rm_rlock(&osdm[type].osd_object_lock, &tracker); + if (slot > osd->osd_nslots) { + value = NULL; + OSD_DEBUG("Slot doesn't exist (type=%u, slot=%u).", type, slot); +@@ -269,7 +310,7 @@ + OSD_DEBUG("Returning slot value (type=%u, slot=%u, value=%p).", + type, slot, value); + } +- rm_runlock(&osd_object_lock[type], &tracker); ++ rm_runlock(&osdm[type].osd_object_lock, &tracker); + return (value); + } + +@@ -278,9 +319,9 @@ + { + struct rm_priotracker tracker; + +- rm_rlock(&osd_object_lock[type], &tracker); ++ rm_rlock(&osdm[type].osd_object_lock, &tracker); + do_osd_del(type, osd, slot, 0); +- rm_runlock(&osd_object_lock[type], &tracker); ++ rm_runlock(&osdm[type].osd_object_lock, &tracker); + } + + static void +@@ -290,7 +331,7 @@ + + KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); + KASSERT(slot > 0, ("Invalid slot.")); +- 
KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot.")); ++ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot.")); + + OSD_DEBUG("Deleting slot (type=%u, slot=%u).", type, slot); + +@@ -299,7 +340,7 @@ + return; + } + if (osd->osd_slots[slot - 1] != NULL) { +- osd_destructors[type][slot - 1](osd->osd_slots[slot - 1]); ++ osdm[type].osd_destructors[slot - 1](osd->osd_slots[slot - 1]); + osd->osd_slots[slot - 1] = NULL; + } + for (i = osd->osd_nslots - 1; i >= 0; i--) { +@@ -313,10 +354,10 @@ + /* No values left for this object. */ + OSD_DEBUG("No more slots left (type=%u).", type); + if (!list_locked) +- mtx_lock(&osd_list_lock[type]); ++ mtx_lock(&osdm[type].osd_list_lock); + LIST_REMOVE(osd, osd_next); + if (!list_locked) +- mtx_unlock(&osd_list_lock[type]); ++ mtx_unlock(&osdm[type].osd_list_lock); + free(osd->osd_slots, M_OSD); + osd->osd_slots = NULL; + osd->osd_nslots = 0; +@@ -342,7 +383,7 @@ + int error, i; + + KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type.")); +- KASSERT(method < osd_nmethods[type], ("Invalid method.")); ++ KASSERT(method < osdm[type].osd_nmethods, ("Invalid method.")); + + /* + * Call this method for every slot that defines it, stopping if an +@@ -349,14 +390,14 @@ + * error is encountered. + */ + error = 0; +- sx_slock(&osd_module_lock[type]); +- for (i = 0; i < osd_nslots[type]; i++) { +- methodfun = +- osd_methods[type][i * osd_nmethods[type] + method]; ++ sx_slock(&osdm[type].osd_module_lock); ++ for (i = 0; i < osdm[type].osd_ntslots; i++) { ++ methodfun = osdm[type].osd_methods[i * osdm[type].osd_nmethods + ++ method]; + if (methodfun != NULL && (error = methodfun(obj, data)) != 0) + break; + } +- sx_sunlock(&osd_module_lock[type]); ++ sx_sunlock(&osdm[type].osd_module_lock); + return (error); + } *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
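Review bot: In the osd_set_reserved() hunk (@@ -188,68 +192,105 @@), the rsv branch only assumes the reserve is large enough ("assumed to be the right size"). Nothing records the slot that osd_reserve() was called with, so a reserve made for a smaller slot lets the memcpy() of osd->osd_nslots pointers, or the later osd->osd_slots[slot - 1] = value store, run past the allocation. Suggest a comment above osd_reserve() and osd_set_reserved() stating that rsv must come from osd_reserve() called with a slot at least as large as the one passed here. The same comment should record that osd_reserve() allocates with M_WAITOK and so has to be called where sleeping is allowed, and that osd_set_reserved() takes ownership of rsv on every path (it becomes the new array, or goes to osd_free_reserved() when value is NULL or the array is already large enough), so callers must not free it afterwards. The realloc() fallback now also covers the first allocation, which depends on osd->osd_slots being NULL whenever osd_nslots is 0; a KASSERT for that next to the realloc() call would make the dependency explicit.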
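Review bot: In the osd_call() hunk (@@ -349,14 +390,14 @@), the methodfun assignment is now wrapped in the middle of the array subscript (osdm[type].osd_methods[i * osdm[type].osd_nmethods + on one line, method]; on the next), which makes the index expression hard to read. Suggest taking a local pointer to osdm[type] at the top of the function and using it for the lock calls, the loop bound and the subscript. That keeps the index on one line and would also shorten the repeated osdm[type]. accesses in the other hunks.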