From: Gordon Tetlow
Date: Wed, 19 Dec 2018 19:51:25 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r52700 - in head/share: security/advisories security/patches/EN-18:16 security/patches/EN-18:17 security/patches/EN-18:18 security/patches/SA-18:15 xml

Author: gordon (src,ports committer)
Date: Wed Dec 19 19:51:24 2018
New Revision: 52700
URL: https://svnweb.freebsd.org/changeset/doc/52700

Log:
  Add SA-18:15 and EN-18:16 through EN-18:18.
Approved by: so Added: head/share/security/advisories/FreeBSD-EN-18:16.ptrace.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-18:17.vm.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-18:18.zfs.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-18:15.bootpd.asc (contents, props changed) head/share/security/patches/EN-18:16/ head/share/security/patches/EN-18:16/ptrace.patch (contents, props changed) head/share/security/patches/EN-18:16/ptrace.patch.asc (contents, props changed) head/share/security/patches/EN-18:17/ head/share/security/patches/EN-18:17/vm.patch (contents, props changed) head/share/security/patches/EN-18:17/vm.patch.asc (contents, props changed) head/share/security/patches/EN-18:18/ head/share/security/patches/EN-18:18/zfs.patch (contents, props changed) head/share/security/patches/EN-18:18/zfs.patch.asc (contents, props changed) head/share/security/patches/SA-18:15/ head/share/security/patches/SA-18:15/bootpd.patch (contents, props changed) head/share/security/patches/SA-18:15/bootpd.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-18:16.ptrace.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:16.ptrace.asc Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,126 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:16.ptrace Errata Notice + The FreeBSD Project + +Topic: kernel panic upon ptrace attach to stopped process + +Category: core +Module: kernel +Announced: 2018-12-19 +Credits: John Baldwin, Konstantin Belousov +Affects: FreeBSD 11.2 +Corrected: 2018-11-09 17:43:23 UTC (stable/11, 11.2-STABLE) + 2018-12-19 17:52:56 UTC (releng/11.2, 11.2-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ptrace(2) is a system call used by debuggers and related utilities +to take control of a process and inspect its state. To use the +interface, a debugger must first attach to a target process. Once +attached, the ptrace interface allows the debugger to intercept events, +such as signal delivery, involving the target process. + +II. Problem Description + +The ptrace(2) implementation in FreeBSD 11.2 contains a bug such that +a ptrace attach operation will trigger a kernel panic if the target +process is in a stopped state. + +III. Impact + +Users debugging a problem with, for example, gdb, may cause the system to +crash. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. 
+ +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +30 "Rebooting for FreeBSD errata update" + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/EN-18:16/ptrace.patch +# fetch https://security.FreeBSD.org/patches/EN-18:16/ptrace.patch.asc +# gpg --verify ptrace.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r340290 +releng/11.2/ r342224 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwanjhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKOqQ//fJgy4vjyoteYlSq6DagrgleiA9DkM13OsGxqGPOyA5+H+aI4ZtD3mqcK +u9p1eP3AA3sF5RLMvOpAMvJPYv1XMmHLm/15vGhjiLT7xK82jzH9Ic72hBnv6xm6 +lzp2L7dUKQaXwv6AUR9tF6MQXRBlC5FtI3Tf8ajUsNHCA+lMXx2pjYoG6/gWroXn +ycotsBYRicW6n6fJ+tTv9eVEI237+l+KUzqNH26e9Q6wkWtv4UNB5/FAauN6zovF +AJSLs9eTa7QlxsGbJwh/EYuSjw085n9jIFVeMQPN3kIvDHbk59mymSpE6W37QRj0 +c1Kq/nBI4WARrWvRf5KdZYXVJ/iKU3ndulE2gfmetbmHzCM4c7FcQaPqLM5htvfz +sUbu3o3Vq/0/XFj1nyxjX8YIxdveRaopi8rWASyq7JfsieUZt5RPSZM9QgbmoB45 +9fLCFMdMT2kBAUknIxoxlMAOzZV9p0d41Vu6M83Km5TC5iGItpYusScPh6qmxxC9 +WQwh6MzeabGEIFcxv6mCj4IcWGdDevcCIUW/mQBzPFJTdFQwq+A6HdHsNHJSQYZy +okY/P/CzUjupMYMLdbLjsxx7256Tm4wC2PVtvsyVZY/82IT0HGBq7pAp38R+3ANQ +FieQ+S0F0IKZlyNnGGghbH+YYIsehqC24eoymeUFZDias7vyq1A= +=5T6c +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-18:17.vm.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:17.vm.asc Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:17.vm Errata Notice + The FreeBSD Project + +Topic: Kernel panic under load on Intel "Skylake" CPUs + +Category: core +Module: kernel +Announced: 2018-12-19 +Credits: Mark Johnston +Affects: FreeBSD 11.2 +Corrected: 2018-12-02 18:08:27 UTC (stable/11, 11.2-STABLE) + 2018-19-19 18:00:58 UTC (releng/11.2, 11.2-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The physical page allocator is a component of the kernel responsible for +tracking usage of the system's RAM by the kernel and by userland +applications. It maintains lists of unused memory pages which may be +returned by the allocator upon demand. It also maintains an integer +count of the number of pages stored in these lists. + +II. Problem Description + +The kernel contains handling for an Intel erratum affecting Skylake-X +CPUs. The erratum description states that a processor may hang when +performing a certain synchronization operation within a particular 4MB +region of physical memory. FreeBSD works around the erratum by using +a blacklisting mechanism to ensure that the physical page allocator +never returns pages in that region. However, this blacklisting +mechanism contained a bug such that the removal of pages in the region +was not reflected in the free page count. + +III. Impact + +The discrepancy between the free page count and the physical page +allocator's state can trigger a NULL pointer dereference when the +system is under heavy load, resulting in a panic. + +IV. Workaround + +Only systems using a Skylake-X or Skylake Server CPU are affected. 
+ +Affected systems can work around the problem by setting the +"hw.skz63_enable" to 0 in /boot/loader.conf, causing the handling for +the Intel erratum to be disabled upon a reboot of the system. However, +this raises the possibility of being affected by the erratum if software +running on the system makes use of Intel TSX. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +Reboot the system + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/EN-18:17/vm.patch +# fetch https://security.FreeBSD.org/patches/EN-18:17/vm.patch.asc +# gpg --verify vm.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r341401 +releng/11.2/ r342225 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwannZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKsAxAAkr/ufB1aKSSib0n/e6PXE1FOnjUGgpK+LiiSG+QdW/6oMv/yto+4Qbj2 +3Ht3TPyuoTqwQmHHiSzpnnnRHGDrdffiRYQsziFR89c8iyw7Qni8BYlK2YLYYw9i +TVyT6sxkorpTPZpGQZNaRBwZoWCLaxBvfKC0wVcli9gByOfb5T5J4puUNT4EXIpb +eaimCWG24vsIkWlHeC/8ulHsjEEDBatyfWWl95i8JVMqBDdHZypryJkO0jBo5Uig +PIighKIqDiEwwvjtHfGh4iAn3mFINDbMDdjXyMWYqDbgvX3J6cCv6qaY7p2eizQN +taN1rbC+7MJIFEkTFASvbJq7KOc/PcXOLU4O3964HZbbowdQNwAxQAuMGN6GNLmJ +ydHE7Atei1Py8q3gg9uMpX0TVikzfOL6iBmdzEkg2mgXIeyISLn5BTuE/k9hkVwi +6Boeec1qshtx04gF0xzsp/KPropad4nV09/E4cuo5jHuaq3WgpnDVzVhGEmFZpY7 +Z5B8vHqSc7Ng0xZoQYIcYbGCVBaWNF4WCf/1DZhU44mXkob+CRkv+kROFkfn8lY3 +2Jzjp7LWqPv9CFxIJ7q4BnDTyhxkQksm646tII1JNMcjY0hzFjQDUrVmDRb8ak/E +LsJNDKicqGdCdrHeA8jZm7RxwAmdkhyF/uumPYxJg64Y9DU23SM= +=QgI2 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-18:18.zfs.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:18.zfs.asc Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:18.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS vnode reclaim deadlock + +Category: core +Module: kernel +Announced: 2018-12-19 +Credits: Allan Jude +Affects: FreeBSD 11.2 +Corrected: 2018-12-11 19:34:25 UTC (stable/11, 11.2-STABLE) + 2018-12-19 18:05:50 UTC (releng/11.2, 11.2-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +ZFS saves synchronous writes to the ZFS Intent Log (ZIL), which may be a +separate log device (SLOG), so they can be replayed in the event of a +power failure or system crash. This ensures that the contents of write() +calls that succeeded will still be available after the system +unexpectedly reboots. + +II. Problem Description + +There is a possible deadlock between zil_commit() and zfs_zget() during +the vnode reclaim process. If zfs_zget() is not able to take the vnode +exclusive lock, it will retry indefinately, blocking forward progress. + +III. Impact + +Processes may hang on the waitchan "zilog->zl_writer_lock". + +IV. Workaround + +Increasing the maximum number of vnodes (kern.maxvnodes) may decrease +the frequency of this deadlock. Systems not using ZFS are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/EN-18:18/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-18:18/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r341828 +releng/11.2/ r342226 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwan2pfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLKthAAq0CXErX6YRoMafBIhnMBgE+07l0FuIS0iHewgcf47jpTdmYp5BKk4n5Z +VUM9vo3zETHXmjedV3drTbJEQWG3H30R8P964YEPoUQjQ4D/AG+hlRKTerGkJx/w +CMMpSZEnRR5JDLrGaB2NfBKUu0s9sPWFMGbgOWYDxxiUUS5NwSYHPlaIu6MB4SXv +AyTwLLlCXf7sH+oQrosu4Pw4emQzEGP41I0N0Nt8Z+kvJdzQd32xGP1M/OsW29LL +SOZfXhERhwVx/2AYmOorkyVuHh1Q8OXbYckxfAXdKgRMm6rOEk3ZdPEH+lVTTw4l +RmFmz5AwU5icDAeILGNjiEPzeF3w8KT1x39CnSB5oofbnDEXcGsL92lHtQY3kkbK +PbUoJmjiGMwGr63HxU+CoR3meG8LJIHK1Bn/D3tSUs1GAZQHYbH6Vv/O2cidWxeD +/hIxffhSbuaN9lMy4gV8wQdxSRz/Am3AsYNVlS9EvCCvwB4lYZOf0GeEhgLFX56h +4w0XGBKy6FE/SHrNALWsyCJCnP1gN3njx/jwL8Dp3Vyqmft06w0KHw/xb5InYk4r +VPn+j1DkfWV97Gi8l+T8B7ir9W3KRDOlJUwInzeKRPojebdxlorM6BFtFsf90dXs +2xD1j/6m7RDqm+rGYPk6CdFJh95M5Roz0WJ1uCs89mpEHofW1kE= +=Gqpb +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-18:15.bootpd.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-18:15.bootpd.asc Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:15.bootpd Security Advisory + The FreeBSD Project + +Topic: bootpd buffer overflow + +Category: core +Module: bootpd +Announced: 2018-12-19 +Credits: Reno Robert +Affects: All supported versions of FreeBSD. +Corrected: 2018-12-19 18:17:59 UTC (stable/12, 12.0-STABLE) + 2018-12-19 18:21:07 UTC (releng/12.0, 12.0-RELEASE-p1) + 2018-12-19 18:19:15 UTC (stable/11, 11.2-STABLE) + 2018-12-19 18:22:25 UTC (releng/11.2, 11.2-RELEASE-p7) +CVE Name: CVE-2018-17161 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The bootpd utility implements an Internet Bootstrap Protocol (BOOTP) +server as defined in RFC951, RFC1532, and RFC1533. + +II. Problem Description + +Due to insufficient validation of network-provided data it may be possible +for a malicious attacker to craft a bootp packet which could cause a stack +buffer overflow. + +III. Impact + +It is possible that the buffer overflow could lead to a Denial of Service +or remote code execution. + +IV. Workaround + +Firewall rules may be used to limit reception of bootp packets to only +trusted networks or hosts. Note that the bootp protocol is typically +limited to a common layer 2 broadcast domain, although the bootpgw gateway +can forward bootp requests and responses between subnets. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. +Restart bootpd if it is running in standalone mode. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch +# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch.asc +# gpg --verify bootpd.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r342228 +releng/12.0/ r342230 +stable/11/ r348229 +releng/11.2/ r342231 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwane5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKfzg/+PhmA1AKfXFSkeJJPvdF/7hjKpWaCdVAyUZsuWH5L1Tmb4Lc/pLjw22Ba +Xh/sAKik6pa/nVTZCBgAqoCqmV8CdhScwvRZdVSP5CQ9vnM+6fFcybP0aCZOmiJC +NGAE8nIBdazqWJfNM9HUSIbdqEOtMlVcyE0Ni/TxzcAFdzFowfDnyRm1wqI4zhM7 +YL7pU0kTYJfydjK540rHB1tNBaYHSJ/6ckK3tkjwjVgMsQwNSizKrPsqycoMlMmD +TqQMfDwU8W/jFLsr7OZE66eQBysSiuzYAv3IsipL+50SYgS0aoo3LwKrCcYGN6c/ +S/0SOfNHDgd/7wregI5adKqWJceaqZCVedSVLm6ZaG1Vt3alIjczX9D7wIjuXPlD +AkSKa0HnmSwDC8yWLJYMxuny7vy3uBAUnPiwIT3RrsDC0b28/uwNPbeSbG0Wrf9F +21PDMfeCPc2Vr/TVj9uSIo20pNtVhy+tGbx1Ilsgi3POa3n7pTOuFWHMzQVe3rZA +DLYEbliPxpq9NFJ/2UZQg25weOD5ygwaYZnbsXAMY47D4kteeQOjzomgiacVhE56 +oT8z804nGgGdCe4LpiHihDVzCbBvvuEPw9Edffzm7EWykpy7qn/aJQehfPfcfbeA +dvQ5khiLr0rMUeg9HU6oHu8+Lp4X+wQc3lCF2rXe+oqRierywec= +=jlRR +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:16/ptrace.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:16/ptrace.patch Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,152 @@ +--- sys/kern/sys_process.c.orig ++++ sys/kern/sys_process.c +@@ -869,7 +869,7 @@ + } + + /* not currently stopped */ +- if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) == 0 || ++ if ((p->p_flag & P_STOPPED_TRACE) == 0 || + p->p_suspcount != p->p_numthreads || + (p->p_flag & P_WAITED) == 0) { + error = EBUSY; +@@ -876,12 +876,6 @@ + goto fail; + } + +- if ((p->p_flag & P_STOPPED_TRACE) == 0) { +- static int count = 0; +- if (count++ == 0) +- printf("P_STOPPED_TRACE not set.\n"); +- } +- + /* OK */ + break; + } +@@ -926,11 +920,28 @@ + if (p->p_pptr != td->td_proc) { + proc_reparent(p, td->td_proc); + } +- data = SIGSTOP; + CTR2(KTR_PTRACE, "PT_ATTACH: pid %d, oppid %d", p->p_pid, + p->p_oppid); +- goto sendsig; /* in PT_CONTINUE below */ + ++ sx_xunlock(&proctree_lock); ++ proctree_locked = 0; ++ MPASS(p->p_xthread == NULL); ++ MPASS((p->p_flag & P_STOPPED_TRACE) == 0); ++ ++ /* ++ * If already stopped due to a stop signal, clear the ++ * existing stop before triggering a traced SIGSTOP. ++ */ ++ if ((p->p_flag & P_STOPPED_SIG) != 0) { ++ PROC_SLOCK(p); ++ p->p_flag &= ~(P_STOPPED_SIG | P_WAITED); ++ thread_unsuspend(p); ++ PROC_SUNLOCK(p); ++ } ++ ++ kern_psignal(p, SIGSTOP); ++ break; ++ + case PT_CLEARSTEP: + CTR2(KTR_PTRACE, "PT_CLEARSTEP: tid %d (pid %d)", td2->td_tid, + p->p_pid); +@@ -1117,8 +1128,10 @@ + sigqueue_delete(&td3->td_sigqueue, + SIGSTOP); + } +- td3->td_dbgflags &= ~(TDB_XSIG | TDB_FSTP); ++ td3->td_dbgflags &= ~(TDB_XSIG | TDB_FSTP | ++ TDB_SUSPEND); + } ++ + if ((p->p_flag2 & P2_PTRACE_FSTP) != 0) { + sigqueue_delete(&p->p_sigqueue, SIGSTOP); + p->p_flag2 &= ~P2_PTRACE_FSTP; +@@ -1129,54 +1142,45 @@ + break; + } + ++ sx_xunlock(&proctree_lock); ++ proctree_locked = 0; ++ + sendsig: +- /* ++ MPASS(proctree_locked == 0); ++ ++ /* + * Clear the pending event for the thread that just + * reported its event (p_xthread). This may not be + * the thread passed to PT_CONTINUE, PT_STEP, etc. 
if + * the debugger is resuming a different thread. ++ * ++ * Deliver any pending signal via the reporting thread. + */ +- td2 = p->p_xthread; +- if (proctree_locked) { +- sx_xunlock(&proctree_lock); +- proctree_locked = 0; +- } ++ MPASS(p->p_xthread != NULL); ++ p->p_xthread->td_dbgflags &= ~TDB_XSIG; ++ p->p_xthread->td_xsig = data; ++ p->p_xthread = NULL; + p->p_xsig = data; +- p->p_xthread = NULL; +- if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) != 0) { +- /* deliver or queue signal */ +- td2->td_dbgflags &= ~TDB_XSIG; +- td2->td_xsig = data; + +- /* +- * P_WKILLED is insurance that a PT_KILL/SIGKILL always +- * works immediately, even if another thread is +- * unsuspended first and attempts to handle a different +- * signal or if the POSIX.1b style signal queue cannot +- * accommodate any new signals. +- */ +- if (data == SIGKILL) +- p->p_flag |= P_WKILLED; ++ /* ++ * P_WKILLED is insurance that a PT_KILL/SIGKILL ++ * always works immediately, even if another thread is ++ * unsuspended first and attempts to handle a ++ * different signal or if the POSIX.1b style signal ++ * queue cannot accommodate any new signals. ++ */ ++ if (data == SIGKILL) ++ p->p_flag |= P_WKILLED; + +- if (req == PT_DETACH) { +- FOREACH_THREAD_IN_PROC(p, td3) +- td3->td_dbgflags &= ~TDB_SUSPEND; +- } +- /* +- * unsuspend all threads, to not let a thread run, +- * you should use PT_SUSPEND to suspend it before +- * continuing process. +- */ +- PROC_SLOCK(p); +- p->p_flag &= ~(P_STOPPED_TRACE|P_STOPPED_SIG|P_WAITED); +- thread_unsuspend(p); +- PROC_SUNLOCK(p); +- if (req == PT_ATTACH) +- kern_psignal(p, data); +- } else { +- if (data) +- kern_psignal(p, data); +- } ++ /* ++ * Unsuspend all threads. To leave a thread ++ * suspended, use PT_SUSPEND to suspend it before ++ * continuing the process. 
++ */ ++ PROC_SLOCK(p); ++ p->p_flag &= ~(P_STOPPED_TRACE | P_STOPPED_SIG | P_WAITED); ++ thread_unsuspend(p); ++ PROC_SUNLOCK(p); + break; + + case PT_WRITE_I: Added: head/share/security/patches/EN-18:16/ptrace.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:16/ptrace.patch.asc Wed Dec 19 19:51:24 2018 (r52700) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwankRfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLE8Q/+JVnRMXEnZZ7d5ZDYHmLcdiWmx8WoSFVqR7uMZMUcxinhvPMtVGdKqRw2 +upRV2WU8oZQ5LzGbXGPc/1fOqVjrObmiTdegRKWmFqXpoGb5cZ5Pp+NzC45BdhcD +BhQHujb/uAuviJNOz5anoOlP4lC/nATBtUjc1jfBhJJT9OTYhAXShB74mbwmK1yW +RaLx4P38psoCAHxhl7waBLpfN+HLJUNFcLRAkQ4347+pElaLOzOY+wW+TwDv2ONq +3J7+reDtROpT87/R2rPa5xk0v+/uaRISe1T3SKxb+6W/860SjvT3QCjrP2s2rESb +7uvd9yqLESd87BVvrI9znI7Egr5wmpy3GUrLSOPXk8ogAbdPU8TS844aXqxqmH+G +xOesYYSPpihHBex1zMtR7O66xXGBR0vljCjsQtRuu3sATnogDy3PAGFCUjgIbP2L +wo4DHo7ImwNcLuKHxWbvTLmUFl/UucWN00cFVy5CEGMXVUbZvLjZoJrZT2Q9C6b5 +3+LtucyXt9gGR/p/QaphHSBrPpOx4F4vuxKmpB0hqRt/MhIV012ehHH+3ydGE4Zm +4y7FHii6bNpadIY236E2u0iMG5KVCy9J4SrBWX57D2fO3bXYPoLfq5Zg/HNvK56t +f8CRhERopkuJpoq9evT/Q/m74G9KznDHpixCTKycJ4klrzEAixY= +=bI0z +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:17/vm.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:17/vm.patch Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,14 @@ +--- sys/vm/vm_page.c.orig ++++ sys/vm/vm_page.c +@@ -304,8 +304,10 @@ + + mtx_lock(&vm_page_queue_free_mtx); + ret = vm_phys_unfree_page(m); ++ if (ret != 0) ++ vm_phys_freecnt_adj(m, -1); + mtx_unlock(&vm_page_queue_free_mtx); +- if (ret) { ++ if (ret != 0) { + TAILQ_INSERT_TAIL(&blacklist_head, m, listq); + if (verbose) + printf("Skipping page with pa 0x%jx\n", (uintmax_t)pa); Added: head/share/security/patches/EN-18:17/vm.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:17/vm.patch.asc Wed Dec 19 19:51:24 2018 (r52700) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwann1fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIZdQ//ckpouBTa4BbaZmcle7mpC0oW4qCXfdA6VoMsUK+eBTbvXgMzKH0lwlro +Q3dwJKNM6k2TEX6Nz20Du13cK/cyz7IUTPN+fssaNucuE3bQ0DjABhRWpio/SyCt +S8CkqxnjNzH7qrhMLtxWyWyvu/vPxvZHwp1ys/Z9DqrySzAf/aSOyfyc5o1G46PS +rWUhhiwtmrO10/RLSdjdm1FQvrBW3raj9Lnw4oINHvggwvU/8sIk34MQqqbJH8Oo +8yYZ/vRoEw+h5Ok//QN+CC/9cmTM8WyDA4Mgxy8CkbrjZjZAVuSsnlHfK8hYxfaV +j+3GvRkwoYDeBYHlWkc0mO8+F5wg2SeyBMUDjJNa3z7QL4+gcT329A6Z3+/pJqiH +yBehEiDHjfbMm0HNItCVYtgYH5JLto1W/ckIf/Aqo/Q4JyrIMdDPviCWEURzyPAp +rgQxAQujUw1KOQANbT0ElD3kR93ILELU21wQHVTGH9IEt6pHVZ/MDNDN5B0Try51 +t7UdJ4J5Azb9C9i+oM0gDV0QhOxFCk1GInOCDAoAfO9ELiWoBG7F568EwPCSLH/Q +CfF6M7aT7/2B2XWADj5TgW95JXe8Q7h/9jlKkSCT5jfrSUp97HcW/g1m0oSKEEnp +nzN8sLdQeDlyPWnSCVZUAj2KhlNMQR362FyiBRkmWuA3Jo6b7sY= +=f2RG +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:18/zfs.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:18/zfs.patch Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,44 @@ +--- sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c.orig ++++ sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c +@@ -1155,15 +1155,27 @@ + */ + ASSERT3P(zp, !=, NULL); + ASSERT3U(zp->z_id, ==, obj_num); +- *zpp = zp; +- vp = ZTOV(zp); +- +- /* Don't let the vnode disappear after ZFS_OBJ_HOLD_EXIT. */ +- VN_HOLD(vp); ++ if (zp->z_unlinked) { ++ err = SET_ERROR(ENOENT); ++ } else { ++ vp = ZTOV(zp); ++ /* ++ * Don't let the vnode disappear after ++ * ZFS_OBJ_HOLD_EXIT. ++ */ ++ VN_HOLD(vp); ++ *zpp = zp; ++ err = 0; ++ } + + sa_buf_rele(db, NULL); + ZFS_OBJ_HOLD_EXIT(zfsvfs, obj_num); + ++ if (err) { ++ getnewvnode_drop_reserve(); ++ return (err); ++ } ++ + locked = VOP_ISLOCKED(vp); + VI_LOCK(vp); + if ((vp->v_iflag & VI_DOOMED) != 0 && +@@ -1196,7 +1208,7 @@ + } + VI_UNLOCK(vp); + getnewvnode_drop_reserve(); +- return (0); ++ return (err); + } + + /* Added: head/share/security/patches/EN-18:18/zfs.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:18/zfs.patch.asc Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwanpBfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJMxA/9HdSKhs93mVCHCDsPMLhbE80hJtnU6qD2T7LnRPgfEviKj20ZQ4lYZ/Vg +5p28UFH3ubQ5Y0tRqJxhJGdFUwcNsBMa5VsUIrhD+xiVSr8dGVy0VcgFf3LoxE/b +Dm+3xM+vHYHyTIx3AKpS1ZQBHY6NbQa4zUhFG/BLvMrGx94tzWzCbgHkx3/qa4rT +uO++Z4tQb5ekFTjPrVNp37cvcZ0qli6TNBAZ/8HNsGKGYgUllZ22M/e7WQqmbqPC +yP6ILHqiMtMB5YADBQNE2/VtRVqzYtDA4Mj2QD6j2A4qUO5Cf4gxAR22qS0wpBv7 +/QEHMX9v2VR+oZtGGVK5lTypxmw4Rr4S6+MWEkN7C0dCqT67ut38QSnShpaQLajo +SaoqnVIPbq56Ep7Qxom3zgaPph9zfS9n6dKPuAR2YC/gpUpskoo0ecboBepfMWzW +YtxDZC1Cj8D+b1CGkG849iEZVENK8JFQBH4/amX+PQZn5RVJPRCsGuqqjp98rDRl +vLlI1oLmrC5isAO1/rre42AW0HXSD/1HQ2a0IG49/QbNKM1FqwnL5VPnCoEbYvmh +AJa/y3xc6ejeatJ++pRJNfTed1Mh/kBaSlAGSEAinXtDkwqIh/oW3nbOLuvYhj/W +ij6dhFzcKaV+LwH08CNOVYkeLIP+YH8Vngc8xK70BxVexsv3vKs= +=YWPI +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-18:15/bootpd.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:15/bootpd.patch Wed Dec 19 19:51:24 2018 (r52700) @@ -0,0 +1,13 @@ +--- libexec/bootpd/bootpd.c.orig ++++ libexec/bootpd/bootpd.c +@@ -636,6 +636,10 @@ + char *homedir, *bootfile; + int n; + ++ if (bp->bp_htype >= hwinfocnt) { ++ report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype); ++ return; ++ } + bp->bp_file[sizeof(bp->bp_file)-1] = '\0'; + + /* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */ Added: head/share/security/patches/SA-18:15/bootpd.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-18:15/bootpd.patch.asc Wed Dec 19 19:51:24 2018 (r52700) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwangJfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cI1CQ//Xz4zLGczdRBddOo9DFvICnZc+OaJ4RZaPg9SIR4YZSNya1tjXNQIRX7M +ZwF2J3OIQajWnyG39FaNjdpku0Ga3oYJygkOGJpYpbqMPXzOpTd3uqfbW/jtTDGl +7e74Nkn/EAkjxws7+wodfw11aMpQWPrEWAC/HUeP69g7LQPEI9R8S+IsPJoE1e0i +Nqd8kZFzigT0/qUF5qpqFu5bqXtT6quaUePxLomvYHDKM+z8Iv/wK+CzrJ0EWDyW +yo8fhnoq2Mkzh1IJtH8UgFmgr70SRLaXinh1Zl0hUeKhkBorJwyZyCF4QJXZLdee +NLM1eVFpNuYqQYtvo9+e42FZurIZmVKhbQRXCw87xSbXFUR3Rw0raph2p07jlhOE +pmtJ1ByXYRXQkPG4lz8r0sLMvMMQyiX4wRfK/Hhu3sqEHPDzI78L1fpAOnG1j10t +bsfRF7VprbxntEBJiF0mB1E7Bouxl99xlcFw+W/O+ayjixvL2qRVANuQP+1EKLLu +vnaw+72uIZhXm8XrA3IXuXUB3A3D+KnvXoR5LaX0eUITjx+r1oH5+oGMzFTWHtSY +TCgs8sqL/K3D2yw2JL0NBhn74j+xF0nMCuZdif5F0gFYckuVhVCC8aS1iXbDK4XT +ImIrgLhbCRc+HFqdM2qWStUnpn3u7RvLkAblRqErWxEOMBp0Shw= +=idvx +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Dec 19 17:15:53 2018 (r52699) +++ head/share/xml/advisories.xml Wed Dec 19 19:51:24 2018 (r52700) @@ -11,6 +11,15 @@ 12 + 19 + + + FreeBSD-SA-18:15.bootpd + + + + + 04 Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Wed Dec 19 17:15:53 2018 (r52699) +++ head/share/xml/notices.xml Wed Dec 19 19:51:24 2018 (r52700) @@ -8,6 +8,27 @@ 2018 + 12 + + + 19 + + + FreeBSD-EN-18:18.zfs + + + + FreeBSD-EN-18:17.vm + + + + FreeBSD-EN-18:16.ptrace + + + + + + 11
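Review bot: in EN-18:17/vm.patch (sys/vm/vm_page.c, hunk at -304,8), the added `if (ret != 0) vm_phys_freecnt_adj(m, -1);` has no comment saying why the free count must drop at this point. Its placement between mtx_lock() and mtx_unlock() of vm_page_queue_free_mtx looks right, since it pairs with the vm_phys_unfree_page() call just above. A one-line comment stating that a page taken off the free lists for the blacklist must also leave the free-page count would keep a later cleanup from folding it into the second `if (ret != 0)` block, which runs after the mutex is released.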
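Review bot: in EN-18:18/zfs.patch (zfs_znode.c, hunk at -1155,15), `vp` and `*zpp` are now assigned only in the else branch, so the new `if (err)` early return after ZFS_OBJ_HOLD_EXIT() is the only thing keeping `VOP_ISLOCKED(vp)` from reading an unset pointer on the z_unlinked path. Please add a short comment on the `if (zp->z_unlinked)` branch saying why an unlinked znode is reported as ENOENT here, and confirm that `*zpp` is initialised before this block so callers never see a stale value on the error return.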
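Review bot: in EN-18:18/zfs.patch (zfs_znode.c, hunk at -1196,7), changing `return (0);` to `return (err);` reads as if a non-zero value could reach this point, yet the first hunk already returns early whenever `err` is set. Unless code between the two hunks assigns `err`, keeping `return (0);` would state the success path more plainly; if `err` can change there, a comment saying so would help the next reader.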
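Review bot: in SA-18:15/bootpd.patch (libexec/bootpd/bootpd.c, hunk at -636,6), the new `report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype);` records only the rejected type, which leaves an operator nothing to trace the packet back to its sender. Consider adding whatever source address is available at this point in the function to the message. The `bp->bp_htype >= hwinfocnt` check itself is placed well, ahead of any other use of the request; please also confirm that any other code path which indexes by `bp_htype` on received packets is covered, since this hunk touches a single function.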