CVS commit: src/sys/arch
Module Name:    src
Committed By:   maxv
Date:           Thu Apr 5 08:43:07 UTC 2018

Modified Files:
	src/sys/arch/i386/i386: machdep.c
	src/sys/arch/x86/x86: cpu.c

Log Message:
Call cpu_speculation_init on i386 too. We don't have IBRS for i386, but we do have the AMD DIS_IND method.

To generate a diff of this commit:
cvs rdiff -u -r1.805 -r1.806 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.154 -r1.155 src/sys/arch/x86/x86/cpu.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/arch/arm/sunxi
Module Name:    src
Committed By:   jmcneill
Date:           Thu Apr 5 10:19:25 UTC 2018

Modified Files:
	src/sys/arch/arm/sunxi: sunxi_debe.c

Log Message:
Remove NAWIN_MP blocks (this code was experimental in the original driver and is not worth porting over)

To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/arch/arm/sunxi/sunxi_debe.c
CVS commit: src/sys/arch/arm/sunxi
Module Name:    src
Committed By:   jmcneill
Date:           Thu Apr 5 10:21:39 UTC 2018

Modified Files:
	src/sys/arch/arm/sunxi: sunxi_debe.c

Log Message:
Remove AWIN_DEBE_FWINIT blocks

To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/arch/arm/sunxi/sunxi_debe.c
CVS commit: src/lib/libutil
Module Name:    src
Committed By:   wiz
Date:           Thu Apr 5 11:07:00 UTC 2018

Modified Files:
	src/lib/libutil: opendisk.3

Log Message:
Use mdoc macros.

To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/lib/libutil/opendisk.3
CVS commit: [netbsd-6] src/sys/net/npf
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:34:17 UTC 2018

Modified Files:
	src/sys/net/npf [netbsd-6]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

	sys/net/npf/npf.h	1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall.

Simple example, a packet with:

	packet + 0   = IP6 Header
	packet + 40  = IP6 Routing header (ip6r_len = 31)
	packet + 48  = Crafted UDP header (uh_dport = )
	packet + 296 = IP6 Dest header (ip6e_len = 0)
	packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port .

Fix this by using uint32_t.

While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.13 src/sys/net/npf/npf.h
CVS commit: [netbsd-6] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:35:09 UTC 2018

Modified Files:
	src/doc [netbsd-6]: CHANGES-6.2

Log Message:
Ticket #1542

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.330 -r1.1.2.331 src/doc/CHANGES-6.2
CVS commit: [netbsd-6-1] src/sys/net/npf
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:35:58 UTC 2018

Modified Files:
	src/sys/net/npf [netbsd-6-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

	sys/net/npf/npf.h	1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall.

Simple example, a packet with:

	packet + 0   = IP6 Header
	packet + 40  = IP6 Routing header (ip6r_len = 31)
	packet + 48  = Crafted UDP header (uh_dport = )
	packet + 296 = IP6 Dest header (ip6e_len = 0)
	packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port .

Fix this by using uint32_t.

While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h
CVS commit: [netbsd-6-1] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:36:31 UTC 2018

Modified Files:
	src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1542

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.134 -r1.1.2.135 src/doc/CHANGES-6.1.6
CVS commit: [netbsd-6-0] src/sys/net/npf
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:38:36 UTC 2018

Modified Files:
	src/sys/net/npf [netbsd-6-0]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

	sys/net/npf/npf.h	1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall.

Simple example, a packet with:

	packet + 0   = IP6 Header
	packet + 40  = IP6 Routing header (ip6r_len = 31)
	packet + 48  = Crafted UDP header (uh_dport = )
	packet + 296 = IP6 Dest header (ip6e_len = 0)
	packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port .

Fix this by using uint32_t.

While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.14.2.6.4.1 -r1.14.2.6.4.2 src/sys/net/npf/npf.h
CVS commit: [netbsd-6-0] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:40:14 UTC 2018

Modified Files:
	src/doc [netbsd-6-0]: CHANGES-6.0.7

Log Message:
Ticket #1542

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.137 -r1.1.2.138 src/doc/CHANGES-6.0.7
CVS commit: [netbsd-7] src/sys/net/npf
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:41:28 UTC 2018

Modified Files:
	src/sys/net/npf [netbsd-7]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

	sys/net/npf/npf.h	1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall.

Simple example, a packet with:

	packet + 0   = IP6 Header
	packet + 40  = IP6 Routing header (ip6r_len = 31)
	packet + 48  = Crafted UDP header (uh_dport = )
	packet + 296 = IP6 Dest header (ip6e_len = 0)
	packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port .

Fix this by using uint32_t.

While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 src/sys/net/npf/npf.h
CVS commit: [netbsd-7] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:42:03 UTC 2018

Modified Files:
	src/doc [netbsd-7]: CHANGES-7.2

Log Message:
Ticket #1593

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.81 -r1.1.2.82 src/doc/CHANGES-7.2
CVS commit: [netbsd-7-1] src/sys/net/npf
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:42:36 UTC 2018

Modified Files:
	src/sys/net/npf [netbsd-7-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

	sys/net/npf/npf.h	1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall.

Simple example, a packet with:

	packet + 0   = IP6 Header
	packet + 40  = IP6 Routing header (ip6r_len = 31)
	packet + 48  = Crafted UDP header (uh_dport = )
	packet + 296 = IP6 Dest header (ip6e_len = 0)
	packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port .

Fix this by using uint32_t.

While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.12.1 src/sys/net/npf/npf.h
CVS commit: [netbsd-7-1] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:43:08 UTC 2018

Modified Files:
	src/doc [netbsd-7-1]: CHANGES-7.1.3

Log Message:
Ticket #1593

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-7.1.3
CVS commit: [netbsd-7-0] src/sys/net/npf
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:43:51 UTC 2018

Modified Files:
	src/sys/net/npf [netbsd-7-0]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1593:

	sys/net/npf/npf.h	1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real protocol header, but instead at some garbage within the packet. That garbage is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given to the main IPv6 entry point. This entry point, however, is not subject to an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the kernel read the correct header, and delivered the packet depending on this correct header. So the offending packet was supposed to be kicked, but still went through the firewall.

Simple example, a packet with:

	packet + 0   = IP6 Header
	packet + 40  = IP6 Routing header (ip6r_len = 31)
	packet + 48  = Crafted UDP header (uh_dport = )
	packet + 296 = IP6 Dest header (ip6e_len = 0)
	packet + 304 = Real UDP header (uh_dport = )

Will bypass a rule of the kind "block port ". Here NPF reads the crafted UDP header, sees , lets the packet in; later the kernel reads the real UDP header, and delivers it on port .

Fix this by using uint32_t.

While here, it seems to me there is also a memory overflow: still in npf_cache_ip, npc_hlen may be incremented with a value that goes beyond the mbuf.

To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.6.1 src/sys/net/npf/npf.h
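The npc_hlen wrap described in the six npf.h 1.55 pullups above, worked through as an added example. This is my own C model, not NPF or NetBSD code: the walker keeps a correct cursor for parsing the chain (as the nbuf pointer NPF advances does) and separately accumulates the offset that would be cached, truncated to 8 bits for the vulnerable uint8_t and to 32 bits for the fix. The packet is the constructed layout from the log message; the ports 53 and 5353, the bounds checks on each extension header and the function names are my assumptions. Routing and Destination Options headers are (ip6e_len + 1) * 8 bytes long per RFC 8200.

```c
/* Added example, not NetBSD/NPF code: model of the IPv6 extension-header
 * walk in npf_cache_ip with the cached offset truncated to `hlen_bits`. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDRLEN       40
#define IPPROTO_ROUTING  43
#define IPPROTO_DSTOPTS  60
#define IPPROTO_UDP      17
#define PKT_LEN          312   /* size of the constructed sample packet */

struct l4_loc {
    int      ok;      /* 0: chain ran past the end of the packet (drop it) */
    uint8_t  proto;   /* upper-layer protocol the walk reached */
    uint32_t cached;  /* offset the filter would cache (models npc_hlen) */
    size_t   actual;  /* offset the walk really reached */
};

static struct l4_loc walk_ext_headers(const uint8_t *pkt, size_t len, int hlen_bits)
{
    struct l4_loc r;
    uint32_t mask = hlen_bits >= 32 ? 0xffffffffu : (1u << hlen_bits) - 1;
    size_t cur = IP6_HDRLEN;
    uint8_t proto;

    memset(&r, 0, sizeof r);
    if (len < IP6_HDRLEN)
        return r;
    proto = pkt[6];                              /* ip6_nxt */
    r.cached = IP6_HDRLEN & mask;
    for (;;) {
        size_t hlen;
        switch (proto) {
        case IPPROTO_ROUTING:
        case IPPROTO_DSTOPTS:
            if (cur + 2 > len)                   /* header itself must be inside the packet */
                return r;
            hlen = ((size_t)pkt[cur + 1] + 1) * 8;   /* ip6e_len */
            break;
        default:
            hlen = 0;                            /* reached the L4 header */
            break;
        }
        if (hlen == 0)
            break;
        if (cur + hlen > len)                    /* the "beyond the mbuf" case: refuse */
            return r;
        proto = pkt[cur];                        /* ip6e_nxt */
        cur += hlen;
        r.cached = (uint32_t)((r.cached + hlen) & mask);   /* the wrap happens here */
    }
    if (proto == IPPROTO_UDP && cur + 8 > len)
        return r;
    r.ok = 1;
    r.proto = proto;
    r.actual = cur;
    return r;
}

/* UDP destination port at `off`, as a "block port N" rule would read it. */
static uint16_t udp_dport_at(const uint8_t *pkt, size_t off)
{
    return (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
}

/* Constructed sample: exactly the layout from the log message. */
static size_t build_packet(uint8_t *pkt, uint16_t crafted_port, uint16_t real_port)
{
    memset(pkt, 0, PKT_LEN);
    pkt[0] = 0x60;                                   /* version 6 */
    pkt[6] = IPPROTO_ROUTING;
    pkt[40] = IPPROTO_DSTOPTS;  pkt[41] = 31;        /* +40: routing, (31+1)*8 = 256 bytes */
    pkt[50] = (uint8_t)(crafted_port >> 8);          /* +48: crafted UDP header inside it */
    pkt[51] = (uint8_t)(crafted_port & 0xff);
    pkt[296] = IPPROTO_UDP;     pkt[297] = 0;        /* +296: dest opts, 8 bytes */
    pkt[306] = (uint8_t)(real_port >> 8);            /* +304: real UDP header */
    pkt[307] = (uint8_t)(real_port & 0xff);
    return PKT_LEN;
}

/* Offset the filter caches for the sample packet with the given npc_hlen width. */
static uint32_t cached_offset(int hlen_bits)
{
    uint8_t pkt[PKT_LEN];
    size_t len = build_packet(pkt, 53, 5353);
    return walk_ext_headers(pkt, len, hlen_bits).cached;
}

/* 1 if a "block port `blocked`" rule passes the packet but the stack delivers it to `blocked`. */
static int rule_bypassed(int hlen_bits, uint16_t blocked)
{
    uint8_t pkt[PKT_LEN];
    size_t len = build_packet(pkt, 53, blocked);     /* 53: a port the rule allows */
    struct l4_loc l = walk_ext_headers(pkt, len, hlen_bits);
    if (!l.ok || l.proto != IPPROTO_UDP)
        return 0;
    return udp_dport_at(pkt, l.cached) != blocked && udp_dport_at(pkt, l.actual) == blocked;
}

/* 1 if a routing header claiming more bytes than the packet holds is refused, not followed. */
static int oversized_ext_rejected(void)
{
    uint8_t pkt[PKT_LEN];
    size_t len = build_packet(pkt, 53, 5353);
    pkt[41] = 255;                                   /* (255+1)*8 = 2048 > 312 bytes */
    return walk_ext_headers(pkt, len, 32).ok == 0;
}
```

With 8 bits the cached offset is (40 + 256 + 8) mod 256 = 48, the crafted header, while the cursor correctly reaches 304; with 32 bits both are 304. Note that the per-header bounds check does not help against the wrap, since 48 is a perfectly valid offset: only widening the type does.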
CVS commit: [netbsd-7-0] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:44:57 UTC 2018

Modified Files:
	src/doc [netbsd-7-0]: CHANGES-7.0.3

Log Message:
Ticket #1593

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.97 -r1.1.2.98 src/doc/CHANGES-7.0.3
CVS commit: [netbsd-7] src/sys
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:48:13 UTC 2018

Modified Files:
	src/sys/kern [netbsd-7]: uipc_mbuf.c
	src/sys/netinet [netbsd-7]: ip_reass.c
	src/sys/netinet6 [netbsd-7]: frag6.c
	src/sys/sys [netbsd-7]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

	sys/kern/uipc_mbuf.c: revision 1.182
	sys/netinet6/frag6.c: revision 1.67
	sys/netinet/ip_reass.c: revision 1.14
	sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.)

Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction:

	m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);

m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes.

To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.2 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.4.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.4.1 -r1.55.4.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155.2.1 -r1.155.2.2 src/sys/sys/mbuf.h
CVS commit: [netbsd-7] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:49:19 UTC 2018

Modified Files:
	src/doc [netbsd-7]: CHANGES-7.2

Log Message:
Ticket #1594

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.82 -r1.1.2.83 src/doc/CHANGES-7.2
CVS commit: [netbsd-7-1] src/sys
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:50:17 UTC 2018

Modified Files:
	src/sys/kern [netbsd-7-1]: uipc_mbuf.c
	src/sys/netinet [netbsd-7-1]: ip_reass.c
	src/sys/netinet6 [netbsd-7-1]: frag6.c
	src/sys/sys [netbsd-7-1]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

	sys/kern/uipc_mbuf.c: revision 1.182
	sys/netinet6/frag6.c: revision 1.67
	sys/netinet/ip_reass.c: revision 1.14
	sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.)

Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction:

	m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);

m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes.

To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.1.6.1 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.12.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.10.1 -r1.55.10.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155 -r1.155.8.1 src/sys/sys/mbuf.h
CVS commit: [netbsd-7-1] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:52:22 UTC 2018

Modified Files:
	src/doc [netbsd-7-1]: CHANGES-7.1.3

Log Message:
Ticket #1594

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.5 -r1.1.2.6 src/doc/CHANGES-7.1.3
CVS commit: [netbsd-7-0] src/sys
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:53:03 UTC 2018

Modified Files:
	src/sys/kern [netbsd-7-0]: uipc_mbuf.c
	src/sys/netinet [netbsd-7-0]: ip_reass.c
	src/sys/netinet6 [netbsd-7-0]: frag6.c
	src/sys/sys [netbsd-7-0]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1594):

	sys/kern/uipc_mbuf.c: revision 1.182
	sys/netinet6/frag6.c: revision 1.67
	sys/netinet/ip_reass.c: revision 1.14
	sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.)

Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction:

	m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);

m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes.

To generate a diff of this commit:
cvs rdiff -u -r1.158.4.1 -r1.158.4.1.2.1 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.9 -r1.9.8.1 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.155 -r1.155.4.1 src/sys/sys/mbuf.h
CVS commit: [netbsd-7-0] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 11:54:36 UTC 2018

Modified Files:
	src/doc [netbsd-7-0]: CHANGES-7.0.3

Log Message:
Ticket #1594

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.98 -r1.1.2.99 src/doc/CHANGES-7.0.3
CVS commit: src/sys/arch/x86/x86
Module Name:    src
Committed By:   maxv
Date:           Thu Apr 5 14:11:20 UTC 2018

Modified Files:
	src/sys/arch/x86/x86: dbregs.c

Log Message:
Fix the check, should be >=.

To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/arch/x86/x86/dbregs.c
CVS commit: src/sys/arch/x86/x86
Module Name:    src
Committed By:   maxv
Date:           Thu Apr 5 14:14:27 UTC 2018

Modified Files:
	src/sys/arch/x86/x86: dbregs.c

Log Message:
Hum, don't let userland set bit 13, because this can crash the kernel.

To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/arch/x86/x86/dbregs.c
CVS commit: [netbsd-8] src/sys
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 14:31:19 UTC 2018

Modified Files:
	src/sys/net [netbsd-8]: if_etherip.c
	src/sys/netinet [netbsd-8]: ip_etherip.c
	src/sys/netinet6 [netbsd-8]: ip6_etherip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #694):

	sys/netinet6/ip6_etherip.c: revision 1.22
	sys/net/if_etherip.c: revision 1.41
	sys/net/if_etherip.c: revision 1.42
	sys/netinet/ip_etherip.c: revision 1.21

Don't call if_attach, do if_initialize+if_register, otherwise when an EtherIP packet is received the first KASSERT in if_input() fires.

A few fixes:
 * Style.
 * Don't add M_PKTHDR manually, that's absolutely forbidden. Add a KASSERT to make sure it's already there.
 * Add a missing NULL check after m_pullup.

To generate a diff of this commit:
cvs rdiff -u -r1.38.10.2 -r1.38.10.3 src/sys/net/if_etherip.c
cvs rdiff -u -r1.20 -r1.20.8.1 src/sys/netinet/ip_etherip.c
cvs rdiff -u -r1.21 -r1.21.8.1 src/sys/netinet6/ip6_etherip.c
CVS commit: [netbsd-8] src/sys
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 14:33:42 UTC 2018

Modified Files:
	src/sys/kern [netbsd-8]: uipc_mbuf.c
	src/sys/netinet [netbsd-8]: ip_reass.c
	src/sys/netinet6 [netbsd-8]: frag6.c
	src/sys/sys [netbsd-8]: mbuf.h

Log Message:
Pull up following revision(s) (requested by maxv in ticket #695):

	sys/kern/uipc_mbuf.c: revision 1.182
	sys/netinet6/frag6.c: revision 1.67
	sys/netinet/ip_reass.c: revision 1.14
	sys/sys/mbuf.h: revision 1.179

Remove M_PKTHDR from secondary mbufs when reassembling packets.

This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.)

Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction:

	m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);

m_pkthdr.len is bigger than the actual mbuf chain.

It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload. So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes.

To generate a diff of this commit:
cvs rdiff -u -r1.172.6.1 -r1.172.6.2 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.11.8.1 -r1.11.8.2 src/sys/netinet/ip_reass.c
cvs rdiff -u -r1.60.6.3 -r1.60.6.4 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.170.2.2 -r1.170.2.3 src/sys/sys/mbuf.h
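The M_PKTHDR invariant behind the four pullups of uipc_mbuf.c 1.182 on this page (tickets #1594 and #695), as an added example. This is my own toy mbuf model in C, not NetBSD's mbuf code: the struct, the flag value, the reassembly routine, and a split routine that treats an M_PKTHDR-carrying mbuf as a packet head and therefore skips the length fix-up (the behaviour the log message attributes to m_splithdr) are all my simplifications. The three 16-byte fragments are constructed sample data; `copydata_checked` returns an error where the real m_copydata would panic.

```c
/* Added example, not NetBSD code: toy mbuf chain showing why a stray
 * M_PKTHDR on a secondary mbuf leaves m_pkthdr.len larger than the chain. */
#include <stddef.h>
#include <string.h>

#define M_PKTHDR  0x02          /* "this mbuf starts a packet" (toy flag value) */
#define MLEN      32            /* toy data capacity per mbuf */

struct mbuf {
    struct mbuf  *m_next;
    size_t        m_len;
    unsigned      m_flags;
    size_t        m_pkthdr_len; /* meaningful only when M_PKTHDR is set */
    unsigned char m_data[MLEN];
};

/* Bytes actually present in the chain, independent of m_pkthdr_len. */
static size_t chain_len(const struct mbuf *m)
{
    size_t n = 0;
    for (; m != NULL; m = m->m_next)
        n += m->m_len;
    return n;
}

/* The invariant the fix restores: M_PKTHDR only on the head, length matching the chain. */
static int pkthdr_consistent(const struct mbuf *head)
{
    const struct mbuf *m;
    if (!(head->m_flags & M_PKTHDR) || head->m_pkthdr_len != chain_len(head))
        return 0;
    for (m = head->m_next; m != NULL; m = m->m_next)
        if (m->m_flags & M_PKTHDR)
            return 0;
    return 1;
}

/* A fragment arrives as a stand-alone packet, so it carries its own header. */
static void frag_init(struct mbuf *m, unsigned char fill, size_t len)
{
    memset(m, 0, sizeof *m);
    memset(m->m_data, fill, len);
    m->m_len = len;
    m->m_flags = M_PKTHDR;
    m->m_pkthdr_len = len;
}

/* Link fragments into one packet. remove_hdr == 0 keeps the pre-fix behaviour. */
static struct mbuf *reassemble(struct mbuf *frags, size_t n, int remove_hdr)
{
    size_t i;
    for (i = 0; i + 1 < n; i++) {
        frags[i].m_next = &frags[i + 1];
        if (remove_hdr) {
            frags[i + 1].m_flags &= ~M_PKTHDR;
            frags[i + 1].m_pkthdr_len = 0;
        }
    }
    frags[0].m_pkthdr_len = chain_len(&frags[0]);
    return &frags[0];
}

/* Split at an mbuf boundary `off` bytes in. An mbuf already carrying M_PKTHDR is
 * assumed to be a packet head, so the original head's length is then left alone. */
static struct mbuf *split_at(struct mbuf *head, size_t off)
{
    struct mbuf *prev = head, *m;
    size_t seen = head->m_len;
    while (seen < off && prev->m_next != NULL) {
        prev = prev->m_next;
        seen += prev->m_len;
    }
    m = prev->m_next;
    if (m == NULL)
        return NULL;
    prev->m_next = NULL;
    if (m->m_flags & M_PKTHDR)
        return m;                        /* "already a head": no fix-up (the bug) */
    m->m_flags |= M_PKTHDR;
    m->m_pkthdr_len = head->m_pkthdr_len - off;
    head->m_pkthdr_len = off;
    return m;
}

/* m_copydata with a range check: -1 instead of a panic when the range leaves the chain. */
static int copydata_checked(const struct mbuf *m, size_t off, size_t len, unsigned char *out)
{
    if (off + len > chain_len(m))
        return -1;
    for (; m != NULL; m = m->m_next) {
        size_t n;
        if (off >= m->m_len) { off -= m->m_len; continue; }
        n = m->m_len - off;
        if (n > len) n = len;
        memcpy(out, m->m_data + off, n);
        out += n; len -= n; off = 0;
        if (len == 0)
            return 0;
    }
    return -1;
}

/* Constructed scenario: three fragments reassembled, split after the second,
 * then the ESP-style read of the last three bytes. Returns -1 if that read
 * would run past the chain, else the first byte it read. */
static int esp_trailer_read(int remove_hdr)
{
    struct mbuf frags[3], *head;
    unsigned char lastthree[3];
    frag_init(&frags[0], 'A', 16);
    frag_init(&frags[1], 'B', 16);
    frag_init(&frags[2], 'C', 16);
    head = reassemble(frags, 3, remove_hdr);
    (void)split_at(head, 32);
    if (copydata_checked(head, head->m_pkthdr_len - 3, 3, lastthree) != 0)
        return -1;
    return lastthree[0];
}

/* 1 if reassembly with the given behaviour leaves a consistent chain. */
static int reassembly_consistent(int remove_hdr)
{
    struct mbuf frags[3];
    frag_init(&frags[0], 'A', 16);
    frag_init(&frags[1], 'B', 16);
    frag_init(&frags[2], 'C', 16);
    return pkthdr_consistent(reassemble(frags, 3, remove_hdr));
}
```

Without the header removal the head still claims 48 bytes after the split leaves it with 32, so the `m_pkthdr.len - 3` read starts beyond the chain; with it, the split updates the head to 32 and the read lands on the last fragment that remains. The `pkthdr_consistent` walk is the kind of check worth asserting at the end of any reassembly path.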
CVS commit: [netbsd-8] src/sys/net
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 14:41:07 UTC 2018

Modified Files:
	src/sys/net [netbsd-8]: route.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #697):

	sys/net/route.c: revision 1.208

Kill remaining rt->rt_refcnt++

To generate a diff of this commit:
cvs rdiff -u -r1.194.6.7 -r1.194.6.8 src/sys/net/route.c
CVS commit: [netbsd-8] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 14:42:36 UTC 2018

Modified Files:
	src/doc [netbsd-8]: CHANGES-8.0

Log Message:
Tickets #694, #695, and #697

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.163 -r1.1.2.164 src/doc/CHANGES-8.0
CVS commit: src/sys/arch/x86/x86
Module Name:    src
Committed By:   maxv
Date:           Thu Apr 5 15:04:29 UTC 2018

Modified Files:
	src/sys/arch/x86/x86: spectre.c

Log Message:
Set the "method" string at boot time too.

To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/arch/x86/x86/spectre.c
CVS commit: src/usr.bin/make
Module Name:    src
Committed By:   christos
Date:           Thu Apr 5 16:31:54 UTC 2018

Modified Files:
	src/usr.bin/make: parse.c

Log Message:
Appease the compiler gods; yes I know what I am doing adding to a literal string.

To generate a diff of this commit:
cvs rdiff -u -r1.228 -r1.229 src/usr.bin/make/parse.c
CVS commit: [netbsd-8] src/sys/arch
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 18:15:03 UTC 2018

Modified Files:
	src/sys/arch/amd64/amd64 [netbsd-8]: db_interface.c spl.S vector.S
	src/sys/arch/i386/i386 [netbsd-8]: db_interface.c machdep.c spl.S vector.S
	src/sys/arch/x86/include [netbsd-8]: intr.h
	src/sys/arch/x86/x86 [netbsd-8]: intr.c lapic.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #696):

	sys/arch/amd64/amd64/vector.S: revision 1.62 (patch)
	sys/arch/x86/include/intr.h: revision 1.55
	sys/arch/i386/i386/vector.S: revision 1.77
	sys/arch/i386/i386/db_interface.c: revision 1.82 (patch)
	sys/arch/amd64/amd64/spl.S: revision 1.34 (patch)
	sys/arch/amd64/amd64/db_interface.c: revision 1.33 (patch)
	sys/arch/x86/x86/intr.c: revision 1.125
	sys/arch/i386/i386/spl.S: revision 1.43 (patch)
	sys/arch/i386/i386/machdep.c: revision 1.805 (patch)
	sys/arch/x86/x86/lapic.c: revision 1.66 (patch)

Rename the DDB IPI IDT vectors for consistency. ok maxv@

Rename Xpreempt{recurse,resume} -> X{recurse,resume}_preempt so that they fit the pattern. Also the debugger trap sniffer matches them without adding special entries...

XXX: pullup-8.

To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.25.2.1 src/sys/arch/amd64/amd64/db_interface.c
cvs rdiff -u -r1.30 -r1.30.10.1 src/sys/arch/amd64/amd64/spl.S
cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/arch/amd64/amd64/vector.S
cvs rdiff -u -r1.72 -r1.72.2.1 src/sys/arch/i386/i386/db_interface.c
cvs rdiff -u -r1.782.6.4 -r1.782.6.5 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.40 -r1.40.22.1 src/sys/arch/i386/i386/spl.S
cvs rdiff -u -r1.69 -r1.69.2.1 src/sys/arch/i386/i386/vector.S
cvs rdiff -u -r1.50.2.1 -r1.50.2.2 src/sys/arch/x86/include/intr.h
cvs rdiff -u -r1.101.2.4 -r1.101.2.5 src/sys/arch/x86/x86/intr.c
cvs rdiff -u -r1.58.2.4 -r1.58.2.5 src/sys/arch/x86/x86/lapic.c
CVS commit: [netbsd-8] src/doc
Module Name:    src
Committed By:   martin
Date:           Thu Apr 5 18:18:00 UTC 2018

Modified Files:
	src/doc [netbsd-8]: CHANGES-8.0

Log Message:
Ticket #696

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.164 -r1.1.2.165 src/doc/CHANGES-8.0
CVS commit: src/bin/ed
Module Name:    src
Committed By:   christos
Date:           Thu Apr 5 18:44:57 UTC 2018

Modified Files:
	src/bin/ed: ed.1 main.c

Log Message:
add -S to disable ! commands.

To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/bin/ed/ed.1
cvs rdiff -u -r1.28 -r1.29 src/bin/ed/main.c
CVS commit: src/usr.bin/patch
Module Name:    src
Committed By:   christos
Date:           Thu Apr 5 18:50:10 UTC 2018

Modified Files:
	src/usr.bin/patch: pch.c

Log Message:
Pass -S to ed(1) so that patches containing ! commands don't run commands.
Real cause of CVE-2018-0492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667

To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/usr.bin/patch/pch.c
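The two commits above close the hole from the ed(1) side (a -S that refuses ! commands) and from the patch(1) side (always passing it). A caller that cannot rely on a restricted ed can also refuse such scripts up front, which is what this added example does. It is my own scanner in C, not code from patch(1) or ed(1): it understands only the numeric addresses patch emits (no regex addresses, no g/v command lists), tracks the text-input mode that a, c and i open so that a data line beginning with ! is not mistaken for a command, and flags the bare ! command as well as r, w, e, E and W with a ! argument. The three scripts are constructed samples.

```c
/* Added example, not patch(1)/ed(1) code: scan an ed script for commands
 * that would spawn a shell before handing it to ed. */
#include <stddef.h>
#include <string.h>

/* Returns the 1-based line number of the first shell-escaping command, 0 if none. */
static int ed_script_first_shell_escape(const char *script)
{
    const char *p = script;
    int lineno = 0, in_text = 0;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        lineno++;
        if (in_text) {
            /* Inside a/c/i input: everything is data until a lone "." line. */
            if (n == 1 && p[0] == '.')
                in_text = 0;
        } else {
            size_t i = 0;
            /* Skip the numeric address forms patch(1) produces, e.g. "12", "3,4", ".", "$". */
            while (i < n && strchr("0123456789,;.$+- \t", p[i]) != NULL)
                i++;
            if (i < n) {
                char c = p[i];
                if (c == '!')
                    return lineno;                   /* "!cmd": run a shell command */
                if (c == 'r' || c == 'w' || c == 'e' || c == 'E' || c == 'W') {
                    size_t j = i + 1;
                    while (j < n && (p[j] == ' ' || p[j] == '\t'))
                        j++;
                    if (j < n && p[j] == '!')
                        return lineno;               /* "r !cmd" / "w !cmd": same thing */
                }
                if (c == 'a' || c == 'c' || c == 'i')
                    in_text = 1;                     /* following lines are data */
            }
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Constructed samples. The "!" in the first one is inserted text, not a command. */
static const char benign_script[] =
    "3c\n"
    "!this line is data, not a command\n"
    ".\n"
    "w\n"
    "q\n";

static const char hostile_script[] =
    "1a\n"
    "hello\n"
    ".\n"
    "!id > /tmp/pwned\n"
    "w\n"
    "q\n";

static const char hostile_read_script[] =
    "1r !uname -a\n"
    "w\n"
    "q\n";
```

A scanner like this is a belt-and-braces measure only: ed's own -S (or GNU ed's restricted mode) is the authoritative control, since it also covers forms a pre-filter may not recognise.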
CVS commit: src/share/mk
Module Name:    src
Committed By:   mrg
Date:           Thu Apr 5 22:38:58 UTC 2018

Modified Files:
	src/share/mk: bsd.own.mk

Log Message:
switch m68000 and m68k to GCC 6. ok mlelstv.

To generate a diff of this commit:
cvs rdiff -u -r1.1053 -r1.1054 src/share/mk/bsd.own.mk