os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add today's advisories.

Browse source 
Approved by:	so
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Gordon Tetlow 2018-05-08 17:24:52 +00:00
parent 1a92f8ff7f
commit 73d16f03cd
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=51632
15 changed files with 2297 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

152
share/security/advisories/FreeBSD-EN-18:05.mem.asc Normal file
View file

@ -0,0 +1,152 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:05.mem Errata Notice
The FreeBSD Project
Topic: Multiple small kernel memory disclosures
Category: core
Module: kernel
Announced: 2018-05-08
Credits: Ilja van Sprundel, IOActive
Vlad Tsyrklevich
Affects: All supported versions of FreeBSD.
Corrected: 2018-04-08 20:50:16 UTC (stable/11, 11.1-STABLE)
2018-05-08 17:14:54 UTC (releng/11.1, 11.1-RELEASE-p10)
2018-04-09 12:55:09 UTC (stable/10, 10.4-STABLE)
2018-05-08 17:14:54 UTC (releng/10.4, 10.4-RELEASE-p9)
CVE Name: CVE-2018-6920, CVE-2018-6921
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes drivers for Atheros wireless interfaces, a TCP network
stack, and the ability to execute Linux binaries.
II. Problem Description
Due to insufficient initialization of memory copied to userland in the
components described above small amounts of kernel memory may be disclosed
to userland processes.
The disclosure in the Atheros wireless driver and Linux subsystem applies to
both FreeBSD 10.x and 11.x (CVE-2018-6920).
The disclosure in the TCP network stack was introduced in 11.0. As such,
only FreeBSD 11.x is affected by this issue (CVE-2018-6921).
III. Impact
A user who can access these drivers, use TCP sockets, or execute Linux
binaries may be able to read the contents of small portions of kernel memory.
Such memory might contain sensitive information, such as portions of the file
cache or terminal buffers. This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way; for example,
a terminal buffer might include a user-entered password.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Afterward, reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/EN-18:05/mem.11.1.patch
# fetch https://security.FreeBSD.org/patches/EN-18:05/mem.11.1.patch.asc
# gpg --verify mem.11.1.patch.asc
[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/EN-18:05/mem.10.4.patch
# fetch https://security.FreeBSD.org/patches/EN-18:05/mem.10.4.patch.asc
# gpg --verify mem.10.4.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r332321
releng/10.4/ r333372
stable/11/ r332303
releng/11.1/ r333372
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6920>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6921>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:05.mem.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrx3F5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLEJw/+O78dItjByrV33QHG6FG99Sk2tMvYJaD5jmM7qUiV2TiumFz4n8a3IjDe
kEmH68jkHxkSvWHvpOKMYx/CzzGG1UkMQvrFseGO6d/azZMqY4V3WqXeKcD6lwLI
qggFdIBDr2ltGQ19jLuD8ucfuyC8DurdhiEzn1s7e2YjpPaCgNSc9kHf/+Ez/MBu
v9ozlq/uS9+tLWHCoY6r4WFXWBrT96LFs9O+5TMVXZ+1ZuIvj4/2y+7HtgJalt85
5+bce0+qFdmk/gpcw7SQOZ1ngeXPWi9fDOv7LR+YkDaHcpJP9sXp9Ej2Tro97CMK
oQ0QGiJ+h1iGuYIw76chchZ5mK+UEVSbdxK70fpPC1zi+g8l0smVSpOs8oNFGX0m
F0pHhIz3LwMMDyZgJsEMUIkBF7nbKS8Mc+noq9DOaOjZjb0yyBFbc8s82LIdbOhO
IIJftNF1NSlH4tKJtFdet/TrxHX/UZ0xp52SHev+U3c3gXaoP4EUHQ71R/lnlyJc
R+H6G/xZjcsNrklKgJJMV+5znKbjDaqavaaAxo17eRqLG/M4ZIac3xzqJUyeuUPY
RnErPTRQzGL4C9CldxjIfI+iY3f2uTsNclzonV98kcLxbRdMsNIybUV6mNBYVmlx
4A6IN3zP1+bsbjOdZMhpAUIjsflj/KzdF/f4/BjoCgBv3O030ec=
=jxlW
-----END PGP SIGNATURE-----

147
share/security/advisories/FreeBSD-EN-18:06.tzdata.asc Normal file
View file

@ -0,0 +1,147 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:06.tzdata Errata Notice
The FreeBSD Project
Topic: Timezone database information update
Category: contrib
Module: zoneinfo
Announced: 2018-05-08
Credits: Philip Paeps
Affects: All supported versions of FreeBSD.
Corrected: 2018-05-07 06:58:19 UTC (stable/11, 11.2-PRERELEASE)
2018-05-08 17:18:24 UTC (releng/11.1, 11.1-RELEASE-p10)
2018-05-07 07:02:26 UTC (stable/10, 10.4-STABLE)
2018-05-08 17:18:24 UTC (releng/10.4, 10.4-RELEASE-p9)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The tzsetup(8) program allows the user to specify the default local timezone.
Based on the selected timezone, tzsetup(8) copies one of the files from
/usr/share/zoneinfo to /etc/localtime. This file actually controls the
conversion.
II. Problem Description
Several changes in Daylight Savings Time happened after previous FreeBSD
releases were released that would affect many people who live in different
countries. Because of these changes, the data in the zoneinfo files need to
be updated, and if the local timezone on the running system is affected,
tzsetup(8) needs to be run so the /etc/localtime is updated.
III. Impact
An incorrect time will be displayed on a system configured to use one of the
affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
not updated, and all applications on the system that rely on the system time,
such as cron(8) and syslog(8), will be affected.
IV. Workaround
The system administrator can install an updated timezone database from the
misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
Applications that store and display times in Coordinated Universal Time (UTC)
are not affected.
V. Solution
Please note that some third party software, for instance PHP, Ruby, Java and
Perl, may be using different zoneinfo data source, in such cases this
software must be updated separately. For software packages that is installed
via binary packages, they can be upgraded by executing `pkg upgrade'.
Following the instructions in this Errata Notice will update all of the
zoneinfo files to be the same as what was released with FreeBSD release.
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. Restart all the affected
applications and daemons, or reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all the affected applications and daemons, or reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-18:06/tzdata-2018e.patch
# fetch https://security.FreeBSD.org/patches/EN-18:06/tzdata-2018e.patch.asc
# gpg --verify tzdata-2018e.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all the affected applications and daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r333313
releng/10.4/ r333375
stable/11/ r333312
releng/11.1/ r333375
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:06.tzdata.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrx3G1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIzdg//a6Vn9B/eW4na7jAcX4rUCUJGBFE1A4MhX4NGULx+L4v6qkcdj4O6CWYR
rbqNRzEtb5oF0We9K0XyekigmOVmb5TwDXHbjiaw13DrLWM4WhEAerRP04DrDV7k
31SGAq92L3oP4u8FrxwdtKZ2TY5naH/3GdGEL0JJmUaqUSrtLeiOvqVwCKZIy7i9
Q4DqQh7cEtBK5J8V+VqqbKNKOTPKS0uH27UAjzPhTc+GbZ4YRnD4YKVfNZMEDmiy
5TgXJrVOX+eJZlB1jgZXJY38wZtQELbs+2I2haNvzKz3Ypt7Rtan9MxAWkBkC+g6
/tbiJFYaJ5GC0CTBymBa8gm5oqvpWzb3h3kNpld4SDyO1iDcIcD7/+VqnNoFynVa
Fgf/icLc3Ck48n0ZZQlkGk22kTmBwe69p6QLnL5cuDbm3ZpRM/+1GjguG2Ow5eYD
Y6p6eMozALZh2JdHdxAtKEuSfc03UOMcEu2kBtVE/XtoJqPb+2SmaSRvXmMiio2E
TPjjdAzUUITDcESmyJLmHoqwHR40i2+ZSwH6BbD/1qeoH7PSXS+/Nh/wv2KEsC0S
tbAYiwuj4uDlgPIPm0tr2xDB+2BaSVe/0AituXyzFQVnrNJHisLrk0tZ7Y3WmN0B
Fn/5LIRGjT51Sw/0D0XpedwcdWoUQ9vz/FpoC6xQDcaXhW/ViDo=
=0QUF
-----END PGP SIGNATURE-----

141
share/security/advisories/FreeBSD-SA-18:06.debugreg.asc Normal file
View file

@ -0,0 +1,141 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-18:06.debugreg Security Advisory
The FreeBSD Project
Topic: Mishandling of x86 debug exceptions
Category: core
Module: kernel
Announced: 2018-05-08
Credits: Nick Peterson, Everdox Tech LLC
https://www.linkedin.com/in/everdox
Andy Lutomirski
Affects: All supported versions of FreeBSD.
Corrected: 2018-05-08 17:03:33 UTC (stable/11, 11.2-PRERELEASE)
2018-05-08 17:12:10 UTC (releng/11.1, 11.1-RELEASE-p10)
2018-05-08 17:05:39 UTC (stable/10, 10.4-STABLE)
2018-05-08 17:12:10 UTC (releng/10.4, 10.4-RELEASE-p9)
CVE Name: CVE-2018-8897
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
On x86 architecture systems, the stack is represented by the combination of
a stack segment and a stack pointer, which must remain in sync for proper
operation. Instructions related to manipulating the stack segment have
special handling to facilitate consistency with changes to the stack pointer.
II. Problem Description
The MOV SS and POP SS instructions inhibit debug exceptions until the
instruction boundary following the next instruction. If that instruction is
a system call or similar instruction that transfers control to the operating
system, the debug exception will be handled in the kernel context instead of
the user context.
III. Impact
An authenticated local attacker may be able to read sensitive data in kernel
memory, control low-level operating system functions, or may panic the
system.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
using either a binary or source code patch, and then reboot.
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
And reboot.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch.asc
# gpg --verify debugreg.11.1.patch.asc
[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch.asc
# gpg --verify debugreg.10.4.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile and install your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r333370
releng/10.4/ r333371
stable/11/ r333369
releng/11.1/ r333371
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:06.debugreg.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrx3HhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cK/jhAAmPPCFZRMvbyG0VBCBqo5COFZ/32IMOWFDGMlsSi+CEgcGM51SzYZi97c
zsT/2RgMsvBdggk41wvXqp1gKxgIbJe22af7l+D18e6rDEesueJqSiizcHmfGQul
X+ZRUkFxTkCNz0Ajp4clqbavuHNiCmiKmH/0X8LMk31SXIVE3oH0Pphf0W8qJqxz
4k2nvc6NoPWEMVA0rsj3n6sB0NhvV1ddLLmGpoDgedSyz77PCDgWGMoh5ny5sY12
tHNB1r+gL624Y0l8xoyVJP0Snk0emzeQQ5HOTa8DRIwD/a0Uxy+xKcvDMorW9U6M
zsxrMs9EwSJYpwLxsQ/YVTgFvyQbkHXFXg56hxqUvnnEEahGfF47d/9x2lyzDr8r
H+ncl9a+PfOCJ5OcwkjzorQv+Pq65JFlc15bxLS+zyU4g6yJDnHdk7Azbc60Uwq/
chauKmosm1I1CVH60JG00rmvoiX7b5ZRdEGEzAFt4XIX+EuXPnI84C5DxiD1YG+3
n7IygNZNGtGfIrNhWEn2VK+VGzFEm2p4RkreWbGwrWQIxfd5gOJxvjAPSwjgy5rl
dwRW7bMzowIGnrlzCF18Qc2xnFD31JPYDdsI+Fa8d1YkCVWRZ79VX57Locw50/de
c5nZRJGk4AQ1lXxkNTkxWnstfb/q8fBVPkIEQKVHpVnGiI/pQpQ=
=Oyxs
-----END PGP SIGNATURE-----

115
share/security/patches/EN-18:05/mem.10.4.patch Normal file
View file

@ -0,0 +1,115 @@
--- sys/compat/linux/linux_ioctl.c.orig
+++ sys/compat/linux/linux_ioctl.c
@@ -246,6 +246,7 @@
} else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) {
struct linux_hd_big_geometry hdbg;
+ memset(&hdbg, 0, sizeof(hdbg));
hdbg.cylinders = fwcylinders;
hdbg.heads = fwheads;
hdbg.sectors = fwsectors;
@@ -2426,6 +2427,7 @@
printf("%s(): ioctl %d on %.*s\n", __func__,
args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname);
#endif
+ memset(ifname, 0, sizeof(ifname));
ifp = ifname_linux_to_bsd(td, lifname, ifname);
if (ifp == NULL)
return (EINVAL);
--- sys/compat/linux/linux_ipc.c.orig
+++ sys/compat/linux/linux_ipc.c
@@ -516,6 +516,9 @@
register_t rval;
int cmd, error;
+ memset(&linux_seminfo, 0, sizeof(linux_seminfo));
+ memset(&linux_semid, 0, sizeof(linux_semid));
+
switch (args->cmd & ~LINUX_IPC_64) {
case LINUX_IPC_RMID:
cmd = IPC_RMID;
@@ -661,6 +664,8 @@
struct l_msqid_ds linux_msqid;
struct msqid_ds bsd_msqid;
+ memset(&linux_msqid, 0, sizeof(linux_msqid));
+
bsd_cmd = args->cmd & ~LINUX_IPC_64;
switch (bsd_cmd) {
case LINUX_IPC_INFO:
@@ -667,6 +672,7 @@
case LINUX_MSG_INFO: {
struct l_msginfo linux_msginfo;
+ memset(&linux_msginfo, 0, sizeof(linux_msginfo));
/*
* XXX MSG_INFO uses the same data structure but returns different
* dynamic counters in msgpool, msgmap, and msgtql fields.
@@ -789,6 +795,10 @@
struct shmid_ds bsd_shmid;
int error;
+ memset(&linux_shm_info, 0, sizeof(linux_shm_info));
+ memset(&linux_shmid, 0, sizeof(linux_shmid));
+ memset(&linux_shminfo, 0, sizeof(linux_shminfo));
+
switch (args->cmd & ~LINUX_IPC_64) {
case LINUX_IPC_INFO: {
--- sys/dev/ath/if_ath_btcoex.c.orig
+++ sys/dev/ath/if_ath_btcoex.c
@@ -321,7 +321,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -330,6 +330,7 @@
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
--- sys/dev/ath/if_ath_lna_div.c.orig
+++ sys/dev/ath/if_ath_lna_div.c
@@ -185,7 +185,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -194,6 +194,7 @@
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
--- sys/dev/ath/if_ath_spectral.c.orig
+++ sys/dev/ath/if_ath_spectral.c
@@ -210,7 +210,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -273,6 +273,7 @@
break;
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;

18
share/security/patches/EN-18:05/mem.10.4.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrxvPRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cL+ag/9G31jTLcccP2zEVMkQImlpbok+NQ6S/68DSgLfyht72mBR+Auhr+uN6i4
9Rd3+UDwA5ZLOYt7QcZpV5xAJKAp9JtV8gNA0TFpWsRY2OYzDXL2EbyVonhutib5
X5a0ClXjMOP99OZTWKMxQvLMZOa4p6DLOxZZfHyqbKdiDVOQCvLX2PSpHEQWCAZg
d6ciw3Hs/H6AwT7ILwBlrWlax/O3RcMApRroeOIfKp1tVgoujvPlfHXGGIgXnEjr
OfzLO6VBdaBYmKXQL3+zSweJtQXqby75JvLeS4+8SNwSyW4SOX+wgA63Q1imD6az
Max+FPo459kGf1bp5sgmtn1r4AsWuCFEBE93tYnAWA5RXXyZwdjN0UBbKmoENZwb
0eUuwymanPpJZ+LBRjlXS7fjpE3r9Dal9khxQnZ4L4mICYYyDqdTmCmXt/Dh+fTB
7SwCb+ptVmZqvZfg7Xmp4Kk9lIDaPXxjlUTfmQK26iiV/sR53RP3hgDMT9HXfxdQ
BuF5eRkOgT5oGTljqOpsZuxpSRTvVGpnTzRQ3ORq9kxv2pk9+z37A2RkHWbw95H6
JnmnrZrjUYjYXxnMn7TyFlEgrkWicQN1a3QOCq4hBOMgqfID8Q/doNTcvomchX1w
R+z+l737NWCTOvFN7DBL7GQcmzidTI7LwdEIVxK7+c0csSrycp0=
=nC9i
-----END PGP SIGNATURE-----

139
share/security/patches/EN-18:05/mem.11.1.patch Normal file
View file

@ -0,0 +1,139 @@
--- sys/compat/linux/linux_ioctl.c.orig
+++ sys/compat/linux/linux_ioctl.c
@@ -253,6 +253,7 @@
} else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) {
struct linux_hd_big_geometry hdbg;
+ memset(&hdbg, 0, sizeof(hdbg));
hdbg.cylinders = fwcylinders;
hdbg.heads = fwheads;
hdbg.sectors = fwsectors;
@@ -2477,6 +2478,7 @@
printf("%s(): ioctl %d on %.*s\n", __func__,
args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname);
#endif
+ memset(ifname, 0, sizeof(ifname));
ifp = ifname_linux_to_bsd(td, lifname, ifname);
if (ifp == NULL)
return (EINVAL);
--- sys/compat/linux/linux_ipc.c.orig
+++ sys/compat/linux/linux_ipc.c
@@ -548,6 +548,9 @@
register_t rval;
int cmd, error;
+ memset(&linux_seminfo, 0, sizeof(linux_seminfo));
+ memset(&linux_semid64, 0, sizeof(linux_semid64));
+
switch (args->cmd & ~LINUX_IPC_64) {
case LINUX_IPC_RMID:
cmd = IPC_RMID;
@@ -702,6 +705,8 @@
struct l_msqid64_ds linux_msqid64;
struct msqid_ds bsd_msqid;
+ memset(&linux_msqid64, 0, sizeof(linux_msqid64));
+
bsd_cmd = args->cmd & ~LINUX_IPC_64;
switch (bsd_cmd) {
case LINUX_IPC_INFO:
@@ -708,6 +713,7 @@
case LINUX_MSG_INFO: {
struct l_msginfo linux_msginfo;
+ memset(&linux_msginfo, 0, sizeof(linux_msginfo));
/*
* XXX MSG_INFO uses the same data structure but returns different
* dynamic counters in msgpool, msgmap, and msgtql fields.
@@ -833,6 +839,10 @@
struct shmid_ds bsd_shmid;
int error;
+ memset(&linux_shm_info, 0, sizeof(linux_shm_info));
+ memset(&linux_shmid64, 0, sizeof(linux_shmid64));
+ memset(&linux_shminfo64, 0, sizeof(linux_shminfo64));
+
switch (args->cmd & ~LINUX_IPC_64) {
case LINUX_IPC_INFO: {
--- sys/dev/ath/if_ath_btcoex.c.orig
+++ sys/dev/ath/if_ath_btcoex.c
@@ -457,7 +457,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -466,6 +466,7 @@
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
--- sys/dev/ath/if_ath_ioctl.c.orig
+++ sys/dev/ath/if_ath_ioctl.c
@@ -197,7 +197,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
--- sys/dev/ath/if_ath_lna_div.c.orig
+++ sys/dev/ath/if_ath_lna_div.c
@@ -187,7 +187,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -196,6 +196,7 @@
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
--- sys/dev/ath/if_ath_spectral.c.orig
+++ sys/dev/ath/if_ath_spectral.c
@@ -212,7 +212,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -275,6 +275,7 @@
break;
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
--- sys/netinet/tcp_usrreq.c.orig
+++ sys/netinet/tcp_usrreq.c
@@ -1495,7 +1495,9 @@
return (error);
} else if ((sopt->sopt_dir == SOPT_GET) &&
(sopt->sopt_name == TCP_FUNCTION_BLK)) {
- strcpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name);
+ strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name,
+ TCP_FUNCTION_NAME_LEN_MAX);
+ fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0';
fsn.pcbcnt = tp->t_fb->tfb_refcnt;
INP_WUNLOCK(inp);
error = sooptcopyout(sopt, &fsn, sizeof fsn);

18
share/security/patches/EN-18:05/mem.11.1.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrxvQJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIwxQ//bgsLVPJ63nz0rDnWhF3qOLtJbE0ZTE2F5XRraNRaUVBx7ZpCyirSHnsU
CZvNVDtPxRGzxxgzPXj4gjtRuFK7VK5uKMG+tAL1i2A7S9ukbIOsD6y5R1VO3Vnj
uYPqGZgo437tnzgSCo/z7WAW98tDPzcbHJIO3gNNAG7Tu9+xfinLFP2GhFkYlsij
K/tplIX8OiT4X4Qcn4x3LNUIS9bXxMcX7ogkPqLEYlCOVT4h7IXXBJa6Z+IkSwSv
Y8xOmdDwp33t+JbEZt2NGMNG3evT1aYR/v0/GHPEjruPmK+fMSI5EmJOPPGn0zMn
7/vPiDacXDnyGIORFaerC0kZkQjaSwunzzO4npqBmj+jD7ALTtpyCY8fpHqPlERH
LkA+3xZDZqcgRVyVEWYq7exyyXNe2BkkENP8BZaZGUCPA9+uJ8dsDcw5D8DghMBG
KvbBcr+7zIiWRYM9rWwLS1t4y7GpC9DJxqvgAy2S7w8MGZsS6zGPsgt91cG71m+T
S+uEcuu1x3xowI6ODOTc3ISxD+V20yE464UdBYyN21zE67yuWRJXdMzIqQUbgSuU
W8w4z3sNFUlh1phVi9pCteX0Vgvt+YHEkd2NG0zoHp7//1a5vtSoSMgAN746eanP
MVdI7kaTjrjzJaaKPtb5zKdznLUH06mHspeI2qXrtb7XoRpSt2o=
=Q1kJ
-----END PGP SIGNATURE-----

837
share/security/patches/EN-18:06/tzdata-2018e.patch Normal file
View file

@ -0,0 +1,837 @@
--- contrib/tzdata/Makefile.orig
+++ contrib/tzdata/Makefile
@@ -21,7 +21,7 @@
# Change the line below for your time zone (after finding the zone you want in
# the time zone files, or adding it to a time zone file).
-# Alternately, if you discover you've got the wrong time zone, you can just
+# Alternatively, if you discover you've got the wrong time zone, you can just
# zic -l rightzone
# to correct things.
# Use the command
@@ -38,7 +38,7 @@
# template file are used to determine "spring forward" and "fall back" days and
# times; the environment variable itself specifies UT offsets of standard and
# daylight saving time.
-# Alternately, if you discover you've got the wrong time zone, you can just
+# Alternatively, if you discover you've got the wrong time zone, you can just
# zic -p rightzone
# to correct things.
# Use the command
@@ -236,14 +236,16 @@
$(GCC_INSTRUMENT) \
-Wall -Wextra \
-Walloc-size-larger-than=100000 -Warray-bounds=2 \
- -Wbad-function-cast -Wcast-align -Wdate-time \
+ -Wbad-function-cast -Wcast-align=strict -Wdate-time \
-Wdeclaration-after-statement -Wdouble-promotion \
-Wformat=2 -Wformat-overflow=2 -Wformat-signedness -Wformat-truncation \
-Winit-self -Wjump-misses-init -Wlogical-op \
-Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
-Wold-style-definition -Woverlength-strings -Wpointer-arith \
- -Wshadow -Wshift-overflow=2 -Wstrict-prototypes -Wstringop-overflow=5 \
+ -Wshadow -Wshift-overflow=2 -Wstrict-prototypes -Wstringop-overflow=4 \
+ -Wstringop-truncation -Wsuggest-attribute=cold \
-Wsuggest-attribute=const -Wsuggest-attribute=format \
+ -Wsuggest-attribute=malloc \
-Wsuggest-attribute=noreturn -Wsuggest-attribute=pure \
-Wtrampolines -Wundef -Wuninitialized -Wunused \
-Wvariadic-macros -Wvla -Wwrite-strings \
@@ -514,6 +516,7 @@
tzfile.5 tzfile.h tzselect.8 tzselect.ksh \
workman.sh yearistype.sh \
zdump.8 zdump.c zic.8 zic.c \
+ ziguard.awk zishrink.awk \
zone.tab zone1970.tab zoneinfo2tdf.pl
# And for the benefit of csh users on systems that assume the user
@@ -559,8 +562,8 @@
# These files can be tailored by setting BACKWARD, PACKRATDATA, etc.
vanguard.zi main.zi rearguard.zi: $(DSTDATA_ZI_DEPS)
- $(AWK) -v outfile='$@' -f ziguard.awk $(TDATA) $(PACKRATDATA) \
- >$@.out
+ $(AWK) -v DATAFORM=`expr $@ : '\(.*\).zi'` -f ziguard.awk \
+ $(TDATA) $(PACKRATDATA) >$@.out
mv $@.out $@
tzdata.zi: $(DATAFORM).zi version
version=`sed 1q version` && \
@@ -900,6 +903,13 @@
done
rm -fr time_t.dir
+TRADITIONAL_ASC = \
+ tzcode$(VERSION).tar.gz.asc \
+ tzdata$(VERSION).tar.gz.asc
+ALL_ASC = $(TRADITIONAL_ASC) \
+ tzdata$(VERSION)-rearguard.tar.gz.asc \
+ tzdb-$(VERSION).tar.lz.asc
+
tarballs traditional_tarballs signatures traditional_signatures: version
VERSION=`cat version` && \
$(MAKE) VERSION="$$VERSION" $@_version
@@ -907,12 +917,13 @@
# These *_version rules are intended for use if VERSION is set by some
# other means. Ordinarily these rules are used only by the above
# non-_version rules, which set VERSION on the 'make' command line.
-tarballs_version: traditional_tarballs_version tzdb-$(VERSION).tar.lz
+tarballs_version: traditional_tarballs_version \
+ tzdata$(VERSION)-rearguard.tar.gz \
+ tzdb-$(VERSION).tar.lz
traditional_tarballs_version: \
tzcode$(VERSION).tar.gz tzdata$(VERSION).tar.gz
-signatures_version: traditional_signatures_version tzdb-$(VERSION).tar.lz.asc
-traditional_signatures_version: \
- tzcode$(VERSION).tar.gz.asc tzdata$(VERSION).tar.gz.asc \
+signatures_version: $(ALL_ASC)
+traditional_signatures_version: $(TRADITIONAL_ASC)
tzcode$(VERSION).tar.gz: set-timestamps.out
LC_ALL=C && export LC_ALL && \
@@ -927,6 +938,26 @@
gzip $(GZIPFLAGS) >$@.out
mv $@.out $@
+tzdata$(VERSION)-rearguard.tar.gz: rearguard.zi set-timestamps.out
+ rm -fr tzdata$(VERSION)-rearguard.dir
+ mkdir tzdata$(VERSION)-rearguard.dir
+ ln $(COMMON) $(DATA) $(MISC) tzdata$(VERSION)-rearguard.dir
+ cd tzdata$(VERSION)-rearguard.dir && \
+ rm -f $(TDATA) $(PACKRATDATA) version
+ for f in $(TDATA) $(PACKRATDATA); do \
+ rearf=tzdata$(VERSION)-rearguard.dir/$$f; \
+ $(AWK) -v DATAFORM=rearguard -f ziguard.awk $$f >$$rearf && \
+ touch -cmr `ls -t ziguard.awk $$f` $$rearf || exit; \
+ done
+ sed '1s/$$/-rearguard/' \
+ <version >tzdata$(VERSION)-rearguard.dir/version
+ touch -cmr version tzdata$(VERSION)-rearguard.dir/version
+ LC_ALL=C && export LC_ALL && \
+ (cd tzdata$(VERSION)-rearguard.dir && \
+ tar $(TARFLAGS) -cf - $(COMMON) $(DATA) $(MISC) | \
+ gzip $(GZIPFLAGS)) >$@.out
+ mv $@.out $@
+
tzdb-$(VERSION).tar.lz: set-timestamps.out
rm -fr tzdb-$(VERSION)
mkdir tzdb-$(VERSION)
@@ -937,12 +968,10 @@
mv $@.out $@
tzcode$(VERSION).tar.gz.asc: tzcode$(VERSION).tar.gz
- gpg --armor --detach-sign $?
-
tzdata$(VERSION).tar.gz.asc: tzdata$(VERSION).tar.gz
- gpg --armor --detach-sign $?
-
+tzdata$(VERSION)-rearguard.tar.gz.asc: tzdata$(VERSION)-rearguard.tar.gz
tzdb-$(VERSION).tar.lz.asc: tzdb-$(VERSION).tar.lz
+$(ALL_ASC):
gpg --armor --detach-sign $?
typecheck:
--- contrib/tzdata/NEWS.orig
+++ contrib/tzdata/NEWS
@@ -1,5 +1,69 @@
News for the tz database
+Release 2018e - 2018-05-01 23:42:51 -0700
+
+ Briefly:
+
+ North Korea switches back to +09 on 2018-05-05.
+ The main format uses negative DST again, for Ireland etc.
+ 'make tarballs' now also builds a rearguard tarball.
+ New 's' and 'd' suffixes in SAVE columns of Rule and Zone lines.
+
+ Changes to past and future time stamps
+
+ North Korea switches back from +0830 to +09 on 2018-05-05.
+ (Thanks to Kang Seonghoon, Arthur David Olson, Seo Sanghyeon,
+ and Tim Parenti.)
+
+ Bring back the negative-DST changes of 2018a, except be more
+ compatible with data parsers that do not support negative DST.
+ Also, this now affects historical time stamps in Namibia and the
+ former Czechoslovakia, not just Ireland. The main format now uses
+ negative DST to model time stamps in Europe/Dublin (from 1971 on),
+ Europe/Prague (1946/7), and Africa/Windhoek (1994/2017). This
+ does not affect UT offsets, only time zone abbreviations and the
+ tm_isdst flag. Also, this does not affect rearguard or vanguard
+ formats; effectively the main format now uses vanguard instead of
+ rearguard format. Data parsers that do not support negative DST
+ can still use data from the rearguard tarball described below.
+
+ Changes to build procedure
+
+ The command 'make tarballs' now also builds the tarball
+ tzdataVERSION-rearguard.tar.gz, which is like tzdataVERSION.tar.gz
+ except that it uses rearguard format intended for trailing-edge
+ data parsers.
+
+ Changes to data format and to code
+
+ The SAVE column of Rule and Zone lines can now have an 's' or 'd'
+ suffix, which specifies whether the adjusted time is standard time
+ or daylight saving time. If no suffix is given, daylight saving
+ time is used if and only if the SAVE column is nonzero; this is
+ the longstanding behavior. Although this new feature is not used
+ in tzdata, it could be used to specify the legal time in Namibia
+ 1994-2017, as opposed to the popular time (see below).
+
+ Changes to past time stamps
+
+ From 1994 through 2017 Namibia observed DST in winter, not summer.
+ That is, it used negative DST, as Ireland still does. This change
+ does not affect UTC offsets; it affects only the tm_isdst flag and
+ the abbreviation used during summer, which is now CAT, not WAST.
+ Although (as noted by Michael Deckers) summer and winter time were
+ both simply called "standard time" in Namibian law, in common
+ practice winter time was considered to be DST (as noted by Stephen
+ Colebourne). The full effect of this change is only in vanguard
+ format; in rearguard and main format, the tm_isdst flag is still
+ zero in winter and nonzero in summer.
+
+ In 1946/7 Czechoslovakia also observed negative DST in winter.
+ The full effect of this change is only in vanguard format; in
+ rearguard and main formats, it is modeled as plain GMT without
+ daylight saving. Also, the dates of some 1944/5 DST transitions
+ in Czechoslovakia have been changed.
+
+
Release 2018d - 2018-03-22 07:05:46 -0700
Briefly:
@@ -39,7 +103,7 @@
Enderbury and Kiritimati skipped New Year's Eve 1994, not
New Year's Day 1995. (Thanks to Kerry Shetline.)
- Fix the 1912-01-01 transition for Portugual and its colonies.
+ Fix the 1912-01-01 transition for Portugal and its colonies.
This transition was at 00:00 according to the new UT offset, not
according to the old one. Also assume that Cape Verde switched on
the same date as the rest, not in 1907. This affects
--- contrib/tzdata/africa.orig
+++ contrib/tzdata/africa
@@ -6,7 +6,7 @@
# tz@iana.org for general use in the future). For more, please see
# the file CONTRIBUTING in the tz distribution.
-# From Paul Eggert (2017-02-20):
+# From Paul Eggert (2017-04-09):
#
# Unless otherwise specified, the source for data through 1990 is:
# Thomas G. Shanks and Rique Pottenger, The International Atlas (6th edition),
@@ -52,7 +52,7 @@
# cannot now come up with solid citations.
#
# I invented the following abbreviations; corrections are welcome!
-# +02 WAST West Africa Summer Time
+# +02 WAST West Africa Summer Time (no longer used)
# +03 CAST Central Africa Summer Time (no longer used)
# +03 SAST South Africa Summer Time (no longer used)
# +03 EAT East Africa Time
@@ -967,6 +967,10 @@
# commence at OOhOO on Monday 21 March 1994 and shall end at 02h00 on
# Sunday 4 September 1994.
+# From Michael Deckers (2017-04-06):
+# ... both summer and winter time are called "standard"
+# (which differs from the use in Ireland) ...
+
# From Petronella Sibeene (2007-03-30):
# http://allafrica.com/stories/200703300178.html
# While the entire country changes its time, Katima Mulilo and other
@@ -992,10 +996,26 @@
# the same time they would normally start DST, the first Sunday in September:
# https://www.timeanddate.com/news/time/namibia-new-time-zone.html
+# From Paul Eggert (2017-04-09):
+# Before the change, summer and winter time were both standard time legally.
+# However in common parlance, winter time was considered to be DST. See, e.g.:
+# http://www.nbc.na/news/namibias-winter-time-could-be-scrapped.2706
+# https://zone.my.na/news/times-are-changing-in-namibia
+# https://www.newera.com.na/2017/02/23/namibias-winter-time-might-be-repealed/
+# Use plain "WAT" and "CAT" for the time zone abbreviations, to be compatible
+# with Namibia's neighbors.
+
# RULE NAME FROM TO TYPE IN ON AT SAVE LETTER/S
-Rule Namibia 1994 only - Mar 21 0:00 0 -
-Rule Namibia 1994 2016 - Sep Sun>=1 2:00 1:00 S
-Rule Namibia 1995 2017 - Apr Sun>=1 2:00 0 -
+# Vanguard section, for zic and other parsers that support negative DST.
+Rule Namibia 1994 only - Mar 21 0:00 -1:00 WAT
+Rule Namibia 1994 2017 - Sep Sun>=1 2:00 0 CAT
+Rule Namibia 1995 2017 - Apr Sun>=1 2:00 -1:00 WAT
+# Rearguard section, for parsers that do not support negative DST.
+#Rule Namibia 1994 only - Mar 21 0:00 0 WAT
+#Rule Namibia 1994 2017 - Sep Sun>=1 2:00 1:00 CAT
+#Rule Namibia 1995 2017 - Apr Sun>=1 2:00 0 WAT
+# End of rearguard section.
+
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8
1:30 - +0130 1903 Mar
@@ -1002,9 +1022,16 @@
2:00 - SAST 1942 Sep 20 2:00
2:00 1:00 SAST 1943 Mar 21 2:00
2:00 - SAST 1990 Mar 21 # independence
- 2:00 - CAT 1994 Mar 21 0:00
- 1:00 Namibia WA%sT 2017 Sep 3 2:00
- 2:00 - CAT
+# Vanguard section, for zic and other parsers that support negative DST.
+ 2:00 Namibia %s
+# Rearguard section, for parsers that do not support negative DST.
+# 2:00 - CAT 1994 Mar 21 0:00
+# From Paul Eggert (2017-04-07):
+# The official date of the 2017 rule change was 2017-10-24. See:
+# http://www.lac.org.na/laws/annoSTAT/Namibian%20Time%20Act%209%20of%202017.pdf
+# 1:00 Namibia %s 2017 Oct 24
+# 2:00 - CAT
+# End of rearguard section.
# Niger
# See Africa/Lagos.
--- contrib/tzdata/asia.orig
+++ contrib/tzdata/asia
@@ -1983,6 +1983,19 @@
# There is no common English-language abbreviation for this time zone.
# Use KST, as that's what we already use for 1954-1961 in ROK.
+# From Kang Seonghoon (2018-04-29):
+# North Korea will revert its time zone from UTC+8:30 (PYT; Pyongyang
+# Time) back to UTC+9 (KST; Korea Standard Time).
+#
+# From Seo Sanghyeon (2018-04-30):
+# Rodong Sinmun 2018-04-30 announced Pyongyang Time transition plan.
+# https://www.nknews.org/kcna/wp-content/uploads/sites/5/2018/04/rodong-2018-04-30.pdf
+# ... the transition date is 2018-05-05 ... Citation should be Decree
+# No. 2232 of April 30, 2018, of the Presidium of the Supreme People's
+# Assembly, as published in Rodong Sinmun.
+# From Tim Parenti (2018-04-29):
+# It appears to be the front page story at the top in the right-most column.
+
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Asia/Seoul 8:27:52 - LMT 1908 Apr 1
8:30 - KST 1912 Jan 1
@@ -1994,7 +2007,8 @@
8:30 - KST 1912 Jan 1
9:00 - JST 1945 Aug 24
9:00 - KST 2015 Aug 15 00:00
- 8:30 - KST
+ 8:30 - KST 2018 May 5
+ 9:00 - KST
###############################################################################
@@ -2658,7 +2672,7 @@
# From Sharef Mustafa (2018-03-16):
# Palestine summer time will start on Mar 24th 2018 by advancing the
# clock by 60 minutes as per Palestinian cabinet decision published on
-# the offical website, though the decree did not specify the exact
+# the official website, though the decree did not specify the exact
# time of the time shift.
# http://www.palestinecabinet.gov.ps/Website/AR/NDecrees/ViewFile.ashx?ID=e7a42ab7-ee23-435a-b9c8-a4f7e81f3817
#
--- contrib/tzdata/australasia.orig
+++ contrib/tzdata/australasia
@@ -1085,6 +1085,15 @@
# (1999-09-27) writes that Giles Meteorological Station uses
# South Australian time even though it's located in Western Australia.
+# From Paul Eggert (2018-04-01):
+# The Guardian Express of Perth, Australia reported today that the
+# government decided to advance the clocks permanently on January 1,
+# 2019, from UT +08 to UT +09. The article noted that an exemption
+# would be made for people aged 61 and over, who "can apply in writing
+# to have the extra hour of sunshine removed from their area." See:
+# Daylight saving coming to WA in 2019. Guardian Express. 2018-04-01.
+# https://www.communitynews.com.au/guardian-express/news/exclusive-daylight-savings-coming-wa-summer-2018/
+
# Queensland
# From Paul Eggert (2018-02-26):
--- contrib/tzdata/europe.orig
+++ contrib/tzdata/europe
@@ -528,13 +528,13 @@
# summer and negative daylight saving time in winter. It is for when
# negative SAVE values are used.
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
-#Rule Eire 1971 only - Oct 31 2:00u -1:00 GMT
-#Rule Eire 1972 1980 - Mar Sun>=16 2:00u 0 IST
-#Rule Eire 1972 1980 - Oct Sun>=23 2:00u -1:00 GMT
-#Rule Eire 1981 max - Mar lastSun 1:00u 0 IST
-#Rule Eire 1981 1989 - Oct Sun>=23 1:00u -1:00 GMT
-#Rule Eire 1990 1995 - Oct Sun>=22 1:00u -1:00 GMT
-#Rule Eire 1996 max - Oct lastSun 1:00u -1:00 GMT
+Rule Eire 1971 only - Oct 31 2:00u -1:00 -
+Rule Eire 1972 1980 - Mar Sun>=16 2:00u 0 -
+Rule Eire 1972 1980 - Oct Sun>=23 2:00u -1:00 -
+Rule Eire 1981 max - Mar lastSun 1:00u 0 -
+Rule Eire 1981 1989 - Oct Sun>=23 1:00u -1:00 -
+Rule Eire 1990 1995 - Oct Sun>=22 1:00u -1:00 -
+Rule Eire 1996 max - Oct lastSun 1:00u -1:00 -
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Europe/Dublin -0:25:00 - LMT 1880 Aug 2
@@ -548,11 +548,11 @@
0:00 - GMT 1948 Apr 18 2:00s
0:00 GB-Eire GMT/IST 1968 Oct 27
# The next line is for when negative SAVE values are used.
-# 1:00 Eire IST/GMT
+ 1:00 Eire IST/GMT
# These three lines are for when SAVE values are always nonnegative.
- 1:00 - IST 1971 Oct 31 2:00u
- 0:00 GB-Eire GMT/IST 1996
- 0:00 EU GMT/IST
+# 1:00 - IST 1971 Oct 31 2:00u
+# 0:00 GB-Eire GMT/IST 1996
+# 0:00 EU GMT/IST
###############################################################################
@@ -970,18 +970,30 @@
# Please see the 'asia' file for Asia/Nicosia.
# Czech Republic / Czechia
+#
+# From Paul Eggert (2018-04-15):
+# The source for Czech data is: Kdy začíná a končí letní čas. 2018-04-15.
+# https://kalendar.beda.cz/kdy-zacina-a-konci-letni-cas
+# We know of no English-language name for historical Czech winter time;
+# abbreviate it as "GMT", as it happened to be GMT.
+#
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
-Rule Czech 1945 only - Apr 8 2:00s 1:00 S
-Rule Czech 1945 only - Nov 18 2:00s 0 -
+Rule Czech 1945 only - Apr Mon>=1 2:00s 1:00 S
+Rule Czech 1945 only - Oct 1 2:00s 0 -
Rule Czech 1946 only - May 6 2:00s 1:00 S
Rule Czech 1946 1949 - Oct Sun>=1 2:00s 0 -
-Rule Czech 1947 only - Apr 20 2:00s 1:00 S
-Rule Czech 1948 only - Apr 18 2:00s 1:00 S
+Rule Czech 1947 1948 - Apr Sun>=15 2:00s 1:00 S
Rule Czech 1949 only - Apr 9 2:00s 1:00 S
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Europe/Prague 0:57:44 - LMT 1850
0:57:44 - PMT 1891 Oct # Prague Mean Time
- 1:00 C-Eur CE%sT 1944 Sep 17 2:00s
+ 1:00 C-Eur CE%sT 1945 May 9
+ 1:00 Czech CE%sT 1946 Dec 1 3:00
+# Vanguard section, for zic and other parsers that support negative DST.
+ 1:00 -1:00 GMT 1947 Feb 23 2:00
+# Rearguard section, for parsers that do not support negative DST.
+# 0:00 - GMT 1947 Feb 23 2:00
+# End of rearguard section.
1:00 Czech CE%sT 1979
1:00 EU CE%sT
# Use Europe/Prague also for Slovakia.
@@ -2016,7 +2028,7 @@
Rule Neth 1945 only - Apr 2 2:00s 1:00 S
Rule Neth 1945 only - Sep 16 2:00s 0 -
#
-# Amsterdam Mean Time was +00:19:32.13 exactly, but the .13 is omitted
+# Amsterdam Mean Time was +00:19:32.13, but the .13 is omitted
# below because the current format requires GMTOFF to be an integer.
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Europe/Amsterdam 0:19:32 - LMT 1835
--- contrib/tzdata/theory.html.orig
+++ contrib/tzdata/theory.html
@@ -32,7 +32,7 @@
It organizes <a href="tz-link.html">time zone and daylight saving time
data</a> by partitioning the world into <a
href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones">regions</a>
-whose clocks all agree about timestamps that occur after the of the <a
+whose clocks all agree about timestamps that occur after the <a
href="https://en.wikipedia.org/wiki/Unix_time">POSIX Epoch</a>
(1970-01-01 00:00:00 <a
href="https://en.wikipedia.org/wiki/Coordinated_Universal_Time"><abbr
@@ -53,7 +53,7 @@
applications requiring accurate handling of all past times everywhere,
as it would take far too much effort and guesswork to record all
details of pre-1970 civil timekeeping.
-Athough some information outside the scope of the database is
+Although some information outside the scope of the database is
collected in a file <code>backzone</code> that is distributed along
with the database proper, this file is less reliable and does not
necessarily follow database guidelines.
@@ -68,7 +68,7 @@
href="https://en.wikipedia.org/wiki/Unix">UNIX</a>-like systems.
As of this writing, the current edition of POSIX is: <a
href="http://pubs.opengroup.org/onlinepubs/9699919799/"> The Open
-Group Base Specifications Issue 7</a>, IEEE Std 1003.1-2008, 2016
+Group Base Specifications Issue 7</a>, IEEE Std 1003.1-2017, 2018
Edition.
Because the database's scope encompasses real-world changes to civil
timekeeping, its model for describing time is more complex than the
@@ -79,7 +79,7 @@
can change at times.
Whether and when a <code><abbr>tz</abbr></code> region changes its
clock, and even the region's notional base offset from UTC, are variable.
-It doesn't even really make sense to talk about a region's
+It does not always make sense to talk about a region's
"base offset", since it is not necessarily a single number.
</p>
@@ -92,8 +92,8 @@
corresponds to a set of time zone rules.
Inexperienced users are not expected to select these names unaided.
Distributors should provide documentation and/or a simple selection
-interface that explains the names; for one example, see the 'tzselect'
-program in the <code><abbr>tz</abbr></code> code.
+interface that explains the names; for one example, see the
+<code>tzselect</code> program in the <code><abbr>tz</abbr></code> code.
The <a href="http://cldr.unicode.org/">Unicode Common Locale Data
Repository</a> contains data that may be useful for other selection
interfaces.
@@ -137,6 +137,9 @@
North and South America share the same area, '<code>America</code>'.
Typical names are '<code>Africa/Cairo</code>',
'<code>America/New_York</code>', and '<code>Pacific/Honolulu</code>'.
+Some names are further qualified to help avoid confusion; for example,
+'<code>America/Indiana/Petersburg</code>' distinguishes Petersburg,
+Indiana from other Petersburgs in America.
</p>
<p>
@@ -159,7 +162,8 @@
<code>TZ</code> strings</a>.
A file name component must not exceed 14 characters or start with
'<code>-</code>'.
- E.g., prefer '<code>Brunei</code>' to '<code>Bandar_Seri_Begawan</code>'.
+ E.g., prefer <code>Asia/Brunei</code> to
+ <code>Asia/Bandar_Seri_Begawan</code>.
Exceptions: see the discussion of legacy names below.
</li>
<li>
@@ -177,8 +181,8 @@
name <var>AB</var> (ignoring case), then <var>B</var> must not
start with '<code>/</code>', as a regular file cannot have the
same name as a directory in POSIX.
- For example, '<code>America/New_York</code>' precludes
- '<code>America/New_York/Bronx</code>'.
+ For example, <code>America/New_York</code> precludes
+ <code>America/New_York/Bronx</code>.
</li>
<li>
Uninhabited regions like the North Pole and Bouvet Island
@@ -193,7 +197,7 @@
</li>
<li>
If all the clocks in a region have agreed since 1970,
- don't bother to include more than one location
+ do not bother to include more than one location
even if subregions' clocks disagreed before 1970.
Otherwise these tables would become annoyingly large.
</li>
@@ -200,8 +204,9 @@
<li>
If a name is ambiguous, use a less ambiguous alternative;
e.g., many cities are named San José and Georgetown, so
- prefer '<code>Costa_Rica</code>' to '<code>San_Jose</code>' and
- '<code>Guyana</code>' to '<code>Georgetown</code>'.
+ prefer <code>America/Costa_Rica</code> to
+ <code>America/San_Jose</code> and <code>America/Guyana</code>
+ to <code>America/Georgetown</code>.
</li>
<li>
Keep locations compact.
@@ -208,35 +213,40 @@
Use cities or small islands, not countries or regions, so that any
future changes do not split individual locations into different
<code><abbr>tz</abbr></code> regions.
- E.g., prefer '<code>Paris</code>' to '<code>France</code>', since
+ E.g., prefer <code>Europe/Paris</code> to <code>Europe/France</code>,
+ since
<a href="https://en.wikipedia.org/wiki/Time_in_France#History">France
has had multiple time zones</a>.
</li>
<li>
- Use mainstream English spelling, e.g., prefer '<code>Rome</code>'
- to '<code>Roma</code>', and prefer '<code>Athens</code>' to the
- Greek '<code>Αθήνα</code>' or the Romanized '<code>Athína</code>'.
+ Use mainstream English spelling, e.g., prefer
+ <code>Europe/Rome</code> to <code>Europe/Roma</code>, and
+ prefer <code>Europe/Athens</code> to the Greek
+ <code>Europe/Αθήνα</code> or the Romanized
+ <code>Europe/Athína</code>.
The POSIX file name restrictions encourage this guideline.
</li>
<li>
Use the most populous among locations in a region,
- e.g., prefer '<code>Shanghai</code>' to
- '<code>Beijing</code>'.
+ e.g., prefer <code>Asia/Shanghai</code> to
+ <code>Asia/Beijing</code>.
Among locations with similar populations, pick the best-known
- location, e.g., prefer '<code>Rome</code>' to
- '<code>Milan</code>'.
+ location, e.g., prefer <code>Europe/Rome</code> to
+ <code>Europe/Milan</code>.
</li>
<li>
- Use the singular form, e.g., prefer '<code>Canary</code>' to
- '<code>Canaries</code>'.
+ Use the singular form, e.g., prefer <code>Atlantic/Canary</code> to
+ <code>Atlantic/Canaries</code>.
</li>
<li>
Omit common suffixes like '<code>_Islands</code>' and
'<code>_City</code>', unless that would lead to ambiguity.
- E.g., prefer '<code>Cayman</code>' to
- '<code>Cayman_Islands</code>' and '<code>Guatemala</code>' to
- '<code>Guatemala_City</code>', but prefer
- '<code>Mexico_City</code>' to '<code>Mexico</code>'
+ E.g., prefer <code>America/Cayman</code> to
+ <code>America/Cayman_Islands</code> and
+ <code>America/Guatemala</code> to
+ <code>America/Guatemala_City</code>, but prefer
+ <code>America/Mexico_City</code> to
+ <code>America/Mexico</code>
because <a href="https://en.wikipedia.org/wiki/Time_in_Mexico">the
country of Mexico has several time zones</a>.
</li>
@@ -245,13 +255,14 @@
</li>
<li>
Omit '<code>.</code>' from abbreviations in names.
- E.g., prefer '<code>St_Helena</code>' to '<code>St._Helena</code>'.
+ E.g., prefer <code>Atlantic/St_Helena</code> to
+ <code>Atlantic/St._Helena</code>.
</li>
<li>
Do not change established names if they only marginally violate
the above guidelines.
- For example, don't change the existing name '<code>Rome</code>' to
- '<code>Milan</code>' merely because Milan's population has grown
+ For example, do not change the existing name <code>Europe/Rome</code> to
+ <code>Europe/Milan</code> merely because Milan's population has grown
to be somewhat greater than Rome's.
</li>
<li>
@@ -318,8 +329,10 @@
Use three to six characters that are ASCII alphanumerics or
'<code>+</code>' or '<code>-</code>'.
Previous editions of this database also used characters like
- '<code> </code>' and '<code>?</code>', but these characters have a
- special meaning to the shell and cause commands like
+ space and '<code>?</code>', but these characters have a
+ special meaning to the
+ <a href="https://en.wikipedia.org/wiki/Unix_shell">UNIX shell</a>
+ and cause commands like
'<code><a href="http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#set">set</a>
`<a href="http://pubs.opengroup.org/onlinepubs/9699919799/utilities/date.html">date</a>`</code>'
to have unexpected effects.
@@ -688,7 +701,7 @@
subsecond accuracy is needed.
</li>
<li>
- Civil time was not based on atomic time before 1972, and we don't
+ Civil time was not based on atomic time before 1972, and we do not
know the history of
<a href="https://en.wikipedia.org/wiki/Earth's_rotation">earth's
rotation</a> accurately enough to map <a
@@ -720,7 +733,7 @@
Ideally it would contain information about when data entries are
incomplete or dicey.
Partial temporal knowledge is a field of active research, though,
- and it's not clear how to apply it here.
+ and it is not clear how to apply it here.
</li>
</ul>
@@ -764,7 +777,7 @@
Unfortunately, the POSIX
<code>TZ</code> string takes a form that is hard to describe and
is error-prone in practice.
- Also, POSIX <code>TZ</code> strings can't deal with daylight
+ Also, POSIX <code>TZ</code> strings cannot deal with daylight
saving time rules not based on the Gregorian calendar (as in
Iran), or with situations where more than two time zone
abbreviations or <abbr>UT</abbr> offsets are used in an area.
@@ -874,7 +887,7 @@
need access to multiple time zone rulesets.
</li>
<li>
- In POSIX, there's no tamper-proof way for a process to learn the
+ In POSIX, there is no tamper-proof way for a process to learn the
system's best idea of local wall clock.
(This is important for applications that an administrator wants
used only at certain times &ndash; without regard to whether the
@@ -973,14 +986,16 @@
by subsequent calls to <code>localtime</code>.
Source code for portable applications that "must" run on local wall
clock time should call <code>tzsetwall</code>;
- if such code is moved to "old" systems that don't
- provide <code>tzsetwall</code>, you won't be able to generate an
+ if such code is moved to "old" systems that do not
+ provide <code>tzsetwall</code>, you will not be able to generate an
executable program.
(These functions also arrange for local wall clock time to
be used if <code>tzset</code> is called &ndash; directly or
- indirectly &ndash; and there's no <code>TZ</code> environment
+ indirectly &ndash; and there is no <code>TZ</code> environment
variable; portable applications should not, however, rely on this
- behavior since it's not the way SVR2 systems behave.)
+ behavior since it is not the way <a
+ href="https://en.wikipedia.org/wiki/UNIX_System_V#SVR2"><abbr>SVR2</abbr></a>
+ systems behave.)
</li>
<li>
Negative <code>time_t</code> values are supported, on systems
@@ -1040,7 +1055,7 @@
<li>
The <a href="https://en.wikipedia.org/wiki/Version_7_Unix">7th Edition
UNIX</a> <code>timezone</code> function is not present in this
- package; it's impossible to reliably map <code>timezone</code>'s
+ package; it is impossible to reliably map <code>timezone</code>'s
arguments (a "minutes west of <abbr>GMT</abbr>" value and a
"daylight saving time in effect" flag) to a time zone
abbreviation, and we refuse to guess.
@@ -1052,7 +1067,9 @@
zone abbreviation to use.
</li>
<li>
- The <abbr>4.2BSD</abbr> <code>gettimeofday</code> function is not
+ The <a
+ href="https://en.wikipedia.org/wiki/History_of_the_Berkeley_Software_Distribution#4.2BSD"><abbr>4.2BSD</abbr></a>
+ <code>gettimeofday</code> function is not
used in this package.
This formerly let users obtain the current <abbr>UTC</abbr> offset
and <abbr>DST</abbr> flag, but this functionality was removed in
@@ -1061,7 +1078,7 @@
<li>
In <abbr>SVR2</abbr>, time conversion fails for near-minimum or
near-maximum <code>time_t</code> values when doing conversions
- for places that don't use <abbr>UT</abbr>.
+ for places that do not use <abbr>UT</abbr>.
This package takes care to do these conversions correctly.
A comment in the source code tells how to get compatibly wrong
results.
@@ -1155,10 +1172,10 @@
Calendrical issues are a bit out of scope for a time zone database,
but they indicate the sort of problems that we would run into if we
extended the time zone database further into the past.
-An excellent resource in this area is Nachum Dershowitz and Edward M.
-Reingold, <cite><a
-href="https://www.cs.tau.ac.il/~nachum/calendar-book/third-edition/">Calendrical
-Calculations: Third Edition</a></cite>, Cambridge University Press (2008).
+An excellent resource in this area is Edward M. Reingold
+and Nachum Dershowitz, <cite><a
+href="https://www.cambridge.org/fr/academic/subjects/computer-science/computing-general-interest/calendrical-calculations-ultimate-edition-4th-edition">Calendrical
+Calculations: The Ultimate Edition</a></cite>, Cambridge University Press (2018).
Other information and sources are given in the file '<code>calendars</code>'
in the <code><abbr>tz</abbr></code> distribution.
They sometimes disagree.
@@ -1170,11 +1187,11 @@
<p>
Some people's work schedules
use <a href="https://en.wikipedia.org/wiki/Timekeeping on Mars">Mars time</a>.
-Jet Propulsion Laboratory (JPL) coordinators have kept Mars time on
-and off at least since 1997 for the
+Jet Propulsion Laboratory (JPL) coordinators kept Mars time on
+and off during the
<a href="https://en.wikipedia.org/wiki/Mars_Pathfinder#End_of_mission">Mars
Pathfinder</a> mission.
-Some of their family members have also adapted to Mars time.
+Some of their family members also adapted to Mars time.
Dozens of special Mars watches were built for JPL workers who kept
Mars time during the Mars Exploration Rovers mission (2004).
These timepieces look like normal Seikos and Citizens but use Mars
@@ -1262,7 +1279,7 @@
Jia-Rui Chong,
"<a href="http://articles.latimes.com/2004/jan/14/science/sci-marstime14">Workdays
Fit for a Martian</a>", <cite>Los Angeles Times</cite>
- (2004-01-14), pp A1, A20-A21.
+ (2004-01-14), pp A1, A20&ndash;A21.
</li>
<li>
Tom Chmielewski,
--- contrib/tzdata/version.orig
+++ contrib/tzdata/version
@@ -1 +1 @@
-2018d
+2018e
--- contrib/tzdata/ziguard.awk.orig
+++ contrib/tzdata/ziguard.awk
@@ -13,20 +13,31 @@
# rearguard format.
BEGIN {
- dst_type["vanguard.zi"] = 1
- dst_type["main.zi"] = 1
- dst_type["rearguard.zi"] = 1
+ dataform_type["vanguard"] = 1
+ dataform_type["main"] = 1
+ dataform_type["rearguard"] = 1
- # The command line should set OUTFILE to the name of the output file.
- if (!dst_type[outfile]) exit 1
- vanguard = outfile == "vanguard.zi"
+ # The command line should set DATAFORM.
+ if (!dataform_type[DATAFORM]) exit 1
+ vanguard = DATAFORM == "vanguard"
}
/^Zone/ { zone = $2 }
-outfile != "main.zi" {
+DATAFORM != "main" {
in_comment = /^#/
+ uncomment = comment_out = 0
+ # If the line should differ due to Czechoslovakia using negative SAVE values,
+ # uncomment the desired version and comment out the undesired one.
+ if (zone == "Europe/Prague" && /1947 Feb 23/) {
+ if (($(in_comment + 2) != "-") == vanguard) {
+ uncomment = in_comment
+ } else {
+ comment_out = !in_comment
+ }
+ }
+
# If this line should differ due to Ireland using negative SAVE values,
# uncomment the desired version and comment out the undesired one.
Rule_Eire = /^#?Rule[\t ]+Eire[\t ]/
@@ -37,11 +48,38 @@
if ((Rule_Eire \
|| (Zone_Dublin_post_1968 && $(in_comment + 3) == "IST/GMT")) \
== vanguard) {
- sub(/^#/, "")
- } else if (/^[^#]/) {
- sub(/^/, "#")
+ uncomment = in_comment
+ } else {
+ comment_out = !in_comment
}
}
+
+ # If this line should differ due to Namibia using Rule SAVE suffixes,
+ # uncomment the desired version and comment out the undesired one.
+ Rule_Namibia = /^#?Rule[\t ]+Namibia[\t ]/
+ Zone_using_Namibia_rule \
+ = (zone == "Africa/Windhoek" \
+ && ($(in_comment + 2) == "Namibia" \
+ || (1994 <= $(in_comment + 4) && $(in_comment + 4) <= 2017) \
+ || in_comment + 3 == NF))
+ if (Rule_Namibia || Zone_using_Namibia_rule) {
+ if ((Rule_Namibia \
+ ? ($(in_comment + 9) ~ /^-/ \
+ || ($(in_comment + 9) == 0 && $(in_comment + 10) == "CAT")) \
+ : $(in_comment + 1) == "2:00" && $(in_comment + 2) == "Namibia") \
+ == vanguard) {
+ uncomment = in_comment
+ } else {
+ comment_out = !in_comment
+ }
+ }
+
+ if (uncomment) {
+ sub(/^#/, "")
+ }
+ if (comment_out) {
+ sub(/^/, "#")
+ }
}
# If a Link line is followed by a Zone line for the same data, comment

18
share/security/patches/EN-18:06/tzdata-2018e.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrxvQlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIEgg//XFE1ecg9Ig1L76g4/e73j2ebLpT6bF1XIlyPnZJJZ2sMbH9jpyrdFb8D
mkbmrY2N/NIEx6m5Mx/Go6SQ41tQosdlEZVezu4C1j4SKlcCIctKsRhdi8sdYXFm
tuWjTjBeWQ9IvoPjMDYt7WmkrX5hR5vTiXFvFlB9w3Ao7TSIwuwLtlBFySEG1eKR
+rJs7AqeSLR5tdppJA1q3N2WOGmSBAZu0kz23xJu3EKTcxIhV1LQ9rbi0HhxY00d
yyvf/yWV7z0slPyuug5V5a+EaVm3FGflWes/Uv0ZBkNtCgy2KlcgeJjWpQoi3ziL
5rqshQBGEkYxa+DKJiJz2hP4B+MnIgYQtUSmenOLMH4T7RMpNtBNdFbVOOJojokQ
dnHWrrlSdjyNuLcyARqRgah2+T+p9pIyMKCcsE5AKI3d8q20flsUSThZa2cuBWZe
p4XrdBPo+9bPr6v4rduJkE3ZnudHmDLTjhG9aCQ2CYyoqu2CRFeCxbW40rhHg7T1
jre7xjDQ0rDnuOxzF7CfXFKChN6cJRtKox6wj9lcvg4v/fXh93Z85oJytzYXPQIg
0n64N0fGerdswVYGwqHxz8T1lURESc11mtZ1rhHWDv12S/Cbszfvh0tqoaewOTpP
Jzdmb+MVzKaCu0jNjmAm3K7QmZ8FtXTXCiq+hEhWlnGusNvFMrQ=
=t6qO
-----END PGP SIGNATURE-----

295
share/security/patches/SA-18:06/debugreg.10.4.patch Normal file
View file

@ -0,0 +1,295 @@
--- sys/amd64/amd64/exception.S.orig
+++ sys/amd64/amd64/exception.S
@@ -108,8 +108,6 @@
movq $0,TF_ADDR(%rsp) ; \
movq $0,TF_ERR(%rsp) ; \
jmp alltraps_noen
-IDTVEC(dbg)
- TRAP_NOEN(T_TRCTRAP)
IDTVEC(bpt)
TRAP_NOEN(T_BPTFLT)
#ifdef KDTRACE_HOOKS
@@ -436,6 +434,101 @@
sysret
/*
+ * DB# handler is very similar to NM#, because 'mov/pop %ss' delay
+ * generation of exception until the next instruction is executed,
+ * which might be a kernel entry. So we must execute the handler
+ * on IST stack and be ready for non-kernel GSBASE.
+ */
+IDTVEC(dbg)
+ subq $TF_RIP,%rsp
+ movl $(T_TRCTRAP),TF_TRAPNO(%rsp)
+ movq $0,TF_ADDR(%rsp)
+ movq $0,TF_ERR(%rsp)
+ movq %rdi,TF_RDI(%rsp)
+ movq %rsi,TF_RSI(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ movq %r8,TF_R8(%rsp)
+ movq %r9,TF_R9(%rsp)
+ movq %rax,TF_RAX(%rsp)
+ movq %rbx,TF_RBX(%rsp)
+ movq %rbp,TF_RBP(%rsp)
+ movq %r10,TF_R10(%rsp)
+ movq %r11,TF_R11(%rsp)
+ movq %r12,TF_R12(%rsp)
+ movq %r13,TF_R13(%rsp)
+ movq %r14,TF_R14(%rsp)
+ movq %r15,TF_R15(%rsp)
+ movw %fs,TF_FS(%rsp)
+ movw %gs,TF_GS(%rsp)
+ movw %es,TF_ES(%rsp)
+ movw %ds,TF_DS(%rsp)
+ movl $TF_HASSEGS,TF_FLAGS(%rsp)
+ cld
+ testb $SEL_RPL_MASK,TF_CS(%rsp)
+ jnz dbg_fromuserspace
+ /*
+ * We've interrupted the kernel. Preserve GS.base in %r12.
+ */
+ movl $MSR_GSBASE,%ecx
+ rdmsr
+ movq %rax,%r12
+ shlq $32,%rdx
+ orq %rdx,%r12
+ /* Retrieve and load the canonical value for GS.base. */
+ movq TF_SIZE(%rsp),%rdx
+ movl %edx,%eax
+ shrq $32,%rdx
+ wrmsr
+ FAKE_MCOUNT(TF_RIP(%rsp))
+ movq %rsp,%rdi
+ call trap
+ MEXITCOUNT
+ /*
+ * Put back the preserved MSR_GSBASE value.
+ */
+ movl $MSR_GSBASE,%ecx
+ movq %r12,%rdx
+ movl %edx,%eax
+ shrq $32,%rdx
+ wrmsr
+ movq TF_RDI(%rsp),%rdi
+ movq TF_RSI(%rsp),%rsi
+ movq TF_RDX(%rsp),%rdx
+ movq TF_RCX(%rsp),%rcx
+ movq TF_R8(%rsp),%r8
+ movq TF_R9(%rsp),%r9
+ movq TF_RAX(%rsp),%rax
+ movq TF_RBX(%rsp),%rbx
+ movq TF_RBP(%rsp),%rbp
+ movq TF_R10(%rsp),%r10
+ movq TF_R11(%rsp),%r11
+ movq TF_R12(%rsp),%r12
+ movq TF_R13(%rsp),%r13
+ movq TF_R14(%rsp),%r14
+ movq TF_R15(%rsp),%r15
+ addq $TF_RIP,%rsp
+ jmp doreti_iret
+dbg_fromuserspace:
+ /*
+ * Switch to kernel GSBASE and kernel page table, and copy frame
+ * from the IST stack to the normal kernel stack, since trap()
+ * re-enables interrupts, and since we might trap on DB# while
+ * in trap().
+ */
+ swapgs
+ movq PCPU(RSP0),%rax
+ movl $TF_SIZE,%ecx
+ subq %rcx,%rax
+ movq %rax,%rdi
+ movq %rsp,%rsi
+ rep;movsb
+ movq %rax,%rsp
+ movq PCPU(CURPCB),%rdi
+ orl $PCB_FULL_IRET,PCB_FLAGS(%rdi)
+ jmp calltrap
+
+/*
* NMI handling is special.
*
* First, NMIs do not respect the state of the processor's RFLAGS.IF
--- sys/amd64/amd64/machdep.c.orig
+++ sys/amd64/amd64/machdep.c
@@ -1023,6 +1023,7 @@
static char dblfault_stack[PAGE_SIZE] __aligned(16);
static char nmi0_stack[PAGE_SIZE] __aligned(16);
+static char dbg0_stack[PAGE_SIZE] __aligned(16);
CTASSERT(sizeof(struct nmi_pcpu) == 16);
struct amd64tss common_tss[MAXCPU];
@@ -1908,7 +1909,7 @@
for (x = 0; x < NIDT; x++)
setidt(x, &IDTVEC(rsvd), SDT_SYSIGT, SEL_KPL, 0);
setidt(IDT_DE, &IDTVEC(div), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_DB, &IDTVEC(dbg), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IDT_DB, &IDTVEC(dbg), SDT_SYSIGT, SEL_KPL, 4);
setidt(IDT_NMI, &IDTVEC(nmi), SDT_SYSIGT, SEL_KPL, 2);
setidt(IDT_BP, &IDTVEC(bpt), SDT_SYSIGT, SEL_UPL, 0);
setidt(IDT_OF, &IDTVEC(ofl), SDT_SYSIGT, SEL_KPL, 0);
@@ -1966,6 +1967,13 @@
np->np_pcpu = (register_t) pc;
common_tss[0].tss_ist2 = (long) np;
+ /*
+ * DB# stack, runs on ist4.
+ */
+ np = ((struct nmi_pcpu *) &dbg0_stack[sizeof(dbg0_stack)]) - 1;
+ np->np_pcpu = (register_t) pc;
+ common_tss[0].tss_ist4 = (long) np;
+
/* Set the IO permission bitmap (empty due to tss seg limit) */
common_tss[0].tss_iobase = sizeof(struct amd64tss) +
IOPAGES * PAGE_SIZE;
--- sys/amd64/amd64/mp_machdep.c.orig
+++ sys/amd64/amd64/mp_machdep.c
@@ -98,6 +98,7 @@
/* Temporary variables for init_secondary() */
char *doublefault_stack;
char *nmi_stack;
+char *dbg_stack;
void *dpcpu;
struct pcb stoppcbs[MAXCPU];
@@ -647,6 +648,10 @@
np = ((struct nmi_pcpu *) &nmi_stack[PAGE_SIZE]) - 1;
common_tss[cpu].tss_ist2 = (long) np;
+ /* The DB# stack runs on IST4. */
+ np = ((struct nmi_pcpu *) &dbg_stack[PAGE_SIZE]) - 1;
+ common_tss[cpu].tss_ist4 = (long) np;
+
/* Prepare private GDT */
gdt_segs[GPROC0_SEL].ssd_base = (long) &common_tss[cpu];
for (x = 0; x < NGDT; x++) {
@@ -682,6 +687,10 @@
/* Save the per-cpu pointer for use by the NMI handler. */
np->np_pcpu = (register_t) pc;
+ /* Save the per-cpu pointer for use by the DB# handler. */
+ np = ((struct nmi_pcpu *) &dbg_stack[PAGE_SIZE]) - 1;
+ np->np_pcpu = (register_t) pc;
+
wrmsr(MSR_FSBASE, 0); /* User value */
wrmsr(MSR_GSBASE, (u_int64_t)pc);
wrmsr(MSR_KGSBASE, (u_int64_t)pc); /* XXX User value while we're in the kernel */
@@ -970,6 +979,8 @@
PAGE_SIZE, M_WAITOK | M_ZERO);
nmi_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE,
M_WAITOK | M_ZERO);
+ dbg_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE,
+ M_WAITOK | M_ZERO);
dpcpu = (void *)kmem_malloc(kernel_arena, DPCPU_SIZE,
M_WAITOK | M_ZERO);
--- sys/amd64/amd64/trap.c.orig
+++ sys/amd64/amd64/trap.c
@@ -45,6 +45,7 @@
*/
#include "opt_clock.h"
+#include "opt_compat.h"
#include "opt_cpu.h"
#include "opt_hwpmc_hooks.h"
#include "opt_isa.h"
@@ -98,6 +99,9 @@
#include <sys/dtrace_bsd.h>
#endif
+extern inthand_t IDTVEC(bpt), IDTVEC(dbg), IDTVEC(fast_syscall),
+ IDTVEC(fast_syscall32), IDTVEC(int0x80_syscall);
+
extern void trap(struct trapframe *frame);
extern void syscall(struct trapframe *frame);
void dblfault_handler(struct trapframe *frame);
@@ -549,7 +553,40 @@
load_dr6(rdr6() & 0xfffffff0);
goto out;
}
+
/*
+ * Malicious user code can configure a debug
+ * register watchpoint to trap on data access
+ * to the top of stack and then execute 'pop
+ * %ss; int 3'. Due to exception deferral for
+ * 'pop %ss', the CPU will not interrupt 'int
+ * 3' to raise the DB# exception for the debug
+ * register but will postpone the DB# until
+ * execution of the first instruction of the
+ * BP# handler (in kernel mode). Normally the
+ * previous check would ignore DB# exceptions
+ * for watchpoints on user addresses raised in
+ * kernel mode. However, some CPU errata
+ * include cases where DB# exceptions do not
+ * properly set bits in %dr6, e.g. Haswell
+ * HSD23 and Skylake-X SKZ24.
+ *
+ * A deferred DB# can also be raised on the
+ * first instructions of system call entry
+ * points or single-step traps via similar use
+ * of 'pop %ss' or 'mov xxx, %ss'.
+ */
+ if (frame->tf_rip == (uintptr_t)IDTVEC(fast_syscall) ||
+#ifdef COMPAT_FREEBSD32
+ frame->tf_rip ==
+ (uintptr_t)IDTVEC(int0x80_syscall) ||
+#endif
+ frame->tf_rip == (uintptr_t)IDTVEC(bpt) ||
+ frame->tf_rip == (uintptr_t)IDTVEC(dbg) ||
+ /* Needed for AMD. */
+ frame->tf_rip == (uintptr_t)IDTVEC(fast_syscall32))
+ return;
+ /*
* FALLTHROUGH (TRCTRAP kernel mode, kernel address)
*/
case T_BPTFLT:
--- sys/i386/i386/trap.c.orig
+++ sys/i386/i386/trap.c
@@ -116,6 +116,8 @@
extern inthand_t IDTVEC(lcall_syscall);
+extern inthand_t IDTVEC(bpt), IDTVEC(dbg), IDTVEC(int0x80_syscall);
+
#define MAX_TRAP_MSG 32
static char *trap_msg[] = {
"", /* 0 unused */
@@ -683,7 +685,35 @@
load_dr6(rdr6() & 0xfffffff0);
goto out;
}
+
/*
+ * Malicious user code can configure a debug
+ * register watchpoint to trap on data access
+ * to the top of stack and then execute 'pop
+ * %ss; int 3'. Due to exception deferral for
+ * 'pop %ss', the CPU will not interrupt 'int
+ * 3' to raise the DB# exception for the debug
+ * register but will postpone the DB# until
+ * execution of the first instruction of the
+ * BP# handler (in kernel mode). Normally the
+ * previous check would ignore DB# exceptions
+ * for watchpoints on user addresses raised in
+ * kernel mode. However, some CPU errata
+ * include cases where DB# exceptions do not
+ * properly set bits in %dr6, e.g. Haswell
+ * HSD23 and Skylake-X SKZ24.
+ *
+ * A deferred DB# can also be raised on the
+ * first instructions of system call entry
+ * points or single-step traps via similar use
+ * of 'pop %ss' or 'mov xxx, %ss'.
+ */
+ if (frame->tf_eip ==
+ (uintptr_t)IDTVEC(int0x80_syscall) ||
+ frame->tf_eip == (uintptr_t)IDTVEC(bpt) ||
+ frame->tf_eip == (uintptr_t)IDTVEC(dbg))
+ return;
+ /*
* FALLTHROUGH (TRCTRAP kernel mode, kernel address)
*/
case T_BPTFLT:

18
share/security/patches/SA-18:06/debugreg.10.4.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrxw1dfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJZkw//eSdjhBGww2Q/GXezM9AkyNHgqYL3FuWpP2TPght7YbfoZYHrpzn3oPbC
JfqtNrh0rBVKxBag3+aZ7VZ2ktGqjiNEVUtQGfYSWBhtaRz7o6H1jkpYWKNqjYWA
/7cNi4+5FqSa1SmC+aPnM6jR+BI8k7lsW9CrCA3AgB/wfswzbd5X2SjUgeDWACnO
1bEC4hEBd4I57Gk0S++3iHhM1LKANVoLDZsCU7sF+6aWxQNxjnswLvG0UjIdAwsQ
T9g20sShkZBJrAD+IQEEqkxrW/0RVoO6RuS3bQXw8U4ZeIhOV0RzV7EsEtcGJIzg
HZTiSm6jfxvjtvA52yG4TgnCknGI5quKlWTCj4CI+YnXxCu7NruDg1bOowyel1Of
2FjX7c1oEDenVTDBMD9T/o2UpOc/L8xXZtoqLR4iHXSCS2yPo4ikJnJHNVXseEZg
6HlRH+0p0OJ4ciGwN0xt4W5n+0J/8p2xlPPOGhjfDLFg+NiXbFyIWNCZlz6PO8Kc
+sMQ1Oq14bIqXlrwAq5EaGJWxXILC2VC+qU9XnRNTskGhLVc3I/9qcaOE2QLjH9Z
ufa6cRHw3KOn2Yd+b06/OzlRhVUn5dCSIXWiTt4RnPF9IFWK6WESjPkC89p4OcxN
wFP5VGRbjyANbeD/IWksFlN+I6Ss0+eROhIBG6vgt+Lra1g62js=
=4kXk
-----END PGP SIGNATURE-----

351
share/security/patches/SA-18:06/debugreg.11.1.patch Normal file
View file

@ -0,0 +1,351 @@
--- sys/amd64/amd64/exception.S.orig
+++ sys/amd64/amd64/exception.S
@@ -116,7 +116,6 @@
jmp alltraps_noen
.endm
- TRAP_NOEN dbg, T_TRCTRAP
TRAP_NOEN bpt, T_BPTFLT
#ifdef KDTRACE_HOOKS
TRAP_NOEN dtrace_ret, T_DTRACE_RET
@@ -509,6 +508,121 @@
sysret
/*
+ * DB# handler is very similar to NM#, because 'mov/pop %ss' delay
+ * generation of exception until the next instruction is executed,
+ * which might be a kernel entry. So we must execute the handler
+ * on IST stack and be ready for non-kernel GSBASE.
+ */
+IDTVEC(dbg)
+ subq $TF_RIP,%rsp
+ movl $(T_TRCTRAP),TF_TRAPNO(%rsp)
+ movq $0,TF_ADDR(%rsp)
+ movq $0,TF_ERR(%rsp)
+ movq %rdi,TF_RDI(%rsp)
+ movq %rsi,TF_RSI(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ movq %r8,TF_R8(%rsp)
+ movq %r9,TF_R9(%rsp)
+ movq %rax,TF_RAX(%rsp)
+ movq %rbx,TF_RBX(%rsp)
+ movq %rbp,TF_RBP(%rsp)
+ movq %r10,TF_R10(%rsp)
+ movq %r11,TF_R11(%rsp)
+ movq %r12,TF_R12(%rsp)
+ movq %r13,TF_R13(%rsp)
+ movq %r14,TF_R14(%rsp)
+ movq %r15,TF_R15(%rsp)
+ SAVE_SEGS
+ movl $TF_HASSEGS,TF_FLAGS(%rsp)
+ cld
+ testb $SEL_RPL_MASK,TF_CS(%rsp)
+ jnz dbg_fromuserspace
+ /*
+ * We've interrupted the kernel. Preserve GS.base in %r12,
+ * %cr3 in %r13, and possibly lower half of MSR_IA32_SPEC_CTL in %r14d.
+ */
+ movl $MSR_GSBASE,%ecx
+ rdmsr
+ movq %rax,%r12
+ shlq $32,%rdx
+ orq %rdx,%r12
+ /* Retrieve and load the canonical value for GS.base. */
+ movq TF_SIZE(%rsp),%rdx
+ movl %edx,%eax
+ shrq $32,%rdx
+ wrmsr
+ movq %cr3,%r13
+ movq PCPU(KCR3),%rax
+ cmpq $~0,%rax
+ je 1f
+ movq %rax,%cr3
+1: testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
+ je 2f
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ rdmsr
+ movl %eax,%r14d
+ call handle_ibrs_entry
+2: FAKE_MCOUNT(TF_RIP(%rsp))
+ movq %rsp,%rdi
+ call trap
+ MEXITCOUNT
+ testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
+ je 3f
+ movl %r14d,%eax
+ xorl %edx,%edx
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ wrmsr
+ /*
+ * Put back the preserved MSR_GSBASE value.
+ */
+3: movl $MSR_GSBASE,%ecx
+ movq %r12,%rdx
+ movl %edx,%eax
+ shrq $32,%rdx
+ wrmsr
+ movq %r13,%cr3
+ RESTORE_REGS
+ addq $TF_RIP,%rsp
+ jmp doreti_iret
+dbg_fromuserspace:
+ /*
+ * Switch to kernel GSBASE and kernel page table, and copy frame
+ * from the IST stack to the normal kernel stack, since trap()
+ * re-enables interrupts, and since we might trap on DB# while
+ * in trap().
+ */
+ swapgs
+ movq PCPU(KCR3),%rax
+ cmpq $~0,%rax
+ je 1f
+ movq %rax,%cr3
+1: movq PCPU(RSP0),%rax
+ movl $TF_SIZE,%ecx
+ subq %rcx,%rax
+ movq %rax,%rdi
+ movq %rsp,%rsi
+ rep;movsb
+ movq %rax,%rsp
+ call handle_ibrs_entry
+ movq PCPU(CURPCB),%rdi
+ orl $PCB_FULL_IRET,PCB_FLAGS(%rdi)
+ testb $CPUID_STDEXT_FSGSBASE,cpu_stdext_feature(%rip)
+ jz 3f
+ cmpw $KUF32SEL,TF_FS(%rsp)
+ jne 2f
+ rdfsbase %rax
+ movq %rax,PCB_FSBASE(%rdi)
+2: cmpw $KUG32SEL,TF_GS(%rsp)
+ jne 3f
+ movl $MSR_KGSBASE,%ecx
+ rdmsr
+ shlq $32,%rdx
+ orq %rdx,%rax
+ movq %rax,PCB_GSBASE(%rdi)
+3: jmp calltrap
+
+/*
* NMI handling is special.
*
* First, NMIs do not respect the state of the processor's RFLAGS.IF
--- sys/amd64/amd64/machdep.c.orig
+++ sys/amd64/amd64/machdep.c
@@ -675,6 +675,7 @@
static char dblfault_stack[PAGE_SIZE] __aligned(16);
static char mce0_stack[PAGE_SIZE] __aligned(16);
static char nmi0_stack[PAGE_SIZE] __aligned(16);
+static char dbg0_stack[PAGE_SIZE] __aligned(16);
CTASSERT(sizeof(struct nmi_pcpu) == 16);
struct amd64tss common_tss[MAXCPU];
@@ -827,7 +828,7 @@
IDTVEC(tss), IDTVEC(missing), IDTVEC(stk), IDTVEC(prot),
IDTVEC(page), IDTVEC(mchk), IDTVEC(rsvd), IDTVEC(fpu), IDTVEC(align),
IDTVEC(xmm), IDTVEC(dblfault),
- IDTVEC(div_pti), IDTVEC(dbg_pti), IDTVEC(bpt_pti),
+ IDTVEC(div_pti), IDTVEC(bpt_pti),
IDTVEC(ofl_pti), IDTVEC(bnd_pti), IDTVEC(ill_pti), IDTVEC(dna_pti),
IDTVEC(fpusegm_pti), IDTVEC(tss_pti), IDTVEC(missing_pti),
IDTVEC(stk_pti), IDTVEC(prot_pti), IDTVEC(page_pti),
@@ -1637,8 +1638,7 @@
SEL_KPL, 0);
setidt(IDT_DE, pti ? &IDTVEC(div_pti) : &IDTVEC(div), SDT_SYSIGT,
SEL_KPL, 0);
- setidt(IDT_DB, pti ? &IDTVEC(dbg_pti) : &IDTVEC(dbg), SDT_SYSIGT,
- SEL_KPL, 0);
+ setidt(IDT_DB, &IDTVEC(dbg), SDT_SYSIGT, SEL_KPL, 4);
setidt(IDT_NMI, &IDTVEC(nmi), SDT_SYSIGT, SEL_KPL, 2);
setidt(IDT_BP, pti ? &IDTVEC(bpt_pti) : &IDTVEC(bpt), SDT_SYSIGT,
SEL_UPL, 0);
@@ -1720,6 +1720,13 @@
np = ((struct nmi_pcpu *) &mce0_stack[sizeof(mce0_stack)]) - 1;
np->np_pcpu = (register_t) pc;
common_tss[0].tss_ist3 = (long) np;
+
+ /*
+ * DB# stack, runs on ist4.
+ */
+ np = ((struct nmi_pcpu *) &dbg0_stack[sizeof(dbg0_stack)]) - 1;
+ np->np_pcpu = (register_t) pc;
+ common_tss[0].tss_ist4 = (long) np;
/* Set the IO permission bitmap (empty due to tss seg limit) */
common_tss[0].tss_iobase = sizeof(struct amd64tss) + IOPERM_BITMAP_SIZE;
--- sys/amd64/amd64/mp_machdep.c.orig
+++ sys/amd64/amd64/mp_machdep.c
@@ -87,6 +87,7 @@
char *doublefault_stack;
char *mce_stack;
char *nmi_stack;
+char *dbg_stack;
/*
* Local data and functions.
@@ -225,6 +226,10 @@
np = ((struct nmi_pcpu *) &mce_stack[PAGE_SIZE]) - 1;
common_tss[cpu].tss_ist3 = (long) np;
+ /* The DB# stack runs on IST4. */
+ np = ((struct nmi_pcpu *) &dbg_stack[PAGE_SIZE]) - 1;
+ common_tss[cpu].tss_ist4 = (long) np;
+
/* Prepare private GDT */
gdt_segs[GPROC0_SEL].ssd_base = (long) &common_tss[cpu];
for (x = 0; x < NGDT; x++) {
@@ -270,6 +275,10 @@
np = ((struct nmi_pcpu *) &mce_stack[PAGE_SIZE]) - 1;
np->np_pcpu = (register_t) pc;
+ /* Save the per-cpu pointer for use by the DB# handler. */
+ np = ((struct nmi_pcpu *) &dbg_stack[PAGE_SIZE]) - 1;
+ np->np_pcpu = (register_t) pc;
+
wrmsr(MSR_FSBASE, 0); /* User value */
wrmsr(MSR_GSBASE, (u_int64_t)pc);
wrmsr(MSR_KGSBASE, (u_int64_t)pc); /* XXX User value while we're in the kernel */
@@ -368,6 +377,8 @@
M_WAITOK | M_ZERO);
nmi_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE,
M_WAITOK | M_ZERO);
+ dbg_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE,
+ M_WAITOK | M_ZERO);
dpcpu = (void *)kmem_malloc(kernel_arena, DPCPU_SIZE,
M_WAITOK | M_ZERO);
--- sys/amd64/amd64/pmap.c.orig
+++ sys/amd64/amd64/pmap.c
@@ -7565,6 +7565,9 @@
/* MC# stack IST 3 */
va = common_tss[i].tss_ist3 + sizeof(struct nmi_pcpu);
pmap_pti_add_kva_locked(va - PAGE_SIZE, va, false);
+ /* DB# stack IST 4 */
+ va = common_tss[i].tss_ist4 + sizeof(struct nmi_pcpu);
+ pmap_pti_add_kva_locked(va - PAGE_SIZE, va, false);
}
pmap_pti_add_kva_locked((vm_offset_t)kernphys + KERNBASE,
(vm_offset_t)etext, true);
--- sys/amd64/amd64/trap.c.orig
+++ sys/amd64/amd64/trap.c
@@ -45,6 +45,7 @@
*/
#include "opt_clock.h"
+#include "opt_compat.h"
#include "opt_cpu.h"
#include "opt_hwpmc_hooks.h"
#include "opt_isa.h"
@@ -99,6 +100,11 @@
#include <sys/dtrace_bsd.h>
#endif
+extern inthand_t IDTVEC(bpt), IDTVEC(bpt_pti), IDTVEC(dbg),
+ IDTVEC(fast_syscall), IDTVEC(fast_syscall_pti), IDTVEC(fast_syscall32),
+ IDTVEC(int0x80_syscall_pti), IDTVEC(int0x80_syscall);
+
+
extern void __noinline trap(struct trapframe *frame);
extern void trap_check(struct trapframe *frame);
extern void syscall(struct trapframe *frame);
@@ -536,7 +542,53 @@
load_dr6(rdr6() & ~0xf);
goto out;
}
+
/*
+ * Malicious user code can configure a debug
+ * register watchpoint to trap on data access
+ * to the top of stack and then execute 'pop
+ * %ss; int 3'. Due to exception deferral for
+ * 'pop %ss', the CPU will not interrupt 'int
+ * 3' to raise the DB# exception for the debug
+ * register but will postpone the DB# until
+ * execution of the first instruction of the
+ * BP# handler (in kernel mode). Normally the
+ * previous check would ignore DB# exceptions
+ * for watchpoints on user addresses raised in
+ * kernel mode. However, some CPU errata
+ * include cases where DB# exceptions do not
+ * properly set bits in %dr6, e.g. Haswell
+ * HSD23 and Skylake-X SKZ24.
+ *
+ * A deferred DB# can also be raised on the
+ * first instructions of system call entry
+ * points or single-step traps via similar use
+ * of 'pop %ss' or 'mov xxx, %ss'.
+ */
+ if (pti) {
+ if (frame->tf_rip ==
+ (uintptr_t)IDTVEC(fast_syscall_pti) ||
+#ifdef COMPAT_FREEBSD32
+ frame->tf_rip ==
+ (uintptr_t)IDTVEC(int0x80_syscall_pti) ||
+#endif
+ frame->tf_rip == (uintptr_t)IDTVEC(bpt_pti))
+ return;
+ } else {
+ if (frame->tf_rip ==
+ (uintptr_t)IDTVEC(fast_syscall) ||
+#ifdef COMPAT_FREEBSD32
+ frame->tf_rip ==
+ (uintptr_t)IDTVEC(int0x80_syscall) ||
+#endif
+ frame->tf_rip == (uintptr_t)IDTVEC(bpt))
+ return;
+ }
+ if (frame->tf_rip == (uintptr_t)IDTVEC(dbg) ||
+ /* Needed for AMD. */
+ frame->tf_rip == (uintptr_t)IDTVEC(fast_syscall32))
+ return;
+ /*
* FALLTHROUGH (TRCTRAP kernel mode, kernel address)
*/
case T_BPTFLT:
--- sys/i386/i386/trap.c.orig
+++ sys/i386/i386/trap.c
@@ -116,6 +116,8 @@
extern inthand_t IDTVEC(lcall_syscall);
+extern inthand_t IDTVEC(bpt), IDTVEC(dbg), IDTVEC(int0x80_syscall);
+
#define MAX_TRAP_MSG 32
static char *trap_msg[] = {
"", /* 0 unused */
@@ -668,7 +670,35 @@
load_dr6(rdr6() & ~0xf);
goto out;
}
+
/*
+ * Malicious user code can configure a debug
+ * register watchpoint to trap on data access
+ * to the top of stack and then execute 'pop
+ * %ss; int 3'. Due to exception deferral for
+ * 'pop %ss', the CPU will not interrupt 'int
+ * 3' to raise the DB# exception for the debug
+ * register but will postpone the DB# until
+ * execution of the first instruction of the
+ * BP# handler (in kernel mode). Normally the
+ * previous check would ignore DB# exceptions
+ * for watchpoints on user addresses raised in
+ * kernel mode. However, some CPU errata
+ * include cases where DB# exceptions do not
+ * properly set bits in %dr6, e.g. Haswell
+ * HSD23 and Skylake-X SKZ24.
+ *
+ * A deferred DB# can also be raised on the
+ * first instructions of system call entry
+ * points or single-step traps via similar use
+ * of 'pop %ss' or 'mov xxx, %ss'.
+ */
+ if (frame->tf_eip ==
+ (uintptr_t)IDTVEC(int0x80_syscall) ||
+ frame->tf_eip == (uintptr_t)IDTVEC(bpt) ||
+ frame->tf_eip == (uintptr_t)IDTVEC(dbg))
+ return;
+ /*
* FALLTHROUGH (TRCTRAP kernel mode, kernel address)
*/
case T_BPTFLT:

18
share/security/patches/SA-18:06/debugreg.11.1.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrxw2RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJlSBAAkuyBE359un4LyuLYWmE+xqM0v766eFkagBW8MSu8zEgNNXAM4fvNdsYq
teZ1UWK45Nx3fslOu3FLBam3T4YcKcMO3pgFirg/hLsSsMCQT7vo4l7U5WECgKg1
Yp2gJOq+Dm8lkUqvSLYG4gvOCaPRTOY9aQFY8TW+WWjrl4L9O5orUcARGAuESBPc
NhdMxfRcWHbIjpzluu+aps2qTDUdf3swJGe50qHH78Iz6pW7VEYEDOI+O6UAw2BD
E+LAyo1HTW8pH0FvzZAFWxYy+bKXAQNdklF0bs40amFkZupYlGqa4cJljXz5ih9R
E2CKdiFeaoXYnfkPDQnIEt78LOYzS3dLNsoKub7VyR2Q2uaW89MobU5BIocJ/mXD
KcTwiUKVyQWtSpxEB3K/aTfCpse1lOiv7vmVKNhiZk8ZDvQx4UcCwLQLZUvOPFNT
axJCyT5wSB3rTF4IRfuF3YsBGC71ymK9hDnsn+qlhJADkdrfYlPnF74je7yT3W11
OdnK7vNflQU/fT7PUXJUIGEXAbsFYEbz2gCPgiRyb/weuTLfZbOrvrDn4cmFHSFx
oFHqJtwkct5jPBBy4G0ydbeBJW+RUr2sOGXsMqyUBcEzcAzrTy1eA6/KAfH1jxIM
2q/R8tLUyklAuC8Si5Vukg21WWLzOjk+2E260TtjtAkJY4xwIiA=
=zp4W
-----END PGP SIGNATURE-----

13
share/xml/advisories.xml
View file

@ -7,6 +7,19 @@
<year> <year>
<name>2018</name> <name>2018</name>
<month>
<name>5</name>
<day>
<name>8</name>
<advisory>
<name>FreeBSD-SA-18:06.debugreg</name>
</advisory>
</day>
</month>
<month> <month>
<name>4</name> <name>4</name>

17
share/xml/notices.xml
View file

@ -7,6 +7,23 @@
<year> <year>
<name>2018</name> <name>2018</name>
<month>
<name>5</name>
<day>
<name>8</name>
<notice>
<name>FreeBSD-EN-18:06.tzdata</name>
</notice>
<notice>
<name>FreeBSD-EN-18:05.mem</name>
</notice>
</day>
</month>
<month> <month>
<name>4</name> <name>4</name>