Document today updates:

FreeBSD-16:04.hyperv
FreeBSD-16:05.hv_netvsc
FreeBSD-SA-16:14.openssh
FreeBSD-SA-16:15.sysarch

share/security/patches/EN-16:04/hyperv.patch

@@ -0,0 +1,48 @@
+--- sys/dev/hyperv/utilities/hv_kvp.c.orig
++++ sys/dev/hyperv/utilities/hv_kvp.c
+@@ -44,6 +44,7 @@
+ #include <sys/reboot.h>
+ #include <sys/lock.h>
+ #include <sys/taskqueue.h>
++#include <sys/selinfo.h>
+ #include <sys/sysctl.h>
+ #include <sys/poll.h>
+ #include <sys/proc.h>
+@@ -114,6 +115,8 @@
+ static struct hv_kvp_msg *hv_kvp_dev_buf;
+ struct proc *daemon_task;
+ 
++static struct selinfo hv_kvp_selinfo;
++
+ /*
+  * Global state to track and synchronize multiple
+  * KVP transaction requests from the host.
+@@ -628,6 +631,9 @@
+ 
+ 	/* Send the msg to user via function deamon_read - setting sema */
+ 	sema_post(&kvp_globals.dev_sema);
++
++	/* We should wake up the daemon, in case it's doing poll() */
++	selwakeup(&hv_kvp_selinfo);
+ }
+ 
+ 
+@@ -940,7 +946,7 @@
+  * for daemon to read.
+  */
+ static int
+-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td  __unused)
++hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
+ {
+ 	int revents = 0;
+ 
+@@ -953,6 +959,9 @@
+ 	 */
+ 	if (kvp_globals.daemon_busy == true)
+ 		revents = POLLIN;
++	else
++		selrecord(td, &hv_kvp_selinfo);
++
+ 	mtx_unlock(&kvp_globals.pending_mutex);
+ 
+ 	return (revents);

share/security/patches/EN-16:04/hyperv.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJW6eTNAAoJEO1n7NZdz2rncSgQALit1G2h1OmIqsoK70jv9SuZ
+TUiuIeubcbcw2jvhaOiR2PFSr7nI/2K03mhoWZk7g8klG38WKIRd9FONfGim4gTi
+eqJTlu/uERLvPUsfrlYZ1XAIkG9xQVXR5BlCAZC3cbE+SL6arBnCMwdGb9WYojR7
+t9iS7Q1tUi3BmH73gPtDC34fIQVvO1SVeAqrtggPbeWu0aS4Orr4y/LtNKltN3Fu
+Szzj4fNn6Sr0FHNn3dH6v6QSvuodeCOqwEsEC4mn0b2YYbP3p5XTZJVOEZGuQjjV
+SBHbTFBPnkeTpcPRls41vMPvEK8xwm+0ISoZSUseudt0LMSB7KsydLZ7tZ2erT8R
+xEKpVIhFWhu9K0gydYyjaNncVIgkp4RMcIdOXmrr6CTDwpz2UYOmEoMm7y3Gfepn
+bp+Azu59DsgK0l5YqgPPdNksP2LFwUl+4y+7CoO99KzBaVt79cf8jRFz+Qa3ejX0
+Sb0CRdQL41F06EAaxbj+kRLhUCt8aqRGcBODwLdzEyoByA+MfsU4aI2+6sMZ6+CF
++bByt5Q2vbN8Ke4MukczOYx9xk3oZ5Dh9LobaDM1ymq5YhTfcNNSjHplrk4bmx4n
+fsKkEw4q2zxaEvglBeCdK7k4JsJyWgCmo7R0K9d/qo+MWu3dS4F6vC6zqCFG3V8P
+03wCEqy0B0RTcoZSgH7Q
+=rIbe
+-----END PGP SIGNATURE-----

share/security/patches/EN-16:05/hv_netvsc.patch

@@ -0,0 +1,28 @@
+--- sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
+@@ -128,6 +128,15 @@
+ #define HV_NV_SC_PTR_OFFSET_IN_BUF         0
+ #define HV_NV_PACKET_OFFSET_IN_BUF         16
+ 
++/*
++ * A unified flag for all outbound check sum flags is useful,
++ * and it helps avoiding unnecessary check sum calculation in
++ * network forwarding scenario.
++ */
++#define HV_CSUM_FOR_OUTBOUND						\
++    (CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO|		\
++    CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP|		\
++    CSUM_IP6_TSO|CSUM_IP6_ISCSI)
+ 
+ /*
+  * Data types
+@@ -570,7 +579,8 @@
+ 			    packet->vlan_tci & 0xfff;
+ 		}
+ 
+-		if (0 == m_head->m_pkthdr.csum_flags) {
++		/* Only check the flags for outbound and ignore the ones for inbound */
++		if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) {
+ 			goto pre_send;
+ 		}
+ 

share/security/patches/EN-16:05/hv_netvsc.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJW6eSgAAoJEO1n7NZdz2rnTWYQAOrx8JpIRuiqkHBHKMuzKTuN
+IRL/Jmas4XfNDim45g2mZdKFPqW6LwcquKreET6bD6ld+vO9XWD3WVkAoEClzn41
+uo9PJ0gtiKR3M6UupQWeT86lVFIAGmN51vpNb7+IL9saRgl5iqhlnP3ctOI/W1Mn
+NfRh4bg/9OQN9eYWRzN2Se5cHO45GTbEgrAdcpFYqItyREwdQV/O/DyGOBnaSWFR
+xIcmMxGwF6unuJ3Ah1nG0HVid3s2z4ih/KW68k5WXlasERe7NmR39UN4FgPLUC08
+nR/Jvi3vSd6qSiiHxZQGK9ZvWFKGAy9e6w1bhA8+zkciH3i+4b/3d5yr3F9og6Ol
+cxshafgPwC647laEPEW2n3ZEw2elDISD097MhJhu0Yp0Y5VI9LM2bPUTZhfknT6j
+Xm1fHthkNJ9OJbD3zsZXtMDY7q3MO6Fg6YnYO0N5V30pn4yHHEyHO6Yqx+lXKeEn
+Ig/IDYlo6g8USEBht8ZleOumjuGWrRZ1uHXobPClERbdkntI8xwnRhyiXYRp3P0X
+lrrJmlvrN7A4d3HEjOtUC/H1XRxjCIbZJGBDdDRShiEmBPNMqSCIQWqVDDApqZZJ
+N2MudpAPKPGGHCM2DL90PYp0FZJg3paEUYTtp7jEyjwaD605C36VzcVgYPHfWCa8
+zektJEKNcu4ciRJN2f0N
+=nPnm
+-----END PGP SIGNATURE-----

share/security/patches/SA-16:14/openssh-xauth.patch

@@ -0,0 +1,62 @@
+--- crypto/openssh/session.c.orig
++++ crypto/openssh/session.c
+@@ -46,6 +46,7 @@
+ 
+ #include <arpa/inet.h>
+ 
++#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -274,6 +275,21 @@
+ 	do_cleanup(authctxt);
+ }
+ 
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++	size_t i;
++
++	for (i = 0; s[i] != '\0'; i++) {
++		if (!isalnum((u_char)s[i]) &&
++		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++		    s[i] != '-' && s[i] != '_')
++		return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Prepares for an interactive session.  This is called after the user has
+  * been successfully authenticated.  During this message exchange, pseudo
+@@ -347,7 +363,13 @@
+ 				s->screen = 0;
+ 			}
+ 			packet_check_eom();
+-			success = session_setup_x11fwd(s);
++			if (xauth_valid_string(s->auth_proto) &&
++			    xauth_valid_string(s->auth_data))
++				success = session_setup_x11fwd(s);
++			else {
++				success = 0;
++				error("Invalid X11 forwarding data");
++			}
+ 			if (!success) {
+ 				free(s->auth_proto);
+ 				free(s->auth_data);
+@@ -2178,7 +2200,13 @@
+ 	s->screen = packet_get_int();
+ 	packet_check_eom();
+ 
+-	success = session_setup_x11fwd(s);
++	if (xauth_valid_string(s->auth_proto) &&
++	    xauth_valid_string(s->auth_data))
++		success = session_setup_x11fwd(s);
++	else {
++		success = 0;
++		error("Invalid X11 forwarding data");
++	}
+ 	if (!success) {
+ 		free(s->auth_proto);
+ 		free(s->auth_data);

share/security/patches/SA-16:14/openssh-xauth.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJW6eThAAoJEO1n7NZdz2rnZqoP/RS674pw04h0UWqQQOJSSioN
+eNWOepSLNydoyL+XBkeOFwJ2n8j17TGP+ClBNAl9AQJa6u6hNQfu2jqJyd6cUcDE
+fIDKuVXFraRixlh/mLKB105Wfx5nnfz3buwGiLc0vgLkoV1M6dUVWQAu34oEb72Q
+mqei/7ob5zw0IObC1PUkp2ar7BmkPjOdl264bpY+mlGe5+bRa142JbK8W+ZubMS7
+Bi5L73Z9dSRxM0toXw1trSU2OBx3+IOeF+JC1YM+zy/g88peldUuiYUUhYQrUsQ3
+Joahl/BvTPml5wpOWUEcdr+PMVTkCT+SYSKxWg8/sIfkESAU2J1AYHHVJbeF8ja1
+1dkCEOwGDrZ2zGmCyZeLLKyDvN8Do56DWz0vmgXxcTY4PKWyn4myWqGQBXVnmfcT
+Lm3leUSqFNtFptUovLOgQxMGXPSQFEuOURw/Ze1jytT+y2gLCfga9NxO0dtVEBoC
+yC9swFSOq24N4hTkLYw0W0d3Ms5waUx04KayI/Xkh/dNu5Zvg6nwqlf+Rw1jR2/Q
+EBMBqV8OxMpKBf0wZkEGu6ed72dOzUZ/G7uUi9UNzlRfmjPxFXp7NB0QLsMQQoCp
+PEfX3HaeGtapNrEOoezZ15ou1UNJu0GWQEHmnB6l2ian42M0UeiBWqkwRfVDWdeO
+X12SMxZqWG+rayyhEski
+=gZFi
+-----END PGP SIGNATURE-----

share/security/patches/SA-16:15/sysarch.patch

@@ -0,0 +1,13 @@
+--- sys/amd64/amd64/sys_machdep.c.orig
++++ sys/amd64/amd64/sys_machdep.c
+@@ -580,8 +580,8 @@
+ 	struct i386_ldt_args *uap;
+ 	struct user_segment_descriptor *descs;
+ {
+-	int error = 0, i;
+-	int largest_ld;
++	int error = 0;
++	unsigned int largest_ld, i;
+ 	struct mdproc *mdp = &td->td_proc->p_md;
+ 	struct proc_ldt *pldt;
+ 	struct user_segment_descriptor *dp;

share/security/patches/SA-16:15/sysarch.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJW6eUyAAoJEO1n7NZdz2rnaSIQAJTQUQ1TymgrFTpruBnZXlti
+EM1Q0DikCelD6mycM7qVMvl3n3QMgbs1tYlzHnt+Mt7UGqLBwKJH8vbAUf4Tb4mK
+kWSHXtGivmQQoinCNJ5W2gJG4k+47eYvNKAtty4VI65tvzWWTRBaXtR065okqmzy
+DPqu40pv6Liw9MwTvvw/+aoI7AY1AK/ao7lbBzDL7BYy0iHrsWWIqJiDU9UFxJ8H
+7EFZRMvavG13yKZsEjiRk+3UzF/xZ8bguvOvrz37GT51bT6EuwFxkYRqxc/YgD+0
+uxds5o2Ot77qOxCQDVIOvHkhFNQhwonJKGbVbZ3ZAEhFs2DKbu198RIaXviiizwk
+DJefFdXpDRN8qGkjAxo0ycggaqnreQt8YRSObpZdSzeTilyQddwbZ2JYCzswwpkJ
+MrPK0RjB3IJPEJJ6W7wqwVXoQaC7N8VYZ/K13GgEYktLQCxGWWvSIKqQ+X+wKbjN
+ibW6ep4ChZTo59jsPexkqXzZ4KSPZEfiLiRYwwAYgSYHwPBcuKVCAx6aPiyF9jN3
+BTTQ+QCI+7IOzggKjBGn05moc1WEiumWi/KJ8KkSGc5v8ilfFRGJ98YYVG+1BNja
+GO7STPpIeOcvuQKDG2brUeTI8Z67gQ4ly9D5NTg6b7iPFsz8S71fmJH3rH5kF16f
+1gEAuD/03MUEpkFcG2ZW
+=bUiv
+-----END PGP SIGNATURE-----