os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add EN-21:01 to EN-21:05, SA-21:01, and SA-21:02.

Browse source 
Approved by:	so
This commit is contained in:
Gordon Tetlow 2021-01-28 18:17:45 -08:00
parent a477da2013
commit 9030a72250
27 changed files with 3896 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
website/data/security/advisories.toml
View file

@ -1,6 +1,14 @@
# Sort advisories by year, month and day
# $FreeBSD$
[[advisories]]
name = "FreeBSD-SA-21:02.xenoom"
date = "2021-01-29"
[[advisories]]
name = "FreeBSD-SA-21:01.fsdisclosure"
date = "2021-01-29"
[[advisories]]
name = "FreeBSD-SA-20:33.openssl"
date = "2020-12-08"

20
website/data/security/errata.toml
View file

@ -1,6 +1,26 @@
# Sort errata notices by year, month and day
# $FreeBSD$
[[notices]]
name = "FreeBSD-EN-21:05.libatomic"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:04.zfs"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:03.vnet"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:02.extattr"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:01.tzdata"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-20:22.callout"
date = "2020-12-01"

148
website/static/security/advisories/FreeBSD-EN-21:01.tzdata.asc Normal file
View file

@ -0,0 +1,148 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:01.tzdata Errata Notice
The FreeBSD Project
Topic: Timezone database information update
Category: contrib
Module: zoneinfo
Announced: 2021-01-29
Affects: All supported versions of FreeBSD.
Corrected: 2021-01-25 21:56:55 UTC (stable/12, 12.2-STABLE)
2021-01-29 01:20:49 UTC (releng/12.2, 12.2-RELEASE-p3)
2021-01-29 01:05:59 UTC (releng/12.1, 12.1-RELEASE-p13)
2021-01-25 21:57:06 UTC (stable/11, 11.4-STABLE)
2021-01-29 00:19:59 UTC (releng/11.4, 11.4-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The tzsetup(8) program allows the user to specify the default local timezone.
Based on the selected timezone, tzsetup(8) copies one of the files from
/usr/share/zoneinfo to /etc/localtime. This file actually controls the
conversion.
II. Problem Description
Several changes in Daylight Savings Time happened after previous FreeBSD
releases were released that would affect many people who live in different
countries. Because of these changes, the data in the zoneinfo files need to
be updated, and if the local timezone on the running system is affected,
tzsetup(8) needs to be run so the /etc/localtime is updated.
III. Impact
An incorrect time will be displayed on a system configured to use one of the
affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
not updated, and all applications on the system that rely on the system time,
such as cron(8) and syslog(8), will be affected.
IV. Workaround
The system administrator can install an updated timezone database from the
misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
Applications that store and display times in Coordinated Universal Time (UTC)
are not affected.
V. Solution
Please note that some third party software, for instance PHP, Ruby, Java and
Perl, may be using different zoneinfo data source, in such cases this
software must be updated separately. For software packages that is installed
via binary packages, they can be upgraded by executing `pkg upgrade'.
Following the instructions in this Errata Notice will update all of the
zoneinfo files to be the same as what was released with FreeBSD release.
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. Restart all the affected
applications and daemons, or reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all the affected applications and daemons, or reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-21:01/tzdata-2021a.patch
# fetch https://security.FreeBSD.org/patches/EN-21:01/tzdata-2021a.patch.asc
# gpg --verify tzdata-2021a.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all the affected applications and daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12 r369143
releng/12.2 r369171
releng/12.1 r369162
stable/11/ r369144
releng/11.4/ r369153
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:01.tzdata.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbfZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKOpA//Urdpqngx7TTrUYuIFijatPi+MWNWEgW04TPXfa7Vmp5bPFC/fJGJ0o2u
lMUVwodrlfX5GUvPENwC/xVVxlzGCX4ljpFbocJIBWczA6LQ+P0u4ibdgSWuh9IS
4Aj/MFrd6b+Ui7JY6LF+g0n9M6Tcprui9ZVef7AmcEAOcKQEdIA/kNEfOSnlBy8t
HgSVQOmVRbsWYN9B7ZfrsztaiPzFwLfm4Wu62CyrN7H1uSGve9JLrz56W1t3t7u+
pKaemOZM6g1efHWVYHUIJh7A7KPSNaLHY3tuQ5Sw6KetST9PCrGwwWVyn+0Cirwp
kL/1tjBAB31hsBNJxpvw6NSAazsUfMmKwmtaO9+Gy11ay5neCD2CPUNLCIa7KbjC
XT1PcrNnkodID0xdnNGy77toZwbjN81ADurLc+O63FycVugENB81ZtSJWTW7teIL
sIfh4A6yf+0szPU9/TIOZx9Qhnp2+Az2C39bgqmeWiv4SwTJnxvYZ6gqGaimdHtX
kIozG96X7qyBD4y1Zm45QRrABmb+3AbF1PyCj3pq1re/GpqFlm8ADog3VWE6FaWn
f/TlgtQtbknMcnWtpqXlvajWFa6vvq/2o7M7TRGPInQr0SA4gk5K6U9OQtrdKRGe
QugdkOMBRuJt1+RO/XAgtcTDpV7CI8QncCONWOItPq4+n5J7PyU=
=irIL
-----END PGP SIGNATURE-----

129
website/static/security/advisories/FreeBSD-EN-21:02.extattr.asc Normal file
View file

@ -0,0 +1,129 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:02.extattr Errata Notice
The FreeBSD Project
Topic: UFS extattr corruption
Category: core
Module: UFS
Announced: 2021-01-29
Affects: FreeBSD 11.4
Corrected: 2021-01-18 18:54:32 UTC (stable/11, 11.4-STABLE)
2021-01-29 19:20:02 UTC (releng/11.4, 11.4-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Named extended attributes are meta-data associated with vnodes representing
files and directories. They exist as "name=value" pairs within a set of
namespaces. The UFS filesystem supports extended attributes.
II. Problem Description
Under certain conditions FreeBSD 11.x releases may produce a corrupt extattr
file, and later attempts to access these extended attributes may result in
system misbehavior. For example, lsextattr may spin at 100% CPU until the
system is shut down.
The issue that results in corrupt extattr data is not present in supported
FreeBSD 12.x versions.
III. Impact
The system may not function as required with extended attributes in use.
IV. Workaround
No workaround is available. Systems not using extended attributes are not
vulnerable.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/EN-12:02/extattr.patch
# fetch https://security.FreeBSD.org/patches/EN-12:02/extattr.patch.asc
# gpg --verify extattr.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r369045
releng/11.4/ r369154
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244089>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:02.extattr.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbiRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKxMBAAjpesCOTrkqvjjKZmez8ACSUdaa7IYMLbJpeXW+0IbFVU/IQdK5/aq6r1
j/LytAbQ0yDlzfEggCeIWKGkbvaNs0eUVCx/1AOjWdxWePvrlpJ2GQNsHGZeWzBc
QUv9LEao0MQF9UGjd0JV81nTE2DT4a2F3WVdfuX2QfkWntfWwpXf3Uf3Cvi6Cpfy
rbZTkFeBmFvfgJu13co4re1gur8eYvMyNqcp+FO9OttEr/Fg5D/okQfp+0uZ1uIl
80WNZLwgnJG07FBVgcjbbVr/JJJqzVQh3opUa4+6UZaaHoRszs4jE4Mc22C0G4Ma
8vtBp4Z/Ndznv04TvTNiAyS3aAe0ums4yotZJBJEuVr1rA1lC6YgRVT9+qfsPcWT
SuVM16NS4VGVpN5SruptLbrbTHQARDAAWDbtP1fB8ccvBIonf0hh5AOcKFBxHHY3
NoKHLV373zTauvxqy7RKRAtnB2oB0uMT4j0lwJmn7CM1h+lL1GcVy1PTDVQ4mk+N
2/I51AcbURjmWqxTTORI6p8CgLsiwPfdsup5T2g/JPu2nc9COWL/WKCytP2pXji3
+Lu+SJldxUCx8JiiCSFma7ZG/sjB+B1vOajzULqBWUgTH6YpX8gV78amDHmzRq20
2is7fa+63ImVHtCZAIeSs/PGU2v+MDQ6eBNqFTccbgVvINEmMNE=
=XIov
-----END PGP SIGNATURE-----

130
website/static/security/advisories/FreeBSD-EN-21:03.vnet.asc Normal file
View file

@ -0,0 +1,130 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:03.vnet Errata Notice
The FreeBSD Project
Topic: Panic when destroying VNET and epair simultaneously
Category: core
Module: kernel
Announced: 2021-01-29
Affects: FreeBSD 12.1 and later.
Corrected: 2020-12-15 15:33:28 UTC (stable/12, 12.2-STABLE)
2021-01-29 01:20:52 UTC (releng/12.2, 12.2-RELEASE-p3)
2021-01-29 01:06:03 UTC (releng/12.1, 12.1-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
VNET permits systems to be configured with multiple instances of the in-kernel
network stack.
The epair(4) interface provides a pair of virtual back-to-back connected
Ethernet interfaces.
II. Problem Description
Insufficient locking in the kernel meant that destroying an epair and a vnet
jail at the same time often resulted in panics.
III. Impact
Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic
the system.
IV. Workaround
The panic can be avoided by ensuring that epair interfaces are fully destroyed
before the vnet jails containing them are destroyed.
Systems not using vnet jails are not affected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-21:03/vnet.patch
# fetch https://security.FreeBSD.org/patches/EN-21:03/vnet.patch.asc
# gpg --verify vnet.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r368663
releng/12.2/ r369172
releng/12.1/ r369163
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238870>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:03.vnet.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKE3Q/+KQ96Grm2zOsWHVAl5Oz2TBdc7nGkIYSk59zFcmVMqduvKSjiJ3S1yLdX
NsPm3KyFYeU7L/QM9Owsk1DTSnRrlwhbcM3/x+662bcgP1RWe3XL6n9fQ2V5eESO
9wAKtwrkE5btGxp6WLNAZ1Ximb1rKtOi4hqLK1Rhqhl93ecw7gyp+Qs6ukj41cnT
8+9AwHjvzYokrUDP7lIsKMQ4C29Fw4o2/0RwCCEmLlGRWLOWGM910RjgaFat02Gi
nOLXXlI9mSApthMnlTun4cSn+rbzawyTXD8AIa/kwEd00yDej4IceBlqWXot8Sjw
aXqJuix5qs0aVJcrQ2g9bkytnSMeO79EpCLyy/PDMJ1NUcQG8oaN/EcxNjb/U9p2
sbjWSf4t1leTl76TWsGsNAWHkjUwMPYHDstG4jsRv+Y+m4sSWa6gYYitaOtK4paO
wDDqpWHFJXOCEIrL3+HJcwOWr4hxhmZFgKNXeZN6l5WCKY/Xqjxqt7zBSpixiz01
VEn3uNs1ePuEA80Ae+D8v4yzjjfuE5/MDfEsoaxtP6dalNtJlIaFhVgZYcsxpOfK
xKC8dzdnEyq970+ZW/2ESYBxGTcnVQMxASI73QYuaKbRkcVqgW6XjHJHh+0tNLkV
sPhgxy/eOkbsu9qcIOn+tTbNTo3CjW0/ZmdE0YX9XItgbGHFQvg=
=1ekp
-----END PGP SIGNATURE-----

130
website/static/security/advisories/FreeBSD-EN-21:04.zfs.asc Normal file
View file

@ -0,0 +1,130 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:04.zfs Errata Notice
The FreeBSD Project
Topic: zfs recv fails to propagate snapshot deletion
Category: core
Module: zfs
Announced: 2021-01-29
Affects: FreeBSD 12.2
Corrected: 2020-12-01 08:15:18 UTC (stable/12, 12.2-STABLE)
2021-01-29 01:20:55 UTC (releng/12.2, 12.2-RELEASE-p3)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The zfs send/receive commands are used to efficiently copy datasets from one
location to another. With the -i or -I flags, zfs send can incrementally
update an already-copied dataset. When using the -R flag with zfs send and the
- -F flag with zfs receive, zfs receive will delete any snapshots on the
destination that have already been deleted on the source.
II. Problem Description
A regression in FreeBSD 12.2 causes zfs receive to fail to delete snapshots
that have been deleted on the source side.
III. Impact
Backup and replication systems based on ZFS send/receive that manage snapshots
solely on the source side will fail to delete snapshots on the destination
side. This may lead to out-of-space conditions on the destination.
IV. Workaround
Errant snapshots can be manually removed from the destination with "zfs destroy".
Backup and replication systems that don't use the -R flag with zfs send will be
unaffected. For example, sysutils/zrepl is unaffected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-21:04/zfs.patch
# fetch https://security.FreeBSD.org/patches/EN-21:04/zfs.patch.asc
# gpg --verify zfs.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that link directly to libzfs.so. A restart is not required
for daemons that invoke the zfs executable.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r368233
releng/12.2/ r369173
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249438>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:04.zfs.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJhhw//ajaGQV4/Ln4SmgsyYS01De9bXSI26dBcZlfGDUDL4l/W4qF1KnsTuPXx
ubGoFDjAArT+AzAoTddQeKuty8VPR8UUCQfONgdWUvjlSZ3k1iLa6pTR/BHxSyZ3
rh7olc8wSt13JBOoafCjGkuzRNLtz7oqP0qrGB/aKSbU3IzCW8fHSFnIFVaRK/Nh
Zr9Lisp4mIBgBmAY3Oof50ONPrjoDEYff+G+52LSUSMIwGPVmEqFz1qrSzQ+SFO0
kylegth1sBeEgPQZAuyXX6liJpsL/AEdYQvosykmBw3DGQqt9glo+hl6CU7/g2dn
iA8O7tO0zgaHtWbAUQYdtHJKeqa5UbaDRKeDw3aXm6TwHmZN7BfQz6SWRK2QOhcc
btn5yP6QhbpTFmWRkWtSehn+eISolDF4iCG9St664xpNV7l0AzSXm8saVrR2/Eix
IPCK2nyhddyDyVCkkSaZw8rris5De8gAGsv0K+nvJqYhVMdbIyTnU62UzHrgPPXS
kAe0Z/FnPmcQ7GXN/dSIzd17WMqKwGgsHMbLFw/BMP+kaM++mMY7ZdyPyx1gapB+
qzvRhFoNKpNVGMaMK/y+BPB2Ak3OHj6lqPFptjd9HNlszVYuZ3Od25oQBO0dupQf
jsTSler1ShPYyOwG8QE0sXjpMYVZhFgsZXiZVUrACkfunuDnXtI=
=fhrM
-----END PGP SIGNATURE-----

125
website/static/security/advisories/FreeBSD-EN-21:05.libatomic.asc Normal file
View file

@ -0,0 +1,125 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:05.libatomic Errata Notice
The FreeBSD Project
Topic: Addition of atomic and bswap functions to libcompiler_rt
Category: core
Module: libcompiler_rt
Announced: 2021-01-29
Affects: FreeBSD 11.4
Corrected: 2020-09-12 16:33:05 UTC (stable/11, 11.4-STABLE)
2021-01-29 00:20:06 UTC (releng/11.4, 11.4-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
libcompiler_rt is a simple library that provides an implementation of low-level
target-specific functionality required by the Clang compiler.
II. Problem Description
The FreeBSD build system does not include all source files of libcompiler_rt.
In particular, it misses the atomic.c file, which implements atomic memory
routines for the i386 architecture.
III. Impact
When compiling software that makes use of atomic functions, as well as __bswap*
functions, the compiler emits calls to them expecting that these will be
available from libcompiler_rt. Due to this, the linker fails to resolve
mentioned functions and the build fails.
The problem occurs only when targeting the i386 platform.
IV. Workaround
The problem can be worked around by using GCC compiler to build the software.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-21:05/libatomic.patch
# fetch https://security.FreeBSD.org/patches/EN-21:05/libatomic.patch.asc
# gpg --verify libatomic.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r365661
releng/11.4/ r369155
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:05.libatomic.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKteBAAicm8nXlOWYeIu2qcgqKVEhWNwleLdfnAGPcs0ALuUEnSGZ2DIfsdl4J0
eTOeIJC9ELpHrSoaAtlrM7huEkdtMDRHrLWfSlW7Zev3B7ZQ+v+GsdYAw1h86Erf
uNt3iCvfhltDGVHVb0bGHQw2biIn9UD36CVOC9WqMhubLU/sjEy4FbjwRvVWUyRc
UtR+WUf6W8IZnd3iJOlF/YnxDcEWclMPFnEdKMgBByl0dSoVuwIQfwuWm6Wl4WjA
p1KUs+l/AUn5IJB7U7dLmB5tIGgvElzONwPb9S3M1BQaLDjS2+PLrE6/pxSpDNHS
y/Oo2652ZaGG1OWAGzemKinpllLelkywPjbQwEEkjelqPnPoVMWzjM4UwmF0S5gj
hnlB17BvH5qomMFnAiyVQO9cH85G4sKcKgVQSMU/gRzlrSMyqZ5ImLfltMOJi27H
U3SQ36LljP6cu55bDlswBmAe6Ria748d5z4efSs/DGfgeFSYlSYF7zTLZtbw8wcP
bXjeDVTMcAEGGjDFWjy2hU2zUhgQVBOSb1+IB3ziOHizUdOe9U5NaEZSoTA/S4rp
Hrf8P8LKN5BgWh6j+jXI18RpwGtRNbL4Ev0wP0iG7SXth8cRkjymzq4qcGsIBMh/
GjyNqC1CzzvQz4YDf6GqkOZWE3kAzUM+iyGyYpZIDdCx32Ir/e4=
=RTBx
-----END PGP SIGNATURE-----

150
website/static/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc Normal file
View file

@ -0,0 +1,150 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-21:01.fsdisclosure Security Advisory
The FreeBSD Project
Topic: Uninitialized kernel stack leaks in several file systems
Category: core
Module: fs
Announced: 2021-01-29
Credits: Syed Faraz Abrar
Affects: All supported versions of FreeBSD.
Corrected: 2021-01-06 14:58:41 UTC (stable/12, 12.2-STABLE)
2021-01-29 01:20:59 UTC (releng/12.2, 12.2-RELEASE-p3)
2021-01-29 01:06:09 UTC (releng/12.1, 12.1-RELEASE-p13)
2021-01-18 19:16:24 UTC (stable/11, 11.4-STABLE)
2021-01-29 00:20:09 UTC (releng/11.4, 11.4-RELEASE-p7)
CVE Name: CVE-2020-25578, CVE-2020-25579
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The FreeBSD kernel exports file system directory entries to userspace
using the generic "dirent" structure. Individual file systems implement
VOP_READDIR to convert from the file system's internal directory entry
layout to the generic form. dirent structures can be fetched from
userspace using the getdirentries(2) system call.
II. Problem Description
Several file systems were not properly initializing the d_off field of
the dirent structures returned by VOP_READDIR. In particular, tmpfs(5),
smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result,
eight uninitialized kernel stack bytes may be leaked to userspace by
these file systems. This problem is not present in FreeBSD 11.
Additionally, msdosfs(5) was failing to zero-fill a pair of padding
fields in the dirent structure, resulting in a leak of three
uninitialized bytes.
III. Impact
Kernel stack disclosures may leak sensitive information which could be
used to compromise the security of the system.
IV. Workaround
Systems that do not have any of the affected file systems mounted are
not affected. To trigger the leaks, an unprivileged user must have read
access to a directory belonging to one of the mounted file systems.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.12.patch.asc
# gpg --verify fsdisclosure.12.patch.asc
[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.11.patch.asc
# gpg --verify fsdisclosure.11.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r368969
releng/12.2/ r369175
releng/12.1/ r369165
stable/11/ r369047
releng/11.4/ r369156
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25578>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25579>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:01.fsdisclosure.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJr9xAAkZz7B1xlb66yVYXmyIo8eFf2ZyYPXxoH9hIxx1N7PxY6l9MeU9xzcYrf
tOYtsWyPxx+M+g0KZc2Q846zu3JySSBkGKT1Kx3aqMmfEqWMa6b2u/wM+rG/8NjR
qzsU9SfnzgcBg0tu4m55en+7muuiO3JopCbQDdTSl0EgOFkMI6cuMXc2lm9BAEKj
zpmKFbelSCIUjISpLASJzNKRfQV1UajpgyM/tWYSrlQwaejNkFOmBO1ylLBbigBo
bqH5xCsttGGUC91QmsEdcrF3pSNuHEtW5nT8sbAlm6ue8bjY9AGhEB1fkV877KDG
otN3sPe367uQA1AHWCq3qPseTgAV9pDW4Mctxi5VSz0P3tUzG+hqojtn+mDAvFob
DnFWFJnMZC6mueunp555LXlgFzA79Vberjo15240kEvaf4B+PiCqVLr9baK/2KyW
EEj3pn/ciGq/wBn5ZPoCDVk0hbcfVNxaXytHLDBZ7l/ti7ZC08SRyaPdhG8Tblbx
ha/6+/viGbBHktuTU5Vz48cHja9RnDq0EUiTmplinUDhyouVyG4i2Yrn3anMnhd5
atULlylJlEPGq1WNH0A7yiKqQa6Bu4OFMdJ69YIYskcn3FC2vjz0LpRb+soFOIAH
2/o0UAMup9buG8CbPVLoCRPyPrEw0liaUJEUlxTVPDc3AJGM0xM=
=gD1K
-----END PGP SIGNATURE-----

142
website/static/security/advisories/FreeBSD-SA-21:02.xenoom.asc Normal file
View file

@ -0,0 +1,142 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-21:02.xenoom Security Advisory
The FreeBSD Project
Topic: Xen guests can triger backend Out Of Memory
Category: contrib
Module: Xen
Announced: 2021-01-29
Credits: See Xen XSA-349 for details
Affects: All supported versions of FreeBSD.
Corrected: 2021-01-18 16:26:36 UTC (stable/12, 12.2-STABLE)
2021-01-29 01:21:04 UTC (releng/12.2, 12.2-RELEASE-p3)
2021-01-29 01:06:16 UTC (releng/12.1, 12.1-RELEASE-p13)
2021-01-21 09:14:50 UTC (stable/11, 11.4-STABLE)
2021-01-29 00:20:16 UTC (releng/11.4, 11.4-RELEASE-p7)
CVE Name: CVE-2020-29568
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host
domain).
II. Problem Description
Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch
events using a single thread. If the events are received faster than
the thread is able to handle, they will get queued.
As the queue is unbound, a guest may be able to trigger a OOM in
the backend.
III. Impact
A malicious guest can trigger an OOM in backends.
IV. Workaround
No workaround is available. FreeBSD systems not using Xen are not
affected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.12.patch.asc
# gpg --verify xenoom.12.patch.asc
[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.11.patch
# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.11.patch.asc
# gpg --verify xenoom.11.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r369038
releng/12.2/ r369177
releng/12.1/ r369167
stable/11/ r369072
releng/11.4/ r369158
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://xenbits.xen.org/xsa/advisory-349.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29568>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:02.xenoom.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJjmhAAloDel7j9rgyDK8Ozk5wPJQlUM/1Ddc4e5Q5vdzT29mNdWKfXjH5SEkGq
Jx7w4fUronf8vsXn+bNXwn1u5PWGVTVX/Y4ljQ4JVwJ+NdxhxTuhNsbg7j2AZmdO
PsfI+eFX1xq8wr3oDUl3GTHHcUI1Ol259tsOgJE7ISriazgbRk8/QVowMgS3jdHA
OYJS8ADFWSO6d4TC2B5pvgC6NAiZjhgTDtjxzTnaWoUb0157JyhRh3Z2FQTBxoxU
3OQcTj7x7KBtbsiAI/Iq8Qu7JXyxtscVQfbXsk4Jt1uOskgsr8n9F+UGiP+GRIKb
0IsgNUlsPavINlNJjAwQWHtB8VJqH7LpG9t3/EMizUXjZAuRLxEjAFiHV8ju1U++
O9Xf9nB9auVrBn1WMYgH23bZ5D15W1HosEywifBw64R7CLDliD/HpJ3QaDEe3lCn
pB0jgxuoE5RCbTppgUZM7tLUrtwgih+lOiZcLcA5xS9hQo8TWBLIJNBf5rRjJA6q
/3vh5lOv/w8AHyBgA5395QIkkgw9dxy2o+LbtuVhdD/NbLX4GnNVMkQDsTF79PMT
8rl0Zn6Ldo0ypHAwPAVHektl+izuMftNQuQXSbEjkw/Xr1VCjIjllJET3K2e9X6z
4nPmq6t/0kuHWYSSDQAKdq/8Dosn3HLw1uQdst4ka7wf1Eon7Ow=
=3L3L
-----END PGP SIGNATURE-----

1498
website/static/security/patches/EN-21:01/tzdata-2021a.patch Normal file
View file

File diff suppressed because it is too large Load diff

18
website/static/security/patches/EN-21:01/tzdata-2021a.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbgVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cL0kQ//RYNiBRCzjAawttj9Wz6ryKf1rTERp1FJ17NpLRzRHp/WnjTKZ4uyEqGn
pb4VWPbhVjiiCCyA0zvwGAOF5Yviv1UR79i5U+G0ErxVPdQKapqoQ240CY09eObG
rqKGLJIhdXIyEEPK9YrYYDUb0kAwOzpnvt3xgPH1sph0QT8fga0bffnr2sDthDu7
b5NOKMA51JkB1G2tlevHGUXrTnh+gZntXApSYVZ8/c8jKqnzAdcm9Co80hb8oVuC
yWwEM7s2v/HTF0NUPPIz3PfAETLWCzVHGb0ZjXdZO6rd1BV6Zm1TIZ4wRoNOzl5n
4PQGmEQckxojDcDIUImF9EDS+8SxxnP3cDUyN3vIqmTKUkVjAIStqqq5AfFZBs0+
CjvkX9v0LgaCNHfPPknUuldeORO4YLTc/6dj4Ern7gocHRE9/feBcHdV58XGQLB/
jI92wckBD0G738TCKQg74rX21A3564h/cbThmsGUP05C2D1vW+jT+v9DJy15LpG6
CIF9zU8IwLFKlzI28Oc8vLekgU/6E8z7V0+ObmpboRIVJTXetkRCN61SyIKSnJT+
nZgIgvd22jTFXJh6j18SmQS6cN2kEq22AtYLimNKEgrsGcT7uMrWyTJQ6vJiooqc
a5txbMB2R4uRNv810IpMl0li2J0kshNBsnmsv0UxNQcAVyORBm8=
=ynES
-----END PGP SIGNATURE-----

11
website/static/security/patches/EN-21:02/extattr.patch Normal file
View file

@ -0,0 +1,11 @@
--- sys/ufs/ffs/ffs_vnops.c.orig
+++ sys/ufs/ffs/ffs_vnops.c
@@ -1663,7 +1663,7 @@
*p++ = ap->a_attrnamespace;
*p++ = eapad2;
*p++ = strlen(ap->a_name);
- strcpy(p, ap->a_name);
+ memcpy(p, ap->a_name, strlen(ap->a_name));
p += strlen(ap->a_name);
bzero(p, eapad1);
p += eapad1;

18
website/static/security/patches/EN-21:02/extattr.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbilfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLRwQ//cPFjEPuSDNSMa6NcQnDKo7pZ+0jYON5t8CSMj9CqxKs3V/wa6F9rB78l
px6lkasBBFClmXH/lnVBrg8KTTD699Q8q7SHbydC7cG3XVB73QJnDjJrm6XgdcFt
RKF546+h50JQBXqlW5JRpCCzqMzqzdqa5eFGjJfPI16TjbAuz8ywOez1PHTuTmuS
lSJaT+UN78s5tD2D2WgQzzTG/o8umuJXisfCGFLsK7RI3p7c9N8QcrIGikrose9R
yu/NFpfs/5iIE40VtTb6J/4PcOBlzfdjDv4EgAyRKzhTkFxPDgh3cgfh/gtJg9CV
AZtf5K0qOufD79l1PA25znU3nf761VFQIyPv/sIT5nuhITm1WkPtV4mvHlN+bb9C
tVF4HkLx6raghE5XnIAg0cFndVlS+zwAmzety/75W0h0AUqofrn4jbdcmeFGogG+
BAtaPE39xWGJMT4R9zXMnF+mojX2GOqSKOyfshBrolsnkT9oEQQAVGb0N3ZxRT/2
tmvV2Q01d5NORvtBlD0yvJ/qkihiF0UrfG+I9GJ2+gMjibpU/iZik8y0msboBYIB
2zjf3DdNZY/n+hSN8cxN32maU0ZYl+he394rmMt0Lj1Ff7EuUz5RsKtzHoYPHoWm
mTnXK/PUrJTEdvYxUzMbOsfM41Pqq476XYl/7B6bU4ZnSNlTxNM=
=ntJx
-----END PGP SIGNATURE-----

291
website/static/security/patches/EN-21:03/vnet.patch Normal file
View file

@ -0,0 +1,291 @@
--- sys/net/if.c.orig
+++ sys/net/if.c
@@ -274,6 +274,8 @@
static void if_delgroups(struct ifnet *);
static void if_attach_internal(struct ifnet *, int, struct if_clone *);
static int if_detach_internal(struct ifnet *, int, struct if_clone **);
+static void if_link_ifnet(struct ifnet *);
+static bool if_unlink_ifnet(struct ifnet *, bool);
#ifdef VIMAGE
static void if_vmove(struct ifnet *, struct vnet *);
#endif
@@ -305,12 +307,8 @@
/*
* The global network interface list (V_ifnet) and related state (such as
- * if_index, if_indexlim, and ifindex_table) are protected by an sxlock and
- * an rwlock. Either may be acquired shared to stablize the list, but both
- * must be acquired writable to modify the list. This model allows us to
- * both stablize the interface list during interrupt thread processing, but
- * also to stablize it over long-running ioctls, without introducing priority
- * inversions and deadlocks.
+ * if_index, if_indexlim, and ifindex_table) are protected by an sxlock.
+ * This may be acquired to stabilise the list, or we may rely on NET_EPOCH.
*/
struct rwlock ifnet_rwlock;
RW_SYSINIT_FLAGS(ifnet_rw, &ifnet_rwlock, "ifnet_rw", RW_RECURSE);
@@ -317,6 +315,9 @@
struct sx ifnet_sxlock;
SX_SYSINIT_FLAGS(ifnet_sx, &ifnet_sxlock, "ifnet_sx", SX_RECURSE);
+struct sx ifnet_detach_sxlock;
+SX_SYSINIT(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx");
+
/*
* The allocation of network interfaces is a rather non-atomic affair; we
* need to select an index before we are ready to expose the interface for
@@ -476,17 +477,87 @@
}
VNET_SYSUNINIT(vnet_if_uninit, SI_SUB_INIT_IF, SI_ORDER_FIRST,
vnet_if_uninit, NULL);
+#endif
static void
+if_link_ifnet(struct ifnet *ifp)
+{
+
+ IFNET_WLOCK();
+ CK_STAILQ_INSERT_TAIL(&V_ifnet, ifp, if_link);
+#ifdef VIMAGE
+ curvnet->vnet_ifcnt++;
+#endif
+ IFNET_WUNLOCK();
+}
+
+static bool
+if_unlink_ifnet(struct ifnet *ifp, bool vmove)
+{
+ struct ifnet *iter;
+ int found = 0;
+
+ IFNET_WLOCK();
+ CK_STAILQ_FOREACH(iter, &V_ifnet, if_link)
+ if (iter == ifp) {
+ CK_STAILQ_REMOVE(&V_ifnet, ifp, ifnet, if_link);
+ if (!vmove)
+ ifp->if_flags |= IFF_DYING;
+ found = 1;
+ break;
+ }
+#ifdef VIMAGE
+ curvnet->vnet_ifcnt--;
+#endif
+ IFNET_WUNLOCK();
+
+ return (found);
+}
+
+#ifdef VIMAGE
+static void
vnet_if_return(const void *unused __unused)
{
struct ifnet *ifp, *nifp;
+ struct ifnet **pending;
+ int found, i;
+ i = 0;
+
+ /*
+ * We need to protect our access to the V_ifnet tailq. Ordinarily we'd
+ * enter NET_EPOCH, but that's not possible, because if_vmove() calls
+ * if_detach_internal(), which waits for NET_EPOCH callbacks to
+ * complete. We can't do that from within NET_EPOCH.
+ *
+ * However, we can also use the IFNET_xLOCK, which is the V_ifnet
+ * read/write lock. We cannot hold the lock as we call if_vmove()
+ * though, as that presents LOR w.r.t ifnet_sx, in_multi_sx and iflib
+ * ctx lock.
+ */
+ IFNET_WLOCK();
+
+ pending = malloc(sizeof(struct ifnet *) * curvnet->vnet_ifcnt,
+ M_IFNET, M_WAITOK | M_ZERO);
+
/* Return all inherited interfaces to their parent vnets. */
CK_STAILQ_FOREACH_SAFE(ifp, &V_ifnet, if_link, nifp) {
- if (ifp->if_home_vnet != ifp->if_vnet)
- if_vmove(ifp, ifp->if_home_vnet);
+ if (ifp->if_home_vnet != ifp->if_vnet) {
+ found = if_unlink_ifnet(ifp, true);
+ MPASS(found);
+
+ pending[i++] = ifp;
+ }
}
+ IFNET_WUNLOCK();
+
+ for (int j = 0; j < i; j++) {
+ sx_xlock(&ifnet_detach_sxlock);
+ if_vmove(pending[j], pending[j]->if_home_vnet);
+ sx_xunlock(&ifnet_detach_sxlock);
+ }
+
+ free(pending, M_IFNET);
}
VNET_SYSUNINIT(vnet_if_return, SI_SUB_VNET_DONE, SI_ORDER_ANY,
vnet_if_return, NULL);
@@ -894,12 +965,7 @@
}
#endif
- IFNET_WLOCK();
- CK_STAILQ_INSERT_TAIL(&V_ifnet, ifp, if_link);
-#ifdef VIMAGE
- curvnet->vnet_ifcnt++;
-#endif
- IFNET_WUNLOCK();
+ if_link_ifnet(ifp);
if (domain_init_status >= 2)
if_attachdomain1(ifp);
@@ -1037,9 +1103,15 @@
void
if_detach(struct ifnet *ifp)
{
+ bool found;
CURVNET_SET_QUIET(ifp->if_vnet);
- if_detach_internal(ifp, 0, NULL);
+ found = if_unlink_ifnet(ifp, false);
+ if (found) {
+ sx_slock(&ifnet_detach_sxlock);
+ if_detach_internal(ifp, 0, NULL);
+ sx_sunlock(&ifnet_detach_sxlock);
+ }
CURVNET_RESTORE();
}
@@ -1059,8 +1131,6 @@
struct ifaddr *ifa;
int i;
struct domain *dp;
- struct ifnet *iter;
- int found = 0;
#ifdef VIMAGE
int shutdown;
@@ -1067,39 +1137,11 @@
shutdown = (ifp->if_vnet->vnet_state > SI_SUB_VNET &&
ifp->if_vnet->vnet_state < SI_SUB_VNET_DONE) ? 1 : 0;
#endif
- IFNET_WLOCK();
- CK_STAILQ_FOREACH(iter, &V_ifnet, if_link)
- if (iter == ifp) {
- CK_STAILQ_REMOVE(&V_ifnet, ifp, ifnet, if_link);
- if (!vmove)
- ifp->if_flags |= IFF_DYING;
- found = 1;
- break;
- }
- IFNET_WUNLOCK();
- if (!found) {
- /*
- * While we would want to panic here, we cannot
- * guarantee that the interface is indeed still on
- * the list given we don't hold locks all the way.
- */
- return (ENOENT);
-#if 0
- if (vmove)
- panic("%s: ifp=%p not on the ifnet tailq %p",
- __func__, ifp, &V_ifnet);
- else
- return; /* XXX this should panic as well? */
-#endif
- }
/*
* At this point we know the interface still was on the ifnet list
* and we removed it so we are in a stable state.
*/
-#ifdef VIMAGE
- curvnet->vnet_ifcnt--;
-#endif
epoch_wait_preempt(net_epoch_preempt);
/*
@@ -1326,6 +1368,7 @@
struct prison *pr;
struct ifnet *difp;
int shutdown;
+ bool found;
/* Try to find the prison within our visibility. */
sx_slock(&allprison_lock);
@@ -1362,6 +1405,9 @@
}
CURVNET_RESTORE();
+ found = if_unlink_ifnet(ifp, true);
+ MPASS(found);
+
/* Move the interface into the child jail/vnet. */
if_vmove(ifp, pr->pr_vnet);
@@ -1378,7 +1424,8 @@
struct prison *pr;
struct vnet *vnet_dst;
struct ifnet *ifp;
- int shutdown;
+ int shutdown;
+ bool found;
/* Try to find the prison within our visibility. */
sx_slock(&allprison_lock);
@@ -1416,6 +1463,8 @@
}
/* Get interface back from child jail/vnet. */
+ found = if_unlink_ifnet(ifp, true);
+ MPASS(found);
if_vmove(ifp, vnet_dst);
CURVNET_RESTORE();
@@ -3100,8 +3149,12 @@
goto out_noref;
case SIOCIFDESTROY:
error = priv_check(td, PRIV_NET_IFDESTROY);
- if (error == 0)
+
+ if (error == 0) {
+ sx_slock(&ifnet_detach_sxlock);
error = if_clone_destroy(ifr->ifr_name);
+ sx_sunlock(&ifnet_detach_sxlock);
+ }
goto out_noref;
case SIOCIFGCLONERS:
--- sys/net/if_var.h.orig
+++ sys/net/if_var.h
@@ -569,27 +569,11 @@
extern struct rwlock ifnet_rwlock;
extern struct sx ifnet_sxlock;
-#define IFNET_WLOCK() do { \
- sx_xlock(&ifnet_sxlock); \
- rw_wlock(&ifnet_rwlock); \
-} while (0)
-
-#define IFNET_WUNLOCK() do { \
- rw_wunlock(&ifnet_rwlock); \
- sx_xunlock(&ifnet_sxlock); \
-} while (0)
-
-/*
- * To assert the ifnet lock, you must know not only whether it's for read or
- * write, but also whether it was acquired with sleep support or not.
- */
-#define IFNET_RLOCK_ASSERT() sx_assert(&ifnet_sxlock, SA_SLOCKED)
+#define IFNET_WLOCK() sx_xlock(&ifnet_sxlock)
+#define IFNET_WUNLOCK() sx_xunlock(&ifnet_sxlock)
+#define IFNET_RLOCK_ASSERT() sx_assert(&ifnet_sxlock, SA_SLOCKED)
#define IFNET_RLOCK_NOSLEEP_ASSERT() MPASS(in_epoch(net_epoch_preempt))
-#define IFNET_WLOCK_ASSERT() do { \
- sx_assert(&ifnet_sxlock, SA_XLOCKED); \
- rw_assert(&ifnet_rwlock, RA_WLOCKED); \
-} while (0)
-
+#define IFNET_WLOCK_ASSERT() sx_assert(&ifnet_sxlock, SA_XLOCKED)
#define IFNET_RLOCK() sx_slock(&ifnet_sxlock)
#define IFNET_RLOCK_NOSLEEP() struct epoch_tracker ifnet_rlock_et; epoch_enter_preempt(net_epoch_preempt, &ifnet_rlock_et)
#define IFNET_RUNLOCK() sx_sunlock(&ifnet_sxlock)

18
website/static/security/patches/EN-21:03/vnet.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLRyQ//du+e1JRQvV+xth02xPmDbklqvfsH9ge20DeExN/grbrqv1nLkGBP0I1j
CnxMMDPsm33fATsxa6HndAcQXDO4bRf0E7qjE+bgC1gJevCrCptXI7LaOgTWrlpP
0iszfjqF0DIJhXL7MiFVDYkt5EBvPkvJMBo1q3A7HKG8YKzZHI6EUa6g+yspHip0
p4TKVexl7L4ERb0h8hDUIycAPSmK4lNn9SOlErD9mTUUYRp/xvkVdAV53xnuo2aD
zt/sqO7lPRP1oiOCp/8D2ZiMbtg6dzOKyw0xhfnsW8a/h0k7nthWKWL+KpyOQVpj
QZ/lYnzzqxu93/2cZSuGFpIUw3WKl67IlYNW0qtGsvXeFjpx85AqFyYueg00Wvew
jUQk0lONd6k2XkyMS/mYgYXOuadA5uzJwgffRuKNP7aVxXIXM+4PJFleJ86c0q2b
qRLUWeWC4l+1oYY+0YHEAzv0VWc+VQilcERgUXezwF40vbUIvc+AhAzUDIO919Yg
PBz8vAGiDPSfeveihTtuD9FTugw4oaM6mgxFBSnkrHK6EyNuwMk5kvHjx25rjuzX
eqVEE1gUaigGzXoy1FsFpUeaAr4/vZcwwVu9sZ2Oysyknm7c6j6q/kR1JzH8Y8am
H0NX4nlccagnfTy5aGPQWPrV8QHAmOYuzw6LltUZxcIMDdLSGH4=
=edmV
-----END PGP SIGNATURE-----

150
website/static/security/patches/EN-21:04/zfs.patch Normal file
View file

@ -0,0 +1,150 @@
--- cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c.orig
+++ cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c
@@ -613,8 +613,8 @@
const char *fromsnap;
const char *tosnap;
boolean_t recursive;
- boolean_t verbose;
boolean_t replicate;
+ boolean_t verbose;
/*
* The header nvlist is of the following format:
@@ -848,36 +848,36 @@
rv = -1;
goto out;
}
- VERIFY(0 == nvlist_add_uint64(nvfs, "origin",
- origin->zfs_dmustats.dds_guid));
+ fnvlist_add_uint64(nvfs, "origin",
+ origin->zfs_dmustats.dds_guid);
}
/* iterate over props */
- VERIFY(0 == nvlist_alloc(&nv, NV_UNIQUE_NAME, 0));
+ nv = fnvlist_alloc();
send_iterate_prop(zhp, nv);
- VERIFY(0 == nvlist_add_nvlist(nvfs, "props", nv));
- nvlist_free(nv);
+ fnvlist_add_nvlist(nvfs, "props", nv);
+ fnvlist_free(nv);
/* iterate over snaps, and set sd->parent_fromsnap_guid */
+ sd->parent_fromsnap_guid = 0;
+ sd->parent_snaps = fnvlist_alloc();
+ sd->snapprops = fnvlist_alloc();
if (!sd->replicate && fromsnap_txg != 0)
min_txg = fromsnap_txg;
if (!sd->replicate && tosnap_txg != 0)
max_txg = tosnap_txg;
- sd->parent_fromsnap_guid = 0;
- VERIFY(0 == nvlist_alloc(&sd->parent_snaps, NV_UNIQUE_NAME, 0));
- VERIFY(0 == nvlist_alloc(&sd->snapprops, NV_UNIQUE_NAME, 0));
(void) zfs_iter_snapshots_sorted(zhp, send_iterate_snap, sd,
min_txg, max_txg);
- VERIFY(0 == nvlist_add_nvlist(nvfs, "snaps", sd->parent_snaps));
- VERIFY(0 == nvlist_add_nvlist(nvfs, "snapprops", sd->snapprops));
+ fnvlist_add_nvlist(nvfs, "snaps", sd->parent_snaps);
+ fnvlist_add_nvlist(nvfs, "snapprops", sd->snapprops);
fnvlist_free(sd->parent_snaps);
fnvlist_free(sd->snapprops);
/* add this fs to nvlist */
(void) snprintf(guidstring, sizeof (guidstring),
"0x%llx", (longlong_t)guid);
- VERIFY(0 == nvlist_add_nvlist(sd->fss, guidstring, nvfs));
- nvlist_free(nvfs);
+ fnvlist_add_nvlist(sd->fss, guidstring, nvfs);
+ fnvlist_free(nvfs);
/* iterate over children */
if (sd->recursive)
@@ -894,13 +894,12 @@
static int
gather_nvlist(libzfs_handle_t *hdl, const char *fsname, const char *fromsnap,
- const char *tosnap, boolean_t recursive, boolean_t verbose,
- boolean_t replicate, nvlist_t **nvlp, avl_tree_t **avlp)
+ const char *tosnap, boolean_t recursive, boolean_t replicate,
+ boolean_t verbose, nvlist_t **nvlp, avl_tree_t **avlp)
{
zfs_handle_t *zhp;
- int error;
- uint64_t min_txg = 0, max_txg = 0;
send_data_t sd = { 0 };
+ int error;
zhp = zfs_open(hdl, fsname, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
if (zhp == NULL)
@@ -911,8 +910,8 @@
sd.fromsnap = fromsnap;
sd.tosnap = tosnap;
sd.recursive = recursive;
- sd.verbose = verbose;
sd.replicate = replicate;
+ sd.verbose = verbose;
if ((error = send_iterate_fs(zhp, &sd)) != 0) {
nvlist_free(sd.fss);
@@ -1349,10 +1348,10 @@
dump_filesystem(zfs_handle_t *zhp, void *arg)
{
int rv = 0;
- uint64_t min_txg = 0, max_txg = 0;
send_dump_data_t *sdd = arg;
boolean_t missingfrom = B_FALSE;
zfs_cmd_t zc = { 0 };
+ uint64_t min_txg = 0, max_txg = 0;
(void) snprintf(zc.zc_name, sizeof (zc.zc_name), "%s@%s",
zhp->zfs_name, sdd->tosnap);
@@ -1853,8 +1852,8 @@
}
err = gather_nvlist(zhp->zfs_hdl, zhp->zfs_name,
- fromsnap, tosnap, flags->replicate, flags->verbose,
- flags->replicate, &fss, &fsavl);
+ fromsnap, tosnap, flags->replicate,
+ flags->replicate, flags->verbose, &fss, &fsavl);
if (err)
goto err_out;
VERIFY(0 == nvlist_add_nvlist(hdrnv, "fss", fss));
@@ -2497,7 +2496,7 @@
VERIFY(0 == nvlist_alloc(&deleted, NV_UNIQUE_NAME, 0));
if ((error = gather_nvlist(hdl, tofs, fromsnap, NULL,
- recursive, B_FALSE, B_FALSE, &local_nv, &local_avl)) != 0)
+ recursive, recursive, B_FALSE, &local_nv, &local_avl)) != 0)
return (error);
/*
--- sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h.orig
+++ sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h
@@ -881,6 +881,13 @@
VDEV_INITIALIZE_COMPLETE
} vdev_initializing_state_t;
+/*
+ * nvlist name constants. Facilitate restricting snapshot iteration range for
+ * the "list next snapshot" ioctl
+ */
+#define SNAP_ITER_MIN_TXG "snap_iter_min_txg"
+#define SNAP_ITER_MAX_TXG "snap_iter_max_txg"
+
/*
* Vdev statistics. Note: all fields should be 64-bit because this
* is passed between kernel and userland as an nvlist uint64 array.
@@ -1157,13 +1164,6 @@
#define ZCP_DEFAULT_MEMLIMIT (10 * 1024 * 1024)
#define ZCP_MAX_MEMLIMIT (10 * ZCP_DEFAULT_MEMLIMIT)
-/*
- * nvlist name constants. Facilitate restricting snapshot iteration range for
- * the "list next snapshot" ioctl
- */
-#define SNAP_ITER_MIN_TXG "snap_iter_min_txg"
-#define SNAP_ITER_MAX_TXG "snap_iter_max_txg"
-
/*
* Sysevent payload members. ZFS will generate the following sysevents with the
* given payloads:

18
website/static/security/patches/EN-21:04/zfs.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJ9ow/9Hpft2BnP9cFpvRtXtc6J6Pw3s7iS36PHXJXiRTbif72pzUU0dhnGxXT1
AA8YX8BvyoHOFxUDqTRFcG+/B6HOpjGEq9aqNiBsGxmA8OXPdtjg1nhR23QH+NNt
tJ5YTVztO2tq/VHri41Ez0ttMMYDIpdPAGJIsnJwzFGMgsXKFcNGhG1IXhSzpJOo
ZE3R0117MWETR07LJjK7aY5sAvCPA0rtWqosh8DtGa1Qz8k3nNVq91qikAdG2/Ea
ymICIz/x1vp9J6SUlMt/2Y3t9V3pCyrL2VwyKbBzKZ+PrJUxM9HgA1w5sMn3ANe0
sT+Ijk3TbAkSkV01PgQsYIwX2mHAH38MKO5foq3oU3bLWCGkxu0jDlSvEgLCE5U+
4jcJpbH1k1uLOKaLXH3FcK3X0ahIWwOr7ckvcKmsem4f18VLcfQuZ7qHQq3oQT/B
ooIvF4Xvv/3kfMK2mdMGza6x5AhkJHp4+cDJhw7CVvTWuo+jb+dQYSlrOVOaaaSl
OQDEqSaja+xGh02asMrtdrCm5+DoMfQ+28jMkb2QyA6IHhUkEa8xa/JBka9o71rZ
45KIlM7aFxiCACi4LScUNGh94qPnNkG9Mgez1O91nhiFMVCaUSdEDNkz4HMRseli
hPD2/3rUJ9pRRFcXMbZHrtXK7gwJ+A8Fd++MgYvedwbjke+efe4=
=mdRJ
-----END PGP SIGNATURE-----

71
website/static/security/patches/EN-21:05/libatomic.patch Normal file
View file

@ -0,0 +1,71 @@
--- contrib/llvm-project/compiler-rt/lib/builtins/atomic.c.orig
+++ contrib/llvm-project/compiler-rt/lib/builtins/atomic.c
@@ -124,8 +124,8 @@
#define IS_LOCK_FREE_2 __c11_atomic_is_lock_free(2)
#define IS_LOCK_FREE_4 __c11_atomic_is_lock_free(4)
-/// 32 bit PowerPC doesn't support 8-byte lock_free atomics
-#if !defined(__powerpc64__) && defined(__powerpc__)
+/// 32 bit MIPS and PowerPC don't support 8-byte lock_free atomics
+#if defined(__mips__) || (!defined(__powerpc64__) && defined(__powerpc__))
#define IS_LOCK_FREE_8 0
#else
#define IS_LOCK_FREE_8 __c11_atomic_is_lock_free(8)
--- lib/libcompiler_rt/Makefile.inc.orig
+++ lib/libcompiler_rt/Makefile.inc
@@ -18,6 +18,8 @@
SRCF+= ashlti3
SRCF+= ashrdi3
SRCF+= ashrti3
+SRCF+= bswapdi2
+SRCF+= bswapsi2
SRCF+= clear_cache
SRCF+= clzdi2
SRCF+= clzsi2
@@ -117,6 +119,14 @@
SRCF+= umoddi3
SRCF+= umodti3
+# Enable compiler-rt's atomic implementation only for clang, as it uses clang
+# specific builtins, and gcc packages usually come with their own libatomic.
+# Exclude arm which has its own implementations of atomic functions, below.
+.if "${COMPILER_TYPE}" == "clang" && \
+ !(${MACHINE_CPUARCH} == "arm" || ${MACHINE_CPUARCH} == "armv6")
+SRCF+= atomic
+.endif
+
# Avoid using SSE2 instructions on i386, if unsupported.
.if ${MACHINE_CPUARCH} == "i386" && empty(MACHINE_CPU:Msse2)
SRCS+= floatdidf.c
@@ -215,12 +225,6 @@
SRCF+= stdatomic
.endif
-.if "${COMPILER_TYPE}" == "clang" && \
- (${MACHINE_ARCH} == "powerpc" || ${MACHINE_ARCH} == "powerpcspe")
-SRCS+= atomic.c
-CFLAGS.atomic.c+= -Wno-atomic-alignment
-.endif
-
.for file in ${SRCF}
.if ${MACHINE_ARCH:Marmv6*} && (!defined(CPUTYPE) || ${CPUTYPE:M*soft*} == "") \
&& exists(${CRTSRC}/${CRTARCH}/${file}vfp.S)
@@ -242,18 +246,9 @@
SRCS+= aeabi_memset.S
SRCS+= aeabi_uidivmod.S
SRCS+= aeabi_uldivmod.S
-SRCS+= bswapdi2.S
-SRCS+= bswapsi2.S
SRCS+= switch16.S
SRCS+= switch32.S
SRCS+= switch8.S
SRCS+= switchu8.S
SRCS+= sync_synchronize.S
.endif
-
-# GCC-6.3 on mips32 requires bswap32 built-in.
-.if ${MACHINE_CPUARCH} == "mips"
-SRCS+= bswapdi2.c
-SRCS+= bswapsi2.c
-.endif
-

18
website/static/security/patches/EN-21:05/libatomic.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cITKxAAipVfcvry45Ih14/dOrobd6s4NtFpck4x+CT9p/SMS5LLLFAJYpjazGtf
1WytYOv305wZo0toQQDZwTOwGdjPCdZyXzJFXfQGX2KpVA/pqEqY+SBxBEDbzU0X
4LKiijtGNDqikrb7Rs4m5DiOgcY0UFHvwisGvX4/1yHEx33cSPR6P90uLSwiIUlu
qxTa400oN79ICecRibtr1rjTRZbSoP/9p3Si2UFVLZPD/mXaYU626T70yIARaach
8oO8afQHVrvMfdDJrKIuas4DrbhORtZsst4mtmWRDuQlDAIcZuI43uLCjTjMVVjk
VsQlS/YprSGkzVyBz/hyKqPa8eYkmpmWekSW8mvyNudfjqCfHh6qFAZD9yqqufRr
am3nWKLqjIclLeF7/nBoyC9Vvhb+okCS3slkejm/4WDpgUoJWyd262Hj4jsviQ3f
8/MkhkAahSJJTXf9CVDM5iz4DpobCMc27mX/uctfeQrMzw6JMZ3IcSZ/k9mPqlR/
znhW4gSc1bCrN2t/UCaBeGvnL8eGa5ohhLIHGm3vekMvlpFmj3kPidmgjts1RoHA
gW0MWfYod54/WceTGC/RVwUQyQjjj4qlLrWZCmU2SAK5Atw54w+l/skj9HZlGJC3
0OBeQvqSOUszbn8H48+1l039t90rdCbYW5/suZfhoK6OeudbMmY=
=DgCX
-----END PGP SIGNATURE-----

10
website/static/security/patches/SA-21:01/fsdisclosure.11.patch Normal file
View file

@ -0,0 +1,10 @@
--- sys/fs/msdosfs/msdosfs_vnops.c.orig
+++ sys/fs/msdosfs/msdosfs_vnops.c
@@ -1701,6 +1701,7 @@
mbnambuf_flush(&nb, &dirbuf);
chksum = -1;
dirbuf.d_reclen = GENERIC_DIRSIZ(&dirbuf);
+ dirent_terminate(&dirbuf);
if (uio->uio_resid < dirbuf.d_reclen) {
brelse(bp);
goto out;

18
website/static/security/patches/SA-21:01/fsdisclosure.11.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJ8HA/+PgmcD+mXjlONm6S2iODbNlot81XtSJFZBVvGsuez3YnDt4NV4TVivf+A
SFs/3olGaMxtAT/ME8dVrgAF8+cHcjBMj5Vd+SYEgYAS3gQsOm4jfzWTh+z0Wwm7
SGDgW3h9wMb7WKevudvZ9kI5xV5uOD3IeCs8zag5eNoOp+BvgPbOgP9GdqgP1WmT
vEFtk8g1PAXoOkDm89rdYf05oUHyC6FvVF1vxCTEypmHt97meIkOn71f+CBMBLTS
qyFf/DHeXjuWg6XNZckbShRXgJufv8cf2GkK/dX37VzX5qXk4HKsOckQTwxXLjtc
xQGXyhw2lCWlkJUS6yzeeH4elzl3Z+EPE9t1zrEq5fmwGCV2cGuDQbdgWTfr4LnZ
5uTFJ6RtAT66hnbTu0LWhsBh7JWTYih6Vhq/RDS/HaIt0tgf20xaiVEwbtshAfsR
djHU2KgFCua+Y0NHKsFlgE7wM1i7lcPC4oJQxVvgtK1Zac49VVgMn1M9V9K4iFrq
D2j9mcW4Bi8bWPH2c3MdqSZZo5s1VfWWPH5CEDGyYRWC9TR8MLbeu5svnQrPgTcm
CoQysqeP9/50LADgSwIgnEdyJizydAhecck5t6BbkimanUAfGKw4lH3d9xWP24y/
F3MmYHkrAw88np2rlmaVFnydu4I1stzUiE5Nyrp00ATybc2vny0=
=tSMc
-----END PGP SIGNATURE-----

166
website/static/security/patches/SA-21:01/fsdisclosure.12.patch Normal file
View file

@ -0,0 +1,166 @@
--- sys/fs/autofs/autofs_vnops.c.orig
+++ sys/fs/autofs/autofs_vnops.c
@@ -369,6 +369,7 @@
return (EINVAL);
dirent.d_fileno = fileno;
+ dirent.d_off = uio->uio_offset + reclen;
dirent.d_reclen = reclen;
dirent.d_type = DT_DIR;
dirent.d_namlen = namlen;
--- sys/fs/msdosfs/msdosfs_vnops.c.orig
+++ sys/fs/msdosfs/msdosfs_vnops.c
@@ -1687,6 +1687,7 @@
dirbuf.d_reclen = GENERIC_DIRSIZ(&dirbuf);
/* NOTE: d_off is the offset of the *next* entry. */
dirbuf.d_off = offset + sizeof(struct direntry);
+ dirent_terminate(&dirbuf);
if (uio->uio_resid < dirbuf.d_reclen) {
brelse(bp);
goto out;
--- sys/fs/smbfs/smbfs_io.c.orig
+++ sys/fs/smbfs/smbfs_io.c
@@ -103,6 +103,7 @@
(np->n_parent ? np->n_parentino : 2);
if (de.d_fileno == 0)
de.d_fileno = 0x7ffffffd + offset;
+ de.d_off = offset + 1;
de.d_namlen = offset + 1;
de.d_name[0] = '.';
de.d_name[1] = '.';
@@ -153,6 +154,7 @@
bzero((caddr_t)&de, DE_SIZE);
de.d_reclen = DE_SIZE;
de.d_fileno = ctx->f_attr.fa_ino;
+ de.d_off = offset + 1;
de.d_type = (ctx->f_attr.fa_attr & SMB_FA_DIR) ? DT_DIR : DT_REG;
de.d_namlen = ctx->f_nmlen;
bcopy(ctx->f_name, de.d_name, de.d_namlen);
--- sys/fs/tmpfs/tmpfs_subr.c.orig
+++ sys/fs/tmpfs/tmpfs_subr.c
@@ -1188,6 +1188,7 @@
MPASS(uio->uio_offset == TMPFS_DIRCOOKIE_DOT);
dent.d_fileno = node->tn_id;
+ dent.d_off = TMPFS_DIRCOOKIE_DOTDOT;
dent.d_type = DT_DIR;
dent.d_namlen = 1;
dent.d_name[0] = '.';
@@ -1213,7 +1214,7 @@
*/
static int
tmpfs_dir_getdotdotdent(struct tmpfs_mount *tm, struct tmpfs_node *node,
- struct uio *uio)
+ struct uio *uio, off_t next)
{
struct tmpfs_node *parent;
struct dirent dent;
@@ -1234,6 +1235,7 @@
dent.d_fileno = parent->tn_id;
TMPFS_NODE_UNLOCK(parent);
+ dent.d_off = next;
dent.d_type = DT_DIR;
dent.d_namlen = 2;
dent.d_name[0] = '.';
@@ -1263,7 +1265,7 @@
struct uio *uio, int maxcookies, u_long *cookies, int *ncookies)
{
struct tmpfs_dir_cursor dc;
- struct tmpfs_dirent *de;
+ struct tmpfs_dirent *de, *nde;
off_t off;
int error;
@@ -1284,18 +1286,19 @@
error = tmpfs_dir_getdotdent(tm, node, uio);
if (error != 0)
return (error);
- uio->uio_offset = TMPFS_DIRCOOKIE_DOTDOT;
+ uio->uio_offset = off = TMPFS_DIRCOOKIE_DOTDOT;
if (cookies != NULL)
- cookies[(*ncookies)++] = off = uio->uio_offset;
+ cookies[(*ncookies)++] = off;
/* FALLTHROUGH */
case TMPFS_DIRCOOKIE_DOTDOT:
- error = tmpfs_dir_getdotdotdent(tm, node, uio);
+ de = tmpfs_dir_first(node, &dc);
+ off = tmpfs_dirent_cookie(de);
+ error = tmpfs_dir_getdotdotdent(tm, node, uio, off);
if (error != 0)
return (error);
- de = tmpfs_dir_first(node, &dc);
- uio->uio_offset = tmpfs_dirent_cookie(de);
+ uio->uio_offset = off;
if (cookies != NULL)
- cookies[(*ncookies)++] = off = uio->uio_offset;
+ cookies[(*ncookies)++] = off;
/* EOF. */
if (de == NULL)
return (0);
@@ -1310,13 +1313,17 @@
off = tmpfs_dirent_cookie(de);
}
- /* Read as much entries as possible; i.e., until we reach the end of
- * the directory or we exhaust uio space. */
+ /*
+ * Read as much entries as possible; i.e., until we reach the end of the
+ * directory or we exhaust uio space.
+ */
do {
struct dirent d;
- /* Create a dirent structure representing the current
- * tmpfs_node and fill it. */
+ /*
+ * Create a dirent structure representing the current tmpfs_node
+ * and fill it.
+ */
if (de->td_node == NULL) {
d.d_fileno = 1;
d.d_type = DT_WHT;
@@ -1360,20 +1367,27 @@
MPASS(de->td_namelen < sizeof(d.d_name));
(void)memcpy(d.d_name, de->ud.td_name, de->td_namelen);
d.d_reclen = GENERIC_DIRSIZ(&d);
- dirent_terminate(&d);
- /* Stop reading if the directory entry we are treating is
- * bigger than the amount of data that can be returned. */
+ /*
+ * Stop reading if the directory entry we are treating is bigger
+ * than the amount of data that can be returned.
+ */
if (d.d_reclen > uio->uio_resid) {
error = EJUSTRETURN;
break;
}
- /* Copy the new dirent structure into the output buffer and
- * advance pointers. */
+ nde = tmpfs_dir_next(node, &dc);
+ d.d_off = tmpfs_dirent_cookie(nde);
+ dirent_terminate(&d);
+
+ /*
+ * Copy the new dirent structure into the output buffer and
+ * advance pointers.
+ */
error = uiomove(&d, d.d_reclen, uio);
if (error == 0) {
- de = tmpfs_dir_next(node, &dc);
+ de = nde;
if (cookies != NULL) {
off = tmpfs_dirent_cookie(de);
MPASS(*ncookies < maxcookies);
--- sys/kern/uipc_mqueue.c.orig
+++ sys/kern/uipc_mqueue.c
@@ -1426,6 +1426,7 @@
if (!pn->mn_fileno)
mqfs_fileno_alloc(mi, pn);
entry.d_fileno = pn->mn_fileno;
+ entry.d_off = offset + entry.d_reclen;
for (i = 0; i < MQFS_NAMELEN - 1 && pn->mn_name[i] != '\0'; ++i)
entry.d_name[i] = pn->mn_name[i];
entry.d_namlen = i;

18
website/static/security/patches/SA-21:01/fsdisclosure.12.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJY7A//cxfRPjkTLhctIEVx1PCFqEQ02Fj8rarjyKu8fWPrjB7zB9DuJPIMDfzs
VEupOfXlw0R71n+6UV3EuplbHF7jodX5g79FG0AqjrhzKmGVmN3azx/erbAQj46Q
ccRyGNltZLtji3iD9eespNNbuXkE0HB4hgR8uwbzTtEI12l9FybrRfR/Lo0EpakX
avnwAMSmbUp8IHvXJmiae6jNqW5qbXH0j0wUaQGIhF/ZgJtvZhRN2xbXWb7A0Uqm
DkUSatoFnTZ3YXKh1dY7wr9qUQujoO7tqvM1RMsgX+GGQNIwIzWsWJo6bcMNKmN+
bjVRQgLp8o2okApFKbEX535tzudGwet9xJGCrz8znUhgN0riUVsPy8/AbVFiLoWi
Rp8YlBTuuIQEG1naOlkdwbyoNXnIKajuA3s+BawdcpQEoB8o9OSd1jdQcdafZE6d
E9Oo/yIetviAmcu4Xt/KYXT2NbLIezDO26EYLsLver1qF9QE2A8syy3qld/mz4+n
Q90L/Qs4iN7nDzB0WenreA7YlG0rXjG5WyXxfxIpefdaSWvd51LUU56tGJEkGzAt
VT1kOyNKKI5zfV6K+pN3+0G7MPmfMN7au7UoAnC3C2QnbvvZZ4kxd/8+FerWyHrT
2CQAxwErn2hDLXJn9SDU8uQnXY3cJ3efO6lx9jwGQtCpJPzKd/A=
=DVI2
-----END PGP SIGNATURE-----

255
website/static/security/patches/SA-21:02/xenoom.11.patch Normal file
View file

@ -0,0 +1,255 @@
--- sys/dev/xen/balloon/balloon.c.orig
+++ sys/dev/xen/balloon/balloon.c
@@ -310,7 +310,8 @@
static struct xs_watch target_watch =
{
- .node = "memory/target"
+ .node = "memory/target",
+ .max_pending = 1,
};
/* React to a change in the target key */
--- sys/dev/xen/blkback/blkback.c.orig
+++ sys/dev/xen/blkback/blkback.c
@@ -3767,6 +3767,12 @@
xbb->hotplug_watch.callback = xbb_attach_disk;
KASSERT(xbb->hotplug_watch.node == NULL, ("watch node already setup"));
xbb->hotplug_watch.node = strdup(sbuf_data(watch_path), M_XENBLOCKBACK);
+ /*
+ * We don't care about the path updated, just about the value changes
+ * on that single node, hence there's no need to queue more that one
+ * event.
+ */
+ xbb->hotplug_watch.max_pending = 1;
sbuf_delete(watch_path);
error = xs_register_watch(&xbb->hotplug_watch);
if (error != 0) {
--- sys/dev/xen/control/control.c.orig
+++ sys/dev/xen/control/control.c
@@ -432,6 +432,12 @@
xctrl->xctrl_watch.node = "control/shutdown";
xctrl->xctrl_watch.callback = xctrl_on_watch_event;
xctrl->xctrl_watch.callback_data = (uintptr_t)xctrl;
+ /*
+ * We don't care about the path updated, just about the value changes
+ * on that single node, hence there's no need to queue more that one
+ * event.
+ */
+ xctrl->xctrl_watch.max_pending = 1;
xs_register_watch(&xctrl->xctrl_watch);
if (xen_pv_domain())
--- sys/dev/xen/xenstore/xenstore.c.orig
+++ sys/dev/xen/xenstore/xenstore.c
@@ -668,12 +668,17 @@
mtx_lock(&xs.registered_watches_lock);
msg->u.watch.handle = find_watch(
msg->u.watch.vec[XS_WATCH_TOKEN]);
- if (msg->u.watch.handle != NULL) {
- mtx_lock(&xs.watch_events_lock);
+ mtx_lock(&xs.watch_events_lock);
+ if (msg->u.watch.handle != NULL &&
+ (!msg->u.watch.handle->max_pending ||
+ msg->u.watch.handle->pending <
+ msg->u.watch.handle->max_pending)) {
+ msg->u.watch.handle->pending++;
TAILQ_INSERT_TAIL(&xs.watch_events, msg, list);
wakeup(&xs.watch_events);
mtx_unlock(&xs.watch_events_lock);
} else {
+ mtx_unlock(&xs.watch_events_lock);
free(msg->u.watch.vec, M_XENSTORE);
free(msg, M_XENSTORE);
}
@@ -1045,8 +1050,10 @@
mtx_lock(&xs.watch_events_lock);
msg = TAILQ_FIRST(&xs.watch_events);
- if (msg)
+ if (msg) {
TAILQ_REMOVE(&xs.watch_events, msg, list);
+ msg->u.watch.handle->pending--;
+ }
mtx_unlock(&xs.watch_events_lock);
if (msg != NULL) {
@@ -1629,6 +1636,7 @@
char token[sizeof(watch) * 2 + 1];
int error;
+ watch->pending = 0;
sprintf(token, "%lX", (long)watch);
sx_slock(&xs.suspend_mutex);
--- sys/xen/xenbus/xenbus.c.orig
+++ sys/xen/xenbus/xenbus.c
@@ -102,48 +102,6 @@
return ((state < (XenbusStateClosed + 1)) ? name[state] : "INVALID");
}
-int
-xenbus_watch_path(device_t dev, char *path, struct xs_watch *watch,
- xs_watch_cb_t *callback, uintptr_t callback_data)
-{
- int error;
-
- watch->node = path;
- watch->callback = callback;
- watch->callback_data = callback_data;
-
- error = xs_register_watch(watch);
-
- if (error) {
- watch->node = NULL;
- watch->callback = NULL;
- xenbus_dev_fatal(dev, error, "adding watch on %s", path);
- }
-
- return (error);
-}
-
-int
-xenbus_watch_path2(device_t dev, const char *path,
- const char *path2, struct xs_watch *watch,
- xs_watch_cb_t *callback, uintptr_t callback_data)
-{
- int error;
- char *state = malloc(strlen(path) + 1 + strlen(path2) + 1,
- M_XENBUS, M_WAITOK);
-
- strcpy(state, path);
- strcat(state, "/");
- strcat(state, path2);
-
- error = xenbus_watch_path(dev, state, watch, callback, callback_data);
- if (error) {
- free(state,M_XENBUS);
- }
-
- return (error);
-}
-
void
xenbus_dev_verror(device_t dev, int err, const char *fmt, va_list ap)
{
--- sys/xen/xenbus/xenbusb.c.orig
+++ sys/xen/xenbus/xenbusb.c
@@ -702,10 +702,21 @@
ivars->xd_otherend_watch.node = statepath;
ivars->xd_otherend_watch.callback = xenbusb_otherend_watch_cb;
ivars->xd_otherend_watch.callback_data = (uintptr_t)ivars;
+ /*
+ * Other end state node watch, limit to one pending event
+ * to prevent frontends from queuing too many events that
+ * could cause resource starvation.
+ */
+ ivars->xd_otherend_watch.max_pending = 1;
ivars->xd_local_watch.node = ivars->xd_node;
ivars->xd_local_watch.callback = xenbusb_local_watch_cb;
ivars->xd_local_watch.callback_data = (uintptr_t)ivars;
+ /*
+ * Watch our local path, only writable by us or a privileged
+ * domain, no need to limit.
+ */
+ ivars->xd_local_watch.max_pending = 0;
mtx_lock(&xbs->xbs_lock);
xbs->xbs_connecting_children++;
@@ -764,6 +775,12 @@
xbs->xbs_device_watch.node = bus_node;
xbs->xbs_device_watch.callback = xenbusb_devices_changed;
xbs->xbs_device_watch.callback_data = (uintptr_t)xbs;
+ /*
+ * Allow for unlimited pending watches, as those are local paths
+ * either controlled by the guest or only writable by privileged
+ * domains.
+ */
+ xbs->xbs_device_watch.max_pending = 0;
TASK_INIT(&xbs->xbs_probe_children, 0, xenbusb_probe_children_cb, dev);
--- sys/xen/xenbus/xenbusvar.h.orig
+++ sys/xen/xenbus/xenbusvar.h
@@ -123,62 +123,6 @@
return (xenbus_read_driver_state(xenbus_get_otherend_path(dev)));
}
-/**
- * Initialize and register a watch on the given path (client suplied storage).
- *
- * \param dev The XenBus device requesting the watch service.
- * \param path The XenStore path of the object to be watched. The
- * storage for this string must be stable for the lifetime
- * of the watch.
- * \param watch The watch object to use for this request. This object
- * must be stable for the lifetime of the watch.
- * \param callback The function to call when XenStore objects at or below
- * path are modified.
- * \param cb_data Client data that can be retrieved from the watch object
- * during the callback.
- *
- * \return On success, 0. Otherwise an errno value indicating the
- * type of failure.
- *
- * \note On error, the device 'dev' will be switched to the XenbusStateClosing
- * state and the returned error is saved in the per-device error node
- * for dev in the XenStore.
- */
-int xenbus_watch_path(device_t dev, char *path,
- struct xs_watch *watch,
- xs_watch_cb_t *callback,
- uintptr_t cb_data);
-
-/**
- * Initialize and register a watch at path/path2 in the XenStore.
- *
- * \param dev The XenBus device requesting the watch service.
- * \param path The base XenStore path of the object to be watched.
- * \param path2 The tail XenStore path of the object to be watched.
- * \param watch The watch object to use for this request. This object
- * must be stable for the lifetime of the watch.
- * \param callback The function to call when XenStore objects at or below
- * path are modified.
- * \param cb_data Client data that can be retrieved from the watch object
- * during the callback.
- *
- * \return On success, 0. Otherwise an errno value indicating the
- * type of failure.
- *
- * \note On error, \a dev will be switched to the XenbusStateClosing
- * state and the returned error is saved in the per-device error node
- * for \a dev in the XenStore.
- *
- * Similar to xenbus_watch_path, however the storage for the path to the
- * watched object is allocated from the heap and filled with "path '/' path2".
- * Should a call to this function succeed, it is the callers responsibility
- * to free watch->node using the M_XENBUS malloc type.
- */
-int xenbus_watch_path2(device_t dev, const char *path,
- const char *path2, struct xs_watch *watch,
- xs_watch_cb_t *callback,
- uintptr_t cb_data);
-
/**
* Grant access to the given ring_mfn to the peer of the given device.
*
--- sys/xen/xenstore/xenstorevar.h.orig
+++ sys/xen/xenstore/xenstorevar.h
@@ -72,6 +72,15 @@
/* Callback client data untouched by the XenStore watch mechanism. */
uintptr_t callback_data;
+
+ /* Maximum number of pending watch events to be delivered. */
+ unsigned int max_pending;
+
+ /*
+ * Private counter used by xenstore to keep track of the pending
+ * watches. Protected by xs.watch_events_lock.
+ */
+ unsigned int pending;
};
LIST_HEAD(xs_watch_list, xs_watch);

18
website/static/security/patches/SA-21:02/xenoom.11.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKfghAAkrse02lN4PZizc0OEsABoBTpTLLNFTTQ+3alY9MeYmLzgoP6crG6nETa
VwRh44ztjXeMB0/HUKu4rCcSbasYPLYAGZ+z8WCGmgVs30og7m6fC1eLb3zvlHxq
O4J9E3JhvQIPbhFpZMDMyjj+aS4SncgB7Hswcr3FGuUQkl9ySm7frV6umDHkwaiN
0wNEQVHQIQSVxawSG2+hMwVCDH/rxm2gLPpoTlQ4rwD3dsr6Ul8hCqPTTUV7vpRE
88AAv+xPgglWjNFo2LAYvtXjTiO3/v+TfiNnf47uwbMpmEaUKRDDirMqrAd8k6x4
UgbYC+Dils9Fbo+hc2P8kxwaDDb3xPk6RwPErCbQfyoF2w09YQeaIB5na9aRV43u
qCOj/3OFcuZxEqY1pWLWutD6HM2qi72Btm2U4dp/zFa6V7x4hRKrxmimM07uJGRy
/Pk3mBpLQLm0wbjSTR+8+RFM4fYRUQbJYZFINn99WDsL4zqD/KzL/ZW5e2pFjRcC
n2DuuMULHQ1ivBZmdMBOIvx5JUllHn5vazDVErIdILJhAb4ypFpuyFdkBUNO72Hn
dfrNrwABGi57nqxdAP8nIYTEUyUxm6q3vC4VXsoarYZvGECmWLrNWSADR7YtsMSi
7C9lanrEy3CH4eFwXkPTYAvmLgubQTm5pMxCZfM/qHSkUhVocBQ=
=6nop
-----END PGP SIGNATURE-----

300
website/static/security/patches/SA-21:02/xenoom.12.patch Normal file
View file

@ -0,0 +1,300 @@
--- sys/dev/xen/balloon/balloon.c.orig
+++ sys/dev/xen/balloon/balloon.c
@@ -310,7 +310,8 @@
static struct xs_watch target_watch =
{
- .node = "memory/target"
+ .node = "memory/target",
+ .max_pending = 1,
};
/* React to a change in the target key */
--- sys/dev/xen/blkback/blkback.c.orig
+++ sys/dev/xen/blkback/blkback.c
@@ -3768,6 +3768,12 @@
xbb->hotplug_watch.callback = xbb_attach_disk;
KASSERT(xbb->hotplug_watch.node == NULL, ("watch node already setup"));
xbb->hotplug_watch.node = strdup(sbuf_data(watch_path), M_XENBLOCKBACK);
+ /*
+ * We don't care about the path updated, just about the value changes
+ * on that single node, hence there's no need to queue more that one
+ * event.
+ */
+ xbb->hotplug_watch.max_pending = 1;
sbuf_delete(watch_path);
error = xs_register_watch(&xbb->hotplug_watch);
if (error != 0) {
--- sys/dev/xen/control/control.c.orig
+++ sys/dev/xen/control/control.c
@@ -432,6 +432,12 @@
xctrl->xctrl_watch.node = "control/shutdown";
xctrl->xctrl_watch.callback = xctrl_on_watch_event;
xctrl->xctrl_watch.callback_data = (uintptr_t)xctrl;
+ /*
+ * We don't care about the path updated, just about the value changes
+ * on that single node, hence there's no need to queue more that one
+ * event.
+ */
+ xctrl->xctrl_watch.max_pending = 1;
xs_register_watch(&xctrl->xctrl_watch);
if (xen_pv_domain())
--- sys/dev/xen/xenstore/xenstore.c.orig
+++ sys/dev/xen/xenstore/xenstore.c
@@ -656,12 +656,17 @@
mtx_lock(&xs.registered_watches_lock);
msg->u.watch.handle = find_watch(
msg->u.watch.vec[XS_WATCH_TOKEN]);
- if (msg->u.watch.handle != NULL) {
- mtx_lock(&xs.watch_events_lock);
+ mtx_lock(&xs.watch_events_lock);
+ if (msg->u.watch.handle != NULL &&
+ (!msg->u.watch.handle->max_pending ||
+ msg->u.watch.handle->pending <
+ msg->u.watch.handle->max_pending)) {
+ msg->u.watch.handle->pending++;
TAILQ_INSERT_TAIL(&xs.watch_events, msg, list);
wakeup(&xs.watch_events);
mtx_unlock(&xs.watch_events_lock);
} else {
+ mtx_unlock(&xs.watch_events_lock);
free(msg->u.watch.vec, M_XENSTORE);
free(msg, M_XENSTORE);
}
@@ -983,8 +988,10 @@
mtx_lock(&xs.watch_events_lock);
msg = TAILQ_FIRST(&xs.watch_events);
- if (msg)
+ if (msg) {
TAILQ_REMOVE(&xs.watch_events, msg, list);
+ msg->u.watch.handle->pending--;
+ }
mtx_unlock(&xs.watch_events_lock);
if (msg != NULL) {
@@ -1578,6 +1585,7 @@
char token[sizeof(watch) * 2 + 1];
int error;
+ watch->pending = 0;
sprintf(token, "%lX", (long)watch);
mtx_lock(&xs.registered_watches_lock);
--- sys/dev/xen/xenstore/xenstore_dev.c.orig
+++ sys/dev/xen/xenstore/xenstore_dev.c
@@ -45,6 +45,7 @@
#include <sys/conf.h>
#include <sys/module.h>
#include <sys/selinfo.h>
+#include <sys/sysctl.h>
#include <sys/poll.h>
#include <xen/xen-os.h>
@@ -53,6 +54,8 @@
#include <xen/xenstore/xenstorevar.h>
#include <xen/xenstore/xenstore_internal.h>
+static unsigned int max_pending_watches = 1000;
+
struct xs_dev_transaction {
LIST_ENTRY(xs_dev_transaction) list;
struct xs_transaction handle;
@@ -335,6 +338,7 @@
watch->watch.node = strdup(wpath, M_XENSTORE);
watch->watch.callback = xs_dev_watch_cb;
watch->watch.callback_data = (uintptr_t)watch;
+ watch->watch.max_pending = max_pending_watches;
watch->token = strdup(wtoken, M_XENSTORE);
watch->user = u;
@@ -511,6 +515,17 @@
xs_dev_attach(device_t dev)
{
struct cdev *xs_cdev;
+ struct sysctl_ctx_list *sysctl_ctx;
+ struct sysctl_oid *sysctl_tree;
+
+ sysctl_ctx = device_get_sysctl_ctx(dev);
+ sysctl_tree = device_get_sysctl_tree(dev);
+ if (sysctl_ctx == NULL || sysctl_tree == NULL)
+ return (EINVAL);
+
+ SYSCTL_ADD_UINT(sysctl_ctx, SYSCTL_CHILDREN(sysctl_tree), OID_AUTO,
+ "max_pending_watch_events", CTLFLAG_RW, &max_pending_watches, 0,
+ "maximum amount of pending watch events to be delivered");
xs_cdev = make_dev_credf(MAKEDEV_ETERNAL, &xs_dev_cdevsw, 0, NULL,
UID_ROOT, GID_WHEEL, 0400, "xen/xenstore");
--- sys/xen/xenbus/xenbus.c.orig
+++ sys/xen/xenbus/xenbus.c
@@ -102,48 +102,6 @@
return ((state < (XenbusStateClosed + 1)) ? name[state] : "INVALID");
}
-int
-xenbus_watch_path(device_t dev, char *path, struct xs_watch *watch,
- xs_watch_cb_t *callback, uintptr_t callback_data)
-{
- int error;
-
- watch->node = path;
- watch->callback = callback;
- watch->callback_data = callback_data;
-
- error = xs_register_watch(watch);
-
- if (error) {
- watch->node = NULL;
- watch->callback = NULL;
- xenbus_dev_fatal(dev, error, "adding watch on %s", path);
- }
-
- return (error);
-}
-
-int
-xenbus_watch_path2(device_t dev, const char *path,
- const char *path2, struct xs_watch *watch,
- xs_watch_cb_t *callback, uintptr_t callback_data)
-{
- int error;
- char *state = malloc(strlen(path) + 1 + strlen(path2) + 1,
- M_XENBUS, M_WAITOK);
-
- strcpy(state, path);
- strcat(state, "/");
- strcat(state, path2);
-
- error = xenbus_watch_path(dev, state, watch, callback, callback_data);
- if (error) {
- free(state,M_XENBUS);
- }
-
- return (error);
-}
-
void
xenbus_dev_verror(device_t dev, int err, const char *fmt, va_list ap)
{
--- sys/xen/xenbus/xenbusb.c.orig
+++ sys/xen/xenbus/xenbusb.c
@@ -702,10 +702,21 @@
ivars->xd_otherend_watch.node = statepath;
ivars->xd_otherend_watch.callback = xenbusb_otherend_watch_cb;
ivars->xd_otherend_watch.callback_data = (uintptr_t)ivars;
+ /*
+ * Other end state node watch, limit to one pending event
+ * to prevent frontends from queuing too many events that
+ * could cause resource starvation.
+ */
+ ivars->xd_otherend_watch.max_pending = 1;
ivars->xd_local_watch.node = ivars->xd_node;
ivars->xd_local_watch.callback = xenbusb_local_watch_cb;
ivars->xd_local_watch.callback_data = (uintptr_t)ivars;
+ /*
+ * Watch our local path, only writable by us or a privileged
+ * domain, no need to limit.
+ */
+ ivars->xd_local_watch.max_pending = 0;
mtx_lock(&xbs->xbs_lock);
xbs->xbs_connecting_children++;
@@ -764,6 +775,12 @@
xbs->xbs_device_watch.node = bus_node;
xbs->xbs_device_watch.callback = xenbusb_devices_changed;
xbs->xbs_device_watch.callback_data = (uintptr_t)xbs;
+ /*
+ * Allow for unlimited pending watches, as those are local paths
+ * either controlled by the guest or only writable by privileged
+ * domains.
+ */
+ xbs->xbs_device_watch.max_pending = 0;
TASK_INIT(&xbs->xbs_probe_children, 0, xenbusb_probe_children_cb, dev);
--- sys/xen/xenbus/xenbusvar.h.orig
+++ sys/xen/xenbus/xenbusvar.h
@@ -123,62 +123,6 @@
return (xenbus_read_driver_state(xenbus_get_otherend_path(dev)));
}
-/**
- * Initialize and register a watch on the given path (client suplied storage).
- *
- * \param dev The XenBus device requesting the watch service.
- * \param path The XenStore path of the object to be watched. The
- * storage for this string must be stable for the lifetime
- * of the watch.
- * \param watch The watch object to use for this request. This object
- * must be stable for the lifetime of the watch.
- * \param callback The function to call when XenStore objects at or below
- * path are modified.
- * \param cb_data Client data that can be retrieved from the watch object
- * during the callback.
- *
- * \return On success, 0. Otherwise an errno value indicating the
- * type of failure.
- *
- * \note On error, the device 'dev' will be switched to the XenbusStateClosing
- * state and the returned error is saved in the per-device error node
- * for dev in the XenStore.
- */
-int xenbus_watch_path(device_t dev, char *path,
- struct xs_watch *watch,
- xs_watch_cb_t *callback,
- uintptr_t cb_data);
-
-/**
- * Initialize and register a watch at path/path2 in the XenStore.
- *
- * \param dev The XenBus device requesting the watch service.
- * \param path The base XenStore path of the object to be watched.
- * \param path2 The tail XenStore path of the object to be watched.
- * \param watch The watch object to use for this request. This object
- * must be stable for the lifetime of the watch.
- * \param callback The function to call when XenStore objects at or below
- * path are modified.
- * \param cb_data Client data that can be retrieved from the watch object
- * during the callback.
- *
- * \return On success, 0. Otherwise an errno value indicating the
- * type of failure.
- *
- * \note On error, \a dev will be switched to the XenbusStateClosing
- * state and the returned error is saved in the per-device error node
- * for \a dev in the XenStore.
- *
- * Similar to xenbus_watch_path, however the storage for the path to the
- * watched object is allocated from the heap and filled with "path '/' path2".
- * Should a call to this function succeed, it is the callers responsibility
- * to free watch->node using the M_XENBUS malloc type.
- */
-int xenbus_watch_path2(device_t dev, const char *path,
- const char *path2, struct xs_watch *watch,
- xs_watch_cb_t *callback,
- uintptr_t cb_data);
-
/**
* Grant access to the given ring_mfn to the peer of the given device.
*
--- sys/xen/xenstore/xenstorevar.h.orig
+++ sys/xen/xenstore/xenstorevar.h
@@ -70,6 +70,15 @@
/* Callback client data untouched by the XenStore watch mechanism. */
uintptr_t callback_data;
+
+ /* Maximum number of pending watch events to be delivered. */
+ unsigned int max_pending;
+
+ /*
+ * Private counter used by xenstore to keep track of the pending
+ * watches. Protected by xs.watch_events_lock.
+ */
+ unsigned int pending;
};
LIST_HEAD(xs_watch_list, xs_watch);

18
website/static/security/patches/SA-21:02/xenoom.12.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJXhg/8CoCazqYQC72fjKzdu5rTqi88S+LCO2/oQ8sB81Xd9994aTcCiCT16MgW
oExB9ukEru7mz98ziwZiszkFGhnj8SvFqp8GaUdORILeLxN81Z8aUkXOAzZpk0yy
Yd9yMxSL5YRcgcrxJKetArt97Pdkx0e5paNMniKWYxuGMGE0IJXc/OJmb1Gj+ZTe
BSHInbD57GG6DYBDgLGm4Lu6FMrG+ukt2SUFxRQl0usgNE1zseXIjSxMPymh0I4j
guCo0gNxHow44xgEXOUD1X2K1hsr8TNxwvl5i9Pwv8MFubPU4qPcBOcMvM/i5YR2
3uvnK5oRqNjwS/EHUBZ2jonSmNN89mqdPjctaMNypcUPDsIqINw/Qd6TNnv3DjS1
34cNBWzBYt9ccf5JC/KWfDyZxWpOku18DdFOcsi9MSubmQaxj5SRMfh0QamZPZ3p
06JcJbcVZyRoMnD/NcFJTd6pfnrPKrJ9IVOvBesm3MpMsWywRQgVM79xly3HuhLV
M8JTm9TKNVJPNGEeXW8MzjYJO2hDgTMwt6SWkxhNMQnajr3weqV5u+5X1wjZsAzr
pWVXYZTkxNcyAcLvMahjuB6av4lc763MdqorgRHdpLdwr4w45pCLqxRR9O1OVY2g
k0uKTKB1WQAIeK2VTpM/ZjPuNc+k0sVyYR9Sy70P0k76drICqUk=
=5Wei
-----END PGP SIGNATURE-----