Add SA-18:15 and EN-18:16 through EN-18:18.

Approved by:	so
Gordon Tetlow 2018-12-19 19:51:24 +00:00
parent ffcc9c2f58
commit c187b39df1
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=52700
14 changed files with 854 additions and 0 deletions


@ -0,0 +1,126 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:16.ptrace Errata Notice
The FreeBSD Project
Topic: kernel panic upon ptrace attach to stopped process
Category: core
Module: kernel
Announced: 2018-12-19
Credits: John Baldwin, Konstantin Belousov
Affects: FreeBSD 11.2
Corrected: 2018-11-09 17:43:23 UTC (stable/11, 11.2-STABLE)
2018-12-19 17:52:56 UTC (releng/11.2, 11.2-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
ptrace(2) is a system call used by debuggers and related utilities
to take control of a process and inspect its state. To use the
interface, a debugger must first attach to a target process. Once
attached, the ptrace interface allows the debugger to intercept events,
such as signal delivery, involving the target process.
II. Problem Description
The ptrace(2) implementation in FreeBSD 11.2 contains a bug such that
a ptrace attach operation will trigger a kernel panic if the target
process is in a stopped state.
III. Impact
Users debugging a problem with, for example, gdb, may cause the system to
crash.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for FreeBSD errata update"
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/EN-18:16/ptrace.patch
# fetch https://security.FreeBSD.org/patches/EN-18:16/ptrace.patch.asc
# gpg --verify ptrace.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r340290
releng/11.2/ r342224
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:16.ptrace.asc>
-----BEGIN PGP SIGNATURE-----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=5T6c
-----END PGP SIGNATURE-----


@ -0,0 +1,140 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:17.vm Errata Notice
The FreeBSD Project
Topic: Kernel panic under load on Intel "Skylake" CPUs
Category: core
Module: kernel
Announced: 2018-12-19
Credits: Mark Johnston
Affects: FreeBSD 11.2
Corrected: 2018-12-02 18:08:27 UTC (stable/11, 11.2-STABLE)
2018-19-19 18:00:58 UTC (releng/11.2, 11.2-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The physical page allocator is a component of the kernel responsible for
tracking usage of the system's RAM by the kernel and by userland
applications. It maintains lists of unused memory pages which may be
returned by the allocator upon demand. It also maintains an integer
count of the number of pages stored in these lists.
II. Problem Description
The kernel contains handling for an Intel erratum affecting Skylake-X
CPUs. The erratum description states that a processor may hang when
performing a certain synchronization operation within a particular 4MB
region of physical memory. FreeBSD works around the erratum by using
a blacklisting mechanism to ensure that the physical page allocator
never returns pages in that region. However, this blacklisting
mechanism contained a bug such that the removal of pages in the region
was not reflected in the free page count.
III. Impact
The discrepancy between the free page count and the physical page
allocator's state can trigger a NULL pointer dereference when the
system is under heavy load, resulting in a panic.
IV. Workaround
Only systems using a Skylake-X or Skylake Server CPU are affected.
Affected systems can work around the problem by setting the
"hw.skz63_enable" to 0 in /boot/loader.conf, causing the handling for
the Intel erratum to be disabled upon a reboot of the system. However,
this raises the possibility of being affected by the erratum if software
running on the system makes use of Intel TSX.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot the system
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/EN-18:17/vm.patch
# fetch https://security.FreeBSD.org/patches/EN-18:17/vm.patch.asc
# gpg --verify vm.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r341401
releng/11.2/ r342225
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231296>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:17.vm.asc>
-----BEGIN PGP SIGNATURE-----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=QgI2
-----END PGP SIGNATURE-----
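Review bot: The second "Corrected:" line gives the releng/11.2 timestamp as "2018-19-19 18:00:58 UTC", which is not a valid date (month 19). The notice is announced 2018-12-19 and the other notices in this commit give 2018-12-19 for their releng/11.2 corrections, so this should presumably read "2018-12-19 18:00:58 UTC". In the Workaround, setting the "hw.skz63_enable" to 0 would read better as setting hw.skz63_enable to 0, and step 2 of the Solution says only "Reboot the system" where EN-18:16 gives the shutdown command.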


@ -0,0 +1,131 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-18:18.zfs Errata Notice
The FreeBSD Project
Topic: ZFS vnode reclaim deadlock
Category: core
Module: kernel
Announced: 2018-12-19
Credits: Allan Jude
Affects: FreeBSD 11.2
Corrected: 2018-12-11 19:34:25 UTC (stable/11, 11.2-STABLE)
2018-12-19 18:05:50 UTC (releng/11.2, 11.2-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
ZFS is one of several filesystems available on FreeBSD. ZFS supports
many advanced features, including checksumming, transparent compression,
and snapshots.
ZFS saves synchronous writes to the ZFS Intent Log (ZIL), which may be a
separate log device (SLOG), so they can be replayed in the event of a
power failure or system crash. This ensures that the contents of write()
calls that succeeded will still be available after the system
unexpectedly reboots.
II. Problem Description
There is a possible deadlock between zil_commit() and zfs_zget() during
the vnode reclaim process. If zfs_zget() is not able to take the vnode
exclusive lock, it will retry indefinately, blocking forward progress.
III. Impact
Processes may hang on the waitchan "zilog->zl_writer_lock".
IV. Workaround
Increasing the maximum number of vnodes (kern.maxvnodes) may decrease
the frequency of this deadlock. Systems not using ZFS are not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/EN-18:18/zfs.patch
# fetch https://security.FreeBSD.org/patches/EN-18:18/zfs.patch.asc
# gpg --verify zfs.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r341828
releng/11.2/ r342226
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229614>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:18.zfs.asc>
-----BEGIN PGP SIGNATURE-----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=Gqpb
-----END PGP SIGNATURE-----
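Review bot: Solution steps 1 and 2 end without a reboot instruction, although the Module is "kernel" and step 3c tells the reader to reboot after recompiling; EN-18:16 and EN-18:17 in this same commit include the reboot in all three paths. Without it, a reader who runs freebsd-update install keeps running the unfixed kernel. Suggest adding "and reboot the system" to step 1 and a reboot line after "# freebsd-update install". Also, "indefinately" in the Problem Description should be "indefinitely".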


@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-18:15.bootpd Security Advisory
The FreeBSD Project
Topic: bootpd buffer overflow
Category: core
Module: bootpd
Announced: 2018-12-19
Credits: Reno Robert
Affects: All supported versions of FreeBSD.
Corrected: 2018-12-19 18:17:59 UTC (stable/12, 12.0-STABLE)
2018-12-19 18:21:07 UTC (releng/12.0, 12.0-RELEASE-p1)
2018-12-19 18:19:15 UTC (stable/11, 11.2-STABLE)
2018-12-19 18:22:25 UTC (releng/11.2, 11.2-RELEASE-p7)
CVE Name: CVE-2018-17161
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The bootpd utility implements an Internet Bootstrap Protocol (BOOTP)
server as defined in RFC951, RFC1532, and RFC1533.
II. Problem Description
Due to insufficient validation of network-provided data it may be possible
for a malicious attacker to craft a bootp packet which could cause a stack
buffer overflow.
III. Impact
It is possible that the buffer overflow could lead to a Denial of Service
or remote code execution.
IV. Workaround
Firewall rules may be used to limit reception of bootp packets to only
trusted networks or hosts. Note that the bootp protocol is typically
limited to a common layer 2 broadcast domain, although the bootpgw gateway
can forward bootp requests and responses between subnets.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart bootpd if it is running in standalone mode.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch.asc
# gpg --verify bootpd.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r342228
releng/12.0/ r342230
stable/11/ r348229
releng/11.2/ r342231
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17161>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:15.bootpd.asc>
-----BEGIN PGP SIGNATURE-----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=jlRR
-----END PGP SIGNATURE-----
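Review bot: In the Correction details table, stable/11/ is listed as r348229, which is far out of sequence with the other three revisions (r342228, r342230, r342231), all committed within five minutes of each other according to the "Corrected:" timestamps. This looks like a typo for r342229; please confirm against the stable/11 commit, since readers are told to substitute this number into the svn diff -c command and the svnweb URL below the table.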


@ -0,0 +1,152 @@
--- sys/kern/sys_process.c.orig
+++ sys/kern/sys_process.c
@@ -869,7 +869,7 @@
}
/* not currently stopped */
- if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) == 0 ||
+ if ((p->p_flag & P_STOPPED_TRACE) == 0 ||
p->p_suspcount != p->p_numthreads ||
(p->p_flag & P_WAITED) == 0) {
error = EBUSY;
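Review bot: The comment "/* not currently stopped */" above the changed condition no longer matches it. With P_STOPPED_SIG dropped from the mask, the test now returns EBUSY for a process that is stopped by a signal but not by the tracer. Suggest rewording the comment, for example "not currently stopped by the tracer".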
@@ -876,12 +876,6 @@
goto fail;
}
- if ((p->p_flag & P_STOPPED_TRACE) == 0) {
- static int count = 0;
- if (count++ == 0)
- printf("P_STOPPED_TRACE not set.\n");
- }
-
/* OK */
break;
}
@@ -926,11 +920,28 @@
if (p->p_pptr != td->td_proc) {
proc_reparent(p, td->td_proc);
}
- data = SIGSTOP;
CTR2(KTR_PTRACE, "PT_ATTACH: pid %d, oppid %d", p->p_pid,
p->p_oppid);
- goto sendsig; /* in PT_CONTINUE below */
+ sx_xunlock(&proctree_lock);
+ proctree_locked = 0;
+ MPASS(p->p_xthread == NULL);
+ MPASS((p->p_flag & P_STOPPED_TRACE) == 0);
+
+ /*
+ * If already stopped due to a stop signal, clear the
+ * existing stop before triggering a traced SIGSTOP.
+ */
+ if ((p->p_flag & P_STOPPED_SIG) != 0) {
+ PROC_SLOCK(p);
+ p->p_flag &= ~(P_STOPPED_SIG | P_WAITED);
+ thread_unsuspend(p);
+ PROC_SUNLOCK(p);
+ }
+
+ kern_psignal(p, SIGSTOP);
+ break;
+
case PT_CLEARSTEP:
CTR2(KTR_PTRACE, "PT_CLEARSTEP: tid %d (pid %d)", td2->td_tid,
p->p_pid);
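Review bot: The new comment in PT_ATTACH says only that the existing stop is cleared, but the code under it also clears P_WAITED and calls thread_unsuspend(p) before kern_psignal(p, SIGSTOP), and the reason is not stated. Suggest a sentence in the comment explaining why P_WAITED has to be reset along with P_STOPPED_SIG on this path.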
@@ -1117,8 +1128,10 @@
sigqueue_delete(&td3->td_sigqueue,
SIGSTOP);
}
- td3->td_dbgflags &= ~(TDB_XSIG | TDB_FSTP);
+ td3->td_dbgflags &= ~(TDB_XSIG | TDB_FSTP |
+ TDB_SUSPEND);
}
+
if ((p->p_flag2 & P2_PTRACE_FSTP) != 0) {
sigqueue_delete(&p->p_sigqueue, SIGSTOP);
p->p_flag2 &= ~P2_PTRACE_FSTP;
@@ -1129,54 +1142,45 @@
break;
}
+ sx_xunlock(&proctree_lock);
+ proctree_locked = 0;
+
sendsig:
- /*
+ MPASS(proctree_locked == 0);
+
+ /*
* Clear the pending event for the thread that just
* reported its event (p_xthread). This may not be
* the thread passed to PT_CONTINUE, PT_STEP, etc. if
* the debugger is resuming a different thread.
+ *
+ * Deliver any pending signal via the reporting thread.
*/
- td2 = p->p_xthread;
- if (proctree_locked) {
- sx_xunlock(&proctree_lock);
- proctree_locked = 0;
- }
+ MPASS(p->p_xthread != NULL);
+ p->p_xthread->td_dbgflags &= ~TDB_XSIG;
+ p->p_xthread->td_xsig = data;
+ p->p_xthread = NULL;
p->p_xsig = data;
- p->p_xthread = NULL;
- if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) != 0) {
- /* deliver or queue signal */
- td2->td_dbgflags &= ~TDB_XSIG;
- td2->td_xsig = data;
- /*
- * P_WKILLED is insurance that a PT_KILL/SIGKILL always
- * works immediately, even if another thread is
- * unsuspended first and attempts to handle a different
- * signal or if the POSIX.1b style signal queue cannot
- * accommodate any new signals.
- */
- if (data == SIGKILL)
- p->p_flag |= P_WKILLED;
+ /*
+ * P_WKILLED is insurance that a PT_KILL/SIGKILL
+ * always works immediately, even if another thread is
+ * unsuspended first and attempts to handle a
+ * different signal or if the POSIX.1b style signal
+ * queue cannot accommodate any new signals.
+ */
+ if (data == SIGKILL)
+ p->p_flag |= P_WKILLED;
- if (req == PT_DETACH) {
- FOREACH_THREAD_IN_PROC(p, td3)
- td3->td_dbgflags &= ~TDB_SUSPEND;
- }
- /*
- * unsuspend all threads, to not let a thread run,
- * you should use PT_SUSPEND to suspend it before
- * continuing process.
- */
- PROC_SLOCK(p);
- p->p_flag &= ~(P_STOPPED_TRACE|P_STOPPED_SIG|P_WAITED);
- thread_unsuspend(p);
- PROC_SUNLOCK(p);
- if (req == PT_ATTACH)
- kern_psignal(p, data);
- } else {
- if (data)
- kern_psignal(p, data);
- }
+ /*
+ * Unsuspend all threads. To leave a thread
+ * suspended, use PT_SUSPEND to suspend it before
+ * continuing the process.
+ */
+ PROC_SLOCK(p);
+ p->p_flag &= ~(P_STOPPED_TRACE | P_STOPPED_SIG | P_WAITED);
+ thread_unsuspend(p);
+ PROC_SUNLOCK(p);
break;
case PT_WRITE_I:
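Review bot: After the sendsig label, p->p_xthread is now dereferenced unconditionally, guarded only by "MPASS(p->p_xthread != NULL);". MPASS is compiled in only with INVARIANTS, so on a release kernel a path that reaches sendsig without a reporting thread would be a NULL dereference rather than an assertion failure; the removed code only touched td2 inside the P_STOPPED_SIG | P_STOPPED_TRACE branch. Please confirm that every remaining "goto sendsig" runs with p_xthread set and with proctree_lock already dropped (the other new MPASS), or state both invariants in the comment above the label.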


@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=bI0z
-----END PGP SIGNATURE-----


@ -0,0 +1,14 @@
--- sys/vm/vm_page.c.orig
+++ sys/vm/vm_page.c
@@ -304,8 +304,10 @@
mtx_lock(&vm_page_queue_free_mtx);
ret = vm_phys_unfree_page(m);
+ if (ret != 0)
+ vm_phys_freecnt_adj(m, -1);
mtx_unlock(&vm_page_queue_free_mtx);
- if (ret) {
+ if (ret != 0) {
TAILQ_INSERT_TAIL(&blacklist_head, m, listq);
if (verbose)
printf("Skipping page with pa 0x%jx\n", (uintmax_t)pa);
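Review bot: The new vm_phys_freecnt_adj(m, -1) call has no comment saying why the caller has to adjust the free count after vm_phys_unfree_page(m) succeeds, which is the whole of the fix described in EN-18:17. Suggest a one-line comment above the first "if (ret != 0)" inside the locked region. The change from "if (ret)" to "if (ret != 0)" on the second test is style only and does not affect behaviour.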


@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=f2RG
-----END PGP SIGNATURE-----


@ -0,0 +1,44 @@
--- sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c.orig
+++ sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c
@@ -1155,15 +1155,27 @@
*/
ASSERT3P(zp, !=, NULL);
ASSERT3U(zp->z_id, ==, obj_num);
- *zpp = zp;
- vp = ZTOV(zp);
-
- /* Don't let the vnode disappear after ZFS_OBJ_HOLD_EXIT. */
- VN_HOLD(vp);
+ if (zp->z_unlinked) {
+ err = SET_ERROR(ENOENT);
+ } else {
+ vp = ZTOV(zp);
+ /*
+ * Don't let the vnode disappear after
+ * ZFS_OBJ_HOLD_EXIT.
+ */
+ VN_HOLD(vp);
+ *zpp = zp;
+ err = 0;
+ }
sa_buf_rele(db, NULL);
ZFS_OBJ_HOLD_EXIT(zfsvfs, obj_num);
+ if (err) {
+ getnewvnode_drop_reserve();
+ return (err);
+ }
+
locked = VOP_ISLOCKED(vp);
VI_LOCK(vp);
if ((vp->v_iflag & VI_DOOMED) != 0 &&
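Review bot: On the new z_unlinked path, *zpp is no longer assigned before the function returns ENOENT, because "*zpp = zp;" moved into the else branch. Unless *zpp is set to NULL earlier in the function (not visible in this hunk), a caller that uses the pointer without checking the return value would see whatever was there before; suggest setting *zpp = NULL on the error path or noting in a comment that it is already initialised. It would also help to say in the comment why an unlinked znode is refused here, since the notice describes the bug as an endless retry on the vnode lock.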
@@ -1196,7 +1208,7 @@
}
VI_UNLOCK(vp);
getnewvnode_drop_reserve();
- return (0);
+ return (err);
}
/*


@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=YWPI
-----END PGP SIGNATURE-----


@ -0,0 +1,13 @@
--- libexec/bootpd/bootpd.c.orig
+++ libexec/bootpd/bootpd.c
@@ -636,6 +636,10 @@
char *homedir, *bootfile;
int n;
+ if (bp->bp_htype >= hwinfocnt) {
+ report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype);
+ return;
+ }
bp->bp_file[sizeof(bp->bp_file)-1] = '\0';
/* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */
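Review bot: The new bounds check calls report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype) for every rejected packet, and bp_htype comes straight from the network, so anyone who can reach the daemon controls how often this line is written. Consider logging at a lower priority or limiting the rate. A short comment saying what bp_htype is later used to index would explain why the comparison is against hwinfocnt, and a blank line between the "int n;" declaration and the new "if" would separate declarations from code.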


@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


@ -10,6 +10,15 @@
<month>
<name>12</name>
<day>
<name>19</name>
<advisory>
<name>FreeBSD-SA-18:15.bootpd</name>
</advisory>
</day>
<day>
<name>04</name>


@ -7,6 +7,27 @@
<year>
<name>2018</name>
<month>
<name>12</name>
<day>
<name>19</name>
<notice>
<name>FreeBSD-EN-18:18.zfs</name>
</notice>
<notice>
<name>FreeBSD-EN-18:17.vm</name>
</notice>
<notice>
<name>FreeBSD-EN-18:16.ptrace</name>
</notice>
</day>
</month>
<month>
<name>11</name>