Add EN-19:16, EN-19:17, and SA-19:22 to SA-19:24.

Approved by:	so

share/security/advisories/FreeBSD-EN-19:16.bhyve.asc

@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:16.bhyve                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Bhyve instruction emulation improvements (opcode 03H and F7H)
+
+Category:       core
+Module:         bhyve
+Announced:      2019-08-20
+Credits:        John Baldwin, Jason Tubnor
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-07-07 17:30:23 UTC (stable/12, 12.0-STABLE)
+                2019-08-20 17:45:44 UTC (releng/12.0, 12.0-RELEASE-p10)
+                2019-07-07 17:31:13 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:45:44 UTC (releng/11.3, 11.3-RELEASE-p3)
+
+Note: This errata notice does not update FreeBSD 11.2.  FreeBSD 11.2
+users affected by this update should upgrade to FreeBSD 11.3.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines, using hardware virtualization in Intel and AMD
+CPUs.  Some instructions are not handled by hardware virtualization and must
+be emulated by the hypervisor.
+
+II.  Problem Description
+
+Some newer software uses instructions previously not handled by bhyve's
+instruction emulation.  This errata notice adds emulation for two instruction
+opcodes, to enable flash variable storage in OVMF and to support guest
+operating systems compiled with Clang 8.0.0 that use the TEST instruction
+against local APIC registers (such as OpenBSD 6.6).
+
+III. Impact
+
+Guest firmware or operating systems using unsupported instructions caused
+bhyve to exit with a "Failed to emulate instruction" error.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.3, FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/EN-19:16/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:16/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Start the applicable virtual machines.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r349808
+releng/12.0/                                                      r351256
+stable/11/                                                        r349809
+releng/11.3/                                                      r351256
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238794>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:16.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPfFfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJzqA//XiWRn/psT+I8r7MSiS6K2bJASZlFGUDnVqLsFAnj2XoZlSp265dZw0R7
+t++kBPu0Q9vm3FphkE/J3e4fR9PyCsa5QpEvTeXE9v1RixrkmmLT56ukR3BgivKa
+rmCTjkwLikmRb8qrRMly9ERjwySKlUZmOMHX1xte33WTi2eVwZUfNg9xNq1c4YGi
+QvIABOa1xTZHr0oyeZfmuEyhSDRD+jzb+mOboX9TFQSfAUwC16VDCAHu5SwXNeQS
+l4/FxrYf0yupf2bqwWmfeRlAE25nHGErsaXiQwqdPZB3SUTECpDcl5BCwPwA+pr3
+Jf7lxTPrp/NLi7sghgofOX5AwbiVacYxN45P4JNjBB5OpDut+e196VkzO1IAXVRb
+spyc/zKE6BWYRT2KOeNlMzmQXmDIjZERuumV98DQQEAAw52p+RWdEU3IlfZ+plW7
+bF8P/OmJ5DDcdW1XeONIzFaal4VFjauDsmPt5QTyb/SpX/20hvTT3/QCbDJJiRu3
+5Lf7RPMK63r+uFwLz58XrGJwimYdKCn67nC+o1k/j9Izc63+At9h0tU2XR2u7V8c
+iuQaGkeBT/OjtVg6/IjCs4SbT24wbmP1LecUtQyFzZkHdNkdw7+67Ty2Y3jGE3GG
+sCpU88b0PIh2pJ+4oJ28WwH2M55VnxuId5N0uosrAGSo/C1kYWY=
+=CkK1
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-19:17.ipfw.asc

@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:17.ipfw                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          ipfw(8) jail keyword broken prior to jail startup
+
+Category:       core
+Module:         ipfw
+Announced:      2019-08-20
+Affects:        FreeBSD 11.3
+Corrected:      2019-08-15 17:40:48 UTC (stable/12, 12.0-STABLE)
+                2019-08-15 17:40:48 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:46:40 UTC (releng/11.3, 11.3-RELEASE-p3)
+
+Note that this issue was introduced after the FreeBSD 11.2 and 12.0 releases.
+FreeBSD 11.3 is the only affected release.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ipfw(8) utility configures rules for the ipfw(4) firewall.  The jail
+keyword applies the rule for packets pertaining to the given jail, named by
+the argument.
+
+II.  Problem Description
+
+The jail argument no longer allowed jids to be specified before a jail was
+created.  Attempts to use the jail keyword in this scenario would result in
+"jail <jid> not found" errors, when previously these rules would apply to
+any jail with the given jid that was subsequently started.
+
+III. Impact
+
+The ipfw(4) firewall will reject rules that attempt to use the jail
+keyword prior to jail startup, and these rules will not be applied.
+
+IV.  Workaround
+
+The system administrator can apply jail-based firewall rules after jail
+creation.
+
+Systems that do not use ipfw(4) are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-19:17/ipfw.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:17/ipfw.patch.asc
+# gpg --verify ipfw.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+Restart jails to apply firewall rules, if required.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r351094
+stable/11/                                                        r351094
+releng/11.3/                                                      r351258
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:17.ipfw.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPf5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIDTg//ca9BaMVV04yzSaIqgcuxCs5nM6eQMJehRKWP+Ibt6bUUnUYlS8V1HOBD
+eUS0eW9GiO2QkrVmttxrC2IwJSutVzUXMP/zkLEyb91LJ13+YkuLKSaj14pucA+S
+VNy1CH8Sry/PnA+bcFQxgpTAl8EGaTAzT0znRgdvooe26JbHw0y8941t88Mr3giN
+vCPnfAdaT0MjKSdKgykA+xKKgY1+fwA1vUFOYybNzg+eN10gU2qRQfksFc4VpnNd
+7J3j5I2n/1Y1KxsbEagGXK0JOztZa1PhqsAYuj4iAMhM8Nw+vdAtVX8DYyqHEe2m
+hjJyGPu1Lrihrx2PUH5GVv0KXHbLVRnZ/N7Xs3hPsUZWBuSrcU2r3cdqe1nB055D
+PQMr6m+Ydr0DXnySShd5Kow26IBDVJQ+YrGkK88CdMT2YGnarqcg/RaT/eIoJ654
+lKvl5XeOL/P9apU567HzYoAUVlvxMAD2pEd2+NGr9gi3bXfAg2Usjeekwo7BRRMo
+Ddmec7Ql/wBU0RED67l+TYIM2IDNj5ofua6WrSrs8QCIeNXnYi8kBLTBwKBiz5Fw
+scisoACv92zexrIpac1RoAT/+OdWUgwtCx7axyLybbEsAC2FDfSDVqlJfq0m+DFY
+/R3Bezk1Ek+U4KUpQr6I1DSBU+1Uo8DljfwkwH8DVn+aWy3194Q=
+=8VPw
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-19:22.mbuf.asc

@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:22.mbuf                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          IPv6 remote Denial-of-Service
+
+Category:       kernel
+Module:         net
+Announced:      2019-08-20
+Credits:        Clement Lecigne
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE)
+                2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10)
+                2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3)
+                2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14)
+CVE Name:       CVE-2019-5611
+
+For general information regarding FreeBSD Security Advisories, including
+descriptions of the fields above, security branches, and the following
+sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+mbufs are a unit of memory management mostly used in the kernel for network
+packets and socket buffers.  m_pulldown(9) is a function to arrange the data
+in a chain of mbufs.
+
+II.  Problem Description
+
+Due do a missing check in the code of m_pulldown(9) data returned may not be
+contiguous as requested by the caller.
+
+III. Impact
+
+Extra checks in the IPv6 code catch the error condition and trigger a kernel
+panic leading to a remote DoS (denial-of-service) attack with certain
+Ethernet interfaces.  At this point it is unknown if any other than the IPv6
+code paths can trigger a similar condition.
+
+IV.  Workaround
+
+For the currently known attack vector systems with IPv6 not enabled are not
+vulnerable.
+
+On systems with IPv6 active, IPv6 fragmentation may be disabled, or
+a firewall can be used to filter out packets with certain or excessive
+amounts of extension headers in a first fragment.  These rules may be
+dependent on the operational needs of each site.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc
+# gpg --verify mbuf.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r350828
+releng/12.0/                                                      r351259
+stable/11/                                                        r350829
+releng/11.3/                                                      r351259
+releng/11.2/                                                      r351259
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238787>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5611>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:22.mbuf.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgFfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cK+4w/7BCGyLpeSCIaHMpKdZvSqKc6RptLyxPq1q6XO/5fUxQiBXuwxfZIUO45o
+VyQCsuVf0QDeT/HaMJAdTr450RlSs1ozyzEmd2iLfwqmpc8JRemihrzHkNMfny1U
+Y4ffN6zyrOLyFeyQcdbgHUKHwuAvGZFhR/PtPJfWDmULi0vW5PHBGjxOQmxKbbUr
+6zcR+gKrm5E3vLW4vD2gvsB1RGyOzUBOaEeQU36LE1/W6hhgwtXAkZacEP+W4BiB
+jPbG7u23C3a2KcRImCWM2vJ5dZFoa0Mz5+vHzaSMwPT49KRRRRkcd7+azqUfbGg0
+k9Py6KuwGhclNmehpUth0NlvR89JV58Fbkh7TaCWHV51hAWoH/1EQdJNY9yb0eAZ
+AgsvAiotWU1VNDcF2xWaf5m3VE87jl0/Bz9BgpVFI0kHuof4OwiG9PkdFI1q0Yl2
+TdkksZj1iRETN8/Qt5HGzY1pGQFRc7b+nE9GIfIUcEH1B7d7Gb58DVElZ95Og+EF
+bGwR6/e7r39mBsqs0qloYgk/2c6B4vuFyt8b9Yhuw4ns0SpO4cP9XYXawUff7+p3
+oLo7dqPKn8fMRLhT0/QZfPRyluUshVvJW1Yg9HWdYMYm7wFAilemnMWMxJKIUOmt
+pkQx3e6Tvk3VNkls4yv7GbApO5iMNXaBvC2JYMP0GUiQ1FOkB9M=
+=ip7/
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-19:23.midi.asc

@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:23.midi                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          kernel memory disclosure from /dev/midistat
+
+Category:       core
+Module:         sound
+Announced:      2019-08-20
+Credits:        Peter Holm, Mark Johnston
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
+                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
+                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
+                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
+CVE Name:       CVE-2019-5612
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+/dev/midistat is a device file which can be read to obtain a
+human-readable list of the available MIDI-capable devices in the system.
+
+II.  Problem Description
+
+The kernel driver for /dev/midistat implements a handler for read(2).
+This handler is not thread-safe, and a multi-threaded program can
+exploit races in the handler to cause it to copy out kernel memory
+outside the boundaries of midistat's data buffer.
+
+III. Impact
+
+The races allow a program to read kernel memory within a 4GB window
+centered at midistat's data buffer.  The buffer is allocated each
+time the device is opened, so an attacker is not limited to a static
+4GB region of memory.
+
+On 32-bit platforms, an attempt to trigger the race may cause a page
+fault in kernel mode, leading to a panic.
+
+IV.  Workaround
+
+No workaround is available.  Custom kernels without "device sound"
+are not vulnerable.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
+# gpg --verify midi.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r351264
+releng/12.0/                                                      r351260
+stable/11/                                                        r351265
+releng/11.3/                                                      r351260
+releng/11.2/                                                      r351260
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cItmQ/9HL5BIP/QUvfcBbhZmZAXa7O7V9Em4auumaUWEPnUaAR0vNKZqMvFXNeN
+v51/HOwCZte2fCgs8rxSH9ncQR+cUk/3nXO7PZ7pNPNfvuJoPlCV1rIuRrdwm14+
++pZIJpY65gmmXyh5Qa5cw41MEWuDcKluUg38zEROwBpX4h0J/ZuMSARn/s1jj/kJ
+hy2yzgPTz8gAzkNd8OtQm1CHdFnKWabuAHBlltj9qIA3OvJL+TpIFmzU5jA7wO1n
+w9GCcz73+IA1RZXu8vPsW9AEc/1LlUrNcyLmJ+bZjW9b7mY9dq+ackvULTzFV21u
+5xW2FEX3EBr3kFSbWyIS9zuTX4InftoAr97CBxNMYa25/0En4Ri2rB3oH49BgqTb
+sr6p5hO3ZB6gOfJIm3WeYIc9dXsqQcWC/Y8hp7zO/Ef29jBHaa76ZX3uGgKGgyoo
+UcoEjIx4ZpiqQxUEigKdlpEQdUtCIOSZ1NjSYDRFuCURDI07o1Oi8/HSdb9tNRe4
+IxfmT7G+oBGbhjZ/bziC/tZX/whXzBdo6eNIBC8XW8hrTDIXVCyqls3igiSqxoFA
+WMpQN2gEZ6Yug0zpRCn4fj+dvBobpAle7F/gwZdFeWU/wtDiLQHnBOxPaobR56Qy
+fIoVVGufmnjbSReSGh1WtFhDt+uJ8zal/EqGWi3IBIFpxjhAuP0=
+=I8mB
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc

@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:24.mqueuefs                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Reference count overflow in mqueue filesystem 32-bit compat
+
+Category:       core
+Module:         kernel
+Announced:      2019-08-20
+Credits:        Karsten König, Secfault Security
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-08-20 17:45:22 UTC (stable/12, 12.0-STABLE)
+                2019-08-20 17:51:32 UTC (releng/12.0, 12.0-RELEASE-p10)
+                2019-08-20 17:46:22 UTC (stable/11, 11.3-STABLE)
+                2019-08-20 17:51:32 UTC (releng/11.3, 11.3-RELEASE-p3)
+                2019-08-20 17:51:32 UTC (releng/11.2, 11.2-RELEASE-p14)
+CVE Name:       CVE-2019-5603
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+Note: This issue is related to the previously disclosed SA-19:15.mqueuefs.
+It is another instance of the same bug and as such shares the same CVE.
+
+I.   Background
+
+mqueuefs(5) implements POSIX message queue file system which can be used
+by processes as a communication mechanism.
+
+'struct file' represents open files, directories, sockets and other
+entities.
+
+II.  Problem Description
+
+System calls operating on file descriptors obtain a reference to
+relevant struct file which due to a programming error was not always put
+back, which in turn could be used to overflow the counter of affected
+struct file.
+
+III. Impact
+
+A local user can use this flaw to obtain access to files, directories,
+sockets, etc., opened by processes owned by other users.  If obtained
+struct file represents a directory from outside of user's jail, it can
+be used to access files outside of the jail.  If the user in question is
+a jailed root they can obtain root privileges on the host system.
+
+IV.  Workaround
+
+No workaround is available.  Note that the mqueuefs file system is not
+enabled by default.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch.asc
+# gpg --verify mqueuefs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r351255
+releng/12.0/                                                      r351261
+stable/11/                                                        r351257
+releng/11.3/                                                      r351261
+releng/11.2/                                                      r351261
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:24.mqueuefs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPglfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIKGA/+Oh+ORvFs273SJwaYaf8LCJ21IJnzVxDp9vS6MSO79LmI6HeiqAy9apQs
+Ec4zOXvE5MzYfA+E9jyRa6c4h7OY7uSSym15wCjLLi+DWPJ1lcCPAv01JuAgSw9E
+GkLOprdk2aETTe1jc3DjXv0q56JZM79vegL2Nn/AJd7GZqSI4Qxf0M+87eWFMxd6
+dFlvZtnh4QGuSC8w+ls5LpcGHfr8T6w4WwNv6hfvxu//Bg/6BRYKEIAnAu/P+udd
+LrZO5lY9IwdaLQckk44nCr02lHVG/G3JgyW2iWAn5tm0CPkQmbawbc6V2WN+lwYf
+ynn0ORfKWZpeLN6hd1QedlBhyEblUdjveVy9vaJI2KieHdRMlb56/HsPQqwZLdgV
+QrpambGJ4J+48gYcgOXsOn52kIG7iKLfyEsiH4mrQtlZEjfluWt0cGcNuMLNqgPc
+WZC1Kqpx3OI00u2M+85xnM8V4VL7iQnX7WWoe8qICZDksAsm4LDTwOP4HdfXkCgs
+iSibovwF9ZcKwZjB8AZ+smjRyHGb2KEs+WlGI+ASE5UF8jYshCEZWKfJFd59BJZx
+uw/lngCium0OgQ0Bzt0NnqR663kzSE1f7ZGLJtoc5+xaWbnTbifykYsM88hO/+/v
+LH/fYRdgXkDTtShiMgppx/YrfTF33+hea18CdNdtdPJmH99lPmE=
+=1dwe
+-----END PGP SIGNATURE-----

share/security/patches/EN-19:16/bhyve.patch

@@ -0,0 +1,239 @@
+--- sys/amd64/vmm/vmm_instruction_emul.c.orig
++++ sys/amd64/vmm/vmm_instruction_emul.c
+@@ -77,6 +77,8 @@
+ 	VIE_OP_TYPE_STOS,
+ 	VIE_OP_TYPE_BITTEST,
+ 	VIE_OP_TYPE_TWOB_GRP15,
++	VIE_OP_TYPE_ADD,
++	VIE_OP_TYPE_TEST,
+ 	VIE_OP_TYPE_LAST
+ };
+ 
+@@ -112,6 +114,10 @@
+ };
+ 
+ static const struct vie_op one_byte_opcodes[256] = {
++	[0x03] = {
++		.op_byte = 0x03,
++		.op_type = VIE_OP_TYPE_ADD,
++	},
+ 	[0x0F] = {
+ 		.op_byte = 0x0F,
+ 		.op_type = VIE_OP_TYPE_TWO_BYTE
+@@ -216,6 +222,12 @@
+ 		.op_byte = 0x8F,
+ 		.op_type = VIE_OP_TYPE_POP,
+ 	},
++	[0xF7] = {
++		/* XXX Group 3 extended opcode - not just TEST */
++		.op_byte = 0xF7,
++		.op_type = VIE_OP_TYPE_TEST,
++		.op_flags = VIE_OP_F_IMM,
++	},
+ 	[0xFF] = {
+ 		/* XXX Group 5 extended opcode - not just PUSH */
+ 		.op_byte = 0xFF,
+@@ -410,6 +422,76 @@
+ 		return (getcc64(x, y));
+ }
+ 
++/*
++ * Macro creation of functions getaddflags{8,16,32,64}
++ */
++#define	GETADDFLAGS(sz)							\
++static u_long								\
++getaddflags##sz(uint##sz##_t x, uint##sz##_t y)				\
++{									\
++	u_long rflags;							\
++									\
++	__asm __volatile("add %2,%1; pushfq; popq %0" :			\
++	    "=r" (rflags), "+r" (x) : "m" (y));				\
++	return (rflags);						\
++} struct __hack
++
++GETADDFLAGS(8);
++GETADDFLAGS(16);
++GETADDFLAGS(32);
++GETADDFLAGS(64);
++
++static u_long
++getaddflags(int opsize, uint64_t x, uint64_t y)
++{
++	KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
++	    ("getaddflags: invalid operand size %d", opsize));
++
++	if (opsize == 1)
++		return (getaddflags8(x, y));
++	else if (opsize == 2)
++		return (getaddflags16(x, y));
++	else if (opsize == 4)
++		return (getaddflags32(x, y));
++	else
++		return (getaddflags64(x, y));
++}
++
++/*
++ * Return the status flags that would result from doing (x & y).
++ */
++#define	GETANDFLAGS(sz)							\
++static u_long								\
++getandflags##sz(uint##sz##_t x, uint##sz##_t y)				\
++{									\
++	u_long rflags;							\
++									\
++	__asm __volatile("and %2,%1; pushfq; popq %0" :			\
++	    "=r" (rflags), "+r" (x) : "m" (y));				\
++	return (rflags);						\
++} struct __hack
++
++GETANDFLAGS(8);
++GETANDFLAGS(16);
++GETANDFLAGS(32);
++GETANDFLAGS(64);
++
++static u_long
++getandflags(int opsize, uint64_t x, uint64_t y)
++{
++	KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
++	    ("getandflags: invalid operand size %d", opsize));
++
++	if (opsize == 1)
++		return (getandflags8(x, y));
++	else if (opsize == 2)
++		return (getandflags16(x, y));
++	else if (opsize == 4)
++		return (getandflags32(x, y));
++	else
++		return (getandflags64(x, y));
++}
++
+ static int
+ emulate_mov(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
+ 	    mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
+@@ -1179,6 +1261,111 @@
+ }
+ 
+ static int
++emulate_test(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
++    mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
++{
++	int error, size;
++	uint64_t op1, rflags, rflags2;
++
++	size = vie->opsize;
++	error = EINVAL;
++
++	switch (vie->op.op_byte) {
++	case 0xF7:
++		/*
++		 * F7 /0		test r/m16, imm16
++		 * F7 /0		test r/m32, imm32
++		 * REX.W + F7 /0	test r/m64, imm32 sign-extended to 64
++		 *
++		 * Test mem (ModRM:r/m) with immediate and set status
++		 * flags according to the results.  The comparison is
++		 * performed by anding the immediate from the first
++		 * operand and then setting the status flags.
++		 */
++		if ((vie->reg & 7) != 0)
++			return (EINVAL);
++
++		error = memread(vm, vcpuid, gpa, &op1, size, arg);
++		if (error)
++			return (error);
++
++		rflags2 = getandflags(size, op1, vie->immediate);
++		break;
++	default:
++		return (EINVAL);
++	}
++	error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
++	if (error)
++		return (error);
++
++	/*
++	 * OF and CF are cleared; the SF, ZF and PF flags are set according
++	 * to the result; AF is undefined.
++	 */
++	rflags &= ~RFLAGS_STATUS_BITS;
++	rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
++
++	error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
++	return (error);
++}
++
++static int
++emulate_add(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
++	    mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
++{
++	int error, size;
++	uint64_t nval, rflags, rflags2, val1, val2;
++	enum vm_reg_name reg;
++
++	size = vie->opsize;
++	error = EINVAL;
++
++	switch (vie->op.op_byte) {
++	case 0x03:
++		/*
++		 * ADD r/m to r and store the result in r
++		 *
++		 * 03/r            ADD r16, r/m16
++		 * 03/r            ADD r32, r/m32
++		 * REX.W + 03/r    ADD r64, r/m64
++		 */
++
++		/* get the first operand */
++		reg = gpr_map[vie->reg];
++		error = vie_read_register(vm, vcpuid, reg, &val1);
++		if (error)
++			break;
++
++		/* get the second operand */
++		error = memread(vm, vcpuid, gpa, &val2, size, arg);
++		if (error)
++			break;
++
++		/* perform the operation and write the result */
++		nval = val1 + val2;
++		error = vie_update_register(vm, vcpuid, reg, nval, size);
++		break;
++	default:
++		break;
++	}
++
++	if (!error) {
++		rflags2 = getaddflags(size, val1, val2);
++		error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
++		    &rflags);
++		if (error)
++			return (error);
++
++		rflags &= ~RFLAGS_STATUS_BITS;
++		rflags |= rflags2 & RFLAGS_STATUS_BITS;
++		error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
++		    rflags, 8);
++	}
++
++	return (error);
++}
++
++static int
+ emulate_sub(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
+ 	    mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
+ {
+@@ -1543,6 +1730,14 @@
+ 		error = emulate_twob_group15(vm, vcpuid, gpa, vie,
+ 		    memread, memwrite, memarg);
+ 		break;
++	case VIE_OP_TYPE_ADD:
++		error = emulate_add(vm, vcpuid, gpa, vie, memread,
++		    memwrite, memarg);
++		break;
++	case VIE_OP_TYPE_TEST:
++		error = emulate_test(vm, vcpuid, gpa, vie,
++		    memread, memwrite, memarg);
++		break;
+ 	default:
+ 		error = EINVAL;
+ 		break;

share/security/patches/EN-19:16/bhyve.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPhRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJHuA//cW9cKXRVjNzTpfYVFy5yLbREVsE2nsGzTETuWXhx/aJNoEz6hPo0f169
+K2OQfz4rxhaFzA0BbwTRpFeYXRbV6e+iwgcWfNlYKiNpJi5RCMDsKQ4XsaH6gPKi
+swqliOl4uHLcuJeGhzkQ1fYyXjGxMJvOqpTs9brOj1btimCF0MJ/j9EpuWVX+lKH
+HVt8CyqX6HtixN8WF7ghs6D3hQUamhLNLJanoDicjuxE7uJr3P/ZVrc1ETI1uKO/
+LVFM94oXmRDzkMyEkRNFyoYyc0fCSS2FJrDY6EnfqcMs9IrtS2iC7Cjj8zWzEKtR
+FEVyCiruDNbQftF7/cMquksqNIhdlifVKGRFT13WvFkm2iVDNypTtO6eXDCHaxZe
+Z8KKEoPBoJDux9/VSnt038zLCNVOxrFGaDrupRL2xZTrgmCF56WN8lALNVzmrZlN
+0u0RwGM21xgdzt/58zmFfdlMI9hGfbsDTE1Wwj38eZd+qRzR3o+VxMgnFu0vxAcD
+R12fi8xOe9QoS13O5OCb3ouxK9mUrd0a56kSBO/rRHt4DD+u+FCN33u/0uBDgI06
+Av7p5Hjt0/C89fuFZzMOPD98a0PcSUhdmXOlMAQUotMvhXRbl4nKiGsOVDpmCYz6
+pow+Sf971OXGXEWyaf3UBIfhlANMrANAFTNljuhGOoLtQRrpw0w=
+=Tmxy
+-----END PGP SIGNATURE-----

share/security/patches/EN-19:17/ipfw.patch

@@ -0,0 +1,33 @@
+--- sbin/ipfw/ipfw2.c.orig
++++ sbin/ipfw/ipfw2.c
+@@ -4662,12 +4662,27 @@
+ 		case TOK_JAIL:
+ 			NEED1("jail requires argument");
+ 		    {
++			char *end;
+ 			int jid;
+ 
+ 			cmd->opcode = O_JAIL;
+-			jid = jail_getid(*av);
+-			if (jid < 0)
+-				errx(EX_DATAERR, "%s", jail_errmsg);
++			/*
++			 * If av is a number, then we'll just pass it as-is.  If
++			 * it's a name, try to resolve that to a jid.
++			 *
++			 * We save the jail_getid(3) call for a fallback because
++			 * it entails an unconditional trip to the kernel to
++			 * either validate a jid or resolve a name to a jid.
++			 * This specific token doesn't currently require a
++			 * jid to be an active jail, so we save a transition
++			 * by simply using a number that we're given.
++			 */
++			jid = strtoul(*av, &end, 10);
++			if (*end != '\0') {
++				jid = jail_getid(*av);
++				if (jid < 0)
++				    errx(EX_DATAERR, "%s", jail_errmsg);
++			}
+ 			cmd32->d[0] = (uint32_t)jid;
+ 			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
+ 			av++;

share/security/patches/EN-19:17/ipfw.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPhhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJoZQ//ZnkPQW6u638iGHQh1f7iqJCF/Q1kbdsKTNNvVEmWJPvcaB7kuTN4xXIt
+Lji51yk1hlVIrol+mmelvidJTkJbKu/GWR1/T4NlZ8Q0gSVZaGK3AZpMbbDI0ZSP
+tyOUD0pPUtsHf6d2oD6ozSAnH+Jk3OxoSwQ6z4PWNGDss69QQcVolpDEC9AXUHJ3
+vVBfk2+lJS5L0HmVIJxWgcS3ce3Qg9LB9VXbJRJ/nLsgMKtE6NHc9gYsnCf2e+r2
+3LTEeZI36BmsIEk7AB/0QN37ghlmpheyDDgd7HjV/PRJL7yWYvppWV3Jvp2yyWpu
+B/zaRKV/KopT+zx0ySiw5yO2R2WBVwNaUpFiRTwPTtJr4P9Ou/v1FkA5demupcUb
+RClgAPTRvBzg7KxC62qJ0h8Bf72ZH5ZPFSfrz548qGduUQ1DVxY3W3+K4aHsRCar
+E14NSZMHI+o5XPvZ+jEVkQV5rRqO0qU7dt+SHDju/0kEXAp+LK3Sn19dOoyD1b+L
+04t0kaYWMvKHHT3SIZMwuXqUU/L3OqrmlI/9/gQe9GSJjkmiABWgxXk8xQPPx+30
+Riij6j12PS2BAU4gj8EN+AuSUajemfXmm8oKd/J/IowEHV79Z2MTbJ8lZbD/Es/V
+ptH7Uf7Sb17mnYsMg7VrznDztFP0w9UuHETuHQM3PVJGqGiej1o=
+=JRT2
+-----END PGP SIGNATURE-----

share/security/patches/SA-19:22/mbuf.patch

@@ -0,0 +1,11 @@
+--- sys/kern/uipc_mbuf2.c.orig
++++ sys/kern/uipc_mbuf2.c
+@@ -216,7 +216,7 @@
+ 		goto ok;
+ 	}
+ 	if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen
+-	 && writable) {
++	 && writable && n->m_next->m_len >= tlen) {
+ 		n->m_next->m_data -= hlen;
+ 		n->m_next->m_len += hlen;
+ 		bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen);

share/security/patches/SA-19:22/mbuf.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPhtfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKtvg/+Kx/TZnaO5CSvdJP4UCqLAnjYvCd2iJnBLGaqspvZA38uhLguvu0qI6Nb
+Ijeg0R26JSruqlTCFD2NZi64b76ErMsymlwSJfbNheNU/Mk16MYNPvvTeAv/0LcU
+OHNBNTcQ40mb5whr/yDp6fJk1IE+yDU0nryNaP3gSw91fKO4CrCbmZhK8+XbjudA
+YlqmvcbbHlet7DJ4UUONwo1SZpF/l7CmjTFA++rHMxAwPD2jodU3js3kJjgv6JOj
+53jqIOyxSJNHRQqjRMjJ3m/Ctf1DHJa8LQkt8dFtMB9bWJ2qeYlJsm8Sosie8hD4
+gVPFEZP3m0qF8Zpbm2jXn0QkZ620l/jGmbn2ZfFikB0slSYWO5b2zcl1KiwsVCnv
+Bfx9OuIRtrFLmv3yi6lBKdEKZFzXN6/nXf0PdTvwKqszfJIveCMVOtjdbzzxfHwf
+r5MiTkLvcytnlpQybn3jCxSi2Kdmsted7BUXlClRN/ySFUxiJpP0HRURsnD3gOtj
+LaJS1FWcsrDvShjbXAon+vp59OewnmuJyDGizcRMOsHTK2yl97TR0cq0kcWi3X4R
+6O+d8OfKx7goQ03Oa/G4KVJZTzrk9OAXNcV4iZSHCRc9XqaeoZdNe6zu5Acs030J
+JGCe0vC23wb7dDYY042rTRBfnvURF8TyYUmWGCWYiUBd85mHxiQ=
+=v2wC
+-----END PGP SIGNATURE-----

share/security/patches/SA-19:23/midi.patch

@@ -0,0 +1,333 @@
+--- sys/dev/sound/midi/midi.c.orig
++++ sys/dev/sound/midi/midi.c
+@@ -40,6 +40,7 @@
+ __FBSDID("$FreeBSD$");
+ 
+ #include <sys/param.h>
++#include <sys/systm.h>
+ #include <sys/queue.h>
+ #include <sys/kernel.h>
+ #include <sys/lock.h>
+@@ -49,10 +50,8 @@
+ #include <sys/conf.h>
+ #include <sys/selinfo.h>
+ #include <sys/sysctl.h>
+-#include <sys/types.h>
+ #include <sys/malloc.h>
+-#include <sys/param.h>
+-#include <sys/systm.h>
++#include <sys/sx.h>
+ #include <sys/proc.h>
+ #include <sys/fcntl.h>
+ #include <sys/types.h>
+@@ -187,10 +186,9 @@
+  * /dev/midistat variables and declarations, protected by midistat_lock
+  */
+ 
+-static struct mtx midistat_lock;
++static struct sx midistat_lock;
+ static int      midistat_isopen = 0;
+ static struct sbuf midistat_sbuf;
+-static int      midistat_bufptr;
+ static struct cdev *midistat_dev;
+ 
+ /*
+@@ -289,7 +287,7 @@
+ 	MIDI_TYPE *buf;
+ 
+ 	MIDI_DEBUG(1, printf("midiinit: unit %d/%d.\n", unit, channel));
+-	mtx_lock(&midistat_lock);
++	sx_xlock(&midistat_lock);
+ 	/*
+ 	 * Protect against call with existing unit/channel or auto-allocate a
+ 	 * new unit number.
+@@ -316,13 +314,8 @@
+ 		unit = i + 1;
+ 
+ 	MIDI_DEBUG(1, printf("midiinit #2: unit %d/%d.\n", unit, channel));
+-	m = malloc(sizeof(*m), M_MIDI, M_NOWAIT | M_ZERO);
+-	if (m == NULL)
+-		goto err0;
+-
+-	m->synth = malloc(sizeof(*m->synth), M_MIDI, M_NOWAIT | M_ZERO);
+-	if (m->synth == NULL)
+-		goto err1;
++	m = malloc(sizeof(*m), M_MIDI, M_WAITOK | M_ZERO);
++	m->synth = malloc(sizeof(*m->synth), M_MIDI, M_WAITOK | M_ZERO);
+ 	kobj_init((kobj_t)m->synth, &midisynth_class);
+ 	m->synth->m = m;
+ 	kobj_init((kobj_t)m, cls);
+@@ -331,7 +324,7 @@
+ 
+ 	MIDI_DEBUG(1, printf("midiinit queues %d/%d.\n", inqsize, outqsize));
+ 	if (!inqsize && !outqsize)
+-		goto err2;
++		goto err1;
+ 
+ 	mtx_init(&m->lock, "raw midi", NULL, 0);
+ 	mtx_init(&m->qlock, "q raw midi", NULL, 0);
+@@ -356,8 +349,7 @@
+ 
+ 	if ((inqsize && !MIDIQ_BUF(m->inq)) ||
+ 	    (outqsize && !MIDIQ_BUF(m->outq)))
+-		goto err3;
+-
++		goto err2;
+ 
+ 	m->busy = 0;
+ 	m->flags = 0;
+@@ -366,14 +358,14 @@
+ 	m->cookie = cookie;
+ 
+ 	if (MPU_INIT(m, cookie))
+-		goto err3;
++		goto err2;
+ 
+ 	mtx_unlock(&m->lock);
+ 	mtx_unlock(&m->qlock);
+ 
+ 	TAILQ_INSERT_TAIL(&midi_devs, m, link);
+ 
+-	mtx_unlock(&midistat_lock);
++	sx_xunlock(&midistat_lock);
+ 
+ 	m->dev = make_dev(&midi_cdevsw,
+ 	    MIDIMKMINOR(unit, MIDI_DEV_RAW, channel),
+@@ -382,16 +374,19 @@
+ 
+ 	return m;
+ 
+-err3:	mtx_destroy(&m->qlock);
++err2:
++	mtx_destroy(&m->qlock);
+ 	mtx_destroy(&m->lock);
+ 
+ 	if (MIDIQ_BUF(m->inq))
+ 		free(MIDIQ_BUF(m->inq), M_MIDI);
+ 	if (MIDIQ_BUF(m->outq))
+ 		free(MIDIQ_BUF(m->outq), M_MIDI);
+-err2:	free(m->synth, M_MIDI);
+-err1:	free(m, M_MIDI);
+-err0:	mtx_unlock(&midistat_lock);
++err1:
++	free(m->synth, M_MIDI);
++	free(m, M_MIDI);
++err0:
++	sx_xunlock(&midistat_lock);
+ 	MIDI_DEBUG(1, printf("midi_init ended in error\n"));
+ 	return NULL;
+ }
+@@ -409,7 +404,7 @@
+ 	int err;
+ 
+ 	err = EBUSY;
+-	mtx_lock(&midistat_lock);
++	sx_xlock(&midistat_lock);
+ 	mtx_lock(&m->lock);
+ 	if (m->busy) {
+ 		if (!(m->rchan || m->wchan))
+@@ -428,8 +423,10 @@
+ 	if (!err)
+ 		goto exit;
+ 
+-err:	mtx_unlock(&m->lock);
+-exit:	mtx_unlock(&midistat_lock);
++err:
++	mtx_unlock(&m->lock);
++exit:
++	sx_xunlock(&midistat_lock);
+ 	return err;
+ }
+ 
+@@ -941,27 +938,22 @@
+ 	int error;
+ 
+ 	MIDI_DEBUG(1, printf("midistat_open\n"));
+-	mtx_lock(&midistat_lock);
+ 
++	sx_xlock(&midistat_lock);
+ 	if (midistat_isopen) {
+-		mtx_unlock(&midistat_lock);
++		sx_xunlock(&midistat_lock);
+ 		return EBUSY;
+ 	}
+ 	midistat_isopen = 1;
+-	mtx_unlock(&midistat_lock);
+-
+ 	if (sbuf_new(&midistat_sbuf, NULL, 4096, SBUF_AUTOEXTEND) == NULL) {
+ 		error = ENXIO;
+-		mtx_lock(&midistat_lock);
+ 		goto out;
+ 	}
+-	mtx_lock(&midistat_lock);
+-	midistat_bufptr = 0;
+ 	error = (midistat_prepare(&midistat_sbuf) > 0) ? 0 : ENOMEM;
+-
+-out:	if (error)
++out:
++	if (error)
+ 		midistat_isopen = 0;
+-	mtx_unlock(&midistat_lock);
++	sx_xunlock(&midistat_lock);
+ 	return error;
+ }
+ 
+@@ -969,40 +961,40 @@
+ midistat_close(struct cdev *i_dev, int flags, int mode, struct thread *td)
+ {
+ 	MIDI_DEBUG(1, printf("midistat_close\n"));
+-	mtx_lock(&midistat_lock);
++	sx_xlock(&midistat_lock);
+ 	if (!midistat_isopen) {
+-		mtx_unlock(&midistat_lock);
++		sx_xunlock(&midistat_lock);
+ 		return EBADF;
+ 	}
+ 	sbuf_delete(&midistat_sbuf);
+ 	midistat_isopen = 0;
+-
+-	mtx_unlock(&midistat_lock);
++	sx_xunlock(&midistat_lock);
+ 	return 0;
+ }
+ 
+ static int
+-midistat_read(struct cdev *i_dev, struct uio *buf, int flag)
++midistat_read(struct cdev *i_dev, struct uio *uio, int flag)
+ {
+-	int l, err;
++	long l;
++	int err;
+ 
+ 	MIDI_DEBUG(4, printf("midistat_read\n"));
+-	mtx_lock(&midistat_lock);
++	sx_xlock(&midistat_lock);
+ 	if (!midistat_isopen) {
+-		mtx_unlock(&midistat_lock);
++		sx_xunlock(&midistat_lock);
+ 		return EBADF;
+ 	}
+-	l = min(buf->uio_resid, sbuf_len(&midistat_sbuf) - midistat_bufptr);
++	if (uio->uio_offset < 0 || uio->uio_offset > sbuf_len(&midistat_sbuf)) {
++		sx_xunlock(&midistat_lock);
++		return EINVAL;
++	}
+ 	err = 0;
++	l = lmin(uio->uio_resid, sbuf_len(&midistat_sbuf) - uio->uio_offset);
+ 	if (l > 0) {
+-		mtx_unlock(&midistat_lock);
+-		err = uiomove(sbuf_data(&midistat_sbuf) + midistat_bufptr, l,
+-		    buf);
+-		mtx_lock(&midistat_lock);
+-	} else
+-		l = 0;
+-	midistat_bufptr += l;
+-	mtx_unlock(&midistat_lock);
++		err = uiomove(sbuf_data(&midistat_sbuf) + uio->uio_offset, l,
++		    uio);
++	}
++	sx_xunlock(&midistat_lock);
+ 	return err;
+ }
+ 
+@@ -1015,7 +1007,7 @@
+ {
+ 	struct snd_midi *m;
+ 
+-	mtx_assert(&midistat_lock, MA_OWNED);
++	sx_assert(&midistat_lock, SA_XLOCKED);
+ 
+ 	sbuf_printf(s, "FreeBSD Midi Driver (midi2)\n");
+ 	if (TAILQ_EMPTY(&midi_devs)) {
+@@ -1378,8 +1370,7 @@
+ static int
+ midi_destroy(struct snd_midi *m, int midiuninit)
+ {
+-
+-	mtx_assert(&midistat_lock, MA_OWNED);
++	sx_assert(&midistat_lock, SA_XLOCKED);
+ 	mtx_assert(&m->lock, MA_OWNED);
+ 
+ 	MIDI_DEBUG(3, printf("midi_destroy\n"));
+@@ -1405,8 +1396,8 @@
+ static int
+ midi_load(void)
+ {
+-	mtx_init(&midistat_lock, "midistat lock", NULL, 0);
+-	TAILQ_INIT(&midi_devs);		/* Initialize the queue. */
++	sx_init(&midistat_lock, "midistat lock");
++	TAILQ_INIT(&midi_devs);
+ 
+ 	midistat_dev = make_dev(&midistat_cdevsw,
+ 	    MIDIMKMINOR(0, MIDI_DEV_MIDICTL, 0),
+@@ -1423,7 +1414,7 @@
+ 
+ 	MIDI_DEBUG(1, printf("midi_unload()\n"));
+ 	retval = EBUSY;
+-	mtx_lock(&midistat_lock);
++	sx_xlock(&midistat_lock);
+ 	if (midistat_isopen)
+ 		goto exit0;
+ 
+@@ -1436,20 +1427,19 @@
+ 		if (retval)
+ 			goto exit1;
+ 	}
+-
+-	mtx_unlock(&midistat_lock);	/* XXX */
+-
++	sx_xunlock(&midistat_lock);
+ 	destroy_dev(midistat_dev);
++
+ 	/*
+ 	 * Made it here then unload is complete
+ 	 */
+-	mtx_destroy(&midistat_lock);
++	sx_destroy(&midistat_lock);
+ 	return 0;
+ 
+ exit1:
+ 	mtx_unlock(&m->lock);
+ exit0:
+-	mtx_unlock(&midistat_lock);
++	sx_xunlock(&midistat_lock);
+ 	if (retval)
+ 		MIDI_DEBUG(2, printf("midi_unload: failed\n"));
+ 	return retval;
+@@ -1498,13 +1488,11 @@
+ 	int retval = 0;
+ 	struct snd_midi *m;
+ 
+-	mtx_lock(&midistat_lock);
+-
++	sx_xlock(&midistat_lock);
+ 	TAILQ_FOREACH(m, &midi_devs, link) {
+ 		retval++;
+ 	}
+-
+-	mtx_unlock(&midistat_lock);
++	sx_xunlock(&midistat_lock);
+ 	return retval;
+ }
+ 
+@@ -1520,17 +1508,15 @@
+ 	struct snd_midi *m;
+ 	int retval = 0;
+ 
+-	mtx_lock(&midistat_lock);
+-
++	sx_xlock(&midistat_lock);
+ 	TAILQ_FOREACH(m, &midi_devs, link) {
+ 		if (unit == retval) {
+-			mtx_unlock(&midistat_lock);
++			sx_xunlock(&midistat_lock);
+ 			return (kobj_t)m->synth;
+ 		}
+ 		retval++;
+ 	}
+-
+-	mtx_unlock(&midistat_lock);
++	sx_xunlock(&midistat_lock);
+ 	return NULL;
+ }
+ 

share/security/patches/SA-19:23/midi.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPh5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKlVg//VZ6BqKXoW5f0HEA3wVdn9if3Fxux4q4hJw80AAJ+Zq+zF8zKCgZRaOS9
+nO+q5zj54IdSBKyGScqJ0owYE2gKdqdXz1/uYTz8cxjiUV+/JNtyPydHrt2eznYI
+9vbeShyCI48BnR74b9EiFY/2Naq0YICv3CHBR9oWSaPkYdLPdF4QSpKwrRSID0Ok
+bnomM8kGAUzpAtPoCMTpn9CJT+J/DCyXzvl3Npcn6m/iZCVtx94rktmWaoTYRNeD
+FkG77hMNkBQFJ3IkJjFJKSswwCky87F8u/2TF6vDyvYvfzpuuOFBS09AET8TmutV
+AmjA64tKltOALunaB5y0w/xXQiL/EoSY29UdH173xjh7/U/OFBA0cL//lFQOiTiE
+LuT0MCxsvk2A6WFglQTw8QMtcx3hez8GYzCmy/gJgVv6889c/l61eYR1TUqxNUKJ
++lzi9q1tX7M1vZmNwEUJLavwvSCJfqMMLO75C0Az8VKfI8HJDLrAeexrLWYK6Ayz
+/TRJx8GHS3lHNcVlBFg1LrvPdDGkOoO9EAIPvP3aUG6d256J/zVUHxvb6iFA4YG5
+9ptHQIXtqGGQTfNUl4WEUjb5+7U9C+QkuW7DCQTcuKEEjohA0SoY77/QU/ZrKX4+
+/G5wlR2hZ6Q9T9QVm1SMAY+rpu4znVWdObt2wsvgSbcNZKsyfF0=
+=Ditr
+-----END PGP SIGNATURE-----

share/security/patches/SA-19:24/mqueuefs.patch

@@ -0,0 +1,19 @@
+--- sys/kern/uipc_mqueue.c.orig
++++ sys/kern/uipc_mqueue.c
+@@ -2806,7 +2806,7 @@
+ 	if (uap->abs_timeout != NULL) {
+ 		error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
+ 		if (error != 0)
+-			return (error);
++			goto out;
+ 		CP(ets32, ets, tv_sec);
+ 		CP(ets32, ets, tv_nsec);
+ 		abs_timeout = &ets;
+@@ -2815,6 +2815,7 @@
+ 	waitok = !(fp->f_flag & O_NONBLOCK);
+ 	error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
+ 		uap->msg_prio, waitok, abs_timeout);
++out:
+ 	fdrop(fp, td);
+ 	return (error);
+ }

share/security/patches/SA-19:24/mqueuefs.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPiJfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKBYQ//SP6pcenVbNJrwNgR25HXKLfJ4osBPxMSVPE3nN5inPfJWAVnL1gNGQSR
+E01Pmxkz/4DrBjPhVlXUkFY7WCZu6QYgBRjFb8WadTGtUS+zg+/hz+/517OclRms
+KvKwZqnYVKDD2141X7Ign4h5EWQek6gkkhOmkMg6ROa2nl932l9RKguRvd6V1hDO
+c+JYhnpcOCj+lTLVF8ZTnOXMgVEVJs9RsBLWlwesDMLKCM4uSAY+p5IoXYiBvUVM
+hqd38u/Lr2QrijWpXwDk4XylxzWoUY+ben4ODtAPuVD0KxyA5h+39xRKCqrgrUfF
+3rYRi/ytSWVElVetitNAJcLrsv1Ho7mhKdTBuVj7zEXto+qtpxaJ/dbYaTUl5dwE
+mQzLOP/XcRpMr2Ryf1MmUxsRlF11g2GcKn2dufycPtiRuTzSDtVmHTLUK1hFsXvT
+QO6Mvfml+far/4ZPvn6Q6KwBoudiUpUiEkwPt2/Nb6ynnHWdUk4av6Kbcu7UlkiR
+a+oPTDlos+p0/IKyjwuBgOFjXC2OKZpELjgL3pmPrhOTEPKLduiFhfsiywN04ofx
+Zh0065kQFnSPenUAsO8s8WNx2gf+JhqG3HZs2Die6lTRmxJsiHYGZ8IpNaPig+W4
+VVJe+iQ7NTQ3gGieWHwnZd2DTvmhoUWnh1usw2XuX8Atug8JCuI=
+=Mzmh
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,23 @@
     <month>
       <name>8</name>
 
+      <day>
+	<name>20</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-19:24.mqueuefs</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-19:23.midi</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-19:22.mbuf</name>
+	</advisory>
+
+      </day>
+
       <day>
 	<name>6</name>
 

share/xml/notices.xml

@@ -10,6 +10,19 @@
     <month>
       <name>8</name>
 
+      <day>
+	<name>20</name>
+
+	<notice>
+	  <name>FreeBSD-EN-19:17.ipfw</name>
+	</notice>
+
+	<notice>
+	  <name>FreeBSD-EN-19:16.bhyve</name>
+	</notice>
+
+      </day>
+
       <day>
 	<name>6</name>