Publish SA-16:15 revised, SA-16:32, EN-16:17, EN-16:18.

Gleb Smirnoff 2016-10-25 17:32:49 +00:00
parent d8fcebec14
commit d25bbfa0fb
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=49582
14 changed files with 843 additions and 31 deletions


@ -0,0 +1,235 @@
--- sys/kern/vfs_subr.c.orig
+++ sys/kern/vfs_subr.c
@@ -2934,7 +2934,13 @@
TAILQ_EMPTY(&vp->v_bufobj.bo_clean.bv_hd) &&
vp->v_bufobj.bo_clean.bv_cnt == 0,
("vp %p bufobj not invalidated", vp));
- vp->v_bufobj.bo_flag |= BO_DEAD;
+
+ /*
+ * For VMIO bufobj, BO_DEAD is set in vm_object_terminate()
+ * after the object's page queue is flushed.
+ */
+ if (vp->v_bufobj.bo_object == NULL)
+ vp->v_bufobj.bo_flag |= BO_DEAD;
BO_UNLOCK(&vp->v_bufobj);
/*
--- sys/vm/vm_fault.c.orig
+++ sys/vm/vm_fault.c
@@ -286,7 +286,7 @@
vm_prot_t prot;
long ahead, behind;
int alloc_req, era, faultcount, nera, reqpage, result;
- boolean_t growstack, is_first_object_locked, wired;
+ boolean_t dead, growstack, is_first_object_locked, wired;
int map_generation;
vm_object_t next_object;
vm_page_t marray[VM_FAULT_READ_MAX];
@@ -423,11 +423,18 @@
fs.pindex = fs.first_pindex;
while (TRUE) {
/*
- * If the object is dead, we stop here
+ * If the object is marked for imminent termination,
+ * we retry here, since the collapse pass has raced
+ * with us. Otherwise, if we see terminally dead
+ * object, return fail.
*/
- if (fs.object->flags & OBJ_DEAD) {
+ if ((fs.object->flags & OBJ_DEAD) != 0) {
+ dead = fs.object->type == OBJT_DEAD;
unlock_and_deallocate(&fs);
- return (KERN_PROTECTION_FAILURE);
+ if (dead)
+ return (KERN_PROTECTION_FAILURE);
+ pause("vmf_de", 1);
+ goto RetryFault;
}
/*
--- sys/vm/vm_meter.c.orig
+++ sys/vm/vm_meter.c
@@ -93,30 +93,32 @@
CTLFLAG_MPSAFE, NULL, 0, sysctl_vm_loadavg, "S,loadavg",
"Machine loadaverage history");
+/*
+ * This function aims to determine if the object is mapped,
+ * specifically, if it is referenced by a vm_map_entry. Because
+ * objects occasionally acquire transient references that do not
+ * represent a mapping, the method used here is inexact. However, it
+ * has very low overhead and is good enough for the advisory
+ * vm.vmtotal sysctl.
+ */
+static bool
+is_object_active(vm_object_t obj)
+{
+
+ return (obj->ref_count > obj->shadow_count);
+}
+
static int
vmtotal(SYSCTL_HANDLER_ARGS)
{
- struct proc *p;
struct vmtotal total;
- vm_map_entry_t entry;
vm_object_t object;
- vm_map_t map;
- int paging;
+ struct proc *p;
struct thread *td;
- struct vmspace *vm;
bzero(&total, sizeof(total));
+
/*
- * Mark all objects as inactive.
- */
- mtx_lock(&vm_object_list_mtx);
- TAILQ_FOREACH(object, &vm_object_list, object_list) {
- VM_OBJECT_WLOCK(object);
- vm_object_clear_flag(object, OBJ_ACTIVE);
- VM_OBJECT_WUNLOCK(object);
- }
- mtx_unlock(&vm_object_list_mtx);
- /*
* Calculate process statistics.
*/
sx_slock(&allproc_lock);
@@ -136,11 +138,15 @@
case TDS_INHIBITED:
if (TD_IS_SWAPPED(td))
total.t_sw++;
- else if (TD_IS_SLEEPING(td) &&
- td->td_priority <= PZERO)
- total.t_dw++;
- else
- total.t_sl++;
+ else if (TD_IS_SLEEPING(td)) {
+ if (td->td_priority <= PZERO)
+ total.t_dw++;
+ else
+ total.t_sl++;
+ if (td->td_wchan ==
+ &cnt.v_free_count)
+ total.t_pw++;
+ }
break;
case TDS_CAN_RUN:
@@ -158,29 +164,6 @@
}
}
PROC_UNLOCK(p);
- /*
- * Note active objects.
- */
- paging = 0;
- vm = vmspace_acquire_ref(p);
- if (vm == NULL)
- continue;
- map = &vm->vm_map;
- vm_map_lock_read(map);
- for (entry = map->header.next;
- entry != &map->header; entry = entry->next) {
- if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) ||
- (object = entry->object.vm_object) == NULL)
- continue;
- VM_OBJECT_WLOCK(object);
- vm_object_set_flag(object, OBJ_ACTIVE);
- paging |= object->paging_in_progress;
- VM_OBJECT_WUNLOCK(object);
- }
- vm_map_unlock_read(map);
- vmspace_free(vm);
- if (paging)
- total.t_pw++;
}
sx_sunlock(&allproc_lock);
/*
@@ -206,9 +189,18 @@
*/
continue;
}
+ if (object->ref_count == 1 &&
+ (object->flags & OBJ_NOSPLIT) != 0) {
+ /*
+ * Also skip otherwise unreferenced swap
+ * objects backing tmpfs vnodes, and POSIX or
+ * SysV shared memory.
+ */
+ continue;
+ }
total.t_vm += object->size;
total.t_rm += object->resident_page_count;
- if (object->flags & OBJ_ACTIVE) {
+ if (is_object_active(object)) {
total.t_avm += object->size;
total.t_arm += object->resident_page_count;
}
@@ -216,7 +208,7 @@
/* shared object */
total.t_vmshr += object->size;
total.t_rmshr += object->resident_page_count;
- if (object->flags & OBJ_ACTIVE) {
+ if (is_object_active(object)) {
total.t_avmshr += object->size;
total.t_armshr += object->resident_page_count;
}
--- sys/vm/vm_object.c.orig
+++ sys/vm/vm_object.c
@@ -737,6 +737,10 @@
vinvalbuf(vp, V_SAVE, 0, 0);
+ BO_LOCK(&vp->v_bufobj);
+ vp->v_bufobj.bo_flag |= BO_DEAD;
+ BO_UNLOCK(&vp->v_bufobj);
+
VM_OBJECT_WLOCK(object);
}
@@ -1722,6 +1726,9 @@
* case.
*/
if (backing_object->ref_count == 1) {
+ vm_object_pip_add(object, 1);
+ vm_object_pip_add(backing_object, 1);
+
/*
* If there is exactly one reference to the backing
* object, we can collapse it into the parent.
@@ -1793,11 +1800,13 @@
KASSERT(backing_object->ref_count == 1, (
"backing_object %p was somehow re-referenced during collapse!",
backing_object));
+ vm_object_pip_wakeup(backing_object);
backing_object->type = OBJT_DEAD;
backing_object->ref_count = 0;
VM_OBJECT_WUNLOCK(backing_object);
vm_object_destroy(backing_object);
+ vm_object_pip_wakeup(object);
object_collapses++;
} else {
vm_object_t new_backing_object;
@@ -2130,6 +2139,7 @@
*/
if (!reserved && !swap_reserve_by_cred(ptoa(next_size),
prev_object->cred)) {
+ VM_OBJECT_WUNLOCK(prev_object);
return (FALSE);
}
prev_object->charge += ptoa(next_size);
--- sys/vm/vm_object.h.orig
+++ sys/vm/vm_object.h
@@ -181,7 +181,6 @@
*/
#define OBJ_FICTITIOUS 0x0001 /* (c) contains fictitious pages */
#define OBJ_UNMANAGED 0x0002 /* (c) contains unmanaged pages */
-#define OBJ_ACTIVE 0x0004 /* active objects */
#define OBJ_DEAD 0x0008 /* dead objects (during rundown) */
#define OBJ_NOSPLIT 0x0010 /* dont split this object */
#define OBJ_PIPWNT 0x0040 /* paging in progress wanted */
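Review bot: In the vm_object.c collapse hunks, the two `vm_object_pip_add()` calls added under `if (backing_object->ref_count == 1)` are only balanced by `vm_object_pip_wakeup()` calls roughly seventy lines further down, and the code between them is not part of this patch. If any path in that stretch leaves the branch early, the paging-in-progress count would stay raised and later waiters on either object could block, so it is worth confirming there is none and recording it next to the add, for example `/* held across the collapse; released by the vm_object_pip_wakeup() calls at the end of this branch */`. The new retry in vm_fault.c (`pause("vmf_de", 1); goto RetryFault;`) has no bound of its own and depends on that collapse or termination completing, which the comment above it could state explicitly.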


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=NTrZ
-----END PGP SIGNATURE-----


@ -0,0 +1,34 @@
--- sys/boot/geli/geliboot.c.orig
+++ sys/boot/geli/geliboot.c
@@ -77,17 +77,25 @@
int error;
off_t alignsector;
- alignsector = (lastsector * DEV_BSIZE) &
- ~(off_t)(DEV_GELIBOOT_BSIZE - 1);
+ alignsector = rounddown2(lastsector * DEV_BSIZE, DEV_GELIBOOT_BSIZE);
+ if (alignsector + DEV_GELIBOOT_BSIZE > ((lastsector + 1) * DEV_BSIZE)) {
+ /* Don't read past the end of the disk */
+ alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE
+ - DEV_GELIBOOT_BSIZE;
+ }
error = read_func(NULL, dskp, alignsector, &buf, DEV_GELIBOOT_BSIZE);
if (error != 0) {
return (error);
}
- /* Extract the last DEV_BSIZE bytes from the block. */
- error = eli_metadata_decode(buf + (DEV_GELIBOOT_BSIZE - DEV_BSIZE),
- &md);
+ /* Extract the last 4k sector of the disk. */
+ error = eli_metadata_decode(buf, &md);
if (error != 0) {
- return (error);
+ /* Try the last 512 byte sector instead. */
+ error = eli_metadata_decode(buf +
+ (DEV_GELIBOOT_BSIZE - DEV_BSIZE), &md);
+ if (error != 0) {
+ return (error);
+ }
}
if (!(md.md_flags & G_ELI_FLAG_GELIBOOT)) {
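Review bot: The clamp added for `alignsector` has no lower bound: on a provider smaller than `DEV_GELIBOOT_BSIZE`, `(lastsector * DEV_BSIZE) + DEV_BSIZE - DEV_GELIBOOT_BSIZE` goes below zero (or wraps, depending on the type of `lastsector`, which is declared outside the hunk) and that offset is passed to `read_func()`. Whether such a provider can reach this code is not visible here, so either reject it before the read or add a comment saying why it cannot happen. The comment `/* Extract the last 4k sector of the disk. */` also sits oddly above a decode of the start of `buf`; wording like `/* 4k-sector provider: metadata starts at the beginning of the last 4k block. */` would pair with the 512-byte fallback comment below it. The function continues past the end of this hunk.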


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJYD5UaAAoJEO1n7NZdz2rnZeQP/A7rKnV8s+QKgS2KypSuk9pO
N0DQsAx/M3qIOvkkCE3JjfV/iYpQZ8qVbFodI+Q6gy8EXPttEKotc9+Fqf3gyIvD
+YGeCmeALRqjziCqg5Yzfm+Vq4jhHK0EPxjzaPFTSfrWY1zKTnO9UILWBOeX+rff
mYKWch2UzmXDLoOGm25v9Ov5tMyzTNDRqoMWUFPIbCt054Q1UqJBLKrlUXSRLQyi
uc0Zhs3es27MfBE37ZEjGnm5hn8Zx9krsyqVuYp+ZWrugn4W/Ur36QEzETd7b3ZF
MBDPQz8rJ1degserJDVPD3bF5aADjylNtsKffwo65F2qLnK6OcGjqRY93aQeJcjv
bxDn1pqYsC/uT76k05AK+1IaFCXRufek4g+Z5BMsaGQyhmaqfN2opzAnrEmXnPY7
0FI3p8uu6xH6JkfaOQwO71DvD00907/cAJq3HHUvbWSrgB/6ksqxQoElu/l8QyzG
X2wDkwVKA9fF5ExMTDquvt725enikdoPCp3T2CiCfRv6N/xTuH/M54V0b/F+vHCT
24eLVbdrdgQhrw0Hqk6bYhxt3VzpkIQPxNot8IpbtfJfJersrsDDC5o7PvSj04YJ
01A9gTm/XGqSRfdET2GmoYvX+zbnQ10EuqXh57boPKDA8WuwmOvrsEylXW3BUpaz
jx167sv08GgW5fdZmVxe
=6m5C
-----END PGP SIGNATURE-----


@ -0,0 +1,21 @@
--- sys/amd64/amd64/sys_machdep.c.orig
+++ sys/amd64/amd64/sys_machdep.c
@@ -608,6 +608,8 @@
largest_ld = uap->start + uap->num;
if (largest_ld > max_ldt_segment)
largest_ld = max_ldt_segment;
+ if (largest_ld < uap->start)
+ return (EINVAL);
i = largest_ld - uap->start;
mtx_lock(&dt_lock);
bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
@@ -620,7 +622,8 @@
/* verify range of descriptors to modify */
largest_ld = uap->start + uap->num;
if (uap->start >= max_ldt_segment ||
- largest_ld > max_ldt_segment)
+ largest_ld > max_ldt_segment ||
+ largest_ld < uap->start)
return (EINVAL);
}
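Review bot: Both added `largest_ld < uap->start` tests detect the overflow only after `uap->start + uap->num` has already been computed, which is sound only if those fields are unsigned; their declarations are outside this patch. Testing before the addition removes the dependence on wraparound, e.g. in the second hunk `if (uap->start >= max_ldt_segment || uap->num > max_ldt_segment - uap->start)`, assuming the operands share an unsigned type. In the first hunk the new test also rejects a `start` above `max_ldt_segment` once `largest_ld` has been clamped, which deserves a one-line comment such as `/* catches both a wrapped sum and start > max_ldt_segment */`. Both enclosing blocks extend beyond the hunks shown.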


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=8ocC
-----END PGP SIGNATURE-----


@ -0,0 +1,17 @@
--- usr.sbin/bhyve/vga.c.orig
+++ usr.sbin/bhyve/vga.c
@@ -161,10 +161,10 @@
*/
struct {
uint8_t dac_state;
- int dac_rd_index;
- int dac_rd_subindex;
- int dac_wr_index;
- int dac_wr_subindex;
+ uint8_t dac_rd_index;
+ uint8_t dac_rd_subindex;
+ uint8_t dac_wr_index;
+ uint8_t dac_wr_subindex;
uint8_t dac_palette[3 * 256];
uint32_t dac_palette_rgb[256];
} vga_dac;
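Review bot: The narrowing of the four DAC index fields to `uint8_t` is what keeps them within 0–255, yet nothing in the struct says that the width is acting as a bounds guarantee for `dac_palette[3 * 256]` and `dac_palette_rgb[256]`. A comment above the fields such as `/* uint8_t on purpose: indices wrap at 256 so they cannot exceed the palette arrays */` would keep a later cleanup from widening them again. The sub-index fields are a separate question: an 8-bit value still allows far more than three components per entry, so the code that advances them (outside this hunk) presumably has to reset them, and an explicit range check where `dac_palette` is indexed would make the bound independent of the field types.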


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=JYG2
-----END PGP SIGNATURE-----