Add SA-18:09-SA-18:11, refresh SA-18:08.

svn path=/head/; revision=52127

share/security/patches/SA-18:08/tcp-man-10.patch

@@ -0,0 +1,11 @@
+--- share/man/man4/tcp.4.orig
++++ share/man/man4/tcp.4
+@@ -38,7 +38,7 @@
+ .\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
+ .\" $FreeBSD$
+ .\"
+-.Dd October 13, 2014
++.Dd August 6, 2018
+ .Dt TCP 4
+ .Os
+ .Sh NAME

share/security/patches/SA-18:08/tcp-man-10.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztboACgkQ05eS9J6n
+5cJtEQ/8CDdSUbL4aWI2tt1NTAxMoLirMte4r4oR6R3L3prOQWzqKc8m2KV73pgI
+5hSAbcyW8pINgJ4gIX8FwXd+g1bfiz/9Fq7J7IEeZHbNPUo150NCsHC8LPG4oupz
+6UmjGybX/J4nBrKMVqC88p7sWeukvCQm2d8fcKJQgUPQ8d9lgjRFn2MeaKEGR36j
+rhQRK0GSQC7PLgsxzmHAnPtMBqnBNxP9GAyv/O+GX4pAX4PVf6GevQZMYMMPZYNE
+yC8vOclIBuSuOlXaEtanCB7w3WT4M+x6VUwM8NSTq30uQe3NMUvzbzlv+YE2xx0Q
+3XYncGma86rL0FqrqcgLZLoWHJAubqlxonCJNSNXS0o8I77njPffkKx1nDFtpUt2
+IdIleTaltinZXq1mAoPqtrt/nOa9x1C4hihvrIStIYAi/0rLdB8rCGJgMjD8twG7
+W7GUTJxDz2F/dp/y3zomwg69cjdXadh8JWHoPwscPObFhWUml3/WnPLw8iw0ae4A
+TE8+npZUir8zbbxevcZrQxZA/FasfVIEZJytBkIs6z9t+bxa6stBeR/tWU1qgYPx
+oSebDN09tpb3Qzb8uUKNHjuF9La6BXmstjzuh8F/FgPqfImIGQaTkvb0/jcZtvJt
+GatGGPBnZCJWZvy5wvHkNYbUxO81A6dvBJd0kYbS8Q4vYLrzjHo=
+=tsh3
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:08/tcp-man-11.patch

@@ -0,0 +1,11 @@
+--- share/man/man4/tcp.4.orig
++++ share/man/man4/tcp.4
+@@ -34,7 +34,7 @@
+ .\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
+ .\" $FreeBSD$
+ .\"
+-.Dd February 6, 2017
++.Dd August 6, 2018
+ .Dt TCP 4
+ .Os
+ .Sh NAME

share/security/patches/SA-18:08/tcp-man-11.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztbgACgkQ05eS9J6n
+5cJfvA//VV3j4T6xmYhMFYQ9fzExzBAfzmJjhmVeeAS/JBrKcHhsZgVuIk1E7CD/
+U1hqrlnwlPgG76UNe3tsXaDxhhYOFo4jH3COwE6zXJaXjDDv0H3rfc3TjbJD22fw
+ktz0P2P9DP0uxb1M2f73yrVvQokPlI5cWQ4yQa0MCyVWNUtCKJPIzK27hupjNo7L
+sDepUOR7809n2vHD1uXrkwAi4OfMYLkxDtf0Yt31EJ8+/ZeL8qg6caP2QPElAnws
+3P45z/SqVg3ygmBR9WhF0UK98a7FuyDI79/KZSMBIAOkl7nwe09HZjjvFNYlXnPq
+l7duHMVcC87VhZ0IaNQ1fEDIcyyXws7pVQpWNuA6HGOjLFYSGrJWCzek/yPsTO+S
+m631sRGWs/YyyY49S1D5P/6MaAGT2WjOnSX3q8wy+2WkKDPdQSlj85MZvRKKXY5u
+5KgvqWH6w/hxtHHDE+9Bk8dDfW7aHBGSy/lV5I2VorgE3dyp1vWTMuOacWeMJqhN
+twzlLEn7QCZgkEocb6rqK+fVuG3Sx+QJPa8pKBj3LgsnHTd8mJRcWWtzG50LvNcO
+orzUHwYht0gWrSfsfsS5OXfMUrOeEfpxtAB0FYh+2Sr+1jEtaAqBA4S9yHUnNUtS
+jLcoPClf+s4FVvm1khHLihhKHp/BMFoha8zeQKudrod4UNxSQxM=
+=r2Sc
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:09/l1tf-11.1.patch

@@ -0,0 +1,213 @@
+--- sys/amd64/amd64/pmap.c.orig
++++ sys/amd64/amd64/pmap.c
+@@ -1206,6 +1206,9 @@
+ 	vm_size_t s;
+ 	int error, i, pv_npg;
+ 
++	/* L1TF, reserve page @0 unconditionally */
++	vm_page_blacklist_add(0, bootverbose);
++
+ 	/*
+ 	 * Initialize the vm page array entries for the kernel pmap's
+ 	 * page table pages.
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -183,6 +183,12 @@
+ SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD,
+ 	    &vpid_alloc_failed, 0, NULL);
+ 
++static int guest_l1d_flush;
++SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD,
++    &guest_l1d_flush, 0, NULL);
++
++uint64_t vmx_msr_flush_cmd;
++
+ /*
+  * Use the last page below 4GB as the APIC access address. This address is
+  * occupied by the boot firmware so it is guaranteed that it will not conflict
+@@ -718,6 +724,12 @@
+ 		return (error);
+ 	}
+ 
++	guest_l1d_flush = (cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) == 0;
++	TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush);
++	if (guest_l1d_flush &&
++	    (cpu_stdext_feature3 & CPUID_STDEXT3_L1D_FLUSH) != 0)
++		vmx_msr_flush_cmd = IA32_FLUSH_CMD_L1D;
++
+ 	/*
+ 	 * Stash the cr0 and cr4 bits that must be fixed to 0 or 1
+ 	 */
+--- sys/amd64/vmm/intel/vmx_genassym.c.orig
++++ sys/amd64/vmm/intel/vmx_genassym.c
+@@ -36,6 +36,7 @@
+ 
+ #include <vm/vm.h>
+ #include <vm/pmap.h>
++#include <vm/vm_param.h>
+ 
+ #include <machine/vmm.h>
+ #include "vmx_cpufunc.h"
+@@ -86,3 +87,6 @@
+ 
+ ASSYM(KERNEL_SS, GSEL(GDATA_SEL, SEL_KPL));
+ ASSYM(KERNEL_CS, GSEL(GCODE_SEL, SEL_KPL));
++
++ASSYM(PAGE_SIZE, PAGE_SIZE);
++ASSYM(KERNBASE, KERNBASE);
+--- sys/amd64/vmm/intel/vmx_support.S.orig
++++ sys/amd64/vmm/intel/vmx_support.S
+@@ -28,6 +28,7 @@
+  */
+ 
+ #include <machine/asmacros.h>
++#include <machine/specialreg.h>
+ 
+ #include "vmx_assym.h"
+ 
+@@ -136,9 +137,47 @@
+ 	jbe	invept_error		/* Check invept instruction error */
+ 
+ guest_restore:
+-	cmpl	$0, %edx
++
++	/*
++	 * Flush L1D cache if requested.  Use IA32_FLUSH_CMD MSR if available,
++	 * otherwise load enough of the data from the zero_region to flush
++	 * existing L1D content.
++	 */
++#define	L1D_FLUSH_SIZE	(64 * 1024)
++	movl	%edx, %r8d
++	cmpb	$0, guest_l1d_flush(%rip)
++	je	after_l1d
++	movq	vmx_msr_flush_cmd(%rip), %rax
++	testq	%rax, %rax
++	jz	1f
++	movq	%rax, %rdx
++	shrq	$32, %rdx
++	movl	$MSR_IA32_FLUSH_CMD, %ecx
++	wrmsr
++	jmp	after_l1d
++1:	movq	$KERNBASE, %r9
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/*
++	 * pass 1: Preload TLB.
++	 * Kernel text is mapped using superpages.  TLB preload is
++	 * done for the benefit of older CPUs which split 2M page
++	 * into 4k TLB entries.
++	 */
++2:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$PAGE_SIZE, %rcx
++	jne	2b
++	xorl	%eax, %eax
++	cpuid
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/* pass 2: Read each cache line */
++3:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$64, %rcx
++	jne	3b
++	lfence
++#undef	L1D_FLUSH_SIZE
++after_l1d:
++	cmpl	$0, %r8d
+ 	je	do_launch
+-
+ 	VMX_GUEST_RESTORE
+ 	vmresume
+ 	/*
+--- sys/vm/vm_page.c.orig
++++ sys/vm/vm_page.c
+@@ -290,6 +290,27 @@
+ 	return (0);
+ }
+ 
++bool
++vm_page_blacklist_add(vm_paddr_t pa, bool verbose)
++{
++	vm_page_t m;
++	int ret;
++
++	m = vm_phys_paddr_to_vm_page(pa);
++	if (m == NULL)
++		return (true); /* page does not exist, no failure */
++
++	mtx_lock(&vm_page_queue_free_mtx);
++	ret = vm_phys_unfree_page(m);
++	mtx_unlock(&vm_page_queue_free_mtx);
++	if (ret) {
++		TAILQ_INSERT_TAIL(&blacklist_head, m, listq);
++		if (verbose)
++			printf("Skipping page with pa 0x%jx\n", (uintmax_t)pa);
++	}
++	return (ret);
++}
++
+ /*
+  *	vm_page_blacklist_check:
+  *
+@@ -301,26 +322,13 @@
+ vm_page_blacklist_check(char *list, char *end)
+ {
+ 	vm_paddr_t pa;
+-	vm_page_t m;
+ 	char *next;
+-	int ret;
+ 
+ 	next = list;
+ 	while (next != NULL) {
+ 		if ((pa = vm_page_blacklist_next(&next, end)) == 0)
+ 			continue;
+-		m = vm_phys_paddr_to_vm_page(pa);
+-		if (m == NULL)
+-			continue;
+-		mtx_lock(&vm_page_queue_free_mtx);
+-		ret = vm_phys_unfree_page(m);
+-		mtx_unlock(&vm_page_queue_free_mtx);
+-		if (ret == TRUE) {
+-			TAILQ_INSERT_TAIL(&blacklist_head, m, listq);
+-			if (bootverbose)
+-				printf("Skipping page with pa 0x%jx\n",
+-				    (uintmax_t)pa);
+-		}
++		vm_page_blacklist_add(pa, bootverbose);
+ 	}
+ }
+ 
+--- sys/vm/vm_page.h.orig
++++ sys/vm/vm_page.h
+@@ -448,6 +448,7 @@
+     u_long npages, vm_paddr_t low, vm_paddr_t high, u_long alignment,
+     vm_paddr_t boundary, vm_memattr_t memattr);
+ vm_page_t vm_page_alloc_freelist(int, int);
++bool vm_page_blacklist_add(vm_paddr_t pa, bool verbose);
+ vm_page_t vm_page_grab (vm_object_t, vm_pindex_t, int);
+ int vm_page_try_to_free (vm_page_t);
+ void vm_page_deactivate (vm_page_t);
+--- sys/x86/include/specialreg.h.orig
++++ sys/x86/include/specialreg.h
+@@ -378,6 +378,7 @@
+  */
+ #define	CPUID_STDEXT3_IBPB	0x04000000
+ #define	CPUID_STDEXT3_STIBP	0x08000000
++#define	CPUID_STDEXT3_L1D_FLUSH	0x10000000
+ #define	CPUID_STDEXT3_ARCH_CAP	0x20000000
+ 
+ /* MSR IA32_ARCH_CAP(ABILITIES) bits */
+@@ -427,6 +428,7 @@
+ #define	MSR_IA32_EXT_CONFIG	0x0ee	/* Undocumented. Core Solo/Duo only */
+ #define	MSR_MTRRcap		0x0fe
+ #define	MSR_IA32_ARCH_CAP	0x10a
++#define	MSR_IA32_FLUSH_CMD	0x10b
+ #define	MSR_BBL_CR_ADDR		0x116
+ #define	MSR_BBL_CR_DECC		0x118
+ #define	MSR_BBL_CR_CTL		0x119
+@@ -580,6 +582,9 @@
+ /* MSR IA32_PRED_CMD */
+ #define	IA32_PRED_CMD_IBPB_BARRIER	0x0000000000000001ULL
+ 
++/* MSR IA32_FLUSH_CMD */
++#define	IA32_FLUSH_CMD_L1D	0x00000001
++
+ /*
+  * PAT modes.
+  */

share/security/patches/SA-18:09/l1tf-11.1.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztdsACgkQ05eS9J6n
+5cItLA//UjGUEP8QwggeT/drm99htP1lpABfxgLjaBFvXDQ8pFJU2D8bm0X/jHBW
+ExM4TO1H2K6gKtJMXC1gCgL9DXy6ukqI7DDKjG2vt46U8533DQ715C4HInj5+mdp
+hvdJVFKbLKVA4jqv0Z+LGeM/yhC5vLCJ+Upirfz42pLWUdmW1a5zbT0pEXsKldxJ
+cTRWfKck7TKbND9cYczaRKl7YjaJNUY8x2FZ3aq607dxWMbreW1sP1VnC2W/EJOa
+fX6G7WC38uZ5RzLL0GoyEUoA83ljcQLYjGWEH0Kr90AfRw6geh2ViajYWMaRj4Kg
+0/Jax7pn5xI14FaREwMybz7Lj+l2DpYfpToYs9Uh4mg/Ug8orLellD+tEBP88NyY
+aWRPYYc3um08osZ6f96RRdH8bOoYgyW+0HV7hO1ZBrIZiAwLdh7nSLoBPEGoGA/e
+XumkfRbwCc5gODH4NYDuCGFppQ2qQ+vfws97kFWULoia8PM/bseFICv9lbZ3c3wc
+7ImNHSHRCDk8lanX8ivTEN2MqEtQBIXwMJuLy6L2s2SPFaaH8Tzt6VNcFvDMONQb
+iXpUoejcLFdeQV1tisnOTsJ6bZayHQjuE6mvLmbSSVjWhh1X3ZStoqhU44AGnmiC
+LjEmQ03E/pCYfA4YV3trqAsE4dqgNTReiiK2P0edkIlo72g42x0=
+=8Mzj
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:09/l1tf-11.2.patch

@@ -0,0 +1,145 @@
+--- sys/amd64/amd64/pmap.c.orig
++++ sys/amd64/amd64/pmap.c
+@@ -1215,6 +1215,9 @@
+ 	vm_size_t s;
+ 	int error, i, pv_npg, ret, skz63;
+ 
++	/* L1TF, reserve page @0 unconditionally */
++	vm_page_blacklist_add(0, bootverbose);
++
+ 	/* Detect bare-metal Skylake Server and Skylake-X. */
+ 	if (vm_guest == VM_GUEST_NO && cpu_vendor_id == CPU_VENDOR_INTEL &&
+ 	    CPUID_TO_FAMILY(cpu_id) == 0x6 && CPUID_TO_MODEL(cpu_id) == 0x55) {
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -185,6 +185,12 @@
+ SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD,
+ 	    &vpid_alloc_failed, 0, NULL);
+ 
++static int guest_l1d_flush;
++SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD,
++    &guest_l1d_flush, 0, NULL);
++
++uint64_t vmx_msr_flush_cmd;
++
+ /*
+  * Use the last page below 4GB as the APIC access address. This address is
+  * occupied by the boot firmware so it is guaranteed that it will not conflict
+@@ -720,6 +726,12 @@
+ 		return (error);
+ 	}
+ 
++	guest_l1d_flush = (cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) == 0;
++	TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush);
++	if (guest_l1d_flush &&
++	    (cpu_stdext_feature3 & CPUID_STDEXT3_L1D_FLUSH) != 0)
++		vmx_msr_flush_cmd = IA32_FLUSH_CMD_L1D;
++
+ 	/*
+ 	 * Stash the cr0 and cr4 bits that must be fixed to 0 or 1
+ 	 */
+--- sys/amd64/vmm/intel/vmx_genassym.c.orig
++++ sys/amd64/vmm/intel/vmx_genassym.c
+@@ -36,6 +36,7 @@
+ 
+ #include <vm/vm.h>
+ #include <vm/pmap.h>
++#include <vm/vm_param.h>
+ 
+ #include <machine/vmm.h>
+ #include "vmx_cpufunc.h"
+@@ -86,3 +87,6 @@
+ 
+ ASSYM(KERNEL_SS, GSEL(GDATA_SEL, SEL_KPL));
+ ASSYM(KERNEL_CS, GSEL(GCODE_SEL, SEL_KPL));
++
++ASSYM(PAGE_SIZE, PAGE_SIZE);
++ASSYM(KERNBASE, KERNBASE);
+--- sys/amd64/vmm/intel/vmx_support.S.orig
++++ sys/amd64/vmm/intel/vmx_support.S
+@@ -28,6 +28,7 @@
+  */
+ 
+ #include <machine/asmacros.h>
++#include <machine/specialreg.h>
+ 
+ #include "vmx_assym.h"
+ 
+@@ -173,9 +174,47 @@
+ 	jbe	invept_error		/* Check invept instruction error */
+ 
+ guest_restore:
+-	cmpl	$0, %edx
+-	je	do_launch
+ 
++	/*
++	 * Flush L1D cache if requested.  Use IA32_FLUSH_CMD MSR if available,
++	 * otherwise load enough of the data from the zero_region to flush
++	 * existing L1D content.
++	 */
++#define	L1D_FLUSH_SIZE	(64 * 1024)
++	movl	%edx, %r8d
++	cmpb	$0, guest_l1d_flush(%rip)
++	je	after_l1d
++	movq	vmx_msr_flush_cmd(%rip), %rax
++	testq	%rax, %rax
++	jz	1f
++	movq	%rax, %rdx
++	shrq	$32, %rdx
++	movl	$MSR_IA32_FLUSH_CMD, %ecx
++	wrmsr
++	jmp	after_l1d
++1:	movq	$KERNBASE, %r9
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/*
++	 * pass 1: Preload TLB.
++	 * Kernel text is mapped using superpages,  TLB preload is
++	 * done for the benefit of older CPUs which split 2M page
++	 * into 4k TLB entries.
++	 */
++2:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$PAGE_SIZE, %rcx
++	jne	2b
++	xorl	%eax, %eax
++	cpuid
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/* pass 2: Read each cache line */
++3:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$64, %rcx
++	jne	3b
++	lfence
++#undef	L1D_FLUSH_SIZE
++after_l1d:
++	cmpl	$0, %r8d
++	je	do_launch
+ 	VMX_GUEST_RESTORE
+ 	vmresume
+ 	/*
+--- sys/x86/include/specialreg.h.orig
++++ sys/x86/include/specialreg.h
+@@ -387,6 +387,7 @@
+  */
+ #define	CPUID_STDEXT3_IBPB	0x04000000
+ #define	CPUID_STDEXT3_STIBP	0x08000000
++#define	CPUID_STDEXT3_L1D_FLUSH	0x10000000
+ #define	CPUID_STDEXT3_ARCH_CAP	0x20000000
+ #define	CPUID_STDEXT3_SSBD	0x80000000
+ 
+@@ -438,6 +439,7 @@
+ #define	MSR_IA32_EXT_CONFIG	0x0ee	/* Undocumented. Core Solo/Duo only */
+ #define	MSR_MTRRcap		0x0fe
+ #define	MSR_IA32_ARCH_CAP	0x10a
++#define	MSR_IA32_FLUSH_CMD	0x10b
+ #define	MSR_BBL_CR_ADDR		0x116
+ #define	MSR_BBL_CR_DECC		0x118
+ #define	MSR_BBL_CR_CTL		0x119
+@@ -592,6 +594,9 @@
+ /* MSR IA32_PRED_CMD */
+ #define	IA32_PRED_CMD_IBPB_BARRIER	0x0000000000000001ULL
+ 
++/* MSR IA32_FLUSH_CMD */
++#define	IA32_FLUSH_CMD_L1D	0x00000001
++
+ /*
+  * PAT modes.
+  */

share/security/patches/SA-18:09/l1tf-11.2.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztd0ACgkQ05eS9J6n
+5cIGQQ//SWf3YET59okirsbCm/gF+ra8q1ohCRPaJbyS5ZJaWWWBNQRKX2ksphAF
+huamH+PmAlBvRmkjjVujbW5npPcZ00DpZVCC90awH1mLknlm5aIFpaFSe1oY/RUi
+cZjTSobjdTNyEwDX36GdQpq3xx4d0AmmvzmiLRb62MnzDTzMRQ4kPgAoMe1VP6QT
+z4KeSxS+rc1XjS+3d8qFB57/cxi8a3v60YAkOC7EfgqYUjGheuBa6wLFgsJyzm4/
+jil+Tm5Gp+GgyRzYuQNJSzgMtQaEfvBSkgLn1zIZGPMKfLWyo5Km4aFdtjsWmQaj
+XRQk91BhPJ3xXyvyUChkTckGrXuUMfkVarto5I2dIR9bXo9MXCpOgzLHfcSomGyQ
+JjMKqqjhmcg6aY1ptVHqnA5/NJAFNFUDnwAwsgPw8RPW8rcJjFY9KjmkPo3LRNkV
+x2AhAxjBj1jZ2JUMQiw4jQH25P/yX6COoJTCFisr4RJD0paGf3sPjTrIUN2SOHE9
+TorBvYWeaxgWs3e5yO/qOyUXt7C40ux3vzn2jfjersclJiKId4vIp0VLW4wUd+Et
+wjCZpYHt8BmN8YVRIV3a4hIHZ7tOQg12sv6DHeuzHBtDsKcgMcqZnhehalWGHAZ6
+NnJObTilJi3edXibluvNOgwElIT9l1a6rEv/eJ99rp3tSY0323Q=
+=gc08
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:10/ip.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztfIACgkQ05eS9J6n
+5cJ/BQ/9FjMAjlN0nLHm8OnoWIBRe2WTN/oi4/cQ+mliYClOLQB3fKaC7A43J0jJ
+AKXZsSwPlFujHyTMXr4Bnp1ws+JiAtFRqpKlgAOiv2M2jF1PJxEBFbw8Co9O/X4h
+wHI37BRsxxrp7UecxYEoaQsUF8ZTSqeuR2hyIwZLLc2wN3mziJsWjrNAHciwG1SK
+nYmdaSz8pzOmdcxM3jm3jle1EACwqoqo0aehuP+Bc4A0DhugK+wxP6KA1Ra7nojr
+VVKWgeKnyo0MUEXx/mA1kJ88DWolZVHxGUNk9jV4SQKC8p4/SowZvRn7k3M/f8I+
+Emub4mTo9pMyoQs2rbHGyhB1FYy9xI1Ax+BEpXL8z2TubO6r+AbmQP3cVLlfvbjS
+/GL9ibemyP6fRBqeJ+P4q+chvdE9BlQcZH1sVXfLaxbqq5zgeq9bwhtWclEm3Y/x
+XAKdCNRdTDV88s5jqA1COS3RNC5i2DCl1iFxIU1pme+kjyHC/YkPnRTckj8NjNCy
+kBdPba74yf86NAzzM3UD4vuzJ/Y2I2+tXbs+psIlKGEYBTjl8MQErVylvt+Ki9RE
+D6EkM4nqXyWAKlHgxJ4ifakx0IywXiZMssSRnSsQnwoWVIxCkTnU8iUgN/4ZgTb8
+Wb2yMX+ua1SACd/RWICrS8NTSuczyNvEHAeARg2es7lISTNG/gE=
+=TKXh
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:11/hostapd-10.patch

@@ -0,0 +1,20 @@
+--- contrib/wpa/src/rsn_supp/wpa.c.orig
++++ contrib/wpa/src/rsn_supp/wpa.c
+@@ -1829,6 +1829,17 @@
+ 
+ 	if (sm->proto == WPA_PROTO_RSN &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver))
+ 			goto out;
+ 		extra_len = WPA_GET_BE16(key->key_data_length);

share/security/patches/SA-18:11/hostapd-10.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztg0ACgkQ05eS9J6n
+5cKKBw/8DSDp5oTy7IkgB8PrPc3dCZg9tFeN19UYXs/wnBBX2eu4DdriU7vqn86d
+tGmCKxBMpALcprZaCmyKjk5hcQw7FVLe5N5kSmMbZYJBRJw9cODzGoZV4GabFt/X
+t6Lr9fuozfwEOyvzIgVPATOaBb6i9Pe5IbHoXNX4GtdzM65CpyW4qp1eIPb1dtYj
+pFKSbdz7IeUSXblYhZXiDYZ+dlhUGUrucxeD1ubFHTKWETYwdiJr7ERkqYgLLgA2
+Nc8uFrjLC4SiVjPSBVo8pQlXxvhUCqkBL8clJ0/FIiByUsoT5TdYRi2sSns5wJLk
+J3X0tSrOUI1+Nr69Q0GCIp0dy15ccvQMRcRJFZZFQ3weJz6WQd7iF9BHfZzbyQ1R
+B3jYVI2GBlWRD2BerDQQh6jwxs8Yd/b3sVCkKZNgk7v5Joh9UKszNF1msKiFLvtw
+yI82j5Xq+ZTj6Z/CvBGE6R6K7UymaAksn/BeV3rKVfgiITr3KMsK2IlP1hCjnZx1
+QbNanRDZ1cRqK87ic2IX9gBZR0j2YmZTPE+6lXEX7ufLJnArTKeqq1/CX1Q/iD3O
+V5YzO/gdOTBBnLdT4GdbMgMJ8ERGwCy1KCCC26rm6k4Rn01G3/pLyIcEWTbloqGr
+6sm4S9fLuRitriADzUj6Z4vAPtEkDPn29vyJAaVq2rII0h3s3r0=
+=mnWA
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:11/hostapd.patch

@@ -0,0 +1,20 @@
+--- contrib/wpa/src/rsn_supp/wpa.c.orig
++++ contrib/wpa/src/rsn_supp/wpa.c
+@@ -2072,6 +2072,17 @@
+ 
+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ 						    &key_data_len))
+ 			goto out;

share/security/patches/SA-18:11/hostapd.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztgkACgkQ05eS9J6n
+5cIE8Q/9GKu6n3za6wrVV1JctS7bbQx/lbPy2Q139jds+HW5fJ4QN0f6OOl5X5g+
+483GOFEPgWYV/tkz1suoZD+sZWDb7rrkAli5uo3igstp5JiIYXgFi81LxrmK2bUe
+tj0PYWoUmjTn7QqLw0ASxkZnDzQk3QlviEHqijtFkoKwXJ5yGWNib4khSBo03gV6
+hoquvRX5PLURUdgP1gdiOOShwE1KAvfG/IU/a6HrvzDi3V8PnwztdGxNtaVuovXw
+dgS8Uaq10JO9fmvXyjtbFNC2uo9p/LVsv+S3aHzbCpqAJ/inRWVf1JCq2tv5LqA3
+ATJUk4EWXhBAzVbe//SkT7gxxGBHqRea4ed2vZ6SeXg1bDHUiq9far88TNwrhxdn
+Rr2qUejC12zDl8c+ASQdJ7EItQI+/FgjodwZpUYiVHNtZT/xP4VPgdABwY7tYnsK
+kZWFJG16JymXLEJU4KSiStz/5hJav5ETdzr2rIk1AcjRUT5+RtH+4auyh8hzT621
+yrI6zypGyKoEWuBBW0vb2sBMmj5SaucJ7hNbq+gn/C4VdV9Ds+HVSWnS+eM+skv4
+d+6SA6Vo4keE83/H44TDDAoGi89CBDP6JjOjJ8837zJ1tRzIVdrvdcQp5RcP8RHx
+kprox8j6sMFyuX6YgQQG2ZfVJqCffHW44g3+vLszMcCw9rHUNPA=
+=R1kF
+-----END PGP SIGNATURE-----