Mon, 14 May 2018 16:17:19 +0000 Pull up following revision(s) (requested by maxv in ticket #1605): netbsd-7-1
martin <martin@NetBSD.org> [Mon, 14 May 2018 16:17:19 +0000] rev 319039
Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free. The nbuf can be reallocated as a result of caching 'enpc', so it is necessary to recache 'npc'; otherwise it contains pointers to the freed mbuf, pointers which are then used in the ruleset machinery. We recache 'npc' when we are sure we won't use 'enpc' anymore, because 'enpc' can be clobbered as a result of caching 'npc' (in other words, only one of the two can be cached at the same time). Also, we recache 'npc' unconditionally, because there is no way to know whether the nbuf got clobbered relative to it. We can't use the NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the cache. Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in the nbuf, so that we don't need to ensure that later. Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither the nbuf nor npc. Adapt their callers accordingly. In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave right away, without recaching npc (not needed since we didn't touch the nbuf). This fixes the handling of Query Id packets (that I broke in my previous commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel module from the filesystem, but the Makefile didn't have DIAGNOSTIC enabled, and the two KASSERTs I added did not compile properly.
Mon, 14 May 2018 16:21:48 +0000 Tickets #1604 and #1605 netbsd-7
martin <martin@NetBSD.org> [Mon, 14 May 2018 16:21:48 +0000] rev 319038
Tickets #1604 and #1605
Mon, 14 May 2018 16:16:04 +0000 Pull up following revision(s) (requested by maxv in ticket #1605): netbsd-7
martin <martin@NetBSD.org> [Mon, 14 May 2018 16:16:04 +0000] rev 319037
Pull up following revision(s) (requested by maxv in ticket #1605):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free. The nbuf can be reallocated as a result of caching 'enpc', so it is necessary to recache 'npc'; otherwise it contains pointers to the freed mbuf, pointers which are then used in the ruleset machinery. We recache 'npc' when we are sure we won't use 'enpc' anymore, because 'enpc' can be clobbered as a result of caching 'npc' (in other words, only one of the two can be cached at the same time). Also, we recache 'npc' unconditionally, because there is no way to know whether the nbuf got clobbered relative to it. We can't use the NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the cache. Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in the nbuf, so that we don't need to ensure that later. Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither the nbuf nor npc. Adapt their callers accordingly. In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave right away, without recaching npc (not needed since we didn't touch the nbuf). This fixes the handling of Query Id packets (that I broke in my previous commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel module from the filesystem, but the Makefile didn't have DIAGNOSTIC enabled, and the two KASSERTs I added did not compile properly.
Mon, 14 May 2018 16:11:09 +0000 Pull up following revision(s) (requested by pgoyette in ticket #1604): netbsd-7
martin <martin@NetBSD.org> [Mon, 14 May 2018 16:11:09 +0000] rev 319036
Pull up following revision(s) (requested by pgoyette in ticket #1604):

sys/dev/ic/hme.c: revision 1.97

Fix mis-placed right paren. kern/53271
Mon, 14 May 2018 16:08:15 +0000 Ticket #1548 netbsd-6
martin <martin@NetBSD.org> [Mon, 14 May 2018 16:08:15 +0000] rev 319035
Ticket #1548
Mon, 14 May 2018 16:07:06 +0000 Pull up following revision(s) (requested by pgoyette in ticket #1548): netbsd-6
martin <martin@NetBSD.org> [Mon, 14 May 2018 16:07:06 +0000] rev 319034
Pull up following revision(s) (requested by pgoyette in ticket #1548):

sys/dev/ic/hme.c: revision 1.97

Fix mis-placed right paren. kern/53271
Mon, 14 May 2018 12:44:40 +0000 Revert previous change in t_ptrace.c trunk
kamil <kamil@NetBSD.org> [Mon, 14 May 2018 12:44:40 +0000] rev 319033
Revert previous change in t_ptrace.c

By a mistake this file started to include <sys/mman.h>. This is not needed. The include was intended to be added just in t_ptrace_wait.c.

Sponsored by <The NetBSD Foundation>
Mon, 14 May 2018 12:42:34 +0000 Simplify the x86_64_cve_2018_8897 ATF ptrace(2) test trunk
kamil <kamil@NetBSD.org> [Mon, 14 May 2018 12:42:34 +0000] rev 319032
Simplify the x86_64_cve_2018_8897 ATF ptrace(2) test

Do not call _exit() from the child, as this code shall not be reached. Put there assert(). No functional change. The test still passes.

Sponsored by <The NetBSD Foundation>
Mon, 14 May 2018 09:21:36 +0000 Fix panic or hangup when "sysctl -w hw.ixgN.debug=1". trunk
msaitoh <msaitoh@NetBSD.org> [Mon, 14 May 2018 09:21:36 +0000] rev 319031
Fix panic or hangup when "sysctl -w hw.ixgN.debug=1".

XXX pullup-8
Mon, 14 May 2018 06:52:33 +0000 End sentence with a dot. trunk
wiz <wiz@NetBSD.org> [Mon, 14 May 2018 06:52:33 +0000] rev 319030
End sentence with a dot.