Handle allocation failure and track correct mbuf length in IPComp.
In swcr_compdec() m_copyback(M_NOWAIT) may fail, but the error is
not checked. The mbuf chain could be too short, but the expected
length is returned as result. Then ipcomp_input() will not set
m->m_pkthdr.len to the actual length of the mbuf chain. This only
affects decompression, other cases do not need additional memory
for enlarging.
from bluhm@; OK deraadt@
IPComp decompression must not overflow mbuf cluster.
Check after decompressing an IPComp packet, that the content fits
into a mbuf cluster. m_copyback() assumes that it can allocate a
single mbuf cluster to enlarge the mbuf chain. That means the
decompressed data must not exceed MAXMCLBYTES. Prevent panic:
m_clget: request for 67948 byte cluster.
from bluhm@; reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
IPsec AH must contain replay counter.
Before reading the replay counter from packet header in ah_input(),
[10 lines not shown]
Handle allocation failure and track correct mbuf length in IPComp.
In swcr_compdec() m_copyback(M_NOWAIT) may fail, but the error is
not checked. The mbuf chain could be too short, but the expected
length is returned as result. Then ipcomp_input() will not set
m->m_pkthdr.len to the actual length of the mbuf chain. This only
affects decompression, other cases do not need additional memory
for enlarging.
from bluhm@; OK deraadt@
IPComp decompression must not overflow mbuf cluster.
Check after decompressing an IPComp packet, that the content fits
into a mbuf cluster. m_copyback() assumes that it can allocate a
single mbuf cluster to enlarge the mbuf chain. That means the
decompressed data must not exceed MAXMCLBYTES. Prevent panic:
m_clget: request for 67948 byte cluster.
from bluhm@; reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
IPsec AH must contain replay counter.
Before reading the replay counter from packet header in ah_input(),
[10 lines not shown]
Run monitor exabgp session on new IP 10.12.57.5.
10.12.57.2 is used in test1 and since exabgp retries immediatly the
idleHoldTime of that peer goes up quickly and blocks further connects.
Before this worked since bgpd sent the notification and the error count
was not increased and with this immediate retries were possible.
do not zero the entire qwx sc->hal structure during resume
The structure contains pointers to DMA allocations which are leaked and
replaced by new allocations during resume if we zero the entire structure.
At attach time, the structure comes pre-zeroed so an initial memset is
not needed either.
cleanup when nfsm_srvmtofh1() errors in nfsrv_rename()
corrects vnode references and namei_pool leak
reported by Andrew Griffiths of Calif
from jsg@; initial diff from deraadt@ ok miod@
remove use of struct nfsm_info in nfs_serv.c (the non-trivial part)
from jsg@; with and ok miod@
remove use of struct nfsm_info in nfs_serv.c
from jsg@; with and ok miod@
convert nfs_serv.c from nfsm_mtouio() to nfsd_mtouio()
from jsg@; with and ok miod@
convert nfs_serv.c from nfsm_strsiz() to nfsd_strsiz()
from jsg@; with and ok miod@
convert nfs_serv.c from nfsm_dissect() to nfsd_dissect()
from jsg@; with and ok miod@
[106 lines not shown]
cleanup when nfsm_srvmtofh1() errors in nfsrv_rename()
corrects vnode references and namei_pool leak
reported by Andrew Griffiths of Calif
from jsg@; initial diff from deraadt@ ok miod@
remove use of struct nfsm_info in nfs_serv.c (the non-trivial part)
from jsg@; with and ok miod@
remove use of struct nfsm_info in nfs_serv.c
from jsg@; with and ok miod@
convert nfs_serv.c from nfsm_mtouio() to nfsd_mtouio()
from jsg@; with and ok miod@
convert nfs_serv.c from nfsm_strsiz() to nfsd_strsiz()
from jsg@; with and ok miod@
convert nfs_serv.c from nfsm_dissect() to nfsd_dissect()
from jsg@; with and ok miod@
[106 lines not shown]
Do not zeroize already zeroed buffer in sysctl_sysvipc(). The
KERN_SYSVIPC_SEM_INFO case was a part of the big semaphores diff,
KERN_SYSVIPC_SHM_INFO case to the next one.
from mvs@; ok deraadt
Replace semid_ds with semid_ds_kern for in-kernel sysv semaphore
implementation.
Note, the buffer used for userland dlivery in sysctl_sysvipc() was
filled with zeros during allocation, we don't need extra zeroing.
from mvs@; ok deraadt millert
Make concurrent sys_msgrcv() wait until we finish message delivery. We
left acquired message in the queue while we are sleeping in msg_copyout().
Concurrent sys_msgrcv() could acquire and delete this message.
Reported-by: syzbot+c80235d951da9769a00f at syzkaller.appspotmail.com
from mvs@
Restore msgrcv(2) MSG_NOERROR/E2BIG error path. Silently truncate
message is not a good idea.
[74 lines not shown]
Do not zeroize already zeroed buffer in sysctl_sysvipc(). The
KERN_SYSVIPC_SEM_INFO case was a part of the big semaphores diff,
KERN_SYSVIPC_SHM_INFO case to the next one.
from mvs@; ok deraadt
Replace semid_ds with semid_ds_kern for in-kernel sysv semaphore
implementation.
Note, the buffer used for userland dlivery in sysctl_sysvipc() was
filled with zeros during allocation, we don't need extra zeroing.
from mvs@; ok deraadt millert
Make concurrent sys_msgrcv() wait until we finish message delivery. We
left acquired message in the queue while we are sleeping in msg_copyout().
Concurrent sys_msgrcv() could acquire and delete this message.
Reported-by: syzbot+c80235d951da9769a00f at syzkaller.appspotmail.com
from mvs@
Restore msgrcv(2) MSG_NOERROR/E2BIG error path. Silently truncate
message is not a good idea.
[74 lines not shown]
sys/exec.h includes machine/exec.h, no need to include both
from jsg@
unzero'd padding bytes in struct reg and struct fpreg (both machine dependent)
leak kernel stack contents.
from deraadt@; from Andrew Griffiths at Calif
Disable kbind() and pinsyscalls() for static binaries at the correct
time, which is inside exec_elf_makecmds(). Amusingly, it looks like
these protection mechanisms are not needed because other process state
protects against kbind use since we completed the switch to static pie.
Also any priviledged static binary (which we ship, setuid or daemon) is
not going to contain a pinsyscall or kbind slot in the loaded pinsyscalls
table, so they cannot perform those. Only synthetic binaries with their
own pinsyscalls table could play, but of course they won't run with
priviledge..
from deraadt@; from Andrew Griffiths at Calif
ok kettenis, andrew also approves of this approach
[21 lines not shown]
sys/exec.h includes machine/exec.h, no need to include both
from jsg@
unzero'd padding bytes in struct reg and struct fpreg (both machine dependent)
leak kernel stack contents.
from deraadt@; from Andrew Griffiths at Calif
Disable kbind() and pinsyscalls() for static binaries at the correct
time, which is inside exec_elf_makecmds(). Amusingly, it looks like
these protection mechanisms are not needed because other process state
protects against kbind use since we completed the switch to static pie.
Also any priviledged static binary (which we ship, setuid or daemon) is
not going to contain a pinsyscall or kbind slot in the loaded pinsyscalls
table, so they cannot perform those. Only synthetic binaries with their
own pinsyscalls table could play, but of course they won't run with
priviledge..
from deraadt@; from Andrew Griffiths at Calif
ok kettenis, andrew also approves of this approach
[21 lines not shown]