isakmpd(8): Fix NULL dereference in message_alloc_reply() callers
message_alloc_reply() dereferences the returned pointer of
message_alloc() without a NULL check. Add one so callers can handle
the failure.
Also add NULL checks at both call sites in exchange.c.
test & ok sthen
isakmpd(8): Fix possible unaligned 32 bit read
When validating IPsec SPIs in a DELETE message, access to the
32 bit SPI value might be unaligned. On platforms requiring strict
alignment, this would cause termination of isakmpd by signal.
To avoid this, memcpy(3) the SPI value to a local variable.
test & ok sthen
isakmpd(8): Validate DELETE payload SPI array size [2/2]
Similar to message_validate_delete() also validate in
ipsec_handle_leftover_payload() that the provided number of SPIs
actually fit in the payload. This is redundant as we already would
bail out in message_validate_delete().
test & ok sthen
isakmpd(8): Validate DELETE payload SPI array size [1/2]
The number of SPIs provided in a DELETE message is not properly
validated. This might cause a read beyond the message end. However,
the outside read is limited to 4 bytes for IPsec SAs and 16 bytes
for ISAKMP SAs. A crash is possible, but seems unlikely to me.
test & ok sthen
isakmpd(8): Validate proposal and transform sizes
Check
- that a proposal payload fits within the outer SA payload,
- that the provided SPI and the following transform header fit within
the proposal, and
- transforms fit within the outer proposal payload.
It's already ensured that we never read outside the message. However,
within the message the mentioned payloads might be misinterpreted due
to malformed size values.
test & ok sthen
in inteldrm_burner_cb() call fb_blank() instead of drm_fb_helper_blank()
this indirectly calls intel_fbdev_blank(), which does
drm_fb_helper_blank() followed by intel_fbdev_invalidate()
avoids on screen garbage when wscons screen blanking is enabled on
mvs' Alder Lake and Gemini Lake machines.
Replace refresh-from-pane in copy mode with a way to automatically
update as pane content changes. This is toggled by pressing r. GitHub
issue 5165 from Barrett Ruth.
While grouped sessions are being killed, it can leave session which are
not really useful as targets (no active pane or current window) in the
tree. Make cmd_find_best_session skip these. GitHub issue 5167.
Implement mwx_mac_init for 7921 and 7925.
Almost all is the same in mwx_mac_init() only the DCR0 and DCR1 registers
live in different locations on 7925.
Also make mwx_mac_wtbl_update() work on both chips. MT7925 uses a
different register and register layout for MT_WTBL_UPDATE.
Use temporary buffer to copyout login name within sys_getlogin_r().
Load the session pointer to the `s' variable after new login name
was copied from the userland within sys_setlogin().
ok deraadt claudio
In inteldrm_activate(), move the rasops_show_screen() call to before
drm_client_dev_restore(). The same order as inteldrm_doswitch() and
inteldrm_enter_ddb().
x509_verify: fix incorrect purpose check in the non-legacy path
If a purpose is configured on the verify context (which it currently
never is), this check would only accept certificates for which the
purpose check fails. Also, this code is not currently reachable from
public API since x509_verify() is only ever called with a legacy xsc
set on the verify ctx, so x509_verify_ccert_extensions() takes the
path returning 1 earlier.
X509_check_purpose() is one of these strange legacy APIs. It returns -1
on error, 0 if the cert fails the purpose check, 1 if it passes it and
values between 2 and 5 indicate various legacy garbage meaning that the
cert might possibly have been fit for this purpose until around a quarter
century ago. While for CA certs the checks in "No we don't care about ..."
exclude return values > 1, it is still possible for the S/MIME purpose
to return 2 due to a workaround for some buggy NS certs, for example.
In short: anything but 1 means unfit for the purpose or at best dubious,
so reject such certs.
[4 lines not shown]
drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable
From Jouni Hogander
21bfa15a89d888d37e4881d64fc473cb85f4697a in linux-6.18.y/6.18.35
3549a9649dc7c5fc586ab12f675279283cdcb2a7 in mainline linux
drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO
From Ziyi Guo
f059b4c493df3e54fe3ffe4658009c31864275da in linux-6.18.y/6.18.35
a1ba4594232c87c3b8defd6f89a2e40f8b08395d in mainline linux
drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx
From Christian Koenig
fa372f4e8aeff6d0d3dd2f14b9165b4013e72a6d in linux-6.18.y/6.18.35
1c824497d8acd3187d585d6187cedc1897dcc871 in mainline linux
