Do KN_DETACHED flag check before kn->kn_ptr.p_process dereference in
proc_filtops handlers. After filt_proc() sets KN_DETACHED flag, the
kn->kn_ptr.p_process is not valid anymore.
ok visa
Enable the GXTP7936 touchscreen on the Samsung Galaxy Book4 Edge,
for now by polling since interrupts still don't work.
ihidev:
On a "finger lift" poll event, pass up the empty packet to the sub-driver.
Previously the empty packet was dropped.
hidms:
If we receive the empty packet due to "finger lift", don't set the pointer
position to 0,0 to prevent snapping to the upper left corner of the screen.
ok kirill@
If pstat -d encountered an error doing kvm_read, it would report the error,
but still attempt to print the (uninitialized and unread) data.
This changes it to fail correctly.
acct(8) and quotactl(8) can see files beyond unveil. These are root-only
system calls, also obviously blocked by all pledge.
However there is a circumstance of root running with unveil but without pledge
(quite rare in the tree) and there are some gaps. These two fixes are a
stopgap because I think we should re-design how namei handles this.
From ivan at Quarkslab
ok dgl
A privileged guest can make the host-side `vioblk` backend read a descriptor
outside the configured virtqueue descriptor table and interpret the out-of-table
entry as a block request descriptor. In the confirmed run, the guest-controlled
out-of-table descriptor made `vmd(8)` read and log a guest-chosen block command
value, and the device entered `DEVICE_NEEDS_RESET`.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin
A privileged guest can notify one invalid virtio-block queue index and
terminate the host-side `vioblk` device process. In the confirmed run, this
also caused the VM event thread to exit unexpectedly.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin
Do not call `fatalx()` on malformed guest-provided descriptor lengths. Reject
the request and return without terminating the VM process.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin
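The three vioblk fixes above share one rule: every index and length the guest writes into the virtqueue is untrusted, and a bad value is answered by rejecting the request, never by aborting the device process. The following is an added example, not vmd(8) code, of a descriptor-chain walker written that way. The `struct vring_desc` layout and the `VRING_DESC_F_*` flags are the split-ring format from the virtio specification; `QUEUE_SIZE`, `MAX_REQ_LEN`, the `walk_chain()` name and the sample table are assumptions made up for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Split-ring descriptor, as in the virtio specification. */
struct vring_desc {
	uint64_t addr;
	uint32_t len;
	uint16_t flags;
	uint16_t next;
};
#define VRING_DESC_F_NEXT	1
#define VRING_DESC_F_WRITE	2

#define NQUEUES		1		/* vioblk exposes one request queue */
#define QUEUE_SIZE	8		/* assumed, demo only */
#define MAX_REQ_LEN	(1024 * 1024)	/* assumed cap on one request's payload */

struct vq {
	struct vring_desc desc[QUEUE_SIZE];	/* descriptor table: guest-written */
	uint16_t size;				/* host-chosen entry count */
};

enum walk_result {
	WALK_OK = 0,
	WALK_BAD_QUEUE,		/* queue index this device does not have */
	WALK_BAD_INDEX,		/* head or next points outside desc[] */
	WALK_BAD_LEN,		/* zero or oversized descriptor length */
	WALK_LOOP		/* chain longer than the table: a cycle */
};

/*
 * Walk the chain starting at head. Every guest-supplied index (head and each
 * `next`) is checked against the queue size before it is used to read desc[],
 * and the walk is bounded by the table size so a cycle cannot spin the host.
 * On success *total receives the summed payload length. Errors are returned
 * to the caller, which drops the request; nothing here calls fatalx().
 */
enum walk_result
walk_chain(const struct vq *queues, size_t nqueues, uint16_t qidx,
    uint16_t head, uint32_t *total)
{
	const struct vq *q;
	uint16_t idx;
	unsigned steps = 0;
	uint64_t sum = 0;

	if (qidx >= nqueues)		/* notify for a queue we do not have */
		return WALK_BAD_QUEUE;
	q = &queues[qidx];
	if (head >= q->size)
		return WALK_BAD_INDEX;

	idx = head;
	for (;;) {
		const struct vring_desc *d = &q->desc[idx];	/* idx validated above */

		if (d->len == 0 || d->len > MAX_REQ_LEN)
			return WALK_BAD_LEN;
		sum += d->len;
		if (sum > MAX_REQ_LEN)
			return WALK_BAD_LEN;
		if (!(d->flags & VRING_DESC_F_NEXT))
			break;
		if (++steps >= q->size)		/* more steps than slots: a cycle */
			return WALK_LOOP;
		if (d->next >= q->size)		/* validate before it becomes an index */
			return WALK_BAD_INDEX;
		idx = d->next;
	}
	*total = (uint32_t)sum;
	return WALK_OK;
}

struct vq sample_queues[NQUEUES];

/* Constructed descriptor table: one well-formed chain and three hostile ones. */
void
build_sample_queues(void)
{
	struct vq *q = &sample_queues[0];

	q->size = QUEUE_SIZE;
	/* 0 -> 1 -> 2: 16-byte request header, 512-byte data, 1-byte status */
	q->desc[0] = (struct vring_desc){ 0x1000, 16, VRING_DESC_F_NEXT, 1 };
	q->desc[1] = (struct vring_desc){ 0x2000, 512, VRING_DESC_F_NEXT | VRING_DESC_F_WRITE, 2 };
	q->desc[2] = (struct vring_desc){ 0x3000, 1, VRING_DESC_F_WRITE, 0 };
	/* 3: `next` points past the table */
	q->desc[3] = (struct vring_desc){ 0x4000, 16, VRING_DESC_F_NEXT, 40 };
	/* 4 <-> 5: a cycle */
	q->desc[4] = (struct vring_desc){ 0x5000, 16, VRING_DESC_F_NEXT, 5 };
	q->desc[5] = (struct vring_desc){ 0x6000, 16, VRING_DESC_F_NEXT, 4 };
	/* 6: zero-length descriptor */
	q->desc[6] = (struct vring_desc){ 0x7000, 0, 0, 0 };
}

int
main(void)
{
	uint32_t total = 0;

	build_sample_queues();
	printf("chain 0: %d (total %u)\n", walk_chain(sample_queues, NQUEUES, 0, 0, &total), total);
	printf("queue 1: %d\n", walk_chain(sample_queues, NQUEUES, 1, 0, &total));
	printf("chain 3: %d\n", walk_chain(sample_queues, NQUEUES, 0, 3, &total));
	printf("chain 4: %d\n", walk_chain(sample_queues, NQUEUES, 0, 4, &total));
	return 0;
}
```

The queue-index check corresponds to the second fix (an invalid notify index), the `head`/`next` checks to the first (an out-of-table descriptor) and the length checks to the third; a real backend would additionally verify that `addr`/`len` fall inside guest memory before touching the data.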
[26 lines not shown]
Validate encrypted queue buffer sizes before processing auth tag
and IV data: current callers already treat malformed input as a
decrypt failure but rejecting truncated buffers earlier makes
boundary conditions more explicit.
from gilles@; diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
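The boundary the queue-buffer change makes explicit is the one between "too short to hold an IV and a tag" and "a buffer whose parts can be located". As an added example, not smtpd code, the function below splits a buffer laid out as [IV][ciphertext][tag] only after checking its length, so the tag and IV pointers are never computed for a truncated input. The layout, the AES-GCM sizes `IV_LEN`/`TAG_LEN`, the `enc_buffer_split()` name and the rule that an empty ciphertext is rejected are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IV_LEN	12	/* assumed: AES-GCM nonce */
#define TAG_LEN	16	/* assumed: AES-GCM auth tag */

struct enc_view {
	const uint8_t *iv;
	const uint8_t *ct;
	size_t ctlen;
	const uint8_t *tag;
};

/*
 * Locate IV, ciphertext and tag in buf[0..len). Returns 0 on success and -1
 * for any buffer that cannot be a valid envelope; callers treat -1 exactly
 * like a failed decrypt. No pointer arithmetic happens before the length
 * check, so a truncated buffer never yields a tag pointer past its end.
 */
int
enc_buffer_split(const uint8_t *buf, size_t len, struct enc_view *v)
{
	const size_t overhead = IV_LEN + TAG_LEN;

	if (buf == NULL || v == NULL)
		return -1;
	if (len < overhead)		/* truncated: no room for IV and tag */
		return -1;
	if (len == overhead)		/* example policy: empty ciphertext is not an envelope */
		return -1;
	v->iv = buf;
	v->ct = buf + IV_LEN;
	v->ctlen = len - overhead;
	v->tag = buf + len - TAG_LEN;
	return 0;
}

int
main(void)
{
	uint8_t buf[40] = { 0 };	/* constructed: 12 IV + 12 ciphertext + 16 tag */
	struct enc_view v;
	size_t len;

	/* Walk across the boundary to see where acceptance starts. */
	for (len = 26; len <= 30; len++)
		printf("len %zu: %s\n", len,
		    enc_buffer_split(buf, len, &v) == 0 ? "ok" : "reject");
	if (enc_buffer_split(buf, sizeof(buf), &v) == 0)
		printf("ciphertext at offset %td, %zu bytes, tag at offset %td\n",
		    v.ct - buf, v.ctlen, v.tag - buf);
	return 0;
}
```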
Ensure pending asynchronous lookups do not retain dangling smtp_session
references after teardown.
This is mainly a robustness fix inside the privsep model: stale
references may permit lateral effects between smtpd processes after
another compromise.
from gilles@; diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Zero the temporary envelope parsing buffers before use.
While current parsing paths do not expose uninitialized data, keeping
stack residue in these transient buffers unnecessarily weakens
compartmentalization and may aid lateral movement inside the privsep
[24 lines not shown]
Replace the existing SHA-1 implementation in libc.
This leverages some of the recent code in libcrypto while retaining the
existing API and reusing SHA1_CTX definitions. The implementation uses
static inline functions instead of macros and spells out the full variable
rotations to follow the specification, rather than trying to outsmart the
compiler. A performance gain is seen across most architectures.
This also gives us a basis to provide per-architecture accelerated assembly
implementations, based on those in libcrypto.
With input from naddy@
ok naddy@ tb@
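To show what "static inline functions instead of macros" and "spell out the full variable rotations" look like in practice, here is an added example of a compact SHA-1 written that way. It is not the libc or libcrypto implementation; the context layout, the function names and the one-shot `sha1_hex()` helper are this example's own. The round functions, constants and message schedule follow FIPS 180-4, and the known-answer vector for "abc" is the one from that specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
	uint32_t h[5];
	uint64_t nbits;		/* total message length in bits */
	uint8_t buf[64];	/* partial block */
	size_t buflen;
} sha1_ctx;

static inline uint32_t rotl32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Round functions exactly as FIPS 180-4 writes them. */
static inline uint32_t ch(uint32_t b, uint32_t c, uint32_t d) { return (b & c) | (~b & d); }
static inline uint32_t parity(uint32_t b, uint32_t c, uint32_t d) { return b ^ c ^ d; }
static inline uint32_t maj(uint32_t b, uint32_t c, uint32_t d) { return (b & c) | (b & d) | (c & d); }

static inline uint32_t
be32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void
sha1_block(uint32_t h[5], const uint8_t block[64])
{
	uint32_t w[80], a, b, c, d, e, f, k, t;
	int i;

	for (i = 0; i < 16; i++)
		w[i] = be32(block + 4 * i);
	for (; i < 80; i++)
		w[i] = rotl32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);

	a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4];
	for (i = 0; i < 80; i++) {
		if (i < 20)      { f = ch(b, c, d);     k = 0x5a827999; }
		else if (i < 40) { f = parity(b, c, d); k = 0x6ed9eba1; }
		else if (i < 60) { f = maj(b, c, d);    k = 0x8f1bbcdc; }
		else             { f = parity(b, c, d); k = 0xca62c1d6; }
		t = rotl32(a, 5) + f + e + k + w[i];
		e = d; d = c; c = rotl32(b, 30); b = a; a = t;	/* the rotation, spelled out */
	}
	h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

void
sha1_init(sha1_ctx *ctx)
{
	ctx->h[0] = 0x67452301; ctx->h[1] = 0xefcdab89; ctx->h[2] = 0x98badcfe;
	ctx->h[3] = 0x10325476; ctx->h[4] = 0xc3d2e1f0;
	ctx->nbits = 0;
	ctx->buflen = 0;
}

void
sha1_update(sha1_ctx *ctx, const void *data, size_t len)
{
	const uint8_t *p = data;

	ctx->nbits += (uint64_t)len * 8;
	while (len > 0) {
		size_t n = 64 - ctx->buflen;
		if (n > len)
			n = len;
		memcpy(ctx->buf + ctx->buflen, p, n);
		ctx->buflen += n; p += n; len -= n;
		if (ctx->buflen == 64) {
			sha1_block(ctx->h, ctx->buf);
			ctx->buflen = 0;
		}
	}
}

void
sha1_final(sha1_ctx *ctx, uint8_t out[20])
{
	uint64_t nbits = ctx->nbits;	/* saved: padding must not count */
	uint8_t pad = 0x80, zero = 0, lenbuf[8];
	int i;

	sha1_update(ctx, &pad, 1);
	while (ctx->buflen != 56)	/* spills into a second block when needed */
		sha1_update(ctx, &zero, 1);
	for (i = 0; i < 8; i++)
		lenbuf[i] = (uint8_t)(nbits >> (56 - 8 * i));
	sha1_update(ctx, lenbuf, 8);	/* completes the final block */
	for (i = 0; i < 5; i++) {
		out[4 * i] = (uint8_t)(ctx->h[i] >> 24); out[4 * i + 1] = (uint8_t)(ctx->h[i] >> 16);
		out[4 * i + 2] = (uint8_t)(ctx->h[i] >> 8); out[4 * i + 3] = (uint8_t)ctx->h[i];
	}
}

/* One-shot helper: hex digest of data into hex (41 bytes including NUL). */
const char *
sha1_hex(const void *data, size_t len, char hex[41])
{
	sha1_ctx ctx;
	uint8_t d[20];
	int i;

	sha1_init(&ctx);
	sha1_update(&ctx, data, len);
	sha1_final(&ctx, d);
	for (i = 0; i < 20; i++)
		snprintf(hex + 2 * i, 3, "%02x", d[i]);
	return hex;
}

int
main(void)
{
	char hex[41];
	printf("%s\n", sha1_hex("abc", 3, hex));
	return 0;
}
```

The 56-byte FIPS vector is worth keeping in any test for such code: it is the length at which the 0x80 pad byte fits the current block but the 8-byte length does not, which is where hand-written padding most often goes wrong.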
ntpd: use the usual error check for timegm(3).
Straightforward change. The code could use some refactoring to avoid two
consecutive timegm(3) calls on tm_tls. The layering is a bit strange here.
ok deraadt henning job
Fix uploads using chunked transfer-encoding
The current code is broken so rework server_read_httpchunks() to properly
implement chunked transfer-encoding. Chunked uploads only matter for
fastcgi handlers, so adjust them to operate with chunked uploads.
The problem is that the CGI spec mandates that CONTENT_LENGTH is set
but for chunked transfers the content-length header is actually not
allowed. Both fastcgi and cgi don't really need CONTENT_LENGTH since the
data is passed via FCGI_STDIN messages or a pipe and in both cases EOF
can be signaled just fine. Still some cgi/fastcgi handlers depend on the
presence of CONTENT_LENGTH and so those fail to process such chunked
uploads. For this reason add a config option to opt-in for chunked
uploads but by default any upload with transfer-encoding chunked will
result in an HTTP 400 error.
OK kirill@ rsadowski@
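The commit's point that the body length of a chunked upload is only known once the last-chunk has been read, so no CONTENT_LENGTH can be set up front, is easiest to see in a decoder. The following is an added example, not httpd's server_read_httpchunks(): a strict decoder for the chunked transfer coding (RFC 9112 section 7.1) that accepts chunk extensions and trailers and reports every malformed or truncated input as -1, the case a server answers with 400. The `chunked_decode()` signature and the sample body are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

static int
hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Consume "\r\n" at *i; a bare LF is not accepted. */
static int
expect_crlf(const char *in, size_t inlen, size_t *i)
{
	if (*i + 2 > inlen || in[*i] != '\r' || in[*i + 1] != '\n')
		return 0;
	*i += 2;
	return 1;
}

/*
 * Decode one chunked message body from in[0..inlen). Decoded bytes go to
 * out (at most outlen); *consumed receives the input bytes used, so the
 * caller can find the next pipelined request. Returns the decoded length,
 * or -1 if the input is malformed or truncated.
 */
ssize_t
chunked_decode(const char *in, size_t inlen, char *out, size_t outlen, size_t *consumed)
{
	size_t i = 0, o = 0;

	for (;;) {
		size_t size = 0;
		int ndigits = 0, v;

		/* chunk-size: 1*HEXDIG, guarded against size_t overflow */
		while (i < inlen && (v = hexval((unsigned char)in[i])) >= 0) {
			if (size > (SIZE_MAX >> 4))
				return -1;
			size = size * 16 + (size_t)v;
			i++; ndigits++;
		}
		if (ndigits == 0)
			return -1;
		/* chunk-ext: ignored, but must not hide a bare LF */
		while (i < inlen && in[i] != '\r') {
			if (in[i] == '\n')
				return -1;
			i++;
		}
		if (!expect_crlf(in, inlen, &i))
			return -1;
		if (size == 0)
			break;			/* last-chunk: body length is known only now */
		/* chunk-data must be fully present and must fit the output */
		if (size > inlen - i || size > outlen - o)
			return -1;
		memcpy(out + o, in + i, size);
		o += size; i += size;
		if (!expect_crlf(in, inlen, &i))
			return -1;
	}
	/* trailer section: zero or more header lines, then an empty line */
	for (;;) {
		if (expect_crlf(in, inlen, &i))
			break;
		while (i < inlen && in[i] != '\r')
			i++;
		if (!expect_crlf(in, inlen, &i))
			return -1;
	}
	*consumed = i;
	return (ssize_t)o;
}

int
main(void)
{
	/* constructed request body with a chunk extension and a trailer */
	static const char msg[] =
	    "4\r\nWiki\r\n"
	    "6;ext=1\r\npedia \r\n"
	    "d\r\nin\r\n\r\nchunks.\r\n"
	    "0\r\n"
	    "X-Trailer: yes\r\n"
	    "\r\n";
	char out[64];
	size_t used;
	ssize_t n = chunked_decode(msg, sizeof(msg) - 1, out, sizeof(out), &used);

	if (n < 0)
		printf("400 Bad Request\n");
	else
		printf("decoded %zd bytes, consumed %zu: %.*s\n", n, used, (int)n, out);
	return 0;
}
```

A server feeding a FastCGI handler would pass each decoded chunk on as FCGI_STDIN data as it arrives and signal EOF after the last-chunk; the decoded total above (23 bytes for the sample) is exactly the number it could not have put in CONTENT_LENGTH before reading the whole body.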
sk-usbhid: skip unsupported key types in read_rks()
When enumerating resident keys, encountering a credential with an
unsupported COSE key type (not ES256 or EdDSA) caused the entire
enumeration to abort via goto out, discarding all valid keys.
Move the key type check before the per-credential allocation so
unsupported types can be skipped with continue instead. This
preserves all valid resident keys on the token.
Patch from Akhilesh Arora via GHPR657
Actually set pollfd.events correctly for socket type channels;
previously we were throwing away the events we computed if the
channel had a c->sock distinct from its other read and write
fds. Fortunately, it appears that this case happens rarely, if
ever.
Reported by Darafei Praliaskouski via GHPR660
When pane-border-indicators is set to "both" or "arrows", only draw
arrows on the active floating pane and no other floating panes. Also
there is no need to loop in screen_redraw_cell_border if only checking
one pane.