Fix memory corruption bugs in BSM record parsing
fetch_newgroups_tok(3): clamp group count to AUDIT_MAX_GROUPS before the
loop to prevent a stack buffer overflow when a crafted record specifies
more than 16 groups.
fetch_execarg_tok(3), fetch_execenv_tok(3): add a bounds check at the
top of the string-walking loop to prevent an out-of-bounds read when the
previous string's nul byte is the last byte of the record buffer.
fetch_sock_unix_tok(3): clamp the memchr search length to the number of
bytes remaining in the buffer to prevent an out-of-bounds read on short
tokens. Also clamp slen to sizeof(path) to prevent a one-byte overflow
when no nul byte is found within the path data.
fetch_socket_tok: fix copy-paste error where the remote address was
written into l_addr instead of r_addr.
Previously reported by: @haginara
[13 lines not shown]
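The bounds discipline this commit message describes for the string-walking and path-copying parsers, as an added C example (not code from the FreeBSD tree). The function names, the `PATH_FIELD` size and the sample record are assumptions, and an unterminated path is rejected here rather than clamped.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define PATH_FIELD 104  /* assumed size of the fixed path[] destination */

/* Copy the nul-terminated path at buf[off] into path[]. Returns the bytes
 * consumed (terminator included) or -1 if the token is short or unterminated. */
static int parse_unix_path(const unsigned char *buf, size_t len, size_t off,
                           char path[PATH_FIELD])
{
    if (off >= len)
        return -1;
    size_t avail = len - off;                  /* bytes actually left */
    size_t search = avail < PATH_FIELD ? avail : PATH_FIELD;
    const unsigned char *nul = memchr(buf + off, '\0', search);
    if (nul == NULL)        /* no terminator: reject, never copy one too many */
        return -1;
    size_t slen = (size_t)(nul - (buf + off)) + 1;   /* <= PATH_FIELD */
    memcpy(path, buf + off, slen);
    return (int)slen;
}

/* Step over `count` nul-terminated strings starting at *off. Returns 0 and
 * advances *off, or -1 if the record ends before all strings are seen. */
static int walk_strings(const unsigned char *buf, size_t len, size_t *off,
                        unsigned count)
{
    size_t pos = *off;
    for (unsigned i = 0; i < count; i++) {
        if (pos >= len)     /* previous nul was the record's last byte */
            return -1;
        const unsigned char *nul = memchr(buf + pos, '\0', len - pos);
        if (nul == NULL)
            return -1;
        pos = (size_t)(nul - buf) + 1;
    }
    *off = pos;
    return 0;
}

int main(void)
{
    /* Constructed record body: two strings ending on the last byte. */
    static const unsigned char rec[] = { 'l', 's', 0, '-', 'l', 0 };
    char path[PATH_FIELD];
    size_t off = 0;
    printf("3 strings: %d\n", walk_strings(rec, sizeof(rec), &off, 3));
    printf("path at 3: %d\n", parse_unix_path(rec, sizeof(rec), 3, path));
    return 0;
}
```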
mac_seeotheruids: allow specificgid to be a list of groups
The specificgid functionality has historically allowed only a single
group to be exempt, but in practice one might want a few services to
be exempt for reasons. From a security perspective, we probably don't
want to encourage unrelated users to be grouped together solely for
this purpose, as that creates one point of shared access that could be
used for nefarious purposes.
Normalize the group list as we do cr_groups to allow for linear matching
rather than quadratic; we just need to account for the differences in
FreeBSD 15.0+ where cr_groups is entirely supplementary groups vs.
earlier versions, where cr_groups[0] is the egid and the rest is
sorted.
Reviewed by: csjp, des (earlier version)
Sponsored by: Klara, Inc.
(cherry picked from commit b675ff8eedc9ac93cdf1cfe33185b7a1a027df37)
cron: log when a crontab path is too long
Log via syslog when snprintf truncates the crontab path, instead of
silently skipping the entry.
Signed-off-by: Christos Longros <chris.longros at gmail.com>
Reviewed by: bcr, kevans
Differential Revision: https://reviews.freebsd.org/D56235
tests/sys/arch/amd64: add a program to check INT $0x80 behavior on amd64
Requested and reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D56654
libifconfig: Skip bridge VLAN config for span members
bridge(4) doesn't support BRDGGIFVLANSET for span members, which
means if a span interface is configured, libifconfig will fail to
fetch bridge members. Skip this for IFBIF_SPAN members.
PR: 292634
MFC after: 3 days
Reported by: Emrion <kmachine at free.fr>
Reviewed by: pouria, zlei
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D56694
efibootmgr: Show attributes, category and optional data when verbose
Also rework a bit the way device paths are displayed for consistency.
Signed-off-by: stephane.rochoy at stormshield.eu
Reviewed by: imp
Sponsored by: Stormshield
Pull-Request: https://github.com/freebsd/freebsd-src/pull/2167
efivar: Move dump functions into libefivar
To allow their use by efibootmgr.
Signed-off-by: stephane.rochoy at stormshield.eu
Reviewed by: imp
Sponsored by: Stormshield
Pull-Request: https://github.com/freebsd/freebsd-src/pull/2167
ctld: kernel-sourced portal groups are not dummies
The current and historical versions of ctld would flag our initial set
of kernel ports as dummies, because their portal groups were empty since
portals come from the configuration on-disk.
As a result, we would never try to remove a kernel port at startup that
didn't exist in the configuration (possibly a feature if you wanted
concurrent ctld(8)), and we would always try to port->kernel_add() on
ports in the configuration (even if they actually did have an existing
kernel port).
Flag these portal groups as kernel groups so that we avoid trying to add
ports that already exist. It may be the case that the kernel_remove()
loop in conf::apply() needs to do something other than the current
`oldport->is_dummy()` to avoid removing ports that it isn't supposed to
be managing, but that would also seem to apply to LUNs that would be
removed today.
[2 lines not shown]
libiscsiutil: preserve errno across warning logs
Various calls in the implementation can clobber errno; preserve it for
the caller since none of these will bubble up pass/fail to simplify
some future error handling in ctld.
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D56539
bsdinstall: fix root password prompt with backslashes
Use "read -r" to set the root password in "bsdinstall rootpass" to
prevent issues with passwords containing one or more backslash
characters.
PR: 294781
Discussed with: tuexen, crest
Approved by: khorben
MFC after: 3 days
Event: Wiesbaden Hackathon 202604
(cherry picked from commit 1566386b90d34dea7f30a0e6b511e178bd0d50b8)
Makefile.inc1: Only copy locales to INSTALLTMP on FreeBSD
Makefile.inc1 copies locales to ${INSTALLTMP} to avoid issues when
running make installworld on a live system. However, this can break
on non-FreeBSD systems, e.g. on openSUSE where /usr/share/locales
has mode 0555, which means after we copy it, we can't delete it,
so the build fails.
Since this functionality is only useful when installing over a
live system, disable it when the build host is not FreeBSD.
MFC after: 2 weeks
Reviewed by: kevans, emaste
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D56677
packages: Make create-sets.sh more robust
Use ${PKG_CMD} rather than bare 'pkg' to fix the build when pkg is
not in the tools path. Provide a default in case it's not set for
some reason (e.g., running the script by hand).
Since set -- $(...) does not trigger an exit from set -e if the
command fails, this failure was silent and resulted in sets not
being built correctly if we failed to run pkg. Use a temporary
variable, which does trigger set -e, to fail correctly.
MFC after: 2 weeks
Reviewed by: sjg
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D56676
llvm: Move libprivatelldb to the lldb package
Set PACKAGE=lldb in lldb.pre.mk rather than in individual Makefiles;
change lib/clang/Makefile.inc from PACKAGE=clang to PACKAGE?=clang to
avoid overwriting it.
This is safe to MFC to stable/15 since the moved library will be
picked up automatically by pkg.
MFC after: 2 weeks
Reviewed by: emaste
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D56674
acpi: Remove userland bits on non-ACPI platforms
ACPI is only supported on amd64, arm64 and i386. Don't install the
power_profile rc script or devd configuration on other platforms.
This avoids creating a useless FreeBSD-acpi package on those platforms.
MFC after: 2 weeks
Reviewed by: imp
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D56650
hwpmc: Add IBS capability control policy
Reject unsupported AMD IBS and PMU control bits before programming the
MSRs.
Initialize IBS fetch/op allow masks from CPUID feature bits and validate
user-provided IBS control values against those masks. Keep the
load-latency filter dependency on L3MissOnly, but avoid decoding fields
that are already constrained by the mask.
Apply the same reserved-bit policy to the AMD PMU raw-config path by
checking core, L3, and data fabric configs against subclass-specific
masks.
Fix the IBS CPUID feature bit definitions used by the policy.
Reviewed by: mhorne, Ali Mashtizadeh <ali at mashtizadeh.com>
Sponsored by: AMD
Signed-off-by: Andre Silva <andasilv at amd.com>
Pull Request: https://github.com/freebsd/freebsd-src/pull/2140
hwpmc: Add extra_mask sysctls per counter type
Expose kern.hwpmc.{ibs_fetch,ibs_op,amd_core,amd_l3,amd_df}_extra_mask
as RWTUN uint64s that OR into the CPUID-derived allow mask at
validation time. Default 0, so the strict policy applies unless an
administrator opts bits back in — intended for testing the wrmsr_safe
path in PR #2157.
Reviewed by: mhorne, Ali Mashtizadeh <ali at mashtizadeh.com>
Sponsored by: AMD
Signed-off-by: Andre Silva <andasilv at amd.com>
Pull Request: https://github.com/freebsd/freebsd-src/pull/2140
hwpmc_ibs: Add external error handling
Add EXTERR_CAT_HWPMC_IBS to the external error categories and replace generic
EINVAL returns in ibs_allocate_pmc() with EXTERROR() calls that provide
detailed error messages.
This will be augmented with additional cases in the near future.
Reviewed by: mhorne
Sponsored by: AMD
Signed-off-by: Andre Silva <andasilv at amd.com>
Pull Request: https://github.com/freebsd/freebsd-src/pull/2134
sys.net.if_wg.wg_key_peerdev_makeshared: Add require metadata
Add require.user root and require.kmods if_wg to
wg_key_peerdev_makeshared_head(), consistent with the other wg tests.
Without if_wg.ko, ifconfig wg create fails with EINVAL. The
test also needs root to create jails.
Sponsored by: The FreeBSD Foundation
Vendor import of smart at 1.0.2
smart/diskhealth is a command line application to monitor disk health
from a storage device via SMART.
Reviewed by: fuz, jrm
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D56638
bsdinstall: Improve auto-partition message
Manually tuning ZFS for systems with <8GB ram hasn't been necessary at
least since the switch to OpenZFS. We have users reporting using 1GB RAM
with no manual tuning/issues. Further, the page this links to is a stale
wiki page, which is causing complaints. Remove this misleading note and
replace it with a similar message for UFS. While here, reword that note
to be a bit clearer.
PR: 287719
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D50971
vt_core: make sure the driver's functions exist
These are NULL if they're not implemented. Make sure all the functions
we need are there before doing anything.
Also invert the first if statement to lessen the indentation a bit.
Reported by: Quentin Thébault <quentin.thebault at defenso.fr>
MFC after: 3 days
(cherry picked from commit d1854272b646306de6546f8e5702e8072051d7f6)
vt_core: delay the shutdown splash event handler
Even though the functions are currently executed in the correct order,
there's no guarantee that this will always be the case.
Reported by: kevans
Discussed with: kevans
Fixes: 4b862c713ac5556ab4bd1828b47c5eb9cb28e067
MFC after: 3 days
(cherry picked from commit e72c59315e7a2bedd654ac7c6e82dd3ceba30ed2)