HardenedBSD/src c4c4a4bcrypto .gitignore, crypto/openssl configdata.pm

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
DeltaFile
+0-36,871crypto/openssl/configdata.pm
+110-210usr.sbin/quot/quot.c
+206-0tools/test/stress2/misc/unionfs20.sh
+0-133crypto/openssl/util/wrap.pl
+102-0usr.sbin/quot/tests/quot_test.sh
+78-0crypto/.gitignore
+496-37,21423 files not shown
+618-37,33529 files

HardenedBSD/src dff0414crypto .gitignore, crypto/openssl configdata.pm

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+0-36,871crypto/openssl/configdata.pm
+110-210usr.sbin/quot/quot.c
+206-0tools/test/stress2/misc/unionfs20.sh
+0-133crypto/openssl/util/wrap.pl
+102-0usr.sbin/quot/tests/quot_test.sh
+78-0crypto/.gitignore
+496-37,21423 files not shown
+618-37,33529 files

HardenedBSD/src aa870a1etc/mtree BSD.tests.dist, usr.sbin/quot quot.c Makefile

quot: Add tests

To facilitate the task, we change the comparison function so that users
with equal filesystem usage are sorted by UID, and add an undocumented
option that prevents quot from replacing numerical UIDs with names.  We
also switch from getfsfile(3) to getmntpoint(3) so the first line is
identical regardless of whether we pass quot a mountpoint or a device.

Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D53133
DeltaFile
+102-0usr.sbin/quot/tests/quot_test.sh
+13-6usr.sbin/quot/quot.c
+5-1usr.sbin/quot/Makefile
+4-0usr.sbin/quot/tests/Makefile
+2-0etc/mtree/BSD.tests.dist
+126-75 files

HardenedBSD/src 8209311usr.sbin/quot quot.c quot.8

quot: Drop the -h option

There was probably a time, more than 30 years ago, when the actual
size of a file had to be calculated and this option saved time, but
all it does today is give incorrect results for no benefit.

Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D53132
DeltaFile
+4-32usr.sbin/quot/quot.c
+1-5usr.sbin/quot/quot.8
+5-372 files

HardenedBSD/src 0eaca4ausr.sbin/quot quot.c

quot: Drop the COMPAT version

We've had this code for 30 years, but there has never been a way to
build it.  We have no idea if it still works, or if it ever worked.

Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D53131
DeltaFile
+0-54usr.sbin/quot/quot.c
+0-541 files

HardenedBSD/src 195b00eusr.sbin/quot quot.c quot.8

quot: Clean up

* Fix numerous style violations.
* Modernize somewhat.
* Don't bother examining errno after calling get_inode(), as it always
  exits on error.
* Fix confusing wording in the manual page.

The code remains somewhat idiosyncratic, e.g. in its insistance on
counting down rather than up in simple for loops, but in the absence
of comprehensive automated tests, the risk of introducing bugs exceeds
the benefit of rewriting these into more idiomatic forms.

Reviewed by:    obiwac
Differential Revision:  https://reviews.freebsd.org/D53130
DeltaFile
+103-124usr.sbin/quot/quot.c
+3-4usr.sbin/quot/quot.8
+0-2usr.sbin/quot/Makefile
+106-1303 files

HardenedBSD/src 5854d1cusr.sbin/quot quot.c

quot: Fix benign buffer overflow

If it encounters an inode whose owner does not have a pw entry, quot
allocates a 7-byte buffer (8 in practice, since that is the minimum
allocation size) and uses it to store the numeric uid preceded by a
hash character.  This will overflow the allocated buffer if the UID
exceeds 6 decimal digits.  Avoid this by using asprintf() instead.

While here, simplify the common case as well using strdup().

Reported by:    Igor Gabriel Sousa e Souza <igor at bsdtrust.com>
MFC after:      3 days
Reviewed by:    obiwac, emaste
Differential Revision:  https://reviews.freebsd.org/D53129
DeltaFile
+2-6usr.sbin/quot/quot.c
+2-61 files

HardenedBSD/src c0f17d6usr.bin/tar Makefile

tar: Move to the utilities package

tar(1) is not a core runtime utility; in particular, nothing in
/etc/rc.d/* requires it.  Move it to utilities, which is also
where cpio(1) lives.

This removes the dependency from runtime to libarchive.

MFC after:      3 days
Reviewed by:    manu, emaste
Sponsored by:   https://www.patreon.com/bsdivy
Differential Revision:  https://reviews.freebsd.org/D53059
DeltaFile
+0-1usr.bin/tar/Makefile
+0-11 files

HardenedBSD/src e757a92share/mk bsd.man.mk

bsd.man.mk: Support MANGROUPS.yes

Similar to SUBDIR and CONFGROUPS, this allows the use of
MANGROUPS.${MK_FOO}, simplifying Makefile logic for optional
manpages.

MFC after:      3 seconds
Reviewed by:    emaste
Sponsored by:   https://www.patreon.com/bsdivy
Differential Revision:  https://reviews.freebsd.org/D53126
DeltaFile
+8-0share/mk/bsd.man.mk
+8-01 files

HardenedBSD/src c26d6bfusr.sbin/arp arp.c arp_netlink.c

arp: fix adding proxy entries for P2P interfaces

The old rtsock implementation used in-kernel workaround to do so.
When route to specified destination address used P2P interface, the
kernel did the search with ifa_ifwithnet() for most suitable network
and then add proxy entry to this interface.

Use similar approach with netlink implementation. We already have
get_ether_addr() function that does almost the same thing as
ifa_ifwithnet(). Use it when we find that destination route uses
P2P interface and then try to guess suitable interface. This should
fix the use of netlink-based arp(8) in mpd5.

Rename get_ether_addr() to get_ifinfo(), since now it is used to find
only ifindex in case when hwaddr is specified by user.
Also make set_nl() and delete_nl() prototype similar to rtsock.
And allow '-i' to be used with '-S', since we already allow the same
for '-s'.


    [5 lines not shown]
DeltaFile
+20-12usr.sbin/arp/arp.c
+16-4usr.sbin/arp/arp_netlink.c
+4-5usr.sbin/arp/arp.h
+40-213 files

HardenedBSD/src 86db3c7tools/test/stress2/misc unionfs20.sh

stress2: Added a regression test
DeltaFile
+206-0tools/test/stress2/misc/unionfs20.sh
+206-01 files

HardenedBSD/src c2fa94astand/i386/boot2 Makefile, stand/i386/gptboot Makefile

stand/i386: quiet gcc -Warray-bounds

GCC has started to warn about memory accesses under address 0x1000.
Tweak it to 0x400 for stand/i386 to avoid warnings for access to BIOS
data area memory and above but still retain most of the warning value.

Reviewed by:    dab, imp
Differential Revision:  https://reviews.freebsd.org/D53036
DeltaFile
+2-1stand/i386/boot2/Makefile
+2-1stand/i386/gptboot/Makefile
+2-1stand/i386/gptzfsboot/Makefile
+2-1stand/i386/isoboot/Makefile
+8-44 files

HardenedBSD/src 97388e7crypto/openssl BSDmakefile, crypto/openssl/freebsd dump_version_from_configdata.pl

OpenSSL: install .pc files from the exporters subdir

The .pc files generated in the root directory are used as part of the
build; they should never be installed. Use the versions from the
exporters subdirectory--which should be installed--as the .pc files
which are distributed with FreeBSD. This avoids the need for "fixing up"
these files after the fact (see `crypto/openssl/BSDmakefile` for more
details as part of this change).

Garbage collect `secure/lib/libcrypto/Makefile.version`, et al,
as they're orphaned files. They were technically unused prior to this
change as the vendor process properly embeds the version numbers in
various files, but this commit formalizes the removal.

This correction/clarification on the .pc files will be made in an
upcoming release of OpenSSL [1].

References:
1. https://github.com/openssl/openssl/issues/28803

    [4 lines not shown]
DeltaFile
+0-21crypto/openssl/freebsd/dump_version_from_configdata.pl
+0-20crypto/openssl/BSDmakefile
+3-9secure/lib/libcrypto/Makefile.inc
+0-2secure/lib/libcrypto/Makefile.version
+3-524 files

HardenedBSD/src d271d2ccrypto .gitignore, crypto/openssl configdata.pm libcrypto.pc

crypto/openssl: remove autogenerated files

These files contain build host paths and other configuration details
that can be regenerated via the standard vendor import process. Don't
clutter up the FreeBSD tree with these files.

Add the paths to .gitignore to prevent them from accidentally being
added in a future update.

MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D53044
DeltaFile
+0-36,871crypto/openssl/configdata.pm
+0-133crypto/openssl/util/wrap.pl
+78-0crypto/.gitignore
+0-13crypto/openssl/libcrypto.pc
+0-11crypto/openssl/libssl.pc
+0-9crypto/openssl/openssl.pc
+78-37,0376 files

HardenedBSD/src 3b64423etc/mtree BSD.tests.dist, secure/lib/libcrypto Makefile

openssl: add a simple smoke test for the legacy provider

This change adds a simple smoke test for the legacy provider to ensure
that the provider doesn't break in the future when performing updates.

This is not a functional or system test; the OpenSSL test suite does a
much better job at doing this than we can.

MFC after:              1 week
Differential Revision:  https://reviews.freebsd.org/D53045
DeltaFile
+40-0secure/lib/libcrypto/tests/libcrypto_test.sh
+5-0secure/lib/libcrypto/tests/Makefile
+3-0secure/lib/libcrypto/Makefile
+2-0etc/mtree/BSD.tests.dist
+50-04 files

HardenedBSD/src 3607b45release/scripts pkg-stage.sh, sys/conf NOTES

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
DeltaFile
+15-18sys/netinet/tcp_syncache.c
+1-1sys/conf/NOTES
+1-1release/scripts/pkg-stage.sh
+17-203 files

HardenedBSD/src 8d4f391release/scripts pkg-stage.sh, sys/conf NOTES

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+15-18sys/netinet/tcp_syncache.c
+1-1release/scripts/pkg-stage.sh
+1-1sys/conf/NOTES
+17-203 files

HardenedBSD/src dadc1cerelease/scripts pkg-stage.sh, usr.bin/sockstat main.c sockstat.1

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
DeltaFile
+11-5usr.bin/sockstat/main.c
+3-1usr.bin/sockstat/sockstat.1
+1-1release/scripts/pkg-stage.sh
+15-73 files

HardenedBSD/src f6923c0usr.bin/sockstat main.c sockstat.1

sockstat: improve handling of path state

Only suppress the path state column when producing traditional text
output. When generating html output, always include the column.
Please note that when generating json or xml output, optional fields
like the path state are only generated if they is applicable. This
has not been changed.
The changes in this patch were suggested by asomers.

Reviewed by:            asomers
Fixes:                  746eadecaa7d ("sockstat: show path state column only when useful")
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D53005

(cherry picked from commit 97e858f5b335ae8f98619f9cee8ab9a0501cd06d)
DeltaFile
+5-3usr.bin/sockstat/main.c
+3-2usr.bin/sockstat/sockstat.1
+8-52 files

HardenedBSD/src 9a0a114usr.bin/sockstat main.c sockstat.1

sockstat: show path state column only when useful

Showing the path state column is only useful, if there is at least one
SCTP endpoint shown, which is not in the state CLOSED or LISTEN.
Don't show it when it is not useful.

Reviewed by:            rrs
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D52986

(cherry picked from commit 746eadecaa7dc8913721cbaa9be4e603bd36ea49)
DeltaFile
+6-2usr.bin/sockstat/main.c
+2-1usr.bin/sockstat/sockstat.1
+8-32 files

HardenedBSD/src aafdbf8sys/netinet tcp_syncache.c

tcp: cleanup of syncache_expand()

* Consistently free the string after unlocking the sch, if possible.
* Remove the failure handling in case of sc != NULL, since this is
  not possible anymore.
* Remove the use of goto and instead return 0 in the three cases.
The only change in behavior is that in three out of the four cases,
where 0 is returned, *lsop is not set to NULL anymore. So the behavior
is now consistent and also documented in a comment. The current in
tree callers only look at *lsop, if and only if syncache_expand()
returns 1.

Reviewed by:            Peter Lei
MFC after:              3 days
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D52948
DeltaFile
+15-18sys/netinet/tcp_syncache.c
+15-181 files

HardenedBSD/src c1e7e8fsys/conf NOTES

Add FENESTRASX to LINT to avoid breakage
DeltaFile
+1-1sys/conf/NOTES
+1-11 files

HardenedBSD/src ecd943arelease/scripts pkg-stage.sh

pkg-stage: Correct /packages permissions

Include /packages in the METALOG used to create dvd1.iso.  Previously
we used an expression ^./packages/ (with a trailing /) which did not
match /packages itself, and then with no METALOG entry /packages on
dvd1.iso ended up with mode d---------.

PR:             290222
Reviewed by:    cperciva
MFC after:      1 minute
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 2db11dda840c4889aeb719761cdafa62730083a2)
DeltaFile
+1-1release/scripts/pkg-stage.sh
+1-11 files

HardenedBSD/src 2db11ddrelease/scripts pkg-stage.sh

pkg-stage: Correct /packages permissions

Include /packages in the METALOG used to create dvd1.iso.  Previously
we used an expression ^./packages/ (with a trailing /) which did not
match /packages itself, and then with no METALOG entry /packages on
dvd1.iso ended up with mode d---------.

PR:             290222
Reviewed by:    cperciva
MFC after:      1 minute
Sponsored by:   The FreeBSD Foundation
DeltaFile
+1-1release/scripts/pkg-stage.sh
+1-11 files

HardenedBSD/src 8505a1dsys/dev/hptmv entry.c, sys/dev/ixl ixl_pf_main.c if_ixl.c

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
DeltaFile
+94-16sys/dev/ixl/ixl_pf_main.c
+16-17sys/dev/hptmv/entry.c
+25-2sys/dev/ixl/if_ixl.c
+8-16sys/vm/vm_glue.c
+7-7sys/dev/ocs_fc/ocs_mgmt.c
+6-7sys/dev/tws/tws.c
+156-6530 files not shown
+224-12236 files

HardenedBSD/src c9747a5sys/dev/hptmv entry.c, sys/dev/ixl ixl_pf_main.c if_ixl.c

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+94-16sys/dev/ixl/ixl_pf_main.c
+16-17sys/dev/hptmv/entry.c
+25-2sys/dev/ixl/if_ixl.c
+8-16sys/vm/vm_glue.c
+7-7sys/dev/ocs_fc/ocs_mgmt.c
+6-7sys/dev/tws/tws.c
+156-6530 files not shown
+224-12236 files

HardenedBSD/src db59989tools/tools/nanobsd/rescue/Files/root ZFS_Create.txt, tools/tools/netrate/tcpp README

Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master
DeltaFile
+4-4tools/tools/nanobsd/rescue/Files/root/ZFS_Create.txt
+1-1tools/tools/netrate/tcpp/README
+1-1tools/tools/sysdoc/tunables.mdoc
+6-63 files

HardenedBSD/src 3ccf96c. Makefile.inc1, sbin/ping/tests Makefile

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
DeltaFile
+8-7Makefile.inc1
+4-4tools/tools/nanobsd/rescue/Files/root/ZFS_Create.txt
+2-1sbin/ping/tests/Makefile
+1-1tools/tools/netrate/tcpp/README
+1-1tools/tools/sysdoc/tunables.mdoc
+16-145 files

HardenedBSD/src 3b9b644sys/vm vm_glue.c

vm: Fix iterator usage in vm_thread_stack_create()

After commit 7a79d0669761 we no longer hold the VM object lock when
initializing or advancing the domainset iterator in
vm_thread_stack_create().

We could lift the lock out of vm_thread_stack_back() but that poses
complications since we cannot allocate KVA with a VM object lock held.

Instead of overridding the object's iterator, just borrow that of the
current thread.  Kernel stacks are basically always allocated with a
DOMAINSET_POLICY_PREFER policy, so it's not very important to maintain a
global iterator for round-robin allocation.

As a part of this, fix up flag handling: make sure we handle
M_NOWAIT/M_WAITOK from the caller.  Delete a comment in vm_thread_new()
which refers to a non-existent consideration (stack swapping has been
removed).  I suspect vm_thread_new() can use M_WAITOK but opted not to
make that change here.

    [6 lines not shown]
DeltaFile
+8-16sys/vm/vm_glue.c
+8-161 files

HardenedBSD/src 0050289sys/crypto/chacha20 chacha.c, sys/dev/hptmv entry.c gui_lib.c

style(9): white space after ; and around binary operators

in for() loops.  Also, use 'while', where only the
conditional test of 'for' was used.

Reviewed by: sjg
DeltaFile
+16-17sys/dev/hptmv/entry.c
+7-7sys/dev/ocs_fc/ocs_mgmt.c
+6-7sys/dev/tws/tws.c
+5-7sys/dev/hptmv/gui_lib.c
+6-6sys/dev/sym/sym_hipd.c
+3-3sys/crypto/chacha20/chacha.c
+43-4724 files not shown
+82-8630 files