Size is the number of wide characters, not the number of bytes.
The correct amount of memory was allocated but the stored size did
not match the allocation due to being multiplied by sizeof(wchar_t).
Spotted by Frank Denis using the Swival Security Scanner
OK deraadt@
When I added UF_PLEDGEOPEN in the sys_fchflags() chunk I mistakenly
used the wrong vnode operation.
spotted by Frank Denis using the Swival Security Scanner
ok claudio
Frank Denis using the Swival Security Scanner concludes that
kill(0,sig) should not be allowed because of a source code comment.
Actually, kill of the default pgid 0 MUST be allowed or large amounts
of userland software won't work. What pledge prevents is playing with
other process groups (i.e. -pid where pid is not 0) which requires
permission from the "proc" pledge. Killing the default pgrp 0 is a
common way for privsep (and other) software to tear down its
process trees, for cases where a pipe read of 0 doesn't work.
The current behaviour is intentional, and the proposed diff was not
considered nor tested for consequences.
Change the comment very subtly to see which AI/human collaboration fails next.
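The distinction the commit message draws, as an added example that is not OpenBSD's code and not part of this commit: kill(0, sig) signals the caller's own process group and is the teardown idiom described above, while kill(-pgid, sig) with a foreign pgid is the case pledge gates behind "proc". The example assumes a POSIX system; the pledge() calls are compiled only on OpenBSD so it runs elsewhere too, and the parent in the second function is deliberately left unpledged for the same reason.

```c
/*
 * Added example (not OpenBSD's code): process-group teardown with
 * kill(0, sig) versus signalling another group with kill(-pgid, sig).
 */
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define PLEDGE(p) do { if (pledge((p), NULL) == -1) _exit(99); } while (0)
#else
#define PLEDGE(p) do { } while (0)   /* assumption: no pledge() elsewhere */
#endif

/*
 * A privsep-like tree: a group leader forks nworkers children, then tears
 * the whole tree (itself included) down with kill(0, SIGTERM) while
 * pledged to nothing more than "stdio".  Returns the signal that ended
 * the leader, or -1 on failure.
 */
int
teardown_own_group(int nworkers)
{
	pid_t leader;
	int status;

	if ((leader = fork()) == -1)
		return -1;
	if (leader == 0) {
		/* Fresh process group so kill(0, ...) never reaches the parent. */
		if (setpgid(0, 0) == -1)
			_exit(98);
		for (int i = 0; i < nworkers; i++) {
			pid_t w = fork();
			if (w == -1)
				_exit(97);
			if (w == 0) {
				PLEDGE("stdio");
				pause();            /* worker waits for the signal */
				_exit(0);
			}
		}
		PLEDGE("stdio");
		kill(0, SIGTERM);   /* pgid 0 == my own group: allowed under "stdio" */
		_exit(96);          /* not reached unless SIGTERM is ignored */
	}
	if (waitpid(leader, &status, 0) == -1)
		return -1;
	return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
}

/*
 * Signal a *different* process group: the child is put in its own group
 * and the parent kills that group with a negative pgid.  On OpenBSD this
 * call from a "stdio"-only process would be a pledge violation; it needs
 * "proc".  Returns the signal that ended the child, or -1 on failure.
 */
int
teardown_other_group(void)
{
	pid_t child;
	int status;

	if ((child = fork()) == -1)
		return -1;
	if (child == 0) {
		if (setpgid(0, 0) == -1)
			_exit(98);
		pause();
		_exit(0);
	}
	/* Both sides call setpgid() so the group exists before the kill. */
	setpgid(child, child);
	if (kill(-child, SIGTERM) == -1)   /* -pgid, pgid != 0: "proc" territory */
		return -1;
	if (waitpid(child, &status, 0) == -1)
		return -1;
	return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
}
```

The leader in teardown_own_group never returns from kill(0, SIGTERM): it is a member of the group it signals, which is exactly why the idiom works as a one-call teardown for a process that has already dropped "proc".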
Use the correct struct itimerval when recording the old value for ktrace.
This fixes a potential information leak from an uninitialized stack
variable.
Found by Frank Denis using the Swival Security Scanner.
ok deraadt@
Discard queued data and clear offsets when turning pane off to prevent
later read of data that has been removed. From Aaron Campbell in GitHub
issue 5054.
In eigrp the TLV encoding includes the header length in the length encoding.
So check that the minimal length is at least that of the TLV header.
OK renato@
Unlike all other TLV encodings in ldp the sub-tlv includes the header size
in its length. Therefore check that the size is at least that of the header.
OK renato@
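The check both of the commits above add, as an added example that is not eigrpd's or ldpd's code: a generic walker over TLVs whose 16-bit length field counts the 4-byte header as well as the value. The TLV layout (big-endian type and length, header included in the length) is assumed for illustration; the point is that len must be compared against the header size before the value length is derived from it, otherwise a length of 0..3 underflows the value size, and a length of 0 leaves the cursor in place forever.

```c
/*
 * Added example (not the eigrpd/ldpd code): parse TLVs whose length
 * field includes the TLV header, rejecting lengths shorter than it.
 */
#include <stddef.h>
#include <stdint.h>

#define TLV_HDR_LEN 4   /* uint16_t type, uint16_t length, network byte order */

struct tlv {
	uint16_t type;
	uint16_t len;           /* length as carried on the wire, header included */
	const uint8_t *value;
	size_t valuelen;        /* len - TLV_HDR_LEN, only valid once checked */
};

static uint16_t
get16(const uint8_t *p)
{
	return (uint16_t)(p[0] << 8 | p[1]);
}

/*
 * Parse one TLV at buf[0..buflen).  Returns the number of bytes consumed,
 * or 0 if the TLV is malformed: truncated header, length smaller than the
 * header, or length running past the buffer.
 */
size_t
tlv_parse(const uint8_t *buf, size_t buflen, struct tlv *out)
{
	uint16_t type, len;

	if (buflen < TLV_HDR_LEN)
		return 0;              /* header itself is truncated */
	type = get16(buf);
	len = get16(buf + 2);
	if (len < TLV_HDR_LEN)
		return 0;              /* would underflow len - TLV_HDR_LEN */
	if (len > buflen)
		return 0;              /* value runs past the packet */
	out->type = type;
	out->len = len;
	out->value = buf + TLV_HDR_LEN;
	out->valuelen = len - TLV_HDR_LEN;
	return len;
}

/* Count well-formed TLVs in a packet; -1 if any TLV is malformed. */
int
tlv_count(const uint8_t *buf, size_t buflen)
{
	struct tlv t;
	size_t off = 0, n;
	int count = 0;

	while (off < buflen) {
		n = tlv_parse(buf + off, buflen - off, &t);
		if (n == 0)
			return -1;
		off += n;          /* n >= TLV_HDR_LEN, so this always advances */
		count++;
	}
	return count;
}

/* Constructed test packets (not captured traffic). */
static const uint8_t good_pkt[] = {
	0x00, 0x01, 0x00, 0x06, 0xaa, 0xbb,   /* type 1, len 6: 2-byte value */
	0x00, 0x02, 0x00, 0x04,               /* type 2, len 4: empty value */
};
static const uint8_t short_len_pkt[] = {
	0x00, 0x01, 0x00, 0x02, 0xaa, 0xbb,   /* len 2 < header: reject */
};
static const uint8_t zero_len_pkt[] = {
	0x00, 0x01, 0x00, 0x00, 0xaa, 0xbb,   /* len 0: would loop forever */
};
static const uint8_t overlong_pkt[] = {
	0x00, 0x01, 0x00, 0x10, 0xaa, 0xbb,   /* len 16 > 6 bytes present */
};
```

Without the `len < TLV_HDR_LEN` test, `short_len_pkt` would yield a valuelen of (size_t)-2 and `zero_len_pkt` would never advance `off`; both are the classes of bug the two commits close.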
rpki-client: convert ip.c and mft.c to ASN1_BIT_STRING_get_length()
This isn't the greatest of APIs, but we're going to be stuck with it
since better APIs depend on libcrypto not doing the implicit truncation
nonsense, which only OpenSSL 4 and BoringSSL dropped by now.
Some of the error checks now become unreachable. This will be cleaned
up another time.
ok claudio job
rpki-client: convert ccr.c to ASN1_BIT_STRING_set1()
This becomes slightly simpler and more correct with this change.
In particular, this now makes sure that the unused bits are set
to 0 as required by the DER.
ok claudio job
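The DER rule the ccr.c change enforces, as an added example that is neither rpki-client's nor libcrypto's code and makes no claim about what ASN1_BIT_STRING_set1() or ASN1_BIT_STRING_get_length() do internally: a BIT STRING is encoded as tag 0x03, a length, one byte giving the number of unused bits in the final content octet, then the bit data, and DER requires those unused bits to be zero. The encoder below clears them on the way out; the decoder rejects encodings that leave them set, because accepting them means the same value has more than one valid encoding. Only short-form (< 128 byte) lengths are handled, an assumption made to keep the example small.

```c
/*
 * Added example (not rpki-client/libcrypto code): DER BIT STRING encode and
 * decode with the "unused bits must be zero" rule enforced both ways.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Encode nbits bits, taken MSB-first from bits[], as a DER BIT STRING into
 * out (capacity outlen).  Returns the encoded size, or 0 on error.
 */
size_t
der_bitstring_encode(const uint8_t *bits, size_t nbits, uint8_t *out, size_t outlen)
{
	size_t nbytes = (nbits + 7) / 8;
	unsigned unused = (unsigned)((8 - nbits % 8) % 8);
	size_t total = 3 + nbytes;

	if (nbytes + 1 > 127 || outlen < total)
		return 0;
	out[0] = 0x03;                     /* BIT STRING tag */
	out[1] = (uint8_t)(nbytes + 1);    /* content length: unused byte + data */
	out[2] = (uint8_t)unused;
	memcpy(out + 3, bits, nbytes);
	/* Zero the unused trailing bits regardless of what the caller passed. */
	if (unused != 0)
		out[2 + nbytes] &= (uint8_t)(0xffu << unused);
	return total;
}

/*
 * Decode a DER BIT STRING.  Returns the number of bits and (if bits is not
 * NULL) a pointer to the data, or -1 if the encoding is not valid DER:
 * bad tag or length, unused > 7, unused bits declared on an empty string,
 * or unused bits that are not zero.
 */
long
der_bitstring_decode(const uint8_t *in, size_t inlen, const uint8_t **bits)
{
	size_t len;
	unsigned unused;

	if (inlen < 3 || in[0] != 0x03 || (in[1] & 0x80))
		return -1;
	len = in[1];
	if (len < 1 || inlen < 2 + len)
		return -1;
	unused = in[2];
	if (unused > 7)
		return -1;
	if (len == 1 && unused != 0)
		return -1;                     /* empty string cannot have unused bits */
	if (unused != 0 && (in[1 + len] & ((1u << unused) - 1)) != 0)
		return -1;                     /* DER: unused bits must be zero */
	if (bits != NULL)
		*bits = in + 3;
	return (long)((len - 1) * 8 - unused);
}

/* Constructed sample input: 12 bits, with junk in the 4 trailing bits. */
static const uint8_t sample_bits[] = { 0xA5, 0xFF };
static const size_t sample_nbits = 12;
/* Constructed encodings: one with the unused bits set, one empty string. */
static const uint8_t bad_der[] = { 0x03, 0x03, 0x04, 0xA5, 0xFF };
static const uint8_t empty_der[] = { 0x03, 0x01, 0x00 };

/* Encode the sample, verify the trailing bits were cleared, decode it back. */
long
sample_roundtrip(void)
{
	uint8_t out[8];
	size_t n = der_bitstring_encode(sample_bits, sample_nbits, out, sizeof(out));

	if (n != 5 || out[2] != 4 || out[3] != 0xA5 || out[4] != 0xF0)
		return -1;
	return der_bitstring_decode(out, n, NULL);
}
```

The same bytes `A5 FF` encode to `03 03 04 A5 F0`: the 0x0F the caller left in the last octet is gone, which is the "set unused bits to 0" behaviour the commit describes, and the decoder refuses `03 03 04 A5 FF` outright.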
Limit all forms of ASPATH attributes to 750 elements
Having super long ASPATH attributes can lead to various issues including
attribute length overflows. Especially the transformation of 2-byte ASPATH
attributes to 4-byte ones can trigger overflows. Because of this, limit the
number and therefore the maximum size of an ASPATH.
Our default config has a limit of 100 elements on paths. That limit is
already much larger than what is seen in the DFZ (max ~20). The limit of
750 is again much larger and is really just a safeguard.
OK tb@
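Why widening a path can overflow an attribute length, and how an element cap makes the output size provable, as an added example that is not bgpd's code: an AS_PATH body is a list of segments, each <type:1><count:1> followed by count ASNs, 2 bytes each in the old form and 4 bytes each in the 4-byte form. Widening adds 2 bytes per element, so a body that fit the 16-bit extended attribute length need not fit afterwards. The function below counts and validates the elements first, rejects paths above a cap (750 here, as in the commit), and only then converts, checking the computed size against both the output buffer and the wire length limit. The segment layout follows RFC 4271; the function and constant names are this example's own.

```c
/*
 * Added example (not bgpd's code): widen a 2-byte AS_PATH body to the
 * 4-byte form with an element cap and explicit size checks.
 */
#include <stddef.h>
#include <stdint.h>

#define ASPATH_MAX_ELEMS 750
#define ATTR_LEN_MAX     65535   /* largest extended-length path attribute */

/* Count ASNs in a 2-byte AS_PATH body; -1 if the segments are malformed. */
long
aspath2_count(const uint8_t *in, size_t inlen)
{
	size_t off = 0;
	long n = 0;

	while (off < inlen) {
		if (inlen - off < 2)
			return -1;             /* truncated segment header */
		size_t cnt = in[off + 1];
		if (cnt == 0)
			return -1;             /* zero-length segment is an error */
		off += 2;
		if (inlen - off < cnt * 2)
			return -1;             /* segment runs past the attribute */
		off += cnt * 2;
		n += (long)cnt;
	}
	return n;
}

/*
 * Widen in[] (2-byte ASNs) into out[] (4-byte ASNs).  Returns the output
 * length, or 0 if the input is malformed, carries more than maxelems ASNs,
 * or the result would not fit in out[] or in a 16-bit attribute length.
 */
size_t
aspath_2to4(const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen,
    size_t maxelems)
{
	long n = aspath2_count(in, inlen);
	size_t off = 0, o = 0, need;

	if (n < 0 || (size_t)n > maxelems)
		return 0;
	/* Output = segment headers (inlen - 2n) + 4n bytes of ASNs. */
	need = inlen + 2 * (size_t)n;
	if (need > outlen || need > ATTR_LEN_MAX)
		return 0;
	while (off < inlen) {
		uint8_t cnt = in[off + 1];
		out[o++] = in[off];        /* segment type */
		out[o++] = cnt;            /* segment length (in ASNs) is unchanged */
		off += 2;
		for (unsigned i = 0; i < cnt; i++) {
			out[o++] = 0;          /* upper 16 bits of a 2-byte ASN */
			out[o++] = 0;
			out[o++] = in[off++];
			out[o++] = in[off++];
		}
	}
	return o;
}

/* Constructed input: one AS_SEQUENCE (type 2) of ASNs 64496, 64497, 64498. */
static const uint8_t sample_path2[] = {
	0x02, 0x03, 0xfb, 0xf0, 0xfb, 0xf1, 0xfb, 0xf2,
};
```

With the cap in place the worst case is bounded by arithmetic on 750 rather than on whatever a peer sends: 750 four-byte ASNs plus segment headers is far below 65535, so the `need > ATTR_LEN_MAX` branch exists as a belt-and-braces check, not as the only thing standing between a long path and a truncated attribute.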
Prevent overflow of the uint8_t length value in attr_optadd.
bin_of_attrs() jumps from 240 to 256 elements but the length of the
other attributes array is limited to a uint8_t type and overflows.
Switch type of the local length value to int and make sure that the
maximum length of UCHAR_MAX is not exceeded.
OK tb@
Re-evaluate prefixes if just PREFIX_FLAG_FILTERED changed
With the introduction of 'rde rib Loc-RIB include filtered' it is possible
that prefixes change from filtered to unfiltered state during a filter
reload. In that case prefix_update() takes a shortcut path since no other
attributes change and that path is missing a call to prefix_evaluate().
Add the missing prefix_evaluate() call in this codepath so that prefixes
are correctly redistributed in that case.
OK tb@
openssl: centralize speed benchmark timer handling
The speed benchmark currently arms alarm() from print_message() and
pkey_print_message(), making the output helpers also control benchmark
lifetime. This hidden coupling makes the code harder to maintain and led to
missing alarm cleanup on Windows, as reported in #1245.
Move alarm setup and run-state initialization into speed-specific timer
helpers so benchmark timing is controlled explicitly at the start and stop
points.
ok tb joshua
Handle HCR_EL2.E2H RES1 behaviour
An implementation is allowed to make HCR_EL2.E2H RES1, which means
that the CPU behaves as if this bit was 1, even if it reads as 0
or can be written with 0.
While the architecture advertises this via ID_AA64MMFR4_EL1.E2H0,
hypervisors cannot always expose this to a guest if the hardware
doesn't implement FEAT_FGT.
Instead, detect the effects of HCR_EL2.E2H being RES1 by checking
for the aliasing property between accessors targeting the same
register (FAR_ELx in this case). This gives a reliable litmus test
for CPUs that are stuck in VHE mode.
From Marc Zyngier <maz at kernel.org>
When running in VHE host mode, HCR_EL2.TGE must be set, as otherwise
a bunch of problems occur:
- EL0 is guest EL0, not host, and the kernel will catch fire on the
first ERET to EL0
- EL1 TLB invalidations target the guest, and not the host
Make sure that HCR_EL2.TGE is set, instead of relying on firmware
to have set it (when booting with UEFI, only the first CPU is
correctly configured).
From Marc Zyngier <maz at kernel.org>