Do KN_DETACHED flag check before kn->kn_ptr.p_process dereference in
proc_filtops handlers. After filt_proc() sets KN_DETACHED flag, the
kn->kn_ptr.p_process is not valid anymore.
ok visa
Enable the GXTP7936 touchscreen on the Samsung Galaxy Book4 Edge,
for now by polling since interrupts still don't work.
ihidev:
On a "finger lift" poll event, pass up the empty packet to the sub-driver.
Previously the empty packet was dropped.
hidms:
If we receive the empty packet due to "finger lift", don't set the pointer
position to 0,0 to prevent snapping to the upper left corner of the screen.
ok kirill@
If pstat -d encountered an error doing kvm_read, it would report the error,
but still attempt to print the (uninitialized and unread) data.
This changes it to fail correctly.
acct(8) and quotactl(8) can see files beyond unveil. These are root-only
system calls, also obviously blocked by all pledge.
However there is a circumstance of root running with unveil but without pledge
(quite rare in the tree) and there are some gaps. These two fixes are a
stopgap because I think we should re-design how namei handles this.
From ivan at Quarkslab
ok dgl
A privileged guest can make the host-side `vioblk` backend read a descriptor
outside the configured virtqueue descriptor table and interpret the out-of-table
entry as a block request descriptor. In the confirmed run, the guest-controlled
out-of-table descriptor made `vmd(8)` read and log a guest-chosen block command
value, and the device entered `DEVICE_NEEDS_RESET`.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin
A privileged guest can notify one invalid virtio-block queue index and
terminate the host-side `vioblk` device process. In the confirmed run, this
also caused the VM event thread to exit unexpectedly.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin
Do not call `fatalx()` on malformed guest-provided descriptor lengths. Reject
the request and return without terminating the VM process.
from Quarkslab
from deraadt@; ok hshoexer, mlarkin
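The three vioblk fixes above share one idea: every index a guest hands the host-side backend (queue number, descriptor index, chain `next` pointer, segment length) is untrusted and must be range-checked against what the host configured, and a bad value should fail that one request (device reset) rather than `fatalx()` the VM process. The following is an added example of that validation, not vmd(8)'s code: the `struct vring_desc` layout is the virtio split-ring format, but the queue count, table size, `VIOBLK_MAX_SEG` bound, and every function and struct name here are assumptions for illustration.

```c
/*
 * Added example (not vmd(8)'s own code): bounds-check guest-controlled
 * virtqueue input before it is interpreted as a block request.
 * Queue count, table size, VIOBLK_MAX_SEG and all names are assumed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define VIOBLK_NQUEUES  1          /* assumed: a single request queue */
#define VQ_SIZE         8          /* assumed: descriptor table entries */
#define VIOBLK_MAX_SEG  (1u << 20) /* assumed: largest sane segment length */

/* Split-virtqueue descriptor as laid out in guest memory (virtio 1.x). */
struct vring_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};
#define VRING_DESC_F_NEXT 1

struct vq {
    struct vring_desc desc[VQ_SIZE];
    uint16_t qs;                   /* configured queue size */
};

struct vioblk_dev {
    struct vq vq[VIOBLK_NQUEUES];
    bool needs_reset;              /* stands in for DEVICE_NEEDS_RESET */
};

enum vq_status { VQ_OK = 0, VQ_BAD_QUEUE, VQ_BAD_INDEX, VQ_BAD_LEN, VQ_LOOP };

/* A notified queue index must name a queue the host actually configured. */
static enum vq_status
vioblk_check_queue(const struct vioblk_dev *dev, uint32_t idx)
{
    (void)dev;
    return idx < VIOBLK_NQUEUES ? VQ_OK : VQ_BAD_QUEUE;
}

/*
 * Walk a descriptor chain starting at head.  Every index is checked against
 * the table size before the table is read, zero or oversized lengths are
 * rejected instead of aborting, and the walk is capped at qs steps so a
 * guest-built cycle cannot spin the device process forever.
 */
static enum vq_status
vq_walk_chain(const struct vq *vq, uint16_t head, uint32_t *total_len)
{
    uint16_t idx = head;
    uint32_t seen = 0, total = 0;

    for (;;) {
        if (idx >= vq->qs)
            return VQ_BAD_INDEX;          /* would read outside the table */
        const struct vring_desc *d = &vq->desc[idx];
        if (d->len == 0 || d->len > VIOBLK_MAX_SEG)
            return VQ_BAD_LEN;            /* malformed length: reject, no fatalx() */
        if (total > UINT32_MAX - d->len)
            return VQ_BAD_LEN;            /* sum would wrap */
        total += d->len;
        if (++seen > vq->qs)
            return VQ_LOOP;               /* chain longer than the table: a cycle */
        if (!(d->flags & VRING_DESC_F_NEXT))
            break;
        idx = d->next;                    /* guest-controlled, checked next loop */
    }
    *total_len = total;
    return VQ_OK;
}

/* Guest notify: a bad request marks the device for reset and returns. */
static enum vq_status
vioblk_notify(struct vioblk_dev *dev, uint32_t queue, uint16_t head,
    uint32_t *total)
{
    enum vq_status st = vioblk_check_queue(dev, queue);
    if (st != VQ_OK)
        return st;
    st = vq_walk_chain(&dev->vq[queue], head, total);
    if (st != VQ_OK)
        dev->needs_reset = true;
    return st;
}

/* Constructed guest ring: one valid header/data/status chain at 0..2 and
 * three hostile entries (escape from table, zero length, self-loop). */
static void
vioblk_sample_dev(struct vioblk_dev *dev)
{
    memset(dev, 0, sizeof(*dev));
    struct vq *vq = &dev->vq[0];
    vq->qs = VQ_SIZE;
    vq->desc[0] = (struct vring_desc){ 0x1000, 16,  VRING_DESC_F_NEXT, 1 };
    vq->desc[1] = (struct vring_desc){ 0x2000, 512, VRING_DESC_F_NEXT, 2 };
    vq->desc[2] = (struct vring_desc){ 0x3000, 1,   0, 0 };
    vq->desc[3] = (struct vring_desc){ 0x4000, 16,  VRING_DESC_F_NEXT, 200 };
    vq->desc[4] = (struct vring_desc){ 0x5000, 0,   0, 0 };
    vq->desc[5] = (struct vring_desc){ 0x6000, 16,  VRING_DESC_F_NEXT, 5 };
}

int
main(void)
{
    struct vioblk_dev dev;
    uint32_t total = 0;
    vioblk_sample_dev(&dev);
    printf("queue 1: %d\n", vioblk_notify(&dev, 1, 0, &total));
    printf("head 0: %d total=%u\n", vioblk_notify(&dev, 0, 0, &total), total);
    printf("head 3: %d\n", vioblk_notify(&dev, 0, 3, &total));
    printf("head 4: %d\n", vioblk_notify(&dev, 0, 4, &total));
    printf("head 5: %d\n", vioblk_notify(&dev, 0, 5, &total));
    return 0;
}
```

The order of the checks in `vq_walk_chain` matters: the index comparison precedes the table read, and the length check precedes any use of `d->len`, so the host never touches guest-chosen data it has not validated.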
[26 lines not shown]
Validate encrypted queue buffer sizes before processing auth tag
and IV data: current callers already treat malformed input as a
decrypt failure but rejecting truncated buffers earlier makes
boundary conditions more explicit.
from gilles@; diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
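The boundary condition the commit above refers to is easiest to see in code: if the ciphertext length is computed as `len - IV - TAG` before `len` has been checked, a truncated buffer makes that `size_t` subtraction wrap to a huge value and the IV and tag pointers land past the end of the buffer. The following is an added example of rejecting truncated input up front, not smtpd's code; the framing assumed here (one version byte, then IV, ciphertext, GCM tag) and the IV/tag lengths are assumptions for illustration, and the actual smtpd queue format may differ. It only validates framing; decryption would happen afterwards on the returned fields.

```c
/*
 * Added example (not smtpd's own code): validate an encrypted blob's
 * framing before any IV or auth-tag bytes are read.  Layout and lengths
 * below are assumed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define ENC_VERSION 1
#define HDR_LEN     1    /* assumed: one version byte */
#define IV_LEN      12   /* assumed: GCM nonce length */
#define TAG_LEN     16   /* assumed: GCM tag length */

struct enc_parts {
    const uint8_t *iv;
    const uint8_t *ct;
    size_t         ctlen;
    const uint8_t *tag;
};

/*
 * Returns true only if every field fits inside [buf, buf+len).  The
 * minimum-length test runs first, so the subtraction computing ctlen can
 * never wrap; after it succeeds the three pointers are in bounds by
 * construction and the caller can hand them to the decrypt routine.
 */
static bool
enc_parse(const uint8_t *buf, size_t len, struct enc_parts *p)
{
    if (buf == NULL || p == NULL)
        return false;
    if (len < HDR_LEN + IV_LEN + TAG_LEN)
        return false;                 /* truncated: reject before touching IV/tag */
    if (buf[0] != ENC_VERSION)
        return false;
    p->iv    = buf + HDR_LEN;
    p->ctlen = len - HDR_LEN - IV_LEN - TAG_LEN;   /* safe: len >= 29 here */
    p->ct    = p->iv + IV_LEN;
    p->tag   = p->ct + p->ctlen;
    return true;
}

/* Unchecked variant shown for contrast: for len < 29 the result wraps to
 * near SIZE_MAX, which is why the length test must come first. */
static size_t
enc_ctlen_unchecked(size_t len)
{
    return len - HDR_LEN - IV_LEN - TAG_LEN;
}

/* Constructed sample: version, fixed 12-byte IV, 5-byte ciphertext,
 * 16-byte tag.  Returns the blob length, or 0 if cap is too small. */
static size_t
enc_sample_blob(uint8_t *out, size_t cap)
{
    static const uint8_t ct[5] = { 0xde, 0xad, 0xbe, 0xef, 0x01 };
    size_t n = HDR_LEN + IV_LEN + sizeof ct + TAG_LEN;

    if (cap < n)
        return 0;
    out[0] = ENC_VERSION;
    memset(out + HDR_LEN, 0xa5, IV_LEN);                   /* constructed nonce */
    memcpy(out + HDR_LEN + IV_LEN, ct, sizeof ct);
    memset(out + HDR_LEN + IV_LEN + sizeof ct, 0x5a, TAG_LEN); /* constructed tag */
    return n;
}
```

A 29-byte buffer (header, IV and tag with an empty ciphertext) is accepted by the framing check with `ctlen == 0`; whether an empty ciphertext is meaningful is then the decrypt routine's decision, which is the layering the commit describes.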
Ensure pending asynchronous lookups do not retain dangling smtp_session
references after teardown.
This is mainly a robustness fix inside the privsep model: stale
references may permit lateral effects between smtpd processes after
another compromise.
from gilles@; diff by Stuart Thomas <stuart.thomas at triageforge.co.uk>
Zero the temporary envelope parsing buffers before use.
While current parsing paths do not expose uninitialized data, keeping
stack residue in these transient buffers unnecessarily weakens
compartmentalization and may aid lateral movement inside the privsep
[24 lines not shown]