OpenBSD/src 7u9hKeM sys/kern exec_elf.c

   unzero'd padding bytes in struct reg and struct fpreg (both machine dependent)
   leak kernel stack contents.
   from Andrew Griffiths at Calif
Version   Delta     File
1.198     +3 -1     sys/kern/exec_elf.c
Total     +3 -1     1 file

OpenBSD/src RdVCBWz usr.sbin/vmd virtio.c

   A privileged guest can program an out-of-layout Virtio 1.x `queue_avail`
   address for the `vioscsi` device and then notify the queue. The host-side
   `vioscsi` device process dereferences a pointer derived from the unchecked
   offset and terminates with `SIGSEGV`.
   from Quarkslab
   ok hshoexer, mlarkin
Version   Delta     File
1.139     +22 -5    usr.sbin/vmd/virtio.c
Total     +22 -5    1 file

OpenBSD/src iDE4FFF usr.sbin/vmd vioscsi.c

   A privileged guest can notify an invalid virtio-scsi queue index. The
   host-side `vioscsi` device process uses the guest-controlled value as an array
   index without a bounds check, interprets adjacent process memory as virtqueue
   metadata, and terminates with `SIGSEGV`.
   from Quarkslab
   ok hshoexer, mlarkin
Version   Delta     File
1.30      +17 -2    usr.sbin/vmd/vioscsi.c
Total     +17 -2    1 file

OpenBSD/src Coz8abh usr.sbin/vmd virtio.c

   Do not call `fatalx()` on malformed guest-provided descriptor lengths. Reject
   the request and return without terminating the VM process.
   from Quarkslab
   ok hshoexer, mlarkin
Version   Delta     File
1.138     +5 -3     usr.sbin/vmd/virtio.c
Total     +5 -3     1 file

OpenBSD/src ZYxxLX3 usr.sbin/vmd vioblk.c

   A privileged guest can notify one invalid virtio-block queue index and
   terminate the host-side `vioblk` device process. In the confirmed run, this
   also caused the VM event thread to exit unexpectedly.
   from Quarkslab
   ok hshoexer, mlarkin
Version   Delta     File
1.30      +2 -2     usr.sbin/vmd/vioblk.c
Total     +2 -2     1 file

OpenBSD/src jzP1s6k usr.sbin/vmd vioblk.c

   A privileged guest can make the host-side `vioblk` backend read a descriptor
   outside the configured virtqueue descriptor table and interpret the out-of-table
   entry as a block request descriptor. In the confirmed run, the guest-controlled
   out-of-table descriptor made `vmd(8)` read and log a guest-chosen block command
   value, and the device entered `DEVICE_NEEDS_RESET`.
   from Quarkslab
   ok hshoexer, mlarkin
Version   Delta     File
1.29      +6 -1     usr.sbin/vmd/vioblk.c
Total     +6 -1     1 file

OpenBSD/src wq3KSuw sys/arch/i386/stand/biosboot Makefile, sys/arch/i386/stand/boot Makefile

   with llvm22, -Ttext also requires --image-base to be specified

   with robert@
Version   Delta     File
1.38      +2 -2     sys/arch/i386/stand/pxeboot/Makefile
1.22      +2 -2     sys/arch/i386/stand/mbr/Makefile
1.8       +2 -2     sys/arch/i386/stand/cdbr/Makefile
1.41      +2 -2     sys/arch/i386/stand/cdboot/Makefile
1.77      +2 -2     sys/arch/i386/stand/boot/Makefile
1.31      +2 -2     sys/arch/i386/stand/biosboot/Makefile
          +12 -12   6 files not shown
Total     +24 -24   12 files

OpenBSD/src XDSqv5n sys/dev/ic qwx.c

   add volatile casts to qwx for arm64, as mglocker@ did in qwz
Version   Delta     File
1.114     +7 -4     sys/dev/ic/qwx.c
Total     +7 -4     1 file

OpenBSD/src 4pyxS2f sys/dev/pci if_qwx_pci.c

   reset qwx command ring "queued" counter when the command ring gets reset

   Should fix bogus "command ring overflow" errors observed in my dmesg.
Version   Delta     File
1.34      +2 -1     sys/dev/pci/if_qwx_pci.c
Total     +2 -1     1 file

OpenBSD/src 4PD51vw sys/dev/ic qwx.c

   ensure that qwx nq flags are always cleared when switching net80211 state

   similar fix found in mglocker@ qwz diffs
Version   Delta     File
1.113     +9 -1     sys/dev/ic/qwx.c
Total     +9 -1     1 file

OpenBSD/src LhfEzI3 sys/dev/ic qwx.c

   fix number of tx/rx streams set in qwx mac config

   from kirill@ via qwz
Version   Delta     File
1.112     +3 -3     sys/dev/ic/qwx.c
Total     +3 -3     1 file

OpenBSD/src szIpe6P usr.sbin/bgpd rde_update.c

   Revert a small part of the earlier adjout_prefix_dump diff.

   In up_process_prefix() bring back the path_id_tx hack for regular peers.
   A peer not using add-path send will set the path_id_tx to 0 and so
   adjout_prefix_first() will return the right match.

   This was undone because there is a problem with this when a peer switches
   mode (from add-path send back to no add-path). adjout_prefix_first()
   returns a prefix where path_id_tx is not 0 but adjout_prefix_update()
   expects that to be 0. This edge case is far less common and a better
   workaround can be found here.

   Fixes the addpath integration test.
Version   Delta     File
1.198     +6 -3     usr.sbin/bgpd/rde_update.c
Total     +6 -3     1 file

OpenBSD/src 4CewE1E usr.sbin/bgpd mrt.c

   In mrt_dump_entry_mp() improve the length calculation handling and stop
   using an uint16_t len that could overflow because of MAX_EXT_PKTSIZE.

   OK tb@
Version   Delta     File
1.137     +5 -8     usr.sbin/bgpd/mrt.c
Total     +5 -8     1 file

OpenBSD/src RTT9sPe usr.sbin/bgpd rde_rib.c

   Previous commit introduced a logic bug.

   Code needs to call ib_dump_free() for every context where
   id matches ctx->ctx_id and ctx->ctx_re is set (this skips
   adjout_prefix_dump contexts since there ctx_re is NULL).

   OK tb@
Version   Delta     File
1.300     +3 -4     usr.sbin/bgpd/rde_rib.c
Total     +3 -4     1 file

OpenBSD/src O4Yh2Om etc/etc.loongson login.conf, etc/etc.octeon login.conf

   Bump limit for the build user to 2560M for loongson and octeon

   from visa
Version   Delta     File
1.23      +3 -3     etc/etc.loongson/login.conf
1.20      +3 -3     etc/etc.octeon/login.conf
Total     +6 -6     2 files

OpenBSD/src rngyc3O usr.bin/tmux cmd-swap-pane.c

   Swap panes on z-index list as well.
Version   Delta     File
1.47      +11 -1    usr.bin/tmux/cmd-swap-pane.c
Total     +11 -1    1 file

OpenBSD/src 3IwNNO0 sbin/ifconfig ifconfig.8

   sbin/ifconfig: document new nwflag uapsd

   OK: phessler@, stsp@
Version   Delta     File
1.414     +10 -2    sbin/ifconfig/ifconfig.8
Total     +10 -2    1 file

OpenBSD/src F3vEL5T sys/dev/pci if_iwx.c if_iwxreg.h

   sys/iwx: enable uAPSD when supported by AP

   OK: phessler@, stsp@
Version   Delta     File
1.229     +127 -1   sys/dev/pci/if_iwx.c
1.75      +5 -1     sys/dev/pci/if_iwxreg.h
Total     +132 -2   2 files

OpenBSD/src XayPATd sys/net80211 ieee80211_input.c ieee80211_output.c

   sys/ieee80211: add support of uAPSD

   OK: phessler@, stsp@
Version   Delta     File
1.263     +50 -3    sys/net80211/ieee80211_input.c
1.148     +24 -9    sys/net80211/ieee80211_output.c
1.67      +16 -1    sys/net80211/ieee80211.h
1.113     +8 -3     sys/net80211/ieee80211_proto.c
1.46      +6 -3     sys/net80211/ieee80211_ioctl.h
1.102     +4 -1     sys/net80211/ieee80211_node.h
          +108 -20  1 file not shown
Total     +111 -21  7 files

OpenBSD/src AyH6W8x usr.bin/tmux server-client.c

   Do not try to use last pane if there isn't one.
Version   Delta     File
1.460     +3 -2     usr.bin/tmux/server-client.c
Total     +3 -2     1 file

OpenBSD/src XxtpN71 usr.bin/tmux key-bindings.c

   Hide menu options that do not work for floating panes.
Version   Delta     File
1.170     +5 -5     usr.bin/tmux/key-bindings.c
Total     +5 -5     1 file

OpenBSD/src YBh5kkp sbin/iked pfkey.c, sbin/isakmpd pf_key_v2.c

   Avoid infinite loop when parsing PFKEY replies

   In bgpd, iked, isakmpd, ldpd and sasyncd we have similar code to
   parse PFKEY replies from the kernel.  To avoid an infinite loop on
   malformed replies validate the SADB extension size.

   For consistency with the other daemons rewrite the parsing loop of
   iked.

   sasyncd already validates the extension size, so no change needed.

   ok claudio@ tb@ tobhe@
Version   Delta     File
1.86      +8 -6     sbin/iked/pfkey.c
1.206     +5 -2     sbin/isakmpd/pf_key_v2.c
1.74      +3 -1     usr.sbin/bgpd/pfkey.c
1.14      +3 -1     usr.sbin/ldpd/pfkey.c
Total     +19 -10   4 files

OpenBSD/src 39mz3RH usr.sbin/bgpd rde_adjout.c rde.c

   Adjust the adjout_prefix_dump walker to operate using the adjout_bid
   and stop using peer_get() in the walker.

   This fixes the peer_reaper walker which before this was not working
   at all. The peer reaper removed the peer from the RB tree before walking
   the table and so peer_get() would return NULL and abort the walk immediately.

   Adjust the adjout_prefix_dump context to use the adjout_bid and stop using
   peer->conf.id and peer_get.

   To make this work the following changes are needed:
   - For the callback drop the struct rde_peer argument instead add a uint32_t
     bid argument.
   - adjout_prefix_first() also needs to switch to using the adjout bitmask id
     instead of using the peer directly.
   - also change adjout_prefix_next() just to be in sync with
     adjout_prefix_first()
   - In most callbacks use the arg pointer to pass in the peer
   - Adjust rde_dump_ctx_new() and rde_dump_adjout_upcall(). The latter now

    [8 lines not shown]
Version   Delta     File
1.20      +15 -29   usr.sbin/bgpd/rde_adjout.c
1.705     +27 -14   usr.sbin/bgpd/rde.c
1.352     +10 -11   usr.sbin/bgpd/rde.h
1.197     +8 -10    usr.sbin/bgpd/rde_update.c
1.75      +9 -5     usr.sbin/bgpd/rde_peer.c
Total     +69 -69   5 files

OpenBSD/src l7fqm4W usr.sbin/bgpd rde_rib.c

   Ensure rib_dump_abort() only triggers for rib dumps and not for
   adjout prefix dumps by accident.

   OK tb@
Version   Delta     File
1.299     +2 -2     usr.sbin/bgpd/rde_rib.c
Total     +2 -2     1 file

OpenBSD/src tbmQHTZ usr.sbin/bgpd parse.y bgpd.conf.5

   The extended nexthop capability only works with 'fib-update no';
   enforce this in the parser.

   Right now there is no FIB support for IPv6 nexthops for IPv4 routes.
   Both the bgpd kroute.c code and the OpenBSD network stack are not ready
   for this. This feature is currently only used to allow some IXP to play
   with RFC8950 so no FIB support is fine for that use case.
   Protect other people from tripping over this thinking there is full support.

   Issue brought up by a report from 7Asecurity
   OK tb@
Version   Delta     File
1.502     +14 -1    usr.sbin/bgpd/parse.y
1.254     +4 -2     usr.sbin/bgpd/bgpd.conf.5
Total     +18 -3    2 files

OpenBSD/src CLgS2ji usr.bin/tmux tty.c

   Use the correct ranges when a pane is covered by a popup in tty_draw_pane.
Version   Delta     File
1.466     +39 -29   usr.bin/tmux/tty.c
Total     +39 -29   1 file

OpenBSD/src Zokot5X usr.bin/tmux screen-write.c

   Obscured check should not be true if pane is same size as window.
Version   Delta     File
1.256     +3 -3     usr.bin/tmux/screen-write.c
Total     +3 -3     1 file

OpenBSD/src VK5ou9K usr.bin/tmux screen-write.c tmux.h

   Check visible ranges for collected cell output.
Version   Delta     File
1.255     +121 -48  usr.bin/tmux/screen-write.c
1.1328    +3 -4     usr.bin/tmux/tmux.h
Total     +124 -52  2 files

OpenBSD/src lJEo30t usr.bin/ul ul.c

   Fix signed integer overflow in column position tracking

   OK millert@
Version   Delta     File
1.24      +5 -4     usr.bin/ul/ul.c
Total     +5 -4     1 file

OpenBSD/src EUnWEbx sys/net pf_norm.c

   pf(4) currently ignores fragment direction (in vs. out)
   in pf_frnode_compare() function.

   Issue noticed and reported by Frank Denis

   OK @bluhm
Version   Delta     File
1.238     +3 -1     sys/net/pf_norm.c
Total     +3 -1     1 file