floating point state leakage can be observed on AMD Zen/Zen+ (Zen 1)
This was discovered by the Rootsec research group at the CISPA Helmholtz
Center for Information Security. Rootsec named the problem
Floating Point Divider State Sampling (FP-DSS).
Do AMD's suggested mitigation, setting a chicken bit in an MSR.
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.htmlhttps://roots.ec/blog/fpdss/
ok deraadt@ brynet@
Prevent buffer overflow by checking the correct counter.
An attacker on the same layer 2 network can send rogue router
advertisements, potentially crashing slaacd.
from Maurice Hieronymus (mhi AT mailbox.org), thanks!
from florian@; OK deraadt
this is errata/7.7/039_slaacd.patch.sig
Prevent buffer overflow by checking the correct counter.
An attacker on the same layer 2 network can send rogue router
advertisements, potentially crashing slaacd.
from Maurice Hieronymus (mhi AT mailbox.org), thanks!
from florian@; OK deraadt
this is errata/7.8/033_slaacd.patch.sig
The parking mutex uses data structures on the stack and expects CPUs to be
able to modify that data for other CPUs. Unfortunately on some sparc64
systems (sun4u systems that don't use Fujitsu SPARC64 CPUs) use a trick
where the interrupt stack is mapped using a fixed alias on each CPU. This
means a CPU can only access its own interrupt stack. Fix this by using
the "real" address of the interrupt stack. We still need the fixed alias
though to find our own "struct cpu_info" on these systems. So on
MULTIPROCESSOR kernel we need to use another locked TLB entry.
tested by bluhm@, claudio@, tb@, jca@, dlg@
ok dlg@, jca@
Copy SpacemiT K1 device trees onto the miniroot. With this, installs
should just work on the supported boards. Make sure you install with a
network connection such that fw_update can put the device trees into
your new install as well. Document that "make release" now needs the
riscv64-spacemit-dtb firmware installed.
ok deraadt@, jca@
Don't let malicious or confused scsi tape devices cause reading or writing
outside a mode sense/select buffer.
Original diff from Stanislav Fort of aisle.com with additional paranoia for
negative values.
Tweaks and ok from kettenis@
Revert last commit, rev. 1.446.
The change introduced a regression where sockets get stuck in FIN_WAIT_2
and LAST_ACK.
Noticed by anton@ since regress/sys/net/pflow fails.
Fix vmd(8) vionet reset race leading to broken networking.
A driver reset races with the device asynchronously notifying tx
and rx threads. The current design finishes the reset after the
threads pause and acknowledge the reset. This can clobber device
state because a driver doesn't need to wait before reconfiguring
the device. End result is device thinks it's in a blank slate while
driver thinks device is configured and device refuses to pass packets
thinking the driver isn't ready.
This removes that async reset design and ack message from the
threads. Reset occurs immediately while emulating the write to the
register. A generation counter is used to signal to tx and rx
threads that a reset occurred between they time they finished
processing virtqueues and the time they grabbed the write lock to
change interrupt state on the device so they can safely skip
raising irq lines.
Original bug reports by mbuhl@ and stsp@.
[4 lines not shown]
Attempt to load the right device tree from the riscv64-specmit-dtb
firmware package on SpacemiT K1 boards. The only viable way to do this
seems to be basing this on the "model" property of the root node of
the device tree provided by the device. This is still a bit of a guess
since the Milk-V Jupiter advertises itself as "spacemit k1-x evb board"
and the Banana Pi BPI-F3 seems to say it is a "spacemit k1-x deb1 board".
ok jca@
If you use the floppy, fw_update for some drivers will not work, you will
have to figure out the names of the missing firmwares and request them
manually.
The pci strings in the kernel have become too large, and I'm being told I
may not shorten them.
If you use the floppy, fw_update for some drivers will not work, you will
have to figure out the names of the missing firmwares and request them
manually.
The pci strings in the kernel have become too large, and I'm being told I
may not shorten them.
route_output() can not use the info struct late in its function
since the rtm struct that populated it was freed around the
rtm_report() call. In that case access to info.rti_info[RTAX_DST]
is a use-after-free. Cache the address family before handling the
route message so that the route_input call can use this value instead.
Report from Bruce Dang of Calif.io
OK deraadt@
Refine unveil(2) usage.
* Process man.conf(5) early before unveil(2) because it needs realpath(3).
* Rather than unveiling the whole file system for reading and execution,
only reveal the manpaths actually needed for reading, and /usr/share/locale/
if needed, and only reveal the pager binary for execution.
* Only reveal the whole file system for reading if input file names
are listed individually on the command line.
* Rather than unveiling /tmp unconditionally, only do so when it is
actually needed for the pager.
* When -O outfilename or -O tagfilename is specified, rather than
unveiling the current working directory for writing, only unveil
the specific filenames needed.
Using some feedback from deraadt@, in particular reducing the number
of vnodes that are held, and avoiding use of the "unveil" pledge(2).
Prepare for refining unveil(2) usage by providing a function manpath_unveil()
that makes the manpath directories accessible. Soon to be used by man(1),
spropos(1), and makewhatis(8).
Delete the pointless logic that remembers the original working directory.
It was never needed because manpath_add() in manpath.c has always been
using realpath(3) since the very beginning in 2011, so struct manpaths
only ever contains absolute paths.
The only exception is man.cgi(8), but that chdir(2)s to the right
directory beforehand and only ever uses one single manpath, ".".
This simplifies the code with no functional change.
Some mapchar emulops require a question mark character, so don't permit
loading if that is missing (bounded by firstchar and numchars).
An AI triage report made a hastly conclusion there were bigger problems
here but Miod figures it is just this ? problem.
diff from miod
report from Bruce Dang of Calif.io
vio: recover from missed RX interrupts
It seems at least on Oracle Cloud (arm64, KVM) and on vmd, sometimes rx
interrupts get lost. As a workaround, check the virtqueues in vio_rxtick(),
which allows to recover from this situation.
Diff from renaud@
tested by mbuhl@
ok stsp@
The struct kfino_vmentry copied to userland is 80, and (depending
on architecture?) has 7 bytes of padding at the end, which is
uninitialized. Use M_ZERO.
from tgs
