Fix crashing with scalable TypeSizes
From 537f3d3a7588d226b86590f97c4401107585e1ce Mon Sep 17 00:00:00 2001
From: Jakob Koschel <jakobkoschel at google.com>
Date: Thu, 5 Mar 2026 01:11:44 +0100
Subject: [PATCH] [SafeStack] Fix crashing with scalable TypeSizes (#180547)
On e.g. aarch64 the TypeSize of scalar types can have a size that is not
known at compile time.
Currently when safestack encounters those it simply crashes as described in
https://github.com/llvm/llvm-project/issues/175868.

Provide a separate executable file for syslogd parent.
syslogd(8) forks and execs its parent process to keep privileged
parts separated. This parent process can be easily implemented as
a separate program. It gets its own main() and minimal debug logging
functions. The split parent process image is smaller, especially
without additional libs.
Use additional directories to build both parts. The rcctl script
has to be adapted, as the parent process has a different name.
OK deraadt@

Implement mwx_mac_tx_free() for MT7921 and add some extra bits to
mwx_txwi_put(). With this MT7921 is able to connect to an open WIFI.
This commit was done over mwx(4) with a MT7921

isakmpd(8): Fix NULL dereference in message_alloc_reply() callers
message_alloc_reply() dereferences the returned pointer of
message_alloc() without a NULL check. Add one so callers can handle
the failure.
Also add NULL checks at both call sites in exchange.c.
test & ok sthen

isakmpd(8): Fix possible unaligned 32 bit read
When validating IPsec SPIs in a DELETE message, access to the
32 bit SPI value might be unaligned. On platforms requiring strict
alignment, this would cause termination of isakmpd by signal.
To avoid this, memcpy(3) the SPI value to a local variable.
test & ok sthen

isakmpd(8): Validate DELETE payload SPI array size [2/2]
Similar to message_validate_delete() also validate in
ipsec_handle_leftover_payload() that the provided number of SPIs
actually fit in the payload. This is redundant as we already would
bail out in message_validate_delete().
test & ok sthen

isakmpd(8): Validate DELETE payload SPI array size [1/2]
The number of SPIs provided in a DELETE message is not properly
validated. This might cause a read beyond the message end. However,
the outside read is limited to 4 bytes for IPsec SAs and 16 bytes
for ISAKMP SAs. A crash is possible, but seems unlikely to me.
test & ok sthen
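
The two DELETE payload fixes above (bounding the SPI array by the payload length, and copying SPIs out with memcpy(3) instead of an unaligned 32 bit load), as an added example that is not isakmpd's code. The function names are hypothetical, the field offsets follow RFC 2408 section 3.15, and the sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ISAKMP DELETE payload (RFC 2408, 3.15): 12-byte fixed header, then SPIs. */
#define DELETE_HDR_LEN  12
#define OFF_PAYLOAD_LEN 2   /* 16 bit, network byte order */
#define OFF_SPI_SIZE    9   /* 8 bit */
#define OFF_NSPIS       10  /* 16 bit, network byte order */

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Hypothetical helper: SPI count if the array fits the payload, else -1. */
int delete_spi_count(const uint8_t *buf, size_t buflen)
{
    size_t paylen, spi_size, nspis;

    if (buflen < DELETE_HDR_LEN)
        return -1;
    paylen = get_be16(buf + OFF_PAYLOAD_LEN);
    spi_size = buf[OFF_SPI_SIZE];
    nspis = get_be16(buf + OFF_NSPIS);
    if (paylen < DELETE_HDR_LEN || paylen > buflen)
        return -1;
    /* At most 255 * 65535, so the product cannot overflow size_t. */
    if (spi_size * nspis > paylen - DELETE_HDR_LEN)
        return -1;
    return (int)nspis;
}

/* Hypothetical helper: memcpy(3) the idx-th 4-byte SPI; buf may be unaligned. */
int delete_get_spi32(const uint8_t *buf, size_t buflen, size_t idx, uint32_t *spi)
{
    int n = delete_spi_count(buf, buflen);
    if (n < 0 || idx >= (size_t)n || buf[OFF_SPI_SIZE] != sizeof(*spi))
        return -1;
    memcpy(spi, buf + DELETE_HDR_LEN + idx * sizeof(*spi), sizeof(*spi));
    return 0;   /* *spi is left in network byte order */
}

int main(void)
{
    /* Constructed payload: claims 3 SPIs of 4 bytes but carries only 2. */
    uint8_t p[20] = {0,0,0,20, 0,0,0,1, 3,4,0,3, 1,2,3,4, 5,6,7,8};
    printf("count=%d\n", delete_spi_count(p, sizeof(p)));
    return 0;
}
```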

isakmpd(8): Validate proposal and transform sizes
Check
- that a proposal payload fits within the outer SA payload,
- that the provided SPI and the following transform header fit within
the proposal, and
- transforms fit within the outer proposal payload.
It's already ensured that we never read outside the message. However,
within the message the mentioned payloads might be misinterpreted due
to malformed size values.
test & ok sthen

in inteldrm_burner_cb() call fb_blank() instead of drm_fb_helper_blank()
this indirectly calls intel_fbdev_blank(), which does
drm_fb_helper_blank() followed by intel_fbdev_invalidate()
avoids on screen garbage when wscons screen blanking is enabled on
mvs' Alder Lake and Gemini Lake machines.

Replace refresh-from-pane in copy mode with a way to automatically
update as pane content changes. This is toggled by pressing r. GitHub
issue 5165 from Barrett Ruth.

While grouped sessions are being killed, it can leave sessions which are
not really useful as targets (no active pane or current window) in the
tree. Make cmd_find_best_session skip these. GitHub issue 5167.

Implement mwx_mac_init for 7921 and 7925.
Almost all is the same in mwx_mac_init(); only the DCR0 and DCR1 registers
live in different locations on 7925.
Also make mwx_mac_wtbl_update() work on both chips. MT7925 uses a
different register and register layout for MT_WTBL_UPDATE.

Use temporary buffer to copyout login name within sys_getlogin_r().
Load the session pointer to the `s' variable after new login name
was copied from the userland within sys_setlogin().
ok deraadt claudio