OpenBSD/src Ryxtfe7sys/netinet6 frag6.c

   frag6_input(): must always decrement counter when dropping fragment

   Currently frag6_input() does not decrement counter in one case:
   - it is processing fragment with offset 0 which arrives after
   the last fragment (fragment with max. offset)
   - there are more IPv6 extension headers between IPv6 header
   and IPv6 fragment header
   - re-assembled packet exceeds IPV6_MAXPACKET size limit

   if conditions above are met, then fragment gets dropped without
   decrementing counters. This commit fixes that.

   The issue was pointed out by Frank Denis.

   OK bluhm@
VersionDeltaFile
1.96+3-1sys/netinet6/frag6.c
+3-11 files

OpenBSD/src r0ZBVHwlib/libc/sys open.2

   correct mdoc macro ordering
VersionDeltaFile
1.61+3-3lib/libc/sys/open.2
+3-31 files

OpenBSD/src jmmVlJAlib/libc/sys pledge.2

   remove tab at end of line
VersionDeltaFile
1.85+3-3lib/libc/sys/pledge.2
+3-31 files

OpenBSD/src CWghTJulib/libc/time localtime.c

   Insist on opening only regular files. (On OpenBSD, the directory
   case is handled by the kernel, but I want to stop other weird stuff)
   ok millert, dgl
VersionDeltaFile
1.78+13-3lib/libc/time/localtime.c
+13-31 files

OpenBSD/src ufFxq3slib/libc/sys open.2, sys/kern kern_pledge.c vfs_lookup.c

   Make __pledge_open(2) of /etc/localtime and /usr/share/zoneinfo much
   more strict.  If /etc/localtime is a symbolic link, allow one translation
   which must land cleanly in /usr/share/zoneinfo (.. is checked for) otherwise
   error with EACCES.  In /usr/share/zoneinfo, do not allow symbolic links and
   error with ELOOP.
   Alfredo Ortega observed the non-strict handling, but agrees no specific
   exploitability exists.  Changing this took almost a month with many
   discarded prototypes.
   ok beck dgl
VersionDeltaFile
1.358+25-18sys/kern/kern_pledge.c
1.60+25-4lib/libc/sys/open.2
1.92+19-1sys/kern/vfs_lookup.c
1.52+4-1sys/sys/namei.h
+73-244 files

OpenBSD/src mQtr82husr.sbin/ypldap ypldap.c

   If the main process receives an oversized passwd or group entry message from
   the ldap client process, discard it rather than overflowing the struct
   idm_req on the stack.

   Pointed out by Frank Denis
   ok claudio@
VersionDeltaFile
1.32+5-1usr.sbin/ypldap/ypldap.c
+5-11 files

OpenBSD/src buLn6uXusr.sbin/bgpd rde_rib.c

   Rework the re-evaluation of a prefix if PREFIX_FLAG_FILTERED changed.

   The fix committed in rev 1.291 is not quite right. The problem is that
   prefix_evaluate() uses prefix_best() which calls prefix_eligible().
   It is wrong to alter the eligible state of a prefix while it is still
   on the rib list.

   Instead remove the prefix first, toggle the state, then readd it again.
   Even though prefix_evaluate() is called twice the code complexity is
   about the same since the 2 calls only do half the work.

   OK tb@
VersionDeltaFile
1.294+6-4usr.sbin/bgpd/rde_rib.c
+6-41 files

OpenBSD/src DvKQK1Lsys/arch/amd64/conf RAMDISK_CD, sys/arch/arm64/conf RAMDISK

   Enable qwz(4) for amd64 and arm64 RAMDISK.
VersionDeltaFile
1.215+2-2sys/arch/amd64/conf/RAMDISK_CD
1.241+2-2sys/arch/arm64/conf/RAMDISK
+4-42 files

OpenBSD/src mD7KB4dsys/arch/amd64/conf GENERIC, sys/arch/arm64/conf GENERIC

   Enable qwz(4) for amd64 and arm64 GENERIC.
VersionDeltaFile
1.539+2-2sys/arch/amd64/conf/GENERIC
1.315+2-2sys/arch/arm64/conf/GENERIC
+4-42 files

OpenBSD/src hPjSrccsys/dev/ic qwz.c qwzreg.h, sys/dev/pci if_qwz_pci.c

   Get qwz(4) in to an initial working state (assoc/rx/tx).

   Bug fixes (HAL/WMI drift vs. current ath12k):
     1. RX_BE_PADDING0_BYTES 80 -> 8 -- fixes RX-descriptor misalignment
        (dlpager crash, Hexagon 0x23).
     2. Send WMI_VDEV_PARAM_SET_HEMU_MODE = 0 before peer_assoc_cmd --
        clears stale HE-MU state.
     3. volatile cast on dst-ring hp_addr read in
        qwz_hal_srng_access_begin() -- matches SRC branch, fixes ARM64 hoist.
     4. BUFFER_ADDR_INFO1: RET_BUF_MGR GENMASK(10,8) -> (11,8),
        SW_COOKIE (31,11) -> (31,12).
     5. wbm2sw_cc_enable = WBM2SW3_EN only -- keeps HW Cookie Convert off
        the TX rings.
     6. HTT_TX_WBM_COMP_INFO0_STATUS (12,9) -> (16,13); drop bogus
        INFO2_SW_PEER_ID/VALID; add INFO1_REINJECT_REASON,
        INFO1_EXCEPTION_FRAME, INFO2_ACK_RSSI.
     7. REO/TX_RATE_STATS GENMASK shifts
        (HAL_REO_UPD_RX_QUEUE_INFO2_*, HAL_RX_REO_QUEUE_INFO0/1_* +2 bits;
        HAL_TX_RATE_STATS_INFO0_* +1 bit) + new

    [25 lines not shown]
VersionDeltaFile
1.27+411-118sys/dev/ic/qwz.c
1.14+122-39sys/dev/ic/qwzreg.h
1.9+56-6sys/dev/pci/if_qwz_pci.c
1.15+3-1sys/dev/ic/qwzvar.h
+592-1644 files

OpenBSD/src kN0KMLYsys/arch/arm64/stand/efiboot efiacpi.c conf.c

   Transplant the EL2 virtual timer interrupt into the ACPI device tree if
   it is provided in the GTDT table.
   Based on a diff from Marc Zyngier.

   ok jsg@
VersionDeltaFile
1.20+25-9sys/arch/arm64/stand/efiboot/efiacpi.c
1.54+2-2sys/arch/arm64/stand/efiboot/conf.c
+27-112 files

OpenBSD/src BAmEJPCusr.sbin/bgpd bgpd.c session.c

   If either tcp_md5_set() or pfkey_establish() fail then also fail the
   ongoing connect.

   The old graceful failure mode was added for strange cases like kernels
   without TCP MD5 support but there is honestly no good reason to limp along.
   The correct way to handle this on such broken systems is to edit the config
   and remove the auth settings. After that a bgpctl reload will fix the problem
   by skipping the TCP MD5 or IPSec setup.

   Reported by Frank Denis
   OK tb@
VersionDeltaFile
1.290+9-4usr.sbin/bgpd/bgpd.c
1.537+5-2usr.sbin/bgpd/session.c
+14-62 files

OpenBSD/src yNdK22Osys/arch/arm64/stand/efiboot dt_blob.S

   regen
VersionDeltaFile
1.3+857-265sys/arch/arm64/stand/efiboot/dt_blob.S
+857-2651 files

OpenBSD/src M48McmNsys/arch/arm64/stand/efiboot acpi.dts

   Add "interrupt-names" property to the timer node.

   ok jsg@
VersionDeltaFile
1.2+1-0sys/arch/arm64/stand/efiboot/acpi.dts
+1-01 files

OpenBSD/src xJf599Vusr.sbin/bgpd util.c

   In log_evpnaddr() the labellen for EVPN_ROUTE_TYPE_2 can either be 3 or 6.

   Currently only the first label is printed so only take the first 3 bytes
   of addr->labelstack to build the VNI. Do this by hand with a few shifts
   and or opertations instead of the memcpy and htonl() fumbling.

   EVPN is still experimental and disabled by default.
   Found by myself and also reported by Frank Denis
   OK denis@ tb@
VersionDeltaFile
1.102+5-4usr.sbin/bgpd/util.c
+5-41 files

OpenBSD/src h1zqy7Tlib/libcrypto cert.pem

   Sync cert.pem with mozilla roots; quite a few CA certificates were
   either removed or distrusted for web so are removed here.  ok tb@

   Common policies (moz, google, ca/b) are now to distrust roots with key
   material created before a certain time (currently 2008, this rolls
   forwards by 2 years each April until 2029 when it moves to '15 years
   from creation'), and also roots used for TLS are not permitted to be
   shared with other purposes (Secure Email, Code Signing, or others).

   This removes all root certificates from the following CA operators:

   -AffirmTrust
   -  /C=US/O=AffirmTrust/CN=AffirmTrust Commercial
   -  /C=US/O=AffirmTrust/CN=AffirmTrust Networking
   -  /C=US/O=AffirmTrust/CN=AffirmTrust Premium
   -  /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC

   -Firmaprofesional SA
   -  /C=ES/O=Firmaprofesional SA/2.5.4.97=VATES-A62634068/CN=FIRMAPROFESIONAL CA ROOT-A WEB

    [67 lines not shown]
VersionDeltaFile
1.35+1-1,146lib/libcrypto/cert.pem
+1-1,1461 files

OpenBSD/src nW8TkQQsbin/dhcpleased engine.c

   dhcpleased: Make sure to use VIS_NL with stravis()

   Various DHCP fields could include newlines, these were written to the lease file as-is. Nothing in base reads them, but it could confuse other tools.

   ok florian@
VersionDeltaFile
1.64+4-4sbin/dhcpleased/engine.c
+4-41 files

OpenBSD/src yC3jVgBsbin/dhcpleased dhcpleased.c dhcpleased.h

   dhcpleased: Change rdns_count to size_t

   Potentially on a 32-bit platform a crafted imsg could make the engine read 4 bytes of stack.

   ok florian@
VersionDeltaFile
1.43+4-4sbin/dhcpleased/dhcpleased.c
1.20+2-2sbin/dhcpleased/dhcpleased.h
+6-62 files

OpenBSD/src 9Qsmuvssbin/dhcpleased engine.c

   dhcpleased: Validate size of imsg_dhcp.len

   If the frontend manages to write something bad to imsg (bypassing the frontend's validation), where imsg_dhcp.len is > sizeof(imsg_dhcp.packet) it is possible for an OOB read to be forced in the engine. Make this fatal.

   ok florian@
VersionDeltaFile
1.63+4-2sbin/dhcpleased/engine.c
+4-21 files

OpenBSD/src SPnmCYZsbin/dhcpleased engine.c

   dhcpleased: Ensure imsg is zeroed in send_routes_withdraw.

   ok florian@
VersionDeltaFile
1.62+2-1sbin/dhcpleased/engine.c
+2-11 files

OpenBSD/src LvjNDn4sys/arch/amd64/amd64 cpu.c, sys/arch/amd64/include specialreg.h

   mitigate AMD Zen-2 operation cache corruption

   On Zen 2, the operation cache can be used to change instructions
   of a different privilege level.
   https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html

   The mitigation is setting a chicken bit in an MSR.  This is not documented
   publicly, even in the security bulletin.  The value comes from a patch
   submitted to Linux by AMD employees.

   ok deraadt@ brynet@
VersionDeltaFile
1.206+7-1sys/arch/amd64/amd64/cpu.c
1.680+7-1sys/arch/i386/i386/machdep.c
1.123+4-1sys/arch/amd64/include/specialreg.h
1.87+4-1sys/arch/i386/include/specialreg.h
+22-44 files

OpenBSD/src UddTljbsys/kern sysv_shm.c

   Limit the maximum value of shminfo.shmseg to prevent `size' overflow in
   sys_shmat(). The default value of 128 is safe, but overflow could happen
   on 32 bits machine while the value of shminfo.shmseg was raised too high.

   Discussed with deraadt.
VersionDeltaFile
1.83+6-2sys/kern/sysv_shm.c
+6-21 files

OpenBSD/src t4YtPNrusr.sbin/bgpd rde_attr.c rde.h

   Add const void *data to attr_optadd()

   Doing this requires that attr_alloc() and attr_lookup() also use const.
   For attr_alloc() this is no problem but attr_lookup() is a bit more tricky
   since the data field in sturct attr is deliberatly not const.
   So instead use CH_LOCATE and a new attr_match() function to do the lookup
   with a helper type that uses const.

   OK tb@
VersionDeltaFile
1.145+33-9usr.sbin/bgpd/rde_attr.c
1.349+2-2usr.sbin/bgpd/rde.h
+35-112 files

OpenBSD/src 1hkt9Hyusr.sbin/bgpctl output.c output_json.c

   Add the extended message capability to the if statement that checks if
   the peer has anything enabled. Missed when adding ext_msg support.

   OK tb@
VersionDeltaFile
1.75+5-3usr.sbin/bgpctl/output.c
1.64+3-2usr.sbin/bgpctl/output_json.c
+8-52 files

OpenBSD/src 72WDOGzusr.sbin/bgpd chash.c chash.h

   Introduce ch_ext a struct holding the table an meta data pointers for
   the extendible hash.

   Doing this removes the need for handling two arrays in resize operations
   and also keeps the two pointers together. The code becomes simpler and
   with some reshuffling ch_table_resize() is now less problematic.

   The initial allocation of the extendible table is increased from one entry
   to two.

   OK tb@
VersionDeltaFile
1.12+68-76usr.sbin/bgpd/chash.c
1.7+5-7usr.sbin/bgpd/chash.h
+73-832 files

OpenBSD/src wxJ6n5Wsys/kern subr_disk.c

   In the disklabel check for specific fields with value 0, and return
   early before trying to check for a byte-swapped label.  This avoids
   a /0 in the byte-swapped partition check.
   ok krw, also discussed with krw
VersionDeltaFile
1.285+8-7sys/kern/subr_disk.c
+8-71 files

OpenBSD/src 7zqtlytusr.bin/sed compile.c

   Fix heap buffer overread in compile_delimited()

   OK deraadt
VersionDeltaFile
1.54+3-2usr.bin/sed/compile.c
+3-21 files

OpenBSD/src zg1DqWxusr.sbin/bgpd rde_prefix.c rde.h

   Do not fatal in pt_fill() instead return an error object that can never exist.

   pt_fill() is in some cases used by semi-trusted content (e.g. from
   bgpctl). The fatalx calls in that function are therefor a problem.

   This alters pt_fill to instead return a pt_entry object that can not
   exist in the tree. This error object is simply initalised with 0xff.

   Also if the prefixlen is too large for the address family just clip it down
   to the maximum (with a log message).

   In pt_add(), the only place a pt_fill() object would be added to the tree,
   check if the returned object is valid. There it is ok to fatal (at least
   for now) since the code previous to pt_add() should validate the prefix.

   Uniform some error messages and switch the prefixlen argument to u_int.

   OK tb@
VersionDeltaFile
1.61+53-22usr.sbin/bgpd/rde_prefix.c
1.348+5-5usr.sbin/bgpd/rde.h
+58-272 files

OpenBSD/src wpUl1Fdlib/libc/sys pledge.2

   strict localtime / zoneinfo __pledge_open() behaviours coming soon
VersionDeltaFile
1.84+3-3lib/libc/sys/pledge.2
+3-31 files

OpenBSD/src MOwmcOUsys/kern kern_ktrace.c

   The ktrace signal structure ktr_psig needs to be zero'd before filling in
   for providing to userland.
   from Stuart Thomas
VersionDeltaFile
1.116+2-1sys/kern/kern_ktrace.c
+2-11 files