ospfd(8) must be more paranoid about what it sends
to its peers using IPC messages (see imsg_add(3)).
The data passed between processes must not leak
information on the memory address layout of the process.
The process must send to its peers either data which
is needed or, if taking a shortcut, zeroize fields
which carry pointers (memory addresses) from the process.
The issue has been reported by students
from British Columbia University earlier this year.
The fix includes generous feedback from claudio@
OK claudio@
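
An added example, not ospfd's code: one way to follow the rule in the commit message above before a structure is handed to the IPC layer. The struct layouts and the names rt_local, rt_wire, rt_to_wire and contains_ptr are hypothetical; the message is built in a zeroed buffer with only the needed fields copied in, and a small audit helper checks that no pointer value survives in the bytes to be sent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-process object: routing data mixed with pointers. */
struct rt_local {
	struct rt_local	*next;		/* list linkage: an address */
	void		*ctx;		/* private state: another address */
	uint32_t	 prefix;
	uint32_t	 metric;
	uint8_t		 prefixlen;
};

/* Hypothetical wire form: only what the peer needs, padding named. */
struct rt_wire {
	uint32_t	prefix;
	uint32_t	metric;
	uint8_t		prefixlen;
	uint8_t		pad[3];
};

/* Zero the whole message, then copy the needed fields one by one. */
void rt_to_wire(const struct rt_local *rt, struct rt_wire *w)
{
	memset(w, 0, sizeof(*w));
	w->prefix = rt->prefix;
	w->metric = rt->metric;
	w->prefixlen = rt->prefixlen;
}

/* Audit helper: returns 1 if buf holds the byte image of pointer p. */
int contains_ptr(const void *buf, size_t len, const void *p)
{
	const unsigned char *b = buf;
	for (size_t i = 0; i + sizeof(p) <= len; i++)
		if (memcmp(b + i, &p, sizeof(p)) == 0)
			return 1;
	return 0;
}

int main(void)
{
	struct rt_local rt = { &rt, NULL, 0x0a000000, 10, 8 };	/* constructed */
	struct rt_wire w;
	rt_to_wire(&rt, &w);
	printf("raw struct: %d, wire form: %d\n",
	    contains_ptr(&rt, sizeof(rt), rt.next),
	    contains_ptr(&w, sizeof(w), rt.next));
	return 0;
}
```
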
Major rework of prompts. The basic prompt mechanics (draw, editing, etc)
are now wrapped up in prompt*.c and do not depend on a client. These
functions are used to provide the original client prompt but also to
allow panes to have their own prompts, which works much much better for
floating panes. The mode prompts for both the tree modes and copy mode
are switched over to be per pane.
There are some visible changes (some of these may be changed if they
don't seem to be working well):
- Prompts in modes now appear in the bottom line, covering whatever
content was there.
- command-prompt has a -P flag to open a pane prompt.
- Because they cover the content, the default style for prompts in modes
now does not fill the entire line; the main command prompt stays the
same.
[5 lines not shown]

Initialize uvm_maxkaddr to VM_MIN_KERNEL_ADDRESS. This fixes a problem
where uvm_map() with the UVM_FLAG_FIXED flag would miscalculate the amount
to grow the kernel pmap if uvm_maxkaddr was still zero, which happens on
amd64 (and possibly other architectures that use PMAP_STEAL_MEMORY). This
would result in the kernel pmap growing to its maximum which would consume
all memory on small memory machines now that we've given amd64 512G of KVA.
ok deraadt@

Always untrace traced children even when they're exiting. But do skip
sending them a SIGKILL. This prevents triggering a KASSERT in a convoluted
scenario reported by Yuxiang Yang.
"looks right" deraadt@
ok claudio@

rpki-client: add some signed object boilerplate
This adds new/free/obj functions and introduces struct signed_obj
containing the handlers. Pass signtime and der_len into the new()
function for now and rewrite *_parse() using that.
discussed with claudio
ok job

Long ago, we took advantage of the "status" property to avoid attaching
drivers to devices reporting themselves as in failing state.
However, doing this on Mostek chips with dead batteries would cause no
clock source to attach, and the kernel would then assume it is running on
sun4v with the unix-gettod? OFW method being available, causing spurious
(and puzzling) warnings on console on non-sun4v systems.
Relax this logic to allow clock(4) to always attach regardless of its state,
but distrust the clock value on devices reported as failing.
This allows e.g. Enterprise 4000 systems with dead batteries on all
motherboards to correctly attach clocks and hold the date on warm reboots,
without scaring users.
ok kettenis@ quite some time ago.

Rename EVAL_RECONF to EVAL_REEVAL since this is a re-evaluation of the RIB
that is triggered. Also use EVAL_REEVAL in the peer_dump upcall since
there the re-evaluation also happens but just for a single peer.
Adjust the peer_generate_update() prototype and drop the newpath and
old_pathid_tx arguments. Those will no longer be used. Also adjust
up_generate_addpath_all() which is currently unreachable.
OK tb@

Make divert-packet / divert(4) properly rdomain aware.
divert(4) only partially handled rtables / rdomains. While it was used
outbound, inbound packets did not check the rdomain. This is confusing
and incorrect.
Now inbound packets need to match the rdomain of the listening socket
so one needs to listen on the rdomain the packets come in.
If packets from multiple rdomains match the rule then userland
needs to listen on each rdomain. If not the packet will be dropped.
Report by Y Yang, et al from Tsinghua University
With and OK bluhm@ OK sashan@ mvs@

sndiod: Refactor and simplify the hello message handling
Use proper enums for the resource type (audio device, midithru port,
etc) in place of magic numbers and factor duplicated code.
No behavior change.

Extend multicast router counter.
ip_mforward() contained a static variable that poorly implements a
rate limited log message. Replace the log with a counter, which
is MP-safe.
Also count drops due to time-to-live and hop-limit. As the default
ttl is 1, this is the most common pitfall when configuring a multicast
router. This counter helps debugging.
OK claudio@ deraadt@

For IPC_STAT (and KERN_SYSVIPC_SHM_INFO) the three fields
__shm_atimensec/__shm_dtimensec/_shm_ctimensec leak kernel memory
contents because we never initialize them; they should clearly be zero
until such time as we add more precision. The Tsinghua University group
suggested clearing these at export time, but the real problem is the
memory is being allocated without PR_ZERO.
ok kettenis mvs