1. 20 Jan, 2022 10 commits
    • HBSD: Fix kernel-side of procctl(2) cansee/candebug generally · 1f044325
      Shawn Webb authored
      When a non-zero PID value is passed to procctl(2), procctl verifies that
      the caller has the right to observe the target. We should treat passing
      in the caller's own PID the same as passing in 0, in which case the
      cansee/candebug check is bypassed.
      
      This fixes in a more general fashion the bug that OpenSSH manifested,
      which I had fixed in commit cc791ab8.
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
    • HBSD: Properly prevent process tracing in OpenSSH · cc791ab8
      Shawn Webb authored
      When procctl is passed getpid(), it performs an additional check to see
      whether the process can be seen or debugged. In the case of the sftpd
      server, the sftpd server switches UID/GID to that of the to-be-logged-in
      user account.
      
      Since HardenedBSD sets the security.bsd.unprivileged_proc_debug sysctl
      node to 0 by default (FreeBSD leaves it at 1), procctl's cansee/candebug
      check fails. This cascades down to the sftpd process, causing sftpd to
      deny the connection.
      
      To circumvent the cansee/candebug check, procctl callers can pass in 0
      as the target PID, which tells procctl to act on the caller itself. As
      such, the cansee/candebug check is bypassed, since it's okay to use
      procctl on oneself.
      
      To fix this problem, have OpenSSH pass in 0 as the target PID.
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
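      The two HBSD commits above describe the same hazard from both sides: procctl(2) skips the cansee/candebug check only for target PID 0 ("act on myself"), so a process that passes its own getpid() instead is subjected to a check that fails once it has dropped to an unprivileged uid on a system with security.bsd.unprivileged_proc_debug=0. The following is an added example, not HardenedBSD or FreeBSD kernel code and not OpenSSH code: a user-space model of that target check, with a knob that reproduces the behaviour before and after 1f044325. The struct, the credential rule inside model_candebug() and the sysctl variable are assumptions standing in for the kernel's p_cansee()/p_candebug() machinery; only the control flow around the "PID 0 means self" rule follows the commit messages. On a real FreeBSD/HardenedBSD system the two calling styles are procctl(P_PID, 0, ...) versus procctl(P_PID, getpid(), ...).

```c
/*
 * Added example (not kernel code): simplified model of the procctl(2)
 * target check described in commits 1f044325 and cc791ab8.
 * Everything below the includes is an assumption made for illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Models sysctl security.bsd.unprivileged_proc_debug; HardenedBSD defaults to 0. */
static int unprivileged_proc_debug = 0;

struct mproc {
    pid_t pid;
    uid_t uid;   /* effective uid after any setuid() */
};

/*
 * Minimal stand-in for p_candebug(): root may always debug; an
 * unprivileged caller may only debug when the sysctl allows it and the
 * target runs under the same uid. This rule is an assumption.
 */
static int model_candebug(const struct mproc *caller, const struct mproc *target)
{
    if (caller->uid == 0)
        return 0;
    if (!unprivileged_proc_debug)
        return EPERM;
    if (caller->uid != target->uid)
        return EPERM;
    return 0;
}

/*
 * Target check at the top of the modelled procctl(2).
 * treat_self_as_zero == 0: behaviour before 1f044325, only pid 0 skips
 *   the check, so passing getpid() runs model_candebug().
 * treat_self_as_zero != 0: the fix, the caller's own pid is treated like 0.
 */
static int model_procctl_check(const struct mproc *caller, pid_t pid, int treat_self_as_zero)
{
    if (pid == 0)
        return 0;
    if (treat_self_as_zero && pid == caller->pid)
        return 0;
    /* A real procctl() would look the pid up; self is the only target modelled. */
    const struct mproc *target = (pid == caller->pid) ? caller : NULL;
    if (target == NULL)
        return ESRCH;
    return model_candebug(caller, target);
}

/* Constructed process: an sftp server after switching from root to the login user's uid. */
static struct mproc sftpd = { .pid = 4242, .uid = 1001 };

/* Pre-fix kernel model, HardenedBSD default sysctl: getpid() fails, 0 succeeds. */
int self_check_before_fix_getpid(void) { return model_procctl_check(&sftpd, sftpd.pid, 0); }
int self_check_before_fix_zero(void)   { return model_procctl_check(&sftpd, 0, 0); }

/* Pre-fix kernel model with FreeBSD's default (sysctl = 1): getpid() passes, which is why the bug only showed on HardenedBSD. */
int self_check_before_fix_freebsd_default(void)
{
    unprivileged_proc_debug = 1;
    int err = model_procctl_check(&sftpd, sftpd.pid, 0);
    unprivileged_proc_debug = 0;
    return err;
}

/* Post-fix kernel model: getpid() is treated exactly like 0. */
int self_check_after_fix_getpid(void)  { return model_procctl_check(&sftpd, sftpd.pid, 1); }

int main(void)
{
    printf("before fix, pid=getpid(), unprivileged_proc_debug=0: %d (EPERM=%d)\n",
           self_check_before_fix_getpid(), EPERM);
    printf("before fix, pid=0:                                   %d\n", self_check_before_fix_zero());
    printf("before fix, pid=getpid(), unprivileged_proc_debug=1: %d\n",
           self_check_before_fix_freebsd_default());
    printf("after fix,  pid=getpid():                            %d\n", self_check_after_fix_getpid());
    return 0;
}
```

      The model makes the practitioner's check explicit: any code that passes getpid() to procctl(2) is asking for a debug-permission check on itself, and the outcome depends on a sysctl. Passing 0 (or, after 1f044325, either form) asks only "may I act on myself", which is always allowed.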
    • geom: Handle partial I/O in g_{read,write,delete}_data() · d91d2b51
      Mark Johnston authored
      These routines are used internally by GEOM to dispatch I/O requests to a
      provider, typically for tasting or for updating GEOM class metadata
      blocks.
      
      These routines assumed that partial I/O did not occur without setting
      BIO_ERROR, but this is possible in at least two cases:
      - Some or all of the I/O range is beyond the provider's mediasize.
        In this scenario g_io_check() truncates the bounds of the request
        before it is handed to the target provider.
      - A read from a vnode-backed md(4) device returns EOF (the backing vnode
        is allowed to be smaller than the device itself) or partial vnode I/O
        occurs.
      In these scenarios g_read_data() could return a partially uninitialized
      buffer.  Many consumers are not affected by the first case, since the
      offsets used for provider metadata or tasting are relative to the
      provider's mediasize, but in some cases metadata is read at fixed
      offsets, such as when searching for a UFS superblock using the offsets
      defined by SBLOCKSEARCH.
      
      Thus, modify the routines to explicitly check for a non-zero residual
      and return EIO in that case.  Remove a related check from the
      DIOCGDELETE ioctl handler, it is handled within g_delete_data() now.
      
      Reviewed by:	mav, imp, kib
      Reported by:	KMSAN
      MFC after:	2 weeks
      Sponsored by:	The FreeBSD Foundation
      Differential Revision:	https://reviews.freebsd.org/D31293
    • vtnet: Mark MRG_RXBUF headers as initialized before loading fields · 526ddf17
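      The commit above points at a pattern worth checking in any I/O wrapper: treating "no error flag" as "the whole buffer was filled". The following is an added example, not FreeBSD's g_read_data() or g_io_check(): a user-space model in which an over-long request is truncated at the provider's mediasize without an error (as the commit describes g_io_check() doing), and the old and new wrapper variants are compared. The provider size, the backing array, the bio_result struct and the 0xAA poison fill are constructed for illustration.

```c
/*
 * Added example, not GEOM code: model of the partial-I/O hazard fixed in
 * d91d2b51. The provider, its mediasize and the helpers are assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MEDIASIZE 16384u   /* assumed provider size in bytes */

/* Constructed backing store standing in for the provider's media.
 * Byte values stay in 0..0x7f so the 0xAA poison below is never a real byte. */
static unsigned char media[MEDIASIZE];

static void init_media(void)
{
    for (size_t i = 0; i < MEDIASIZE; i++)
        media[i] = (unsigned char)(i & 0x7f);
}

/* Completion state of a modelled bio: error flag plus untransferred residual. */
struct bio_result {
    int    error;
    size_t resid;
};

/*
 * Like g_io_check() truncating a request that runs past mediasize: the
 * request completes without BIO_ERROR but with a non-zero residual, and
 * the truncated tail of the caller's buffer is never written.
 */
static struct bio_result provider_read(off_t offset, void *buf, size_t len)
{
    struct bio_result r = { 0, 0 };
    if ((uint64_t)offset >= MEDIASIZE) {  /* entirely out of range: real error */
        r.error = EIO;
        return r;
    }
    size_t avail = MEDIASIZE - (size_t)offset;
    size_t n = len < avail ? len : avail;
    memcpy(buf, media + offset, n);
    r.resid = len - n;
    return r;
}

/* Behaviour before d91d2b51: trust the error flag only. */
int read_data_old(off_t offset, void *buf, size_t len)
{
    return provider_read(offset, buf, len).error;
}

/* Behaviour after d91d2b51: a non-zero residual is reported as EIO. */
int read_data_new(off_t offset, void *buf, size_t len)
{
    struct bio_result r = provider_read(offset, buf, len);
    if (r.error != 0)
        return r.error;
    if (r.resid != 0)
        return EIO;
    return 0;
}

/* Fixed-offset metadata probe (the SBLOCKSEARCH-style case) that straddles
 * the end of a small provider: 4 KiB requested, only 1 KiB available. */
#define PROBE_OFF  (MEDIASIZE - 1024)
#define PROBE_LEN  4096u

int old_path_error(void)
{
    unsigned char buf[PROBE_LEN];
    init_media();
    memset(buf, 0xAA, sizeof(buf));
    return read_data_old(PROBE_OFF, buf, sizeof(buf));   /* reports success */
}

/* How many bytes of the buffer the old path left unwritten. */
size_t old_path_uninitialized_bytes(void)
{
    unsigned char buf[PROBE_LEN];
    init_media();
    memset(buf, 0xAA, sizeof(buf));
    (void)read_data_old(PROBE_OFF, buf, sizeof(buf));
    size_t untouched = 0;
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] == 0xAA)
            untouched++;
    return untouched;
}

int new_path_error(void)
{
    unsigned char buf[PROBE_LEN];
    init_media();
    return read_data_new(PROBE_OFF, buf, sizeof(buf));   /* EIO */
}

/* A fully in-range read is unaffected by the residual check. */
int new_path_in_range(void)
{
    unsigned char buf[PROBE_LEN];
    init_media();
    return read_data_new(0, buf, sizeof(buf));
}
```

      The old path returns 0 while three quarters of the buffer still holds whatever the caller started with, which is exactly the "partially uninitialized buffer" KMSAN flagged; the residual check converts that into an explicit EIO without affecting reads that fit inside the provider.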
      Mark Johnston authored
      MFC after:	1 week
      Sponsored by:	The FreeBSD Foundation
    • fusefs: Address -Wunused-but-set-variable warnings · 3d856234
      Mark Johnston authored
      Reviewed by:	asomers
      MFC after:	1 week
      Differential Revision:	https://reviews.freebsd.org/D33957
    • clockcalib: Fix an overflow bug · c3196306
      Mark Johnston authored
      tc_counter_mask is an unsigned int and in the TSC timecounter is equal
      to UINT_MAX, so the addition tc->tc_counter_mask + 1 can overflow to 0,
      resulting in a hang during boot.
      
      Fixes:		c2705cea ("x86: Speed up clock calibration")
      Reviewed by:	cperciva
      Sponsored by:	The FreeBSD Foundation
      Differential Revision:	https://reviews.freebsd.org/D33956
    • remove debug code for cpu usage · e0282802
      Wolfram Schneider authored
      I guess nobody used this in the last decade, and you can get
      similar results with the time(1) command.
    • Use 64-bit integers for database statistics · cfa38564
      Wolfram Schneider authored
      This fixes (harmless) integer overflows for larger partitions (>2TB)
      
      PR: 223023
  2. 19 Jan, 2022 22 commits
    • HBSD: Revert "sanitizers: Improve FreeBSD ASLR detection" · 3848b8b1
      Shawn Webb authored
      This reverts commit 7cafe89f. We don't
      use FreeBSD's AS{L}R implementation.
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
    • kqueue(2): Add note about format of the data for NOTE_EXIT · 7406ec4e
      Konstantin Belousov authored
      Noted by:	Dave Baukus <daveb@spectralogic.com>
      PR:	261346
      MFC after:	3 days
      Sponsored by:	The FreeBSD Foundation
    • riscv: fix unused var in page_fault_handler() · eb81812f
      Mitchell Horne authored
      clang warns that p is set-but-not-used, so let's use it.
    • Add tests for ses(4) · eea7c615
      Alan Somers authored
      The tests require SES hardware.  Without it, the test cases will be
      skipped.
      
      Reviewed by:	ken
      Differential Revision: https://reviews.freebsd.org/D31809
      Sponsored by:	Axcient
      MFC after:	2 weeks
    • sesutil: fix a comment · 18acbeb3
      Alan Somers authored
      MFC after:	2 weeks
      Sponsored by:	Axcient
    • correct type of mmap len parameter · a97ce14a
      Wolfram Schneider authored
      Using locate -m on a database > 2GB should work now.
      
      PR: 261277
    • ses: minor cleanup · 170a0a8e
      Alan Somers authored
      * Prefer variables of small scope rather than large scope
      * Remove a magic number
      * style(9) for return statements
      * Remove the get_enc_status method, which never did anything
      * Fix a variable type in the handle_string method
      * Proofread some comments
      
      MFC after:	2 weeks
      Sponsored by:	Spectra Logic, Axcient
      Reviewed by:	ken, mav
      Differential Revision: https://reviews.freebsd.org/D31686
    • sanitizers: Improve FreeBSD ASLR detection · 7cafe89f
      Ed Maste authored
      The kern.elf64.aslr.pie_enable and kern.elf32.aslr.pie_enable sysctls
      control the default setting for PIE binary address randomization, but
      it is possible to enable or disable ASLR on a per-process basis.  Use
      procctl(2) to query whether ASLR is enabled.
      
      (Note that with ASLR enabled but sysctl kern.elf64.aslr.pie_enable=0
      a PIE binary will in effect have randomization disabled, and be
      functional with msan.  This is not intended as a user-facing control
      though.  The user can use proccontrol(1) to disable aslr for the
      process.)
      
      Approved by:	dim
      Obtained from:	LLVM 64de0064f315f57044294879d9ff4eacb454d45b
      MFC after:	2 weeks
      Sponsored by:	The FreeBSD Foundation
      Differential Revision:	https://reviews.freebsd.org/D33933
    • bhyve/snapshot: fix pthread_create() error check · 51fbd894
      Robert Wing authored
      pthread_create() returns 0 on success or an error number on failure.
      
      Reviewed by:	khng, markj
      Differential Revision:	https://reviews.freebsd.org/D33930
    • vt: Use a taskqueue to clear splash_cpu logos · 6c7e4d72
      Mark Johnston authored
      vt_fini_logos() calls vtbuf_grow(), which reallocates the console
      window's buffer using malloc(M_WAITOK).  Because vt_fini_logos() is
      called via a callout, we end up panicking if INVARIANTS is enabled.
      
      Fix the problem simply by clearing the logos using a timed taskqueue.
      taskqueue_thread is formally allowed to sleep; of course, if we actually
      end up sleeping to satisfy the allocation, then we have bigger problems.
      
      PR:		260896
      Reviewed by:	emaste
      MFC after:	2 weeks
      Sponsored by:	The FreeBSD Foundation
      Differential Revision:	https://reviews.freebsd.org/D33932
    • Add the Armv8.3-SPE registers · 2ad19997
      Andrew Turner authored
    • Teach DTrace about BTI on arm64 · b5876847
      Andrew Turner authored
      The Branch Target Identification (BTI) Armv8-A extension adds new
      instructions that can be placed where we may indirectly branch to,
      e.g. at the start of a function called via a function pointer. We can't
      emulate these in DTrace as the kernel will have raised a different
      exception before the DTrace handler has run.
      
      Skip over the BTI instruction if it's used as the first instruction in
      a function.
      
      Sponsored by:	The FreeBSD Foundation
    • pci_vendors: update to 2022-01-15 · 6521372e
      Baptiste Daroussin authored
    • bsddialog: Fix for terminals without colours · 8ea2d22e
      Alfonso Siciliano authored
      When running the installer, in particular disextract (which is so far
      the only part converted to bsddialog), on serial console or vt100 or
      actually any terminal without color support, it failed to start.
      
      This change makes bsddialog fallback on the black and white theme.
      
      This is incorporated in a newer version of bsddialog which will be
      imported soon.
      
      PR:		261272
      Reported by:	thj
      Differential Revision:	https://reviews.freebsd.org/D33920
    • vm_phys: add essential segment bounds check · 0ce7909c
      Doug Moore authored
      A lower-bound segment check is necessary in vm_phys_alloc_seg_contig.
      Add one.
      
      Reported by:	jenkins
      Reviewed by:	alc
      Fixes:	da92ecbc vm_phys: fix seg->end test in alloc_seg_contig
      MFC after:	1 week
      Differential Revision:	https://reviews.freebsd.org/D33945
    • HBSD: Randomize the RTLD in a special manner · c34575c2
      Shawn Webb authored
      Apply a new delta specific for the RTLD, in similar fashion as the PIE
      execution base.
      
      Previously, the same delta we used for regular mmap calls was used,
      which placed the RTLD next to all the other shared objects. This is
      somewhat undesirable as the RTLD contains a lot of sensitive
      information.
      
      This commit sets up a new delta just for the RTLD, using the same level
      of entropy as the mmap delta.
      
      Before:
      
      ```
      81137      0x2bfd6929000      0x2bfd6956000 r--   33  208 168   0 CN--- vn /usr/local/bin/rzsh
      81137      0x2bfd6956000      0x2bfd69ff000 r-x  169  208 168   0 CN--- vn /usr/local/bin/rzsh
      81137      0x2bfd69ff000      0x2bfd6a01000 r--    2    0   1   0 CN--- vn /usr/local/bin/rzsh
      81137      0x2bfd6a01000      0x2bfd6a07000 rw-    6    0   1   0 CN--- vn /usr/local/bin/rzsh
      81137      0x2bfd6a07000      0x2bfd6a0d000 rw-    6    6   1   0 C---- df
      81137      0x3c8c2c39000      0x3c8c2c3f000 r--    6   30 632   0 CN--- vn /libexec/ld-elf.so.1
      81137      0x3c8c2c3f000      0x3c8c2c57000 r-x   24   30 632   0 CN--- vn /libexec/ld-elf.so.1
      81137      0x3c8c2c57000      0x3c8c2c58000 r--    1    0   1   0 CN--- vn /libexec/ld-elf.so.1
      81137      0x3c8c2c58000      0x3c8c2c59000 rw-    1    0   1   0 CN--- vn /libexec/ld-elf.so.1
      81137      0x3c8c2c59000      0x3c8c2c5b000 rw-    2    2   1   0 CN--- df
      81137      0x3c8c2c5b000      0x3c8c2c73000 rw-   21   21   1   0 CN--- df
      81137      0x3c8c2c74000      0x3c8c2c76000 r--    2    2 144   0 CN--- vn /usr/local/lib/zsh/5.8/zsh/langinfo.so
      ```
      
      After:
      
      ```
      60476        0xb7795c000        0xb77989000 r--   33  208  12   0 CN--- vn /usr/local/bin/zsh
      60476        0xb77989000        0xb77a32000 r-x  169  208  12   0 CN--- vn /usr/local/bin/zsh
      60476        0xb77a32000        0xb77a34000 r--    2    0   1   0 CN--- vn /usr/local/bin/zsh
      60476        0xb77a34000        0xb77a3a000 rw-    6    0   1   0 CN--- vn /usr/local/bin/zsh
      60476        0xb77a3a000        0xb77a40000 rw-    6    6   1   0 C---- df
      60476      0x1ee19122000      0x1ee19128000 r--    6   30  95   0 CN--- vn /libexec/ld-elf.so.1
      60476      0x1ee19128000      0x1ee19140000 r-x   24   30  95   0 CN--- vn /libexec/ld-elf.so.1
      60476      0x1ee19140000      0x1ee19141000 r--    1    0   1   0 CN--- vn /libexec/ld-elf.so.1
      60476      0x1ee19141000      0x1ee19142000 rw-    1    0   1   0 CN--- vn /libexec/ld-elf.so.1
      60476      0x1ee19142000      0x1ee19144000 rw-    2    2   1   0 CN--- df
      60476      0x3b2db385000      0x3b2db39d000 rw-   21   21   1   0 CN--- df
      60476      0x3b2db39e000      0x3b2db3a0000 r--    2    2  12   0 CN--- vn /usr/local/lib/zsh/5.8/zsh/langinfo.so
      ```
      Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
      MFC-to:		13-STABLE
      MFC-to:		12-STABLE
    • fusefs: implement VOP_DEALLOCATE · 89d57b94
      Alan Somers authored
      MFC after:	Never
      Reviewed by:	khng
      Differential Revision: https://reviews.freebsd.org/D33800
    • Reduce bufdaemon/bufspacedaemon shutdown time. · b7ff445f
      Alexander Motin authored
      Before this change bufdaemon and bufspacedaemon threads used
      kthread_shutdown() to stop activity on system shutdown.  The problem is
      that kthread_shutdown() has no idea about the wait channel and lock used
      by a specific thread to wake it up reliably.  As a result, up to 9 threads
      could consume up to 9 seconds to shutdown for no good reason.
      
      This change introduces specific shutdown functions, knowing how to
      properly wake up specific threads, reducing wait for those threads on
      shutdown/reboot from average 4 seconds to effectively zero.
      
      MFC after:	2 weeks
      Reviewed by:	kib, markj
      Differential Revision:  https://reviews.freebsd.org/D33936
  3. 18 Jan, 2022 8 commits