diff options
| author | Gordon Tetlow <gordon@FreeBSD.org> | 2022-03-15 19:18:42 +0000 |
|---|---|---|
| committer | Gordon Tetlow <gordon@FreeBSD.org> | 2022-03-15 19:21:16 +0000 |
| commit | ba3b824455f82aeca72ef6cd34cabf09672a2640 (patch) | |
| tree | b14a0a467de12d1eb28be67d60aef47d59aa699a | |
| parent | 00f6c1be842bbf1b20a91c10d250ae082f1fd826 (diff) | |
| download | doc-ba3b824455f82aeca72ef6cd34cabf09672a2640.tar.gz doc-ba3b824455f82aeca72ef6cd34cabf09672a2640.zip | |
Add EN-22:09 to EN-22:12 and SA-22:02 to SA-22:03.
Approved by: so
22 files changed, 2135 insertions, 0 deletions
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index bfacfbf277..6a60b5b67b 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -2,6 +2,14 @@ # $FreeBSD$ [[advisories]] +name = "FreeBSD-SA-22:03.openssl" +date = "2022-03-15" + +[[advisories]] +name = "FreeBSD-SA-22:02.wifi" +date = "2022-03-15" + +[[advisories]] name = "FreeBSD-SA-22:01.vt" date = "2022-01-11" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 3ab79b1502..b246718740 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -2,6 +2,22 @@ # $FreeBSD$ [[notices]] +name = "FreeBSD-EN-22:12.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:11.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:10.zfs" +date = "2022-03-15" + +[[notices]] +name = "FreeBSD-EN-22:09.freebsd-update" +date = "2022-03-15" + +[[notices]] name = "FreeBSD-EN-22:08.i386" date = "2022-02-01" diff --git a/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc new file mode 100644 index 0000000000..a85ee4d0cf --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:09.freebsd-update.asc @@ -0,0 +1,125 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:09.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update creating erroneous boot environments + +Category: core +Module: freebsd-update +Announced: 2022-03-15 +Affects: FreeBSD 12.3 +Corrected: 2022-02-15 06:09:41 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:17:55 UTC (releng/12.3, 12.3-RELEASE-p3) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +By default, freebsd-update(8) is configured to create new ZFS boot environments +on systems that are compatible with bectl(8). + +II. Problem Description + +When updating a jail or another root that isn't the system root using -b, +freebsd-update(8) will create a spurious boot environment despite the updated +root not causing a change in the boot environment. + +III. Impact + +Users that have used freebsd-update(8) with the -b or -j flags may have some +extra boot environments present on the system that did not meaningfully impact +the boot environment. + +IV. Workaround + +No workaround is available. Systems with "CreateBootEnv" set to "no" in their +/etc/freebsd-update.conf are not affected. Systems that do not use ZFS are also +not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. No reboot is required. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.3] +# fetch https://security.FreeBSD.org/patches/EN-22:09/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-22:09/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/12/ r371637 +releng/12.3/ r371743 +- ------------------------------------------------------------------------- + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261446> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:09.freebsd-update.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44sACgkQ05eS9J6n +5cLudhAAmVnJH5dbgVkjuaiGI2fvdoKCZKlMIwvA+kUqgio6MaoiXIygWXgzbLmV +M3BSzEvyrB/pBen/Af3R+3hljjhiOId/3RCKP596fT53bpmWQh4TyAryDX9SmY/+ +mXfARp4MgkAi7bDjKQQMpDlyA5Lp3i/Hqyq6IjIZnk2O1PxhAAer+yoqnjBsDQUl +1SzM+T802NbclKx0nsM6ODFk8IvKmBjK1d6esApihDRzFX4qCXjuP+QMFSKAYEb4 +shZx6pGeDfqMhn8TkIydVhsjO16f7rUSxYoM1i93QZecVfxpWdQhh2OMG91G6ELu +9aQ+CsYPcQoWgkLqsnTuJXVpKQ+PmzIwfD/DHahFvXvkXhL7cXFNgctp/2kb/lPW +mgwPvguUzSJBu3tOs2RyVQTOTSzB+7Cf6hadhuBlzI4p/ZSViSIhI4hsE0Wln2TK +3k+WCCfhEoGZRt6pR1YEjqvjeSin9Rcjd5nSS0vE137pXpjzheXxGQFVtPDtjq28 +mkr4HM6XUafvCs8oqoitpzFRMRwYODEah+z5PXWSpvguhFfehihFBW82e/3YZhLF +2Ub4WkTFXhGx98lH5ofjnWS3kuqy7stG/5fk5gNHayCzPZjH2O6ecSGbBh4IZ9Xw +5vFR0Tfbzo+N/eTiyTq0pj0QK2JTE4cns+xxfEczfLYiGGyFmPE= +=Uh7O +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc new file mode 100644 index 0000000000..83b00d4553 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:10.zfs.asc @@ -0,0 +1,134 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:10.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS writes fail to update file size + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2022-02-21 14:59:58 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +FreeBSD's virtual filesystem layer includes a deadlock-avoidance +mechanism to handle situations where a read(2) or write(2) system call +is invoked and the user-supplied buffer lies within a mmap(2)-created +mapping of the target file. Individual filesystems, such as ZFS, must +implement a portion of the deadlock avoidance protocol. + +II. Problem Description + +The implementation of the deadlock avoidance protocol in ZFS's +implementation of write(2) was incorrect and could, in certain +circumstances, cause an appending write to a file to fail to update the +file size despite returning success to the caller. + +III. Impact + +The bug may cause application misbehavior; the precise effects depend +on the nature of the application triggering the bug. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:10/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:10/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ b55a7f3422d7 stable/13-n249621 +releng/13.0/ 9dc74c5a4b3d releng/13.0-n244783 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260453> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:10.zfs.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44sACgkQ05eS9J6n +5cJP2Q//fDLZ876IGCxtcyCc5eNrOgI7V4P/ajQ2Jz3VYvd3NAag4bbfV8OQKTy8 +dn62/bhjmKEDGjLAs2oHrlT+G0gEEYLnxZGzgcHo0UFo9FIEmCV18zEFXGipFMeH +b9pCexvy1a7EH97voS7Mr6V+Bktj3Vcq3B0yIXRxoGxcRvTFTpc5rpYzs8RZWHiu +tzUij2bmtrtXh7oJgmF83roujwNEJele9IY2+AMJ/URtGmxuJ54KN1hNTkeGknMd +WtEarFz7HDoXuy7WDysgwUSdq6s+o+rWm/+knflCFXvYqetjm3Kwl35wBr0hch6f +rb59AIZ1RVN8LsZZT6UNaxsQINEPb4RF9T132nYlMlQPdulEBjWiKI7Y4VSMUSXr +Xtz54FMouRXi/WdgJL7P7CxY3+t+1zWorBvI25jnkEp5mhEhd7DVTgy2Sw0sNI4F +iAYGBmpFyE6pGmJOaz6WLGV96sK9m0/RmmZXwPah5cwBMy4qUFnuPgoT91h8LRIr +5SKLm010lyPxsThcb1NRrqsd4LIUhYb6bZNgOmCd5OcSC03+aUjxEyrmM90Hjtb4 +yhANSTVExJB9bXNnb1rWtdO1inrjb3YAUpd6CpuK3vct/LWw9b0ehuRdJKFDgLtC +dVPQZYc89dcjZNnDWFJ94D2Inoae7oT0o2+nULURXyLABWSDYs0= +=+FRE +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc new file mode 100644 index 0000000000..60462a6f36 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:11.zfs.asc @@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:11.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS lseek(2) inconsistencies + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2021-12-19 15:25:26 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +File "holes" are used by filesystems to limit the amount of storage +space occupied by a file containing long runs of zero bytes. Rather +than filling disk blocks with zeroes, file metadata can indicate the +extent of such a run and the filesystem hides the distinction from user +applications. + +II. Problem Description + +When a file containing holes is mapped using mmap(2), mapped regions +of the file may be ignored by lseek(2) when SEEK_HOLE or SEEK_DATA are +passed as the "whence" parameter. + +III. Impact + +The bug may cause application misbehavior; the precise effects depend +on the nature of the application triggering the bug. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:11/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:11/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 3aa1cabca37d stable/13-n248633 +releng/13.0/ f5be20afc356 releng/13.0-n244785 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256205> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:11.zfs.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cIYqA/9HFBfFjdHnU6exTxpeSC3Rf2EcNqkPd/nbT3jP1TGUXHMHCO72rNOuUZB +xVWT7+js4zRkJCAKkqkW9Xww5N3nzrIISFzYKHK5rgzIDA/tlKvcau8WLiRDe8JD +HC1vOVn44tdS9UorxG01lNhSuoNkqoTf1I7ReOzt2L305rzlqVX61T5JzOHMhnFh +enPXcrrVUdw99TgYjUBXrD7qOjDEGP2ZdsUUwnRPLJ6slQQDzE2R2mNRd6tIM8In +RgAZUxkHZ+QDhGYJs7d7uRXDkvXAOgOtzZt/EO+3vOmLvth8b9DzN5TSSv6oZ8le +wWLBPbW8SMBzBAJ6pBbg+AZGg1qMlO8rGyGKyeGOF9hk78SunbdPQ116DYDZS2Yj +jzIu9JXyLLonpXLIIzhQ2alo8xm5vvDN4Hqay92xKJvGJdq+M1hTQ7sVYioxBYP/ +l6gGSgKEJuMukW0qryGvcm5a4qpfpcJYnCMegwDGHwLY+jHkA+Rl54kYKFQQ6OlO +P7/PW+JytcLiD6vuQ+9++6ccM3l2/otyGYhEyLvBmeTnxfy8S3L409NEeYQJrsXW +tjnfXP18rHReI01nBpCU88+HalxDH+Ge1iwY+RkoLpbd2g/VQF1py73mJkjTY8He +N+3Gvx77vmuGzPoGFWo6WNsBt2WQIEGowpTm9Z6i4RIUF9c7LOo= +=X7kd +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc b/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc new file mode 100644 index 0000000000..dcb85ca049 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:12.zfs.asc @@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:12.zfs Errata Notice + The FreeBSD Project + +Topic: ZFS panic upon concurrent 'zfs list' calls + +Category: contrib +Module: zfs +Announced: 2022-03-15 +Affects: FreeBSD 13.0 +Corrected: 2021-04-04 13:18:45 UTC (stable/13, 13.0-STABLE) + 2022-03-15 18:09:52 UTC (releng/13.0, 13.0-RELEASE-p8) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports +many advanced features, including checksumming, transparent compression, +and snapshots. + +II. Problem Description + +A race condition due to incorrect locking can cause a panic when multiple +invocations of 'zfs list' occur in rapid succession. + +III. Impact + +An unprivileged user can trigger the race condition, resulting in a +panic and denial of service. + +IV. Workaround + +No workaround is available, but systems not using ZFS are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:12/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-22:12/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ cf2a72643460 stable/13-n245102 +releng/13.0/ 0abaf7f63023 releng/13.0-n244784 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260884> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:12.zfs.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cLz+Q/9FTU5djSE02eqK6IKqWOZDre30OF8KFnBZz9CwnCagyTlxWFvZNscZe30 +a4vm01GyPhKXzWcCgkze5kc8h0E4hGD2zFU0N+oYRGRBQyl3B+DEpKKMZ+SUlYdo +fRAhW4j1btD/zUhK9F5xshtMsbswMyN9wWu8iuK7QDReEgTnQj21Ca4r/Qwn+Y2z +5vMfjeUdBxfMZNomESBTfFtI6FYgpAQmjmdaT0nfJzOjm+uf+Xe5qTzka+XMjj6/ +7mveWg7qv2OsTa9Wj0isbydGooVH65RBdtFacabWfh8MsNVZaFztHsfxGhyDAIwA +A4YhD8fkFdQk7KpB8R1i2TTWJF+zt0tMQwBVMsv41rUDytINmwVF+y18XGLzKggY +rb0YRsIGLjI6V35ESiepUPYqgNLrhQiYG/uGOX5cs+5vwsm1ecbq3gHB7TL3ZiDR +RimxtHfrXM3wMsFacgcKpYZ+lYlF8QS/xcc+p8FrBztPjnRxco7Pxw7ZAm5jJqlk +AbAN0gMCwyeX4kBX99NKYVrYOiTO6XsE/DDuyO/UCTiLnxh1onKUJZiolgpbatz/ +z1hnBvA6BrXtWuRA5+9SM3zNKNjHh6pmsSCrG/3XAQhOXzI7gwhzKIlunccA8yaJ +4ytPNW16OO+mhpewszXvBU/3OG937W3XmFpgNjzkCtVRGBfUUts= +=YnFH +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc b/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc new file mode 100644 index 0000000000..f2ae1d0acf --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:02.wifi.asc @@ -0,0 +1,165 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:02.wifi Security Advisory + The FreeBSD Project + +Topic: Multiple WiFi issues + +Category: core +Module: net80211 +Announced: 2022-03-15 +Affects: FreeBSD 12.x and FreeBSD 13.0 +Corrected: 2021-11-19 00:01:25 UTC (stable/13, 13.0-STABLE) + 2022-03-15 17:45:36 UTC (releng/13.0, 13.0-RELEASE-p8) + 2022-02-15 16:05:49 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:18:08 UTC (releng/12.3, 12.3-RELEASE-p3) + 2022-03-15 18:17:30 UTC (releng/12.2, 12.2-RELEASE-p14) +CVE Name: CVE-2020-26147, CVE-2020-24588, CVE-2020-26144 + +Note: This issue is already fixed in FreeBSD 13.1-BETA1. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD's net80211 kernel subsystem provides infrastructure and drivers +for IEEE 802.11 wireless (Wi-Fi) communications. + +II. Problem Description + +The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and +Fragmentation" reported a number of security vulnerabilities in 802.11 +specificaiton related to frame aggregation and fragmentation. + +Additionally, FreeBSD 12.x missed length validation of SSIDs and Information +Elements (IEs). + +III. Impact + +As reported on the FragAttacks website, the "design flaws are hard to abuse +because doing so requires user interaction or is only possible when using +uncommon network settings." Under suitable conditions an attacker may be +able to extract sensitive data or inject data. + +IV. Workaround + +No workaround is available, but the ability to extract or inject data is +mitigated by the use of application (e.g. HTTPS) or transport (e.g. TLS, +IPSEC) layer encryption. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.0] +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.13.patch +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.13.patch.asc +# gpg --verify wifi.13.patch.asc + +[FreeBSD 12.x] +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.12.patch +# fetch https://security.FreeBSD.org/patches/SA-22:02/wifi.12.patch.asc +# gpg --verify wifi.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 6acb9d5f955b stable/13-n248098 +releng/13.0/ 0d1db5c3257e releng/13.0-n244782 +stable/12/ r371640 +releng/12.3/ r371748 +releng/12.2/ r371740 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26144> +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254737> +<URL:https://www.fragattacks.com/> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:02.wifi.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5aoACgkQ05eS9J6n +5cLuYw/+OtkGeEYFTmwoZrFn105OOhi1MHjopUmW3B3FDeIMP2BnULkCodLKpDqx +WNROwaLBZ/FSHdX+rwcFhZVKksGuXafRY2bywDfJNCRmSIRjSEiSozIkJbihmKYq +SAWxUwbZxkg+MPtgoiUNocXZhFplN4E1VmfZl6XDfcd9jrFTuNiMKPKWzW8haI7R +H3Tovh6GgRLFfP5nnY2X8xZSSrxqkzXj4iRHJDedu6nmBFtsB34kjhW42fpycM/c +irhHBApfgl9XW31sLSFP2lwhq36AVD27SaYKDWxAv4ywp6PiwPTTNr8lwk05Z0jp +z76f3ZIBDhz3M3qzphMQ5wj6CB7SqTrgSD0WDZchdgDk904BdNum3vNRTO4x9iSB +czlXk/utMbupW8AU9rjdKWeMz0DBpDGckjZq1Ot8+fSwbiLkPCjpYTDsxqiLZs6i +xp/qjDW8rUKbgQSztSq3svF58dY74TLZ34rN0cqVPgvfpG1/fbM4W63vR0b4YG/5 +mv4OKXe5whJmh1OVrrVSX/ttyTFm6JpNFRxpXCkRKOgNICevw9yHlvx8uE6rVKde +P7PXAdRT48gcmN9gIscFuRwt2glvChYuH6ncF1jMQmfoAMTlDGRATQUuDy81fIw9 +va3fiGDy2FsenAQYa4UwaA/iCodjaC0cNjNnf2cc9nZEnuq86l8= +=Cjzd +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc b/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc new file mode 100644 index 0000000000..79aa990d28 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:03.openssl.asc @@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:03.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL certificate parsing infinite loop + +Category: contrib +Module: openssl +Announced: 2022-03-15 +Credits: Tavis Ormandy from Google +Affects: All supported versions of FreeBSD. +Corrected: 2022-03-15 16:51:46 UTC (stable/13, 13.1-STABLE) + 2022-03-15 17:42:48 UTC (releng/13.1, 13.1-BETA1-p1) + 2022-03-15 17:43:02 UTC (releng/13.0, 13.0-RELEASE-p8) + 2022-03-15 16:56:09 UTC (stable/12, 12.3-STABLE) + 2022-03-15 18:17:50 UTC (releng/12.3, 12.3-RELEASE-p3) + 2022-03-15 18:17:16 UTC (releng/12.2, 12.2-RELEASE-p14) +CVE Name: CVE-2022-0778 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a +collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) protocol. It is +also a general-purpose cryptography library. + +II. Problem Description + +The BN_mod_sqrt() function, which computes a modular square root, contains +a bug that can cause it to loop forever for non-prime moduli. This function +is used when parsing certificates that contain certain forms of elliptic +curves. + +III. Impact + +A specially crafted certificate with invalid explicit curve parameters may +trigger an infinite loop, leading to a denial of service. Since certificate +parsing happens prior to verification of the certificate signature, any +process that parses an externally supplied certificate may be affected. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:03/openssl.patch +# fetch https://security.FreeBSD.org/patches/SA-22:03/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 5f3d952f6e6b stable/13-n250020 +releng/13.1/ 942b5e156d41 releng/13.1-n249979 +releng/13.0/ 3847c17aa23a releng/13.0-n244777 +stable/12/ r371734 +releng/12.3/ r371742 +releng/12.2/ r371735 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:03.openssl.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cKZqQ/8D7qHRsnXGENtJqjN9Nt2VRiBeO5GKrhBJFVS8/cgVvlgDPFIrWOA/b7v +p386eSIRPA3BGpEzP6cQddM/pogHFjSuskSznkNvfsUeZ7B9avODNvHykiODMajU +ACv/JZ8IU9rWR2C3DqtlnVqKt3N8Pa8ZpxUCpYDeBEMIaYn/UOUZ9PmZZtaCJ1jz +ZSsel99VvA7RdSd58ahb9Mga6KLDdp4bVVftfpepihTOu7pfmxZqrG7W+1pld/wd +R88yGEDxyDD9/qDToA13i8+gAU5P5ASmzfNNqVwzJ4QLlkk2OrJBFKCLl+1BrR2p +w6r3eZzx9SexCSJ9jLw54rezpXgLyJ/+fURHtKVOu39ELqZmftBgBYS0gxWiQ6jH +Wx3lrPjjskFBp4MO5uBChnF8BIpGZN2guLpQkPtHCiaa469OI/NI5zarvXYvGPJL +j4BMZtQQWGj2WIFWmMu7fvkhYOgVWmyjS4SWEwom7UGLq1EJKb9Rau9e4TOr8bYw +EQV5c71Wn7IV9Oga1rPVRUe2hHAX1VkvhVm49G47V2gyvmPwXwwbVe7byW8Mz46j +znkTSmAzHNbXFcJV+aPXejGRDvg0H+wfDyQFlN32IXdyVrbphRjekOu2Ftn8eWS9 +SkEdbvYP5x192NpBgfpHo5tc2CJHcM4xKg7WAIUk0vrK7aSgPoc= +=TDUh +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:09/freebsd-update.patch b/website/static/security/patches/EN-22:09/freebsd-update.patch new file mode 100644 index 0000000000..abd72d631c --- /dev/null +++ b/website/static/security/patches/EN-22:09/freebsd-update.patch @@ -0,0 +1,25 @@ +--- usr.sbin/freebsd-update/freebsd-update.sh.orig ++++ usr.sbin/freebsd-update/freebsd-update.sh +@@ -890,7 +890,12 @@ + install_create_be () { + # Figure out if we're running in a jail and return if we are + if [ `sysctl -n security.jail.jailed` = 1 ]; then +- return 1 ++ return 1 ++ fi ++ # Operating on roots that aren't located at / will, more often than not, ++ # not touch the boot environment. ++ if [ "$BASEDIR" != "/" ]; then ++ return 1 + fi + # Create a boot environment if enabled + if [ ${BOOTENV} = yes ]; then +@@ -911,7 +916,7 @@ + esac + if [ ${CREATEBE} = yes ]; then + echo -n "Creating snapshot of existing boot environment... " +- VERSION=`freebsd-version -k` ++ VERSION=`freebsd-version -ku | sort -V | tail -n 1` + TIMESTAMP=`date +"%Y-%m-%d_%H%M%S"` + bectl create ${VERSION}_${TIMESTAMP} + if [ $? -eq 0 ]; then diff --git a/website/static/security/patches/EN-22:09/freebsd-update.patch.asc b/website/static/security/patches/EN-22:09/freebsd-update.patch.asc new file mode 100644 index 0000000000..e5e8a302c3 --- /dev/null +++ b/website/static/security/patches/EN-22:09/freebsd-update.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44sACgkQ05eS9J6n +5cK0lg//Y2zqHowl0ZrlpKS681iwY4KNFdXYMAWBr9A/eSgLU4Or6HoliEZ/LKKG +IF5uCJx5+Ao29aAPhiuSKG4qc8ZxHkQqEzflhFTNRulrBHQFqvGdfmQ+FneNs8wZ +VK/SZ1/5MVUIM91Mc97svoKfb4OOrokgM2pVsEJT3QisP/9/NrWoAyTMuR59jxh5 +WsU4mdK6gzwFc0pQucb6ZKR7FUQTXH9Tw2blgVftD6t4hdHl68DrgiY9UejsRlXQ +vwbVv/ku/pbEywSyNFqK/lXbiU1itUgduJ91ykLQDdGXcm0n2WZD9Y3lasWoAUre +dscBJWLDQWXzejgo5KUzl9BYW3kfJlwW76bdSgPTHKKYkJzZyWYJkEHzqHsO2KZZ +wwjtTfvdE/0aXzIMLgVrElPNazlVjcmhDZf3RKGVVCYkSJl2JcSuhmoVPQG6DUed +7YpZ8KnoU4IVpmzj9+3QGkAcXm1ljCEdAUX1fWLFKqTR9v5ETQVo9cLqvaa04hZx +QvHNG/hSdOXNZKMeRvYRPM3ndRttDdtK7wOrdBbGbLPnanAncHzi80rwd+fYULf8 +/Xik0c7OrKaMQ7nTRplKoTBHaUGzHxeRR88UsorB84UrjhKFe/HnzLy91dX700qR +GgH6juctdKK637GMysM0ha+tDFBTtKZT/i/RigpKio8/hX99H8o= +=6+my +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:10/zfs.patch b/website/static/security/patches/EN-22:10/zfs.patch new file mode 100644 index 0000000000..1432597c30 --- /dev/null +++ b/website/static/security/patches/EN-22:10/zfs.patch @@ -0,0 +1,45 @@ +--- sys/contrib/openzfs/module/zfs/zfs_vnops.c.orig ++++ sys/contrib/openzfs/module/zfs/zfs_vnops.c +@@ -316,7 +316,7 @@ + int + zfs_write(znode_t *zp, uio_t *uio, int ioflag, cred_t *cr) + { +- int error = 0; ++ int error = 0, error1; + ssize_t start_resid = uio->uio_resid; + + /* +@@ -551,7 +551,11 @@ + continue; + } + #endif +- if (error != 0) { ++ /* ++ * On FreeBSD, EFAULT should be propagated back to the ++ * VFS, which will handle faulting and will retry. ++ */ ++ if (error != 0 && error != EFAULT) { + dmu_tx_commit(tx); + break; + } +@@ -635,7 +639,7 @@ + while ((end_size = zp->z_size) < uio->uio_loffset) { + (void) atomic_cas_64(&zp->z_size, end_size, + uio->uio_loffset); +- ASSERT(error == 0); ++ ASSERT(error == 0 || error == EFAULT); + } + /* + * If we are replaying and eof is non zero then force +@@ -645,7 +649,10 @@ + if (zfsvfs->z_replay && zfsvfs->z_replay_eof != 0) + zp->z_size = zfsvfs->z_replay_eof; + +- error = sa_bulk_update(zp->z_sa_hdl, bulk, count, tx); ++ error1 = sa_bulk_update(zp->z_sa_hdl, bulk, count, tx); ++ if (error1 != 0) ++ /* Avoid clobbering EFAULT. */ ++ error = error1; + + zfs_log_write(zilog, tx, TX_WRITE, zp, woff, tx_bytes, ioflag, + NULL, NULL); diff --git a/website/static/security/patches/EN-22:10/zfs.patch.asc b/website/static/security/patches/EN-22:10/zfs.patch.asc new file mode 100644 index 0000000000..c0c2ba9cd4 --- /dev/null +++ b/website/static/security/patches/EN-22:10/zfs.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cILlQ//ROC7MYZZuTF8voZ4IDWxnDTrkD/xhBCFPbBIOViwnXM9fOkR77c8Cqv4 +vZ2qtxcoDepdwaMVfb5GqBiLjJ3532zmqZUtHBspVoh3is8jQdA7KOL9G1nfJyZE +MkWYuIBLtjpdeADBMtIxlJ60ORMQwNA+pFqo3zUTOKM78DWqG8GY/i8+URIbo+sL +NcHQ3YXg+zsHWRpewOOQ4vFK+aWCmiCiRtcw1brG/K9go0cOD0a5AKs8Hc5exsLI +ZurIn1XaXj657GSSbYW4bJlEyPeai3105Zk/uXF9BDJ2bkVFsRTKLM1d2H/gNECq ++KOzhYc5QZDFHCVvnenvcOs0t5EWWG3vC47DmPPCtbOMrrBptSf3gebDSOL0P1Xc +U+yzReqQS2JNN7rYeTZLjU0rmrv+5/ggcLvTwI8FSQUHnIYkMapd80GYVJH47yI1 +eT4GO4nGq/bE/dJBMNSe7goyVBR1SpFU3shlUTaeX35XDvRSU5+AuJ2JI1yVKYq5 ++wSYODMkRQbIjfGtOG05uTDO05fb6Dgw1xj2Aolxfc6Nx2F1y47DF6H6iH4fc5ZC +t/VZIIHSfh/ytYko2M1m8aVJ3UwFGQ6K0WW/tzVAYYCLrMalbafFfqQjFqtK6Upd +WVH1efsSjfgeonNgfaguJPCY4aS6Xy8YtQ+7yw9GoWFPAlpKEVU= +=zvGp +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:11/zfs.patch b/website/static/security/patches/EN-22:11/zfs.patch new file mode 100644 index 0000000000..b4859e1fa5 --- /dev/null +++ b/website/static/security/patches/EN-22:11/zfs.patch @@ -0,0 +1,199 @@ +--- sys/contrib/openzfs/include/os/freebsd/spl/sys/vnode.h.orig ++++ sys/contrib/openzfs/include/os/freebsd/spl/sys/vnode.h +@@ -59,6 +59,8 @@ + #include <sys/file.h> + #include <sys/filedesc.h> + #include <sys/syscallsubr.h> ++#include <sys/vm.h> ++#include <vm/vm_object.h> + + typedef struct vop_vector vnodeops_t; + #define VOP_FID VOP_VPTOFH +@@ -88,6 +90,24 @@ + #define vn_has_cached_data(vp) \ + ((vp)->v_object != NULL && \ + (vp)->v_object->resident_page_count > 0) ++ ++#ifndef IN_BASE ++static __inline void ++vn_flush_cached_data(vnode_t *vp, boolean_t sync) ++{ ++#if __FreeBSD_version > 1300054 ++ if (vm_object_mightbedirty(vp->v_object)) { ++#else ++ if (vp->v_object->flags & OBJ_MIGHTBEDIRTY) { ++#endif ++ int flags = sync ? OBJPC_SYNC : 0; ++ zfs_vmobject_wlock(vp->v_object); ++ vm_object_page_clean(vp->v_object, 0, 0, flags); ++ zfs_vmobject_wunlock(vp->v_object); ++ } ++} ++#endif ++ + #define vn_exists(vp) do { } while (0) + #define vn_invalid(vp) do { } while (0) + #define vn_renamepath(tdvp, svp, tnm, lentnm) do { } while (0) +--- sys/contrib/openzfs/include/os/freebsd/zfs/sys/zfs_znode_impl.h.orig ++++ sys/contrib/openzfs/include/os/freebsd/zfs/sys/zfs_znode_impl.h +@@ -117,7 +117,8 @@ + #define Z_ISLNK(type) ((type) == VLNK) + #define Z_ISDIR(type) ((type) == VDIR) + +-#define zn_has_cached_data(zp) vn_has_cached_data(ZTOV(zp)) ++#define zn_has_cached_data(zp) vn_has_cached_data(ZTOV(zp)) ++#define zn_flush_cached_data(zp, sync) vn_flush_cached_data(ZTOV(zp), sync) + #define zn_rlimit_fsize(zp, uio, td) vn_rlimit_fsize(ZTOV(zp), (uio), (td)) + + /* Called on entry to each ZFS vnode and vfs operation */ +--- sys/contrib/openzfs/include/os/linux/zfs/sys/zfs_znode_impl.h.orig ++++ sys/contrib/openzfs/include/os/linux/zfs/sys/zfs_znode_impl.h +@@ -70,7 +70,7 @@ + #define Z_ISDEV(type) (S_ISCHR(type) || S_ISBLK(type) || S_ISFIFO(type)) + #define Z_ISDIR(type) S_ISDIR(type) + +-#define zn_has_cached_data(zp) ((zp)->z_is_mapped) ++#define zn_flush_cached_data(zp, sync) write_inode_now(ZTOI(zp), sync) + #define zn_rlimit_fsize(zp, uio, td) (0) + + #define zhold(zp) igrab(ZTOI((zp))) +--- sys/contrib/openzfs/include/sys/dnode.h.orig ++++ sys/contrib/openzfs/include/sys/dnode.h +@@ -425,6 +425,7 @@ + void dnode_rele(dnode_t *dn, void *ref); + void dnode_rele_and_unlock(dnode_t *dn, void *tag, boolean_t evicting); + int dnode_try_claim(objset_t *os, uint64_t object, int slots); ++boolean_t dnode_is_dirty(dnode_t *dn); + void dnode_setdirty(dnode_t *dn, dmu_tx_t *tx); + void dnode_set_dirtyctx(dnode_t *dn, dmu_tx_t *tx, void *tag); + void dnode_sync(dnode_t *dn, dmu_tx_t *tx); +--- sys/contrib/openzfs/module/zfs/dmu.c.orig ++++ sys/contrib/openzfs/module/zfs/dmu.c +@@ -2082,42 +2082,41 @@ + dmu_offset_next(objset_t *os, uint64_t object, boolean_t hole, uint64_t *off) + { + dnode_t *dn; +- int i, err; +- boolean_t clean = B_TRUE; ++ int err; + ++restart: + err = dnode_hold(os, object, FTAG, &dn); + if (err) + return (err); + +- /* +- * Check if dnode is dirty +- */ +- for (i = 0; i < TXG_SIZE; i++) { +- if (multilist_link_active(&dn->dn_dirty_link[i])) { +- clean = B_FALSE; +- break; +- } +- } ++ rw_enter(&dn->dn_struct_rwlock, RW_READER); + +- /* +- * If compatibility option is on, sync any current changes before +- * we go trundling through the block pointers. +- */ +- if (!clean && zfs_dmu_offset_next_sync) { +- clean = B_TRUE; +- dnode_rele(dn, FTAG); +- txg_wait_synced(dmu_objset_pool(os), 0); +- err = dnode_hold(os, object, FTAG, &dn); +- if (err) +- return (err); +- } ++ if (dnode_is_dirty(dn)) { ++ /* ++ * If the zfs_dmu_offset_next_sync module option is enabled ++ * then strict hole reporting has been requested. Dirty ++ * dnodes must be synced to disk to accurately report all ++ * holes. When disabled (the default) dirty dnodes are ++ * reported to not have any holes which is always safe. ++ * ++ * When called by zfs_holey_common() the zp->z_rangelock ++ * is held to prevent zfs_write() and mmap writeback from ++ * re-dirtying the dnode after txg_wait_synced(). ++ */ ++ if (zfs_dmu_offset_next_sync) { ++ rw_exit(&dn->dn_struct_rwlock); ++ dnode_rele(dn, FTAG); ++ txg_wait_synced(dmu_objset_pool(os), 0); ++ goto restart; ++ } + +- if (clean) +- err = dnode_next_offset(dn, +- (hole ? DNODE_FIND_HOLE : 0), off, 1, 1, 0); +- else + err = SET_ERROR(EBUSY); ++ } else { ++ err = dnode_next_offset(dn, DNODE_FIND_HAVELOCK | ++ (hole ? DNODE_FIND_HOLE : 0), off, 1, 1, 0); ++ } + ++ rw_exit(&dn->dn_struct_rwlock); + dnode_rele(dn, FTAG); + + return (err); +--- sys/contrib/openzfs/module/zfs/dnode.c.orig ++++ sys/contrib/openzfs/module/zfs/dnode.c +@@ -1652,6 +1652,26 @@ + slots, NULL, NULL)); + } + ++/* ++ * Checks if the dnode contains any uncommitted dirty records. ++ */ ++boolean_t ++dnode_is_dirty(dnode_t *dn) ++{ ++ mutex_enter(&dn->dn_mtx); ++ ++ for (int i = 0; i < TXG_SIZE; i++) { ++ if (list_head(&dn->dn_dirty_records[i]) != NULL) { ++ mutex_exit(&dn->dn_mtx); ++ return (B_TRUE); ++ } ++ } ++ ++ mutex_exit(&dn->dn_mtx); ++ ++ return (B_FALSE); ++} ++ + void + dnode_setdirty(dnode_t *dn, dmu_tx_t *tx) + { +--- sys/contrib/openzfs/module/zfs/zfs_vnops.c.orig ++++ sys/contrib/openzfs/module/zfs/zfs_vnops.c +@@ -85,6 +85,7 @@ + static int + zfs_holey_common(znode_t *zp, ulong_t cmd, loff_t *off) + { ++ zfs_locked_range_t *lr; + uint64_t noff = (uint64_t)*off; /* new offset */ + uint64_t file_sz; + int error; +@@ -100,12 +101,18 @@ + else + hole = B_FALSE; + ++ /* Flush any mmap()'d data to disk */ ++ if (zn_has_cached_data(zp)) ++ zn_flush_cached_data(zp, B_FALSE); ++ ++ lr = zfs_rangelock_enter(&zp->z_rangelock, 0, file_sz, RL_READER); + error = dmu_offset_next(ZTOZSB(zp)->z_os, zp->z_id, hole, &noff); ++ zfs_rangelock_exit(lr); + + if (error == ESRCH) + return (SET_ERROR(ENXIO)); + +- /* file was dirty, so fall back to using generic logic */ ++ /* File was dirty, so fall back to using generic logic */ + if (error == EBUSY) { + if (hole) + *off = file_sz; diff --git a/website/static/security/patches/EN-22:11/zfs.patch.asc b/website/static/security/patches/EN-22:11/zfs.patch.asc new file mode 100644 index 0000000000..a0c100c447 --- /dev/null +++ b/website/static/security/patches/EN-22:11/zfs.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cJPVg//a9BgIzkBvfiRp9y1QijbwE4K2tR4CAmgKWyRh1uGxuEErceD57OH/aD0 +4KSuZ3Cs2JPrCkVQGuFQBLwU418udr9/AqLfJtb9zNvZJWr/vSmXM5606Gw58qeI +W6xcQHqeUHt3+MZBfyQIR+XeEMfAQBCvxVRYBER8aZUFQbLpyEfUXRH4yuQbSwBo +N8Rf4S6PHV+YmjYiSmEMeyuIE6oLNS2GyEcGulKXn7LRDZELiKpos48iAxEf5j2S +BH2jvs7GyW+jl1heblQRkH4zWh7I7xxOvypsXXuxvWMZ3h3Hxi8Md9mvejR1ocLZ +qSXlzZ0Ziri3ViiCnUfgRwA2deZd5UXd24P7V+uWOceiZtUwb+cQ4GeGIsAhK9wo +ZarhKcExWHjX5XaAQ6IVmGDlODtJvylbwl8UKosP8gfyn2b/r0pfYZSn3g0V0Rxd +sH2QzW2vITJDaY7r7kujBgV7aw7UPdW+w00nN9B0RNXkhyj0hr/N9V2uGeH83ttJ +CweRfhRGLh2jIWiHo5OsWdPUM70Fr9zzqcMOtnH3q1thSVUSJNp1rKyFvz9MJMwH +uLrj7F52cC8v4QRs2dm21/Q8n6rJxKqayjzlh7VWGh4NR+6OivIzrCx1fyNMftu4 +AJ0u7mAfHcJTVSQo6vRbswW8f0gBppu/6Svf1F7KKTibUo0hmTc= +=yIfG +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:12/zfs.patch b/website/static/security/patches/EN-22:12/zfs.patch new file mode 100644 index 0000000000..cbcb488e34 --- /dev/null +++ b/website/static/security/patches/EN-22:12/zfs.patch @@ -0,0 +1,44 @@ +--- sys/contrib/openzfs/include/sys/zfs_ioctl.h.orig ++++ sys/contrib/openzfs/include/sys/zfs_ioctl.h +@@ -525,7 +525,6 @@ + } zfs_useracct_t; + + #define ZFSDEV_MAX_MINOR (1 << 16) +-#define ZFS_MIN_MINOR (ZFSDEV_MAX_MINOR + 1) + + #define ZPOOL_EXPORT_AFTER_SPLIT 0x1 + +--- sys/contrib/openzfs/module/os/freebsd/zfs/kmod_core.c.orig ++++ sys/contrib/openzfs/module/os/freebsd/zfs/kmod_core.c +@@ -182,23 +182,21 @@ + static void + zfsdev_close(void *data) + { +- zfsdev_state_t *zs, *zsp = data; ++ zfsdev_state_t *zs = data; ++ ++ ASSERT(zs != NULL); + + mutex_enter(&zfsdev_state_lock); +- for (zs = zfsdev_state_list; zs != NULL; zs = zs->zs_next) { +- if (zs == zsp) +- break; +- } +- if (zs == NULL || zs->zs_minor <= 0) { +- mutex_exit(&zfsdev_state_lock); +- return; +- } ++ ++ ASSERT(zs->zs_minor != 0); ++ + zs->zs_minor = -1; + zfs_onexit_destroy(zs->zs_onexit); + zfs_zevent_destroy(zs->zs_zevent); +- mutex_exit(&zfsdev_state_lock); + zs->zs_onexit = NULL; + zs->zs_zevent = NULL; ++ ++ mutex_exit(&zfsdev_state_lock); + } + + static int diff --git a/website/static/security/patches/EN-22:12/zfs.patch.asc b/website/static/security/patches/EN-22:12/zfs.patch.asc new file mode 100644 index 0000000000..e14867c307 --- /dev/null +++ b/website/static/security/patches/EN-22:12/zfs.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw44wACgkQ05eS9J6n +5cJQAA//TJMTHBl2ZQIKJH+Sk1LuBeLo2XMMRNW3jDKB2AMUCzdbzOu+1zvQi2y1 +Gcxy7bIKgn50vjBenet8tDvpvxmDEBzUWo2btFvVQRe8JM7NH488Sa5O4tYFPApk +OispxRz05YknIHWTSX4O2kBwfHIkTPydpuPkazol5ooH0bXCGsNa/W6RXSeCy7UI +SuvD7tfYpjn2YqsSMXKe3djkbenXkIwHucE9NaupJqbomOyhE9slSFYAA1AgxcLW +S2dnQ+LDLwIBeRbszW+HUwJOapKl4SC1xFImFPpxEWrk3L+2sEFtPnjxIChg0uCw +2AfkirVFEYV/B5bM45llrMQSoKn1ZRazEg20jmS+enbCETw15vIlngSmJVM0yP5D +PeBM2b7rYp+Q+YPACzrKHoNUDgFcRbot6157UYKOfT4CA1N6BKGC26HsBaUxTLeL +XVvmIkMe3mR4OIzcvCqg+ybFnEhHh3COjIGebj3lNOXFQZDh1TqmdZc+ZNanFKM+ +BsVxTC0/50WdONwgUfqxOVe8i2yksqZx5QgtWmW85KuW86y2stmMOjXpm/42sE84 +LI9qV8YKkNWZTKoFwdSY5DLjEJv7ejYlWG2jROdkeOoXXwUrx4tD7IpsiwG76Ik2 +NloS1cLEwRgOynwdOzk8hhwT448O/9vFZOY3qILo56vYB0SWNuc= +=HnrQ +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-22:02/wifi.12.patch b/website/static/security/patches/SA-22:02/wifi.12.patch new file mode 100644 index 0000000000..afa9b07d9a --- /dev/null +++ b/website/static/security/patches/SA-22:02/wifi.12.patch @@ -0,0 +1,389 @@ +--- sys/net80211/ieee80211_adhoc.c.orig ++++ sys/net80211/ieee80211_adhoc.c +@@ -531,7 +531,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -558,7 +558,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -571,7 +571,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -581,11 +584,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -598,7 +603,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ +--- sys/net80211/ieee80211_hostap.c.orig ++++ sys/net80211/ieee80211_hostap.c +@@ -719,7 +719,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -744,7 +744,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -757,7 +757,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -767,11 +770,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -784,7 +789,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ +--- sys/net80211/ieee80211_input.c.orig ++++ sys/net80211/ieee80211_input.c +@@ -170,7 +170,8 @@ + * XXX should handle 3 concurrent reassemblies per-spec. + */ + struct mbuf * +-ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) ++ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace, ++ int has_decrypted) + { + struct ieee80211vap *vap = ni->ni_vap; + struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); +@@ -189,6 +190,11 @@ + if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) + return m; + ++ /* Temporarily set flag to remember if fragment was encrypted. */ ++ /* XXX use a non-packet altering storage for this in the future. */ ++ if (has_decrypted) ++ wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; ++ + /* + * Remove frag to insure it doesn't get reaped by timer. + */ +@@ -219,10 +225,14 @@ + + lwh = mtod(mfrag, struct ieee80211_frame *); + last_rxseq = le16toh(*(uint16_t *)lwh->i_seq); +- /* NB: check seq # and frag together */ ++ /* ++ * NB: check seq # and frag together. Also check that both ++ * fragments are plaintext or that both are encrypted. ++ */ + if (rxseq == last_rxseq+1 && + IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) && +- IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { ++ IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2) && ++ !((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_PROTECTED)) { + /* XXX clear MORE_FRAG bit? */ + /* track last seqnum and fragno */ + *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq; +@@ -253,6 +263,11 @@ + ni->ni_rxfrag[0] = mfrag; + mfrag = NULL; + } ++ /* Remember to clear protected flag that was temporarily set. */ ++ if (mfrag != NULL) { ++ wh = mtod(mfrag, struct ieee80211_frame *); ++ wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; ++ } + return mfrag; + } + +@@ -294,7 +309,8 @@ + } + + struct mbuf * +-ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen) ++ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen, ++ uint8_t qos) + { + struct ieee80211_qosframe_addr4 wh; + struct ether_header *eh; +@@ -316,7 +332,9 @@ + llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0 && + /* NB: preserve AppleTalk frames that have a native SNAP hdr */ + !(llc->llc_snap.ether_type == htons(ETHERTYPE_AARP) || +- llc->llc_snap.ether_type == htons(ETHERTYPE_IPX))) { ++ llc->llc_snap.ether_type == htons(ETHERTYPE_IPX)) && ++ /* Do not want to touch A-MSDU frames. */ ++ !(qos & IEEE80211_QOS_AMSDU)) { + m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); + llc = NULL; + } else { +@@ -364,6 +382,10 @@ + #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) + struct ether_header *eh; + struct llc *llc; ++ const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { ++ /* MAC address matching the 802.2 LLC header */ ++ LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 ++ }; + + /* + * The frame has an 802.3 header followed by an 802.2 +@@ -376,6 +398,15 @@ + if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL) + return NULL; + eh = mtod(m, struct ether_header *); /* 802.3 header is first */ ++ ++ /* ++ * Detect possible attack where a single 802.11 frame is processed ++ * as an A-MSDU frame due to an adversary setting the A-MSDU present ++ * bit in the 802.11 QoS header. [FragAttacks] ++ */ ++ if (memcmp(eh->ether_dhost, llc_hdr_mac, ETHER_ADDR_LEN) == 0) ++ return NULL; ++ + llc = (struct llc *)&eh[1]; /* 802.2 header follows */ + *framelen = ntohs(eh->ether_type) /* encap'd frame size */ + + sizeof(struct ether_header) - sizeof(struct llc); +--- sys/net80211/ieee80211_input.h.orig ++++ sys/net80211/ieee80211_input.h +@@ -309,9 +309,10 @@ + void ieee80211_deliver_data(struct ieee80211vap *, + struct ieee80211_node *, struct mbuf *); + struct mbuf *ieee80211_defrag(struct ieee80211_node *, +- struct mbuf *, int); ++ struct mbuf *, int, int); + struct mbuf *ieee80211_realign(struct ieee80211vap *, struct mbuf *, size_t); +-struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int); ++struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int, ++ uint8_t); + struct mbuf *ieee80211_decap1(struct mbuf *, int *); + int ieee80211_setup_rates(struct ieee80211_node *ni, + const uint8_t *rates, const uint8_t *xrates, int flags); +--- sys/net80211/ieee80211_ioctl.c.orig ++++ sys/net80211/ieee80211_ioctl.c +@@ -1591,7 +1591,7 @@ + ("expected opmode IBSS or AHDEMO not %s", + ieee80211_opmode_name[vap->iv_opmode])); + +- if (ssid_len == 0) ++ if (ssid_len == 0 || ssid_len > IEEE80211_NWID_LEN) + return EINVAL; + + sr = IEEE80211_MALLOC(sizeof(*sr), M_TEMP, +--- sys/net80211/ieee80211_mesh.c.orig ++++ sys/net80211/ieee80211_mesh.c +@@ -1637,7 +1637,7 @@ + */ + hdrspace = ieee80211_hdrspace(ic, wh); + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, 0); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +--- sys/net80211/ieee80211_node.c.orig ++++ sys/net80211/ieee80211_node.c +@@ -1134,7 +1134,7 @@ + + ie = ies->data; + ielen = ies->len; +- while (ielen > 0) { ++ while (ielen > 1) { + switch (ie[0]) { + case IEEE80211_ELEMID_VENDOR: + if (iswpaoui(ie)) +--- sys/net80211/ieee80211_sta.c.orig ++++ sys/net80211/ieee80211_sta.c +@@ -795,7 +795,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -827,7 +827,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -840,7 +840,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -850,11 +853,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -867,7 +872,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ +--- sys/net80211/ieee80211_wds.c.orig ++++ sys/net80211/ieee80211_wds.c +@@ -592,7 +592,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -619,7 +619,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -632,7 +632,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -642,11 +645,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -659,7 +664,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ diff --git a/website/static/security/patches/SA-22:02/wifi.12.patch.asc b/website/static/security/patches/SA-22:02/wifi.12.patch.asc new file mode 100644 index 0000000000..56d0a6e8dd --- /dev/null +++ b/website/static/security/patches/SA-22:02/wifi.12.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cLSyw/+IT+IDwgSCMHDrnlHNRQcndm4zen78IJpM6UJqGK4AS5j+rLIPWoGVroT +P2HxTZnGsZ2nd8I9/ItT61A9Phy2ZUzJXHd+VTmKuFxG/Ln3n0LjUih4Vgvmqp/o ++ZQu4XqVGIsw6bBsCnPd0ajPcsLIWgr2hgI3yT9JBcb1vlybNY+bjJDa4jIDxyRh +UHx6eLP+QcgBM8dM6f2AmLUDRYSJw/c9dt5YTG/YFjr7HcCh4XMP4N+5kgtGOyd5 +PQ3e3FCrbH8HQ4a/3XCKAGRRMvfRqyY6okAcOgfix0BlGG4pXc57mMMcWUkQogkk +jl4ybHLeUBvqkwk5mcSoG8agxdVIFQDGLsWu7dOM09N1VJGa5eehUk7L9lODtXZS +mkSXQYqq8DNQ+EqukFoDUcjzEfLBEpWodArhqJ5hjJNi8SmdbXM2/0hO555xpg/d +O+lN3eTfr/4sCQPgD9756VHhxsAvh03MbARzaldYhaAgm8CmxLO7HWelRfMFQe+b +fVNPgW8H5qR5s1TXGd8bHv8KWYYyUNwmThMUlOXd0938KAvyK0VSmlg1nqr1z3BB +5Q0GDivFYchc0nuC6nXxNQa5Ndq75y7zlvWa4ZA9xYwHd7RucTv9RvF2Cvohk2YX +2OyzQ2u+co+Wgdvgi4/fN/neGU8RlhSjYPZnJRuz8g1of6b4wmU= +=vWSs +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-22:02/wifi.13.patch b/website/static/security/patches/SA-22:02/wifi.13.patch new file mode 100644 index 0000000000..5005da9627 --- /dev/null +++ b/website/static/security/patches/SA-22:02/wifi.13.patch @@ -0,0 +1,367 @@ +--- sys/net80211/ieee80211_adhoc.c.orig ++++ sys/net80211/ieee80211_adhoc.c +@@ -531,7 +531,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -558,7 +558,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -571,7 +571,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -581,11 +584,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -598,7 +603,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ +--- sys/net80211/ieee80211_hostap.c.orig ++++ sys/net80211/ieee80211_hostap.c +@@ -719,7 +719,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -744,7 +744,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -757,7 +757,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -767,11 +770,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -784,7 +789,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ +--- sys/net80211/ieee80211_input.c.orig ++++ sys/net80211/ieee80211_input.c +@@ -170,7 +170,8 @@ + * XXX should handle 3 concurrent reassemblies per-spec. + */ + struct mbuf * +-ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace) ++ieee80211_defrag(struct ieee80211_node *ni, struct mbuf *m, int hdrspace, ++ int has_decrypted) + { + struct ieee80211vap *vap = ni->ni_vap; + struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); +@@ -189,6 +190,11 @@ + if (!more_frag && fragno == 0 && ni->ni_rxfrag[0] == NULL) + return m; + ++ /* Temporarily set flag to remember if fragment was encrypted. */ ++ /* XXX use a non-packet altering storage for this in the future. */ ++ if (has_decrypted) ++ wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; ++ + /* + * Remove frag to insure it doesn't get reaped by timer. + */ +@@ -219,10 +225,14 @@ + + lwh = mtod(mfrag, struct ieee80211_frame *); + last_rxseq = le16toh(*(uint16_t *)lwh->i_seq); +- /* NB: check seq # and frag together */ ++ /* ++ * NB: check seq # and frag together. Also check that both ++ * fragments are plaintext or that both are encrypted. ++ */ + if (rxseq == last_rxseq+1 && + IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) && +- IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) { ++ IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2) && ++ !((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_PROTECTED)) { + /* XXX clear MORE_FRAG bit? */ + /* track last seqnum and fragno */ + *(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq; +@@ -253,6 +263,11 @@ + ni->ni_rxfrag[0] = mfrag; + mfrag = NULL; + } ++ /* Remember to clear protected flag that was temporarily set. */ ++ if (mfrag != NULL) { ++ wh = mtod(mfrag, struct ieee80211_frame *); ++ wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; ++ } + return mfrag; + } + +@@ -294,7 +309,8 @@ + } + + struct mbuf * +-ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen) ++ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen, ++ uint8_t qos) + { + struct ieee80211_qosframe_addr4 wh; + struct ether_header *eh; +@@ -316,7 +332,9 @@ + llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0 && + /* NB: preserve AppleTalk frames that have a native SNAP hdr */ + !(llc->llc_snap.ether_type == htons(ETHERTYPE_AARP) || +- llc->llc_snap.ether_type == htons(ETHERTYPE_IPX))) { ++ llc->llc_snap.ether_type == htons(ETHERTYPE_IPX)) && ++ /* Do not want to touch A-MSDU frames. */ ++ !(qos & IEEE80211_QOS_AMSDU)) { + m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); + llc = NULL; + } else { +@@ -364,6 +382,10 @@ + #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) + struct ether_header *eh; + struct llc *llc; ++ const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { ++ /* MAC address matching the 802.2 LLC header */ ++ LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 ++ }; + + /* + * The frame has an 802.3 header followed by an 802.2 +@@ -376,6 +398,15 @@ + if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL) + return NULL; + eh = mtod(m, struct ether_header *); /* 802.3 header is first */ ++ ++ /* ++ * Detect possible attack where a single 802.11 frame is processed ++ * as an A-MSDU frame due to an adversary setting the A-MSDU present ++ * bit in the 802.11 QoS header. [FragAttacks] ++ */ ++ if (memcmp(eh->ether_dhost, llc_hdr_mac, ETHER_ADDR_LEN) == 0) ++ return NULL; ++ + llc = (struct llc *)&eh[1]; /* 802.2 header follows */ + *framelen = ntohs(eh->ether_type) /* encap'd frame size */ + + sizeof(struct ether_header) - sizeof(struct llc); +--- sys/net80211/ieee80211_input.h.orig ++++ sys/net80211/ieee80211_input.h +@@ -309,9 +309,10 @@ + void ieee80211_deliver_data(struct ieee80211vap *, + struct ieee80211_node *, struct mbuf *); + struct mbuf *ieee80211_defrag(struct ieee80211_node *, +- struct mbuf *, int); ++ struct mbuf *, int, int); + struct mbuf *ieee80211_realign(struct ieee80211vap *, struct mbuf *, size_t); +-struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int); ++struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int, ++ uint8_t); + struct mbuf *ieee80211_decap1(struct mbuf *, int *); + int ieee80211_setup_rates(struct ieee80211_node *ni, + const uint8_t *rates, const uint8_t *xrates, int flags); +--- sys/net80211/ieee80211_mesh.c.orig ++++ sys/net80211/ieee80211_mesh.c +@@ -1642,7 +1642,7 @@ + */ + hdrspace = ieee80211_hdrspace(ic, wh); + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, 0); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +--- sys/net80211/ieee80211_sta.c.orig ++++ sys/net80211/ieee80211_sta.c +@@ -795,7 +795,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -827,7 +827,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -840,7 +840,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -850,11 +853,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -867,7 +872,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ +--- sys/net80211/ieee80211_wds.c.orig ++++ sys/net80211/ieee80211_wds.c +@@ -594,7 +594,7 @@ + * Next up, any fragmentation. + */ + if (!IEEE80211_IS_MULTICAST(wh->i_addr1)) { +- m = ieee80211_defrag(ni, m, hdrspace); ++ m = ieee80211_defrag(ni, m, hdrspace, has_decrypted); + if (m == NULL) { + /* Fragment dropped or frame not complete yet */ + goto out; +@@ -621,7 +621,7 @@ + /* + * Finally, strip the 802.11 header. + */ +- m = ieee80211_decap(vap, m, hdrspace); ++ m = ieee80211_decap(vap, m, hdrspace, qos); + if (m == NULL) { + /* XXX mask bit to check for both */ + /* don't count Null data frames as errors */ +@@ -634,7 +634,10 @@ + IEEE80211_NODE_STAT(ni, rx_decap); + goto err; + } +- eh = mtod(m, struct ether_header *); ++ if (!(qos & IEEE80211_QOS_AMSDU)) ++ eh = mtod(m, struct ether_header *); ++ else ++ eh = NULL; + if (!ieee80211_node_is_authorized(ni)) { + /* + * Deny any non-PAE frames received prior to +@@ -644,11 +647,13 @@ + * the port is not marked authorized by the + * authenticator until the handshake has completed. + */ +- if (eh->ether_type != htons(ETHERTYPE_PAE)) { ++ if (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE)) { + IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT, +- eh->ether_shost, "data", +- "unauthorized port: ether type 0x%x len %u", +- eh->ether_type, m->m_pkthdr.len); ++ ni->ni_macaddr, "data", "unauthorized or " ++ "unknown port: ether type 0x%x len %u", ++ eh == NULL ? -1 : eh->ether_type, ++ m->m_pkthdr.len); + vap->iv_stats.is_rx_unauth++; + IEEE80211_NODE_STAT(ni, rx_unauth); + goto err; +@@ -661,7 +666,8 @@ + if ((vap->iv_flags & IEEE80211_F_DROPUNENC) && + ((has_decrypted == 0) && (m->m_flags & M_WEP) == 0) && + (is_hw_decrypted == 0) && +- eh->ether_type != htons(ETHERTYPE_PAE)) { ++ (eh == NULL || ++ eh->ether_type != htons(ETHERTYPE_PAE))) { + /* + * Drop unencrypted frames. + */ diff --git a/website/static/security/patches/SA-22:02/wifi.13.patch.asc b/website/static/security/patches/SA-22:02/wifi.13.patch.asc new file mode 100644 index 0000000000..d363dbdb13 --- /dev/null +++ b/website/static/security/patches/SA-22:02/wifi.13.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cJ03RAAi1UkhtAAXdU1ID0qnuX/lABpHkhFgcEymB6VkkPLZ7zJvm93uTaa/nmq +uOtecNDKfd7cnm0xEOt2F4oSH75FblxXgzKfmPki5esQziUJI7T3JbXSXMmRjCR3 +9Wx1JjSA/+jNkuRyuOUznu36vfFoQSmZBaAG0C8LUpFMNCXj3z4BMnorhwEEPJYE +ChZgmMvGcl4/HyFvxK9sbt4vn8U2bDSUNdhHXjSizv2bwgphrKGaAu4VZzPIOyWn +RygzZisfzyWtwXcm8mMZD8SyQlONAS5IPFCiH7VpBWp9aAeJwJNKgF7nMkqFt2uJ +z28YYLTLLSnnoUbz2NlCCRtxisOqblxwwP4oz1x88ay0ffoV0g3xImlle0fTdwD4 +hYoDhf8DCAwH7M1uxg6GLndYKGfqHI7uqq8zGU06gQ8Vqn5kU6KNQb38frrgRcaN +bhWKYCZtE165u3jCflp2Hre0TRwiNbnldwp0nzD8AKHtMgRNKDFRdkosAXsWJwgR +6/JH3C9QXm+I6PRNVsGYFxyAWCI9BjI7bN7uifxExEWMmmKU934irnVhFHbyrzQ9 +nrj8Lu9C6esfev4rMA9L1+Pk7RXXPOrUDEf4nYraAjGWIfNEOZ8AamlMG/+kJRTf +Rr9BZxfOCR/vtcmqXfp7amABSqmlzFWpGteBj287uYMpqQa+NVc= +=NQZB +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-22:03/openssl.patch b/website/static/security/patches/SA-22:03/openssl.patch new file mode 100644 index 0000000000..4b0af80705 --- /dev/null +++ b/website/static/security/patches/SA-22:03/openssl.patch @@ -0,0 +1,92 @@ +--- crypto/openssl/crypto/bn/bn_sqrt.c.orig ++++ crypto/openssl/crypto/bn/bn_sqrt.c +@@ -14,7 +14,8 @@ + /* + * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks + * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number +- * Theory", algorithm 1.5.1). 'p' must be prime! ++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or ++ * an incorrect "result" will be returned. + */ + { + BIGNUM *ret = in; +@@ -301,18 +302,23 @@ + goto vrfy; + } + +- /* find smallest i such that b^(2^i) = 1 */ +- i = 1; +- if (!BN_mod_sqr(t, b, p, ctx)) +- goto end; +- while (!BN_is_one(t)) { +- i++; +- if (i == e) { +- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); +- goto end; ++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ ++ for (i = 1; i < e; i++) { ++ if (i == 1) { ++ if (!BN_mod_sqr(t, b, p, ctx)) ++ goto end; ++ ++ } else { ++ if (!BN_mod_mul(t, t, t, p, ctx)) ++ goto end; + } +- if (!BN_mod_mul(t, t, t, p, ctx)) +- goto end; ++ if (BN_is_one(t)) ++ break; ++ } ++ /* If not found, a is not a square or p is not prime. */ ++ if (i >= e) { ++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); ++ goto end; + } + + /* t := y^2^(e - i - 1) */ +--- crypto/openssl/doc/man3/BN_add.pod.orig ++++ crypto/openssl/doc/man3/BN_add.pod +@@ -3,7 +3,7 @@ + =head1 NAME + + BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, +-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd - ++BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd - + arithmetic operations on BIGNUMs + + =head1 SYNOPSIS +@@ -36,6 +36,8 @@ + + int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); + ++ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); ++ + int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); + + int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, +@@ -87,6 +89,12 @@ + BN_mod_sqr() takes the square of I<a> modulo B<m> and places the + result in I<r>. + ++BN_mod_sqrt() returns the modular square root of I<a> such that ++C<in^2 = a (mod p)>. The modulus I<p> must be a ++prime, otherwise an error or an incorrect "result" will be returned. ++The result is stored into I<in> which can be NULL. The result will be ++newly allocated in that case. ++ + BN_exp() raises I<a> to the I<p>-th power and places the result in I<r> + (C<r=a^p>). This function is faster than repeated applications of + BN_mul(). +@@ -108,7 +116,10 @@ + + =head1 RETURN VALUES + +-For all functions, 1 is returned for success, 0 on error. The return ++The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is ++not a prime), or NULL. ++ ++For all remaining functions, 1 is returned for success, 0 on error. The return + value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>). + The error codes can be obtained by L<ERR_get_error(3)>. + diff --git a/website/static/security/patches/SA-22:03/openssl.patch.asc b/website/static/security/patches/SA-22:03/openssl.patch.asc new file mode 100644 index 0000000000..18a1108049 --- /dev/null +++ b/website/static/security/patches/SA-22:03/openssl.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmIw5a0ACgkQ05eS9J6n +5cLAmg//VoGJaH5pbdDV/VlMuxc1p/kBvD90vjgTuAbPZ9T02PUyiVl2xVXUQLm2 +rmTShnR7sA35jPuvaiX6G5L3xbXHuaTHz1sAZnbpVrsBVElVvffob2LlAS0n7TIb +Kfr5EGwuy8rwz0G0Kx3ClfgXScfJ863834IAKwbbrgV2cgmopnHtzXxl3VixtK03 +h0b/AuRpFuxVoQ+3SdPzB8tXDOIY1gjacY//nGmvrg7dARgJa0k0liL2/MiMMrVP ++GpsArwklPpxVz9HV7TJQT7yEw4DEKxZlsri/4FaMchOndh7SCiiGYhsZ4W+ID8A +YjVp2sygbiggaeiRIH2Msx1oIpflLb393ynHh+n1PxYlAu627j/H8OfmD67bPtqU +NFrwjKERd3/3m9mFLl69vZPSSgEZn4E3/ycsf0etLnskxhmY07MRYeEhw9skqhnL +1TlfEMy7b49VqvBQs0LVzT8qC0tOOgu9rb/lqss4ps+ei6EA1evPan/vW6QApxDQ +Ft14aXUi7TDkyMNvBhFDNjiO3XmszxHXZP1v4R8gdog0DGIavkVHXNvfNLz2102i +be0800LLHw1KiiN/uK+QY2hpP7s0sNrvC7sBKz7zMPC1eOl4m6MeY+xhaTp/FcVW +3F/tQfxbX9z9D1gjcvNi16LfXKBg6wDJfiHuNR4VCU3Yz/QNKnw= +=ygJX +-----END PGP SIGNATURE----- |