diff options
Diffstat (limited to 'share/security')
23 files changed, 2286 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-13:03.mfi.asc b/share/security/advisories/FreeBSD-EN-13:03.mfi.asc new file mode 100644 index 0000000000..6ec02fbbfa --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-13:03.mfi.asc @@ -0,0 +1,109 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-EN-13:03.mfi Errata Notice + The FreeBSD Project + +Topic: data corruption with mfi(4) JBOD disks > 2TB + +Category: contrib +Module: mfi +Announced: 2013-08-22 +Credits: Steven Hartland, Doug Ambrisko +Affects: FreeBSD 9.1 +Corrected: 2012-12-03 18:37:02 UTC (stable/9, 9.1-STABLE) + 2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The mfi(4) driver supports LSI's next generation PCI Express SAS RAID +controllers. The driver supports JBOD attachment through /dev/mfisyspd? +device nodes. + +Logical block addressing (LBA) is a common scheme used for specifying the +location of sectors on hard drives. + +II. Problem Description + +The way mfi(4) implements access of "syspd" or also known as JBOD always +uses READ10/WRITE10 commands for underlying disk. When writing over 2^32 +sectors, the LBA would wrap and starts writing at the beginning of the +disk. + +III. Impact + +Writing beyond 2TB to mfi(4) connected JBODs would result in data corruption. + +IV. Workaround + +No workaround is available, but systems that do not use mfi(4) as a JBOD +HBA or do not have disks with 2^32 or more sectors (2^41 or more bytes with +512-byte logical sector size) are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-13:03/mfi.patch +# fetch http://security.FreeBSD.org/patches/EN-13:03/mfi.patch.asc +# gpg --verify mfi.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r243824 +releng/9.1/ r254631 +- ------------------------------------------------------------------------- + +VII. References + +http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/173291 + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-13:03.mfi.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.21 (FreeBSD) + +iEYEARECAAYFAlIVY1YACgkQFdaIBMps37IHmwCfZH+1Gi0u7eYMXYevu0KHaG3a +rCwAn2ecdXnLOsaC6D6i2mo4dmI4HLDk +=AwdQ +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-13:04.freebsd-update.asc b/share/security/advisories/FreeBSD-EN-13:04.freebsd-update.asc new file mode 100644 index 0000000000..22ad9341ff --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-13:04.freebsd-update.asc @@ -0,0 +1,157 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-13:04.freebsd-update Errata Notice + The FreeBSD Project + +Topic: Multiple freebsd-update bugs break upgrading to FreeBSD 10.0 + +Category: base +Module: freebsd-update +Announced: 2013-10-24 +Credits: Colin Percival +Affects: All supported FreeBSD releases +Corrected: 2013-10-26 08:34:35 UTC (stable/10, 10.0-STABLE) + 2013-10-26 08:34:35 UTC (stable/10, 10.0-BETA1-p1) + 2013-10-26 19:54:28 UTC (stable/9, 9.2-STABLE) + 2013-10-26 20:01:00 UTC (releng/9.2, 9.2-RELEASE-p1) + 2013-10-26 20:01:00 UTC (releng/9.2, 9.2-RC4-p1) + 2013-10-26 20:01:00 UTC (releng/9.2, 9.2-RC3-p2) + 2013-10-26 20:01:00 UTC (releng/9.1, 9.1-RELEASE-p8) + 2013-10-26 19:54:28 UTC (stable/8, 8.4-STABLE) + 2013-10-26 20:01:00 UTC (releng/8.4, 8.4-RELEASE-p5) + 2013-10-26 20:01:00 UTC (releng/8.3, 8.3-RELEASE-p12) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The freebsd-update(8) utility is used to download and apply binary diffs +for security and errata patches on systems installed from official FreeBSD +release CDs and DVDs. It can also be used to upgrade such systems to new +FreeBSD releases. + +II. Problem Description + +The freebsd-update(8) utility always updates shared libraries first, so +new or updated libraries will be available when binaries that use them are +installed or updated. If shared libraries appear in a directory which +does not already exist on the target system, freebsd-update(8) will +attempt to install them before creating the directory. + +At the end of the updating process, freebsd-update(8) removes old shared +libraries which should no longer exist. An error in filtering the list +of filesystem objects results in symlinks to shared libraries being +incorrectly included in the lists of shared libraries. + +Additionally, freebsd-update(8) rejects updates which include files with +the tilde character ('~') in their names. Such files sometimes occur in +third-party software and may be included in the src distribution. + +III. Impact + +It is not possible to use freebsd-update(8) to upgrade an existing +installation to FreeBSD 10.0-BETA1, because 10.0 introduces two new shared +library directories, the /usr/lib/libc.so symlink is replaced by a regular +file, and the source distribution includes a file with a tilde in its name. + +It is not possible to use freebsd-update(8) to update 10.0-BETA1, as its +source distribution includes a file with a tilde in its name. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-13:04/freebsd-update.patch +# fetch http://security.FreeBSD.org/patches/EN-13:04/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Reinstall freebsd-update. + +# cd /usr/src/usr.sbin/freebsd-update +# make install -DWITHOUT_MAN + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +On systems running 10.0-BETA1 (and ONLY systems running 10.0-BETA1), run +the following command before using freebsd-update in order to fix it +enough that it can update itself: + +# sed -i '' -e 's/%@/%~@/' /usr/sbin/freebsd-update + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r257192 +releng/8.3/ r257194 +releng/8.4/ r257194 +stable/9/ r257192 +releng/9.1/ r257194 +releng/9.2/ r257194 +stable/10/ r257153 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-13:04.freebsd-update.asc +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJSbCdaAAoJEO1n7NZdz2rnRvAQAOsb3lZIaiLEsQgynVaIgH/I +ZzvkR1ZwKbfRBzb5QQnQ/3ZHL30m9MCV+Z/dh/g2CKsf5D1K5uAv8a0SIqy0yW8g +E8Oi4+136VPCTcs5uGC8PuBVEMq87hBhWycKasVL+ukdYA3AHM10JRuVLhV81M87 +Xe/vJqH7qPzvEtNIZdDqvDWhuHhPjlCI6SqMHI5ufxl3M7q+ylNgi5+yTwRbLqtH +0E109rMlVpnVzRELl28wmgIx9u/lmsa3LHCO6HBRlUjWQlV7CBlRfgGjrlcGhcq+ +wFfmtT1jgbCOtJjakGOzEZhDuD5SlQTbIf4NCMfwgEIZE8PIUkWJcX8dPW4XiIo/ +72IoF8eyvgR8VoGhA+l2gtFwlGWI2AZEpyi0zbk4pZJBmU5O1qVzMLlFRGufD8kx +1UZDT6yIsdWNCFF/R4YdrgyoySQoUlvpCV38cuKR6asOpyBFY/U9O3Ndu9VlTOBi +GI2eX1XyFsTAzcp6PuXBIIUFlsRzrHFXxGyagF0NaLIAlB1amwcPHx5yxiRYcquM +7VFaHUyMqWwRTTq+gtZlPcGI1t16tWmH9O9N+Cip9nUqL37s2Zb0zr+LttnYYod4 +kxMi2jTQLdGkxZvIR+iTGJD3SqKD321n6iWrHuGmyrRKmf3e6P2BTxjerBvI2Jkf +nPk49938gAirwh9ucDbF +=VqIo +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-13:09.ip_multicast.asc b/share/security/advisories/FreeBSD-SA-13:09.ip_multicast.asc new file mode 100644 index 0000000000..4212249718 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-13:09.ip_multicast.asc @@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:09.ip_multicast Security Advisory + The FreeBSD Project + +Topic: integer overflow in IP_MSFILTER + +Category: core +Module: kernel +Announced: 2013-08-22 +Credits: Clement Lecigne (Google Security Team) +Affects: All supported versions of FreeBSD. +Corrected: 2013-08-22 00:51:37 UTC (stable/9, 9.2-PRERELEASE) + 2013-08-22 00:51:43 UTC (releng/9.1, 9.2-RC1-p1) + 2013-08-22 00:51:43 UTC (releng/9.2, 9.2-RC2-p1) + 2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6) + 2013-08-22 00:51:37 UTC (stable/8, 8.4-STABLE) + 2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3) + 2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10) +CVE Name: CVE-2013-3077 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +0. Revision History + +v1.0 2013-08-22 Initial release. +v1.1 2013-09-07 Binary patch released for 9.2-RC1. + +I. Background + +IP multicast is a method of sending Internet Protocol (IP) datagrams to a +group of interested receivers in a single transmission. + +II. Problem Description + +An integer overflow in computing the size of a temporary buffer can +result in a buffer which is too small for the requested operation. + +III. Impact + +An unprivileged process can read or write pages of memory which belong to +the kernel. These may lead to exposure of sensitive information or allow +privilege escalation. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch +# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch.asc +# gpg --verify ip_multicast.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r254629 +releng/8.3/ r254632 +releng/8.4/ r254632 +stable/9/ r254629 +releng/9.1/ r254631 +releng/9.2/ r254630 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<other info on vulnerability> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3077> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:09.ip_multicast.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEARECAAYFAlIu+gwACgkQFdaIBMps37L2+QCePwycOYKrh9VJi7Pc2AS+DfsQ +UcUAnimJz9bKgDUOEIwefkPbF85yH3aw +=tnWM +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-13:10.sctp.asc b/share/security/advisories/FreeBSD-SA-13:10.sctp.asc new file mode 100644 index 0000000000..13790c6257 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-13:10.sctp.asc @@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:10.sctp Security Advisory + The FreeBSD Project + +Topic: Kernel memory disclosure in sctp(4) + +Category: core +Module: sctp +Announced: 2013-08-22 +Credits: Julian Seward, Michael Tuexen +Affects: All supported versions of FreeBSD. +Corrected: 2013-08-15 04:25:16 UTC (stable/9, 9.2-PRERELEASE) + 2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC1-p1) + 2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC2) + 2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6) + 2013-08-15 04:35:25 UTC (stable/8, 8.4-STABLE) + 2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3) + 2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10) +CVE Name: CVE-2013-5209 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +0. Revision History + +v1.0 2013-08-22 Initial release. +v1.1 2013-09-07 Binary patch released for 9.2-RC1. + +I. Background + +The SCTP protocol provides reliable, flow-controlled, two-way transmission +of data. It is a message oriented protocol and can support the SOCK_STREAM +and SOCK_SEQPACKET abstractions. + +The SCTP protocol checks the integrity of messages by validating the state +cookie information that is returned from the peer. + +II. Problem Description + +When initializing the SCTP state cookie being sent in INIT-ACK chunks, +a buffer allocated from the kernel stack is not completely initialized. + +III. Impact + +Fragments of kernel memory may be included in SCTP packets and +transmitted over the network. For each SCTP session, there are two +separate instances in which a 4-byte fragment may be transmitted. + +This memory might contain sensitive information, such as portions of the +file cache or terminal buffers. This information might be directly +useful, or it might be leveraged to obtain elevated privileges in +some way. For example, a terminal buffer might include a user-entered +password. + +IV. Workaround + +No workaround is available, but systems not using the SCTP protocol +are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch +# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch.asc +# gpg --verify sctp.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r254354 +releng/8.3/ r254632 +releng/8.4/ r254632 +stable/9/ r254352 +releng/9.1/ r254631 +releng/9.2/ r254355 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<other info on vulnerability> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5209> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:10.sctp.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEARECAAYFAlIu+g8ACgkQFdaIBMps37JBjgCgkRdb24STra3EjItZymFqU0S8 +6rQAn0EQeP1D8BUCIbzR5uNYrrNv9Eo6 +=2Ot5 +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-13:11.sendfile.asc b/share/security/advisories/FreeBSD-SA-13:11.sendfile.asc new file mode 100644 index 0000000000..191e683c11 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-13:11.sendfile.asc @@ -0,0 +1,126 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:11.sendfile Security Advisory + The FreeBSD Project + +Topic: Kernel memory disclosure in sendfile(2) + +Category: core +Module: sendfile +Announced: 2013-09-10 +Credits: Ed Maste +Affects: FreeBSD 9.2-RC1 and 9.2-RC2 +Corrected: 2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE) + 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2) + 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2) +CVE Name: CVE-2013-5666 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The sendfile(2) system call allows a server application (such as an +HTTP or FTP server) to transmit the contents of a file over a network +connection without first copying it to application memory. High +performance servers such as Apache and ftpd use sendfile. + +II. Problem Description + +On affected systems, if the length passed to sendfile(2) is non-zero +and greater than the length of the file being transmitted, sendfile(2) +will pad the transmission up to the requested length or the next +pagesize boundary, whichever is smaller. + +The content of the additional bytes transmitted in this manner depends +on the underlying filesystem, but may potentially include information +useful to an attacker. + +III. Impact + +An unprivileged user with the ability to run arbitrary code may be +able to obtain arbitrary kernel memory contents. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.2-STABLE] +# fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-stable.patch +# fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-stable.patch.asc +# gpg --verify sendfile-9.2-stable.patch.asc + +[FreeBSD 9.2-RC1 and 9.2-RC2] +# fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-rc.patch +# fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-rc.patch.asc +# gpg --verify sendfile-9.2-rc.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r255443 +releng/9.2/ r255444 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5666> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:11.sendfile.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEARECAAYFAlIu8rIACgkQFdaIBMps37K01ACgmwaW3PZhjDqWSlTHusjIPNVy +A/YAn3DFUAvlX8sH89taM+sedjbD5In8 +=gZwu +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-13:12.ifioctl.asc b/share/security/advisories/FreeBSD-SA-13:12.ifioctl.asc new file mode 100644 index 0000000000..5bdf6b1431 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-13:12.ifioctl.asc @@ -0,0 +1,150 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:12.ifioctl Security Advisory + The FreeBSD Project + +Topic: Insufficient credential checks in network ioctl(2) + +Category: core +Module: sys_netinet6 sys_netatm +Announced: 2013-09-10 +Credits: Loganaden Velvindron + Gleb Smirnoff +Affects: All supported versions of FreeBSD. +Corrected: 2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE) + 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2) + 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2) + 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC3-p1) + 2013-09-10 10:15:33 UTC (releng/9.1, 9.1-RELEASE-p7) + 2013-09-10 10:12:09 UTC (stable/8, 8.4-STABLE) + 2013-09-10 10:14:19 UTC (releng/8.4, 8.4-RELEASE-p4) + 2013-09-10 10:13:14 UTC (releng/8.3, 8.3-RELEASE-p11) +CVE Name: CVE-2013-5691 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The ioctl(2) system call allows an application to perform device- or +protocol-specific operations through a file or socket descriptor +associated with a specific device or protocol. + +The SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK +ioctl requests are used to associate a network address, broadcast +address, destination address (for point-to-point interfaces) or +netmask with an interface. They operate on the assumption that each +interface only has one address per protocol, and are therefore of +limited use for IPv4, where interfaces may have more than one address. +They were never implemented for IPv6, where interfaces nearly always +have at least two, and in many cases three, addresses; nor were they +ever implemented for ATM. + +II. Problem Description + +As is commonly the case, the IPv6 and ATM network layer ioctl request +handlers are written in such a way that an unrecognized request is +passed on unmodified to the link layer, which will either handle it or +return an error code. + +Network interface drivers, however, assume that the SIOCSIFADDR, +SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been +handled at the network layer, and therefore do not perform input +validation or verify the caller's credentials. Typical link-layer +actions for these requests may include marking the interface as "up" +and resetting the underlying hardware. + +III. Impact + +An unprivileged user with the ability to run arbitrary code can cause +any network interface in the system to perform the link layer actions +associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or +SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a +specially crafted address structure which causes a network interface +driver to dereference an invalid pointer. + +Although this has not been confirmed, the possibility that an attacker +may be able to execute arbitrary code in kernel context can not be +ruled out. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch +# fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch.asc +# gpg --verify ifioctl.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r255445 +releng/8.3/ r255446 +releng/8.4/ r255447 +stable/9/ r255443 +releng/9.1/ r255448 +releng/9.2/ r255444 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5691> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:12.ifioctl.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEARECAAYFAlIu8rUACgkQFdaIBMps37ImRQCdGUcSBvK6+kAN69aGChHT6fVb +YI4AoJNveN9PSowTG0NnUkPJR9oJimZT +=xb3g +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-13:13.nullfs.asc b/share/security/advisories/FreeBSD-SA-13:13.nullfs.asc new file mode 100644 index 0000000000..34bf6c2633 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-13:13.nullfs.asc @@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:13.nullfs Security Advisory + The FreeBSD Project + +Topic: Cross-mount links between nullfs(5) mounts + +Category: core +Module: nullfs +Announced: 2013-09-10 +Credits: Konstantin Belousov +Affects: All supported versions of FreeBSD. +Corrected: 2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE) + 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2) + 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2) + 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC3-p1) + 2013-09-10 10:15:33 UTC (releng/9.1, 9.1-RELEASE-p7) + 2013-09-10 10:12:09 UTC (stable/8, 8.4-STABLE) + 2013-09-10 10:14:19 UTC (releng/8.4, 8.4-RELEASE-p4) + 2013-09-10 10:13:14 UTC (releng/8.3, 8.3-RELEASE-p11) +CVE Name: CVE-2013-5710 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The nullfs(5) filesystem allows all or a part of an already mounted +filesystem to be made available in a different part of the global +filesystem namespace. It is commonly used to make a set of files +available to multiple chroot(2) or jail(2) environments without +replicating the files in each environment. A common idiom, described +in the FreeBSD Handbook, is to mount one subtree of a filesystem +read-only within a jail's filesystem namespace, and mount a different +subtree of the same filesystem read-write. + +II. Problem Description + +The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not +check whether the source and target of the link are both in the same +nullfs instance. It is therefore possible to create a hardlink from a +location in one nullfs instance to a file in another, as long as the +underlying (source) filesystem is the same. + +III. Impact + +If multiple nullfs views into the same filesystem are mounted in +different locations, a user with read access to one of these views and +write access to another will be able to create a hard link from the +latter to a file in the former, even though they are, from the user's +perspective, different filesystems. The user may thereby gain write +access to files which are nominally on a read-only filesystem. + +IV. Workaround + +No workaround is available, but systems which do not use the nullfs(5) +filesystem, or do not null-mount different subtrees of the same source +filesystem with different permissions, are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch +# fetch http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch.asc +# gpg --verify nullfs.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r255445 +releng/8.3/ r255446 +releng/8.4/ r255447 +stable/9/ r255443 +releng/9.1/ r255448 +releng/9.2/ r255444 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://www.freebsd.org/doc/en/books/handbook/jails-application.html> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5710> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:13.nullfs.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEARECAAYFAlIu+7EACgkQFdaIBMps37K+7gCfVrmhwyE+k5QU3Z4wsdJFoeyL +BqEAn23QlLQ7o4HlDSiJuPoX622IsFbk +=/7Zz +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-13:03/mfi.patch b/share/security/patches/EN-13:03/mfi.patch new file mode 100644 index 0000000000..2daa5bf91e --- /dev/null +++ b/share/security/patches/EN-13:03/mfi.patch @@ -0,0 +1,994 @@ +Index: sys/dev/mfi/mfi.c +=================================================================== +--- sys/dev/mfi/mfi.c (revision 254079) ++++ sys/dev/mfi/mfi.c (working copy) +@@ -107,7 +107,7 @@ static void mfi_bio_complete(struct mfi_command *) + static struct mfi_command *mfi_build_ldio(struct mfi_softc *,struct bio*); + static struct mfi_command *mfi_build_syspdio(struct mfi_softc *,struct bio*); + static int mfi_send_frame(struct mfi_softc *, struct mfi_command *); +-static int mfi_abort(struct mfi_softc *, struct mfi_command *); ++static int mfi_abort(struct mfi_softc *, struct mfi_command **); + static int mfi_linux_ioctl_int(struct cdev *, u_long, caddr_t, int, struct thread *); + static void mfi_timeout(void *); + static int mfi_user_command(struct mfi_softc *, +@@ -373,6 +373,8 @@ mfi_attach(struct mfi_softc *sc) + sx_init(&sc->mfi_config_lock, "MFI config"); + TAILQ_INIT(&sc->mfi_ld_tqh); + TAILQ_INIT(&sc->mfi_syspd_tqh); ++ TAILQ_INIT(&sc->mfi_ld_pend_tqh); ++ TAILQ_INIT(&sc->mfi_syspd_pend_tqh); + TAILQ_INIT(&sc->mfi_evt_queue); + TASK_INIT(&sc->mfi_evt_task, 0, mfi_handle_evt, sc); + TASK_INIT(&sc->mfi_map_sync_task, 0, mfi_handle_map_sync, sc); +@@ -694,6 +696,7 @@ mfi_attach(struct mfi_softc *sc) + device_printf(sc->mfi_dev, "Cannot set up interrupt\n"); + return (EINVAL); + } ++ sc->mfi_intr_ptr = mfi_intr_tbolt; + sc->mfi_enable_intr(sc); + } else { + if ((error = mfi_comms_init(sc)) != 0) +@@ -704,6 +707,7 @@ mfi_attach(struct mfi_softc *sc) + device_printf(sc->mfi_dev, "Cannot set up interrupt\n"); + return (EINVAL); + } ++ sc->mfi_intr_ptr = mfi_intr; + sc->mfi_enable_intr(sc); + } + if ((error = mfi_get_controller_info(sc)) != 0) +@@ -1278,6 +1282,17 @@ mfi_shutdown(struct mfi_softc *sc) + struct mfi_command *cm; + int error; + ++ ++ if (sc->mfi_aen_cm) ++ sc->cm_aen_abort = 1; ++ if (sc->mfi_aen_cm != NULL) ++ mfi_abort(sc, &sc->mfi_aen_cm); ++ ++ if (sc->mfi_map_sync_cm) ++ sc->cm_map_abort = 1; ++ if (sc->mfi_map_sync_cm != NULL) ++ mfi_abort(sc, &sc->mfi_map_sync_cm); ++ + mtx_lock(&sc->mfi_io_lock); + error = mfi_dcmd_command(sc, &cm, MFI_DCMD_CTRL_SHUTDOWN, NULL, 0); + if (error) { +@@ -1285,12 +1300,6 @@ mfi_shutdown(struct mfi_softc *sc) + return (error); + } + +- if (sc->mfi_aen_cm != NULL) +- mfi_abort(sc, sc->mfi_aen_cm); +- +- if (sc->mfi_map_sync_cm != NULL) +- mfi_abort(sc, sc->mfi_map_sync_cm); +- + dcmd = &cm->cm_frame->dcmd; + dcmd->header.flags = MFI_FRAME_DIR_NONE; + cm->cm_flags = MFI_CMD_POLLED; +@@ -1312,6 +1321,7 @@ mfi_syspdprobe(struct mfi_softc *sc) + struct mfi_command *cm = NULL; + struct mfi_pd_list *pdlist = NULL; + struct mfi_system_pd *syspd, *tmp; ++ struct mfi_system_pending *syspd_pend; + int error, i, found; + + sx_assert(&sc->mfi_config_lock, SA_XLOCKED); +@@ -1352,6 +1362,10 @@ mfi_syspdprobe(struct mfi_softc *sc) + if (syspd->pd_id == pdlist->addr[i].device_id) + found = 1; + } ++ TAILQ_FOREACH(syspd_pend, &sc->mfi_syspd_pend_tqh, pd_link) { ++ if (syspd_pend->pd_id == pdlist->addr[i].device_id) ++ found = 1; ++ } + if (found == 0) + mfi_add_sys_pd(sc, pdlist->addr[i].device_id); + } +@@ -1387,6 +1401,7 @@ mfi_ldprobe(struct mfi_softc *sc) + struct mfi_command *cm = NULL; + struct mfi_ld_list *list = NULL; + struct mfi_disk *ld; ++ struct mfi_disk_pending *ld_pend; + int error, i; + + sx_assert(&sc->mfi_config_lock, SA_XLOCKED); +@@ -1415,6 +1430,10 @@ mfi_ldprobe(struct mfi_softc *sc) + if (ld->ld_id == list->ld_list[i].ld.v.target_id) + goto skip_add; + } ++ TAILQ_FOREACH(ld_pend, &sc->mfi_ld_pend_tqh, ld_link) { ++ if (ld_pend->ld_id == list->ld_list[i].ld.v.target_id) ++ goto skip_add; ++ } + mfi_add_ld(sc, list->ld_list[i].ld.v.target_id); + skip_add:; + } +@@ -1617,9 +1636,7 @@ mfi_aen_register(struct mfi_softc *sc, int seq, in + < current_aen.members.evt_class) + current_aen.members.evt_class = + prior_aen.members.evt_class; +- mtx_lock(&sc->mfi_io_lock); +- mfi_abort(sc, sc->mfi_aen_cm); +- mtx_unlock(&sc->mfi_io_lock); ++ mfi_abort(sc, &sc->mfi_aen_cm); + } + } + +@@ -1811,10 +1828,17 @@ mfi_add_ld(struct mfi_softc *sc, int id) + struct mfi_command *cm; + struct mfi_dcmd_frame *dcmd = NULL; + struct mfi_ld_info *ld_info = NULL; ++ struct mfi_disk_pending *ld_pend; + int error; + + mtx_assert(&sc->mfi_io_lock, MA_OWNED); + ++ ld_pend = malloc(sizeof(*ld_pend), M_MFIBUF, M_NOWAIT | M_ZERO); ++ if (ld_pend != NULL) { ++ ld_pend->ld_id = id; ++ TAILQ_INSERT_TAIL(&sc->mfi_ld_pend_tqh, ld_pend, ld_link); ++ } ++ + error = mfi_dcmd_command(sc, &cm, MFI_DCMD_LD_GET_INFO, + (void **)&ld_info, sizeof(*ld_info)); + if (error) { +@@ -1855,11 +1879,13 @@ mfi_add_ld_complete(struct mfi_command *cm) + hdr = &cm->cm_frame->header; + ld_info = cm->cm_private; + +- if (hdr->cmd_status != MFI_STAT_OK) { ++ if (sc->cm_map_abort || hdr->cmd_status != MFI_STAT_OK) { + free(ld_info, M_MFIBUF); ++ wakeup(&sc->mfi_map_sync_cm); + mfi_release_command(cm); + return; + } ++ wakeup(&sc->mfi_map_sync_cm); + mfi_release_command(cm); + + mtx_unlock(&sc->mfi_io_lock); +@@ -1884,10 +1910,17 @@ static int mfi_add_sys_pd(struct mfi_softc *sc, in + struct mfi_command *cm; + struct mfi_dcmd_frame *dcmd = NULL; + struct mfi_pd_info *pd_info = NULL; ++ struct mfi_system_pending *syspd_pend; + int error; + + mtx_assert(&sc->mfi_io_lock, MA_OWNED); + ++ syspd_pend = malloc(sizeof(*syspd_pend), M_MFIBUF, M_NOWAIT | M_ZERO); ++ if (syspd_pend != NULL) { ++ syspd_pend->pd_id = id; ++ TAILQ_INSERT_TAIL(&sc->mfi_syspd_pend_tqh, syspd_pend, pd_link); ++ } ++ + error = mfi_dcmd_command(sc, &cm, MFI_DCMD_PD_GET_INFO, + (void **)&pd_info, sizeof(*pd_info)); + if (error) { +@@ -1981,19 +2014,87 @@ mfi_bio_command(struct mfi_softc *sc) + mfi_enqueue_bio(sc, bio); + return cm; + } ++ ++/* ++ * mostly copied from cam/scsi/scsi_all.c:scsi_read_write ++ */ ++ ++int ++mfi_build_cdb(int readop, uint8_t byte2, u_int64_t lba, u_int32_t block_count, uint8_t *cdb) ++{ ++ int cdb_len; ++ ++ if (((lba & 0x1fffff) == lba) ++ && ((block_count & 0xff) == block_count) ++ && (byte2 == 0)) { ++ /* We can fit in a 6 byte cdb */ ++ struct scsi_rw_6 *scsi_cmd; ++ ++ scsi_cmd = (struct scsi_rw_6 *)cdb; ++ scsi_cmd->opcode = readop ? READ_6 : WRITE_6; ++ scsi_ulto3b(lba, scsi_cmd->addr); ++ scsi_cmd->length = block_count & 0xff; ++ scsi_cmd->control = 0; ++ cdb_len = sizeof(*scsi_cmd); ++ } else if (((block_count & 0xffff) == block_count) && ((lba & 0xffffffff) == lba)) { ++ /* Need a 10 byte CDB */ ++ struct scsi_rw_10 *scsi_cmd; ++ ++ scsi_cmd = (struct scsi_rw_10 *)cdb; ++ scsi_cmd->opcode = readop ? READ_10 : WRITE_10; ++ scsi_cmd->byte2 = byte2; ++ scsi_ulto4b(lba, scsi_cmd->addr); ++ scsi_cmd->reserved = 0; ++ scsi_ulto2b(block_count, scsi_cmd->length); ++ scsi_cmd->control = 0; ++ cdb_len = sizeof(*scsi_cmd); ++ } else if (((block_count & 0xffffffff) == block_count) && ++ ((lba & 0xffffffff) == lba)) { ++ /* Block count is too big for 10 byte CDB use a 12 byte CDB */ ++ struct scsi_rw_12 *scsi_cmd; ++ ++ scsi_cmd = (struct scsi_rw_12 *)cdb; ++ scsi_cmd->opcode = readop ? READ_12 : WRITE_12; ++ scsi_cmd->byte2 = byte2; ++ scsi_ulto4b(lba, scsi_cmd->addr); ++ scsi_cmd->reserved = 0; ++ scsi_ulto4b(block_count, scsi_cmd->length); ++ scsi_cmd->control = 0; ++ cdb_len = sizeof(*scsi_cmd); ++ } else { ++ /* ++ * 16 byte CDB. We'll only get here if the LBA is larger ++ * than 2^32 ++ */ ++ struct scsi_rw_16 *scsi_cmd; ++ ++ scsi_cmd = (struct scsi_rw_16 *)cdb; ++ scsi_cmd->opcode = readop ? READ_16 : WRITE_16; ++ scsi_cmd->byte2 = byte2; ++ scsi_u64to8b(lba, scsi_cmd->addr); ++ scsi_cmd->reserved = 0; ++ scsi_ulto4b(block_count, scsi_cmd->length); ++ scsi_cmd->control = 0; ++ cdb_len = sizeof(*scsi_cmd); ++ } ++ ++ return cdb_len; ++} ++ + static struct mfi_command * + mfi_build_syspdio(struct mfi_softc *sc, struct bio *bio) + { + struct mfi_command *cm; + struct mfi_pass_frame *pass; +- int flags = 0, blkcount = 0; + uint32_t context = 0; ++ int flags = 0, blkcount = 0, readop; ++ uint8_t cdb_len; + + if ((cm = mfi_dequeue_free(sc)) == NULL) + return (NULL); + + /* Zero out the MFI frame */ +- context = cm->cm_frame->header.context; ++ context = cm->cm_frame->header.context; + bzero(cm->cm_frame, sizeof(union mfi_frame)); + cm->cm_frame->header.context = context; + pass = &cm->cm_frame->pass; +@@ -2001,35 +2102,31 @@ mfi_build_syspdio(struct mfi_softc *sc, struct bio + pass->header.cmd = MFI_CMD_PD_SCSI_IO; + switch (bio->bio_cmd & 0x03) { + case BIO_READ: +-#define SCSI_READ 0x28 +- pass->cdb[0] = SCSI_READ; + flags = MFI_CMD_DATAIN; ++ readop = 1; + break; + case BIO_WRITE: +-#define SCSI_WRITE 0x2a +- pass->cdb[0] = SCSI_WRITE; + flags = MFI_CMD_DATAOUT; ++ readop = 0; + break; + default: +- panic("Invalid bio command"); ++ /* TODO: what about BIO_DELETE??? */ ++ panic("Unsupported bio command %x\n", bio->bio_cmd); + } + + /* Cheat with the sector length to avoid a non-constant division */ + blkcount = (bio->bio_bcount + MFI_SECTOR_LEN - 1) / MFI_SECTOR_LEN; + /* Fill the LBA and Transfer length in CDB */ +- pass->cdb[2] = (bio->bio_pblkno & 0xff000000) >> 24; +- pass->cdb[3] = (bio->bio_pblkno & 0x00ff0000) >> 16; +- pass->cdb[4] = (bio->bio_pblkno & 0x0000ff00) >> 8; +- pass->cdb[5] = bio->bio_pblkno & 0x000000ff; +- pass->cdb[7] = (blkcount & 0xff00) >> 8; +- pass->cdb[8] = (blkcount & 0x00ff); ++ cdb_len = mfi_build_cdb(readop, 0, bio->bio_pblkno, blkcount, ++ pass->cdb); + pass->header.target_id = (uintptr_t)bio->bio_driver1; ++ pass->header.lun_id = 0; + pass->header.timeout = 0; + pass->header.flags = 0; + pass->header.scsi_status = 0; + pass->header.sense_len = MFI_SENSE_LEN; + pass->header.data_len = bio->bio_bcount; +- pass->header.cdb_len = 10; ++ pass->header.cdb_len = cdb_len; + pass->sense_addr_lo = (uint32_t)cm->cm_sense_busaddr; + pass->sense_addr_hi = (uint32_t)((uint64_t)cm->cm_sense_busaddr >> 32); + cm->cm_complete = mfi_bio_complete; +@@ -2047,7 +2144,8 @@ mfi_build_ldio(struct mfi_softc *sc, struct bio *b + { + struct mfi_io_frame *io; + struct mfi_command *cm; +- int flags, blkcount; ++ int flags; ++ uint32_t blkcount; + uint32_t context = 0; + + if ((cm = mfi_dequeue_free(sc)) == NULL) +@@ -2068,7 +2166,8 @@ mfi_build_ldio(struct mfi_softc *sc, struct bio *b + flags = MFI_CMD_DATAOUT; + break; + default: +- panic("Invalid bio command"); ++ /* TODO: what about BIO_DELETE??? */ ++ panic("Unsupported bio command %x\n", bio->bio_cmd); + } + + /* Cheat with the sector length to avoid a non-constant division */ +@@ -2358,7 +2457,7 @@ mfi_complete(struct mfi_softc *sc, struct mfi_comm + } + + static int +-mfi_abort(struct mfi_softc *sc, struct mfi_command *cm_abort) ++mfi_abort(struct mfi_softc *sc, struct mfi_command **cm_abort) + { + struct mfi_command *cm; + struct mfi_abort_frame *abort; +@@ -2365,8 +2464,7 @@ static int + int i = 0; + uint32_t context = 0; + +- mtx_assert(&sc->mfi_io_lock, MA_OWNED); +- ++ mtx_lock(&sc->mfi_io_lock); + if ((cm = mfi_dequeue_free(sc)) == NULL) { + return (EBUSY); + } +@@ -2380,29 +2478,27 @@ static int + abort->header.cmd = MFI_CMD_ABORT; + abort->header.flags = 0; + abort->header.scsi_status = 0; +- abort->abort_context = cm_abort->cm_frame->header.context; +- abort->abort_mfi_addr_lo = (uint32_t)cm_abort->cm_frame_busaddr; ++ abort->abort_context = (*cm_abort)->cm_frame->header.context; ++ abort->abort_mfi_addr_lo = (uint32_t)(*cm_abort)->cm_frame_busaddr; + abort->abort_mfi_addr_hi = +- (uint32_t)((uint64_t)cm_abort->cm_frame_busaddr >> 32); ++ (uint32_t)((uint64_t)(*cm_abort)->cm_frame_busaddr >> 32); + cm->cm_data = NULL; + cm->cm_flags = MFI_CMD_POLLED; + +- if (sc->mfi_aen_cm) +- sc->cm_aen_abort = 1; +- if (sc->mfi_map_sync_cm) +- sc->cm_map_abort = 1; + mfi_mapcmd(sc, cm); + mfi_release_command(cm); + +- while (i < 5 && sc->mfi_aen_cm != NULL) { +- msleep(&sc->mfi_aen_cm, &sc->mfi_io_lock, 0, "mfiabort", ++ mtx_unlock(&sc->mfi_io_lock); ++ while (i < 5 && *cm_abort != NULL) { ++ tsleep(cm_abort, 0, "mfiabort", + 5 * hz); + i++; + } +- while (i < 5 && sc->mfi_map_sync_cm != NULL) { +- msleep(&sc->mfi_map_sync_cm, &sc->mfi_io_lock, 0, "mfiabort", +- 5 * hz); +- i++; ++ if (*cm_abort != NULL) { ++ /* Force a complete if command didn't abort */ ++ mtx_lock(&sc->mfi_io_lock); ++ (*cm_abort)->cm_complete(*cm_abort); ++ mtx_unlock(&sc->mfi_io_lock); + } + + return (0); +@@ -2458,8 +2554,8 @@ mfi_dump_syspd_blocks(struct mfi_softc *sc, int id + { + struct mfi_command *cm; + struct mfi_pass_frame *pass; +- int error; +- int blkcount = 0; ++ int error, readop, cdb_len; ++ uint32_t blkcount; + + if ((cm = mfi_dequeue_free(sc)) == NULL) + return (EBUSY); +@@ -2467,14 +2563,10 @@ mfi_dump_syspd_blocks(struct mfi_softc *sc, int id + pass = &cm->cm_frame->pass; + bzero(pass->cdb, 16); + pass->header.cmd = MFI_CMD_PD_SCSI_IO; +- pass->cdb[0] = SCSI_WRITE; +- pass->cdb[2] = (lba & 0xff000000) >> 24; +- pass->cdb[3] = (lba & 0x00ff0000) >> 16; +- pass->cdb[4] = (lba & 0x0000ff00) >> 8; +- pass->cdb[5] = (lba & 0x000000ff); ++ ++ readop = 0; + blkcount = (len + MFI_SECTOR_LEN - 1) / MFI_SECTOR_LEN; +- pass->cdb[7] = (blkcount & 0xff00) >> 8; +- pass->cdb[8] = (blkcount & 0x00ff); ++ cdb_len = mfi_build_cdb(readop, 0, lba, blkcount, pass->cdb); + pass->header.target_id = id; + pass->header.timeout = 0; + pass->header.flags = 0; +@@ -2481,7 +2573,7 @@ mfi_dump_syspd_blocks(struct mfi_softc *sc, int id + pass->header.scsi_status = 0; + pass->header.sense_len = MFI_SENSE_LEN; + pass->header.data_len = len; +- pass->header.cdb_len = 10; ++ pass->header.cdb_len = cdb_len; + pass->sense_addr_lo = (uint32_t)cm->cm_sense_busaddr; + pass->sense_addr_hi = (uint32_t)((uint64_t)cm->cm_sense_busaddr >> 32); + cm->cm_data = virt; +@@ -2488,7 +2580,7 @@ mfi_dump_syspd_blocks(struct mfi_softc *sc, int id + cm->cm_len = len; + cm->cm_sg = &pass->sgl; + cm->cm_total_frame_size = MFI_PASS_FRAME_SIZE; +- cm->cm_flags = MFI_CMD_POLLED | MFI_CMD_DATAOUT; ++ cm->cm_flags = MFI_CMD_POLLED | MFI_CMD_DATAOUT | MFI_CMD_SCSI; + + error = mfi_mapcmd(sc, cm); + bus_dmamap_sync(sc->mfi_buffer_dmat, cm->cm_dmamap, +@@ -2687,16 +2779,24 @@ mfi_check_command_post(struct mfi_softc *sc, struc + } + } + +-static int mfi_check_for_sscd(struct mfi_softc *sc, struct mfi_command *cm) ++static int ++mfi_check_for_sscd(struct mfi_softc *sc, struct mfi_command *cm) + { +- struct mfi_config_data *conf_data=(struct mfi_config_data *)cm->cm_data; ++ struct mfi_config_data *conf_data; + struct mfi_command *ld_cm = NULL; + struct mfi_ld_info *ld_info = NULL; ++ struct mfi_ld_config *ld; ++ char *p; + int error = 0; + +- if ((cm->cm_frame->dcmd.opcode == MFI_DCMD_CFG_ADD) && +- (conf_data->ld[0].params.isSSCD == 1)) { +- error = 1; ++ conf_data = (struct mfi_config_data *)cm->cm_data; ++ ++ if (cm->cm_frame->dcmd.opcode == MFI_DCMD_CFG_ADD) { ++ p = (char *)conf_data->array; ++ p += conf_data->array_size * conf_data->array_count; ++ ld = (struct mfi_ld_config *)p; ++ if (ld->params.isSSCD == 1) ++ error = 1; + } else if (cm->cm_frame->dcmd.opcode == MFI_DCMD_LD_DELETE) { + error = mfi_dcmd_command (sc, &ld_cm, MFI_DCMD_LD_GET_INFO, + (void **)&ld_info, sizeof(*ld_info)); +Index: sys/dev/mfi/mfi_cam.c +=================================================================== +--- sys/dev/mfi/mfi_cam.c (revision 254079) ++++ sys/dev/mfi/mfi_cam.c (working copy) +@@ -79,6 +79,11 @@ static void mfip_cam_poll(struct cam_sim *); + static struct mfi_command * mfip_start(void *); + static void mfip_done(struct mfi_command *cm); + ++static int mfi_allow_disks = 0; ++TUNABLE_INT("hw.mfi.allow_cam_disk_passthrough", &mfi_allow_disks); ++SYSCTL_INT(_hw_mfi, OID_AUTO, allow_cam_disk_passthrough, CTLFLAG_RD, ++ &mfi_allow_disks, 0, "event message locale"); ++ + static devclass_t mfip_devclass; + static device_method_t mfip_methods[] = { + DEVMETHOD(device_probe, mfip_probe), +@@ -349,7 +354,8 @@ mfip_done(struct mfi_command *cm) + command = csio->cdb_io.cdb_bytes[0]; + if (command == INQUIRY) { + device = csio->data_ptr[0] & 0x1f; +- if ((device == T_DIRECT) || (device == T_PROCESSOR)) ++ if ((!mfi_allow_disks && device == T_DIRECT) || ++ (device == T_PROCESSOR)) + csio->data_ptr[0] = + (csio->data_ptr[0] & 0xe0) | T_NODEVICE; + } +@@ -392,6 +398,9 @@ mfip_done(struct mfi_command *cm) + static void + mfip_cam_poll(struct cam_sim *sim) + { +- return; ++ struct mfip_softc *sc = cam_sim_softc(sim); ++ struct mfi_softc *mfisc = sc->mfi_sc; ++ ++ mfisc->mfi_intr_ptr(mfisc); + } + +Index: sys/dev/mfi/mfi_disk.c +=================================================================== +--- sys/dev/mfi/mfi_disk.c (revision 254079) ++++ sys/dev/mfi/mfi_disk.c (working copy) +@@ -93,6 +93,7 @@ mfi_disk_attach(device_t dev) + { + struct mfi_disk *sc; + struct mfi_ld_info *ld_info; ++ struct mfi_disk_pending *ld_pend; + uint64_t sectors; + uint32_t secsize; + char *state; +@@ -111,6 +112,13 @@ mfi_disk_attach(device_t dev) + secsize = MFI_SECTOR_LEN; + mtx_lock(&sc->ld_controller->mfi_io_lock); + TAILQ_INSERT_TAIL(&sc->ld_controller->mfi_ld_tqh, sc, ld_link); ++ TAILQ_FOREACH(ld_pend, &sc->ld_controller->mfi_ld_pend_tqh, ++ ld_link) { ++ TAILQ_REMOVE(&sc->ld_controller->mfi_ld_pend_tqh, ++ ld_pend, ld_link); ++ free(ld_pend, M_MFIBUF); ++ break; ++ } + mtx_unlock(&sc->ld_controller->mfi_io_lock); + + switch (ld_info->ld_config.params.state) { +@@ -131,16 +139,16 @@ mfi_disk_attach(device_t dev) + break; + } + +- if ( strlen(ld_info->ld_config.properties.name) == 0 ) { +- device_printf(dev, +- "%juMB (%ju sectors) RAID volume (no label) is %s\n", +- sectors / (1024 * 1024 / secsize), sectors, state); +- } else { +- device_printf(dev, +- "%juMB (%ju sectors) RAID volume '%s' is %s\n", +- sectors / (1024 * 1024 / secsize), sectors, +- ld_info->ld_config.properties.name, state); +- } ++ if ( strlen(ld_info->ld_config.properties.name) == 0 ) { ++ device_printf(dev, ++ "%juMB (%ju sectors) RAID volume (no label) is %s\n", ++ sectors / (1024 * 1024 / secsize), sectors, state); ++ } else { ++ device_printf(dev, ++ "%juMB (%ju sectors) RAID volume '%s' is %s\n", ++ sectors / (1024 * 1024 / secsize), sectors, ++ ld_info->ld_config.properties.name, state); ++ } + + sc->ld_disk = disk_alloc(); + sc->ld_disk->d_drv1 = sc; +Index: sys/dev/mfi/mfi_syspd.c +=================================================================== +--- sys/dev/mfi/mfi_syspd.c (revision 254079) ++++ sys/dev/mfi/mfi_syspd.c (working copy) +@@ -89,7 +89,6 @@ DRIVER_MODULE(mfisyspd, mfi, mfi_syspd_driver, mfi + static int + mfi_syspd_probe(device_t dev) + { +- + return (0); + } + +@@ -98,12 +97,12 @@ mfi_syspd_attach(device_t dev) + { + struct mfi_system_pd *sc; + struct mfi_pd_info *pd_info; ++ struct mfi_system_pending *syspd_pend; + uint64_t sectors; + uint32_t secsize; + + sc = device_get_softc(dev); + pd_info = device_get_ivars(dev); +- + sc->pd_dev = dev; + sc->pd_id = pd_info->ref.v.device_id; + sc->pd_unit = device_get_unit(dev); +@@ -115,6 +114,13 @@ mfi_syspd_attach(device_t dev) + secsize = MFI_SECTOR_LEN; + mtx_lock(&sc->pd_controller->mfi_io_lock); + TAILQ_INSERT_TAIL(&sc->pd_controller->mfi_syspd_tqh, sc, pd_link); ++ TAILQ_FOREACH(syspd_pend, &sc->pd_controller->mfi_syspd_pend_tqh, ++ pd_link) { ++ TAILQ_REMOVE(&sc->pd_controller->mfi_syspd_pend_tqh, ++ syspd_pend, pd_link); ++ free(syspd_pend, M_MFIBUF); ++ break; ++ } + mtx_unlock(&sc->pd_controller->mfi_io_lock); + device_printf(dev, "%juMB (%ju sectors) SYSPD volume\n", + sectors / (1024 * 1024 / secsize), sectors); +@@ -139,6 +145,7 @@ mfi_syspd_attach(device_t dev) + disk_create(sc->pd_disk, DISK_VERSION); + + device_printf(dev, " SYSPD volume attached\n"); ++ + return (0); + } + +Index: sys/dev/mfi/mfi_tbolt.c +=================================================================== +--- sys/dev/mfi/mfi_tbolt.c (revision 254079) ++++ sys/dev/mfi/mfi_tbolt.c (working copy) +@@ -69,13 +69,10 @@ uint8_t + mfi_build_mpt_pass_thru(struct mfi_softc *sc, struct mfi_command *mfi_cmd); + union mfi_mpi2_request_descriptor *mfi_build_and_issue_cmd(struct mfi_softc + *sc, struct mfi_command *mfi_cmd); +-int mfi_tbolt_is_ldio(struct mfi_command *mfi_cmd); + void mfi_tbolt_build_ldio(struct mfi_softc *sc, struct mfi_command *mfi_cmd, + struct mfi_cmd_tbolt *cmd); + static int mfi_tbolt_make_sgl(struct mfi_softc *sc, struct mfi_command + *mfi_cmd, pMpi25IeeeSgeChain64_t sgl_ptr, struct mfi_cmd_tbolt *cmd); +-static int mfi_tbolt_build_cdb(struct mfi_softc *sc, struct mfi_command +- *mfi_cmd, uint8_t *cdb); + void + map_tbolt_cmd_status(struct mfi_command *mfi_cmd, uint8_t status, + uint8_t ext_status); +@@ -502,6 +499,7 @@ mfi_tbolt_alloc_cmd(struct mfi_softc *sc) + + i * MEGASAS_MAX_SZ_CHAIN_FRAME); + cmd->sg_frame_phys_addr = sc->sg_frame_busaddr + i + * MEGASAS_MAX_SZ_CHAIN_FRAME; ++ cmd->sync_cmd_idx = sc->mfi_max_fw_cmds; + + TAILQ_INSERT_TAIL(&(sc->mfi_cmd_tbolt_tqh), cmd, next); + } +@@ -574,11 +572,11 @@ void + map_tbolt_cmd_status(struct mfi_command *mfi_cmd, uint8_t status, + uint8_t ext_status) + { +- + switch (status) { + case MFI_STAT_OK: +- mfi_cmd->cm_frame->header.cmd_status = 0; +- mfi_cmd->cm_frame->dcmd.header.cmd_status = 0; ++ mfi_cmd->cm_frame->header.cmd_status = MFI_STAT_OK; ++ mfi_cmd->cm_frame->dcmd.header.cmd_status = MFI_STAT_OK; ++ mfi_cmd->cm_error = MFI_STAT_OK; + break; + + case MFI_STAT_SCSI_IO_FAILED: +@@ -618,6 +616,7 @@ mfi_tbolt_return_cmd(struct mfi_softc *sc, struct + { + mtx_assert(&sc->mfi_io_lock, MA_OWNED); + ++ cmd->sync_cmd_idx = sc->mfi_max_fw_cmds; + TAILQ_INSERT_TAIL(&sc->mfi_cmd_tbolt_tqh, cmd, next); + } + +@@ -667,16 +666,26 @@ mfi_tbolt_complete_cmd(struct mfi_softc *sc) + extStatus = cmd_mfi->cm_frame->dcmd.header.scsi_status; + map_tbolt_cmd_status(cmd_mfi, status, extStatus); + +- /* remove command from busy queue if not polled */ +- TAILQ_FOREACH(cmd_mfi_check, &sc->mfi_busy, cm_link) { +- if (cmd_mfi_check == cmd_mfi) { +- mfi_remove_busy(cmd_mfi); +- break; ++ if (cmd_mfi->cm_flags & MFI_CMD_SCSI && ++ (cmd_mfi->cm_flags & MFI_CMD_POLLED) != 0) { ++ /* polled LD/SYSPD IO command */ ++ mfi_tbolt_return_cmd(sc, cmd_tbolt); ++ /* XXX mark okay for now DJA */ ++ cmd_mfi->cm_frame->header.cmd_status = MFI_STAT_OK; ++ } else { ++ ++ /* remove command from busy queue if not polled */ ++ TAILQ_FOREACH(cmd_mfi_check, &sc->mfi_busy, cm_link) { ++ if (cmd_mfi_check == cmd_mfi) { ++ mfi_remove_busy(cmd_mfi); ++ break; ++ } + } ++ ++ /* complete the command */ ++ mfi_complete(sc, cmd_mfi); ++ mfi_tbolt_return_cmd(sc, cmd_tbolt); + } +- cmd_mfi->cm_error = 0; +- mfi_complete(sc, cmd_mfi); +- mfi_tbolt_return_cmd(sc, cmd_tbolt); + + sc->last_reply_idx++; + if (sc->last_reply_idx >= sc->mfi_max_fw_cmds) { +@@ -811,13 +820,13 @@ mfi_tbolt_build_ldio(struct mfi_softc *sc, struct + MFI_FRAME_DIR_READ) + io_info.isRead = 1; + +- io_request->RaidContext.timeoutValue +- = MFI_FUSION_FP_DEFAULT_TIMEOUT; +- io_request->Function = MPI2_FUNCTION_LD_IO_REQUEST; +- io_request->DevHandle = device_id; +- cmd->request_desc->header.RequestFlags +- = (MFI_REQ_DESCRIPT_FLAGS_LD_IO +- << MFI_REQ_DESCRIPT_FLAGS_TYPE_SHIFT); ++ io_request->RaidContext.timeoutValue ++ = MFI_FUSION_FP_DEFAULT_TIMEOUT; ++ io_request->Function = MPI2_FUNCTION_LD_IO_REQUEST; ++ io_request->DevHandle = device_id; ++ cmd->request_desc->header.RequestFlags ++ = (MFI_REQ_DESCRIPT_FLAGS_LD_IO ++ << MFI_REQ_DESCRIPT_FLAGS_TYPE_SHIFT); + if ((io_request->IoFlags == 6) && (io_info.numBlocks == 0)) + io_request->RaidContext.RegLockLength = 0x100; + io_request->DataLength = mfi_cmd->cm_frame->io.header.data_len +@@ -825,41 +834,37 @@ mfi_tbolt_build_ldio(struct mfi_softc *sc, struct + } + + int +-mfi_tbolt_is_ldio(struct mfi_command *mfi_cmd) +-{ +- if (mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_READ +- || mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_WRITE) +- return 1; +- else +- return 0; +-} +- +-int + mfi_tbolt_build_io(struct mfi_softc *sc, struct mfi_command *mfi_cmd, + struct mfi_cmd_tbolt *cmd) + { +- uint32_t device_id; ++ struct mfi_mpi2_request_raid_scsi_io *io_request; + uint32_t sge_count; +- uint8_t cdb[32], cdb_len; ++ uint8_t cdb_len; ++ int readop; ++ u_int64_t lba; + +- memset(cdb, 0, 32); +- struct mfi_mpi2_request_raid_scsi_io *io_request = cmd->io_request; ++ io_request = cmd->io_request; ++ if (!(mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_READ ++ || mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_WRITE)) ++ return 1; + +- device_id = mfi_cmd->cm_frame->header.target_id; ++ mfi_tbolt_build_ldio(sc, mfi_cmd, cmd); + +- /* Have to build CDB here for TB as BSD don't have a scsi layer */ +- if ((cdb_len = mfi_tbolt_build_cdb(sc, mfi_cmd, cdb)) == 1) +- return 1; ++ /* Convert to SCSI command CDB */ ++ bzero(io_request->CDB.CDB32, sizeof(io_request->CDB.CDB32)); ++ if (mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_WRITE) ++ readop = 0; ++ else ++ readop = 1; + +- /* Just the CDB length,rest of the Flags are zero */ ++ lba = mfi_cmd->cm_frame->io.lba_hi; ++ lba = (lba << 32) + mfi_cmd->cm_frame->io.lba_lo; ++ cdb_len = mfi_build_cdb(readop, 0, lba, ++ mfi_cmd->cm_frame->io.header.data_len, io_request->CDB.CDB32); ++ ++ /* Just the CDB length, rest of the Flags are zero */ + io_request->IoFlags = cdb_len; +- memcpy(io_request->CDB.CDB32, cdb, 32); + +- if (mfi_tbolt_is_ldio(mfi_cmd)) +- mfi_tbolt_build_ldio(sc, mfi_cmd , cmd); +- else +- return 1; +- + /* + * Construct SGL + */ +@@ -883,85 +888,13 @@ mfi_tbolt_build_io(struct mfi_softc *sc, struct mf + + io_request->SenseBufferLowAddress = mfi_cmd->cm_sense_busaddr; + io_request->SenseBufferLength = MFI_SENSE_LEN; ++ io_request->RaidContext.Status = MFI_STAT_INVALID_STATUS; ++ io_request->RaidContext.exStatus = MFI_STAT_INVALID_STATUS; ++ + return 0; + } + +-static int +-mfi_tbolt_build_cdb(struct mfi_softc *sc, struct mfi_command *mfi_cmd, +- uint8_t *cdb) +-{ +- uint32_t lba_lo, lba_hi, num_lba; +- uint8_t cdb_len; + +- if (mfi_cmd == NULL || cdb == NULL) +- return 1; +- num_lba = mfi_cmd->cm_frame->io.header.data_len; +- lba_lo = mfi_cmd->cm_frame->io.lba_lo; +- lba_hi = mfi_cmd->cm_frame->io.lba_hi; +- +- if (lba_hi == 0 && (num_lba <= 0xFF) && (lba_lo <= 0x1FFFFF)) { +- if (mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_WRITE) +- /* Read 6 or Write 6 */ +- cdb[0] = (uint8_t) (0x0A); +- else +- cdb[0] = (uint8_t) (0x08); +- +- cdb[4] = (uint8_t) num_lba; +- cdb[3] = (uint8_t) (lba_lo & 0xFF); +- cdb[2] = (uint8_t) (lba_lo >> 8); +- cdb[1] = (uint8_t) ((lba_lo >> 16) & 0x1F); +- cdb_len = 6; +- } +- else if (lba_hi == 0 && (num_lba <= 0xFFFF) && (lba_lo <= 0xFFFFFFFF)) { +- if (mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_WRITE) +- /* Read 10 or Write 10 */ +- cdb[0] = (uint8_t) (0x2A); +- else +- cdb[0] = (uint8_t) (0x28); +- cdb[8] = (uint8_t) (num_lba & 0xFF); +- cdb[7] = (uint8_t) (num_lba >> 8); +- cdb[5] = (uint8_t) (lba_lo & 0xFF); +- cdb[4] = (uint8_t) (lba_lo >> 8); +- cdb[3] = (uint8_t) (lba_lo >> 16); +- cdb[2] = (uint8_t) (lba_lo >> 24); +- cdb_len = 10; +- } else if ((num_lba > 0xFFFF) && (lba_hi == 0)) { +- if (mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_WRITE) +- /* Read 12 or Write 12 */ +- cdb[0] = (uint8_t) (0xAA); +- else +- cdb[0] = (uint8_t) (0xA8); +- cdb[9] = (uint8_t) (num_lba & 0xFF); +- cdb[8] = (uint8_t) (num_lba >> 8); +- cdb[7] = (uint8_t) (num_lba >> 16); +- cdb[6] = (uint8_t) (num_lba >> 24); +- cdb[5] = (uint8_t) (lba_lo & 0xFF); +- cdb[4] = (uint8_t) (lba_lo >> 8); +- cdb[3] = (uint8_t) (lba_lo >> 16); +- cdb[2] = (uint8_t) (lba_lo >> 24); +- cdb_len = 12; +- } else { +- if (mfi_cmd->cm_frame->header.cmd == MFI_CMD_LD_WRITE) +- cdb[0] = (uint8_t) (0x8A); +- else +- cdb[0] = (uint8_t) (0x88); +- cdb[13] = (uint8_t) (num_lba & 0xFF); +- cdb[12] = (uint8_t) (num_lba >> 8); +- cdb[11] = (uint8_t) (num_lba >> 16); +- cdb[10] = (uint8_t) (num_lba >> 24); +- cdb[9] = (uint8_t) (lba_lo & 0xFF); +- cdb[8] = (uint8_t) (lba_lo >> 8); +- cdb[7] = (uint8_t) (lba_lo >> 16); +- cdb[6] = (uint8_t) (lba_lo >> 24); +- cdb[5] = (uint8_t) (lba_hi & 0xFF); +- cdb[4] = (uint8_t) (lba_hi >> 8); +- cdb[3] = (uint8_t) (lba_hi >> 16); +- cdb[2] = (uint8_t) (lba_hi >> 24); +- cdb_len = 16; +- } +- return cdb_len; +-} +- + static int + mfi_tbolt_make_sgl(struct mfi_softc *sc, struct mfi_command *mfi_cmd, + pMpi25IeeeSgeChain64_t sgl_ptr, struct mfi_cmd_tbolt *cmd) +@@ -1100,8 +1033,7 @@ mfi_tbolt_send_frame(struct mfi_softc *sc, struct + if ((cm->cm_flags & MFI_CMD_POLLED) == 0) { + cm->cm_timestamp = time_uptime; + mfi_enqueue_busy(cm); +- } +- else { /* still get interrupts for it */ ++ } else { /* still get interrupts for it */ + hdr->cmd_status = MFI_STAT_INVALID_STATUS; + hdr->flags |= MFI_FRAME_DONT_POST_IN_REPLY_QUEUE; + } +@@ -1118,19 +1050,28 @@ mfi_tbolt_send_frame(struct mfi_softc *sc, struct + } + else + device_printf(sc->mfi_dev, "DJA NA XXX SYSPDIO\n"); +- } +- else if (hdr->cmd == MFI_CMD_LD_SCSI_IO || ++ } else if (hdr->cmd == MFI_CMD_LD_SCSI_IO || + hdr->cmd == MFI_CMD_LD_READ || hdr->cmd == MFI_CMD_LD_WRITE) { ++ cm->cm_flags |= MFI_CMD_SCSI; + if ((req_desc = mfi_build_and_issue_cmd(sc, cm)) == NULL) { + device_printf(sc->mfi_dev, "LDIO Failed \n"); + return 1; + } +- } else +- if ((req_desc = mfi_tbolt_build_mpt_cmd(sc, cm)) == NULL) { ++ } else if ((req_desc = mfi_tbolt_build_mpt_cmd(sc, cm)) == NULL) { + device_printf(sc->mfi_dev, "Mapping from MFI to MPT " + "Failed\n"); + return 1; +- } ++ } ++ ++ if (cm->cm_flags & MFI_CMD_SCSI) { ++ /* ++ * LD IO needs to be posted since it doesn't get ++ * acknowledged via a status update so have the ++ * controller reply via mfi_tbolt_complete_cmd. ++ */ ++ hdr->flags &= ~MFI_FRAME_DONT_POST_IN_REPLY_QUEUE; ++ } ++ + MFI_WRITE4(sc, MFI_ILQP, (req_desc->words & 0xFFFFFFFF)); + MFI_WRITE4(sc, MFI_IHQP, (req_desc->words >>0x20)); + +@@ -1137,12 +1078,21 @@ mfi_tbolt_send_frame(struct mfi_softc *sc, struct + if ((cm->cm_flags & MFI_CMD_POLLED) == 0) + return 0; + ++ if (cm->cm_flags & MFI_CMD_SCSI) { ++ /* check reply queue */ ++ mfi_tbolt_complete_cmd(sc); ++ } ++ + /* This is a polled command, so busy-wait for it to complete. */ + while (hdr->cmd_status == MFI_STAT_INVALID_STATUS) { + DELAY(1000); + tm -= 1; + if (tm <= 0) +- break; ++ break; ++ if (cm->cm_flags & MFI_CMD_SCSI) { ++ /* check reply queue */ ++ mfi_tbolt_complete_cmd(sc); ++ } + } + + if (hdr->cmd_status == MFI_STAT_INVALID_STATUS) { +@@ -1375,7 +1325,7 @@ mfi_tbolt_sync_map_info(struct mfi_softc *sc) + free(ld_sync, M_MFIBUF); + goto out; + } +- ++ + context = cmd->cm_frame->header.context; + bzero(cmd->cm_frame, sizeof(union mfi_frame)); + cmd->cm_frame->header.context = context; +Index: sys/dev/mfi/mfivar.h +=================================================================== +--- sys/dev/mfi/mfivar.h (revision 254079) ++++ sys/dev/mfi/mfivar.h (working copy) +@@ -105,6 +105,7 @@ struct mfi_command { + #define MFI_ON_MFIQ_READY (1<<6) + #define MFI_ON_MFIQ_BUSY (1<<7) + #define MFI_ON_MFIQ_MASK ((1<<5)|(1<<6)|(1<<7)) ++#define MFI_CMD_SCSI (1<<8) + uint8_t retry_for_fw_reset; + void (* cm_complete)(struct mfi_command *cm); + void *cm_private; +@@ -125,6 +126,11 @@ struct mfi_disk { + #define MFI_DISK_FLAGS_DISABLED 0x02 + }; + ++struct mfi_disk_pending { ++ TAILQ_ENTRY(mfi_disk_pending) ld_link; ++ int ld_id; ++}; ++ + struct mfi_system_pd { + TAILQ_ENTRY(mfi_system_pd) pd_link; + device_t pd_dev; +@@ -136,6 +142,11 @@ struct mfi_system_pd { + int pd_flags; + }; + ++struct mfi_system_pending { ++ TAILQ_ENTRY(mfi_system_pending) pd_link; ++ int pd_id; ++}; ++ + struct mfi_evt_queue_elm { + TAILQ_ENTRY(mfi_evt_queue_elm) link; + struct mfi_evt_detail detail; +@@ -284,6 +295,8 @@ struct mfi_softc { + + TAILQ_HEAD(,mfi_disk) mfi_ld_tqh; + TAILQ_HEAD(,mfi_system_pd) mfi_syspd_tqh; ++ TAILQ_HEAD(,mfi_disk_pending) mfi_ld_pend_tqh; ++ TAILQ_HEAD(,mfi_system_pending) mfi_syspd_pend_tqh; + eventhandler_tag mfi_eh; + struct cdev *mfi_cdev; + +@@ -302,6 +315,7 @@ struct mfi_softc { + uint32_t frame_cnt); + int (*mfi_adp_reset)(struct mfi_softc *sc); + int (*mfi_adp_check_reset)(struct mfi_softc *sc); ++ void (*mfi_intr_ptr)(void *sc); + + /* ThunderBolt */ + uint32_t mfi_tbolt; +@@ -420,7 +434,8 @@ extern int mfi_tbolt_reset(struct mfi_softc *sc); + extern void mfi_tbolt_sync_map_info(struct mfi_softc *sc); + extern void mfi_handle_map_sync(void *context, int pending); + extern int mfi_dcmd_command(struct mfi_softc *, struct mfi_command **, +- uint32_t, void **, size_t); ++ uint32_t, void **, size_t); ++extern int mfi_build_cdb(int, uint8_t, u_int64_t, u_int32_t, uint8_t *); + + #define MFIQ_ADD(sc, qname) \ + do { \ diff --git a/share/security/patches/EN-13:03/mfi.patch.asc b/share/security/patches/EN-13:03/mfi.patch.asc new file mode 100644 index 0000000000..3fd57c3721 --- /dev/null +++ b/share/security/patches/EN-13:03/mfi.patch.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.21 (FreeBSD) + +iEYEABECAAYFAlIVY24ACgkQFdaIBMps37JCXwCfZhVM1OjOQdzZpIxjNN80C1u1 +JskAoJxlytTc77jV6csrcPfYIFv/oTJD +=MxiW +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-13:04/freebsd-update.patch b/share/security/patches/EN-13:04/freebsd-update.patch new file mode 100644 index 0000000000..cfc1631ea9 --- /dev/null +++ b/share/security/patches/EN-13:04/freebsd-update.patch @@ -0,0 +1,78 @@ +Index: usr.sbin/freebsd-update/freebsd-update.sh +=================================================================== +--- usr.sbin/freebsd-update/freebsd-update.sh ++++ usr.sbin/freebsd-update/freebsd-update.sh +@@ -1200,7 +1200,7 @@ + # Some aliases to save space later: ${P} is a character which can + # appear in a path; ${M} is the four numeric metadata fields; and + # ${H} is a sha256 hash. +- P="[-+./:=%@_[[:alnum:]]" ++ P="[-+./:=%@_[~[:alnum:]]" + M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+" + H="[0-9a-f]{64}" + +@@ -2814,16 +2814,24 @@ + + # If we haven't already dealt with the world, deal with it. + if ! [ -f $1/worlddone ]; then ++ # Create any necessary directories first ++ grep -vE '^/boot/' $1/INDEX-NEW | ++ grep -E '^[^|]+\|d\|' > INDEX-NEW ++ install_from_index INDEX-NEW || return 1 ++ + # Install new shared libraries next + grep -vE '^/boot/' $1/INDEX-NEW | +- grep -E '/lib/.*\.so\.[0-9]+\|' > INDEX-NEW ++ grep -vE '^[^|]+\|d\|' | ++ grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW + install_from_index INDEX-NEW || return 1 + + # Deal with everything else + grep -vE '^/boot/' $1/INDEX-OLD | +- grep -vE '/lib/.*\.so\.[0-9]+\|' > INDEX-OLD ++ grep -vE '^[^|]+\|d\|' | ++ grep -vE '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-OLD + grep -vE '^/boot/' $1/INDEX-NEW | +- grep -vE '/lib/.*\.so\.[0-9]+\|' > INDEX-NEW ++ grep -vE '^[^|]+\|d\|' | ++ grep -vE '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW + install_from_index INDEX-NEW || return 1 + install_delete INDEX-OLD INDEX-NEW || return 1 + +@@ -2844,11 +2852,11 @@ + + # Do we need to ask the user to portupgrade now? + grep -vE '^/boot/' $1/INDEX-NEW | +- grep -E '/lib/.*\.so\.[0-9]+\|' | ++ grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' | + cut -f 1 -d '|' | + sort > newfiles + if grep -vE '^/boot/' $1/INDEX-OLD | +- grep -E '/lib/.*\.so\.[0-9]+\|' | ++ grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' | + cut -f 1 -d '|' | + sort | + join -v 1 - newfiles | +@@ -2868,11 +2876,20 @@ + + # Remove old shared libraries + grep -vE '^/boot/' $1/INDEX-NEW | +- grep -E '/lib/.*\.so\.[0-9]+\|' > INDEX-NEW ++ grep -vE '^[^|]+\|d\|' | ++ grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW + grep -vE '^/boot/' $1/INDEX-OLD | +- grep -E '/lib/.*\.so\.[0-9]+\|' > INDEX-OLD ++ grep -vE '^[^|]+\|d\|' | ++ grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-OLD + install_delete INDEX-OLD INDEX-NEW || return 1 + ++ # Remove old directories ++ grep -vE '^/boot/' $1/INDEX-OLD | ++ grep -E '^[^|]+\|d\|' > INDEX-OLD ++ grep -vE '^/boot/' $1/INDEX-OLD | ++ grep -E '^[^|]+\|d\|' > INDEX-OLD ++ install_delete INDEX-OLD INDEX-NEW || return 1 ++ + # Remove temporary files + rm INDEX-OLD INDEX-NEW + } diff --git a/share/security/patches/EN-13:04/freebsd-update.patch.asc b/share/security/patches/EN-13:04/freebsd-update.patch.asc new file mode 100644 index 0000000000..5f35207f8f --- /dev/null +++ b/share/security/patches/EN-13:04/freebsd-update.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJSbCKVAAoJEO1n7NZdz2rnETwQAOMV7xt2OlnEdtppHyG7F5vj +Kyii95jtZzgdvxh33EpVjqxc/Wo8pLgmciA2tP3K6M9qwbz8B6Hc2HxMyouV1LF2 +WUoJlmZTIZCdXF1RAPndBjvze+15kD7dGPPPfA7pJWN+07p7CZEUTHBoZ94q6u3y +JlEEAjlXtYvWVJCrd2olIN0xwqNDL1AfywMOBKbfTN+NQiYr4hhPnnA33Fb+gyjK +JpEZuCJ1p5caQWLRGn7L2Ro+y32MPSujOW8P0It5xTvGNjtSVYU09ZQPKFgdvD0L +yNSJdSXLKfdpF9fLeUR2Ahwvdnao8BSMfPi2LP3g9sfapw40wP8/s8B7gCXp6wk7 +vl3ZhyqMC53O+kgHxMnbrTB1EK9q6vQ3tEhqUu3caGaCy5zqGxv49WMzNYSYxGcf +8Kqvmab65YRrB7UY8wo6Sqc3tWqfP4VwWv+eljMeDgvbwcPZ3L7oAMfSZfyPfiYK +OfR2JNWgutt6rqre5QixN3c+QsIPlpb9UUgOaoS22iveA0h8FmbOeWGyZ7Rwm6Bd +6VKO+aHiSbumr9/LPVGBxYI63dWkcRj4NZEG/B6eV3wqUJufCEzrRecbJflIEXOJ +jPg61eMA0ua+y+17D9RVkUqL9rrnhF18YfOh1JAkSzMP2J8NCEtW2ol02QAnlLDc +Vv5c44zu0PyqRqtvK5sJ +=QsbS +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-13:09/ip_multicast.patch b/share/security/patches/SA-13:09/ip_multicast.patch new file mode 100644 index 0000000000..23f68ed9c3 --- /dev/null +++ b/share/security/patches/SA-13:09/ip_multicast.patch @@ -0,0 +1,26 @@ +Index: sys/netinet/in_mcast.c +=================================================================== +--- sys/netinet/in_mcast.c (revision 254252) ++++ sys/netinet/in_mcast.c (working copy) +@@ -1648,6 +1648,8 @@ + * has asked for, but we always tell userland how big the + * buffer really needs to be. + */ ++ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) ++ msfr.msfr_nsrcs = in_mcast_maxsocksrc; + tss = NULL; + if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { + tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, +Index: sys/netinet6/in6_mcast.c +=================================================================== +--- sys/netinet6/in6_mcast.c (revision 254252) ++++ sys/netinet6/in6_mcast.c (working copy) +@@ -1625,6 +1625,8 @@ + * has asked for, but we always tell userland how big the + * buffer really needs to be. + */ ++ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) ++ msfr.msfr_nsrcs = in6_mcast_maxsocksrc; + tss = NULL; + if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { + tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, diff --git a/share/security/patches/SA-13:09/ip_multicast.patch.asc b/share/security/patches/SA-13:09/ip_multicast.patch.asc new file mode 100644 index 0000000000..baf38f70c2 --- /dev/null +++ b/share/security/patches/SA-13:09/ip_multicast.patch.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.21 (FreeBSD) + +iEYEABECAAYFAlIVY24ACgkQFdaIBMps37KUkgCfU1WO0UwQEQeRo+DcgCFIf6j7 +R9YAn3m43TNCB0hft+Fmlt7ikftEOCoQ +=m93m +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-13:10/sctp.patch b/share/security/patches/SA-13:10/sctp.patch new file mode 100644 index 0000000000..e6710e3bcb --- /dev/null +++ b/share/security/patches/SA-13:10/sctp.patch @@ -0,0 +1,19 @@ +Index: sys/netinet/sctp_output.c +=================================================================== +--- sys/netinet/sctp_output.c (revision 254337) ++++ sys/netinet/sctp_output.c (revision 254338) +@@ -5406,6 +5406,14 @@ + } + SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk); + ++ /* ++ * We might not overwrite the identification[] completely and on ++ * some platforms time_entered will contain some padding. Therefore ++ * zero out the cookie to avoid putting uninitialized memory on the ++ * wire. ++ */ ++ memset(&stc, 0, sizeof(struct sctp_state_cookie)); ++ + /* the time I built cookie */ + (void)SCTP_GETTIME_TIMEVAL(&stc.time_entered); + diff --git a/share/security/patches/SA-13:10/sctp.patch.asc b/share/security/patches/SA-13:10/sctp.patch.asc new file mode 100644 index 0000000000..fcf586bae2 --- /dev/null +++ b/share/security/patches/SA-13:10/sctp.patch.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.21 (FreeBSD) + +iEYEABECAAYFAlIVY24ACgkQFdaIBMps37JspQCdHJl2JvDn4fmmqM8xLRJsHghE +onAAn1F8HgApNEcBndp/DlnyiSnPyBCw +=Qaow +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-13:11/sendfile-9.2-rc.patch b/share/security/patches/SA-13:11/sendfile-9.2-rc.patch new file mode 100644 index 0000000000..aeb5c9f202 --- /dev/null +++ b/share/security/patches/SA-13:11/sendfile-9.2-rc.patch @@ -0,0 +1,20 @@ +Index: sys/kern/uipc_syscalls.c +=================================================================== +--- sys/kern/uipc_syscalls.c (revision 253912) ++++ sys/kern/uipc_syscalls.c (working copy) +@@ -2087,11 +2087,10 @@ + * or the passed in nbytes. + */ + pgoff = (vm_offset_t)(off & PAGE_MASK); +- if (uap->nbytes) +- rem = (uap->nbytes - fsbytes - loopbytes); +- else +- rem = va.va_size - +- uap->offset - fsbytes - loopbytes; ++ rem = obj->un_pager.vnp.vnp_size - uap->offset; ++ if (uap->nbytes != 0) ++ rem = omin(rem, uap->nbytes); ++ rem -= fsbytes + loopbytes; + xfsize = omin(PAGE_SIZE - pgoff, rem); + xfsize = omin(space - loopbytes, xfsize); + if (xfsize <= 0) { diff --git a/share/security/patches/SA-13:11/sendfile-9.2-rc.patch.asc b/share/security/patches/SA-13:11/sendfile-9.2-rc.patch.asc new file mode 100644 index 0000000000..3c183fc1d7 --- /dev/null +++ b/share/security/patches/SA-13:11/sendfile-9.2-rc.patch.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEABECAAYFAlIuF7gACgkQFdaIBMps37LokwCcD0WafThPclpU1qRNCTzNhe61 +S04AmwfYZwH8ZsCbTWFw1bZVOhcqim/m +=6DgA +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-13:11/sendfile-9.2-stable.patch b/share/security/patches/SA-13:11/sendfile-9.2-stable.patch new file mode 100644 index 0000000000..21805c6325 --- /dev/null +++ b/share/security/patches/SA-13:11/sendfile-9.2-stable.patch @@ -0,0 +1,20 @@ +Index: sys/kern/uipc_syscalls.c +=================================================================== +--- sys/kern/uipc_syscalls.c (revision 255414) ++++ sys/kern/uipc_syscalls.c (working copy) +@@ -2126,11 +2126,10 @@ + * or the passed in nbytes. + */ + pgoff = (vm_offset_t)(off & PAGE_MASK); +- if (uap->nbytes) +- rem = (uap->nbytes - fsbytes - loopbytes); +- else +- rem = va.va_size - +- uap->offset - fsbytes - loopbytes; ++ rem = va.va_size - uap->offset; ++ if (uap->nbytes != 0) ++ rem = omin(rem, uap->nbytes); ++ rem -= fsbytes + loopbytes; + xfsize = omin(PAGE_SIZE - pgoff, rem); + xfsize = omin(space - loopbytes, xfsize); + if (xfsize <= 0) { diff --git a/share/security/patches/SA-13:11/sendfile-9.2-stable.patch.asc b/share/security/patches/SA-13:11/sendfile-9.2-stable.patch.asc new file mode 100644 index 0000000000..182c78bf2d --- /dev/null +++ b/share/security/patches/SA-13:11/sendfile-9.2-stable.patch.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEABECAAYFAlIuF70ACgkQFdaIBMps37Ir2ACeJiObKBkQvyI/3HTotiQnx+7p +laYAoJZlhgNrqHbAiaDg5qjUbTPZCECa +=GX/T +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-13:12/ifioctl.patch b/share/security/patches/SA-13:12/ifioctl.patch new file mode 100644 index 0000000000..9aef1503f7 --- /dev/null +++ b/share/security/patches/SA-13:12/ifioctl.patch @@ -0,0 +1,89 @@ +Index: sys/net/if.c +=================================================================== +--- sys/net/if.c (revision 254941) ++++ sys/net/if.c (working copy) +@@ -2553,11 +2553,23 @@ + CURVNET_RESTORE(); + return (EOPNOTSUPP); + } ++ ++ /* ++ * Pass the request on to the socket control method, and if the ++ * latter returns EOPNOTSUPP, directly to the interface. ++ * ++ * Make an exception for the legacy SIOCSIF* requests. Drivers ++ * trust SIOCSIFADDR et al to come from an already privileged ++ * layer, and do not perform any credentials checks or input ++ * validation. ++ */ + #ifndef COMPAT_43 + error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd, + data, + ifp, td)); +- if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL) ++ if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL && ++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && ++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) + error = (*ifp->if_ioctl)(ifp, cmd, data); + #else + { +@@ -2601,7 +2613,9 @@ + data, + ifp, td)); + if (error == EOPNOTSUPP && ifp != NULL && +- ifp->if_ioctl != NULL) ++ ifp->if_ioctl != NULL && ++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && ++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) + error = (*ifp->if_ioctl)(ifp, cmd, data); + switch (ocmd) { + +Index: sys/netinet6/in6.c +=================================================================== +--- sys/netinet6/in6.c (revision 254941) ++++ sys/netinet6/in6.c (working copy) +@@ -431,6 +431,18 @@ + case SIOCGIFSTAT_ICMP6: + sa6 = &ifr->ifr_addr; + break; ++ case SIOCSIFADDR: ++ case SIOCSIFBRDADDR: ++ case SIOCSIFDSTADDR: ++ case SIOCSIFNETMASK: ++ /* ++ * Although we should pass any non-INET6 ioctl requests ++ * down to driver, we filter some legacy INET requests. ++ * Drivers trust SIOCSIFADDR et al to come from an already ++ * privileged layer, and do not perform any credentials ++ * checks or input validation. ++ */ ++ return (EINVAL); + default: + sa6 = NULL; + break; +Index: sys/netnatm/natm.c +=================================================================== +--- sys/netnatm/natm.c (revision 254941) ++++ sys/netnatm/natm.c (working copy) +@@ -339,6 +339,21 @@ + npcb = (struct natmpcb *)so->so_pcb; + KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL")); + ++ switch (cmd) { ++ case SIOCSIFADDR: ++ case SIOCSIFBRDADDR: ++ case SIOCSIFDSTADDR: ++ case SIOCSIFNETMASK: ++ /* ++ * Although we should pass any non-ATM ioctl requests ++ * down to driver, we filter some legacy INET requests. ++ * Drivers trust SIOCSIFADDR et al to come from an already ++ * privileged layer, and do not perform any credentials ++ * checks or input validation. ++ */ ++ return (EINVAL); ++ } ++ + if (ifp == NULL || ifp->if_ioctl == NULL) + return (EOPNOTSUPP); + return ((*ifp->if_ioctl)(ifp, cmd, arg)); diff --git a/share/security/patches/SA-13:12/ifioctl.patch.asc b/share/security/patches/SA-13:12/ifioctl.patch.asc new file mode 100644 index 0000000000..b28a32f6b9 --- /dev/null +++ b/share/security/patches/SA-13:12/ifioctl.patch.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEABECAAYFAlIuF98ACgkQFdaIBMps37KefgCeNtxM4xIH3gYvoj4BbefvRoC8 +I8gAnRT1I915xp4nk2lgWK+5HGoDqApO +=W+Ro +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-13:13/nullfs.patch b/share/security/patches/SA-13:13/nullfs.patch new file mode 100644 index 0000000000..83f30e84fe --- /dev/null +++ b/share/security/patches/SA-13:13/nullfs.patch @@ -0,0 +1,28 @@ +Index: sys/fs/nullfs/null_vnops.c +=================================================================== +--- sys/fs/nullfs/null_vnops.c (revision 254941) ++++ sys/fs/nullfs/null_vnops.c (working copy) +@@ -858,6 +858,15 @@ + return (error); + } + ++static int ++null_link(struct vop_link_args *ap) ++{ ++ ++ if (ap->a_tdvp->v_mount != ap->a_vp->v_mount) ++ return (EXDEV); ++ return (null_bypass((struct vop_generic_args *)ap)); ++} ++ + /* + * Global vfs data structures + */ +@@ -871,6 +880,7 @@ + .vop_getwritemount = null_getwritemount, + .vop_inactive = null_inactive, + .vop_islocked = vop_stdislocked, ++ .vop_link = null_link, + .vop_lock1 = null_lock, + .vop_lookup = null_lookup, + .vop_open = null_open, diff --git a/share/security/patches/SA-13:13/nullfs.patch.asc b/share/security/patches/SA-13:13/nullfs.patch.asc new file mode 100644 index 0000000000..e5cdf5919e --- /dev/null +++ b/share/security/patches/SA-13:13/nullfs.patch.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.14 (FreeBSD) + +iEYEABECAAYFAlIuGawACgkQFdaIBMps37J1OgCgm847iabfWVTdyCXAeXVQkK/g +ZR4AoJrz+a812XboghdqiTvVKVHUyD+b +=wGcC +-----END PGP SIGNATURE----- |