src/sys/nfsserver, branch releng/5.3 FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F5.3 2006-03-01T14:24:52Z Correct a remote DoS in OpenSSH when using PAM and privilege 2006-03-01T14:24:52Z Simon L. B. Nielsen simon@FreeBSD.org 2006-03-01T14:24:52Z urn:sha1:7393d7b5b582657ca0fa327cc30b21ea26b3586a separation. [06:09] Submitted by: des Correct a remote kernel panic when processing zero-length RPC records via TCP. [06:10] Security: FreeBSD-SA-06:09.openssh Security: FreeBSD-SA-06:10.nfs Approved by: so (cperciva) MFC of src/sys/nfsserver/nfs_serv.c rev 1.147.2.3: 2005-01-05T03:35:00Z Ken Smith kensmith@FreeBSD.org 2005-01-05T03:35:00Z urn:sha1:a750b6376a2b63602115e458bea53cc9b7bcb37b Merge nfs_serv.c:1.151 from HEAD to RELENG_5: date: 2004/11/11 21:30:52; author: rwatson; state: Exp; lines: +52 -38 Correct a bug in nfsrv_create() where a call to nfsrv_access() might be made holding the NFS server mutex. To clean this up, introduce a version of the function, nfsrv_access_withgiant(), that expects the NFS server mutex to already have been dropped and Giant acquired. Wrap nfsrv_access() around this. This permits callers to more efficiently check access if they're in a code block performing VFS operations, and can be substitited for the nfsrv_access() call that triggered this bug. PR: 73807, 73208 Approved by: so (nectar) Work done by: rwatson Errata Notice: FreeBSD-EN-05:01.nfs Merge nfs_serv.c:1.149 (RELENG_5 1.147.2.2) from HEAD to RELENG_5_3: 2004-10-21T09:01:02Z Robert Watson rwatson@FreeBSD.org 2004-10-21T09:01:02Z urn:sha1:47a63880aecfd8eeb0ea827dd1b3caae7b4f0cc5 date: 2004/10/18 11:23:11; author: rwatson; state: Exp; lines: +61 -13 Correct several instances where calls to vfs_getvfs() resulting in failure in the NFS server would result in a leaked instance of the NFS server subsystem lock. Liberally sprinkle assertions in all target labels for error unwinding to assert the desired locking state. RELENG_5_3 candidate. MFC after: 3 days Reported by: Wilkinson, Alex <alex dot wilkinson at dsto dot defence dot gov dot au> Approved by: re (scottl) Merge nfs_serv.c:1.148 to RELENG_5: 2004-08-30T22:02:57Z Robert Watson rwatson@FreeBSD.org 2004-08-30T22:02:57Z urn:sha1:8f57ee5f807d46b02380a756c6cc195ed15d736f date: 2004/08/25 16:52:59; author: rwatson; state: Exp; lines: +1 -1 Convert a mtx_lock(&Giant) to a mtx_unlock(&Giant) in nfsrv_link() to prevent leakage of Giant. With INVARIANTS, this results in an assertion failure following execution of the RPC. Without INVARIANTS, it could result in problems if the NFS server is killed causing nfsd to return to user space holding Giant. Feet provided by: brueffer Approved by: re (scottl) If debug.mpsafenet is non-zero, run the NFS server callout without 2004-07-24T02:32:27Z Robert Watson rwatson@FreeBSD.org 2004-07-24T02:32:27Z urn:sha1:9e0219d901287cf30d17694cc8850df4d73beb1f Giant. Remove spl() use from nfsrv_timer. 2004-07-24T02:07:09Z Robert Watson rwatson@FreeBSD.org 2004-07-24T02:07:09Z urn:sha1:b0c90b3b8c5aa6ff242923686ca9d4d5f509472c Do a pass over all modules in the kernel and make them return EOPNOTSUPP 2004-07-15T08:26:07Z Poul-Henning Kamp phk@FreeBSD.org 2004-07-15T08:26:07Z urn:sha1:3e019deaed5ad0687ea53ed5b5ba3336dc0be3c4 for unknown events. A number of modules return EINVAL in this instance, and I have left those alone for now and instead taught MOD_QUIESCE to accept this as "didn't do anything". Do not call sorecieve() in the context of a socket callback as it causes 2004-07-13T07:05:38Z Alfred Perlstein alfred@FreeBSD.org 2004-07-13T07:05:38Z urn:sha1:d83ed0fac0cc10daabc3198fde20003ff486daf9 lock order reversals so->inpcb since we're called with the socket lock held. Change M_WAITOK argument to sodupsockaddr() to M_NOWAIT. When the call 2004-07-03T19:17:06Z Robert Watson rwatson@FreeBSD.org 2004-07-03T19:17:06Z urn:sha1:3a54d6a8a824bad29e19a6b9cbd4be8fff46b45b to dup_sockaddr() was renamed to sodupsockaddr(), the argument was changed from '1' to 'M_WAITOK', which changed the semantics. This resulted in a WITNESS warning about a potential sleep while holding the NFS server mutex. Now this will no longer happen, restoring a possible bug present in the original code (setting RC_NAM even though the malloc to copy the addres may fail). bde observes that the flag names here should probably not be the same as the malloc flags for name space reasons. Bumped into by: kuriyama Merge additional socket buffer locking from rwatson_netperf: 2004-06-17T22:48:11Z Robert Watson rwatson@FreeBSD.org 2004-06-17T22:48:11Z urn:sha1:9535efc00de36129762534223a2f5782cc5fe472 - Lock down low hanging fruit use of sb_flags with socket buffer lock. - Lock down low hanging fruit use of so_state with socket lock. - Lock down low hanging fruit use of so_options. - Lock down low-hanging fruit use of sb_lowwat and sb_hiwat with socket buffer lock. - Annotate situations in which we unlock the socket lock and then grab the receive socket buffer lock, which are currently actually the same lock. Depending on how we want to play our cards, we may want to coallesce these lock uses to reduce overhead. - Convert a if()->panic() into a KASSERT relating to so_state in soaccept(). - Remove a number of splnet()/splx() references. More complex merging of socket and socket buffer locking to follow.