<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys, branch releng/13.3</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.3</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.3'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2024-10-29T19:07:08Z</updated>
<entry>
<title>Add UPDATING entries and bump revision</title>
<updated>2024-10-29T19:07:08Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2024-10-29T19:07:08Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=72aa3d55e9ff8634edf8a28162470969133ea7ca'/>
<id>urn:sha1:72aa3d55e9ff8634edf8a28162470969133ea7ca</id>
<content type='text'>
SA-24:17.bhyve
SA-24:18.ctl
SA-24:19.fetch

Approved by:	so
</content>
</entry>
<entry>
<title>ctl: limit memory allocation in pci_virtio_scsi</title>
<updated>2024-10-29T18:53:00Z</updated>
<author>
<name>Pierre Pronchery</name>
<email>pierre@freebsdfoundation.org</email>
</author>
<published>2024-07-19T17:32:27Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9867aebc1d042c93635134199b5d5feed2354fe9'/>
<id>urn:sha1:9867aebc1d042c93635134199b5d5feed2354fe9</id>
<content type='text'>
The virtio_scsi device allows a VM guest to directly send SCSI commands
(ctsio-&gt;cdb array) to the kernel driver exposed on /dev/cam/ctl
(ctl.ko).

All kernel commands accessible from the guest are defined by
ctl_cmd_table.

The command ctl_persistent_reserve_out (cdb[0]=0x5F and cdb[1]=0) allows
the caller to call malloc() with an arbitrary size (uint32_t). This can
be used by the guest to overload the kernel memory (DoS attack).

Reported by:    Synacktiv
Reviewed by:	asomers
Security:       HYP-08
Security:	FreeBSD-SA-24:18.ctl
Approved by:	so
Sponsored by:   The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D46044

(cherry picked from commit 64b0f52be2c9d7bcecebfeef393f8ec56cb85f47)
(cherry picked from commit 2e7f4728fa738a7a7b6c4e4c46eb68952386efce)
(cherry picked from commit 367d8c86a182813d88f728fdb2c3ef1a4679a852)
</content>
</entry>
<entry>
<title>bhyve: avoid TOCTOU on iov_len in virtio_vq_recordon()</title>
<updated>2024-10-29T18:52:46Z</updated>
<author>
<name>Pierre Pronchery</name>
<email>pierre@freebsdfoundation.org</email>
</author>
<published>2024-08-27T13:57:32Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=296083d6bdb31c5a7720540f2c44644f87245590'/>
<id>urn:sha1:296083d6bdb31c5a7720540f2c44644f87245590</id>
<content type='text'>
Avoid a race condition when accessing guest memory, by reading memory
contents only once.

This has also been applied to _vq_record() in
sys/dev/beri/virtio/virtio.c, as per markj@'s suggestion.

Reported by:	Synacktiv
Reviewed by:	markj
Security:	HYP-10
Security:	FreeBSD-SA-24:17.bhyve
Approved by:	so
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D45735

(cherry picked from commit 869d760cb9d7a307faa2fbe8c1c2b238a81b74d4)
(cherry picked from commit ed03c309908687bdb9f71dc6d9c9c8a92c54fc20)
(cherry picked from commit 6eb7879f426129aa38f4e8b0d57ab7456e4eb351)
</content>
</entry>
<entry>
<title>Add UPDATING entries and bump revision.</title>
<updated>2024-09-19T13:19:04Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2024-09-19T13:19:04Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c31be7380af7fe71392dd4a1a853780143038ce5'/>
<id>urn:sha1:c31be7380af7fe71392dd4a1a853780143038ce5</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>libnv: correct the calculation of the structure's size</title>
<updated>2024-09-19T13:12:37Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2024-09-11T14:43:43Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=417e81a40091f7744c55139bfcad093c75426229'/>
<id>urn:sha1:417e81a40091f7744c55139bfcad093c75426229</id>
<content type='text'>
Reported by:	Milosz Kaniewski &lt;milosz.kaniewski@gmail.com&gt;
Approved by:	so
Security:	FreeBSD-SA-24:16.libnv
Security:	CVE-2024-45287

(cherry picked from commit 7f4731ab67f1d3345aee6626eb83cc5ce00010f0)
(cherry picked from commit 056c50c48be3e3828ef740d2fcce988a545e52aa)
(cherry picked from commit d84fced6b468a637b5a47bad747730fa344d68d8)
</content>
</entry>
<entry>
<title>pf: rework pf_icmp_state_lookup() failure mode</title>
<updated>2024-09-19T13:01:45Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2024-08-30T11:36:39Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ea9257bcd0e1ae178fa4266017bd1db7dae4e780'/>
<id>urn:sha1:ea9257bcd0e1ae178fa4266017bd1db7dae4e780</id>
<content type='text'>
If pf_icmp_state_lookup() finds a state but rejects it for not matching the
expected direction we should unlock the state (and NULL out *state). This
simplifies life for callers, and also ensures there's no confusion about what a
non-NULL returned state means.

Previously it could have been left in there by the caller, resulting in callers
unlocking the same state twice.

Approved by:	so
Security:	FreeBSD-EN-24:16.pf
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 0578fe492284ded4745167060be794032e6e22f0)
(cherry picked from commit d6e5f8643d37e925aa51fc8224cfc05aba0813f7)
</content>
</entry>
<entry>
<title>pf: be less strict about icmp state checking for sloppy state tracking</title>
<updated>2024-09-19T13:01:36Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2024-08-26T14:44:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=aca9955aec8f339c003d977e113594d99be153f8'/>
<id>urn:sha1:aca9955aec8f339c003d977e113594d99be153f8</id>
<content type='text'>
Sloppy state tracking renders the ICMP direction check useless
and harmful as we might see only half of the connection in
asymmetric setups but ignore the state match.  The bug
was reported and the fix was verified by Insan Praja &lt;insan ()
ims-solusi ! com&gt;.  Thanks!  OK mcbride, henning

Approved by:	so
Security:	FreeBSD-EN-24:16.pf
MFC after:	1 week
Obtained from:	OpenBSD, mikeb &lt;mikeb@openbsd.org&gt;, 538596657140
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
(cherry picked from commit b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b)
</content>
</entry>
<entry>
<title>pf: try to lookup the icmp state based on a correct packet descriptor</title>
<updated>2024-09-19T13:01:05Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2024-08-26T14:42:05Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=fceeab39e9b16035f0a8c017c3ad64f1bf3e1d72'/>
<id>urn:sha1:fceeab39e9b16035f0a8c017c3ad64f1bf3e1d72</id>
<content type='text'>
Approved by:	so
Security:	FreeBSD-EN-24:16.pf
MFC after:	1 week
Obtained from:	OpenBSD, mikeb &lt;mikeb@openbsd.org&gt;, e467ea25dcd3
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit b8cd169efa6ac0899b4998898129765ae5c685a6)
(cherry picked from commit fa4b64836183c33631d92dadb073a9e435c5bf6d)
</content>
</entry>
<entry>
<title>pf: improve the ICMPv6 direction check</title>
<updated>2024-09-19T13:00:57Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2024-08-26T12:59:38Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7dabb892096e4e3ba7526914b94f97218d9690d3'/>
<id>urn:sha1:7dabb892096e4e3ba7526914b94f97218d9690d3</id>
<content type='text'>
Following bluhm's advice this changes the way we set up state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
  - replace the NS-dst with ND target address;
  - replace the NA-src with ND target address;
  - replace the NA-dst with unspecified address if it is a multicast.

This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're now doing one state table lookup for ND packets
instead of two.

Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after a few minutes of use.

ok stsp henning, with and ok bluhm

Approved by:	so
Security:	FreeBSD-EN-24:16.pf
PR:		280701
MFC after:	1 week
Obtained from:	OpenBSD, mikeb &lt;mikeb@openbsd.org&gt;, 2633ae8c4c8a
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 5ab1e5f7e5585558a73b723f07528977a82cee82)
(cherry picked from commit b84344206721ed2803d5da68585289d5880efe3f)
</content>
</entry>
<entry>
<title>pf: invert direction for inner icmp state lookups</title>
<updated>2024-09-19T13:00:48Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2024-08-14T09:29:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=36265a707dc51189843498e059361010ea3c9718'/>
<id>urn:sha1:36265a707dc51189843498e059361010ea3c9718</id>
<content type='text'>
(e.g. traceroute with icmp)
ok henning, jsing

Also extend the test case to cover this scenario.

Approved by:	so
Security:	FreeBSD-EN-24:16.pf
PR:		280701
Obtained from:	OpenBSD
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 89f6723288b0d27d3f14f93e6e83f672fa2b8aca)
(cherry picked from commit 5f3f07397a7909e8f9449d1aa0b465159cbf0d60)
</content>
</entry>
</feed>
