git: f791736fc1 - main - Add EN-22:07 and EN-22:08.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 01 Feb 2022 20:11:33 UTC
The branch main has been updated by gordon (src committer):
URL: https://cgit.FreeBSD.org/doc/commit/?id=f791736fc1178cf78fba4fb9da1f25fd2de8f3f2
commit f791736fc1178cf78fba4fb9da1f25fd2de8f3f2
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2022-02-01 20:10:18 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2022-02-01 20:11:12 +0000
Add EN-22:07 and EN-22:08.
Approved by: so
---
website/data/security/errata.toml | 8 ++
.../security/advisories/FreeBSD-EN-22:07.la57.asc | 130 +++++++++++++++++++++
.../security/advisories/FreeBSD-EN-22:08.i386.asc | 125 ++++++++++++++++++++
.../static/security/patches/EN-22:07/la57.patch | 12 ++
.../security/patches/EN-22:07/la57.patch.asc | 16 +++
.../static/security/patches/EN-22:08/i386.patch | 13 +++
.../security/patches/EN-22:08/i386.patch.asc | 16 +++
7 files changed, 320 insertions(+)
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 913e1dc6df..3ab79b1502 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,14 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-22:08.i386"
+date = "2022-02-01"
+
+[[notices]]
+name = "FreeBSD-EN-22:07.la57"
+date = "2022-02-01"
+
[[notices]]
name = "FreeBSD-EN-22:06.libalias"
date = "2022-01-11"
diff --git a/website/static/security/advisories/FreeBSD-EN-22:07.la57.asc b/website/static/security/advisories/FreeBSD-EN-22:07.la57.asc
new file mode 100644
index 0000000000..ff43d06c1d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:07.la57.asc
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:07.la57 Errata Notice
+ The FreeBSD Project
+
+Topic: Intel CPU LA57 boot failure
+
+Category: core
+Module: kernel
+Announced: 2022-02-01
+Affects: FreeBSD 13.0
+Corrected: 2021-05-03 01:27:22 UTC (stable/13, 13.0-STABLE)
+ 2022-02-01 17:43:46 UTC (releng/13.0, 13.0-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Recent Intel x86-64 CPUs support 5-level paging, extending the size of the
+virtual address space to 57 bits. The extension is enabled by setting a bit
+known as LA57 in a control register, and switching to 5-level paging during
+boot.
+
+II. Problem Description
+
+LA57 support was tested on and is functional within QEMU, but fails on
+physical hardware.
+
+III. Impact
+
+The kernel fails to boot on Intel CPUs that support LA57.
+
+IV. Workaround
+
+LA57 may be disabled by adding the following to /boot/loader.conf:
+
+ vm.pmap.la57=0
+
+This may also be set from the loader prompt (i.e., for initial boot or
+installation).
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+After update LA57 will be disabled by default. 5-level paging will be fully
+supported in a future FreeBSD release.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-22:07/la57.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:07/la57.patch.asc
+# gpg --verify la57.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile and reinstall your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ df6241fcef9a stable/13-n245478
+releng/13.0/ f151464add6f releng/13.0-n244775
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:07.la57.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmH5kzIACgkQ05eS9J6n
+5cJP+Q//be4jFodkfCtiwKwMNr+1RvGZtopWq0X6g5CQCTIrPtUKqdie3ceOhjRi
+zl3vNInfus6iTo0jSBMiWCpj7cI3AekZvwLuDHKp1GWv5WWQivDe6A6sbrGSgIQ2
+9MG7RYE7t0L0LVnzTSlHCWXCzTqmpzTXEePw7NqgPhg7J3NtwYLBh5C4MqmScA6Y
+vbNzWMGIfa9IJqaDcxxEdqqGoTrv/MEWzVZ7TzM4O8DWIm+oK/5E+qiTk1fSyc/Z
+uI6hUMMt7xxP8KkZdlqVODwHzVo6v4kigpNTqNK1epv3nFrL3hJ+e3GhWreV6tkI
+XA9pjZT2gyLz+Ryn7QyIzrByrpXKDQK/8nKu9eoQdhDdxN6sWS65PPQKPhzQOemk
+qFx3V2oK3UMF7Q2BeF8aDxm48RU8weDACcxn2w6X73VyIHvz1H3MpirxPrcwjm1v
+RQJKGUZfnnTfg8zsstVASaj2R2i+Qa0Zk70tbCaXrPH7TB6Cadx6sjBjoLViQYQk
+99glmvpc37u2ryW4MKlDNLeae9LnW7jyDMfpGlN3tJ4AD6y+2EcVixiTqAEF8t27
+hZgi/3MVUNltCfSUoOol9y/aqaTjxPHTR9HSjrmCnJAWHwmyk33lC4/17kd8Qx0U
+bEFufzp/pDwFur7dWJOxVehFHc0/MoOioJHbeN3oNBMQiFdDoRY=
+=efkJ
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-22:08.i386.asc b/website/static/security/advisories/FreeBSD-EN-22:08.i386.asc
new file mode 100644
index 0000000000..07b68e1759
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:08.i386.asc
@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:08.i386 Errata Notice
+ The FreeBSD Project
+
+Topic: Regression in i386 TLB invalidation logic
+
+Category: core
+Module: i386
+Announced: 2022-02-01
+Affects: FreeBSD 12.2 and 12.3
+Corrected: 2022-01-25 10:40:16 UTC (stable/12, 12.3-STABLE)
+ 2022-02-01 19:13:44 UTC (releng/12.3, 12.3-RELEASE-p2)
+ 2022-02-01 19:13:24 UTC (releng/12.2, 12.2-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The FreeBSD/i386 port supports running FreeBSD on 32-bit Intel and AMD CPUs.
+
+On the i386 platform, the operating system kernel is responsible for
+invalidating per-CPU TLBs (translation lookaside buffer) when virtual memory
+mappings are updated.
+
+II. Problem Description
+
+The patch which was released as EN-22:04.pcid introduced a regression
+affecting FreeBSD 12.2 and 12.3. This regression introduced a bug in the i386
+platform's TLB invalidation logic.
+
+III. Impact
+
+The regression causes kernel panics under multi-core CPU load.
+
+IV. Workaround
+
+No workaround is available. Single-core systems are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-22:08/i386.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:08/i386.patch.asc
+# gpg --verify i386.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/12/ r371519
+releng/12.3/ r371536
+releng/12.2/ r371534
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261338>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:08.i386.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmH5kz4ACgkQ05eS9J6n
+5cJVsQ/+KFXts6jb5Nrm2qbZm38x6af3zwiN/v39cz5DumOvIC0OFTiaeaWU91Dc
+bytpGp6KIuOK6pYGIP4NrZW5L0pow3mwV/nxpZLATR4QTCiBydOgKekjaAiU6rxX
+vX/MS2rm6Th6EcBIw1dept1up73qM2FoM8DC+/e9HlCtqyDqfgBLqbMuSymk0fz+
+Lh1Zj9ywS1sY+fn7eeAq7RmlTpuQBnlZEllDhf9paC5JWR4fu23XQeZHUUIuqOkF
+bnPE7hDaXdEvU0zY4b57vzTT7MQx7vCRBdCsk086s2dvInbeqTDEYSk5+R/kqsgR
+5+xijYPGb9D9J0tMaETGQp0vLkDI4xJpkX8AhZ8JBIjxyKxKI/VY+KOwX6CfUmon
+tgUeo8EYkliLBUtq31L7MLMzzCN1mjA05h78uBvDjmm9ATv8IAmKlSNestIzfl4j
+Rw3oYpQU/TsQSxUMnReRth781bORmJdDnEDAvjqGKGOT9VkUJ/3chv13EHJX88/R
+No1DYB3LM4MaGf1c7paB9ahJOnV8Z5bk5j3nqLhys2asEvGcWvuWW722LO/wcREL
+L4GsQmEbUerTeh8Q5RE147ZTYOnGb5eIQi5McPRozdNQBLjJGUOEhWeSBdBbDgch
+8cfYw3UdyNst80puq6t/4Wft4uhvkuNYKiaY9MKNYON/YHrhZ78=
+=TqoX
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-22:07/la57.patch b/website/static/security/patches/EN-22:07/la57.patch
new file mode 100644
index 0000000000..b424d4a185
--- /dev/null
+++ b/website/static/security/patches/EN-22:07/la57.patch
@@ -0,0 +1,12 @@
+--- sys/amd64/amd64/pmap.c.orig
++++ sys/amd64/amd64/pmap.c
+@@ -2015,8 +2015,7 @@
+
+ if ((cpu_stdext_feature2 & CPUID_STDEXT2_LA57) == 0)
+ return;
+- if (!TUNABLE_INT_FETCH("vm.pmap.la57", &la57))
+- la57 = 1;
++ TUNABLE_INT_FETCH("vm.pmap.la57", &la57);
+ if (!la57)
+ return;
+
diff --git a/website/static/security/patches/EN-22:07/la57.patch.asc b/website/static/security/patches/EN-22:07/la57.patch.asc
new file mode 100644
index 0000000000..3205213623
--- /dev/null
+++ b/website/static/security/patches/EN-22:07/la57.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmH5kz4ACgkQ05eS9J6n
+5cIAEA//VelXkW6LzL+V1KkJnQrJQJj7wXij630Ctz+9OnEFfiqghMy515U34nlD
+VqgigI7trWaQKtfbZ+GNNDycn+BbnKgeZAEWWgKpVqVuAWT6D0cZe086j5KIOVzr
+UbDuLjUIslWCnnl9Ez4mnIHhly1PsSy6m+71DxLjqcME854IxNCIo0dUgY6yl6yJ
+CV/f4zukJz8N9k2ZineX+DMv2XzjByx5s1DnNi65dcCSZ8uAxmujBvR34b+IgBXG
+jjmW/HLAy+IHiE6MTryS3221+z3grNFGK62ud9rXGahP1oLMym/P33hqftJOKZKH
+4odDXNOtVYzy6J7uTHp5UGitGUYq1uBAIGEL2wPvRMWPkLHMJ6yBdj5Ob8zB8azk
+G775W8/T8SaO7dPsfo3h4yf82xumvz6ft+amDjSycfJhGWg8feTqCi2+6JgNUBFf
+7fSkMCDKZsd64cqOoVizjdC94Ksxn9VWIE41hV6oL0DCjM/DON+R/Wqg5VGHlLEP
+50t+oH8ak07TE0QcITj/osHUVTxF5PFDdsPgPiYkXKgNGfHxXIkgttJyJtoZaUB8
+y3Aq3mZ9EyczOiWG+53EBRpxyO0SODQdP++oHNHyy9qA50fR4t2f1yMAmaEgSQ2c
+HswDlbJQbwRU+B1ZnG9XtE/TmZqBeKEGhROai4Dqrx00zI3yFok=
+=2dQo
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-22:08/i386.patch b/website/static/security/patches/EN-22:08/i386.patch
new file mode 100644
index 0000000000..50b87c3883
--- /dev/null
+++ b/website/static/security/patches/EN-22:08/i386.patch
@@ -0,0 +1,13 @@
+--- sys/x86/x86/mp_x86.c.orig
++++ sys/x86/x86/mp_x86.c
+@@ -1678,6 +1678,10 @@
+ uint32_t generation;
+ int cpu;
+
++#ifdef __i386__
++ sched_pin();
++#endif
++
+ /*
+ * It is not necessary to signal other CPUs while booting or
+ * when in the debugger.
diff --git a/website/static/security/patches/EN-22:08/i386.patch.asc b/website/static/security/patches/EN-22:08/i386.patch.asc
new file mode 100644
index 0000000000..2e9efa75c0
--- /dev/null
+++ b/website/static/security/patches/EN-22:08/i386.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmH5kz8ACgkQ05eS9J6n
+5cKd5RAAmFeOe672hitRtQ59uiSm7kYgp4Mh3fRv5XRQzx43LNb27/6/E925ZA4t
+G8i+jA2xRPhyfrvzV3MvCsDN8+9+/lsLABkY2AQj2fQJG+VTGz2QAf2hOxc7dFMs
+99Rhf7aupwMgAAknWk/ZsG2RAIYNGq1n5f4zHSQCIx95edosJ/hP4dqy25+xgCa6
+SXXV8ePacoaNXZP6Z66OgJvTaT0n6ONfEudvkPX6sVUvj/iUbzleIDGoangU6mIn
+qm+RB4OXcP2qv02XC+MquQoNmGSh/IrrYHl84EmSqhenoUR4tWkK8pB0NeQGSThM
+YqbCJ7YKl0UPqEax3kJrA5X/fppdppx5KpEuw0fEVudpofkoeNxM6Ww+Ub32EP+L
+hIDAPibkf8QbZmVu1YYEiCFLbP7pnTW+Xsv/fsYhJv8gtc3p4gwbPcO2MUn9Ltae
+bRFjqiUP1OI+8I/cruonrfugWIZSJgq3mR6A8qACtmsQ7GAsrdWhjL7gkkYWTj3P
+xUiQeshVgnQ4J8WYABNAaeTod1hVh/nwRsBfrIEQq4OXFoRbyb296gSb06QhjPoq
+6HxwEseTZws+9pFTCe+NCvCPL7V/Vk61ppoDdWU8YvzGP3jPu31YAXyz8pbkxQE0
+EGXTp+HwyP0wCuBnlHS3ixA32SIUdyOGKGS+nbeP2amKJ0w7OXU=
+=Svjy
+-----END PGP SIGNATURE-----