From nobody Thu Sep 19 15:11:32 2024 X-Original-To: dev-commits-doc-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4X8f9w2RGgz5X4f0 for ; Thu, 19 Sep 2024 15:11:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4X8f9w2GQBz4Lhc; Thu, 19 Sep 2024 15:11:32 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726758692; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Sb3Dk8sqy8fbaRv6d/1BsHWiBXGNxta0qW41UIwBFWU=; b=VcBBx8072fh13f1HPZh5xMwiRDYjwXR6LyY3neAzhD/9CJcqa5Byv/LOvZTgeHXlVQU3QO Tg5grrnbnPZohcFeDGqvyO2zYFwGZRdjR1GNzVOz3M3KIWUoUneveiQsHVpLrFbkvTmrFM MgcDnMSCAQjTlecF3KjtqqZaDP8cUXEIS3sXc6a5lRpO2ARitPKljwrfkmgWo/tRG7yWC4 BxP6n9tmUrjlnw2w4Kzjk20y3NX2TF6he06GSyFITNlddW8dgmoVsrARX4UJG1bDVRm0MN hUO1wseW+WNElRTv4K+aZzfcfgeXoK/m4xVUv/gzktdXeg/y8d5LSycIy8OnCA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1726758692; a=rsa-sha256; cv=none; b=gJxBFjFNwO4poWt7/WAC8vzHiRLv471Xi6MYbt+EoT2KTMuulqQ3hQ95mMSZBor1M98h8y kooc8eWPst/ku6A4X01lsC5NQ2CZdK6LIXWClPszRogZkGveLlS8SGc5HCkbqVqOe+nsug p2r4Y4j6c4Fwm3ZYHQ8ksuF6gOOTmEjuKk+OIc5mwf0JKVvPr7U49HNsIZqzszh7dj45TO dNbBQ/rSVncq1A8oGhcr6NX4oXbql5sqkR5XGIQUwTCN9dCctMslIdku9PGWtgqgK6by/v JfqslCRdbiMIcGAYPTiY2/rEl8VqtbkMKpxJa7A0E0fgWdjK8Xok8Mv4WZpmXg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726758692; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Sb3Dk8sqy8fbaRv6d/1BsHWiBXGNxta0qW41UIwBFWU=; b=XdpmHb7Iqa52KEAtDjNVvSFYT90GBumOjQt5kEoCCmb5ulc4QRRcfgHojWFuXlFpe2Lz3a C8KU0HeDAJs5H/mYAuL0wQSuNyoufgjnETI032LVtc7GhAS3lz3lSiiFXyf8p4DNdsQQV2 dmgeYJc3EuU6pLXO8zA/Z3VBE/zUiSFX+2t/jQtg26jcVdrL9HqpofQPiXVRlguOs7mA/m 9WE5vIqz1wJqSCLx8vAmW2ts5F+Kf6rMEeV5WgOKWm2ktX55PSkX8vJuH5DizZri3d5ZCp wHTDyB2alTpGcdLcko27K13uG0QOLw0rUexfJ+RhhQhlLvl5czAufjP4PiXv5Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4X8f9w1sJBz19p8; Thu, 19 Sep 2024 15:11:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 48JFBWLK017603; Thu, 19 Sep 2024 15:11:32 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 48JFBWQI017600; Thu, 19 Sep 2024 15:11:32 GMT (envelope-from git) Date: Thu, 19 Sep 2024 15:11:32 GMT Message-Id: <202409191511.48JFBWQI017600@gitrepo.freebsd.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org From: Gordon Tetlow Subject: git: 6c3d107653 - main - Add EN-24:16, SA-24:15, and SA-24:16. Update SA-24:05 and SA-24:09. List-Id: Commit messages for all branches of the doc repository List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-doc-all@freebsd.org Sender: owner-dev-commits-doc-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gordon X-Git-Repository: doc X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 6c3d1076537608a4d7d84446fd522f2bcf680719 Auto-Submitted: auto-generated The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/doc/commit/?id=6c3d1076537608a4d7d84446fd522f2bcf680719 commit 6c3d1076537608a4d7d84446fd522f2bcf680719 Author: Gordon Tetlow AuthorDate: 2024-09-19 15:07:29 +0000 Commit: Gordon Tetlow CommitDate: 2024-09-19 15:07:29 +0000 Add EN-24:16, SA-24:15, and SA-24:16. Update SA-24:05 and SA-24:09. Approved by: so --- website/data/security/advisories.toml | 8 + website/data/security/errata.toml | 4 + .../security/advisories/FreeBSD-EN-24:16.pf.asc | 160 ++++++ .../security/advisories/FreeBSD-SA-24:05.pf.asc | 36 +- .../security/advisories/FreeBSD-SA-24:09.libnv.asc | 37 +- .../security/advisories/FreeBSD-SA-24:15.bhyve.asc | 148 +++++ .../security/advisories/FreeBSD-SA-24:16.libnv.asc | 157 ++++++ .../static/security/patches/EN-24:16/pf-13.3.patch | 628 +++++++++++++++++++++ .../security/patches/EN-24:16/pf-13.3.patch.asc | 16 + .../static/security/patches/EN-24:16/pf-14.0.patch | 486 ++++++++++++++++ .../security/patches/EN-24:16/pf-14.0.patch.asc | 16 + .../static/security/patches/EN-24:16/pf-14.1.patch | 384 +++++++++++++ .../security/patches/EN-24:16/pf-14.1.patch.asc | 16 + .../static/security/patches/SA-24:15/bhyve.patch | 165 ++++++ .../security/patches/SA-24:15/bhyve.patch.asc | 16 + .../static/security/patches/SA-24:16/libnv.patch | 11 + .../security/patches/SA-24:16/libnv.patch.asc | 16 + 17 files changed, 2278 insertions(+), 26 deletions(-) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index fc502d85e6..b88121ea3b 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-24:16.libnv" +date = "2024-09-19" + +[[advisories]] +name = "FreeBSD-SA-24:15.bhyve" +date = "2024-09-19" + [[advisories]] name = "FreeBSD-SA-24:14.umtx" date = "2024-09-04" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index ddd7e6e5da..83dfdc6468 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,10 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-24:16.pf" +date = "2024-09-19" + [[notices]] name = "FreeBSD-EN-24:15.calendar" date = "2024-09-04" diff --git a/website/static/security/advisories/FreeBSD-EN-24:16.pf.asc b/website/static/security/advisories/FreeBSD-EN-24:16.pf.asc new file mode 100644 index 0000000000..3c38b7cd27 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-24:16.pf.asc @@ -0,0 +1,160 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-24:16.pf Errata Notice + The FreeBSD Project + +Topic: Incorrect ICMPv6 state handling in pf + +Category: core +Module: pf +Announced: 2024-09-19 +Affects: All supported versions of FreeBSD +Corrected: 2024-09-04 08:53:34 UTC (stable/14, 14.1-STABLE) + 2024-09-19 13:02:58 UTC (releng/14.1, 14.1-RELEASE-p5) + 2024-09-19 13:03:30 UTC (releng/14.0, 14.0-RELEASE-p11) + 2024-09-04 08:53:34 UTC (stable/13, 13.4-STABLE) + 2024-09-05 07:35:39 UTC (releng/13.4, 13.4-RC3) + 2024-09-19 13:04:05 UTC (releng/13.3, 13.3-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +pf is an Internet Protocol packet filter originally written for OpenBSD. pf +uses a state table to determine whether to allow a packet that is from a +known/already open transmission. It identifies ICMPv6 states based on the +address family, protocol, addresses, and the ID. + +Normally, states are created by outgoing packets, or by incoming packets +matching 'pass' rules. Packets that do not match any rule will be blocked or +allowed depending on the default rule. + +ICMPv6 Neighbor Discovery has to be allowed in the firewall for IPv6 to work +properly in broadcast networks, such as Ethernet. + +II. Problem Description + +Patches for a previous security advisory, FreeBSD-SA-24:05, were incomplete +and introduced some overly strict pf state tracking for ICMPv6 packets. + +III. Impact + +The bugs may prevent ICMPv6 functions, e.g., Neighbor Discovery, from working +as designed when the pf firewall is configured. + +IV. Workaround + +No workaround is available but systems not using IPv6 and the pf firewall are +not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 14.1] +# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.1.patch +# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.1.patch.asc +# gpg --verify pf-14.1.patch.asc + +[FreeBSD 14.0] +# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.0.patch +# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-14.0.patch.asc +# gpg --verify pf-14.0.patch.asc + +[FreeBSD 13.4] +No discrete patch is provided against 13.4 as the fix for this issue was +incorporated into 13.4-RELEASE. + +[FreeBSD 13.3] +# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-13.3.patch +# fetch https://security.FreeBSD.org/patches/EN-23:16/pf-13.3.patch.asc +# gpg --verify pf-13.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 38f74de7184a stable/14-n268653 +releng/14.1/ 1e965d5399e1 releng/14.1-n267715 +releng/14.0/ 413ae023b056 releng/14.0-n265452 +stable/13/ d6e5f8643d37 stable/13-n258307 +releng/13.4/ e893ec49afb2 releng/13.4-n258254 +releng/13.3/ ea9257bcd0e1 releng/13.3-n257467 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbsPQkACgkQbljekB8A +Gu9jORAAw5niz67Jcjm2fP6//BNGgDTlXR+rI+Yajm3lNLqhz0xPZ7BDTZ/NINwc +bUfEK74R8n4kBuwhfIWendmDrYveeqGhhlZZOgiQfqXJuKmg6FBmQVQruq/Njs1Y +y1BOI/KOSyRjzB3nrq1D8HpTtj8zJdtlB3rvKbEL038BmM/AslOdQvZLq12xPyNO +xYqOYao664IaG6kqNUtN8oE8UpY0ACQGRt8BX2izLa+MAsDyglT2K3YS3cEiGRP9 +ZdbKplcVTZuNZ2XIORXkatRLCgC5BnFu0bK9TO6iMPtciX0ZwKov79zAvl14TK++ +sZhY2bKFEq1VrvpdngjAZfWNMTysQCZIsWqsBJCMQb42Q/DY9Cxs7KK2231zKkt2 +FcKdmQro2Qiy5DIClDoZuvQitQ6hRBFaffL6yRy2Zya70gz8cok3t7iEMsB9oSr3 +BVyNYBHwD3JUkq663mO785zvSIZAxQcqvuR8Tn034ffqJEojI1eFBNaHUcKvt4q4 +Uea03m+zq6xwFH/ZzUow/FFxBC67Nzje+2y3gaCLt4oKPxMDmvP2N43wbHevoTPD +/p4M8fki6RFzOEjc/+vAveul23dbNmbB1ssEdkG6VcqGcesdNTygei9r7j4GGJc4 +VjPmZ0emfR22lfGLGH817odQxXfb/0UYpiTuRcG1cKeU2Fv1Lg8= +=w2vT +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc index 0c6d2b859d..aa65bb2f3c 100644 --- a/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc +++ b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc @@ -24,6 +24,14 @@ For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . +Note: This advisory introduced additional issues that were addressed by +FreeBSD-EN-24:16.pf. Please refer to that erratum for additional fixes. + +0. Revision History + +v1.0 2024-08-07 -- Initial release +v1.1 2024-09-19 -- Add reference to EN-24:16.pf + I. Background pf is an Internet Protocol packet filter originally written for OpenBSD. pf @@ -135,21 +143,23 @@ VII. References + + The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhasACgkQbljekB8A -Gu9/0Q//S/qcyIxnQ1V8Gz8ghAQuJu8OlTdYV9OexFSKExcbc9FYK6LwhSUfPtHf -Bx9KowhQCH2D1X33qHRUCWVhDMhgpvHmg/+ajnm0IP/+nc+ZnNFCC0Ew5b/mk7Uw -jQAxW54/RSe1Cnl11T4RTcPI7YhGTej8T5T8dm2TlCdTI3m7xS/zfR3e4x89yrmW -gVUBG54udbSSzxMDJk2rbr9anoinzaI0eiXY/rnb729OTU6y4SmJ9ZZZwXs+bRpP -AUE7Zgj7pNrWC1CxTMy6XLdPE/L/8Yxz9mOFpyJcHahoEHcMH+5DKQePGa4mQgnS -N8Srtrxx3Ipz5/zzOPr+O0BbOh8m7KMXU/J8Y3aHpUzbnr+IfGEUHBukN93M3qbV -Qkw9iW+5HZ45P16Fyaj2cq7He7F39/7B/DhfjLldbUOnWGPmn3JrWkvONL++iAyI -+vOrfGubyTtwgSdZGDcv+FUrL6af6nQzFBBgv4z4TpHN+BTcwA5c6JwuOlvMc5ZY -ISh8WItjxmK5Gh27H7JBGKwWDnKYjqkRcgJ7QZd7dmjo2bzOlnKV0eYk51eBvoIh -FV4YGAgMPxCJGBrl54/0F5+C8zl0cjNlEhnyyl2IEBbPbnfmvpNw3tMbJdPfEUhF -DK+j5IkDU/4sNrV/dmeD+K+u/3xgDxtUv6IjH2odmADtlCbOV80= -=/mRR +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbsNYgACgkQbljekB8A +Gu/+9Q/9H++Mts0NlrhE3hsCOats5GpAtsq/hRByjZx0flGwIKyIhvHh364hAWDQ +gvdzWijlrYz86jiekM+CEpg08lkCKKm9jM22AaA2uZqIaUNgh0blenDMvAOqJc4W +e08vmW1Q7RopuT3mjJHhqC9mU6s6B5aaAdjFfkKBRdp+BtMnTZmaH1Bx/acHx7SL +R9WVIDUMEQVorqo1/2YnuO+LrAaiFEKkJ7YN+CS/wN2IbDaupyny1fWKffhBGu0C +Hg/gubJuLGqlBvmDp88Mi+kxyzkw9+MbR3haS2P13FFxDj80JEhaH71hG7CAZ5xd +1S1qv2PvpEKw8TdH249Z0YVK1aUA6h3wy6TWrQkM1YjaWzHY3XJoMq90OwluQQTI +fw5njyLrVvYonHQLqLRv59hlC/0V9+Utpy8cvRA9d7dRf/JBarsFVhp5F7IQDLuq +qE/vf+0lRa7WwFkr+FWfP4Cgt+I39DJFW0nybtll4eJfR5+0j+vGsaZZM973S94F +xkqAU3xXulpQvT1qHvf7d7UY24H7Kmbzet0LNd30PrWT+uRktpZ164wHRZd96eHg +3TXOvSTgqIzvsuxcBI0vh+5EWbTgMKOG21zSwwzbDMM1vNI/39YYJaWnNlUFH17+ +w0sm1aAF9P4vbAz7n+hxQVJFEAZwSChIfuPEuV8QKJGbpyqoDm8= +=iMcB -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc index 8fa9aa9e43..9c18ebdc37 100644 --- a/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc +++ b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc @@ -26,6 +26,15 @@ For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . +Note: This advisory provided an incomplete fix for the issues described as +CVE-2024-45287 that were further addressed by FreeBSD-SA-24:16.pf. Please +refer to that advisory for additional fixes. + +0. Revision History + +v1.0 2024-09-04 -- Initial release +v1.1 2024-09-19 -- Add reference to SA-24:16.libnv + I. Background libnv (also called nvlist) is a general-purpose library designed for storing @@ -138,21 +147,23 @@ VII. References + + The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54cACgkQbljekB8A -Gu8YLRAAmpVVVib8RgEj0bKS5qNLwujEssMIO96LS73txcFGm/Iy+QJA/N/SRtDL -lnKRi0ya90pBmXXhX03Uei+O/nBAFxkCxCukuQ36bauJrA74RFgn/8ZK63RbvdDE -K+xAyK71FXLTr+wGqyzv0xOxNA60dl14WiyaLCUX++0DU3EesmVD508wIL7Ls/bS -5g5vllxmELV2zXYXY/DbEVHS/i2YRCs8ftasa92uXVgOibODVpL/GSXy1QHyykNQ -ODAmGjs+p0xf2JDJa2qvokMh4WS4HkGe4W/TcJueTiSbsdOrDDhOV/n0QTgwt1rQ -zq2QQU3tk2unYjhQrR6ZvHTbFCKc7G3BVFCPAZ6fSthq834EoCr2LUGyYhU+bLZ6 -SweQfCP48ExjIqvDzQqMOlvp9rMiLbxpjkdDcsml4zhD2GE+byuT6RSRBqq3tBvT -893YoIiW1m069DnAQxh1Zlewsk/BZFeeXBHZdk4Ik5KYFCwCabV3HLFa9hA1/iKx -5ITULL0gZgZKBQ9IbpkL45q9mcDHXrVuMPfA0a3bb38rpoK5uof25+oKSGGvWyDA -plGXuEh5Sltmx0lOdY2O70j8pLh7bVJCyo5rYDhObzQlWiajUx1pH3M9DePbI+Rk -Z+Gby0zKpXzgSfHSiSyfVPgDMa83yDpiozRMszjpvApB7h/hekQ= -=yX5r +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbsNakACgkQbljekB8A +Gu8sqBAAjveC5IbbKHX/Up8kxzM7XhSjpdTHRCPfwpcjZuAUfCd39m1LRpDTlx0O +gJKksiC5A92rk4aj/OtRB29p6LLyc7k531tqW/3F2Zh7n7aqjKaY9G5neTcPVn3u +7XMVyOtV6dJIUrZaG7+UXrkdUCOrTYNhCOKGoC4EKibyPcAaI0YflY8h7AY5oYVm +KagVktjWfHp3uE7BQqc//9VTA9ZiTO6RrJ2EJus2Nd6M08FQKA2B+q4XcVBHY5oO +n7A0eUso6IUGFFVA1bPpVV8757nlwrnaOalO37ab0Kol3eekeKmFfJez03pWUeDW +tVohnIu3KLcmJ4HeS3aUbr83YbWAFQnvmOM10JUwz4af88RUBvAMHRu0f9hz+aVG +1uukXL+zdK4nmFllfFjQ8+HhSF9MWsc9ZoEgR+JfekkiIV/t4yUqPo8IjaS6ysQs +FdziZMuLsywHEnTzni2STDKXnb0MNV/8OrDtND1ihzFkX+iksapvdjHIJZJwI9Pc +qkXEw1Q7WDKDHlK5iEzkCcTkeEe7N4oNeHjCEn1LznU2mQoreCAGPm6KDQFjN4G6 +U2/o1vJTIpxoOsHT5xJ9dk1WV/gE7C7BSWAPALNPv92v7G/Lmxf5hr4LquaswiNl +L1C7olKkIDo+gYbRJPIA5cvxZP/YQ5WEIqHHuAT085jG1rlXbQk= +=64kV -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:15.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:15.bhyve.asc new file mode 100644 index 0000000000..77351dc3df --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:15.bhyve.asc @@ -0,0 +1,148 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:15.bhyve Security Advisory + The FreeBSD Project + +Topic: bhyve(8) out-of-bounds read access via XHCI emulation + +Category: core +Module: bhyve +Announced: 2024-09-19 +Credits: Synacktiv +Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project +Affects: All supported versions of FreeBSD. +Corrected: 2024-09-19 12:40:17 UTC (stable/14, 14.1-STABLE) + 2024-09-19 13:30:18 UTC (releng/14.1, 14.1-RELEASE-p5) + 2024-09-19 13:30:44 UTC (releng/14.0, 14.0-RELEASE-p11) + 2024-09-19 12:48:52 UTC (stable/13, 13.4-STABLE) + 2024-09-19 13:35:06 UTC (releng/13.4, 13.4-RELEASE-p1) + 2024-09-19 13:35:37 UTC (releng/13.3, 13.3-RELEASE-p7) +CVE Name: CVE-2024-41721 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +bhyve(8) is a hypervisor that runs guest operating systems inside a virtual +machine. + +II. Problem Description + +bhyve can be configured to emulate devices on a virtual USB controller (XHCI), +such as USB tablet devices. An insufficient boundary validation in the USB +code could lead to an out-of-bounds read on the heap, which could potentially +lead to an arbitrary write and remote code execution. + +III. Impact + +A malicious, privileged software running in a guest VM can exploit the +vulnerability to crash the hypervisor process or potentially achieve code +execution on the host in the bhyve userspace process, which typically runs as +root. Note that bhyve runs in a Capsicum sandbox, so malicious code is +constrained by the capabilities available to the bhyve process. + +IV. Workaround + +No workaround is available, but guests that do not use XHCI emulation are not +impacted. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Guest operating systems emulating USB devices with XHCI need to be restarted for +the correction to be applied (i.e., their corresponding bhyve process needs to +be terminated and started again). + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:15/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-24:15/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the corresponding bhyve processes, or reboot the system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 419da61f8203 stable/14-n268745 +releng/14.1/ 3c6c0dcb5acb releng/14.1-n267716 +releng/14.0/ ba46f1174972 releng/14.0-n265453 +stable/13/ 2abd2ad64899 stable/13-n258347 +releng/13.4/ 5f035df278cc releng/13.4-n258258 +releng/13.3/ e7a790dc3ffe releng/13.3-n257468 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +The corresponding part of the security audit report as provided by Synacktiv +will be published in due course. + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbsPQ0ACgkQbljekB8A +Gu/6chAAzST6xGx6RCb7MAHeZbqE3mTTUFoEkElPG3OiFsnFDySDnk0kKIjCNRbq +GssLGYfUerFYD4/jDhGLApZnBnPhaTruNgwi38d8Pg4pkcqGv8Y5xSdOQBN83Rjq +WiEgRqysuaE6HhvNN+JYf690M1Z6Tz0WkqoUJa8ZB8WcDnvBNQwMM0Prmo1RTZGR +UXxftj+is3EQFUQs/3GcPRzTcp8Cu5QZnfFdbGph6Da/ZIQ6NaslYgslWvmsYHzP +AVb/WI54VnIuMVoRIDWGtjjQa8p2H+dRih67clZYFxl2ya85aK78UrrtPk8x4dci +9KsISpKidqC/ofdT4mHpNH3Uxx4N2ymPJG6xJ/MGmDmrIIk1vjKejy9RVSJzt4QN +Iu1u/8d5NVXsMxbKQMEKqXY2dPFKi17S+EnhKzJUjtXeBxcMbNPh2Xcl+BmI8cZ2 +WuJvfplzu5Wcvd3LUa7s0Z3AHKktiMr1IGIlk8XEEee0b7k164imZlRUZFTCYA6S +dNGTQ2UcHZz7W2Sk2HZf8CdNEgQQftW0BDc2IIs3lyA2WyPsIjGByUl987k3veQa +fQCXzf7cp/a0rOZ9KngMxdJap+TBKCsPLEFm46i074ngmuoJZsW3xd7ZD8hLFlPX +eaKh5MjWsHHfTYPRxeUKk2j9dobzN1ZP7AYWDasaDxZ4kmVIuEE= +=FVQ2 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-24:16.libnv.asc b/website/static/security/advisories/FreeBSD-SA-24:16.libnv.asc new file mode 100644 index 0000000000..751a154622 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-24:16.libnv.asc @@ -0,0 +1,157 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-24:16.libnv Security Advisory + The FreeBSD Project + +Topic: Integer overflow in libnv + +Category: core +Module: libnv +Announced: 2024-09-19 +Credits: MiƂosz Kaniewski +Affects: All supported versions of FreeBSD. +Corrected: 2024-09-15 16:59:15 UTC (stable/14, 14.1-STABLE) + 2024-09-19 13:30:20 UTC (releng/14.1, 14.1-RELEASE-p5) + 2024-09-19 13:30:45 UTC (releng/14.0, 14.0-RELEASE-p11) + 2024-09-15 16:59:51 UTC (stable/13, 13.4-STABLE) + 2024-09-19 13:35:07 UTC (releng/13.4, 13.4-RELEASE-p1) + 2024-09-19 13:35:38 UTC (releng/13.3, 13.3-RELEASE-p7) +CVE Name: CVE-2024-45287 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +libnv (also called nvlist) is a general-purpose library designed for storing +name-value pairs. This library can serve as an Inter-Process Communication +(IPC) framework, enabling processes to exchange data. For example, it is +used in libcasper to communicate between privileged and unprivileged +processes. Additionally, libnv can function as an interface for communication +between userland and kernel. + +Originally, libnv was inspired by OpenZFS nvlist. However, the +implementations are separate. This advisory is only about base system +implementation of libnv, not a OpenZFS one. + +II. Problem Description + +A malicious value of size in a structure of packed libnv can cause an integer +overflow, leading to the allocation of a smaller buffer than required for the +parsed data. The introduced check was incorrect, as it took into account the +size of the pointer, not the structure. This vulnerability affects both +kernel and userland. + +This issue was originally intended to be addressed as part of +FreeBSD-SA-24:09.libnv, but due to a logic issue, this issue was not properly +addressed. + +III. Impact + +It is possible for an attacker to overwrite portions of memory (in userland +or the kernel) as the allocated buffer might be smaller than the data +received from a malicious process. This vulnerability could result in +privilege escalation or cause a system panic. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-24:16/libnv.patch +# fetch https://security.FreeBSD.org/patches/SA-24:16/libnv.patch.asc +# gpg --verify libnv.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +d) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 056c50c48be3 stable/14-n268739 +releng/14.1/ f67468e6e5e2 releng/14.1-n267717 +releng/14.0/ e9d57be06e23 releng/14.0-n265454 +stable/13/ d84fced6b468 stable/13-n258342 +releng/13.4/ 2cffa6354d9f releng/13.4-n258259 +releng/13.3/ 417e81a40091 releng/13.3-n257469 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbsPQ8ACgkQbljekB8A +Gu9aMBAA1N3FliBdeklIU0XGoyrvS0z7goFpFKeLVlkIHssYzZQAWHMILHET6O9n +Gv5vICw5vGDWv/1Rb9muCMQ4wcEW/c/YFEU0FM3VFTgJ+fQrA4ZO/NjpRSixiGDk +uVkJ25Fo2TMp58ITPWmT3Nj1MJ0x9xNzMxXhLk2JgK/sEMH+/Giju8Zq7XojHHC0 +QluYmz1V3EClPXiArkcgt/pagQ24b5yYmOAKGQGHEdRM18QWeJzJ4kUBzATcUVjv +RWkLHz69emH6aQ3JNwyuEQlK/Xda3ge2zMIJ4tYObg21dEFdgqnFoLFrylCUkgIE +T86QPQfb0HGTRhnSjdh/NN5qyiOo9q4FzpIsI3eJ3XJgk0/T/O8Rv+2fexAm0g3+ +37kgkxohETi6RQc3D4ClpmW7bP1DEK8uUwUGeJgCNmkpE4DVpLmGZ0tNbSf/0Mk6 +slYSHb6dF6wNB4AV/1HIusp6i2GlPziNYkhlslkRQgeyXO9T1bWxYqdkYihDFLRs +PStlk1Diu0p+h3r08sX3LQrszBp1bLGkqaipFPLBwWStxYne9nsClORFhN4q9i+4 +fAnWxIRBXH62fJTy1DCPFqpI9zyvQTkVHQVKu5d+JgaTmTPsfJ3MIXdkGdAEV6+m +xbZSFwd2e8uzPIlZke2JmaT4xVv1T92lWu7Ywf8M0eEYWg5WQi8= +=OHm5 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-24:16/pf-13.3.patch b/website/static/security/patches/EN-24:16/pf-13.3.patch new file mode 100644 index 0000000000..3f657dcfdd --- /dev/null +++ b/website/static/security/patches/EN-24:16/pf-13.3.patch @@ -0,0 +1,628 @@ +--- sys/net/pfvar.h.orig ++++ sys/net/pfvar.h +@@ -330,8 +330,8 @@ + mtx_unlock(_s->lock); \ + } while (0) + #else +-#define PF_STATE_LOCK(s) mtx_lock(s->lock) +-#define PF_STATE_UNLOCK(s) mtx_unlock(s->lock) ++#define PF_STATE_LOCK(s) mtx_lock((s)->lock) ++#define PF_STATE_UNLOCK(s) mtx_unlock((s)->lock) + #endif + + #ifdef INVARIANTS +@@ -2222,7 +2222,7 @@ + struct pf_addr *, struct pf_addr *, + uint16_t, uint16_t, struct pf_kanchor_stackframe *); + +-struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct pf_addr *, ++struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct mbuf *, int, struct pf_addr *, + struct pf_addr *, u_int16_t, u_int16_t); + struct pf_state_key *pf_state_key_clone(struct pf_state_key *); + +--- sys/netpfil/pf/pf.c.orig ++++ sys/netpfil/pf/pf.c +@@ -307,6 +307,9 @@ + struct pfi_kkif *, struct mbuf *, void *, + struct pf_pdesc *, struct pf_krule **, + struct pf_kruleset **); ++static int pf_state_key_addr_setup(struct pf_pdesc *, struct mbuf *, ++ int, struct pf_state_key_cmp *, int, struct pf_addr *, ++ int, struct pf_addr *, int); + static int pf_tcp_track_full(struct pf_kstate **, + struct pfi_kkif *, struct mbuf *, int, + struct pf_pdesc *, u_short *, int *); +@@ -320,8 +323,8 @@ + void *, struct pf_pdesc *); + int pf_icmp_state_lookup(struct pf_state_key_cmp *, + struct pf_pdesc *, struct pf_kstate **, struct mbuf *, +- int, struct pfi_kkif *, u_int16_t, u_int16_t, +- int, int *, int); ++ int, int, struct pfi_kkif *, u_int16_t, u_int16_t, ++ int, int *, int, int); + static int pf_test_state_icmp(struct pf_kstate **, int, + struct pfi_kkif *, struct mbuf *, int, + void *, struct pf_pdesc *, u_short *); +@@ -375,7 +378,7 @@ + extern struct proc *pf_purge_proc; + + VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]); +-enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_SOLICITED, PF_ICMP_MULTI_LINK }; ++enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_LINK }; + + #define PACKET_UNDO_NAT(_m, _pd, _off, _s, _dir) \ + do { \ +@@ -1414,9 +1417,66 @@ + return (0); + } + ++static int ++pf_state_key_addr_setup(struct pf_pdesc *pd, struct mbuf *m, int off, ++ struct pf_state_key_cmp *key, int sidx, struct pf_addr *saddr, ++ int didx, struct pf_addr *daddr, int multi) ++{ ++#ifdef INET6 ++ struct nd_neighbor_solicit nd; ++ struct pf_addr *target; ++ u_short action, reason; ++ ++ if (pd->af == AF_INET || pd->proto != IPPROTO_ICMPV6) ++ goto copy; ++ ++ switch (pd->hdr.icmp6.icmp6_type) { ++ case ND_NEIGHBOR_SOLICIT: ++ if (multi) ++ return (-1); ++ if (!pf_pull_hdr(m, off, &nd, sizeof(nd), &action, &reason, pd->af)) ++ return (-1); ++ target = (struct pf_addr *)&nd.nd_ns_target; ++ daddr = target; ++ break; ++ case ND_NEIGHBOR_ADVERT: ++ if (multi) ++ return (-1); ++ if (!pf_pull_hdr(m, off, &nd, sizeof(nd), &action, &reason, pd->af)) ++ return (-1); ++ target = (struct pf_addr *)&nd.nd_ns_target; ++ saddr = target; ++ if (IN6_IS_ADDR_MULTICAST(&pd->dst->v6)) { ++ key->addr[didx].addr32[0] = 0; ++ key->addr[didx].addr32[1] = 0; ++ key->addr[didx].addr32[2] = 0; ++ key->addr[didx].addr32[3] = 0; ++ daddr = NULL; /* overwritten */ ++ } ++ break; ++ default: ++ if (multi == PF_ICMP_MULTI_LINK) { ++ key->addr[sidx].addr32[0] = IPV6_ADDR_INT32_MLL; ++ key->addr[sidx].addr32[1] = 0; ++ key->addr[sidx].addr32[2] = 0; ++ key->addr[sidx].addr32[3] = IPV6_ADDR_INT32_ONE; ++ saddr = NULL; /* overwritten */ ++ } ++ } ++copy: ++#endif ++ if (saddr) ++ PF_ACPY(&key->addr[sidx], saddr, pd->af); ++ if (daddr) ++ PF_ACPY(&key->addr[didx], daddr, pd->af); ++ ++ return (0); ++} ++ + struct pf_state_key * +-pf_state_key_setup(struct pf_pdesc *pd, struct pf_addr *saddr, +- struct pf_addr *daddr, u_int16_t sport, u_int16_t dport) ++pf_state_key_setup(struct pf_pdesc *pd, struct mbuf *m, int off, ++ struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t sport, ++ u_int16_t dport) + { + struct pf_state_key *sk; + +@@ -1424,8 +1484,12 @@ + if (sk == NULL) + return (NULL); + +- PF_ACPY(&sk->addr[pd->sidx], saddr, pd->af); +- PF_ACPY(&sk->addr[pd->didx], daddr, pd->af); ++ if (pf_state_key_addr_setup(pd, m, off, (struct pf_state_key_cmp *)sk, ++ pd->sidx, pd->src, pd->didx, pd->dst, 0)) { ++ uma_zfree(V_pf_state_key_z, sk); ++ return (NULL); ++ } ++ + sk->port[pd->sidx] = sport; + sk->port[pd->didx] = dport; + sk->proto = pd->proto; +@@ -4579,7 +4643,7 @@ + if (nr == NULL) { + KASSERT((sk == NULL && nk == NULL), ("%s: nr %p sk %p, nk %p", + __func__, nr, sk, nk)); +- sk = pf_state_key_setup(pd, pd->src, pd->dst, sport, dport); ++ sk = pf_state_key_setup(pd, m, off, pd->src, pd->dst, sport, dport); + if (sk == NULL) + goto csfailed; + nk = sk; +@@ -5990,8 +6054,9 @@ + + int + pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, +- struct pf_kstate **state, struct mbuf *m, int direction, struct pfi_kkif *kif, +- u_int16_t icmpid, u_int16_t type, int icmp_dir, int *iidx, int multi) ++ struct pf_kstate **state, struct mbuf *m, int off, int direction, ++ struct pfi_kkif *kif, u_int16_t icmpid, u_int16_t type, int icmp_dir, ++ int *iidx, int multi, int inner) + { + key->af = pd->af; + key->proto = pd->proto; +@@ -6004,31 +6069,19 @@ + key->port[pd->sidx] = type; + key->port[pd->didx] = icmpid; + } +- if (pd->af == AF_INET6 && multi != PF_ICMP_MULTI_NONE) { +- switch (multi) { +- case PF_ICMP_MULTI_SOLICITED: +- key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL; +- key->addr[pd->sidx].addr32[1] = 0; +- key->addr[pd->sidx].addr32[2] = IPV6_ADDR_INT32_ONE; +- key->addr[pd->sidx].addr32[3] = pd->src->addr32[3]; +- key->addr[pd->sidx].addr8[12] = 0xff; +- break; +- case PF_ICMP_MULTI_LINK: +- key->addr[pd->sidx].addr32[0] = IPV6_ADDR_INT32_MLL; +- key->addr[pd->sidx].addr32[1] = 0; +- key->addr[pd->sidx].addr32[2] = 0; +- key->addr[pd->sidx].addr32[3] = IPV6_ADDR_INT32_ONE; +- break; +- } +- } else +- PF_ACPY(&key->addr[pd->sidx], pd->src, key->af); +- PF_ACPY(&key->addr[pd->didx], pd->dst, key->af); ++ if (pf_state_key_addr_setup(pd, m, off, key, pd->sidx, pd->src, ++ pd->didx, pd->dst, multi)) ++ return (PF_DROP); + + STATE_LOOKUP(kif, key, direction, *state, pd); + ++ if ((*state)->state_flags & PFSTATE_SLOPPY) ++ return (-1); ++ + /* Is this ICMP message flowing in right direction? */ + if ((*state)->rule.ptr->type && +- (((*state)->direction == direction) ? ++ (((!inner && (*state)->direction == direction) || ++ (inner && (*state)->direction != direction)) ? + PF_IN : PF_OUT) != icmp_dir) { + if (V_pf_status.debug >= PF_DEBUG_MISC) { + printf("pf: icmp type %d in wrong direction (%d): ", +@@ -6036,6 +6089,8 @@ + pf_print_state(*state); + printf("\n"); + } ++ PF_STATE_UNLOCK(*state); ++ *state = NULL; + return (PF_DROP); + } + return (-1); +@@ -6084,19 +6139,20 @@ + * ICMP query/reply message not related to a TCP/UDP packet. + * Search for an ICMP state. + */ +- ret = pf_icmp_state_lookup(&key, pd, state, m, pd->dir, ++ ret = pf_icmp_state_lookup(&key, pd, state, m, off, pd->dir, + kif, virtual_id, virtual_type, icmp_dir, &iidx, +- PF_ICMP_MULTI_NONE); ++ PF_ICMP_MULTI_NONE, 0); + if (ret >= 0) { ++ MPASS(*state == NULL); + if (ret == PF_DROP && pd->af == AF_INET6 && + icmp_dir == PF_OUT) { +- if (*state != NULL) +- PF_STATE_UNLOCK((*state)); +- ret = pf_icmp_state_lookup(&key, pd, state, m, ++ ret = pf_icmp_state_lookup(&key, pd, state, m, off, + pd->dir, kif, virtual_id, virtual_type, +- icmp_dir, &iidx, multi); +- if (ret >= 0) ++ icmp_dir, &iidx, multi, 0); ++ if (ret >= 0) { ++ MPASS(*state == NULL); + return (ret); ++ } + } else + return (ret); + } +@@ -6178,6 +6234,7 @@ + int off2 = 0; + + pd2.af = pd->af; ++ pd2.dir = pd->dir; + /* Payload packet is from the opposite direction. */ + pd2.sidx = (direction == PF_IN) ? 1 : 0; + pd2.didx = (direction == PF_IN) ? 0 : 1; +@@ -6485,9 +6542,9 @@ + } + #ifdef INET + case IPPROTO_ICMP: { +- struct icmp iih; ++ struct icmp *iih = &pd2.hdr.icmp; + +- if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, ++ if (!pf_pull_hdr(m, off2, iih, ICMP_MINLEN, + NULL, reason, pd2.af)) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: ICMP error message too short i" +@@ -6495,15 +6552,17 @@ + return (PF_DROP); + } + +- icmpid = iih.icmp_id; +- pf_icmp_mapping(&pd2, iih.icmp_type, ++ icmpid = iih->icmp_id; ++ pf_icmp_mapping(&pd2, iih->icmp_type, + &icmp_dir, &multi, &virtual_id, &virtual_type); + +- ret = pf_icmp_state_lookup(&key, &pd2, state, m, +- pd->dir, kif, virtual_id, virtual_type, +- icmp_dir, &iidx, PF_ICMP_MULTI_NONE); +- if (ret >= 0) ++ ret = pf_icmp_state_lookup(&key, &pd2, state, m, off, ++ pd2.dir, kif, virtual_id, virtual_type, ++ icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1); ++ if (ret >= 0) { ++ MPASS(*state == NULL); + return (ret); ++ } + + /* translate source/destination address, if necessary */ + if ((*state)->key[PF_SK_WIRE] != +@@ -6514,10 +6573,10 @@ + if (PF_ANEQ(pd2.src, + &nk->addr[pd2.sidx], pd2.af) || + (virtual_type == htons(ICMP_ECHO) && +- nk->port[iidx] != iih.icmp_id)) ++ nk->port[iidx] != iih->icmp_id)) + pf_change_icmp(pd2.src, + (virtual_type == htons(ICMP_ECHO)) ? +- &iih.icmp_id : NULL, ++ &iih->icmp_id : NULL, + daddr, &nk->addr[pd2.sidx], + (virtual_type == htons(ICMP_ECHO)) ? + nk->port[iidx] : 0, NULL, +@@ -6533,7 +6592,7 @@ + + m_copyback(m, off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); + m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); +- m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih); ++ m_copyback(m, off2, ICMP_MINLEN, (caddr_t)iih); + } + return (PF_PASS); + break; +@@ -6541,9 +6600,9 @@ + #endif /* INET */ + #ifdef INET6 + case IPPROTO_ICMPV6: { +- struct icmp6_hdr iih; ++ struct icmp6_hdr *iih = &pd2.hdr.icmp6; + +- if (!pf_pull_hdr(m, off2, &iih, ++ if (!pf_pull_hdr(m, off2, iih, + sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: ICMP error message too short " +@@ -6551,22 +6610,24 @@ + return (PF_DROP); + } *** 1491 LINES SKIPPED ***