svn commit: r52797 - in head/share: security/advisories security/patches/EN-19:06 security/patches/EN-19:07 security/patches/SA-19:01 security/patches/SA-19:02 xml
Gordon Tetlow
gordon at FreeBSD.org
Tue Feb 5 18:38:31 UTC 2019
Author: gordon (src,ports committer)
Date: Tue Feb 5 18:38:28 2019
New Revision: 52797
URL: https://svnweb.freebsd.org/changeset/doc/52797
Log:
Add SA-19:01, SA-19:02, EN-19:06, and EN-19:07.
Approved by: so
Added:
head/share/security/advisories/FreeBSD-EN-19:06.dtrace.asc (contents, props changed)
head/share/security/advisories/FreeBSD-EN-19:07.lle.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-19:01.syscall.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-19:02.fd.asc (contents, props changed)
head/share/security/patches/EN-19:06/
head/share/security/patches/EN-19:06/dtrace.patch (contents, props changed)
head/share/security/patches/EN-19:06/dtrace.patch.asc (contents, props changed)
head/share/security/patches/EN-19:07/
head/share/security/patches/EN-19:07/lle.patch (contents, props changed)
head/share/security/patches/EN-19:07/lle.patch.asc (contents, props changed)
head/share/security/patches/SA-19:01/
head/share/security/patches/SA-19:01/syscall.11.2.patch (contents, props changed)
head/share/security/patches/SA-19:01/syscall.11.2.patch.asc (contents, props changed)
head/share/security/patches/SA-19:01/syscall.patch (contents, props changed)
head/share/security/patches/SA-19:01/syscall.patch.asc (contents, props changed)
head/share/security/patches/SA-19:02/
head/share/security/patches/SA-19:02/fd.patch (contents, props changed)
head/share/security/patches/SA-19:02/fd.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
head/share/xml/notices.xml
Added: head/share/security/advisories/FreeBSD-EN-19:06.dtrace.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-19:06.dtrace.asc Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,124 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:06.dtrace Errata Notice
+ The FreeBSD Project
+
+Topic: DTrace incompatibility with SMAP-enabled systems
+
+Category: core
+Module: dtrace
+Announced: 2019-02-05
+Credits: Mateusz Guzik
+Affects: FreeBSD 12.0
+Corrected: 2018-12-19 23:29:44 UTC (stable/12, 12.0-STABLE)
+ 2019-02-05 17:54:09 UTC (releng/12.0, 12.0-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+DTrace is a dynamic tracing framework that can be used to analyze the kernel
+and userspace applications in various ways.
+
+II. Problem Description
+
+When tracing userspace applications, the kernel component of DTrace may need
+to access userspace memory. With the addition of SMAP support to the amd64
+kernel, the kernel is not able to arbitrarily access userspace memory: it
+must set a CPU flag to enable access. The code used by DTrace to perform
+such accesses was not updated accordingly.
+
+III. Impact
+
+The problem means that certain DTrace actions do not work on SMAP-enabled
+systems. This does not affect the application being traced.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +30 "Rebooting for errata update"
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-19:06/dtrace.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:06/dtrace.patch.asc
+# gpg --verify dtrace.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r342267
+releng/12.0/ r343783
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:06.dtrace.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=3+kY
+-----END PGP SIGNATURE-----
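Review bot: Section III (Impact) says only that "certain DTrace actions do not work" and does not name the actions or say how the failure appears to the operator, so a reader cannot tell from the notice whether a given script is affected. Consider naming the affected class (section II points at actions that read userspace memory while tracing userspace applications). The Affects field could also state that only amd64 kernels with SMAP are concerned, since section II limits the problem to the amd64 kernel while step 2 of the Solution mentions i386 as well.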
Added: head/share/security/advisories/FreeBSD-EN-19:07.lle.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-19:07.lle.asc Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-19:07.lle Errata Notice
+ The FreeBSD Project
+
+Topic: LLE table lookup code race condition
+
+Category: core
+Module: net
+Announced: 2019-02-05
+Credits: Mark Johnston
+Affects: FreeBSD 12.0
+Corrected: 2019-01-25 20:24:53 UTC (stable/12, 12.0-STABLE)
+ 2019-02-05 17:59:50 UTC (releng/12.0, 12.0-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+A LLE (link layer entry) table stores information about hosts on a network
+and is used to translate between network layer addresses and data link layer
+addresses. The ARP cache, for example, is implemented using an LLE table.
+LLEs typically expire after some period, so there exist mechanisms to
+automatically remove them from their tables upon expiration.
+
+II. Problem Description
+
+The LLE table lookup code for IPv4 and IPv6 contains a race which results in
+a condition where the expiry period of an LLE is extended after it has been
+removed from the table and freed. By the time that the updated timer fires,
+the LLE structure has been freed, and so the timer code is operating on freed
+memory.
+
+III. Impact
+
+When the race is triggered, the result is typically a kernel panic. It may
+otherwise cause undefined system behavior.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +30 "Rebooting for errata update"
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-19:07/lle.patch
+# fetch https://security.FreeBSD.org/patches/EN-19:07/lle.patch.asc
+# gpg --verify lle.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r343454
+releng/12.0/ r343787
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234296>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:07.lle.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=zCSg
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-19:01.syscall.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-19:01.syscall.asc Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:01.syscall Security Advisory
+ The FreeBSD Project
+
+Topic: System call kernel data register leak
+
+Category: core
+Module: kernel
+Announced: 2019-02-05
+Credits: Konstantin Belousov
+Affects: All supported versions of FreeBSD.
+Corrected: 2019-02-05 17:52:06 UTC (stable/12, 12.0-STABLE)
+ 2019-02-05 18:05:05 UTC (releng/12.0, 12.0-RELEASE-p3)
+ 2019-02-05 17:54:02 UTC (stable/11, 11.2-STABLE)
+ 2019-02-05 18:07:45 UTC (releng/11.2, 11.2-RELEASE-p9)
+CVE Name: CVE-2019-5595
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The FreeBSD/amd64 architecture defines the SYSCALL instruction for syscalls,
+and uses registers calling conventions for passing syscalls arguments and
+return values in addition to the registers usage imposed by the SYSCALL and
+SYSRET instructions in long mode. In particular, the arguments are passed in
+registers specified by the C ABI, and the content of the registers specified
+as caller-save, is undefined after the return from syscall.
+
+II. Problem Description
+
+The callee-save registers are used by kernel and for some of them (%r8, %r10,
+and for non-PTI configurations, %r9) the content is not sanitized before
+return from syscalls, potentially leaking sensitive information.
+
+III. Impact
+
+Typically an address of some kernel data structure used in the syscall
+implementation, is exposed.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10m "Rebooting for security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch.asc
+# gpg --verify syscall.patch.asc
+
+[FreeBSD 11.2]
+# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch.asc
+# gpg --verify syscall.patch.11.2.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r343781
+releng/12.0/ r343788
+stable/11/ r343782
+releng/11.2/ r343789
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5595>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:01.syscall.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1X9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKPZBAAlwCVtNNIuq0s8FB9LjLaVJww1WWmbVJbhw1TJyBV2yRCkWwGDLag3dJ0
+EH8HwpWeL41lppjFeL6OMDZ2+wUnuShv3pAUGwodSRXsKWsp+aWqMPcNJifkVPxs
+DENrziUHnXkbOnbnP25eA12j0ztCz8FjKoDh+wrjuY4BL8jzBK4ZJtmYaubrFEcD
+GDStnEcvCNYDK8tf0rUW2lpv4oStTex5gFpZALPjq0g28kHPuctYzoOXOf9/So1i
+0kwdstsIdgydsDCHv5nXij7IDohNo+5KEJuee1cIptKftmxPLuonXyP0PiO3WA0h
+XQck1BbM5ENNm/0SOExctcqS+APXLf/VPhd2JwUPszRcYBV40pdqchkihoRXAKHs
+Dthv+9k9KrgwUO0wsrOvIzK8vjnVC2unUCXnFNX3OD2pfxCjKvl1grKQ2lAsP4Pu
+aP2VgPZyHbFKWQdOGaqOtM94CzXseXyYN3hgkNq+gPgDjkd7Xw8q5vu8d2QY/aYj
+Re4aEfUOzf9S22SQT9g4kx2QfEnUuJnnae3BMeBqWGngtQ7TnTHWrw3wGhxxC2S8
+iou+BzeCv9MRn74Fpzr/xnGRUwT+0wFJVd9N9QdpErRA59oo6X4TXNl6AvKHvxY7
+1UurBJ5MqUGUUIeJg8Qv5HpgJML3BiotDbk+LwmMx7T2IL1dJdk=
+=Aktj
+-----END PGP SIGNATURE-----
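Review bot: In the [FreeBSD 11.2] block of step 3a, the verify command names a file that was never fetched: the two fetch lines retrieve syscall.11.2.patch and syscall.11.2.patch.asc, but the next line runs "gpg --verify syscall.patch.11.2.asc", so the signature check fails as written. It should read "gpg --verify syscall.11.2.patch.asc". Separately, section I describes the registers whose content is undefined after return as caller-save, while section II calls %r8, %r9 and %r10 callee-save; the two sections should use the same term. The reboot line here uses "+10m" where the other notices in this commit use "+30".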
Added: head/share/security/advisories/FreeBSD-SA-19:02.fd.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-19:02.fd.asc Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-19:02.fd Security Advisory
+ The FreeBSD Project
+
+Topic: File description reference count leak
+
+Category: core
+Module: unix
+Announced: 2019-02-05
+Credits: Peter Holm
+Affects: FreeBSD 12.0
+Corrected: 2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
+ 2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
+ 2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
+CVE Name: CVE-2019-5596
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+UNIX-domain sockets are used for inter-process communication. It is
+possible to use UNIX-domain sockets to transfer rights, encoded as file
+descriptors, to another process.
+
+II. Problem Description
+
+FreeBSD 12.0 attempts to handle the case where the receiving process does
+not provide a sufficiently large buffer for an incoming control message
+containing rights. In particular, to avoid leaking the corresponding
+descriptors into the receiving process' descriptor table, the kernel handles
+the truncation case by closing descriptors referenced by the discarded
+message.
+
+The code which performs this operation failed to release a reference obtained
+on the file corresponding to a received right. This bug can be used to cause
+the reference counter to wrap around and free the file structure.
+
+III. Impact
+
+A local user can exploit the bug to gain root privileges or escape from
+a jail.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +30 "Rebooting for security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.0]
+# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch
+# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch.asc
+# gpg --verify fd.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r343785
+releng/12.0/ r343790
+stable/11/ r343786
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5596>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:02.fd.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1YFfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cK7+w/+JeFIVM0QQC1R4wJFmT3bBaRumxGCx5PN5Ufe7ub/ztwsKQKJeps1aiS3
+fzw3Ck1K7+joeG+cNwZNihmAyEa2Hgk+FDhQBX531yrwF1jQ2A2oKGfkhs5e02Ng
+k16MV9pVlNP1zQ3wFVBjFCCvBuVJ0A8XTxALY7ivZlj2edgSH1eL4SaP1mrSD2Xu
+pR2amN7WkAaIqvATK0VkWjYp6kUXtI8CBtdP3hpKz88rpYoZfWxupqtghnxgjIqt
+iuTOhbemvYuBvB+ErbtU/6Z4ffoHt9Csrk2MM56/RZRwyHmtC4CFqtxClrUpOoa2
+2OcEbR8cZyEardSES78UBjbTwlOTVd5F4o86Q1bKytHjI72ycB5yKZkyiHmdJCjs
+EhlaDC/rnHxdYGvBuiLqFcNU5tJiGawZZwyozCQz67dGD89QzKQurKEWQ1YJvMsW
+ZwwJRSHrllUyJQBdqV/R3Qoaz2koeE9633jtqHDdUYKCZAgeFdic/6u9r4Rx2Nj5
+JpTZU01bwvxNZPf35WbI2L+JbygR40b3FYbZ3skBqZylp+EkPGPxGpHGAxdKWeOy
+rzGBukIuWnLy9pmJ574oTZymw8Psvu2DJL3Csngak1HkcA9mA5vjnDBvk9mvqTgo
+YCfCewlfFwVa/exSK3q5oI9hxse0KvQI4cH2+c2b7NDMS9+DpTY=
+=pr7t
+-----END PGP SIGNATURE-----
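Review bot: The Affects field lists only FreeBSD 12.0, but the Corrected field and the table in section VI also carry a stable/11 entry (11.2-STABLE, r343786), and section II describes the faulty truncation handling as something "FreeBSD 12.0 attempts". The notice should say whether 11-STABLE systems are vulnerable. If they are, add them to Affects and give them an entry in step 3a, which currently has only a [FreeBSD 12.0] block; if the stable/11 commit is only precautionary, say so next to the revision.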
Added: head/share/security/patches/EN-19:06/dtrace.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-19:06/dtrace.patch Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,256 @@
+--- sys/cddl/dev/dtrace/amd64/dtrace_asm.S.orig
++++ sys/cddl/dev/dtrace/amd64/dtrace_asm.S
+@@ -208,7 +208,7 @@
+ void
+ dtrace_copy(uintptr_t src, uintptr_t dest, size_t size)
+ */
+- ENTRY(dtrace_copy)
++ ENTRY(dtrace_copy_nosmap)
+ pushq %rbp
+ movq %rsp, %rbp
+
+@@ -218,14 +218,28 @@
+ smovb /* move from %ds:rsi to %ed:rdi */
+ leave
+ ret
+- END(dtrace_copy)
++ END(dtrace_copy_nosmap)
+
++ ENTRY(dtrace_copy_smap)
++ pushq %rbp
++ movq %rsp, %rbp
++
++ xchgq %rdi, %rsi /* make %rsi source, %rdi dest */
++ movq %rdx, %rcx /* load count */
++ stac
++ repz /* repeat for count ... */
++ smovb /* move from %ds:rsi to %ed:rdi */
++ clac
++ leave
++ ret
++ END(dtrace_copy_smap)
++
+ /*
+ void
+ dtrace_copystr(uintptr_t uaddr, uintptr_t kaddr, size_t size,
+ volatile uint16_t *flags)
+ */
+- ENTRY(dtrace_copystr)
++ ENTRY(dtrace_copystr_nosmap)
+ pushq %rbp
+ movq %rsp, %rbp
+
+@@ -248,56 +262,121 @@
+ leave
+ ret
+
+- END(dtrace_copystr)
++ END(dtrace_copystr_nosmap)
+
++ ENTRY(dtrace_copystr_smap)
++ pushq %rbp
++ movq %rsp, %rbp
++
++ stac
++0:
++ movb (%rdi), %al /* load from source */
++ movb %al, (%rsi) /* store to destination */
++ addq $1, %rdi /* increment source pointer */
++ addq $1, %rsi /* increment destination pointer */
++ subq $1, %rdx /* decrement remaining count */
++ cmpb $0, %al
++ je 2f
++ testq $0xfff, %rdx /* test if count is 4k-aligned */
++ jnz 1f /* if not, continue with copying */
++ testq $CPU_DTRACE_BADADDR, (%rcx) /* load and test dtrace flags */
++ jnz 2f
++1:
++ cmpq $0, %rdx
++ jne 0b
++2:
++ clac
++ leave
++ ret
++
++ END(dtrace_copystr_smap)
++
+ /*
+ uintptr_t
+ dtrace_fulword(void *addr)
+ */
+- ENTRY(dtrace_fulword)
++ ENTRY(dtrace_fulword_nosmap)
+ movq (%rdi), %rax
+ ret
+- END(dtrace_fulword)
++ END(dtrace_fulword_nosmap)
+
++ ENTRY(dtrace_fulword_smap)
++ stac
++ movq (%rdi), %rax
++ clac
++ ret
++ END(dtrace_fulword_smap)
++
+ /*
+ uint8_t
+ dtrace_fuword8_nocheck(void *addr)
+ */
+- ENTRY(dtrace_fuword8_nocheck)
++ ENTRY(dtrace_fuword8_nocheck_nosmap)
+ xorq %rax, %rax
+ movb (%rdi), %al
+ ret
+- END(dtrace_fuword8_nocheck)
++ END(dtrace_fuword8_nocheck_nosmap)
+
++ ENTRY(dtrace_fuword8_nocheck_smap)
++ stac
++ xorq %rax, %rax
++ movb (%rdi), %al
++ clac
++ ret
++ END(dtrace_fuword8_nocheck_smap)
++
+ /*
+ uint16_t
+ dtrace_fuword16_nocheck(void *addr)
+ */
+- ENTRY(dtrace_fuword16_nocheck)
++ ENTRY(dtrace_fuword16_nocheck_nosmap)
+ xorq %rax, %rax
+ movw (%rdi), %ax
+ ret
+- END(dtrace_fuword16_nocheck)
++ END(dtrace_fuword16_nocheck_nosmap)
+
++ ENTRY(dtrace_fuword16_nocheck_smap)
++ stac
++ xorq %rax, %rax
++ movw (%rdi), %ax
++ clac
++ ret
++ END(dtrace_fuword16_nocheck_smap)
++
+ /*
+ uint32_t
+ dtrace_fuword32_nocheck(void *addr)
+ */
+- ENTRY(dtrace_fuword32_nocheck)
++ ENTRY(dtrace_fuword32_nocheck_nosmap)
+ xorq %rax, %rax
+ movl (%rdi), %eax
+ ret
+- END(dtrace_fuword32_nocheck)
++ END(dtrace_fuword32_nocheck_nosmap)
+
++ ENTRY(dtrace_fuword32_nocheck_smap)
++ stac
++ xorq %rax, %rax
++ movl (%rdi), %eax
++ clac
++ ret
++ END(dtrace_fuword32_nocheck_smap)
++
+ /*
+ uint64_t
+ dtrace_fuword64_nocheck(void *addr)
+ */
+- ENTRY(dtrace_fuword64_nocheck)
++ ENTRY(dtrace_fuword64_nocheck_nosmap)
+ movq (%rdi), %rax
+ ret
+- END(dtrace_fuword64_nocheck)
++ END(dtrace_fuword64_nocheck_nosmap)
+
++ ENTRY(dtrace_fuword64_nocheck_smap)
++ stac
++ movq (%rdi), %rax
++ clac
++ ret
++ END(dtrace_fuword64_nocheck_smap)
++
+ /*
+ void
+ dtrace_probe_error(dtrace_state_t *state, dtrace_epid_t epid, int which,
+--- sys/cddl/dev/dtrace/amd64/dtrace_isa.c.orig
++++ sys/cddl/dev/dtrace/amd64/dtrace_isa.c
+@@ -37,6 +37,7 @@
+ #include <machine/md_var.h>
+ #include <machine/reg.h>
+ #include <machine/stack.h>
++#include <x86/ifunc.h>
+
+ #include <vm/vm.h>
+ #include <vm/vm_param.h>
+@@ -664,3 +665,70 @@
+ }
+ return (dtrace_fuword64_nocheck(uaddr));
+ }
++
++/*
++ * ifunc resolvers for SMAP support
++ */
++void dtrace_copy_nosmap(uintptr_t, uintptr_t, size_t);
++void dtrace_copy_smap(uintptr_t, uintptr_t, size_t);
++DEFINE_IFUNC(, void, dtrace_copy, (uintptr_t, uintptr_t, size_t), static)
++{
++
++ return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ?
++ dtrace_copy_smap : dtrace_copy_nosmap);
++}
++
++void dtrace_copystr_nosmap(uintptr_t, uintptr_t, size_t, volatile uint16_t *);
++void dtrace_copystr_smap(uintptr_t, uintptr_t, size_t, volatile uint16_t *);
++DEFINE_IFUNC(, void, dtrace_copystr, (uintptr_t, uintptr_t, size_t,
++ volatile uint16_t *), static)
++{
++
++ return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ?
++ dtrace_copystr_smap : dtrace_copystr_nosmap);
++}
++
++uintptr_t dtrace_fulword_nosmap(void *);
++uintptr_t dtrace_fulword_smap(void *);
++DEFINE_IFUNC(, uintptr_t, dtrace_fulword, (void *), static)
++{
++
++ return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ?
++ dtrace_fulword_smap : dtrace_fulword_nosmap);
++}
++
++uint8_t dtrace_fuword8_nocheck_nosmap(void *);
++uint8_t dtrace_fuword8_nocheck_smap(void *);
++DEFINE_IFUNC(, uint8_t, dtrace_fuword8_nocheck, (void *), static)
++{
++
++ return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ?
++ dtrace_fuword8_nocheck_smap : dtrace_fuword8_nocheck_nosmap);
++}
++
++uint16_t dtrace_fuword16_nocheck_nosmap(void *);
++uint16_t dtrace_fuword16_nocheck_smap(void *);
++DEFINE_IFUNC(, uint16_t, dtrace_fuword16_nocheck, (void *), static)
++{
++
++ return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ?
++ dtrace_fuword16_nocheck_smap : dtrace_fuword16_nocheck_nosmap);
++}
++
++uint32_t dtrace_fuword32_nocheck_nosmap(void *);
++uint32_t dtrace_fuword32_nocheck_smap(void *);
++DEFINE_IFUNC(, uint32_t, dtrace_fuword32_nocheck, (void *), static)
++{
++
++ return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ?
++ dtrace_fuword32_nocheck_smap : dtrace_fuword32_nocheck_nosmap);
++}
++
++uint64_t dtrace_fuword64_nocheck_nosmap(void *);
++uint64_t dtrace_fuword64_nocheck_smap(void *);
++DEFINE_IFUNC(, uint64_t, dtrace_fuword64_nocheck, (void *), static)
++{
++
++ return ((cpu_stdext_feature & CPUID_STDEXT_SMAP) != 0 ?
++ dtrace_fuword64_nocheck_smap : dtrace_fuword64_nocheck_nosmap);
++}
Added: head/share/security/patches/EN-19:06/dtrace.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-19:06/dtrace.patch.asc Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1ZVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI/AQ//b3+UzDH6VXWyY0YODzxG/WxNZ97OvT3uVxWBXRU8KGpmXGnzqzAzxNtZ
+c1JHpZi2pxfxzFxnA0eLYDK/D6pcjvxTB7CPQVJqCXXibEVQepBSnuTEWCBD8EkR
+vDVVKid1aoMVofvtjQ+OGcYkOMgrrlN6eeL3voM8rrrIahupLyeSjfHdXItpI8Qx
+XXNwUvMNaVNlLhymas0Gpcy/iPcXbU5dQnZbzAg9U+nTGhKIuLqkouvswTzeist8
+B6i8YHM+phiCxKMJ7f4pDLD29Eb+sDPqVUt6DL8Av10jVGw2NphXIrZplodzJYft
+MZIdSDbxu9Q745EK8W60aeiIVEJxA1mIKjYhcJyCmELK29HthsuL0gUnSzruKhkD
+ZawH/sC7jI+QTXTT3cHXZleVYSd6FS+1S12EGskoWfrqi94ymyA4FBP135OfPMSq
+NOy+aKLNssGFlw5qyzvJirbt6Au6qI1mxVh0z6ljxskZU9DX6hoeboLZrDrTHco9
+3DHAOaSmajolFAeuMEDAuh+n4EpslzCfmies/ra/pHRR1rAcisNzgdzoBe4IMdGq
+qWEiiWnd7NNUkG4FFnD8ChiCm4cEoB7oG0vXk8iaCqT4R0O/dqqvQAKZLb4pU8Vq
+siAQutL5TgXvVg0faGsfekecZAa+F816zBgt0V5flmAdYlNeZyY=
+=e48g
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-19:07/lle.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-19:07/lle.patch Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,81 @@
+--- sys/netinet/in.c.orig
++++ sys/netinet/in.c
+@@ -1372,15 +1372,13 @@
+ IF_AFDATA_LOCK_ASSERT(llt->llt_ifp);
+ KASSERT(l3addr->sa_family == AF_INET,
+ ("sin_family %d", l3addr->sa_family));
++ KASSERT((flags & (LLE_UNLOCKED | LLE_EXCLUSIVE)) !=
++ (LLE_UNLOCKED | LLE_EXCLUSIVE),
++ ("wrong lle request flags: %#x", flags));
++
+ lle = in_lltable_find_dst(llt, sin->sin_addr);
+-
+ if (lle == NULL)
+ return (NULL);
+-
+- KASSERT((flags & (LLE_UNLOCKED|LLE_EXCLUSIVE)) !=
+- (LLE_UNLOCKED|LLE_EXCLUSIVE),("wrong lle request flags: 0x%X",
+- flags));
+-
+ if (flags & LLE_UNLOCKED)
+ return (lle);
+
+@@ -1389,6 +1387,17 @@
+ else
+ LLE_RLOCK(lle);
+
++ /*
++ * If the afdata lock is not held, the LLE may have been unlinked while
++ * we were blocked on the LLE lock. Check for this case.
++ */
++ if (__predict_false((lle->la_flags & LLE_LINKED) == 0)) {
++ if (flags & LLE_EXCLUSIVE)
++ LLE_WUNLOCK(lle);
++ else
++ LLE_RUNLOCK(lle);
++ return (NULL);
++ }
+ return (lle);
+ }
+
+--- sys/netinet6/in6.c.orig
++++ sys/netinet6/in6.c
+@@ -2311,16 +2311,13 @@
+ IF_AFDATA_LOCK_ASSERT(llt->llt_ifp);
+ KASSERT(l3addr->sa_family == AF_INET6,
+ ("sin_family %d", l3addr->sa_family));
++ KASSERT((flags & (LLE_UNLOCKED | LLE_EXCLUSIVE)) !=
++ (LLE_UNLOCKED | LLE_EXCLUSIVE),
++ ("wrong lle request flags: %#x", flags));
+
+ lle = in6_lltable_find_dst(llt, &sin6->sin6_addr);
+-
+ if (lle == NULL)
+ return (NULL);
+-
+- KASSERT((flags & (LLE_UNLOCKED|LLE_EXCLUSIVE)) !=
+- (LLE_UNLOCKED|LLE_EXCLUSIVE),("wrong lle request flags: 0x%X",
+- flags));
+-
+ if (flags & LLE_UNLOCKED)
+ return (lle);
+
+@@ -2328,6 +2325,18 @@
+ LLE_WLOCK(lle);
+ else
+ LLE_RLOCK(lle);
++
++ /*
++ * If the afdata lock is not held, the LLE may have been unlinked while
++ * we were blocked on the LLE lock. Check for this case.
++ */
++ if (__predict_false((lle->la_flags & LLE_LINKED) == 0)) {
++ if (flags & LLE_EXCLUSIVE)
++ LLE_WUNLOCK(lle);
++ else
++ LLE_RUNLOCK(lle);
++ return (NULL);
++ }
+ return (lle);
+ }
+
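Review bot: In both in.c and in6.c the "if (flags & LLE_UNLOCKED) return (lle);" early return sits before the new LLE_LINKED check, so callers that pass LLE_UNLOCKED can still be handed an entry that has already been unlinked; please document in the comment why those callers are safe, or state what they must check themselves. The new comment begins "If the afdata lock is not held" while the function opens with IF_AFDATA_LOCK_ASSERT(llt->llt_ifp), so it should say under what condition the lookup runs without that lock. The identical unlock-and-return block is added to both files and could live in one shared helper.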
Added: head/share/security/patches/EN-19:07/lle.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-19:07/lle.patch.asc Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=PZ6a
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-19:01/syscall.11.2.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-19:01/syscall.11.2.patch Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,19 @@
+--- sys/amd64/amd64/exception.S.orig
++++ sys/amd64/amd64/exception.S
+@@ -496,12 +496,14 @@
+ movq TF_RFLAGS(%rsp),%r11 /* original %rflags */
+ movq TF_RIP(%rsp),%rcx /* original %rip */
+ movq TF_RSP(%rsp),%rsp /* user stack pointer */
++ xorl %r8d,%r8d /* zero the rest of GPRs */
++ xorl %r10d,%r10d
+ cmpb $0,pti
+ je 2f
+ movq PCPU(UCR3),%r9
+ movq %r9,%cr3
+- xorl %r9d,%r9d
+-2: swapgs
++2: xorl %r9d,%r9d
++ swapgs
+ sysretq
+
+ 3: /* AST scheduled. */
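Review bot: The comment on the first added line, "zero the rest of GPRs", overstates what the two new instructions do: they clear only %r8 and %r10, and %r9 is cleared separately at label 2. Name the registers in the comment and say that they are cleared so that kernel values do not reach userspace on sysretq, and give "xorl %r10d,%r10d" the same comment or fold both lines under one.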
Added: head/share/security/patches/SA-19:01/syscall.11.2.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-19:01/syscall.11.2.patch.asc Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=VDU6
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-19:01/syscall.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-19:01/syscall.patch Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,19 @@
+--- sys/amd64/amd64/exception.S.orig
++++ sys/amd64/amd64/exception.S
+@@ -521,12 +521,14 @@
+ movq TF_RFLAGS(%rsp),%r11 /* original %rflags */
+ movq TF_RIP(%rsp),%rcx /* original %rip */
+ movq TF_RSP(%rsp),%rsp /* user stack pointer */
++ xorl %r8d,%r8d /* zero the rest of GPRs */
++ xorl %r10d,%r10d
+ cmpq $~0,PCPU(UCR3)
+ je 2f
+ movq PCPU(UCR3),%r9
+ movq %r9,%cr3
+- xorl %r9d,%r9d
+-2: swapgs
++2: xorl %r9d,%r9d
++ swapgs
+ sysretq
+
+ 3: /* AST scheduled. */
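Review bot: The relocated "2: xorl %r9d,%r9d" line has no comment explaining that %r9 must be cleared on both the "je 2f" path and the path that reloads %cr3 through %r9; add one at the label so a later edit does not move the xorl back above it. Apart from "cmpq $~0,PCPU(UCR3)" in place of "cmpb $0,pti", the lines here match syscall.11.2.patch, so any comment wording agreed there should be applied to both files.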
Added: head/share/security/patches/SA-19:01/syscall.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-19:01/syscall.patch.asc Tue Feb 5 18:38:28 2019 (r52797)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1hJfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJbrA//fheN3NfAhxlgRjYwFa6WvhJgHFqoNnwWZLKwUmGdlJCIpdb6o/0FiWVw
+dfH5hSUibY7+vVGYyjcMNnU2BwDFcrQJbzFK7qz8zkDX4sH5RujkGcuacIe71Ny0
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***