svn commit: r51201 - in head/share: security/advisories security/patches/SA-17:08 security/patches/SA-17:09 security/patches/SA-17:10 xml
Gordon Tetlow
gordon at FreeBSD.org
Wed Nov 15 23:08:47 UTC 2017
Author: gordon (src,ports committer)
Date: Wed Nov 15 23:08:45 2017
New Revision: 51201
URL: https://svnweb.freebsd.org/changeset/doc/51201
Log:
Add SA-17:08, SA-17:09, SA-17:10.
Added:
head/share/security/advisories/FreeBSD-SA-17:08.ptrace.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-17:09.shm.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-17:10.kldstat.asc (contents, props changed)
head/share/security/patches/SA-17:08/
head/share/security/patches/SA-17:08/ptrace.patch (contents, props changed)
head/share/security/patches/SA-17:08/ptrace.patch.asc (contents, props changed)
head/share/security/patches/SA-17:09/
head/share/security/patches/SA-17:09/shm-10.3.patch (contents, props changed)
head/share/security/patches/SA-17:09/shm-10.3.patch.asc (contents, props changed)
head/share/security/patches/SA-17:09/shm-10.patch (contents, props changed)
head/share/security/patches/SA-17:09/shm-10.patch.asc (contents, props changed)
head/share/security/patches/SA-17:10/
head/share/security/patches/SA-17:10/kldstat.patch (contents, props changed)
head/share/security/patches/SA-17:10/kldstat.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-17:08.ptrace.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-17:08.ptrace.asc Wed Nov 15 23:08:45 2017 (r51201)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:08.ptrace Security Advisory
+ The FreeBSD Project
+
+Topic: Kernel data leak via ptrace(PT_LWPINFO)
+
+Category: core
+Module: ptrace
+Announced: 2017-11-15
+Credits: John Baldwin
+Affects: All supported versions of FreeBSD.
+Corrected: 2017-11-10 12:28:43 UTC (stable/11, 11.1-STABLE)
+ 2017-11-15 22:39:41 UTC (releng/11.1, 11.1-RELEASE-p4)
+ 2017-11-15 22:40:15 UTC (releng/11.0, 11.0-RELEASE-p15)
+ 2017-11-10 12:31:58 UTC (stable/10, 10.4-STABLE)
+ 2017-11-15 22:40:32 UTC (releng/10.4, 10.4-RELEASE-p3)
+ 2017-11-15 22:40:46 UTC (releng/10.3, 10.3-RELEASE-p24)
+CVE Name: CVE-2017-1086
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The ptrace(2) syscall provides the facility for a debugger to control the
+execution of the target process and to obtain necessary status information
+about it. The struct ptrace_lwpinfo structure is reported by one of the
+ptrace(2) subcommand and contains a lot of the information about the stopped
+thread (light-weight process or LWP, thus the name).
+
+II. Problem Description
+
+Not all information in the struct ptrace_lwpinfo is relevant for the state
+of any thread, and the kernel does not fill the irrelevant bytes or short
+strings. Since the structure filled by the kernel is allocated on the
+kernel stack and copied to userspace, a leak of information of the kernel
+stack of the thread is possible from the debugger.
+
+III. Impact
+
+Some bytes from the kernel stack of the thread using ptrace(PT_LWPINFO)
+call can be observed in userspace.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch.asc
+# gpg --verify ptrace.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r325643
+releng/10.3/ r325871
+releng/10.4/ r325870
+stable/11/ r325642
+releng/11.0/ r325869
+releng/11.1/ r325868
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1086>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:08.ptrace.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=Uqz2
+-----END PGP SIGNATURE-----
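Review bot: Step 3a of section V ("# gpg --verify ptrace.patch.asc") does not say which key the signature must come from. gpg reports a good signature for any public key present in the reader's keyring, so the step should tell the reader to compare the signing key's fingerprint with the FreeBSD Security Officer key published on security.FreeBSD.org before applying the patch as root. Separately, "one of the ptrace(2) subcommand" in section I should be "subcommands"; because the text is PGP-signed, any wording fix means re-signing the advisory.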
Added: head/share/security/advisories/FreeBSD-SA-17:09.shm.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-17:09.shm.asc Wed Nov 15 23:08:45 2017 (r51201)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:09.shm Security Advisory
+ The FreeBSD Project
+
+Topic: POSIX shm allows jails to access global namespace
+
+Category: core
+Module: shm
+Announced: 2017-11-15
+Credits: Whitewinterwolf
+Affects: FreeBSD 10.x
+Corrected: 2017-11-13 23:21:17 UTC (stable/10, 10.4-STABLE)
+ 2017-11-15 22:45:50 UTC (releng/10.4, 10.4-RELEASE-p3)
+ 2017-11-15 22:45:13 UTC (releng/10.3, 10.3-RELEASE-p24)
+CVE Name: CVE-2017-1087
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+POSIX shared memory objects allow realtime inter-process communication by
+sharing a memory area through the use of a named path (see shm_open(2)).
+
+This is used by some multi-process applications to share data between running
+processes, such as a common cache or to implement a producer-consumer model
+where several worker processes handle requests pushed by a producer process.
+
+II. Problem Description
+
+Named paths are globally scoped, meaning a process located in one jail can
+read and modify the content of POSIX shared memory objects created by a
+process in another jail or the host system.
+
+III. Impact
+
+A malicious user that has access to a jailed system is able to abuse shared
+memory by injecting malicious content in the shared memory region. This
+memory region might be executed by applications trusting the shared memory,
+like Squid.
+
+This issue could lead to a Denial of Service or local privilege escalation.
+
+IV. Workaround
+
+No workaround is available, but systems without jails or jails not having
+local users are not vulnerable.
+
+V. Solution
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+Reboot the system for the update to take effect.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+Reboot the system for the update to take effect.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.4, FreeBSD 10-STABLE]
+# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch.asc
+# gpg --verify shm-10.patch.asc
+
+[FreeBSD 10.3]
+# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch.asc
+# gpg --verify shm-10.3.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r325783
+releng/10.3/ r325873
+releng/10.4/ r325874
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1087>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:09.shm.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=epmQ
+-----END PGP SIGNATURE-----
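Review bot: Section V (Solution) is missing the "Perform one of the following:" lead-in that SA-17:08 and SA-17:10 in this same commit carry, and under option 2 the sentence "Reboot the system for the update to take effect." follows "# freebsd-update install" with no blank line, so it reads as part of the command block. Aligning the layout with the two sibling advisories (lead-in line, blank line before the reboot instruction) would make the three consistent for readers and for anything that parses them.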
Added: head/share/security/advisories/FreeBSD-SA-17:10.kldstat.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-17:10.kldstat.asc Wed Nov 15 23:08:45 2017 (r51201)
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:10.kldstat Security Advisory
+ The FreeBSD Project
+
+Topic: Information leak in kldstat(2)
+
+Category: core
+Module: kernel
+Announced: 2017-11-15
+Credits: TJ Corley
+Affects: All supported versions of FreeBSD.
+Corrected: 2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
+ 2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
+ 2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
+ 2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
+ 2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
+ 2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
+CVE Name: CVE-2017-1088
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The kldstat(2) syscall provides information about loaded kld files. The
+syscall takes a userland argument of struct kld_file_stat which is then
+filled with data about the kld file requested.
+
+II. Problem Description
+
+The kernel does not properly clear the memory of the kld_file_stat
+structure before filling the data. Since the structure filled by the
+kernel is allocated on the kernel stack and copied to userspace, a leak
+of information from the kernel stack is possible.
+
+III. Impact
+
+Some bytes from the kernel stack can be observed in userspace.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
+# gpg --verify kldstat.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r325867
+releng/10.3/ r325878
+releng/10.4/ r325877
+stable/11/ r325866
+releng/11.0/ r325876
+releng/11.1/ r325875
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=N2rs
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-17:08/ptrace.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-17:08/ptrace.patch Wed Nov 15 23:08:45 2017 (r51201)
@@ -0,0 +1,27 @@
+--- sys/kern/sys_process.c.orig
++++ sys/kern/sys_process.c
+@@ -518,6 +518,7 @@
+ struct ptrace_lwpinfo32 *pl32)
+ {
+
++ bzero(pl32, sizeof(*pl32));
+ pl32->pl_lwpid = pl->pl_lwpid;
+ pl32->pl_event = pl->pl_event;
+ pl32->pl_flags = pl->pl_flags;
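Review bot: The added "bzero(pl32, sizeof(*pl32));" at the top of this conversion routine carries no comment saying why it is needed. Since the visible fields are assigned immediately afterwards, the call looks redundant to a later reader; a one-line comment that the structure is copied out to userspace, so padding and any field left unassigned must not carry stale stack bytes, would protect it from being dropped in a cleanup.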
+@@ -1301,6 +1302,7 @@
+ } else
+ #endif
+ pl = addr;
++ bzero(pl, sizeof(*pl));
+ pl->pl_lwpid = td2->td_tid;
+ pl->pl_event = PL_EVENT_NONE;
+ pl->pl_flags = 0;
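Review bot: The new "bzero(pl, sizeof(*pl));" is placed directly after "pl = addr;", which is the single-statement body of a brace-less else that is visually cut off by "#endif". A brace-less else takes only one statement, so the bzero does run on both the compat and the native path, which is what the fix needs, but that is easy to misread. Bracing the if/else, or adding a blank line and a short comment before the bzero, would make it obvious that the zeroing is unconditional.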
+@@ -1321,8 +1323,6 @@
+ pl->pl_siginfo = td2->td_dbgksi.ksi_info;
+ }
+ }
+- if ((pl->pl_flags & PL_FLAG_SI) == 0)
+- bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo));
+ if (td2->td_dbgflags & TDB_SCE)
+ pl->pl_flags |= PL_FLAG_SCE;
+ else if (td2->td_dbgflags & TDB_SCX)
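Review bot: Removing the conditional "bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo));" is only correct because the whole structure is now zeroed before any field is written (the bzero added in the -1301 hunk), and nothing here records that dependency. A short comment near the pl_siginfo assignment, or a line in the commit log tying the two changes together, would keep someone from moving or removing the earlier call without noticing that pl_siginfo now relies on it.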
Added: head/share/security/patches/SA-17:08/ptrace.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-17:08/ptrace.patch.asc Wed Nov 15 23:08:45 2017 (r51201)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxiVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
+RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
+aueBbRAApWCpppwWGjGogqxNVVeyROsWzCVGy4MGOT0ngU5mc2uwZA1zwbUZ0m1I
+KGIGQGgkJLaU/pHJfjPmG6QGfGW2XY/VGd6EKY5P7dYXx54uGeb0OXU5e+6HLTMX
+dWPkvAXeRQJuIY5A3L4K9lOiS6sLfpk759RlriuMRpqoBOZ4uQxynplYuuBJ/CRc
+Tezy8LehBys2qDwhQa1wgoK/St5heh7TfOcoaumm9KvO7687DADE7bmU/iQ+XntL
+eB/RVQTZ5yxDNe7z4oDsVwUwHFpwrln76feVDYVVdJFz8/dCszRenFhptrC145rY
+W3o+LuczLdf+70vVY6ajLRypIpcvFEzO7X5DKafNFKG0ZvxrQp190+a4DAKJ6Vgh
+8hB6Poz1aBObeJlnLNKPpcXQDwi3FCxyMardrTJG2bIAjqoS27eqF/RVhJpeXexs
+plG2aRk4CdduOyrTYvvqDw2HkDB36kuE3gyFufV9DwMrPWtPQIEJcW9bPNGBdDi/
+LorKHPCXiX1/M8I9DMgOAmcGkaO/UtTqGFNZRrwuC9j2XpVk4gQfF5LUTdnf7FB3
+R0+/+HWYWpHm+OmuodToYgZ5X4+ftQpQztmvgArBLW83AcUUBL4ic7u5kOJCLUlT
+QEseNpEHQBEIJzkOtq/nui//9kimTOWsC6rw7Raeoh/kUmurMjg=
+=AJBS
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-17:09/shm-10.3.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-17:09/shm-10.3.patch Wed Nov 15 23:08:45 2017 (r51201)
@@ -0,0 +1,1025 @@
+--- share/man/man9/osd.9.orig
++++ share/man/man9/osd.9
+@@ -25,7 +25,7 @@
+ .\"
+ .\" $FreeBSD$
+ .\"
+-.Dd January 5, 2011
++.Dd March 30, 2016
+ .Dt OSD 9
+ .Os
+ .Sh NAME
+@@ -33,6 +33,9 @@
+ .Nm osd_register ,
+ .Nm osd_deregister ,
+ .Nm osd_set ,
++.Nm osd_reserve ,
++.Nm osd_set_reserved ,
++.Nm osd_free_reserved ,
+ .Nm osd_get ,
+ .Nm osd_del ,
+ .Nm osd_call ,
+@@ -63,6 +66,22 @@
+ .Fa "void *value"
+ .Fc
+ .Ft void *
++.Fo osd_reserve
++.Fa "u_int slot"
++.Fc
++.Ft int
++.Fo osd_set_reserved
++.Fa "u_int type"
++.Fa "struct osd *osd"
++.Fa "u_int slot"
++.Fa "void *rsv"
++.Fa "void *value"
++.Fc
++.Ft void
++.Fo osd_free_reserved
++.Fa "void *rsv"
++.Fc
++.Ft void *
+ .Fo osd_get
+ .Fa "u_int type"
+ .Fa "struct osd *osd"
+@@ -198,6 +217,15 @@
+ .Fa osd .
+ .Pp
+ The
++.Fn osd_set_reserved
++function does the same as
++.Fn osd_set ,
++but with an extra argument
++.Fa rsv
++that is internal-use memory previously allocated via
++.Fn osd_reserve .
++.Pp
++The
+ .Fn osd_get
+ function returns the data pointer associated with a kernel data structure's
+ .Vt struct osd
+@@ -324,6 +352,24 @@
+ .Xr realloc 9
+ calls.
+ .Pp
++It is possible for
++.Fn osd_set
++to fail to allocate this array. To ensure that such allocation succeeds,
++.Fn osd_reserve
++may be called (in a non-blocking context), and it will pre-allocate the
++memory via
++.Xr malloc 9
++with M_WAITOK.
++Then this pre-allocated memory is passed to
++.Fn osd_set_reserved ,
++which will use it if necessary or otherwise discard it.
++The memory may also be explicitly discarded by calling
++.Fn osd_free_reserved .
++As this method always allocates memory whether or not it is ultimately needed,
++it should be used only rarely, such as in the unlikely event that
++.Fn osd_set
++fails.
++.Pp
+ The
+ .Nm
+ API is geared towards slot identifiers storing pointers to the same underlying
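Review bot: The added paragraph says osd_reserve "may be called (in a non-blocking context)" and, in the same sentence, that it allocates with M_WAITOK. An M_WAITOK allocation may sleep, so the caller has to be somewhere sleeping is permitted; "non-blocking context" reads as the opposite requirement. Suggest wording along the lines of "from a context that may sleep, before acquiring any non-sleepable locks", so the man page states the constraint a caller actually has to meet.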
+@@ -359,15 +405,27 @@
+ returns the slot identifier for the newly registered data type.
+ .Pp
+ .Fn osd_set
+-returns zero on success or ENOMEM if the specified type/slot identifier pair
++and
++.Fn osd_set_reserved
++return zero on success or ENOMEM if the specified type/slot identifier pair
+ triggered an internal
+ .Xr realloc 9
+-which failed.
++which failed
++.Fn ( osd_set_reserved
++will always succeed when
++.Fa rsv
++is non-NULL).
+ .Pp
+ .Fn osd_get
+ returns the data pointer for the specified type/slot identifier pair, or NULL if
+ the slot has not been initialised yet.
+ .Pp
++.Fn osd_reserve
++returns a pointer suitable for passing to
++.Fn osd_set_reserved
++or
++.Fn osd_free_reserved .
++.Pp
+ .Fn osd_call
+ returns zero if no method is run or the method for each slot runs successfully.
+ If a method for a slot returns non-zero,
+--- sys/kern/kern_osd.c.orig
++++ sys/kern/kern_osd.c
+@@ -44,6 +44,23 @@
+
+ /* OSD (Object Specific Data) */
+
++/*
++ * Lock key:
++ * (m) osd_module_lock
++ * (o) osd_object_lock
++ * (l) osd_list_lock
++ */
++struct osd_master {
++ struct sx osd_module_lock;
++ struct rmlock osd_object_lock;
++ struct mtx osd_list_lock;
++ LIST_HEAD(, osd) osd_list; /* (l) */
++ osd_destructor_t *osd_destructors; /* (o) */
++ osd_method_t *osd_methods; /* (m) */
++ u_int osd_ntslots; /* (m) */
++ const u_int osd_nmethods;
++};
++
+ static MALLOC_DEFINE(M_OSD, "osd", "Object Specific Data");
+
+ static int osd_debug = 0;
+@@ -62,25 +79,12 @@
+ int list_locked);
+
+ /*
+- * Lists of objects with OSD.
+- *
+- * Lock key:
+- * (m) osd_module_lock
+- * (o) osd_object_lock
+- * (l) osd_list_lock
++ * List of objects with OSD.
+ */
+-static LIST_HEAD(, osd) osd_list[OSD_LAST + 1]; /* (m) */
+-static osd_method_t *osd_methods[OSD_LAST + 1]; /* (m) */
+-static u_int osd_nslots[OSD_LAST + 1]; /* (m) */
+-static osd_destructor_t *osd_destructors[OSD_LAST + 1]; /* (o) */
+-static const u_int osd_nmethods[OSD_LAST + 1] = {
+- [OSD_JAIL] = PR_MAXMETHOD,
++struct osd_master osdm[OSD_LAST + 1] = {
++ [OSD_JAIL] = { .osd_nmethods = PR_MAXMETHOD },
+ };
+
+-static struct sx osd_module_lock[OSD_LAST + 1];
+-static struct rmlock osd_object_lock[OSD_LAST + 1];
+-static struct mtx osd_list_lock[OSD_LAST + 1];
+-
+ static void
+ osd_default_destructor(void *value __unused)
+ {
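Review bot: The new table is declared as "struct osd_master osdm[OSD_LAST + 1]" without static, while every array it replaces in this hunk was static. Unless another file needs the symbol, keep it file-local ("static struct osd_master osdm[OSD_LAST + 1]") so the lock, destructor and method tables are not exported under a short global name that can collide with other kernel code.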
+@@ -102,12 +106,12 @@
+ if (destructor == NULL)
+ destructor = osd_default_destructor;
+
+- sx_xlock(&osd_module_lock[type]);
++ sx_xlock(&osdm[type].osd_module_lock);
+ /*
+ * First, we try to find unused slot.
+ */
+- for (i = 0; i < osd_nslots[type]; i++) {
+- if (osd_destructors[type][i] == NULL) {
++ for (i = 0; i < osdm[type].osd_ntslots; i++) {
++ if (osdm[type].osd_destructors[i] == NULL) {
+ OSD_DEBUG("Unused slot found (type=%u, slot=%u).",
+ type, i);
+ break;
+@@ -116,31 +120,31 @@
+ /*
+ * If no unused slot was found, allocate one.
+ */
+- if (i == osd_nslots[type]) {
+- osd_nslots[type]++;
+- if (osd_nmethods[type] != 0)
+- osd_methods[type] = realloc(osd_methods[type],
+- sizeof(osd_method_t) * osd_nslots[type] *
+- osd_nmethods[type], M_OSD, M_WAITOK);
+- newptr = malloc(sizeof(osd_destructor_t) * osd_nslots[type],
+- M_OSD, M_WAITOK);
+- rm_wlock(&osd_object_lock[type]);
+- bcopy(osd_destructors[type], newptr,
++ if (i == osdm[type].osd_ntslots) {
++ osdm[type].osd_ntslots++;
++ if (osdm[type].osd_nmethods != 0)
++ osdm[type].osd_methods = realloc(osdm[type].osd_methods,
++ sizeof(osd_method_t) * osdm[type].osd_ntslots *
++ osdm[type].osd_nmethods, M_OSD, M_WAITOK);
++ newptr = malloc(sizeof(osd_destructor_t) *
++ osdm[type].osd_ntslots, M_OSD, M_WAITOK);
++ rm_wlock(&osdm[type].osd_object_lock);
++ bcopy(osdm[type].osd_destructors, newptr,
+ sizeof(osd_destructor_t) * i);
+- free(osd_destructors[type], M_OSD);
+- osd_destructors[type] = newptr;
+- rm_wunlock(&osd_object_lock[type]);
++ free(osdm[type].osd_destructors, M_OSD);
++ osdm[type].osd_destructors = newptr;
++ rm_wunlock(&osdm[type].osd_object_lock);
+ OSD_DEBUG("New slot allocated (type=%u, slot=%u).",
+ type, i + 1);
+ }
+
+- osd_destructors[type][i] = destructor;
+- if (osd_nmethods[type] != 0) {
+- for (m = 0; m < osd_nmethods[type]; m++)
+- osd_methods[type][i * osd_nmethods[type] + m] =
+- methods != NULL ? methods[m] : NULL;
++ osdm[type].osd_destructors[i] = destructor;
++ if (osdm[type].osd_nmethods != 0) {
++ for (m = 0; m < osdm[type].osd_nmethods; m++)
++ osdm[type].osd_methods[i * osdm[type].osd_nmethods + m]
++ = methods != NULL ? methods[m] : NULL;
+ }
+- sx_xunlock(&osd_module_lock[type]);
++ sx_xunlock(&osdm[type].osd_module_lock);
+ return (i + 1);
+ }
+
+@@ -151,37 +155,37 @@
+
+ KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type."));
+ KASSERT(slot > 0, ("Invalid slot."));
+- KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot."));
++ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
+
+- sx_xlock(&osd_module_lock[type]);
+- rm_wlock(&osd_object_lock[type]);
++ sx_xlock(&osdm[type].osd_module_lock);
++ rm_wlock(&osdm[type].osd_object_lock);
+ /*
+ * Free all OSD for the given slot.
+ */
+- mtx_lock(&osd_list_lock[type]);
+- LIST_FOREACH_SAFE(osd, &osd_list[type], osd_next, tosd)
++ mtx_lock(&osdm[type].osd_list_lock);
++ LIST_FOREACH_SAFE(osd, &osdm[type].osd_list, osd_next, tosd)
+ do_osd_del(type, osd, slot, 1);
+- mtx_unlock(&osd_list_lock[type]);
++ mtx_unlock(&osdm[type].osd_list_lock);
+ /*
+ * Set destructor to NULL to free the slot.
+ */
+- osd_destructors[type][slot - 1] = NULL;
+- if (slot == osd_nslots[type]) {
+- osd_nslots[type]--;
+- osd_destructors[type] = realloc(osd_destructors[type],
+- sizeof(osd_destructor_t) * osd_nslots[type], M_OSD,
++ osdm[type].osd_destructors[slot - 1] = NULL;
++ if (slot == osdm[type].osd_ntslots) {
++ osdm[type].osd_ntslots--;
++ osdm[type].osd_destructors = realloc(osdm[type].osd_destructors,
++ sizeof(osd_destructor_t) * osdm[type].osd_ntslots, M_OSD,
+ M_NOWAIT | M_ZERO);
+- if (osd_nmethods[type] != 0)
+- osd_methods[type] = realloc(osd_methods[type],
+- sizeof(osd_method_t) * osd_nslots[type] *
+- osd_nmethods[type], M_OSD, M_NOWAIT | M_ZERO);
++ if (osdm[type].osd_nmethods != 0)
++ osdm[type].osd_methods = realloc(osdm[type].osd_methods,
++ sizeof(osd_method_t) * osdm[type].osd_ntslots *
++ osdm[type].osd_nmethods, M_OSD, M_NOWAIT | M_ZERO);
+ /*
+ * We always reallocate to smaller size, so we assume it will
+ * always succeed.
+ */
+- KASSERT(osd_destructors[type] != NULL &&
+- (osd_nmethods[type] == 0 || osd_methods[type] != NULL),
+- ("realloc() failed"));
++ KASSERT(osdm[type].osd_destructors != NULL &&
++ (osdm[type].osd_nmethods == 0 ||
++ osdm[type].osd_methods != NULL), ("realloc() failed"));
+ OSD_DEBUG("Deregistration of the last slot (type=%u, slot=%u).",
+ type, slot);
+ } else {
+@@ -188,68 +192,105 @@
+ OSD_DEBUG("Slot deregistration (type=%u, slot=%u).",
+ type, slot);
+ }
+- rm_wunlock(&osd_object_lock[type]);
+- sx_xunlock(&osd_module_lock[type]);
++ rm_wunlock(&osdm[type].osd_object_lock);
++ sx_xunlock(&osdm[type].osd_module_lock);
+ }
+
+ int
+ osd_set(u_int type, struct osd *osd, u_int slot, void *value)
+ {
++
++ return (osd_set_reserved(type, osd, slot, NULL, value));
++}
++
++void *
++osd_reserve(u_int slot)
++{
++
++ KASSERT(slot > 0, ("Invalid slot."));
++
++ OSD_DEBUG("Reserving slot array (slot=%u).", slot);
++ return (malloc(sizeof(void *) * slot, M_OSD, M_WAITOK | M_ZERO));
++}
++
++int
++osd_set_reserved(u_int type, struct osd *osd, u_int slot, void *rsv,
++ void *value)
++{
+ struct rm_priotracker tracker;
+
+ KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type."));
+ KASSERT(slot > 0, ("Invalid slot."));
+- KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot."));
++ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
+
+- rm_rlock(&osd_object_lock[type], &tracker);
++ rm_rlock(&osdm[type].osd_object_lock, &tracker);
+ if (slot > osd->osd_nslots) {
++ void *newptr;
++
+ if (value == NULL) {
+ OSD_DEBUG(
+ "Not allocating null slot (type=%u, slot=%u).",
+ type, slot);
+- rm_runlock(&osd_object_lock[type], &tracker);
++ rm_runlock(&osdm[type].osd_object_lock, &tracker);
++ if (rsv)
++ osd_free_reserved(rsv);
+ return (0);
+- } else if (osd->osd_nslots == 0) {
++ }
++
++ /*
++ * Too few slots allocated here, so we need to extend or create
++ * the array.
++ */
++ if (rsv) {
+ /*
+- * First OSD for this object, so we need to allocate
+- * space and put it onto the list.
++ * Use the reserve passed in (assumed to be
++ * the right size).
+ */
+- osd->osd_slots = malloc(sizeof(void *) * slot, M_OSD,
+- M_NOWAIT | M_ZERO);
+- if (osd->osd_slots == NULL) {
+- rm_runlock(&osd_object_lock[type], &tracker);
+- return (ENOMEM);
++ newptr = rsv;
++ if (osd->osd_nslots != 0) {
++ memcpy(newptr, osd->osd_slots,
++ sizeof(void *) * osd->osd_nslots);
++ free(osd->osd_slots, M_OSD);
+ }
+- osd->osd_nslots = slot;
+- mtx_lock(&osd_list_lock[type]);
+- LIST_INSERT_HEAD(&osd_list[type], osd, osd_next);
+- mtx_unlock(&osd_list_lock[type]);
+- OSD_DEBUG("Setting first slot (type=%u).", type);
+ } else {
+- void *newptr;
+-
+- /*
+- * Too few slots allocated here, needs to extend
+- * the array.
+- */
+ newptr = realloc(osd->osd_slots, sizeof(void *) * slot,
+ M_OSD, M_NOWAIT | M_ZERO);
+ if (newptr == NULL) {
+- rm_runlock(&osd_object_lock[type], &tracker);
++ rm_runlock(&osdm[type].osd_object_lock,
++ &tracker);
+ return (ENOMEM);
+ }
+- osd->osd_slots = newptr;
+- osd->osd_nslots = slot;
++ }
++ if (osd->osd_nslots == 0) {
++ /*
++ * First OSD for this object, so we need to put it
++ * onto the list.
++ */
++ mtx_lock(&osdm[type].osd_list_lock);
++ LIST_INSERT_HEAD(&osdm[type].osd_list, osd, osd_next);
++ mtx_unlock(&osdm[type].osd_list_lock);
++ OSD_DEBUG("Setting first slot (type=%u).", type);
++ } else
+ OSD_DEBUG("Growing slots array (type=%u).", type);
+- }
+- }
++ osd->osd_slots = newptr;
++ osd->osd_nslots = slot;
++ } else if (rsv)
++ osd_free_reserved(rsv);
+ OSD_DEBUG("Setting slot value (type=%u, slot=%u, value=%p).", type,
+ slot, value);
+ osd->osd_slots[slot - 1] = value;
+- rm_runlock(&osd_object_lock[type], &tracker);
++ rm_runlock(&osdm[type].osd_object_lock, &tracker);
+ return (0);
+ }
+
++void
++osd_free_reserved(void *rsv)
++{
++
++ OSD_DEBUG("Discarding reserved slot array.");
++ free(rsv, M_OSD);
++}
++
+ void *
+ osd_get(u_int type, struct osd *osd, u_int slot)
+ {
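Review bot: In osd_set_reserved the rsv branch takes the buffer on trust (the comment says "assumed to be the right size"), but osd_reserve(slot) sized it as sizeof(void *) * slot for whatever slot the caller passed at that time. If rsv was reserved for a smaller slot than the one being set, the memcpy of osd->osd_nslots entries and the later "osd->osd_slots[slot - 1] = value;" store can write past the allocation. At minimum osd.9 should state that the same slot value must be passed to osd_reserve and osd_set_reserved; better, have the reservation record its element count so a KASSERT here can catch a mismatch.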
+@@ -258,9 +299,9 @@
+
+ KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type."));
+ KASSERT(slot > 0, ("Invalid slot."));
+- KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot."));
++ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
+
+- rm_rlock(&osd_object_lock[type], &tracker);
++ rm_rlock(&osdm[type].osd_object_lock, &tracker);
+ if (slot > osd->osd_nslots) {
+ value = NULL;
+ OSD_DEBUG("Slot doesn't exist (type=%u, slot=%u).", type, slot);
+@@ -269,7 +310,7 @@
+ OSD_DEBUG("Returning slot value (type=%u, slot=%u, value=%p).",
+ type, slot, value);
+ }
+- rm_runlock(&osd_object_lock[type], &tracker);
++ rm_runlock(&osdm[type].osd_object_lock, &tracker);
+ return (value);
+ }
+
+@@ -278,9 +319,9 @@
+ {
+ struct rm_priotracker tracker;
+
+- rm_rlock(&osd_object_lock[type], &tracker);
++ rm_rlock(&osdm[type].osd_object_lock, &tracker);
+ do_osd_del(type, osd, slot, 0);
+- rm_runlock(&osd_object_lock[type], &tracker);
++ rm_runlock(&osdm[type].osd_object_lock, &tracker);
+ }
+
+ static void
+@@ -290,7 +331,7 @@
+
+ KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type."));
+ KASSERT(slot > 0, ("Invalid slot."));
+- KASSERT(osd_destructors[type][slot - 1] != NULL, ("Unused slot."));
++ KASSERT(osdm[type].osd_destructors[slot - 1] != NULL, ("Unused slot."));
+
+ OSD_DEBUG("Deleting slot (type=%u, slot=%u).", type, slot);
+
+@@ -299,7 +340,7 @@
+ return;
+ }
+ if (osd->osd_slots[slot - 1] != NULL) {
+- osd_destructors[type][slot - 1](osd->osd_slots[slot - 1]);
++ osdm[type].osd_destructors[slot - 1](osd->osd_slots[slot - 1]);
+ osd->osd_slots[slot - 1] = NULL;
+ }
+ for (i = osd->osd_nslots - 1; i >= 0; i--) {
+@@ -313,10 +354,10 @@
+ /* No values left for this object. */
+ OSD_DEBUG("No more slots left (type=%u).", type);
+ if (!list_locked)
+- mtx_lock(&osd_list_lock[type]);
++ mtx_lock(&osdm[type].osd_list_lock);
+ LIST_REMOVE(osd, osd_next);
+ if (!list_locked)
+- mtx_unlock(&osd_list_lock[type]);
++ mtx_unlock(&osdm[type].osd_list_lock);
+ free(osd->osd_slots, M_OSD);
+ osd->osd_slots = NULL;
+ osd->osd_nslots = 0;
+@@ -342,7 +383,7 @@
+ int error, i;
+
+ KASSERT(type >= OSD_FIRST && type <= OSD_LAST, ("Invalid type."));
+- KASSERT(method < osd_nmethods[type], ("Invalid method."));
++ KASSERT(method < osdm[type].osd_nmethods, ("Invalid method."));
+
+ /*
+ * Call this method for every slot that defines it, stopping if an
+@@ -349,14 +390,14 @@
+ * error is encountered.
+ */
+ error = 0;
+- sx_slock(&osd_module_lock[type]);
+- for (i = 0; i < osd_nslots[type]; i++) {
+- methodfun =
+- osd_methods[type][i * osd_nmethods[type] + method];
++ sx_slock(&osdm[type].osd_module_lock);
++ for (i = 0; i < osdm[type].osd_ntslots; i++) {
++ methodfun = osdm[type].osd_methods[i * osdm[type].osd_nmethods +
++ method];
+ if (methodfun != NULL && (error = methodfun(obj, data)) != 0)
+ break;
+ }
+- sx_sunlock(&osd_module_lock[type]);
++ sx_sunlock(&osdm[type].osd_module_lock);
+ return (error);
+ }
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***