svn commit: r52127 - in head/share: security/advisories security/patches/SA-18:08 security/patches/SA-18:09 security/patches/SA-18:10 security/patches/SA-18:11 xml

Xin LI delphij at FreeBSD.org
Wed Aug 15 05:17:33 UTC 2018


Author: delphij
Date: Wed Aug 15 05:17:29 2018
New Revision: 52127
URL: https://svnweb.freebsd.org/changeset/doc/52127

Log:
  Add SA-18:09-SA-18:11, refresh SA-18:08.

Added:
  head/share/security/advisories/FreeBSD-SA-18:09.l1tf.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-18:10.ip.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-18:11.hostapd.asc   (contents, props changed)
  head/share/security/patches/SA-18:08/tcp-man-10.patch   (contents, props changed)
  head/share/security/patches/SA-18:08/tcp-man-10.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:08/tcp-man-11.patch   (contents, props changed)
  head/share/security/patches/SA-18:08/tcp-man-11.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:09/
  head/share/security/patches/SA-18:09/l1tf-11.1.patch   (contents, props changed)
  head/share/security/patches/SA-18:09/l1tf-11.1.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:09/l1tf-11.2.patch   (contents, props changed)
  head/share/security/patches/SA-18:09/l1tf-11.2.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:10/
  head/share/security/patches/SA-18:10/ip.patch   (contents, props changed)
  head/share/security/patches/SA-18:10/ip.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:11/
  head/share/security/patches/SA-18:11/hostapd-10.patch   (contents, props changed)
  head/share/security/patches/SA-18:11/hostapd-10.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:11/hostapd.patch   (contents, props changed)
  head/share/security/patches/SA-18:11/hostapd.patch.asc   (contents, props changed)
Modified:
  head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc
  head/share/xml/advisories.xml

Modified: head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc
==============================================================================
--- head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc	Tue Aug 14 20:23:19 2018	(r52126)
+++ head/share/security/advisories/FreeBSD-SA-18:08.tcp.asc	Wed Aug 15 05:17:29 2018	(r52127)
@@ -15,16 +15,22 @@ Credits:        Juha-Matti Tilli <juha-matti.tilli at iki
                 and Nokia Bell Labs
 Affects:        All supported versions of FreeBSD.
 Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
-                2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1)
-                2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12)
+                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
+                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
                 2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
-                2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10)
+                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
 CVE Name:       CVE-2018-6922
 
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
 following sections, please visit <URL:https://security.FreeBSD.org/>.
 
+
+0.   Revision history
+
+v1.0   2018-08-06  Initial release.
+v1.1   2018-08-14  Fixed documentation date in manual pages.
+
 I.   Background
 
 The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
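Review bot: Replacing the releng entries in the Corrected: block drops the dates and patch levels at which the TCP fix itself shipped (11.2-RELEASE-p1, 11.1-RELEASE-p12, 10.4-RELEASE-p10), although the new revision history says v1.1 only fixed the documentation date in manual pages. A reader, or a tool that compares patch levels against this field, would conclude that those earlier levels are still exposed to CVE-2018-6922; the revision table in the third hunk changes in the same way. The v1.1 NOTE in the second hunk is the natural place to say this, and its current wording ("it have little impact to runtime behavior") is hard to parse. I would write something like `[*** v1.1 NOTE ***] The tcp-man patches only correct the manual page date and do not change runtime behavior; systems that applied the v1.0 patches already contain the fix.` The second half of that sentence is inferred from the revision history entry and should be confirmed by the advisory author.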
@@ -108,6 +114,19 @@ detached PGP signature using your PGP utility.
 # fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
 # gpg --verify tcp-11.patch.asc
 
+[*** v1.1 NOTE ***] Patchsets are provided for completeness, it have
+little impact to runtime behavior.
+
+[FreeBSD 10.4]
+# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc
+# gpg --verify tcp-man-10.patch.asc
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc
+# gpg --verify tcp-man-11.patch.asc
+
 b) Apply the patch.  Execute the following commands as root:
 
 # cd /usr/src
@@ -125,10 +144,10 @@ affected branch.
 Branch/path                                                      Revision
 - -------------------------------------------------------------------------
 stable/10/                                                        r337392
-releng/10.4/                                                      r337389
+releng/10.4/                                                      r337832
 stable/11/                                                        r337391
-releng/11.1/                                                      r337388
-releng/11.2/                                                      r337387
+releng/11.1/                                                      r337828
+releng/11.2/                                                      r337828
 - -------------------------------------------------------------------------
 
 To see which files were modified by a particular revision, run the
@@ -152,17 +171,17 @@ The latest revision of this advisory is available at
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.2.9 (FreeBSD)
 
-iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltosd4ACgkQ05eS9J6n
-5cKLRRAApitUTx46nToGtbCr/fzEZtYpjU0L/kMDwFw8ngfrb3MR4yht087t8JK1
-jZlbeKRQwYjN+ecLrO3QdWoM4LavQK/cYuWq2tCpJiwqXK15rDJGBJjlBiAsmupF
-fGGSD2DcJ/Jz7zTKDkjybCh83QGGTt/HBZRYLc85ipJPHgPQQtnD/OLjFK34Lr45
-vEss9AAkBEe4ZWiSltrQYzqMYf8+sCz/OYP+NGluz4eUjuzKogqyLIAA29auqoNp
-UY5tIUhf8dcB9oeARxWlvmxTKSLB5kevF5jsBzxB8Ap1xUfLFip02h6ApL0xuWz2
-ouX/gN8KBgmJoNIP+GbBY29sQCEY0GTIR9q/dO1ZB3CePJFQsvWjtNeBBjIK66On
-xJSSrUXDPANfcePbnCN9JdsclSEJ0+EBYol3hSWVY8bX3OMcOZw1wRXXCwN0T3of
-QQwbuP0ORt5OdsOObwaxDJEWLEma7N2swWF5YR0oQl0+ETvkIsqFilsTlY6qEB/L
-WG9G1Y9uVn++AJs7HzI+vKVEhhwtJep+7ks28sH5J0LQiUGYfwRACYfVLgi6iXNV
-YKPB4hUFd2d8QaYWdgU92YBJWrR8bqyDdetifMEG5tP+TFCeNCh6SMpRnL7Lzns+
-hkZiRHJeIT7tGu77xZknFI6ghDHOdemtZ/QiL0NsrM05spWkdIA=
-=HNsD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+=sl/Z
 -----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-18:09.l1tf.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:09.l1tf.asc	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,165 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:09.l1tf                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          L1 Terminal Fault (L1TF) Kernel Information Disclosure
+
+Category:       core
+Module:         Kernel
+Announced:      2018-08-14
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE)
+                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
+                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
+CVE Name:       CVE-2018-3620, CVE-2018-3646
+
+Special Note:   Speculative execution vulnerability mitigation remains a work
+                in progress.  This advisory addresses the issue in FreeBSD
+                11.1 and later.  We expect to update this advisory to include
+                10.4 at a later time.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+When a program accesses data in memory via a logical address it is translated
+to a physical address in RAM by the CPU.  Accessing an unmapped logical
+address results in what is known as a terminal fault.
+
+II.  Problem Description
+
+On certain Intel 64-bit x86 systems there is a period of time during terminal
+fault handling where the CPU may use speculative execution to try to load
+data.  The CPU may speculatively access the level 1 data cache (L1D).  Data
+which would otherwise be protected may then be determined by using side
+channel methods.
+
+This issue affects bhyve on FreeBSD/amd64 systems.
+
+III. Impact
+
+An attacker executing user code, or kernel code inside of a virtual machine,
+may be able to read secret data from the kernel or from another virtual
+machine.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +30 "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.2]
+# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc
+# gpg --verify l1tf-11.2.patch.asc
+
+[FreeBSD 11.1]
+# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc
+# gpg --verify l1tf-11.1.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+CVE-2018-3620 (L1 Terminal Fault-OS)
+- ------------------------------------
+FreeBSD reserves the the memory page at physical address 0, so it will not
+contain secret data.  FreeBSD zeros the paging data structures for unmapped
+addresses, so that speculatively executed L1 Terminal Faults will access only
+the reserved, unused page.
+
+CVE-2018-3646 (L1 Terminal Fault-VMM)
+- -------------------------------------
+Patched systems flush the L1 data cache prior to guest entry, so that there
+is no secret data in cache for a terminal fault (from the the guest) to
+access.
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r337794
+releng/11.1/                                                      r337828
+releng/11.2/                                                      r337828
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+More information on L1 Terminal Fault is available at:
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646>
+
+<URL:https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault>
+
+<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html>
+
+The FreeBSD Security Team thanks Intel for disclosing the issue.
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.l1tf.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztc8ACgkQ05eS9J6n
+5cLwEhAAos2Bnilthrbd+uQr1IGASD96aZZ5iXvn1Ibls03Vtd0kG9EcU30gFVG0
+HSg47qT7r5qJQUdhuSYxspgS9ZxXpRez1vnAz7cSGHL9FdecyfHWmHvGor5tz84/
+CgX4jCCAZfqDBquYD+ioqiLX7p1ZTRKfHBQOHcGgMfMq8UQUsg1YriXabEqnavU6
+W0h/eCGBo/Dbvl7004Gx0hKmDO2YQxt9aPWfInXWx1VOMf+wNWpcrvU6rJ4kOnL9
+7BXi+c5+vwlVXDvjrTwP9X+9DDa0MJcMoy2JCyCa/0W7lQ9nADLfUiXLsTvLDo6V
+6/sooFbqlO+Qz37XHlXOXaoVGZGw+NtJRcnD+w8ueP9ts02SsECoxofN8tPOzGsT
+T285qAwv8D8uuBLU3dc9y+assEe3j/4Aqb1Eil6Eh1MsHypEvyN5z9+PIpbN2tWK
+qqCtzgqx037Jvjo6DwjwMUd+DikObGjZyK4pwP8KIeccOIBrUAA1Xel7Xr74xuwq
+LwqtcHb2MWeFD0Mw+oW9viuJKrxyu6aiQfU6FsuGVmHjtXGxi+aWyGQqed+q8FcU
+w/J6fq4kmBVVqNNrAMc/bWKU3IXAj4c48H0CSiCoX4dE4waRQ+cEetKkSWVGYnXj
+3QdoyPsiqo8Goo34Cn0Ipf9GWDeNVv32iz0fXtr4LtoVZKCx9oc=
+=G5SD
+-----END PGP SIGNATURE-----
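Review bot: The advisory gives administrators no way to confirm that the CVE-2018-3646 mitigation is active: section IV says no workaround is available, and section VI only states that the L1 data cache is flushed before guest entry. The l1tf-11.1.patch added in this same commit fetches a `hw.vmm.l1d_flush` tunable and exports a read-only `l1d_flush` sysctl under `hw.vmm.vmx`, so a sentence in section VI naming both would let operators check the setting after reboot. The two names sit at different levels of the tree, which is worth confirming with the patch author. Section II says the issue affects bhyve while section III also covers user code reading kernel data, so the scope statement could name both CVEs. "the the" appears twice in section VI (`reserves the the memory page`, `from the the guest`); any wording fix means re-signing the advisory.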

Added: head/share/security/advisories/FreeBSD-SA-18:10.ip.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:10.ip.asc	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,172 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:10.ip                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Resource exhaustion in IP fragment reassembly
+
+Category:       core
+Module:         inet
+Announced:      2018-08-14
+Credits:        Juha-Matti Tilli <juha-matti.tilli at iki.fi> from
+                Aalto University, Department of Communications and Networking
+                and Nokia Bell Labs
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
+                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
+                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
+CVE Name:       CVE-2018-6923
+
+Special note:   Due to source code differences in FreeBSD 10-stable a patch
+                is not yet available for FreeBSD 10.4.  This will follow at
+                a later date.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of
+packets which are too big to traverse all the links between two end
+stations. Any router along the path between two end hosts may fragment
+packets which are larger than a link's maximum transmission unit
+(MTU). FreeBSD's implementation of some IPv4 protocols (such as the
+Transmission Control Protocol [TCP]) perform path MTU discovery to
+avoid the need for fragmentation.
+
+IP version 6 (IPv6) retains the concept of packet fragmentation. It
+changed the fragmentation operation to require that the originating
+end-system perform path MTU discovery and fragment packets which are
+too large for any MTU along the path between two end systems.
+
+While all hosts attached to the Internet are required to support
+fragmentation and reassembly, many hosts will encounter very few
+legitimate fragmented packets due to the operation of path MTU discovery.
+
+II.  Problem Description
+
+A researcher has notified us of a DoS attack applicable to another
+operating system. While FreeBSD may not be vulnerable to that exact
+attack, we have identified several places where inadequate DoS protection
+could allow an attacker to consume system resources.
+
+It is not necessary that the attacker be able to establish two-way
+communication to carry out these attacks. These attacks impact both
+IPv4 and IPv6 fragment reassembly.
+
+III. Impact
+
+In the worst case, an attacker could send a stream of crafted
+fragments with a low packet rate which would consume a substantial
+amount of CPU.
+
+Other attack vectors allow an attacker to send a stream of crafted
+fragments which could consume a large amount of CPU or all available
+mbuf clusters on the system.
+
+These attacks could temporarily render a system unreachable through
+network interfaces or temporarily render a system unresponsive. The
+effects of the attack should clear within 60 seconds after the attack stops.
+
+IV.  Workaround
+
+Disable fragment reassembly, using these commands:
+ % sysctl net.inet.ip.maxfragpackets=0
+ % sysctl net.inet6.ip6.maxfrags=0
+
+On systems compiled with VIMAGE, these sysctls will need to be
+executed for each VNET.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or release or
+security branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+Afterward, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
+# gpg --verify ip.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r337804
+releng/11.1/                                                      r337828
+releng/11.2/                                                      r337828
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.kb.cert.org/vuls/id/641765>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6923>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:10.ip.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+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+=ddfE
+-----END PGP SIGNATURE-----
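Review bot: The workaround in section IV does not state its cost: it is introduced as "Disable fragment reassembly", so with `net.inet.ip.maxfragpackets=0` and `net.inet6.ip6.maxfrags=0` legitimate fragmented IPv4 and IPv6 traffic will presumably be dropped until the values are restored. A line such as `Note that this causes fragmented packets to be dropped until the limits are restored.` after the two commands would make that explicit. The commands are shown with a `%` prompt although every other command in the advisory uses `#` for root, and the text does not say whether the setting should be made persistent until the patch is applied. Section V also repeats itself: the opening paragraph and item 1) give the same upgrade instruction, and `Afterward, reboot the system.` follows the freebsd-update commands with no blank line between them.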

Added: head/share/security/advisories/FreeBSD-SA-18:11.hostapd.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:11.hostapd.asc	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,159 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:11.hostapd                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Unauthenticated EAPOL-Key Decryption Vulnerability
+
+Category:       contrib
+Module:         wpa
+Announced:      2018-08-14
+Credits:        Mathy Vanhoef of the imec-DistriNet research group of
+                KU Leuven
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-08-15 05:03:54 UTC (stable/11, 11.1-STABLE)
+                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
+                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
+                2018-08-15 05:05:02 UTC (stable/10, 10.4-STABLE)
+                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
+CVE Name:       CVE-2018-14526
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The wpa_supplicant(8) utility is a client (supplicant) with support for WPA
+and WPA2 (IEEE 802.11i / RSN).  It is suitable for both desktop and laptop
+computers as well as embedded systems.  Supplicant is the IEEE 802.1X/WPA
+component that is used in the client stations.  It implements key negotiation
+with a WPA Authenticator and it controls the roaming and IEEE 802.11
+authentication/association of the wlan(4) driver.
+
+The wpa_supplicant(8) utility is designed to be a "daemon" program that runs
+in the background and acts as the backend component controlling the wireless
+connection.  The wpa_supplicant(8) utility supports separate frontend programs
+and a text-based frontend (wpa_cli(8)) and a GUI (wpa_gui) are included with
+wpa_supplicant(8).
+
+II.  Problem Description
+
+When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC
+flag set, the data field was decrypted first without verifying the MIC.  When
+the dta field was encrypted using RC4, for example, when negotiating TKIP as
+a pairwise cipher, the unauthenticated but decrypted data was subsequently
+processed.  This opened wpa_supplicant(8) to abuse by decryption and recovery
+of sensitive information contained in EAPOL-Key messages.
+
+See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+for a detailed description of the bug.
+
+III. Impact
+
+All users of the WPA2 TKIP pairwise cipher are vulnerable to information, for
+example, the group key.
+
+IV.  Workaround
+
+Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks in
+wpa_supplicant.conf(5) by changing 'pairwise=CCMP TKIP' to 'pariwise=CCMP'.
+
+This can also be mitigated by removing TKIP as a cipher on the AP.
+
+Systems and users who do not use WPA2 TKIP are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch.asc
+# gpg --verify hostapd.patch.asc
+
+[FreeBSD 10.4]
+# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch.asc
+# gpg --verify hostapd-10.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r337832
+releng/10.4/                                                      r337829
+stable/11/                                                        r337831
+releng/11.1/                                                      r337828
+releng/11.2/                                                      r337828
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14526>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.hostapd.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztf8ACgkQ05eS9J6n
+5cJ2kRAAiuef2NM6sG/OJhjIi3zTNZRTmO2S7BcaD8w7RDmH0rp1XPzTRs8CyWxo
+zLfoubOwIucS1nQGHHYhwTYSXw7lFvGWbebuzhNcEUOc8a1TrpLlyinqF8KDgfNd
+RSkTR1OTF91BEjlYKjuIFKUZ6OxUCpgUrprneEyn5wV/0eLkRv3VNqUuAwkTqU/i
+X7pnFd2BXPpvKTatefpGjnYmo3j3oJSiQeXcPM9zgcm6n9ZD+KiC48vdvbZGmERt
+HsMzUy0Z+OehKMJ+RvemWTiEwEFO7BK/FFgGH8LAgrwd0xff2RDU7S0NeCd+p76g
+y98aUg0WF6RqHXU/xHeHpljHxzrWP3Msb56NqB+phFuEKvVoVimGL54P6/sBSbq+
+eACFcTUcf88MLry41zKBchSmekzSdzeV1S6kQGG74W7DfYY/UdF/4ves/eNqO13l
+J5PjjusPn5IS+IP1omA6imJNHoEUrKR4ZW6KXZEfF7NdtcLGRebrAGySdqD0jHPP
+23fkVQRmEL23fwtlONxNhvrF/oA09/oHS++MUEUxF6b6BRyq0sQ/aBXU5GpoI8VQ
+5nDcASCloson18oA91T125bwD1bt6yLeTaFWhRJj6eeEI5HcJchZ9m1kGflNxEO9
+vM6bvIEPmF1IcR304i1os2JMgWHOAtOKxlsZpnwGs9U0qJu9/nw=
+=34YE
+-----END PGP SIGNATURE-----
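Review bot: The workaround in section IV tells users to change the cipher line to `'pariwise=CCMP'`, a misspelled key that would presumably not be recognised if copied as written, leaving TKIP in place; it should read `'pairwise=CCMP'`. The closing link points to `FreeBSD-SA-18:09.hostapd.asc`, but this file is added as FreeBSD-SA-18:11.hostapd.asc, so the line should be `<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:11.hostapd.asc>`. Section III reads "vulnerable to information" and appears to be missing the word "disclosure", and section II has `dta field` for "data field". The topic and file name say hostapd while sections I to IV describe wpa_supplicant(8) only, which is worth reconciling. All of these sit inside the clear-signed text, so fixing them means re-signing the advisory.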

Added: head/share/security/patches/SA-18:08/tcp-man-10.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:08/tcp-man-10.patch	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,11 @@
+--- share/man/man4/tcp.4.orig
++++ share/man/man4/tcp.4
+@@ -38,7 +38,7 @@
+ .\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
+ .\" $FreeBSD$
+ .\"
+-.Dd October 13, 2014
++.Dd August 6, 2018
+ .Dt TCP 4
+ .Os
+ .Sh NAME

Added: head/share/security/patches/SA-18:08/tcp-man-10.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:08/tcp-man-10.patch.asc	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztboACgkQ05eS9J6n
+5cJtEQ/8CDdSUbL4aWI2tt1NTAxMoLirMte4r4oR6R3L3prOQWzqKc8m2KV73pgI
+5hSAbcyW8pINgJ4gIX8FwXd+g1bfiz/9Fq7J7IEeZHbNPUo150NCsHC8LPG4oupz
+6UmjGybX/J4nBrKMVqC88p7sWeukvCQm2d8fcKJQgUPQ8d9lgjRFn2MeaKEGR36j
+rhQRK0GSQC7PLgsxzmHAnPtMBqnBNxP9GAyv/O+GX4pAX4PVf6GevQZMYMMPZYNE
+yC8vOclIBuSuOlXaEtanCB7w3WT4M+x6VUwM8NSTq30uQe3NMUvzbzlv+YE2xx0Q
+3XYncGma86rL0FqrqcgLZLoWHJAubqlxonCJNSNXS0o8I77njPffkKx1nDFtpUt2
+IdIleTaltinZXq1mAoPqtrt/nOa9x1C4hihvrIStIYAi/0rLdB8rCGJgMjD8twG7
+W7GUTJxDz2F/dp/y3zomwg69cjdXadh8JWHoPwscPObFhWUml3/WnPLw8iw0ae4A
+TE8+npZUir8zbbxevcZrQxZA/FasfVIEZJytBkIs6z9t+bxa6stBeR/tWU1qgYPx
+oSebDN09tpb3Qzb8uUKNHjuF9La6BXmstjzuh8F/FgPqfImIGQaTkvb0/jcZtvJt
+GatGGPBnZCJWZvy5wvHkNYbUxO81A6dvBJd0kYbS8Q4vYLrzjHo=
+=tsh3
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-18:08/tcp-man-11.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:08/tcp-man-11.patch	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,11 @@
+--- share/man/man4/tcp.4.orig
++++ share/man/man4/tcp.4
+@@ -34,7 +34,7 @@
+ .\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
+ .\" $FreeBSD$
+ .\"
+-.Dd February 6, 2017
++.Dd August 6, 2018
+ .Dt TCP 4
+ .Os
+ .Sh NAME

Added: head/share/security/patches/SA-18:08/tcp-man-11.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:08/tcp-man-11.patch.asc	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+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+=r2Sc
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-18:09/l1tf-11.1.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:09/l1tf-11.1.patch	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,213 @@
+--- sys/amd64/amd64/pmap.c.orig
++++ sys/amd64/amd64/pmap.c
+@@ -1206,6 +1206,9 @@
+ 	vm_size_t s;
+ 	int error, i, pv_npg;
+ 
++	/* L1TF, reserve page @0 unconditionally */
++	vm_page_blacklist_add(0, bootverbose);
++
+ 	/*
+ 	 * Initialize the vm page array entries for the kernel pmap's
+ 	 * page table pages.
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -183,6 +183,12 @@
+ SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD,
+ 	    &vpid_alloc_failed, 0, NULL);
+ 
++static int guest_l1d_flush;
++SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD,
++    &guest_l1d_flush, 0, NULL);
++
++uint64_t vmx_msr_flush_cmd;
++
+ /*
+  * Use the last page below 4GB as the APIC access address. This address is
+  * occupied by the boot firmware so it is guaranteed that it will not conflict
+@@ -718,6 +724,12 @@
+ 		return (error);
+ 	}
+ 
++	guest_l1d_flush = (cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) == 0;
++	TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush);
++	if (guest_l1d_flush &&
++	    (cpu_stdext_feature3 & CPUID_STDEXT3_L1D_FLUSH) != 0)
++		vmx_msr_flush_cmd = IA32_FLUSH_CMD_L1D;
++
+ 	/*
+ 	 * Stash the cr0 and cr4 bits that must be fixed to 0 or 1
+ 	 */
+--- sys/amd64/vmm/intel/vmx_genassym.c.orig
++++ sys/amd64/vmm/intel/vmx_genassym.c
+@@ -36,6 +36,7 @@
+ 
+ #include <vm/vm.h>
+ #include <vm/pmap.h>
++#include <vm/vm_param.h>
+ 
+ #include <machine/vmm.h>
+ #include "vmx_cpufunc.h"
+@@ -86,3 +87,6 @@
+ 
+ ASSYM(KERNEL_SS, GSEL(GDATA_SEL, SEL_KPL));
+ ASSYM(KERNEL_CS, GSEL(GCODE_SEL, SEL_KPL));
++
++ASSYM(PAGE_SIZE, PAGE_SIZE);
++ASSYM(KERNBASE, KERNBASE);
+--- sys/amd64/vmm/intel/vmx_support.S.orig
++++ sys/amd64/vmm/intel/vmx_support.S
+@@ -28,6 +28,7 @@
+  */
+ 
+ #include <machine/asmacros.h>
++#include <machine/specialreg.h>
+ 
+ #include "vmx_assym.h"
+ 
+@@ -136,9 +137,47 @@
+ 	jbe	invept_error		/* Check invept instruction error */
+ 
+ guest_restore:
+-	cmpl	$0, %edx
++
++	/*
++	 * Flush L1D cache if requested.  Use IA32_FLUSH_CMD MSR if available,
++	 * otherwise load enough of the data from the zero_region to flush
++	 * existing L1D content.
++	 */
++#define	L1D_FLUSH_SIZE	(64 * 1024)
++	movl	%edx, %r8d
++	cmpb	$0, guest_l1d_flush(%rip)
++	je	after_l1d
++	movq	vmx_msr_flush_cmd(%rip), %rax
++	testq	%rax, %rax
++	jz	1f
++	movq	%rax, %rdx
++	shrq	$32, %rdx
++	movl	$MSR_IA32_FLUSH_CMD, %ecx
++	wrmsr
++	jmp	after_l1d
++1:	movq	$KERNBASE, %r9
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/*
++	 * pass 1: Preload TLB.
++	 * Kernel text is mapped using superpages.  TLB preload is
++	 * done for the benefit of older CPUs which split 2M page
++	 * into 4k TLB entries.
++	 */
++2:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$PAGE_SIZE, %rcx
++	jne	2b
++	xorl	%eax, %eax
++	cpuid
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/* pass 2: Read each cache line */
++3:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$64, %rcx
++	jne	3b
++	lfence
++#undef	L1D_FLUSH_SIZE
++after_l1d:
++	cmpl	$0, %r8d
+ 	je	do_launch
+-
+ 	VMX_GUEST_RESTORE
+ 	vmresume
+ 	/*
+--- sys/vm/vm_page.c.orig
++++ sys/vm/vm_page.c
+@@ -290,6 +290,27 @@
+ 	return (0);
+ }
+ 
++bool
++vm_page_blacklist_add(vm_paddr_t pa, bool verbose)
++{
++	vm_page_t m;
++	int ret;
++
++	m = vm_phys_paddr_to_vm_page(pa);
++	if (m == NULL)
++		return (true); /* page does not exist, no failure */
++
++	mtx_lock(&vm_page_queue_free_mtx);
++	ret = vm_phys_unfree_page(m);
++	mtx_unlock(&vm_page_queue_free_mtx);
++	if (ret) {
++		TAILQ_INSERT_TAIL(&blacklist_head, m, listq);
++		if (verbose)
++			printf("Skipping page with pa 0x%jx\n", (uintmax_t)pa);
++	}
++	return (ret);
++}
++
+ /*
+  *	vm_page_blacklist_check:
+  *
+@@ -301,26 +322,13 @@
+ vm_page_blacklist_check(char *list, char *end)
+ {
+ 	vm_paddr_t pa;
+-	vm_page_t m;
+ 	char *next;
+-	int ret;
+ 
+ 	next = list;
+ 	while (next != NULL) {
+ 		if ((pa = vm_page_blacklist_next(&next, end)) == 0)
+ 			continue;
+-		m = vm_phys_paddr_to_vm_page(pa);
+-		if (m == NULL)
+-			continue;
+-		mtx_lock(&vm_page_queue_free_mtx);
+-		ret = vm_phys_unfree_page(m);
+-		mtx_unlock(&vm_page_queue_free_mtx);
+-		if (ret == TRUE) {
+-			TAILQ_INSERT_TAIL(&blacklist_head, m, listq);
+-			if (bootverbose)
+-				printf("Skipping page with pa 0x%jx\n",
+-				    (uintmax_t)pa);
+-		}
++		vm_page_blacklist_add(pa, bootverbose);
+ 	}
+ }
+ 
+--- sys/vm/vm_page.h.orig
++++ sys/vm/vm_page.h
+@@ -448,6 +448,7 @@
+     u_long npages, vm_paddr_t low, vm_paddr_t high, u_long alignment,
+     vm_paddr_t boundary, vm_memattr_t memattr);
+ vm_page_t vm_page_alloc_freelist(int, int);
++bool vm_page_blacklist_add(vm_paddr_t pa, bool verbose);
+ vm_page_t vm_page_grab (vm_object_t, vm_pindex_t, int);
+ int vm_page_try_to_free (vm_page_t);
+ void vm_page_deactivate (vm_page_t);
+--- sys/x86/include/specialreg.h.orig
++++ sys/x86/include/specialreg.h
+@@ -378,6 +378,7 @@
+  */
+ #define	CPUID_STDEXT3_IBPB	0x04000000
+ #define	CPUID_STDEXT3_STIBP	0x08000000
++#define	CPUID_STDEXT3_L1D_FLUSH	0x10000000
+ #define	CPUID_STDEXT3_ARCH_CAP	0x20000000
+ 
+ /* MSR IA32_ARCH_CAP(ABILITIES) bits */
+@@ -427,6 +428,7 @@
+ #define	MSR_IA32_EXT_CONFIG	0x0ee	/* Undocumented. Core Solo/Duo only */
+ #define	MSR_MTRRcap		0x0fe
+ #define	MSR_IA32_ARCH_CAP	0x10a
++#define	MSR_IA32_FLUSH_CMD	0x10b
+ #define	MSR_BBL_CR_ADDR		0x116
+ #define	MSR_BBL_CR_DECC		0x118
+ #define	MSR_BBL_CR_CTL		0x119
+@@ -580,6 +582,9 @@
+ /* MSR IA32_PRED_CMD */
+ #define	IA32_PRED_CMD_IBPB_BARRIER	0x0000000000000001ULL
+ 
++/* MSR IA32_FLUSH_CMD */
++#define	IA32_FLUSH_CMD_L1D	0x00000001
++
+ /*
+  * PAT modes.
+  */
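Review bot: In the vmx_support.S hunk, `cmpb $0, guest_l1d_flush(%rip)` tests only the low byte of a variable that vmx.c declares as `static int` and fills through `TUNABLE_INT_FETCH("hw.vmm.l1d_flush", ...)`. With a tunable value whose low byte is zero (256 is a constructed example), the C code treats the flush as enabled while the VM-entry path skips it. A full-width test, `cmpl $0, guest_l1d_flush(%rip)`, keeps the two sides in agreement; the same line appears in the vmx_support.S hunk of l1tf-11.2.patch. The `static` qualifier also deserves a check, since the symbol is referenced by name from a separate assembly file and this patch does not show whether the module link resolves it. The comment above the fallback loop names `zero_region` while the code reads from `KERNBASE`, so I would reword it to `otherwise read L1D_FLUSH_SIZE bytes starting at KERNBASE to displace existing L1D content`; the routine containing `guest_restore` starts and ends outside the hunk.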

Added: head/share/security/patches/SA-18:09/l1tf-11.1.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:09/l1tf-11.1.patch.asc	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+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+=8Mzj
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-18:09/l1tf-11.2.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-18:09/l1tf-11.2.patch	Wed Aug 15 05:17:29 2018	(r52127)
@@ -0,0 +1,145 @@
+--- sys/amd64/amd64/pmap.c.orig
++++ sys/amd64/amd64/pmap.c
+@@ -1215,6 +1215,9 @@
+ 	vm_size_t s;
+ 	int error, i, pv_npg, ret, skz63;
+ 
++	/* L1TF, reserve page @0 unconditionally */
++	vm_page_blacklist_add(0, bootverbose);
++
+ 	/* Detect bare-metal Skylake Server and Skylake-X. */
+ 	if (vm_guest == VM_GUEST_NO && cpu_vendor_id == CPU_VENDOR_INTEL &&
+ 	    CPUID_TO_FAMILY(cpu_id) == 0x6 && CPUID_TO_MODEL(cpu_id) == 0x55) {
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -185,6 +185,12 @@
+ SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD,
+ 	    &vpid_alloc_failed, 0, NULL);
+ 
++static int guest_l1d_flush;
++SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD,
++    &guest_l1d_flush, 0, NULL);
++
++uint64_t vmx_msr_flush_cmd;
++
+ /*
+  * Use the last page below 4GB as the APIC access address. This address is
+  * occupied by the boot firmware so it is guaranteed that it will not conflict
+@@ -720,6 +726,12 @@
+ 		return (error);
+ 	}
+ 
++	guest_l1d_flush = (cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) == 0;
++	TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush);
++	if (guest_l1d_flush &&
++	    (cpu_stdext_feature3 & CPUID_STDEXT3_L1D_FLUSH) != 0)
++		vmx_msr_flush_cmd = IA32_FLUSH_CMD_L1D;
++
+ 	/*
+ 	 * Stash the cr0 and cr4 bits that must be fixed to 0 or 1
+ 	 */
+--- sys/amd64/vmm/intel/vmx_genassym.c.orig
++++ sys/amd64/vmm/intel/vmx_genassym.c
+@@ -36,6 +36,7 @@
+ 
+ #include <vm/vm.h>
+ #include <vm/pmap.h>
++#include <vm/vm_param.h>
+ 
+ #include <machine/vmm.h>
+ #include "vmx_cpufunc.h"
+@@ -86,3 +87,6 @@
+ 
+ ASSYM(KERNEL_SS, GSEL(GDATA_SEL, SEL_KPL));
+ ASSYM(KERNEL_CS, GSEL(GCODE_SEL, SEL_KPL));
++
++ASSYM(PAGE_SIZE, PAGE_SIZE);
++ASSYM(KERNBASE, KERNBASE);
+--- sys/amd64/vmm/intel/vmx_support.S.orig
++++ sys/amd64/vmm/intel/vmx_support.S
+@@ -28,6 +28,7 @@
+  */
+ 
+ #include <machine/asmacros.h>
++#include <machine/specialreg.h>
+ 
+ #include "vmx_assym.h"
+ 
+@@ -173,9 +174,47 @@
+ 	jbe	invept_error		/* Check invept instruction error */
+ 
+ guest_restore:
+-	cmpl	$0, %edx
+-	je	do_launch
+ 
++	/*
++	 * Flush L1D cache if requested.  Use IA32_FLUSH_CMD MSR if available,
++	 * otherwise load enough of the data from the zero_region to flush
++	 * existing L1D content.
++	 */
++#define	L1D_FLUSH_SIZE	(64 * 1024)
++	movl	%edx, %r8d
++	cmpb	$0, guest_l1d_flush(%rip)
++	je	after_l1d
++	movq	vmx_msr_flush_cmd(%rip), %rax
++	testq	%rax, %rax
++	jz	1f
++	movq	%rax, %rdx
++	shrq	$32, %rdx
++	movl	$MSR_IA32_FLUSH_CMD, %ecx
++	wrmsr
++	jmp	after_l1d
++1:	movq	$KERNBASE, %r9
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/*
++	 * pass 1: Preload TLB.

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

