sys/arch/xen/x86/xen_intr.c: revision 1.31 (patch)
sys/arch/xen/include/xen.h (apply patch)
xen_intr.c: Use kpreempt_disable/enable around access to curcpu().
curcpu() is not otherwise guaranteed to be stable at these points.
While here, nix nonsensical membars. This need only be synchronized
with interrupts on the same CPU.
Proposed on port-xen:
https://mail-index.netbsd.org/port-xen/2022/07/13/msg010250.html
sys/kern/kern_rwlock.c: revision 1.68 (patch)
rwlock(9): Fix membars.
rw_downgrade must be a release operation, and rw_tryupgrade must be
an acquire operation. membar_producer is not enough -- need to use
membar_release and membar_acquire.
Discussed on tech-kern:
https://mail-index.netbsd.org/tech-kern/2023/02/22/msg028726.html
sys/arch/ia64/ia64/vm_machdep.c: revision 1.18
sys/arch/powerpc/powerpc/locore_subr.S: revision 1.67
sys/arch/aarch64/aarch64/locore.S: revision 1.91
sys/arch/mips/include/asm.h: revision 1.74
sys/arch/hppa/include/cpu.h: revision 1.13
sys/arch/arm/arm/armv6_start.S: revision 1.38
(applied also to sys/arch/arm/cortex/a9_mpsubr.S,
sys/arch/arm/cortex/a9_mpsubr.S,
sys/arch/arm/cortex/cortex_init.S)
sys/arch/evbmips/ingenic/cpu_startup.S: revision 1.2
sys/arch/mips/mips/locore.S: revision 1.229
sys/arch/alpha/include/asm.h: revision 1.45
(applied to sys/arch/alpha/alpha/multiproc.s)
sys/arch/sparc64/sparc64/locore.s: revision 1.432
sys/arch/vax/vax/subr.S: revision 1.42
sys/arch/mips/mips/locore_mips3.S: revision 1.116
sys/arch/ia64/ia64/machdep.c: revision 1.44
sys/arch/arm/arm32/cpuswitch.S: revision 1.106
sys/arch/sparc/sparc/locore.s: revision 1.284
(all via patch)
aarch64: Add missing barriers in cpu_switchto.
Details in comments.
Note: This is a conservative change that inserts a barrier where
there was a comment saying none is needed, which is probably correct.
The goal of this change is to systematically add barriers to be
confident in correctness; subsequent changes may remove some barriers,
as an optimization, with an explanation of why each barrier is not
needed.
PR kern/57240
alpha: Add missing barriers in cpu_switchto.
Details in comments.
arm32: Add missing barriers in cpu_switchto.
Details in comments.
hppa: Add missing barriers in cpu_switchto.
Not sure hppa has ever had working MULTIPROCESSOR, so maybe no
pullups needed?
ia64: Add missing barriers in cpu_switchto.
(ia64 has never really worked, so no pullups needed, right?)
mips: Add missing barriers in cpu_switchto.
Details in comments.
powerpc: Add missing barriers in cpu_switchto.
Details in comments.
sparc: Add missing barriers in cpu_switchto.
sparc64: Add missing barriers in cpu_switchto.
Details in comments.
vax: Note where cpu_switchto needs barriers.
Not sure vax has ever had working MULTIPROCESSOR, though, and I'm not
even sure how to spell store-before-load barriers on VAX, so no
functional change for now.
lib/csu/arch/vax/crtbegin.S: revision 1.8
lib/csu/arch/vax/crtbegin.S: revision 1.9
vax/csu: __do_global_ctors_aux: Save actually-used r8, instead of r11
Thanks Kalvis Duckmanton for report and patch on tech-toolchain:
https://mail-index.netbsd.org/tech-toolchain/2023/07/28/msg004321.html
vax/csu: Use register name provided by asm.h. No binary changes.
sys/arch/x86/x86/coretemp.c: revision 1.38-1.39 (patch)
coretemp(4): Change limits of Tjmax.
- Change the lower limit from 70 to 60. At least, some BIOSes can change
the value down to 62.
- Change the upper limit from 110 to 120. At least, some BIOSes can change
the value up to 115.
- Print error message when rdmsr(TEMPERATURE_TARGET) failed.
- When Tjmax exceeded the limit, print warning message and use the value
as it is.
- KNF.
ticket #1856:
sys/dev/pci/ichsmb.c 1.83-1.84
- Add support for Intel 700 series chipset and Alder Lake-N devices.
- Use device_printf() instead of aprint_error_dev() in
ichsmb_i2c_exec().
sys/arch/x86/x86/errata.c: revision 1.32
fix the cpuids for the zen2 client CPUs.
i'm not exactly sure how i came up with the values i had, though one
of them was still valid and matched my test systems.
sys/arch/x86/include/specialreg.h: revision 1.207
sys/arch/x86/x86/errata.c: revision 1.31
x86: turn off zenbleed chicken bit on Zen2 cpus.
this is based upon Taylor's original work. i just made the list
of CPUs to run on correct as i could determine. (also, add some
Zen3 and Zen4 cpuids not yet used by any errata.)
(might be nice to have a better way to express revision ranges
rather than specific cpuid matches, eg, 0x30-0x4f models in a cpu
family, etc.)
tested on ryzen 3600, and a ported zenbleed PoC that no longer
shows any obtained text. (a similar module-version of it stopped
the PoC on a ryzen 3950x without having to reboot.)
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
https://lock.cmpxchg8b.com/zenbleed.html
external/bsd/dhcpcd/examples/Makefile: revision 1.2
distrib/sets/lists/misc/mi: revision 1.225
external/bsd/dhcpcd/examples/conf/Makefile: revision 1.1
Install a copy of dhcpcd.conf under /usr/share/examples
Addresses PR bin/57487 from Taylor R Campbell.
sys/dev/pci/if_wm.c 1.768-1.782 via patch
sys/dev/pci/if_wmreg.h 1.129-1.130
sys/dev/pci/if_wmvar.h 1.49
wm(4):
- Rework for event counters:
- Fix calculation of GORC, GOTC, TOR and TOT counters correctly.
- Rearrange the order of the registers so that they are roughly
in ascending order.
- Reorder evcnt_attach_dynamic(), WM_EVCNT_ADD() and evcnt_detach()
to match.
- IC{TX,RX}*C registers are for older than 82575.
- Fix a bug that the transmit underrun counter is incorrectly
counted.
- Don't add "Count" for event counter's description.
- Some statistics registers were replaced with new counters on newer
chips. Treat 0x403c(CEXTERR->HTDPMC), 0x40fc(TSCTFC->CBRMPC),
0x4124(ICRXOC->HTCBDPC) and from 0x4104 to 0x4124.
- Add some new counters:
- Circuit Breaker TX Manageability Packet
- Circuit Breaker RX Dropped Packet
- Host Good Octets RX
- Host Good Octets TX
- Length Errors
- SerDes/SGMII Code Violation Packet
- Header Redirection Missed Packet
- EEE TX LPI
- EEE RX LPI
- Fix prc511's comment and description.
- Add SIOCZIFDATA (ifconfig -z) support for evcnt(9).
- Use WM_IS_ICHPCH(). No functional change.
- Fix typo. s/ictxact/ictxatc/. No functional change.
- Add comment.
sys/dev/pci/pcidevs: revision 1.1478
sys/dev/pci/pcidevs: revision 1.1479
sys/dev/pci/pcidevs: revision 1.1480
Add Samsung SM990.
Add devices from PPR for AMD Family 19h Model 61h Revision B1 processors.
The SATA device ID for Apollo Lake is not 0x5ae0 but 0x5ae3.
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129
etc/pam.d/ftpd: revision 1.8
etc/pam.d/su: revision 1.9
etc/pam.d/system: revision 1.9
etc/pam.d/display_manager: revision 1.6
etc/pam.d/sshd: revision 1.10
pam: Disable pam_krb5, pam_ksu by default.
These are not useful unless you also set up /etc/krb5.conf and a
keytab for the host from the Kerberos KDC. But having them enabled
by default means that creating /etc/krb5.conf just to enable use of
Kerberos for _client-side_ single sign-on creates usability issues.
As proposed on tech-security:
https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html
sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48
compat_sunos32: Memset zero before copyout.
Unclear if this can leak anything but let's be on the safe side.
compat_ossaudio: Zero-initialize idat before copyout.
Unclear if there are any paths to the copyout without initialization,
but let's play it safe to keep the auditing effort low.
linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.
sys/compat/common/kern_time_30.c: revision 1.6
sys/compat/netbsd32/netbsd32_time.c: revision 1.50
Paranoia: zero COMPAT_30 ntptimeval and 32-bit ntptimeval too.
These structs don't have padding but safer to keep the code
structured the same way between the various ntp_gettimes in case
anyone makes more copypasta of it for future updates.
sys/compat/common/kern_time_50.c: revision 1.32
Zero ntptimeval50 too to prevent 4-byte kernel stack disclosure.
From Thomas Barabosch of Fraunhofer FKIE.
sys/compat/osf1/osf1_cvt.c
sys/compat/osf1/osf1_file.c
sys/compat/osf1/osf1_misc.c
Memset structures to zero before passing them to copyout to expose them
to userland.
No equivalent change in newer branches, compat/osf1 has been deleted.
sys/dev/pci/if_iwi.c: revision 1.117
sys/dev/raidframe/rf_netbsdkintf.c: revision 1.401
sys/dev/scsipi/ses.c: revision 1.52
sys/dev/isa/mcd.c: revision 1.121
(all via patch)
sys/dev: Memset zero before copyout.
Just in case of uninitialized padding which would lead to kernel
stack disclosure. If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.
I think the iwi(4), mcd(4), and ses(4) changes actually plug leaks;
the raidframe(4) change probably doesn't (but doesn't hurt).
sys/compat/netbsd32/netbsd32_netbsd.c: revision 1.232
sys/compat/netbsd32/netbsd32_socket.c: revision 1.56
sys/compat/netbsd32/netbsd32_conv.h: revision 1.45
sys/compat/netbsd32/netbsd32_fs.c: revision 1.92
sys/compat/netbsd32/netbsd32.h: revision 1.137
The read/write/send/recv system calls return ssize_t because -1 is
returned on error. Therefore we must restrict the lengths of any
buffers to NETBSD32_SSIZE_MAX with compat32 to avoid garbage return
values.
Fixes ATF lib/libc/sys/t_write:write_err.
sys/altq/altq_hfsc.c: revision 1.29
sys/altq/altq_priq.c: revision 1.27
sys/altq: Memset zero before copyout.
Just in case of uninitialized padding which would lead to kernel
stack disclosure. If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.
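The padding leak that the "Memset zero before copyout" entries above guard against, as an added userland example (not code from the NetBSD tree). struct reply, union reply_buf and the 0xA5 stale pattern are constructed for illustration; the byte overlay stands in for what copyout(9) would copy to userland.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply structure: on common ABIs the compiler inserts
 * padding after `tag` so that `value` is naturally aligned. */
struct reply {
	char tag;
	long value;
};

/* Overlay so the object representation can be inspected byte by byte. */
union reply_buf {
	struct reply r;
	unsigned char bytes[sizeof(struct reply)];
};

#define STALE 0xA5	/* constructed stand-in for leftover kernel stack data */

/* Count bytes still holding the stale pattern after the reply is built. */
static size_t stale_bytes(int zero_first)
{
	union reply_buf u;
	size_t i, n = 0;
	memset(u.bytes, STALE, sizeof(u.bytes));	/* simulate a dirty stack slot */
	if (zero_first)
		memset(&u.r, 0, sizeof(u.r));		/* the fix: memset before filling */
	u.r.tag = 1;
	u.r.value = 42;
	/* Everything in u.bytes is what a copyout of the struct would expose. */
	for (i = 0; i < sizeof(u.bytes); i++)
		if (u.bytes[i] == STALE)
			n++;
	return n;
}

/* Bytes of the structure not covered by any member. */
static size_t padding_bytes(void)
{
	return sizeof(struct reply) - sizeof(char) - sizeof(long);
}

int main(void)
{
	printf("padding=%zu leaked(no memset)=%zu leaked(memset)=%zu\n",
	    padding_bytes(), stale_bytes(0), stale_bytes(1));
	return 0;
}
```

Assigning every member is not enough: the bytes between members keep whatever was on the stack, which is why the fix zeroes the whole object before filling it in.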
sys/dev/pci/ixgbe/ixgbe.c 1.325-1.326 via patch
sys/dev/pci/ixgbe/ixgbe_common.c 1.44
sys/dev/pci/ixgbe/ixgbe_type.h 1.56
- PCI device ID 0x15c8 also uses X557-AT PHY, so create the thermal
sensor sysctl for it, too.
- Count the number of link down events in the MAC using the
LINK_DN_CNT register.
sys/arch/vax/vax/pmap.c: revision 1.196
sys/arch/vax/include/trap.h: revision 1.25
Change CASMAGIC to 0xFEDABABE so that it cannot accidentally end up in
valid kernel memory. Due to the VARM accesses above S0 should always
give a ptelen trap.
Bug found by Kalvis Duckmanton.
Ensure that the kernel does not try to allocate an S0 segment larger than 1G,
since the hardware prohibits that.