maxv
65a2f89e39
Remove TCP_COMPAT_42 from the config files. Pass 1.
2017-07-28 19:26:15 +00:00
maxv
0e2173f7a6
Remove TCP_COMPAT_42. This feature is a workaround for a bug in the TCP
stack of BSD4.2. Having such features just does not make any sense, and
looking at the code, I'm not sure it actually works.
2017-07-28 19:16:41 +00:00
riastradh
7756a99ec4
Zero buffers in ibcs2 ioctl to avoid disclosing stack to userland.
From Ilja Van Sprundel.
2017-07-28 17:57:48 +00:00
riastradh
ce78c80ccb
Check bounds in svr4_sys_putmsg. Check more svr4_strmcmd bounds.
svr4 streams code is still a disaster.
From Ilja Van Sprundel.
2017-07-28 17:52:47 +00:00
riastradh
c5012f3010
Feebly attempt to get this reference counting less bad.
This svr4 streams code is bad and it should feel bad.
From Ilja Van Sprundel.
2017-07-28 17:43:46 +00:00
riastradh
efcd84bb03
Fix indexing of svr4 signals.
From Ilja Van Sprundel.
2017-07-28 17:38:35 +00:00
riastradh
0090c87fd5
Avoid another userland-controlled integer overflow.
From Ilja Van Sprundel.
2017-07-28 17:14:04 +00:00
riastradh
a543e5bfce
Zero stack data before copyout.
From Ilja Van Sprundel.
2017-07-28 16:57:12 +00:00
riastradh
6d7a254de5
Fix some of the multitudinous holes in svr4 streams.
We should never have enabled this by default; it is a minefield.
From Ilja Van Sprundel.
2017-07-28 16:55:48 +00:00
riastradh
49e522ca87
Appease toxic bullshit warning from gcc.
If you have a better way to write a useful bounds check that happens
to always pass on LP64 but doesn't always on LP32, without making it
fail to compile on LP64 or making it an #ifdef conditional on LP32,
please put it in here instead.
2017-07-28 16:30:41 +00:00
riastradh
c22f09e921
Fix indentation. u_intN_t -> uintN_t. ntohl -> be32toh.
No functional change intended.
2017-07-28 16:22:01 +00:00
riastradh
f92d8e549d
Put in a litany of judicious bounds checks around vnd headers.
Thought I was done with this crap after I rewrote vndcompress(1)!
From Ilja Van Sprundel.
2017-07-28 16:19:20 +00:00
wiz
5cf2f7f839
New sentence, new line.
2017-07-28 16:11:03 +00:00
maxv
b577919c69
After a careful review, and all things considered, disable compat43 by
default on amd64. The use case is limited, the potential for damage too
high, and it is safer to run a BSD4.3 binary on i386 since the kernel does
not have to go through netbsd32 - which may not correctly reproduce i386.
2017-07-28 16:10:28 +00:00
flxd
2203a9f499
* sii(4) was never used in VAXstation 3100 (uses si(4) and is NCR-based).
* Reference scsi(4) in sii(4).
* Add more machines to pmax/intro(4).
* Small fixes.
2017-07-28 15:58:24 +00:00
riastradh
e4da734a80
Tweak whitespace to make this definition more greppable.
2017-07-28 15:52:53 +00:00
riastradh
18c4e4218d
Make sure we move forward over the buffer.
From Ilja Van Sprundel.
2017-07-28 15:51:35 +00:00
riastradh
9a25e0f558
Make sure we have enough space in the buffer before reading it.
From Ilja Van Sprundel.
2017-07-28 15:50:04 +00:00
riastradh
74f9c98ecc
Check for NUL termination within the buffer we have.
From Ilja Van Sprundel.
2017-07-28 15:47:23 +00:00
riastradh
5a050a1b30
Add some more bogus compat options to amd64/ALL for compile-testing.
2017-07-28 15:40:38 +00:00
riastradh
56272c962e
Don't walk off the end of the dirent buffer.
From Ilja Van Sprundel.
2017-07-28 15:37:23 +00:00
riastradh
39f1e86852
Fail, don't panic, on bad dirents from file system.
Controllable via puffs from userland.
From Ilja Van Sprundel.
2017-07-28 15:34:06 +00:00
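Added illustration (editor's example in C, not code from any of the commits on this page): the bounded record-walker shape that 18c4e4218d, 9a25e0f558, 74f9c98ecc, 56272c962e and 39f1e86852 describe. The record layout, the 4-byte padding and the demo buffers are constructed for the example; they are not the kernel's struct dirent, nor anything from puffs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical variable-length record modelled on a directory entry
 * (constructed for this example, not the kernel's struct dirent): a
 * 4-byte header followed by namelen bytes of name, a NUL, and padding
 * up to reclen. Every field is attacker-controlled when the producer
 * is a userland file system. */
struct rec {
    uint16_t reclen;    /* total bytes in this record, header included */
    uint16_t namelen;   /* name bytes, excluding the NUL */
};

/* Walk buf[0..len) calling cb for each name. Returns the record count,
 * or -1 at the first malformed record: fail, never read past the
 * buffer, never panic. */
int walk_records(const uint8_t *buf, size_t len,
                 void (*cb)(const char *, void *), void *arg)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        struct rec r;

        /* 1. Enough bytes left for the header before touching it. */
        if (len - off < sizeof r)
            return -1;
        memcpy(&r, buf + off, sizeof r);   /* no unaligned dereference */

        /* 2. reclen covers the header (so the walk always moves
         *    forward) and does not run past the buffer we have. */
        if (r.reclen < sizeof r || r.reclen > len - off)
            return -1;

        /* 3. The name plus its NUL fits inside this record. */
        if ((size_t)r.namelen + 1 > r.reclen - sizeof r)
            return -1;

        /* 4. The NUL is where namelen says it is, inside the buffer. */
        const char *name = (const char *)(buf + off + sizeof r);
        if (name[r.namelen] != '\0')
            return -1;

        if (cb != NULL)
            cb(name, arg);
        n++;
        off += r.reclen;   /* >= sizeof r > 0: guaranteed progress */
    }
    return n;
}

/* Test-data builder: append one record, return the new end offset or 0
 * if it does not fit. Pads to 4 bytes the way dirents do. */
size_t put_rec(uint8_t *buf, size_t cap, size_t off, const char *name)
{
    size_t namelen = strlen(name);
    size_t reclen = (sizeof(struct rec) + namelen + 1 + 3) & ~(size_t)3;
    struct rec r;

    if (namelen > UINT16_MAX || reclen > UINT16_MAX || reclen > cap - off)
        return 0;
    r.reclen = (uint16_t)reclen;
    r.namelen = (uint16_t)namelen;
    memset(buf + off, 0, reclen);
    memcpy(buf + off, &r, sizeof r);
    memcpy(buf + off + sizeof r, name, namelen + 1);
    return off + reclen;
}

/* Well-formed buffer with three entries: walk_records returns 3. */
int demo_walk(void)
{
    uint8_t buf[64];
    size_t end = 0;
    end = put_rec(buf, sizeof buf, end, ".");
    end = put_rec(buf, sizeof buf, end, "..");
    end = put_rec(buf, sizeof buf, end, "passwd");
    return walk_records(buf, end, NULL, NULL);
}

/* Two entries with the first header corrupted in one of the ways the
 * checks above catch (returns -1); any other 'kind' leaves it intact
 * and the walk returns 2. */
int demo_malformed(int kind)
{
    uint8_t buf[64];
    size_t end = put_rec(buf, sizeof buf, 0, "a");
    struct rec r;

    end = put_rec(buf, sizeof buf, end, "bb");
    memcpy(&r, buf, sizeof r);
    switch (kind) {
    case 0: r.reclen = 0; break;                      /* a naive walk spins forever here */
    case 1: r.reclen = (uint16_t)(end + 100); break;  /* claims bytes past the end */
    case 2: r.namelen = 50; break;                    /* name extends outside the record */
    case 3: buf[sizeof r + 1] = 'x'; break;           /* NUL after "a" overwritten */
    default: break;
    }
    memcpy(buf, &r, sizeof r);
    return walk_records(buf, end, NULL, NULL);
}
```

The four checks map onto the commit subjects above: space for the header before it is read, a reclen that covers the header so the offset always advances, a name that fits inside its own record, and a NUL inside the bytes actually present. Because reclen is verified to be at least the header size, a zero reclen from a hostile file system is rejected rather than looped on.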
riastradh
cf5a000fe5
Clamp the length we use, not the length we don't.
Avoids uninitialized memory disclosure to userland.
From Ilja Van Sprundel.
2017-07-28 15:16:39 +00:00
riastradh
930eafe842
Reject out-of-bounds channel index.
From Ilja Van Sprundel.
2017-07-28 15:02:52 +00:00
riastradh
8c4d14f179
Reject negative indices from userland.
From Ilja Van Sprundel.
2017-07-28 14:49:55 +00:00
riastradh
6b6142bc49
Reject negative offset/count for smb read/write.
Not clear that this is actually a problem for the kernel -- might
overwrite user's buffers or return garbage to user, but that's their
own damn fault. But it's hard to imagine that negative offset/count
ever makes sense, and I haven't ruled out a problem for the kernel.
2017-07-28 14:45:59 +00:00
riastradh
7856833155
Reject negative ioc_setupcnt.
2017-07-28 14:40:42 +00:00
riastradh
cf6e54504a
Plug another overflow: refuse bogus sa_len from user.
2017-07-28 14:37:27 +00:00
maxv
befe278cf1
Don't include malloc.h.
2017-07-28 14:26:50 +00:00
riastradh
8fe0fa733b
Reject allocations for too-small buffers from userland.
From Ilja Van Sprundel.
2017-07-28 14:20:46 +00:00
riastradh
027f8447ce
Avert userland-controlled integer overflow.
From Ilja Van Sprundel.
2017-07-28 14:16:29 +00:00
riastradh
0633411db6
Don't disclose uninitialized 32-bit word if cryptodev_session fails.
From Ilja Van Sprundel.
2017-07-28 14:13:56 +00:00
maxv
055288f266
Disable svr4 and ibcs2 by default.
These options are not well-tested, of a limited use case, and the potential
for damage is too high. Vulnerabilities were presented at DEFCON 25 - I see
that at least one of them can be exploited to get ring0 privileges.
2017-07-28 14:13:13 +00:00
riastradh
ecfd948c0b
#if DIAGNOSTIC panic ---> KASSERTMSG
2017-07-28 14:13:11 +00:00
riastradh
b62f3dc335
cpu_trace is no more, remove vestige of it that broke ALL kernel.
2017-07-28 14:12:26 +00:00
maxv
7b79cc9c72
Disable vm86 by default. The use case is limited, and the potential for
damage is too high.
This code is fragile, and relies on a certain number of assumptions, some
of which are not totally true. For example, it relies on the fact that
a 16bit process cannot perform a syscall, but verily it can. The slightest
confusion in the trap frame can lead to ring0 exploits. Also, I'm not
convinced that it interacts well with the compatibility layers.
2017-07-28 13:59:07 +00:00
riastradh
a62f05d75e
Reject negative indices.
(Would be nice to change the types too, and it's *probably* safe to
replace int by u_int, but I'm reluctant to touch the ioctl
definitions without at least a modicum more thought. Also one of
them is a u_long, because why not?)
From Ilja Van Sprundel.
2017-07-28 13:58:47 +00:00
riastradh
e80123a9be
Zero buffers copied to userland to avoid stack disclosure.
From Ilja Van Sprundel.
2017-07-28 13:53:17 +00:00
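Added illustration (editor's example in C, not code from any commit on this page): the stack-disclosure pattern behind 7756a99ec4, a543e5bfce, cf5a000fe5, 0633411db6 and e80123a9be, with its fix. The reply structure, the copyout stand-in and the 0xAA stale-stack marker are constructed for the example; a real handler has no memset(STALE) line, the stale bytes are simply whatever the previous kernel call left behind.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical ioctl reply (constructed; not a NetBSD structure). The
 * 1-byte field is followed by 3 bytes of padding before 'value', and
 * 'name' is almost never filled to the end: both are bytes the handler
 * never writes. */
struct ifreply {
    uint8_t  flags;
    uint32_t value;
    char     name[8];
};

/* Stand-in for copyout(9): copy 'len' bytes from kernel memory to the
 * calling process. */
static void copyout_sim(const void *kaddr, void *uaddr, size_t len)
{
    memcpy(uaddr, kaddr, len);
}

#define STALE 0xAA   /* marker for what the previous call left on the stack */

/* Vulnerable handler: only the named fields are assigned, so padding
 * and the unused tail of name[] leave the kernel as found on the stack. */
void handler_vuln(unsigned char *user_buf)
{
    struct ifreply r;
    memset(&r, STALE, sizeof r);   /* simulates stale stack contents (constructed) */
    r.flags = 1;
    r.value = 0x1234;
    strcpy(r.name, "wm0");
    copyout_sim(&r, user_buf, sizeof r);
}

/* Fixed handler: zero the whole object before filling it. A partial
 * initializer such as "= { 0 }" is not guaranteed to clear padding,
 * which is why memset over sizeof is the idiom. */
void handler_fixed(unsigned char *user_buf)
{
    struct ifreply r;
    memset(&r, STALE, sizeof r);   /* same simulated stale stack */
    memset(&r, 0, sizeof r);       /* the fix */
    r.flags = 1;
    r.value = 0x1234;
    strcpy(r.name, "wm0");
    copyout_sim(&r, user_buf, sizeof r);
}

/* Run a handler and count how many copied-out bytes still carry the
 * stale marker: 3 padding bytes + 4 unused name bytes for the
 * vulnerable one, 0 for the fixed one. */
size_t leaked_bytes(void (*handler)(unsigned char *))
{
    unsigned char out[sizeof(struct ifreply)];
    size_t n = 0, i;

    handler(out);
    for (i = 0; i < sizeof out; i++)
        if (out[i] == STALE)
            n++;
    return n;
}
```

The same reasoning covers cf5a000fe5: copying sizeof(buf) when only len bytes were filled discloses the remainder, so the length copied out must be the length actually written, and anything not written must be zeroed first.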
skrll
558c652db8
Free the RX list if ural_alloc_rx_list fails part way through.
Reported by Ilja Van Sprundel.
2017-07-28 13:23:01 +00:00
martin
f08cc415b0
Avoid integer overflow in kern_malloc(). Reported by Ilja Van Sprundel.
XXX Time to kill malloc() completely!
2017-07-28 12:28:48 +00:00
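Added illustration (editor's example in C, not code from any commit on this page): the userland-controlled integer traps that 0090c87fd5, 027f8447ce, f08cc415b0 (wrapping size computation), 8fe0fa733b, cf6e54504a (length too small or too large) and 8c4d14f179, a62f05d75e, 930eafe842 (signed index with only an upper bound) fix. MAX_ELEMS and NCHANNELS are assumed limits for the example; the real drivers have their own.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#include <sys/socket.h>

/* Assumed limits for this illustration (constructed). */
#define MAX_ELEMS   4096   /* most elements one request may ask for */
#define NCHANNELS   8      /* size of a hypothetical per-device channel table */

/* Vulnerable shape: count comes from userland, the product wraps to a
 * small number, the allocation is tiny, and the per-element loop that
 * follows overruns it. */
size_t alloc_size_vuln(size_t count, size_t elem)
{
    return count * elem;
}

/* Hardened: refuse zero, refuse more than the policy cap, and refuse any
 * product that would wrap, all before multiplying. Returns 0 on success
 * with the size in *out, otherwise an errno value with *out untouched. */
int alloc_size_checked(size_t count, size_t elem, size_t *out)
{
    if (count == 0 || count > MAX_ELEMS)
        return EINVAL;
    if (elem != 0 && count > SIZE_MAX / elem)
        return EOVERFLOW;
    *out = count * elem;
    return 0;
}

/* Index arrives as a signed int in an ioctl argument. Testing only the
 * upper bound accepts every negative value and indexes before the table. */
int index_ok_vuln(int idx)
{
    return idx < NCHANNELS;
}

/* Both bounds. "(unsigned)idx < NCHANNELS" is the one-comparison form
 * with the same effect. */
int index_ok_checked(int idx)
{
    return idx >= 0 && idx < NCHANNELS;
}

/* A user-supplied sockaddr length must at least cover the fixed header
 * (so sa_family can be read) and never exceed the largest address the
 * kernel will store; anything else is a bogus sa_len. */
int sockaddr_len_ok(size_t len)
{
    return len >= offsetof(struct sockaddr, sa_data) &&
           len <= sizeof(struct sockaddr_storage);
}
```

The wrap check is deliberately written against SIZE_MAX / elem rather than by inspecting the product afterwards, so it is correct on both LP32 and LP64 without an #ifdef; the policy cap then keeps a legitimate but absurd request from tying up kernel memory even when the product does fit.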
knakahara
e6aadd1b31
add comment about confusing wm_rxeof() calling.
pointed out by msaitoh@n.o.
2017-07-28 10:34:58 +00:00
msaitoh
6110fbb36a
Check some wm_nvm_read()'s return value.
2017-07-28 10:21:10 +00:00
msaitoh
2dca05ef1e
Qemu's e1000e emulation (82574L)'s SPI has only 64 words. I've never seen
real 82574 hardware with such a small SPI ROM. Check sc->sc_nvm_wordsize before
accessing higher address words to prevent timeout.
2017-07-28 09:12:40 +00:00
cherry
5e43c2aaaf
APIC related macros are mixed with IOAPIC related ones.
...
This needs separation.
Until then, band-aid it.
This fixes pci-passthrough build failures on XEN3_DOMU pointed out by
msaitoh@
2017-07-28 07:42:41 +00:00
nat
301f20f125
Remove dead code from audio open. Found by isaki@.
Better error handling in case memory for the streams' ringbuffers cannot be
allocated.
Addresses PR kern/52433.
2017-07-28 03:58:54 +00:00
nat
d228595a0f
Remove unused code from audio_set_params.
Addresses PR kern/52434.
2017-07-28 03:29:19 +00:00
nat
63137f370a
Refactoring of order of auto config combinations. Most common formats
come first.
Do not exceed AUDIO_MAX_CHANNELS.
Addresses PR kern/52435.
2017-07-28 02:53:54 +00:00
nat
60fa90dcac
Mixer device bounds checking.
Analysis by Ilja van Sprundel.
2017-07-28 01:36:40 +00:00
nat
64d02c8415
Add a null_filter to help with the audio autoconfig of pmax.
Tested by flxd@.
2017-07-27 23:39:37 +00:00
jmcneill
8c4cb02e17
merge
2017-07-27 18:27:19 +00:00