This is actually harmless, since:
- the offset is too short rather than too long (no overflow)
- the struct audio_device comes from userland (no information leak)
"looks good to me" nat@
For the record, I was partly mistaken in my previous commit: even though
the macros were local, the function names were still the ones of the real
callers.
However, setting the name in m_data was not a good thing; this was a
valid pointer, and the kernel could execute a long time before figuring
out the mbuf was already freed - therefore making debugging more difficult.
And information on the caller can be obtained via ddb anyway.
* dhcp: when unicasting on L3, unicast on L2 as well
* dhcp: when rebooting, don't set cidaddr
* dhcp6: don't listen on IPv6 addresses when not using DHCPv6
* dhcp: only set probe state when probing (fixes REBOOT reason)
* ipv6: disable kernel RA if interface is active
* hooks: set protocol to link for link layer events
r1.6 changed the code in such a way that it was hitting a BFD assert on
MIPS, causing the builds to fail.
We were hitting the assert at binutils/dist/bfd/elfxx-mips.c:10879
2) Change the IP_RECVPKTINFO option to control the generation of
IP_PKTINFO control messages, the way it's done in Solaris.
3) Remove the superfluous IP_RECVPKTINFO control message.
4) Change the IP_PKTINFO option to do different things depending on
the parameter it's supplied with:
  - If it's sizeof(int), assume it's being used as in Linux:
    - If it's non-zero, turn on the IP_RECVPKTINFO option.
    - If it's zero, turn off the IP_RECVPKTINFO option.
  - If it's sizeof(struct in_pktinfo), assume it's being used as in
    Solaris, to set a default for the source interface and/or
    source address for outgoing packets on the socket.
5) Return what Linux- or Solaris-compatible code expects, depending
on data size, and just add a fallback to a Linux (and current NetBSD)
compatible value if the size is unknown (as it is now), or,
in the future, if the calling application specifies a receiving
buffer that doesn't match either data item.
From: Tom Ivar Helbekkmo
could cause KASLR kernels to crash early during the boot procedure.
pmap_remap_largepages assumes that the kernel is far from the end of
the VM space, but this assumption does not hold with KASLR, since the
kernel sections are allowed to reside in the very last page of the VM
space.
Doing +NBPD_L2 or roundup() in such cases caused an integer overflow,
which caused a page fault when touching &L2_BASE, which in turn caused
an immediate CPU reset and a reboot.
Took me a while to reproduce and debug this issue.
On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL
equals SEL_UPL. While Xen can make a distinction between usermode and
kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL
in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes
to read and write to the CPU ports.
It is easy, then, to completely escalate privileges; by reprogramming the
PIC, by reading the ATA disks, by intercepting the keyboard interrupts
(keylogger), etc.
Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use
the ports but not userland. I didn't test this change on i386, but it
seems fine enough.
code is fast, with a nonexistent overhead - and we already take care of
setting MT_FREE, so why not check it.
In addition, stop registering the function name, that's not helpful since
the MBUFFREE macro is local. Instead, set m_data to NULL, so that any
access to a freed mbuf's data after mtod() or similar will page fault.
The combination of these two changes provides a fast and efficient way of
detecting use-after-frees in the network stack.
of uninit'd field also fix a couple more (still harmless) related
technical C usage bugs.
Explaining why these issues were harmless would take too long to include here.