We were inconsistent about the use of time_second vs. time_uptime.
Always use time_uptime so the value can be meaningfully compared.
Submitted by: "Max" <maximos@als.nnov.ru>
MFC after: 4 days
On i386, the stack isn't randomized enough to provide enough space for
the VDSO to be randomized. Bump the stack randomization up to 14 for
32bit systems and lower the VDSO randomization to 8. This provides
enough of a difference between the two to allow for both stack and
VDSO randomization.
Note that ASLR on 32bit systems is still rather weak. Not much entropy
can be introduced into the stack and VDSO. Brute forcing the stack and
VDSO is well within the realm of possibility. Users are strongly
advised to migrate to 64bit systems.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
On OPNsense's 16.7 roadmap is HardenedBSD's ASLR code. This commit
separates out the ASLR code from the rest of our exploit mitigation
and system hardening code.
Testing and verification still need to be performed. Initial testing
(compile + boot + `procstat -v PIDofPIEapplication) has been
performed. More thorough testing should occur.
Shared object load order randomization in the RTLD is not included in
this patch. That will be discussed with the fine folks at OPNsense at
a later time.
Since OPNsense is based on FreeBSD 10.x, this patch will need to be
backported to 10-STABLE. However, a "horizontal port" to 11-CURRENT,
which is what this commit is, needed to be done first.
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
- Validate that user supplied control message length in sendmsg(2)
is not negative.
Security: SA-16:18
Security: CVE-2016-1886
Security: SA-16:19
Security: CVE-2016-1887
Submitted by: C Turt <cturt hardenedbsd.org>
Approved by: so
panics when unloading the dummynet and IPFW modules:
- The callout drain function can sleep and should not be called having
a non-sleepable lock locked. Remove locks around "ipfw_dyn_uninit(0)".
- Add a new "dn_gone" variable to prevent asynchronous restart of
dummynet callouts when unloading the dummynet kernel module.
- Call "dn_reschedule()" locked so that "dn_gone" can be set and
checked atomically with regard to starting a new callout.
Reviewed by: hiren
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D3855
OpenBSD pf 4.5).
Fix argument ordering to memcpy as well as the size of the copy in the
(theoretical) case that pfi_buffer_cnt should be greater than ~_max.
This fix the failure when you hit the self table size and force it to be
resized.
MFC after: 3 days
Sponsored by: Rubicon Communications (Netgate)
Logo kindly supplied by the Schellevis brothers @jschellevis
and @adschellevis, who had a lot of fun doing this. :)
Time is ticking.... tick tock tick tock :)
(cherry picked from commit 3c2aaddaa4)
(cherry picked from commit 7a0f30b0a2)
(cherry picked from commit 5dc2a15077)
Ignore the inbound checksum flags when doing packet forwarding in netvsc
driver.
Sponsored by: Microsoft OSTC
PR: 203630
(cherry picked from commit a5f1c95b3c8a3114c0dd550de01326f7c442020a)
mapped address without valid pte installed, when parallel wiring of
the entry happen. The entry must be copy on write. If entry is COW
but was already copied, and parallel wiring set
MAP_ENTRY_IN_TRANSITION, vm_fault() would sleep waiting for the
MAP_ENTRY_IN_TRANSITION flag to clear. After that, the fault handler
is restarted and vm_map_lookup() or vm_map_lookup_locked() trip over
the check. Note that this is race, if the address is accessed after
the wiring is done, the entry does not fault at all.
There is no reason in the current kernel to disallow write access to
the COW wired entry if the entry permissions allow it. Initially this
was done in r24666, since that kernel did not supported proper
copy-on-write for wired text, which was fixed in r199869. The r251901
revision re-introduced the r24666 fix for the current VM.
Note that write access must clear MAP_ENTRY_NEEDS_COPY entry flag by
performing COW. In reverse, when MAP_ENTRY_NEEDS_COPY is set in
vmspace_fork(), the MAP_ENTRY_USER_WIRED flag is cleared. Put the
assert stating the invariant, instead of returning the error.
Reported and debugging help by: peter
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
In rpcbind(8), netbuf structures are copied directly, which would
result in two netbuf structures that reference to one shared
address buffer. When one of the two netbuf structures is freed,
access to the other netbuf structure would result in an undefined
result that may crash the rpcbind(8) daemon.
Fix this by making a copy of the buffer that is going to be freed
instead of doing a shallow copy.
Security: FreeBSD-SA-15:24.rpcbind
Security: CVE-2015-7236
Approved by: so
Security: CVE-2015-1283
Security: FreeBSD-SA-15:20.expat
Fix make(1) syntax errors when upgrading from 9.x and earlier.
[EN-15:11]
Fix incorrect netstat(1) data handling on 32-bit systems.
[EN-15:12]
Allow size argument to vidcontrol(1) for syscons(4). [EN-15:13]
Approved by: so
