Bump newvers.sh and UPDATING for today's patches.
Approved by: so
Security: CVE-2018-3665
Security: FreeBSD-SA-18:07.lazyfpu
Sponsored by: The FreeBSD Foundation
Bump newvers.sh and UPDATING for today's patches.
Approved by: so
Security: CVE-2018-8897
Security: FreeBSD-SA-18:06.debugreg
Sponsored by: The FreeBSD Foundation
Bump newvers.sh and UPDATING for today's patches.
Submitted by: emaste
Reported by: Dr Silvio Cesare of InfoSect
Approved by: so
Security: CVE-2018-6917
Security: FreeBSD-SA-18:04.vt
Sponsored by: The FreeBSD Foundation
(cherry picked from commit ec50e7cb61)
Default the enable the recent PTI mitigation against Intel's Meltdown
bug. So in general, HardenedBSD always comes with enabled mitigation,
since in our kernel always enabled the PAX.
For more detail see: c35d24e497ef2fa5d08a59ddb20123e9d9f58cc4
Discussed-with: Shawn Webb
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
(cherry picked from commit 25b11e7bcfb13d7e8f24148af7374769e25166da)
HBSD: enable PTI by default, when option PAX specified
This is a follow up commit to 1cf1c6c06d2f9cc2a208d17d610064cbc621e01a
and 25b11e7bcfb13d7e8f24148af7374769e25166da .
Suggested-by: noptrix
Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
(cherry picked from commit 502559de8775002d1e6ba07f725a1fb40d77893d)
(cherry picked from commit 62f297a550)
later by TCP-MD5 code.
This fixes the problem with broken TCP-MD5 over IPv4 when NIC has
disabled TCP checksum offloading.
PR: 223835
MFC after: 1 week
pf will unconditionally "set prio", so this will fail if the
sysctl is off. The sysctl, however, introduces a side-effect
so we would rather keep the default behaviour. The allocation
slowdown is already taking place, so this in the worst case
only adds a list traversal / lookup.
PR: https://forum.opnsense.org/index.php?topic=6714.0
(cherry picked from commit dabc3cf4ef)
LuaJIT creates 32-bit memory maps in a 64-bit execution environment,
which is disabled by default in HardenedBSD. We never ported the
MAP_32BIT disallow logic over from HardenedBSD to OPNsense prior to
18.1. The merge of HardenedBSD's ASLR implementation for 18.1 also
brought in the new logic.
Instead of removing disallow_map32bit, simply set it to 1 by default.
This will allow those who don't use LuaJIT applications to set it to 2
in /boot/loader.conf.local.
Note that this commit is specific to OPNsense. OPNsense ships without
the PAX_SYSCTLS kernel option, thus it's impossible to toggle via
sysctl.conf(5) and must be set via loader.conf.local.
Signed-off-by: Shawn Webb <shawn@opnsense.org>
github-issue: opnsense/plugins#466
(cherry picked from commit 5a1bbae356)
Ignore the ECN bits on 'tos' and 'set-tos' and allow to use
DCSP names instead of having to embed their TOS equivalents
as plain numbers.
Obtained from: OpenBSD
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D8165
Compile world with SafeStack from clang/llvm. Right now, only
applications are compiled with SafeStack, not libraries. clang 3.9.0
does not support compiling shared libraries with SafeStack, though a
patch has been proposed that would enable support.
Note that with clang's current implementation of SafeStack, ASLR and W^X
are prerequisites. SafeStack currently requires ASLR and W^X in order to
be effective.
Based on feedback by countless users, this removes the if_output
calls in the pf code that escape pfil processing in IPv4 by going
the long way.
In our 11.1 iteration ip_tryforward() is easy to port and while
we are at it we shall also tackle IPv6. :)
Many thanks to Andrey V. Elsukov (ae@) for giving this direction
and review.
Also see: https://reviews.freebsd.org/D8877
pf: add ipv6 shared forwarding
Add inpcb pointer to struct ipsec_ctx_data and pass it to the pfil hook
from enc_hhook().
This should solve the problem when pf is used with if_enc(4) interface,
and outbound packet with existing PCB checked by pf, and this leads to
deadlock due to pf does its own PCB lookup and tries to take rlock when
wlock is already held.
Now we pass PCB pointer if it is known to the pfil hook, this helps to
avoid extra PCB lookup and thus rlock acquiring is not needed.
For inbound packets it is safe to pass NULL, because we do not held any
PCB locks yet.
PR: 220217
Sponsored by: Yandex LLC
(cherry picked from commit 4683f93d198d5dc926b2d73beb0b4c09ff8646f4)
convention for interfaces, because only one stf(4) interface can exist
in the system.
This disallow the use of unit numbers different than 0, however, it is
possible to create the clone without specify the unit number (wildcard).
In the wildcard case we must update the interface name before return.
This fix an infinite recursion in pf code that keeps track of network
interfaces and groups:
1 - a group for the cloned type of the interface is added (stf in this
case);
2 - the system will now try to add an interface named stf (instead of
stf0) to stf group;
3 - when pfi_kif_attach() tries to search for an already existing 'stf'
interface, the 'stf' group is returned and thus the group is added
as an interface of itself;
This will now cause a crash at the first attempt to traverse the groups
which the stf interface belongs (which loops over itself).
Obtained from: pfSense
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC (Netgate)
While at it remove some whitespaces.
Submitted by: Jose Luis Duran <jlduran@gmail.com>
PR: 213110
MFC after: 1 week
(cherry picked from commit 0c22163daba4a8ecc287e6b2f7060383c5e1dcb1)
This would enqueue an event to send the gratuitous arp on a dying lagg
interface without any physical ports attached to it.
Apart from that, the taskqueue_drain() on lagg_clone_destroy() runs too
late, when the ifp data structure is already freed. Fix that too.
Obtained from: pfSense
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC (Netgate)
