An initial reading of the preamble of sys_procctl() gives the impression
that no test prevents a malicious user from passing a negative commands
index (in 'uap->com'), which is soon used as an index into the static
array procctl_cmds_info[].
However, a closer examination leads to the conclusion that the existing
code is technically correct. Indeed, the comparison of 'uap->com' to
the nitems() expression, which expands to a ratio of sizeof(), leads to
a conversion of 'uap->com' to an 'unsigned int' as per Usual Arithmetic
Conversions/Integer Promotions applied by '<=', because sizeof() returns
'size_t' values, and we define 'size_t' as an equivalent of 'unsigned
int' (which is not mandated by the standard, the latter allowing, e.g.,
integers of lower ranks).
With this conversion, negative values of 'uap->com' are automatically
ruled out since they are converted to very big unsigned integers which
are caught by the test. An analysis of assembly code produced by LLVM
16 on amd64 and practical tests confirm that no exploitation is possible.
However, the guard code as written is misleading to readers and might
trip up static analysis tools. Make sure that negative values are
explicitly excluded so that it is immediately clear that EINVAL will be
returned in this case.
Build tested with clang 16 and GCC 12.
Approved by: markj (mentor)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit afc10f8bba)
Approved by: emaste (mentor)
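The conversion behaviour described in this commit message, as an added example (not FreeBSD's code). `cmds_info[]`, the guard functions and `lookup()` are hypothetical stand-ins with constructed values. The narrow-bound variant goes beyond the commit to show the case it mentions, where the bound's type has a lower rank than int.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define nitems(x)	(sizeof((x)) / sizeof((x)[0]))

/* Hypothetical stand-in for procctl_cmds_info[]; the entries are constructed. */
static const int cmds_info[] = { 0, 10, 20, 30 };

#pragma GCC diagnostic ignored "-Wsign-compare"	/* the mismatch is the point */

/* Implicit form: 'com' is converted to size_t by the comparison itself. */
static int guard_implicit(int com)
{
	if (com >= nitems(cmds_info))	/* -1 becomes SIZE_MAX, so it is caught */
		return (EINVAL);
	return (0);
}

/* Same shape, but the bound has a lower rank than int. */
static int guard_narrow_bound(int com)
{
	unsigned short n = (unsigned short)nitems(cmds_info);

	if (com >= n)		/* both sides promoted to int: -1 >= 4 is false */
		return (EINVAL);
	return (0);		/* a negative index is accepted */
}

/* Explicit form: correct whatever type the bound has. */
static int guard_explicit(int com)
{
	if (com < 0 || (size_t)com >= nitems(cmds_info))
		return (EINVAL);
	return (0);
}

/* Index the table only once the explicit guard has passed; -1 otherwise. */
static int lookup(int com)
{
	return (guard_explicit(com) == 0 ? cmds_info[com] : -1);
}

int main(void)
{
	int coms[] = { -1, 0, 3, 4 };	/* constructed inputs */
	for (size_t i = 0; i < nitems(coms); i++)
		printf("com=%2d implicit=%d narrow=%d explicit=%d lookup=%d\n", coms[i], guard_implicit(coms[i]),
		    guard_narrow_bound(coms[i]), guard_explicit(coms[i]), lookup(coms[i]));
	return (0);
}
```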
Add a -w flag to forward terminal resize events on to the child, which
can be useful in some circumstances to avoid terminal corruption.
Reviewed by: des
Co-authored-by: Xavier Beaudouin <xavier.beaudouin@klarasystems.com>
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
(cherry picked from commit 8ceac8e13d)
Fix some nits pointed out by checkstyle9.pl in advance of functional
changes to script(1).
Reviewed by: des
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
(cherry picked from commit 4459abe334)
The Seagate IronWolf 110 SATA SSD drive has been reported to be unstable
with NCQ trim enabled.
PR: 264139
Sponsored by: Netflix
(cherry picked from commit a6cef61766)
People still believe that it is essential to run sync(8) a couple of
times before a reboot/halt. Document that this has not been necessary
for a long time now.
Reviewed by: imp, bcr, Pau Amma <pauamma@gundo.com>
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D33233
(cherry picked from commit 177ba18307)
[sanitizer_symbolizer] Cast arguments for format strings in markup (#89815)
When compiling the common sanitizer libraries, there are many warnings
about format specifiers, similar to:
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup.cpp:31:32: warning: format specifies type 'void *' but the argument has type 'uptr' (aka 'unsigned long') [-Wformat]
31 | buffer->AppendF(kFormatData, DI->start);
| ~~~~~~~~~~~ ^~~~~~~~~
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup_constants.h:33:46: note: format string is defined here
33 | constexpr const char *kFormatData = "{{{data:%p}}}";
| ^~
| %lu
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup.cpp:46:43: warning: format specifies type 'void *' but the argument has type 'uptr' (aka 'unsigned long') [-Wformat]
46 | buffer->AppendF(kFormatFrame, frame_no, address);
| ~~~~~~~~~~~~ ^~~~~~~
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup_constants.h:36:48: note: format string is defined here
36 | constexpr const char *kFormatFrame = "{{{bt:%u:%p}}}";
| ^~
| %lu
...
This is because `uptr` is dependent on the platform, and can be either
`unsigned long long`, `unsigned long`, or `unsigned int`.
To fix the warnings, cast the arguments to the expected type of the
format strings.
PR: 276104
Reported by: pstef
MFC after: 3 days
(cherry picked from commit f08bf5a3ac)
This reverts commit f300335d9a.
It turns out that the old code was correct and it was Wireshark
that was broken and indicated that the RPC's XDR was bogus.
Found during IETF bakeathon testing this week.
(cherry picked from commit 54c3aa02e9)
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D44805
(cherry picked from commit 64d6925d19)
cp: Additional sanity check.
Once we've successfully opened the file we've been asked to copy, check
that it's of the same type as FTS told us it was.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: allanjude, markj
Differential Revision: https://reviews.freebsd.org/D44806
(cherry picked from commit 9075d4cfad)
cp: Use warnc().
MFC after: 1 week
Sponsored by: Klara, Inc.
(cherry picked from commit f070188c3a)
Previously, we would only use a temporary file if explicitly asked to
with the `-S` option, and even then, only if the target file already
existed. This meant that an outside observer looking for the target
file might see a partial file, and might see the file disappear and
then reappear.
With this patch, we always use a temporary file, ensuring atomicity.
The downside is slightly increased disk usage. The upside is never
having to worry about, for instance, cron jobs randomly failing if
they happen to run simultaneously with `make installworld`.
The `-S` option is retained, partly for compatibility, and partly
to control the use of `fsync(2)`, which has a non-negligible cost
(approximately 10% increase in wall time for `make installworld`).
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: 0mp, brooks, imp, markj
Differential Revision: https://reviews.freebsd.org/D44742
(cherry picked from commit e5035d0857)
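The temporary-file-then-rename pattern described in this commit message, as an added example (not the install(1) source). `install_atomic()`, `file_size()`, the `.XXXXXX` suffix, the 0644 mode and the `/tmp` path are assumptions made for illustration; `do_fsync` stands in for what the message says `-S` controls.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Write data to a temporary file beside target, then rename(2) it into
 * place, so an observer sees either the old file or the complete new one.
 */
static int install_atomic(const char *target, const char *data, size_t len,
    int do_fsync)
{
	char tmp[PATH_MAX];
	size_t off = 0;
	ssize_t n;
	int fd;

	if (snprintf(tmp, sizeof(tmp), "%s.XXXXXX", target) >= (int)sizeof(tmp))
		return (-1);
	if ((fd = mkstemp(tmp)) == -1)		/* mode 0600, same directory */
		return (-1);
	while (off < len) {			/* cope with short writes */
		if ((n = write(fd, data + off, len - off)) == -1)
			goto fail;
		off += (size_t)n;
	}
	if ((do_fsync && fsync(fd) == -1) || fchmod(fd, 0644) == -1)
		goto fail;
	if (close(fd) == -1 || rename(tmp, target) == -1) {
		unlink(tmp);
		return (-1);
	}
	return (0);
fail:
	close(fd);
	unlink(tmp);
	return (-1);
}

static long file_size(const char *path)	/* -1 if path does not exist */
{
	struct stat sb;
	return (stat(path, &sb) == -1 ? -1 : (long)sb.st_size);
}

int main(void)
{
	const char *t = "/tmp/install_demo.txt";	/* constructed path */
	int rc = install_atomic(t, "new contents\n", 13, 1);
	printf("rc=%d size=%ld\n", rc, file_size(t));
	return (unlink(t) == -1);
}
```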
install: Simplify path construction.
There's no need to copy the path twice to split it into base and dir.
We simply call `basename()` first, then handle the two trivial cases in
which it isn't safe to call `dirname()`.
While here, add an early check that the destination is not an empty
string. This would always fail eventually, so it may as well fail
right away. Also add a test case for this shortcut.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44743
(cherry picked from commit 17dc7017d7)
install: Remove the mmap(2) option.
We already removed it from cp(1) over a year ago but never followed up
here. Do so now, for the same reasons: significant complexity for
little to no benefit.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44809
(cherry picked from commit a0439a1b82)
install: Assorted nitpickery.
* Use `errc()` instead of manually setting `errno` before calling `err()`.
* Change one warning into a fatal error.
* Drop some unnecessary casts.
* `strlcat()` bounds checks were off-by-one. This does not matter in
practice because the subsequent code renders an overrun harmless.
* We were passing `SSIZE_MAX` to `copy_file_range()` instead of the
requested size. This only matters if we're asked to install a file
which is still being written to while we are copying it.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44810
(cherry picked from commit 000a533e6d)
The MNT_IGNORE flag can be used to mark certain filesystem mounts so
that utilities such as df(1) and mount(8) can filter out those mounts by
default. This can be used, for instance, to reduce the noise from
running container workloads inside jails which often have at least three
and sometimes as many as ten mounts per container.
The flag is supplied by the nmount(2) system call and is recorded so
that it can be reported by statfs(2). Unfortunately several filesystems
override the default behaviour and mask out the flag, defeating its
purpose. This change preserves the MNT_IGNORE flag for those filesystems
so that it can be reported correctly.
MFC after: 1 week
(cherry picked from commit b5c4616582)
This is used by 802.3 Ethernet. (Also used by 802.4 Token Bus and
802.5 Token Ring, but we don't support those.)
This was accidentally removed along with FDDI support in commit
0437c8e3b1, presumably because comments implied it was used only by
FDDI or Token Ring.
Fixes: 0437c8e3b1 ("Remove support for FDDI networks.")
Reviewed-by: emaste
Signed-off-by: Denny Page <dennypage@me.com>
Pull-request: https://github.com/freebsd/freebsd-src/pull/1166
(cherry picked from commit fcdf9a1989)
(cherry picked from commit d776dd5fbd)
This is a smaller version of upstream
1fafd968b48e5cea6c85f126d77071a8de707a55 to address the
issue of less not being able to operate on files
residing in pseudo-filesystems that advertise a zero
size value.
PR: bin/276133
(cherry picked from commit cae336280b)
In ahc_init(), qoutfifo is already assigned to effectively the same
value a couple lines up, except in the first assignment it uses the
proper definition; keep the more descriptive assignment.
ahc_targetcmd_offset() gets the offset wrong entirely; as per the
area of ahc_init() this diff also touches, targetcmds is laid out first
in the shared map and it's followed by the qoutfifo. As a result, we'd
generally be getting negative offsets here. We can't actually do a
partial sync anyways, so there was no consequence to getting this wrong.
Reviewed by: imp, mav
(cherry picked from commit b5e0cc2fa4)
One of the comments in ahc_execute_scb() notes that the CAM direction is
actually w.r.t. the initiator. As a consequence, all of our sync ops
end up being wrong because the direction is flipped from that of the
transfer. Fix it to do proper invalidation and avoid spewing random
garbage out on the SCSI bus.
Reported and tested by: HP van Braam <hp@tmm.cx>
Reviewed by: imp, mav
(cherry picked from commit 9dcf39575e)
Import upstream 6747e1628:
asn1: Use unsigned bitfields for named bitsets
Signed 1-bit bitfields are undefined in C.
This should fix the following warnings, which for unknown reasons are
errors in CI:
/usr/src/crypto/heimdal/lib/hx509/ca.c:1020:22: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1020 | ku.digitalSignature = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1021:21: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1021 | ku.keyEncipherment = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1028:17: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1028 | ku.keyCertSign = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1029:13: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1029 | ku.cRLSign = 1;
| ^ ~
PR: 276960
Fixes: 1b74875929
MFC after: 1 week
(cherry picked from commit 219b6e4423)
Import upstream 19d378f44:
ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
on whether the constraint ranges include numbers that cannot be
represented in 32-bit ints and whether they include negative
numbers.
Template backend support included. check-template is now built with
--template, so we know we're testing it.
Tests included.
Also adjusts the generated files:
* asn1parse.c, asn1parse.h (not strictly necessary, but nice to have)
* der-protos.h, which needs a bunch of new prototypes. I copied these
from a der-protos.h generated by the upstream build system, which
uses a perl script for this.
* adjust printf format strings for int64_t. Upstream uses %lld for this,
but that is not portable, and leads to lots of -Werror warnings.
This should fix target-dependent differences between headers generated
by asn1_compile. For example, when cross compiling world from amd64 to
i386, the generated cms_asn1.h header has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..-1),
iv OCTET STRING,
}
while a native build on i386 has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..2147483647),
iv OCTET STRING,
}
These are _both_ wrong, since the source file, cms.asn1, has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..4294967295),
iv OCTET STRING -- exactly 8 octets
}
PR: 276960
Reviewed by: cy, emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D44814
Differential Revision: https://reviews.freebsd.org/D44815
(cherry picked from commit 1b74875929)
Clang/LLVM 17 is currently the in-tree default compiler, so use it as
the default Cirrus-CI toolchain. Clang/LLVM 18 is coming soon and needs
to be added here, but I ran into trouble with llvm18-lite package
availability so will look at that later.
Reviewed by: dim (earlier), Jose Luis Duran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D44162
(cherry picked from commit 51c6bf0478)
(cherry picked from commit adc61137fd)
On laptops with builtin batteries, disconnecting the battery may show up
as a battery without any capacity information. (The theory is that one
is disconnecting the cells but the electronics identifying the battery
are still connected.) As a result, the loop over all batteries in
acpi_battery_get_battinfo results in total_lfcap == 0.
So, just check that total_lfcap is non-zero to avoid a division by zero
(triggerable by sysctl hw.acpi.battery).
Reported by: Stefano Marinelli
Tested by: Stefano Marinelli
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D44818
(cherry picked from commit 2e850b832f)
(cherry picked from commit 788987e034)
- Point --rootdir at the installed destdir in the dvd tree. This
causes pkg to determine the ABI from the installed destdir instead
of the host's binaries. Previously the result was that packages
for the host's ABI were always downloaded, breaking cross-releases
(e.g. arm64 releases built on an amd64 host included amd64
packages on the DVD ISO image rather than arm64 packages). This
also handles version mismatches, and I tested this by cross-building
a 15.x arm64 release on a 14.x amd64 host.
- As a result, pkg now does a chdir(3) to the rootdir before running,
so the -o argument to fetch needs to be updated to be relative to
rootdir instead of the CWD as make runs.
- Add a new ROOTDIR variable to limit references to "dvd" to one
place. Ideally ROOTDIR would be an argument to this script so
that it didn't really know about the dvd layout at all.
- While here, simplify creation of symlinks by just using a longer
path to the link name instead of using 'cd' in the shell before
invoking ln(1). Also use ln -sf to create the pkg.pkg symlink
rather than rm + ln.
PR: 278273
Reported by: gatekeeper <tiago.gasiba@gmail.com>
Reviewed by: imp, delphij
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D44749
(cherry picked from commit ea2663040d)
Set WRKDIRPREFIX=/tmp/ports DISTDIR=/tmp/distfiles when building tools
needed for uploading cloudware images.
While I'm here, adjust the bsdec2-image-upload build target to match
the style used by the Azure/GCE/Vagrant Makefiles.
MFC after: 3 days
(cherry picked from commit 6c87aed39c)
Build qemu (if needed) with WRKDIRPREFIX=/tmp/ports DISTDIR=/tmp/distfiles
so that we can have a read-only /usr/ports and don't contaminate it. This
became an issue when I enabled parallel release building, since one image
might be creating its ports.txz file at the same time as we're building
qemu as a prerequisite for building another image.
MFC after: 5 days
(cherry picked from commit 6f454c211b)
As discussed in bug 278417, some ports require the F16C instruction set
to compile, but there is no way yet to detect whether the currently
chosen CPUTYPE supports this feature.
Add the feature to the MACHINE_CPU variable, for each processor that
supports it. The list of processors was extracted from clang 18's -dM
output, filtered on the __F16C__ define.
PR: 278417
Reviewed by: brooks, emaste
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D44848
(cherry picked from commit 2fd73b7126)
The main difference from older Zen variants is that this supports AVX-512.
Reviewed by: imp (previous version), emaste
Approved by: emaste
Differential Revision: https://reviews.freebsd.org/D41331
(cherry picked from commit ed3fb74e44)
This is needed for the gpiokeys driver, which needs to read input state after
receiving an interrupt for either edge.
PR: 248138
(cherry picked from commit b98558e69b)