src

fix the bsdmakefile issues with clean

fix query

Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors. Such errors could be triggered by a malicious guest. As a result, the device model code could be tricked into operating on uninitialized I/O vectors, leading to memory corruption.

Obtained from: FreeBSD

The ggatec(8) daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows the stack of ggatec(8) to be overwritten.

Obtained from: FreeBSD

The passive mode in FTP communication allows an out-of-bounds read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for *p == '\0' one byte too late because p++ was already performed.

Obtained from: FreeBSD
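As an added illustration of the strtol/p++ off-by-one this commit describes (constructed example, not libfetch's code and not the patched source): the buggy loop shape beside a hardened parser for the six numbers of a PASV reply. The function names and the sample reply string are the example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define PASV_FIELDS 6   /* h1,h2,h3,h4,p1,p2 */

/* Buggy variant of the loop pattern described in the commit message.
 * strtol() leaves `end` at the ',' after each number, or at the
 * terminating NUL.  The for-increment `p++` then steps over that byte
 * unconditionally, so when the reply ends early the NUL is skipped and
 * the next iteration's `*p != '\0'` test reads beyond the string.
 * Returns the number of fields it consumed. */
int pasv_parse_buggy(const char *reply, long out[PASV_FIELDS])
{
    const char *p = reply;
    char *end;
    int i;

    for (i = 0; i < PASV_FIELDS && *p != '\0'; i++, p++) {
        out[i] = strtol(p, &end, 10);
        p = end;               /* ',' or NUL; the p++ above skips it either way */
    }
    return i;
}

/* Hardened variant: test for the separator (and hence for a premature
 * end) BEFORE advancing, require at least one digit per field, and
 * range-check every value.  Returns 0 on success, -1 on malformed input. */
int pasv_parse(const char *reply, unsigned char addr[4], unsigned *port)
{
    const char *p = reply;
    long v[PASV_FIELDS];
    int i;

    for (i = 0; i < PASV_FIELDS; i++) {
        char *end;

        if (!isdigit((unsigned char)*p))   /* also rejects '+', '-', ' ' and NUL */
            return -1;
        errno = 0;
        v[i] = strtol(p, &end, 10);
        if (errno != 0 || v[i] < 0 || v[i] > 255)
            return -1;
        p = end;
        if (i < PASV_FIELDS - 1) {
            if (*p != ',')                 /* premature end or junk: checked first */
                return -1;
            p++;                           /* only now step over the ',' */
        }
    }
    for (i = 0; i < 4; i++)
        addr[i] = (unsigned char)v[i];
    *port = (unsigned)((v[4] << 8) | v[5]);
    return 0;
}

int main(void)
{
    /* Constructed reply that ends after three fields, with bytes deliberately
     * placed after the NUL so the buggy parser's over-read stays inside the
     * array: it "finds" six fields where only three exist. */
    static const char truncated[] = "10,0,0\0,5,6,7";
    long out[PASV_FIELDS];
    unsigned char addr[4];
    unsigned port;

    printf("buggy parser consumed %d fields from a 3-field reply\n",
           pasv_parse_buggy(truncated, out));
    printf("hardened parser on the same reply returns %d\n",
           pasv_parse(truncated, addr, &port));
    if (pasv_parse("10,0,0,1,4,1", addr, &port) == 0)
        printf("ok: %u.%u.%u.%u port %u\n",
               addr[0], addr[1], addr[2], addr[3], port);
    return 0;
}
```

The hardened loop moves the terminator test to the point where strtol stopped, so the walk never advances past a NUL; the sentinel bytes after the NUL in the constructed reply are only there to make the over-read observable without undefined behaviour.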

attempt to improve parallel make execution.

Update Jenkinsfile

2.0.9

document libcasper change.

libcasper(3) creates service processes by forking the calling process, so they initially inherit the calling process' file descriptor table. Casper services expect the lowest 3 file descriptors, traditionally corresponding to standard input, output, and error, to be redirected to /dev/null. libcasper(3) ensures this is the case. However, it did not handle the possibility that one of them is closed, and this scenario would trigger an assertion failure during service creation, resulting in a crash.

Obtained from: FreeBSD

    • /lib/libcasper/libcasper/libcasper_impl.c: -0 / +28
    • /lib/libcasper/libcasper/libcasper_impl.h: -0 / +1
    • /lib/libcasper/libcasper/service.c: -10 / +13
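One defensive way to handle the closed-descriptor case this commit describes, as an added example that is not libcasper's code and does not claim to be how the fix was implemented: before forking a service process, point any of descriptors 0, 1 and 2 that is closed at /dev/null, so the later redirection step never meets a missing descriptor and the child never inherits a hole that the next open() would silently fill. The function name ensure_stdio_open is hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Make sure descriptors 0, 1 and 2 are open.  Any that is closed is
 * re-opened on /dev/null (read side for 0, write side for 1 and 2).
 * Returns how many had to be re-opened, or -1 if /dev/null could not be
 * opened.  Constructed example; not the libcasper(3) implementation. */
int ensure_stdio_open(void)
{
    int fd, reopened = 0;

    for (fd = 0; fd <= 2; fd++) {
        int nfd;

        /* F_GETFD is the cheapest "is this descriptor open?" probe */
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;

        /* open() returns the lowest free descriptor, which is `fd` itself
         * because 0..fd-1 are known to be open at this point; dup2() below
         * covers the case where that assumption ever fails. */
        nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        reopened++;
    }
    return reopened;
}

int main(void)
{
    close(0);                               /* simulate a caller that closed stdin */
    printf("re-opened %d descriptor(s)\n", ensure_stdio_open());
    printf("second pass re-opened %d\n", ensure_stdio_open());
    return 0;
}
```

Run this in the parent before the fork: once 0, 1 and 2 are guaranteed open, a child that opens /dev/null and dup2()s it over them can no longer hit the closed-descriptor path.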
A programming error in the Linux compatibility layer futex(2) system call might allow attackers to cause a denial of service.

Update motd

Merge branch 'stable/2.0' of github.com:MidnightBSD/src into stable/2.0

fix a bug with the patch

Update UPDATING

update MidnightBSD version to 2.0.8

libradius did not perform sufficient validation of received messages.

rad_get_attr(3) did not verify that the attribute length is valid before subtracting the length of the Type and Length fields. As a result, it could return success while also providing a bogus length of SIZE_T_MAX - 2 for the Value field.

When processing attributes to find an optional authenticator, is_valid_response() failed to verify that each attribute length is non-zero and could thus enter an infinite loop.

Obtained from: FreeBSD
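An added example of the two attribute-length checks this commit describes, written as a constructed RADIUS attribute walker rather than libradius's actual rad_get_attr()/is_valid_response() code. The function names, the sample attribute regions and the use of the RFC 2865 Type/Length/Value layout are the example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAD_ATTR_HDR 2               /* Type octet + Length octet */
#define RAD_USER_NAME 1
#define RAD_MESSAGE_AUTHENTICATOR 80

/* Validated Length of the attribute at `off`, or 0 if it is malformed.
 * RFC 2865 section 5: Length counts the two header octets, so a valid
 * Length is always >= 2.  Rejecting < 2 here is what prevents both bugs
 * in the commit message: `alen - 2` can no longer wrap to SIZE_T_MAX - 2,
 * and `off += alen` can no longer fail to advance (the infinite loop). */
static size_t rad_attr_len(const uint8_t *attrs, size_t len, size_t off)
{
    uint8_t alen;

    if (len - off < RAD_ATTR_HDR)         /* truncated header */
        return 0;
    alen = attrs[off + 1];
    if (alen < RAD_ATTR_HDR || alen > len - off)
        return 0;                         /* zero/one-byte attr, or runs past packet */
    return alen;
}

/* Find attribute `type`.  Returns 1 and sets *value/*vlen when found,
 * 0 if absent, -1 if the region is malformed.  Constructed example,
 * not libradius's rad_get_attr(). */
int rad_find_attr(const uint8_t *attrs, size_t len, uint8_t type,
                  const uint8_t **value, size_t *vlen)
{
    size_t off = 0;

    while (off < len) {
        size_t alen = rad_attr_len(attrs, len, off);

        if (alen == 0)
            return -1;
        if (attrs[off] == type) {
            *value = attrs + off + RAD_ATTR_HDR;
            *vlen = alen - RAD_ATTR_HDR;  /* safe: alen >= 2 */
            return 1;
        }
        off += alen;                      /* always advances: alen >= 2 */
    }
    return 0;
}

/* The walk a response validator would do: number of attributes, or -1
 * on the first malformed one.  Terminates on every input. */
int rad_count_attrs(const uint8_t *attrs, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        size_t alen = rad_attr_len(attrs, len, off);

        if (alen == 0)
            return -1;
        off += alen;
        n++;
    }
    return n;
}

/* Constructed attribute regions (not captured traffic). */
const uint8_t GOOD_ATTRS[] = {
    RAD_USER_NAME, 5, 'b', 'o', 'b',
    RAD_MESSAGE_AUTHENTICATOR, 18,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
};
/* Second attribute carries Length 0: a walker doing off += attrs[off+1]
 * without the check would spin here forever. */
const uint8_t ZERO_LEN_ATTRS[] = {
    RAD_USER_NAME, 5, 'b', 'o', 'b',
    RAD_MESSAGE_AUTHENTICATOR, 0, 0x00, 0x01,
};
/* Length claims 7 octets but only 5 remain in the region. */
const uint8_t TRUNCATED_ATTRS[] = { RAD_USER_NAME, 7, 'b', 'o', 'b' };

int main(void)
{
    const uint8_t *v;
    size_t vl;

    if (rad_find_attr(GOOD_ATTRS, sizeof GOOD_ATTRS, RAD_USER_NAME, &v, &vl) == 1)
        printf("User-Name: %.*s\n", (int)vl, (const char *)v);
    printf("zero-length region: %d, truncated region: %d\n",
           rad_count_attrs(ZERO_LEN_ATTRS, sizeof ZERO_LEN_ATTRS),
           rad_count_attrs(TRUNCATED_ATTRS, sizeof TRUNCATED_ATTRS));
    return 0;
}
```

Both walkers share the single validation point, so a length that is too small to cover its own header is rejected before it is ever subtracted from or added to anything; that is the property each of the two libradius fixes restores.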

fix build issues.

Update mport package manager to 2.1.0

    • /contrib/mport/libmport/bundle_read_install_pkg.c: -251 / +248
    • /contrib/mport/libmport/bundle_write.c: -13 / +12
    • /contrib/mport/libmport/create_primative.c: -224 / +222
    … 29 more files in changeset.
bump version.

Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail.

Obtained from: FreeBSD

A particular case of memory sharing is mishandled in the virtual memory system. It is possible and legal to establish a relationship where multiple descendant processes share a mapping which shadows memory of an ancestor process. In this scenario, when one process modifies memory through such a mapping, the copy-on-write logic fails to invalidate other mappings of the source page. These stale mappings may remain even after the mapped pages have been reused for another purpose.

Obtained from: FreeBSD

When a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.

A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process may be able to exploit the window during which a devfs filesystem is mounted but the jail's devfs ruleset has not been applied, to access device nodes which are ordinarily inaccessible. If the process is privileged, it may be able to escape the jail and gain full access to the system.

Obtained from: FreeBSD

bump version.

Document xen fix

Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation.

Unfortunately, when running in HVM/PVH mode, the BSD backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery.

Obtained from: FreeBSD

use sysrc instead of making potential duplicates

Fix a security issue with PAM where the rules would not be applied.

document some of the changes since 2.0.2