Add a new 'clear driver' command for devctl along with the accompanying
ioctl and devctl_clear_driver() library routine to reset a device to
use a wildcard devclass instead of a fixed devclass. This can be used
to undo a previous 'set driver' command. After the device's name has
been reset to permit wildcard names, it is reprobed so that it can
attach to newly-available (to it) device drivers.
Sponsored by: Chelsio Communications
1) Microoptimize %p case.
2) Implememt %u for GNU compatibility.
3) Don't forget to advance buf for %w/%u.
4) Fail with incomplete week (week 0) request and no such week in the
year.
5) Fix yday formula when Sunday requested and the week started from Monday.
6) Fail with impossible yday for incomplete week (week 0) and direct %w/%u
request.
7) Shift yday/wday to the first day of the year, if incomplete week
(week 0) requested and no %w/%u used.
8) For already non-standard %z extension implement GNU compatible formats:
+hh and -hh.
9) Check for incorrect values for %z.
PR: 212983 (case 3 only)
MFC r305033,r305041,r305170:
r305033:
Minor Makefile simplifications for lib/atf/...
- Replace uses of `${.CURDIR:H:H:H}` with ${SRCTOP}
- Use built-in :H operator instead of ".." when enumerating paths.
r305041:
Filter certain compile-time options into -DATF_BUILD_*
Items filtered through are:
- Constant defines (-D)
- Include flags (-I)
- Linker flags (-L)
- Optimization level (-O)
- Warnings / linker flags (-W)
- Preprocessor options (-f)
This fixes the scenario hit by the Jenkins job where it's infecting
the build with --sysroot, etc options from the Jenkins build in the
tests.
Prefix all intermediate variables (_CFLAGS, etc) with "ATF_BUILD" [*].
Requested by: jmmv
r305170:
Don't bake all of CC/CPP/CXX into CFLAGS
Capture executable names for CC, CPP, CXX (assumed to be the
first non-CCACHE_BIN word).
This change strips out all of the cross-compiler arguments, (-target,
-B, etc), added to ${CC}, etc via ${CROSSENV} in Makefile.inc1, so it
doesn't infect the build and subsequently the test.
Add comments noting why this logic is being added, and why the logic in
r305041 was necessary/what it was trying to achieve.
This is required after recent changes made to the toolchain to always
specify --sysroot, -target, -B, etc with clang in buildworld (presumably
r304681).
Sync libarchive with vendor
Vendor issues fixed:
PR #777: Multiple bugfixes for setup_acls()
This includes a bugfix for a bug that caused ACLs not to be read properly
for files and directories inside subdirectories and as a result not being
stored or being incorrectly stored in tar archives.
Fix array size issue when using the pre-scaling feature for
ISOCHRONOUS USB transfers. Make sure enough length and buffer pointers
are allocated when setting up the libusb transfer structure to support
the maximum number of frames the kernel can handle.
misc replacements of comma with semicolon when pertinent.
Uses of commas instead of a semicolons can easily go undetected. The comma
can serve as a statement separator but this shouldn't be abused when
statements are meant to be standalone.
libc/rpc: replace comma with semicolon when pertinent.
Uses of commas instead of a semicolons can easily go undetected. The comma
can serve as a statement separator but this shouldn't be abused when
statements are meant to be standalone.
1) Fix errors handling.
2) Prevent out of bounds access to ws[-1] (passed buffer) which happens
when the first mb sequence is incomplete and there are not enougn chars in
the read buffer. ws[-1] may lead to memory faults or false results, in
case the memory here contains '\n'.
3) Fix n == 1 case. Here should be no physical read (fill buffer) attempt
(we read n - 1 chars with the room for NUL, see fgets()),
and no NULL return.
In existing implementations including FreeBSD, there is no reason to use
readdir_r() in the common case where potentially multiple threads each list
their own directory. Code using readdir() is simpler.
What's more, although readdir_r() can safely be used on FreeBSD because
NAME_MAX is forced to 255, it cannot be used safely on systems where
{NAME_MAX} is not fixed. As a concrete example, FAT/NTFS filenames can be up
to 255 UTF-16 code units long, which can be up to 765 UTF-8 bytes.
Deprecating readdir_r() in POSIX has been proposed in
http://www.austingroupbugs.net/view.php?id=696
and glibc wants to deprecate it as well.
fgetwc(3) may set both __SEOF and __SERR at once (in case of incomplete
sequence near EOF), so we can't just check for
(wc == WEOF && !__sfeof(fp)) and must relay on __sferror(fp) with
__SERR clearing/restoring.
'addrlen' does not matter when we need to find the first non-zero bit in
the byte from the left and 'addrlen' already counted in 'lim'.
PR: 212121
Submitted by: Herbie.Robinson@stratus.com
Do not obliterate errno value in the main thread during ptrace(2) call on x86.
MFC r304931:
Follow ABI when calling __error from the ptrace(2) wrapper.
MFC r305012:
Rewrite ptrace(2) wrappers in C.
MFC r305022:
Restore the requirement of setting errno to zero before calling ptrace(2).
MFC r304033:
Increase timeout from 10 minutes to 20 minutes for all tests
On particular slow networks, it can (on average) take longer to
resolve hosts to IP* addresses. 20 minutes seemed reasonable for
my work network
This will be solved in a more meaningful way (if possible) using
concurrency in the near future
Sync libarchive with vendor including security fixes
Vendor issues fixed:
Issue #731: Reject tar entries >= INT64_MAX
Issue #744: Very long pathnames evade symlink checks
Issue #748: libarchive can compress, but cannot decompress zip some files
PR #750: ustar: fix out of bounds read on empty string ("") filename
PR #755: fix use of acl_get_flagset_np() on FreeBSD
Issue #767: Buffer overflow printing a filename
Issue #770: Zip read: be more careful about extra_length
MFC r304874:
Temporarily disable two libarchive tests that have not yet been fixed by
vendor. Tests will be re-enabled after a fix has been merged.
The formal behavior of qsort is unstable with regard to objects that
are equal. Unfortunately, RFC 3484 requires that otherwise equal objects
remain in the order supplied by the DNS server. The present code attempts
to deal with this by returning -1 for objects that are equal (i.e.,
returns that the first parameter is less then the second parameter).
Unfortunately, the qsort API does not state that the first parameter
passed in is in any particular position in the list.
PR: 212122
Submitted by: Herbie.Robinson@stratus.com
MFC r304034:
Initialize `ai` to NULL and test for `ai` with type-appropriate values
Depending on the address family and ai_flags containing AI_V4MAPPED,
it might not do a proper DNS lookup on the provided DNS address
Convert some `ai` boolean true/false checks to NULL/non-NULL while here.
PR: 211790
1) Don't forget to set __SERR on __slbexpand() error.
2) Remove "Fast path" from fgetwc()/fputwc() since it can't detect
encoding errors and ignores them all.
One of affected encoding example: US-ASCII
3) Original fgetln() from 44lite return success for line tail errors,
i.e. partial line, but set __SERR and errno in the same time, which
is inconsistent.
Now both OpenBSD and NetBSD return failure, i.e. no line and set error
indicators for such case, so make our fgetln() and fgetwln()
(as its wide version) compatible with the rest of *BSD.
PR: 212033
Don't check for __SERR which may stick from one of any previous stdio
functions.
__SERR is for user and the rest of stdio code do not check it
for error sensing internally, only set it.
In vf(w)printf.c here it is more easy to save __SERR, clear and restore it.
1) _locale.h
LC_*_MASK bit shifting order was partially broken from the initial commit
time at year 2012. Only LC_COLLATE_MASK and LC_CTYPE_MASK are in the
right order.
The order here should match XLC_* from "xlocale_private.h" which, in turn,
match LC_* publicly visible order from <locale.h> which determines how
locale components are stored in the structure.
LC_*_MASK -> XLC_* translation done as "ffs(mask) - 1" in the querylocale()
and equivalent shift loop in the newlocale(), so mapped to some wrong
components (excluding two mentioned above).
Formally the fix is ABI breakage, but old code using those masks
never works properly in any case.
Only newlocale() and querylocale() are affected.
2) msgcat.c
Use current locale (f.e. set by thread). It was global locale always
previously.
PR: 211743
getln: We cannot expand the buffer beyond INT_MAX (_size overflows).
In such cases return ENOMEM. This is a limitation of our
implementation, alternatively you may consider getline(3).
Differential Revision: https://reviews.freebsd.org/D442 (Partial)
Obtained from: Apple Inc. (Libc 997.90.3)
- Avoid double use of "request" in a single sentence. Instead, describe
aio_sigevent as being used to request notification of the associated
operation's completion. This matches the language used to describe
aio_sigevent in aio(4).
- Simplify the prohibition on modifying buffers while requests are in
flight.
- Fix case mismatch.
- Drop note about not using stack variables. C programmers should be able
to figure out if a stack variable is safe based on the later warning
about the life cycle requirements of control blocks.
- Remove prohibition on modifying the I/O buffer for aio_fsync() since
it does not use an I/O buffer. For aio_mlock(), prohibit modifications
to the mapping (e.g. due to mprotect, munmap, mmap, etc.) but do not
prohibit modifications to the memory backing the buffer (stores into
the pages backing the buffer).
- src.opts.mk should be bsd.own.mk on ^/stable/10
- LIBADD should be DPADD/LDADD on ^/stable/10
Pointyhat to: kib
Reported by: Olivier Pinter <oliver.pinter@hardenedbsd.org>
Sponsored by: EMC / Isilon Storage Division
First, PL_FLAG_FORKED events now also set a PL_FLAG_VFORKED flag when
the new child was created via vfork() rather than fork(). Second, a
new PL_FLAG_VFORK_DONE event can now be enabled via the PTRACE_VFORK
event mask. This new stop is reported after the vfork parent resumes
due to the child calling exit or exec. Debuggers can use this stop to
reinsert breakpoints in the vfork parent process before it resumes.
r303088,r303142,r303208,r303210,r303530,r303536,r303564,r303565,
r303706
In short:
1) All situations with glob(3) error return codes are well defined by
POSIX, so rewrite old sporadic errors processing to match those
definitions.
Including subcases:
Both C99 and POSIX directly prohibits any standard function to set errno
to 0. Breaking this rule in 2001 NetBSD hack was imported which attempts
to workaround very limited glob(3) return codes amount.
Use POSIX-compatible workaround now with E2BIG which can't comes from
other functions used instead of prohibited 0.
Process errors happpens in (*readdirfunc)() too, as POSIX requires.
Per POSIX GLOB_NOCHECK should return original pattern,
unmodified, if no matches found. But our code strips all '\'
returning it. Rewrite the code to allow to return original pattern.
GLOB_ERR and gl_errfunc are supposed to work only for real directories
per POSIX, so don't act on missing or plain files for ENOENT or ENOTDIR
(as TODO in the code suggested).
Remove the hack in the manpage describing how to skip ENOENT and ENOTDIR
in gl_errfunc, it is unneeded now.
Per POSIX GLOB_ERR must be considered even if gl_errfunc is not set,
old code skips it in that case.
2) For near MAXPATHLEN long pathes old glob(3) code can operate on
truncated results, prevent it in several places.
3) Results was not sorted according to collate as POSIX requires.
4) globtilde() forget to convert expanded user home dir from multibyte to
wide chars. Moreover, those chars are addded as not protected, so
can be treated as special chars.
5) Backward hack for EILSEQ in g_Ctoc() was not implemented, so all
pathes with illegal byte sequences are skipped as result, implement it now.
6) GLOB_BRACE was somehow broken. First it repeatedly calls glob0() in
globexp1() recursive calls, but glob0() was not supposed to be called
repeatedly in the original code. It finalize results by possible adding
original pattern for no match case, may return GLOB_NOMATCH error and
by sorting all things. Original pattern adding or GLOB_NOMATCH error
can happens each time glob0() called repeatedly, and sorting happens
for one item only, all things are never sorted. Second, f.e. "a{a"
pattern does not match "a{a" file but match "a" file instead.
Third, some errors (f.e. for limits or overflow) can be ignored
by GLOB_BRACE code because it forces return (0).
Add non-finalizing flag to glob0() and make globexp0() wrapper around
recursively called globexp1() to finalize things like glob0() does.
Reorganize braces code to work correctly.
7) Don't allow MB_CUR_MAX * strlen overallocation hits GLOB_LIMIT_STRING
(ARG_MAX) limit, use final string length, not malloced space for it.
Add a mask of optional ptrace() events.
302900:
Add a test for user signal delivery.
This test verifies we get the correct ptrace event details when a signal
is posted to a traced process from userland.
302902:
Add a mask of optional ptrace() events.
ptrace() now stores a mask of optional events in p_ptevents. Currently
this mask is a single integer, but it can be expanded into an array of
integers in the future.
Two new ptrace requests can be used to manipulate the event mask:
PT_GET_EVENT_MASK fetches the current event mask and PT_SET_EVENT_MASK
sets the current event mask.
The current set of events include:
- PTRACE_EXEC: trace calls to execve().
- PTRACE_SCE: trace system call entries.
- PTRACE_SCX: trace syscam call exits.
- PTRACE_FORK: trace forks and auto-attach to new child processes.
- PTRACE_LWP: trace LWP events.
The S_PT_SCX and S_PT_SCE events in the procfs p_stops flags have
been replaced by PTRACE_SCE and PTRACE_SCX. PTRACE_FORK replaces
P_FOLLOW_FORK and PTRACE_LWP replaces P2_LWP_EVENTS.
The PT_FOLLOW_FORK and PT_LWP_EVENTS ptrace requests remain for
compatibility but now simply toggle corresponding flags in the
event mask.
While here, document that PT_SYSCALL, PT_TO_SCE, and PT_TO_SCX both
modify the event mask and continue the traced process.
302921:
Rename PTRACE_SYSCALL to LINUX_PTRACE_SYSCALL.
303461:
Note that not all optional ptrace events use SIGTRAP.
New child processes attached due to PTRACE_FORK use SIGSTOP instead of
SIGTRAP. All other ptrace events use SIGTRAP.
304009:
Remove description of P_FOLLOWFORK as this flag was removed.
292894:
Add ptrace(2) reporting for LWP events.
Add two new LWPINFO flags: PL_FLAG_BORN and PL_FLAG_EXITED for reporting
thread creation and destruction. Newly created threads will stop to report
PL_FLAG_BORN before returning to userland and exiting threads will stop to
report PL_FLAG_EXIT before exiting completely. Both of these events are
only enabled and reported if PT_LWP_EVENTS is enabled on a process.
292896:
Document the recently added support for ptrace(2) LWP events.
- Add a sigevent(3) manpage to give a general overview of the sigevent
structure and the available notification mechanisms.
- Document that AIO requests contain a nested sigevent structure that can
be used to request completion notification.
- Expand the sigevent details in other manuals to note details such as
the extra values stored in a queued signal's information or in a posted
kevent.
r261644 (MFC of r260553) added missing C++ typinfos to libcxxrt's
version script. It appears that a number of duplicate mangled symbols
were added due to a cut and paste error. Switch the second instances to
_ZTS*, typeinfo name for *.
Found by lld, which produces an error or warning for duplicate symbols.
Sponsored by: The FreeBSD Foundation
1) Eliminate possibility to call __*collate_range_cmp() with inclomplete
locale (which cause core dump) by removing whole 'table' argument
by which it passed.
2) Restore __collate_range_cmp() in __sccl().
3) Collating [a-z] range in regcomp() works for single byte locales only
(we can't do it for other ones). In previous state only first 256
wide chars are considered and all others are just silently dropped from the
range.
Revert r301707
getnetent_p doesn't return NULL like getnetent does. coccinelle got confused and
I didn't verify that it worked before committing the change
Pointyhat to: ngie
Fix multiple Coverity Out-of-bounds access false postive issues in CAM
The currently used idiom for clearing the part of a ccb after its
header generates one or two Coverity errors for each time it is
used. All instances generate an Out-of-bounds access (ARRAY_VS_SINGLETON)
error because of the treatment of the header as a two element array,
with a pointer to the non-existent second element being passed as
the starting address to bzero(). Some instances also alsp generate
Out-of-bounds access (OVERRUN) errors, probably because the space
being cleared is larger than the sizeofstruct ccb_hdr).
In addition, this idiom is difficult for humans to understand and
it is error prone. The user has to chose the proper struct ccb_*
type (which does not appear in the surrounding code) for the sizeof()
in the length calculation. I found several instances where the
length was incorrect, which could cause either an actual out of
bounds write, or incompletely clear the ccb.
A better way is to write the code to clear the ccb itself starting
at sizeof(ccb_hdr) bytes from the start of the ccb, and calculate
the length based on the specific type of struct ccb_* being cleared
as specified by the union ccb member being used. The latter can
normally be seen in the nearby code. This is friendlier for Coverity
and other static analysis tools because they will see that the
intent is to clear the trailing part of the ccb.
Wrap all of the boilerplate code in a convenient macro that only
requires a pointer to the desired union ccb member (or a pointer
to the union ccb itself) as an argument.
Reported by: Coverity
CID: 1007578, 1008684, 1009724, 1009773, 1011304, 1011306
CID: 1011307, 1011308, 1011309, 1011310, 1011311, 1011312
CID: 1011313, 1011314, 1011315, 1011316, 1011317, 1011318
CID: 1011319, 1011320, 1011321, 1011322, 1011324, 1011325
CID: 1011326, 1011327, 1011328, 1011329, 1011330, 1011374
CID: 1011390, 1011391, 1011392, 1011393, 1011394, 1011395
CID: 1011396, 1011397, 1011398, 1011399, 1011400, 1011401
CID: 1011402, 1011403, 1011404, 1011405, 1011406, 1011408
CID: 1011409, 1011410, 1011411, 1011412, 1011413, 1011414
CID: 1017461, 1018387, 1086860, 1086874, 1194257, 1229897
CID: 1229968, 1306229, 1306234, 1331282, 1331283, 1331294
CID: 1331295, 1331535, 1331536, 1331539, 1331540, 1341623
CID: 1341624, 1341637, 1341638, 1355264, 1355324
Reviewed by: scottl, ken, delphij, imp
MFH: 1 month
Differential Revision: https://reviews.freebsd.org/D6496
Update libarchive to 3.2.1 (bugfix and security fix release)
List of vendor fixes:
- fix exploitable heap overflow vulnerability in Rar decompression
(vendor issue 719, CVE-2016-4302, TALOS-2016-0154)
- fix exploitable stack based buffer overflow vulnebarility in mtree
parse_device functionality (vendor PR 715, CVE-2016-4301, TALOS-2016-0153)
- fix exploitable heap overflow vulnerability in 7-zip read_SubStreamsInfo
(vendor issue 718, CVE-2016-4300, TALOS-2016-152)
- fix integer overflow when computing location of volume descriptor
(vendor issue 717)
- fix buffer overflow when reading a crafred rar archive (vendor issue 521)
- fix possible buffer overflow when reading ISO9660 archives on machines
where sizeof(int) < sizeof(size_t) (vendor issue 711)
- tar and cpio should fail if an input file named on the command line is
missing (vendor issue 708)
- fix incorrect writing of gnutar filenames that are exactly 512 bytes
long (vendor issue 682)
- allow tests to be run from paths that are equal or longer than 128
characters (vendor issue 657)
- add memory allocation errors in archive_entry_xattr.c (vendor PR 603)
- remove dead code in archive_entry_xattr_add_entry() (vendor PR 716)
- fix broken decryption of ZIP files (vendor issue 553)
- manpage style, typo and description fixes
Post-3.2.1 vendor fixes:
- fix typo in cpio version reporting (Vendor PR 725, 726)
- fix argument range of ctype functions in libarchive_fe/passphrase.c
- fix ctype use and avoid empty loop bodies in WARC reader
Security: CVE-2016-4300, CVE-2016-4301, CVE-2016-4302