When vmd parses vm.conf, it's inspecting any provided disk images
to determine the disk format (raw or qcow) if left unspecified.
This is a big TOCTOU because nothing prevents these files from
changing between vmd startup and vm launch.
This change defers detection to vm launch time and tracks the disk
format as an enum instead of an int to make things more interpretable.
ok hshoexer@
vmd sends two large structs over an ipc socket after fork+exec:
vmd_vm and virtio_dev.
Both have heap pointers from being put in TAILQs in the parent
process and both carry some used for setting up imsg event channels.
Zero all these things before send to be safe and not leak details
on the parent's address space.
Issue raised by Systopia Team.
ok hshoexer@
on a SAN DNSname constraint. This is not correct, as with
a DNSname constraint, it may exactly match or match zero or
more additional components on the front of the candidate to
match.
Spotted by Haruto Kimura <hkimura2026@gmail.com>
ok tb@ kenjiro@
APIs with in-band errors that conflate the error with a legitimate return
value are about the worst you can get. Near and dear to my heart is the API
aptly described as "gibbering eldritch horror" by beck: ASN1_INTEGER_get(3).
Adapt the wording of its RETURN VALUES to timegm() and mktime(), for which
Dec 31, 1969 at 23:59:59 will yield the error return -1 and thereby errata.
Missing docs pointed out by claudio a while back and yesterday by deraadt
ok deraadt millert
anon does not expect failures because we are short on memory. These
are synchronous operations so we're expected to wait on memory to
become available. This got broken in rev 1.178 (Back out the
pagedaemon "oom" reserve and sleeping point). Bring back the code to
allocate bounce memory using uvm_pglistalloc(9) but only use it for
the !async case (which will never be used by the pagedaemon).
This fixes random segfaults when under memory pressure and init dying
with SIGILL because it can't copy out a signal frame to the stack when
it happens to trigger such a segfault.
With deraadt@, who wrote the code to consolidate the allocation of
bounce memory.
ok deraadt@
A UTCTime represents a time between Jan 1, 1950 and Dec 31, 2049. This
includes Dec 31, 1969, 23:59:59 UTC, which translates to epoch -1 when
converted as a time_t. timegm()'s in-band error conflates this time with
its error return, so a hard error for this creates a DoS.
Instead, return an error for ASN.1 times that translate to negative time_t
and bubble up the error to reject the RPKI product as malformed. Real life
notBefore (or equivalent) are in the ongoing millennium, although strictly
speaking this is not guaranteed since Validity windows need not nest.
Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua University,
and Teatime Lab for reporting.
ok claudio job
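The conversion the commit above describes, as an added example that is not OpenBSD or rpki-client code: a broken-down UTCTime is run through timegm(3) and any negative time_t is rejected as malformed, so the 1969-12-31T23:59:59Z value that collides with timegm()'s -1 error return can no longer be mistaken for a hard error. The function name and its argument layout are assumptions made for this example.

```c
/* Added example, not OpenBSD code: a UTCTime-style broken-down time is
 * mapped to time_t, treating every negative result as malformed instead
 * of relying on timegm()'s in-band -1 error return. */
#include <string.h>
#include <time.h>

/* timegm() is not in POSIX; declare it explicitly so the example builds
 * regardless of which feature-test macros the compiler sets. */
time_t timegm(struct tm *);

/* Hypothetical helper name. Returns 1 and stores the epoch seconds in *out
 * on success, 0 if the time is invalid or would map to a negative time_t.
 * The year is the full four-digit year, mon runs 1..12, mday 1..31. */
int
asn1_tm_to_time_t(int year, int mon, int mday, int hour, int min, int sec,
    time_t *out)
{
	struct tm tm;
	time_t t;

	memset(&tm, 0, sizeof(tm));
	tm.tm_year = year - 1900;
	tm.tm_mon = mon - 1;
	tm.tm_mday = mday;
	tm.tm_hour = hour;
	tm.tm_min = min;
	tm.tm_sec = sec;

	t = timegm(&tm);
	/*
	 * -1 means both "error" and 1969-12-31T23:59:59Z. Rejecting every
	 * negative value removes that ambiguity and also throws out any
	 * pre-1970 time, which no valid RPKI product should carry.
	 */
	if (t < 0)
		return 0;
	*out = t;
	return 1;
}
```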
ie, don't allow prefixes greater than 32 or 128 bits for ipv4 and
ipv6 respectively.
found by Daniel Wade (danjwade95 at gmail dot com), who also suggested
the fix.
ok deraadt@ jmatthew@
There are two issues in pf_sourcelim_add() error path:
- stale pointers are left in pf_sourcelim_id_tree_inactive when
duplicate source limiter instance is found in pf_sourcelim_nm_tree
- overload table may leak when insertion of new source limiter instance
fails.
Both issues reported and patch submitted by:
Renaud Allard <renaud () allard ! it>
OK sashan@
It fully parses SERVICE_READY_EXT2 peer-metadata capability and fills
wmi_resource_config's tail.
It also fixes a crash/free of null, and adjusts buffer and timeouts to
match Linux to actually get full RDDM.
It uses world regulatory domain.
Plus a few small typos.
qwz now loads, but firmware crashes on scan.
OK: mglocker@
ipi_drop_fpstate() needs to check if the current fpu context matches the
expected one sent via IPI. Only after that %fprs should be cleared.
Use the same asm in ipi_drop_fpstate() as in the start of ipi_save_fpstate().
Also simplify ipi_drop_fpstate() and clearfpstate() since there is no need
to enable the FPU before clearing %fprs.
OK miod@ kettenis@ deraadt@