Stable release: HardenedBSD-stable 11-STABLE v1100049

HardenedBSD-11-STABLE-v1100049 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • fsgs base changes in kernel and in libc (43f99b9f1cc2c625779e087ba4866d7c496d5b7b, b1a7a7418e73251aad628dc4f9418e550a9fd3d7)
  • reworked vlan locking (a62278e0d2b2f8b2d860fb689490dc1b6d11eb33)
  • HBSD: Update DNSSEC root key 257 (548eb60819e04c5d06671a95f5a7082e194fb7d4)
  • HBSD MFC: Fix information leak in geli(8) integrity mode (9344d69cc4c04c6555d9684976f57e8387354cf5) [FreeBSD-SA-Candidate]
  • MFC r323278: Fix an incorrectly used conditional causing buffer overflow in readelf [CVE-2017-1000249]
  • Fix possible double releasing for SA reference in IPSec. (3bf892e2d5f50a11384e8bf9fb7c14db1bfc0d26) [FreeBSD-SA-Candidate]
  • HBSD: constify pax_elf()'s mode parameter
  • HBSD: rename PAX_NOTE_FINALIZED paxflag to PAX_NOTE_PREFER_ACL
  • HBSD: Bump __HardenedBSD_version after API change
  • HBSD: API change, swap the first and second argument of pax_elf
  • HBSD: update mirror list in bsdinstall
  • HBSD: print out the __{Hardened,Free}BSD_version and version at panic time
  • HBSD: improve logging - hide early hbsd related boot messages under bootverbose
  • MFH (r322052): Upgrade OpenSSH to 7.5p1 (7e3dcea1a1c17915cbd33fd8fcec2b5530f8d3d1)
  • MFC r322590: bpf: Fix incorrect cleanup
  • MFC r322750: Fix the regression in ipsec introduced in r275710. (4e0ff7d0a944d10581e904bc3057524ce7071e30)
  • MFC r322677: pw usermod: Properly deal with empty secondary group lists (-G '') (75c367731c924e73c5bd87ab4b974c42917990d8) [FreeBSD-EN-Candidate]
  • Merge ACPICA 20170728. (1c5a17e1a7dd5063e58cee0a717989c5ce609bdc)
  • Plug uninitialized stack variable leak in sendfile(2). (d51b637e3144fab948a4d9a7bb312a2930e3d157)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-bootonly.iso) = 3ff186518876ef188b8a5fc275001613fb91032443a4d122b2d581e09fb5af43d50c388025258c07ca493d241f35c7b5377e0487b28361490b575c5e0ed37a11
SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-disc1.iso) = 6bcfce3349e89e04baa4f4c32e51edd873edb07edb43007ec10bb3b6ebd7e153160051c9e64cb95db4ce2673b832ed6db22f772887c852a5b749bccf867ee6a8
SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-memstick.img) = 194193396409b28e8c8727b868b96dc7abd75a36d43901323b0f3c3827d615f59b9eb89467a820148de71f0b5ab7f7f80997acbaa8befb04faf92261fe6a9df9
SHA512 (HardenedBSD-11-STABLE-v1100049-amd64-mini-memstick.img) = b9145ed2bde8e473be177db9d643101d30f7d5c086828152ddea17335eb3d7025a6888ae097d8006077de92349a81c33595d2f0422d1de88c62a9abd9d3a7a71

CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlm7OZAACgkQgZsRom/9
GI3iRQ/+PxEz2r0jsddF9KNWtRx2fqita2VRfKmIqtdaXDiS//089T0rzLdJIfXL
Uc52RY28HQuD820t4oaW+gsox0/Dmbb9EzSR27YT09ez7pCNbufaHYH+3SGU2zk4
GFJHNrjHdMPfK++Y7Cqg+kFtDssT/OQmfLYc8eAKnzd3V0GlQnb4fZqJKaqt6Zhz
9+E8N1wWVIwB816IXr2UCvkyR9RQspFg/VP/JOQaQfQad/iVrhJWBzluQCmQzMf1
YankE0TvK2+IVmiLOxa0WCYoaD5Asqrizo28U199SM5YOPWe4hHKS/H8zz7BfieG
2R69zBejVSbCfDBN4S94ASimDo4HOq05ApNXlC0JwzcAUNajBXiv9ANzpyeVVkBv
WPBvDIieaKF2OQlbhVdazaO4EiMYTu5Kqqy3oz9YNXfEP/o9/n/OcB2XNLvfszlu
8/jD7f6SPeXijWzSEE3hOmJZWfQc8DzWBqp9PRyk+GtmkhAG1ldXwrjHvBWBSy+x
telrI/Tf0jvM0mNpNnvifz3CbZz1yK6Rvl/r1tZTue3bJf9ddONR+tnYw5CN0wZ/
fkayr52iDvbFhNO25fwI1W1QiyJFuJPZAewZOe9z240HXnV0mOqqxHbIsLgehlpV
hQiztHlpkUyoijTjmb05knqt8pdE8ptGyErKud2IES6mL7NSIUs=
=DnyR
-----END PGP SIGNATURE-----


Changelog:

Oliver Pinter (12):

  • HBSD: improve logging
  • HBSD: print out the __{Hardened,Free}BSD_version and version at panic time
  • HBSD: update mirror list in bsdinstall
  • Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
  • HBSD: resolve merge conflict after openssh update
  • HBSD: style a little bit the debug info at panic time
  • HBSD: API change, swap the first and second argument of pax_elf
  • HBSD: Bump __HardenedBSD_version after API change
  • HBSD: rename PAX_NOTE_FINALIZED paxflag to PAX_NOTE_PREFER_ACL
  • HBSD: constify pax_elf()'s mode parameter
  • Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
  • HBSD: fixed merge conflict in bsdinstall


Oliver Pinter + (51):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master


Shawn Webb (3):

  • HBSD: Update DNSSEC root key 257
  • Merge remote-tracking branch 'origin/freebsd/11-stable/master' into hardened/11-stable/master
  • HBSD: Resolve merge conflict


ae (4):

  • MFC r321779: Add inpcb pointer to struct ipsec_ctx_data and pass it to the pfil hook from enc_hhook().
  • MFC r322310: Add to if_enc(4) ability to capture packets via BPF after pfil processing.
  • MFC r322750: Fix the regression introduced in r275710.
  • MFC r323086: Fix possible double releasing for SA reference.


araujo (1):

  • MFC r321846:


asomers (9):

  • MFC r320269:
  • MFC r320737, r320914
  • MFC r320807:
  • MFC r320974-r320975, r321001, r321206
  • MFC r321082:
  • MFC r321332:
  • MFC r320255
  • MFC r322255:
  • MFC r322546:


benno (1):

  • MFC r322804: Correct typo in usage string.


cem (4):

  • HBSD MFC: Audit userspace geom code for leaking memory to disk
  • HBSD MFC: geom_virstor: Remove wholly unnecessary g_metadata_store copy
  • HBSD MFC: libgeom: Remove redundant and duplicated code
  • HBSD MFC: Fix information leak in geli(8) integrity mode


cy (3):

  • MFC r322749:
  • MFC r321806:
  • MFC r322073:


davidcs (4):

  • MFC r322331 Provide compile option to choose receive processing in either Ithread or Taskqueue Thread.
  • MFC r322408 Performance enhancements to reduce CPU utililization for large number of TCP connections (order of tens of thousands), with predominantly Transmits.
  • MFC 322771
  • MFC r322852 Fix qlnx_tso_check() so that every window of (ETH_TX_LSO_WINDOW_BDS_NUM - nbds_in_hdr) has atleast ETH_TX_LSO_WINDOW_MIN_LEN bytes


des (4):

  • MFH (r314527,r314576,r314601,r317998): Upgrade OpenSSH to 7.3p1.
  • MFH (r314306,r314720): Upgrade OpenSSH to 7.4p1.
  • MFH (r322052): Upgrade OpenSSH to 7.5p1.
  • MFH (r314888): silence aliasing warning in nvme.h


dim (2):

  • MFC r323001:
  • MFC r323014:


ed (1):

  • MFC r322888:


emaste (19):

  • MFC r322627: arm64: return error instead of panic in unimplemented ptrace ops
  • sys/modules: don't build bxe,qlxgbe if the user objects to sourceless ucode
  • MFC r322680: sa.4: fix spelling of 'suppresses'
  • MFC r322683: ena.4: fix spelling of 'occurred'
  • MFC r322677: pw usermod: Properly deal with empty secondary group lists (-G '')
  • MFC r322581: remove debug files in delete-old* when WITHOUT_DEBUG_FILES
  • MFC r321293: date: avoid crash on invalid time
  • MFC r308789 (glebius):
  • MFC r322798: newvers.sh: accommodate `git worktree`
  • MFC r323039: octeon_ebt3000_cf: eliminate string literal warning
  • MFC r323040: xls_ehci: eliminate string literal warning
  • MFC r323010: hv_vss.4: Fix spelling of 'responsibility'
  • MFC r323011: usb: Add external "Intenso Memory" disk quirk
  • MFC r323022: arge: correct bzero sizeof (pointed-to object, not pointer)
  • MFC r322374: bsdinstall: record DHCP config after obtaining lease
  • make-memstick.sh: use 'set -e' to abort if any step fails
  • MFC r323448: bsdinstall: Ignore error return from newaliases(1)
  • MFC r316802 (cem): bsdinstall(8): Sprinkle a snprintf to fixed size buffer
  • MFC r321226: bsdinstall: improve checksum mismatch error for snapshots


gjb (3):

  • MFC r322544: Always expand the full path to the configuration file specified with the '-c' flag.
  • MFC r322770, r322796:
  • MFC r322752: Update the tests(7) manual page to note the test suite is installed by default as of 11.0-RELEASE.


glebius (1):

  • Merge r322321:


gordon (1):

  • MFC r323278: Fix an incorrectly used conditional causing buffer overflow.


hselasky (1):

  • MFC r322810 and r322830: Add new mlx5ib(4) driver to the kernel source tree which supports Remote DMA over Converged Ethernet, RoCE, for the ConnectX-4 series of PCI express network cards.


ian (38):

  • MFC r315089: Document uiomove_frombuf(9).
  • MFC r315165:
  • MFC r315167:
  • MFC r314723: Build the dtb files for the revb1 versions of wandboard.
  • MFC r315490, r315508:
  • MFC r315530:
  • MFC r315572, r315573, r315575, r315578:
  • MFC r315574, r315576, r315577:
  • MFC r315589, r315591, r316659, r316661:
  • MFC r315692: Eliminate a "format string is not a string literal" warning.
  • MFC r316995: Add support for the Micrel KSZ8081 ethernet PHY.
  • MFC r316374, r316377:
  • MFC r316664, r316670, r316972, r316996, r317033:
  • MFC r319811, r319813:
  • MFC r319859, r319888:
  • MFC r319814, r319815, r319818:
  • MFC r319817: Add a driver for the Vitesse/Microsemi VSC8501 PHY.
  • MFC r319899: Add missing header dependencies.
  • MFC r320456:
  • MFC r320076:
  • MFC r320460, r320461, r320462, r320463:
  • MFC r320655, r321933:
  • MFC r320743:
  • MFC r320928, r320929:
  • MFC r321489:
  • MFC r321686:
  • MFC r321586:
  • MFC r321583, r321584:
  • MFC r320901-r320902, r320996-r320997, r321002, r321048, r321400, r321743, r321745
  • MFC r321876:
  • MFC r322465:
  • MFC r321708-r321712, r321721, r321726-r321727, r321746, r321751, r321791-r321792, r321795, r321798, r321821, r321823, r321826, r321828, r321841, r321934, r322025-r322026, r322282, r322431, r322473, r322475-r322479
  • MFC r321938, r322015
  • MFC r322580:
  • MFC r322373:
  • MFC r323132-r323133
  • MFC r322411:
  • MFC r323341:


jhb (4):

  • MFC 322436: Don't panic for PT_GETFPREGS.
  • MFC 322437: Reliably enable debug exceptions on all CPUs.
  • Add missing #include to fix build after r322761.
  • MFC 309775,312897: Don't delete /usr/bin/ld if it is lld.


jkim (4):

  • MFC: r322803
  • MFC: r319365, r321670
  • MFC: r321601 (emaste)
  • MFC: r316627 (kan)


ken (1):

  • MFC r322410: ------------------------------------------------------------------------ r322410 | ken | 2017-08-11 12:43:52 -0600 (Fri, 11 Aug 2017) | 16 lines


kevans (2):

  • MFC r321450: bsdgrep(1): Don't exit before processing every file
  • bsdgrep: add a primitive literal matcher to unbreak fgrep in some scenarios


kib (27):

  • MFC r322495: Add {rd,wr}{fs,gs}base C wrappers for instructions.
  • MFC r322496: Print whole machine state on double fault.
  • MFC r322667,r322706: Improve i386 #UD low-level kdtrace hook.
  • MFC r322756: Style.
  • MFC r322718: Use ANSI C declaration for trap_pfault(). Style.
  • MFC r322719: Trim excessive 'extern' and remove unused declaration.
  • MFC r322720,r322723: Simplify amd64 trap().
  • MFC r322947: Add PCI Id for MosChip MCS9900.
  • MFC r322948: Let g_access() log the actual error number.
  • MFC r322721: Allow vinvalbuf() to operate with the shared vnode lock.
  • MFC r322722: Do not drop NFS vnode lock when performing consistency checks.
  • MFC r322926: Trim excessive 'extern'.
  • MFC r322927: Use ANSI C declaration for trap_pfault(). Style.
  • MFC r322928: Remove unused code.
  • MFC r322929: Simplify i386 trap().
  • MFC r323102: Add serial comma.
  • MFC r322757, r322883: Avoid dereferencing potentially freed workitem in softdep_count_dependencies().
  • MFC r323017: Make the swap_pager_full variable static.
  • MFC r323018: Adjust interface of swapon_check_swzone() to its actual usage.
  • MFC r323024: Only make the if_ix module depend on netmap when netmap is configured.
  • MFC r323054: The nvme module should explicitly declare dependency on the cam.
  • MFC r322982: Verify that the BPB media descriptor and FAT ID match.
  • MFC r322984: Style.
  • MFC r322762, r322799, r322832, r322833: Make WRFSBASE and WRGSBASE instructions functional.
  • MFC r323217: Fix typos. Stop claiming that two children are created.
  • MFC r322913: Replace global swhash in swap pager with per-object trie to track swap blocks assigned to the object pages.
  • MFC 322763: Optimize libc to get and set TLS using the RDFSBASE and RDGSBASE instructions, if supported both by CPU and kernel.


kp (1):

  • MFC r322590: bpf: Fix incorrect cleanup


lwhsu (1):

  • MFC r322434:


marius (6):

  • MFC: r322726
  • MFC: r308643, r312427
  • MFC: r312641
  • MFC: r322986
  • - Ever since the workaround for the silicon bug of TSO4 causing MAC hangs was committed in r295133, CSUM_TSO gets always disabled by em(4) on the first invocation of em_init_locked() given that at that point no link is established, yet. In turn, this causes CSUM_TSO also to be off when em(4) is used as a parent device for vlan(4), i. e. besides IFCAP_TSO4, also IFCAP_VLAN_HWTSO effectively doesn't work.
  • MFC: 323382, MFV: r323381


markj (7):

  • MFC r322773-r322775: Fix an off-by-two in the llquantize() action parameter validation.
  • MFC r322987: Synchronize page laundering with pmap_extract_and_hold().
  • MFC r321963: Rework and simplify the ksyms implementation.
  • MFC r319934: Don't call vm_pager_page_unswapped() when writing or deleting a dirty page.
  • MFC r319933: Free the request page if an I/O error occurs while reading from swap.
  • MFC r323166: Use O_CLOEXEC when opening persistent handles in libdtrace.
  • MFC r323280: Fix indentation.


mav (11):

  • MFC r322802: Fix off-by-one error when parsing SRAT table.
  • MFC r322821: Add missing restart_queue initialization.
  • MFC r323045: Fix flags field decoding in ACPI_NFIT_CONTROL_REGION.
  • MFC r323047: Make ntb_set_ctx() always generate fake link event.
  • MFC r323046: Make ntb_transport(4) ready receive early link events.
  • MFC r322980: Fix fake interrupt when set doorbell is unmasked.
  • MFC r322981: Mask doorbells while processing them.
  • MFC r323032, r323053, r323058, r323059, r323084, r323114, r323127: Add NTB driver for PLX/Avago/Broadcom PCIe switches.
  • MFC r323074: Clear doorbell bits after masking them before processing.
  • MFC r323126: Make NTB drivers report more info via NewBus methods.
  • MFC r323128: Increase negotiation polling period from 10ms to 100ms.


mckusick (3):

  • MFC of 322179, 322463, and 322464:
  • MFC of 322200, 322201, 322271, and 322297
  • MFC of 322298 noting MFC 322806 in UPDATING


mjoras (1):

  • MFC r322548: Rework vlan(4) locking.


ngie (10):

  • MFC r321387:
  • MFC r322636:
  • MFC r322633:
  • MFC r321456,r321484,r321486:
  • MFC r321455:
  • MFC r321702,r321703:
  • MFC r321704,r321705,r321706:
  • MFC r320701:
  • MFC r321952:
  • Regenerate src.conf(5) based on recent changes to src.opts.mk, etc.


oleg (1):

  • MFC r322628: Fix BSD label partition end sector calculation.


pfg (3):

  • MFC r320578:
  • MFC r320146, r320170, 320842:
  • MFC r322925: libc: minor indent(1) cleanups.


rlibby (20):

  • MFC r303188,r303190,r303271,r303438,r303453: Warn flags for gcc 6.1
  • MFC r316397 (by bde):
  • MFC r320517:
  • MFC r320714:
  • MFC r320977:
  • MFC r321106:
  • MFC r321376:
  • MFC r321864 (by mw):
  • MFC r322329:
  • MFC r321668:
  • MFC r321669:
  • bhyve: actually call bhyve_caph_cache_catpages
  • MFC r323003,r323004:
  • MFC r303723 (by markj):
  • MFC r316119 (by ngie):
  • MFC r321284:
  • MFC r323155:
  • MFC r322940:
  • MFC r323192:
  • MFC r321483 (by ngie):


rmacklem (4):

  • MFC: r321628 Replace the checks for MNTK_UNMOUNTF with a macro that does the same thing.
  • MFC: r321675 Fix possible crash for the NFSv4.1 pNFS client.
  • MFC: r321688 Add kernel support for the NFS client forced dismount "umount -N" option.
  • MFC: r321689 Add a new "-N" option to umount(8), that does a forced dismount of an NFS mount point.


sobomax (1):

  • MFC r320048+r320301+r320277:

Uploads: