Stable release: HardenedBSD-stable 11-STABLE v1100055.3

HardenedBSD-11-STABLE-v1100055.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

  • MFC r333368: Prepare DB# handler for deferred trigger of watchpoints. (5801fdddeba7acdc937cef898a45653c6af7a131) [CVE-2018-8897, FreeBSD-SA-18:06.debugreg]
  • Turn off IBRS on suspend. (dbda57b58572831fa594ed380c7e5a9b87104694)
  • MFC r333247: Import tzdata 2018e (2beb6fbb124ec882449f77288cac650ffa862ab3)
  • MFC r333234: zfs_ioctl: avoid out-of-bound read (e7e4020489d1cdcbc338e0d6b916ec2beef71205) [FreeBSD-SA-Candidate]
  • MFC r332559: mountd: fix a crash when getgrouplist reports too many groups (e6e3f0e40308826bdaa17640f676d5ce98890a24) [FreeBSD-SA-Candidate]
  • Carefully update stack guard bytes inside __guard_setup(). (1086bca876f4a7d526450143227151e6544d2afb)
  • Correct undesirable interaction between caching of %cr4 in bhyve and invltlb_glob(). (1135b57649ecea7452dbae3245610ce03e6394df)
  • Handle Apollo Lake errata APL31. (6fd5da7f06d3412cef113820f484da4551ee8ab7)
  • Add PROC_PDEATHSIG_SET to procctl interface. (a31a7b88e5e784593cf07c3d8c39e1d68769511f)
  • Fix use of pointer after being set NULL. In NFS. (4223ca8e51c2eda332673d16f0dbf27e533a17a1)
  • Add hybrid ISO/memstick image support (47b459549c41e783f81dc1c71f5f5e1cb3454f50)
  • bnxt updates
  • clang updates
  • e1000 updates
  • hyperv updates
  • iflib updates
  • ixl updates
  • makefs updates
  • mlx5 updates
  • zfs updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-bootonly.iso) = e84a88f6909dee4155b6eb70d4471f0c07271f23d1df3c227def32e3e47d5cf78e5bd4c4150c0796ce52c79d61af0915136bf595bf598f898f777af5967e7156
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-disc1.iso) = c3ddf6e6c439b53419442f56773b39e60f75e56cd9f28b4bfccf9623f478d63c307f4851eea75df785058d30f60e981b0c5342c11e1259796a0a0b4c3af0ccd9
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-memstick.img) = 52b1597b74b6f83591ae7a2e678e4129e6ab3cfe07dfa5db8bf6748247c8137853806ea5e6dcb749540874dd35b673e19a9625d07d19d037b50f894ffea442cc
SHA512 (HardenedBSD-11-STABLE-v1100055.3-amd64-mini-memstick.img) = 69c7709b601f5287a1b7a1938d52c8681648175402bc096b5793ba1f8f253b48ca3a019f2e70ad9e32857e812147951eb42c8fb2bec40e098f4ab40d68bfa521

CHECKSUM.SHA512.asc:


Changelog:

Oliver Pinter + (38):

  • Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master


ae (3):

  • MFC r332812: Add dead_bpf_if structure, that should be used as fake bpf_if during ifnet detach.
  • MFC r332886: icmp6_reflect() sends ICMPv6 message with new IPv6 header. So, it is considered as originated by our host packet. And thus rcvif should be NULL, since it is used by ipfw(4) to determine that packet was originated from this host. Some of icmp6_reflect() consumers reuse mbuf and m_pkthdr without resetting rcvif pointer. To avoid this, always reset m_pkthdr.rcvif pointer to NULL in icmp6_reflect(). Also remove such line and comment describing this from icmp6_error(), since it no longer matters.
  • MFC r333016: Merge r1.22-1.23 from NetBSD: Don't assume M_PKTHDR is set only on the first mbuf of the chain. The check is replaced by (m1 != m), which is equivalent to the previous code: we want to modify m->m_pkthdr.len only when 'm' was not passed in m_adj().


avg (4):

  • MFC r332426: allow ZFS pool to have temporary name for duration of current import
  • MFC r332559: mountd: fix a crash when getgrouplist reports too many groups
  • MFC r332730: don't check for kdb reentry in trap_fatal(), it's impossible
  • MFC r332752: set kdb_why to "trap" when calling kdb_trap from trap_fatal


benno (15):

  • MFC r331949, r332437, r332438
  • Actually MFC r331949, r332437, r332438
  • MFC r332436, r332440
  • MFC r332082
  • MFC r332083:
  • MFC r332084
  • MFC r332085
  • MFC r314117
  • MFC r315304
  • MFC r316572
  • MFC r307927
  • MFC r316579
  • MFC r331463 (partial), r331467, r331468, r331843
  • MFC r332345, r332346, r332661, r333005
  • MFC r333007


brooks (1):

  • MFC r332997:


cperciva (1):

  • MFC r332663: Move panic-related settings from sysctl.conf to loader.conf so that they apply if an EC2 instance panics while booting.


delphij (1):

  • MFC r332877: Correct size for allocation and bzero of fdsr.


dexuan (1):

  • MFC: 332385


dim (2):

  • MFC r332414:
  • MFC r332833:


emaste (8):

  • MFC r332673: Remove mention of tools/recoverdisk, now in sbin
  • MFC r332649: lld: add a __FreeBSD_version-style identifier to version
  • pwd_mkdb: add legacy support deprecation notice
  • MFC r332090: stand: pass --no-rosegment for i386 bits when linking with lld
  • MFC r332902: pwd_mkdb: default to network (big) endian hash order
  • MFC r332849: lldb: propagate error to user if memory read fails
  • MFC r333234: zfs_ioctl: avoid out-of-bound read
  • MFC r333368: Prepare DB# handler for deferred trigger of watchpoints.


erj (3):

  • MFC r319797, r320972:
  • MFC r326571: ifconfig(8): Display extended compliance code string for SFP transceivers
  • MFC r333149: ixl(4): Update to 1.9.9-k


gjb (4):

  • MFC r332674: Increase the msdosfs partition size on arm SoC images where the current size may not be sufficiently large for development and/or testing.
  • MFC r333262, r333264:
  • Document EN-18:05, EN-18:06, SA-18:06.
  • Belatedly bump copyright year.


hselasky (4):

  • MFC r332869: Remove the "load drivers" logic from libibverbs.
  • MFC r333015: Add network device event for priority code point, PCP, changes.
  • MFC r333100: Improve fix in r304629 by allowing configuration of the behaviour through a SYSCTL instead of a compile time define.
  • MFC r333108: Define USEC_PER_MSEC and USEC_PER_SEC in the LinuxKPI.


ian (4):

  • Fix wl(4) after r332288, using the same fix applied in r332331. This driver no longer exists in head, so this is a direct commit to 11-stable.
  • MFC r331868, r332046, r332194-r332196, r332198, r332219, r332231, r332233, r332240, r332258-r332259, r332261, r332292
  • MFC r332518, r332527
  • MFC r308767 by br:


jhb (4):

  • MFC 332657: Properly do a deep copy of the ioctls capability array for fget_cap().
  • MFC 332733: Workaround fixed I/O port resources encoded as I/O port ranges in _CRS.
  • MFC 332735: Fix two off-by-one errors when allocating MSI and MSI-X interrupts.
  • MFC 332975: Document the TRAP_CAP code for SIGTRAP.


jilles (1):

  • MFC r333092: sh: Don't have [ match any [[:class:]]


jtl (8):

  • MFC r307083: Currently, when tcp_input() receives a packet on a session that matches a TCPCB, it checks (so->so_options & SO_ACCEPTCONN) to determine whether or not the socket is a listening socket. However, this causes the code to access a different cacheline. If we first check if the socket is in the LISTEN state, we can avoid accessing so->so_options when processing packets received for ESTABLISHED sessions.
  • MFC r313447: Ensure the idle thread's loop services interrupts in a timely way when using the ACPI C1/mwait sleep method.
  • MFC r314116: Fix a panic during boot caused by inadequate locking of some vt(4) driver data structures.
  • MFC r314286: Do some minimal work to better conform to the 802.3ad (LACP) standard. In particular, don't set the synchronized bit for the peer unless it truly appears to be synchronized to us. Also, don't set our own synchronized bit unless we have actually seen a remote system.
  • MFC r319214: Enforce the limit on ICMP messages before doing work to formulate the response.
  • MFC r319215: Fix two places in the ICMP6 code where we could dereference a NULL pointer in the icmp6_input() function.
  • MFC r319216: Fix an unnecessary/incorrect check in the PKTOPT_EXTHDRCPY macro.
  • MFC r331745 (by np): Fix RSS build (broken in r331309).


kevans (1):

  • MFC r332773: Fix ddb rc script


kib (16):

  • MFC r331622: Allow to specify PCP on packets not belonging to any VLAN.
  • MFC r332737: For fatal traps other than pagefaults, print raw fault error codes.
  • MFC r332970: Use IS_BSP() macro.
  • MFC r332971: Ensure that cmci_monitor() is not executed in parallel.
  • MFC r332972: Extend ap_boot_mtx scope to also cover mca_init().
  • MFC r333002: Use CPUID leaf 0x15 to get TSC frequency when the calibration is disabled.
  • MFC r332740: Add PROC_PDEATHSIG_SET to procctl interface.
  • MFC r332934: Use relaxed atomics to access the monitor line.
  • MFC r332973: Make the sysctl machdep.idle also a tunable.
  • MFC r333025: Some style and minor code improvements for idle selection.
  • MFC r333026: Handle Apollo Lake errata APL31.
  • MFC r332932: Correct undesirable interaction between caching of %cr4 in bhyve and invltlb_glob().
  • MFC r332940: Carefully update stack guard bytes inside __guard_setup().
  • MFC r333208: Style.
  • MFC r333091: Eliminate some vm object relocks in vm fault.
  • MFC r333125: Turn off IBRS on suspend.


kp (1):

  • MFC r333084:


lidl (1):

  • MFC r332671: top: fix warnings from clang/gcc


marius (2):

  • MFC: r327312, r327842, r327865
  • MFC: r330803


markj (2):

  • MFC r332658: Ensure that m and skip_m belong to the same object.
  • MFC r332364: Assert that dtrace_probe() doesn't re-enter itself.


nyan (1):

  • whitespace changes to reduce diffs from i386. still broken pc98 boot.


pfg (1):

  • MFC r332986: makefs: Use ENODATA instead of ENOMSG as a translation for missing ENOATTR.


philip (1):

  • MFC r333247: Import tzdata 2018e


ram (2):

  • MFC r332471, r332646: Check if STACK is defined before using the stack(9). Moved opts-stack.h include before all other includes.
  • MFC r332386, r332430: Updated mentors information. Added entry in the correct section.


riggs (1):

  • MFC r332861:


rmacklem (2):

  • MFC: r332790 Fix OpenDowngrade for NFSv4.1 if a client sets the OPEN_SHARE_ACCESS_WANT* bits.
  • MFC: r332813 Fix use of pointer after being set NULL.


sbruno (2):

  • MFC r333137:
  • MFC r333210


shurd (4):

  • Merge iflib changes to 11-STABLE
  • Direct commit to stable/11 to fix botched r333338
  • MFC r333253-r333254
  • MFC: r308728, r314369, r315243, r316026, r316581, r316616, r318359, r319922, r319990, r321481, r323232-323233, r323321, r323874, r323955, r324323, r324964, r325169, r325488, r325620, r326985, r326999-327001, r327003, r329335


slavash (2):

  • MFC r332003: Bump driver version number in mlx5en(4).
  • MFC r333115: libibumad/umad.c: In get_port, ignore sysctl get rate errors
