Stable release: HardenedBSD-stable 12-STABLE v1200058.3

HardenedBSD-12-STABLE-v1200058.3 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Highlights:

MFC r343784: Avoid leaking fp references when truncating SCM_RIGHTS control messages. (0526a0cabfe1cb63e93947a4d34a050a13d97851) [CVE-2019-5596 FreeBSD-SA-19:02.fd]
MFC r343780: amd64: clear callee-preserved registers on syscall exit. (bd0cbe8cc38d2e67c3d4a9f1c6746a31aa213963 CVE-2019-5595 FreeBSD-SA-19:01.syscall]
MFC r343587: Add a simple port filter to SIFTR. (ab2d372594adbe95166adfed1d78c0a6c4dc773b)
MFC r343060: [drm] Fix off-by-one error when accessing driver-specific ioctl handlers array (c53a074639dd8b3b1cdadd80e6860b2a7ade95f7)
MFC r341472: Add ability to request listing and deleting only for dynamic states. (caad386934df5f897739c80b071dc90d8165008d)
MFC r343499: rc(8): do not stop dhclient(8) when wpa_supplicant(8) / hostapd(8) is used (0441c4fa5aa5b68927224cfc81ce354772ff10a9)
MFC r343418: pf: Fix use-after-free of counters (824b38d7e5213d4a94fefb5e0ddda41f95da6321)
MFC r343395: Fix refcounting leaks in IPv6 MLD code leading to loss of IPv6 connectivity. (69483a2f2af7c93450b276cc0a24e6561009cfda)
HBSD: Add EFIRT to the HARDENEDBSD amd64 kernel (23220bd7b1eaff08140fe4daa6d0786c7aa713e8)
HBSD: Disable cfi-icall for mount_nfs and showmount (924afb0d77fd83485b8ba9c3e0a6927585d37858)
MFC of 343449 and 343483 Update tunefs to allow '_' in label names. (3df852382237702f1c262aaad54933bdf5b2fbed)
MFC r343363, r343364: Fix an LLE lookup race. (4b6ead634deb05c2b3f0f83b8b1ba3a18708197d) [FreeBSD-EN-19:07.lle]
MFC r343089: Limit the user-controllable amount of memory the kernel allocates via IPPROTO_SCTP level socket options. (1d3e563dc53e1190bbc635ba00874e51b1548197)
MFC r342857: Avoid overfow in vtruncbuf() (5dafae63da366cedf24d91d32aa54a4b4a4a8640)
HBSD: Disable cfi-icall for NFS RPC utilities (d09bc59f69276e1b8b382f3a0ba00cfb2288833d)
MFC r343082: Implement shmat(2) flag SHM_REMAP. (58501d93bee4827fa9429db046484bf26a8ad40b)
MFC r343286: nfs: Zero the buffers exported by NFSSVC_DUMPCLIENTS and DUMPLOCKS. (0e46cd7fe5be1edad6471bc1add8fa7702596f3f)
MFC r343265: hwpmc: Plug memory disclosures from PMC_OP_{GETPMCINFO,GETCPUINFO}. (d5dd66e58281aeb5300f19095ceee3894938de43)
MFC linuxulator stack memory disclosure fixes (c69e471dfc3ef2730bde80e755b5656e7ac55e1a)
MFC r343017: Handle overflow in calculating max kmem size. (ef32d9a8bb0d37bce34588d49ca5f972475853f0)
nvdimm updates
pf updates
ipfilter updates
ipfw updates
netmap updates
net80211 updates

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:
SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-bootonly.iso) = 75661d8fc8c6508c6e27ad36c1bc18f5a6a43b95e71623d3b227b29e439b4cf835ab3525343e045e91d9db061b7926722b9342c27d6613534eff632f7b5c4567 SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-disc1.iso) = 4d368903e3edbe6ca5290b3ad3a4bf2c85455731839a55b38113283ee7e2ffbdf020c983f6d24fed7141af754e55592f5d55b2d334b108b3f3e5b5a0423c1d32 SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-memstick.img) = 8debd3c0702cb3733d6bafbff05c6d54838fa4c5be68fb0cda778cc38a2c5fcc8e85009de30d7e96fe7161c6dfb2edfbf430b76f9380829435423c7cf9e1dc69 SHA512 (HardenedBSD-12-STABLE-v1200058.3-amd64-mini-memstick.img) = 6325fa8feeea551c065e6b6009809c6048a1ed4d2ef6fe657ad1e2ed59345bb72f4fdae0950b69491725b0d46680da81b24cb539a439dc8765c9889a15977fde

CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlxaN5gACgkQgZsRom/9
GI3aOhAAtAhGQ2nlQI+bll2DSBj2gV1Ph0z3M1zeL6Wyii1JtZLroLmUHoTnkN5P
smCLgPoNXDQlkRlBTjF/UtEuguxEQfa30U3q+lEs3SBprvCK214QXS7fTazs7Im6
vNdyoqGAgGmN6HViybRHL2ZilaxYoQBdl7zimFgphlQ/Qa8p8zkBMv+mZp7wwrDn
kK/1RYlioJsw2bNEYTVTRPy/pBTDolNlkc0z2NZ21V5QObJRxLphrqaY8Yl5B7zV
W+TRDWV+dFcCjiMUxHrzkTWNBcBAlsjZo9bWXPhgxvygqfHzD7J7wbliVkEKLz8N
8nYga5KtlMUBN5IRoRtwOpVLUerfKxmbDvqzyMYR1mLGD3giVXzvGQX5jdaHSkSs
+3lEBXghVrAj0nXHq3r0XZawLi6bOwe9XDfOcSue2CblGlhOpknIvh2bY6gCF1Pt
BcfduhG1QSmL3dcCgkQkmOnqVVVKkraBdUpAZET3OhAsnD+Q/u1aW00TygLlEUh7
Msj4AxCSCqgS0xE/zzLbXwXfGV9RPbJ2LFz4zNuz54mOnUmWD5qd9Yzl2ezyG5c0
w5FWdjlxWPJmJovQEfAOuUJ5UyhjPVMnaTd9W1occNWgHwFk931NRMG/HrG13yWj
oPj2e7HcDrS5guh+m56S6HuZG8lw3nGhT6KyhxfF+TByCYLNMkg=
=C22B
-----END PGP SIGNATURE-----

Oliver Pinter (1):

Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master

Oliver Pinter + (50):

Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master
Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master

Shawn Webb (3):

HBSD: Disable cfi-icall for NFS RPC utilities
HBSD: Disable cfi-icall for mount_nfs and showmount
HBSD: Add EFIRT to the HARDENEDBSD amd64 kernel

ae (2):

MFC r341471: Reimplement how net.inet.ip.fw.dyn_keep_states works.
MFC r341472: Add ability to request listing and deleting only for dynamic states.

araujo (1):

MFC r343077:

avg (1):

MFC r342170: add support for marking interrupt handlers as suspended

avos (24):

MFC r343088: rtwn_usb(4): add new USB id for RTL8821AU
MFC r342991: net80211: provide rate validation for injected frames.
MFC r343092: rtwn(4): clear 'basic' rate bit before calculating RTS/CTS rate.
MFC r343190: net80211: drop m_pullup call from ieee80211_crypto_decap.
MFC r343244: devd.conf(5): add otus(4) into wifi-driver-regex
MFC r343249: Fix duplicate wpa_supplicant(8) / hostapd(8) startup with devd(8)
MFC r343213: net80211: resolve ioctl <-> detach race for ieee80211com structure
MFC r343341: ifconfig: drop unused macros from ifieee80211.c
MFC r343235: iwn(4): drop return code from iwn_*attach functions (they cannot fail)
MFC r343340: net80211: fix channel list construction for non-auto operating mode.
MFC r343342: net80211: turn channel mode check into assertion.
MFC r343234: run(4): add more length checks in Rx path.
MFC r343238: urtw(4): add length checks in Rx path.
MFC r343472: otus(4): fix a typo in man page (802.11 -> 802.11n)
MFC r343473: geom_uzip(4): move NULL pointer KASSERT check before it is dereferenced
MFC r343495: wlan.4: improve wording
MFC r343497: Unbreak devd.conf(5) regex after r343249
MFC r343496: pcf(4): fix parentheses in if condition
MFC r343499: rc(8): do not stop dhclient(8) when wpa_supplicant(8) / hostapd(8) is used
MFC r343518: rtwn_usb(4): add new USB id.
MFC r343502: Remove RADIUS-related files when WITHOUT_RADIUS_SUPPORT=true is set in src.conf(5)
MFC r343576: ndiscvt(8): abort if no IDs were found during conversion.
MFC r343524: rsu(4): do not ignore mgmtrate / mcastrate / ucastrate.
MFC r343541: Drop some unneeded includes from wireless USB drivers.

bapt (1):

MFC: 343546

bcr (2):

Add ZFS usage tips to freebsd-tips.
MFC r343532: A few corrections and clarifications to r343406.

brooks (7):

MFC r343162:
MFC r343305:
MFC r343366:
MFC r340242:
MFC r340129, r340195, r340198
Regen after r343596: enable ppoll in capability mode.
MFC r343587:

cy (5):

MFC r343073:
MFC r343103:
MFC r343486:
MFC r343600:
MFC r342815:

delphij (4):

MFC r342845,342846: Port NetBSD improvements:
MFC r342856: Added support for the SIOCGI2C ioctl.
MFC r343038: Use TD_IS_IDLETHREAD instead of unrolled version.
MFC r342813: Remove unneeded headers.

emaste (3):

MFC r343153: freebsd-update.8: mandoc -Tlint fixes
MFC linuxulator stack memory disclosure fixes
MFC r339960 (cem): freebsd-update: add a progress report

gallatin (2):

MFC r341095:
MFC r343430

gjb (1):

MFC r343259: Correct a typo: was -> way.

gonzo (18):

MFC r343450:
MFC r343443, r343446, r343448, r343452
MFC r343028, r343104
MFC r343009, r343109-r343110, r343128, r343232
MFC r343222-r343223, r343338
MFC r343008:
MFC r343029:
MFC r343060:
MFC r343069:
MFC r343106:
MFC r343127:
MFC r343129:
MFC r343156:
MFC r343224, r343533
MFC r343170:
MFC r343391:
MFC r343458:
MFC r343516:

hselasky (7):

MFC r343392: Fix duplicate acquiring of refcount when joining IPv6 multicast groups. This was observed by starting and stopping rpcbind(8) multiple times.
MFC r343393: Add debugging sysctl to disable incoming MLD v2 messages similar to the existing sysctl for MLD v1 messages.
MFC r343394: When detaching a network interface drain the workqueue freeing the inm's because the destructor will access the if_ioctl() callback in the ifnet pointer which is about to be freed. This prevents use-after-free.
MFC r343395: Fix refcounting leaks in IPv6 MLD code leading to loss of IPv6 connectivity.
Build fix for missing NET_EPOCH_XXX() dependencies after r343650. This patch is to be reverted when the relevant changes are MFC'ed. This is a direct commit.
MFC r343451: Add full support for PCI_ANY_ID when matching PCI IDs in the LinuxKPI.
MFC r343453: Add new USB quirk.

jah (1):

MFC r343005: Handle SIGIO for listening sockets

jhibbits (3):

MFC r342988:
MFC r341387:
MFC r342671:

jilles (1):

MFC r343105: libedit: Avoid out of bounds read in 'bind' command

kevans (2):

MFC r342903, r342911: libbe(3)/bectl(8) refactor and fix mount for deep BEs
MFC r342757: getopt_long(3): fix case of malformed long opt

kib (17):

MFC r343108: Trim whitespace at EoL, use tabs instead of spaces for indent.
MFC r343017: Handle overflow in calculating max kmem size.
MFC r343081: Trim spaces at the end of lines.
MFC r343082: Implement shmat(2) flag SHM_REMAP.
MFC r343085: Improve iflib busdma(9) KPI use.
MFC r343086: Remove unused prototype.
MFC r343087: Style(9) fixes for x86/busdma_bounce.c.
MFC r343302: Remove unused *_sysinit_flags() declarations.
MFC r339461: nvdimm(4): Fix GCC 6.4.0 build
MFC r343143: nvdimm: add a driver for the NVDIMM root device
MFC r343144: nvdimm: initialize SPA uuids statically.
MFC r343145: MI VM: Make it possible to set size of superpage at boot instead of compile time.
MFC r343146: x86 busdma: fix mis-use of bus_addr_t where vm_paddr_t is assumed.
MFC r343147: i386/PAE busdma: allow more bounce pages.
MFC r343484: Remove now redundand ifunc relocation code which should have been removed as part of r341441.
MFC r343607: Reserve a bit in the FreeBSD feature control note for marking the image as not compatible with ASLR.
MFC r343780: amd64: clear callee-preserved registers on syscall exit.

kp (7):

MFC r342989
MFC r342990
MFC r343130
MFC r343041
MFC r343295:
MFC r343297:
MFC r343418:

marius (2):

MFC: r342634
MFC: r343481

markj (12):

MFC r343117: Fix handling of rights on stdio streams.
MFC r343245: Revert r343117.
Properly commit the revert of r343205.
MFC r342864: Specify the correct option level when emulating SO_PEERCRED.
MFC r343265: hwpmc: Plug memory disclosures from PMC_OP_{GETPMCINFO,GETCPUINFO}.
MFC r343286: nfs: Zero the buffers exported by NFSSVC_DUMPCLIENTS and DUMPLOCKS.
MFC r343348: ocs_fc: Ensure that we zero-initialize memory before copying it out.
MFC r343363, r343364: Fix an LLE lookup race.
MFC r343274, r343275: Optimize RISC-V copyin(9)/copyout(9) routines.
MFC r343247: Fix cmp(1) tests for "special" mode.
MFC r343353: Correct uma_prealloc()'s use of domainset iterators after r339925.
MFC r343784: Avoid leaking fp references when truncating SCM_RIGHTS control messages.

mav (6):

MFC r342977 (by cem): amdtemp(4): Add support for Family 15h, Model >=60h
MFC r342399: Remove CAM SIM lock from NVMe SIM.
Increase MTX_POOL_SLEEP_SIZE from 128 to 1024.
MFC r342546: Add descriptions to NVMe interrupts.
MFC r342558: Switch from mutexes to atomics in GEOM_DEV I/O path.
MFC r342557, r342559: Reimplement nvd(4) detach handling.

mckusick (1):

MFC of 343449 and 343483

mw (1):

MFC r343074: Suppress excessive error prints in ENA TX hotpath

np (1):

MFC r342603: cxgbe(4): Attach to two T540 variants.

nyan (2):

MFC: r342964
MFC: r342965

pfg (3):

MFC r343023: msun: reduce diff between src/e_j0.c and src/e_j0f.c
MFC r343459: ext2fs: Add some extra consistency checks for the superblock.
MFC r342379, r342383: gai_strerror() - Update string error messages according to RFC 3493.

sef (1):

MFC r342928: Change ZFS quotas to return EINVAL when not present (matches man page).

shurd (1):

MFC r343047:

tsoome (3):

MFC r343123: loader should ignore active multi_vdev_crash_dump feature on zpool
MFC r343124:
MFC r343225: Unbreak mip64 build after r328437

tuexen (3):

MFC r342857:
MFC r342879:
MFC r343089:

vmaffione (2):

MFC r343413
MFC r343552

wulf (3):

MFC r340338: wmt(4): Add PNP record so it could be picked by devd/devmatch. Fix uhid(4) conflict with blacklisting of multitouch HID-usages in uhid(4) probe handler.
MFC r340912,r340913:
MFC r340926: