New stable version: HardenedBSD-stable 10-STABLE v46

UPDATE TO THIS RELEASE IS STRONGLY ADVISED!

This release fixes two locally exploitable security issues:
https://security.freebsd.org/advisories/FreeBSD-SA-16:19.sendmsg.asc
https://security.freebsd.org/advisories/FreeBSD-SA-16:18.atkbd.asc

Other news in this release:

Backported fixes for many smaller Coverity issues from FreeBSD.
Introduced fully enabled PIE, RELRO and BIND_NOW in the base system.

If you encounter build failures due to the PIEified base system, you can empty the /usr/obj directory
and retry the build. For more details, please consult the ${SRCTOP}/UPDATING-HardenedBSD
file.
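
One way to verify the PIE, RELRO and BIND_NOW hardening mentioned above on a built binary, as an added example (not HardenedBSD project code): it reads the ELF program headers and dynamic section directly. It handles little-endian ELF64 only; the function names and the constructed sample image are assumptions of this example.

```python
import struct

# ELF constants from the ELF specification / elf.h
ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(data: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("this example handles little-endian ELF64 only")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _p_flags, p_offset = struct.unpack_from("<IIQ", data, off)
        (p_filesz,) = struct.unpack_from("<Q", data, off + 32)
        if p_type == PT_GNU_RELRO:
            relro = True  # relocation targets are remapped read-only after startup
        elif p_type == PT_DYNAMIC:
            # Walk the 16-byte (tag, value) entries until DT_NULL.
            for d in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, d)
                if tag == 0:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    # ET_DYN is also the type of shared libraries, so "pie" is only
    # meaningful when the file is a program.
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}

def build_sample(e_type: int, relro: bool, dt_flags: int) -> bytes:
    """Constructed header-only ELF64 image used as sample input (not a real binary)."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    def phdr(p_type, offset=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, 4, offset, 0, 0, size, size, 8)
    dyn = struct.pack("<qQqQ", DT_FLAGS, dt_flags, 0, 0)  # DT_FLAGS, then DT_NULL
    return (ehdr + phdr(PT_DYNAMIC, 176, len(dyn))
            + phdr(PT_GNU_RELRO if relro else 0) + dyn)

if __name__ == "__main__":
    print(check_hardening(build_sample(ET_DYN, True, DF_BIND_NOW)))
    print(check_hardening(build_sample(2, False, 0)))
```

To inspect an installed amd64 binary, pass the file's bytes to check_hardening(); a RELRO segment without BIND_NOW is only partial RELRO, which is why "full_relro" requires both.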

https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Oliver Pinter (3):
HBSD: add build instructions after PIEified base system
HBSD: fix SETFKEY FreeBSD kernel vulnerability
HBSD: fix sockargs FreeBSD kernel heap overflow

Oliver Pinter + (8):
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master
Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master

Shawn Webb (4):
Squashed commit of the following:
HBSD: Introduce RELRO + BIND_NOW to base.
HBSD: Bump __HardenedBSD_version to 46.
HBSD: Default to HARDENEDBSD kernel in release.

asomers (2):
MFC r298072
MFC 298212

avg (6):
MFC r298472: MFV r298471: 6052 decouple lzc_create() from the implementation details
MFC r298473,298787: add invpcid, fix sahf/lahf in dtrace disassembler
MFC r298106: zfs_rezget: z_vnode can not be NULL if zp is valid
MFC r298736: ensure that initial local apic id is sane on AMD 10h systems
MFC r298737: fix up r300036
MFC r297848: l2arc: make sure that all writes honor ashift of a cache device

bapt (1):
HBSD MFC: Print the fchmodat mode in human readable fashion

cem (24):
HBSD MFC: netipsec: Fix minor style nit
HBSD MFC: Fix buffer overrun in gcore(1) NT_PRPSINFO
HBSD MFC: fsck_ffs: Don't overrun mount device buffer
HBSD MFC: ffs_bswap: Copy one UFS dinode member at a time
HBSD MFC: bsnmp: Don't overrun privkey buffer by copying wrong size
HBSD MFC: bsnmpd: Fix size of trapsink::comm to match other community arrays
HBSD MFC: whois(1): Fix potential double-close and logic mistakes
HBSD MFC: camcontrol(8): Fix trivial double-free
HBSD MFC: camcontrol(8): Fix another trivial double-free
HBSD MFC: route6d(8): Fix potential double-free
HBSD MFC: subr_vmem: Fix double-free in error case of vmem_create
HBSD MFC: libkrb5: Fix potential double-free
HBSD MFC: atf map: Fix double-free in low memory error path
HBSD MFC: nss/gethostby_test: fix broken vector iteration of gethostbyaddr h_aliases
HBSD MFC: snd_hda(4): Don't pass bogus sizeof()s to unused sysctl arg2 parameter
HBSD MFC: snd_hda(4): Don't pass bogus sizeof()s to unused sysctl arg2 parameter (again)
HBSD MFC: rtadvd(8): Fix a typo in full msg receive logic
HBSD MFC: kern_descrip_test: Fix trivial buffer overrun with readlink(2)
HBSD MFC: rpcgen(1): Tag crash() routine as __dead2 for static analyzers
HBSD MFC: print_positional_test: Fix misuse of wchar APIs
HBSD MFC: dhclient: Fix some trivial buffer overruns
HBSD MFC: rtadvd(8): Don't use-after-free
HBSD MFC: nfsd: Fix use-after-free in NFS4 lock test service
HBSD MFC: rtadvd(8): Fix use-after-close in cm_handler_client

cy (2):
MFC r298030: Use NULL instead of 0 for pointer comparison.
MFC r298031: Static pointers need not be initialized.

garga (1):
MFC r299196:

hrs (2):
HBSD MFC: Check buffer length more strictly.
HBSD MFC: Fix a bug which prevented dnssl[0-9] and rdnss[0-9] parameters from working.

jkim (3):
Detect Clang to support AVX instructions on x86 platforms. Note head (OpenSSL 1.0.2 branch) has similar changes.
- Make libcrypto.so position independent on i386. - Enable linker error when libcrypto.so contains a relocation against text. - Add "Do not modify" comment to generated source files. - Set CC environment variable for Perl scripts to enable AVX instructions. - Update __FreeBSD_version to indicate libcrypto.so is position independent.
Hide OPENSSL_cpuid_setup and OPENSSL_ia32cap_P symbols from libcrypto.so. Note this is a direct commit because it is merged from OpenSSL upstream and head (OpenSSL 1.0.2 branch) already has the same change:

kib (5):
MFC r298921: Fix reporting of NOTE_LINK when directory link count changes due to rename removing or adding subdirectory entry.
MFC r298922: Issue NOTE_EXTEND when a directory entry is added to or removed from the monitored directory as the result of rename(2) operation. The renames staying in the directory are not reported.
MFC r287831 (by cem): Note DOOMED vnodes with NOTE_REVOKE.
MFC r298982: Add EVFILT_VNODE open, read and close notifications.
MFC r299350: Add locking annotations to amd64 struct md_page members.

kp (1):
HBSD MFC: vtnet: fix panic on unload

ngie (5):
MFC r298864:
HBSD MFC: Fix theoretical buffer overflow issues in snmp_oid2asn_oid
HBSD MFC: Use the size of the destination buffer, not the source buffer.
HBSD MFC: Fix up r299764 (2d68dcc76380780cc8550fc35454c6eab1528591)
HBSD MFC: Fix up both r299764 and r299770 (93494c28bc2a361d3215e2206a976a062f5ba258)

pfg (15):
MFC r298881, 298882, 298883, 298885:
HBSD MFC: bhyve: replace uninitialized variable "offset".
HBSD MFC: bhyve: consider the bogus case of a negative bar idx.
HBSD MFC: timed(8): Use stronger random number generator.
HBSD MFC: timed(8): Use strlcpy() for bounds checking.
HBSD MFC: Undo the bogus gethostname() change from r299709.
HBSD MFC: routed: Fix use after free.
HBSD MFC: routed(8): Use arc4random.
HBSD MFC: Avoid NULL de-references.
HBSD MFC: routed(8): Avoid NULL de-reference and two possible memory leaks.
HBSD MFC: routed(8): Dereference before null check.
HBSD MFC: routed(8): Misc. cleanups to squelch Coverity.
HBSD MFC: routed(8): Use arc4random_uniform instead of arc4random.
MFC r298901: restore: promote some getfiles() parameters to size_t.
MFC r298931, r298981, r299375:

royger (1):
HBSD MFC: rtc: fix inverted resolution check

sephe (1):
MFC r298769, r299315

slm (3):
HBSD MFC: Fix possible use of invalid pointer.
MFC r299263, r299265, r299266, r299267, r299268, r299269, r299270, r299271, r299272, r299274, r299275
MFC r299276

truckman (15):
HBSD MFC: Use strlcpy() instead of strncpy() to copy the string returned by setlocale() so that static analyzers know that the string is NUL terminated. This was causing a false positive in Coverity even though the longest string returned by setlocale() is ENCODING_LEN (31) and we are copying into a 64 byte buffer. This change is also a bit of an optimization since we don't need the strncpy() feature of padding the rest of the destination buffer with NUL characters.
HBSD MFC: Use strlcpy() instead of strncpy() when copying the encoding value to ensure that the destination is NUL terminated. Length truncation of one more character should not be an issue since encoding values that long are not supported by libc. The destination string is treated as a NUL terminated string, but it is only passed to strcmp() for comparison to a set of shorter, fixed length strings, so this is not a serious problem.
HBSD MFC: Use strlcpy() instead of strncpy() when copying date and subj to ensure that these are properly NUL terminated since they are passed to printf().
HBSD MFC: Avoid Coverity NUL termination warning about strncpy() by using memcpy() instead. It's probably a bit more optimal in this case anyway. [1]
HBSD MFC: If fchdir() fails, call err() instead of warn().
HBSD MFC: Use strlcpy() instead of strncpy() to ensure that qup->fsname is NUL terminated. Don't bother checking for truncation since the subsequent quota_read() should detect that and fail.
HBSD MFC: Use strlcpy() instead of strncpy() to ensure that ret->name is NUL terminated. The source and destination buffers are the same size and the source should be NUL terminated, but be paranoid.
HBSD MFC: Use strlcpy() instead of strncpy() to ensure that qf->fsname is NUL terminated. Don't bother checking for truncation since the subsequent stat() call should detect that and fail.
HBSD MFC: Simplify some overly complex code so that both humans and Coverity have a better chance of understanding it.
HBSD MFC: Declare line[] in the outermost scope of retrieve() instead of declaring it in an inner scope and then using it via a pointer in the outer scope.
HBSD MFC: Instead of ignoring the EEXIST from link(), unconditionally unlink the target before calling link(). This should prevent links to an old copy of the file from being retained.
HBSD MFC: Always return either a dynamically allocated string or NULL from expand(). Never return the name parameter, which could be the buf[] buffer which is allocated on the stack by getdeadletter() and which would then be used after getdeadletter() has returned.
HBSD MFC: Move a call to cam_freeccb() to avoid a use after free error and a later double free.
HBSD MFC: Properly compute the size argument to pass to malloc().
HBSD MFC: Another attempt at resolving CID 1305629. The test of cmd == -1 may make Coverity think that other negative values of cmd (used as an index) are possible. Testing