authorGordon Tetlow <gordon@FreeBSD.org>2018-09-12 05:22:58 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2018-09-12 05:22:58 +0000
commit4dff4ff1a66d9546ececfcb63a627ca0cf0fc48e (patch)
tree24387715ec53262fbbe3230b9549a11e13964e32
parent3f3c94845ac8db4acec27162f6ba48120bcaf061 (diff)
Add SA-18:12, EN-18:08.
Approved by: so
Notes
Notes: svn path=/head/; revision=52250
-rw-r--r--share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc140
-rw-r--r--share/security/advisories/FreeBSD-SA-18:12.elf.asc128
-rw-r--r--share/security/patches/EN-18:08/lazyfpu-11.patch272
-rw-r--r--share/security/patches/EN-18:08/lazyfpu-11.patch.asc18
-rw-r--r--share/security/patches/SA-18:12/elf.patch35
-rw-r--r--share/security/patches/SA-18:12/elf.patch.asc18
-rw-r--r--share/xml/advisories.xml13
-rw-r--r--share/xml/notices.xml13
8 files changed, 637 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc b/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc
new file mode 100644
index 0000000000..ca345e3c67
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:08.lazyfpu Errata Notice
+ The FreeBSD Project
+
+Topic: LazyFPU remediation causes potential data corruption
+
+Category: core
+Module: kernel
+Announced: 2018-09-12
+Credits: Gleb Kurtsou
+Affects: FreeBSD 10.4-STABLE, 11.1 and later.
+Corrected: 2018-07-31 10:18:30 UTC (stable/11, 11.1-STABLE)
+ 2018-09-12 05:08:49 UTC (releng/11.2, 11.2-RELEASE-p3)
+ 2018-09-12 05:08:49 UTC (releng/11.1, 11.1-RELEASE-p14)
+ 2018-08-03 14:12:37 UTC (stable/10, 10.4-STABLE)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+Special Note: While SA-18:07.lazyfpu has been fixed in 10.4-STABLE, it has
+yet to be released for 10.4-RELEASE. As such, this EN does not apply for
+that release. Once SA-18:07.lazyfpu has been updated for 10.4-RELEASE,
+this EN will be incorporated at that time.
+
+I. Background
+
+The recent security advisory titled SA-18:07.lazyfpu resolved an issue in the
+floating point unit (FPU) state handling.
+
+II. Problem Description
+
+As a result of fixing the issue described in SA-18:07.lazyfpu, a regression
+was introduced. FPU state manipulation did not sufficiently prevent context
+switches potentially allowing partially modified FPU context to be switched
+out. Upon returning the thread to a running state, stale FPU context could
+be reloaded.
+
+III. Impact
+
+The regression could potentially cause an inconsistent FPU state, leading to
+data corruption.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:08/lazyfpu-11.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:08/lazyfpu-11.patch.asc
+# gpg --verify lazyfpu-11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r337254
+stable/11/ r336963
+releng/11.1/ r338607
+releng/11.2/ r338607
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The security advisory that introduced the regression is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:08.lazyfpu.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=+nM+
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-18:12.elf.asc b/share/security/advisories/FreeBSD-SA-18:12.elf.asc
new file mode 100644
index 0000000000..715b52eaa9
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-18:12.elf.asc
@@ -0,0 +1,128 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:12.elf Security Advisory
+ The FreeBSD Project
+
+Topic: Improper ELF header parsing
+
+Category: core
+Module: kernel
+Announced: 2018-09-12
+Credits: Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
+Affects: All supported versions of FreeBSD.
+Corrected: 2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
+ 2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
+ 2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
+ 2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
+ 2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
+CVE Name: CVE-2018-6924
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+To execute a binary the kernel must parse the ELF header to determine the
+entry point address, the program interpreter, and other parameters.
+
+II. Problem Description
+
+Insufficient validation was performed in the ELF header parser, and malformed
+or otherwise invalid ELF binaries were not rejected as they should be.
+
+III. Impact
+
+Execution of a malicious ELF binary may result in a kernel crash or may
+disclose kernel memory.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +30 "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
+# gpg --verify elf.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r338605
+releng/10.4/ r338606
+stable/11/ r338604
+releng/11.1/ r338606
+releng/11.2/ r338606
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoK9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKA+BAApeUtPHpy5mEHC8ftJ+3NZpfI8gcfuPE0dlJi6CpXq8/ruXN5Yt5X0E0l
+hlbNGqEMckfe3F81rCXLbtu0zeAnSBfAFcm9xSBa6aSRfP4GAZtKDKwilPqqT9F8
+sOrPR/mAfxWmWcfDt8ggAx6akr2Tt48t7TiBP/kA14+CzVmp/pMU/ceFDLk8JYjY
+PQzVM4fHC5xeBWtA2JjMNHnhR6XMeiDOLkgeRiRW1LhB/OwWwcb0uzVixxR34mCT
+vFm1eJteAitoVclgnI//GkzZZ6b7SZkqyqODWKVLWXaYgb8/Z6SaKAQm2TWuHPEh
+nzIpPGhnXZc+36Nn9/HYDKVn3skD1sYAnTMgPcUYZH3KfkohvFdHlnoGqkcnMwTy
+mSKkQx9ojuLfwot7tyJCbgU/6e82ed1g9EiFZXwW8x4ePClaAvrDozz0QGwlXgyY
+1jBbFp/gYznhxTetVRHo5ug5SHZgD2Ye46TCoglHX0CprhkWwpKenoCEyfyjlHXH
+uI+RPd46TlQfuK4bqURRpWvNWprXGqQ0ypFVW2JJgqLPBX0QS79gzqO++C8tRqQv
+e16mqzBGNIre/8FOCBpV/Z61NgxqeYo2ndHxc9VTMiFXK/2v3TDK9AvYZ1/xEvwC
+IRpC+qo870B5XT/ihC/KpYI4jgM2/pK/Mdez6Q4s5M6eeCBHAgw=
+=J/a5
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-18:08/lazyfpu-11.patch b/share/security/patches/EN-18:08/lazyfpu-11.patch
new file mode 100644
index 0000000000..acbbe908ad
--- /dev/null
+++ b/share/security/patches/EN-18:08/lazyfpu-11.patch
@@ -0,0 +1,272 @@
+--- sys/amd64/amd64/fpu.c.orig
++++ sys/amd64/amd64/fpu.c
+@@ -744,6 +744,7 @@
+ int max_ext_n, i, owned;
+
+ pcb = td->td_pcb;
++ critical_enter();
+ if ((pcb->pcb_flags & PCB_USERFPUINITDONE) == 0) {
+ bcopy(fpu_initialstate, get_pcb_user_save_pcb(pcb),
+ cpu_max_ext_state_size);
+@@ -750,9 +751,9 @@
+ get_pcb_user_save_pcb(pcb)->sv_env.en_cw =
+ pcb->pcb_initial_fpucw;
+ fpuuserinited(td);
++ critical_exit();
+ return (_MC_FPOWNED_PCB);
+ }
+- critical_enter();
+ if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ fpusave(get_pcb_user_save_pcb(pcb));
+ owned = _MC_FPOWNED_FPU;
+@@ -759,7 +760,6 @@
+ } else {
+ owned = _MC_FPOWNED_PCB;
+ }
+- critical_exit();
+ if (use_xsave) {
+ /*
+ * Handle partially saved state.
+@@ -779,6 +779,7 @@
+ *xstate_bv |= bit;
+ }
+ }
++ critical_exit();
+ return (owned);
+ }
+
+@@ -787,6 +788,7 @@
+ {
+ struct pcb *pcb;
+
++ CRITICAL_ASSERT(td);
+ pcb = td->td_pcb;
+ if (PCB_USER_FPU(pcb))
+ set_pcb_flags(pcb,
+@@ -845,26 +847,25 @@
+
+ addr->sv_env.en_mxcsr &= cpu_mxcsr_mask;
+ pcb = td->td_pcb;
++ error = 0;
+ critical_enter();
+ if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ error = fpusetxstate(td, xfpustate, xfpustate_size);
+- if (error != 0) {
+- critical_exit();
+- return (error);
++ if (error == 0) {
++ bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++ fpurestore(get_pcb_user_save_td(td));
++ set_pcb_flags(pcb, PCB_FPUINITDONE |
++ PCB_USERFPUINITDONE);
+ }
+- bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+- fpurestore(get_pcb_user_save_td(td));
+- critical_exit();
+- set_pcb_flags(pcb, PCB_FPUINITDONE | PCB_USERFPUINITDONE);
+ } else {
+- critical_exit();
+ error = fpusetxstate(td, xfpustate, xfpustate_size);
+- if (error != 0)
+- return (error);
+- bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+- fpuuserinited(td);
++ if (error == 0) {
++ bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++ fpuuserinited(td);
++ }
+ }
+- return (0);
++ critical_exit();
++ return (error);
+ }
+
+ /*
+@@ -1037,6 +1038,7 @@
+ ctx->flags = FPU_KERN_CTX_DUMMY | FPU_KERN_CTX_INUSE;
+ return (0);
+ }
++ critical_enter();
+ KASSERT(!PCB_USER_FPU(pcb) || pcb->pcb_save ==
+ get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
+ ctx->flags = FPU_KERN_CTX_INUSE;
+@@ -1047,6 +1049,7 @@
+ pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
+ set_pcb_flags(pcb, PCB_KERNFPU);
+ clear_pcb_flags(pcb, PCB_FPUINITDONE);
++ critical_exit();
+ return (0);
+ }
+
+@@ -1065,7 +1068,6 @@
+
+ clear_pcb_flags(pcb, PCB_FPUNOSAVE | PCB_FPUINITDONE);
+ start_emulating();
+- critical_exit();
+ } else {
+ KASSERT((ctx->flags & FPU_KERN_CTX_INUSE) != 0,
+ ("leaving not inuse ctx"));
+@@ -1079,7 +1081,6 @@
+ critical_enter();
+ if (curthread == PCPU_GET(fpcurthread))
+ fpudrop();
+- critical_exit();
+ pcb->pcb_save = ctx->prev;
+ }
+
+@@ -1096,6 +1097,7 @@
+ clear_pcb_flags(pcb, PCB_FPUINITDONE);
+ KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
+ }
++ critical_exit();
+ return (0);
+ }
+
+--- sys/amd64/amd64/machdep.c.orig
++++ sys/amd64/amd64/machdep.c
+@@ -2158,8 +2158,10 @@
+ set_fpregs(struct thread *td, struct fpreg *fpregs)
+ {
+
++ critical_enter();
+ set_fpregs_xmm(fpregs, get_pcb_user_save_td(td));
+ fpuuserinited(td);
++ critical_exit();
+ return (0);
+ }
+
+--- sys/i386/i386/machdep.c.orig
++++ sys/i386/i386/machdep.c
+@@ -3004,6 +3004,7 @@
+ set_fpregs(struct thread *td, struct fpreg *fpregs)
+ {
+
++ critical_enter();
+ if (cpu_fxsr)
+ npx_set_fpregs_xmm((struct save87 *)fpregs,
+ &get_pcb_user_save_td(td)->sv_xmm);
+@@ -3011,6 +3012,7 @@
+ bcopy(fpregs, &get_pcb_user_save_td(td)->sv_87,
+ sizeof(*fpregs));
+ npxuserinited(td);
++ critical_exit();
+ return (0);
+ }
+
+--- sys/i386/isa/npx.c.orig
++++ sys/i386/isa/npx.c
+@@ -974,14 +974,15 @@
+ return (_MC_FPOWNED_NONE);
+
+ pcb = td->td_pcb;
++ critical_enter();
+ if ((pcb->pcb_flags & PCB_NPXINITDONE) == 0) {
+ bcopy(npx_initialstate, get_pcb_user_save_pcb(pcb),
+ cpu_max_ext_state_size);
+ SET_FPU_CW(get_pcb_user_save_pcb(pcb), pcb->pcb_initial_npxcw);
+ npxuserinited(td);
++ critical_exit();
+ return (_MC_FPOWNED_PCB);
+ }
+- critical_enter();
+ if (td == PCPU_GET(fpcurthread)) {
+ fpusave(get_pcb_user_save_pcb(pcb));
+ if (!cpu_fxsr)
+@@ -995,7 +996,6 @@
+ } else {
+ owned = _MC_FPOWNED_PCB;
+ }
+- critical_exit();
+ if (use_xsave) {
+ /*
+ * Handle partially saved state.
+@@ -1018,6 +1018,7 @@
+ *xstate_bv |= bit;
+ }
+ }
++ critical_exit();
+ return (owned);
+ }
+
+@@ -1026,6 +1027,7 @@
+ {
+ struct pcb *pcb;
+
++ CRITICAL_ASSERT(td);
+ pcb = td->td_pcb;
+ if (PCB_USER_FPU(pcb))
+ pcb->pcb_flags |= PCB_NPXINITDONE;
+@@ -1083,28 +1085,26 @@
+ if (cpu_fxsr)
+ addr->sv_xmm.sv_env.en_mxcsr &= cpu_mxcsr_mask;
+ pcb = td->td_pcb;
++ error = 0;
+ critical_enter();
+ if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ error = npxsetxstate(td, xfpustate, xfpustate_size);
+- if (error != 0) {
+- critical_exit();
+- return (error);
++ if (error == 0) {
++ if (!cpu_fxsr)
++ fnclex(); /* As in npxdrop(). */
++ bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++ fpurstor(get_pcb_user_save_td(td));
++ pcb->pcb_flags |= PCB_NPXUSERINITDONE | PCB_NPXINITDONE;
+ }
+- if (!cpu_fxsr)
+- fnclex(); /* As in npxdrop(). */
+- bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+- fpurstor(get_pcb_user_save_td(td));
+- critical_exit();
+- pcb->pcb_flags |= PCB_NPXUSERINITDONE | PCB_NPXINITDONE;
+ } else {
+- critical_exit();
+ error = npxsetxstate(td, xfpustate, xfpustate_size);
+- if (error != 0)
+- return (error);
+- bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+- npxuserinited(td);
++ if (error == 0) {
++ bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++ npxuserinited(td);
++ }
+ }
+- return (0);
++ critical_exit();
++ return (error);
+ }
+
+ static void
+@@ -1373,6 +1373,7 @@
+ return (0);
+ }
+ pcb = td->td_pcb;
++ critical_enter();
+ KASSERT(!PCB_USER_FPU(pcb) || pcb->pcb_save ==
+ get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
+ ctx->flags = FPU_KERN_CTX_INUSE;
+@@ -1383,6 +1384,7 @@
+ pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
+ pcb->pcb_flags |= PCB_KERNNPX;
+ pcb->pcb_flags &= ~PCB_NPXINITDONE;
++ critical_exit();
+ return (0);
+ }
+
+@@ -1401,7 +1403,6 @@
+ critical_enter();
+ if (curthread == PCPU_GET(fpcurthread))
+ npxdrop();
+- critical_exit();
+ pcb->pcb_save = ctx->prev;
+ if (pcb->pcb_save == get_pcb_user_save_pcb(pcb)) {
+ if ((pcb->pcb_flags & PCB_NPXUSERINITDONE) != 0)
+@@ -1416,6 +1417,7 @@
+ pcb->pcb_flags &= ~PCB_NPXINITDONE;
+ KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
+ }
++ critical_exit();
+ return (0);
+ }
+
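Review bot: The added `CRITICAL_ASSERT(td);` in sys/amd64/amd64/fpu.c (inner hunk at -787) and in sys/i386/isa/npx.c (inner hunk at -1026) tests the thread passed in, whereas the `critical_enter()` calls this patch adds in callers such as set_fpregs() act on the running thread. The signatures are outside the hunks, so these are presumably fpuuserinited() and npxuserinited(), and the patch does not show whether every caller passes curthread. If one does not, the assertion checks a nesting count that the caller's critical section never touched. I would state the contract above the assertion, for example `/* Caller must hold a critical section so the save area and PCB flags change together. */`, and confirm whether `CRITICAL_ASSERT(curthread)` is what is meant. In the inner hunks that drop a branch-local `critical_exit()` in favour of the single one before `return (0);`, any return path outside the visible lines needs the same pairing checked.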
diff --git a/share/security/patches/EN-18:08/lazyfpu-11.patch.asc b/share/security/patches/EN-18:08/lazyfpu-11.patch.asc
new file mode 100644
index 0000000000..5e7b90f81f
--- /dev/null
+++ b/share/security/patches/EN-18:08/lazyfpu-11.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoMlfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJigg/+OvQriZe3uQx6A8cjJExzxVTmctmIcAfIxX992E3gKYW8PpomMsIoXnqm
+HCBB7QPKg6k1agIegg38j1zGeLY7LU1pbLQbzJAXx1vtacILx03XpgdPutiHTUty
+NhNl3S71Pk2nFik4pVC2Zqf3qQ3jsauhfItH9Z3Dgasp50/6353upvRAmALUQ/J4
+ffa/xXqcHjL3ZnNyH5oU56s9f287I89iqxz83Q2aw3jhOqoQoseeeRtg78ysWkgx
+KLgvRa2FApxq3LBrjDKmEbV9ph5qHvXzLGP5/FZUN/X0RzLmGD+J6458BHpw1tJW
+ZOu2NHNl79KLl5qsPtp44vwQwLYe33xKHRFBXbT83MmnDnN0qwxhzkKN/txZcbWB
+KEaOo/6MnpHO3YOaw9TWJdmaV/ETT3MS276rzxEXpiJYB50exlgelfTDrKW8wiMX
+WRGUgc1Mmfex0UWEQ48l0d67XpWmoQPUCLDwNks9P6qkMehlhFQZWiv4l9ZGRJp4
+6BkliNGaBBP2raMU9neMJhmd0/24AZ2vPlH2SuRvjLBCRoNA70GfvL5/9h21cQIh
+7UEs5p5spDEle7B3EzJrovMs7eTl89bHKhOx76+WHpmiXpFbFKL3eiEpVYlJYrrU
+zT2hI4B/mOAlHqqfgt9ygFJ4Zlbwh2rrQdioeCZTMEM4VpXLFz8=
+=EN9Q
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-18:12/elf.patch b/share/security/patches/SA-18:12/elf.patch
new file mode 100644
index 0000000000..bc0b808d16
--- /dev/null
+++ b/share/security/patches/SA-18:12/elf.patch
@@ -0,0 +1,35 @@
+--- sys/kern/imgact_elf.c.orig
++++ sys/kern/imgact_elf.c
+@@ -839,7 +839,8 @@
+ break;
+ case PT_INTERP:
+ /* Path to interpreter */
+- if (phdr[i].p_filesz > MAXPATHLEN) {
++ if (phdr[i].p_filesz < 2 ||
++ phdr[i].p_filesz > MAXPATHLEN) {
+ uprintf("Invalid PT_INTERP\n");
+ error = ENOEXEC;
+ goto ret;
+@@ -870,6 +871,11 @@
+ } else {
+ interp = __DECONST(char *, imgp->image_header) +
+ phdr[i].p_offset;
++ if (interp[interp_name_len - 1] != '\0') {
++ uprintf("Invalid PT_INTERP\n");
++ error = ENOEXEC;
++ goto ret;
++ }
+ }
+ break;
+ case PT_GNU_STACK:
+--- sys/kern/vfs_vnops.c.orig
++++ sys/kern/vfs_vnops.c
+@@ -528,6 +528,8 @@
+ struct vn_io_fault_args args;
+ int error, lock_flags;
+
++ if (offset < 0 && vp->v_type != VCHR)
++ return (EINVAL);
+ auio.uio_iov = &aiov;
+ auio.uio_iovcnt = 1;
+ aiov.iov_base = base;
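Review bot: The new lower bound `phdr[i].p_filesz < 2` in the PT_INTERP case carries no comment explaining the minimum, yet the later `interp[interp_name_len - 1] != '\0'` check depends on it to keep the index in range. That holds only if interp_name_len is taken from p_filesz, and the assignment is outside the visible lines. I would add `/* need at least one path byte plus the terminating NUL */` above the size check and `/* in-header interpreter path must be NUL-terminated before use */` above the terminator check. Only the `else` arm is shown, so it cannot be confirmed from this patch that the other arm guarantees termination too. In the vfs_vnops.c hunk, `offset < 0 && vp->v_type != VCHR` would also benefit from a one-line comment on why character devices are exempt from the negative-offset rejection. The enclosing functions start and end outside the hunks.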
diff --git a/share/security/patches/SA-18:12/elf.patch.asc b/share/security/patches/SA-18:12/elf.patch.asc
new file mode 100644
index 0000000000..c51067dc84
--- /dev/null
+++ b/share/security/patches/SA-18:12/elf.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoM1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cL1Yw//VW6p5rRPB6mCxSZP+svZcvOlkz6pBBoMn+Ym2t7SFNYbNuVcD8GFr7F2
+a55U0LaQ9XoePdgwC7XFTfNv4Qeya1gmHvH6el93+MFFWLJV1zryN8mS4ny6oOwP
+PGPINqsS1eOmbs52n1U0ANujj8KvyghgojsqbhhpQtsa6W40/klMmvKGmnq1So5B
+YV8X9uOp6tB8ahkG0S+EbfH7X3o8MC/Q5hlQavmh/biQP44EU/QwqC47DudSpG3m
+S5wZtz6QNwwrtRdbJeBf+HMjfxZaMO/Lw2wC3FjwfysXL14zrCEuZROGT5Qtjd+p
+LQHNrzbK4qDT5c//Tuw7KBVAeOBj2a7Sl6SCt+6wu+WZe4QCbvuE5iC/vmXzQY/7
+2oGvxDLl9yOtu49vf/EQHpo3Als6ILnpz+o2FQ3s3PsDSpjmU8YK2ADRJ2lKuAcE
++i5UAcehcC2wlVI7w7dKJicDz5+4trTpRvfBh1bEjgvk1UY/uYvkwXapUo58CFUZ
+xZyBOaSprjaSyzRCuTlgE7s36mJkNV0QkRCRHutb/qCm0CY2UKcWmG4hf/Wld99m
+Qpr7wdydVdObQhDISqvBi1EPJ0ZSHwdvg2Pbvm10leal0azEEhVm/tGm8ENgLIh3
+5795BkrH+49PoCvUCATlsZOr1qWEtTYdK2DWjj+6rWZL7BYSMdY=
+=KOL2
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 81f9b19749..c451067583 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -8,6 +8,19 @@
<name>2018</name>
<month>
+ <name>9</name>
+
+ <day>
+ <name>12</name>
+
+ <advisory>
+ <name>FreeBSD-SA-18:12.elf</name>
+ </advisory>
+
+ </day>
+ </month>
+
+ <month>
<name>8</name>
<day>
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index 13896f3f52..b891327ccf 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -8,6 +8,19 @@
<name>2018</name>
<month>
+ <name>9</name>
+
+ <day>
+ <name>12</name>
+
+ <notice>
+ <name>FreeBSD-EN-18:08.lazyfpu</name>
+ </notice>
+
+ </day>
+ </month>
+
+ <month>
<name>6</name>
<day>