Add SA-18:12, EN-18:08.

Approved by:	so

8 files changed, 637 insertions, 0 deletions

diff --git a/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc b/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc
new file mode 100644
index 0000000000..ca345e3c67
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:08.lazyfpu                                        Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          LazyFPU remediation causes potential data corruption
+
+Category:       core
+Module:         kernel
+Announced:      2018-09-12
+Credits:        Gleb Kurtsou
+Affects:        FreeBSD 10.4-STABLE, 11.1 and later.
+Corrected:      2018-07-31 10:18:30 UTC (stable/11, 11.1-STABLE)
+                2018-09-12 05:08:49 UTC (releng/11.2, 11.2-RELEASE-p3)
+                2018-09-12 05:08:49 UTC (releng/11.1, 11.1-RELEASE-p14)
+                2018-08-03 14:12:37 UTC (stable/10, 10.4-STABLE)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+Special Note: While SA-18:07.lazyfpu has been fixed in 10.4-STABLE, it has
+yet to be released for 10.4-RELEASE.  As such, this EN does not apply for
+that release.  Once SA-18:07.lazyfpu has been updated for 10.4-RELEASE,
+this EN will be incorporated at that time.
+
+I.   Background
+
+The recent security advisory titled SA-18:07.lazyfpu resolved an issue in the
+floating point unit (FPU) state handling.
+
+II.  Problem Description
+
+As a result of fixing the issue described in SA-18:07.lazyfpu, a regression
+was introduced.  FPU state manipulation did not sufficiently prevent context
+switches potentially allowing partially modified FPU context to be switched
+out.  Upon returning the thread to a running state, stale FPU context could
+be reloaded.
+
+III. Impact
+
+The regression could potentially cause an inconsistent FPU state, leading to
+data corruption.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:08/lazyfpu-11.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:08/lazyfpu-11.patch.asc
+# gpg --verify lazyfpu-11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r337254
+stable/11/                                                        r336963
+releng/11.1/                                                      r338607
+releng/11.2/                                                      r338607
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The security advisory that introduced the regression is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:08.lazyfpu.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoL5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJovBAAl+BCwCwWy57TzqtYmYYaJlsKi461suiv2KjQWOAddFFPMgmEgRzLtmdu
+hj4Ix5xMMH1efyWGZCk0zs9bN/2bL59P5NMFTC38Fg18fVUHC3u9SYYILvh+eTeH
+s9/mkTO5nJ0LXZi3RrS4fi12Zqkiu3JuT9lcADdg8dtqRK4L0l77NZ7HD9p/mPX0
+LkLtZNTQz3Fv0LsFxwtdlljGOuJF+YYTKsC87ZHuwATDq7wTHOAmA46LVambxvxM
+JQZrzUE3kDblz1sOIbMD8uW/tQ0gG4mvA3mVkuBX0yokhl7SJ4gFltjLiOEJ+n3y
+7VkIcSN/5uZdjk2yWOoZuZojLLWmF0TnNrLYjIw5vacWvX25iIu+f6s9mavjZXTZ
+TdtHKv+IFZfaDcaZ+mzYN87e/J7nTbe6mFwUXqG1D7ptQ3m4BP68PhtzfGrbFn/z
+KXBDhaFP6MDPIMIfnP0r2HufBBlox9kcH8CKAektxVoiGAWD93+AoKVWbaR1nguQ
+9k9Feo3EeS4gFQ+Jz3MQIl57nhI2FZO2SxcFowHvIqk/diXlhNhjHOy+pwSWlVH+
+8vtVlxcmFyjJBa+59QCix6PzHUn74YxRvP0NDA0zZ5WV1MwEi8J+SWaEbZMVKwJo
+eJxWp1KTylk86vhaxzbRCrCzreHr6jf+Ljzn2HQPQ7rC3mRUdw0=
+=+nM+
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-18:12.elf.asc b/share/security/advisories/FreeBSD-SA-18:12.elf.asc
new file mode 100644
index 0000000000..715b52eaa9
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-18:12.elf.asc
@@ -0,0 +1,128 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:12.elf                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Improper ELF header parsing
+
+Category:       core
+Module:         kernel
+Announced:      2018-09-12
+Credits:        Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
+                2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
+                2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
+                2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
+                2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
+CVE Name:       CVE-2018-6924
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+To execute a binary the kernel must parse the ELF header to determine the
+entry point address, the program interpreter, and other parameters.
+
+II.  Problem Description
+
+Insufficient validation was performed in the ELF header parser, and malformed
+or otherwise invalid ELF binaries were not rejected as they should be.
+
+III. Impact
+
+Execution of a malicious ELF binary may result in a kernel crash or may
+disclose kernel memory.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot.
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +30 "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
+# gpg --verify elf.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r338605
+releng/10.4/                                                      r338606
+stable/11/                                                        r338604
+releng/11.1/                                                      r338606
+releng/11.2/                                                      r338606
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoK9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKA+BAApeUtPHpy5mEHC8ftJ+3NZpfI8gcfuPE0dlJi6CpXq8/ruXN5Yt5X0E0l
+hlbNGqEMckfe3F81rCXLbtu0zeAnSBfAFcm9xSBa6aSRfP4GAZtKDKwilPqqT9F8
+sOrPR/mAfxWmWcfDt8ggAx6akr2Tt48t7TiBP/kA14+CzVmp/pMU/ceFDLk8JYjY
+PQzVM4fHC5xeBWtA2JjMNHnhR6XMeiDOLkgeRiRW1LhB/OwWwcb0uzVixxR34mCT
+vFm1eJteAitoVclgnI//GkzZZ6b7SZkqyqODWKVLWXaYgb8/Z6SaKAQm2TWuHPEh
+nzIpPGhnXZc+36Nn9/HYDKVn3skD1sYAnTMgPcUYZH3KfkohvFdHlnoGqkcnMwTy
+mSKkQx9ojuLfwot7tyJCbgU/6e82ed1g9EiFZXwW8x4ePClaAvrDozz0QGwlXgyY
+1jBbFp/gYznhxTetVRHo5ug5SHZgD2Ye46TCoglHX0CprhkWwpKenoCEyfyjlHXH
+uI+RPd46TlQfuK4bqURRpWvNWprXGqQ0ypFVW2JJgqLPBX0QS79gzqO++C8tRqQv
+e16mqzBGNIre/8FOCBpV/Z61NgxqeYo2ndHxc9VTMiFXK/2v3TDK9AvYZ1/xEvwC
+IRpC+qo870B5XT/ihC/KpYI4jgM2/pK/Mdez6Q4s5M6eeCBHAgw=
+=J/a5
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-18:08/lazyfpu-11.patch b/share/security/patches/EN-18:08/lazyfpu-11.patch
new file mode 100644
index 0000000000..acbbe908ad
--- /dev/null
+++ b/share/security/patches/EN-18:08/lazyfpu-11.patch
@@ -0,0 +1,272 @@
+--- sys/amd64/amd64/fpu.c.orig
++++ sys/amd64/amd64/fpu.c
+@@ -744,6 +744,7 @@
+ 	int max_ext_n, i, owned;
+ 
+ 	pcb = td->td_pcb;
++	critical_enter();
+ 	if ((pcb->pcb_flags & PCB_USERFPUINITDONE) == 0) {
+ 		bcopy(fpu_initialstate, get_pcb_user_save_pcb(pcb),
+ 		    cpu_max_ext_state_size);
+@@ -750,9 +751,9 @@
+ 		get_pcb_user_save_pcb(pcb)->sv_env.en_cw =
+ 		    pcb->pcb_initial_fpucw;
+ 		fpuuserinited(td);
++		critical_exit();
+ 		return (_MC_FPOWNED_PCB);
+ 	}
+-	critical_enter();
+ 	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ 		fpusave(get_pcb_user_save_pcb(pcb));
+ 		owned = _MC_FPOWNED_FPU;
+@@ -759,7 +760,6 @@
+ 	} else {
+ 		owned = _MC_FPOWNED_PCB;
+ 	}
+-	critical_exit();
+ 	if (use_xsave) {
+ 		/*
+ 		 * Handle partially saved state.
+@@ -779,6 +779,7 @@
+ 			*xstate_bv |= bit;
+ 		}
+ 	}
++	critical_exit();
+ 	return (owned);
+ }
+ 
+@@ -787,6 +788,7 @@
+ {
+ 	struct pcb *pcb;
+ 
++	CRITICAL_ASSERT(td);
+ 	pcb = td->td_pcb;
+ 	if (PCB_USER_FPU(pcb))
+ 		set_pcb_flags(pcb,
+@@ -845,26 +847,25 @@
+ 
+ 	addr->sv_env.en_mxcsr &= cpu_mxcsr_mask;
+ 	pcb = td->td_pcb;
++	error = 0;
+ 	critical_enter();
+ 	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ 		error = fpusetxstate(td, xfpustate, xfpustate_size);
+-		if (error != 0) {
+-			critical_exit();
+-			return (error);
++		if (error == 0) {
++			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++			fpurestore(get_pcb_user_save_td(td));
++			set_pcb_flags(pcb, PCB_FPUINITDONE |
++			    PCB_USERFPUINITDONE);
+ 		}
+-		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+-		fpurestore(get_pcb_user_save_td(td));
+-		critical_exit();
+-		set_pcb_flags(pcb, PCB_FPUINITDONE | PCB_USERFPUINITDONE);
+ 	} else {
+-		critical_exit();
+ 		error = fpusetxstate(td, xfpustate, xfpustate_size);
+-		if (error != 0)
+-			return (error);
+-		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+-		fpuuserinited(td);
++		if (error == 0) {
++			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++			fpuuserinited(td);
++		}
+ 	}
+-	return (0);
++	critical_exit();
++	return (error);
+ }
+ 
+ /*
+@@ -1037,6 +1038,7 @@
+ 		ctx->flags = FPU_KERN_CTX_DUMMY | FPU_KERN_CTX_INUSE;
+ 		return (0);
+ 	}
++	critical_enter();
+ 	KASSERT(!PCB_USER_FPU(pcb) || pcb->pcb_save ==
+ 	    get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
+ 	ctx->flags = FPU_KERN_CTX_INUSE;
+@@ -1047,6 +1049,7 @@
+ 	pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
+ 	set_pcb_flags(pcb, PCB_KERNFPU);
+ 	clear_pcb_flags(pcb, PCB_FPUINITDONE);
++	critical_exit();
+ 	return (0);
+ }
+ 
+@@ -1065,7 +1068,6 @@
+ 
+ 		clear_pcb_flags(pcb,  PCB_FPUNOSAVE | PCB_FPUINITDONE);
+ 		start_emulating();
+-		critical_exit();
+ 	} else {
+ 		KASSERT((ctx->flags & FPU_KERN_CTX_INUSE) != 0,
+ 		    ("leaving not inuse ctx"));
+@@ -1079,7 +1081,6 @@
+ 		critical_enter();
+ 		if (curthread == PCPU_GET(fpcurthread))
+ 			fpudrop();
+-		critical_exit();
+ 		pcb->pcb_save = ctx->prev;
+ 	}
+ 
+@@ -1096,6 +1097,7 @@
+ 			clear_pcb_flags(pcb, PCB_FPUINITDONE);
+ 		KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
+ 	}
++	critical_exit();
+ 	return (0);
+ }
+ 
+--- sys/amd64/amd64/machdep.c.orig
++++ sys/amd64/amd64/machdep.c
+@@ -2158,8 +2158,10 @@
+ set_fpregs(struct thread *td, struct fpreg *fpregs)
+ {
+ 
++	critical_enter();
+ 	set_fpregs_xmm(fpregs, get_pcb_user_save_td(td));
+ 	fpuuserinited(td);
++	critical_exit();
+ 	return (0);
+ }
+ 
+--- sys/i386/i386/machdep.c.orig
++++ sys/i386/i386/machdep.c
+@@ -3004,6 +3004,7 @@
+ set_fpregs(struct thread *td, struct fpreg *fpregs)
+ {
+ 
++	critical_enter();
+ 	if (cpu_fxsr)
+ 		npx_set_fpregs_xmm((struct save87 *)fpregs,
+ 		    &get_pcb_user_save_td(td)->sv_xmm);
+@@ -3011,6 +3012,7 @@
+ 		bcopy(fpregs, &get_pcb_user_save_td(td)->sv_87,
+ 		    sizeof(*fpregs));
+ 	npxuserinited(td);
++	critical_exit();
+ 	return (0);
+ }
+ 
+--- sys/i386/isa/npx.c.orig
++++ sys/i386/isa/npx.c
+@@ -974,14 +974,15 @@
+ 		return (_MC_FPOWNED_NONE);
+ 
+ 	pcb = td->td_pcb;
++	critical_enter();
+ 	if ((pcb->pcb_flags & PCB_NPXINITDONE) == 0) {
+ 		bcopy(npx_initialstate, get_pcb_user_save_pcb(pcb),
+ 		    cpu_max_ext_state_size);
+ 		SET_FPU_CW(get_pcb_user_save_pcb(pcb), pcb->pcb_initial_npxcw);
+ 		npxuserinited(td);
++		critical_exit();
+ 		return (_MC_FPOWNED_PCB);
+ 	}
+-	critical_enter();
+ 	if (td == PCPU_GET(fpcurthread)) {
+ 		fpusave(get_pcb_user_save_pcb(pcb));
+ 		if (!cpu_fxsr)
+@@ -995,7 +996,6 @@
+ 	} else {
+ 		owned = _MC_FPOWNED_PCB;
+ 	}
+-	critical_exit();
+ 	if (use_xsave) {
+ 		/*
+ 		 * Handle partially saved state.
+@@ -1018,6 +1018,7 @@
+ 			*xstate_bv |= bit;
+ 		}
+ 	}
++	critical_exit();
+ 	return (owned);
+ }
+ 
+@@ -1026,6 +1027,7 @@
+ {
+ 	struct pcb *pcb;
+ 
++	CRITICAL_ASSERT(td);
+ 	pcb = td->td_pcb;
+ 	if (PCB_USER_FPU(pcb))
+ 		pcb->pcb_flags |= PCB_NPXINITDONE;
+@@ -1083,28 +1085,26 @@
+ 	if (cpu_fxsr)
+ 		addr->sv_xmm.sv_env.en_mxcsr &= cpu_mxcsr_mask;
+ 	pcb = td->td_pcb;
++	error = 0;
+ 	critical_enter();
+ 	if (td == PCPU_GET(fpcurthread) && PCB_USER_FPU(pcb)) {
+ 		error = npxsetxstate(td, xfpustate, xfpustate_size);
+-		if (error != 0) {
+-			critical_exit();
+-			return (error);
++		if (error == 0) {
++			if (!cpu_fxsr)
++				fnclex();	/* As in npxdrop(). */
++			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++			fpurstor(get_pcb_user_save_td(td));
++			pcb->pcb_flags |= PCB_NPXUSERINITDONE | PCB_NPXINITDONE;
+ 		}
+-		if (!cpu_fxsr)
+-			fnclex();	/* As in npxdrop(). */
+-		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+-		fpurstor(get_pcb_user_save_td(td));
+-		critical_exit();
+-		pcb->pcb_flags |= PCB_NPXUSERINITDONE | PCB_NPXINITDONE;
+ 	} else {
+-		critical_exit();
+ 		error = npxsetxstate(td, xfpustate, xfpustate_size);
+-		if (error != 0)
+-			return (error);
+-		bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
+-		npxuserinited(td);
++		if (error == 0) {
++			bcopy(addr, get_pcb_user_save_td(td), sizeof(*addr));
++			npxuserinited(td);
++		}
+ 	}
+-	return (0);
++	critical_exit();
++	return (error);
+ }
+ 
+ static void
+@@ -1373,6 +1373,7 @@
+ 		return (0);
+ 	}
+ 	pcb = td->td_pcb;
++	critical_enter();
+ 	KASSERT(!PCB_USER_FPU(pcb) || pcb->pcb_save ==
+ 	    get_pcb_user_save_pcb(pcb), ("mangled pcb_save"));
+ 	ctx->flags = FPU_KERN_CTX_INUSE;
+@@ -1383,6 +1384,7 @@
+ 	pcb->pcb_save = fpu_kern_ctx_savefpu(ctx);
+ 	pcb->pcb_flags |= PCB_KERNNPX;
+ 	pcb->pcb_flags &= ~PCB_NPXINITDONE;
++	critical_exit();
+ 	return (0);
+ }
+ 
+@@ -1401,7 +1403,6 @@
+ 	critical_enter();
+ 	if (curthread == PCPU_GET(fpcurthread))
+ 		npxdrop();
+-	critical_exit();
+ 	pcb->pcb_save = ctx->prev;
+ 	if (pcb->pcb_save == get_pcb_user_save_pcb(pcb)) {
+ 		if ((pcb->pcb_flags & PCB_NPXUSERINITDONE) != 0)
+@@ -1416,6 +1417,7 @@
+ 			pcb->pcb_flags &= ~PCB_NPXINITDONE;
+ 		KASSERT(!PCB_USER_FPU(pcb), ("unpaired fpu_kern_leave"));
+ 	}
++	critical_exit();
+ 	return (0);
+ }
+ 
diff --git a/share/security/patches/EN-18:08/lazyfpu-11.patch.asc b/share/security/patches/EN-18:08/lazyfpu-11.patch.asc
new file mode 100644
index 0000000000..5e7b90f81f
--- /dev/null
+++ b/share/security/patches/EN-18:08/lazyfpu-11.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoMlfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJigg/+OvQriZe3uQx6A8cjJExzxVTmctmIcAfIxX992E3gKYW8PpomMsIoXnqm
+HCBB7QPKg6k1agIegg38j1zGeLY7LU1pbLQbzJAXx1vtacILx03XpgdPutiHTUty
+NhNl3S71Pk2nFik4pVC2Zqf3qQ3jsauhfItH9Z3Dgasp50/6353upvRAmALUQ/J4
+ffa/xXqcHjL3ZnNyH5oU56s9f287I89iqxz83Q2aw3jhOqoQoseeeRtg78ysWkgx
+KLgvRa2FApxq3LBrjDKmEbV9ph5qHvXzLGP5/FZUN/X0RzLmGD+J6458BHpw1tJW
+ZOu2NHNl79KLl5qsPtp44vwQwLYe33xKHRFBXbT83MmnDnN0qwxhzkKN/txZcbWB
+KEaOo/6MnpHO3YOaw9TWJdmaV/ETT3MS276rzxEXpiJYB50exlgelfTDrKW8wiMX
+WRGUgc1Mmfex0UWEQ48l0d67XpWmoQPUCLDwNks9P6qkMehlhFQZWiv4l9ZGRJp4
+6BkliNGaBBP2raMU9neMJhmd0/24AZ2vPlH2SuRvjLBCRoNA70GfvL5/9h21cQIh
+7UEs5p5spDEle7B3EzJrovMs7eTl89bHKhOx76+WHpmiXpFbFKL3eiEpVYlJYrrU
+zT2hI4B/mOAlHqqfgt9ygFJ4Zlbwh2rrQdioeCZTMEM4VpXLFz8=
+=EN9Q
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-18:12/elf.patch b/share/security/patches/SA-18:12/elf.patch
new file mode 100644
index 0000000000..bc0b808d16
--- /dev/null
+++ b/share/security/patches/SA-18:12/elf.patch
@@ -0,0 +1,35 @@
+--- sys/kern/imgact_elf.c.orig
++++ sys/kern/imgact_elf.c
+@@ -839,7 +839,8 @@
+ 			break;
+ 		case PT_INTERP:
+ 			/* Path to interpreter */
+-			if (phdr[i].p_filesz > MAXPATHLEN) {
++			if (phdr[i].p_filesz < 2 ||
++			    phdr[i].p_filesz > MAXPATHLEN) {
+ 				uprintf("Invalid PT_INTERP\n");
+ 				error = ENOEXEC;
+ 				goto ret;
+@@ -870,6 +871,11 @@
+ 			} else {
+ 				interp = __DECONST(char *, imgp->image_header) +
+ 				    phdr[i].p_offset;
++				if (interp[interp_name_len - 1] != '\0') {
++					uprintf("Invalid PT_INTERP\n");
++					error = ENOEXEC;
++					goto ret;
++				}
+ 			}
+ 			break;
+ 		case PT_GNU_STACK:
+--- sys/kern/vfs_vnops.c.orig
++++ sys/kern/vfs_vnops.c
+@@ -528,6 +528,8 @@
+ 	struct vn_io_fault_args args;
+ 	int error, lock_flags;
+ 
++	if (offset < 0 && vp->v_type != VCHR)
++		return (EINVAL);
+ 	auio.uio_iov = &aiov;
+ 	auio.uio_iovcnt = 1;
+ 	aiov.iov_base = base;
diff --git a/share/security/patches/SA-18:12/elf.patch.asc b/share/security/patches/SA-18:12/elf.patch.asc
new file mode 100644
index 0000000000..c51067dc84
--- /dev/null
+++ b/share/security/patches/SA-18:12/elf.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoM1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cL1Yw//VW6p5rRPB6mCxSZP+svZcvOlkz6pBBoMn+Ym2t7SFNYbNuVcD8GFr7F2
+a55U0LaQ9XoePdgwC7XFTfNv4Qeya1gmHvH6el93+MFFWLJV1zryN8mS4ny6oOwP
+PGPINqsS1eOmbs52n1U0ANujj8KvyghgojsqbhhpQtsa6W40/klMmvKGmnq1So5B
+YV8X9uOp6tB8ahkG0S+EbfH7X3o8MC/Q5hlQavmh/biQP44EU/QwqC47DudSpG3m
+S5wZtz6QNwwrtRdbJeBf+HMjfxZaMO/Lw2wC3FjwfysXL14zrCEuZROGT5Qtjd+p
+LQHNrzbK4qDT5c//Tuw7KBVAeOBj2a7Sl6SCt+6wu+WZe4QCbvuE5iC/vmXzQY/7
+2oGvxDLl9yOtu49vf/EQHpo3Als6ILnpz+o2FQ3s3PsDSpjmU8YK2ADRJ2lKuAcE
++i5UAcehcC2wlVI7w7dKJicDz5+4trTpRvfBh1bEjgvk1UY/uYvkwXapUo58CFUZ
+xZyBOaSprjaSyzRCuTlgE7s36mJkNV0QkRCRHutb/qCm0CY2UKcWmG4hf/Wld99m
+Qpr7wdydVdObQhDISqvBi1EPJ0ZSHwdvg2Pbvm10leal0azEEhVm/tGm8ENgLIh3
+5795BkrH+49PoCvUCATlsZOr1qWEtTYdK2DWjj+6rWZL7BYSMdY=
+=KOL2
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 81f9b19749..c451067583 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -8,6 +8,19 @@
     <name>2018</name>
 
     <month>
+      <name>9</name>
+
+      <day>
+	<name>12</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-18:12.elf</name>
+	</advisory>
+
+      </day>
+    </month>
+
+    <month>
       <name>8</name>
 
       <day>
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index 13896f3f52..b891327ccf 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -8,6 +8,19 @@
     <name>2018</name>
 
     <month>
+      <name>9</name>
+
+      <day>
+	<name>12</name>
+
+	<notice>
+	  <name>FreeBSD-EN-18:08.lazyfpu</name>
+	</notice>
+
+      </day>
+    </month>
+
+    <month>
       <name>6</name>
 
       <day>