==========================================================================
The checksums (found through sum -r) of the files that you have received
(other than this README) are as follows:

    45021    29  patchSG0002770
    55046    18  patchSG0002770.dev_hdr
    58486    19  patchSG0002770.eoe1_man
    19070  3874  patchSG0002770.eoe1_sw
    20509    16  patchSG0002770.eoe2_man
    35898  1681  patchSG0002770.eoe2_sw
    46255    53  patchSG0002770.idb
    22345    17  patchSG0002770.nfs_man
    22859   162  patchSG0002770.nfs_sw
==========================================================================

1. Patch_SG0002770_Release_Note

This release note describes patch SG0002770 to IRIX 5.3.

Patch SG0002770 replaces patches SG0000797, SG0001092, SG0001233,
SG0001356, SG0001412, SG0001529, SG0001654, SG0002098, and SG0002292.

1.1 Supported_Hardware_Platforms

This patch contains bug fixes for all platforms.

1.2 Supported_Software_Platforms

This patch contains bug fixes for IRIX 5.3 and IRIX 5.3 with XFS. The
software cannot be installed on other configurations.

This patch is incompatible with IRIX 5.3 patch 990 - either remove
patch990 or upgrade to a more recent IRIX 5.3 kernel rollup patch before
attempting to install this patch.

1.3 Bugs_Fixed_by_Patch_SG0002770

This patch contains fixes for the following bugs in IRIX 5.3 and IRIX 5.3
with XFS. Bug numbers from Silicon Graphics bug tracking system are
included for reference.

This patch merges the fixes of patches 222, 246, 317, 327, 336, 477, 530,
546, 620, 639, 797, 906, 935, 1092, 1215, 1233, 1249, 1250, 1356, 1412,
1529, 1654, 2098 and 3072; and includes additional new fixes. The fixes
are detailed below.
   o Bug 490534: System hangs every few days after installing patch 1654
   o Bug 467421: potential structure leak in tpisocket
   o Bug 446660: kernel crash during cots/listen X/Open VST test run
   o Bug 446662: kernel crash during cots/snddis X/Open VST test run
   o Bug 259508: TLI program does not run on all SGI platforms
   o Bug 284409: tpisocket race conditions cause kernel to panic
     [see below]
   o Bug 438858: race in tpisocket tests [see below]
   o Bug 439983: O2-R10K PANIC:tlbmiss: invalid kptbl entry [see below]
   o Bug 440572: svr4net still broken on ficus-ssg (crashed tokyo)
     [see below]
   o Bug 441987: double trip on socket lock [see below]
   o Bug 444215: furnace panic'ed in tpisockd [see below]
   o Bug 390346: transport state was being returned as TS_IDLE instead
     of TS_WRES_CIND

     Important note. The fixes for bugs 284409, 438858, 439983, 440572,
     441987 and 444215 require that patch #1489 also be installed.
     Patch #1654 and patch #1489 may be installed in either order. If
     patch #1489 is not installed, then the complete fixes for the bugs
     listed earlier will not be present and there is the possibility
     that the kernel may panic when svr4net is enabled (rpcbind) and
     used under load.

   o Bug 247288, 248807, 268149, 276364, 278721, 278754, 278777: panics
     in tli and TCP code (originally fixed in patch 797)
   o Bug 254269: crash in sorflush() (originally fixed in patch 797)
   o Bug 260111: multicast datagrams that could not be accepted were
     mistakenly being counted as packets that could not be forwarded
     (originally fixed in patch 797).
   o IRIX did not support IP aliasing (bug 306135). IP aliasing lets the
     system administrator assign more than a single IP address to a
     single physical Ethernet address through the use of the
     ifconfig(1M) command. This is useful whenever one would like a
     single interface to accept packets for many different addresses.
     Example uses are when changing network numbers, and one wishes to
     accept packets addressed to the old interface, or when an Internet
     Service Provider would like to provide World Wide Web Home Pages to
     many different organizations, each with its own IP address. Alias
     information is dynamically allocated by IRIX so there is no set
     limit on the allowable number of aliases configured per interface
     or in total. Aliasing is controlled through the ifconfig command,
     which now supports the "alias" option to add a new alias and the
     "-alias" option to delete a previously added alias. See the
     ifconfig(1M) man page for a more detailed explanation of ifconfig
     usage. Each alias is added to the IP routing tables as a host route
     between the primary address and the alias. If the primary address
     aliases are on the same network, then running routed with -h will
     suffice. Running aliases that are on different networks may require
     routed to be run with -gs instead.
   o Bug 327092: Multicast routing has been updated to version 3.8.
   o Mrouted would fail to forget prunes when a neighbor went away, thus
     potentially sending traffic down a tunnel after the tunnel endpoint
     has gone down.
   o Mrouted could send prunes with negative lifetimes. This causes
     slightly higher prune traffic but shouldn't be any major problem.
   o Mrouted now ignores route reports that include bogus netmasks.
     There was a bug in 3.5 that would mangle default routes into tens
     of bogus routes; this should prevent that bug from killing the
     MBONE. This solution can cause route flaps and black holes until
     the 3.5's are gone or all of the 3.5's neighbors are 3.7.
   o Mrouted now ignores duplicate routes. Ciscos and the above 3.5 bug
     could cause two copies of the same route to appear in a single
     routing update; mrouted would insert two copies of the same route
     into its routing table and wreak all sorts of havoc.
   o Mrouted now sends a group-specific query for both retransmissions
     of a g-s query; previous versions sent a general query the second
     time.
   o Mrouted now performs deterministic tiebreaking between two
     neighbors on the same vif.
   o Mrouted now only does duplicate suppression on traceroute requests,
     not all traceroute packets, so that a loop can be nicely detected
     via a duplicate router instead of just a timeout.
   o The buffer size that mrouted uses has been increased to allow more
     than 16 hops in mtrace messages.
   o The configuration file can accept a hostname as the other end of a
     tunnel. There must be a single name->ip mapping for the given name,
     however, or mrouted will fail to start up.
   o Mrouted would dump core when attempting to report no routes (i.e.
     upon startup, if you have no enabled phyint's)
   o Mrouted would dump core if requested to traceroute a source for
     which it had no route
   o Neighbor flags were not always properly updated on probe or report
   o Mrouted would sometimes reply to a multicast traceroute on a
     disabled phyint; now it uses the first configured phyint to reply
     to traceroutes.
   o Host routes (i.e. netmask 0xffffffff) work now; it was discarding
     IGMP from the host because it was coming from the "broadcast
     address" of the subnet.
   o The function send_igmp() now treats the failure to send an mtrace
     or a neighbor reply as informational, as opposed to warning.
   o Mrouted would go into an infinite loop trying to respond to a
     traceroute for a source with a netmask of 0xffffffff.
   o The variable vifs_with_neighbors was not being reset if mrouted was
     restarted with SIGHUP
   o The default route was not being properly advertised to neighbors
     (although it was accepted if it was advertised to it)
   o This patch contains networking rollup changes relating to bug
     323277 ("ia workaround needed"). These changes will have no effect
     unless 5.3 kernel rollup patch 1034 or a subsequent 5.3 kernel
     rollup patch is installed on the system, too.
     Only when kernel rollup patch1034 or later is installed will the
     networking ia workaround functionality be enabled.

     Note: An incompatibility has been discovered between this patch and
     patch990. You must remove patch990 before installing this patch.
     You may install a more recent IRIX kernel rollup patch but not
     patch990.

   o The IP multicast support did not prune multicasts when they were
     not needed. (Bug 255570)
   o IP multicast routers with more than two interfaces decremented the
     time-to-live field too often, and could corrupt the IP header
     checksum. (Bug 249138)
   o When TCP connections are being created and destroyed at a high
     rate, a multiprocessor system may panic with a segmentation
     violation. This fix avoids the race between accept() and tcp_drop()
     on multiprocessor machines. (Bug 248734)
   o When TCP connections are being created at a high rate, a system
     panic may occur with message "soaccept !NOFDREF". This fix avoids
     the race between accept() and tcp_drop(). (Bug 249206)
   o When TCP connections are being created at a high rate, connections
     may time out even though the server is largely idle, due to the
     backlog limit on the server's initial connection socket being
     limited to a small value. This change allows the maximum backlog
     value to be reconfigured, by modifying the variable somaxconn in
     /var/sysgen/master.d/bsd. (Bug 245976)
   o When remote TCP clients disappear forever (where the client systems
     do not respond to pings), with connections open and data queued for
     output, after the local server has closed the connection, but
     before all the data has been delivered and acknowledged, the TCP
     socket is left in the kernel indefinitely, even if the server set
     the SO_KEEPALIVE option. This eventually uses up all available
     network buffer space. This change adds a new kernel variable,
     tcp_keep_timer_in_close, located in /var/sysgen/master.d/bsd. This
     variable may be set to a non-zero value, to permit SO_KEEPALIVE
     timeouts to act on such sockets.
     The variables tcp_keepidle (the basic SO_KEEPALIVE timeout period)
     and tcp_keepintvl (the SO_KEEPALIVE probe interval) are now located
     in /var/sysgen/master.d/bsd as well, to simplify modifying them. On
     heavily used TCP servers, it may be useful to reduce tcp_keepidle
     from the default (2 hours) to something less (perhaps 15 minutes).
     (Bug 248935)
   o The automount daemon may hang for several minutes at a time or the
     sendto() system call may churn up lots of system cpu for a
     non-bound UDP socket for MP systems. Incoming UDP packets for a
     specific socket may be discarded if an application is currently
     executing a sendto() system call on the UDP socket. One particular
     symptom is the local automount daemon not responding to a request
     (mount or symlink LOOKUP) for 30 seconds or longer while the local
     nfs kernel client code (/hosts/ mount) times out and retries the
     request. The dropped UDP packets show up in the udp section of
     "netstat -s" output with the label "XXX datagrams dropped due to no
     socket". Other programs which use UDP extensively may encounter
     this problem of incoming packets dropped while the program is
     executing a sendto() syscall. The problem is due to the way the
     sendto() system call is implemented over UDP in 5.3. Each sendto()
     causes a connect/udp_output/disconnect to be done on the socket
     which may (1) encounter high lock contention and (2) will discard
     packets received for this socket which arrive during the sendto().
     The fix is to properly multithread sendto() for UDP to allow
     concurrent transmit and receive. (Bugs 252553 and 258545)
   o Bug 282117: panic in tcp_notify() (originally fixed in patch 530).
   o Bug 295611: crash in uipc_vget() (originally fixed in patch 797).
   o The default amount of memory to be used by mbufs used to be a
     simple step function; it has been changed to be 1/8 of physical
     memory.
   o IRIX did not include the base support necessary for the firewall to
     firewall encryption feature of the Gauntlet firewall product.
     (Bug 286234)
   o Users of the TLI could experience problems due to bugs in locking
     on MP systems; rpcbind is often implicated in these cases as it is
     one of the few programs in the system that uses TLI. (Bugs 286701
     and 277139)
   o Bug 279053: rpcbind didn't work correctly with IP aliases
     (originally fixed in patch 546).
   o Bug 279057: portmap didn't work correctly with IP aliases
     (originally fixed in patch 546).
   o A hang could occur when the data for source or destination of a
     socket read or write operation was a page that was mapped via nfs
     and the page gets a fault. The code to handle the fault indirectly
     depends on a socket lock that is held when the fault is taken.
     (Bug 303082)
   o Fix "uipc 3" panics. When sending on a unix domain socket, a socket
     pair needs to be locked; check that the connection is still open
     before retrying the locking of the socket pair. Don't panic if the
     connection does go away, as it is now possible with MP locking;
     just return ENOTCONN. (Bugs 342039 and 364727)
   o Fix kernel segmentation fault in unp_connect due to race.
     Initialize unp_address before linking onto bound list; use
     SOCKET_PAIR_CMPLOCK, it's faster in the common case; check for
     socket destruction when can't acquire all needed locks.
     (Bug 361688)
   o Bug 368408: after tcp_respond calculates a checksum, it needs to
     clear the M_CKSUMMED flag so that the hardware will not incorrectly
     recalculate it.
   o Bug 272453: source routing implementation will fail on
     multiprocessors; furthermore, source routing is a security problem
     for systems acting as firewalls. Removed source routing support
     altogether; note that source routing support has similarly been
     removed for IRIX 6.2.
   o A variable was added to enable the skipping of a check for invalid
     source address 0xffffffff, which is a broadcast address. This is
     explicitly against RFC1122 3.2.1.3. This is a special for a
     customer that is trying to bootp a kernel but is using a broadcast
     address as source address.
     They complain we are the only vendor that checks for this. Original
     BSD code does not check for this, but we added the check quite a
     while ago. Setting allow_brdaddr_srcaddr to nonzero will disable
     the check.
   o Bug 348668: tlbmiss in m_free
     This fixes a bug where soreceive() would "page flip" out a received
     FDDI packet into the user receive buffer, then call m_free() which
     would sometimes panic with a "tlbmiss" error.
   o Bug 363009: invalid mbuf causing tlbmiss in m_freem
     This fixes a problem that would occur on EVEREST systems with
     multiple IO4 boards and the fix for 323277 ("ia workaround") where
     the system would sometimes crash in a tlbmiss in m_freem().
   o Bug 310756: more logging information from ... kernel
     Added kernel support and kernel variables warn_tcp_unserved_port
     and warn_udp_unserved_port to /var/sysgen/master.d/bsd for Gauntlet
     firewall functionality (port scan detection).
   o Bug 369521: system.dl/irix.sm needs Gauntlet changes if installing
     networking rollup.
     Diskless systems sometimes could not successfully generate a new
     kernel after installing previous IRIX 5.3 networking rollup
     patches, due to missing symbols starting with "sw" at the kernel
     link stage.
   o Bugs 323866,375099: "Patch 797 (IP aliases portion) shows strange
     routing table with ppp setups", "ifconfig in patch 797 (and
     successor 1092) does not set destination address", "netstat -r is
     slow with patch 1356 installed."
     The ifconfig command starting in patch 797 did not attempt to set
     the destination address for a point-to-point network interface.
     This affected some PPP systems and Gauntlet Firewall systems making
     use of the virtual swIPe network interface sw0. This also caused
     "netstat -rn" to display some garbage when listing routes involving
     such interfaces. Netstat will no longer attempt to look up network
     numbers in the DNS.
   o Bug 348335: rpcbind does not work with TOT kernels
     This fixes rpcbind so that select exceptions are treated as read
     events.
   o Bug 291184: netstat reported incorrect type information for
     UNIX-domain sockets.
   o Bug 353649: FTP server processes would sometimes hang forever in an
     accept() system call.
   o Bug 273287: FTP server would allow logins on accounts with expired
     passwords.
   o Bug 369917: Previous to this patch, if the tunable SOMAXCONN is set
     to a preposterous value (less than or equal to zero or greater than
     1000), it would be reset to 5. In such cases it is now set to 1000.
   o Bug 370907: In patch 1092, IP aliasing and Appletalk were
     incompatible; this has been fixed in the release.
   o Bug 255531: inetd satwrite failure message in SYSLOG
   o Bug 309353: All eight EPLEX ports hang, SYSLOG shows a "bad B2H
     sernum" (originally fixed in patch 1233).
   o Bug 374809: irix5.3 IP19 hangs when same IP address put on two
     EPLEX interfaces
   o Bug 377322: when the EPLEX board falls asleep, reset it. The board
     seems to doze only when the network is physically broken as
     indicated by late collisions or other errors caused by bad wires.
     To see kernel printfs when the board is reset, set the IFF_DEBUG
     flag on the first port, either manually with the `ifconfig` command
     or automatically in /etc/config/ifconfig-xx.options.
   o Bug 380275: hang due to socket<=>inpcb deadlock with patch 1233
     installed
   o Bug 316600: fix pkt counts for mrouted for all vifs
   o Bug 366431: System could panic if >327 permanent ARP entries added
   o Bug 382081: netstat -C would not redraw correctly if suspended
   o Bug 386355: rtnetd could hang due to a deadlock in the PCB
     management code (with patch 1356 installed)
   o Bug 389756: netstat -C would dump core whenever 'z' was typed
   o Bug 394867: some systems incorrectly send ICMP messages in response
     to multicast datagrams, and these error reports would confuse
     multicast applications. IRIX now ignores ICMP error reports sent in
     response to a datagram that was multicast
   o Bug 396323: inetd could dump core if the NIS password map changed
     after it was started.
     A failure to locate a user would result in a NULL-pointer
     dereference.
   o Bug 399569: TCP connections in persist state would never time out,
     and could result in processes that could not be killed.
   o Bug 8180: ypbind now tries to bind using multicast. To bind to a
     NIS server not on the local network, the distant system running
     `ypserv` must have `portmap` configured to listen to multicast
     requests. Note that the unpatched version of portmap in IRIX 5.3
     and IRIX 6.2 is vulnerable to denial of service attacks from the
     Internet if multicast reception is turned on, and if packets
     addressed to 224.0.2.2 can be received from the Internet, as is
     usually the case when MBONE or other Internet facilities are
     available.
   o Bug 391121: tli program crashes/hangs 6.2 machines. The bug was
     in 5.3 as well. An already unlocked socket was being unlocked.
   o Bug 407050: rtnetd could hang in tcp_close() with patch 1092, 1233,
     or 1356 installed.
   o Bug 416312: ypbind in patch 1412 fails to bind.
   o Bug 416381: errors in SYN_RCVD could cause congestion on busy
     servers
   o Bug 264076,264553: exiting ipfilterd causes crash on Irix 5.3.
   o Bug 258507: ipfilterd does a bogus TTL compare on Irix 5.3.
   o Bug 283063: system hangs occur when ipfilterd is enabled on Irix
     5.3.
   o Bug 286233: ipfilterd did not support a grab function which was
     required by the transparent proxy feature of the Gauntlet firewall
     product.
   o Bug 325865: ipfilterd failed to do bounds checking when loading
     filters. If you exceeded its filters limit, it overwrites other
     parts of its own memory and may core dump.
   o Bug 363456: ipfilterd should indicate when the number of filters in
     its configuration file exceeds its internal limit.
   o Bugs 325865,363456: The limit of 100 ipfilterd filters is too
     restrictive for some uses. The limit has been increased to 1000.
   o Bug 405907: ipfilter code in kernel does not reset SPL level if
     input queue overflows.
   o Bug 360129: alias information missing from patch 1092 release notes
   o Bug 360200: ensure that persist timer is running in the CLOSING
     state (originally fixed in patch 1233).
   o Bug 360309, 413610: panic in in_pcblookup()
   o Bug 419350: unp_connect() could attempt to unlock a garbage socket
     pointer
   o Bug 423124: rtnetd could sleep forever in tcp_close()
   o Bug 427433: defend against denial-of-service attack consisting of a
     stream of TCP SYNs.
   o Bug 427672: ipfilter could crash in ipfilter_kernel()
   o Bug 428441: in some circumstances, getsockopt() could free an mbuf
     twice
   o Bug 428841: If the system ran out of mbufs, UDP could crash the
     system.
   o Bug 429599: deadlock in ARP
   o Bug 438125: under certain circumstances, large ping packets could
     crash the system.
   o Bug 443482: the system could crash if an application attempted to
     connect an AF_UNIX socket to itself.
   o Bug 455547: single-CPU systems could crash with a corrupted PCB
     list when running certain applications, such as vic and vat
   o Bug 458244: TCP connections could get stuck in FIN-WAIT-2 and never
     be cleaned up (tcp_keep_timer_in_close must be set for this fix to
     take effect).
   o Bug 459724: tpisocket used M_PROTO messages for acknowledgments
     that should have been M_PCPROTO.
   o Bug 459895: inetd could fail to look up user 'root' in the password
     file or the NIS map.
   o Bug 473346: in some cases, a RST could be ignored while in state
     SYN-RCVD
   o Bug 490852: a race condition in the mblk/mbuf conversion code could
     cause a crash in m_free().
   o The inetd listen queue length was raised to 255 from the previous
     value of 10 (no incident ID).
   o Bug 498529: FTPD security problem
   o Bug 498603: rlogin security issue when rlogin dumps core.
   o Bug 499575: rlogin could dump core if $TERM was very long
   o Bug 508398: rpcbind could dump core
   o Bug 552707: EPLEX ethernet driver could compute TCP and UDP
     checksums wrong.
   o Bug 549465: multicast packets could have the wrong UDP checksum.
   o Bug 550627: EPLEX driver reset code could crash the system.
   o Bug 568631: Tracing in `routed` could be turned on and appended to
     an arbitrary file. This security problem is small, because the data
     appended cannot be controlled by a bad guy. The problem is not
     present in the new version of `routed` in patch SG0001638 for IRIX
     6.2 or in releases of IRIX starting with 6.3. It is a good idea to
     apply patch SG0002413 to IRIX 6.3 and 6.4.
   o Bug 579436: ftpd's use of utmp and utmpx files is problematic. ftpd
     logs an entry in the utmpx file, if possible, at connection
     initiation. The previous method could lead to corruption of the
     utmp and utmpx files when multiple ftpd processes simultaneously
     log to the utmpx. The fix for this problem only allows one ftpd
     process at a time access to the utmpx. On a heavily loaded system,
     the fix has a side effect that some valid ftp sessions are not
     logged to the utmpx file. Thus, the w and who commands will display
     incorrect information until the unlogged ftp session terminates.
     This behavior is only an extension of previous ftpd behavior which
     would occur if a system experienced more than 62 simultaneous ftp
     connections. wtmp and wtmpx logging, which occurs regardless of the
     outcome of utmpx logging, is unaffected by this fix. For a complete
     fix for reported ftp with utmp and utmpx problems, install IRIX 5.3
     libc rollup patch 2806 in addition to this patch.
   o Bug 540871: Irix 6.2 ftp / ftpd not y2k compliant
   o Bug 548138: timeslave should know about a GPS receiver
   o Bug 555856: timeslave broken with year=>2000
   o Bug 558302: `timeslave -Y` sets the year wrong
   o Bug 597368: timeslave does not like '-y X' for X>=0

1.4 Subsystems_Included_in_Patch_SG0002770

This patch release includes these subsystems:

   o patchSG0002770.eoe1_sw.svr4net
   o patchSG0002770.eoe1_sw.unix
   o patchSG0002770.eoe2_sw.ipgate
   o patchSG0002770.eoe2_sw.tcp

1.5 Installation_Instructions

Because you want to install patches for only the problems you have
encountered, patch software is not installed by default. After reading
the descriptions of the bugs fixed in this patch, determine the patches
that meet your specific needs.

Patch software is installed like any other Silicon Graphics software
product. Follow the instructions in your IRIS Software Installation Guide
to bring up the miniroot form of the software installation tools.

Follow these steps to select a patch for installation:

   1. At the Inst> prompt, type

          install patchSGxxxxxxx

      where xxxxxxx is the patch number.

   2. Select the desired patches for installation.

   3. Initiate the installation sequence. Type

          Inst> go

   4. You may find that two patches have been marked as incompatible. If
      this occurs, you must deselect one of the patches.

          Inst> keep patchSGxxxxxxx

      where xxxxxxx is the patch number.

   5. After completing the installation process, exit the inst program
      by typing

          Inst> quit

To remove a patch, use the versions remove command as you would for any
other software subsystem. The removal process reinstates the original
version of software unless you have specifically removed the patch
history from your system.

    versions remove patchSGxxxxxxx

where xxxxxxx is the patch number.

To keep a patch but increase your disk space, use the versions removehist
command to remove the patch history.

    versions removehist patchSGxxxxxxx

where xxxxxxx is the patch number.
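
Added example (not part of the SGI release note): a Python check of the downloaded files against the `sum -r` manifest at the top of this README, to run before the installation steps above. It reimplements the BSD rotate-right checksum rather than calling the local `sum`; the function names and the 512-byte block unit are assumptions (GNU `sum -r` counts 1024-byte blocks, so pass `block_size=1024` to mirror it).

```python
import math
import os
import re
import sys

# Manifest copied from the top of this README: checksum, blocks, file name.
MANIFEST = """\
45021 29 patchSG0002770
55046 18 patchSG0002770.dev_hdr
58486 19 patchSG0002770.eoe1_man
19070 3874 patchSG0002770.eoe1_sw
20509 16 patchSG0002770.eoe2_man
35898 1681 patchSG0002770.eoe2_sw
46255 53 patchSG0002770.idb
22345 17 patchSG0002770.nfs_man
22859 162 patchSG0002770.nfs_sw
"""

ENTRY = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\S+)\s*$")


def parse_manifest(text):
    """Return [(checksum, blocks, name)] for each 'sum -r' style line."""
    return [(int(m[1]), int(m[2]), m[3])
            for m in map(ENTRY.match, text.splitlines()) if m]


def bsd_checksum(data, checksum=0):
    """BSD 16-bit checksum: rotate right one bit, then add each byte."""
    for byte in data:
        checksum = (checksum >> 1) | ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def sum_file(path, block_size=512):
    """Return (checksum, block count); block_size=512 is an assumption."""
    checksum = size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            checksum = bsd_checksum(chunk, checksum)
            size += len(chunk)
    return checksum, math.ceil(size / block_size)


def verify(manifest_text, directory, block_size=512):
    """Map each manifest name to 'ok', 'mismatch', 'missing' or 'rejected'."""
    results = {}
    for want_sum, want_blocks, name in parse_manifest(manifest_text):
        path = os.path.join(directory, name)
        if os.path.basename(name) != name:
            # The README is untrusted input: never follow a path component.
            results[name] = "rejected"
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif sum_file(path, block_size) == (want_sum, want_blocks):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    # Usage: python verify_patch.py /path/to/downloaded/patch/files
    report = verify(MANIFEST, sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in report.items():
        print(f"{status:9} {name}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

A 16-bit checksum of this kind only detects transfer damage; it says nothing about who produced the files.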