git: a847059f9c - main - Add EN-23:15 and EN-23:16.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Fri, 01 Dec 2023 02:03:14 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=a847059f9ce13a81b8a0d2a46d0ad9dca6a9b335

commit a847059f9ce13a81b8a0d2a46d0ad9dca6a9b335
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2023-12-01 02:02:53 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-12-01 02:02:53 +0000

    Add EN-23:15 and EN-23:16.
    
    Approved by:    so
---
 website/data/security/errata.toml                  |   8 +
 .../advisories/FreeBSD-EN-23:15.sanitizer.asc      | 145 +++++++++++++++
 .../advisories/FreeBSD-EN-23:16.openzfs.asc        | 197 +++++++++++++++++++++
 .../security/patches/EN-23:15/sanitizer.patch      |  38 ++++
 .../security/patches/EN-23:15/sanitizer.patch.asc  |  16 ++
 .../security/patches/EN-23:16/openzfs.12.patch     |  12 ++
 .../security/patches/EN-23:16/openzfs.12.patch.asc |  16 ++
 .../security/patches/EN-23:16/openzfs.13.patch     |  28 +++
 .../security/patches/EN-23:16/openzfs.13.patch.asc |  16 ++
 .../security/patches/EN-23:16/openzfs.14.patch     | 101 +++++++++++
 .../security/patches/EN-23:16/openzfs.14.patch.asc |  16 ++
 11 files changed, 593 insertions(+)

diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index df128aa134..4966e33623 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,14 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-23:16.openzfs"
+date = "2023-12-01"
+
+[[notices]]
+name = "FreeBSD-EN-23:15.sanitizer"
+date = "2023-12-01"
+
 [[notices]]
 name = "FreeBSD-EN-23:14.regcomp"
 date = "2023-11-08"
diff --git a/website/static/security/advisories/FreeBSD-EN-23:15.sanitizer.asc b/website/static/security/advisories/FreeBSD-EN-23:15.sanitizer.asc
new file mode 100644
index 0000000000..c99758ce43
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:15.sanitizer.asc
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:15.sanitizer                                      Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Clang sanitizer failure with ASLR enabled
+
+Category:       contrib
+Module:         compiler-rt
+Announced:      2023-12-01
+Affects:        FreeBSD 14.0
+Corrected:      2023-11-25 09:05:09 UTC (stable/14, 14.0-STABLE)
+                2023-12-01 00:38:35 UTC (releng/14.0, 14.0-RELEASE-p1)
+                2023-11-25 09:05:14 UTC (stable/13, 13.2-STABLE)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Compiler-RT is an implementation of various compiler runtime support routines,
+provided by the LLVM project. This library also provides a number of so-called
+Sanitizers, which help to catch buffer overruns, thread data races, and so on:
+AddressSanitizer, ThreadSanitizer, UndefinedBehaviorSanitizer, and more.
+
+II.  Problem Description
+
+Some of the Sanitizers cannot work correctly when ASLR is enabled. Therefore, at
+the initialization of such Sanitizers, ASLR is detected via procctl(2). If ASLR
+is enabled, it is first disabled, and then the main executable containing the
+Sanitizer is re-executed, after printing an appropriate message.
+
+However, the Sanitizers work by intercepting various function calls, and by
+mistake the already-intercepted procctl(2) function was used. This causes an
+internal error, which usually results in a segfault.
+
+III. Impact
+
+Binaries linked to AddressSanitizer (using -fsanitize=address), MemorySanitizer
+(using -fsanitize=memory) or ThreadSanitizer (using -fsanitize=thread) can crash
+at startup with a segfault, if ASLR is enabled. Other binaries are not affected.
+
+IV.  Workaround
+
+If ASLR is enabled system-wide, the problem can be worked around by running the
+specific binary with proccontrol(1), to temporarily disable ASLR for only that
+program. For example:
+
+   proccontrol -m aslr -s disable /path/to/example_program
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+No reboot is necessary, but Sanitized binaries must be re-linked, because the
+Sanitizer libraries are statically linked in.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13 and earlier, can be updated via
+the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+No reboot is necessary, but Sanitized binaries must be re-linked, because the
+Sanitizer libraries are statically linked in.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:15/sanitizer.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:15/sanitizer.patch.asc
+# gpg --verify sanitizer.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              1e4798e9677f    stable/14-n265803
+releng/14.0/                            78b4c762b20b  releng/14.0-n265381
+stable/13/                              7c25a53a2cb9    stable/13-n256726
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275270>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:15.sanitizer.asc>
+
+-----BEGIN PGP SIGNATURE-----
+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+=EPbY
+-----END PGP SIGNATURE-----
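Review bot: section V of the EN-23:15 notice carries the paragraph "No reboot is necessary, but Sanitized binaries must be re-linked, because the Sanitizer libraries are statically linked in." twice, once before "Perform one of the following:" and again after the freebsd-update commands under option 1; one copy is enough. "Affects:" lists only FreeBSD 14.0 while "Corrected:" and the table in section VI also list stable/13, so a sentence explaining why stable/13 appears would avoid confusion. Section VI mentions a "Subversion revision number" although every branch in its table is a Git branch. The text sits inside a PGP signed message, so any wording change means re-signing the notice.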
diff --git a/website/static/security/advisories/FreeBSD-EN-23:16.openzfs.asc b/website/static/security/advisories/FreeBSD-EN-23:16.openzfs.asc
new file mode 100644
index 0000000000..4836b85008
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:16.openzfs.asc
@@ -0,0 +1,197 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:16.openzfs                                        Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          OpenZFS data corruption
+
+Category:       contrib
+Module:         OpenZFS
+Announced:      2023-12-01
+Affects:        All supported versions of FreeBSD.
+Corrected:      2023-11-28 21:00:48 UTC (stable/14, 14.0-STABLE)
+                2023-12-01 00:38:38 UTC (releng/14.0, 14.0-RELEASE-p1)
+                2023-11-28 21:07:30 UTC (stable/13, 13.2-STABLE)
+                2023-12-01 00:38:47 UTC (releng/13.2, 13.2-RELEASE-p6)
+                2023-11-30 05:28:33 UTC (stable/12, 12.4-STABLE)
+                2023-12-01 00:40:23 UTC (releng/12.4, 12.4-RELEASE-p8)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD has included a version of the powerful and feature-rich ZFS file
+system beginning with FreeBSD 7.0 released in 2008.  The ZFS implementation
+in FreeBSD 12 and earlier is based on the Illumos ZFS codebase.  In FreeBSD
+13 and later OpenZFS is used as the ZFS implementation.
+
+Sparse files in a file system refer to a technique that optimizes storage
+space by allowing the creation of files with unallocated or unwritten gaps,
+known as holes.  When reading a file, holes appear as zero or NUL bytes.
+Certain system calls can access hole location metadata, including lseek(2)
+with SEEK_HOLE and copy_file_range(2).
+
+In OpenZFS a dnode is a data structure used to represent and manage metadata
+about files and directories.  In file systems, "dirty" refers to data or
+metadata that has been modified in memory but not yet written to the storage
+device.  Thus, a dirty dnode is one which has uncommitted data or metadata.
+
+In FreeBSD 13.2 and FreeBSD 14.0 cp(1) uses copy_file_range(2) to perform the
+data copying in the kernel.  copy_file_range attempts to find file holes in
+the source file and preserve them in the copy.  In FreeBSD 12.4 cp does not
+use copy_file_range.
+
+II.  Problem Description
+
+A check did not test both the dnode itself and its data for dirtiness.  This
+provides a very small window of time while a file is being modified where the
+dirtiness check can falsely report that the dnode is clean.  If this happens
+a hole may incorrectly be reported where data was written.
+
+III. Impact
+
+If an access occurs while a file is being modified and a hole is incorrectly
+reported, the data may instead be interpreted as zero bytes.  Any application
+which checks for holes may be affected by this issue; if this occurs during a
+file copy it will result in a corrupt copy that retains the incorrect data.
+Note that the source file remains intact (a subsequent read will return the
+correct data).
+
+IV.  Workaround
+
+Setting the vfs.zfs.dmu_offset_next_sync sysctl to 0 disables forcing
+TXG sync to find holes.  This is an effective workaround that greatly
+reduces the likelihood of encountering data corruption, although it does
+not completely eliminate it.  Note that with the workaround holes will
+not be reported in recently dirtied files.  See the zfs(4) man page for
+more information of the impact of this sysctl setting.
+
+The workaround should be removed once the system is updated to include the
+fix described in this notice. 
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platfrom on FreeBSD 13 and earlier, can be updated via
+the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting to apply OpenZFS erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+NOTE: The FreeBSD 14.0 patch includes additional bug fixes which were found
+during the investigation of this issue.  These bug fixes do not apply to
+FreeBSD 13.2 or FreeBSD 12.4.
+
+[FreeBSD 14.0]
+# fetch https://security.FreeBSD.org/patches/EN-23:16/openzfs.14.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:16/openzfs.14.patch.asc
+# gpg --verify openzfs.14.patch.asc
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/EN-23:16/openzfs.13.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:16/openzfs.13.patch.asc
+# gpg --verify openzfs.13.patch.asc
+
+[FreeBSD 12.4]
+# fetch https://security.FreeBSD.org/patches/EN-23:16/openzfs.12.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:16/openzfs.12.patch.asc
+# gpg --verify openzfs.12.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://docs.freebsd.org/en/books/handbook/kernelconfig/> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              99385ec7c296    stable/14-n265836
+releng/14.0/                            154870526943  releng/14.0-n265384
+stable/13/                              5858f93a8b66    stable/13-n256744
+releng/13.2/                            0bb76997ce58  releng/13.2-n254644
+stable/12/                                                        r373278
+releng/12.4/                                                      r373279
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/275308>
+<URL:https://github.com/openzfs/zfs/issues/11900>
+<URL:https://github.com/openzfs/zfs/issues/15526>
+<URL:https://github.com/openzfs/zfs/pull/15566>
+<URL:https://github.com/openzfs/zfs/pull/15571>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:16.openzfs.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=pM+u
+-----END PGP SIGNATURE-----
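Review bot: typo in section V, option 1 of the EN-23:16 notice: "or the i386 platfrom on FreeBSD 13 and earlier" should read "platform" (the EN-23:15 notice in this same commit spells it correctly). In section IV, "more information of the impact" reads better as "on the impact", and the line "fix described in this notice. " ends in trailing whitespace. The workaround names the vfs.zfs.dmu_offset_next_sync sysctl but shows no command, unlike the proccontrol example in EN-23:15; a line such as "# sysctl vfs.zfs.dmu_offset_next_sync=0" would make it directly usable. There is also no blank line before "-----BEGIN PGP SIGNATURE-----" here, where EN-23:15 has one. All of this is inside the signed body, so fixing it requires re-signing.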
diff --git a/website/static/security/patches/EN-23:15/sanitizer.patch b/website/static/security/patches/EN-23:15/sanitizer.patch
new file mode 100644
index 0000000000..608e2450b1
--- /dev/null
+++ b/website/static/security/patches/EN-23:15/sanitizer.patch
@@ -0,0 +1,38 @@
+--- contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp.orig
++++ contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp
+@@ -2323,7 +2323,7 @@
+                "and binaries compiled with PIE\n"
+                "ASLR will be disabled and the program re-executed.\n");
+     int aslr_ctl = PROC_ASLR_FORCE_DISABLE;
+-    CHECK_NE(procctl(P_PID, 0, PROC_ASLR_CTL, &aslr_ctl), -1);
++    CHECK_NE(internal_procctl(P_PID, 0, PROC_ASLR_CTL, &aslr_ctl), -1);
+     ReExec();
+   }
+ #  elif SANITIZER_PPC64V2
+--- contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp.orig
++++ contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp
+@@ -56,6 +56,7 @@
+ // that, it was never implemented. So just define it to zero.
+ #undef MAP_NORESERVE
+ #define MAP_NORESERVE 0
++extern const Elf_Auxinfo *__elf_aux_vector;
+ #endif
+ 
+ #if SANITIZER_NETBSD
+@@ -947,11 +948,11 @@
+   const char *pathname = "/proc/self/exe";
+ 
+ #if SANITIZER_FREEBSD
+-  char exe_path[PATH_MAX];
+-  if (elf_aux_info(AT_EXECPATH, exe_path, sizeof(exe_path)) == 0) {
+-    char link_path[PATH_MAX];
+-    if (realpath(exe_path, link_path))
+-      pathname = link_path;
++  for (const auto *aux = __elf_aux_vector; aux->a_type != AT_NULL; aux++) {
++    if (aux->a_type == AT_EXECPATH) {
++      pathname = static_cast<const char *>(aux->a_un.a_ptr);
++      break;
++    }
+   }
+ #elif SANITIZER_NETBSD
+   static const int name[] = {
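Review bot: the new loop in the SANITIZER_FREEBSD branch of sanitizer_linux_libcdep.cpp, "for (const auto *aux = __elf_aux_vector; aux->a_type != AT_NULL; aux++)", dereferences __elf_aux_vector without a NULL check, and it drops the realpath() step the removed lines had, so pathname now takes the AT_EXECPATH string unresolved. If both are intended, a short comment should say so, along with the reason elf_aux_info() and realpath() are avoided here (presumably the same interception problem that the first hunk addresses by switching to internal_procctl, but the patch does not state it). The added "extern const Elf_Auxinfo *__elf_aux_vector;" would likewise benefit from a one-line comment naming where the symbol comes from.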
diff --git a/website/static/security/patches/EN-23:15/sanitizer.patch.asc b/website/static/security/patches/EN-23:15/sanitizer.patch.asc
new file mode 100644
index 0000000000..12d63f9ff1
--- /dev/null
+++ b/website/static/security/patches/EN-23:15/sanitizer.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=DmQ6
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:16/openzfs.12.patch b/website/static/security/patches/EN-23:16/openzfs.12.patch
new file mode 100644
index 0000000000..e80d6cbf6a
--- /dev/null
+++ b/website/static/security/patches/EN-23:16/openzfs.12.patch
@@ -0,0 +1,12 @@
+--- sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dmu.c.orig
++++ sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dmu.c
+@@ -2557,7 +2557,8 @@
+ 	}
+ 
+ 	for (i = 0; i < TXG_SIZE; i++) {
+-		if (list_link_active(&dn->dn_dirty_link[i])) {
++		if (list_link_active(&dn->dn_dirty_link[i]) ||
++		    !list_is_empty(&dn->dn_dirty_records[i])) {
+ 			break;
+ 		}
+ 	}
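Review bot: the widened condition in the "for (i = 0; i < TXG_SIZE; i++)" loop of dmu.c lands without any comment, whereas the 13 and 14 patches in this same commit add a block comment above dnode_is_dirty() explaining that both dn_dirty_link and dn_dirty_records must be tested and warning against changing it. Carrying the same explanation here, next to the condition, would keep someone from narrowing the check again on the 12 branch.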
diff --git a/website/static/security/patches/EN-23:16/openzfs.12.patch.asc b/website/static/security/patches/EN-23:16/openzfs.12.patch.asc
new file mode 100644
index 0000000000..87e5c1d7ff
--- /dev/null
+++ b/website/static/security/patches/EN-23:16/openzfs.12.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=fm3B
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:16/openzfs.13.patch b/website/static/security/patches/EN-23:16/openzfs.13.patch
new file mode 100644
index 0000000000..a8947126b3
--- /dev/null
+++ b/website/static/security/patches/EN-23:16/openzfs.13.patch
@@ -0,0 +1,28 @@
+--- sys/contrib/openzfs/module/zfs/dnode.c.orig
++++ sys/contrib/openzfs/module/zfs/dnode.c
+@@ -1773,7 +1773,14 @@
+ }
+ 
+ /*
+- * Checks if the dnode contains any uncommitted dirty records.
++ * Checks if the dnode itself is dirty, or is carrying any uncommitted records.
++ * It is important to check both conditions, as some operations (eg appending
++ * to a file) can dirty both as a single logical unit, but they are not synced
++ * out atomically, so checking one and not the other can result in an object
++ * appearing to be clean mid-way through a commit.
++ *
++ * Do not change this lightly! If you get it wrong, dmu_offset_next() can
++ * detect a hole where there is really data, leading to silent corruption.
+  */
+ boolean_t
+ dnode_is_dirty(dnode_t *dn)
+@@ -1781,7 +1788,8 @@
+ 	mutex_enter(&dn->dn_mtx);
+ 
+ 	for (int i = 0; i < TXG_SIZE; i++) {
+-		if (multilist_link_active(&dn->dn_dirty_link[i])) {
++		if (multilist_link_active(&dn->dn_dirty_link[i]) ||
++		    !list_is_empty(&dn->dn_dirty_records[i])) {
+ 			mutex_exit(&dn->dn_mtx);
+ 			return (B_TRUE);
+ 		}
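Review bot: the rewritten comment above dnode_is_dirty() explains why both conditions are needed but not what protects them; the new "!list_is_empty(&dn->dn_dirty_records[i])" test runs between mutex_enter(&dn->dn_mtx) and mutex_exit(&dn->dn_mtx), so the comment should state whether dn_mtx is the lock that guards dn_dirty_records as well as dn_dirty_link. Minor style point in the same comment: "eg appending" should be "e.g. appending".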
diff --git a/website/static/security/patches/EN-23:16/openzfs.13.patch.asc b/website/static/security/patches/EN-23:16/openzfs.13.patch.asc
new file mode 100644
index 0000000000..017633a5e6
--- /dev/null
+++ b/website/static/security/patches/EN-23:16/openzfs.13.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=be6d
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:16/openzfs.14.patch b/website/static/security/patches/EN-23:16/openzfs.14.patch
new file mode 100644
index 0000000000..995aa0f683
--- /dev/null
+++ b/website/static/security/patches/EN-23:16/openzfs.14.patch
@@ -0,0 +1,101 @@
+--- sys/contrib/openzfs/module/os/freebsd/zfs/zio_crypt.c.orig
++++ sys/contrib/openzfs/module/os/freebsd/zfs/zio_crypt.c
+@@ -1364,6 +1364,19 @@
+ 				vec++;
+ 				total_len += crypt_len;
+ 			}
++		} else if (txtype == TX_CLONE_RANGE) {
++			const size_t o = offsetof(lr_clone_range_t, lr_nbps);
++			crypt_len = o - sizeof (lr_t);
++			dst_iovecs[vec].iov_base = (char *)dlrp + sizeof (lr_t);
++			dst_iovecs[vec].iov_len = crypt_len;
++
++			/* copy the bps now since they will not be encrypted */
++			memcpy(dlrp + o, slrp + o, lr_len - o);
++			memcpy(aadp, slrp + o, lr_len - o);
++			aadp += lr_len - o;
++			aad_len += lr_len - o;
++			vec++;
++			total_len += crypt_len;
+ 		} else {
+ 			crypt_len = lr_len - sizeof (lr_t);
+ 			dst_iovecs[vec].iov_base = (char *)dlrp +
+--- sys/contrib/openzfs/module/os/linux/zfs/zio_crypt.c.orig
++++ sys/contrib/openzfs/module/os/linux/zfs/zio_crypt.c
+@@ -1543,6 +1543,21 @@
+ 				nr_iovecs++;
+ 				total_len += crypt_len;
+ 			}
++		} else if (txtype == TX_CLONE_RANGE) {
++			const size_t o = offsetof(lr_clone_range_t, lr_nbps);
++			crypt_len = o - sizeof (lr_t);
++			src_iovecs[nr_iovecs].iov_base = slrp + sizeof (lr_t);
++			src_iovecs[nr_iovecs].iov_len = crypt_len;
++			dst_iovecs[nr_iovecs].iov_base = dlrp + sizeof (lr_t);
++			dst_iovecs[nr_iovecs].iov_len = crypt_len;
++
++			/* copy the bps now since they will not be encrypted */
++			memcpy(dlrp + o, slrp + o, lr_len - o);
++			memcpy(aadp, slrp + o, lr_len - o);
++			aadp += lr_len - o;
++			aad_len += lr_len - o;
++			nr_iovecs++;
++			total_len += crypt_len;
+ 		} else {
+ 			crypt_len = lr_len - sizeof (lr_t);
+ 			src_iovecs[nr_iovecs].iov_base = slrp + sizeof (lr_t);
+--- sys/contrib/openzfs/module/zfs/dbuf.c.orig
++++ sys/contrib/openzfs/module/zfs/dbuf.c
+@@ -2700,15 +2700,23 @@
+ 	 * writes and clones into this block.
+ 	 */
+ 	mutex_enter(&db->db_mtx);
++	DBUF_VERIFY(db);
+ 	VERIFY(!dbuf_undirty(db, tx));
+ 	ASSERT3P(dbuf_find_dirty_eq(db, tx->tx_txg), ==, NULL);
+ 	if (db->db_buf != NULL) {
+ 		arc_buf_destroy(db->db_buf, db);
+ 		db->db_buf = NULL;
++		dbuf_clear_data(db);
+ 	}
++
++	db->db_state = DB_NOFILL;
++	DTRACE_SET_STATE(db, "allocating NOFILL buffer for clone");
++
++	DBUF_VERIFY(db);
+ 	mutex_exit(&db->db_mtx);
+ 
+-	dmu_buf_will_not_fill(db_fake, tx);
++	dbuf_noread(db);
++	(void) dbuf_dirty(db, tx);
+ }
+ 
+ void
+--- sys/contrib/openzfs/module/zfs/dnode.c.orig
++++ sys/contrib/openzfs/module/zfs/dnode.c
+@@ -1764,7 +1764,14 @@
+ }
+ 
+ /*
+- * Checks if the dnode contains any uncommitted dirty records.
++ * Checks if the dnode itself is dirty, or is carrying any uncommitted records.
++ * It is important to check both conditions, as some operations (eg appending
++ * to a file) can dirty both as a single logical unit, but they are not synced
++ * out atomically, so checking one and not the other can result in an object
++ * appearing to be clean mid-way through a commit.
++ *
++ * Do not change this lightly! If you get it wrong, dmu_offset_next() can
++ * detect a hole where there is really data, leading to silent corruption.
+  */
+ boolean_t
+ dnode_is_dirty(dnode_t *dn)
+@@ -1772,7 +1779,8 @@
+ 	mutex_enter(&dn->dn_mtx);
+ 
+ 	for (int i = 0; i < TXG_SIZE; i++) {
+-		if (multilist_link_active(&dn->dn_dirty_link[i])) {
++		if (multilist_link_active(&dn->dn_dirty_link[i]) ||
++		    !list_is_empty(&dn->dn_dirty_records[i])) {
+ 			mutex_exit(&dn->dn_mtx);
+ 			return (B_TRUE);
+ 		}
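Review bot: in both new TX_CLONE_RANGE branches of zio_crypt.c, "lr_len - o" is used as the memcpy length and "o - sizeof (lr_t)" as crypt_len, with no check visible in the hunk that lr_len is at least o; if an earlier validation guarantees it, a comment or assertion here should say so. In the FreeBSD variant the iovec base is computed as "(char *)dlrp + sizeof (lr_t)" while the copies use "dlrp + o" and "slrp + o" without a cast, so it is worth confirming that dlrp and slrp are byte pointers and making the two forms consistent. The dbuf.c change replaces dmu_buf_will_not_fill(db_fake, tx) with dbuf_clear_data(), a direct "db->db_state = DB_NOFILL" assignment, dbuf_noread() and dbuf_dirty() without a comment on why the helper is no longer suitable. The dnode.c part is the same change as in openzfs.13.patch.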
diff --git a/website/static/security/patches/EN-23:16/openzfs.14.patch.asc b/website/static/security/patches/EN-23:16/openzfs.14.patch.asc
new file mode 100644
index 0000000000..49119c2e46
--- /dev/null
+++ b/website/static/security/patches/EN-23:16/openzfs.14.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=y3xx
+-----END PGP SIGNATURE-----