MFC r323314, r323338, r328849

r323314:
Audit userspace geom code for leaking memory to disk

Any geom class using g_metadata_store, as well as geom_virstor which
duplicated g_metadata_store internally, would dump sectorsize - mdsize bytes
of userspace memory following the metadata block stored. This is most or all
geom classes (gcache, gconcat, geli, gjournal, glabel, gmirror, gmultipath,
graid3, gshsec, gstripe, and geom_virstor).

PR: 222077 (comment #3)
Reported by: Maxim Khitrov <max AT mxcrypt.com>
Reviewed by: des
Security: yes
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D12269

r323338:
Fix information leak in geli(8) integrity mode

In integrity mode, a larger logical sector (e.g., 4096 bytes) spans several
physical sectors (e.g., 512 bytes) on the backing device. Due to hash
overhead, a 4096 byte logical sector takes 8.5625 512-byte physical sectors.
This means that only 288 bytes (256 data + 32 hash) of the last 512 byte
sector are used.

The memory allocation used to store the encrypted data to be written to the
physical sectors comes from malloc(9) and does not use M_ZERO.

Previously, nothing initialized the final physical sector backing each
logical sector, aside from the hash + encrypted data portion. So 224 bytes
of kernel heap memory was leaked to every block :-(.

This patch addresses the issue by initializing the trailing portion of the
physical sector in every logical sector to zeros before use. A much simpler
but higher overhead fix would be to tag the entire allocation M_ZERO.

PR: 222077
Reported by: Maxim Khitrov <max AT mxcrypt.com>
Reviewed by: emaste
Security: yes
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D12272

r328849:
geom: don't write stack garbage in disk labels

Most consumers of g_metadata_store were passing in partially unallocated
memory, resulting in stack garbage being written to disk labels. Fix them by
zeroing the memory first.

gvirstor repeated the same mistake, but in the kernel.

Also, glabel's label contained a fixed-size string that wasn't
initialized to zero.

PR: 222077
Reported by: Maxim Khitrov <max@mxcrypt.com>
Reviewed by: cem
X-MFC-With: 323314
X-MFC-With: 323338
Differential Revision: https://reviews.freebsd.org/D14164

MFC r326276:

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

MFC r316530, r316535

r316530:
Fix clearing geom metadata if DIOCGSECTORSIZE fails

An unhandled error case would result in passing SIZE_MAX to malloc.
While I'm here, remove an unnecessary NULL check before free

Reported by: Coverity
CID: 1017793
Sponsored by: Spectra Logic Corp

r316535:
Fix memory leak in "gpart bootcode"

Also, annotate that gpart_issue never returns

Reported by: Coverity
CID: 1007105
Sponsored by: Spectra Logic Corp

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

If 'req' is NULL, print error on stderr.

MFC after: 3 days

- Simplify code by using g_*() API.
- Don't use u_char and u_int in userland.
- Change 'unsigned' to 'unsigned int'.
- Update copyright years.

MFC after: 1 week

Check for overflow before it occurs. Also add check for
negative numbers.

Suggested by: ache
Approved by: kib (mentor)

Remove G_TYPE_ASCLBA type and replace it with G_TYPE_STRING in gpart.
Move code that converts params from humanized numbers to sectors count
to subr.c and adjust comment.
Add post-processing for "size" and "start offset" params in gpart,
now they are properly converted to sectors count with known sector size
that can be greater that 512 bytes.
Also replace "unsigned long long" type to "off_t" for unify code since
it used for medium size in libgeom(3) and DIOCGMEDIASIZE ioctl.

PR: bin/146277
Reviewed by: marcel (previous version)
Approved by: kib (mentor)
MFC after: 1 month

bgeom(3) does strdup of param name.
Don't leak memory when deleting param from gctl_req.

Reviewed by: marcel
Approved by: mav (mentor)
MFC after: 2 weeks

Flush disk write cache after storing and clearing metadata.

- Back out r186038. Rather than changing the intent of the caller, the problem
should be handled internally in gvinum.

Suggested by: pjd

- When writing metadata to a geom provider, open the it as read-write since it
might do subsequent reads from other providers. This stopped geli (and
probably other classes using g_metadata_store as well) from being put on top
of gvinum raid5 volumes.

Note:
The reason it fails in the gvinum raid5 case is that gvinum will read back the
old parity stripe before calculating the new parity stripe to be written out
again. The write will then fail because the underlying disk to be read is
opened write only.

MFC after: 1 week

Add two support functions:
o gctl_delete_param() -- intended for parameters that are consumed
by geom(8) itself and which should not be passed to the kernel.
o gctl_has_param() -- intended to check if optional parameters are
present.

Both are needed by gpart(8) to process the optional parameter for
writing bootcode to a partition (as part of the bootcode verb).
However, the kernel is itself not involved in this matter and the
parameter needs to be removed from the request destined for the
kernel.

Implement gctl_change_param() function, which changes value of existing
parameter.

MFC after: 1 week

Add __printflike() attribute to various functions.

Remove trailing spaces.

- The geom(8) utility only uses three types of arguments: string (char *),
value (intmax_t) and boolean (int).
Based on that provide three functions:
- gctl_get_ascii()
- gctl_get_int()
- gctl_get_intmax()
- Hide gctl_get_param() function, as it is only used internally in
subr.c.
- Allow to provide argument name as (fmt, ...).
- Assert geom(8) bugs (missing argument is a geom(8) bug).

- Clean-up and simplify the code by using new functions and assumtions
(no more checking for missing argument).

Tested by: regression tests

Move function for calculating number of bits into more central place.
I want to use it so more.

MFC after: 3 days

MFp4: gmirror(8) is coming soon, and we need g_metadata_read() there.

Implement 3 new functions:
- g_lcm() - calculates Least Common Multiple of two given values,
it is helpful when we need to find sector size for provider
which is based on disks with different sector size;
- g_get_mediasize() - returns media size of given provider;
- g_get_sectorsize() - returns sector size of given provider;
Those function aren't used now, but are used by geom_mirror which will be
committed soon.

Bring in geom(8) utility. It is an universal utility for operating on
GEOM classes. It works by loading a shared library via dlopen(3) mechanism
with class-specific code, it is also responsible for communicating with
GEOM via libgeom(3).
Per-class shared libraries are going to be stored in /lib/geom/ directory.
It provides also few standard commands like 'list', 'load' and 'unload'
for existing classes which aren't aware of geom(8).
More info will be send on freebsd-current@ mailing list.

Supported by: Wheel - Open Technologies - http://www.wheel.pl