commit 2ebf478107ecb3c554fceb26d01bca59c6d0ed1e
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Feb 23 21:21:49 2022 +0000

    upstream: free(3) wants stdlib.h
    
    OpenBSD-Commit-ID: 227a8c70a95b4428c49e46863c9ef4bd318a3b8a

diff --git a/auth-rhosts.c b/auth-rhosts.c
index cac5cd84..4fc9252a 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.55 2022/02/23 11:15:57 djm Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.56 2022/02/23 21:21:49 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -19,6 +19,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 
+#include <fcntl.h>
 #ifdef HAVE_NETGROUP_H
 # include <netgroup.h>
 #endif
@@ -26,7 +27,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
-#include <fcntl.h>
+#include <stdlib.h>
 #include <unistd.h>
 
 #include "packet.h"

commit 6c4a67ece33d9551429490898bb3c793a689e913
Author: Colin Watson <cjwatson@debian.org>
Date:   Thu Feb 24 16:04:18 2022 +0000

    Improve detection of -fzero-call-used-regs=all support
    
    GCC doesn't tell us whether this option is supported unless it runs into
    the situation where it would need to emit corresponding code.

diff --git a/m4/openssh.m4 b/m4/openssh.m4
index 4f9c3792..8c33c701 100644
--- a/m4/openssh.m4
+++ b/m4/openssh.m4
@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
 	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
 #include <stdlib.h>
 #include <stdio.h>
+/* Trivial function to help test for -fzero-call-used-regs */
+void f(int n) {}
 int main(int argc, char **argv) {
 	(void)argv;
 	/* Some math to catch -ftrapv problems in the toolchain */
@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
 	float l = i * 2.1;
 	double m = l / 0.5;
 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+	f(0);
 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
 	/*
 	 * Test fallthrough behaviour.  clang 10's -Wimplicit-fallthrough does

commit 995cf19fbef0b10dbcf1dd8d6382cec9194e08c5
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat Feb 26 14:06:14 2022 +1100

    Allow ppoll_time64 in seccomp sandbox.
    
    Should fix sandbox violations on (some? at least i386 and armhf) 32bit
    Linux platforms.  Patch from chutzpahu at gentoo.org and cjwatson at
    debian.org via bz#3396.

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e065ba3..4ce80cb2 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_ppoll
 	SC_ALLOW(__NR_ppoll),
 #endif
+#ifdef __NR_ppoll_time64
+	SC_ALLOW(__NR_ppoll_time64),
+#endif
 #ifdef __NR_poll
 	SC_ALLOW(__NR_poll),
 #endif

commit 238ac091dd57316bc9690d9cc42229fe21ce0def
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Mar 1 01:59:19 2022 +0000

    upstream: pack pollfd array before server_accept_loop() ppoll()
    
    call, and terminate sshd if ppoll() returns errno==EINVAL
    
    avoids spin in ppoll when MaxStartups > RLIMIT_NOFILE, reported by
    Daniel Micay
    
    feedback/ok deraadt
    
    OpenBSD-Commit-ID: dbab1c24993ac977ec24d83283b8b7528f7c2c15

diff --git a/sshd.c b/sshd.c
index ef18ba46..30aeb806 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.583 2022/02/01 07:57:32 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.584 2022/03/01 01:59:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1129,9 +1129,9 @@ static void
 server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 {
 	struct pollfd *pfd = NULL;
-	int i, j, ret;
+	int i, j, ret, npfd;
 	int ostartups = -1, startups = 0, listening = 0, lameduck = 0;
-	int startup_p[2] = { -1 , -1 };
+	int startup_p[2] = { -1 , -1 }, *startup_pollfd;
 	char c = 0;
 	struct sockaddr_storage from;
 	socklen_t fromlen;
@@ -1142,6 +1142,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 	/* pipes connected to unauthenticated child sshd processes */
 	startup_pipes = xcalloc(options.max_startups, sizeof(int));
 	startup_flags = xcalloc(options.max_startups, sizeof(int));
+	startup_pollfd = xcalloc(options.max_startups, sizeof(int));
 	for (i = 0; i < options.max_startups; i++)
 		startup_pipes[i] = -1;
 
@@ -1157,6 +1158,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 	sigaddset(&nsigset, SIGTERM);
 	sigaddset(&nsigset, SIGQUIT);
 
+	/* sized for worst-case */
 	pfd = xcalloc(num_listen_socks + options.max_startups,
 	    sizeof(struct pollfd));
 
@@ -1196,24 +1198,31 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 			pfd[i].fd = listen_socks[i];
 			pfd[i].events = POLLIN;
 		}
+		npfd = num_listen_socks;
 		for (i = 0; i < options.max_startups; i++) {
-			pfd[num_listen_socks+i].fd = startup_pipes[i];
-			if (startup_pipes[i] != -1)
-				pfd[num_listen_socks+i].events = POLLIN;
+			startup_pollfd[i] = -1;
+			if (startup_pipes[i] != -1) {
+				pfd[npfd].fd = startup_pipes[i];
+				pfd[npfd].events = POLLIN;
+				startup_pollfd[i] = npfd++;
+			}
 		}
 
 		/* Wait until a connection arrives or a child exits. */
-		ret = ppoll(pfd, num_listen_socks + options.max_startups,
-		    NULL, &osigset);
-		if (ret == -1 && errno != EINTR)
+		ret = ppoll(pfd, npfd, NULL, &osigset);
+		if (ret == -1 && errno != EINTR) {
 			error("ppoll: %.100s", strerror(errno));
+			if (errno == EINVAL)
+				cleanup_exit(1); /* can't recover */
+		}
 		sigprocmask(SIG_SETMASK, &osigset, NULL);
 		if (ret == -1)
 			continue;
 
 		for (i = 0; i < options.max_startups; i++) {
 			if (startup_pipes[i] == -1 ||
-			    !(pfd[num_listen_socks+i].revents & (POLLIN|POLLHUP)))
+			    startup_pollfd[i] == -1 ||
+			    !(pfd[startup_pollfd[i]].revents & (POLLIN|POLLHUP)))
 				continue;
 			switch (read(startup_pipes[i], &c, sizeof(c))) {
 			case -1:

commit 244f64071150d8e78b114a32c0e5ca1a0d21d54c
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Mar 8 20:04:06 2022 +1100

    Default to not using sandbox when cross compiling.
    
    On most systems poll(2) does not work when the number of FDs is reduced
    with setrlimit, so assume it doesn't when cross compiling and we can't
    run the test.  bz#3398.

diff --git a/configure.ac b/configure.ac
index 17fb1e60..a165d087 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3574,8 +3574,8 @@ AC_RUN_IFELSE(
 	 select_works_with_rlimit=yes],
 	[AC_MSG_RESULT([no])
 	 select_works_with_rlimit=no],
-	[AC_MSG_WARN([cross compiling: assuming yes])
-	 select_works_with_rlimit=yes]
+	[AC_MSG_WARN([cross compiling: assuming no])
+	 select_works_with_rlimit=no]
 )
 
 AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[

commit 5880200867e440f8ab5fd893c93db86555990443
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Mar 11 18:43:58 2022 +1100

    Resync fmt_scaled. with OpenBSD.
    
    Fixes underflow reported in bz#3401.

diff --git a/openbsd-compat/fmt_scaled.c b/openbsd-compat/fmt_scaled.c
index 2f76ef93..87d40d2d 100644
--- a/openbsd-compat/fmt_scaled.c
+++ b/openbsd-compat/fmt_scaled.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: fmt_scaled.c,v 1.17 2018/05/14 04:39:04 djm Exp $	*/
+/*	$OpenBSD: fmt_scaled.c,v 1.21 2022/03/11 07:29:53 dtucker Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002, 2003 Ian F. Darwin.  All rights reserved.
@@ -54,9 +54,9 @@ typedef enum {
 } unit_type;
 
 /* These three arrays MUST be in sync!  XXX make a struct */
-static unit_type units[] = { NONE, KILO, MEGA, GIGA, TERA, PETA, EXA };
-static char scale_chars[] = "BKMGTPE";
-static long long scale_factors[] = {
+static const unit_type units[] = { NONE, KILO, MEGA, GIGA, TERA, PETA, EXA };
+static const char scale_chars[] = "BKMGTPE";
+static const long long scale_factors[] = {
 	1LL,
 	1024LL,
 	1024LL*1024,
@@ -153,10 +153,8 @@ scan_scaled(char *scaled, long long *result)
 		}
 	}
 
-	if (sign) {
+	if (sign)
 		whole *= sign;
-		fpart *= sign;
-	}
 
 	/* If no scale factor given, we're done. fraction is discarded. */
 	if (!*p) {
@@ -191,7 +189,8 @@ scan_scaled(char *scaled, long long *result)
 			/* truncate fpart so it doesn't overflow.
 			 * then scale fractional part.
 			 */
-			while (fpart >= LLONG_MAX / scale_fact) {
+			while (fpart >= LLONG_MAX / scale_fact ||
+			    fpart <= LLONG_MIN / scale_fact) {
 				fpart /= 10;
 				fract_digits--;
 			}
@@ -200,7 +199,10 @@ scan_scaled(char *scaled, long long *result)
 				for (i = 0; i < fract_digits -1; i++)
 					fpart /= 10;
 			}
-			whole += fpart;
+			if (sign == -1)
+				whole -= fpart;
+			else
+				whole += fpart;
 			*result = whole;
 			return 0;
 		}
@@ -222,12 +224,16 @@ fmt_scaled(long long number, char *result)
 	unsigned int i;
 	unit_type unit = NONE;
 
+	/* Not every negative long long has a positive representation. */
+	if (number == LLONG_MIN) {
+		errno = ERANGE;
+		return -1;
+	}
+
 	abval = llabs(number);
 
-	/* Not every negative long long has a positive representation.
-	 * Also check for numbers that are just too darned big to format
-	 */
-	if (abval < 0 || abval / 1024 >= scale_factors[SCALE_LENGTH-1]) {
+	/* Also check for numbers that are just too darned big to format. */
+	if (abval / 1024 >= scale_factors[SCALE_LENGTH-1]) {
 		errno = ERANGE;
 		return -1;
 	}