Author: cperciva
Date: Wed Apr 22 14:07:14 2009
New Revision: 191381
URL: http://svn.freebsd.org/changeset/base/191381
Log:
Don't leak information via uninitialized space in db(3) records. [09:07]
Sanity-check string lengths in order to stop OpenSSL crashing
when printing corrupt BMPString or UniversalString objects. [09:08]
Security: FreeBSD-SA-09:07.libc
Security: FreeBSD-SA-09:08.openssl
Security: CVE-2009-0590
Approved by: re (kensmith)
Approved by: so (cperciva)
Modified:
releng/6.3/UPDATING
releng/6.3/crypto/openssl/crypto/asn1/asn1.h
releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c
releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c
releng/6.3/lib/libc/db/btree/bt_split.c
releng/6.3/lib/libc/db/hash/hash_buf.c
releng/6.3/lib/libc/db/mpool/mpool.c
releng/6.3/sys/conf/newvers.sh
releng/6.4/UPDATING
releng/6.4/crypto/openssl/crypto/asn1/asn1.h
releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c
releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c
releng/6.4/lib/libc/db/btree/bt_split.c
releng/6.4/lib/libc/db/hash/hash_buf.c
releng/6.4/lib/libc/db/mpool/mpool.c
releng/6.4/sys/conf/newvers.sh
releng/7.0/UPDATING
releng/7.0/crypto/openssl/crypto/asn1/asn1.h
releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c
releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c
releng/7.0/lib/libc/db/btree/bt_split.c
releng/7.0/lib/libc/db/hash/hash_buf.c
releng/7.0/lib/libc/db/mpool/mpool.c
releng/7.0/sys/conf/newvers.sh
releng/7.1/UPDATING
releng/7.1/crypto/openssl/crypto/asn1/asn1.h
releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c
releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c
releng/7.1/lib/libc/db/btree/bt_split.c
releng/7.1/lib/libc/db/hash/hash_buf.c
releng/7.1/lib/libc/db/mpool/mpool.c
releng/7.1/sys/conf/newvers.sh
releng/7.2/UPDATING
releng/7.2/crypto/openssl/crypto/asn1/asn1.h
releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c
releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c
Changes in other areas also in this revision:
Modified:
head/crypto/openssl/crypto/asn1/asn1.h
head/crypto/openssl/crypto/asn1/asn1_err.c
head/crypto/openssl/crypto/asn1/tasn_dec.c
stable/6/crypto/openssl/crypto/asn1/asn1.h
stable/6/crypto/openssl/crypto/asn1/asn1_err.c
stable/6/crypto/openssl/crypto/asn1/tasn_dec.c
stable/7/crypto/openssl/crypto/asn1/asn1.h
stable/7/crypto/openssl/crypto/asn1/asn1_err.c
stable/7/crypto/openssl/crypto/asn1/tasn_dec.c
Modified: releng/6.3/UPDATING
==============================================================================
--- releng/6.3/UPDATING Wed Apr 22 13:31:52 2009 (r191380)
+++ releng/6.3/UPDATING Wed Apr 22 14:07:14 2009 (r191381)
@@ -8,6 +8,13 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090422: p10 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl
+ Don't leak information via uninitialized space in db(3) records.
+ [09:07]
+
+ Sanity-check string lengths in order to stop OpenSSL crashing
+ when printing corrupt BMPString or UniversalString objects. [09:08]
+
20090113: p9 FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
Correct ntpd cryptographic signature bypass. [09:03]
Modified: releng/6.3/crypto/openssl/crypto/asn1/asn1.h
==============================================================================
--- releng/6.3/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/6.3/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14
2009 (r191381)
@@ -1030,6 +1030,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_BAD_OBJECT_HEADER 102
#define ASN1_R_BAD_PASSWORD_READ 103
#define ASN1_R_BAD_TAG 104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
#define ASN1_R_BN_LIB 105
#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
#define ASN1_R_BUFFER_TOO_SMALL 107
@@ -1088,6 +1089,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
#define ASN1_R_UNEXPECTED_EOC 159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
#define ASN1_R_UNKNOWN_FORMAT 160
#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
#define ASN1_R_UNKNOWN_OBJECT_TYPE 162
Modified: releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c
==============================================================================
--- releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -153,6 +153,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ASN1_R_BAD_OBJECT_HEADER ,"bad object header"},
{ASN1_R_BAD_PASSWORD_READ ,"bad password read"},
{ASN1_R_BAD_TAG ,"bad tag"},
+{ASN1_R_BMPSTRING_IS_WRONG_LENGTH ,"bmpstring is wrong length"},
{ASN1_R_BN_LIB ,"bn lib"},
{ASN1_R_BOOLEAN_IS_WRONG_LENGTH ,"boolean is wrong length"},
{ASN1_R_BUFFER_TOO_SMALL ,"buffer too small"},
@@ -211,6 +212,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ASN1_R_UNABLE_TO_DECODE_RSA_KEY ,"unable to decode rsa key"},
{ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"},
{ASN1_R_UNEXPECTED_EOC ,"unexpected eoc"},
+{ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH ,"universalstring is wrong length"},
{ASN1_R_UNKNOWN_FORMAT ,"unknown format"},
{ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"},
{ASN1_R_UNKNOWN_OBJECT_TYPE ,"unknown object type"},
Modified: releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -768,6 +768,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig
case V_ASN1_SET:
case V_ASN1_SEQUENCE:
default:
+ if (utype == V_ASN1_BMPSTRING && (len & 1))
+ {
+ ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+ ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
+ if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+ {
+ ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+ ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
/* All based on ASN1_STRING and handled the same */
if(!*pval) {
stmp = ASN1_STRING_type_new(utype);
Modified: releng/6.3/lib/libc/db/btree/bt_split.c
==============================================================================
--- releng/6.3/lib/libc/db/btree/bt_split.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/6.3/lib/libc/db/btree/bt_split.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -385,7 +385,7 @@ bt_page(t, h, lp, rp, skip, ilen)
}
/* Put the new left page for the split into place. */
- if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) {
+ if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) {
mpool_put(t->bt_mp, r, 0);
return (NULL);
}
Modified: releng/6.3/lib/libc/db/hash/hash_buf.c
==============================================================================
--- releng/6.3/lib/libc/db/hash/hash_buf.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/6.3/lib/libc/db/hash/hash_buf.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$");
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
#ifdef DEBUG
#include <assert.h>
@@ -178,12 +179,12 @@ newbuf(hashp, addr, prev_bp)
*/
if (hashp->nbufs || (bp->flags & BUF_PIN)) {
/* Allocate a new one */
- if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL)
+ if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL)
return (NULL);
#ifdef PURIFY
memset(bp, 0xff, sizeof(BUFHEAD));
#endif
- if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) {
+ if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) {
free(bp);
return (NULL);
}
@@ -332,8 +333,10 @@ __buf_free(hashp, do_free, to_disk)
}
/* Check if we are freeing stuff */
if (do_free) {
- if (bp->page)
+ if (bp->page) {
+ (void)memset(bp->page, 0, hashp->BSIZE);
free(bp->page);
+ }
BUF_REMOVE(bp);
free(bp);
bp = LRU;
Modified: releng/6.3/lib/libc/db/mpool/mpool.c
==============================================================================
--- releng/6.3/lib/libc/db/mpool/mpool.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/6.3/lib/libc/db/mpool/mpool.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -347,7 +347,7 @@ mpool_bkt(mp)
return (bp);
}
-new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL)
+new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL)
return (NULL);
#ifdef STATISTICS
++mp->pagealloc;
Modified: releng/6.3/sys/conf/newvers.sh
==============================================================================
--- releng/6.3/sys/conf/newvers.sh Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/6.3/sys/conf/newvers.sh Wed Apr 22 14:07:14 2009
(r191381)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="6.3"
-BRANCH="RELEASE-p9"
+BRANCH="RELEASE-p10"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/6.4/UPDATING
==============================================================================
--- releng/6.4/UPDATING Wed Apr 22 13:31:52 2009 (r191380)
+++ releng/6.4/UPDATING Wed Apr 22 14:07:14 2009 (r191381)
@@ -8,6 +8,13 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090422: p4 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl
+ Don't leak information via uninitialized space in db(3) records.
+ [09:07]
+
+ Sanity-check string lengths in order to stop OpenSSL crashing
+ when printing corrupt BMPString or UniversalString objects. [09:08]
+
20090113: p3 FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
Correct ntpd cryptographic signature bypass. [09:03]
Modified: releng/6.4/crypto/openssl/crypto/asn1/asn1.h
==============================================================================
--- releng/6.4/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/6.4/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14
2009 (r191381)
@@ -1030,6 +1030,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_BAD_OBJECT_HEADER 102
#define ASN1_R_BAD_PASSWORD_READ 103
#define ASN1_R_BAD_TAG 104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
#define ASN1_R_BN_LIB 105
#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
#define ASN1_R_BUFFER_TOO_SMALL 107
@@ -1088,6 +1089,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
#define ASN1_R_UNEXPECTED_EOC 159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
#define ASN1_R_UNKNOWN_FORMAT 160
#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
#define ASN1_R_UNKNOWN_OBJECT_TYPE 162
Modified: releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c
==============================================================================
--- releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -153,6 +153,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ASN1_R_BAD_OBJECT_HEADER ,"bad object header"},
{ASN1_R_BAD_PASSWORD_READ ,"bad password read"},
{ASN1_R_BAD_TAG ,"bad tag"},
+{ASN1_R_BMPSTRING_IS_WRONG_LENGTH ,"bmpstring is wrong length"},
{ASN1_R_BN_LIB ,"bn lib"},
{ASN1_R_BOOLEAN_IS_WRONG_LENGTH ,"boolean is wrong length"},
{ASN1_R_BUFFER_TOO_SMALL ,"buffer too small"},
@@ -211,6 +212,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ASN1_R_UNABLE_TO_DECODE_RSA_KEY ,"unable to decode rsa key"},
{ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"},
{ASN1_R_UNEXPECTED_EOC ,"unexpected eoc"},
+{ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH ,"universalstring is wrong length"},
{ASN1_R_UNKNOWN_FORMAT ,"unknown format"},
{ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"},
{ASN1_R_UNKNOWN_OBJECT_TYPE ,"unknown object type"},
Modified: releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -768,6 +768,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig
case V_ASN1_SET:
case V_ASN1_SEQUENCE:
default:
+ if (utype == V_ASN1_BMPSTRING && (len & 1))
+ {
+ ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+ ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
+ if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+ {
+ ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+ ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
/* All based on ASN1_STRING and handled the same */
if(!*pval) {
stmp = ASN1_STRING_type_new(utype);
Modified: releng/6.4/lib/libc/db/btree/bt_split.c
==============================================================================
--- releng/6.4/lib/libc/db/btree/bt_split.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/6.4/lib/libc/db/btree/bt_split.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -385,7 +385,7 @@ bt_page(t, h, lp, rp, skip, ilen)
}
/* Put the new left page for the split into place. */
- if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) {
+ if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) {
mpool_put(t->bt_mp, r, 0);
return (NULL);
}
Modified: releng/6.4/lib/libc/db/hash/hash_buf.c
==============================================================================
--- releng/6.4/lib/libc/db/hash/hash_buf.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/6.4/lib/libc/db/hash/hash_buf.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$");
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
#ifdef DEBUG
#include <assert.h>
@@ -178,12 +179,12 @@ newbuf(hashp, addr, prev_bp)
*/
if (hashp->nbufs || (bp->flags & BUF_PIN)) {
/* Allocate a new one */
- if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL)
+ if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL)
return (NULL);
#ifdef PURIFY
memset(bp, 0xff, sizeof(BUFHEAD));
#endif
- if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) {
+ if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) {
free(bp);
return (NULL);
}
@@ -332,8 +333,10 @@ __buf_free(hashp, do_free, to_disk)
}
/* Check if we are freeing stuff */
if (do_free) {
- if (bp->page)
+ if (bp->page) {
+ (void)memset(bp->page, 0, hashp->BSIZE);
free(bp->page);
+ }
BUF_REMOVE(bp);
free(bp);
bp = LRU;
Modified: releng/6.4/lib/libc/db/mpool/mpool.c
==============================================================================
--- releng/6.4/lib/libc/db/mpool/mpool.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/6.4/lib/libc/db/mpool/mpool.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -347,7 +347,7 @@ mpool_bkt(mp)
return (bp);
}
-new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL)
+new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL)
return (NULL);
#ifdef STATISTICS
++mp->pagealloc;
Modified: releng/6.4/sys/conf/newvers.sh
==============================================================================
--- releng/6.4/sys/conf/newvers.sh Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/6.4/sys/conf/newvers.sh Wed Apr 22 14:07:14 2009
(r191381)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="6.4"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.0/UPDATING
==============================================================================
--- releng/7.0/UPDATING Wed Apr 22 13:31:52 2009 (r191380)
+++ releng/7.0/UPDATING Wed Apr 22 14:07:14 2009 (r191381)
@@ -8,6 +8,13 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090422: p12 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl
+ Don't leak information via uninitialized space in db(3) records.
+ [09:07]
+
+ Sanity-check string lengths in order to stop OpenSSL crashing
+ when printing corrupt BMPString or UniversalString objects. [09:08]
+
20090323: p11 FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv
Correctly sanity-check timer IDs. [SA-09:06]
Modified: releng/7.0/crypto/openssl/crypto/asn1/asn1.h
==============================================================================
--- releng/7.0/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.0/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14
2009 (r191381)
@@ -1134,6 +1134,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_BAD_OBJECT_HEADER 102
#define ASN1_R_BAD_PASSWORD_READ 103
#define ASN1_R_BAD_TAG 104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
#define ASN1_R_BN_LIB 105
#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
#define ASN1_R_BUFFER_TOO_SMALL 107
@@ -1213,6 +1214,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
#define ASN1_R_UNEXPECTED_EOC 159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
#define ASN1_R_UNKNOWN_FORMAT 160
#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
#define ASN1_R_UNKNOWN_OBJECT_TYPE 162
Modified: releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c
==============================================================================
--- releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -188,6 +188,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"},
{ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"},
{ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"},
+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
{ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"},
{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"},
@@ -267,6 +268,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa
private key"},
{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong
length"},
{ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"},
{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest
algorithm"},
{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"},
Modified: releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -1012,6 +1012,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
case V_ASN1_SET:
case V_ASN1_SEQUENCE:
default:
+ if (utype == V_ASN1_BMPSTRING && (len & 1))
+ {
+ ASN1err(ASN1_F_ASN1_EX_C2I,
+ ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
+ if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+ {
+ ASN1err(ASN1_F_ASN1_EX_C2I,
+ ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
/* All based on ASN1_STRING and handled the same */
if (!*pval)
{
Modified: releng/7.0/lib/libc/db/btree/bt_split.c
==============================================================================
--- releng/7.0/lib/libc/db/btree/bt_split.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/7.0/lib/libc/db/btree/bt_split.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -381,7 +381,7 @@ bt_page(t, h, lp, rp, skip, ilen)
}
/* Put the new left page for the split into place. */
- if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) {
+ if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) {
mpool_put(t->bt_mp, r, 0);
return (NULL);
}
Modified: releng/7.0/lib/libc/db/hash/hash_buf.c
==============================================================================
--- releng/7.0/lib/libc/db/hash/hash_buf.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/7.0/lib/libc/db/hash/hash_buf.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
#ifdef DEBUG
#include <assert.h>
@@ -174,12 +175,12 @@ newbuf(hashp, addr, prev_bp)
*/
if (hashp->nbufs || (bp->flags & BUF_PIN)) {
/* Allocate a new one */
- if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL)
+ if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL)
return (NULL);
#ifdef PURIFY
memset(bp, 0xff, sizeof(BUFHEAD));
#endif
- if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) {
+ if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) {
free(bp);
return (NULL);
}
@@ -328,8 +329,10 @@ __buf_free(hashp, do_free, to_disk)
}
/* Check if we are freeing stuff */
if (do_free) {
- if (bp->page)
+ if (bp->page) {
+ (void)memset(bp->page, 0, hashp->BSIZE);
free(bp->page);
+ }
BUF_REMOVE(bp);
free(bp);
bp = LRU;
Modified: releng/7.0/lib/libc/db/mpool/mpool.c
==============================================================================
--- releng/7.0/lib/libc/db/mpool/mpool.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/7.0/lib/libc/db/mpool/mpool.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -343,7 +343,7 @@ mpool_bkt(mp)
return (bp);
}
-new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL)
+new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL)
return (NULL);
#ifdef STATISTICS
++mp->pagealloc;
Modified: releng/7.0/sys/conf/newvers.sh
==============================================================================
--- releng/7.0/sys/conf/newvers.sh Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/7.0/sys/conf/newvers.sh Wed Apr 22 14:07:14 2009
(r191381)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.0"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING Wed Apr 22 13:31:52 2009 (r191380)
+++ releng/7.1/UPDATING Wed Apr 22 14:07:14 2009 (r191381)
@@ -8,6 +8,13 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090422: p5 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl
+ Don't leak information via uninitialized space in db(3) records.
+ [09:07]
+
+ Sanity-check string lengths in order to stop OpenSSL crashing
+ when printing corrupt BMPString or UniversalString objects. [09:08]
+
20090323: p4 FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv
Correctly sanity-check timer IDs. [SA-09:06]
Modified: releng/7.1/crypto/openssl/crypto/asn1/asn1.h
==============================================================================
--- releng/7.1/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.1/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14
2009 (r191381)
@@ -1134,6 +1134,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_BAD_OBJECT_HEADER 102
#define ASN1_R_BAD_PASSWORD_READ 103
#define ASN1_R_BAD_TAG 104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
#define ASN1_R_BN_LIB 105
#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
#define ASN1_R_BUFFER_TOO_SMALL 107
@@ -1213,6 +1214,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
#define ASN1_R_UNEXPECTED_EOC 159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
#define ASN1_R_UNKNOWN_FORMAT 160
#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
#define ASN1_R_UNKNOWN_OBJECT_TYPE 162
Modified: releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c
==============================================================================
--- releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -188,6 +188,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"},
{ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"},
{ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"},
+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
{ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"},
{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"},
@@ -267,6 +268,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa
private key"},
{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong
length"},
{ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"},
{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest
algorithm"},
{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"},
Modified: releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -1012,6 +1012,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
case V_ASN1_SET:
case V_ASN1_SEQUENCE:
default:
+ if (utype == V_ASN1_BMPSTRING && (len & 1))
+ {
+ ASN1err(ASN1_F_ASN1_EX_C2I,
+ ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
+ if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+ {
+ ASN1err(ASN1_F_ASN1_EX_C2I,
+ ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
/* All based on ASN1_STRING and handled the same */
if (!*pval)
{
Modified: releng/7.1/lib/libc/db/btree/bt_split.c
==============================================================================
--- releng/7.1/lib/libc/db/btree/bt_split.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/7.1/lib/libc/db/btree/bt_split.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -381,7 +381,7 @@ bt_page(t, h, lp, rp, skip, ilen)
}
/* Put the new left page for the split into place. */
- if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) {
+ if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) {
mpool_put(t->bt_mp, r, 0);
return (NULL);
}
Modified: releng/7.1/lib/libc/db/hash/hash_buf.c
==============================================================================
--- releng/7.1/lib/libc/db/hash/hash_buf.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/7.1/lib/libc/db/hash/hash_buf.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
#ifdef DEBUG
#include <assert.h>
@@ -174,12 +175,12 @@ newbuf(hashp, addr, prev_bp)
*/
if (hashp->nbufs || (bp->flags & BUF_PIN)) {
/* Allocate a new one */
- if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL)
+ if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL)
return (NULL);
#ifdef PURIFY
memset(bp, 0xff, sizeof(BUFHEAD));
#endif
- if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) {
+ if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) {
free(bp);
return (NULL);
}
@@ -328,8 +329,10 @@ __buf_free(hashp, do_free, to_disk)
}
/* Check if we are freeing stuff */
if (do_free) {
- if (bp->page)
+ if (bp->page) {
+ (void)memset(bp->page, 0, hashp->BSIZE);
free(bp->page);
+ }
BUF_REMOVE(bp);
free(bp);
bp = LRU;
Modified: releng/7.1/lib/libc/db/mpool/mpool.c
==============================================================================
--- releng/7.1/lib/libc/db/mpool/mpool.c Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/7.1/lib/libc/db/mpool/mpool.c Wed Apr 22 14:07:14 2009
(r191381)
@@ -343,7 +343,7 @@ mpool_bkt(mp)
return (bp);
}
-new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL)
+new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL)
return (NULL);
#ifdef STATISTICS
++mp->pagealloc;
Modified: releng/7.1/sys/conf/newvers.sh
==============================================================================
--- releng/7.1/sys/conf/newvers.sh Wed Apr 22 13:31:52 2009
(r191380)
+++ releng/7.1/sys/conf/newvers.sh Wed Apr 22 14:07:14 2009
(r191381)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.1"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.2/UPDATING
==============================================================================
--- releng/7.2/UPDATING Wed Apr 22 13:31:52 2009 (r191380)
+++ releng/7.2/UPDATING Wed Apr 22 14:07:14 2009 (r191381)
@@ -8,6 +8,13 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20090422: FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl
+ Don't leak information via uninitialized space in db(3) records.
+ [09:07]
+
+ Sanity-check string lengths in order to stop OpenSSL crashing
+ when printing corrupt BMPString or UniversalString objects. [09:08]
+
20090326:
Following bug-fixes to TCP connection state flags, netstat, systat,
and sockstat will need to be rebuilt in order to properly print
Modified: releng/7.2/crypto/openssl/crypto/asn1/asn1.h
==============================================================================
--- releng/7.2/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.2/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14
2009 (r191381)
@@ -1134,6 +1134,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_BAD_OBJECT_HEADER 102
#define ASN1_R_BAD_PASSWORD_READ 103
#define ASN1_R_BAD_TAG 104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
#define ASN1_R_BN_LIB 105
#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
#define ASN1_R_BUFFER_TOO_SMALL 107
@@ -1213,6 +1214,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
#define ASN1_R_UNEXPECTED_EOC 159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
#define ASN1_R_UNKNOWN_FORMAT 160
#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
#define ASN1_R_UNKNOWN_OBJECT_TYPE 162
Modified: releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c
==============================================================================
--- releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -188,6 +188,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"},
{ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"},
{ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"},
+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
{ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"},
{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"},
@@ -267,6 +268,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa
private key"},
{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong
length"},
{ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"},
{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest
algorithm"},
{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"},
Modified: releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52
2009 (r191380)
+++ releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14
2009 (r191381)
@@ -1012,6 +1012,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
case V_ASN1_SET:
case V_ASN1_SEQUENCE:
default:
+ if (utype == V_ASN1_BMPSTRING && (len & 1))
+ {
+ ASN1err(ASN1_F_ASN1_EX_C2I,
+ ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
+ if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+ {
+ ASN1err(ASN1_F_ASN1_EX_C2I,
+ ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
/* All based on ASN1_STRING and handled the same */
if (!*pval)
{
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
