From: Xin LI
Date: Wed, 4 May 2016 15:25:47 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r299066 - in releng/10.3: . crypto/openssl/crypto/asn1 crypto/openssl/crypto/evp crypto/openssl/crypto/x509 lib/libc/db/hash sys/cddl/compat/opensolaris/kern sys/conf sys/x86/x86

Author: delphij
Date: Wed May 4 15:25:47 2016
New Revision: 299066
URL: https://svnweb.freebsd.org/changeset/base/299066

Log:
  Fix multiple OpenSSL vulnerabilities. [SA-16:17]
  Fix performance regression in libc hash(3). [EN-16:06]
  Fix excessive latency in x86 IPI delivery. [EN-16:07]
  Fix memory leak in ZFS. [EN-16:08]

  Approved by: so

Modified:
  releng/10.3/UPDATING
  releng/10.3/crypto/openssl/crypto/asn1/a_type.c
  releng/10.3/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/10.3/crypto/openssl/crypto/asn1/tasn_enc.c
  releng/10.3/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
  releng/10.3/crypto/openssl/crypto/evp/encode.c
  releng/10.3/crypto/openssl/crypto/evp/evp_enc.c
  releng/10.3/crypto/openssl/crypto/x509/x509_obj.c
  releng/10.3/lib/libc/db/hash/hash.c
  releng/10.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
  releng/10.3/sys/conf/newvers.sh
  releng/10.3/sys/x86/x86/local_apic.c

Modified: releng/10.3/UPDATING ============================================================================== --- releng/10.3/UPDATING Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/UPDATING Wed May 4 15:25:47 2016 (r299066)
@@ -16,7 +16,20 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. -20150429 p1 FreeBSD-SA-16:16.ntp +20160504 p2 FreeBSD-SA-16:17.openssl + FreeBSD-EN-16:06.libc + FreeBSD-EN-16:07.ipi + FreeBSD-EN-16:08.zfs + + Fix multiple OpenSSL vulnerabilitites. [SA-16:17] + + Fix performance regression in libc hash(3). [EN-16:06] + + Fix excessive latency in x86 IPI delivery. [EN-16:07] + + Fix memory leak in ZFS. [EN-16:08] + +20160429 p1 FreeBSD-SA-16:16.ntp Fix multiple vulnerabilities of ntp. Modified: releng/10.3/crypto/openssl/crypto/asn1/a_type.c ============================================================================== --- releng/10.3/crypto/openssl/crypto/asn1/a_type.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:25:47 2016 (r299066) @@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co result = 0; /* They do not have content. */ break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: Modified: releng/10.3/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/10.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:25:47 2016 (r299066) 
@@ -903,9 +903,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; Modified: releng/10.3/crypto/openssl/crypto/asn1/tasn_enc.c ============================================================================== --- releng/10.3/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:25:47 2016 (r299066) @@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */ Modified: releng/10.3/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c ============================================================================== --- releng/10.3/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c Wed May 4 15:25:47 2016 (r299066) @@ -59,6 +59,7 @@ # include # include # include "evp_locl.h" +# include "constant_time_locl.h" # ifndef EVP_CIPH_FLAG_AEAD_CIPHER # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 @@ -286,6 +287,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; + ret &= constant_time_ge(maxpad, pad); + inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask; Modified: releng/10.3/crypto/openssl/crypto/evp/encode.c ============================================================================== --- releng/10.3/crypto/openssl/crypto/evp/encode.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/crypto/openssl/crypto/evp/encode.c Wed May 4 15:25:47 2016 (r299066) @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include 
@@ -151,13 +152,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct const unsigned char *in, int inl) { int i, j; - unsigned int total = 0; + size_t total = 0; *outl = 0; if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); - if ((ctx->num + inl) < ctx->length) { + if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return; @@ -174,7 +175,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total = j + 1; } - while (inl >= ctx->length) { + while (inl >= ctx->length && total <= INT_MAX) { j = EVP_EncodeBlock(out, in, ctx->length); in += ctx->length; inl -= ctx->length; @@ -183,6 +184,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total += j + 1; } + if (total > INT_MAX) { + /* Too much output data! */ + *outl = 0; + return; + } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; Modified: releng/10.3/crypto/openssl/crypto/evp/evp_enc.c ============================================================================== --- releng/10.3/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:25:47 2016 (r299066) @@ -334,7 +334,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct bl = ctx->cipher->block_size; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { - if (i + inl < bl) { + if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0; Modified: releng/10.3/crypto/openssl/crypto/x509/x509_obj.c ============================================================================== --- releng/10.3/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:25:47 2016 (r299066) 
@@ -117,8 +117,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch type == V_ASN1_PRINTABLESTRING || type == V_ASN1_TELETEXSTRING || type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { - ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) - ? sizeof ebcdic_buf : num); + if (num > (int)sizeof(ebcdic_buf)) + num = sizeof(ebcdic_buf); + ascii2ebcdic(ebcdic_buf, q, num); q = ebcdic_buf; } #endif Modified: releng/10.3/lib/libc/db/hash/hash.c ============================================================================== --- releng/10.3/lib/libc/db/hash/hash.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/lib/libc/db/hash/hash.c Wed May 4 15:25:47 2016 (r299066) @@ -423,7 +423,8 @@ hdestroy(HTAB *hashp) free(hashp->tmp_buf); if (hashp->fp != -1) { - (void)_fsync(hashp->fp); + if (hashp->save_file) + (void)_fsync(hashp->fp); (void)_close(hashp->fp); } Modified: releng/10.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c ============================================================================== --- releng/10.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May 4 15:25:47 2016 (r299066) @@ -196,6 +196,7 @@ mount_snapshot(kthread_t *td, vnode_t ** VI_UNLOCK(vp); vrele(vp); vfs_unbusy(mp); + vfs_freeopts(mp->mnt_optnew); vfs_mount_destroy(mp); *vpp = NULL; return (error); Modified: releng/10.3/sys/conf/newvers.sh ============================================================================== --- releng/10.3/sys/conf/newvers.sh Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/sys/conf/newvers.sh Wed May 4 15:25:47 2016 (r299066) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p1" +BRANCH="RELEASE-p2" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.3/sys/x86/x86/local_apic.c ============================================================================== --- releng/10.3/sys/x86/x86/local_apic.c Wed May 4 13:49:59 2016 (r299065) +++ releng/10.3/sys/x86/x86/local_apic.c Wed May 4 15:25:47 2016 (r299066) @@ -56,6 +56,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -158,6 +159,9 @@ volatile lapic_t *lapic; vm_paddr_t lapic_paddr; static u_long lapic_timer_divisor; static struct eventtimer lapic_et; +#ifdef SMP +static uint64_t lapic_ipi_wait_mult; +#endif static void lapic_enable(void); static void lapic_resume(struct pic *pic, bool suspend_cancelled); @@ -221,6 +225,9 @@ lvt_mode(struct lapic *la, u_int pin, ui void lapic_init(vm_paddr_t addr) { +#ifdef SMP + uint64_t r, r1, r2, rx; +#endif u_int regs[4]; int i, arat; 
@@ -275,6 +282,38 @@ lapic_init(vm_paddr_t addr) lapic_et.et_priv = NULL; et_register(&lapic_et); } + +#ifdef SMP +#define LOOPS 1000000 + /* + * Calibrate the busy loop waiting for IPI ack in xAPIC mode. + * lapic_ipi_wait_mult contains the number of iterations which + * approximately delay execution for 1 microsecond (the + * argument to native_lapic_ipi_wait() is in microseconds). + * + * We assume that TSC is present and already measured. + * Possible TSC frequency jumps are irrelevant to the + * calibration loop below, the CPU clock management code is + * not yet started, and we do not enter sleep states. + */ + KASSERT((cpu_feature & CPUID_TSC) != 0 && tsc_freq != 0, + ("TSC not initialized")); + r = rdtsc(); + for (rx = 0; rx < LOOPS; rx++) { + (void)lapic->icr_lo; + ia32_pause(); + } + r = rdtsc() - r; + r1 = tsc_freq * LOOPS; + r2 = r * 1000000; + lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1; + if (bootverbose) { + printf("LAPIC: ipi_wait() us multiplier %ju (r %ju tsc %ju)\n", + (uintmax_t)lapic_ipi_wait_mult, (uintmax_t)r, + (uintmax_t)tsc_freq); + } +#undef LOOPS +#endif /* SMP */ } /* 
@@ -1381,25 +1420,20 @@ SYSINIT(apic_setup_io, SI_SUB_INTR, SI_O * private to the MD code. The public interface for the rest of the * kernel is defined in mp_machdep.c. */ + +/* + * Wait delay microseconds for IPI to be sent. If delay is -1, we + * wait forever. + */ int lapic_ipi_wait(int delay) { - int x; - - /* - * Wait delay microseconds for IPI to be sent. If delay is - * -1, we wait forever. - */ - if (delay == -1) { - while ((lapic->icr_lo & APIC_DELSTAT_MASK) != APIC_DELSTAT_IDLE) - ia32_pause(); - return (1); - } + uint64_t rx; - for (x = 0; x < delay; x += 5) { + for (rx = 0; delay == -1 || rx < lapic_ipi_wait_mult * delay; rx++) { if ((lapic->icr_lo & APIC_DELSTAT_MASK) == APIC_DELSTAT_IDLE) return (1); - DELAY(5); + ia32_pause(); } return (0); }
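Review bot: the added 20160504 entry in releng/10.3/UPDATING misspells "vulnerabilities" as "vulnerabilitites", and the same hunk changes the date on the existing p1 entry from 20150429 to 20160429 without the commit log mentioning it. Fix the spelling and note the date correction in the log so the edit to an already published entry is traceable.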
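Review bot: in EVP_EncodeUpdate (releng/10.3/crypto/openssl/crypto/evp/encode.c) the new overflow path, `if (total > INT_MAX) { *outl = 0; return; }`, gives the caller no way to tell a rejected oversized input from a call that only buffered data, because both leave *outl at 0. The early return also skips the trailing `memcpy(&(ctx->enc_data[0]), in, inl)` and `ctx->num = inl`, and by then the loop has already written encoded blocks to out. Since the function returns void, at least extend the "Too much output data!" comment to say that anything written to out must be discarded on this path, and consider a follow-up that reports the condition to the caller.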
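Review bot: the new `if (hashp->save_file)` guard around `(void)_fsync(hashp->fp)` in hdestroy (releng/10.3/lib/libc/db/hash/hash.c) has no comment saying why the sync can be skipped when save_file is clear, and the _fsync result is still cast to void, so a failed flush of a table that is meant to be saved goes unnoticed. Add a one-line comment on what save_file means at this point and consider recording the error.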
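Review bot: in the calibration block added to lapic_init (releng/10.3/sys/x86/x86/local_apic.c), `lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1;` divides by r2 = r * 1000000 without checking that the measured TSC delta r is non-zero; the KASSERT covers tsc_freq but not r. If the two rdtsc() reads return the same value, r2 is 0, the r1 >= r2 test passes and the division traps. Test r2 != 0 as well and fall back to 1. The block comment also names native_lapic_ipi_wait(), while the function changed later in this patch is lapic_ipi_wait(); use the name that exists on this branch.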
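Review bot: the rewritten loop in lapic_ipi_wait, `for (rx = 0; delay == -1 || rx < lapic_ipi_wait_mult * delay; rx++)`, multiplies the uint64_t multiplier by the int delay, so any negative delay other than -1 is converted to a very large unsigned bound and the loop spins far longer than requested. The removed code returned 0 at once in that case because `x < delay` was false on the first test. Reject delay < -1 before the loop, or compute the bound only after checking the sign, and state in the new comment that delay must be -1 or non-negative.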
From: Xin LI
Date: Wed, 4 May 2016 15:26:23 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r299067 - in releng/10.2: . crypto/openssl/crypto/asn1 crypto/openssl/crypto/evp crypto/openssl/crypto/x509 sys/cddl/compat/opensolaris/kern sys/conf sys/x86/x86

Author: delphij
Date: Wed May 4 15:26:23 2016
New Revision: 299067
URL: https://svnweb.freebsd.org/changeset/base/299067

Log:
  Fix multiple OpenSSL vulnerabilities. [SA-16:17]
  Fix excessive latency in x86 IPI delivery. [EN-16:07]
  Fix memory leak in ZFS. [EN-16:08]

  Approved by: so

Modified:
  releng/10.2/UPDATING
  releng/10.2/crypto/openssl/crypto/asn1/a_type.c
  releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/10.2/crypto/openssl/crypto/asn1/tasn_enc.c
  releng/10.2/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
  releng/10.2/crypto/openssl/crypto/evp/encode.c
  releng/10.2/crypto/openssl/crypto/evp/evp_enc.c
  releng/10.2/crypto/openssl/crypto/x509/x509_obj.c
  releng/10.2/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
  releng/10.2/sys/conf/newvers.sh
  releng/10.2/sys/x86/x86/local_apic.c

Modified: releng/10.2/UPDATING ============================================================================== --- releng/10.2/UPDATING Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/UPDATING Wed May 4 15:26:23 2016 (r299067)
@@ -16,7 +16,17 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. -20150429 p15 FreeBSD-SA-16:16.ntp +20160504 p16 FreeBSD-SA-16:17.openssl + FreeBSD-EN-16:07.ipi + FreeBSD-EN-16:08.zfs + + Fix multiple OpenSSL vulnerabilitites. [SA-16:17] + + Fix excessive latency in x86 IPI delivery. [EN-16:07] + + Fix memory leak in ZFS. [EN-16:08] + +20160429 p15 FreeBSD-SA-16:16.ntp Fix multiple vulnerabilities of ntp. Modified: releng/10.2/crypto/openssl/crypto/asn1/a_type.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:26:23 2016 (r299067) @@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co result = 0; /* They do not have content. */ break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: Modified: releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:26:23 2016 (r299067) @@ -903,9 +903,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; Modified: releng/10.2/crypto/openssl/crypto/asn1/tasn_enc.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:26:23 2016 (r299067) 
@@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */ Modified: releng/10.2/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c Wed May 4 15:26:23 2016 (r299067) @@ -59,6 +59,7 @@ # include # include # include "evp_locl.h" +# include "constant_time_locl.h" # ifndef EVP_CIPH_FLAG_AEAD_CIPHER # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 @@ -286,6 +287,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; + ret &= constant_time_ge(maxpad, pad); + inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask; Modified: releng/10.2/crypto/openssl/crypto/evp/encode.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/evp/encode.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/crypto/openssl/crypto/evp/encode.c Wed May 4 15:26:23 2016 (r299067) @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include @@ -134,13 +135,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct const unsigned char *in, int inl) { int i, j; - unsigned int total = 0; + size_t total = 0; *outl = 0; if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); - if ((ctx->num + inl) < ctx->length) { + if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return; 
@@ -157,7 +158,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total = j + 1; } - while (inl >= ctx->length) { + while (inl >= ctx->length && total <= INT_MAX) { j = EVP_EncodeBlock(out, in, ctx->length); in += ctx->length; inl -= ctx->length; @@ -166,6 +167,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total += j + 1; } + if (total > INT_MAX) { + /* Too much output data! */ + *outl = 0; + return; + } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; Modified: releng/10.2/crypto/openssl/crypto/evp/evp_enc.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:26:23 2016 (r299067) @@ -334,7 +334,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct bl = ctx->cipher->block_size; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { - if (i + inl < bl) { + if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0; Modified: releng/10.2/crypto/openssl/crypto/x509/x509_obj.c ============================================================================== --- releng/10.2/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:26:23 2016 (r299067) 
@@ -117,8 +117,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch type == V_ASN1_PRINTABLESTRING || type == V_ASN1_TELETEXSTRING || type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { - ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) - ? sizeof ebcdic_buf : num); + if (num > (int)sizeof(ebcdic_buf)) + num = sizeof(ebcdic_buf); + ascii2ebcdic(ebcdic_buf, q, num); q = ebcdic_buf; } #endif Modified: releng/10.2/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c ============================================================================== --- releng/10.2/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May 4 15:26:23 2016 (r299067) @@ -196,6 +196,7 @@ mount_snapshot(kthread_t *td, vnode_t ** VI_UNLOCK(vp); vrele(vp); vfs_unbusy(mp); + vfs_freeopts(mp->mnt_optnew); vfs_mount_destroy(mp); *vpp = NULL; return (error); Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/sys/conf/newvers.sh Wed May 4 15:26:23 2016 (r299067) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p15" +BRANCH="RELEASE-p16" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.2/sys/x86/x86/local_apic.c ============================================================================== --- releng/10.2/sys/x86/x86/local_apic.c Wed May 4 15:25:47 2016 (r299066) +++ releng/10.2/sys/x86/x86/local_apic.c Wed May 4 15:26:23 2016 (r299067) @@ -56,6 +56,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include 
@@ -158,6 +159,9 @@ volatile lapic_t *lapic; vm_paddr_t lapic_paddr; static u_long lapic_timer_divisor; static struct eventtimer lapic_et; +#ifdef SMP +static uint64_t lapic_ipi_wait_mult; +#endif static void lapic_enable(void); static void lapic_resume(struct pic *pic, bool suspend_cancelled); @@ -221,6 +225,9 @@ lvt_mode(struct lapic *la, u_int pin, ui void lapic_init(vm_paddr_t addr) { +#ifdef SMP + uint64_t r, r1, r2, rx; +#endif u_int regs[4]; int i, arat; @@ -275,6 +282,38 @@ lapic_init(vm_paddr_t addr) lapic_et.et_priv = NULL; et_register(&lapic_et); } + +#ifdef SMP +#define LOOPS 1000000 + /* + * Calibrate the busy loop waiting for IPI ack in xAPIC mode. + * lapic_ipi_wait_mult contains the number of iterations which + * approximately delay execution for 1 microsecond (the + * argument to native_lapic_ipi_wait() is in microseconds). + * + * We assume that TSC is present and already measured. + * Possible TSC frequency jumps are irrelevant to the + * calibration loop below, the CPU clock management code is + * not yet started, and we do not enter sleep states. + */ + KASSERT((cpu_feature & CPUID_TSC) != 0 && tsc_freq != 0, + ("TSC not initialized")); + r = rdtsc(); + for (rx = 0; rx < LOOPS; rx++) { + (void)lapic->icr_lo; + ia32_pause(); + } + r = rdtsc() - r; + r1 = tsc_freq * LOOPS; + r2 = r * 1000000; + lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1; + if (bootverbose) { + printf("LAPIC: ipi_wait() us multiplier %ju (r %ju tsc %ju)\n", + (uintmax_t)lapic_ipi_wait_mult, (uintmax_t)r, + (uintmax_t)tsc_freq); + } +#undef LOOPS +#endif /* SMP */ } /* 
@@ -1381,25 +1420,20 @@ SYSINIT(apic_setup_io, SI_SUB_INTR, SI_O * private to the MD code. The public interface for the rest of the * kernel is defined in mp_machdep.c. */ + +/* + * Wait delay microseconds for IPI to be sent. If delay is -1, we + * wait forever. + */ int lapic_ipi_wait(int delay) { - int x; - - /* - * Wait delay microseconds for IPI to be sent. If delay is - * -1, we wait forever. - */ - if (delay == -1) { - while ((lapic->icr_lo & APIC_DELSTAT_MASK) != APIC_DELSTAT_IDLE) - ia32_pause(); - return (1); - } + uint64_t rx; - for (x = 0; x < delay; x += 5) { + for (rx = 0; delay == -1 || rx < lapic_ipi_wait_mult * delay; rx++) { if ((lapic->icr_lo & APIC_DELSTAT_MASK) == APIC_DELSTAT_IDLE) return (1); - DELAY(5); + ia32_pause(); } return (0); }
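Review bot: the added `ret &= constant_time_ge(maxpad, pad);` in aesni_cbc_hmac_sha1_cipher (releng/10.2/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c) carries no comment, although it is what rejects a pad value larger than maxpad before `inp_len = len - (SHA_DIGEST_LENGTH + pad + 1)` is derived from it on the next line. Add a comment stating that the padding length is bounded here in constant time, so a later cleanup does not replace it with a branching comparison or move it below the subtraction.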
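Review bot: in EVP_EncryptUpdate (releng/10.2/crypto/openssl/crypto/evp/evp_enc.c) the condition changes from `i + inl < bl` to `bl - i > inl` with no comment. The two read as equivalent, so the reason for the subtraction form, that the sum i + inl can overflow for a large inl, should be written next to it to keep it from being simplified back. The same applies to `ctx->length - ctx->num > inl` in EVP_EncodeUpdate in this patch.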
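Review bot: in X509_NAME_oneline (releng/10.2/crypto/openssl/crypto/x509/x509_obj.c) the new clamp `if (num > (int)sizeof(ebcdic_buf)) num = sizeof(ebcdic_buf);` overwrites num itself instead of only limiting the length passed to ascii2ebcdic, so any later use of num in the function sees the truncated value. If that is the intent, say so in a comment, since the name component is now silently truncated. The cast to int also means a negative num passes the test unchanged; state or assert that num is non-negative at this point.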
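Review bot: in the error path of mount_snapshot (releng/10.2/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c) the added `vfs_freeopts(mp->mnt_optnew);` is called without a NULL check and leaves mp->mnt_optnew pointing at freed memory while `vfs_mount_destroy(mp)` runs on the next line. Confirm that mnt_optnew is always set when this path is reached and that vfs_mount_destroy does not touch it, or set the field to NULL after freeing.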
From: Xin LI
Date: Wed, 4 May 2016 15:27:09 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r299068 - in releng: 10.1 10.1/crypto/openssl/crypto/asn1 10.1/crypto/openssl/crypto/evp 10.1/crypto/openssl/crypto/x509 10.1/sys/cddl/compat/opensolaris/kern 10.1/sys/conf 9.3 9.3/cryp...

Author: delphij
Date: Wed May 4 15:27:09 2016
New Revision: 299068
URL: https://svnweb.freebsd.org/changeset/base/299068

Log:
  Fix multiple OpenSSL vulnerabilities. [SA-16:17]
  Fix memory leak in ZFS. [EN-16:08]

  Approved by: so

Modified:
  releng/10.1/UPDATING
  releng/10.1/crypto/openssl/crypto/asn1/a_type.c
  releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/10.1/crypto/openssl/crypto/asn1/tasn_enc.c
  releng/10.1/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
  releng/10.1/crypto/openssl/crypto/evp/encode.c
  releng/10.1/crypto/openssl/crypto/evp/evp_enc.c
  releng/10.1/crypto/openssl/crypto/x509/x509_obj.c
  releng/10.1/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
  releng/10.1/sys/conf/newvers.sh
  releng/9.3/UPDATING
  releng/9.3/crypto/openssl/crypto/asn1/a_type.c
  releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c
  releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c
  releng/9.3/crypto/openssl/crypto/evp/encode.c
  releng/9.3/crypto/openssl/crypto/evp/evp_enc.c
  releng/9.3/crypto/openssl/crypto/x509/x509_obj.c
  releng/9.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
  releng/9.3/sys/conf/newvers.sh

Modified: releng/10.1/UPDATING ============================================================================== ---
releng/10.1/UPDATING Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/UPDATING Wed May 4 15:27:09 2016 (r299068) @@ -16,7 +16,14 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. -20150429 p32 FreeBSD-SA-16:16.ntp +20160504 p33 FreeBSD-SA-16:17.openssl + FreeBSD-EN-16:08.zfs + + Fix multiple OpenSSL vulnerabilitites. [SA-16:17] + + Fix memory leak in ZFS. [EN-16:08] + +20160429 p32 FreeBSD-SA-16:16.ntp Fix multiple vulnerabilities of ntp. Modified: releng/10.1/crypto/openssl/crypto/asn1/a_type.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:27:09 2016 (r299068) @@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co result = 0; /* They do not have content. */ break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: Modified: releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:27:09 2016 (r299068) 
@@ -903,9 +903,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; Modified: releng/10.1/crypto/openssl/crypto/asn1/tasn_enc.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:27:09 2016 (r299068) @@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */ Modified: releng/10.1/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c Wed May 4 15:27:09 2016 (r299068) @@ -59,6 +59,7 @@ # include # include # include "evp_locl.h" +# include "constant_time_locl.h" # ifndef EVP_CIPH_FLAG_AEAD_CIPHER # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 @@ -286,6 +287,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; + ret &= constant_time_ge(maxpad, pad); + inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask; Modified: releng/10.1/crypto/openssl/crypto/evp/encode.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/evp/encode.c Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/crypto/openssl/crypto/evp/encode.c Wed May 4 15:27:09 2016 (r299068) @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include 
@@ -134,13 +135,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct const unsigned char *in, int inl) { int i, j; - unsigned int total = 0; + size_t total = 0; *outl = 0; if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); - if ((ctx->num + inl) < ctx->length) { + if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return; @@ -157,7 +158,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total = j + 1; } - while (inl >= ctx->length) { + while (inl >= ctx->length && total <= INT_MAX) { j = EVP_EncodeBlock(out, in, ctx->length); in += ctx->length; inl -= ctx->length; @@ -166,6 +167,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total += j + 1; } + if (total > INT_MAX) { + /* Too much output data! */ + *outl = 0; + return; + } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; Modified: releng/10.1/crypto/openssl/crypto/evp/evp_enc.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:27:09 2016 (r299068) @@ -334,7 +334,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct bl = ctx->cipher->block_size; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { - if (i + inl < bl) { + if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0; Modified: releng/10.1/crypto/openssl/crypto/x509/x509_obj.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:27:09 2016 (r299068) 
@@ -117,8 +117,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch type == V_ASN1_PRINTABLESTRING || type == V_ASN1_TELETEXSTRING || type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { - ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) - ? sizeof ebcdic_buf : num); + if (num > (int)sizeof(ebcdic_buf)) + num = sizeof(ebcdic_buf); + ascii2ebcdic(ebcdic_buf, q, num); q = ebcdic_buf; } #endif Modified: releng/10.1/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c ============================================================================== --- releng/10.1/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May 4 15:27:09 2016 (r299068) @@ -196,6 +196,7 @@ mount_snapshot(kthread_t *td, vnode_t ** VI_UNLOCK(vp); vrele(vp); vfs_unbusy(mp); + vfs_freeopts(mp->mnt_optnew); vfs_mount_destroy(mp); *vpp = NULL; return (error); Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Wed May 4 15:26:23 2016 (r299067) +++ releng/10.1/sys/conf/newvers.sh Wed May 4 15:27:09 2016 (r299068) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p32" +BRANCH="RELEASE-p33" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/UPDATING Wed May 4 15:27:09 2016 (r299068) 
@@ -11,7 +11,14 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. -20150429 p40 FreeBSD-SA-16:16.ntp +20160504 p41 FreeBSD-SA-16:17.openssl + FreeBSD-EN-16:08.zfs + + Fix multiple OpenSSL vulnerabilitites. [SA-16:17] + + Fix memory leak in ZFS. [EN-16:08] + +20160429 p40 FreeBSD-SA-16:16.ntp Fix multiple vulnerabilities of ntp. Modified: releng/9.3/crypto/openssl/crypto/asn1/a_type.c ============================================================================== --- releng/9.3/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/crypto/openssl/crypto/asn1/a_type.c Wed May 4 15:27:09 2016 (r299068) @@ -123,9 +123,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co result = 0; /* They do not have content. */ break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: Modified: releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed May 4 15:27:09 2016 (r299068) @@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; Modified: releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c ============================================================================== --- releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c Wed May 4 15:27:09 2016 (r299068) 
@@ -610,9 +610,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */ Modified: releng/9.3/crypto/openssl/crypto/evp/encode.c ============================================================================== --- releng/9.3/crypto/openssl/crypto/evp/encode.c Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/crypto/openssl/crypto/evp/encode.c Wed May 4 15:27:09 2016 (r299068) @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include @@ -134,13 +135,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct const unsigned char *in, int inl) { int i, j; - unsigned int total = 0; + size_t total = 0; *outl = 0; if (inl == 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); - if ((ctx->num + inl) < ctx->length) { + if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return; @@ -157,7 +158,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total = j + 1; } - while (inl >= ctx->length) { + while (inl >= ctx->length && total <= INT_MAX) { j = EVP_EncodeBlock(out, in, ctx->length); in += ctx->length; inl -= ctx->length; @@ -166,6 +167,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total += j + 1; } + if (total > INT_MAX) { + /* Too much output data! */ + *outl = 0; + return; + } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; Modified: releng/9.3/crypto/openssl/crypto/evp/evp_enc.c ============================================================================== --- releng/9.3/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/crypto/openssl/crypto/evp/evp_enc.c Wed May 4 15:27:09 2016 (r299068) 
@@ -166,7 +166,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct bl = ctx->cipher->block_size; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { - if (i + inl < bl) { + if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0; Modified: releng/9.3/crypto/openssl/crypto/x509/x509_obj.c ============================================================================== --- releng/9.3/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/crypto/openssl/crypto/x509/x509_obj.c Wed May 4 15:27:09 2016 (r299068) @@ -117,8 +117,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch type == V_ASN1_PRINTABLESTRING || type == V_ASN1_TELETEXSTRING || type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { - ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) - ? sizeof ebcdic_buf : num); + if (num > (int)sizeof(ebcdic_buf)) + num = sizeof(ebcdic_buf); + ascii2ebcdic(ebcdic_buf, q, num); q = ebcdic_buf; } #endif Modified: releng/9.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c ============================================================================== --- releng/9.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Wed May 4 15:27:09 2016 (r299068) @@ -196,6 +196,7 @@ mount_snapshot(kthread_t *td, vnode_t ** VI_UNLOCK(vp); vrele(vp); vfs_unbusy(mp); + vfs_freeopts(mp->mnt_optnew); vfs_mount_destroy(mp); *vpp = NULL; return (error); Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Wed May 4 15:26:23 2016 (r299067) +++ releng/9.3/sys/conf/newvers.sh Wed May 4 15:27:09 2016 (r299068) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p40" +BRANCH="RELEASE-p41" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi
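Review bot: in the `case V_ASN1_INTEGER:` groups of ASN1_TYPE_cmp (a_type.c), asn1_ex_c2i (tasn_dec.c) and asn1_ex_i2c (tasn_enc.c), nothing records why `V_ASN1_NEG_INTEGER` and `V_ASN1_NEG_ENUMERATED` were dropped or which branch now receives those values. The default arms of these switches are outside the visible context, so confirm that each one handles an unexpected type conservatively, and add a one-line comment at each site so the labels are not reinstated later. In tasn_enc.c the retained comment "These are all have the same content format as ASN1_INTEGER" could be corrected in the same change.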
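Review bot: the new `ret &= constant_time_ge(maxpad, pad);` in aesni_cbc_hmac_sha1_cipher has no comment saying what it guards. The line that follows, `inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);`, is only masked afterwards, so the added check is the one place where a `pad` above `maxpad` turns into a failure result. A short comment saying so, and that the check is deliberately branch-free, would keep it from being rewritten as an early return. The value of `ret` before this line is not visible in the hunk; confirm it is still 1 here so that and-ing it with the mask yields a clean 0 or 1.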
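Review bot: in the releng/9.3 copy of EVP_EncodeUpdate the early return is still `if (inl == 0)`, while the releng/10.1 copy has `if (inl <= 0)`. With the rewritten test `if (ctx->length - ctx->num > inl)`, a negative `inl` satisfies the condition and goes straight into `memcpy(&(ctx->enc_data[ctx->num]), in, inl)`, where it is converted to a very large size. Suggest bringing 9.3 in line with `inl <= 0`. Both copies also depend on `ctx->num` never exceeding `ctx->length`; the visible OPENSSL_assert only bounds `ctx->length`.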
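Review bot: the `total > INT_MAX` exit added to EVP_EncodeUpdate sets `*outl = 0` and returns from a void function, so a caller cannot tell this overflow case from "nothing encoded yet", even though the loop has already written blocks to `out` and advanced `in`. `ctx->num` is also left unchanged on that path, because the return comes before `ctx->num = inl`. Document this contract in a comment at the new block, or follow up by giving the function a way to report the failure.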
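Review bot: `if (bl - i > inl)` in EVP_EncryptUpdate replaces `i + inl < bl` without a comment, and the two read as equivalent unless the reader knows the sum can overflow for a large `inl`. Add a short comment stating that the subtraction form is intentional so it is not simplified back. A negative `inl` also satisfies the new condition and would reach `memcpy(&(ctx->buf[i]), in, inl)`; the hunk does not show whether that is rejected earlier in the function, so confirm it is.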
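Review bot: the new clamp in X509_NAME_oneline compares `num > (int)sizeof(ebcdic_buf)`, so unlike the old unsigned comparison against `sizeof ebcdic_buf`, a negative `num` (assuming it is a signed int, as the cast implies) is no longer clamped and reaches `ascii2ebcdic(ebcdic_buf, q, num)` unchanged. If `num` can never be negative here, say so in a comment; otherwise handle that case explicitly. The clamp now also modifies `num` itself rather than only the call argument, which looks intended since `q` is repointed at `ebcdic_buf`, but it deserves a comment too.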
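Review bot: in the mount_snapshot error path, `vfs_freeopts(mp->mnt_optnew);` leaves `mp->mnt_optnew` pointing at freed memory until `vfs_mount_destroy(mp)` runs on the next line. Setting the field to NULL after the free, and confirming that it is always non-NULL on this path, would rule out a double free or a NULL dereference should either function's handling of the field change.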
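Review bot: the added entry in releng/9.3/UPDATING spells "vulnerabilitites" where "vulnerabilities" is meant. The same hunk also changes the date of the existing p40 entry from 20150429 to 20160429; that correction is unrelated to the new p41 entry and is worth calling out separately so it is not missed when the change is merged elsewhere.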