Date: Wed, 22 Apr 2009 14:07:14 +0000 (UTC) From: Colin Percival <cperciva@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r191381 - head/crypto/openssl/crypto/asn1 releng/6.3 releng/6.3/crypto/openssl/crypto/asn1 releng/6.3/lib/libc/db/btree releng/6.3/lib/libc/db/hash releng/6.3/lib/libc/db/mpool releng/6... Message-ID: <200904221407.n3ME7Eat058288@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cperciva Date: Wed Apr 22 14:07:14 2009 New Revision: 191381 URL: http://svn.freebsd.org/changeset/base/191381 Log: Don't leak information via uninitialized space in db(3) records. [09:07] Sanity-check string lengths in order to stop OpenSSL crashing when printing corrupt BMPString or UniversalString objects. [09:08] Security: FreeBSD-SA-09:07.libc Security: FreeBSD-SA-09:08.openssl Security: CVE-2009-0590 Approved by: re (kensmith) Approved by: so (cperciva) Modified: releng/6.3/UPDATING releng/6.3/crypto/openssl/crypto/asn1/asn1.h releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c releng/6.3/lib/libc/db/btree/bt_split.c releng/6.3/lib/libc/db/hash/hash_buf.c releng/6.3/lib/libc/db/mpool/mpool.c releng/6.3/sys/conf/newvers.sh releng/6.4/UPDATING releng/6.4/crypto/openssl/crypto/asn1/asn1.h releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c releng/6.4/lib/libc/db/btree/bt_split.c releng/6.4/lib/libc/db/hash/hash_buf.c releng/6.4/lib/libc/db/mpool/mpool.c releng/6.4/sys/conf/newvers.sh releng/7.0/UPDATING releng/7.0/crypto/openssl/crypto/asn1/asn1.h releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c releng/7.0/lib/libc/db/btree/bt_split.c releng/7.0/lib/libc/db/hash/hash_buf.c releng/7.0/lib/libc/db/mpool/mpool.c releng/7.0/sys/conf/newvers.sh releng/7.1/UPDATING releng/7.1/crypto/openssl/crypto/asn1/asn1.h releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c releng/7.1/lib/libc/db/btree/bt_split.c releng/7.1/lib/libc/db/hash/hash_buf.c releng/7.1/lib/libc/db/mpool/mpool.c releng/7.1/sys/conf/newvers.sh releng/7.2/UPDATING releng/7.2/crypto/openssl/crypto/asn1/asn1.h releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c Changes in other areas also in this revision: Modified: head/crypto/openssl/crypto/asn1/asn1.h head/crypto/openssl/crypto/asn1/asn1_err.c head/crypto/openssl/crypto/asn1/tasn_dec.c stable/6/crypto/openssl/crypto/asn1/asn1.h stable/6/crypto/openssl/crypto/asn1/asn1_err.c stable/6/crypto/openssl/crypto/asn1/tasn_dec.c stable/7/crypto/openssl/crypto/asn1/asn1.h stable/7/crypto/openssl/crypto/asn1/asn1_err.c stable/7/crypto/openssl/crypto/asn1/tasn_dec.c Modified: releng/6.3/UPDATING ============================================================================== --- releng/6.3/UPDATING Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.3/UPDATING Wed Apr 22 14:07:14 2009 (r191381) @@ -8,6 +8,13 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090422: p10 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl + Don't leak information via uninitialized space in db(3) records. + [09:07] + + Sanity-check string lengths in order to stop OpenSSL crashing + when printing corrupt BMPString or UniversalString objects. [09:08] + 20090113: p9 FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind Correct ntpd cryptographic signature bypass. [09:03] Modified: releng/6.3/crypto/openssl/crypto/asn1/asn1.h ============================================================================== --- releng/6.3/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.3/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14 2009 (r191381) @@ -1030,6 +1030,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1088,6 +1089,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 Modified: releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c ============================================================================== --- releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14 2009 (r191381) @@ -153,6 +153,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ASN1_R_BAD_OBJECT_HEADER ,"bad object header"}, {ASN1_R_BAD_PASSWORD_READ ,"bad password read"}, {ASN1_R_BAD_TAG ,"bad tag"}, +{ASN1_R_BMPSTRING_IS_WRONG_LENGTH ,"bmpstring is wrong length"}, {ASN1_R_BN_LIB ,"bn lib"}, {ASN1_R_BOOLEAN_IS_WRONG_LENGTH ,"boolean is wrong length"}, {ASN1_R_BUFFER_TOO_SMALL ,"buffer too small"}, @@ -211,6 +212,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ASN1_R_UNABLE_TO_DECODE_RSA_KEY ,"unable to decode rsa key"}, {ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"}, {ASN1_R_UNEXPECTED_EOC ,"unexpected eoc"}, +{ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH ,"universalstring is wrong length"}, {ASN1_R_UNKNOWN_FORMAT ,"unknown format"}, {ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"}, {ASN1_R_UNKNOWN_OBJECT_TYPE ,"unknown object type"}, Modified: releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14 2009 (r191381) @@ -768,6 +768,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if(!*pval) { stmp = ASN1_STRING_type_new(utype); Modified: releng/6.3/lib/libc/db/btree/bt_split.c ============================================================================== --- releng/6.3/lib/libc/db/btree/bt_split.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.3/lib/libc/db/btree/bt_split.c Wed Apr 22 14:07:14 2009 (r191381) @@ -385,7 +385,7 @@ bt_page(t, h, lp, rp, skip, ilen) } /* Put the new left page for the split into place. */ - if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) { + if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) { mpool_put(t->bt_mp, r, 0); return (NULL); } Modified: releng/6.3/lib/libc/db/hash/hash_buf.c ============================================================================== --- releng/6.3/lib/libc/db/hash/hash_buf.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.3/lib/libc/db/hash/hash_buf.c Wed Apr 22 14:07:14 2009 (r191381) @@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include <stddef.h> #include <stdio.h> #include <stdlib.h> +#include <string.h> #ifdef DEBUG #include <assert.h> @@ -178,12 +179,12 @@ newbuf(hashp, addr, prev_bp) */ if (hashp->nbufs || (bp->flags & BUF_PIN)) { /* Allocate a new one */ - if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL) + if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL) return (NULL); #ifdef PURIFY memset(bp, 0xff, sizeof(BUFHEAD)); #endif - if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) { + if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) { free(bp); return (NULL); } @@ -332,8 +333,10 @@ __buf_free(hashp, do_free, to_disk) } /* Check if we are freeing stuff */ if (do_free) { - if (bp->page) + if (bp->page) { + (void)memset(bp->page, 0, hashp->BSIZE); free(bp->page); + } BUF_REMOVE(bp); free(bp); bp = LRU; Modified: releng/6.3/lib/libc/db/mpool/mpool.c ============================================================================== --- releng/6.3/lib/libc/db/mpool/mpool.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.3/lib/libc/db/mpool/mpool.c Wed Apr 22 14:07:14 2009 (r191381) @@ -347,7 +347,7 @@ mpool_bkt(mp) return (bp); } -new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL) +new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL) return (NULL); #ifdef STATISTICS ++mp->pagealloc; Modified: releng/6.3/sys/conf/newvers.sh ============================================================================== --- releng/6.3/sys/conf/newvers.sh Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.3/sys/conf/newvers.sh Wed Apr 22 14:07:14 2009 (r191381) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.3" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/6.4/UPDATING ============================================================================== --- releng/6.4/UPDATING Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.4/UPDATING Wed Apr 22 14:07:14 2009 (r191381) @@ -8,6 +8,13 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090422: p4 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl + Don't leak information via uninitialized space in db(3) records. + [09:07] + + Sanity-check string lengths in order to stop OpenSSL crashing + when printing corrupt BMPString or UniversalString objects. [09:08] + 20090113: p3 FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind Correct ntpd cryptographic signature bypass. [09:03] Modified: releng/6.4/crypto/openssl/crypto/asn1/asn1.h ============================================================================== --- releng/6.4/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.4/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14 2009 (r191381) @@ -1030,6 +1030,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1088,6 +1089,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 Modified: releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c ============================================================================== --- releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14 2009 (r191381) @@ -153,6 +153,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ASN1_R_BAD_OBJECT_HEADER ,"bad object header"}, {ASN1_R_BAD_PASSWORD_READ ,"bad password read"}, {ASN1_R_BAD_TAG ,"bad tag"}, +{ASN1_R_BMPSTRING_IS_WRONG_LENGTH ,"bmpstring is wrong length"}, {ASN1_R_BN_LIB ,"bn lib"}, {ASN1_R_BOOLEAN_IS_WRONG_LENGTH ,"boolean is wrong length"}, {ASN1_R_BUFFER_TOO_SMALL ,"buffer too small"}, @@ -211,6 +212,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ASN1_R_UNABLE_TO_DECODE_RSA_KEY ,"unable to decode rsa key"}, {ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"}, {ASN1_R_UNEXPECTED_EOC ,"unexpected eoc"}, +{ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH ,"universalstring is wrong length"}, {ASN1_R_UNKNOWN_FORMAT ,"unknown format"}, {ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"}, {ASN1_R_UNKNOWN_OBJECT_TYPE ,"unknown object type"}, Modified: releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14 2009 (r191381) @@ -768,6 +768,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if(!*pval) { stmp = ASN1_STRING_type_new(utype); Modified: releng/6.4/lib/libc/db/btree/bt_split.c ============================================================================== --- releng/6.4/lib/libc/db/btree/bt_split.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.4/lib/libc/db/btree/bt_split.c Wed Apr 22 14:07:14 2009 (r191381) @@ -385,7 +385,7 @@ bt_page(t, h, lp, rp, skip, ilen) } /* Put the new left page for the split into place. */ - if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) { + if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) { mpool_put(t->bt_mp, r, 0); return (NULL); } Modified: releng/6.4/lib/libc/db/hash/hash_buf.c ============================================================================== --- releng/6.4/lib/libc/db/hash/hash_buf.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.4/lib/libc/db/hash/hash_buf.c Wed Apr 22 14:07:14 2009 (r191381) @@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include <stddef.h> #include <stdio.h> #include <stdlib.h> +#include <string.h> #ifdef DEBUG #include <assert.h> @@ -178,12 +179,12 @@ newbuf(hashp, addr, prev_bp) */ if (hashp->nbufs || (bp->flags & BUF_PIN)) { /* Allocate a new one */ - if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL) + if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL) return (NULL); #ifdef PURIFY memset(bp, 0xff, sizeof(BUFHEAD)); #endif - if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) { + if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) { free(bp); return (NULL); } @@ -332,8 +333,10 @@ __buf_free(hashp, do_free, to_disk) } /* Check if we are freeing stuff */ if (do_free) { - if (bp->page) + if (bp->page) { + (void)memset(bp->page, 0, hashp->BSIZE); free(bp->page); + } BUF_REMOVE(bp); free(bp); bp = LRU; Modified: releng/6.4/lib/libc/db/mpool/mpool.c ============================================================================== --- releng/6.4/lib/libc/db/mpool/mpool.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.4/lib/libc/db/mpool/mpool.c Wed Apr 22 14:07:14 2009 (r191381) @@ -347,7 +347,7 @@ mpool_bkt(mp) return (bp); } -new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL) +new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL) return (NULL); #ifdef STATISTICS ++mp->pagealloc; Modified: releng/6.4/sys/conf/newvers.sh ============================================================================== --- releng/6.4/sys/conf/newvers.sh Wed Apr 22 13:31:52 2009 (r191380) +++ releng/6.4/sys/conf/newvers.sh Wed Apr 22 14:07:14 2009 (r191381) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.4" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.0/UPDATING ============================================================================== --- releng/7.0/UPDATING Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.0/UPDATING Wed Apr 22 14:07:14 2009 (r191381) @@ -8,6 +8,13 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090422: p12 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl + Don't leak information via uninitialized space in db(3) records. + [09:07] + + Sanity-check string lengths in order to stop OpenSSL crashing + when printing corrupt BMPString or UniversalString objects. [09:08] + 20090323: p11 FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv Correctly sanity-check timer IDs. [SA-09:06] Modified: releng/7.0/crypto/openssl/crypto/asn1/asn1.h ============================================================================== --- releng/7.0/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.0/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14 2009 (r191381) @@ -1134,6 +1134,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1213,6 +1214,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 Modified: releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c ============================================================================== --- releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14 2009 (r191381) @@ -188,6 +188,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, +{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, @@ -267,6 +268,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, +{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, Modified: releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14 2009 (r191381) @@ -1012,6 +1012,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if (!*pval) { Modified: releng/7.0/lib/libc/db/btree/bt_split.c ============================================================================== --- releng/7.0/lib/libc/db/btree/bt_split.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.0/lib/libc/db/btree/bt_split.c Wed Apr 22 14:07:14 2009 (r191381) @@ -381,7 +381,7 @@ bt_page(t, h, lp, rp, skip, ilen) } /* Put the new left page for the split into place. */ - if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) { + if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) { mpool_put(t->bt_mp, r, 0); return (NULL); } Modified: releng/7.0/lib/libc/db/hash/hash_buf.c ============================================================================== --- releng/7.0/lib/libc/db/hash/hash_buf.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.0/lib/libc/db/hash/hash_buf.c Wed Apr 22 14:07:14 2009 (r191381) @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); #include <stddef.h> #include <stdio.h> #include <stdlib.h> +#include <string.h> #ifdef DEBUG #include <assert.h> @@ -174,12 +175,12 @@ newbuf(hashp, addr, prev_bp) */ if (hashp->nbufs || (bp->flags & BUF_PIN)) { /* Allocate a new one */ - if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL) + if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL) return (NULL); #ifdef PURIFY memset(bp, 0xff, sizeof(BUFHEAD)); #endif - if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) { + if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) { free(bp); return (NULL); } @@ -328,8 +329,10 @@ __buf_free(hashp, do_free, to_disk) } /* Check if we are freeing stuff */ if (do_free) { - if (bp->page) + if (bp->page) { + (void)memset(bp->page, 0, hashp->BSIZE); free(bp->page); + } BUF_REMOVE(bp); free(bp); bp = LRU; Modified: releng/7.0/lib/libc/db/mpool/mpool.c ============================================================================== --- releng/7.0/lib/libc/db/mpool/mpool.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.0/lib/libc/db/mpool/mpool.c Wed Apr 22 14:07:14 2009 (r191381) @@ -343,7 +343,7 @@ mpool_bkt(mp) return (bp); } -new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL) +new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL) return (NULL); #ifdef STATISTICS ++mp->pagealloc; Modified: releng/7.0/sys/conf/newvers.sh ============================================================================== --- releng/7.0/sys/conf/newvers.sh Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.0/sys/conf/newvers.sh Wed Apr 22 14:07:14 2009 (r191381) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.0" -BRANCH="RELEASE-p11" +BRANCH="RELEASE-p12" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.1/UPDATING ============================================================================== --- releng/7.1/UPDATING Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.1/UPDATING Wed Apr 22 14:07:14 2009 (r191381) @@ -8,6 +8,13 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090422: p5 FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl + Don't leak information via uninitialized space in db(3) records. + [09:07] + + Sanity-check string lengths in order to stop OpenSSL crashing + when printing corrupt BMPString or UniversalString objects. [09:08] + 20090323: p4 FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv Correctly sanity-check timer IDs. [SA-09:06] Modified: releng/7.1/crypto/openssl/crypto/asn1/asn1.h ============================================================================== --- releng/7.1/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.1/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14 2009 (r191381) @@ -1134,6 +1134,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1213,6 +1214,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 Modified: releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c ============================================================================== --- releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14 2009 (r191381) @@ -188,6 +188,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, +{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, @@ -267,6 +268,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, +{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, Modified: releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14 2009 (r191381) @@ -1012,6 +1012,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if (!*pval) { Modified: releng/7.1/lib/libc/db/btree/bt_split.c ============================================================================== --- releng/7.1/lib/libc/db/btree/bt_split.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.1/lib/libc/db/btree/bt_split.c Wed Apr 22 14:07:14 2009 (r191381) @@ -381,7 +381,7 @@ bt_page(t, h, lp, rp, skip, ilen) } /* Put the new left page for the split into place. */ - if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) { + if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) { mpool_put(t->bt_mp, r, 0); return (NULL); } Modified: releng/7.1/lib/libc/db/hash/hash_buf.c ============================================================================== --- releng/7.1/lib/libc/db/hash/hash_buf.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.1/lib/libc/db/hash/hash_buf.c Wed Apr 22 14:07:14 2009 (r191381) @@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$"); #include <stddef.h> #include <stdio.h> #include <stdlib.h> +#include <string.h> #ifdef DEBUG #include <assert.h> @@ -174,12 +175,12 @@ newbuf(hashp, addr, prev_bp) */ if (hashp->nbufs || (bp->flags & BUF_PIN)) { /* Allocate a new one */ - if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL) + if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL) return (NULL); #ifdef PURIFY memset(bp, 0xff, sizeof(BUFHEAD)); #endif - if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) { + if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) { free(bp); return (NULL); } @@ -328,8 +329,10 @@ __buf_free(hashp, do_free, to_disk) } /* Check if we are freeing stuff */ if (do_free) { - if (bp->page) + if (bp->page) { + (void)memset(bp->page, 0, hashp->BSIZE); free(bp->page); + } BUF_REMOVE(bp); free(bp); bp = LRU; Modified: releng/7.1/lib/libc/db/mpool/mpool.c ============================================================================== --- releng/7.1/lib/libc/db/mpool/mpool.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.1/lib/libc/db/mpool/mpool.c Wed Apr 22 14:07:14 2009 (r191381) @@ -343,7 +343,7 @@ mpool_bkt(mp) return (bp); } -new: if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL) +new: if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL) return (NULL); #ifdef STATISTICS ++mp->pagealloc; Modified: releng/7.1/sys/conf/newvers.sh ============================================================================== --- releng/7.1/sys/conf/newvers.sh Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.1/sys/conf/newvers.sh Wed Apr 22 14:07:14 2009 (r191381) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.1" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.2/UPDATING ============================================================================== --- releng/7.2/UPDATING Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.2/UPDATING Wed Apr 22 14:07:14 2009 (r191381) @@ -8,6 +8,13 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090422: FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl + Don't leak information via uninitialized space in db(3) records. + [09:07] + + Sanity-check string lengths in order to stop OpenSSL crashing + when printing corrupt BMPString or UniversalString objects. [09:08] + 20090326: Following bug-fixes to TCP connection state flags, netstat, systat, and sockstat will need to be rebuilt in order to properly print Modified: releng/7.2/crypto/openssl/crypto/asn1/asn1.h ============================================================================== --- releng/7.2/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.2/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14 2009 (r191381) @@ -1134,6 +1134,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1213,6 +1214,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 Modified: releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c ============================================================================== --- releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14 2009 (r191381) @@ -188,6 +188,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, +{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, @@ -267,6 +268,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, +{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, Modified: releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52 2009 (r191380) +++ releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14 2009 (r191381) @@ -1012,6 +1012,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if (!*pval) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200904221407.n3ME7Eat058288>