From f57c85b4826817815834b7abdb077ad572f3a641 Mon Sep 17 00:00:00 2001
From: delphij
Date: Tue, 13 May 2014 23:22:28 +0000
Subject: [PATCH] Fix OpenSSL NULL pointer deference vulnerability. [SA-14:09]

Security: FreeBSD-SA-14:09.openssl
Security: CVE-2014-0198
Fix data corruption with ciss(4). [EN-14:05]
Errata: FreeBSD-EN-14:05.ciss
Approved by: so
git-svn-id: svn://svn.freebsd.org/base/releng/10.0@265987 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING | 7 +++++++
 crypto/openssl/ssl/s3_pkt.c | 4 ++++
 sys/conf/newvers.sh | 2 +-
 sys/dev/ciss/ciss.c | 35 +++++++++++------------------------
 4 files changed, 23 insertions(+), 25 deletions(-)

diff --git a/UPDATING b/UPDATING
index 598c54c3..d98613cf 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.

+20140513: p3 FreeBSD-SA-14:10.openssl
+ FreeBSD-EN-14:05.ciss
+
+ Fix OpenSSL NULL pointer deference vulnerability. [SA-14:10]
+
+ Fix data corruption with ciss(4). [EN-14:05]
+
 20140430: p2 FreeBSD-SA-14:07.devfs
 FreeBSD-SA-14:08.tcp
 FreeBSD-SA-14:09.openssl
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index d500eb8e..d1afe2f2 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 if (i <= 0)
 return(i);
 /* if it went, fall through and send more stuff */
+ /* we may have released our buffer, so get it again */
+ if (wb->buf == NULL)
+ if (!ssl3_setup_write_buffer(s))
+ return -1;
 }

 if (len == 0 && !create_empty_fragment)
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index eef15ab9..b0ed76a6 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
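Review bot: The added comment in do_ssl3_write() (crypto/openssl/ssl/s3_pkt.c) says the write buffer "may have been released" but not by what, so nothing tells a later reader that this re-check must stay directly after the call above the hunk and ahead of any use of `wb->buf`. I would expand it along the lines of `/* the call above may have freed the write buffer; re-allocate it before wb->buf is used, otherwise this is a NULL dereference (CVE-2014-0198) */`, naming the releasing call once confirmed (it sits outside the hunk; presumably the pending-alert dispatch). The nested unbraced `if` would also read more safely as a single condition, `if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) return -1;`. do_ssl3_write's body starts and ends outside the hunk.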
@@ -32,7 +32,7 @@

 TYPE="FreeBSD"
 REVISION="10.0"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/dev/ciss/ciss.c b/sys/dev/ciss/ciss.c
index 6d89a778..4ad7c74b 100644
--- a/sys/dev/ciss/ciss.c
+++ b/sys/dev/ciss/ciss.c
@@ -180,8 +180,6 @@ static int ciss_cam_emulate(struct ciss_softc *sc, struct ccb_scsiio *csio);
 static void ciss_cam_poll(struct cam_sim *sim);
 static void ciss_cam_complete(struct ciss_request *cr);
 static void ciss_cam_complete_fixup(struct ciss_softc *sc, struct ccb_scsiio *csio);
-static struct cam_periph *ciss_find_periph(struct ciss_softc *sc,
- int bus, int target);
 static int ciss_name_device(struct ciss_softc *sc, int bus, int target);

 /* periodic status monitoring */
@@ -3397,27 +3395,6 @@ ciss_cam_complete_fixup(struct ciss_softc *sc, struct ccb_scsiio *csio)
 }


-/********************************************************************************
- * Find a peripheral attached at (target)
- */
-static struct cam_periph *
-ciss_find_periph(struct ciss_softc *sc, int bus, int target)
-{
- struct cam_periph *periph;
- struct cam_path *path;
- int status;
-
- status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]),
- target, 0);
- if (status == CAM_REQ_CMP) {
- periph = cam_periph_find(path, NULL);
- xpt_free_path(path);
- } else {
- periph = NULL;
- }
- return(periph);
-}
-
 /********************************************************************************
 * Name the device at (target)
 *
@@ -3427,12 +3404,22 @@ static int
 ciss_name_device(struct ciss_softc *sc, int bus, int target)
 {
 struct cam_periph *periph;
+ struct cam_path *path;
+ int status;

 if (CISS_IS_PHYSICAL(bus))
 return (0);
- if ((periph = ciss_find_periph(sc, bus, target)) != NULL) {
+
+ status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]),
+ target, 0);
+
+ if (status == CAM_REQ_CMP) {
+ mtx_lock(&sc->ciss_mtx);
+ periph = cam_periph_find(path, NULL);
 sprintf(sc->ciss_logical[bus][target].cl_name, "%s%d",
 periph->periph_name, periph->unit_number);
+ mtx_unlock(&sc->ciss_mtx);
+ xpt_free_path(path);
 return(0);
 }
 sc->ciss_logical[bus][target].cl_name[0] = 0;
--
2.42.0
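Review bot: `periph` is dereferenced in the `sprintf` of ciss_name_device() without a NULL check. The removed line tested `(periph = ciss_find_periph(...)) != NULL`, but the inlined code only tests `status == CAM_REQ_CMP`, and `cam_periph_find()` can return NULL when the path is created but no peripheral is attached to it. Guard both the `sprintf` and the `return(0)` with `if (periph != NULL)`, so the not-found case still unlocks, frees the path and falls through to the `cl_name[0] = 0` line. While touching this call, the unbounded `sprintf` could become `snprintf` bounded by `sizeof(sc->ciss_logical[bus][target].cl_name)`, assuming `cl_name` is a fixed-size array (its declaration is not visible here). The function's tail lies outside the hunk.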