From owner-svn-src-all@FreeBSD.ORG Tue May 13 23:22:29 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A108F73A; Tue, 13 May 2014 23:22:29 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8E1AC29D8; Tue, 13 May 2014 23:22:29 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s4DNMT84058500; Tue, 13 May 2014 23:22:29 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s4DNMSh6058494; Tue, 13 May 2014 23:22:28 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201405132322.s4DNMSh6058494@svn.freebsd.org> 
From: Xin LI Date: Tue, 13 May 2014 23:22:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r265987 - in releng/10.0: . crypto/openssl/ssl sys/conf sys/dev/ciss X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 May 2014 23:22:29 -0000 Author: delphij Date: Tue May 13 23:22:28 2014 New Revision: 265987 URL: http://svnweb.freebsd.org/changeset/base/265987 Log: Fix OpenSSL NULL pointer deference vulnerability. [SA-14:09] Security: FreeBSD-SA-14:09.openssl Security: CVE-2014-0198 Fix data corruption with ciss(4). [EN-14:05] Errata: FreeBSD-EN-14:05.ciss Approved by: so Modified: releng/10.0/UPDATING releng/10.0/crypto/openssl/ssl/s3_pkt.c releng/10.0/sys/conf/newvers.sh releng/10.0/sys/dev/ciss/ciss.c Modified: releng/10.0/UPDATING ============================================================================== --- releng/10.0/UPDATING Tue May 13 23:19:16 2014 (r265986) +++ releng/10.0/UPDATING Tue May 13 23:22:28 2014 (r265987) 
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20140513: p3 FreeBSD-SA-14:10.openssl + FreeBSD-EN-14:05.ciss + + Fix OpenSSL NULL pointer deference vulnerability. [SA-14:10] + + Fix data corruption with ciss(4). [EN-14:05] + 20140430: p2 FreeBSD-SA-14:07.devfs FreeBSD-SA-14:08.tcp FreeBSD-SA-14:09.openssl Modified: releng/10.0/crypto/openssl/ssl/s3_pkt.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/s3_pkt.c Tue May 13 23:19:16 2014 (r265986) +++ releng/10.0/crypto/openssl/ssl/s3_pkt.c Tue May 13 23:22:28 2014 (r265987) @@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ if (i <= 0) return(i); /* if it went, fall through and send more stuff */ + /* we may have released our buffer, so get it again */ + if (wb->buf == NULL) + if (!ssl3_setup_write_buffer(s)) + return -1; } if (len == 0 && !create_empty_fragment) Modified: releng/10.0/sys/conf/newvers.sh ============================================================================== --- releng/10.0/sys/conf/newvers.sh Tue May 13 23:19:16 2014 (r265986) +++ releng/10.0/sys/conf/newvers.sh Tue May 13 23:22:28 2014 (r265987) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.0" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.0/sys/dev/ciss/ciss.c ============================================================================== --- releng/10.0/sys/dev/ciss/ciss.c Tue May 13 23:19:16 2014 (r265986) +++ releng/10.0/sys/dev/ciss/ciss.c Tue May 13 23:22:28 2014 (r265987) 
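Review bot: In the s3_pkt.c hunk the added guard in do_ssl3_write is written as two nested `if` statements without braces, which is easy to misread and invites a dangling-else mistake on a later edit; `if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) return -1;` states the same check in one condition. The added comment says the buffer "may have been released" but not by what; presumably the pending-alert dispatch just above re-enters the write path and frees it when SSL_MODE_RELEASE_BUFFERS is set, so something like `/* dispatching the alert may have released wb->buf (release-buffers mode); re-allocate before writing */` would make the reason for the guard clear. The commit log tags this fix SA-14:09 while the UPDATING entry added in the same commit says SA-14:10 (and the p2 entry already lists SA-14:09), so one of the two references should be corrected for anyone matching patch levels to advisories. Whether ssl3_setup_write_buffer records an error before the bare `-1` return is not visible here, and do_ssl3_write begins and ends outside the hunk.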
@@ -180,8 +180,6 @@ static int ciss_cam_emulate(struct ciss_ static void ciss_cam_poll(struct cam_sim *sim); static void ciss_cam_complete(struct ciss_request *cr); static void ciss_cam_complete_fixup(struct ciss_softc *sc, struct ccb_scsiio *csio); -static struct cam_periph *ciss_find_periph(struct ciss_softc *sc, - int bus, int target); static int ciss_name_device(struct ciss_softc *sc, int bus, int target); /* periodic status monitoring */ @@ -3398,27 +3396,6 @@ ciss_cam_complete_fixup(struct ciss_soft /******************************************************************************** - * Find a peripheral attached at (target) - */ -static struct cam_periph * -ciss_find_periph(struct ciss_softc *sc, int bus, int target) -{ - struct cam_periph *periph; - struct cam_path *path; - int status; - - status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]), - target, 0); - if (status == CAM_REQ_CMP) { - periph = cam_periph_find(path, NULL); - xpt_free_path(path); - } else { - periph = NULL; - } - return(periph); -} - -/******************************************************************************** * Name the device at (target) * * XXX is this strictly correct? @@ -3427,12 +3404,22 @@ static int ciss_name_device(struct ciss_softc *sc, int bus, int target) { struct cam_periph *periph; + struct cam_path *path; + int status; if (CISS_IS_PHYSICAL(bus)) return (0); - if ((periph = ciss_find_periph(sc, bus, target)) != NULL) { + + status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]), + target, 0); + + if (status == CAM_REQ_CMP) { + mtx_lock(&sc->ciss_mtx); + periph = cam_periph_find(path, NULL); sprintf(sc->ciss_logical[bus][target].cl_name, "%s%d", periph->periph_name, periph->unit_number); + mtx_unlock(&sc->ciss_mtx); + xpt_free_path(path); return(0); } sc->ciss_logical[bus][target].cl_name[0] = 0;
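Review bot: In the last ciss.c hunk, ciss_name_device now dereferences `periph` immediately after `cam_periph_find(path, NULL)` with no NULL test, whereas the removed code only formatted the name when the lookup returned non-NULL. If the lookup can still come back empty (the removed `!= NULL` check suggests it can), this is a NULL pointer dereference in the kernel while ciss_mtx is held. Wrap the `sprintf` in `if (periph != NULL)` and make the `return(0)` conditional on it, so that a miss still unlocks, frees the path and falls through to the existing `cl_name[0] = 0` line. While on that line, `snprintf` with `sizeof(sc->ciss_logical[bus][target].cl_name)` would bound the write, assuming cl_name is an array (its declaration is outside the hunk). The two earlier ciss.c hunks only delete ciss_find_periph and its prototype.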