| Index: UPDATING |
| =================================================================== |
| --- UPDATING (版本 298770) |
| +++ UPDATING (版本 299066) |
| @@ -16,8 +16,21 @@ |
| stable/10, and then rebuild without this option. The bootstrap process from |
| older version of current is a bit fragile. |
| |
| -20150429 p1 FreeBSD-SA-16:16.ntp |
| +20160504 p2 FreeBSD-SA-16:17.openssl |
| + FreeBSD-EN-16:06.libc |
| + FreeBSD-EN-16:07.ipi |
| + FreeBSD-EN-16:08.zfs |
| |
| + Fix multiple OpenSSL vulnerabilitites. [SA-16:17] |
| + |
| + Fix performance regression in libc hash(3). [EN-16:06] |
| + |
| + Fix excessive latency in x86 IPI delivery. [EN-16:07] |
| + |
| + Fix memory leak in ZFS. [EN-16:08] |
| + |
| +20160429 p1 FreeBSD-SA-16:16.ntp |
| + |
| Fix multiple vulnerabilities of ntp. |
| |
| 20160329: |
| Index: crypto/openssl/crypto/asn1/a_type.c |
| =================================================================== |
| --- crypto/openssl/crypto/asn1/a_type.c (版本 298770) |
| +++ crypto/openssl/crypto/asn1/a_type.c (版本 299066) |
| @@ -126,9 +126,7 @@ |
| result = 0; /* They do not have content. */ |
| break; |
| case V_ASN1_INTEGER: |
| - case V_ASN1_NEG_INTEGER: |
| case V_ASN1_ENUMERATED: |
| - case V_ASN1_NEG_ENUMERATED: |
| case V_ASN1_BIT_STRING: |
| case V_ASN1_OCTET_STRING: |
| case V_ASN1_SEQUENCE: |
| Index: crypto/openssl/crypto/asn1/tasn_dec.c |
| =================================================================== |
| --- crypto/openssl/crypto/asn1/tasn_dec.c (版本 298770) |
| +++ crypto/openssl/crypto/asn1/tasn_dec.c (版本 299066) |
| @@ -903,9 +903,7 @@ |
| break; |
| |
| case V_ASN1_INTEGER: |
| - case V_ASN1_NEG_INTEGER: |
| case V_ASN1_ENUMERATED: |
| - case V_ASN1_NEG_ENUMERATED: |
| tint = (ASN1_INTEGER **)pval; |
| if (!c2i_ASN1_INTEGER(tint, &cont, len)) |
| goto err; |
| Index: crypto/openssl/crypto/asn1/tasn_enc.c |
| =================================================================== |
| --- crypto/openssl/crypto/asn1/tasn_enc.c (版本 298770) |
| +++ crypto/openssl/crypto/asn1/tasn_enc.c (版本 299066) |
| @@ -611,9 +611,7 @@ |
| break; |
| |
| case V_ASN1_INTEGER: |
| - case V_ASN1_NEG_INTEGER: |
| case V_ASN1_ENUMERATED: |
| - case V_ASN1_NEG_ENUMERATED: |
| /* |
| * These are all have the same content format as ASN1_INTEGER |
| */ |
| Index: crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c |
| =================================================================== |
| --- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c (版本 298770) |
| +++ crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c (版本 299066) |
| @@ -59,6 +59,7 @@ |
| # include <openssl/aes.h> |
| # include <openssl/sha.h> |
| # include "evp_locl.h" |
| +# include "constant_time_locl.h" |
| |
| # ifndef EVP_CIPH_FLAG_AEAD_CIPHER |
| # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 |
| @@ -286,6 +287,8 @@ |
| maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); |
| maxpad &= 255; |
| |
| + ret &= constant_time_ge(maxpad, pad); |
| + |
| inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); |
| mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); |
| inp_len &= mask; |
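Review bot: The added `ret &= constant_time_ge(maxpad, pad);` carries no comment, and it is the only explicit bound on `pad` visible in this hunk before `pad` is used in `inp_len = len - (SHA_DIGEST_LENGTH + pad + 1)`. A line like this is easy to drop in a later cleanup as redundant with the `mask` arithmetic that follows, so I would put `/* pad must not exceed maxpad; checked in constant time so timing does not depend on the padding value */` above it. Where `pad` and `ret` are assigned is outside the hunk, so the wording should be confirmed against the full function. A regression test that feeds a record whose padding byte exceeds `maxpad` would keep the check from being lost.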
| Index: crypto/openssl/crypto/evp/encode.c |
| =================================================================== |
| --- crypto/openssl/crypto/evp/encode.c (版本 298770) |
| +++ crypto/openssl/crypto/evp/encode.c (版本 299066) |
| @@ -57,6 +57,7 @@ |
| */ |
| |
| #include <stdio.h> |
| +#include <limits.h> |
| #include "cryptlib.h" |
| #include <openssl/evp.h> |
| |
| @@ -151,13 +152,13 @@ |
| const unsigned char *in, int inl) |
| { |
| int i, j; |
| - unsigned int total = 0; |
| + size_t total = 0; |
| |
| *outl = 0; |
| if (inl <= 0) |
| return; |
| OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); |
| - if ((ctx->num + inl) < ctx->length) { |
| + if (ctx->length - ctx->num > inl) { |
| memcpy(&(ctx->enc_data[ctx->num]), in, inl); |
| ctx->num += inl; |
| return; |
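Review bot: The rewritten guard `if (ctx->length - ctx->num > inl)` relies on `ctx->num` being non-negative and no larger than `ctx->length`, and nothing visible here states that; the one assertion above it bounds `ctx->length` only. I would add a comment saying why the test is written as a subtraction, e.g. `/* subtract instead of add: ctx->num + inl can overflow int for large inl */`, and name the invariant on `ctx->num` there. The same applies to `if (bl - i > inl)` in the evp_enc.c hunk of this patch, which depends on `i` (the buffered length) staying within `bl`. Both function bodies continue outside their hunks.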
| @@ -174,7 +175,7 @@ |
| *out = '\0'; |
| total = j + 1; |
| } |
| - while (inl >= ctx->length) { |
| + while (inl >= ctx->length && total <= INT_MAX) { |
| j = EVP_EncodeBlock(out, in, ctx->length); |
| in += ctx->length; |
| inl -= ctx->length; |
| @@ -183,6 +184,11 @@ |
| *out = '\0'; |
| total += j + 1; |
| } |
| + if (total > INT_MAX) { |
| + /* Too much output data! */ |
| + *outl = 0; |
| + return; |
| + } |
| if (inl != 0) |
| memcpy(&(ctx->enc_data[0]), in, inl); |
| ctx->num = inl; |
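Review bot: The new `if (total > INT_MAX)` exit sets `*outl = 0` and returns after the loop above has already written encoded blocks through `out`, and since the function returns no value (see the bare `return;` statements) the caller cannot tell this apart from an update that produced no output. The comment `/* Too much output data! */` should say so, e.g. `/* Output length does not fit in int: report 0 bytes; callers get no error indication and must bound inl themselves */`. This return also skips the `ctx->num = inl` bookkeeping below it, so whether the context is still usable afterwards should be documented or checked. The lines that manage `ctx->num` before the loop are outside the hunk. The loop condition `total <= INT_MAX` in the preceding hunk belongs to the same change.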
| Index: crypto/openssl/crypto/evp/evp_enc.c |
| =================================================================== |
| --- crypto/openssl/crypto/evp/evp_enc.c (版本 298770) |
| +++ crypto/openssl/crypto/evp/evp_enc.c (版本 299066) |
| @@ -334,7 +334,7 @@ |
| bl = ctx->cipher->block_size; |
| OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); |
| if (i != 0) { |
| - if (i + inl < bl) { |
| + if (bl - i > inl) { |
| memcpy(&(ctx->buf[i]), in, inl); |
| ctx->buf_len += inl; |
| *outl = 0; |
| Index: crypto/openssl/crypto/x509/x509_obj.c |
| =================================================================== |
| --- crypto/openssl/crypto/x509/x509_obj.c (版本 298770) |
| +++ crypto/openssl/crypto/x509/x509_obj.c (版本 299066) |
| @@ -117,8 +117,9 @@ |
| type == V_ASN1_PRINTABLESTRING || |
| type == V_ASN1_TELETEXSTRING || |
| type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { |
| - ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) |
| - ? sizeof ebcdic_buf : num); |
| + if (num > (int)sizeof(ebcdic_buf)) |
| + num = sizeof(ebcdic_buf); |
| + ascii2ebcdic(ebcdic_buf, q, num); |
| q = ebcdic_buf; |
| } |
| #endif |
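Review bot: Clamping `num` in place changes more than the `ascii2ebcdic` call: every later use of `num` in this function now sees the truncated length. That appears to be the intent, since `q` is redirected to `ebcdic_buf`, but the code that reads `q` is outside the hunk. A comment would make it explicit, e.g. `/* clamp num itself: q points at ebcdic_buf from here on, so later reads must stay within it */`. The comparison casts `sizeof(ebcdic_buf)` to int, so a negative `num` passes the check unchanged and is handed to `ascii2ebcdic` as a length; if `num` can be negative here it should be rejected before this block.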
| Index: lib/libc/db/hash/hash.c |
| =================================================================== |
| --- lib/libc/db/hash/hash.c (版本 298770) |
| +++ lib/libc/db/hash/hash.c (版本 299066) |
| @@ -423,7 +423,8 @@ |
| free(hashp->tmp_buf); |
| |
| if (hashp->fp != -1) { |
| - (void)_fsync(hashp->fp); |
| + if (hashp->save_file) |
| + (void)_fsync(hashp->fp); |
| (void)_close(hashp->fp); |
| } |
| |
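Review bot: The new `if (hashp->save_file)` condition has no comment explaining why skipping the flush is safe, and the results of `_fsync` and `_close` are still cast to void, so a failed flush of a table that is being saved goes unreported. I would add `/* flush only when the table is being written back to its file */` above the test; the meaning of `save_file` is inferred from its name and should be confirmed. Consider folding an `_fsync` failure into this function's return value. The enclosing function starts and ends outside the hunk.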
| Index: sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c |
| =================================================================== |
| --- sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c (版本 298770) |
| +++ sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c (版本 299066) |
| @@ -196,6 +196,7 @@ |
| VI_UNLOCK(vp); |
| vrele(vp); |
| vfs_unbusy(mp); |
| + vfs_freeopts(mp->mnt_optnew); |
| vfs_mount_destroy(mp); |
| *vpp = NULL; |
| return (error); |
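Review bot: `vfs_freeopts(mp->mnt_optnew);` leaves `mp->mnt_optnew` pointing at freed memory while `mp` is still passed to `vfs_mount_destroy(mp)` on the next line. If the destroy path ever inspects or frees that field this becomes a use-after-free or double free, so I would follow the call with `mp->mnt_optnew = NULL;`. It is also worth confirming that `mnt_optnew` is always allocated on this error path, since whether `vfs_freeopts` tolerates NULL is not visible here. The function's other error exits are outside the hunk and should be checked for the same leak.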
| Index: sys/conf/newvers.sh |
| =================================================================== |
| --- sys/conf/newvers.sh (版本 298770) |
| +++ sys/conf/newvers.sh (版本 299066) |
| @@ -32,7 +32,7 @@ |
| |
| TYPE="FreeBSD" |
| REVISION="10.3" |
| -BRANCH="RELEASE-p1" |
| +BRANCH="RELEASE-p2" |
| if [ "X${BRANCH_OVERRIDE}" != "X" ]; then |
| BRANCH=${BRANCH_OVERRIDE} |
| fi |
| Index: sys/x86/x86/local_apic.c |
| =================================================================== |
| --- sys/x86/x86/local_apic.c (版本 298770) |
| +++ sys/x86/x86/local_apic.c (版本 299066) |
| @@ -56,6 +56,7 @@ |
| #include <vm/pmap.h> |
| |
| #include <x86/apicreg.h> |
| +#include <machine/clock.h> |
| #include <machine/cputypes.h> |
| #include <machine/frame.h> |
| #include <machine/intr_machdep.h> |
| @@ -158,6 +159,9 @@ |
| vm_paddr_t lapic_paddr; |
| static u_long lapic_timer_divisor; |
| static struct eventtimer lapic_et; |
| +#ifdef SMP |
| +static uint64_t lapic_ipi_wait_mult; |
| +#endif |
| |
| static void lapic_enable(void); |
| static void lapic_resume(struct pic *pic, bool suspend_cancelled); |
| @@ -221,6 +225,9 @@ |
| void |
| lapic_init(vm_paddr_t addr) |
| { |
| +#ifdef SMP |
| + uint64_t r, r1, r2, rx; |
| +#endif |
| u_int regs[4]; |
| int i, arat; |
| |
| @@ -275,6 +282,38 @@ |
| lapic_et.et_priv = NULL; |
| et_register(&lapic_et); |
| } |
| + |
| +#ifdef SMP |
| +#define LOOPS 1000000 |
| + /* |
| + * Calibrate the busy loop waiting for IPI ack in xAPIC mode. |
| + * lapic_ipi_wait_mult contains the number of iterations which |
| + * approximately delay execution for 1 microsecond (the |
| + * argument to native_lapic_ipi_wait() is in microseconds). |
| + * |
| + * We assume that TSC is present and already measured. |
| + * Possible TSC frequency jumps are irrelevant to the |
| + * calibration loop below, the CPU clock management code is |
| + * not yet started, and we do not enter sleep states. |
| + */ |
| + KASSERT((cpu_feature & CPUID_TSC) != 0 && tsc_freq != 0, |
| + ("TSC not initialized")); |
| + r = rdtsc(); |
| + for (rx = 0; rx < LOOPS; rx++) { |
| + (void)lapic->icr_lo; |
| + ia32_pause(); |
| + } |
| + r = rdtsc() - r; |
| + r1 = tsc_freq * LOOPS; |
| + r2 = r * 1000000; |
| + lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1; |
| + if (bootverbose) { |
| + printf("LAPIC: ipi_wait() us multiplier %ju (r %ju tsc %ju)\n", |
| + (uintmax_t)lapic_ipi_wait_mult, (uintmax_t)r, |
| + (uintmax_t)tsc_freq); |
| + } |
| +#undef LOOPS |
| +#endif /* SMP */ |
| } |
| |
| /* |
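Review bot: `lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1;` divides by `r2` without checking it for zero. If the two `rdtsc()` reads return the same value (for instance with a virtualized or stalled TSC), `r` and `r2` are 0, `r1 >= r2` holds, and the boot path traps on the division; `lapic_ipi_wait_mult = (r2 != 0 && r1 >= r2) ? r1 / r2 : 1;` closes that. The `KASSERT` above only guards the TSC assumption in kernels built with assertions enabled, so a production kernel has no check that `tsc_freq` is non-zero (the multiplier would fall back to 1). The literal `1000000` in `r2 = r * 1000000` means microseconds per second and only coincides with `LOOPS`; a named constant would keep the two from being confused.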
| @@ -1381,25 +1420,20 @@ |
| * private to the MD code. The public interface for the rest of the |
| * kernel is defined in mp_machdep.c. |
| */ |
| + |
| +/* |
| + * Wait delay microseconds for IPI to be sent. If delay is -1, we |
| + * wait forever. |
| + */ |
| int |
| lapic_ipi_wait(int delay) |
| { |
| - int x; |
| + uint64_t rx; |
| |
| - /* |
| - * Wait delay microseconds for IPI to be sent. If delay is |
| - * -1, we wait forever. |
| - */ |
| - if (delay == -1) { |
| - while ((lapic->icr_lo & APIC_DELSTAT_MASK) != APIC_DELSTAT_IDLE) |
| - ia32_pause(); |
| - return (1); |
| - } |
| - |
| - for (x = 0; x < delay; x += 5) { |
| + for (rx = 0; delay == -1 || rx < lapic_ipi_wait_mult * delay; rx++) { |
| if ((lapic->icr_lo & APIC_DELSTAT_MASK) == APIC_DELSTAT_IDLE) |
| return (1); |
| - DELAY(5); |
| + ia32_pause(); |
| } |
| return (0); |
| } |
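Review bot: The loop bound `rx < lapic_ipi_wait_mult * delay` converts `delay` to `uint64_t`, so any negative value other than -1 becomes a huge bound and spins almost indefinitely, whereas the removed `for (x = 0; x < delay; x += 5)` returned 0 at once for such values. The product is also re-evaluated on every iteration. I would compute the bound once and make the negative case explicit, e.g. `if (delay < -1) return (0);` followed by `limit = lapic_ipi_wait_mult * (uint64_t)delay;` and `for (rx = 0; delay == -1 || rx < limit; rx++)`. `lapic_ipi_wait_mult` is declared only under `#ifdef SMP` earlier in this patch; whether this function sits under the same guard is not visible in the hunk.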