os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Publish todays advisory and notices:

Browse source 
- SA-16:17.openssl
- EN-16:06.libc
- EN-16:07.ipi
- EN-16:08.zfs

Approved by:	so
This commit is contained in:
Gleb Smirnoff 2016-05-04 22:52:54 +00:00
parent 094ccc9b32
commit cf13b85a51
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=48779
16 changed files with 1041 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

128
share/security/advisories/FreeBSD-EN-16:06.libc.asc Normal file
View file

@ -0,0 +1,128 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:06.libc Errata Notice
The FreeBSD Project
Topic: Performance regression in libc hash(3)
Category: core
Module: libc / hash(3)
Announced: 2016-05-04
Credits: Bryan Drewery, Baptiste Daroussin
Affects: FreeBSD 10.3-RELEASE
Corrected: 2016-04-13 01:54:36 UTC (stable/10, 10.3-STABLE)
2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security branches,
and the following sections, please visit
<URL:https://security.freebsd.org/>.
I. Background
The dbopen(3) with DB_HASH allows reading and writing to database files
in the hash(3) format. Examples of such files are the system master
passwd and services databases in /etc. In FreeBSD 10.3 operations
using dbopen(3) were fixed to always call fsync(2) on their files when
writing to ensure they were consistent after a power loss. This was
mostly noticeable for the user and group database files after using
pw, vipw, chpass, etc.
II. Problem Description
The changes in FreeBSD 10.3 to use fsync(2) were improperly extended to
operations that were read-only.
III. Impact
This could manifest as extreme slowdowns in operations that read from one
of these files, such as the user database. It was especially noticeable
during the use of "pkg install" since it reads from the user database. It
could also incur excessive I/O writes to these files if the file system
was not mounted with noatime which could lessen the lifetime of SSD.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/EN-16:06/libc.patch
# fetch https://security.FreeBSD.org/patches/EN-16:06/libc.patch.asc
# gpg --verify libc.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r297904
releng/10.3/ r299066
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-16:06.libc.asc
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXKj2JAAoJEO1n7NZdz2rnAqUQAKQmHsqyFPwl+yva/Is8U0Z+
iuMnGAa9zp422ESLF8wczAYIQxv2wNuPAupuZGdDD5vnt8AJNEhs84xq9RW63AxM
V1YQAsNzMTeP4xhGJbrLXPgS5tgB59Rwj0OmIjrbyi4rmDMVGl0Ok0XRr+L+c9KV
dZhUSTmtlR005887aEoUe7Ujnqn4TljijaK/mD2YhGoE5Xkx5yOzJoO3ajCkyY61
qSFVDqKP+pGgazt9gXpf7vtj4tw+TUqCMH3lj+LF4I7QfbAATYqwXo6pPVxSdZAY
D8qFR7h31Rpb7ImnSLiULGkZvV5cJrbHJQR63ty1WF6y5qur1La4EfTDDhqqkz3I
hvC8PCgAu11E55TsDeFUAFibjWZZvcqoYG3taWAKc9JlOHd5+cKoXVAzGTX4a/B7
V0r5WH9AmmcodE7oRo90yFhUuv28G9T/z7a7bihaD6Cu2+3C7ez9f8cyD2x/FYJV
Y7wF3Ey4faybuaXBmxrbq3aJQYPe4knfvigmLoJNbCgIutvCiDVue/BxXaZ97Zc3
RxPx7+SQo18R83u/iGgYIgs5MAsLLDphwETQhAi8ZUsSO/YVb4Od0ScCHaHC/byp
CdSC7DW56wiqYYyFjAe5/MQIIv8cvNLtekiaiUhAf36DrstglbSwOTw7x2kMcguk
KLNONz99Am4A/sIHhizX
=p2R6
-----END PGP SIGNATURE-----

125
share/security/advisories/FreeBSD-EN-16:07.ipi.asc Normal file
View file

@ -0,0 +1,125 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:07.ipi Errata Notice
The FreeBSD Project
Topic: Excessive latency in x86 IPI delivery
Category: core
Module: kernel
Announced: 2016-05-04
Credits: Stanislav Sedov
Affects: FreeBSD 10.2 and 10.3
Corrected: 2016-04-27 19:12:49 UTC (stable/10, 10.3-STABLE)
2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security branches,
and the following sections, please visit
<URL:https://security.freebsd.org/>.
I. Background
Each CPU in an x86 system contains an interrupt controller (local APIC)
used to handle both external interrupts and inter-processor-interrupts
(IPIs).
II. Problem Description
In xAPIC mode, the local APIC can only queue a single IPI at a time. If
a previously queued IPI is still pending when a CPU attempts to send an
IPI, it spins waiting for the previous IPI to complete. A change merged
prior to 10.2-RELEASE altered this loop to check the state of the previous
IPI once every 5 microseconds rather than constantly polling.
III. Impact
Checking the status of the previous IPI once every 5 microseconds could
introduce 5 microsecond delays when sending IPIs. This could increase the
latency of various scheduling operations reducing performance.
IV. Workaround
No workaround is available, but non-x86 systems are not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-16:07/ipi.patch
# fetch https://security.FreeBSD.org/patches/EN-16:07/ipi.patch.asc
# gpg --verify ipi.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r298715
releng/10.2/ r299067
releng/10.3/ r299066
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-16:07.ipi.asc
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXKj3tAAoJEO1n7NZdz2rnbpMP/R/Xetx8IFIeP4Ez9IYvQPXM
ylnDZiLn0AP2AW5Wn4Dxa6SyfrTGYOpjMSGFtxu6JqPczFYhYY0fYVkdwLqPu0DS
2Q9xGLJ0hedVa+aPbDyoS6Zafe2VElFjcpHm+y3qaaAhLoQNolMd+3bj0sezxzb/
mVJZq1vHzFKU84vmiBXb6zF6lcwJgEqbdeLyLT+y+p42Sne9/k6QIUPUQPZKciu/
gs3RH3/0NhNWyXRl8ISjU0uJB3SHFZTbbfRSoX/0pE0FGaaYue9UeOEAzsBi5O6x
apF5euq6o6QSzH1MQaPj1hApreUY4TCS+/2ZSjKGTOZAOP9CkIjm/U89G5cw+dH4
Bs4jV4q0H1Pc3jHGP/Y0NyPDA7XrmNUjhw//8WodchqyeHkrSboy4K2Cd5AFS03e
dM4fUz1ybTWYTAuHejKIN7yPKo1MsI7tX55fYXZtZ9iA+JhTYGBuJEoBVqlDiSte
RcfYWjMY45srf5lPwTjauuHFjsfgvHwxuxyQyKPV+uysq9y7E2E6hypBYZ0SJNaz
W6fEAyUFv8rM6qMxtANuuOVDDrRTYq/FId5AhMMheK9AONA3XcvL9otMqw5HMBtg
kzOoQ0JJKUbDow8sy9mjtM0cOgoNvmfRlUuLXxV26swXEHZ4la0o16mNVEzo10Z9
mlbeuHCqBP25eT/TzQG4
=XoQ4
-----END PGP SIGNATURE-----

137
share/security/advisories/FreeBSD-EN-16:08.zfs.asc Normal file
View file

@ -0,0 +1,137 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-16:08.zfs Errata Notice
The FreeBSD Project
Topic: Memory leak in ZFS
Category: contrib
Module: zfs
Announced: 2016-05-04
Credits: Eric Borisch
Affects: All supported versions of FreeBSD.
Corrected: 2016-03-18 13:32:00 UTC (stable/10, 10.3-STABLE)
2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33)
2016-03-18 13:32:37 UTC (stable/9, 9.3-STABLE)
2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
ZFS is one of several filesystems available on FreeBSD. ZFS supports many
advanced features, including snapshots, which provides a frozen read-only
image of file system at a given time.
File system snapshots can be accessed under the .zfs/snapshot directory
in the root of the file system.
II. Problem Description
There is a memory leak in the error path when mounting a snapshot via the
automatic .zfs/snapshot directory, which can be triggered when the snapshot
was once mounted, but later deleted by the system administrator.
III. Impact
A local user may be able to trigger the memory leak multiple times and
eventually exhaust kernel memory, if the user knows a snapshot and access
it before the system administrator deletes it.
IV. Workaround
No workaround is available, but systems that do not use ZFS snapshots are
not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Reboot is required.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot is required.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-16:08/zfs.patch
# fetch https://security.FreeBSD.org/patches/EN-16:08/zfs.patch.asc
# gpg --verify zfs.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r297022
releng/9.3/ r299068
stable/10/ r297021
releng/10.1/ r299068
releng/10.2/ r299067
releng/10.3/ r299066
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:08.zfs.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXKk4dAAoJEO1n7NZdz2rnscQQAODmJLkUgi8YgTP32IuWyz+N
mX/g5HNKGWP7COTzsoIFrGZ1l+BqWwqcX9cSR1K3fFOYSDPPgug3qMHdfg63RIsm
G9sJRQ/XdsUC6436UYGe3ElZyqKUjrKSPW2pA95AYVWMiJTJwly+Vd6UqDadLKmA
HyebF2uh5HR7JpkTyw9lT6uN4FHTIF6NfKruap3m+NNCMw64w4bILwOLuylvxT+0
fiPJRlZ5X+I9lRM7QqO8m/S4AYAHeFAu/GG8GDPR2kO6ZuW2iuIQg04tfv8JmHgG
4074OkCo7etJ6qq59EC1Y7k6TpuNDuiTNtTpn5DnOWVCaduZnGxZo0FhKhZg7b0K
D4uJkXF8aSTi4Y9rp4ynEP+d1NJD7B5dLnI5R3P3EGuGKhigymI0QlT+iDy/UGLT
rG1Hx9Tsq1CsrpUe6/Go6Daqt4VxW/WYtOULDZBoVaIhhKk5H4gV1Yj66MUAsPhZ
Fe+hMnehYdCcKlSYrlCaF6MTosAafhzyTgxDKehgc0K1RPxHXOME98NF76erU1Vx
62P7sdq3JrYFNg+9TUkyjaYnhc5XrHtShzCJxcMKm0NMNm7nWfyYYVwvBYpflSUI
AE1VGcgAAlnH/yLnJPJL1BY6hfjsA2wPO+vituxOGDKCvSuUdWCV1baAW9ySmG4K
Pgle9/Qvg/BNvtVL3dvv
=PzFd
-----END PGP SIGNATURE-----

178
share/security/advisories/FreeBSD-SA-16:17.openssl.asc Normal file
View file

@ -0,0 +1,178 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:17.openssl Security Advisory
The FreeBSD Project
Topic: Multiple OpenSSL vulnerabilities
Category: contrib
Module: openssl
Announced: 2016-05-04
Credits: OpenSSL Project
Affects: All supported versions of FreeBSD.
Corrected: 2016-05-03 18:54:20 UTC (stable/10, 10.3-STABLE)
2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33)
2016-05-04 06:53:02 UTC (stable/9, 9.3-STABLE)
2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41)
CVE Name: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109,
CVE-2016-2176
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
The padding check in AES-NI CBC MAC was rewritten to be in constant time
by making sure that always the same bytes are read and compared against
either the MAC or padding bytes. But it no longer checked that there was
enough data to have both the MAC and padding bytes. [CVE-2016-2107]
An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. [CVE-2016-2105]
An overflow can occur in the EVP_EncryptUpdate() function, however it is
believed that there can be no overflows in internal code due to this problem.
[CVE-2016-2106]
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can casuse allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
[CVE-2016-2109]
ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. [CVE-2016-2176]
FreeBSD does not run on any EBCDIC systems and therefore is not affected.
III. Impact
A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI. [CVE-2016-2107]
If an attacker is able to supply very large amounts of input data then a
length check can overflow resulting in a heap corruption. [CVE-2016-2105]
Any application parsing untrusted data through d2i BIO functions are vulnerable
to memory exhaustion attack. [CVE-2016-2109] TLS applications are not affected.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart all daemons that use the library, or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all daemons that use the library, or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patc
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r299053
releng/9.3/ r299068
stable/10/ r298999
releng/10.1/ r299068
releng/10.2/ r299067
releng/10.3/ r299066
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.openssl.org/news/secadv/20160503.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2106>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2109>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:17.openssl.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXKjuIAAoJEO1n7NZdz2rneZoP/jqsWr9q5MkCel2aZzfmSVhU
8CjzPwm3t48ibZqrkolAak4dbjJGhidUM/S83BvIcCdtKWyoG8D0fzemB7bBIP2L
fqvd1314vuy82CgZlAyJIqzokckUPfyHhTAz9FPZW46f8A+s8znzJcaaD81tt1Xe
qg9JZ61e2DZJ2NdZSJSjOpBl55gZqQq3tIwGYw027GKjiflJSvOG1n/531R4rppI
x0IZpLor7XBWuiC44hPc4yasC4khWzmdaRpqcUoWVEex8g6Il6xByS2o4AgX7kE/
NBZ0mj4IMYZNQW4VUYbnkmLtWXJYYScboBKh4FRljNCG/t5u/YoSfOY8SbS9LT9K
KVj56C6tQRq+/frKbPt26HbqqRTFNVn3FKxJWNQ9CLzsebobXPUYATTN2NVC8gkj
S0A/lT2xnvA2YqB9HfmHOvlHS2LDv8SivJWNK4dCPOwhVm624H4qH/N+VFcwU7zc
ue+BPvDYU/czsyoJDdQoWxTdkreaOY6eLAWkYAh9dEDIkZSOxgsZR7C4th6THXMu
ybIy544elc3bf9vS4tGR552Wi9VntE0B1/LJ2la8l+MnYE6qZL1hbAYpvNyuPWVP
EDPjOc4inaMpV62fuL1UrKH1g1HMmFUnoWhC70iS+cuLeXWFdvwBFyL420Ixkd5H
zvcsfJCrazlcZ6j83Qfd
=PGTh
-----END PGP SIGNATURE-----

103
share/security/patches/EN-16:07/ipi.patch Normal file
View file

@ -0,0 +1,103 @@
--- sys/x86/x86/local_apic.c.orig
+++ sys/x86/x86/local_apic.c
@@ -56,6 +56,7 @@
#include <vm/pmap.h>
#include <x86/apicreg.h>
+#include <machine/clock.h>
#include <machine/cputypes.h>
#include <machine/frame.h>
#include <machine/intr_machdep.h>
@@ -158,6 +159,9 @@
vm_paddr_t lapic_paddr;
static u_long lapic_timer_divisor;
static struct eventtimer lapic_et;
+#ifdef SMP
+static uint64_t lapic_ipi_wait_mult;
+#endif
static void lapic_enable(void);
static void lapic_resume(struct pic *pic, bool suspend_cancelled);
@@ -221,6 +225,9 @@
void
lapic_init(vm_paddr_t addr)
{
+#ifdef SMP
+ uint64_t r, r1, r2, rx;
+#endif
u_int regs[4];
int i, arat;
@@ -275,6 +282,38 @@
lapic_et.et_priv = NULL;
et_register(&lapic_et);
}
+
+#ifdef SMP
+#define LOOPS 1000000
+ /*
+ * Calibrate the busy loop waiting for IPI ack in xAPIC mode.
+ * lapic_ipi_wait_mult contains the number of iterations which
+ * approximately delay execution for 1 microsecond (the
+ * argument to native_lapic_ipi_wait() is in microseconds).
+ *
+ * We assume that TSC is present and already measured.
+ * Possible TSC frequency jumps are irrelevant to the
+ * calibration loop below, the CPU clock management code is
+ * not yet started, and we do not enter sleep states.
+ */
+ KASSERT((cpu_feature & CPUID_TSC) != 0 && tsc_freq != 0,
+ ("TSC not initialized"));
+ r = rdtsc();
+ for (rx = 0; rx < LOOPS; rx++) {
+ (void)lapic->icr_lo;
+ ia32_pause();
+ }
+ r = rdtsc() - r;
+ r1 = tsc_freq * LOOPS;
+ r2 = r * 1000000;
+ lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1;
+ if (bootverbose) {
+ printf("LAPIC: ipi_wait() us multiplier %ju (r %ju tsc %ju)\n",
+ (uintmax_t)lapic_ipi_wait_mult, (uintmax_t)r,
+ (uintmax_t)tsc_freq);
+ }
+#undef LOOPS
+#endif /* SMP */
}
/*
@@ -1381,25 +1420,20 @@
* private to the MD code. The public interface for the rest of the
* kernel is defined in mp_machdep.c.
*/
+
+/*
+ * Wait delay microseconds for IPI to be sent. If delay is -1, we
+ * wait forever.
+ */
int
lapic_ipi_wait(int delay)
{
- int x;
+ uint64_t rx;
- /*
- * Wait delay microseconds for IPI to be sent. If delay is
- * -1, we wait forever.
- */
- if (delay == -1) {
- while ((lapic->icr_lo & APIC_DELSTAT_MASK) != APIC_DELSTAT_IDLE)
- ia32_pause();
- return (1);
- }
-
- for (x = 0; x < delay; x += 5) {
+ for (rx = 0; delay == -1 || rx < lapic_ipi_wait_mult * delay; rx++) {
if ((lapic->icr_lo & APIC_DELSTAT_MASK) == APIC_DELSTAT_IDLE)
return (1);
- DELAY(5);
+ ia32_pause();
}
return (0);
}

16
share/security/patches/EN-16:07/ipi.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJXKj3yAAoJEO1n7NZdz2rnv4kP/06mfaq4/iwxKgkmZ/YA1xr1
OyeEURd20DU/z5IJrcOOM7I6t20tzTpITp4G4TirPAl+614ieFBEJLZtlLYCCnhd
02VfG9SEbqsM1ymfCrWg2FBx9YJtszL6bkWUSjlWA9dei2eomie6GyJeprfVDolD
Va+fp1FDVPmhcw8uXp9BNiCoBe/S1pd1ireMemXVwJCTwzJAcIrhMThDqTBKX9Rh
hxzd4gJBtAfppdPL0jcfjLMN3NUelRLs6AlT447lGJJeLJZTGnZNyaq6TKzHBE9E
witl2MOcaxm3SodaYq5e7CT4DZ+zfZHJ6Tc9r3RqoshlMgVk2DV6GXzcY8Z+GAjv
VeMY4shqEmApu3qIB3h/+PHN9RRPYtt4yNIAJjZt7sYWqEyAIIu4TH3UkUmdbLyg
v+Gf6CmDCoDmPsO0Yg1Ap5TrZy6NxoEXERzPOhgUaRBy7q0VKFrmLZoBw6UJ9GPu
DcS6aSxVoNgD7a/zUkrMezAtOsXD2OGcPpPOvco6JsbYqieoAZ4UGtCRSW+m7uJK
G1i1+c4sC5lqN/PxPvc05ci1RbtrjZFdYakg8Jz4rTegg44zU24ENZ+qW0k4uXUY
pm4ED1z1yozrMghOeTcFvq33j2fttfpHGtR24QCzoIMd6S9NNuCT5zTNf8PpU5aW
Tq2KDK20ywHxg8rBZdlW
=L412
-----END PGP SIGNATURE-----

10
share/security/patches/EN-16:08/zfs.patch Normal file
View file

@ -0,0 +1,10 @@
--- sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c.orig
+++ sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c
@@ -196,6 +196,7 @@
VI_UNLOCK(vp);
vrele(vp);
vfs_unbusy(mp);
+ vfs_freeopts(mp->mnt_optnew);
vfs_mount_destroy(mp);
*vpp = NULL;
return (error);

16
share/security/patches/EN-16:08/zfs.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJXKk4gAAoJEO1n7NZdz2rnJnsQAKcsAvrU96EYdeIHQnR2AJ88
jCHXfXDnGN+dPpHXqBwjVCM4TLTHQVdsa47sw9wWOD5hhlP53qsKmsDohV68E+nc
HSbksbOWACuLtihtiR5bwlU2NuSUF+MKH+P35yqlIC6IFLJ41XrfbPXidJz4vUH0
1FhKGiXgHMlaCDpOxRXVKtQ05O8BvKl3kh1G2u/wM0fbdTWmK98kscc8b/abysi9
qV88b8cDYf9Dn57moFN0GySAKxPTnn4s0IKAu6BCko/bwH9cdwJmbbktpxTZrJuS
s2z0KKO15Wb/iD1SPTF9oxetXc8kok6nTQikLBVUNA6aXCpn69CeD6X7SL4198a0
oCXCZM1cYJDrT7V1Z/JTncF7e66UViLdFxI3v9RnpcGmsz88xjhXKv7jtv5DD+L+
tLsCCHZqfOtNEF7mTBdm0tfZP7B+quhXCnFs4qB945q0nJ1J8s5fLsWKSFgaeYUu
nEmNpjE3EbhxzUVa3xSdbs+hwtcOdMUaOelbO5sehaFOwblO6FDNLZ7TDpU2vfNk
noo9t2OqyK6hJvm+IIZgjwnQxTS64O4ehpd3S5HZit/3ExIt3SdsF7LUuGIHskfU
ucHvK763RsxjbwTyF2M6HV8TWbn8zKdLIJ9AlSF3B3hJIqwIpTKFBF6Sm/ovGe48
kSE51i0jjr8eRC87SB0K
=wnPD
-----END PGP SIGNATURE-----

12
share/security/patches/SA-16:06/libc.patch Normal file
View file

@ -0,0 +1,12 @@
--- lib/libc/db/hash/hash.c.orig
+++ lib/libc/db/hash/hash.c
@@ -423,7 +423,8 @@
free(hashp->tmp_buf);
if (hashp->fp != -1) {
- (void)_fsync(hashp->fp);
+ if (hashp->save_file)
+ (void)_fsync(hashp->fp);
(void)_close(hashp->fp);
}

16
share/security/patches/SA-16:06/libc.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJXKj1xAAoJEO1n7NZdz2rnBE4QALyliMFWZRH6HNFUOmUzpb82
ukBfKSS7MA2xXoFAZAGcpStuHRVg8sl21s4tGtnSa7Q9VkDzr898BG4mFlf+ZNWc
qHZqaZcQbJAJofrywklu4XCss0V9pv5WQ5TPnIaddoQs/USbbx4nZFyiY7p3XFHc
D9U30O8/QAUJO//TwHcQftbhNRJiVINWiGaNlKzf/tW5LipkA+GuMrLjqodA0FjN
nTZo469DWm26YzVKx7QH0ZobqEhK+7P/4Uo+gMLhXfBXnh+EX4P1w+gsYPXOhy02
bL0MsqG9F7tpcNI6tlxjNP0V6PjMCtuEuQ0Fk4rkPEZJDq9B6dc9wY9Vxas5hQ8n
IsNkMeIfNz9plK9WFTwfOiwu9IO84J0xhHgdp4cHqbvFcDSxU+GrtYU2zmPqoxJe
uT+KqdhfC533oN6CXzKzrn+kcxx2NuBt2lIjsg8K1V1Q/ovYpopdPfTOColDdBKZ
41XBo5AdDVS1liTNTiXtjUL9A5Eb8876Be4O+yvhQiXYsRFhQ7Kw2talGLiiJWlP
MOWEtBAvkFYZPedGNnIc+dmtBQ3G2uqEd/w4ZO0tgxkL0jt2b02s9xD0Y3YU9Xtp
f/sjoxT2kWNeQ8MS+zWh2dEj9OIxAerdOZsOSJmchqNHXD3Rv+99jmK/IY78LmbZ
5+hYuoGy4zOMHFXMJ8vm
=9bAQ
-----END PGP SIGNATURE-----

127
share/security/patches/SA-16:17/openssl-10.patch Normal file
View file

@ -0,0 +1,127 @@
--- crypto/openssl/crypto/asn1/a_type.c.orig
+++ crypto/openssl/crypto/asn1/a_type.c
@@ -126,9 +126,7 @@
result = 0; /* They do not have content. */
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
case V_ASN1_BIT_STRING:
case V_ASN1_OCTET_STRING:
case V_ASN1_SEQUENCE:
--- crypto/openssl/crypto/asn1/tasn_dec.c.orig
+++ crypto/openssl/crypto/asn1/tasn_dec.c
@@ -903,9 +903,7 @@
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
tint = (ASN1_INTEGER **)pval;
if (!c2i_ASN1_INTEGER(tint, &cont, len))
goto err;
--- crypto/openssl/crypto/asn1/tasn_enc.c.orig
+++ crypto/openssl/crypto/asn1/tasn_enc.c
@@ -611,9 +611,7 @@
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
/*
* These are all have the same content format as ASN1_INTEGER
*/
--- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c.orig
+++ crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -59,6 +59,7 @@
# include <openssl/aes.h>
# include <openssl/sha.h>
# include "evp_locl.h"
+# include "constant_time_locl.h"
# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
@@ -286,6 +287,8 @@
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255;
+ ret &= constant_time_ge(maxpad, pad);
+
inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
inp_len &= mask;
--- crypto/openssl/crypto/evp/encode.c.orig
+++ crypto/openssl/crypto/evp/encode.c
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/evp.h>
@@ -151,13 +152,13 @@
const unsigned char *in, int inl)
{
int i, j;
- unsigned int total = 0;
+ size_t total = 0;
*outl = 0;
if (inl <= 0)
return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
- if ((ctx->num + inl) < ctx->length) {
+ if (ctx->length - ctx->num > inl) {
memcpy(&(ctx->enc_data[ctx->num]), in, inl);
ctx->num += inl;
return;
@@ -174,7 +175,7 @@
*out = '\0';
total = j + 1;
}
- while (inl >= ctx->length) {
+ while (inl >= ctx->length && total <= INT_MAX) {
j = EVP_EncodeBlock(out, in, ctx->length);
in += ctx->length;
inl -= ctx->length;
@@ -183,6 +184,11 @@
*out = '\0';
total += j + 1;
}
+ if (total > INT_MAX) {
+ /* Too much output data! */
+ *outl = 0;
+ return;
+ }
if (inl != 0)
memcpy(&(ctx->enc_data[0]), in, inl);
ctx->num = inl;
--- crypto/openssl/crypto/evp/evp_enc.c.orig
+++ crypto/openssl/crypto/evp/evp_enc.c
@@ -334,7 +334,7 @@
bl = ctx->cipher->block_size;
OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) {
- if (i + inl < bl) {
+ if (bl - i > inl) {
memcpy(&(ctx->buf[i]), in, inl);
ctx->buf_len += inl;
*outl = 0;
--- crypto/openssl/crypto/x509/x509_obj.c.orig
+++ crypto/openssl/crypto/x509/x509_obj.c
@@ -117,8 +117,9 @@
type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_TELETEXSTRING ||
type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
- ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
- ? sizeof ebcdic_buf : num);
+ if (num > (int)sizeof(ebcdic_buf))
+ num = sizeof(ebcdic_buf);
+ ascii2ebcdic(ebcdic_buf, q, num);
q = ebcdic_buf;
}
#endif

16
share/security/patches/SA-16:17/openssl-10.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJXKjysAAoJEO1n7NZdz2rnmqsP/AhTL40m2kb2Ccu8prEqw2XF
glaizsxpLE5fxARZm4V/MB5s2uQk1OvhN3/im6mzfIZhLwrVnIERtMXG5cZM3fUa
kSguKkP72U2agBivBXLQgsWXWzdzwLk+boS9idUhXj8MU4o9Irrpmm4N31l2K+3A
A853HSIHfOB1R/1U9hKUPTAYnz2SVrqjtcmxAC/0m7//v5mWotR4KE/BL9x8lzUm
ZmdNc/O8HsXkZdIrMt3l4K5va20sFUEFURVhUl2drd4FAv52RK1N36d4uZ09riyU
9/dEJdln4V1HWM48Smy/spqvNBzKUPidJPXw2lfFacKqMAM8h5micvAxfwD50iUy
8noKrZyT9CfeZPGxp9iua5F86Qgco7sRyDL5vgsZQDHLDzQFA4uFgnaW1qDlci+K
qEF5gJtXHw0bezjbiAr0Z/68bcYzcEz5j4/nUmFcd2+ZTzhGY/PKCdHKwoCdvoB9
J+XLCsvM5TN8+OFFp7Mb42fW5BuaRlOjzk1G6zUPSeHVhI6mPcoyYRXDaBudh3KV
DoX6SUFQaqm12wyheFkj0n1tNUMmBd3L5JKPWRNEMbm3kFXVlwbPq4iqKjsMVryy
wxQsdv30WXUpfwtN0XYfAkAcYh99lZB7873qSGJ+MvFPWLi7M7HhHnP46A27zHF/
yflt63U9yT6T/apz5LCa
=sQdP
-----END PGP SIGNATURE-----

108
share/security/patches/SA-16:17/openssl-9.patch Normal file
View file

@ -0,0 +1,108 @@
--- crypto/openssl/crypto/asn1/a_type.c.orig
+++ crypto/openssl/crypto/asn1/a_type.c
@@ -123,9 +123,7 @@
result = 0; /* They do not have content. */
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
case V_ASN1_BIT_STRING:
case V_ASN1_OCTET_STRING:
case V_ASN1_SEQUENCE:
--- crypto/openssl/crypto/asn1/tasn_dec.c.orig
+++ crypto/openssl/crypto/asn1/tasn_dec.c
@@ -901,9 +901,7 @@
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
tint = (ASN1_INTEGER **)pval;
if (!c2i_ASN1_INTEGER(tint, &cont, len))
goto err;
--- crypto/openssl/crypto/asn1/tasn_enc.c.orig
+++ crypto/openssl/crypto/asn1/tasn_enc.c
@@ -610,9 +610,7 @@
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
/*
* These are all have the same content format as ASN1_INTEGER
*/
--- crypto/openssl/crypto/evp/encode.c.orig
+++ crypto/openssl/crypto/evp/encode.c
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/evp.h>
@@ -134,13 +135,13 @@
const unsigned char *in, int inl)
{
int i, j;
- unsigned int total = 0;
+ size_t total = 0;
*outl = 0;
if (inl == 0)
return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
- if ((ctx->num + inl) < ctx->length) {
+ if (ctx->length - ctx->num > inl) {
memcpy(&(ctx->enc_data[ctx->num]), in, inl);
ctx->num += inl;
return;
@@ -157,7 +158,7 @@
*out = '\0';
total = j + 1;
}
- while (inl >= ctx->length) {
+ while (inl >= ctx->length && total <= INT_MAX) {
j = EVP_EncodeBlock(out, in, ctx->length);
in += ctx->length;
inl -= ctx->length;
@@ -166,6 +167,11 @@
*out = '\0';
total += j + 1;
}
+ if (total > INT_MAX) {
+ /* Too much output data! */
+ *outl = 0;
+ return;
+ }
if (inl != 0)
memcpy(&(ctx->enc_data[0]), in, inl);
ctx->num = inl;
--- crypto/openssl/crypto/evp/evp_enc.c.orig
+++ crypto/openssl/crypto/evp/evp_enc.c
@@ -166,7 +166,7 @@
bl = ctx->cipher->block_size;
OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) {
- if (i + inl < bl) {
+ if (bl - i > inl) {
memcpy(&(ctx->buf[i]), in, inl);
ctx->buf_len += inl;
*outl = 0;
--- crypto/openssl/crypto/x509/x509_obj.c.orig
+++ crypto/openssl/crypto/x509/x509_obj.c
@@ -117,8 +117,9 @@
type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_TELETEXSTRING ||
type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
- ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
- ? sizeof ebcdic_buf : num);
+ if (num > (int)sizeof(ebcdic_buf))
+ num = sizeof(ebcdic_buf);
+ ascii2ebcdic(ebcdic_buf, q, num);
q = ebcdic_buf;
}
#endif

16
share/security/patches/SA-16:17/openssl-9.patch.asc Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJXKjyhAAoJEO1n7NZdz2rnvqAP/2EwlDKVEvDlKjYf2jd/A9lk
MLM5bSKBkkOagn2k+ENCj6EK7qMutI7h4gYNfFQ4nMCxHoHQfpLFHrS5KkO6RiLb
yhUR3fmgBGXKo25Tij1w1kpGaiVva8DFe6eEVO4p98gYdezS/78XAaOeFHVxsxCt
BKzxDbGcdbJChLevR3gCSYSLCwbNTUqwc6syYV/334cHBwUOT1dzoUnagGML/zsA
TVVwH+tZoK+yEOk7vlvsSV6H20nQz0I3HFXjd27oXfnK98J9AXiYIGeIMnLJ0S3j
RmeXmB1SZcORQ3yK3cE6qQnHBOUy+xVLf1WFuV2oUX8RvSCAzZKopsOi048ZMxdm
S35j0gP/kf18l3ZzjiUGx34vNsAhG21xp3Ks+dz2ly6R15DLan5nLqVqRu3UIaOE
C56u/+zMBnw6T8TkFWmZcEwrXeYOPlZPdljLMX2Fb9RfT9+m+pEQInUYniyUHZ3r
a6prch27nIBGJwVDGzxugsONOOB524lC0NRisE55PfMahnnAUhXd5HznJ+6U5wdS
bI6mLIo7/vGyelVufZjpUdAT5Zq/ERWkfAMXoZz5SDIPDqbZUYMwPv6iD87k/Zze
Xy2aFwGqy4MRXYmsLAQlNfTGiGu78pYumDIH3odYFrmK6eLR1APhtSdxlvrkiN3V
RhJ4kKgn8Cf8I/Tu92Ah
=Lu+P
-----END PGP SIGNATURE-----

12
share/xml/advisories.xml
View file

@ -7,6 +7,18 @@
<year>
<name>2016</name>
<month>
<name>5</name>
<day>
<name>4</name>
<advisory>
<name>FreeBSD-SA-16:17.openssl</name>
</advisory>
</day>
</month>
<month>
<name>4</name>

21
share/xml/notices.xml
View file

@ -7,6 +7,26 @@
<year>
<name>2016</name>
<month>
<name>5</name>
<day>
<name>4</name>
<notice>
<name>FreeBSD-EN-16:08.zfs</name>
</notice>
<notice>
<name>FreeBSD-EN-16:07.ipi</name>
</notice>
<notice>
<name>FreeBSD-EN-16:06.libc</name>
</notice>
</day>
</month>
<month>
<name>3</name>
@ -23,6 +43,7 @@
</day>
</month>
<month>
<name>1</name>