From vd@datamax.bg  Mon Jun 13 17:05:17 2005
Return-Path: <vd@datamax.bg>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7CDB016A41C;
	Mon, 13 Jun 2005 17:05:17 +0000 (GMT)
	(envelope-from vd@datamax.bg)
Received: from jengal.datamax.bg (jengal.datamax.bg [82.103.104.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EEAFA43D48;
	Mon, 13 Jun 2005 17:05:13 +0000 (GMT)
	(envelope-from vd@datamax.bg)
Received: from sinanica.bg.datamax (sinanica.bg.datamax [192.168.10.1])
	by jengal.datamax.bg (Postfix) with QMQP
	id 1D61E87CD; Mon, 13 Jun 2005 20:05:09 +0300 (EEST)
Received: (nullmailer pid 56133 invoked by uid 1004);
	Mon, 13 Jun 2005 17:05:07 -0000
Message-Id: <20050613170507.GA50676@sinanica.bg.datamax>
Date: Mon, 13 Jun 2005 20:05:07 +0300
From: Vasil Dimov <vd@datamax.bg>
Reply-To: vd@datamax.bg
To: FreeBSD-gnats-submit@freebsd.org
Cc: roam@freebsd.org
Subject: [patch] solve security/stunnel's ucontext(3) issue
X-Send-Pr-Version: 3.113

>Number:         82202
>Category:       ports
>Synopsis:       [patch] solve security/stunnel's ucontext(3) issue
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    roam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 13 17:10:23 GMT 2005
>Closed-Date:    Tue Jun 14 09:10:36 GMT 2005
>Last-Modified:  Tue Jun 14 09:10:36 GMT 2005
>Originator:     Vasil Dimov
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
DataMax
>Environment:

>Description:

This patch fixes the ucontext(3) issue in security/stunnel, described
and discussed in:

http://lists.FreeBSD.org/pipermail/freebsd-ports/2005-May/023344.html
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=81001
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=81162
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=81289

The actual problem is that stunnel tries to reuse its initially
prepared cleanup context. This technique does not work with FreeBSD.
The fix introduced in this patch reinitializes the cleanup context every
time it is going to be used.

>How-To-Repeat:

>Fix:

--- stunnel_ucontext.diff begins here ---
diff -urN stunnel.orig/Makefile stunnel/Makefile
--- stunnel.orig/Makefile	Mon Jun 13 19:45:30 2005
+++ stunnel/Makefile	Mon Jun 13 19:31:55 2005
@@ -7,7 +7,7 @@
 
 PORTNAME=	stunnel
 PORTVERSION=	4.10
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	http://www.stunnel.org/download/stunnel/src/ \
 		ftp://stunnel.mirt.net/stunnel/OBSOLETE/ \
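Review bot: the PORTREVISION bump from 1 to 2 is required here, since the three new files under files/ change the installed stunnel binary while PORTVERSION stays at 4.10; nothing else is needed in this hunk, but the commit log should mention that this is a FreeBSD-only fix to the ucontext(3) scheduler so the bump is not mistaken for an upstream update.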
diff -urN stunnel.orig/files/patch-ucontext_src::network.c.diff stunnel/files/patch-ucontext_src::network.c.diff
--- stunnel.orig/files/patch-ucontext_src::network.c.diff	Thu Jan  1 02:00:00 1970
+++ stunnel/files/patch-ucontext_src::network.c.diff	Mon Jun 13 19:13:34 2005
@@ -0,0 +1,10 @@
+--- src/network.c.orig	Mon Jun 13 18:57:42 2005
++++ src/network.c	Mon Jun 13 19:10:55 2005
+@@ -209,6 +209,7 @@
+ 
+     /* switch the context */
+     if(fds) { /* swap the context */
++        rewind_ctx_cleanup(ready_head);
+         swapcontext(&ctx->ctx, &ready_head->ctx);
+         return ready_head->ready;
+     } else { /* drop the context */
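Review bot: the rewind is only applied on the "swap the context" branch; the "drop the context" branch that starts on the last context line of this hunk is not shown, and if it also transfers control to ready_head (without saving the current context) it needs the same `rewind_ctx_cleanup(ready_head);` before that transfer, otherwise a context that exits through the drop path can still be resumed with a stale cleanup context as its uc_link target. A one-line comment next to the added call, saying that ctx_cleanup is rebuilt because it cannot be re-entered once it has run on FreeBSD, would also save the next reader a trip to the PR.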
diff -urN stunnel.orig/files/patch-ucontext_src::prototypes.h.diff stunnel/files/patch-ucontext_src::prototypes.h.diff
--- stunnel.orig/files/patch-ucontext_src::prototypes.h.diff	Thu Jan  1 02:00:00 1970
+++ stunnel/files/patch-ucontext_src::prototypes.h.diff	Mon Jun 13 19:14:23 2005
@@ -0,0 +1,10 @@
+--- src/prototypes.h.orig	Mon Jun 13 18:57:23 2005
++++ src/prototypes.h	Mon Jun 13 19:09:59 2005
+@@ -327,6 +327,7 @@
+ } CONTEXT;
+ extern CONTEXT *ready_head, *ready_tail;
+ extern CONTEXT *waiting_head, *waiting_tail;
++void rewind_ctx_cleanup(CONTEXT *ctx);
+ #endif
+ #ifdef DEBUG_STACK_SIZE
+ void stack_info(int);
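Review bot: the prototype is added inside the conditional block that declares CONTEXT, ready_head and waiting_head (the block closed by the `#endif` shown in the hunk), so the definition in sthreads.c must be under the same conditional; otherwise builds that select a different threading model would compile a function whose CONTEXT parameter type is never declared. Please confirm the sthreads.c definition sits inside that same block.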
diff -urN stunnel.orig/files/patch-ucontext_src::sthreads.c.diff stunnel/files/patch-ucontext_src::sthreads.c.diff
--- stunnel.orig/files/patch-ucontext_src::sthreads.c.diff	Thu Jan  1 02:00:00 1970
+++ stunnel/files/patch-ucontext_src::sthreads.c.diff	Mon Jun 13 19:17:08 2005
@@ -0,0 +1,18 @@
+--- src/sthreads.c.orig	Mon Jun 13 18:57:08 2005
++++ src/sthreads.c	Mon Jun 13 19:17:04 2005
+@@ -66,6 +66,15 @@
+     s_poll_wait(NULL, 0); /* wait on poll() */
+ }
+ 
++/*
++ * Reinitialize cleanup context to make it reusable
++ * This is necessary at least on FreeBSD 5.4
++ */
++void rewind_ctx_cleanup(CONTEXT *ctx) {
++    if (ctx->ctx.uc_link == &ctx_cleanup)
++        makecontext(&ctx_cleanup, ctx_cleanup_func, 0);
++}
++
+ static CONTEXT *new_context(void) {
+     CONTEXT *ctx;
+ 
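Review bot: the comment says this is "necessary at least on FreeBSD 5.4" but not why; it should state the actual reason, that a cleanup context prepared once with makecontext(3) is not safely re-entered after it has already run, so it is rebuilt before every use. Two further points on the function: makecontext(3) only re-establishes the entry point and keeps the uc_stack and uc_link previously set up for ctx_cleanup, so the function silently assumes that the initial getcontext()/stack assignment for ctx_cleanup has already happened and must never be called before it (worth a comment); and because every context created by new_context() presumably points its uc_link at ctx_cleanup, the `if (ctx->ctx.uc_link == &ctx_cleanup)` guard is effectively always true, which is fine as a safety check but means one makecontext(3) per context switch, so the comment could note that this cost was judged acceptable.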
--- stunnel_ucontext.diff ends here ---
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->roam 
Responsible-Changed-By: flz 
Responsible-Changed-When: Mon Jun 13 19:07:32 GMT 2005 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=82202 
State-Changed-From-To: open->closed 
State-Changed-By: roam 
State-Changed-When: Tue Jun 14 09:09:37 GMT 2005 
State-Changed-Why:  
I've committed Michael Trojnara's patch.  Still, thanks A LOT for all 
the time you've spent tracking this down! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=82202 
>Unformatted:
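Added example, not part of this PR and not stunnel's own code: a miniature ucontext(3) scheduler in C that applies the same fix as the patch above, rebuilding a shared cleanup context with makecontext(3) before every switch to a worker whose uc_link points at it. The names run_scheduler, rewind_cleanup, cleanup_func, last_run_steps and struct worker are this example's own. On systems where a once-prepared cleanup context can be re-entered the rewind is redundant but harmless; the example shows where the call belongs so that every worker exit lands in a freshly built cleanup context.

```c
/* Added example (not stunnel code): cooperative scheduler built on
 * ucontext(3), with the "rewind the cleanup context" fix from PR 82202.
 * All names here are the example's own. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>

#define STACK_SIZE (64 * 1024)
#define MAX_WORKERS 8

struct worker {
    ucontext_t ctx;      /* saved register state of this coroutine */
    char *stack;         /* its private stack */
    int id;
    int steps;           /* number of times it yielded */
    int finished;        /* set by the cleanup context */
};

static ucontext_t sched_ctx;            /* the scheduler loop */
static ucontext_t cleanup_ctx;          /* shared uc_link target of all workers */
static char cleanup_stack[STACK_SIZE];
static struct worker *current;          /* worker being run right now */
static int cleanup_runs;                /* how often cleanup_func ran */
static int last_total_steps;            /* sum of steps from the last run */

/* Entered via uc_link when a worker function returns. It never returns
 * itself: it marks the worker dead and jumps back to the scheduler. */
static void cleanup_func(void) {
    current->finished = 1;
    cleanup_runs++;
    current = NULL;
    setcontext(&sched_ctx);
}

/* The fix from the PR, in this example's names: rebuild cleanup_ctx before
 * switching to a worker that will return into it. makecontext(3) keeps the
 * stack and uc_link already set on cleanup_ctx and only resets the entry. */
static void rewind_cleanup(struct worker *w) {
    if (w->ctx.uc_link == &cleanup_ctx)
        makecontext(&cleanup_ctx, cleanup_func, 0);
}

/* Cooperative yield: save this worker's state and resume the scheduler. */
static void yield_to_scheduler(void) {
    current->steps++;
    swapcontext(&current->ctx, &sched_ctx);
}

/* Worker i yields i+1 times, then returns, which jumps to cleanup_ctx. */
static void worker_func(void) {
    int i, rounds = current->id + 1;
    for (i = 0; i < rounds; i++)
        yield_to_scheduler();
}

static int init_worker(struct worker *w, int id) {
    memset(w, 0, sizeof *w);
    w->id = id;
    w->stack = malloc(STACK_SIZE);
    if (w->stack == NULL || getcontext(&w->ctx) != 0)
        return -1;
    w->ctx.uc_stack.ss_sp = w->stack;
    w->ctx.uc_stack.ss_size = STACK_SIZE;
    w->ctx.uc_link = &cleanup_ctx;      /* exit path of every worker */
    makecontext(&w->ctx, worker_func, 0);
    return 0;
}

/* Run n workers round-robin until all have exited through cleanup_ctx.
 * Returns the number of cleanup runs (n when everything worked) or -1. */
int run_scheduler(int n) {
    struct worker workers[MAX_WORKERS];
    int i, alive;

    if (n < 1 || n > MAX_WORKERS)
        return -1;
    cleanup_runs = 0;
    last_total_steps = 0;
    if (getcontext(&cleanup_ctx) != 0)  /* one-time setup; rewind_cleanup assumes it */
        return -1;
    cleanup_ctx.uc_stack.ss_sp = cleanup_stack;
    cleanup_ctx.uc_stack.ss_size = sizeof cleanup_stack;
    cleanup_ctx.uc_link = NULL;         /* cleanup_func always setcontext()s away */
    for (i = 0; i < n; i++)
        if (init_worker(&workers[i], i) != 0)
            return -1;

    do {
        alive = 0;
        for (i = 0; i < n; i++) {
            if (workers[i].finished)
                continue;
            alive = 1;
            current = &workers[i];
            rewind_cleanup(current);    /* fresh cleanup context before each switch */
            swapcontext(&sched_ctx, &current->ctx);
        }
    } while (alive);

    for (i = 0; i < n; i++) {
        last_total_steps += workers[i].steps;
        free(workers[i].stack);
    }
    return cleanup_runs;
}

/* Total yields performed by all workers in the last run_scheduler() call. */
int last_run_steps(void) {
    return last_total_steps;
}

int main(void) {
    int n = 4;
    int runs = run_scheduler(n);
    printf("workers=%d cleanup runs=%d total yields=%d\n", n, runs, last_run_steps());
    return runs == n ? 0 : 1;
}
```

With four workers, worker i yields i+1 times, so the scheduler performs 1+2+3+4 = 10 switches back from workers and the cleanup context runs exactly four times, once per worker exit.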
