[kirkstone] openssl: Security fix for CVE-2024-4741

Message ID	20240602164519.126463-1-sdoshi@mvista.com
State	Superseded
Delegated to:	Steve Sakoman
Headers	show Return-Path: <sdoshi@mvista.com> ip: 209.85.161.50, mailfrom: sdoshi@mvista.com) From: Siddharth <sdoshi@mvista.com> To: openembedded-core@lists.openembedded.org Cc: Siddharth Doshi <sdoshi@mvista.com> Subject: [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741 Date: Sun, 2 Jun 2024 22:15:19 +0530 Message-Id: <20240602164519.126463-1-sdoshi@mvista.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone] openssl: Security fix for CVE-2024-4741 \| expand [kirkstone] openssl: Security fix for CVE-2024-4741

Message ID

20240602164519.126463-1-sdoshi@mvista.com

State

Superseded

Delegated to:

Steve Sakoman

Headers

From: Siddharth <sdoshi@mvista.com>
To: openembedded-core@lists.openembedded.org
Cc: Siddharth Doshi <sdoshi@mvista.com>
Subject: [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741
Date: Sun,  2 Jun 2024 22:15:19 +0530
Message-Id: <20240602164519.126463-1-sdoshi@mvista.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone] openssl: Security fix for CVE-2024-4741 | expand

Commit Message

Siddharth June 2, 2024, 4:45 p.m. UTC

From: Siddharth Doshi <sdoshi@mvista.com>

Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397]

CVE's Fixed:
CVE-2024-4741:Use After Free with SSL_free_buffers

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 .../openssl/openssl/CVE-2024-4741.patch       | 76 +++++++++++++++++++
 .../openssl/openssl_3.0.13.bb                 |  1 +
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch

Comments

Marko, Peter June 2, 2024, 5:33 p.m. UTC | #1

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Siddharth via lists.openembedded.org
Sent: Sunday, June 2, 2024 18:45
To: openembedded-core@lists.openembedded.org
Cc: Siddharth Doshi <sdoshi@mvista.com>
Subject: [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741

> From: Siddharth Doshi <sdoshi@mvista.com>
> 
> Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397]

Nitpick : above commit link references commit for CVE-2024-4603 (copy+paste error).

The main problem of this patch (and the same patch for scarthgap) is that it's picking only one out of 5 commits referencing this CVE.
At least https://github.com/openssl/openssl/commit/2d05959073c4bf8803401668b9df85931a08e020 needs to be picked.
But ideally also the remaining 3 which extend tests should be picked to verify these changes in ptest.
https://github.com/openssl/openssl/commit/6fef334f914abfcd988e53a32d19f01d84529f74
https://github.com/openssl/openssl/commit/1359c00e683840154760b7ba9204bad1b13dc074
https://github.com/openssl/openssl/commit/d095674320c84b8ed1250715b1dd5ce05f9f267b

Peter

> 
> CVE's Fixed:
> CVE-2024-4741:Use After Free with SSL_free_buffers
> 
> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>

Siddharth June 2, 2024, 5:52 p.m. UTC | #2

>> Nitpick : above commit link references commit for CVE-2024-4603 (copy+paste error).

- Ahh, that's silly of me. Guess the cup of coffee didnt take away the drowsiness completely.. Thank-you for pointing it out.

>> The main problem of this patch (and the same patch for scarthgap) is that it's picking only one out of 5 commits referencing this CVE.
- That definately makes sense. I just followed the fix links from https://openssl.org/news/vulnerabilities.html and didnt dive deeper.

- I will send a v2 by tomorrow.

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch
new file mode 100644
index 0000000000..2fbc55b48a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch
@@ -0,0 +1,76 @@ 
+From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24395)
+
+(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177)
+
+Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d]
+CVE: CVE-2024-4741
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h       | 1 +
+ ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 4bcffcc..1569997 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index 234656b..b60f71c 100644
+--- a/ssl/record/record.h
++++ b/ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 2c8479e..131eaac 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -5491,6 +5491,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.35.7
+
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
index 87ab4047d9..46f02aa20a 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
@@ -14,6 +14,7 @@  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
            file://CVE-2024-2511.patch \
            file://CVE-2024-4603.patch \
+           file://CVE-2024-4741.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \

[kirkstone] openssl: Security fix for CVE-2024-4741

Commit Message

Comments

Patch