[kirkstone,02/13] curl: Fix CVE-2023-28320

Message ID	c761d822be5ffc4a88600fbd7282c469b1e9902a.1685500244.git.steve@sakoman.com
State	Accepted, archived
Commit	c761d822be5ffc4a88600fbd7282c469b1e9902a
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.215.179, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/13] curl: Fix CVE-2023-28320 Date: Tue, 30 May 2023 16:34:09 -1000 Message-Id: <c761d822be5ffc4a88600fbd7282c469b1e9902a.1685500244.git.steve@sakoman.com> In-Reply-To: <cover.1685500244.git.steve@sakoman.com> References: <cover.1685500244.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/13] curl: Fix CVE-2023-28319 \| expand [kirkstone,01/13] curl: Fix CVE-2023-28319 [kirkstone,02/13] curl: Fix CVE-2023-28320 [kirkstone,03/13] curl: Fix CVE-2023-28321 [kirkstone,04/13] curl: Fix CVE-2023-28322 [kirkstone,05/13] linux-yocto/5.10: update to v5.10.176 [kirkstone,06/13] linux-yocto/5.10: update to v5.10.177 [kirkstone,07/13] linux-yocto/5.10: update to v5.10.178 [kirkstone,08/13] linux-yocto/5.10: update to v5.10.179 [kirkstone,09/13] linux-yocto/5.10: update to v5.10.180 [kirkstone,10/13] kernel-devicetree: allow specification of dtb directory [kirkstone,11/13] kernel-devicetree: make shell scripts posix compliant [kirkstone,12/13] package: enable recursion on file globs [kirkstone,13/13] kernel-devicetree: recursively search for dtbs

Message ID

c761d822be5ffc4a88600fbd7282c469b1e9902a.1685500244.git.steve@sakoman.com

State

Accepted, archived

Commit

c761d822be5ffc4a88600fbd7282c469b1e9902a

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/13] curl: Fix CVE-2023-28320
Date: Tue, 30 May 2023 16:34:09 -1000
Message-Id: 
 <c761d822be5ffc4a88600fbd7282c469b1e9902a.1685500244.git.steve@sakoman.com>
In-Reply-To: <cover.1685500244.git.steve@sakoman.com>
References: <cover.1685500244.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/13] curl: Fix CVE-2023-28319 | expand

Commit Message

Steve Sakoman May 31, 2023, 2:34 a.m. UTC

From: Bhabu Bindu <bhabu.bindu@kpit.com>

Add patch to fix CVE-2023-28320

siglongjmp race condition

libcurl provides several different backends for resolving host names,
selectedat build time. If it is built to use the synchronous resolver,
it allows nameresolves to time-out slow operations using `alarm()` and
`siglongjmp()`.

When doing this, libcurl used a global buffer that was not mutex
protected anda multi-threaded application might therefore
crash or otherwise misbehave.

Link: https://curl.se/docs/CVE-2023-28320.html

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2023-28320.patch            | 83 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 84 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
new file mode 100644
index 0000000000..1e0fc7534a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
@@ -0,0 +1,83 @@ 
+From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Tue, 25 Apr 2023 09:22:26 +0200
+Subject: [PATCH] hostip: add locks around use of global buffer for alarm()
+
+When building with the sync name resolver and timeout ability we now
+require thread-safety to be present to enable it.
+
+Closes #11030
+
+CVE: CVE-2023-28320
+Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ lib/hostip.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/lib/hostip.c b/lib/hostip.c
+index 2381290fdd43e..e410cda69ae6e 100644
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -70,12 +70,19 @@
+ #include <SystemConfiguration/SCDynamicStoreCopySpecific.h>
+ #endif
+ 
+-#if defined(CURLRES_SYNCH) && \
+-    defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
++#if defined(CURLRES_SYNCH) &&                   \
++  defined(HAVE_ALARM) &&                        \
++  defined(SIGALRM) &&                           \
++  defined(HAVE_SIGSETJMP) &&                    \
++  defined(GLOBAL_INIT_IS_THREADSAFE)
+ /* alarm-based timeouts can only be used with all the dependencies satisfied */
+ #define USE_ALARM_TIMEOUT
+ #endif
+ 
++#ifdef USE_ALARM_TIMEOUT
++#include "easy_lock.h"
++#endif
++
+ #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
+ 
+ /*
+@@ -254,11 +261,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
+     Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
+ }
+ 
+-#ifdef HAVE_SIGSETJMP
++#ifdef USE_ALARM_TIMEOUT
+ /* Beware this is a global and unique instance. This is used to store the
+    return address that we can jump back to from inside a signal handler. This
+    is not thread-safe stuff. */
+ sigjmp_buf curl_jmpenv;
++curl_simple_lock curl_jmpenv_lock;
+ #endif
+ 
+ /* lookup address, returns entry if found and not stale */
+@@ -832,7 +840,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
+ static
+ void alarmfunc(int sig)
+ {
+-  /* this is for "-ansi -Wall -pedantic" to stop complaining!   (rabe) */
+   (void)sig;
+   siglongjmp(curl_jmpenv, 1);
+ }
+@@ -912,6 +919,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
+      This should be the last thing we do before calling Curl_resolv(),
+      as otherwise we'd have to worry about variables that get modified
+      before we invoke Curl_resolv() (and thus use "volatile"). */
++  curl_simple_lock_lock(&curl_jmpenv_lock);
++
+   if(sigsetjmp(curl_jmpenv, 1)) {
+     /* this is coming from a siglongjmp() after an alarm signal */
+     failf(data, "name lookup timed out");
+@@ -980,6 +989,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
+ #endif
+ #endif /* HAVE_SIGACTION */
+ 
++  curl_simple_lock_unlock(&curl_jmpenv_lock);
++
+   /* switch back the alarm() to either zero or to what it was before minus
+      the time we spent until now! */
+   if(prev_alarm) {
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index e38bf14cc4..422c2bec0f 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -46,6 +46,7 @@  SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2023-27535_and_CVE-2023-27538.patch \
            file://CVE-2023-27536.patch \
            file://CVE-2023-28319.patch \
+           file://CVE-2023-28320.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"

[kirkstone,02/13] curl: Fix CVE-2023-28320

Commit Message

Patch