[scarthgap] mbedtls: fix CVE-2025-47917

Message ID 20251214180446.2682162-1-kai.kang@windriver.com
State New

Commit Message

Kai Dec. 14, 2025, 6:04 p.m. UTC
From: Kai Kang <kai.kang@windriver.com>

CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes
a head argument and performs a deep free() on it.

Backport the patch to fix CVE-2025-47917 and drop the modifications to the doc
file and the comment in the header file, which lack context.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../mbedtls/mbedtls/CVE-2025-47917.patch      | 52 +++++++++++++++++++
 .../mbedtls/mbedtls_2.28.10.bb                |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch
Patch

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch
new file mode 100644
index 0000000000..75c4829191
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch
@@ -0,0 +1,52 @@ 
+From 19d2c9165a13decf754177adda2bf59fd0e32aa1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
+ <manuel.pegourie-gonnard@arm.com>
+Date: Mon, 5 May 2025 16:41:52 +0200
+Subject: [PATCH] Fix undocumented free() in x509_string_to_names()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer
+crashing with use-after-free, instead it's now failing cleanly:
+
+ failed
+  !  mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid
+
+That's better of course but still not great, will be fixed by future
+commits.
+
+Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
+
+CVE: CVE-2025-47917
+
+Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73]
+
+Backport patch to fix CVE-2025-47917 and drop the modification in doc
+file and comment in header file which lack of context.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ library/x509_create.c                          |  8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+ create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt
+
+diff --git a/library/x509_create.c b/library/x509_create.c
+index 839b5df226..420e36b81b 100644
+--- a/library/x509_create.c
++++ b/library/x509_create.c
+@@ -122,8 +122,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
+     char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+     char *d = data;
+ 
+-    /* Clear existing chain if present */
+-    mbedtls_asn1_free_named_data_list(head);
++    /* Ensure the output parameter is not already populated.
++     * (If it were, overwriting it would likely cause a memory leak.)
++     */
++    if (*head != NULL) {
++        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
++    }
+ 
+     while (c <= end) {
+         if (in_tag && *c == '=') {
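Review bot: the embedded patch header's diffstat still lists `create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt`, but no ChangeLog file is carried in the hunk below, and `1 files changed` reads oddly after the trimming; drop that stat line (and fix the count wording) so the header matches what the patch actually touches. The `From 19d2c9165a13decf754177adda2bf59fd0e32aa1` line and `Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73]` name two different commits; please point both at the same upstream commit so the backport is traceable. Functionally, since the header-comment change was dropped, the only documentation of the new precondition is the in-code comment: a caller that passes a populated `*head` now gets `MBEDTLS_ERR_X509_BAD_INPUT_DATA` where it previously had the list freed and rebuilt, so it is worth confirming that no in-tree 2.28 caller (for example the programs/x509 tools) relied on the old clearing behaviour.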
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
index 62e6c90f63..53462953ef 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
@@ -26,6 +26,7 @@  S = "${WORKDIR}/git"
 SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561"
 SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \
            file://run-ptest \
+           file://CVE-2025-47917.patch \
           "
 
 inherit cmake update-alternatives ptest