Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch | 171 |
1 files changed, 171 insertions, 0 deletions
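--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
@@ -0,0 +1,171 @@
+From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected
+symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+misc.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+misc.h | 1 +
+ssh-pkcs11.c | 4 +++
+ssh-sk.c | 6 ++--
+4 files changed, 86 insertions(+), 2 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index 3a31d5c..8a107e4 100644
+--- a/misc.c
++++ b/misc.c
+@@ -28,6 +28,7 @@
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
++#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+@@ -41,6 +42,9 @@
+#ifdef HAVE_POLL_H
+#include <poll.h>
+#endif
++#ifdef HAVE_NLIST_H
++#include <nlist.h>
++#endif
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler)
+}
+return osa.sa_handler;
+}
++
++
++/*
++ * Returns zero if the library at 'path' contains symbol 's', nonzero
++ * otherwise.
++ */
++int
++lib_contains_symbol(const char *path, const char *s)
++{
++#ifdef HAVE_NLIST_H
++ struct nlist nl[2];
++ int ret = -1, r;
++
++ memset(nl, 0, sizeof(nl));
++ nl[0].n_name = xstrdup(s);
++ nl[1].n_name = NULL;
++ if ((r = nlist(path, nl)) == -1) {
++ error("%s: nlist failed for %s", __func__, path);
++ goto out;
++ }
++ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
++ error("%s: library %s does not contain symbol %s", __func__, path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ free(nl[0].n_name);
++ return ret;
++#else /* HAVE_NLIST_H */
++ int fd, ret = -1;
++ struct stat st;
++ void *m = NULL;
++ size_t sz = 0;
++
++ memset(&st, 0, sizeof(st));
++ if ((fd = open(path, O_RDONLY)) < 0) {
++ error("%s: open %s: %s", __func__, path, strerror(errno));
++ return -1;
++ }
++ if (fstat(fd, &st) != 0) {
++ error("%s: fstat %s: %s", __func__, path, strerror(errno));
++ goto out;
++ }
++ if (!S_ISREG(st.st_mode)) {
++ error("%s: %s is not a regular file", __func__, path);
++ goto out;
++ }
++ if (st.st_size < 0 ||
++ (size_t)st.st_size < strlen(s) ||
++ st.st_size >= INT_MAX/2) {
++ error("%s: %s bad size %lld", __func__, path, (long long)st.st_size);
++ goto out;
++ }
++ sz = (size_t)st.st_size;
++ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
++ m == NULL) {
++ error("%s: mmap %s: %s", __func__, path, strerror(errno));
++ goto out;
++ }
++ if (memmem(m, sz, s, strlen(s)) == NULL) {
++ error("%s: %s does not contain expected string %s", __func__, path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ if (m != NULL && m != MAP_FAILED)
++ munmap(m, sz);
++ close(fd);
++ return ret;
++#endif /* HAVE_NLIST_H */
++}
+diff --git a/misc.h b/misc.h
+index 4a05db2..3f9f4db 100644
+--- a/misc.h
++++ b/misc.h
+@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *);
+int parse_absolute_time(const char *, uint64_t *);
+void format_absolute_time(uint64_t, char *, size_t);
+int path_absolute(const char *);
++int lib_contains_symbol(const char *, const char *);
+
+void sock_set_v6only(int);
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index b56a41b..639a6f7 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin,
+__func__, provider_id);
+goto fail;
+}
++ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
++ error("provider %s is not a PKCS11 library", provider_id);
++ goto fail;
++ }
+/* open shared pkcs11-library */
+if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+error("dlopen %s failed: %s", provider_id, dlerror());
+diff --git a/ssh-sk.c b/ssh-sk.c
+index 5ff9381..9df12cc 100644
+--- a/ssh-sk.c
++++ b/ssh-sk.c
+@@ -119,10 +119,12 @@ sshsk_open(const char *path)
+#endif
+return ret;
+}
+- if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+- error("Provider \"%s\" dlopen failed: %s", path, dlerror());
++ if (lib_contains_symbol(path, "sk_api_version") != 0) {
++ error("provider %s is not an OpenSSH FIDO library", path);
+goto fail;
+}
++ if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
++ fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
+if ((ret->sk_api_version = dlsym(ret->dlhandle,
+"sk_api_version")) == NULL) {
+error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
+--
+2.41.0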
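Review bot: The `#else` branch of `lib_contains_symbol` (patch lines 80–122, compiled when HAVE_NLIST_H is absent, which is typically the case on glibc-based targets) is a `memmem` substring search over the whole mapped file, so it establishes only that the byte sequence occurs somewhere in the file, not that the library exports that symbol; the header comment `Returns zero if the library at 'path' contains symbol 's'` describes the nlist branch and overstates what the fallback checks. I would extend that comment with `Without nlist(3) this degrades to a substring scan of the file and is a sanity check before dlopen(), not a symbol-table lookup.` The check and the later `dlopen()` each resolve `path` on their own, so the pre-check is advisory about what ends up loaded, which matches the commit message's framing but is worth a short comment at the two call sites. The ssh-sk.c hunk additionally turns a `dlopen()` failure from `error()` plus `goto fail` into `fatal()`, so `sshsk_open()` no longer returns NULL on that path; if that escalation is intended in this backport, a one-line comment there would make the change in contract explicit. `sshsk_open()` and `pkcs11_register_provider()` both begin outside the quoted hunks.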