Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2023-28320.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2023-28320.patch | 86 |
1 files changed, 86 insertions, 0 deletions
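diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
new file mode 100644
index 0000000000..0c9b67440a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
@@ -0,0 +1,86 @@
+From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Tue, 25 Apr 2023 09:22:26 +0200
+Subject: [PATCH] hostip: add locks around use of global buffer for alarm()
+
+When building with the sync name resolver and timeout ability we now
+require thread-safety to be present to enable it.
+
+Closes #11030
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2]
+CVE: CVE-2023-28320
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+lib/hostip.c | 19 +++++++++++++++----
+1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/lib/hostip.c b/lib/hostip.c
+index f5bb634..5231a74 100644
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -68,12 +68,19 @@
+#include "curl_memory.h"
+#include "memdebug.h"
+
+-#if defined(CURLRES_SYNCH) && \
+- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
++#if defined(CURLRES_SYNCH) && \
++ defined(HAVE_ALARM) && \
++ defined(SIGALRM) && \
++ defined(HAVE_SIGSETJMP) && \
++ defined(GLOBAL_INIT_IS_THREADSAFE)
+/* alarm-based timeouts can only be used with all the dependencies satisfied */
+#define USE_ALARM_TIMEOUT
+#endif
+
++#ifdef USE_ALARM_TIMEOUT
++#include "easy_lock.h"
++#endif
++
+#define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
+
+/*
+@@ -248,11 +255,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
+Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
+}
+
+-#ifdef HAVE_SIGSETJMP
++#ifdef USE_ALARM_TIMEOUT
+/* Beware this is a global and unique instance. This is used to store the
+return address that we can jump back to from inside a signal handler. This
+is not thread-safe stuff. */
+sigjmp_buf curl_jmpenv;
++curl_simple_lock curl_jmpenv_lock;
+#endif
+
+/* lookup address, returns entry if found and not stale */
+@@ -614,7 +622,6 @@ enum resolve_t Curl_resolv(struct connectdata *conn,
+static
+RETSIGTYPE alarmfunc(int sig)
+{
+- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
+(void)sig;
+siglongjmp(curl_jmpenv, 1);
+}
+@@ -695,6 +702,8 @@ enum resolve_t Curl_resolv_timeout(struct connectdata *conn,
+This should be the last thing we do before calling Curl_resolv(),
+as otherwise we'd have to worry about variables that get modified
+before we invoke Curl_resolv() (and thus use "volatile"). */
++ curl_simple_lock_lock(&curl_jmpenv_lock);
++
+if(sigsetjmp(curl_jmpenv, 1)) {
+/* this is coming from a siglongjmp() after an alarm signal */
+failf(data, "name lookup timed out");
+@@ -763,6 +772,8 @@ clean_up:
+#endif
+#endif /* HAVE_SIGACTION */
+
++ curl_simple_lock_unlock(&curl_jmpenv_lock);
++
+/* switch back the alarm() to either zero or to what it was before minus
+the time we spent until now! */
+if(prev_alarm) {
+--
+2.25.1
+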
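Review bot: In the embedded lib/hostip.c hunk at -68/+68, `defined(GLOBAL_INIT_IS_THREADSAFE)` is tested before `#include "easy_lock.h"`, and that include is itself placed under `#ifdef USE_ALARM_TIMEOUT`. In upstream curl the macro is defined by easy_lock.h, so unless another header already in scope defines it here (not visible on this page), USE_ALARM_TIMEOUT is never set and the alarm-based resolver timeout is silently compiled out instead of being guarded by the new lock. I would move `#include "easy_lock.h"` unconditionally above the `#if defined(CURLRES_SYNCH) && \` block, and confirm that the curl version this recipe builds actually ships easy_lock.h. A test build should also check that a sync-resolver lookup still times out after the backport, because otherwise the CVE is closed only by losing the timeout.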