1 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch
new file mode 100644
index 0000000000..12486e1710
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch
@@ -0,0 +1,137 @@
+From 6c7f9703e42bc5278d0a4a6f0a39d07d62123ea3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Tue, 31 Mar 2020 06:58:48 +0200
+Subject: [PATCH 2/3] build: use valgrind client request to detect undefined
+ memory use
+commit 50ad8778a81f9421effa4c5a3b457f98e559b178 from https://gitlab.com/gnutls/gnutls.git
+This tightens the check introduced in
+ac2f71b892d13a7ab4cc39086eef179042c7e23c, by using the valgrind client
+request to explicitly mark the "uninitialized but initialization is
+needed before use" regions.  With this patch and the
+fix (c01011c2d8533dbbbe754e49e256c109cb848d0d) reverted, you will see
+the following error when running dtls_hello_random_value under
+valgrind:
+  $ valgrind ./dtls_hello_random_value
+  testing: default
+  ==520145== Conditional jump or move depends on uninitialised value(s)
+  ==520145==    at 0x4025F5: hello_callback (dtls_hello_random_value.c:90)
+  ==520145==    by 0x488BF97: _gnutls_call_hook_func (handshake.c:1215)
+  ==520145==    by 0x488C1AA: _gnutls_send_handshake2 (handshake.c:1332)
+  ==520145==    by 0x488FC7E: send_client_hello (handshake.c:2290)
+  ==520145==    by 0x48902A1: handshake_client (handshake.c:2908)
+  ==520145==    by 0x48902A1: gnutls_handshake (handshake.c:2740)
+  ==520145==    by 0x402CB3: client (dtls_hello_random_value.c:153)
+  ==520145==    by 0x402CB3: start (dtls_hello_random_value.c:317)
+  ==520145==    by 0x402EFE: doit (dtls_hello_random_value.c:331)
+  ==520145==    by 0x4023D4: main (utils.c:254)
+  ==520145==
+Upstream-Status: Backport
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ configure.ac    |  2 ++
+ lib/handshake.c | 15 +++++++++++++++
+ lib/state.c     | 21 ++++++++++++++++++---
+ 3 files changed, 35 insertions(+), 3 deletions(-)
+diff --git a/configure.ac b/configure.ac
+index 172cf42..12da283 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -233,6 +233,8 @@ AS_IF([test "$ac_cv_search___atomic_load_4" = "none required" || test "$ac_cv_se
+ dnl We use its presence to detect C11 threads
+ AC_CHECK_HEADERS([threads.h])
+ 
+AC_CHECK_HEADERS([valgrind/memcheck.h])
+
+ AC_ARG_ENABLE(padlock,
+   AS_HELP_STRING([--disable-padlock], [unconditionally disable padlock acceleration]),
+     use_padlock=$enableval)
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 84a0e52..8d58fa4 100644
+--- a/lib/handshake.c
+++ b/lib/handshake.c
+@@ -57,6 +57,9 @@
+ #include "secrets.h"
+ #include "tls13/session_ticket.h"
+ #include "locks.h"
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+#include <valgrind/memcheck.h>
+#endif
+ 
+ #define TRUE 1
+ #define FALSE 0
+@@ -242,6 +245,12 @@ int _gnutls_gen_client_random(gnutls_session_t session)
+                        return gnutls_assert_val(ret);
+        }
+ 
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+       if (RUNNING_ON_VALGRIND)
+               VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.client_random,
+                                         GNUTLS_RANDOM_SIZE);
+#endif
+
+        return 0;
+ }
+ 
+@@ -320,6 +329,12 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version)
+                return ret;
+        }
+ 
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+       if (RUNNING_ON_VALGRIND)
+               VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.server_random,
+                                         GNUTLS_RANDOM_SIZE);
+#endif
+
+        return 0;
+ }
+ 
+diff --git a/lib/state.c b/lib/state.c
+index 0e1d155..98900c1 100644
+--- a/lib/state.c
+++ b/lib/state.c
+@@ -55,6 +55,9 @@
+ #include "ext/cert_types.h"
+ #include "locks.h"
+ #include "kx.h"
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+#include <valgrind/memcheck.h>
+#endif
+ 
+ /* to be used by supplemental data support to disable TLS1.3
+  * when supplemental data have been globally registered */
+@@ -564,10 +567,22 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
+                        UINT32_MAX;
+        }
+ 
+-       /* everything else not initialized here is initialized
+-        * as NULL or 0. This is why calloc is used.
+       /* Everything else not initialized here is initialized as NULL
+        * or 0. This is why calloc is used. However, we want to
+        * ensure that certain portions of data are initialized at
+        * runtime before being used. Mark such regions with a
+        * valgrind client request as undefined.
+         */
+-
+#ifdef HAVE_VALGRIND_MEMCHECK_H
+       if (RUNNING_ON_VALGRIND) {
+               if (flags & GNUTLS_CLIENT)
+                       VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
+                                                   GNUTLS_RANDOM_SIZE);
+               if (flags & GNUTLS_SERVER)
+                       VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
+                                                   GNUTLS_RANDOM_SIZE);
+       }
+#endif
+        handshake_internal_state_clear1(*session);
+ 
+ #ifdef HAVE_WRITEV
+-- 
+2.17.1

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch new file mode 100644 index 0000000000..12486e1710 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch
@@ -0,0 +1,137 @@
	1	From 6c7f9703e42bc5278d0a4a6f0a39d07d62123ea3 Mon Sep 17 00:00:00 2001
	2	From: Daiki Ueno <dueno@redhat.com>
	3	Date: Tue, 31 Mar 2020 06:58:48 +0200
	4	Subject: [PATCH 2/3] build: use valgrind client request to detect undefined
	5	memory use
	6
	7	commit 50ad8778a81f9421effa4c5a3b457f98e559b178 from https://gitlab.com/gnutls/gnutls.git
	8
	9	This tightens the check introduced in
	10	ac2f71b892d13a7ab4cc39086eef179042c7e23c, by using the valgrind client
	11	request to explicitly mark the "uninitialized but initialization is
	12	needed before use" regions. With this patch and the
	13	fix (c01011c2d8533dbbbe754e49e256c109cb848d0d) reverted, you will see
	14	the following error when running dtls_hello_random_value under
	15	valgrind:
	16
	17	$ valgrind ./dtls_hello_random_value
	18	testing: default
	19	==520145== Conditional jump or move depends on uninitialised value(s)
	20	==520145== at 0x4025F5: hello_callback (dtls_hello_random_value.c:90)
	21	==520145== by 0x488BF97: _gnutls_call_hook_func (handshake.c:1215)
	22	==520145== by 0x488C1AA: _gnutls_send_handshake2 (handshake.c:1332)
	23	==520145== by 0x488FC7E: send_client_hello (handshake.c:2290)
	24	==520145== by 0x48902A1: handshake_client (handshake.c:2908)
	25	==520145== by 0x48902A1: gnutls_handshake (handshake.c:2740)
	26	==520145== by 0x402CB3: client (dtls_hello_random_value.c:153)
	27	==520145== by 0x402CB3: start (dtls_hello_random_value.c:317)
	28	==520145== by 0x402EFE: doit (dtls_hello_random_value.c:331)
	29	==520145== by 0x4023D4: main (utils.c:254)
	30	==520145==
	31
	32	Upstream-Status: Backport
	33
	34	Signed-off-by: Daiki Ueno <dueno@redhat.com>
	35	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
	36	---
	37	configure.ac \| 2 ++
	38	lib/handshake.c \| 15 +++++++++++++++
	39	lib/state.c \| 21 ++++++++++++++++++---
	40	3 files changed, 35 insertions(+), 3 deletions(-)
	41
	42	diff --git a/configure.ac b/configure.ac
	43	index 172cf42..12da283 100644
	44	--- a/configure.ac
	45	+++ b/configure.ac
	46	@@ -233,6 +233,8 @@ AS_IF([test "$ac_cv_search___atomic_load_4" = "none required" \|\| test "$ac_cv_se
	47	dnl We use its presence to detect C11 threads
	48	AC_CHECK_HEADERS([threads.h])
	49
	50	+AC_CHECK_HEADERS([valgrind/memcheck.h])
	51	+
	52	AC_ARG_ENABLE(padlock,
	53	AS_HELP_STRING([--disable-padlock], [unconditionally disable padlock acceleration]),
	54	use_padlock=$enableval)
	55	diff --git a/lib/handshake.c b/lib/handshake.c
	56	index 84a0e52..8d58fa4 100644
	57	--- a/lib/handshake.c
	58	+++ b/lib/handshake.c
	59	@@ -57,6 +57,9 @@
	60	#include "secrets.h"
	61	#include "tls13/session_ticket.h"
	62	#include "locks.h"
	63	+#ifdef HAVE_VALGRIND_MEMCHECK_H
	64	+#include <valgrind/memcheck.h>
	65	+#endif
	66
	67	#define TRUE 1
	68	#define FALSE 0
	69	@@ -242,6 +245,12 @@ int _gnutls_gen_client_random(gnutls_session_t session)
	70	return gnutls_assert_val(ret);
	71	}
	72
	73	+#ifdef HAVE_VALGRIND_MEMCHECK_H
	74	+ if (RUNNING_ON_VALGRIND)
	75	+ VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.client_random,
	76	+ GNUTLS_RANDOM_SIZE);
	77	+#endif
	78	+
	79	return 0;
	80	}
	81
	82	@@ -320,6 +329,12 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version)
	83	return ret;
	84	}
	85
	86	+#ifdef HAVE_VALGRIND_MEMCHECK_H
	87	+ if (RUNNING_ON_VALGRIND)
	88	+ VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.server_random,
	89	+ GNUTLS_RANDOM_SIZE);
	90	+#endif
	91	+
	92	return 0;
	93	}
	94
	95	diff --git a/lib/state.c b/lib/state.c
	96	index 0e1d155..98900c1 100644
	97	--- a/lib/state.c
	98	+++ b/lib/state.c
	99	@@ -55,6 +55,9 @@
	100	#include "ext/cert_types.h"
	101	#include "locks.h"
	102	#include "kx.h"
	103	+#ifdef HAVE_VALGRIND_MEMCHECK_H
	104	+#include <valgrind/memcheck.h>
	105	+#endif
	106
	107	/* to be used by supplemental data support to disable TLS1.3
	108	* when supplemental data have been globally registered */
	109	@@ -564,10 +567,22 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
	110	UINT32_MAX;
	111	}
	112
	113	- /* everything else not initialized here is initialized
	114	- * as NULL or 0. This is why calloc is used.
	115	+ /* Everything else not initialized here is initialized as NULL
	116	+ * or 0. This is why calloc is used. However, we want to
	117	+ * ensure that certain portions of data are initialized at
	118	+ * runtime before being used. Mark such regions with a
	119	+ * valgrind client request as undefined.
	120	*/
	121	-
	122	+#ifdef HAVE_VALGRIND_MEMCHECK_H
	123	+ if (RUNNING_ON_VALGRIND) {
	124	+ if (flags & GNUTLS_CLIENT)
	125	+ VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
	126	+ GNUTLS_RANDOM_SIZE);
	127	+ if (flags & GNUTLS_SERVER)
	128	+ VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
	129	+ GNUTLS_RANDOM_SIZE);
	130	+ }
	131	+#endif
	132	handshake_internal_state_clear1(*session);
	133
	134	#ifdef HAVE_WRITEV
	135	--
	136	2.17.1
	137