curl: Fix CVE-2023-28320

Add patch to fix CVE-2023-28320 siglongjmp race condition libcurl provides several different backends for resolving host names, selectedat build time. If it is built to use the synchronous resolver, it allows nameresolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected anda multi-threaded application might therefore crash or otherwise misbehave. Link: https://curl.se/docs/CVE-2023-28320.html (From OE-Core rev: c761d822be5ffc4a88600fbd7282c469b1e9902a) Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Bhabu Bindu <bhabu.bindu@kpit.com> 2023-05-29 17:02:44 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-06-01 16:24:07 -1000
commit: d68f782872c3159630bd3fd34bf942242686e49c (patch)
tree: bf1efc78709caf74103c5352d50fd8b3b8a787ab
parent: 8f3b0b8e9bbff522c1dd9f1507d71c82d228c46e (diff)
download: poky-d68f782872c3159630bd3fd34bf942242686e49c.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
new file mode 100644
index 0000000000..1e0fc7534a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
@@ -0,0 +1,83 @@
+From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Tue, 25 Apr 2023 09:22:26 +0200
+Subject: [PATCH] hostip: add locks around use of global buffer for alarm()
+When building with the sync name resolver and timeout ability we now
+require thread-safety to be present to enable it.
+Closes #11030
+CVE: CVE-2023-28320
+Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ lib/hostip.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+diff --git a/lib/hostip.c b/lib/hostip.c
+index 2381290fdd43e..e410cda69ae6e 100644
+--- a/lib/hostip.c
+++ b/lib/hostip.c
+@@ -70,12 +70,19 @@
+ #include <SystemConfiguration/SCDynamicStoreCopySpecific.h>
+ #endif
+ 
+-#if defined(CURLRES_SYNCH) && \
+-    defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
+#if defined(CURLRES_SYNCH) &&                   \
+  defined(HAVE_ALARM) &&                        \
+  defined(SIGALRM) &&                           \
+  defined(HAVE_SIGSETJMP) &&                    \
+  defined(GLOBAL_INIT_IS_THREADSAFE)
+ /* alarm-based timeouts can only be used with all the dependencies satisfied */
+ #define USE_ALARM_TIMEOUT
+ #endif
+ 
+#ifdef USE_ALARM_TIMEOUT
+#include "easy_lock.h"
+#endif
+
+ #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
+ 
+ /*
+@@ -254,11 +261,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
+     Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
+ }
+ 
+-#ifdef HAVE_SIGSETJMP
+#ifdef USE_ALARM_TIMEOUT
+ /* Beware this is a global and unique instance. This is used to store the
+    return address that we can jump back to from inside a signal handler. This
+    is not thread-safe stuff. */
+ sigjmp_buf curl_jmpenv;
+curl_simple_lock curl_jmpenv_lock;
+ #endif
+ 
+ /* lookup address, returns entry if found and not stale */
+@@ -832,7 +840,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
+ static
+ void alarmfunc(int sig)
+ {
+-  /* this is for "-ansi -Wall -pedantic" to stop complaining!   (rabe) */
+   (void)sig;
+   siglongjmp(curl_jmpenv, 1);
+ }
+@@ -912,6 +919,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
+      This should be the last thing we do before calling Curl_resolv(),
+      as otherwise we'd have to worry about variables that get modified
+      before we invoke Curl_resolv() (and thus use "volatile"). */
+  curl_simple_lock_lock(&curl_jmpenv_lock);
+
+   if(sigsetjmp(curl_jmpenv, 1)) {
+     /* this is coming from a siglongjmp() after an alarm signal */
+     failf(data, "name lookup timed out");
+@@ -980,6 +989,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
+ #endif
+ #endif /* HAVE_SIGACTION */
+ 
+  curl_simple_lock_unlock(&curl_jmpenv_lock);
+
+   /* switch back the alarm() to either zero or to what it was before minus
+      the time we spent until now! */
+   if(prev_alarm) {
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index e38bf14cc4..422c2bec0f 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -46,6 +46,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2023-27535_and_CVE-2023-27538.patch \
           file://CVE-2023-27536.patch \
           file://CVE-2023-28319.patch \
+           file://CVE-2023-28320.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Bhabu Bindu <bhabu.bindu@kpit.com>	2023-05-29 17:02:44 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-06-01 16:24:07 -1000
commit	d68f782872c3159630bd3fd34bf942242686e49c (patch)
tree	bf1efc78709caf74103c5352d50fd8b3b8a787ab
parent	8f3b0b8e9bbff522c1dd9f1507d71c82d228c46e (diff)
download	poky-d68f782872c3159630bd3fd34bf942242686e49c.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/meta/recipes-support/curl/curl/CVE-2023-28320.patch new file mode 100644 index 0000000000..1e0fc7534a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
@@ -0,0 +1,83 @@
		1	From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
		2	From: Harry Sintonen <sintonen@iki.fi>
		3	Date: Tue, 25 Apr 2023 09:22:26 +0200
		4	Subject: [PATCH] hostip: add locks around use of global buffer for alarm()
		5
		6	When building with the sync name resolver and timeout ability we now
		7	require thread-safety to be present to enable it.
		8
		9	Closes #11030
		10
		11	CVE: CVE-2023-28320
		12	Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b]
		13	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
		14	---
		15	lib/hostip.c \| 19 +++++++++++++++----
		16	1 file changed, 15 insertions(+), 4 deletions(-)
		17
		18	diff --git a/lib/hostip.c b/lib/hostip.c
		19	index 2381290fdd43e..e410cda69ae6e 100644
		20	--- a/lib/hostip.c
		21	+++ b/lib/hostip.c
		22	@@ -70,12 +70,19 @@
		23	#include <SystemConfiguration/SCDynamicStoreCopySpecific.h>
		24	#endif
		25
		26	-#if defined(CURLRES_SYNCH) && \
		27	- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
		28	+#if defined(CURLRES_SYNCH) && \
		29	+ defined(HAVE_ALARM) && \
		30	+ defined(SIGALRM) && \
		31	+ defined(HAVE_SIGSETJMP) && \
		32	+ defined(GLOBAL_INIT_IS_THREADSAFE)
		33	/* alarm-based timeouts can only be used with all the dependencies satisfied */
		34	#define USE_ALARM_TIMEOUT
		35	#endif
		36
		37	+#ifdef USE_ALARM_TIMEOUT
		38	+#include "easy_lock.h"
		39	+#endif
		40	+
		41	#define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
		42
		43	/*
		44	@@ -254,11 +261,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
		45	Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
		46	}
		47
		48	-#ifdef HAVE_SIGSETJMP
		49	+#ifdef USE_ALARM_TIMEOUT
		50	/* Beware this is a global and unique instance. This is used to store the
		51	return address that we can jump back to from inside a signal handler. This
		52	is not thread-safe stuff. */
		53	sigjmp_buf curl_jmpenv;
		54	+curl_simple_lock curl_jmpenv_lock;
		55	#endif
		56
		57	/* lookup address, returns entry if found and not stale */
		58	@@ -832,7 +840,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
		59	static
		60	void alarmfunc(int sig)
		61	{
		62	- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
		63	(void)sig;
		64	siglongjmp(curl_jmpenv, 1);
		65	}
		66	@@ -912,6 +919,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
		67	This should be the last thing we do before calling Curl_resolv(),
		68	as otherwise we'd have to worry about variables that get modified
		69	before we invoke Curl_resolv() (and thus use "volatile"). */
		70	+ curl_simple_lock_lock(&curl_jmpenv_lock);
		71	+
		72	if(sigsetjmp(curl_jmpenv, 1)) {
		73	/* this is coming from a siglongjmp() after an alarm signal */
		74	failf(data, "name lookup timed out");
		75	@@ -980,6 +989,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
		76	#endif
		77	#endif /* HAVE_SIGACTION */
		78
		79	+ curl_simple_lock_unlock(&curl_jmpenv_lock);
		80	+
		81	/* switch back the alarm() to either zero or to what it was before minus
		82	the time we spent until now! */
		83	if(prev_alarm) {


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index e38bf14cc4..422c2bec0f 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -46,6 +46,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
46	file://CVE-2023-27535_and_CVE-2023-27538.patch \	46	file://CVE-2023-27535_and_CVE-2023-27538.patch \
47	file://CVE-2023-27536.patch \	47	file://CVE-2023-27536.patch \
48	file://CVE-2023-28319.patch \	48	file://CVE-2023-28319.patch \
		49	file://CVE-2023-28320.patch \
49	"	50	"
50	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	51	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
51		52