poky/meta/recipes-support/curl/curl/CVE-2023-28320.patch - openbmc/openbmc - Gitiles

 From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
 From: Harry Sintonen <sintonen@iki.fi>
 Date: Tue, 25 Apr 2023 09:22:26 +0200
 Subject: [PATCH] hostip: add locks around use of global buffer for alarm()

 When building with the sync name resolver and timeout ability we now
 require thread-safety to be present to enable it.

 Closes #11030

 CVE: CVE-2023-28320
 Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b]
 Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
 ---
  lib/hostip.c | 19 +++++++++++++++----
  1 file changed, 15 insertions(+), 4 deletions(-)

 diff --git a/lib/hostip.c b/lib/hostip.c
 index 2381290fdd43e..e410cda69ae6e 100644
 --- a/lib/hostip.c
 +++ b/lib/hostip.c
 @@ -70,12 +70,19 @@
  #include <SystemConfiguration/SCDynamicStoreCopySpecific.h>
  #endif

 -#if defined(CURLRES_SYNCH) && \
 -    defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
 +#if defined(CURLRES_SYNCH) &&                   \
 +  defined(HAVE_ALARM) &&                        \
 +  defined(SIGALRM) &&                           \
 +  defined(HAVE_SIGSETJMP) &&                    \
 +  defined(GLOBAL_INIT_IS_THREADSAFE)
  /* alarm-based timeouts can only be used with all the dependencies satisfied */
  #define USE_ALARM_TIMEOUT
  #endif

 +#ifdef USE_ALARM_TIMEOUT
 +#include "easy_lock.h"
 +#endif
 +
  #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */

  /*
 @@ -254,11 +261,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
      Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
  }

 -#ifdef HAVE_SIGSETJMP
 +#ifdef USE_ALARM_TIMEOUT
  /* Beware this is a global and unique instance. This is used to store the
     return address that we can jump back to from inside a signal handler. This
     is not thread-safe stuff. */
  sigjmp_buf curl_jmpenv;
 +curl_simple_lock curl_jmpenv_lock;
  #endif

  /* lookup address, returns entry if found and not stale */
 @@ -832,7 +840,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
  static
  void alarmfunc(int sig)
  {
 -  /* this is for "-ansi -Wall -pedantic" to stop complaining!   (rabe) */
    (void)sig;
    siglongjmp(curl_jmpenv, 1);
  }
 @@ -912,6 +919,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
       This should be the last thing we do before calling Curl_resolv(),
       as otherwise we'd have to worry about variables that get modified
       before we invoke Curl_resolv() (and thus use "volatile"). */
 +  curl_simple_lock_lock(&curl_jmpenv_lock);
 +
    if(sigsetjmp(curl_jmpenv, 1)) {
      /* this is coming from a siglongjmp() after an alarm signal */
      failf(data, "name lookup timed out");
 @@ -980,6 +989,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
  #endif
  #endif /* HAVE_SIGACTION */

 +  curl_simple_lock_unlock(&curl_jmpenv_lock);
 +
    /* switch back the alarm() to either zero or to what it was before minus
       the time we spent until now! */
    if(prev_alarm) {
	From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
	From: Harry Sintonen <sintonen@iki.fi>
	Date: Tue, 25 Apr 2023 09:22:26 +0200
	Subject: [PATCH] hostip: add locks around use of global buffer for alarm()

	When building with the sync name resolver and timeout ability we now
	require thread-safety to be present to enable it.

	Closes #11030

	CVE: CVE-2023-28320
	Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b]
	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
	---
	lib/hostip.c \| 19 +++++++++++++++----
	1 file changed, 15 insertions(+), 4 deletions(-)

	diff --git a/lib/hostip.c b/lib/hostip.c
	index 2381290fdd43e..e410cda69ae6e 100644
	--- a/lib/hostip.c
	+++ b/lib/hostip.c
	@@ -70,12 +70,19 @@
	#include <SystemConfiguration/SCDynamicStoreCopySpecific.h>
	#endif

	-#if defined(CURLRES_SYNCH) && \
	- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
	+#if defined(CURLRES_SYNCH) && \
	+ defined(HAVE_ALARM) && \
	+ defined(SIGALRM) && \
	+ defined(HAVE_SIGSETJMP) && \
	+ defined(GLOBAL_INIT_IS_THREADSAFE)
	/* alarm-based timeouts can only be used with all the dependencies satisfied */
	#define USE_ALARM_TIMEOUT
	#endif

	+#ifdef USE_ALARM_TIMEOUT
	+#include "easy_lock.h"
	+#endif
	+
	#define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */

	/*
	@@ -254,11 +261,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
	Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
	}

	-#ifdef HAVE_SIGSETJMP
	+#ifdef USE_ALARM_TIMEOUT
	/* Beware this is a global and unique instance. This is used to store the
	return address that we can jump back to from inside a signal handler. This
	is not thread-safe stuff. */
	sigjmp_buf curl_jmpenv;
	+curl_simple_lock curl_jmpenv_lock;
	#endif

	/* lookup address, returns entry if found and not stale */
	@@ -832,7 +840,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
	static
	void alarmfunc(int sig)
	{
	- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
	(void)sig;
	siglongjmp(curl_jmpenv, 1);
	}
	@@ -912,6 +919,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
	This should be the last thing we do before calling Curl_resolv(),
	as otherwise we'd have to worry about variables that get modified
	before we invoke Curl_resolv() (and thus use "volatile"). */
	+ curl_simple_lock_lock(&curl_jmpenv_lock);
	+
	if(sigsetjmp(curl_jmpenv, 1)) {
	/* this is coming from a siglongjmp() after an alarm signal */
	failf(data, "name lookup timed out");
	@@ -980,6 +989,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data,
	#endif
	#endif /* HAVE_SIGACTION */

	+ curl_simple_lock_unlock(&curl_jmpenv_lock);
	+
	/* switch back the alarm() to either zero or to what it was before minus
	the time we spent until now! */
	if(prev_alarm) {