Change-Id: I8b9502722a1a9a7e393aeebaa3fc32271a420d65
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4555
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Xiaolin Li <xiaolinl@vmware.com>
1 | 1 |
new file mode 100644 |
@@ -0,0 +1,142 @@ |
0 |
+From 3888095ed2fa32870c2a5452bd91ca21efa70907 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Jay Satiro <raysatiro@yahoo.com> |
|
2 |
+Date: Mon, 20 Nov 2017 01:26:19 -0500 |
|
3 |
+Subject: [PATCH] url: fix alignment of ssl_backend_data struct |
|
4 |
+ |
|
5 |
+- Align the array of ssl_backend_data on a max 32 byte boundary. |
|
6 |
+ |
|
7 |
+8 is likely to be ok but I went with 32 for posterity should one of |
|
8 |
+the ssl_backend_data structs change to contain a larger sized variable |
|
9 |
+in the future. |
|
10 |
+ |
|
11 |
+Prior to this change (since dev 70f1db3, release 7.56) the connectdata |
|
12 |
+structure was undersized by 4 bytes in 32-bit builds with ssl enabled |
|
13 |
+because long long * was mistakenly used for alignment instead of |
|
14 |
+long long, with the intention being an 8 byte boundary. Also long long |
|
15 |
+may not be an available type. |
|
16 |
+ |
|
17 |
+The undersized connectdata could lead to oob read/write past the end in |
|
18 |
+what was expected to be the last 4 bytes of the connection's secondary |
|
19 |
+socket https proxy ssl_backend_data struct (the secondary socket in a |
|
20 |
+connection is used by ftp, others?). |
|
21 |
+ |
|
22 |
+Closes https://github.com/curl/curl/issues/2093 |
|
23 |
+ |
|
24 |
+CVE-2017-8818 |
|
25 |
+ |
|
26 |
+Bug: https://curl.haxx.se/docs/adv_2017-af0a.html |
|
27 |
+--- |
|
28 |
+ lib/url.c | 51 ++++++++++++++++++++++++++++++--------------------- |
|
29 |
+ lib/urldata.h | 10 ---------- |
|
30 |
+ 2 files changed, 30 insertions(+), 31 deletions(-) |
|
31 |
+ |
|
32 |
+diff --git a/lib/url.c b/lib/url.c |
|
33 |
+index 9f9fa0c43..47f69c9f1 100644 |
|
34 |
+--- a/lib/url.c |
|
35 |
+@@ -1791,19 +1791,45 @@ static void llist_dtor(void *user, void *element) |
|
36 |
+ /* |
|
37 |
+ * Allocate and initialize a new connectdata object. |
|
38 |
+ */ |
|
39 |
+ static struct connectdata *allocate_conn(struct Curl_easy *data) |
|
40 |
+ { |
|
41 |
++ struct connectdata *conn; |
|
42 |
++ size_t connsize = sizeof(struct connectdata); |
|
43 |
++ |
|
44 |
+ #ifdef USE_SSL |
|
45 |
+-#define SSL_EXTRA + 4 * Curl_ssl->sizeof_ssl_backend_data - sizeof(long long) |
|
46 |
+-#else |
|
47 |
+-#define SSL_EXTRA 0 |
|
48 |
++/* SSLBK_MAX_ALIGN: The max byte alignment a CPU would use */ |
|
49 |
++#define SSLBK_MAX_ALIGN 32 |
|
50 |
++ /* The SSL backend-specific data (ssl_backend_data) objects are allocated as |
|
51 |
++ part of connectdata at the end. To ensure suitable alignment we will |
|
52 |
++ assume a maximum of SSLBK_MAX_ALIGN for alignment. Since calloc returns a |
|
53 |
++ pointer suitably aligned for any variable this will ensure the |
|
54 |
++ ssl_backend_data array has proper alignment, even if that alignment turns |
|
55 |
++ out to be less than SSLBK_MAX_ALIGN. */ |
|
56 |
++ size_t paddingsize = sizeof(struct connectdata) % SSLBK_MAX_ALIGN; |
|
57 |
++ size_t alignsize = paddingsize ? (SSLBK_MAX_ALIGN - paddingsize) : 0; |
|
58 |
++ size_t sslbksize = Curl_ssl->sizeof_ssl_backend_data; |
|
59 |
++ connsize += alignsize + (4 * sslbksize); |
|
60 |
+ #endif |
|
61 |
+- struct connectdata *conn = calloc(1, sizeof(struct connectdata) + SSL_EXTRA); |
|
62 |
++ |
|
63 |
++ conn = calloc(1, connsize); |
|
64 |
+ if(!conn) |
|
65 |
+ return NULL; |
|
66 |
+ |
|
67 |
++#ifdef USE_SSL |
|
68 |
++ /* Point to the ssl_backend_data objects at the end of connectdata. |
|
69 |
++ Note that these backend pointers can be swapped by vtls (eg ssl backend |
|
70 |
++ data becomes proxy backend data). */ |
|
71 |
++ { |
|
72 |
++ char *end = (char *)conn + connsize; |
|
73 |
++ conn->ssl[0].backend = ((void *)(end - (4 * sslbksize))); |
|
74 |
++ conn->ssl[1].backend = ((void *)(end - (3 * sslbksize))); |
|
75 |
++ conn->proxy_ssl[0].backend = ((void *)(end - (2 * sslbksize))); |
|
76 |
++ conn->proxy_ssl[1].backend = ((void *)(end - (1 * sslbksize))); |
|
77 |
++ } |
|
78 |
++#endif |
|
79 |
++ |
|
80 |
+ conn->handler = &Curl_handler_dummy; /* Be sure we have a handler defined |
|
81 |
+ already from start to avoid NULL |
|
82 |
+ situations and checks */ |
|
83 |
+ |
|
84 |
+ /* and we setup a few fields in case we end up actually using this struct */ |
|
85 |
+@@ -1879,27 +1905,10 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) |
|
86 |
+ conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; |
|
87 |
+ conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; |
|
88 |
+ |
|
89 |
+ conn->ip_version = data->set.ipver; |
|
90 |
+ |
|
91 |
+-#ifdef USE_SSL |
|
92 |
+- /* |
|
93 |
+- * To save on malloc()s, the SSL backend-specific data has been allocated |
|
94 |
+- * at the end of the connectdata struct. |
|
95 |
+- */ |
|
96 |
+- { |
|
97 |
+- char *p = (char *)&conn->align_data__do_not_use; |
|
98 |
+- conn->ssl[0].backend = (struct ssl_backend_data *)p; |
|
99 |
+- conn->ssl[1].backend = |
|
100 |
+- (struct ssl_backend_data *)(p + Curl_ssl->sizeof_ssl_backend_data); |
|
101 |
+- conn->proxy_ssl[0].backend = |
|
102 |
+- (struct ssl_backend_data *)(p + Curl_ssl->sizeof_ssl_backend_data * 2); |
|
103 |
+- conn->proxy_ssl[1].backend = |
|
104 |
+- (struct ssl_backend_data *)(p + Curl_ssl->sizeof_ssl_backend_data * 3); |
|
105 |
+- } |
|
106 |
+-#endif |
|
107 |
+- |
|
108 |
+ #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \ |
|
109 |
+ defined(NTLM_WB_ENABLED) |
|
110 |
+ conn->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD; |
|
111 |
+ conn->ntlm_auth_hlpr_pid = 0; |
|
112 |
+ conn->challenge_header = NULL; |
|
113 |
+diff --git a/lib/urldata.h b/lib/urldata.h |
|
114 |
+index 94f692223..edd1fd9ac 100644 |
|
115 |
+--- a/lib/urldata.h |
|
116 |
+@@ -1002,20 +1002,10 @@ struct connectdata { |
|
117 |
+ |
|
118 |
+ #ifdef USE_UNIX_SOCKETS |
|
119 |
+ char *unix_domain_socket; |
|
120 |
+ bool abstract_unix_socket; |
|
121 |
+ #endif |
|
122 |
+- |
|
123 |
+-#ifdef USE_SSL |
|
124 |
+- /* |
|
125 |
+- * To avoid multiple malloc() calls, the ssl_connect_data structures |
|
126 |
+- * associated with a connectdata struct are allocated in the same block |
|
127 |
+- * as the latter. This field forces alignment to an 8-byte boundary so |
|
128 |
+- * that this all works. |
|
129 |
+- */ |
|
130 |
+- long long *align_data__do_not_use; |
|
131 |
+-#endif |
|
132 |
+ }; |
|
133 |
+ |
|
134 |
+ /* The end of connectdata. */ |
|
135 |
+ |
|
136 |
+ /* |
|
137 |
+-- |
|
138 |
+2.15.0 |
|
139 |
+ |
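Review bot: The `--- a/lib/url.c` line (line 34 of the new file) and the `--- a/lib/urldata.h` line (line 115) are each followed directly by their `@@` hunk header, with no `+++ b/lib/url.c` / `+++ b/lib/urldata.h` line in between. The hunk header announces 142 added lines while 140 are shown, so the two `+++` lines were probably dropped by the page rendering rather than being absent from the file; but if curl-CVE-2017-8818.patch really lacks them, `%patch0 -p1` in %prep will very likely refuse to apply it, since unified-diff tools need both file headers to recognise the hunk, and the spec has no other check that the fix actually landed in the build. Worth confirming against the raw file (or a scratch build) before merging. The patch body itself is the upstream curl commit 3888095 quoted in its header, so its C changes do not need a second review here.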
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: An URL retrieval utility and library |
2 | 2 |
Name: curl |
3 | 3 |
Version: 7.56.1 |
4 |
-Release: 1%{?dist} |
|
4 |
+Release: 2%{?dist} |
|
5 | 5 |
License: MIT |
6 | 6 |
URL: http://curl.haxx.se |
7 | 7 |
Group: System Environment/NetworkingLibraries |
@@ -9,6 +9,7 @@ Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://curl.haxx.se/download/%{name}-%{version}.tar.xz |
11 | 11 |
%define sha1 curl=c26bd88fdd5fe5d31a3b9e7a0a6b3dffff3168df |
12 |
+Patch0: curl-CVE-2017-8818.patch |
|
12 | 13 |
BuildRequires: ca-certificates |
13 | 14 |
BuildRequires: openssl-devel |
14 | 15 |
BuildRequires: krb5-devel |
@@ -41,6 +42,7 @@ This package contains minimal set of shared curl libraries. |
41 | 41 |
|
42 | 42 |
%prep |
43 | 43 |
%setup -q |
44 |
+%patch0 -p1 |
|
44 | 45 |
%build |
45 | 46 |
./configure \ |
46 | 47 |
CFLAGS="%{optflags}" \ |
@@ -88,6 +90,8 @@ rm -rf %{buildroot}/* |
88 | 88 |
%{_libdir}/libcurl.so.* |
89 | 89 |
|
90 | 90 |
%changelog |
91 |
+* Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 7.56.1-2 |
|
92 |
+- Fix CVE-2017-8818. |
|
91 | 93 |
* Wed Dec 13 2017 Xiaolin Li <xiaolinl@vmware.com> 7.56.1-1 |
92 | 94 |
- Update to version 7.56.1 |
93 | 95 |
* Mon Nov 27 2017 Xiaolin Li <xiaolinl@vmware.com> 7.54.1-4 |