
curl : Fix CVE-2017-8818.

Change-Id: I8b9502722a1a9a7e393aeebaa3fc32271a420d65
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4559
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Xiaolin Li <xiaolinl@vmware.com>

xiaolin-vmware authored on 2017/12/22 05:05:19
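--- /dev/null
+++ b/curl-CVE-2017-8818.patch
@@ -0,0 +1,142 @@
+From 3888095ed2fa32870c2a5452bd91ca21efa70907 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Mon, 20 Nov 2017 01:26:19 -0500
+Subject: [PATCH] url: fix alignment of ssl_backend_data struct
+
+- Align the array of ssl_backend_data on a max 32 byte boundary.
+
+8 is likely to be ok but I went with 32 for posterity should one of
+the ssl_backend_data structs change to contain a larger sized variable
+in the future.
+
+Prior to this change (since dev 70f1db3, release 7.56) the connectdata
+structure was undersized by 4 bytes in 32-bit builds with ssl enabled
+because long long * was mistakenly used for alignment instead of
+long long, with the intention being an 8 byte boundary. Also long long
+may not be an available type.
+
+The undersized connectdata could lead to oob read/write past the end in
+what was expected to be the last 4 bytes of the connection's secondary
+socket https proxy ssl_backend_data struct (the secondary socket in a
+connection is used by ftp, others?).
+
+Closes https://github.com/curl/curl/issues/2093
+
+CVE-2017-8818
+
+Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
+---
+ lib/url.c     | 51 ++++++++++++++++++++++++++++++---------------------
+ lib/urldata.h | 10 ----------
+ 2 files changed, 30 insertions(+), 31 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 9f9fa0c43..47f69c9f1 100644
+--- a/lib/url.c
+@@ -1791,19 +1791,45 @@ static void llist_dtor(void *user, void *element)
+ /*
+  * Allocate and initialize a new connectdata object.
+  */
+ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ {
++  struct connectdata *conn;
++  size_t connsize = sizeof(struct connectdata);
++
+ #ifdef USE_SSL
+-#define SSL_EXTRA + 4 * Curl_ssl->sizeof_ssl_backend_data - sizeof(long long)
+-#else
+-#define SSL_EXTRA 0
++/* SSLBK_MAX_ALIGN: The max byte alignment a CPU would use */
++#define SSLBK_MAX_ALIGN 32
++  /* The SSL backend-specific data (ssl_backend_data) objects are allocated as
++     part of connectdata at the end. To ensure suitable alignment we will
++     assume a maximum of SSLBK_MAX_ALIGN for alignment. Since calloc returns a
++     pointer suitably aligned for any variable this will ensure the
++     ssl_backend_data array has proper alignment, even if that alignment turns
++     out to be less than SSLBK_MAX_ALIGN. */
++  size_t paddingsize = sizeof(struct connectdata) % SSLBK_MAX_ALIGN;
++  size_t alignsize = paddingsize ? (SSLBK_MAX_ALIGN - paddingsize) : 0;
++  size_t sslbksize = Curl_ssl->sizeof_ssl_backend_data;
++  connsize += alignsize + (4 * sslbksize);
+ #endif
+-  struct connectdata *conn = calloc(1, sizeof(struct connectdata) + SSL_EXTRA);
++
++  conn = calloc(1, connsize);
+   if(!conn)
+     return NULL;
+ 
++#ifdef USE_SSL
++  /* Point to the ssl_backend_data objects at the end of connectdata.
++     Note that these backend pointers can be swapped by vtls (eg ssl backend
++     data becomes proxy backend data). */
++  {
++    char *end = (char *)conn + connsize;
++    conn->ssl[0].backend = ((void *)(end - (4 * sslbksize)));
++    conn->ssl[1].backend = ((void *)(end - (3 * sslbksize)));
++    conn->proxy_ssl[0].backend = ((void *)(end - (2 * sslbksize)));
++    conn->proxy_ssl[1].backend = ((void *)(end - (1 * sslbksize)));
++  }
++#endif
++
+   conn->handler = &Curl_handler_dummy;  /* Be sure we have a handler defined
+                                            already from start to avoid NULL
+                                            situations and checks */
+ 
+   /* and we setup a few fields in case we end up actually using this struct */
+@@ -1879,27 +1905,10 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+ 
+   conn->ip_version = data->set.ipver;
+ 
+-#ifdef USE_SSL
+-  /*
+-   * To save on malloc()s, the SSL backend-specific data has been allocated
+-   * at the end of the connectdata struct.
+-   */
+-  {
+-    char *p = (char *)&conn->align_data__do_not_use;
+-    conn->ssl[0].backend = (struct ssl_backend_data *)p;
+-    conn->ssl[1].backend =
+-      (struct ssl_backend_data *)(p + Curl_ssl->sizeof_ssl_backend_data);
+-    conn->proxy_ssl[0].backend =
+-      (struct ssl_backend_data *)(p + Curl_ssl->sizeof_ssl_backend_data * 2);
+-    conn->proxy_ssl[1].backend =
+-      (struct ssl_backend_data *)(p + Curl_ssl->sizeof_ssl_backend_data * 3);
+-  }
+-#endif
+-
+ #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
+     defined(NTLM_WB_ENABLED)
+   conn->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
+   conn->ntlm_auth_hlpr_pid = 0;
+   conn->challenge_header = NULL;
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 94f692223..edd1fd9ac 100644
+--- a/lib/urldata.h
+@@ -1002,20 +1002,10 @@ struct connectdata {
+ 
+ #ifdef USE_UNIX_SOCKETS
+   char *unix_domain_socket;
+   bool abstract_unix_socket;
+ #endif
+-
+-#ifdef USE_SSL
+-  /*
+-   * To avoid multiple malloc() calls, the ssl_connect_data structures
+-   * associated with a connectdata struct are allocated in the same block
+-   * as the latter. This field forces alignment to an 8-byte boundary so
+-   * that this all works.
+-   */
+-  long long *align_data__do_not_use;
+-#endif
+ };
+ 
+ /* The end of connectdata. */
+ 
+ /*
+-- 
+2.15.0
+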
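Review bot: The embedded patch shows `--- a/lib/url.c` and later `--- a/lib/urldata.h` with no `+++ b/lib/url.c` or `+++ b/lib/urldata.h` line after either, and the section's hunk header `@@ -0,0 +1,142 @@` counts two more lines than are visible here, which is consistent with the renderer dropping the two lines that begin with `+++` rather than with the file itself being truncated. If the committed `curl-CVE-2017-8818.patch` really lacks those lines, the `%patch0 -p1` step added in the spec would fail or mis-apply, so it is worth confirming the stored file is byte-identical to upstream commit 3888095ed2fa32870c2a5452bd91ca21efa70907 before merge. The C hunks themselves are the upstream fix as published and need no change.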
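--- a/[spec file path not shown on page]
+++ b/[spec file path not shown on page]
@@ -1,7 +1,7 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        7.56.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 URL:            http://curl.haxx.se
 Group:          System Environment/NetworkingLibraries
@@ -9,6 +9,7 @@ Vendor:         VMware, Inc.
 Distribution:   Photon
 Source0:        http://curl.haxx.se/download/%{name}-%{version}.tar.xz
 %define sha1    curl=c26bd88fdd5fe5d31a3b9e7a0a6b3dffff3168df
+Patch0:         curl-CVE-2017-8818.patch
 BuildRequires:  ca-certificates
 BuildRequires:  openssl-devel
 BuildRequires:  krb5-devel
@@ -41,6 +42,7 @@ This package contains minimal set of shared curl libraries.
 
 %prep
 %setup -q
+%patch0 -p1
 %build
 ./configure \
     CFLAGS="%{optflags}" \
@@ -88,6 +90,8 @@ rm -rf %{buildroot}/*
 %{_libdir}/libcurl.so.*
 
 %changelog
+*   Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 7.56.1-2
+-   Fix CVE-2017-8818.
 *   Wed Dec 13 2017 Xiaolin Li <xiaolinl@vmware.com> 7.56.1-1
 -   Update to version 7.56.1
 *   Mon Nov 27 2017 Xiaolin Li <xiaolinl@vmware.com> 7.54.1-4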