[OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741
@ 2024-06-02 16:45 Siddharth
  2024-06-02 17:33 ` Marko, Peter
  0 siblings, 1 reply; 3+ messages in thread
From: Siddharth @ 2024-06-02 16:45 UTC (permalink / raw)
  To: openembedded-core; +Cc: Siddharth Doshi

From: Siddharth Doshi <sdoshi@mvista.com>

Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397]

CVE's Fixed:
CVE-2024-4741:Use After Free with SSL_free_buffers

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 .../openssl/openssl/CVE-2024-4741.patch       | 76 +++++++++++++++++++
 .../openssl/openssl_3.0.13.bb                 |  1 +
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch
new file mode 100644
index 0000000000..2fbc55b48a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch
@@ -0,0 +1,76 @@
+From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24395)
+
+(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177)
+
+Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d]
+CVE: CVE-2024-4741
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h       | 1 +
+ ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 4bcffcc..1569997 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index 234656b..b60f71c 100644
+--- a/ssl/record/record.h
++++ b/ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 2c8479e..131eaac 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -5491,6 +5491,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.35.7
+
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
index 87ab4047d9..46f02aa20a 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
            file://CVE-2024-2511.patch \
            file://CVE-2024-4603.patch \
+           file://CVE-2024-4741.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* RE: [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741
  2024-06-02 16:45 [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741 Siddharth
@ 2024-06-02 17:33 ` Marko, Peter
  2024-06-02 17:52   ` [kirkstone][PATCH] " Siddharth
  0 siblings, 1 reply; 3+ messages in thread
From: Marko, Peter @ 2024-06-02 17:33 UTC (permalink / raw)
  To: sdoshi@mvista.com, openembedded-core@lists.openembedded.org

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Siddharth via lists.openembedded.org
Sent: Sunday, June 2, 2024 18:45
To: openembedded-core@lists.openembedded.org
Cc: Siddharth Doshi <sdoshi@mvista.com>
Subject: [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741

> From: Siddharth Doshi <sdoshi@mvista.com>
> 
> Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397]

Nitpick : above commit link references commit for CVE-2024-4603 (copy+paste error).

The main problem of this patch (and the same patch for scarthgap) is that it's picking only one out of 5 commits referencing this CVE.
At least https://github.com/openssl/openssl/commit/2d05959073c4bf8803401668b9df85931a08e020 needs to be picked.
But ideally also the remaining 3 which extend tests should be picked to verify these changes in ptest.
https://github.com/openssl/openssl/commit/6fef334f914abfcd988e53a32d19f01d84529f74
https://github.com/openssl/openssl/commit/1359c00e683840154760b7ba9204bad1b13dc074
https://github.com/openssl/openssl/commit/d095674320c84b8ed1250715b1dd5ce05f9f267b

Peter

> 
> CVE's Fixed:
> CVE-2024-4741:Use After Free with SSL_free_buffers
> 
> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [kirkstone][PATCH] openssl: Security fix for CVE-2024-4741
  2024-06-02 17:33 ` Marko, Peter
@ 2024-06-02 17:52   ` Siddharth
  0 siblings, 0 replies; 3+ messages in thread
From: Siddharth @ 2024-06-02 17:52 UTC (permalink / raw)
  To: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 529 bytes --]

>> Nitpick : above commit link references commit for CVE-2024-4603 (copy+paste error).

- Ahh, that's silly of me. Guess the cup of coffee didnt take away the drowsiness completely.. Thank-you for pointing it out.

>> The main problem of this patch (and the same patch for scarthgap) is that it's picking only one out of 5 commits referencing this CVE.
- That definately makes sense. I just followed the fix links from https://openssl.org/news/vulnerabilities.html and didnt dive deeper.

- I will send a v2 by tomorrow.

[-- Attachment #2: Type: text/html, Size: 2059 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-06-02 17:52 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-02 16:45 [OE-core][kirkstone][PATCH] openssl: Security fix for CVE-2024-4741 Siddharth
2024-06-02 17:33 ` Marko, Peter
2024-06-02 17:52   ` [kirkstone][PATCH] " Siddharth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox