File curl-CVE-2023-28320.patch of Package curl.28980
From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
From: Harry Sintonen <sintonen@iki.fi>
Date: Tue, 25 Apr 2023 09:22:26 +0200
Subject: [PATCH] hostip: add locks around use of global buffer for alarm()
When building with the sync name resolver and timeout ability we now
require thread-safety to be present to enable it.
Closes #11030
---
lib/hostip.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
Index: curl-7.66.0/lib/hostip.c
===================================================================
--- curl-7.66.0.orig/lib/hostip.c
+++ curl-7.66.0/lib/hostip.c
@@ -67,12 +67,19 @@
#include "curl_memory.h"
#include "memdebug.h"
-#if defined(CURLRES_SYNCH) && \
- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
+#if defined(CURLRES_SYNCH) && \
+ defined(HAVE_ALARM) && \
+ defined(SIGALRM) && \
+ defined(HAVE_SIGSETJMP) && \
+ defined(GLOBAL_INIT_IS_THREADSAFE)
/* alarm-based timeouts can only be used with all the dependencies satisfied */
#define USE_ALARM_TIMEOUT
#endif
+#ifdef USE_ALARM_TIMEOUT
+#include "easy_lock.h"
+#endif
+
#define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
/*
@@ -247,11 +254,12 @@ void Curl_hostcache_prune(struct Curl_ea
Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
}
-#ifdef HAVE_SIGSETJMP
+#ifdef USE_ALARM_TIMEOUT
/* Beware this is a global and unique instance. This is used to store the
return address that we can jump back to from inside a signal handler. This
is not thread-safe stuff. */
sigjmp_buf curl_jmpenv;
+curl_simple_lock curl_jmpenv_lock;
#endif
/* lookup address, returns entry if found and not stale */
@@ -592,7 +600,6 @@ int Curl_resolv(struct connectdata *conn
static
RETSIGTYPE alarmfunc(int sig)
{
- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
(void)sig;
siglongjmp(curl_jmpenv, 1);
}
@@ -673,6 +680,8 @@ int Curl_resolv_timeout(struct connectda
This should be the last thing we do before calling Curl_resolv(),
as otherwise we'd have to worry about variables that get modified
before we invoke Curl_resolv() (and thus use "volatile"). */
+ curl_simple_lock_lock(&curl_jmpenv_lock);
+
if(sigsetjmp(curl_jmpenv, 1)) {
/* this is coming from a siglongjmp() after an alarm signal */
failf(data, "name lookup timed out");
@@ -741,6 +750,8 @@ clean_up:
#endif
#endif /* HAVE_SIGACTION */
+ curl_simple_lock_unlock(&curl_jmpenv_lock);
+
/* switch back the alarm() to either zero or to what it was before minus
the time we spent until now! */
if(prev_alarm) {