From: Siddharth Doshi <[email protected]>

Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac]
CVE's Fixed: CVE-2024-4741:Use After Free with SSL_free_buffers Signed-off-by: Siddharth Doshi <[email protected]> --- .../openssl/openssl/CVE-2024-4741.patch | 44 +++++++++++++++++++ .../openssl/openssl_3.2.1.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch new file mode 100644 index 0000000000..4cb9806c75 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4741.patch 
@@ -0,0 +1,44 @@ +From 9c24e8a8e04d4bb6de5198bc40a0bdbd860aded0 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <[email protected]> +Date: Tue, 23 Apr 2024 16:34:46 +0100 +Subject: [PATCH] Only free the read buffers if we're not using them + +If we're part way through processing a record, or the application has +not released all the records then we should not free our buffer because +they are still needed. + +CVE-2024-4741 + +Reviewed-by: Tomas Mraz <[email protected]> +Reviewed-by: Neil Horman <[email protected]> +(Merged from https://github.com/openssl/openssl/pull/24395) + +(cherry picked from commit 38690cab18de88198f46478565fab423cf534efa) + +Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac] +CVE: CVE-2024-4741 +Signed-off-by: Siddharth Doshi <[email protected]> + +--- + ssl/record/methods/tls_common.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c +index 08e519a..f46da0f 100644 +--- a/ssl/record/methods/tls_common.c ++++ b/ssl/record/methods/tls_common.c +@@ -2129,7 +2129,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl) + /* Read direction */ + + /* If we have pending data to be read then fail */ +- if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0) ++ if (rl->curr_rec < rl->num_recs ++ || rl->curr_rec != rl->num_released ++ || TLS_BUFFER_get_left(&rl->rbuf) != 0 ++ || rl->rstate == SSL_ST_READ_BODY) + return 0; + + return tls_release_read_buffer(rl); +-- +2.44.0 + diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb index 9bdf7e1ec6..c1f5591f8e 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb 
@@ -15,6 +15,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://bti.patch \ file://CVE-2024-2511.patch \ file://CVE-2024-4603.patch \ + file://CVE-2024-4741.patch \ " SRC_URI:append:class-nativesdk = " \ -- 2.34.1
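Review bot: The header of the embedded CVE-2024-4741.patch carries three different commit ids: the "From 9c24e8a8e04d4bb6de5198bc40a0bdbd860aded0" line, "(cherry picked from commit 38690cab18de88198f46478565fab423cf534efa)", and the Upstream-Status link to c88c3de51020c37e8706bf7a682a162593053aac. Please state which upstream branch the backport was taken from and confirm that the Upstream-Status URL is the commit on that branch, so the new condition in tls_free_buffers() (the added checks on rl->num_released and rl->rstate == SSL_ST_READ_BODY) can be compared against its origin. The embedded patch touches only ssl/record/methods/tls_common.c (4 insertions, 1 deletion); if the upstream fix came with accompanying test or documentation commits, the commit message should say they were left out on purpose.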
