!112 backport to fix potential coredump

From: @xinghe_1 Reviewed-by: @wang--ge Signed-off-by: @wang--ge
2024-01-22 01:14:01 +00:00 · 2024-01-22 01:14:01 +00:00 · ce43ece7f8
commit ce43ece7f8
parent 5dd1b2224b f04ffea0e0
4 changed files with 126 additions and 1 deletions
--- a/backport-errors-handle-malloc-failure-in-usermsgs_put.patch
+++ b/backport-errors-handle-malloc-failure-in-usermsgs_put.patch
@ -0,0 +1,39 @@
 From d4dba38ab101eee4cbd0c8d8aa21181825ef6472 Mon Sep 17 00:00:00 2001
 From: Aurelien DARRAGON <adarragon@haproxy.com>
 Date: Thu, 11 May 2023 18:49:14 +0200
 Subject: [PATCH] BUG/MINOR: errors: handle malloc failure in usermsgs_put()
 usermsgs_buf.size is set without first checking if previous malloc
 attempt succeeded.
 This could fool the buffer API into assuming that the buffer is
 initialized, resulting in unsafe read/writes.
 Guarding usermsgs_buf.size assignment with the malloc attempt result
 to make the buffer initialization safe against malloc failures.
 This partially fixes GH #2130.
 It should be backported up to 2.6.
 Conflict:NA
 Reference:https://github.com/haproxy/haproxy/commit/d4dba38ab101eee4cbd0c8d8aa21181825ef6472
 ---
 src/errors.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/errors.c b/src/errors.c
 index 2e9d6afb7e04..5913cb1d509d 100644
 --- a/src/errors.c
 +++ b/src/errors.c
@@ -229,7 +229,8 @@ static void usermsgs_put(const struct ist *msg)
 	/* Allocate the buffer if not already done. */
 	if (unlikely(b_is_null(&usermsgs_buf))) {
 		usermsgs_buf.area = malloc(USER_MESSAGES_BUFSIZE * sizeof(char));
 -		usermsgs_buf.size = USER_MESSAGES_BUFSIZE;
 +		if (usermsgs_buf.area)
 +			usermsgs_buf.size = USER_MESSAGES_BUFSIZE;
 	}
 	if (likely(!b_is_null(&usermsgs_buf))) {
--- a/backport-ssl_sock-add-check-for-ha_meth.patch
+++ b/backport-ssl_sock-add-check-for-ha_meth.patch
@ -0,0 +1,43 @@
 From 15c3d20e315f1f06c9649ae598de86d61d41085b Mon Sep 17 00:00:00 2001
 From: eaglegai <eaglegai@163.com>
 Date: Fri, 26 May 2023 16:42:47 +0800
 Subject: [PATCH] BUG/MINOR: ssl_sock: add check for ha_meth
 in __ssl_sock_init, BIO_meth_new may failed and return NULL if
 OPENSSL_zalloc failed.  in this case, ha_meth  will be NULL, and then
 crash happens in  BIO_meth_set_write.  So, we add a check for ha_meth.
 Conflict:NA
 Reference:https://github.com/haproxy/haproxy/commit/15c3d20e315f1f06c9649ae598de86d61d41085b
 ---
 src/ssl_sock.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
 diff --git a/src/ssl_sock.c b/src/ssl_sock.c
 index e637b0423a9a..ff0db9d1a1c2 100644
 --- a/src/ssl_sock.c
 +++ b/src/ssl_sock.c
@@ -7561,13 +7561,15 @@ static void __ssl_sock_init(void)
 	ERR_load_SSL_strings();
 #endif
 	ha_meth = BIO_meth_new(0x666, "ha methods");
 -	BIO_meth_set_write(ha_meth, ha_ssl_write);
 -	BIO_meth_set_read(ha_meth, ha_ssl_read);
 -	BIO_meth_set_ctrl(ha_meth, ha_ssl_ctrl);
 -	BIO_meth_set_create(ha_meth, ha_ssl_new);
 -	BIO_meth_set_destroy(ha_meth, ha_ssl_free);
 -	BIO_meth_set_puts(ha_meth, ha_ssl_puts);
 -	BIO_meth_set_gets(ha_meth, ha_ssl_gets);
 +	if (ha_meth != NULL) {
 +		BIO_meth_set_write(ha_meth, ha_ssl_write);
 +		BIO_meth_set_read(ha_meth, ha_ssl_read);
 +		BIO_meth_set_ctrl(ha_meth, ha_ssl_ctrl);
 +		BIO_meth_set_create(ha_meth, ha_ssl_new);
 +		BIO_meth_set_destroy(ha_meth, ha_ssl_free);
 +		BIO_meth_set_puts(ha_meth, ha_ssl_puts);
 +		BIO_meth_set_gets(ha_meth, ha_ssl_gets);
 +	}
 	HA_SPIN_INIT(&ckch_lock);
--- a/backport-thread-add-a-check-for-pthread_create.patch
+++ b/backport-thread-add-a-check-for-pthread_create.patch
@ -0,0 +1,31 @@
 From ef667b1ad89bb159b1991de0ec07d17e4320df23 Mon Sep 17 00:00:00 2001
 From: eaglegai <eaglegai@163.com>
 Date: Fri, 26 May 2023 16:44:34 +0800
 Subject: [PATCH] BUG/MINOR: thread: add a check for pthread_create
 preload_libgcc_s() use pthread_create to create a thread and then call
 pthread_join to use it, but it doesn't check if the option is successful.
 So add a check to aviod potential crash.
 Conflict:NA
 Reference:https://github.com/haproxy/haproxy/commit/ef667b1ad89bb159b1991de0ec07d17e4320df23
 ---
 src/thread.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/thread.c b/src/thread.c
 index d7128252ed0e..b41b6628a4cb 100644
 --- a/src/thread.c
 +++ b/src/thread.c
@@ -1066,8 +1066,8 @@ static void *dummy_thread_function(void *data)
 static inline void preload_libgcc_s(void)
 {
 	pthread_t dummy_thread;
 -	pthread_create(&dummy_thread, NULL, dummy_thread_function, NULL);
 -	pthread_join(dummy_thread, NULL);
 +	if (pthread_create(&dummy_thread, NULL, dummy_thread_function, NULL) == 0)
 +		pthread_join(dummy_thread, NULL);
 }
 static void __thread_init(void)
--- a/haproxy.spec
+++ b/haproxy.spec
@ -5,7 +5,7 @@
 Name:             haproxy
 Version:          2.6.6
-Release:          8
+Release:          9
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 License:          GPLv2+
@ -31,6 +31,9 @@ Patch11:          backport-BUG-MINOR-server-inherit-from-netns-in-srv_settings_.
 Patch12:          CVE-2023-0836.patch
 # https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6
 Patch13:          CVE-2023-45539.patch
 Patch14:          backport-errors-handle-malloc-failure-in-usermsgs_put.patch
 Patch15:          backport-ssl_sock-add-check-for-ha_meth.patch
 Patch16:          backport-thread-add-a-check-for-pthread_create.patch
 BuildRequires:    gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 %ifarch sw_64
@ -135,6 +138,15 @@ exit 0
 %{_mandir}/man1/*
 %changelog
 * Fri Jan 19 2024 xinghe <xinghe2@h-partners.com> - 2.6.6-9
 - Type:bugfix
 - CVE:NA
 - SUG:restart
 - DESC:backport to fix potential coredump:
       errors: handle malloc failure in usermsgs_put
       ssl_sock: add check for ha_meth
       thread: add a check for pthread_creat
 * Wed Dec 06 2023 yaoxin <yao_xin001@hoperun.com> - 2.6.6-8
 - Fix CVE-2023-45539