fix CVE-2023-0464

2024-02-19 15:53:41 +08:00 · 2024-02-19 15:53:41 +08:00 · bc63d61586
commit bc63d61586
parent 052a50d3f5
2 changed files with 221 additions and 1 deletions
--- a/backport-CVE-2023-0464.patch
+++ b/backport-CVE-2023-0464.patch
@ -0,0 +1,216 @@
+From ed19b0008b5802505a6ccb05e5bac05baf90c418 Mon Sep 17 00:00:00 2001
+rom: Pauli <pauli@openssl.org>
+Date: Wed, 8 Mar 2023 15:28:20 +1100
+Subject: [PATCH] x509: excessive resource use verifying policy
+constraints
+
+A security vulnerability has been identified in all supported versions
+of OpenSSL related to the verification of X.509 certificate chains
+that include policy constraints.  Attackers may be able to exploit this
+vulnerability by creating a malicious certificate chain that triggers
+exponential use of computational resources, leading to a
+denial-of-service
+(DoS) attack on affected systems.
+
+Fixes CVE-2023-0464
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/20569)
+
+---
+ Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h  |  8 +++++-
+ Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c | 11 +++++++--
+ Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c | 30 ++++++++++++++---------
+ 3 files changed, 35 insertions(+), 14 deletions(-)
+
+diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h b/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
+index b5075f9..0ed2349 100644
+--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
+@@ -161,6 +161,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
+    /* The number of nodes in the tree */
+    size_t node_count;
+    /* The maximum number of nodes in the tree */
+    size_t node_maximum;
+
+     /* This is the tree 'level' data */
+     X509_POLICY_LEVEL *levels;
+     int nlevel;
+@@ -209,7 +214,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+                                  const X509_POLICY_DATA *data,
+                                  X509_POLICY_NODE *parent,
+-                                 X509_POLICY_TREE *tree);
+                                 X509_POLICY_TREE *tree,
+                                 int extra_data);
+ void policy_node_free(X509_POLICY_NODE *node);
+ int policy_node_match(const X509_POLICY_LEVEL *lvl,
+                       const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
+index d6c9176..75b3791 100644
+--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
+@@ -111,9 +111,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+                                  const X509_POLICY_DATA *data,
+                                  X509_POLICY_NODE *parent,
+-                                 X509_POLICY_TREE *tree)
+                                 X509_POLICY_TREE *tree,
+                                 int extra_data)
+ {
+     X509_POLICY_NODE *node;
+
+    /* Verify that the tree isn't too large. this mitigates CVE-2023-0464 */
+    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
+        return NULL;
+
+     node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
+     if (!node)
+         return NULL;
+@@ -136,7 +142,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
+-    if (tree) {
+    if (extra_data) {
+         if (!tree->extra_data)
+             tree->extra_data = sk_X509_POLICY_DATA_new_null();
+         if (!tree->extra_data)
+@@ -145,6 +151,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+             goto node_error;
+     }
+ 
+    tree->node_count++;
+     if (parent)
+         parent->nchild++;
+ 
+diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
+index 09b8691..fb9a616 100644
+--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
+@@ -63,6 +63,10 @@
+ 
+ #include "pcy_int.h"
+ 
+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
+#endif
+
+ /*
+  * Enable this to print out the complete policy tree at various point during
+  * evaluation.
+@@ -225,6 +229,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+     if (!tree)
+         return 0;
+ 
+    /* Limit the groeth of the tree to mitigate CVE-2023-0464 */
+    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
+     tree->flags = 0;
+     tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
+     tree->nlevel = 0;
+@@ -247,7 +253,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ 
+     data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
+ 
+-    if (!data || !level_add_node(level, data, NULL, tree))
+    if (!data || !level_add_node(level, data, NULL, tree, 1))
+         goto bad_tree;
+ 
+     for (i = n - 2; i >= 0; i--) {
+@@ -304,7 +310,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ }
+ 
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+-                                    const X509_POLICY_DATA *data)
+                                    const X509_POLICY_DATA *data,
+                                    X509_POLICY_TREE *tree)
+ {
+     X509_POLICY_LEVEL *last = curr - 1;
+     X509_POLICY_NODE *node;
+@@ -313,13 +320,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+     for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
+         node = sk_X509_POLICY_NODE_value(last->nodes, i);
+         if (policy_node_match(last, node, data->valid_policy)) {
+-            if (!level_add_node(curr, data, node, NULL))
+            if (!level_add_node(curr, data, node, tree, 0))
+                 return 0;
+             matched = 1;
+         }
+     }
+     if (!matched && last->anyPolicy) {
+-        if (!level_add_node(curr, data, last->anyPolicy, NULL))
+        if (!level_add_node(curr, data, last->anyPolicy, tree, 0))
+             return 0;
+     }
+     return 1;
+@@ -331,7 +338,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+  */
+ 
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+-                           const X509_POLICY_CACHE *cache)
+                           const X509_POLICY_CACHE *cache,
+                           X509_POLICY_TREE *tree)
+ {
+     int i;
+     X509_POLICY_DATA *data;
+@@ -352,7 +360,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+             continue;
+ #endif
+         /* Look for matching nodes in previous level */
+-        if (!tree_link_matching_nodes(curr, data))
+        if (!tree_link_matching_nodes(curr, data, tree))
+             return 0;
+     }
+     return 1;
+@@ -382,7 +390,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+     /* Curr may not have anyPolicy */
+     data->qualifier_set = cache->anyPolicy->qualifier_set;
+     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-    if (!level_add_node(curr, data, node, tree)) {
+    if (!level_add_node(curr, data, node, tree, 1)) {
+         policy_data_free(data);
+         return 0;
+     }
+@@ -464,7 +472,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+         /* Curr may not have anyPolicy */
+         data->qualifier_set = cache->anyPolicy->qualifier_set;
+         data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-        if (!level_add_node(curr, data, node, tree)) {
+        if (!level_add_node(curr, data, node, tree, 1)) {
+             policy_data_free(data);
+             return 0;
+         }
+@@ -473,7 +481,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+     }
+     /* Finally add link to anyPolicy */
+     if (last->anyPolicy) {
+-        if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL))
+        if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0))
+             return 0;
+     }
+     return 1;
+@@ -646,7 +654,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+             extra->qualifier_set = anyPolicy->data->qualifier_set;
+             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+                 | POLICY_DATA_FLAG_EXTRA_NODE;
+-            node = level_add_node(NULL, extra, anyPolicy->parent, tree);
+            node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
+         }
+         if (!tree->user_policies) {
+             tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -668,7 +676,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
+ 
+     for (i = 1; i < tree->nlevel; i++, curr++) {
+         cache = policy_cache_set(curr->cert);
+-        if (!tree_link_nodes(curr, cache))
+        if (!tree_link_nodes(curr, cache, tree))
+             return 0;
+ 
+         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
+-- 
+2.27.0
+
--- a/shim.spec
+++ b/shim.spec
@ -25,7 +25,7 @@

 Name:	   	   shim
 Version:	   15.7
-Release:	   4
+Release:	   5
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@ -44,6 +44,7 @@ Patch7:backport-CVE-2023-40548-Fix-integer-overflow-on-SBAT-section-.patch
 Patch8:backport-CVE-2023-40547-avoid-incorrectly-trusting-HTTP-heade.patch
 Patch9:backport-Further-mitigations-against-CVE-2023-40546-as-a-clas.patch
 Patch10:backport-CVE-2023-40549-Authenticode-verify-that-the-signatur.patch
+Patch11:backport-CVE-2023-0464.patch

 # Feature for shim SMx support
 Patch9000:Feature-shim-openssl-add-ec-support.patch
@ -167,6 +168,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*

 %changelog
+* Mon Feb 19 2024 jinlun <jinlun@huawei.com> -15.7-5
+- fix CVE-2023-0464
+
 * Mon Feb 5 2024 jinlun <jinlun@huawei.com> - 15.7-4
 - add tpcm support with ipmi channel