From 626e8c7364b3007a44f011d2a0acaa496c69a74c Mon Sep 17 00:00:00 2001 From: Vamshi Maskuri <117595548+varshith257@users.noreply.github.com> Date: Tue, 17 Dec 2024 19:18:55 +0530 Subject: [PATCH] fix(CVE-2021-42074): Handle SSL race conditions and segmentation fault based on barrier: debauchee/barrier@8b937a4 --- src/lib/net/SecureSocket.cpp | 14 ++++++++++++++ src/lib/net/SecureSocket.h | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/src/lib/net/SecureSocket.cpp b/src/lib/net/SecureSocket.cpp index 4779a5513..e77f70612 100644 --- a/src/lib/net/SecureSocket.cpp +++ b/src/lib/net/SecureSocket.cpp @@ -228,6 +228,8 @@ TCPSocket::EJobResult SecureSocket::doWrite() int SecureSocket::secureRead(void *buffer, int size, int &read) { + std::lock_guard ssl_lock{ssl_mutex_}; + if (m_ssl->m_ssl != NULL) { LOG((CLOG_DEBUG2 "reading secure socket")); read = SSL_read(m_ssl->m_ssl, buffer, size); @@ -253,6 +255,8 @@ int SecureSocket::secureRead(void *buffer, int size, int &read) int SecureSocket::secureWrite(const void *buffer, int size, int &wrote) { + std::lock_guard ssl_lock{ssl_mutex_}; + if (m_ssl->m_ssl != NULL) { LOG((CLOG_DEBUG2 "writing secure socket: %p", this)); @@ -284,6 +288,8 @@ bool SecureSocket::isSecureReady() void SecureSocket::initSsl(bool server) { + std::lock_guard ssl_lock{ssl_mutex_}; + m_ssl = new Ssl(); m_ssl->m_context = NULL; m_ssl->m_ssl = NULL; @@ -293,6 +299,8 @@ void SecureSocket::initSsl(bool server) bool SecureSocket::loadCertificates(String &filename) { + std::lock_guard ssl_lock{ssl_mutex_}; + if (filename.empty()) { SslLogger::logError("tls certificate is not specified"); return false; @@ -375,6 +383,8 @@ void SecureSocket::createSSL() void SecureSocket::freeSSL() { + std::lock_guard ssl_lock{ssl_mutex_}; + isFatal(true); // take socket from multiplexer ASAP otherwise the race condition // could cause events to get called on a dead object. TCPSocket 
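Review bot: In secureRead the line right after the new guard still evaluates `m_ssl->m_ssl` without checking `m_ssl` itself, so the lock serialises access but does not make the dereference safe. If freeSSL releases or clears `m_ssl` (its teardown is not visible in these hunks, so please confirm), a read that acquires the lock after teardown would still fault. In that case the test should be `if (m_ssl != nullptr && m_ssl->m_ssl != NULL)`. The identical condition in the secureWrite hunk needs the same treatment. Both function bodies continue outside their hunks.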
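Review bot: In freeSSL the guard is taken before `isFatal(true)` and before the multiplexer detachment that the following comment describes, so `ssl_mutex_` appears to be held while this thread calls into SocketMultiplexer. If that call waits on the multiplexer thread while that thread is blocked on `ssl_mutex_` in secureRead or secureWrite, the two can deadlock. The detachment call lies past the end of the hunk, so this needs checking against the full body. Consider moving the guard into a nested scope around the `m_ssl` teardown only, with a comment such as `// ssl_mutex_ guards only the m_ssl teardown below, not the multiplexer call`.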
@@ -398,6 +408,8 @@ void SecureSocket::freeSSL() int SecureSocket::secureAccept(int socket) { + std::lock_guard ssl_lock{ssl_mutex_}; + createSSL(); // set connection socket to SSL state @@ -444,6 +456,8 @@ int SecureSocket::secureAccept(int socket) int SecureSocket::secureConnect(int socket) { + std::lock_guard ssl_lock{ssl_mutex_}; + createSSL(); // attach the socket descriptor diff --git a/src/lib/net/SecureSocket.h b/src/lib/net/SecureSocket.h index 13756da11..bc3c00065 100644 --- a/src/lib/net/SecureSocket.h +++ b/src/lib/net/SecureSocket.h @@ -19,6 +19,7 @@ #include "net/TCPSocket.h" #include "net/XSocket.h" +#include class IEventQueue; class SocketMultiplexer; @@ -87,6 +88,11 @@ private: void handleTCPConnected(const Event &event, void *); private: + // all accesses to m_ssl must be protected by this mutex. The only function that is called + // from outside SocketMultiplexer thread is close(), so we mostly care about things accessed + // by it. + std::mutex ssl_mutex_; + Ssl *m_ssl; bool m_secureReady; bool m_fatal;
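Review bot: secureAccept now calls `createSSL()` with `ssl_mutex_` already held, and the header declares it as a plain `std::mutex`, which is not recursive. Nothing reachable from createSSL or the rest of this function may therefore take the mutex again, yet freeSSL now does exactly that. createSSL's body is outside the hunk, so I cannot confirm it stays lock-free; a comment on it such as `// precondition: caller holds ssl_mutex_; must not lock it again` would make the contract explicit. The same applies to the secureConnect hunk. Both bodies continue past their hunks, so also check that no error path reaches freeSSL or another locking member while the guard is alive.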
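Review bot: The new comment scopes `ssl_mutex_` to `m_ssl` only, but `m_secureReady` and `m_fatal` are declared directly below it as plain `bool`. The freeSSL hunk calls `isFatal(true)`, presumably on the close() path that the comment says runs outside the SocketMultiplexer thread. No hunk in this patch adds a guard to isSecureReady, so if these flags are also read on the multiplexer thread they remain unsynchronised. Either extend the comment, e.g. `// also guards m_secureReady and m_fatal`, and lock their accessors to match, or state in the comment why they are safe without the mutex.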