[glib-networking/mcatanzaro/verify-crash: 2/2] gnutls: fix threadsafety in g_tls_database_gnutls_verify_chain




commit 8c034ff04d865a1b2c4dbb93e6e1c47278997b09
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Thu Apr 1 13:52:36 2021 -0500

    gnutls: fix threadsafety in g_tls_database_gnutls_verify_chain
    
    All priv members need to be locked, including priv->trust_list. Although
    it is read-only once it is initialized, it is apparently still not safe
    to share across threads.
    
    We also need to lock priv->verify_chain_cancellable.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1937513

 tls/gnutls/gtlsdatabase-gnutls.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
---
diff --git a/tls/gnutls/gtlsdatabase-gnutls.c b/tls/gnutls/gtlsdatabase-gnutls.c
index 85b771f..41fccb2 100644
--- a/tls/gnutls/gtlsdatabase-gnutls.c
+++ b/tls/gnutls/gtlsdatabase-gnutls.c
@@ -43,7 +43,7 @@ typedef struct
    */
   GMutex mutex;
 
-  /* read-only after construct */
+  /* Read-only after construct, but still has to be protected by the mutex. */
   gnutls_x509_trust_list_t trust_list;
 
   /*
@@ -501,6 +501,7 @@ g_tls_database_gnutls_verify_chain (GTlsDatabase             *database,
   if (g_cancellable_set_error_if_cancelled (cancellable, error))
     return G_TLS_CERTIFICATE_GENERIC_ERROR;
 
+  g_mutex_lock (&priv->mutex);
   g_assert (!priv->verify_chain_cancellable);
   priv->verify_chain_cancellable = cancellable;
   gnutls_chain = convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (chain));
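Review bot: Any early return between the new `g_mutex_lock (&priv->mutex);` and the `g_mutex_unlock (&priv->mutex);` added in the next hunk (after `priv->verify_chain_cancellable = NULL;`) would leave the mutex held, and from this hunk I cannot see whether convert_certificate_chain_to_gnutls() can fail; if it can return NULL, that error path needs its own unlock (or a single cleanup label) before returning. The lock is also now held across the gnutls chain-verification call whose arguments open the next hunk, so every caller of g_tls_database_gnutls_verify_chain() on this database is serialized for the whole verification, including issuer_missing_cb() and any issuer fetch it performs — if that callback blocks on I/O, other threads' verifications wait on it, which is worth a comment next to the lock. Because GMutex is not recursive, nothing reachable from the verify call may take priv->mutex again or it will deadlock. The enclosing function starts before this hunk and continues past it.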
@@ -508,6 +509,7 @@ g_tls_database_gnutls_verify_chain (GTlsDatabase             *database,
                                             gnutls_chain->chain, gnutls_chain->length,
                                             0, &gnutls_result, NULL);
   priv->verify_chain_cancellable = NULL;
+  g_mutex_unlock (&priv->mutex);
 
   if (gerr != 0 || g_cancellable_set_error_if_cancelled (cancellable, error))
     {
@@ -610,6 +612,8 @@ issuer_missing_cb (gnutls_x509_trust_list_t   tlist,
    * 
https://blogs.gnome.org/mcatanzaro/2015/01/30/mozilla-is-responsible-for-the-redhat-corpmerchandise-com-fiasco/
    */
 
+  /* Note: priv->mutex is already locked by g_tls_database_gnutls_verify_chain(). */
+
   for (int i = 0; ; i++)
     {
       gerr = gnutls_x509_crt_get_authority_info_access (crt, i, GNUTLS_IA_CAISSUERS_URI, &datum, NULL);
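Review bot: The added comment states that priv->mutex is already held but not the obligation that follows from it, which is the part a future editor of this callback needs. I would extend it to `/* Note: priv->mutex is already locked by g_tls_database_gnutls_verify_chain(). GMutex is not recursive, so this callback and anything it calls must not lock priv->mutex again. */`. Since there is no way to assert at runtime that a GMutex is held, the comment is the only guard, so it should also be mirrored on any other gnutls callback installed from the locked region, if there are others outside this hunk. issuer_missing_cb() begins before this hunk and continues past it.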

