From df2aab79ce8c80094bdae2a10ff694887752f9ad Mon Sep 17 00:00:00 2001
From: xh <xinghe2@h-partners.com>
Date: Fri, 8 Dec 2023 14:32:34 +0800
Subject: [PATCH] backport to fix potential coredump

---
 ...andle-malloc-failure-in-usermsgs_put.patch | 39 +++++++++++++++++
 backport-ssl_sock-add-check-for-ha_meth.patch | 43 +++++++++++++++++++
 ...hread-add-a-check-for-pthread_create.patch | 31 +++++++++++++
 haproxy.spec                                  | 14 +++++-
 4 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100644 backport-errors-handle-malloc-failure-in-usermsgs_put.patch
 create mode 100644 backport-ssl_sock-add-check-for-ha_meth.patch
 create mode 100644 backport-thread-add-a-check-for-pthread_create.patch

diff --git a/backport-errors-handle-malloc-failure-in-usermsgs_put.patch b/backport-errors-handle-malloc-failure-in-usermsgs_put.patch
new file mode 100644
index 0000000..980d68d
--- /dev/null
+++ b/backport-errors-handle-malloc-failure-in-usermsgs_put.patch
@@ -0,0 +1,39 @@
+From d4dba38ab101eee4cbd0c8d8aa21181825ef6472 Mon Sep 17 00:00:00 2001
+From: Aurelien DARRAGON <adarragon@haproxy.com>
+Date: Thu, 11 May 2023 18:49:14 +0200
+Subject: [PATCH] BUG/MINOR: errors: handle malloc failure in usermsgs_put()
+
+usermsgs_buf.size is set without first checking if previous malloc
+attempt succeeded.
+
+This could fool the buffer API into assuming that the buffer is
+initialized, resulting in unsafe read/writes.
+
+Guarding usermsgs_buf.size assignment with the malloc attempt result
+to make the buffer initialization safe against malloc failures.
+
+This partially fixes GH #2130.
+
+It should be backported up to 2.6.
+
+Conflict:NA
+Reference:https://github.com/haproxy/haproxy/commit/d4dba38ab101eee4cbd0c8d8aa21181825ef6472
+
+---
+ src/errors.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/errors.c b/src/errors.c
+index 2e9d6afb7e04..5913cb1d509d 100644
+--- a/src/errors.c
++++ b/src/errors.c
+@@ -229,7 +229,8 @@ static void usermsgs_put(const struct ist *msg)
+ 	/* Allocate the buffer if not already done. */
+ 	if (unlikely(b_is_null(&usermsgs_buf))) {
+ 		usermsgs_buf.area = malloc(USER_MESSAGES_BUFSIZE * sizeof(char));
+-		usermsgs_buf.size = USER_MESSAGES_BUFSIZE;
++		if (usermsgs_buf.area)
++			usermsgs_buf.size = USER_MESSAGES_BUFSIZE;
+ 	}
+ 
+ 	if (likely(!b_is_null(&usermsgs_buf))) {
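Review bot: The allocation-failure path in usermsgs_put() is silent and undocumented. With the new `if (usermsgs_buf.area)` guard the buffer stays null, and the following `likely(!b_is_null(&usermsgs_buf))` test appears to be what skips the store, so the message is presumably dropped and the malloc retried on the next call. A comment on the guard would make that intent explicit, e.g. `/* on malloc failure leave the buffer null: the message is skipped and allocation is retried on the next call */`. The same undocumented best-effort skip applies to the `pthread_create()` check added to preload_libgcc_s() in the thread patch, where a failed create now quietly bypasses the join. usermsgs_put()'s body continues outside the hunk, so what the fall-through path does cannot be confirmed from here.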
diff --git a/backport-ssl_sock-add-check-for-ha_meth.patch b/backport-ssl_sock-add-check-for-ha_meth.patch
new file mode 100644
index 0000000..bccdbd9
--- /dev/null
+++ b/backport-ssl_sock-add-check-for-ha_meth.patch
@@ -0,0 +1,43 @@
+From 15c3d20e315f1f06c9649ae598de86d61d41085b Mon Sep 17 00:00:00 2001
+From: eaglegai <eaglegai@163.com>
+Date: Fri, 26 May 2023 16:42:47 +0800
+Subject: [PATCH] BUG/MINOR: ssl_sock: add check for ha_meth
+
+in __ssl_sock_init, BIO_meth_new may failed and return NULL if
+OPENSSL_zalloc failed.  in this case, ha_meth  will be NULL, and then
+crash happens in  BIO_meth_set_write.  So, we add a check for ha_meth.
+
+Conflict:NA
+Reference:https://github.com/haproxy/haproxy/commit/15c3d20e315f1f06c9649ae598de86d61d41085b
+
+---
+ src/ssl_sock.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index e637b0423a9a..ff0db9d1a1c2 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -7561,13 +7561,15 @@ static void __ssl_sock_init(void)
+ 	ERR_load_SSL_strings();
+ #endif
+ 	ha_meth = BIO_meth_new(0x666, "ha methods");
+-	BIO_meth_set_write(ha_meth, ha_ssl_write);
+-	BIO_meth_set_read(ha_meth, ha_ssl_read);
+-	BIO_meth_set_ctrl(ha_meth, ha_ssl_ctrl);
+-	BIO_meth_set_create(ha_meth, ha_ssl_new);
+-	BIO_meth_set_destroy(ha_meth, ha_ssl_free);
+-	BIO_meth_set_puts(ha_meth, ha_ssl_puts);
+-	BIO_meth_set_gets(ha_meth, ha_ssl_gets);
++	if (ha_meth != NULL) {
++		BIO_meth_set_write(ha_meth, ha_ssl_write);
++		BIO_meth_set_read(ha_meth, ha_ssl_read);
++		BIO_meth_set_ctrl(ha_meth, ha_ssl_ctrl);
++		BIO_meth_set_create(ha_meth, ha_ssl_new);
++		BIO_meth_set_destroy(ha_meth, ha_ssl_free);
++		BIO_meth_set_puts(ha_meth, ha_ssl_puts);
++		BIO_meth_set_gets(ha_meth, ha_ssl_gets);
++	}
+ 
+ 	HA_SPIN_INIT(&ckch_lock);
+ 
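Review bot: The new `if (ha_meth != NULL)` guard avoids the crash in the BIO_meth_set_* calls but leaves ha_meth NULL with no diagnostic, and __ssl_sock_init() carries on to `HA_SPIN_INIT(&ckch_lock)` as if initialisation had succeeded. Any code outside this hunk that later passes ha_meth to OpenSSL would need its own NULL check, which cannot be confirmed from the visible lines; if none exists, the failure is only deferred to first use. Consider reporting the allocation failure at startup in an `else` branch. At minimum, document the invariant with `/* ha_meth stays NULL if BIO_meth_new() fails; users must check it before use */`. The function body starts and ends outside the hunk.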
diff --git a/backport-thread-add-a-check-for-pthread_create.patch b/backport-thread-add-a-check-for-pthread_create.patch
new file mode 100644
index 0000000..61cd0b4
--- /dev/null
+++ b/backport-thread-add-a-check-for-pthread_create.patch
@@ -0,0 +1,31 @@
+From ef667b1ad89bb159b1991de0ec07d17e4320df23 Mon Sep 17 00:00:00 2001
+From: eaglegai <eaglegai@163.com>
+Date: Fri, 26 May 2023 16:44:34 +0800
+Subject: [PATCH] BUG/MINOR: thread: add a check for pthread_create
+
+preload_libgcc_s() use pthread_create to create a thread and then call
+pthread_join to use it, but it doesn't check if the option is successful.
+So add a check to aviod potential crash.
+
+Conflict:NA
+Reference:https://github.com/haproxy/haproxy/commit/ef667b1ad89bb159b1991de0ec07d17e4320df23
+
+---
+ src/thread.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/thread.c b/src/thread.c
+index d7128252ed0e..b41b6628a4cb 100644
+--- a/src/thread.c
++++ b/src/thread.c
+@@ -1066,8 +1066,8 @@ static void *dummy_thread_function(void *data)
+ static inline void preload_libgcc_s(void)
+ {
+ 	pthread_t dummy_thread;
+-	pthread_create(&dummy_thread, NULL, dummy_thread_function, NULL);
+-	pthread_join(dummy_thread, NULL);
++	if (pthread_create(&dummy_thread, NULL, dummy_thread_function, NULL) == 0)
++		pthread_join(dummy_thread, NULL);
+ }
+ 
+ static void __thread_init(void)
diff --git a/haproxy.spec b/haproxy.spec
index c585a84..20f6d5b 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -5,7 +5,7 @@
 
 Name:             haproxy
 Version:          2.6.6
-Release:          8
+Release:          9
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 
 License:          GPLv2+
@@ -31,6 +31,9 @@ Patch11:          backport-BUG-MINOR-server-inherit-from-netns-in-srv_settings_.
 Patch12:          CVE-2023-0836.patch
 # https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6
 Patch13:          CVE-2023-45539.patch
+Patch14:          backport-errors-handle-malloc-failure-in-usermsgs_put.patch
+Patch15:          backport-ssl_sock-add-check-for-ha_meth.patch
+Patch16:          backport-thread-add-a-check-for-pthread_create.patch
 
 BuildRequires:    gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 %ifarch sw_64
@@ -135,6 +138,15 @@ exit 0
 %{_mandir}/man1/*
 
 %changelog
+* Fri Dec 08 2023 xinghe <xinghe2@h-partners.com> - 2.6.6-9
+- Type:bugfix
+- CVE:NA
+- SUG:restart
+- DESC:backport to fix potential coredump:
+       errors: handle malloc failure in usermsgs_put
+       ssl_sock: add check for ha_meth
+       thread: add a check for pthread_creat
+
 * Wed Dec 06 2023 yaoxin <yao_xin001@hoperun.com> - 2.6.6-8
 - Fix CVE-2023-45539
 
-- 
Gitee