From f22531ce210e8fc29566b58182af44adb187d3f3 Mon Sep 17 00:00:00 2001
From: wangcheng
Date: Tue, 28 Nov 2023 15:20:19 +0800
Subject: [PATCH] backport some patches
---
 ...Fix-possible-use-after-free-when-OOM.patch | 65 +++++++++++++++++
 ...le-ossl_policy_level_add_node-errors.patch | 72 +++++++++++++++++++
 openssl.spec | 9 ++-
 3 files changed, 144 insertions(+), 2 deletions(-)
 create mode 100644 backport-x509-Fix-possible-use-after-free-when-OOM.patch
 create mode 100644 backport-x509-Handle-ossl_policy_level_add_node-errors.patch
diff --git a/backport-x509-Fix-possible-use-after-free-when-OOM.patch b/backport-x509-Fix-possible-use-after-free-when-OOM.patch
new file mode 100644
index 0000000..f6b47c8
--- /dev/null
+++ b/backport-x509-Fix-possible-use-after-free-when-OOM.patch
@@ -0,0 +1,65 @@
+From b1cc84e82d41ab669bf804ea519f5332c48a3d77 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Wed, 24 May 2023 12:22:25 +0200
+Subject: [PATCH] x509: Fix possible use-after-free when OOM
+
+ossl_policy_level_add_node() first adds the new node to the level->nodes
+stack, and then attempts to add extra data if extra_data is true. If
+memory allocation or adding the extra data to tree->extra_data fails,
+the allocated node (that has already been added to the level->nodes
+stack) is freed using ossl_policy_node_free(), which leads to
+a potential use after free.
+
+Additionally, the tree's node count and the parent's child count would
+not be updated, despite the new node being added.
+
+Fix this by either performing the function's purpose completely, or not
+at all by reverting the changes on error.
+
+Signed-off-by: Clemens Lang
+
+Reviewed-by: Dmitry Belyavskiy
+Reviewed-by: Matt Caswell
+Reviewed-by: Bernd Edlinger
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/21066)
+---
+ crypto/x509v3/pcy_node.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
+index d574fb9d66..c6c01cbb39 100644
+--- a/crypto/x509v3/pcy_node.c
++++ b/crypto/x509v3/pcy_node.c
+@@ -100,11 +100,11 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+ tree->extra_data = sk_X509_POLICY_DATA_new_null();
+ if (tree->extra_data == NULL){
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+- goto node_error;
++ goto extra_data_error;
+ }
+ if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
+ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+- goto node_error;
++ goto extra_data_error;
+ }
+ }
+
+@@ -114,6 +114,14 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+
+ return node;
+
++ extra_data_error:
++ if (level != NULL) {
++ if (level->anyPolicy == node)
++ level->anyPolicy = NULL;
++ else
++ (void) sk_X509_POLICY_NODE_pop(level->nodes);
++ }
++
+ node_error:
+ policy_node_free(node);
+ return NULL;
+--
+2.33.0
+
diff --git a/backport-x509-Handle-ossl_policy_level_add_node-errors.patch b/backport-x509-Handle-ossl_policy_level_add_node-errors.patch
new file mode 100644
index 0000000..c594262
--- /dev/null
+++ b/backport-x509-Handle-ossl_policy_level_add_node-errors.patch
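Review bot: The new `extra_data_error` path in `level_add_node` undoes the insertion with `(void) sk_X509_POLICY_NODE_pop(level->nodes)`, which removes whatever entry is currently last on the stack rather than `node` itself, and the cast discards the only evidence of which entry that was. This is correct only while nothing sorts or appends to `level->nodes` between the push earlier in the function and this label, so the invariant deserves a comment at the pop, for example `/* node was the last entry pushed onto level->nodes above; pop removes exactly that entry */`. A debug-time comparison of the popped pointer against `node` would make a later reordering fail loudly instead of freeing a node the level still references. The push site is outside the hunk, so its position is inferred from the commit message rather than read from the diff.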
@@ -0,0 +1,72 @@
+From 3cc6933555a0c66328ec659b5bb86c57b6402e1e Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Wed, 24 May 2023 13:12:54 +0200
+Subject: [PATCH] x509: Handle ossl_policy_level_add_node errors
+
+The invocation of ossl_policy_level_add_node in tree_calculate_user_set
+did not have any error handling. Add it to prevent a memory leak for the
+allocated extra policy data.
+
+Also add error handling to sk_X509_POLICY_NODE_push to ensure that if
+a new node was allocated, but could not be added to the stack, it is
+freed correctly.
+
+Fix error handling if tree->user_policies cannot be allocated by
+returning 0, indicating failure, rather than 1.
+
+Signed-off-by: Clemens Lang
+
+Reviewed-by: Dmitry Belyavskiy
+Reviewed-by: Matt Caswell
+Reviewed-by: Bernd Edlinger
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/21066)
+---
+ crypto/x509v3/pcy_tree.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
+index 6c7fd35405..3c504e82c6 100644
+--- a/crypto/x509v3/pcy_tree.c
++++ b/crypto/x509v3/pcy_tree.c
+@@ -25,6 +25,8 @@
+ # define OPENSSL_POLICY_TREE_NODES_MAX 1000
+ #endif
+
++static void exnode_free(X509_POLICY_NODE *node);
++
+ /*
+ * Enable this to print out the complete policy tree at various point during
+ * evaluation.
+@@ -572,15 +574,24 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+ extra->qualifier_set = anyPolicy->data->qualifier_set;
+ extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+ | POLICY_DATA_FLAG_EXTRA_NODE;
+- node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
++ node = level_add_node(NULL, extra, anyPolicy->parent,
++ tree, 1);
++ if (node == NULL) {
++ policy_data_free(extra);
++ return 0;
++ }
+ }
+ if (!tree->user_policies) {
+ tree->user_policies = sk_X509_POLICY_NODE_new_null();
+- if (!tree->user_policies)
+- return 1;
++ if (!tree->user_policies) {
++ exnode_free(node);
++ return 0;
++ }
+ }
+- if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
++ if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
++ exnode_free(node);
+ return 0;
++ }
+ }
+ return 1;
+ }
+--
+2.33.0
+
diff --git a/openssl.spec b/openssl.spec
index fe4f489..33d0e7f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
 Name: openssl
 Epoch: 1
 Version: 1.1.1m
-Release: 29
+Release: 30
 Summary: Cryptography and SSL/TLS Toolkit
 License: OpenSSL and SSLeay
 URL: https://www.openssl.org/
@@ -72,6 +72,8 @@ Patch61: backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-sa
 Patch62: backport-Add-negative-integer-check-when-using-ASN1_BIT_STRIN.patch
 Patch63: backport-Fix-stack-corruption-in-ui_read.patch
 Patch64: backport-Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorre.patch
+Patch65: backport-x509-Fix-possible-use-after-free-when-OOM.patch
+Patch66: backport-x509-Handle-ossl_policy_level_add_node-errors.patch
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
@@ -275,8 +277,11 @@ make test || :
 %ldconfig_scriptlets libs
 %changelog
+* Tue Nov 28 2023 wangcheng - 1:1.1.1m-30
+- backport some patches
+
 * Mon Nov 20 2023 wangcheng - 1:1.1.1m-29
-* backport some patches
+- backport some patches
 * Tue Nov 14 2023 zhujianwei - 1:1.1.1m-25
 - fix CVE-2023-5678
--
Gitee
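Review bot: In the second pcy_tree.c hunk, both new failure paths in `tree_calculate_user_set` call `exnode_free(node)` after the block that creates the extra node has closed, so `node` may be one that already belongs to the tree, not just one created by the `level_add_node` call above. The calls are safe only if `exnode_free` releases nothing but nodes flagged `POLICY_DATA_FLAG_EXTRA_NODE`. This patch adds only its forward declaration, so that should be confirmed against the 1.1.1m source and recorded at the first call, for example `/* exnode_free() frees only extra nodes created above; nodes found in the tree stay owned by it */`. For an extra node, the first backported patch's description implies a successful `level_add_node` has already updated the tree's node count and the parent's child count, and neither is reverted on these paths. That looks harmless if the caller discards the tree on a 0 return, but it is worth a one-line comment. The function begins and ends outside the hunk.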