Re: [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Wed, Feb 05, 2025 at 09:21:39AM +0100, Daniel Stenberg wrote:
> eventfd double close
> ====================
>
> Project curl Security Advisory, February 5th 2025 -
> [Permalink](https://curl.se/docs/CVE-2025-0665.html)
>
> VULNERABILITY
> -------------
>
> libcurl would wrongly close the same eventfd file descriptor twice when taking
> down a connection channel after having completed a threaded name resolve.
>
> INFO
> ----
>
> This flaw requires libcurl to get built with the threaded resolver
>
> It requires that *eventfd* is used in the curl build. This feature is only
> used on 64-bit architectures.
>
> The eventfd socket is used for inter-thread messaging and since the
> communication was originally written to use `socketpair()` only, there was two
> `close()` calls done and the superfluous one was left accidentally used
> because of an `#ifdef` mistake.
>
> This bug was reported (and fixed) immediately after the 8.11.1 release, but
> the security impact was not considered until later. This bug causes libcurl to
> act unreliably which many users will have noticed and either avoided eventfd
> or the vulnerable version, thus somewhat reducing the impact of this problem.
>
> It can also be worth noting that both `close()` calls are typically called
> within a few dozens of instructions, severely limiting the ability for an
> external party to control which other file descriptor this can be made to
> affect.
>
> This bug is **not** considered a *C mistake*. It is not likely to have been
> avoided had we not been using C.

I think this is actually a C mistake.  In most higher-level languages,
it is idiomatic to use higher-level APIs that prevent closing the same
file descriptor multiple times, and Rust enforces this in the type
system.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: