ghostscript: fix CVE-2021-45949

Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp). To apply this CVE-2021-45959 patch, the check-stack-limits-after-function-evalution.patch should be applied first. References: https://nvd.nist.gov/vuln/detail/CVE-2021-45949 (From OE-Core rev: 5fb43ed64ae32abe4488f2eb37c1b82f97f83db0) (From OE-Core rev: 9b0199a1d8ec3c7bbfd2022932d524d61f2c6832) Signed-off-by: Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Minjae Kim <flowergom@gmail.com> 2022-02-28 11:38:38 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-03-10 16:39:45 +0000
commit: f8d05252d1f99c49208e07133d8534fab70af37f (patch)
tree: f22934cbfc11aded4c6d6e7db9685ca26e0ebf31
parent: b2bd31b9cc10165719d132073ddaa8e93298f633 (diff)
download: poky-f8d05252d1f99c49208e07133d8534fab70af37f.tar.gz
3 files changed, 118 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
new file mode 100644
index 0000000000..f312f89e04
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
@@ -0,0 +1,65 @@
+From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 28 Jan 2022 08:21:19 +0000
+Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in
+ sampled_data_continue()
+Replace pop() (which does no checking, and doesn't handle stack extension
+blocks) with ref_stack_pop() which does do all that.
+We still use pop() in one case (it's faster), but we have to later use
+ref_stack_pop() before calling sampled_data_sample() which also accesses the
+op stack.
+Fixes:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
+CVE: CVE-2021-45949
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ psi/zfsample.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 0023fa4..f84671f 100644
+--- a/psi/zfsample.c
+++ b/psi/zfsample.c
+@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+             data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
+     }
+     pop(num_out);                  /* Move op to base of result values */
+-
+    /* From here on, we have to use ref_stack_pop() rather than pop()
+       so that it handles stack extension blocks properly, before calling
+       sampled_data_sample() which also uses the op stack.
+    */
+     /* Check if we are done collecting data. */
+ 
+     if (increment_cube_indexes(params, penum->indexes)) {
+         if (stack_depth_adjust == 0)
+-            pop(O_STACK_PAD);      /* Remove spare stack space */
+           ref_stack_pop(&o_stack, O_STACK_PAD);         /* Remove spare stack space */
+         else
+-            pop(stack_depth_adjust - num_out);
+            ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+         /* Execute the closing procedure, if given */
+         code = 0;
+         if (esp_finish_proc != 0)
+@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+             if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+                 stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+                 check_op(stack_depth_adjust);
+-                pop(stack_depth_adjust);
+               ref_stack_pop(&o_stack, stack_depth_adjust);
+             }
+             else {
+                 check_ostack(O_STACK_PAD - stack_depth_adjust);
+-                push(O_STACK_PAD - stack_depth_adjust);
+               ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+                 for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+                     make_null(op - i);
+             }
+-- 
+2.17.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
new file mode 100644
index 0000000000..722bab4ddb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
@@ -0,0 +1,51 @@
+From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 12 Feb 2021 10:34:23 +0000
+Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
+During function result sampling, after the callout to the Postscript
+interpreter, make sure there is enough stack space available before pushing
+or popping entries.
+In thise case, the Postscript procedure for the "function" is totally invalid
+(as a function), and leaves the op stack in an unrecoverable state (as far as
+function evaluation is concerned). We end up popping more entries off the
+stack than are available.
+To cope, add in stack limit checking to throw an appropriate error when this
+happens.
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ psi/zfsample.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 290809405..652ae02c6 100644
+--- a/psi/zfsample.c
+++ b/psi/zfsample.c
+@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+     } else {
+         if (stack_depth_adjust) {
+             stack_depth_adjust -= num_out;
+-            push(O_STACK_PAD - stack_depth_adjust);
+-            for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+-                make_null(op - i);
+            if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+                stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+                check_op(stack_depth_adjust);
+                pop(stack_depth_adjust);
+            }
+            else {
+                check_ostack(O_STACK_PAD - stack_depth_adjust);
+                push(O_STACK_PAD - stack_depth_adjust);
+                for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+                    make_null(op - i);
+            }
+         }
+     }
+--
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
index 216822478f..958a88e968 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
@@ -34,6 +34,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://avoid-host-contamination.patch \
                file://mkdir-p.patch \
                file://0001-Bug-704342-Include-device-specifier-strings-in-acces.patch \
+                file://check-stack-limits-after-function-evalution.patch \
+                file://CVE-2021-45949.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Minjae Kim <flowergom@gmail.com>	2022-02-28 11:38:38 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-03-10 16:39:45 +0000
commit	f8d05252d1f99c49208e07133d8534fab70af37f (patch)
tree	f22934cbfc11aded4c6d6e7db9685ca26e0ebf31
parent	b2bd31b9cc10165719d132073ddaa8e93298f633 (diff)
download	poky-f8d05252d1f99c49208e07133d8534fab70af37f.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch new file mode 100644 index 0000000000..f312f89e04 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
@@ -0,0 +1,65 @@
		1	From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Fri, 28 Jan 2022 08:21:19 +0000
		4	Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in
		5	sampled_data_continue()
		6
		7	Replace pop() (which does no checking, and doesn't handle stack extension
		8	blocks) with ref_stack_pop() which does do all that.
		9
		10	We still use pop() in one case (it's faster), but we have to later use
		11	ref_stack_pop() before calling sampled_data_sample() which also accesses the
		12	op stack.
		13
		14	Fixes:
		15	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
		16
		17	Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
		18	CVE: CVE-2021-45949
		19	Signed-off-by: Minjae Kim <flowergom@gmail.com>
		20	---
		21	psi/zfsample.c \| 13 ++++++++-----
		22	1 file changed, 8 insertions(+), 5 deletions(-)
		23
		24	diff --git a/psi/zfsample.c b/psi/zfsample.c
		25	index 0023fa4..f84671f 100644
		26	--- a/psi/zfsample.c
		27	+++ b/psi/zfsample.c
		28	@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
		29	data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
		30	}
		31	pop(num_out); /* Move op to base of result values */
		32	-
		33	+ /* From here on, we have to use ref_stack_pop() rather than pop()
		34	+ so that it handles stack extension blocks properly, before calling
		35	+ sampled_data_sample() which also uses the op stack.
		36	+ */
		37	/* Check if we are done collecting data. */
		38
		39	if (increment_cube_indexes(params, penum->indexes)) {
		40	if (stack_depth_adjust == 0)
		41	- pop(O_STACK_PAD); /* Remove spare stack space */
		42	+ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
		43	else
		44	- pop(stack_depth_adjust - num_out);
		45	+ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
		46	/* Execute the closing procedure, if given */
		47	code = 0;
		48	if (esp_finish_proc != 0)
		49	@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
		50	if ((O_STACK_PAD - stack_depth_adjust) < 0) {
		51	stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
		52	check_op(stack_depth_adjust);
		53	- pop(stack_depth_adjust);
		54	+ ref_stack_pop(&o_stack, stack_depth_adjust);
		55	}
		56	else {
		57	check_ostack(O_STACK_PAD - stack_depth_adjust);
		58	- push(O_STACK_PAD - stack_depth_adjust);
		59	+ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
		60	for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
		61	make_null(op - i);
		62	}
		63	--
		64	2.17.1
		65


diff --git a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch new file mode 100644 index 0000000000..722bab4ddb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
@@ -0,0 +1,51 @@
		1	From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Fri, 12 Feb 2021 10:34:23 +0000
		4	Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
		5
		6	During function result sampling, after the callout to the Postscript
		7	interpreter, make sure there is enough stack space available before pushing
		8	or popping entries.
		9
		10	In thise case, the Postscript procedure for the "function" is totally invalid
		11	(as a function), and leaves the op stack in an unrecoverable state (as far as
		12	function evaluation is concerned). We end up popping more entries off the
		13	stack than are available.
		14
		15	To cope, add in stack limit checking to throw an appropriate error when this
		16	happens.
		17
		18	Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]
		19	Signed-off-by: Minjae Kim <flowergom@gmail.com>
		20	---
		21	psi/zfsample.c \| 14 +++++++++++---
		22	1 file changed, 11 insertions(+), 3 deletions(-)
		23
		24	diff --git a/psi/zfsample.c b/psi/zfsample.c
		25	index 290809405..652ae02c6 100644
		26	--- a/psi/zfsample.c
		27	+++ b/psi/zfsample.c
		28	@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
		29	} else {
		30	if (stack_depth_adjust) {
		31	stack_depth_adjust -= num_out;
		32	- push(O_STACK_PAD - stack_depth_adjust);
		33	- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
		34	- make_null(op - i);
		35	+ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
		36	+ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
		37	+ check_op(stack_depth_adjust);
		38	+ pop(stack_depth_adjust);
		39	+ }
		40	+ else {
		41	+ check_ostack(O_STACK_PAD - stack_depth_adjust);
		42	+ push(O_STACK_PAD - stack_depth_adjust);
		43	+ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
		44	+ make_null(op - i);
		45	+ }
		46	}
		47	}
		48
		49	--
		50	2.25.1
		51


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb index 216822478f..958a88e968 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
@@ -34,6 +34,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
34	file://avoid-host-contamination.patch \	34	file://avoid-host-contamination.patch \
35	file://mkdir-p.patch \	35	file://mkdir-p.patch \
36	file://0001-Bug-704342-Include-device-specifier-strings-in-acces.patch \	36	file://0001-Bug-704342-Include-device-specifier-strings-in-acces.patch \
		37	file://check-stack-limits-after-function-evalution.patch \
		38	file://CVE-2021-45949.patch \
37	"	39	"
38		40
39	SRC_URI = "${SRC_URI_BASE} \	41	SRC_URI = "${SRC_URI_BASE} \