libpcre2: Fix CVE-2017-8786

The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression. (From OE-Core rev: dd63a26fedb8a578d34850ede4c27e26b8876e7e) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Robert Yang <liezhi.yang@windriver.com> 2017-08-29 17:48:56 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-08-31 17:41:41 +0100
commit: 45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96 (patch)
tree: c7125eac3a1b7ff7bf9fff8ff0c740793d76f6e3
parent: d01694e7336e472aefecf778c1d08e4341a8aa3b (diff)
download: poky-45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96.tar.gz
2 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
new file mode 100644
index 0000000000..eafafc1f69
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
@@ -0,0 +1,93 @@
+libpcre2-10.23: Fix CVE-2017-8786
+The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
+service (heap-based buffer overflow) or possibly have unspecified other impact
+via a crafted regular expression.
+Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch]
+CVE: CVE-2017-8786
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+--- trunk/src/pcre2test.c  2017/03/21 16:18:54 692
+++ trunk/src/pcre2test.c  2017/03/21 18:36:13 697
+@@ -1017,9 +1017,9 @@
+   if (test_mode == PCRE8_MODE) \
+     r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
+   else if (test_mode == PCRE16_MODE) \
+-    r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
+    r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
+   else \
+-    r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
+    r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
+ 
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) \
+   if (test_mode == PCRE8_MODE) \
+@@ -1399,6 +1399,9 @@
+ 
+ /* ----- Common macros for two-mode cases ----- */
+ 
+#define BYTEONE (BITONE/8)
+#define BYTETWO (BITTWO/8)
+
+ #define CASTFLD(t,a,b) \
+   ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
+     (t)(G(a,BITTWO)->b))
+@@ -1481,9 +1484,9 @@
+ 
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+   if (test_mode == G(G(PCRE,BITONE),_MODE)) \
+-    r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
+    r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \
+   else \
+-    r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
+    r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
+ 
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) \
+   if (test_mode == G(G(PCRE,BITONE),_MODE)) \
+@@ -1904,7 +1907,7 @@
+ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
+   a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+-  r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
+  r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
+ #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
+ #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
+@@ -2000,7 +2003,7 @@
+ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
+   a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
+ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
+-  r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
+  r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
+ #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
+ #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
+ #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
+@@ -2889,7 +2892,7 @@
+   {
+   if (pbuffer32 != NULL) free(pbuffer32);
+   pbuffer32_size = 4*len + 4;
+-  if (pbuffer32_size < 256) pbuffer32_size = 256;
+  if (pbuffer32_size < 512) pbuffer32_size = 512;
+   pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
+   if (pbuffer32 == NULL)
+     {
+@@ -7600,7 +7603,8 @@
+   int errcode;
+   char *endptr;
+ 
+-/* Ensure the relevant non-8-bit buffer is available. */
+/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at 
+least 128 code units, because it is used for retrieving error messages. */
+ 
+ #ifdef SUPPORT_PCRE2_16
+   if (test_mode == PCRE16_MODE)
+@@ -7620,7 +7624,7 @@
+ #ifdef SUPPORT_PCRE2_32
+   if (test_mode == PCRE32_MODE)
+     {
+-    pbuffer32_size = 256;
+    pbuffer32_size = 512;
+     pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
+     if (pbuffer32 == NULL)
+       {
diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb
index 794d973d71..63f8d51c9e 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.23.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b"
 SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
           file://pcre-cross.patch \
+           file://libpcre2-CVE-2017-8786.patch \
 "
 SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"
author	Robert Yang <liezhi.yang@windriver.com>	2017-08-29 17:48:56 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-08-31 17:41:41 +0100
commit	45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96 (patch)
tree	c7125eac3a1b7ff7bf9fff8ff0c740793d76f6e3
parent	d01694e7336e472aefecf778c1d08e4341a8aa3b (diff)
download	poky-45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96.tar.gz

diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch new file mode 100644 index 0000000000..eafafc1f69 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
@@ -0,0 +1,93 @@
		1	libpcre2-10.23: Fix CVE-2017-8786
		2
		3	The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
		4	service (heap-based buffer overflow) or possibly have unspecified other impact
		5	via a crafted regular expression.
		6
		7	Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch]
		8	CVE: CVE-2017-8786
		9
		10	Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
		11
		12	--- trunk/src/pcre2test.c 2017/03/21 16:18:54 692
		13	+++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697
		14	@@ -1017,9 +1017,9 @@
		15	if (test_mode == PCRE8_MODE) \
		16	r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
		17	else if (test_mode == PCRE16_MODE) \
		18	- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
		19	+ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
		20	else \
		21	- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
		22	+ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
		23
		24	#define PCRE2_GET_OVECTOR_COUNT(a,b) \
		25	if (test_mode == PCRE8_MODE) \
		26	@@ -1399,6 +1399,9 @@
		27
		28	/* ----- Common macros for two-mode cases ----- */
		29
		30	+#define BYTEONE (BITONE/8)
		31	+#define BYTETWO (BITTWO/8)
		32	+
		33	#define CASTFLD(t,a,b) \
		34	((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
		35	(t)(G(a,BITTWO)->b))
		36	@@ -1481,9 +1484,9 @@
		37
		38	#define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
		39	if (test_mode == G(G(PCRE,BITONE),_MODE)) \
		40	- r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
		41	+ r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \
		42	else \
		43	- r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
		44	+ r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
		45
		46	#define PCRE2_GET_OVECTOR_COUNT(a,b) \
		47	if (test_mode == G(G(PCRE,BITONE),_MODE)) \
		48	@@ -1904,7 +1907,7 @@
		49	#define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
		50	a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
		51	#define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
		52	- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
		53	+ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
		54	#define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
		55	#define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
		56	#define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
		57	@@ -2000,7 +2003,7 @@
		58	#define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
		59	a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
		60	#define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
		61	- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
		62	+ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
		63	#define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
		64	#define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
		65	#define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
		66	@@ -2889,7 +2892,7 @@
		67	{
		68	if (pbuffer32 != NULL) free(pbuffer32);
		69	pbuffer32_size = 4*len + 4;
		70	- if (pbuffer32_size < 256) pbuffer32_size = 256;
		71	+ if (pbuffer32_size < 512) pbuffer32_size = 512;
		72	pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
		73	if (pbuffer32 == NULL)
		74	{
		75	@@ -7600,7 +7603,8 @@
		76	int errcode;
		77	char *endptr;
		78
		79	-/* Ensure the relevant non-8-bit buffer is available. */
		80	+/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at
		81	+least 128 code units, because it is used for retrieving error messages. */
		82
		83	#ifdef SUPPORT_PCRE2_16
		84	if (test_mode == PCRE16_MODE)
		85	@@ -7620,7 +7624,7 @@
		86	#ifdef SUPPORT_PCRE2_32
		87	if (test_mode == PCRE32_MODE)
		88	{
		89	- pbuffer32_size = 256;
		90	+ pbuffer32_size = 512;
		91	pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
		92	if (pbuffer32 == NULL)
		93	{


diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb index 794d973d71..63f8d51c9e 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.23.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b"
12		12
13	SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \	13	SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
14	file://pcre-cross.patch \	14	file://pcre-cross.patch \
		15	file://libpcre2-CVE-2017-8786.patch \
15	"	16	"
16		17
17	SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"	18	SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"