busybox: Fix lzma segfaults

- fix multiple lzma segmentation faults - patch includes multiple fixing commits - test-cases have been removed due to binary data (From OE-Core rev: e865e5056235a9b4e3911d4c734a3ffa71bb9e62) (From OE-Core rev: 5e1a402e8cf5e87ea200a04c4218cbd7b8d608d7) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2018-05-31 10:23:26 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-07-02 11:41:25 +0100
commit: 92c5eeaff9a36789d4c48507b0771b9f2829285f (patch)
tree: 6f8a53c0eee40e65af32e985d59ed20408c03a2d
parent: 3dfc5e4d30751bf18a0f049210facaa489931ff7 (diff)
download: poky-92c5eeaff9a36789d4c48507b0771b9f2829285f.tar.gz
2 files changed, 107 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
new file mode 100644
index 0000000000..da6dfa8023
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
@@ -0,0 +1,106 @@
+busybox-1.27.2: Fix lzma segfaults
+[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
+libarchive: check buffer index in lzma_decompress
+With specific defconfig busybox fails to check zip fileheader magic
+(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
+for decompression which leads to segmentation fault. It prevents accessing into
+buffer, which is smaller than pos index. Patch includes multiple segmentation
+fault fixes.
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b]
+bug: 10436 10871
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index a904087..29eee2a 100644
+--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
+@@ -11,6 +11,14 @@
+ #include "libbb.h"
+ #include "bb_archive.h"
+ 
+
+#if 0
+# define dbg(...) bb_error_msg(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
+
+ #if ENABLE_FEATURE_LZMA_FAST
+ #  define speed_inline ALWAYS_INLINE
+ #  define size_inline
+@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
+        rc_t *rc;
+        int i;
+        uint8_t *buffer;
+       uint32_t buffer_size;
+        uint8_t previous_byte = 0;
+        size_t buffer_pos = 0, global_pos = 0;
+        int len = 0;
+@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
+        if (header.dict_size == 0)
+                header.dict_size++;
+ 
+-       buffer = xmalloc(MIN(header.dst_size, header.dict_size));
+       buffer_size = MIN(header.dst_size, header.dict_size);
+       buffer = xmalloc(buffer_size);
+ 
+        {
+                int num_probs;
+@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+                                                state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
+ 
+                                                pos = buffer_pos - rep0;
+-                                               if ((int32_t)pos < 0)
+                                               if ((int32_t)pos < 0) {
+                                                        pos += header.dict_size;
+                                                       /* see unzip_bad_lzma_2.zip: */
+                                                       if (pos >= buffer_size)
+                                                               goto bad;
+                                               }
+                                                previous_byte = buffer[pos];
+                                                goto one_byte1;
+ #else
+@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+                                                for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
+                                                        rep0 = (rep0 << 1) | rc_direct_bit(rc);
+                                                rep0 <<= LZMA_NUM_ALIGN_BITS;
+                                               if ((int32_t)rep0 < 0) {
+                                                       dbg("%d rep0:%d", __LINE__, rep0);
+                                                       goto bad;
+                                               }
+                                                prob3 = p + LZMA_ALIGN;
+                                        }
+                                        i2 = 1;
+@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+  IF_NOT_FEATURE_LZMA_FAST(string:)
+                        do {
+                                uint32_t pos = buffer_pos - rep0;
+-                               if ((int32_t)pos < 0)
+                               if ((int32_t)pos < 0) {
+                                        pos += header.dict_size;
+                                       /* more stringent test (see unzip_bad_lzma_1.zip): */
+                                       if (pos >= buffer_size)
+                                               goto bad;
+                               }
+                                previous_byte = buffer[pos];
+  IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
+                                buffer[buffer_pos++] = previous_byte;
+@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+                IF_DESKTOP(total_written += buffer_pos;)
+                if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
+  bad:
+                       /* One of our users, bbunpack(), expects _us_ to emit
+                        * the error message (since it's the best place to give
+                        * potentially more detailed information).
+                        * Do not fail silently.
+                        */
+                       bb_error_msg("corrupted data");
+                        total_written = -1; /* failure */
+                }
+                rc_free(rc);
+ 
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 36a6342aaf..92678701fc 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://CVE-2011-5325.patch \
           file://CVE-2017-15873.patch \
           file://busybox-CVE-2017-16544.patch \
+           file://busybox-fix-lzma-segfaults.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
author	Andrej Valek <andrej.valek@siemens.com>	2018-05-31 10:23:26 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-07-02 11:41:25 +0100
commit	92c5eeaff9a36789d4c48507b0771b9f2829285f (patch)
tree	6f8a53c0eee40e65af32e985d59ed20408c03a2d
parent	3dfc5e4d30751bf18a0f049210facaa489931ff7 (diff)
download	poky-92c5eeaff9a36789d4c48507b0771b9f2829285f.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch new file mode 100644 index 0000000000..da6dfa8023 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
@@ -0,0 +1,106 @@
		1	busybox-1.27.2: Fix lzma segfaults
		2
		3	[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
		4
		5	libarchive: check buffer index in lzma_decompress
		6
		7	With specific defconfig busybox fails to check zip fileheader magic
		8	(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
		9	for decompression which leads to segmentation fault. It prevents accessing into
		10	buffer, which is smaller than pos index. Patch includes multiple segmentation
		11	fault fixes.
		12
		13	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b]
		14	bug: 10436 10871
		15	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		16
		17	diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
		18	index a904087..29eee2a 100644
		19	--- a/archival/libarchive/decompress_unlzma.c
		20	+++ b/archival/libarchive/decompress_unlzma.c
		21	@@ -11,6 +11,14 @@
		22	#include "libbb.h"
		23	#include "bb_archive.h"
		24
		25	+
		26	+#if 0
		27	+# define dbg(...) bb_error_msg(__VA_ARGS__)
		28	+#else
		29	+# define dbg(...) ((void)0)
		30	+#endif
		31	+
		32	+
		33	#if ENABLE_FEATURE_LZMA_FAST
		34	# define speed_inline ALWAYS_INLINE
		35	# define size_inline
		36	@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
		37	rc_t *rc;
		38	int i;
		39	uint8_t *buffer;
		40	+ uint32_t buffer_size;
		41	uint8_t previous_byte = 0;
		42	size_t buffer_pos = 0, global_pos = 0;
		43	int len = 0;
		44	@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
		45	if (header.dict_size == 0)
		46	header.dict_size++;
		47
		48	- buffer = xmalloc(MIN(header.dst_size, header.dict_size));
		49	+ buffer_size = MIN(header.dst_size, header.dict_size);
		50	+ buffer = xmalloc(buffer_size);
		51
		52	{
		53	int num_probs;
		54	@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
		55	state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
		56
		57	pos = buffer_pos - rep0;
		58	- if ((int32_t)pos < 0)
		59	+ if ((int32_t)pos < 0) {
		60	pos += header.dict_size;
		61	+ /* see unzip_bad_lzma_2.zip: */
		62	+ if (pos >= buffer_size)
		63	+ goto bad;
		64	+ }
		65	previous_byte = buffer[pos];
		66	goto one_byte1;
		67	#else
		68	@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
		69	for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
		70	rep0 = (rep0 << 1) \| rc_direct_bit(rc);
		71	rep0 <<= LZMA_NUM_ALIGN_BITS;
		72	+ if ((int32_t)rep0 < 0) {
		73	+ dbg("%d rep0:%d", __LINE__, rep0);
		74	+ goto bad;
		75	+ }
		76	prob3 = p + LZMA_ALIGN;
		77	}
		78	i2 = 1;
		79	@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
		80	IF_NOT_FEATURE_LZMA_FAST(string:)
		81	do {
		82	uint32_t pos = buffer_pos - rep0;
		83	- if ((int32_t)pos < 0)
		84	+ if ((int32_t)pos < 0) {
		85	pos += header.dict_size;
		86	+ /* more stringent test (see unzip_bad_lzma_1.zip): */
		87	+ if (pos >= buffer_size)
		88	+ goto bad;
		89	+ }
		90	previous_byte = buffer[pos];
		91	IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
		92	buffer[buffer_pos++] = previous_byte;
		93	@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
		94	IF_DESKTOP(total_written += buffer_pos;)
		95	if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
		96	bad:
		97	+ /* One of our users, bbunpack(), expects _us_ to emit
		98	+ * the error message (since it's the best place to give
		99	+ * potentially more detailed information).
		100	+ * Do not fail silently.
		101	+ */
		102	+ bb_error_msg("corrupted data");
		103	total_written = -1; /* failure */
		104	}
		105	rc_free(rc);
		106


diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb index 36a6342aaf..92678701fc 100644 --- a/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
45	file://CVE-2011-5325.patch \	45	file://CVE-2011-5325.patch \
46	file://CVE-2017-15873.patch \	46	file://CVE-2017-15873.patch \
47	file://busybox-CVE-2017-16544.patch \	47	file://busybox-CVE-2017-16544.patch \
		48	file://busybox-fix-lzma-segfaults.patch \
48	"	49	"
49	SRC_URI_append_libc-musl = " file://musl.cfg "	50	SRC_URI_append_libc-musl = " file://musl.cfg "
50		51