sqlite3: Security fixes for CVE-2018-20505 & 20506

Source: sqlite.org MR: 97484, 97490 Type: Security Fix Disposition: Backport from sqilte.org ChangeID: c6105b5d3ce4fb2c0f38c3cab745b769d2df38f5 Description: Affects < 3.26.0 fixes: CVE-2018-20505 CVE-2018-20506 (From OE-Core rev: e2f9efdc93068bce00b07021aa447f0b8786f69d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-05-30 14:10:11 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: 015bfc5971120e3483572cb4eaf0cb7c15b64349 (patch)
tree: d629cfbbf4154e10d56346b0543ecc9fa4841ab4
parent: 14d23c29a2d6a9944233983d64109037077db49e (diff)
download: poky-015bfc5971120e3483572cb4eaf0cb7c15b64349.tar.gz
3 files changed, 136 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/files/CVE-2018-20505.patch b/meta/recipes-support/sqlite/files/CVE-2018-20505.patch
new file mode 100644
index 0000000000..d1119f3b31
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2018-20505.patch
@@ -0,0 +1,31 @@
+From: D. Richard Hipp <drh@hwaci.com>
+Date: Sat, 3 Nov 2018 13:11:24 +0000 (+0000)
+Subject: Fix a assert() in the query planner that can arise when doing row-value
+X-Git-Tag: version-3.26.0~59
+X-Git-Url: https://repo.or.cz/sqlite.git/commitdiff_plain/24298027a30cf7941f16a8cc878d0c1f9f14308f
+Fix a assert() in the query planner that can arise when doing row-value
+operations on a PRIMARY KEY that contains duplicate columns.
+Ticket [1a84668dcfdebaf12415d].
+https://sqlite.org/src/info/1a84668dcfdebaf12415d
+upstream-Status: Backport
+CVE: CVE-2018-20505
+affects <= 3.26.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: sqlite-autoconf-3230100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3230100.orig/sqlite3.c
+++ sqlite-autoconf-3230100/sqlite3.c
+@@ -131231,7 +131231,7 @@ static Expr *removeUnindexableInClauseTe
+     for(i=iEq; i<pLoop->nLTerm; i++){
+       if( pLoop->aLTerm[i]->pExpr==pX ){
+         int iField = pLoop->aLTerm[i]->iField - 1;
+-        assert( pOrigRhs->a[iField].pExpr!=0 );
+        if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */
+         pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr);
+         pOrigRhs->a[iField].pExpr = 0;
+         assert( pOrigLhs->a[iField].pExpr!=0 );
diff --git a/meta/recipes-support/sqlite/files/CVE-2018-20506.patch b/meta/recipes-support/sqlite/files/CVE-2018-20506.patch
new file mode 100644
index 0000000000..7919f9b5ee
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2018-20506.patch
@@ -0,0 +1,103 @@
+From: Dan Kennedy <danielk1977@gmail.com>
+Date: Sat, 3 Nov 2018 16:51:30 +0000 (+0000)
+Subject: Add extra defenses against strategically corrupt databases to fts3/4.
+X-Git-Tag: version-3.26.0~58
+X-Git-Url: https://repo.or.cz/sqlite.git/commitdiff_plain/19816852d4e82e115338b1997540c26a1b794d18
+Add extra defenses against strategically corrupt databases to fts3/4.
+https://sqlite.org/src/info/940f2adc8541a838
+Upstream-Status: Backport
+CVE: CVE-2018-20506
+Affects <= 3.26.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: sqlite-autoconf-3230100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3230100.orig/sqlite3.c
+++ sqlite-autoconf-3230100/sqlite3.c
+@@ -152368,7 +152368,7 @@ static int fts3ScanInteriorNode(
+   const char *zCsr = zNode;       /* Cursor to iterate through node */
+   const char *zEnd = &zCsr[nNode];/* End of interior node buffer */
+   char *zBuffer = 0;              /* Buffer to load terms into */
+-  int nAlloc = 0;                 /* Size of allocated buffer */
+  i64 nAlloc = 0;                 /* Size of allocated buffer */
+   int isFirstTerm = 1;            /* True when processing first term on page */
+   sqlite3_int64 iChild;           /* Block id of child node to descend to */
+ 
+@@ -152406,14 +152406,14 @@ static int fts3ScanInteriorNode(
+     zCsr += fts3GetVarint32(zCsr, &nSuffix);
+     
+     assert( nPrefix>=0 && nSuffix>=0 );
+-    if( &zCsr[nSuffix]>zEnd ){
+    if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
+       rc = FTS_CORRUPT_VTAB;
+       goto finish_scan;
+     }
+-    if( nPrefix+nSuffix>nAlloc ){
+    if( (i64)nPrefix+nSuffix>nAlloc ){
+       char *zNew;
+-      nAlloc = (nPrefix+nSuffix) * 2;
+-      zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
+      nAlloc = ((i64)nPrefix+nSuffix) * 2;
+      zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
+       if( !zNew ){
+         rc = SQLITE_NOMEM;
+         goto finish_scan;
+@@ -162012,15 +162012,19 @@ static int fts3SegReaderNext(
+   ** safe (no risk of overread) even if the node data is corrupted. */
+   pNext += fts3GetVarint32(pNext, &nPrefix);
+   pNext += fts3GetVarint32(pNext, &nSuffix);
+-  if( nPrefix<0 || nSuffix<=0 
+-   || &pNext[nSuffix]>&pReader->aNode[pReader->nNode] 
+  if( nSuffix<=0 
+   || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
+   || nPrefix>pReader->nTermAlloc
+   ){
+     return FTS_CORRUPT_VTAB;
+   }
+ 
+-  if( nPrefix+nSuffix>pReader->nTermAlloc ){
+-    int nNew = (nPrefix+nSuffix)*2;
+-    char *zNew = sqlite3_realloc(pReader->zTerm, nNew);
+  /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
+  ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
+  ** overflow - hence the (i64) casts.  */
+  if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
+    i64 nNew = ((i64)nPrefix+nSuffix)*2;
+    char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
+     if( !zNew ){
+       return SQLITE_NOMEM;
+     }
+@@ -162042,7 +162046,7 @@ static int fts3SegReaderNext(
+   ** b-tree node. And that the final byte of the doclist is 0x00. If either 
+   ** of these statements is untrue, then the data structure is corrupt.
+   */
+-  if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode] 
+  if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
+    || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
+   ){
+     return FTS_CORRUPT_VTAB;
+@@ -164367,7 +164371,9 @@ static int nodeReaderNext(NodeReader *p)
+       p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nPrefix);
+     }
+     p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
+-
+    if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
+      return SQLITE_CORRUPT_VTAB;
+    }
+     blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc);
+     if( rc==SQLITE_OK ){
+       memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
+@@ -164375,6 +164381,9 @@ static int nodeReaderNext(NodeReader *p)
+       p->iOff += nSuffix;
+       if( p->iChild==0 ){
+         p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
+        if( (p->nNode-p->iOff)<p->nDoclist ){
+          return SQLITE_CORRUPT_VTAB;
+        }
+         p->aDoclist = &p->aNode[p->iOff];
+         p->iOff += p->nDoclist;
+       }
diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
index 3755761d76..d214ea1528 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 SRC_URI = "\
  http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+  file://CVE-2018-20505.patch \
+  file://CVE-2018-20506.patch \
  "
 SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
 SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"
author	Armin Kuster <akuster@mvista.com>	2019-05-30 14:10:11 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	015bfc5971120e3483572cb4eaf0cb7c15b64349 (patch)
tree	d629cfbbf4154e10d56346b0543ecc9fa4841ab4
parent	14d23c29a2d6a9944233983d64109037077db49e (diff)
download	poky-015bfc5971120e3483572cb4eaf0cb7c15b64349.tar.gz

diff --git a/meta/recipes-support/sqlite/files/CVE-2018-20505.patch b/meta/recipes-support/sqlite/files/CVE-2018-20505.patch new file mode 100644 index 0000000000..d1119f3b31 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2018-20505.patch
@@ -0,0 +1,31 @@
		1	From: D. Richard Hipp <drh@hwaci.com>
		2	Date: Sat, 3 Nov 2018 13:11:24 +0000 (+0000)
		3	Subject: Fix a assert() in the query planner that can arise when doing row-value
		4	X-Git-Tag: version-3.26.0~59
		5	X-Git-Url: https://repo.or.cz/sqlite.git/commitdiff_plain/24298027a30cf7941f16a8cc878d0c1f9f14308f
		6
		7	Fix a assert() in the query planner that can arise when doing row-value
		8	operations on a PRIMARY KEY that contains duplicate columns.
		9	Ticket [1a84668dcfdebaf12415d].
		10
		11	https://sqlite.org/src/info/1a84668dcfdebaf12415d
		12
		13	upstream-Status: Backport
		14	CVE: CVE-2018-20505
		15	affects <= 3.26.0
		16
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	Index: sqlite-autoconf-3230100/sqlite3.c
		20	===================================================================
		21	--- sqlite-autoconf-3230100.orig/sqlite3.c
		22	+++ sqlite-autoconf-3230100/sqlite3.c
		23	@@ -131231,7 +131231,7 @@ static Expr *removeUnindexableInClauseTe
		24	for(i=iEq; i<pLoop->nLTerm; i++){
		25	if( pLoop->aLTerm[i]->pExpr==pX ){
		26	int iField = pLoop->aLTerm[i]->iField - 1;
		27	- assert( pOrigRhs->a[iField].pExpr!=0 );
		28	+ if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */
		29	pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr);
		30	pOrigRhs->a[iField].pExpr = 0;
		31	assert( pOrigLhs->a[iField].pExpr!=0 );


diff --git a/meta/recipes-support/sqlite/files/CVE-2018-20506.patch b/meta/recipes-support/sqlite/files/CVE-2018-20506.patch new file mode 100644 index 0000000000..7919f9b5ee --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2018-20506.patch
@@ -0,0 +1,103 @@
		1	From: Dan Kennedy <danielk1977@gmail.com>
		2	Date: Sat, 3 Nov 2018 16:51:30 +0000 (+0000)
		3	Subject: Add extra defenses against strategically corrupt databases to fts3/4.
		4	X-Git-Tag: version-3.26.0~58
		5	X-Git-Url: https://repo.or.cz/sqlite.git/commitdiff_plain/19816852d4e82e115338b1997540c26a1b794d18
		6
		7	Add extra defenses against strategically corrupt databases to fts3/4.
		8
		9	https://sqlite.org/src/info/940f2adc8541a838
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2018-20506
		13	Affects <= 3.26.0
		14
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	Index: sqlite-autoconf-3230100/sqlite3.c
		18	===================================================================
		19	--- sqlite-autoconf-3230100.orig/sqlite3.c
		20	+++ sqlite-autoconf-3230100/sqlite3.c
		21	@@ -152368,7 +152368,7 @@ static int fts3ScanInteriorNode(
		22	const char zCsr = zNode; / Cursor to iterate through node */
		23	const char zEnd = &zCsr[nNode];/ End of interior node buffer */
		24	char zBuffer = 0; / Buffer to load terms into */
		25	- int nAlloc = 0; /* Size of allocated buffer */
		26	+ i64 nAlloc = 0; /* Size of allocated buffer */
		27	int isFirstTerm = 1; /* True when processing first term on page */
		28	sqlite3_int64 iChild; /* Block id of child node to descend to */
		29
		30	@@ -152406,14 +152406,14 @@ static int fts3ScanInteriorNode(
		31	zCsr += fts3GetVarint32(zCsr, &nSuffix);
		32
		33	assert( nPrefix>=0 && nSuffix>=0 );
		34	- if( &zCsr[nSuffix]>zEnd ){
		35	+ if( nPrefix>zCsr-zNode \|\| nSuffix>zEnd-zCsr ){
		36	rc = FTS_CORRUPT_VTAB;
		37	goto finish_scan;
		38	}
		39	- if( nPrefix+nSuffix>nAlloc ){
		40	+ if( (i64)nPrefix+nSuffix>nAlloc ){
		41	char *zNew;
		42	- nAlloc = (nPrefix+nSuffix) * 2;
		43	- zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
		44	+ nAlloc = ((i64)nPrefix+nSuffix) * 2;
		45	+ zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
		46	if( !zNew ){
		47	rc = SQLITE_NOMEM;
		48	goto finish_scan;
		49	@@ -162012,15 +162012,19 @@ static int fts3SegReaderNext(
		50	** safe (no risk of overread) even if the node data is corrupted. */
		51	pNext += fts3GetVarint32(pNext, &nPrefix);
		52	pNext += fts3GetVarint32(pNext, &nSuffix);
		53	- if( nPrefix<0 \|\| nSuffix<=0
		54	- \|\| &pNext[nSuffix]>&pReader->aNode[pReader->nNode]
		55	+ if( nSuffix<=0
		56	+ \|\| (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
		57	+ \|\| nPrefix>pReader->nTermAlloc
		58	){
		59	return FTS_CORRUPT_VTAB;
		60	}
		61
		62	- if( nPrefix+nSuffix>pReader->nTermAlloc ){
		63	- int nNew = (nPrefix+nSuffix)*2;
		64	- char *zNew = sqlite3_realloc(pReader->zTerm, nNew);
		65	+ /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
		66	+ ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
		67	+ ** overflow - hence the (i64) casts. */
		68	+ if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
		69	+ i64 nNew = ((i64)nPrefix+nSuffix)*2;
		70	+ char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
		71	if( !zNew ){
		72	return SQLITE_NOMEM;
		73	}
		74	@@ -162042,7 +162046,7 @@ static int fts3SegReaderNext(
		75	** b-tree node. And that the final byte of the doclist is 0x00. If either
		76	** of these statements is untrue, then the data structure is corrupt.
		77	*/
		78	- if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode]
		79	+ if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
		80	\|\| (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
		81	){
		82	return FTS_CORRUPT_VTAB;
		83	@@ -164367,7 +164371,9 @@ static int nodeReaderNext(NodeReader *p)
		84	p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nPrefix);
		85	}
		86	p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
		87	-
		88	+ if( nPrefix>p->iOff \|\| nSuffix>p->nNode-p->iOff ){
		89	+ return SQLITE_CORRUPT_VTAB;
		90	+ }
		91	blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc);
		92	if( rc==SQLITE_OK ){
		93	memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
		94	@@ -164375,6 +164381,9 @@ static int nodeReaderNext(NodeReader *p)
		95	p->iOff += nSuffix;
		96	if( p->iChild==0 ){
		97	p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
		98	+ if( (p->nNode-p->iOff)<p->nDoclist ){
		99	+ return SQLITE_CORRUPT_VTAB;
		100	+ }
		101	p->aDoclist = &p->aNode[p->iOff];
		102	p->iOff += p->nDoclist;
		103	}


diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb index 3755761d76..d214ea1528 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
5		5
6	SRC_URI = "\	6	SRC_URI = "\
7	http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \	7	http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
		8	file://CVE-2018-20505.patch \
		9	file://CVE-2018-20506.patch \
8	"	10	"
9	SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"	11	SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
10	SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"	12	SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"