glibc: CVE-2019-25013

* CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2019-25013 * upstream tracking: https://sourceware.org/bugzilla/show_bug.cgi?id=24973 * patch from upstream: https://sourceware.org/git/?p=glibc.git;a=patch; h=ee7a3144c9922808181009b7b3e50e852fb4999b (From OE-Core rev: b067f78a116b9c6cd75bdffe568a1f801f7ed9a2) Signed-off-by: Scott Murray <scott.murray@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 53d149df4d8832e34ace2470c31ddc688176faf7) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Scott Murray <scott.murray@konsulko.com> 2021-01-09 22:11:30 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-01-18 23:51:07 +0000
commit: c804eb79c134c2d175be087e090c81e5013c6488 (patch)
tree: 48be9d8278c3578bcb6c37e76eb9bcc0910e1503 /meta/recipes-core
parent: 9b5e60d77a23ef89977bd382961083ee55248eca (diff)
download: poky-c804eb79c134c2d175be087e090c81e5013c6488.tar.gz
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
new file mode 100644
index 0000000000..987e959db2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
@@ -0,0 +1,137 @@
+From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 21 Dec 2020 08:56:43 +0530
+Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
+The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
+area and is not allowed.  The from_euc_kr function used to skip two bytes
+when told to skip over the unknown designation, potentially running over
+the buffer end.
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
+CVE: CVE-2019-25013
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ iconvdata/Makefile      |  3 ++-
+ iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
+ iconvdata/euc-kr.c      |  6 +----
+ iconvdata/ksc5601.h     |  6 ++---
+ 4 files changed, 59 insertions(+), 9 deletions(-)
+ create mode 100644 iconvdata/bug-iconv13.c
+diff --git a/iconvdata/Makefile b/iconvdata/Makefile
+index 4ec2741cdc..85009f3390 100644
+--- a/iconvdata/Makefile
+++ b/iconvdata/Makefile
+@@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules))
+ ifeq (yes,$(build-shared))
+ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
+        tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
+-       bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4
+       bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
+       bug-iconv13
+ ifeq ($(have-thread-library),yes)
+ tests += bug-iconv3
+ endif
+diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c
+new file mode 100644
+index 0000000000..87aaff398e
+--- /dev/null
+++ b/iconvdata/bug-iconv13.c
+@@ -0,0 +1,53 @@
+/* bug 24973: Test EUC-KR module
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <iconv.h>
+#include <stdio.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+  iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+  /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
+     areas, which are not allowed and should be skipped over due to
+     //IGNORE.  The trailing 0xfe also is an incomplete sequence, which
+     should be checked first.  */
+  char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
+  char *inptr = input;
+  size_t insize = sizeof (input);
+  char output[4];
+  char *outptr = output;
+  size_t outsize = sizeof (output);
+
+  /* This used to crash due to buffer overrun.  */
+  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
+  TEST_VERIFY (errno == EINVAL);
+  /* The conversion should produce one character, the converted null
+     character.  */
+  TEST_VERIFY (sizeof (output) - outsize == 1);
+
+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
+index b0d56cf3ee..1045bae926 100644
+--- a/iconvdata/euc-kr.c
+++ b/iconvdata/euc-kr.c
+@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
+                                                                              \
+     if (ch <= 0x9f)                                                          \
+       ++inptr;                                                               \
+-    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are                   \
+-       user-defined areas.  */                                               \
+-    else if (__builtin_expect (ch == 0xa0, 0)                                \
+-            || __builtin_expect (ch > 0xfe, 0)                               \
+-            || __builtin_expect (ch == 0xc9, 0))                             \
+    else if (__glibc_unlikely (ch == 0xa0))                                  \
+       {                                                                              \
+        /* This is illegal.  */                                               \
+        STANDARD_FROM_LOOP_ERR_HANDLER (1);                                   \
+diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h
+index d3eb3a4ff8..f5cdc72797 100644
+--- a/iconvdata/ksc5601.h
+++ b/iconvdata/ksc5601.h
+@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset)
+   unsigned char ch2;
+   int idx;
+ 
+  if (avail < 2)
+    return 0;
+
+   /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
+ 
+   if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
+       || (ch - offset) == 0x49)
+     return __UNKNOWN_10646_CHAR;
+ 
+-  if (avail < 2)
+-    return 0;
+-
+   ch2 = (*s)[1];
+   if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
+     return __UNKNOWN_10646_CHAR;
+-- 
+2.27.0
diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
index b850c28c78..d43c8c56cb 100644
--- a/meta/recipes-core/glibc/glibc_2.32.bb
+++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -46,6 +46,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \
           file://CVE-2020-29562.patch \
           file://CVE-2020-29573.patch \
+           file://CVE-2019-25013.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Scott Murray <scott.murray@konsulko.com>	2021-01-09 22:11:30 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-01-18 23:51:07 +0000
commit	c804eb79c134c2d175be087e090c81e5013c6488 (patch)
tree	48be9d8278c3578bcb6c37e76eb9bcc0910e1503 /meta/recipes-core
parent	9b5e60d77a23ef89977bd382961083ee55248eca (diff)
download	poky-c804eb79c134c2d175be087e090c81e5013c6488.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch new file mode 100644 index 0000000000..987e959db2 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
@@ -0,0 +1,137 @@
		1	From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
		2	From: Andreas Schwab <schwab@suse.de>
		3	Date: Mon, 21 Dec 2020 08:56:43 +0530
		4	Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
		5
		6	The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
		7	area and is not allowed. The from_euc_kr function used to skip two bytes
		8	when told to skip over the unknown designation, potentially running over
		9	the buffer end.
		10
		11	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
		12	CVE: CVE-2019-25013
		13	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
		14	---
		15	iconvdata/Makefile \| 3 ++-
		16	iconvdata/bug-iconv13.c \| 53 +++++++++++++++++++++++++++++++++++++++++
		17	iconvdata/euc-kr.c \| 6 +----
		18	iconvdata/ksc5601.h \| 6 ++---
		19	4 files changed, 59 insertions(+), 9 deletions(-)
		20	create mode 100644 iconvdata/bug-iconv13.c
		21
		22	diff --git a/iconvdata/Makefile b/iconvdata/Makefile
		23	index 4ec2741cdc..85009f3390 100644
		24	--- a/iconvdata/Makefile
		25	+++ b/iconvdata/Makefile
		26	@@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules))
		27	ifeq (yes,$(build-shared))
		28	tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
		29	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
		30	- bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4
		31	+ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
		32	+ bug-iconv13
		33	ifeq ($(have-thread-library),yes)
		34	tests += bug-iconv3
		35	endif
		36	diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c
		37	new file mode 100644
		38	index 0000000000..87aaff398e
		39	--- /dev/null
		40	+++ b/iconvdata/bug-iconv13.c
		41	@@ -0,0 +1,53 @@
		42	+/* bug 24973: Test EUC-KR module
		43	+ Copyright (C) 2020 Free Software Foundation, Inc.
		44	+ This file is part of the GNU C Library.
		45	+
		46	+ The GNU C Library is free software; you can redistribute it and/or
		47	+ modify it under the terms of the GNU Lesser General Public
		48	+ License as published by the Free Software Foundation; either
		49	+ version 2.1 of the License, or (at your option) any later version.
		50	+
		51	+ The GNU C Library is distributed in the hope that it will be useful,
		52	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
		53	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		54	+ Lesser General Public License for more details.
		55	+
		56	+ You should have received a copy of the GNU Lesser General Public
		57	+ License along with the GNU C Library; if not, see
		58	+ <https://www.gnu.org/licenses/>. */
		59	+
		60	+#include <errno.h>
		61	+#include <iconv.h>
		62	+#include <stdio.h>
		63	+#include <support/check.h>
		64	+
		65	+static int
		66	+do_test (void)
		67	+{
		68	+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
		69	+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
		70	+
		71	+ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
		72	+ areas, which are not allowed and should be skipped over due to
		73	+ //IGNORE. The trailing 0xfe also is an incomplete sequence, which
		74	+ should be checked first. */
		75	+ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
		76	+ char *inptr = input;
		77	+ size_t insize = sizeof (input);
		78	+ char output[4];
		79	+ char *outptr = output;
		80	+ size_t outsize = sizeof (output);
		81	+
		82	+ /* This used to crash due to buffer overrun. */
		83	+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
		84	+ TEST_VERIFY (errno == EINVAL);
		85	+ /* The conversion should produce one character, the converted null
		86	+ character. */
		87	+ TEST_VERIFY (sizeof (output) - outsize == 1);
		88	+
		89	+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
		90	+
		91	+ return 0;
		92	+}
		93	+
		94	+#include <support/test-driver.c>
		95	diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
		96	index b0d56cf3ee..1045bae926 100644
		97	--- a/iconvdata/euc-kr.c
		98	+++ b/iconvdata/euc-kr.c
		99	@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
		100	\
		101	if (ch <= 0x9f) \
		102	++inptr; \
		103	- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
		104	- user-defined areas. */ \
		105	- else if (__builtin_expect (ch == 0xa0, 0) \
		106	- \|\| __builtin_expect (ch > 0xfe, 0) \
		107	- \|\| __builtin_expect (ch == 0xc9, 0)) \
		108	+ else if (__glibc_unlikely (ch == 0xa0)) \
		109	{ \
		110	/* This is illegal. */ \
		111	STANDARD_FROM_LOOP_ERR_HANDLER (1); \
		112	diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h
		113	index d3eb3a4ff8..f5cdc72797 100644
		114	--- a/iconvdata/ksc5601.h
		115	+++ b/iconvdata/ksc5601.h
		116	@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset)
		117	unsigned char ch2;
		118	int idx;
		119
		120	+ if (avail < 2)
		121	+ return 0;
		122	+
		123	/* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
		124
		125	if (ch < offset \|\| (ch - offset) <= 0x20 \|\| (ch - offset) >= 0x7e
		126	\|\| (ch - offset) == 0x49)
		127	return __UNKNOWN_10646_CHAR;
		128
		129	- if (avail < 2)
		130	- return 0;
		131	-
		132	ch2 = (*s)[1];
		133	if (ch2 < offset \|\| (ch2 - offset) <= 0x20 \|\| (ch2 - offset) >= 0x7f)
		134	return __UNKNOWN_10646_CHAR;
		135	--
		136	2.27.0
		137


diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb index b850c28c78..d43c8c56cb 100644 --- a/meta/recipes-core/glibc/glibc_2.32.bb +++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -46,6 +46,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
46	file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \	46	file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \
47	file://CVE-2020-29562.patch \	47	file://CVE-2020-29562.patch \
48	file://CVE-2020-29573.patch \	48	file://CVE-2020-29573.patch \
		49	file://CVE-2019-25013.patch \
49	"	50	"
50	S = "${WORKDIR}/git"	51	S = "${WORKDIR}/git"
51	B = "${WORKDIR}/build-${TARGET_SYS}"	52	B = "${WORKDIR}/build-${TARGET_SYS}"