zlib: Fix CVE-2016-9841

Add backported patch to fix CVE-2016-9841 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9841 (From OE-Core rev: aa650d4f5eb2b671e76d7c4da3ef080e26eed543) Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: George McCollister <george.mccollister@gmail.com> 2017-11-14 14:01:04 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-21 14:43:56 +0000
commit: ed3802b67f00f3e565c64086f0fbffd432aabc29 (patch)
tree: 6f33b5e9bef2223ee5343c6e120e37e2cf342f47 /meta/recipes-core
parent: c3450174c8624e02d6515ec4afb981171aed1817 (diff)
download: poky-ed3802b67f00f3e565c64086f0fbffd432aabc29.tar.gz
2 files changed, 231 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch
new file mode 100644
index 0000000000..9cf7a77786
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch
@@ -0,0 +1,230 @@
+commit 9aaec95e82117c1cb0f9624264c3618fc380cecb
+Author: Mark Adler <madler@alumni.caltech.edu>
+Date:   Wed Sep 21 22:25:21 2016 -0700
+    Use post-increment only in inffast.c.
+    
+    An old inffast.c optimization turns out to not be optimal anymore
+    with modern compilers, and furthermore was not compliant with the
+    C standard, for which decrementing a pointer before its allocated
+    memory is undefined. Per the recommendation of a security audit of
+    the zlib code by Trail of Bits and TrustInSoft, in support of the
+    Mozilla Foundation, this "optimization" was removed, in order to
+    avoid the possibility of undefined behavior.
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
+CVE: CVE-2016-9841
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+diff --git a/inffast.c b/inffast.c
+index bda59ce..f0d163d 100644
+--- a/inffast.c
+++ b/inffast.c
+@@ -10,25 +10,6 @@
+ 
+ #ifndef ASMINF
+ 
+-/* Allow machine dependent optimization for post-increment or pre-increment.
+-   Based on testing to date,
+-   Pre-increment preferred for:
+-   - PowerPC G3 (Adler)
+-   - MIPS R5000 (Randers-Pehrson)
+-   Post-increment preferred for:
+-   - none
+-   No measurable difference:
+-   - Pentium III (Anderson)
+-   - M68060 (Nikl)
+- */
+-#ifdef POSTINC
+-#  define OFF 0
+-#  define PUP(a) *(a)++
+-#else
+-#  define OFF 1
+-#  define PUP(a) *++(a)
+-#endif
+-
+ /*
+    Decode literal, length, and distance codes and write out the resulting
+    literal and match bytes until either not enough input or output is
+@@ -96,9 +77,9 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+ 
+     /* copy state to local variables */
+     state = (struct inflate_state FAR *)strm->state;
+-    in = strm->next_in - OFF;
+    in = strm->next_in;
+     last = in + (strm->avail_in - 5);
+-    out = strm->next_out - OFF;
+    out = strm->next_out;
+     beg = out - (start - strm->avail_out);
+     end = out + (strm->avail_out - 257);
+ #ifdef INFLATE_STRICT
+@@ -119,9 +100,9 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+        input data or output space */
+     do {
+         if (bits < 15) {
+-            hold += (unsigned long)(PUP(in)) << bits;
+            hold += (unsigned long)(*in++) << bits;
+             bits += 8;
+-            hold += (unsigned long)(PUP(in)) << bits;
+            hold += (unsigned long)(*in++) << bits;
+             bits += 8;
+         }
+         here = lcode[hold & lmask];
+@@ -134,14 +115,14 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+             Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
+                     "inflate:         literal '%c'\n" :
+                     "inflate:         literal 0x%02x\n", here.val));
+-            PUP(out) = (unsigned char)(here.val);
+            *out++ = (unsigned char)(here.val);
+         }
+         else if (op & 16) {                     /* length base */
+             len = (unsigned)(here.val);
+             op &= 15;                           /* number of extra bits */
+             if (op) {
+                 if (bits < op) {
+-                    hold += (unsigned long)(PUP(in)) << bits;
+                    hold += (unsigned long)(*in++) << bits;
+                     bits += 8;
+                 }
+                 len += (unsigned)hold & ((1U << op) - 1);
+@@ -150,9 +131,9 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+             }
+             Tracevv((stderr, "inflate:         length %u\n", len));
+             if (bits < 15) {
+-                hold += (unsigned long)(PUP(in)) << bits;
+                hold += (unsigned long)(*in++) << bits;
+                 bits += 8;
+-                hold += (unsigned long)(PUP(in)) << bits;
+                hold += (unsigned long)(*in++) << bits;
+                 bits += 8;
+             }
+             here = dcode[hold & dmask];
+@@ -165,10 +146,10 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+                 dist = (unsigned)(here.val);
+                 op &= 15;                       /* number of extra bits */
+                 if (bits < op) {
+-                    hold += (unsigned long)(PUP(in)) << bits;
+                    hold += (unsigned long)(*in++) << bits;
+                     bits += 8;
+                     if (bits < op) {
+-                        hold += (unsigned long)(PUP(in)) << bits;
+                        hold += (unsigned long)(*in++) << bits;
+                         bits += 8;
+                     }
+                 }
+@@ -196,30 +177,30 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+ #ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+                         if (len <= op - whave) {
+                             do {
+-                                PUP(out) = 0;
+                                *out++ = 0;
+                             } while (--len);
+                             continue;
+                         }
+                         len -= op - whave;
+                         do {
+-                            PUP(out) = 0;
+                            *out++ = 0;
+                         } while (--op > whave);
+                         if (op == 0) {
+                             from = out - dist;
+                             do {
+-                                PUP(out) = PUP(from);
+                                *out++ = *from++;
+                             } while (--len);
+                             continue;
+                         }
+ #endif
+                     }
+-                    from = window - OFF;
+                    from = window;
+                     if (wnext == 0) {           /* very common case */
+                         from += wsize - op;
+                         if (op < len) {         /* some from window */
+                             len -= op;
+                             do {
+-                                PUP(out) = PUP(from);
+                                *out++ = *from++;
+                             } while (--op);
+                             from = out - dist;  /* rest from output */
+                         }
+@@ -230,14 +211,14 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+                         if (op < len) {         /* some from end of window */
+                             len -= op;
+                             do {
+-                                PUP(out) = PUP(from);
+                                *out++ = *from++;
+                             } while (--op);
+-                            from = window - OFF;
+                            from = window;
+                             if (wnext < len) {  /* some from start of window */
+                                 op = wnext;
+                                 len -= op;
+                                 do {
+-                                    PUP(out) = PUP(from);
+                                    *out++ = *from++;
+                                 } while (--op);
+                                 from = out - dist;      /* rest from output */
+                             }
+@@ -248,35 +229,35 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+                         if (op < len) {         /* some from window */
+                             len -= op;
+                             do {
+-                                PUP(out) = PUP(from);
+                                *out++ = *from++;
+                             } while (--op);
+                             from = out - dist;  /* rest from output */
+                         }
+                     }
+                     while (len > 2) {
+-                        PUP(out) = PUP(from);
+-                        PUP(out) = PUP(from);
+-                        PUP(out) = PUP(from);
+                        *out++ = *from++;
+                        *out++ = *from++;
+                        *out++ = *from++;
+                         len -= 3;
+                     }
+                     if (len) {
+-                        PUP(out) = PUP(from);
+                        *out++ = *from++;
+                         if (len > 1)
+-                            PUP(out) = PUP(from);
+                            *out++ = *from++;
+                     }
+                 }
+                 else {
+                     from = out - dist;          /* copy direct from output */
+                     do {                        /* minimum length is three */
+-                        PUP(out) = PUP(from);
+-                        PUP(out) = PUP(from);
+-                        PUP(out) = PUP(from);
+                        *out++ = *from++;
+                        *out++ = *from++;
+                        *out++ = *from++;
+                         len -= 3;
+                     } while (len > 2);
+                     if (len) {
+-                        PUP(out) = PUP(from);
+                        *out++ = *from++;
+                         if (len > 1)
+-                            PUP(out) = PUP(from);
+                            *out++ = *from++;
+                     }
+                 }
+             }
+@@ -313,8 +294,8 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
+     hold &= (1U << bits) - 1;
+ 
+     /* update state and return */
+-    strm->next_in = in + OFF;
+-    strm->next_out = out + OFF;
+    strm->next_in = in;
+    strm->next_out = out;
+     strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
+     strm->avail_out = (unsigned)(out < end ?
+                                  257 + (end - out) : 257 - (out - end));
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb
index b6a4c687ca..88f60611d9 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -11,6 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
           file://Makefile-runtests.patch \
           file://ldflags-tests.patch \
           file://CVE-2016-9840.patch \
+           file://CVE-2016-9841.patch \
           file://run-ptest \
           "
author	George McCollister <george.mccollister@gmail.com>	2017-11-14 14:01:04 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-21 14:43:56 +0000
commit	ed3802b67f00f3e565c64086f0fbffd432aabc29 (patch)
tree	6f33b5e9bef2223ee5343c6e120e37e2cf342f47 /meta/recipes-core
parent	c3450174c8624e02d6515ec4afb981171aed1817 (diff)
download	poky-ed3802b67f00f3e565c64086f0fbffd432aabc29.tar.gz

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch new file mode 100644 index 0000000000..9cf7a77786 --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch
@@ -0,0 +1,230 @@
		1	commit 9aaec95e82117c1cb0f9624264c3618fc380cecb
		2	Author: Mark Adler <madler@alumni.caltech.edu>
		3	Date: Wed Sep 21 22:25:21 2016 -0700
		4
		5	Use post-increment only in inffast.c.
		6
		7	An old inffast.c optimization turns out to not be optimal anymore
		8	with modern compilers, and furthermore was not compliant with the
		9	C standard, for which decrementing a pointer before its allocated
		10	memory is undefined. Per the recommendation of a security audit of
		11	the zlib code by Trail of Bits and TrustInSoft, in support of the
		12	Mozilla Foundation, this "optimization" was removed, in order to
		13	avoid the possibility of undefined behavior.
		14
		15	Upstream-Status: Backport
		16	http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
		17	https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
		18
		19	CVE: CVE-2016-9841
		20
		21	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		22
		23	diff --git a/inffast.c b/inffast.c
		24	index bda59ce..f0d163d 100644
		25	--- a/inffast.c
		26	+++ b/inffast.c
		27	@@ -10,25 +10,6 @@
		28
		29	#ifndef ASMINF
		30
		31	-/* Allow machine dependent optimization for post-increment or pre-increment.
		32	- Based on testing to date,
		33	- Pre-increment preferred for:
		34	- - PowerPC G3 (Adler)
		35	- - MIPS R5000 (Randers-Pehrson)
		36	- Post-increment preferred for:
		37	- - none
		38	- No measurable difference:
		39	- - Pentium III (Anderson)
		40	- - M68060 (Nikl)
		41	- */
		42	-#ifdef POSTINC
		43	-# define OFF 0
		44	-# define PUP(a) *(a)++
		45	-#else
		46	-# define OFF 1
		47	-# define PUP(a) *++(a)
		48	-#endif
		49	-
		50	/*
		51	Decode literal, length, and distance codes and write out the resulting
		52	literal and match bytes until either not enough input or output is
		53	@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		54
		55	/* copy state to local variables */
		56	state = (struct inflate_state FAR *)strm->state;
		57	- in = strm->next_in - OFF;
		58	+ in = strm->next_in;
		59	last = in + (strm->avail_in - 5);
		60	- out = strm->next_out - OFF;
		61	+ out = strm->next_out;
		62	beg = out - (start - strm->avail_out);
		63	end = out + (strm->avail_out - 257);
		64	#ifdef INFLATE_STRICT
		65	@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		66	input data or output space */
		67	do {
		68	if (bits < 15) {
		69	- hold += (unsigned long)(PUP(in)) << bits;
		70	+ hold += (unsigned long)(*in++) << bits;
		71	bits += 8;
		72	- hold += (unsigned long)(PUP(in)) << bits;
		73	+ hold += (unsigned long)(*in++) << bits;
		74	bits += 8;
		75	}
		76	here = lcode[hold & lmask];
		77	@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		78	Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
		79	"inflate: literal '%c'\n" :
		80	"inflate: literal 0x%02x\n", here.val));
		81	- PUP(out) = (unsigned char)(here.val);
		82	+ *out++ = (unsigned char)(here.val);
		83	}
		84	else if (op & 16) { /* length base */
		85	len = (unsigned)(here.val);
		86	op &= 15; /* number of extra bits */
		87	if (op) {
		88	if (bits < op) {
		89	- hold += (unsigned long)(PUP(in)) << bits;
		90	+ hold += (unsigned long)(*in++) << bits;
		91	bits += 8;
		92	}
		93	len += (unsigned)hold & ((1U << op) - 1);
		94	@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		95	}
		96	Tracevv((stderr, "inflate: length %u\n", len));
		97	if (bits < 15) {
		98	- hold += (unsigned long)(PUP(in)) << bits;
		99	+ hold += (unsigned long)(*in++) << bits;
		100	bits += 8;
		101	- hold += (unsigned long)(PUP(in)) << bits;
		102	+ hold += (unsigned long)(*in++) << bits;
		103	bits += 8;
		104	}
		105	here = dcode[hold & dmask];
		106	@@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		107	dist = (unsigned)(here.val);
		108	op &= 15; /* number of extra bits */
		109	if (bits < op) {
		110	- hold += (unsigned long)(PUP(in)) << bits;
		111	+ hold += (unsigned long)(*in++) << bits;
		112	bits += 8;
		113	if (bits < op) {
		114	- hold += (unsigned long)(PUP(in)) << bits;
		115	+ hold += (unsigned long)(*in++) << bits;
		116	bits += 8;
		117	}
		118	}
		119	@@ -196,30 +177,30 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		120	#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
		121	if (len <= op - whave) {
		122	do {
		123	- PUP(out) = 0;
		124	+ *out++ = 0;
		125	} while (--len);
		126	continue;
		127	}
		128	len -= op - whave;
		129	do {
		130	- PUP(out) = 0;
		131	+ *out++ = 0;
		132	} while (--op > whave);
		133	if (op == 0) {
		134	from = out - dist;
		135	do {
		136	- PUP(out) = PUP(from);
		137	+ out++ = from++;
		138	} while (--len);
		139	continue;
		140	}
		141	#endif
		142	}
		143	- from = window - OFF;
		144	+ from = window;
		145	if (wnext == 0) { /* very common case */
		146	from += wsize - op;
		147	if (op < len) { /* some from window */
		148	len -= op;
		149	do {
		150	- PUP(out) = PUP(from);
		151	+ out++ = from++;
		152	} while (--op);
		153	from = out - dist; /* rest from output */
		154	}
		155	@@ -230,14 +211,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		156	if (op < len) { /* some from end of window */
		157	len -= op;
		158	do {
		159	- PUP(out) = PUP(from);
		160	+ out++ = from++;
		161	} while (--op);
		162	- from = window - OFF;
		163	+ from = window;
		164	if (wnext < len) { /* some from start of window */
		165	op = wnext;
		166	len -= op;
		167	do {
		168	- PUP(out) = PUP(from);
		169	+ out++ = from++;
		170	} while (--op);
		171	from = out - dist; /* rest from output */
		172	}
		173	@@ -248,35 +229,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		174	if (op < len) { /* some from window */
		175	len -= op;
		176	do {
		177	- PUP(out) = PUP(from);
		178	+ out++ = from++;
		179	} while (--op);
		180	from = out - dist; /* rest from output */
		181	}
		182	}
		183	while (len > 2) {
		184	- PUP(out) = PUP(from);
		185	- PUP(out) = PUP(from);
		186	- PUP(out) = PUP(from);
		187	+ out++ = from++;
		188	+ out++ = from++;
		189	+ out++ = from++;
		190	len -= 3;
		191	}
		192	if (len) {
		193	- PUP(out) = PUP(from);
		194	+ out++ = from++;
		195	if (len > 1)
		196	- PUP(out) = PUP(from);
		197	+ out++ = from++;
		198	}
		199	}
		200	else {
		201	from = out - dist; /* copy direct from output */
		202	do { /* minimum length is three */
		203	- PUP(out) = PUP(from);
		204	- PUP(out) = PUP(from);
		205	- PUP(out) = PUP(from);
		206	+ out++ = from++;
		207	+ out++ = from++;
		208	+ out++ = from++;
		209	len -= 3;
		210	} while (len > 2);
		211	if (len) {
		212	- PUP(out) = PUP(from);
		213	+ out++ = from++;
		214	if (len > 1)
		215	- PUP(out) = PUP(from);
		216	+ out++ = from++;
		217	}
		218	}
		219	}
		220	@@ -313,8 +294,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
		221	hold &= (1U << bits) - 1;
		222
		223	/* update state and return */
		224	- strm->next_in = in + OFF;
		225	- strm->next_out = out + OFF;
		226	+ strm->next_in = in;
		227	+ strm->next_out = out;
		228	strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
		229	strm->avail_out = (unsigned)(out < end ?
		230	257 + (end - out) : 257 - (out - end));


diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb index b6a4c687ca..88f60611d9 100644 --- a/meta/recipes-core/zlib/zlib_1.2.8.bb +++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -11,6 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
11	file://Makefile-runtests.patch \	11	file://Makefile-runtests.patch \
12	file://ldflags-tests.patch \	12	file://ldflags-tests.patch \
13	file://CVE-2016-9840.patch \	13	file://CVE-2016-9840.patch \
		14	file://CVE-2016-9841.patch \
14	file://run-ptest \	15	file://run-ptest \
15	"	16	"
16		17