diff options
author | Ross Burton <ross.burton@intel.com> | 2019-11-04 12:14:55 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-13 22:02:15 +0000 |
commit | 495005ae3c4e5f2e36ed1a81b885f5405c6266a9 (patch) | |
tree | 0c2ca49d9d6e047bb92605b52f8ca4223e475a40 /meta/recipes-devtools/file/file | |
parent | cf1117859e0019d37fd2a1cfa47dcf89bda3d22f (diff) | |
download | poky-495005ae3c4e5f2e36ed1a81b885f5405c6266a9.tar.gz |
file: fix CVE-2019-18218
(From OE-Core rev: 2435c38e109cac68476ee672eca09b4cd6237ed4)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/file/file')
-rw-r--r-- | meta/recipes-devtools/file/file/CVE-2019-18218.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-devtools/file/file/CVE-2019-18218.patch b/meta/recipes-devtools/file/file/CVE-2019-18218.patch new file mode 100644 index 0000000000..3d02c5ad4b --- /dev/null +++ b/meta/recipes-devtools/file/file/CVE-2019-18218.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | cdf_read_property_info in cdf.c in file through 5.37 does not restrict the | ||
2 | number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte | ||
3 | out-of-bounds write). | ||
4 | |||
5 | CVE: CVE-2019-18218 | ||
6 | Upstream-Status: Backport | ||
7 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
8 | |||
9 | From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 | ||
10 | From: Christos Zoulas <christos@zoulas.com> | ||
11 | Date: Mon, 26 Aug 2019 14:31:39 +0000 | ||
12 | Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) | ||
13 | |||
14 | --- | ||
15 | src/cdf.c | 9 ++++----- | ||
16 | src/cdf.h | 1 + | ||
17 | 2 files changed, 5 insertions(+), 5 deletions(-) | ||
18 | |||
19 | diff --git a/src/cdf.c b/src/cdf.c | ||
20 | index 9d6396742..bb81d6374 100644 | ||
21 | --- a/src/cdf.c | ||
22 | +++ b/src/cdf.c | ||
23 | @@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, | ||
24 | goto out; | ||
25 | } | ||
26 | nelements = CDF_GETUINT32(q, 1); | ||
27 | - if (nelements == 0) { | ||
28 | - DPRINTF(("CDF_VECTOR with nelements == 0\n")); | ||
29 | + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { | ||
30 | + DPRINTF(("CDF_VECTOR with nelements == %" | ||
31 | + SIZE_T_FORMAT "u\n", nelements)); | ||
32 | goto out; | ||
33 | } | ||
34 | slen = 2; | ||
35 | @@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, | ||
36 | goto out; | ||
37 | inp += nelem; | ||
38 | } | ||
39 | - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", | ||
40 | - nelements)); | ||
41 | for (j = 0; j < nelements && i < sh.sh_properties; | ||
42 | j++, i++) | ||
43 | { | ||
44 | diff --git a/src/cdf.h b/src/cdf.h | ||
45 | index 2f7e554b7..05056668f 100644 | ||
46 | --- a/src/cdf.h | ||
47 | +++ b/src/cdf.h | ||
48 | @@ -48,6 +48,7 @@ | ||
49 | typedef int32_t cdf_secid_t; | ||
50 | |||
51 | #define CDF_LOOP_LIMIT 10000 | ||
52 | +#define CDF_ELEMENT_LIMIT 100000 | ||
53 | |||
54 | #define CDF_SECID_NULL 0 | ||
55 | #define CDF_SECID_FREE -1 | ||