sysstat: fix CVE-2022-39377

(From OE-Core rev: caf40fd28424aa583c18f9235d6d28651cc419b9) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Xiangyu Chen <xiangyu.chen@eng.windriver.com> 2022-11-19 16:17:35 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-13 15:23:34 +0000
commit: 887faedb16db908c032f3abcfd8a16e9da2123cd (patch)
tree: 9b07acbc847618c07f77c08a8d0aa2dbbf82fd4e /meta/recipes-extended
parent: 873eb777a090f45da26e30508f2b6e61ab6382ce (diff)
download: poky-887faedb16db908c032f3abcfd8a16e9da2123cd.tar.gz
2 files changed, 95 insertions, 1 deletions
diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
new file mode 100644
index 0000000000..dce7b0d61f
--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
@@ -0,0 +1,93 @@
+From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
+From: Sebastien <seb@fedora-2.home>
+Date: Sat, 15 Oct 2022 14:24:22 +0200
+Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
+allocate_structures function located in sa_common.c insufficiently
+checks bounds before arithmetic multiplication allowing for an
+overflow in the size allocated for the buffer representing system
+activities.
+This patch checks that the post-multiplied value is not greater than
+UINT_MAX.
+Signed-off-by: Sebastien <seb@fedora-2.home>
+Upstream-Status: Backport from
+[https://github.com/sysstat/sysstat/commit/a953ee3307d51255cc96e1f211882e97f795eed9]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ common.c    | 25 +++++++++++++++++++++++++
+ common.h    |  2 ++
+ sa_common.c |  6 ++++++
+ 3 files changed, 33 insertions(+)
+diff --git a/common.c b/common.c
+index 81c7762..1a84b05 100644
+--- a/common.c
+++ b/common.c
+@@ -1655,4 +1655,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
+ 
+        return 0;
+ }
+
+/*
+ ***************************************************************************
+ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
+ *
+ * IN:
+ * @val1       First value.
+ * @val2       Second value.
+ * @val3       Third value.
+ ***************************************************************************
+ */
+void check_overflow(size_t val1, size_t val2, size_t val3)
+{
+       if ((unsigned long long) val1 *
+           (unsigned long long) val2 *
+           (unsigned long long) val3 > UINT_MAX) {
+#ifdef DEBUG
+               fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+                       __FUNCTION__,
+                       (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
+#endif
+       exit(4);
+       }
+}
+
+ #endif /* SOURCE_SADC undefined */
+diff --git a/common.h b/common.h
+index 55b6657..e8ab98a 100644
+--- a/common.h
+++ b/common.h
+@@ -260,6 +260,8 @@ int check_dir
+        (char *);
+ 
+ #ifndef SOURCE_SADC
+void check_overflow
+       (size_t, size_t, size_t);
+ int count_bits
+        (void *, int);
+ int count_csvalues
+diff --git a/sa_common.c b/sa_common.c
+index 3699a84..b2cec4a 100644
+--- a/sa_common.c
+++ b/sa_common.c
+@@ -459,7 +459,13 @@ void allocate_structures(struct activity *act[])
+        int i, j;
+ 
+        for (i = 0; i < NR_ACT; i++) {
+
+                if (act[i]->nr_ini > 0) {
+
+                       /* Look for a possible overflow */
+                       check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
+                                      (size_t) act[i]->nr2);
+
+                        for (j = 0; j < 3; j++) {
+                                SREALLOC(act[i]->buf[j], void,
+                                                (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
+-- 
+2.34.1
diff --git a/meta/recipes-extended/sysstat/sysstat_12.4.5.bb b/meta/recipes-extended/sysstat/sysstat_12.4.5.bb
index fe3db4d8a5..3a3d1fb6ba 100644
--- a/meta/recipes-extended/sysstat/sysstat_12.4.5.bb
+++ b/meta/recipes-extended/sysstat/sysstat_12.4.5.bb
@@ -2,6 +2,7 @@ require sysstat.inc
 LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb"
-SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch"
+SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \
+           file://CVE-2022-39377.patch"
 SRC_URI[sha256sum] = "ef445acea301bbb996e410842f6290a8d049e884d4868cfef7e85dc04b7eee5b"
author	Xiangyu Chen <xiangyu.chen@eng.windriver.com>	2022-11-19 16:17:35 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-13 15:23:34 +0000
commit	887faedb16db908c032f3abcfd8a16e9da2123cd (patch)
tree	9b07acbc847618c07f77c08a8d0aa2dbbf82fd4e /meta/recipes-extended
parent	873eb777a090f45da26e30508f2b6e61ab6382ce (diff)
download	poky-887faedb16db908c032f3abcfd8a16e9da2123cd.tar.gz

diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch new file mode 100644 index 0000000000..dce7b0d61f --- /dev/null +++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
@@ -0,0 +1,93 @@
		1	From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
		2	From: Sebastien <seb@fedora-2.home>
		3	Date: Sat, 15 Oct 2022 14:24:22 +0200
		4	Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
		5
		6	allocate_structures function located in sa_common.c insufficiently
		7	checks bounds before arithmetic multiplication allowing for an
		8	overflow in the size allocated for the buffer representing system
		9	activities.
		10
		11	This patch checks that the post-multiplied value is not greater than
		12	UINT_MAX.
		13
		14	Signed-off-by: Sebastien <seb@fedora-2.home>
		15
		16	Upstream-Status: Backport from
		17	[https://github.com/sysstat/sysstat/commit/a953ee3307d51255cc96e1f211882e97f795eed9]
		18
		19	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		20	---
		21	common.c \| 25 +++++++++++++++++++++++++
		22	common.h \| 2 ++
		23	sa_common.c \| 6 ++++++
		24	3 files changed, 33 insertions(+)
		25
		26	diff --git a/common.c b/common.c
		27	index 81c7762..1a84b05 100644
		28	--- a/common.c
		29	+++ b/common.c
		30	@@ -1655,4 +1655,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
		31
		32	return 0;
		33	}
		34	+
		35	+/*
		36	+ ***************************************************************************
		37	+ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
		38	+ *
		39	+ * IN:
		40	+ * @val1 First value.
		41	+ * @val2 Second value.
		42	+ * @val3 Third value.
		43	+ ***************************************************************************
		44	+ */
		45	+void check_overflow(size_t val1, size_t val2, size_t val3)
		46	+{
		47	+ if ((unsigned long long) val1 *
		48	+ (unsigned long long) val2 *
		49	+ (unsigned long long) val3 > UINT_MAX) {
		50	+#ifdef DEBUG
		51	+ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
		52	+ __FUNCTION__,
		53	+ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
		54	+#endif
		55	+ exit(4);
		56	+ }
		57	+}
		58	+
		59	#endif /* SOURCE_SADC undefined */
		60	diff --git a/common.h b/common.h
		61	index 55b6657..e8ab98a 100644
		62	--- a/common.h
		63	+++ b/common.h
		64	@@ -260,6 +260,8 @@ int check_dir
		65	(char *);
		66
		67	#ifndef SOURCE_SADC
		68	+void check_overflow
		69	+ (size_t, size_t, size_t);
		70	int count_bits
		71	(void *, int);
		72	int count_csvalues
		73	diff --git a/sa_common.c b/sa_common.c
		74	index 3699a84..b2cec4a 100644
		75	--- a/sa_common.c
		76	+++ b/sa_common.c
		77	@@ -459,7 +459,13 @@ void allocate_structures(struct activity *act[])
		78	int i, j;
		79
		80	for (i = 0; i < NR_ACT; i++) {
		81	+
		82	if (act[i]->nr_ini > 0) {
		83	+
		84	+ /* Look for a possible overflow */
		85	+ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
		86	+ (size_t) act[i]->nr2);
		87	+
		88	for (j = 0; j < 3; j++) {
		89	SREALLOC(act[i]->buf[j], void,
		90	(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
		91	--
		92	2.34.1
		93


diff --git a/meta/recipes-extended/sysstat/sysstat_12.4.5.bb b/meta/recipes-extended/sysstat/sysstat_12.4.5.bb index fe3db4d8a5..3a3d1fb6ba 100644 --- a/meta/recipes-extended/sysstat/sysstat_12.4.5.bb +++ b/meta/recipes-extended/sysstat/sysstat_12.4.5.bb
@@ -2,6 +2,7 @@ require sysstat.inc
2		2
3	LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb"	3	LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb"
4		4
5	SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch"	5	SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \
		6	file://CVE-2022-39377.patch"
6		7
7	SRC_URI[sha256sum] = "ef445acea301bbb996e410842f6290a8d049e884d4868cfef7e85dc04b7eee5b"	8	SRC_URI[sha256sum] = "ef445acea301bbb996e410842f6290a8d049e884d4868cfef7e85dc04b7eee5b"