author | Minjae Kim <flowergom@gmail.com> | 2022-02-28 11:38:38 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-10 16:39:45 +0000 |
commit | f8d05252d1f99c49208e07133d8534fab70af37f (patch) | |
tree | f22934cbfc11aded4c6d6e7db9685ca26e0ebf31 /meta/recipes-extended | |
parent | b2bd31b9cc10165719d132073ddaa8e93298f633 (diff) | |
download | poky-f8d05252d1f99c49208e07133d8534fab70af37f.tar.gz |
ghostscript: fix CVE-2021-45949
Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish
(called from sampled_data_continue and interp).
To apply this CVE-2021-45949 patch,
the check-stack-limits-after-function-evalution.patch should be applied first.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-45949
(From OE-Core rev: 5fb43ed64ae32abe4488f2eb37c1b82f97f83db0)
(From OE-Core rev: 9b0199a1d8ec3c7bbfd2022932d524d61f2c6832)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
3 files changed, 118 insertions, 0 deletions
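--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
@@ -0,0 +1,65 @@
+From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 28 Jan 2022 08:21:19 +0000
+Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in
+sampled_data_continue()
+
+Replace pop() (which does no checking, and doesn't handle stack extension
+blocks) with ref_stack_pop() which does do all that.
+
+We still use pop() in one case (it's faster), but we have to later use
+ref_stack_pop() before calling sampled_data_sample() which also accesses the
+op stack.
+
+Fixes:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
+CVE: CVE-2021-45949
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+psi/zfsample.c | 13 ++++++++-----
+1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 0023fa4..f84671f 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
+}
+pop(num_out); /* Move op to base of result values */
+-
++ /* From here on, we have to use ref_stack_pop() rather than pop()
++ so that it handles stack extension blocks properly, before calling
++ sampled_data_sample() which also uses the op stack.
++ */
+/* Check if we are done collecting data. */
+
+if (increment_cube_indexes(params, penum->indexes)) {
+if (stack_depth_adjust == 0)
+- pop(O_STACK_PAD); /* Remove spare stack space */
++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
+else
+- pop(stack_depth_adjust - num_out);
++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+/* Execute the closing procedure, if given */
+code = 0;
+if (esp_finish_proc != 0)
+@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+check_op(stack_depth_adjust);
+- pop(stack_depth_adjust);
++ ref_stack_pop(&o_stack, stack_depth_adjust);
+}
+else {
+check_ostack(O_STACK_PAD - stack_depth_adjust);
+- push(O_STACK_PAD - stack_depth_adjust);
++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+make_null(op - i);
+}
+--
+2.17.1
+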
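Review bot: After `ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);` in the second inner hunk, the loop on the following two lines still writes through the local `op` (`make_null(op - i)`), which the replaced `push()` presumably kept in step with the stack top but `ref_stack_push()` does not, so the nulls may land on the old top entries rather than on the newly pushed slots. Unless `op` is refreshed elsewhere, the loop should be preceded by `op = osp;` so the pushed entries are actually initialised before sampled_data_sample() sees them. The same stale-pointer question applies to any use of `op` after the `ref_stack_pop()` calls in the first inner hunk, which cannot be checked here because sampled_data_continue() starts and continues outside both hunks. It is also worth confirming against its declaration whether `ref_stack_push()` returns an error code that this call should propagate instead of relying solely on the preceding `check_ostack()`.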
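--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
@@ -0,0 +1,51 @@
+From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 12 Feb 2021 10:34:23 +0000
+Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
+
+During function result sampling, after the callout to the Postscript
+interpreter, make sure there is enough stack space available before pushing
+or popping entries.
+
+In thise case, the Postscript procedure for the "function" is totally invalid
+(as a function), and leaves the op stack in an unrecoverable state (as far as
+function evaluation is concerned). We end up popping more entries off the
+stack than are available.
+
+To cope, add in stack limit checking to throw an appropriate error when this
+happens.
+
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+psi/zfsample.c | 14 +++++++++++---
+1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 290809405..652ae02c6 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+} else {
+if (stack_depth_adjust) {
+stack_depth_adjust -= num_out;
+- push(O_STACK_PAD - stack_depth_adjust);
+- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+- make_null(op - i);
++ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
++ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
++ check_op(stack_depth_adjust);
++ pop(stack_depth_adjust);
++ }
++ else {
++ check_ostack(O_STACK_PAD - stack_depth_adjust);
++ push(O_STACK_PAD - stack_depth_adjust);
++ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
++ make_null(op - i);
++ }
+}
+}
+
+--
+2.25.1
+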
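--- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
@@ -34,6 +34,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://avoid-host-contamination.patch \
 file://mkdir-p.patch \
 file://0001-Bug-704342-Include-device-specifier-strings-in-acces.patch \
+file://check-stack-limits-after-function-evalution.patch \
+file://CVE-2021-45949.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \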