nss-3.15.1: fix CVE-2013-1741

Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741 (From OE-Core rev: b666d173ff0ba213bf81e2c035a605a28e5395ea) Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: yanjun.zhu <yanjun.zhu@windriver.com> 2014-03-28 17:43:37 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-03-30 10:10:32 +0100
commit: 6a3cadea0ce3f26306389f19121876378cf8925b (patch)
tree: a656e6e7e3b67297d38cf8ac661fa86ca4751403 /meta/recipes-support/nss
parent: c4c31eb76170ee4d7cb436954b35b27971a46e84 (diff)
download: poky-6a3cadea0ce3f26306389f19121876378cf8925b.tar.gz
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
new file mode 100644
index 0000000000..21da0c03b5
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
+Upstream-Status: backport
+yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/nss/lib/util/secport.c
+++ b/nss/lib/util/secport.c
+@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
+ PORTCharConversionFunc ucs2Utf8ConvertFunc;
+ PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+ 
+/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
+ * use the PRUint32 type for the size parameter. Before we pass a size_t or
+ * unsigned long size to these functions, we need to ensure it is <= half of
+ * the maximum PRUint32 value to avoid truncation and catch a negative size.
+ */
+#define MAX_SIZE (PR_UINT32_MAX >> 1)
+
+ void *
+ PORT_Alloc(size_t bytes)
+ {
+-    void *rv;
+    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Malloc(bytes ? bytes : 1);
+    if (bytes <= MAX_SIZE) {
+       /* Always allocate a non-zero amount of bytes */
+       rv = PR_Malloc(bytes ? bytes : 1);
+    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
+ void *
+ PORT_Realloc(void *oldptr, size_t bytes)
+ {
+-    void *rv;
+    void *rv = NULL;
+ 
+-    rv = (void *)PR_Realloc(oldptr, bytes);
+    if (bytes <= MAX_SIZE) {
+       rv = PR_Realloc(oldptr, bytes);
+    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
+ void *
+ PORT_ZAlloc(size_t bytes)
+ {
+-    void *rv;
+    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
+    if (bytes <= MAX_SIZE) {
+       /* Always allocate a non-zero amount of bytes */
+       rv = PR_Calloc(1, bytes ? bytes : 1);
+    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
+ {
+     PORTArenaPool *pool;
+     
+    if (chunksize > MAX_SIZE) {
+       PORT_SetError(SEC_ERROR_NO_MEMORY);
+       return NULL;
+    }
+     pool = PORT_ZNew(PORTArenaPool);
+     if (!pool) {
+        return NULL;
+@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
+     return(&pool->arena);
+ }
+ 
+-#define MAX_SIZE 0x7fffffffUL
+-
+ void *
+ PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+ {
+@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void 
+     PORTArenaPool *pool = (PORTArenaPool *)arena;
+     PORT_Assert(newsize >= oldsize);
+     
+    if (newsize > MAX_SIZE) {
+       PORT_SetError(SEC_ERROR_NO_MEMORY);
+       return NULL;
+    }
+
+     if (ARENAPOOL_MAGIC == pool->magic ) {
+        PZ_Lock(pool->lock);
+        /* Do we do a THREADMARK check here? */
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index a6aeed8b1a..6364562a13 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -16,6 +16,7 @@ SRC_URI = "\
    file://nss-fix-support-cross-compiling.patch \
    file://nss-no-rpath-for-cross-compiling.patch \
    file://nss-fix-incorrect-shebang-of-perl.patch \
+    file://nss-3.15.1-fix-CVE-2013-1741.patch \
 "
 SRC_URI_append_class-target = "\
    file://nss.pc.in \
author	yanjun.zhu <yanjun.zhu@windriver.com>	2014-03-28 17:43:37 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-03-30 10:10:32 +0100
commit	6a3cadea0ce3f26306389f19121876378cf8925b (patch)
tree	a656e6e7e3b67297d38cf8ac661fa86ca4751403 /meta/recipes-support/nss
parent	c4c31eb76170ee4d7cb436954b35b27971a46e84 (diff)
download	poky-6a3cadea0ce3f26306389f19121876378cf8925b.tar.gz

diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch new file mode 100644 index 0000000000..21da0c03b5 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
		1	Upstream-Status: backport
		2	yanjun.zhu <yanjun.zhu@windriver.com>
		3	--- a/nss/lib/util/secport.c
		4	+++ b/nss/lib/util/secport.c
		5	@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
		6	PORTCharConversionFunc ucs2Utf8ConvertFunc;
		7	PORTCharConversionWSwapFunc ucs2AsciiConvertFunc;
		8
		9	+/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
		10	+ * use the PRUint32 type for the size parameter. Before we pass a size_t or
		11	+ * unsigned long size to these functions, we need to ensure it is <= half of
		12	+ * the maximum PRUint32 value to avoid truncation and catch a negative size.
		13	+ */
		14	+#define MAX_SIZE (PR_UINT32_MAX >> 1)
		15	+
		16	void *
		17	PORT_Alloc(size_t bytes)
		18	{
		19	- void *rv;
		20	+ void *rv = NULL;
		21
		22	- /* Always allocate a non-zero amount of bytes */
		23	- rv = (void *)PR_Malloc(bytes ? bytes : 1);
		24	+ if (bytes <= MAX_SIZE) {
		25	+ /* Always allocate a non-zero amount of bytes */
		26	+ rv = PR_Malloc(bytes ? bytes : 1);
		27	+ }
		28	if (!rv) {
		29	++port_allocFailures;
		30	PORT_SetError(SEC_ERROR_NO_MEMORY);
		31	@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
		32	void *
		33	PORT_Realloc(void *oldptr, size_t bytes)
		34	{
		35	- void *rv;
		36	+ void *rv = NULL;
		37
		38	- rv = (void *)PR_Realloc(oldptr, bytes);
		39	+ if (bytes <= MAX_SIZE) {
		40	+ rv = PR_Realloc(oldptr, bytes);
		41	+ }
		42	if (!rv) {
		43	++port_allocFailures;
		44	PORT_SetError(SEC_ERROR_NO_MEMORY);
		45	@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
		46	void *
		47	PORT_ZAlloc(size_t bytes)
		48	{
		49	- void *rv;
		50	+ void *rv = NULL;
		51
		52	- /* Always allocate a non-zero amount of bytes */
		53	- rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
		54	+ if (bytes <= MAX_SIZE) {
		55	+ /* Always allocate a non-zero amount of bytes */
		56	+ rv = PR_Calloc(1, bytes ? bytes : 1);
		57	+ }
		58	if (!rv) {
		59	++port_allocFailures;
		60	PORT_SetError(SEC_ERROR_NO_MEMORY);
		61	@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
		62	{
		63	PORTArenaPool *pool;
		64
		65	+ if (chunksize > MAX_SIZE) {
		66	+ PORT_SetError(SEC_ERROR_NO_MEMORY);
		67	+ return NULL;
		68	+ }
		69	pool = PORT_ZNew(PORTArenaPool);
		70	if (!pool) {
		71	return NULL;
		72	@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
		73	return(&pool->arena);
		74	}
		75
		76	-#define MAX_SIZE 0x7fffffffUL
		77	-
		78	void *
		79	PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
		80	{
		81	@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void
		82	PORTArenaPool pool = (PORTArenaPool )arena;
		83	PORT_Assert(newsize >= oldsize);
		84
		85	+ if (newsize > MAX_SIZE) {
		86	+ PORT_SetError(SEC_ERROR_NO_MEMORY);
		87	+ return NULL;
		88	+ }
		89	+
		90	if (ARENAPOOL_MAGIC == pool->magic ) {
		91	PZ_Lock(pool->lock);
		92	/* Do we do a THREADMARK check here? */


diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc index a6aeed8b1a..6364562a13 100644 --- a/meta/recipes-support/nss/nss.inc +++ b/meta/recipes-support/nss/nss.inc
@@ -16,6 +16,7 @@ SRC_URI = "\
16	file://nss-fix-support-cross-compiling.patch \	16	file://nss-fix-support-cross-compiling.patch \
17	file://nss-no-rpath-for-cross-compiling.patch \	17	file://nss-no-rpath-for-cross-compiling.patch \
18	file://nss-fix-incorrect-shebang-of-perl.patch \	18	file://nss-fix-incorrect-shebang-of-perl.patch \
		19	file://nss-3.15.1-fix-CVE-2013-1741.patch \
19	"	20	"
20	SRC_URI_append_class-target = "\	21	SRC_URI_append_class-target = "\
21	file://nss.pc.in \	22	file://nss.pc.in \