re2c: fix CVE-2020-11958

(From OE-Core rev: 17daffa1bc6d5af2d77dafd2b146d78802e4f2d2) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-05-27 17:11:10 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-05-30 12:32:47 +0100
commit: 0e3ff0c307e8607045827788a58d530e1ed593d6 (patch)
tree: d0e86becffa41cde28abf5e072f16a2c05ee2657 /meta/recipes-support/re2c
parent: a35bf0e5d3b5bcdfab33d441d76ac048c6a86c7d (diff)
download: poky-0e3ff0c307e8607045827788a58d530e1ed593d6.tar.gz
2 files changed, 44 insertions, 1 deletions
diff --git a/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch
new file mode 100644
index 0000000000..43462e642a
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch
@@ -0,0 +1,41 @@
+From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Fri, 17 Apr 2020 22:47:14 +0100
+Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo).
+The crash happened in a rare case of a very long lexeme that doen't fit
+into the buffer, forcing buffer reallocation.
+The crash was caused by an incorrect calculation of the shift offset
+(it was smaller than necessary). As a consequence, the data from buffer
+start and up to the beginning of the current lexeme was not discarded
+(as it should have been), resulting in less free space for new data than
+expected.
+Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a]
+CVE: CVE-2020-11958
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/parse/scanner.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc
+index 1d6e9efa..bd651314 100644
+--- a/src/parse/scanner.cc
+++ b/src/parse/scanner.cc
+@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need)
+         if (!buf) fatal("out of memory");
+ 
+         memmove(buf, tok, copy);
+-        shift_ptrs_and_fpos(buf - bot);
+        shift_ptrs_and_fpos(buf - tok);
+         delete [] bot;
+         bot = buf;
+ 
+         free = BSIZE - copy;
+     }
+ 
+    DASSERT(lim + free <= bot + BSIZE);
+     if (!read(free)) {
+         eof = lim;
+         memset(lim, 0, YYMAXFILL);
diff --git a/meta/recipes-support/re2c/re2c_1.3.bb b/meta/recipes-support/re2c/re2c_1.3.bb
index 0e1d938748..e9053acdf6 100644
--- a/meta/recipes-support/re2c/re2c_1.3.bb
+++ b/meta/recipes-support/re2c/re2c_1.3.bb
@@ -5,7 +5,9 @@ SECTION = "devel"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=64eca4d8a3b67f9dc7656094731a2c8d"
-SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz"
+SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz \
+           file://CVE-2020-11958.patch \
+"
 SRC_URI[sha256sum] = "f37f25ff760e90088e7d03d1232002c2c2672646d5844fdf8e0d51a5cd75a503"
 UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-05-27 17:11:10 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-05-30 12:32:47 +0100
commit	0e3ff0c307e8607045827788a58d530e1ed593d6 (patch)
tree	d0e86becffa41cde28abf5e072f16a2c05ee2657 /meta/recipes-support/re2c
parent	a35bf0e5d3b5bcdfab33d441d76ac048c6a86c7d (diff)
download	poky-0e3ff0c307e8607045827788a58d530e1ed593d6.tar.gz

diff --git a/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch new file mode 100644 index 0000000000..43462e642a --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch
@@ -0,0 +1,41 @@
		1	From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001
		2	From: Ulya Trofimovich <skvadrik@gmail.com>
		3	Date: Fri, 17 Apr 2020 22:47:14 +0100
		4	Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo).
		5
		6	The crash happened in a rare case of a very long lexeme that doen't fit
		7	into the buffer, forcing buffer reallocation.
		8
		9	The crash was caused by an incorrect calculation of the shift offset
		10	(it was smaller than necessary). As a consequence, the data from buffer
		11	start and up to the beginning of the current lexeme was not discarded
		12	(as it should have been), resulting in less free space for new data than
		13	expected.
		14
		15	Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a]
		16	CVE: CVE-2020-11958
		17	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		18	---
		19	src/parse/scanner.cc \| 3 ++-
		20	1 file changed, 2 insertions(+), 1 deletion(-)
		21
		22	diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc
		23	index 1d6e9efa..bd651314 100644
		24	--- a/src/parse/scanner.cc
		25	+++ b/src/parse/scanner.cc
		26	@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need)
		27	if (!buf) fatal("out of memory");
		28
		29	memmove(buf, tok, copy);
		30	- shift_ptrs_and_fpos(buf - bot);
		31	+ shift_ptrs_and_fpos(buf - tok);
		32	delete [] bot;
		33	bot = buf;
		34
		35	free = BSIZE - copy;
		36	}
		37
		38	+ DASSERT(lim + free <= bot + BSIZE);
		39	if (!read(free)) {
		40	eof = lim;
		41	memset(lim, 0, YYMAXFILL);


diff --git a/meta/recipes-support/re2c/re2c_1.3.bb b/meta/recipes-support/re2c/re2c_1.3.bb index 0e1d938748..e9053acdf6 100644 --- a/meta/recipes-support/re2c/re2c_1.3.bb +++ b/meta/recipes-support/re2c/re2c_1.3.bb
@@ -5,7 +5,9 @@ SECTION = "devel"
5	LICENSE = "PD"	5	LICENSE = "PD"
6	LIC_FILES_CHKSUM = "file://LICENSE;md5=64eca4d8a3b67f9dc7656094731a2c8d"	6	LIC_FILES_CHKSUM = "file://LICENSE;md5=64eca4d8a3b67f9dc7656094731a2c8d"
7		7
8	SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz"	8	SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz \
		9	file://CVE-2020-11958.patch \
		10	"
9	SRC_URI[sha256sum] = "f37f25ff760e90088e7d03d1232002c2c2672646d5844fdf8e0d51a5cd75a503"	11	SRC_URI[sha256sum] = "f37f25ff760e90088e7d03d1232002c2c2672646d5844fdf8e0d51a5cd75a503"
10	UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases"	12	UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases"
11		13