diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2020-03-09 08:45:00 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-03-10 23:20:33 +0000 |
commit | 0a9ce59fda57380f8ee08df2f1a2079a6f32009e (patch) | |
tree | 677d14698c974e0ec0858b962054f2b78cee6d2a /meta/recipes-support/sqlite/files | |
parent | 2ac00852cdfb806d9418e03de794474a987f89f8 (diff) | |
download | poky-0a9ce59fda57380f8ee08df2f1a2079a6f32009e.tar.gz |
sqlite3: fix CVE-2020-9327
(From OE-Core rev: 6acb9746744536019d5c04ce482a873916aac99f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/sqlite/files')
-rw-r--r-- | meta/recipes-support/sqlite/files/CVE-2020-9327.patch | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-9327.patch b/meta/recipes-support/sqlite/files/CVE-2020-9327.patch new file mode 100644 index 0000000000..fecbbabce8 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-9327.patch | |||
@@ -0,0 +1,141 @@ | |||
1 | From 45d491851e1bca378de158a5e279fd584ce548e4 Mon Sep 17 00:00:00 2001 | ||
2 | From: "D. Richard Hipp" <drh@hwaci.com> | ||
3 | Date: Mon, 17 Feb 2020 00:12:04 +0000 | ||
4 | Subject: [PATCH] [PATCH 1/2] Take care when checking the table of a TK_COLUMN | ||
5 | expression node to see if the table is a virtual table to first ensure that | ||
6 | the Expr.y.pTab pointer is not null due to generated column optimizations. | ||
7 | Ticket [4374860b29383380]. | ||
8 | |||
9 | FossilOrigin-Name: 9d0d4ab95dc0c56e053c2924ed322a9ea7b25439e6f74599f706905a1994e454 | ||
10 | |||
11 | [PATCH 2/2] A better (smaller and faster) solution to ticket | ||
12 | [4374860b29383380]. | ||
13 | |||
14 | FossilOrigin-Name: abc473fb8fb999005dc79a360e34f97b3b25429decf1820dd2afa5c19577753d | ||
15 | |||
16 | The two patches were converted to amalgamation format | ||
17 | |||
18 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
19 | Upstream-Status: Backport | ||
20 | CVE: CVE-2020-9327 | ||
21 | --- | ||
22 | sqlite3.c | 35 ++++++++++++++++++++++++----------- | ||
23 | sqlite3.h | 2 +- | ||
24 | 2 files changed, 25 insertions(+), 12 deletions(-) | ||
25 | |||
26 | diff --git a/sqlite3.c b/sqlite3.c | ||
27 | index 55dc686..64fae04 100644 | ||
28 | --- a/sqlite3.c | ||
29 | +++ b/sqlite3.c | ||
30 | @@ -1167,7 +1167,7 @@ extern "C" { | ||
31 | */ | ||
32 | #define SQLITE_VERSION "3.31.1" | ||
33 | #define SQLITE_VERSION_NUMBER 3031001 | ||
34 | -#define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837bb4d6" | ||
35 | +#define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837balt1" | ||
36 | |||
37 | /* | ||
38 | ** CAPI3REF: Run-Time Library Version Numbers | ||
39 | @@ -17428,8 +17428,11 @@ struct Table { | ||
40 | */ | ||
41 | #ifndef SQLITE_OMIT_VIRTUALTABLE | ||
42 | # define IsVirtual(X) ((X)->nModuleArg) | ||
43 | +# define ExprIsVtab(X) \ | ||
44 | + ((X)->op==TK_COLUMN && (X)->y.pTab!=0 && (X)->y.pTab->nModuleArg) | ||
45 | #else | ||
46 | # define IsVirtual(X) 0 | ||
47 | +# define ExprIsVtab(X) 0 | ||
48 | #endif | ||
49 | |||
50 | /* | ||
51 | @@ -104133,19 +104136,25 @@ static int impliesNotNullRow(Walker *pWalker, Expr *pExpr){ | ||
52 | case TK_LT: | ||
53 | case TK_LE: | ||
54 | case TK_GT: | ||
55 | - case TK_GE: | ||
56 | + case TK_GE: { | ||
57 | + Expr *pLeft = pExpr->pLeft; | ||
58 | + Expr *pRight = pExpr->pRight; | ||
59 | testcase( pExpr->op==TK_EQ ); | ||
60 | testcase( pExpr->op==TK_NE ); | ||
61 | testcase( pExpr->op==TK_LT ); | ||
62 | testcase( pExpr->op==TK_LE ); | ||
63 | testcase( pExpr->op==TK_GT ); | ||
64 | testcase( pExpr->op==TK_GE ); | ||
65 | - if( (pExpr->pLeft->op==TK_COLUMN && IsVirtual(pExpr->pLeft->y.pTab)) | ||
66 | - || (pExpr->pRight->op==TK_COLUMN && IsVirtual(pExpr->pRight->y.pTab)) | ||
67 | + /* The y.pTab=0 assignment in wherecode.c always happens after the | ||
68 | + ** impliesNotNullRow() test */ | ||
69 | + if( (pLeft->op==TK_COLUMN && ALWAYS(pLeft->y.pTab!=0) | ||
70 | + && IsVirtual(pLeft->y.pTab)) | ||
71 | + || (pRight->op==TK_COLUMN && ALWAYS(pRight->y.pTab!=0) | ||
72 | + && IsVirtual(pRight->y.pTab)) | ||
73 | ){ | ||
74 | - return WRC_Prune; | ||
75 | + return WRC_Prune; | ||
76 | } | ||
77 | - | ||
78 | + } | ||
79 | default: | ||
80 | return WRC_Continue; | ||
81 | } | ||
82 | @@ -142591,7 +142600,8 @@ static int isAuxiliaryVtabOperator( | ||
83 | ** MATCH(expression,vtab_column) | ||
84 | */ | ||
85 | pCol = pList->a[1].pExpr; | ||
86 | - if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ | ||
87 | + testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); | ||
88 | + if( ExprIsVtab(pCol) ){ | ||
89 | for(i=0; i<ArraySize(aOp); i++){ | ||
90 | if( sqlite3StrICmp(pExpr->u.zToken, aOp[i].zOp)==0 ){ | ||
91 | *peOp2 = aOp[i].eOp2; | ||
92 | @@ -142613,7 +142623,8 @@ static int isAuxiliaryVtabOperator( | ||
93 | ** with function names in an arbitrary case. | ||
94 | */ | ||
95 | pCol = pList->a[0].pExpr; | ||
96 | - if( pCol->op==TK_COLUMN && IsVirtual(pCol->y.pTab) ){ | ||
97 | + testcase( pCol->op==TK_COLUMN && pCol->y.pTab==0 ); | ||
98 | + if( ExprIsVtab(pCol) ){ | ||
99 | sqlite3_vtab *pVtab; | ||
100 | sqlite3_module *pMod; | ||
101 | void (*xNotUsed)(sqlite3_context*,int,sqlite3_value**); | ||
102 | @@ -142636,10 +142647,12 @@ static int isAuxiliaryVtabOperator( | ||
103 | int res = 0; | ||
104 | Expr *pLeft = pExpr->pLeft; | ||
105 | Expr *pRight = pExpr->pRight; | ||
106 | - if( pLeft->op==TK_COLUMN && IsVirtual(pLeft->y.pTab) ){ | ||
107 | + testcase( pLeft->op==TK_COLUMN && pLeft->y.pTab==0 ); | ||
108 | + if( ExprIsVtab(pLeft) ){ | ||
109 | res++; | ||
110 | } | ||
111 | - if( pRight && pRight->op==TK_COLUMN && IsVirtual(pRight->y.pTab) ){ | ||
112 | + testcase( pRight && pRight->op==TK_COLUMN && pRight->y.pTab==0 ); | ||
113 | + if( pRight && ExprIsVtab(pRight) ){ | ||
114 | res++; | ||
115 | SWAP(Expr*, pLeft, pRight); | ||
116 | } | ||
117 | @@ -228440,7 +228453,7 @@ SQLITE_API int sqlite3_stmt_init( | ||
118 | #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */ | ||
119 | |||
120 | /************** End of stmt.c ************************************************/ | ||
121 | -#if __LINE__!=228443 | ||
122 | +#if __LINE__!=228456 | ||
123 | #undef SQLITE_SOURCE_ID | ||
124 | #define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837balt2" | ||
125 | #endif | ||
126 | diff --git a/sqlite3.h b/sqlite3.h | ||
127 | index cef6eea..5b9796c 100644 | ||
128 | --- a/sqlite3.h | ||
129 | +++ b/sqlite3.h | ||
130 | @@ -125,7 +125,7 @@ extern "C" { | ||
131 | */ | ||
132 | #define SQLITE_VERSION "3.31.1" | ||
133 | #define SQLITE_VERSION_NUMBER 3031001 | ||
134 | -#define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837bb4d6" | ||
135 | +#define SQLITE_SOURCE_ID "2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837balt1" | ||
136 | |||
137 | /* | ||
138 | ** CAPI3REF: Run-Time Library Version Numbers | ||
139 | -- | ||
140 | 2.25.1 | ||
141 | |||