libpcre2: Fix CVE-2017-7186

A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the library. For who is interested in a detailed description of the bug, will follow a feedback from upstream: This was a genuine bug in the 32-bit library. Thanks for finding it. The crash was caused by trying to find a Unicode property for a code value greater than 0x10ffff, the Unicode maximum, when running in non-UTF mode (where character values can be up to 0xffffffff). (From OE-Core rev: 1b87201784e733f3a9d436f56cb5a6151ba6bdfa) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Robert Yang <liezhi.yang@windriver.com> 2017-08-29 17:48:57 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-08-31 17:41:41 +0100
commit: d5f2604669820d637fc77acab45dabfa60fc3440 (patch)
tree: 088f247d22f2099b39c3539b093d023903e5929c /meta/recipes-support
parent: 45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96 (diff)
download: poky-d5f2604669820d637fc77acab45dabfa60fc3440.tar.gz
2 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch
new file mode 100644
index 0000000000..bfa3bfeec9
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch
@@ -0,0 +1,96 @@
+libpcre2-10.23: Fix CVE-2017-7186
+A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the
+library. For who is interested in a detailed description of the bug, will
+follow a feedback from upstream:
+This was a genuine bug in the 32-bit library. Thanks for finding it. The crash
+was caused by trying to find a Unicode property for a code value greater than
+0x10ffff, the Unicode maximum, when running in non-UTF mode (where character
+values can be up to 0xffffffff).
+The complete ASan output:
+# pcretest -32 -d $FILE
+==14788==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1bbffed4df (pc 0x7f1bbee3fe6b bp 0x7fff8b50d8c0 sp 0x7fff8b50d3a0 T0)
+==14788==The signal is caused by a READ memory access.
+    #0 0x7f1bbee3fe6a in match /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:5473:18
+    #1 0x7f1bbee09226 in pcre32_exec /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:6936:8
+    #2 0x527d6c in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5218:9
+    #3 0x7f1bbddd678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
+    #4 0x41b438 in _init (/usr/bin/pcretest+0x41b438)
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:5473:18 in match
+==14788==ABORTING
+Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?view=patch&r1=316&r2=670&sortby=date \
+                        https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_internal.h?view=patch&r1=600&r2=670&sortby=date]
+CVE: CVE-2017-7186
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+--- trunk/src/pcre2_ucd.c  2015/07/17 15:44:51 316
+++ trunk/src/pcre2_ucd.c  2017/02/24 18:25:32 670
+@@ -41,6 +41,20 @@
+ 
+ const char *PRIV(unicode_version) = "8.0.0";
+ 
+/* If the 32-bit library is run in non-32-bit mode, character values
+greater than 0x10ffff may be encountered. For these we set up a
+special record. */
+
+#if PCRE2_CODE_UNIT_WIDTH == 32
+const ucd_record PRIV(dummy_ucd_record)[] = {{
+  ucp_Common,    /* script */
+  ucp_Cn,        /* type unassigned */
+  ucp_gbOther,   /* grapheme break property */
+  0,             /* case set */
+  0,             /* other case */
+  }};
+#endif
+
+ /* When recompiling tables with a new Unicode version, please check the
+ types in this structure definition from pcre2_internal.h (the actual
+ field names will be different):
+--- trunk/src/pcre2_internal.h 2016/11/19 12:46:24 600
+++ trunk/src/pcre2_internal.h 2017/02/24 18:25:32 670
+@@ -1774,10 +1774,17 @@
+ /* UCD access macros */
+ 
+ #define UCD_BLOCK_SIZE 128
+-#define GET_UCD(ch) (PRIV(ucd_records) + \
+#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
+         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
+         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
+ 
+#if PCRE2_CODE_UNIT_WIDTH == 32
+#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
+  PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
+#else
+#define GET_UCD(ch) REAL_GET_UCD(ch)
+#endif
+
+ #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
+ #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
+ #define UCD_CATEGORY(ch)    PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
+@@ -1834,6 +1841,9 @@
+ #define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
+ #define _pcre2_default_match_context   PCRE2_SUFFIX(_pcre2_default_match_context_)
+ #define _pcre2_default_tables          PCRE2_SUFFIX(_pcre2_default_tables_)
+#if PCRE2_CODE_UNIT_WIDTH == 32
+#define _pcre2_dummy_ucd_record        PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
+#endif
+ #define _pcre2_hspace_list             PCRE2_SUFFIX(_pcre2_hspace_list_)
+ #define _pcre2_vspace_list             PCRE2_SUFFIX(_pcre2_vspace_list_)
+ #define _pcre2_ucd_caseless_sets       PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
+@@ -1858,6 +1868,9 @@
+ extern const uint32_t                  PRIV(vspace_list)[];
+ extern const uint32_t                  PRIV(ucd_caseless_sets)[];
+ extern const ucd_record                PRIV(ucd_records)[];
+#if PCRE2_CODE_UNIT_WIDTH == 32
+extern const ucd_record                PRIV(dummy_ucd_record)[];
+#endif
+ extern const uint8_t                   PRIV(ucd_stage1)[];
+ extern const uint16_t                  PRIV(ucd_stage2)[];
+ extern const uint32_t                  PRIV(ucp_gbtable)[];
diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb
index 63f8d51c9e..ca2b028e1c 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.23.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b"
 SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
           file://pcre-cross.patch \
           file://libpcre2-CVE-2017-8786.patch \
+           file://libpcre2-CVE-2017-7186.patch \
 "
 SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"
author	Robert Yang <liezhi.yang@windriver.com>	2017-08-29 17:48:57 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-08-31 17:41:41 +0100
commit	d5f2604669820d637fc77acab45dabfa60fc3440 (patch)
tree	088f247d22f2099b39c3539b093d023903e5929c /meta/recipes-support
parent	45f40ea5d904808c1b345ebfa3ccbf8db1ef1c96 (diff)
download	poky-d5f2604669820d637fc77acab45dabfa60fc3440.tar.gz

diff --git a/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch new file mode 100644 index 0000000000..bfa3bfeec9 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-7186.patch
@@ -0,0 +1,96 @@
		1	libpcre2-10.23: Fix CVE-2017-7186
		2
		3	A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the
		4	library. For who is interested in a detailed description of the bug, will
		5	follow a feedback from upstream:
		6
		7	This was a genuine bug in the 32-bit library. Thanks for finding it. The crash
		8	was caused by trying to find a Unicode property for a code value greater than
		9	0x10ffff, the Unicode maximum, when running in non-UTF mode (where character
		10	values can be up to 0xffffffff).
		11
		12	The complete ASan output:
		13
		14	# pcretest -32 -d $FILE
		15	==14788==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1bbffed4df (pc 0x7f1bbee3fe6b bp 0x7fff8b50d8c0 sp 0x7fff8b50d3a0 T0)
		16	==14788==The signal is caused by a READ memory access.
		17	#0 0x7f1bbee3fe6a in match /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:5473:18
		18	#1 0x7f1bbee09226 in pcre32_exec /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:6936:8
		19	#2 0x527d6c in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5218:9
		20	#3 0x7f1bbddd678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
		21	#4 0x41b438 in _init (/usr/bin/pcretest+0x41b438)
		22
		23	AddressSanitizer can not provide additional info.
		24	SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcre_exec.c:5473:18 in match
		25	==14788==ABORTING
		26
		27	Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?view=patch&r1=316&r2=670&sortby=date \
		28	https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_internal.h?view=patch&r1=600&r2=670&sortby=date]
		29	CVE: CVE-2017-7186
		30
		31	Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
		32
		33	--- trunk/src/pcre2_ucd.c 2015/07/17 15:44:51 316
		34	+++ trunk/src/pcre2_ucd.c 2017/02/24 18:25:32 670
		35	@@ -41,6 +41,20 @@
		36
		37	const char *PRIV(unicode_version) = "8.0.0";
		38
		39	+/* If the 32-bit library is run in non-32-bit mode, character values
		40	+greater than 0x10ffff may be encountered. For these we set up a
		41	+special record. */
		42	+
		43	+#if PCRE2_CODE_UNIT_WIDTH == 32
		44	+const ucd_record PRIV(dummy_ucd_record)[] = {{
		45	+ ucp_Common, /* script */
		46	+ ucp_Cn, /* type unassigned */
		47	+ ucp_gbOther, /* grapheme break property */
		48	+ 0, /* case set */
		49	+ 0, /* other case */
		50	+ }};
		51	+#endif
		52	+
		53	/* When recompiling tables with a new Unicode version, please check the
		54	types in this structure definition from pcre2_internal.h (the actual
		55	field names will be different):
		56	--- trunk/src/pcre2_internal.h 2016/11/19 12:46:24 600
		57	+++ trunk/src/pcre2_internal.h 2017/02/24 18:25:32 670
		58	@@ -1774,10 +1774,17 @@
		59	/* UCD access macros */
		60
		61	#define UCD_BLOCK_SIZE 128
		62	-#define GET_UCD(ch) (PRIV(ucd_records) + \
		63	+#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
		64	PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
		65	UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
		66
		67	+#if PCRE2_CODE_UNIT_WIDTH == 32
		68	+#define GET_UCD(ch) ((ch > MAX_UTF_CODE_POINT)? \
		69	+ PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
		70	+#else
		71	+#define GET_UCD(ch) REAL_GET_UCD(ch)
		72	+#endif
		73	+
		74	#define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype
		75	#define UCD_SCRIPT(ch) GET_UCD(ch)->script
		76	#define UCD_CATEGORY(ch) PRIV(ucp_gentype)[UCD_CHARTYPE(ch)]
		77	@@ -1834,6 +1841,9 @@
		78	#define _pcre2_default_compile_context PCRE2_SUFFIX(_pcre2_default_compile_context_)
		79	#define _pcre2_default_match_context PCRE2_SUFFIX(_pcre2_default_match_context_)
		80	#define _pcre2_default_tables PCRE2_SUFFIX(_pcre2_default_tables_)
		81	+#if PCRE2_CODE_UNIT_WIDTH == 32
		82	+#define _pcre2_dummy_ucd_record PCRE2_SUFFIX(_pcre2_dummy_ucd_record_)
		83	+#endif
		84	#define _pcre2_hspace_list PCRE2_SUFFIX(_pcre2_hspace_list_)
		85	#define _pcre2_vspace_list PCRE2_SUFFIX(_pcre2_vspace_list_)
		86	#define _pcre2_ucd_caseless_sets PCRE2_SUFFIX(_pcre2_ucd_caseless_sets_)
		87	@@ -1858,6 +1868,9 @@
		88	extern const uint32_t PRIV(vspace_list)[];
		89	extern const uint32_t PRIV(ucd_caseless_sets)[];
		90	extern const ucd_record PRIV(ucd_records)[];
		91	+#if PCRE2_CODE_UNIT_WIDTH == 32
		92	+extern const ucd_record PRIV(dummy_ucd_record)[];
		93	+#endif
		94	extern const uint8_t PRIV(ucd_stage1)[];
		95	extern const uint16_t PRIV(ucd_stage2)[];
		96	extern const uint32_t PRIV(ucp_gbtable)[];


diff --git a/meta/recipes-support/libpcre/libpcre2_10.23.bb b/meta/recipes-support/libpcre/libpcre2_10.23.bb index 63f8d51c9e..ca2b028e1c 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.23.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.23.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=3de34df49e1fe3c3b59a08dff214488b"
13	SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \	13	SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
14	file://pcre-cross.patch \	14	file://pcre-cross.patch \
15	file://libpcre2-CVE-2017-8786.patch \	15	file://libpcre2-CVE-2017-8786.patch \
		16	file://libpcre2-CVE-2017-7186.patch \
16	"	17	"
17		18
18	SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"	19	SRC_URI[md5sum] = "b2cd00ca7e24049040099b0a46bb3649"