diff options
author | yanjun.zhu <yanjun.zhu@windriver.com> | 2014-03-28 17:43:37 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-03-30 10:10:32 +0100 |
commit | 6a3cadea0ce3f26306389f19121876378cf8925b (patch) | |
tree | a656e6e7e3b67297d38cf8ac661fa86ca4751403 /meta/recipes-support | |
parent | c4c31eb76170ee4d7cb436954b35b27971a46e84 (diff) | |
download | poky-6a3cadea0ce3f26306389f19121876378cf8925b.tar.gz |
nss-3.15.1: fix CVE-2013-1741
Integer overflow in Mozilla Network Security Services (NSS)
3.15 before 3.15.3 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via a
large size value.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741
(From OE-Core rev: b666d173ff0ba213bf81e2c035a605a28e5395ea)
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch | 92 | ||||
-rw-r--r-- | meta/recipes-support/nss/nss.inc | 1 |
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch new file mode 100644 index 0000000000..21da0c03b5 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch | |||
@@ -0,0 +1,92 @@ | |||
1 | Upstream-Status: backport | ||
2 | yanjun.zhu <yanjun.zhu@windriver.com> | ||
3 | --- a/nss/lib/util/secport.c | ||
4 | +++ b/nss/lib/util/secport.c | ||
5 | @@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu | ||
6 | PORTCharConversionFunc ucs2Utf8ConvertFunc; | ||
7 | PORTCharConversionWSwapFunc ucs2AsciiConvertFunc; | ||
8 | |||
9 | +/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc) | ||
10 | + * use the PRUint32 type for the size parameter. Before we pass a size_t or | ||
11 | + * unsigned long size to these functions, we need to ensure it is <= half of | ||
12 | + * the maximum PRUint32 value to avoid truncation and catch a negative size. | ||
13 | + */ | ||
14 | +#define MAX_SIZE (PR_UINT32_MAX >> 1) | ||
15 | + | ||
16 | void * | ||
17 | PORT_Alloc(size_t bytes) | ||
18 | { | ||
19 | - void *rv; | ||
20 | + void *rv = NULL; | ||
21 | |||
22 | - /* Always allocate a non-zero amount of bytes */ | ||
23 | - rv = (void *)PR_Malloc(bytes ? bytes : 1); | ||
24 | + if (bytes <= MAX_SIZE) { | ||
25 | + /* Always allocate a non-zero amount of bytes */ | ||
26 | + rv = PR_Malloc(bytes ? bytes : 1); | ||
27 | + } | ||
28 | if (!rv) { | ||
29 | ++port_allocFailures; | ||
30 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
31 | @@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes) | ||
32 | void * | ||
33 | PORT_Realloc(void *oldptr, size_t bytes) | ||
34 | { | ||
35 | - void *rv; | ||
36 | + void *rv = NULL; | ||
37 | |||
38 | - rv = (void *)PR_Realloc(oldptr, bytes); | ||
39 | + if (bytes <= MAX_SIZE) { | ||
40 | + rv = PR_Realloc(oldptr, bytes); | ||
41 | + } | ||
42 | if (!rv) { | ||
43 | ++port_allocFailures; | ||
44 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
45 | @@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes) | ||
46 | void * | ||
47 | PORT_ZAlloc(size_t bytes) | ||
48 | { | ||
49 | - void *rv; | ||
50 | + void *rv = NULL; | ||
51 | |||
52 | - /* Always allocate a non-zero amount of bytes */ | ||
53 | - rv = (void *)PR_Calloc(1, bytes ? bytes : 1); | ||
54 | + if (bytes <= MAX_SIZE) { | ||
55 | + /* Always allocate a non-zero amount of bytes */ | ||
56 | + rv = PR_Calloc(1, bytes ? bytes : 1); | ||
57 | + } | ||
58 | if (!rv) { | ||
59 | ++port_allocFailures; | ||
60 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
61 | @@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize) | ||
62 | { | ||
63 | PORTArenaPool *pool; | ||
64 | |||
65 | + if (chunksize > MAX_SIZE) { | ||
66 | + PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
67 | + return NULL; | ||
68 | + } | ||
69 | pool = PORT_ZNew(PORTArenaPool); | ||
70 | if (!pool) { | ||
71 | return NULL; | ||
72 | @@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize) | ||
73 | return(&pool->arena); | ||
74 | } | ||
75 | |||
76 | -#define MAX_SIZE 0x7fffffffUL | ||
77 | - | ||
78 | void * | ||
79 | PORT_ArenaAlloc(PLArenaPool *arena, size_t size) | ||
80 | { | ||
81 | @@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void | ||
82 | PORTArenaPool *pool = (PORTArenaPool *)arena; | ||
83 | PORT_Assert(newsize >= oldsize); | ||
84 | |||
85 | + if (newsize > MAX_SIZE) { | ||
86 | + PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
87 | + return NULL; | ||
88 | + } | ||
89 | + | ||
90 | if (ARENAPOOL_MAGIC == pool->magic ) { | ||
91 | PZ_Lock(pool->lock); | ||
92 | /* Do we do a THREADMARK check here? */ | ||
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc index a6aeed8b1a..6364562a13 100644 --- a/meta/recipes-support/nss/nss.inc +++ b/meta/recipes-support/nss/nss.inc | |||
@@ -16,6 +16,7 @@ SRC_URI = "\ | |||
16 | file://nss-fix-support-cross-compiling.patch \ | 16 | file://nss-fix-support-cross-compiling.patch \ |
17 | file://nss-no-rpath-for-cross-compiling.patch \ | 17 | file://nss-no-rpath-for-cross-compiling.patch \ |
18 | file://nss-fix-incorrect-shebang-of-perl.patch \ | 18 | file://nss-fix-incorrect-shebang-of-perl.patch \ |
19 | file://nss-3.15.1-fix-CVE-2013-1741.patch \ | ||
19 | " | 20 | " |
20 | SRC_URI_append_class-target = "\ | 21 | SRC_URI_append_class-target = "\ |
21 | file://nss.pc.in \ | 22 | file://nss.pc.in \ |