diff options
| author | yanjun.zhu <yanjun.zhu@windriver.com> | 2014-03-28 17:43:37 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-03-30 10:10:32 +0100 |
| commit | 6a3cadea0ce3f26306389f19121876378cf8925b (patch) | |
| tree | a656e6e7e3b67297d38cf8ac661fa86ca4751403 /meta | |
| parent | c4c31eb76170ee4d7cb436954b35b27971a46e84 (diff) | |
| download | poky-6a3cadea0ce3f26306389f19121876378cf8925b.tar.gz | |
nss-3.15.1: fix CVE-2013-1741
Integer overflow in Mozilla Network Security Services (NSS)
3.15 before 3.15.3 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via a
large size value.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741
(From OE-Core rev: b666d173ff0ba213bf81e2c035a605a28e5395ea)
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch | 92 | ||||
| -rw-r--r-- | meta/recipes-support/nss/nss.inc | 1 |
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch new file mode 100644 index 0000000000..21da0c03b5 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch | |||
| @@ -0,0 +1,92 @@ | |||
| 1 | Upstream-Status: backport | ||
| 2 | yanjun.zhu <yanjun.zhu@windriver.com> | ||
| 3 | --- a/nss/lib/util/secport.c | ||
| 4 | +++ b/nss/lib/util/secport.c | ||
| 5 | @@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu | ||
| 6 | PORTCharConversionFunc ucs2Utf8ConvertFunc; | ||
| 7 | PORTCharConversionWSwapFunc ucs2AsciiConvertFunc; | ||
| 8 | |||
| 9 | +/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc) | ||
| 10 | + * use the PRUint32 type for the size parameter. Before we pass a size_t or | ||
| 11 | + * unsigned long size to these functions, we need to ensure it is <= half of | ||
| 12 | + * the maximum PRUint32 value to avoid truncation and catch a negative size. | ||
| 13 | + */ | ||
| 14 | +#define MAX_SIZE (PR_UINT32_MAX >> 1) | ||
| 15 | + | ||
| 16 | void * | ||
| 17 | PORT_Alloc(size_t bytes) | ||
| 18 | { | ||
| 19 | - void *rv; | ||
| 20 | + void *rv = NULL; | ||
| 21 | |||
| 22 | - /* Always allocate a non-zero amount of bytes */ | ||
| 23 | - rv = (void *)PR_Malloc(bytes ? bytes : 1); | ||
| 24 | + if (bytes <= MAX_SIZE) { | ||
| 25 | + /* Always allocate a non-zero amount of bytes */ | ||
| 26 | + rv = PR_Malloc(bytes ? bytes : 1); | ||
| 27 | + } | ||
| 28 | if (!rv) { | ||
| 29 | ++port_allocFailures; | ||
| 30 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
| 31 | @@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes) | ||
| 32 | void * | ||
| 33 | PORT_Realloc(void *oldptr, size_t bytes) | ||
| 34 | { | ||
| 35 | - void *rv; | ||
| 36 | + void *rv = NULL; | ||
| 37 | |||
| 38 | - rv = (void *)PR_Realloc(oldptr, bytes); | ||
| 39 | + if (bytes <= MAX_SIZE) { | ||
| 40 | + rv = PR_Realloc(oldptr, bytes); | ||
| 41 | + } | ||
| 42 | if (!rv) { | ||
| 43 | ++port_allocFailures; | ||
| 44 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
| 45 | @@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes) | ||
| 46 | void * | ||
| 47 | PORT_ZAlloc(size_t bytes) | ||
| 48 | { | ||
| 49 | - void *rv; | ||
| 50 | + void *rv = NULL; | ||
| 51 | |||
| 52 | - /* Always allocate a non-zero amount of bytes */ | ||
| 53 | - rv = (void *)PR_Calloc(1, bytes ? bytes : 1); | ||
| 54 | + if (bytes <= MAX_SIZE) { | ||
| 55 | + /* Always allocate a non-zero amount of bytes */ | ||
| 56 | + rv = PR_Calloc(1, bytes ? bytes : 1); | ||
| 57 | + } | ||
| 58 | if (!rv) { | ||
| 59 | ++port_allocFailures; | ||
| 60 | PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
| 61 | @@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize) | ||
| 62 | { | ||
| 63 | PORTArenaPool *pool; | ||
| 64 | |||
| 65 | + if (chunksize > MAX_SIZE) { | ||
| 66 | + PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
| 67 | + return NULL; | ||
| 68 | + } | ||
| 69 | pool = PORT_ZNew(PORTArenaPool); | ||
| 70 | if (!pool) { | ||
| 71 | return NULL; | ||
| 72 | @@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize) | ||
| 73 | return(&pool->arena); | ||
| 74 | } | ||
| 75 | |||
| 76 | -#define MAX_SIZE 0x7fffffffUL | ||
| 77 | - | ||
| 78 | void * | ||
| 79 | PORT_ArenaAlloc(PLArenaPool *arena, size_t size) | ||
| 80 | { | ||
| 81 | @@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void | ||
| 82 | PORTArenaPool *pool = (PORTArenaPool *)arena; | ||
| 83 | PORT_Assert(newsize >= oldsize); | ||
| 84 | |||
| 85 | + if (newsize > MAX_SIZE) { | ||
| 86 | + PORT_SetError(SEC_ERROR_NO_MEMORY); | ||
| 87 | + return NULL; | ||
| 88 | + } | ||
| 89 | + | ||
| 90 | if (ARENAPOOL_MAGIC == pool->magic ) { | ||
| 91 | PZ_Lock(pool->lock); | ||
| 92 | /* Do we do a THREADMARK check here? */ | ||
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc index a6aeed8b1a..6364562a13 100644 --- a/meta/recipes-support/nss/nss.inc +++ b/meta/recipes-support/nss/nss.inc | |||
| @@ -16,6 +16,7 @@ SRC_URI = "\ | |||
| 16 | file://nss-fix-support-cross-compiling.patch \ | 16 | file://nss-fix-support-cross-compiling.patch \ |
| 17 | file://nss-no-rpath-for-cross-compiling.patch \ | 17 | file://nss-no-rpath-for-cross-compiling.patch \ |
| 18 | file://nss-fix-incorrect-shebang-of-perl.patch \ | 18 | file://nss-fix-incorrect-shebang-of-perl.patch \ |
| 19 | file://nss-3.15.1-fix-CVE-2013-1741.patch \ | ||
| 19 | " | 20 | " |
| 20 | SRC_URI_append_class-target = "\ | 21 | SRC_URI_append_class-target = "\ |
| 21 | file://nss.pc.in \ | 22 | file://nss.pc.in \ |