diff options
author | Joe Slater <jslater@windriver.com> | 2017-08-22 14:14:46 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-23 08:47:03 +0100 |
commit | 67afd9ead60c139484c5179be3c0dcbbf87938c3 (patch) | |
tree | 5b19856cfaffca20691d76886cb1a0fdb57511dc /meta | |
parent | 8efe72508002772df08664d9bb0d5f8b25497ce5 (diff) | |
download | poky-67afd9ead60c139484c5179be3c0dcbbf87938c3.tar.gz |
ghostscript: CVE-2017-9727, -9835, -11714
CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust
CVE-2017-9835: bounds check the array allocations methods
CVE-2017-11714: prevent trying to reloc a freed object
(From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
4 files changed, 224 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch new file mode 100644 index 0000000000..84983c5aea --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 6 Jul 2017 14:54:02 +0100 | ||
4 | Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object | ||
5 | |||
6 | In the token reader, we pass the scanner state structure around as a | ||
7 | t_struct ref on the Postscript operand stack. | ||
8 | |||
9 | But we explicitly free the scanner state when we're done, which leaves a | ||
10 | dangling reference on the operand stack and, unless that reference gets | ||
11 | overwritten before the next garbager run, we can end up with the garbager | ||
12 | trying to deal with an already freed object - that can cause a crash, or | ||
13 | memory corruption. | ||
14 | --- | ||
15 | psi/ztoken.c | 14 +++++++++++++- | ||
16 | 1 file changed, 13 insertions(+), 1 deletion(-) | ||
17 | |||
18 | --- end of original header | ||
19 | |||
20 | CVE: CVE-2017-11714 | ||
21 | |||
22 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
23 | |||
24 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
25 | |||
26 | diff --git a/psi/ztoken.c b/psi/ztoken.c | ||
27 | index 4dba7c5..af1ceeb 100644 | ||
28 | --- a/psi/ztoken.c | ||
29 | +++ b/psi/ztoken.c | ||
30 | @@ -107,6 +107,12 @@ token_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save) | ||
31 | int code; | ||
32 | ref token; | ||
33 | |||
34 | + /* Since we might free pstate below, and we're dealing with | ||
35 | + * gc memory referenced by the stack, we need to explicitly | ||
36 | + * remove the reference to pstate from the stack, otherwise | ||
37 | + * the garbager will fall over | ||
38 | + */ | ||
39 | + make_null(osp); | ||
40 | /* Note that gs_scan_token may change osp! */ | ||
41 | pop(1); /* remove the file or scanner state */ | ||
42 | again: | ||
43 | @@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p) | ||
44 | static int | ||
45 | tokenexec_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save) | ||
46 | { | ||
47 | - os_ptr op; | ||
48 | + os_ptr op = osp; | ||
49 | int code; | ||
50 | + /* Since we might free pstate below, and we're dealing with | ||
51 | + * gc memory referenced by the stack, we need to explicitly | ||
52 | + * remove the reference to pstate from the stack, otherwise | ||
53 | + * the garbager will fall over | ||
54 | + */ | ||
55 | + make_null(osp); | ||
56 | /* Note that gs_scan_token may change osp! */ | ||
57 | pop(1); | ||
58 | again: | ||
59 | -- | ||
60 | 1.7.9.5 | ||
61 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch new file mode 100644 index 0000000000..a2f7bfa506 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 15 Jun 2017 09:05:20 +0100 | ||
4 | Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more | ||
5 | robust | ||
6 | |||
7 | --- | ||
8 | base/gxttfb.c | 3 ++- | ||
9 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
10 | |||
11 | --- end of original header | ||
12 | |||
13 | CVE: CVE-2017-9727 | ||
14 | |||
15 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
16 | |||
17 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
18 | |||
19 | diff --git a/base/gxttfb.c b/base/gxttfb.c | ||
20 | index 0e9a444..e1561af 100644 | ||
21 | --- a/base/gxttfb.c | ||
22 | +++ b/base/gxttfb.c | ||
23 | @@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n) | ||
24 | if (!r->error) { | ||
25 | if (r->extra_glyph_index != -1) { | ||
26 | q = r->glyph_data.bits.data + r->pos; | ||
27 | - r->error = (r->glyph_data.bits.size - r->pos < n ? | ||
28 | + r->error = ((r->pos >= r->glyph_data.bits.size || | ||
29 | + r->glyph_data.bits.size - r->pos < n) ? | ||
30 | gs_note_error(gs_error_invalidfont) : 0); | ||
31 | if (r->error == 0) | ||
32 | memcpy(p, q, n); | ||
33 | -- | ||
34 | 1.7.9.5 | ||
35 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch new file mode 100644 index 0000000000..7c65690c65 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch | |||
@@ -0,0 +1,125 @@ | |||
1 | From cfde94be1d4286bc47633c6e6eaf4e659bd78066 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 7 Jun 2017 14:55:12 +0100 | ||
4 | Subject: [PATCH] Bug 697985: bounds check the array allocations methods | ||
5 | |||
6 | The clump allocator has four allocation functions that use 'number of elements' | ||
7 | and 'size of elements' parameters (rather than a simple 'number of bytes'). | ||
8 | |||
9 | Those need specific bounds checking. | ||
10 | --- | ||
11 | base/gsalloc.c | 42 ++++++++++++++++++++++++++++-------------- | ||
12 | 1 file changed, 28 insertions(+), 14 deletions(-) | ||
13 | |||
14 | --- end of original header | ||
15 | |||
16 | CVE: CVE-2017-9835 | ||
17 | |||
18 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
19 | |||
20 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
21 | |||
22 | diff --git a/base/gsalloc.c b/base/gsalloc.c | ||
23 | index 741ba00..10c04dd 100644 | ||
24 | --- a/base/gsalloc.c | ||
25 | +++ b/base/gsalloc.c | ||
26 | @@ -1248,19 +1248,32 @@ i_alloc_struct_immovable(gs_memory_t * mem, gs_memory_type_ptr_t pstype, | ||
27 | alloc_trace("|+<.", imem, cname, pstype, size, obj); | ||
28 | return obj; | ||
29 | } | ||
30 | + | ||
31 | +static inline bool | ||
32 | +alloc_array_check_size(ulong num_elements, ulong elt_size, ulong *lsize) | ||
33 | +{ | ||
34 | + int64_t s = (int64_t)num_elements * elt_size; | ||
35 | + if (s > max_uint) { | ||
36 | + return false; | ||
37 | + } | ||
38 | + *lsize = (ulong)s; | ||
39 | + return true; | ||
40 | +} | ||
41 | + | ||
42 | static byte * | ||
43 | i_alloc_byte_array(gs_memory_t * mem, uint num_elements, uint elt_size, | ||
44 | client_name_t cname) | ||
45 | { | ||
46 | gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem; | ||
47 | obj_header_t *obj; | ||
48 | - | ||
49 | + ulong lsize; | ||
50 | #ifdef MEMENTO | ||
51 | if (Memento_failThisEvent()) | ||
52 | return NULL; | ||
53 | #endif | ||
54 | - | ||
55 | - obj = alloc_obj(imem, (ulong) num_elements * elt_size, | ||
56 | + if (alloc_array_check_size(num_elements, elt_size, &lsize) == false) | ||
57 | + return NULL; | ||
58 | + obj = alloc_obj(imem, lsize, | ||
59 | &st_bytes, ALLOC_DIRECT, cname); | ||
60 | |||
61 | if_debug6m('A', mem, "[a%d:+b.]%s -bytes-*(%lu=%u*%u) = 0x%lx\n", | ||
62 | @@ -1275,13 +1288,14 @@ i_alloc_byte_array_immovable(gs_memory_t * mem, uint num_elements, | ||
63 | { | ||
64 | gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem; | ||
65 | obj_header_t *obj; | ||
66 | - | ||
67 | + ulong lsize; | ||
68 | #ifdef MEMENTO | ||
69 | if (Memento_failThisEvent()) | ||
70 | return NULL; | ||
71 | #endif | ||
72 | - | ||
73 | - obj = alloc_obj(imem, (ulong) num_elements * elt_size, | ||
74 | + if (alloc_array_check_size(num_elements, elt_size, &lsize) == false) | ||
75 | + return NULL; | ||
76 | + obj = alloc_obj(imem, lsize, | ||
77 | &st_bytes, ALLOC_IMMOVABLE | ALLOC_DIRECT, | ||
78 | cname); | ||
79 | |||
80 | @@ -1297,7 +1311,7 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements, | ||
81 | { | ||
82 | gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem; | ||
83 | obj_header_t *obj; | ||
84 | - | ||
85 | + ulong lsize; | ||
86 | #ifdef MEMENTO | ||
87 | if (Memento_failThisEvent()) | ||
88 | return NULL; | ||
89 | @@ -1311,9 +1325,9 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements, | ||
90 | return NULL; /* fail */ | ||
91 | } | ||
92 | #endif | ||
93 | - obj = alloc_obj(imem, | ||
94 | - (ulong) num_elements * pstype->ssize, | ||
95 | - pstype, ALLOC_DIRECT, cname); | ||
96 | + if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false) | ||
97 | + return NULL; | ||
98 | + obj = alloc_obj(imem, lsize, pstype, ALLOC_DIRECT, cname); | ||
99 | if_debug7m('A', mem, "[a%d:+<.]%s %s*(%lu=%u*%u) = 0x%lx\n", | ||
100 | alloc_trace_space(imem), client_name_string(cname), | ||
101 | struct_type_name_string(pstype), | ||
102 | @@ -1327,16 +1341,16 @@ i_alloc_struct_array_immovable(gs_memory_t * mem, uint num_elements, | ||
103 | { | ||
104 | gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem; | ||
105 | obj_header_t *obj; | ||
106 | - | ||
107 | + ulong lsize; | ||
108 | #ifdef MEMENTO | ||
109 | if (Memento_failThisEvent()) | ||
110 | return NULL; | ||
111 | #endif | ||
112 | |||
113 | ALLOC_CHECK_SIZE(mem,pstype); | ||
114 | - obj = alloc_obj(imem, | ||
115 | - (ulong) num_elements * pstype->ssize, | ||
116 | - pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname); | ||
117 | + if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false) | ||
118 | + return NULL; | ||
119 | + obj = alloc_obj(imem, lsize, pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname); | ||
120 | if_debug7m('A', mem, "[a%d|+<.]%s %s*(%lu=%u*%u) = 0x%lx\n", | ||
121 | alloc_trace_space(imem), client_name_string(cname), | ||
122 | struct_type_name_string(pstype), | ||
123 | -- | ||
124 | 1.7.9.5 | ||
125 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb index 93589cc2b9..bf985c44a3 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb | |||
@@ -41,6 +41,9 @@ SRC_URI = "${SRC_URI_BASE} \ | |||
41 | file://CVE-2017-9612.patch \ | 41 | file://CVE-2017-9612.patch \ |
42 | file://CVE-2017-9739.patch \ | 42 | file://CVE-2017-9739.patch \ |
43 | file://CVE-2017-9726.patch \ | 43 | file://CVE-2017-9726.patch \ |
44 | file://CVE-2017-9727.patch \ | ||
45 | file://CVE-2017-9835.patch \ | ||
46 | file://CVE-2017-11714.patch \ | ||
44 | " | 47 | " |
45 | 48 | ||
46 | SRC_URI_class-native = "${SRC_URI_BASE} \ | 49 | SRC_URI_class-native = "${SRC_URI_BASE} \ |