summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorSteve Sakoman <steve@sakoman.com>2022-01-19 04:33:49 -1000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-01-31 21:56:01 +0000
commit6fe3635445523a38500c6884af39d947cc9033eb (patch)
tree45b25af9a649b76dec387ce78a60a6b12a6e73b8 /meta
parent215d753cef95632cbdbe6647288c06f7b6b63a8c (diff)
downloadpoky-6fe3635445523a38500c6884af39d947cc9033eb.tar.gz
expat fix CVE-2022-22822 through CVE-2022-22827
xmlparse.c has multiple integer overflows. The involved functions are: - addBinding (CVE-2022-22822) - build_model (CVE-2022-22823) - defineAttribute (CVE-2022-22824) - lookup (CVE-2022-22825) - nextScaffoldPart (CVE-2022-22826) - storeAtts (CVE-2022-22827) Backport patch from: https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 (From OE-Core rev: 0d195a98703d690a348719f77e7be78653d14ad3) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 3b6c47c0ebae9fdb7a13480daf8f46a8dbb2c9bd) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-22822-27.patch257
-rw-r--r--meta/recipes-core/expat/expat_2.2.10.bb1
2 files changed, 258 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
new file mode 100644
index 0000000000..e569fbc7ab
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
@@ -0,0 +1,257 @@
1From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Thu, 30 Dec 2021 22:46:03 +0100
4Subject: [PATCH] lib: Prevent integer overflow at multiple places
5 (CVE-2022-22822 to CVE-2022-22827)
6
7The involved functions are:
8- addBinding (CVE-2022-22822)
9- build_model (CVE-2022-22823)
10- defineAttribute (CVE-2022-22824)
11- lookup (CVE-2022-22825)
12- nextScaffoldPart (CVE-2022-22826)
13- storeAtts (CVE-2022-22827)
14
15Upstream-Status: Backport:
16https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
17
18CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
19Signed-off-by: Steve Sakoman <steve@sakoman.com>
20
21---
22 expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++-
23 1 file changed, 151 insertions(+), 2 deletions(-)
24
25diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
26index 8f243126..575e73ee 100644
27--- a/lib/xmlparse.c
28+++ b/lib/xmlparse.c
29@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
30
31 /* get the attributes from the tokenizer */
32 n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
33+
34+ /* Detect and prevent integer overflow */
35+ if (n > INT_MAX - nDefaultAtts) {
36+ return XML_ERROR_NO_MEMORY;
37+ }
38+
39 if (n + nDefaultAtts > parser->m_attsSize) {
40 int oldAttsSize = parser->m_attsSize;
41 ATTRIBUTE *temp;
42 #ifdef XML_ATTR_INFO
43 XML_AttrInfo *temp2;
44 #endif
45+
46+ /* Detect and prevent integer overflow */
47+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
48+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
49+ return XML_ERROR_NO_MEMORY;
50+ }
51+
52 parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
53+
54+ /* Detect and prevent integer overflow.
55+ * The preprocessor guard addresses the "always false" warning
56+ * from -Wtype-limits on platforms where
57+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
58+#if UINT_MAX >= SIZE_MAX
59+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
60+ parser->m_attsSize = oldAttsSize;
61+ return XML_ERROR_NO_MEMORY;
62+ }
63+#endif
64+
65 temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
66 parser->m_attsSize * sizeof(ATTRIBUTE));
67 if (temp == NULL) {
68@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
69 }
70 parser->m_atts = temp;
71 #ifdef XML_ATTR_INFO
72+ /* Detect and prevent integer overflow.
73+ * The preprocessor guard addresses the "always false" warning
74+ * from -Wtype-limits on platforms where
75+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
76+# if UINT_MAX >= SIZE_MAX
77+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
78+ parser->m_attsSize = oldAttsSize;
79+ return XML_ERROR_NO_MEMORY;
80+ }
81+# endif
82+
83 temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
84 parser->m_attsSize * sizeof(XML_AttrInfo));
85 if (temp2 == NULL) {
86@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
87 tagNamePtr->prefixLen = prefixLen;
88 for (i = 0; localPart[i++];)
89 ; /* i includes null terminator */
90+
91+ /* Detect and prevent integer overflow */
92+ if (binding->uriLen > INT_MAX - prefixLen
93+ || i > INT_MAX - (binding->uriLen + prefixLen)) {
94+ return XML_ERROR_NO_MEMORY;
95+ }
96+
97 n = i + binding->uriLen + prefixLen;
98 if (n > binding->uriAlloc) {
99 TAG *p;
100+
101+ /* Detect and prevent integer overflow */
102+ if (n > INT_MAX - EXPAND_SPARE) {
103+ return XML_ERROR_NO_MEMORY;
104+ }
105+ /* Detect and prevent integer overflow.
106+ * The preprocessor guard addresses the "always false" warning
107+ * from -Wtype-limits on platforms where
108+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
109+#if UINT_MAX >= SIZE_MAX
110+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
111+ return XML_ERROR_NO_MEMORY;
112+ }
113+#endif
114+
115 uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
116 if (! uri)
117 return XML_ERROR_NO_MEMORY;
118@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
119 if (parser->m_freeBindingList) {
120 b = parser->m_freeBindingList;
121 if (len > b->uriAlloc) {
122+ /* Detect and prevent integer overflow */
123+ if (len > INT_MAX - EXPAND_SPARE) {
124+ return XML_ERROR_NO_MEMORY;
125+ }
126+
127+ /* Detect and prevent integer overflow.
128+ * The preprocessor guard addresses the "always false" warning
129+ * from -Wtype-limits on platforms where
130+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
131+#if UINT_MAX >= SIZE_MAX
132+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
133+ return XML_ERROR_NO_MEMORY;
134+ }
135+#endif
136+
137 XML_Char *temp = (XML_Char *)REALLOC(
138 parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
139 if (temp == NULL)
140@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
141 b = (BINDING *)MALLOC(parser, sizeof(BINDING));
142 if (! b)
143 return XML_ERROR_NO_MEMORY;
144+
145+ /* Detect and prevent integer overflow */
146+ if (len > INT_MAX - EXPAND_SPARE) {
147+ return XML_ERROR_NO_MEMORY;
148+ }
149+ /* Detect and prevent integer overflow.
150+ * The preprocessor guard addresses the "always false" warning
151+ * from -Wtype-limits on platforms where
152+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
153+#if UINT_MAX >= SIZE_MAX
154+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
155+ return XML_ERROR_NO_MEMORY;
156+ }
157+#endif
158+
159 b->uri
160 = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
161 if (! b->uri) {
162@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
163 }
164 } else {
165 DEFAULT_ATTRIBUTE *temp;
166+
167+ /* Detect and prevent integer overflow */
168+ if (type->allocDefaultAtts > INT_MAX / 2) {
169+ return 0;
170+ }
171+
172 int count = type->allocDefaultAtts * 2;
173+
174+ /* Detect and prevent integer overflow.
175+ * The preprocessor guard addresses the "always false" warning
176+ * from -Wtype-limits on platforms where
177+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
178+#if UINT_MAX >= SIZE_MAX
179+ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
180+ return 0;
181+ }
182+#endif
183+
184 temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
185 (count * sizeof(DEFAULT_ATTRIBUTE)));
186 if (temp == NULL)
187@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
188 /* check for overflow (table is half full) */
189 if (table->used >> (table->power - 1)) {
190 unsigned char newPower = table->power + 1;
191+
192+ /* Detect and prevent invalid shift */
193+ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
194+ return NULL;
195+ }
196+
197 size_t newSize = (size_t)1 << newPower;
198 unsigned long newMask = (unsigned long)newSize - 1;
199+
200+ /* Detect and prevent integer overflow */
201+ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
202+ return NULL;
203+ }
204+
205 size_t tsize = newSize * sizeof(NAMED *);
206 NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
207 if (! newV)
208@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
209 if (dtd->scaffCount >= dtd->scaffSize) {
210 CONTENT_SCAFFOLD *temp;
211 if (dtd->scaffold) {
212+ /* Detect and prevent integer overflow */
213+ if (dtd->scaffSize > UINT_MAX / 2u) {
214+ return -1;
215+ }
216+ /* Detect and prevent integer overflow.
217+ * The preprocessor guard addresses the "always false" warning
218+ * from -Wtype-limits on platforms where
219+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
220+#if UINT_MAX >= SIZE_MAX
221+ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
222+ return -1;
223+ }
224+#endif
225+
226 temp = (CONTENT_SCAFFOLD *)REALLOC(
227 parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
228 if (temp == NULL)
229@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
230 XML_Content *ret;
231 XML_Content *cpos;
232 XML_Char *str;
233- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
234- + (dtd->contentStringLen * sizeof(XML_Char)));
235+
236+ /* Detect and prevent integer overflow.
237+ * The preprocessor guard addresses the "always false" warning
238+ * from -Wtype-limits on platforms where
239+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
240+#if UINT_MAX >= SIZE_MAX
241+ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
242+ return NULL;
243+ }
244+ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
245+ return NULL;
246+ }
247+#endif
248+ if (dtd->scaffCount * sizeof(XML_Content)
249+ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
250+ return NULL;
251+ }
252+
253+ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
254+ + (dtd->contentStringLen * sizeof(XML_Char)));
255
256 ret = (XML_Content *)MALLOC(parser, allocsize);
257 if (! ret)
diff --git a/meta/recipes-core/expat/expat_2.2.10.bb b/meta/recipes-core/expat/expat_2.2.10.bb
index 08e8ff1cea..5a123305c4 100644
--- a/meta/recipes-core/expat/expat_2.2.10.bb
+++ b/meta/recipes-core/expat/expat_2.2.10.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
12 file://libtool-tag.patch \ 12 file://libtool-tag.patch \
13 file://run-ptest \ 13 file://run-ptest \
14 file://0001-Add-output-of-tests-result.patch \ 14 file://0001-Add-output-of-tests-result.patch \
15 file://CVE-2022-22822-27.patch \
15 " 16 "
16 17
17UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" 18UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"