summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authoryanjun.zhu <yanjun.zhu@windriver.com>2014-03-28 17:43:37 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-03-30 10:10:32 +0100
commit6a3cadea0ce3f26306389f19121876378cf8925b (patch)
treea656e6e7e3b67297d38cf8ac661fa86ca4751403 /meta
parentc4c31eb76170ee4d7cb436954b35b27971a46e84 (diff)
downloadpoky-6a3cadea0ce3f26306389f19121876378cf8925b.tar.gz
nss-3.15.1: fix CVE-2013-1741
Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741 (From OE-Core rev: b666d173ff0ba213bf81e2c035a605a28e5395ea) Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch92
-rw-r--r--meta/recipes-support/nss/nss.inc1
2 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
new file mode 100644
index 0000000000..21da0c03b5
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
1Upstream-Status: backport
2yanjun.zhu <yanjun.zhu@windriver.com>
3--- a/nss/lib/util/secport.c
4+++ b/nss/lib/util/secport.c
5@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
6 PORTCharConversionFunc ucs2Utf8ConvertFunc;
7 PORTCharConversionWSwapFunc ucs2AsciiConvertFunc;
8
9+/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
10+ * use the PRUint32 type for the size parameter. Before we pass a size_t or
11+ * unsigned long size to these functions, we need to ensure it is <= half of
12+ * the maximum PRUint32 value to avoid truncation and catch a negative size.
13+ */
14+#define MAX_SIZE (PR_UINT32_MAX >> 1)
15+
16 void *
17 PORT_Alloc(size_t bytes)
18 {
19- void *rv;
20+ void *rv = NULL;
21
22- /* Always allocate a non-zero amount of bytes */
23- rv = (void *)PR_Malloc(bytes ? bytes : 1);
24+ if (bytes <= MAX_SIZE) {
25+ /* Always allocate a non-zero amount of bytes */
26+ rv = PR_Malloc(bytes ? bytes : 1);
27+ }
28 if (!rv) {
29 ++port_allocFailures;
30 PORT_SetError(SEC_ERROR_NO_MEMORY);
31@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
32 void *
33 PORT_Realloc(void *oldptr, size_t bytes)
34 {
35- void *rv;
36+ void *rv = NULL;
37
38- rv = (void *)PR_Realloc(oldptr, bytes);
39+ if (bytes <= MAX_SIZE) {
40+ rv = PR_Realloc(oldptr, bytes);
41+ }
42 if (!rv) {
43 ++port_allocFailures;
44 PORT_SetError(SEC_ERROR_NO_MEMORY);
45@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
46 void *
47 PORT_ZAlloc(size_t bytes)
48 {
49- void *rv;
50+ void *rv = NULL;
51
52- /* Always allocate a non-zero amount of bytes */
53- rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
54+ if (bytes <= MAX_SIZE) {
55+ /* Always allocate a non-zero amount of bytes */
56+ rv = PR_Calloc(1, bytes ? bytes : 1);
57+ }
58 if (!rv) {
59 ++port_allocFailures;
60 PORT_SetError(SEC_ERROR_NO_MEMORY);
61@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
62 {
63 PORTArenaPool *pool;
64
65+ if (chunksize > MAX_SIZE) {
66+ PORT_SetError(SEC_ERROR_NO_MEMORY);
67+ return NULL;
68+ }
69 pool = PORT_ZNew(PORTArenaPool);
70 if (!pool) {
71 return NULL;
72@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
73 return(&pool->arena);
74 }
75
76-#define MAX_SIZE 0x7fffffffUL
77-
78 void *
79 PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
80 {
81@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void
82 PORTArenaPool *pool = (PORTArenaPool *)arena;
83 PORT_Assert(newsize >= oldsize);
84
85+ if (newsize > MAX_SIZE) {
86+ PORT_SetError(SEC_ERROR_NO_MEMORY);
87+ return NULL;
88+ }
89+
90 if (ARENAPOOL_MAGIC == pool->magic ) {
91 PZ_Lock(pool->lock);
92 /* Do we do a THREADMARK check here? */
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index a6aeed8b1a..6364562a13 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -16,6 +16,7 @@ SRC_URI = "\
16 file://nss-fix-support-cross-compiling.patch \ 16 file://nss-fix-support-cross-compiling.patch \
17 file://nss-no-rpath-for-cross-compiling.patch \ 17 file://nss-no-rpath-for-cross-compiling.patch \
18 file://nss-fix-incorrect-shebang-of-perl.patch \ 18 file://nss-fix-incorrect-shebang-of-perl.patch \
19 file://nss-3.15.1-fix-CVE-2013-1741.patch \
19" 20"
20SRC_URI_append_class-target = "\ 21SRC_URI_append_class-target = "\
21 file://nss.pc.in \ 22 file://nss.pc.in \