-rw-r--r-- | meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch | 160 | ||||
-rw-r--r-- | meta/recipes-devtools/json-c/json-c_0.15.bb (renamed from meta/recipes-devtools/json-c/json-c_0.14.bb) | 6 |
2 files changed, 2 insertions, 164 deletions
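--- a/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Mon, 4 May 2020 19:41:16 +0200
-Subject: [PATCH 1/3] Protect array_list_del_idx against size_t overflow.
-
-If the assignment of stop overflows due to idx and count being
-larger than SIZE_T_MAX in sum, out of boundary access could happen.
-
-It takes invalid usage of this function for this to happen, but
-I decided to add this check so array_list_del_idx is as safe against
-bad usage as the other arraylist functions.
-
-Upstream-Status: Backport [https://github.com/json-c/json-c/commit/31243e4d1204ef78be34b0fcae73221eee6b83be]
-CVE: CVE-2020-12762
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
-arraylist.c | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/arraylist.c b/arraylist.c
-index 12ad8af6d3..e5524aca75 100644
---- a/arraylist.c
-+++ b/arraylist.c
-@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count)
-{
-size_t i, stop;
-
-+ /* Avoid overflow in calculation with large indices. */
-+ if (idx > SIZE_T_MAX - count)
-+ return -1;
-stop = idx + count;
-if (idx >= arr->length || stop > arr->length)
-return -1;
-
-From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Mon, 4 May 2020 19:46:45 +0200
-Subject: [PATCH 2/3] Prevent division by zero in linkhash.
-
-If a linkhash with a size of zero is created, then modulo operations
-are prone to division by zero operations.
-
-Purely protective measure against bad usage.
----
-linkhash.c | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/linkhash.c b/linkhash.c
-index 7ea58c0abf..f05cc38030 100644
---- a/linkhash.c
-+++ b/linkhash.c
-@@ -12,6 +12,7 @@
-
-#include "config.h"
-
-+#include <assert.h>
-#include <limits.h>
-#include <stdarg.h>
-#include <stddef.h>
-@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, lh_entry_free_fn *free_fn, lh_hash_fn *h
-int i;
-struct lh_table *t;
-
-+ /* Allocate space for elements to avoid divisions by zero. */
-+ assert(size > 0);
-t = (struct lh_table *)calloc(1, sizeof(struct lh_table));
-if (!t)
-return NULL;
-
-From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Mon, 4 May 2020 19:47:25 +0200
-Subject: [PATCH 3/3] Fix integer overflows.
-
-The data structures linkhash and printbuf are limited to 2 GB in size
-due to a signed integer being used to track their current size.
-
-If too much data is added, then size variable can overflow, which is
-an undefined behaviour in C programming language.
-
-Assuming that a signed int overflow just leads to a negative value,
-like it happens on many sytems (Linux i686/amd64 with gcc), then
-printbuf is vulnerable to an out of boundary write on 64 bit systems.
----
-linkhash.c | 7 +++++--
-printbuf.c | 19 ++++++++++++++++---
-2 files changed, 21 insertions(+), 5 deletions(-)
-
-diff --git a/linkhash.c b/linkhash.c
-index f05cc38030..51e90b13a2 100644
---- a/linkhash.c
-+++ b/linkhash.c
-@@ -580,9 +580,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con
-{
-unsigned long n;
-
-- if (t->count >= t->size * LH_LOAD_FACTOR)
-- if (lh_table_resize(t, t->size * 2) != 0)
-+ if (t->count >= t->size * LH_LOAD_FACTOR) {
-+ /* Avoid signed integer overflow with large tables. */
-+ int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX;
-+ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0)
-return -1;
-+ }
-
-n = h % t->size;
-
-diff --git a/printbuf.c b/printbuf.c
-index 976c12dde5..00822fac4f 100644
---- a/printbuf.c
-+++ b/printbuf.c
-@@ -15,6 +15,7 @@
-
-#include "config.h"
-
-+#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-@@ -65,10 +66,16 @@ static int printbuf_extend(struct printbuf *p, int min_size)
-
-if (p->size >= min_size)
-return 0;
--
-- new_size = p->size * 2;
-- if (new_size < min_size + 8)
-+ /* Prevent signed integer overflows with large buffers. */
-+ if (min_size > INT_MAX - 8)
-+ return -1;
-+ if (p->size > INT_MAX / 2)
-new_size = min_size + 8;
-+ else {
-+ new_size = p->size * 2;
-+ if (new_size < min_size + 8)
-+ new_size = min_size + 8;
-+ }
-#ifdef PRINTBUF_DEBUG
-MC_DEBUG("printbuf_memappend: realloc "
-"bpos=%d min_size=%d old_size=%d new_size=%d\n",
-@@ -83,6 +90,9 @@ static int printbuf_extend(struct printbuf *p, int min_size)
-
-int printbuf_memappend(struct printbuf *p, const char *buf, int size)
-{
-+ /* Prevent signed integer overflows with large buffers. */
-+ if (size > INT_MAX - p->bpos - 1)
-+ return -1;
-if (p->size <= p->bpos + size + 1)
-{
-if (printbuf_extend(p, p->bpos + size + 1) < 0)
-@@ -100,6 +110,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len)
-
-if (offset == -1)
-offset = pb->bpos;
-+ /* Prevent signed integer overflows with large buffers. */
-+ if (len > INT_MAX - offset)
-+ return -1;
-size_needed = offset + len;
-if (pb->size < size_needed)
-{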
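--- a/meta/recipes-devtools/json-c/json-c_0.14.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.15.bb
@@ -4,11 +4,9 @@ HOMEPAGE = "https://github.com/json-c/json-c/wiki"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
 
-SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
-file://CVE-2020-12762.patch \
-"
+SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz"
 
-SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870"
+SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6"
 
 UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
 UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+"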
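Review bot: Nothing in this section records why `file://CVE-2020-12762.patch` is dropped from `SRC_URI` together with the bump to 0.15, so a later maintainer cannot tell from the recipe whether the three backported fixes (array_list_del_idx overflow check, linkhash size assert, printbuf/linkhash INT_MAX guards) are still covered. The deleted patch gives its origin as upstream commit 31243e4d1204ef78be34b0fcae73221eee6b83be; presumably that commit is part of the 0.15 release, but this is not visible here and should be confirmed against the new tarball before merging. I would state the result in the commit message, e.g. `Drop CVE-2020-12762.patch: the fixes are included in 0.15.` Removing the patch also removes its `CVE: CVE-2020-12762` tag from the layer, so any CVE scan that relied on that tag will, as far as I can tell, fall back to version matching for this recipe.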