Diffstat (limited to 'meta/recipes-devtools/git/files/CVE-2022-41903-02.patch')
-rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-02.patch | 187 |
1 files changed, 187 insertions, 0 deletions
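--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch
@@ -0,0 +1,187 @@
+From 81dc898df9b4b4035534a927f3234a3839b698bf Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:25 +0100
+Subject: [PATCH 02/12] pretty: fix out-of-bounds write caused by integer overflow
+
+When using a padding specifier in the pretty format passed to git-log(1)
+we need to calculate the string length in several places. These string
+lengths are stored in `int`s though, which means that these can easily
+overflow when the input lengths exceeds 2GB. This can ultimately lead to
+an out-of-bounds write when these are used in a call to memcpy(3P):
+
+==8340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1ec62f97fe at pc 0x7f2127e5f427 bp 0x7ffd3bd63de0 sp 0x7ffd3bd63588
+WRITE of size 1 at 0x7f1ec62f97fe thread T0
+#0 0x7f2127e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
+#1 0x5628e96aa605 in format_and_pad_commit pretty.c:1762
+#2 0x5628e96aa7f4 in format_commit_item pretty.c:1801
+#3 0x5628e97cdb24 in strbuf_expand strbuf.c:429
+#4 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
+#5 0x5628e96acd0f in pretty_print_commit pretty.c:2161
+#6 0x5628e95a44c8 in show_log log-tree.c:781
+#7 0x5628e95a76ba in log_tree_commit log-tree.c:1117
+#8 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
+#9 0x5628e922c35b in cmd_log_walk builtin/log.c:549
+#10 0x5628e922f1a2 in cmd_log builtin/log.c:883
+#11 0x5628e9106993 in run_builtin git.c:466
+#12 0x5628e9107397 in handle_builtin git.c:721
+#13 0x5628e9107b07 in run_argv git.c:788
+#14 0x5628e91088a7 in cmd_main git.c:923
+#15 0x5628e939d682 in main common-main.c:57
+#16 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f)
+#17 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+#18 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
+
+0x7f1ec62f97fe is located 2 bytes to the left of 4831838265-byte region [0x7f1ec62f9800,0x7f1fe62f9839)
+allocated by thread T0 here:
+#0 0x7f2127ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
+#1 0x5628e98774d4 in xrealloc wrapper.c:136
+#2 0x5628e97cb01c in strbuf_grow strbuf.c:99
+#3 0x5628e97ccd42 in strbuf_addchars strbuf.c:327
+#4 0x5628e96aa55c in format_and_pad_commit pretty.c:1761
+#5 0x5628e96aa7f4 in format_commit_item pretty.c:1801
+#6 0x5628e97cdb24 in strbuf_expand strbuf.c:429
+#7 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
+#8 0x5628e96acd0f in pretty_print_commit pretty.c:2161
+#9 0x5628e95a44c8 in show_log log-tree.c:781
+#10 0x5628e95a76ba in log_tree_commit log-tree.c:1117
+#11 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
+#12 0x5628e922c35b in cmd_log_walk builtin/log.c:549
+#13 0x5628e922f1a2 in cmd_log builtin/log.c:883
+#14 0x5628e9106993 in run_builtin git.c:466
+#15 0x5628e9107397 in handle_builtin git.c:721
+#16 0x5628e9107b07 in run_argv git.c:788
+#17 0x5628e91088a7 in cmd_main git.c:923
+#18 0x5628e939d682 in main common-main.c:57
+#19 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f)
+#20 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+#21 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
+Shadow bytes around the buggy address:
+0x0fe458c572a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0fe458c572b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0fe458c572c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0fe458c572d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0fe458c572e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0fe458c572f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
+0x0fe458c57300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0fe458c57310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0fe458c57320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0fe458c57330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0fe458c57340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+Addressable: 00
+Partially addressable: 01 02 03 04 05 06 07
+Heap left redzone: fa
+Freed heap region: fd
+Stack left redzone: f1
+Stack mid redzone: f2
+Stack right redzone: f3
+Stack after return: f5
+Stack use after scope: f8
+Global redzone: f9
+Global init order: f6
+Poisoned by user: f7
+Container overflow: fc
+Array cookie: ac
+Intra object redzone: bb
+ASan internal: fe
+Left alloca redzone: ca
+Right alloca redzone: cb
+==8340==ABORTING
+
+The pretty format can also be used in `git archive` operations via the
+`export-subst` attribute. So this is what in our opinion makes this a
+critical issue in the context of Git forges which allow to download an
+archive of user supplied Git repositories.
+
+Fix this vulnerability by using `size_t` instead of `int` to track the
+string lengths. Add tests which detect this vulnerability when Git is
+compiled with the address sanitizer.
+
+Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
+Original-patch-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
+Modified-by: Taylor Blau <me@ttalorr.com>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+pretty.c | 11 ++++++-----
+t/t4205-log-pretty-formats.sh | 17 +++++++++++++++++
+2 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/pretty.c b/pretty.c
+index b32f036..637e344 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1427,7 +1427,9 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+struct format_commit_context *c)
+{
+struct strbuf local_sb = STRBUF_INIT;
+- int total_consumed = 0, len, padding = c->padding;
++ size_t total_consumed = 0;
++ int len, padding = c->padding;
++
+if (padding < 0) {
+const char *start = strrchr(sb->buf, '\n');
+int occupied;
+@@ -1439,7 +1441,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+}
+while (1) {
+int modifier = *placeholder == 'C';
+- int consumed = format_commit_one(&local_sb, placeholder, c);
++ size_t consumed = format_commit_one(&local_sb, placeholder, c);
+total_consumed += consumed;
+
+if (!modifier)
+@@ -1505,7 +1507,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+}
+strbuf_addbuf(sb, &local_sb);
+} else {
+- int sb_len = sb->len, offset = 0;
++ size_t sb_len = sb->len, offset = 0;
+if (c->flush_type == flush_left)
+offset = padding - len;
+else if (c->flush_type == flush_both)
+@@ -1528,8 +1530,7 @@ static size_t format_commit_item(struct strbuf *sb, /* in UTF-8 */
+const char *placeholder,
+void *context)
+{
+- int consumed;
+- size_t orig_len;
++ size_t consumed, orig_len;
+enum {
+NO_MAGIC,
+ADD_LF_BEFORE_NON_EMPTY,
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index f42a69f..a2acee1 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -788,4 +788,21 @@ test_expect_success '%S in git log --format works with other placeholders (part
+test_cmp expect actual
+'
+
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
++ # We only assert that this command does not crash. This needs to be
++ # executed with the address sanitizer to demonstrate failure.
++ git log -1 --pretty="format:%>(2147483646)%x41%41%>(2147483646)%x41" >/dev/null
++'
++
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'set up huge commit' '
++ test-tool genzeros 2147483649 | tr "\000" "1" >expect &&
++ huge_commit=$(git commit-tree -F expect HEAD^{tree})
++'
++
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
++ git log -1 --format="%B%<(1)%x30" $huge_commit >actual &&
++ echo 0 >>expect &&
++ test_cmp expect actual
++'
++
+test_done
+--
+2.25.1
+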
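Review bot: The three tests appended to t/t4205-log-pretty-formats.sh at the end of the patch gate on the `SIZE_T_IS_64BIT` prerequisite and call `test-tool genzeros`, and nothing in this patch defines either; the subject line marks it as 02/12 of a series, so the prerequisite presumably comes from another part of that series, and the backport only exercises the overflow fix if the recipe carries that part too and the target git already has `test-tool genzeros`. If the prerequisite is never set in the target tree, test_expect_success reports the tests as skipped rather than failed, so a missing companion patch would go unnoticed. Worth confirming when the remaining patches are added to the recipe, and worth a line in the backport trailer block (after the Upstream-Status line) such as `Note: the SIZE_T_IS_64BIT test prerequisite used below is expected to be provided by another patch of this series.`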