1 files changed, 187 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch
new file mode 100644
index 0000000000..f35e55b585
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch
@@ -0,0 +1,187 @@
+From 81dc898df9b4b4035534a927f3234a3839b698bf Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:25 +0100
+Subject: [PATCH 02/12] pretty: fix out-of-bounds write caused by integer overflow
+When using a padding specifier in the pretty format passed to git-log(1)
+we need to calculate the string length in several places. These string
+lengths are stored in `int`s though, which means that these can easily
+overflow when the input lengths exceeds 2GB. This can ultimately lead to
+an out-of-bounds write when these are used in a call to memcpy(3P):
+        ==8340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1ec62f97fe at pc 0x7f2127e5f427 bp 0x7ffd3bd63de0 sp 0x7ffd3bd63588
+    WRITE of size 1 at 0x7f1ec62f97fe thread T0
+        #0 0x7f2127e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
+        #1 0x5628e96aa605 in format_and_pad_commit pretty.c:1762
+        #2 0x5628e96aa7f4 in format_commit_item pretty.c:1801
+        #3 0x5628e97cdb24 in strbuf_expand strbuf.c:429
+        #4 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
+        #5 0x5628e96acd0f in pretty_print_commit pretty.c:2161
+        #6 0x5628e95a44c8 in show_log log-tree.c:781
+        #7 0x5628e95a76ba in log_tree_commit log-tree.c:1117
+        #8 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
+        #9 0x5628e922c35b in cmd_log_walk builtin/log.c:549
+        #10 0x5628e922f1a2 in cmd_log builtin/log.c:883
+        #11 0x5628e9106993 in run_builtin git.c:466
+        #12 0x5628e9107397 in handle_builtin git.c:721
+        #13 0x5628e9107b07 in run_argv git.c:788
+        #14 0x5628e91088a7 in cmd_main git.c:923
+        #15 0x5628e939d682 in main common-main.c:57
+        #16 0x7f2127c3c28f  (/usr/lib/libc.so.6+0x2328f)
+        #17 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+        #18 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
+    0x7f1ec62f97fe is located 2 bytes to the left of 4831838265-byte region [0x7f1ec62f9800,0x7f1fe62f9839)
+    allocated by thread T0 here:
+        #0 0x7f2127ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
+        #1 0x5628e98774d4 in xrealloc wrapper.c:136
+        #2 0x5628e97cb01c in strbuf_grow strbuf.c:99
+        #3 0x5628e97ccd42 in strbuf_addchars strbuf.c:327
+        #4 0x5628e96aa55c in format_and_pad_commit pretty.c:1761
+        #5 0x5628e96aa7f4 in format_commit_item pretty.c:1801
+        #6 0x5628e97cdb24 in strbuf_expand strbuf.c:429
+        #7 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
+        #8 0x5628e96acd0f in pretty_print_commit pretty.c:2161
+        #9 0x5628e95a44c8 in show_log log-tree.c:781
+        #10 0x5628e95a76ba in log_tree_commit log-tree.c:1117
+        #11 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
+        #12 0x5628e922c35b in cmd_log_walk builtin/log.c:549
+        #13 0x5628e922f1a2 in cmd_log builtin/log.c:883
+        #14 0x5628e9106993 in run_builtin git.c:466
+        #15 0x5628e9107397 in handle_builtin git.c:721
+        #16 0x5628e9107b07 in run_argv git.c:788
+        #17 0x5628e91088a7 in cmd_main git.c:923
+        #18 0x5628e939d682 in main common-main.c:57
+        #19 0x7f2127c3c28f  (/usr/lib/libc.so.6+0x2328f)
+        #20 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+        #21 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
+    SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
+    Shadow bytes around the buggy address:
+      0x0fe458c572a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+      0x0fe458c572b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+      0x0fe458c572c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+      0x0fe458c572d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+      0x0fe458c572e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+    =>0x0fe458c572f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
+      0x0fe458c57300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+      0x0fe458c57310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+      0x0fe458c57320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+      0x0fe458c57330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+      0x0fe458c57340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+    Shadow byte legend (one shadow byte represents 8 application bytes):
+      Addressable:           00
+      Partially addressable: 01 02 03 04 05 06 07
+      Heap left redzone:       fa
+      Freed heap region:       fd
+      Stack left redzone:      f1
+      Stack mid redzone:       f2
+      Stack right redzone:     f3
+      Stack after return:      f5
+      Stack use after scope:   f8
+      Global redzone:          f9
+      Global init order:       f6
+      Poisoned by user:        f7
+      Container overflow:      fc
+      Array cookie:            ac
+      Intra object redzone:    bb
+      ASan internal:           fe
+      Left alloca redzone:     ca
+      Right alloca redzone:    cb
+    ==8340==ABORTING
+The pretty format can also be used in `git archive` operations via the
+`export-subst` attribute. So this is what in our opinion makes this a
+critical issue in the context of Git forges which allow to download an
+archive of user supplied Git repositories.
+Fix this vulnerability by using `size_t` instead of `int` to track the
+string lengths. Add tests which detect this vulnerability when Git is
+compiled with the address sanitizer.
+Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
+Original-patch-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
+Modified-by: Taylor  Blau <me@ttalorr.com>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport [https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c                      | 11 ++++++-----
+ t/t4205-log-pretty-formats.sh | 17 +++++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+diff --git a/pretty.c b/pretty.c
+index b32f036..637e344 100644
+--- a/pretty.c
+++ b/pretty.c
+@@ -1427,7 +1427,9 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+                                    struct format_commit_context *c)
+ {
+        struct strbuf local_sb = STRBUF_INIT;
+-       int total_consumed = 0, len, padding = c->padding;
+       size_t total_consumed = 0;
+       int len, padding = c->padding;
+
+        if (padding < 0) {
+                const char *start = strrchr(sb->buf, '\n');
+                int occupied;
+@@ -1439,7 +1441,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+        }
+        while (1) {
+                int modifier = *placeholder == 'C';
+-               int consumed = format_commit_one(&local_sb, placeholder, c);
+               size_t consumed = format_commit_one(&local_sb, placeholder, c);
+                total_consumed += consumed;
+ 
+                if (!modifier)
+@@ -1505,7 +1507,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+                }
+                strbuf_addbuf(sb, &local_sb);
+        } else {
+-               int sb_len = sb->len, offset = 0;
+               size_t sb_len = sb->len, offset = 0;
+                if (c->flush_type == flush_left)
+                        offset = padding - len;
+                else if (c->flush_type == flush_both)
+@@ -1528,8 +1530,7 @@ static size_t format_commit_item(struct strbuf *sb, /* in UTF-8 */
+                                 const char *placeholder,
+                                 void *context)
+ {
+-       int consumed;
+-       size_t orig_len;
+       size_t consumed, orig_len;
+        enum {
+                NO_MAGIC,
+                ADD_LF_BEFORE_NON_EMPTY,
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index f42a69f..a2acee1 100755
+--- a/t/t4205-log-pretty-formats.sh
+++ b/t/t4205-log-pretty-formats.sh
+@@ -788,4 +788,21 @@ test_expect_success '%S in git log --format works with other placeholders (part
+        test_cmp expect actual
+ '
+ 
+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+       # We only assert that this command does not crash. This needs to be
+       # executed with the address sanitizer to demonstrate failure.
+       git log -1 --pretty="format:%>(2147483646)%x41%41%>(2147483646)%x41" >/dev/null
+'
+
+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'set up huge commit' '
+       test-tool genzeros 2147483649 | tr "\000" "1" >expect &&
+       huge_commit=$(git commit-tree -F expect HEAD^{tree})
+'
+
+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+       git log -1 --format="%B%<(1)%x30" $huge_commit >actual &&
+       echo 0 >>expect &&
+       test_cmp expect actual
+'
+
+ test_done
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch new file mode 100644 index 0000000000..f35e55b585 --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch
@@ -0,0 +1,187 @@
	1	From 81dc898df9b4b4035534a927f3234a3839b698bf Mon Sep 17 00:00:00 2001
	2	From: Patrick Steinhardt <ps@pks.im>
	3	Date: Thu, 1 Dec 2022 15:46:25 +0100
	4	Subject: [PATCH 02/12] pretty: fix out-of-bounds write caused by integer overflow
	5
	6	When using a padding specifier in the pretty format passed to git-log(1)
	7	we need to calculate the string length in several places. These string
	8	lengths are stored in `int`s though, which means that these can easily
	9	overflow when the input lengths exceeds 2GB. This can ultimately lead to
	10	an out-of-bounds write when these are used in a call to memcpy(3P):
	11
	12	==8340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1ec62f97fe at pc 0x7f2127e5f427 bp 0x7ffd3bd63de0 sp 0x7ffd3bd63588
	13	WRITE of size 1 at 0x7f1ec62f97fe thread T0
	14	#0 0x7f2127e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
	15	#1 0x5628e96aa605 in format_and_pad_commit pretty.c:1762
	16	#2 0x5628e96aa7f4 in format_commit_item pretty.c:1801
	17	#3 0x5628e97cdb24 in strbuf_expand strbuf.c:429
	18	#4 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
	19	#5 0x5628e96acd0f in pretty_print_commit pretty.c:2161
	20	#6 0x5628e95a44c8 in show_log log-tree.c:781
	21	#7 0x5628e95a76ba in log_tree_commit log-tree.c:1117
	22	#8 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
	23	#9 0x5628e922c35b in cmd_log_walk builtin/log.c:549
	24	#10 0x5628e922f1a2 in cmd_log builtin/log.c:883
	25	#11 0x5628e9106993 in run_builtin git.c:466
	26	#12 0x5628e9107397 in handle_builtin git.c:721
	27	#13 0x5628e9107b07 in run_argv git.c:788
	28	#14 0x5628e91088a7 in cmd_main git.c:923
	29	#15 0x5628e939d682 in main common-main.c:57
	30	#16 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f)
	31	#17 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
	32	#18 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
	33
	34	0x7f1ec62f97fe is located 2 bytes to the left of 4831838265-byte region [0x7f1ec62f9800,0x7f1fe62f9839)
	35	allocated by thread T0 here:
	36	#0 0x7f2127ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
	37	#1 0x5628e98774d4 in xrealloc wrapper.c:136
	38	#2 0x5628e97cb01c in strbuf_grow strbuf.c:99
	39	#3 0x5628e97ccd42 in strbuf_addchars strbuf.c:327
	40	#4 0x5628e96aa55c in format_and_pad_commit pretty.c:1761
	41	#5 0x5628e96aa7f4 in format_commit_item pretty.c:1801
	42	#6 0x5628e97cdb24 in strbuf_expand strbuf.c:429
	43	#7 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
	44	#8 0x5628e96acd0f in pretty_print_commit pretty.c:2161
	45	#9 0x5628e95a44c8 in show_log log-tree.c:781
	46	#10 0x5628e95a76ba in log_tree_commit log-tree.c:1117
	47	#11 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
	48	#12 0x5628e922c35b in cmd_log_walk builtin/log.c:549
	49	#13 0x5628e922f1a2 in cmd_log builtin/log.c:883
	50	#14 0x5628e9106993 in run_builtin git.c:466
	51	#15 0x5628e9107397 in handle_builtin git.c:721
	52	#16 0x5628e9107b07 in run_argv git.c:788
	53	#17 0x5628e91088a7 in cmd_main git.c:923
	54	#18 0x5628e939d682 in main common-main.c:57
	55	#19 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f)
	56	#20 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
	57	#21 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
	58
	59	SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
	60	Shadow bytes around the buggy address:
	61	0x0fe458c572a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	62	0x0fe458c572b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	63	0x0fe458c572c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	64	0x0fe458c572d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	65	0x0fe458c572e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
	66	=>0x0fe458c572f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
	67	0x0fe458c57300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	68	0x0fe458c57310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	69	0x0fe458c57320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	70	0x0fe458c57330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	71	0x0fe458c57340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	72	Shadow byte legend (one shadow byte represents 8 application bytes):
	73	Addressable: 00
	74	Partially addressable: 01 02 03 04 05 06 07
	75	Heap left redzone: fa
	76	Freed heap region: fd
	77	Stack left redzone: f1
	78	Stack mid redzone: f2
	79	Stack right redzone: f3
	80	Stack after return: f5
	81	Stack use after scope: f8
	82	Global redzone: f9
	83	Global init order: f6
	84	Poisoned by user: f7
	85	Container overflow: fc
	86	Array cookie: ac
	87	Intra object redzone: bb
	88	ASan internal: fe
	89	Left alloca redzone: ca
	90	Right alloca redzone: cb
	91	==8340==ABORTING
	92
	93	The pretty format can also be used in `git archive` operations via the
	94	`export-subst` attribute. So this is what in our opinion makes this a
	95	critical issue in the context of Git forges which allow to download an
	96	archive of user supplied Git repositories.
	97
	98	Fix this vulnerability by using `size_t` instead of `int` to track the
	99	string lengths. Add tests which detect this vulnerability when Git is
	100	compiled with the address sanitizer.
	101
	102	Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
	103	Original-patch-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
	104	Modified-by: Taylor Blau <me@ttalorr.com>
	105	Signed-off-by: Patrick Steinhardt <ps@pks.im>
	106	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	107
	108	Upstream-Status: Backport [https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf]
	109	CVE: CVE-2022-41903
	110	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	111	---
	112	pretty.c \| 11 ++++++-----
	113	t/t4205-log-pretty-formats.sh \| 17 +++++++++++++++++
	114	2 files changed, 23 insertions(+), 5 deletions(-)
	115
	116	diff --git a/pretty.c b/pretty.c
	117	index b32f036..637e344 100644
	118	--- a/pretty.c
	119	+++ b/pretty.c
	120	@@ -1427,7 +1427,9 @@ static size_t format_and_pad_commit(struct strbuf sb, / in UTF-8 */
	121	struct format_commit_context *c)
	122	{
	123	struct strbuf local_sb = STRBUF_INIT;
	124	- int total_consumed = 0, len, padding = c->padding;
	125	+ size_t total_consumed = 0;
	126	+ int len, padding = c->padding;
	127	+
	128	if (padding < 0) {
	129	const char *start = strrchr(sb->buf, '\n');
	130	int occupied;
	131	@@ -1439,7 +1441,7 @@ static size_t format_and_pad_commit(struct strbuf sb, / in UTF-8 */
	132	}
	133	while (1) {
	134	int modifier = *placeholder == 'C';
	135	- int consumed = format_commit_one(&local_sb, placeholder, c);
	136	+ size_t consumed = format_commit_one(&local_sb, placeholder, c);
	137	total_consumed += consumed;
	138
	139	if (!modifier)
	140	@@ -1505,7 +1507,7 @@ static size_t format_and_pad_commit(struct strbuf sb, / in UTF-8 */
	141	}
	142	strbuf_addbuf(sb, &local_sb);
	143	} else {
	144	- int sb_len = sb->len, offset = 0;
	145	+ size_t sb_len = sb->len, offset = 0;
	146	if (c->flush_type == flush_left)
	147	offset = padding - len;
	148	else if (c->flush_type == flush_both)
	149	@@ -1528,8 +1530,7 @@ static size_t format_commit_item(struct strbuf sb, / in UTF-8 */
	150	const char *placeholder,
	151	void *context)
	152	{
	153	- int consumed;
	154	- size_t orig_len;
	155	+ size_t consumed, orig_len;
	156	enum {
	157	NO_MAGIC,
	158	ADD_LF_BEFORE_NON_EMPTY,
	159	diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
	160	index f42a69f..a2acee1 100755
	161	--- a/t/t4205-log-pretty-formats.sh
	162	+++ b/t/t4205-log-pretty-formats.sh
	163	@@ -788,4 +788,21 @@ test_expect_success '%S in git log --format works with other placeholders (part
	164	test_cmp expect actual
	165	'
	166
	167	+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
	168	+ # We only assert that this command does not crash. This needs to be
	169	+ # executed with the address sanitizer to demonstrate failure.
	170	+ git log -1 --pretty="format:%>(2147483646)%x41%41%>(2147483646)%x41" >/dev/null
	171	+'
	172	+
	173	+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'set up huge commit' '
	174	+ test-tool genzeros 2147483649 \| tr "\000" "1" >expect &&
	175	+ huge_commit=$(git commit-tree -F expect HEAD^{tree})
	176	+'
	177	+
	178	+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
	179	+ git log -1 --format="%B%<(1)%x30" $huge_commit >actual &&
	180	+ echo 0 >>expect &&
	181	+ test_cmp expect actual
	182	+'
	183	+
	184	test_done
	185	--
	186	2.25.1
	187