Diffstat (limited to 'meta/recipes-devtools/git/files/CVE-2022-41903-03.patch')
-rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-03.patch | 146 |
1 files changed, 146 insertions, 0 deletions
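diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch
new file mode 100644
index 0000000000..d83d77eaf7
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch
@@ -0,0 +1,146 @@
+From b49f309aa16febeddb65e82526640a91bbba3be3 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:30 +0100
+Subject: [PATCH 03/12] pretty: fix out-of-bounds read when left-flushing with stealing
+
+With the `%>>(<N>)` pretty formatter, you can ask git-log(1) et al to
+steal spaces. To do so we need to look ahead of the next token to see
+whether there are spaces there. This loop takes into account ANSI
+sequences that end with an `m`, and if it finds any it will skip them
+until it finds the first space. While doing so it does not take into
+account the buffer's limits though and easily does an out-of-bounds
+read.
+
+Add a test that hits this behaviour. While we don't have an easy way to
+verify this, the test causes the following failure when run with
+`SANITIZE=address`:
+
+==37941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000baf at pc 0x55ba6f88e0d0 bp 0x7ffc84c50d20 sp 0x7ffc84c50d10
+READ of size 1 at 0x603000000baf thread T0
+#0 0x55ba6f88e0cf in format_and_pad_commit pretty.c:1712
+#1 0x55ba6f88e7b4 in format_commit_item pretty.c:1801
+#2 0x55ba6f9b1ae4 in strbuf_expand strbuf.c:429
+#3 0x55ba6f88f020 in repo_format_commit_message pretty.c:1869
+#4 0x55ba6f890ccf in pretty_print_commit pretty.c:2161
+#5 0x55ba6f7884c8 in show_log log-tree.c:781
+#6 0x55ba6f78b6ba in log_tree_commit log-tree.c:1117
+#7 0x55ba6f40fed5 in cmd_log_walk_no_free builtin/log.c:508
+#8 0x55ba6f41035b in cmd_log_walk builtin/log.c:549
+#9 0x55ba6f4131a2 in cmd_log builtin/log.c:883
+#10 0x55ba6f2ea993 in run_builtin git.c:466
+#11 0x55ba6f2eb397 in handle_builtin git.c:721
+#12 0x55ba6f2ebb07 in run_argv git.c:788
+#13 0x55ba6f2ec8a7 in cmd_main git.c:923
+#14 0x55ba6f581682 in main common-main.c:57
+#15 0x7f2d08c3c28f (/usr/lib/libc.so.6+0x2328f)
+#16 0x7f2d08c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+#17 0x55ba6f2e60e4 in _start ../sysdeps/x86_64/start.S:115
+
+0x603000000baf is located 1 bytes to the left of 24-byte region [0x603000000bb0,0x603000000bc8)
+allocated by thread T0 here:
+#0 0x7f2d08ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
+#1 0x55ba6fa5b494 in xrealloc wrapper.c:136
+#2 0x55ba6f9aefdc in strbuf_grow strbuf.c:99
+#3 0x55ba6f9b0a06 in strbuf_add strbuf.c:298
+#4 0x55ba6f9b1a25 in strbuf_expand strbuf.c:418
+#5 0x55ba6f88f020 in repo_format_commit_message pretty.c:1869
+#6 0x55ba6f890ccf in pretty_print_commit pretty.c:2161
+#7 0x55ba6f7884c8 in show_log log-tree.c:781
+#8 0x55ba6f78b6ba in log_tree_commit log-tree.c:1117
+#9 0x55ba6f40fed5 in cmd_log_walk_no_free builtin/log.c:508
+#10 0x55ba6f41035b in cmd_log_walk builtin/log.c:549
+#11 0x55ba6f4131a2 in cmd_log builtin/log.c:883
+#12 0x55ba6f2ea993 in run_builtin git.c:466
+#13 0x55ba6f2eb397 in handle_builtin git.c:721
+#14 0x55ba6f2ebb07 in run_argv git.c:788
+#15 0x55ba6f2ec8a7 in cmd_main git.c:923
+#16 0x55ba6f581682 in main common-main.c:57
+#17 0x7f2d08c3c28f (/usr/lib/libc.so.6+0x2328f)
+#18 0x7f2d08c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+#19 0x55ba6f2e60e4 in _start ../sysdeps/x86_64/start.S:115
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow pretty.c:1712 in format_and_pad_commit
+Shadow bytes around the buggy address:
+0x0c067fff8120: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
+0x0c067fff8130: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
+0x0c067fff8140: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
+0x0c067fff8150: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fd fd
+0x0c067fff8160: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
+=>0x0c067fff8170: fd fd fd fa fa[fa]00 00 00 fa fa fa 00 00 00 fa
+0x0c067fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0c067fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0c067fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0c067fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0c067fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+Addressable: 00
+Partially addressable: 01 02 03 04 05 06 07
+Heap left redzone: fa
+Freed heap region: fd
+Stack left redzone: f1
+Stack mid redzone: f2
+Stack right redzone: f3
+Stack after return: f5
+Stack use after scope: f8
+Global redzone: f9
+Global init order: f6
+Poisoned by user: f7
+Container overflow: fc
+Array cookie: ac
+Intra object redzone: bb
+ASan internal: fe
+Left alloca redzone: ca
+Right alloca redzone: cb
+
+Luckily enough, this would only cause us to copy the out-of-bounds data
+into the formatted commit in case we really had an ANSI sequence
+preceding our buffer. So this bug likely has no security consequences.
+
+Fix it regardless by not traversing past the buffer's start.
+
+Reported-by: Patrick Steinhardt <ps@pks.im>
+Reported-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/b49f309aa16febeddb65e82526640a91bbba3be3]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+pretty.c | 2 +-
+t/t4205-log-pretty-formats.sh | 6 ++++++
+2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/pretty.c b/pretty.c
+index 637e344..4348a82 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1468,7 +1468,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+if (*ch != 'm')
+break;
+p = ch - 1;
+- while (ch - p < 10 && *p != '\033')
++ while (p > sb->buf && ch - p < 10 && *p != '\033')
+p--;
+if (*p != '\033' ||
+ch + 1 - p != display_mode_esc_sequence_len(p))
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index a2acee1..e69caba 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -788,6 +788,12 @@ test_expect_success '%S in git log --format works with other placeholders (part
+test_cmp expect actual
+'
+
++test_expect_success 'log --pretty with space stealing' '
++ printf mm0 >expect &&
++ git log -1 --pretty="format:mm%>>|(1)%x30" >actual &&
++ test_cmp expect actual
++'
++
+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+# We only assert that this command does not crash. This needs to be
+# executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+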
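Review bot: The new guard `p > sb->buf` only bounds the loop; `p = ch - 1` on the line above is still computed without checking `ch`, so when the `'m'` being examined sits at `sb->buf` the loop body never runs and the `if (*p != '\033' || ...)` that follows reads the byte just before the buffer, the same one-byte underread the ASan report in the message points at. Whether `ch` can reach `sb->buf` depends on the outer stealing loop, which starts outside this hunk, so the path may be unreachable in practice, but forming a pointer before the array start is undefined behaviour regardless of whether it is dereferenced. A cheap way to close it is to bail before forming the pointer, `if (ch == sb->buf) break;` ahead of `p = ch - 1;`, since no escape sequence can precede a character at offset zero. The enclosing format_and_pad_commit body begins and ends outside the hunk.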