Diffstat (limited to 'meta/recipes-devtools/git/files/CVE-2022-41903-04.patch')
-rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-04.patch | 150 |
1 files changed, 150 insertions, 0 deletions
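--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-04.patch
@@ -0,0 +1,150 @@
+From f6e0b9f38987ad5e47bab551f8760b70689a5905 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:34 +0100
+Subject: [PATCH 04/12] pretty: fix out-of-bounds read when parsing invalid padding format
+
+An out-of-bounds read can be triggered when parsing an incomplete
+padding format string passed via `--pretty=format` or in Git archives
+when files are marked with the `export-subst` gitattribute.
+
+This bug exists since we have introduced support for truncating output
+via the `trunc` keyword a7f01c6 (pretty: support truncating in %>, %<
+and %><, 2013-04-19). Before this commit, we used to find the end of the
+formatting string by using strchr(3P). This function returns a `NULL`
+pointer in case the character in question wasn't found. The subsequent
+check whether any character was found thus simply checked the returned
+pointer. After the commit we switched to strcspn(3P) though, which only
+returns the offset to the first found character or to the trailing NUL
+byte. As the end pointer is now computed by adding the offset to the
+start pointer it won't be `NULL` anymore, and as a consequence the check
+doesn't do anything anymore.
+
+The out-of-bounds data that is being read can in fact end up in the
+formatted string. As a consequence, it is possible to leak memory
+contents either by calling git-log(1) or via git-archive(1) when any of
+the archived files is marked with the `export-subst` gitattribute.
+
+==10888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000398 at pc 0x7f0356047cb2 bp 0x7fff3ffb95d0 sp 0x7fff3ffb8d78
+READ of size 1 at 0x602000000398 thread T0
+#0 0x7f0356047cb1 in __interceptor_strchrnul /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:725
+#1 0x563b7cec9a43 in strbuf_expand strbuf.c:417
+#2 0x563b7cda7060 in repo_format_commit_message pretty.c:1869
+#3 0x563b7cda8d0f in pretty_print_commit pretty.c:2161
+#4 0x563b7cca04c8 in show_log log-tree.c:781
+#5 0x563b7cca36ba in log_tree_commit log-tree.c:1117
+#6 0x563b7c927ed5 in cmd_log_walk_no_free builtin/log.c:508
+#7 0x563b7c92835b in cmd_log_walk builtin/log.c:549
+#8 0x563b7c92b1a2 in cmd_log builtin/log.c:883
+#9 0x563b7c802993 in run_builtin git.c:466
+#10 0x563b7c803397 in handle_builtin git.c:721
+#11 0x563b7c803b07 in run_argv git.c:788
+#12 0x563b7c8048a7 in cmd_main git.c:923
+#13 0x563b7ca99682 in main common-main.c:57
+#14 0x7f0355e3c28f (/usr/lib/libc.so.6+0x2328f)
+#15 0x7f0355e3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+#16 0x563b7c7fe0e4 in _start ../sysdeps/x86_64/start.S:115
+
+0x602000000398 is located 0 bytes to the right of 8-byte region [0x602000000390,0x602000000398)
+allocated by thread T0 here:
+#0 0x7f0356072faa in __interceptor_strdup /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:439
+#1 0x563b7cf7317c in xstrdup wrapper.c:39
+#2 0x563b7cd9a06a in save_user_format pretty.c:40
+#3 0x563b7cd9b3e5 in get_commit_format pretty.c:173
+#4 0x563b7ce54ea0 in handle_revision_opt revision.c:2456
+#5 0x563b7ce597c9 in setup_revisions revision.c:2850
+#6 0x563b7c9269e0 in cmd_log_init_finish builtin/log.c:269
+#7 0x563b7c927362 in cmd_log_init builtin/log.c:348
+#8 0x563b7c92b193 in cmd_log builtin/log.c:882
+#9 0x563b7c802993 in run_builtin git.c:466
+#10 0x563b7c803397 in handle_builtin git.c:721
+#11 0x563b7c803b07 in run_argv git.c:788
+#12 0x563b7c8048a7 in cmd_main git.c:923
+#13 0x563b7ca99682 in main common-main.c:57
+#14 0x7f0355e3c28f (/usr/lib/libc.so.6+0x2328f)
+#15 0x7f0355e3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+#16 0x563b7c7fe0e4 in _start ../sysdeps/x86_64/start.S:115
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:725 in __interceptor_strchrnul
+Shadow bytes around the buggy address:
+0x0c047fff8020: fa fa fd fd fa fa 00 06 fa fa 05 fa fa fa fd fd
+0x0c047fff8030: fa fa 00 02 fa fa 06 fa fa fa 05 fa fa fa fd fd
+0x0c047fff8040: fa fa 00 07 fa fa 03 fa fa fa fd fd fa fa 00 00
+0x0c047fff8050: fa fa 00 01 fa fa fd fd fa fa 00 00 fa fa 00 01
+0x0c047fff8060: fa fa 00 06 fa fa 00 06 fa fa 05 fa fa fa 05 fa
+=>0x0c047fff8070: fa fa 00[fa]fa fa fd fa fa fa fd fd fa fa fd fd
+0x0c047fff8080: fa fa fd fd fa fa 00 00 fa fa 00 fa fa fa fd fa
+0x0c047fff8090: fa fa fd fd fa fa 00 00 fa fa fa fa fa fa fa fa
+0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+Addressable: 00
+Partially addressable: 01 02 03 04 05 06 07
+Heap left redzone: fa
+Freed heap region: fd
+Stack left redzone: f1
+Stack mid redzone: f2
+Stack right redzone: f3
+Stack after return: f5
+Stack use after scope: f8
+Global redzone: f9
+Global init order: f6
+Poisoned by user: f7
+Container overflow: fc
+Array cookie: ac
+Intra object redzone: bb
+ASan internal: fe
+Left alloca redzone: ca
+Right alloca redzone: cb
+==10888==ABORTING
+
+Fix this bug by checking whether `end` points at the trailing NUL byte.
+Add a test which catches this out-of-bounds read and which demonstrates
+that we used to write out-of-bounds data into the formatted message.
+
+Reported-by: Markus Vervier <markus.vervier@x41-dsec.de>
+Original-patch-by: Markus Vervier <markus.vervier@x41-dsec.de>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/f6e0b9f38987ad5e47bab551f8760b70689a5905]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+pretty.c | 2 +-
+t/t4205-log-pretty-formats.sh | 6 ++++++
+2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/pretty.c b/pretty.c
+index 4348a82..c49e818 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1024,7 +1024,7 @@ static size_t parse_padding_placeholder(const char *placeholder,
+const char *end = start + strcspn(start, ",)");
+char *next;
+int width;
+- if (!end || end == start)
++ if (!*end || end == start)
+return 0;
+width = strtol(start, &next, 10);
+if (next == start || width == 0)
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index e69caba..8a349df 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -794,6 +794,12 @@ test_expect_success 'log --pretty with space stealing' '
+test_cmp expect actual
+'
+
++test_expect_success 'log --pretty with invalid padding format' '
++ printf "%s%%<(20" "$(git rev-parse HEAD)" >expect &&
++ git log -1 --pretty="format:%H%<(20" >actual &&
++ test_cmp expect actual
++'
++
+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+# We only assert that this command does not crash. This needs to be
+# executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+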