1 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch
new file mode 100644
index 0000000000..978865978d
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch
@@ -0,0 +1,124 @@
+From 304a50adff6480ede46b68f7545baab542cbfb46 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:23 +0100
+Subject: [PATCH 12/12] pretty: restrict input lengths for padding and wrapping formats
+Both the padding and wrapping formatting directives allow the caller to
+specify an integer that ultimately leads to us adding this many chars to
+the result buffer. As a consequence, it is trivial to e.g. allocate 2GB
+of RAM via a single formatting directive and cause resource exhaustion
+on the machine executing this logic. Furthermore, it is debatable
+whether there are any sane usecases that require the user to pad data to
+2GB boundaries or to indent wrapped data by 2GB.
+Restrict the input sizes to 16 kilobytes at a maximum to limit the
+amount of bytes that can be requested by the user. This is not meant
+as a fix because there are ways to trivially amplify the amount of
+data we generate via formatting directives; the real protection is
+achieved by the changes in previous steps to catch and avoid integer
+wraparound that causes us to under-allocate and access beyond the
+end of allocated memory reagions. But having such a limit
+significantly helps fuzzing the pretty format, because the fuzzer is
+otherwise quite fast to run out-of-memory as it discovers these
+formatters.
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport [https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c                      | 26 ++++++++++++++++++++++++++
+ t/t4205-log-pretty-formats.sh | 24 +++++++++++++++---------
+ 2 files changed, 41 insertions(+), 9 deletions(-)
+diff --git a/pretty.c b/pretty.c
+index c3c1443..e9687f0 100644
+--- a/pretty.c
+++ b/pretty.c
+@@ -13,6 +13,13 @@
+ #include "gpg-interface.h"
+ #include "trailer.h"
+ 
+/*
+ * The limit for formatting directives, which enable the caller to append
+ * arbitrarily many bytes to the formatted buffer. This includes padding
+ * and wrapping formatters.
+ */
+#define FORMATTING_LIMIT (16 * 1024)
+
+ static char *user_format;
+ static struct cmt_fmt_map {
+        const char *name;
+@@ -1029,6 +1036,15 @@ static size_t parse_padding_placeholder(const char *placeholder,
+                if (!*end || end == start)
+                        return 0;
+                width = strtol(start, &next, 10);
+
+               /*
+                * We need to limit the amount of padding, or otherwise this
+                * would allow the user to pad the buffer by arbitrarily many
+                * bytes and thus cause resource exhaustion.
+                */
+               if (width < -FORMATTING_LIMIT || width > FORMATTING_LIMIT)
+                       return 0;
+
+                if (next == start || width == 0)
+                        return 0;
+                if (width < 0) {
+@@ -1188,6 +1204,16 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */
+                                if (*next != ')')
+                                        return 0;
+                        }
+
+                       /*
+                        * We need to limit the format here as it allows the
+                        * user to prepend arbitrarily many bytes to the buffer
+                        * when rewrapping.
+                        */
+                       if (width > FORMATTING_LIMIT ||
+                           indent1 > FORMATTING_LIMIT ||
+                           indent2 > FORMATTING_LIMIT)
+                               return 0;
+                        rewrap_message_tail(sb, c, width, indent1, indent2);
+                        return end - placeholder + 1;
+                } else
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 52c8bc8..572d02f 100755
+--- a/t/t4205-log-pretty-formats.sh
+++ b/t/t4205-log-pretty-formats.sh
+@@ -809,15 +809,21 @@ test_expect_success 'log --pretty with magical wrapping directives' '
+ '
+ 
+ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
+-       cat >expect <<-EOF &&
+-       fatal: number too large to represent as int on this platform: 2147483649
+-       EOF
+-       test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
+-       test_cmp expect error &&
+-       test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
+-       test_cmp expect error &&
+-       test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
+-       test_cmp expect error
+       printf "%%w(2147483649,1,1)0" >expect &&
+       git log -1 --pretty="format:%w(2147483649,1,1)%x30" >actual &&
+       test_cmp expect actual &&
+       printf "%%w(1,2147483649,1)0" >expect &&
+       git log -1 --pretty="format:%w(1,2147483649,1)%x30" >actual &&
+       test_cmp expect actual &&
+       printf "%%w(1,1,2147483649)0" >expect &&
+       git log -1 --pretty="format:%w(1,1,2147483649)%x30" >actual &&
+       test_cmp expect actual
+'
+
+test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing padding directive' '
+       printf "%%<(2147483649)0" >expect &&
+       git log -1 --pretty="format:%<(2147483649)%x30" >actual &&
+       test_cmp expect actual
+ '
+ 
+ test_expect_success 'log --pretty with padding and preceding control chars' '
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch new file mode 100644 index 0000000000..978865978d --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch
@@ -0,0 +1,124 @@
	1	From 304a50adff6480ede46b68f7545baab542cbfb46 Mon Sep 17 00:00:00 2001
	2	From: Patrick Steinhardt <ps@pks.im>
	3	Date: Thu, 1 Dec 2022 15:47:23 +0100
	4	Subject: [PATCH 12/12] pretty: restrict input lengths for padding and wrapping formats
	5
	6	Both the padding and wrapping formatting directives allow the caller to
	7	specify an integer that ultimately leads to us adding this many chars to
	8	the result buffer. As a consequence, it is trivial to e.g. allocate 2GB
	9	of RAM via a single formatting directive and cause resource exhaustion
	10	on the machine executing this logic. Furthermore, it is debatable
	11	whether there are any sane usecases that require the user to pad data to
	12	2GB boundaries or to indent wrapped data by 2GB.
	13
	14	Restrict the input sizes to 16 kilobytes at a maximum to limit the
	15	amount of bytes that can be requested by the user. This is not meant
	16	as a fix because there are ways to trivially amplify the amount of
	17	data we generate via formatting directives; the real protection is
	18	achieved by the changes in previous steps to catch and avoid integer
	19	wraparound that causes us to under-allocate and access beyond the
	20	end of allocated memory reagions. But having such a limit
	21	significantly helps fuzzing the pretty format, because the fuzzer is
	22	otherwise quite fast to run out-of-memory as it discovers these
	23	formatters.
	24
	25	Signed-off-by: Patrick Steinhardt <ps@pks.im>
	26	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	27
	28	Upstream-Status: Backport [https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46]
	29	CVE: CVE-2022-41903
	30	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	31	---
	32	pretty.c \| 26 ++++++++++++++++++++++++++
	33	t/t4205-log-pretty-formats.sh \| 24 +++++++++++++++---------
	34	2 files changed, 41 insertions(+), 9 deletions(-)
	35
	36	diff --git a/pretty.c b/pretty.c
	37	index c3c1443..e9687f0 100644
	38	--- a/pretty.c
	39	+++ b/pretty.c
	40	@@ -13,6 +13,13 @@
	41	#include "gpg-interface.h"
	42	#include "trailer.h"
	43
	44	+/*
	45	+ * The limit for formatting directives, which enable the caller to append
	46	+ * arbitrarily many bytes to the formatted buffer. This includes padding
	47	+ * and wrapping formatters.
	48	+ */
	49	+#define FORMATTING_LIMIT (16 * 1024)
	50	+
	51	static char *user_format;
	52	static struct cmt_fmt_map {
	53	const char *name;
	54	@@ -1029,6 +1036,15 @@ static size_t parse_padding_placeholder(const char *placeholder,
	55	if (!*end \|\| end == start)
	56	return 0;
	57	width = strtol(start, &next, 10);
	58	+
	59	+ /*
	60	+ * We need to limit the amount of padding, or otherwise this
	61	+ * would allow the user to pad the buffer by arbitrarily many
	62	+ * bytes and thus cause resource exhaustion.
	63	+ */
	64	+ if (width < -FORMATTING_LIMIT \|\| width > FORMATTING_LIMIT)
	65	+ return 0;
	66	+
	67	if (next == start \|\| width == 0)
	68	return 0;
	69	if (width < 0) {
	70	@@ -1188,6 +1204,16 @@ static size_t format_commit_one(struct strbuf sb, / in UTF-8 */
	71	if (*next != ')')
	72	return 0;
	73	}
	74	+
	75	+ /*
	76	+ * We need to limit the format here as it allows the
	77	+ * user to prepend arbitrarily many bytes to the buffer
	78	+ * when rewrapping.
	79	+ */
	80	+ if (width > FORMATTING_LIMIT \|\|
	81	+ indent1 > FORMATTING_LIMIT \|\|
	82	+ indent2 > FORMATTING_LIMIT)
	83	+ return 0;
	84	rewrap_message_tail(sb, c, width, indent1, indent2);
	85	return end - placeholder + 1;
	86	} else
	87	diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
	88	index 52c8bc8..572d02f 100755
	89	--- a/t/t4205-log-pretty-formats.sh
	90	+++ b/t/t4205-log-pretty-formats.sh
	91	@@ -809,15 +809,21 @@ test_expect_success 'log --pretty with magical wrapping directives' '
	92	'
	93
	94	test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
	95	- cat >expect <<-EOF &&
	96	- fatal: number too large to represent as int on this platform: 2147483649
	97	- EOF
	98	- test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
	99	- test_cmp expect error &&
	100	- test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
	101	- test_cmp expect error &&
	102	- test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
	103	- test_cmp expect error
	104	+ printf "%%w(2147483649,1,1)0" >expect &&
	105	+ git log -1 --pretty="format:%w(2147483649,1,1)%x30" >actual &&
	106	+ test_cmp expect actual &&
	107	+ printf "%%w(1,2147483649,1)0" >expect &&
	108	+ git log -1 --pretty="format:%w(1,2147483649,1)%x30" >actual &&
	109	+ test_cmp expect actual &&
	110	+ printf "%%w(1,1,2147483649)0" >expect &&
	111	+ git log -1 --pretty="format:%w(1,1,2147483649)%x30" >actual &&
	112	+ test_cmp expect actual
	113	+'
	114	+
	115	+test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing padding directive' '
	116	+ printf "%%<(2147483649)0" >expect &&
	117	+ git log -1 --pretty="format:%<(2147483649)%x30" >actual &&
	118	+ test_cmp expect actual
	119	'
	120
	121	test_expect_success 'log --pretty with padding and preceding control chars' '
	122	--
	123	2.25.1
	124