Diffstat (limited to 'meta/recipes-devtools/git/files/CVE-2022-41903-12.patch')
-rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-12.patch | 124 |
1 files changed, 124 insertions, 0 deletions
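--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch
@@ -0,0 +1,124 @@
+From 304a50adff6480ede46b68f7545baab542cbfb46 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:23 +0100
+Subject: [PATCH 12/12] pretty: restrict input lengths for padding and wrapping formats
+
+Both the padding and wrapping formatting directives allow the caller to
+specify an integer that ultimately leads to us adding this many chars to
+the result buffer. As a consequence, it is trivial to e.g. allocate 2GB
+of RAM via a single formatting directive and cause resource exhaustion
+on the machine executing this logic. Furthermore, it is debatable
+whether there are any sane usecases that require the user to pad data to
+2GB boundaries or to indent wrapped data by 2GB.
+
+Restrict the input sizes to 16 kilobytes at a maximum to limit the
+amount of bytes that can be requested by the user. This is not meant
+as a fix because there are ways to trivially amplify the amount of
+data we generate via formatting directives; the real protection is
+achieved by the changes in previous steps to catch and avoid integer
+wraparound that causes us to under-allocate and access beyond the
+end of allocated memory reagions. But having such a limit
+significantly helps fuzzing the pretty format, because the fuzzer is
+otherwise quite fast to run out-of-memory as it discovers these
+formatters.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+pretty.c | 26 ++++++++++++++++++++++++++
+t/t4205-log-pretty-formats.sh | 24 +++++++++++++++---------
+2 files changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/pretty.c b/pretty.c
+index c3c1443..e9687f0 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -13,6 +13,13 @@
+ #include "gpg-interface.h"
+ #include "trailer.h"
+ 
++/*
++ * The limit for formatting directives, which enable the caller to append
++ * arbitrarily many bytes to the formatted buffer. This includes padding
++ * and wrapping formatters.
++ */
++#define FORMATTING_LIMIT (16 * 1024)
++
+ static char *user_format;
+ static struct cmt_fmt_map {
+ const char *name;
+@@ -1029,6 +1036,15 @@ static size_t parse_padding_placeholder(const char *placeholder,
+ if (!*end || end == start)
+ return 0;
+ width = strtol(start, &next, 10);
++
++ /*
++ * We need to limit the amount of padding, or otherwise this
++ * would allow the user to pad the buffer by arbitrarily many
++ * bytes and thus cause resource exhaustion.
++ */
++ if (width < -FORMATTING_LIMIT || width > FORMATTING_LIMIT)
++ return 0;
++
+ if (next == start || width == 0)
+ return 0;
+ if (width < 0) {
+@@ -1188,6 +1204,16 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */
+ if (*next != ')')
+ return 0;
+ }
++
++ /*
++ * We need to limit the format here as it allows the
++ * user to prepend arbitrarily many bytes to the buffer
++ * when rewrapping.
++ */
++ if (width > FORMATTING_LIMIT ||
++ indent1 > FORMATTING_LIMIT ||
++ indent2 > FORMATTING_LIMIT)
++ return 0;
+ rewrap_message_tail(sb, c, width, indent1, indent2);
+ return end - placeholder + 1;
+ } else
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 52c8bc8..572d02f 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -809,15 +809,21 @@ test_expect_success 'log --pretty with magical wrapping directives' '
+ '
+ 
+ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
+- cat >expect <<-EOF &&
+- fatal: number too large to represent as int on this platform: 2147483649
+- EOF
+- test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
+- test_cmp expect error &&
+- test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
+- test_cmp expect error &&
+- test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
+- test_cmp expect error
++ printf "%%w(2147483649,1,1)0" >expect &&
++ git log -1 --pretty="format:%w(2147483649,1,1)%x30" >actual &&
++ test_cmp expect actual &&
++ printf "%%w(1,2147483649,1)0" >expect &&
++ git log -1 --pretty="format:%w(1,2147483649,1)%x30" >actual &&
++ test_cmp expect actual &&
++ printf "%%w(1,1,2147483649)0" >expect &&
++ git log -1 --pretty="format:%w(1,1,2147483649)%x30" >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing padding directive' '
++ printf "%%<(2147483649)0" >expect &&
++ git log -1 --pretty="format:%<(2147483649)%x30" >actual &&
++ test_cmp expect actual
+ '
+ 
+ test_expect_success 'log --pretty with padding and preceding control chars' '
+--
+2.25.1
+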
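Review bot: The FORMATTING_LIMIT comment in the pretty.c hunk says what the limit protects against but not what happens when a directive exceeds it, and the two call sites together with the rewritten t4205 tests show that an oversize `%<(...)` or `%w(...)` is rejected with `return 0` and the placeholder text is then copied through literally instead of producing an error; that quiet degradation is worth stating at the definition, e.g. appending ` * Directives exceeding the limit are rejected by their parser and the placeholder is emitted verbatim.` The two checks are also asymmetric: parse_padding_placeholder rejects both `width < -FORMATTING_LIMIT` and `width > FORMATTING_LIMIT`, whereas the `%w` check in format_commit_one has only an upper bound; the declarations of width, indent1 and indent2 are outside the hunk, so if they are unsigned (as strtoul-parsed values would be) the single bound already catches a leading `-` through wraparound, and a one-line comment saying so on that check would spare the next reader the same question. The updated shell tests only exercise 2147483649, so a pair of cases just inside and just outside the limit (16384 and 16385) would pin the boundary that this patch actually introduces. Both parse_padding_placeholder and format_commit_one start and end outside their hunks.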