Diffstat (limited to 'meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch')
-rw-r--r-- | meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch | 129 |
1 files changed, 129 insertions, 0 deletions
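--- /dev/null
+++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypisetsky@fb.com>
+Date: Thu, 01 Jan 2015 23:36:55 +0000
+Subject: grep -F: fix a heap buffer (read) overrun
+
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file. In that case, the number of
+bytes read may be far less than the size of the buffer. However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match. With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether. This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+
+Prior to this patch, this command would trigger a UMR:
+
+printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+
+Use of uninitialised value of size 8
+at 0x4142BE: bmexec_trans (kwset.c:657)
+by 0x4143CA: bmexec (kwset.c:678)
+by 0x414973: kwsexec (kwset.c:848)
+by 0x414DC4: Fexecute (kwsearch.c:128)
+by 0x404E2E: grepbuf (grep.c:1238)
+by 0x4054BF: grep (grep.c:1417)
+by 0x405CEB: grepdesc (grep.c:1645)
+by 0x405EC1: grep_command_line_arg (grep.c:1692)
+by 0x4077D4: main (grep.c:2570)
+
+See the accompanying test for how to trigger the heap buffer overrun.
+
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+
+Fixes CVE-2015-1345.
+Upstream-Status: Backport
+
+---
+diff --git a/NEWS b/NEWS
+index 975440d..3835d8d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -2,6 +2,11 @@ GNU grep NEWS -*- outline -*-
+
+* Noteworthy changes in release ?.? (????-??-??) [?]
+
++** Bug fixes
++
++ grep no longer reads from uninitialized memory or from beyond the end
++ of the heap-allocated input buffer.
++
+
+* Noteworthy changes in release 2.21 (2014-11-23) [stable]
+
+diff --git a/src/kwset.c b/src/kwset.c
+index 4003c8d..376f7c3 100644
+--- a/src/kwset.c
++++ b/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
+if (! tp)
+return -1;
+tp++;
++ if (ep <= tp)
++ break;
+}
+}
+}
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2cba2cd..0508cd2 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -75,6 +75,7 @@ TESTS = \
+inconsistent-range \
+invalid-multibyte-infloop \
+khadafy \
++ kwset-abuse \
+long-line-vs-2GiB-read \
+match-lines \
+max-count-overread \
+diff --git a/tests/kwset-abuse b/tests/kwset-abuse
+new file mode 100755
+index 0000000..6d8ec0c
+--- a/dev/null
++++ b/tests/kwset-abuse
+@@ -0,0 +1,32 @@
++#! /bin/sh
++# Evoke a segfault in a hard-to-reach code path of kwset.c.
++# This bug affected grep versions 2.19 through 2.21.
++#
++# Copyright (C) 2015 Free Software Foundation, Inc.
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/init.sh"; path_prepend_ ../src
++
++fail=0
++
++# This test case chooses a haystack of size 260,000, since prodding
++# with gdb showed a reallocation slightly larger than that in fillbuf.
++# To reach the buggy code, the needle must have length < 1/11 that of
++# the haystack, and 10,000 is a nice round number that fits the bill.
++printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
++
++test $? = 1 || fail=1
++
++Exit $fail
+--
+cgit v0.9.0.2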
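Review bot: The NEWS hunk inside the backport (patch lines 49-64) is lifted unchanged from upstream master and its trailing context is `* Noteworthy changes in release 2.21 (2014-11-23) [stable]`, a heading that grep 2.19's NEWS cannot contain because 2.21 post-dates it (the test header itself says the bug spans 2.19 through 2.21), so that hunk applies only with fuzz, if at all; since NEWS carries no code, dropping it from the 2.19 backport would make the patch apply cleanly and keep the kwset.c, Makefile.am and kwset-abuse hunks intact. The new-file header for tests/kwset-abuse reads `--- a/dev/null` (patch line 93) rather than `--- /dev/null`; GNU patch generally treats the `@@ -0,0` hunk as file creation regardless, but stricter appliers may not, so normalizing that line is cheap insurance. The header ends at `Upstream-Status: Backport` with no `Signed-off-by:` from the person doing the backport, which the OE patch guidelines ask for; adding `Signed-off-by: <backporter name> <email>` (placeholder) below it would complete the provenance record. The diffstat shows only the .patch file being added, so unless a companion commit lists it in the grep 2.19 recipe's SRC_URI, the CVE fix sits in the tree but is never applied to the build.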