summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch')
-rw-r--r--meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch129
1 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
new file mode 100644
index 0000000000..32846f50be
--- /dev/null
+++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
1From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
2From: Yuliy Pisetsky <ypisetsky@fb.com>
3Date: Thu, 01 Jan 2015 23:36:55 +0000
4Subject: grep -F: fix a heap buffer (read) overrun
5
6grep's read buffer is often filled to its full size, except when
7reading the final buffer of a file. In that case, the number of
8bytes read may be far less than the size of the buffer. However, for
9certain unusual pattern/text combinations, grep -F would mistakenly
10examine bytes in that uninitialized region of memory when searching
11for a match. With carefully chosen inputs, one can cause grep -F to
12read beyond the end of that buffer altogether. This problem arose via
13commit v2.18-90-g73893ff with the introduction of a more efficient
14heuristic using what is now the memchr_kwset function. The use of
15that function in bmexec_trans could leave TP much larger than EP,
16and the subsequent call to bm_delta2_search would mistakenly access
17beyond end of the main input read buffer.
18
19* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
20do not call bm_delta2_search.
21* tests/kwset-abuse: New file.
22* tests/Makefile.am (TESTS): Add it.
23* NEWS (Bug fixes): Mention it.
24
25Prior to this patch, this command would trigger a UMR:
26
27 printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
28
29 Use of uninitialised value of size 8
30 at 0x4142BE: bmexec_trans (kwset.c:657)
31 by 0x4143CA: bmexec (kwset.c:678)
32 by 0x414973: kwsexec (kwset.c:848)
33 by 0x414DC4: Fexecute (kwsearch.c:128)
34 by 0x404E2E: grepbuf (grep.c:1238)
35 by 0x4054BF: grep (grep.c:1417)
36 by 0x405CEB: grepdesc (grep.c:1645)
37 by 0x405EC1: grep_command_line_arg (grep.c:1692)
38 by 0x4077D4: main (grep.c:2570)
39
40See the accompanying test for how to trigger the heap buffer overrun.
41
42Thanks to Nima Aghdaii for testing and finding numerous
43ways to break early iterations of this patch.
44
45Fixes CVE-2015-1345.
46Upstream-Status: Backport
47
48---
49diff --git a/NEWS b/NEWS
50index 975440d..3835d8d 100644
51--- a/NEWS
52+++ b/NEWS
53@@ -2,6 +2,11 @@ GNU grep NEWS -*- outline -*-
54
55 * Noteworthy changes in release ?.? (????-??-??) [?]
56
57+** Bug fixes
58+
59+ grep no longer reads from uninitialized memory or from beyond the end
60+ of the heap-allocated input buffer.
61+
62
63 * Noteworthy changes in release 2.21 (2014-11-23) [stable]
64
65diff --git a/src/kwset.c b/src/kwset.c
66index 4003c8d..376f7c3 100644
67--- a/src/kwset.c
68+++ b/src/kwset.c
69@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
70 if (! tp)
71 return -1;
72 tp++;
73+ if (ep <= tp)
74+ break;
75 }
76 }
77 }
78diff --git a/tests/Makefile.am b/tests/Makefile.am
79index 2cba2cd..0508cd2 100644
80--- a/tests/Makefile.am
81+++ b/tests/Makefile.am
82@@ -75,6 +75,7 @@ TESTS = \
83 inconsistent-range \
84 invalid-multibyte-infloop \
85 khadafy \
86+ kwset-abuse \
87 long-line-vs-2GiB-read \
88 match-lines \
89 max-count-overread \
90diff --git a/tests/kwset-abuse b/tests/kwset-abuse
91new file mode 100755
92index 0000000..6d8ec0c
93--- a/dev/null
94+++ b/tests/kwset-abuse
95@@ -0,0 +1,32 @@
96+#! /bin/sh
97+# Evoke a segfault in a hard-to-reach code path of kwset.c.
98+# This bug affected grep versions 2.19 through 2.21.
99+#
100+# Copyright (C) 2015 Free Software Foundation, Inc.
101+#
102+# This program is free software: you can redistribute it and/or modify
103+# it under the terms of the GNU General Public License as published by
104+# the Free Software Foundation, either version 3 of the License, or
105+# (at your option) any later version.
106+
107+# This program is distributed in the hope that it will be useful,
108+# but WITHOUT ANY WARRANTY; without even the implied warranty of
109+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
110+# GNU General Public License for more details.
111+
112+# You should have received a copy of the GNU General Public License
113+# along with this program. If not, see <http://www.gnu.org/licenses/>.
114+
115+. "${srcdir=.}/init.sh"; path_prepend_ ../src
116+
117+fail=0
118+
119+# This test case chooses a haystack of size 260,000, since prodding
120+# with gdb showed a reallocation slightly larger than that in fillbuf.
121+# To reach the buggy code, the needle must have length < 1/11 that of
122+# the haystack, and 10,000 is a nice round number that fits the bill.
123+printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
124+
125+test $? = 1 || fail=1
126+
127+Exit $fail
128--
129cgit v0.9.0.2