Diffstat (limited to 'meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch')
-rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch | 121 |
1 files changed, 121 insertions, 0 deletions
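--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
@@ -0,0 +1,121 @@
+From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Fri, 12 Feb 2021 20:18:31 +0100
+Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
+
+RAR5 reader uses several variables to manage the window buffer during
+extraction: the buffer itself (`window_buf`), the current size of the
+window buffer (`window_size`), and a helper variable (`window_mask`)
+that is used to constrain read and write offsets to the window buffer.
+
+Some specially crafted files can force the unpacker to update the
+`window_mask` variable to a value that is out of sync with current
+buffer size. If the `window_mask` will be bigger than the actual buffer
+size, then an invalid access operation can happen (SIGSEGV).
+
+This commit ensures that if the `window_size` and `window_mask` will be
+changed, the window buffer will be reallocated to the proper size, so no
+invalid memory operation should be possible.
+
+This commit contains a test file from OSSFuzz #30442.
+
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-2.patch?h=applied/3.4.3-2ubuntu0.1]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+Makefile.am | 1 +
+libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
+libarchive/test/test_read_format_rar5.c | 17 ++++++++++++
+...mat_rar5_window_buf_and_size_desync.rar.uu | 11 ++++++++
+4 files changed, 50 insertions(+), 6 deletions(-)
+create mode 100644 libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -884,6 +884,7 @@ libarchive_test_EXTRA_DIST=\
+libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
+libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
++ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
+libarchive/test/test_read_format_raw.bufr.uu \
+libarchive/test/test_read_format_raw.data.gz.uu \
+libarchive/test/test_read_format_raw.data.Z.uu \
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1730,14 +1730,29 @@ static int process_head_file(struct arch
+}
+}
+
+- /* If we're currently switching volumes, ignore the new definition of
+- * window_size. */
+- if(rar->cstate.switch_multivolume == 0) {
+- /* Values up to 64M should fit into ssize_t on every
+- * architecture. */
+- rar->cstate.window_size = (ssize_t) window_size;
++ if(rar->cstate.window_size < (ssize_t) window_size &&
++ rar->cstate.window_buf)
++ {
++ /* If window_buf has been allocated before, reallocate it, so
++ * that its size will match new window_size. */
++
++ uint8_t* new_window_buf =
++ realloc(rar->cstate.window_buf, window_size);
++
++ if(!new_window_buf) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
++ "Not enough memory when trying to realloc the window "
++ "buffer.");
++ return ARCHIVE_FATAL;
++ }
++
++ rar->cstate.window_buf = new_window_buf;
+}
+
++ /* Values up to 64M should fit into ssize_t on every
++ * architecture. */
++ rar->cstate.window_size = (ssize_t) window_size;
++
+if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
+/* Solid files have to have the same window_size across
+whole archive. Remember the window_size parameter
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1206,6 +1206,23 @@ DEFINE_TEST(test_read_format_rar5_differ
+EPILOGUE();
+}
+
++DEFINE_TEST(test_read_format_rar5_window_buf_and_size_desync)
++{
++ /* oss fuzz 30442 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_window_buf_and_size_desync.rar");
++
++ /* Return codes of those calls are ignored, because this sample file
++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
++ * errors during processing. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, 46)) {}
++
++ EPILOGUE();
++}
++
+DEFINE_TEST(test_read_format_rar5_arm_filter_on_window_boundary)
+{
+char buf[4096];
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
+@@ -0,0 +1,11 @@
++begin 644 test_read_format_rar5_window_buf_and_size_desync.rar
++M4F%R(1H'`0`]/-[E`@$`_P$`1#[Z5P("`PL``BXB"?\`!(@B@0`)6.-AF?_1
++M^0DI&0GG(F%R(0<:)`!3@"KT`P+G(@O_X[\``#&``(?!!0$$[:L``$.M*E)A
++M<B$`O<\>P0";/P1%``A*2DI*2DYQ<6TN9'%*2DI*2DI*``!D<F--``````"Z
++MNC*ZNKJZNFYO=&%I;+JZNKJZNKJZOKJZ.KJZNKJZNKKZU@4%````0$!`0$!`
++M0$!`0$!`0$!`0$#_________/T#`0$!`0$!`-UM`0$!`0$!`0$!`0$!`0$!`
++M0$!`0'!,J+:O!IZ-WN4'@`!3*F0`````````````````````````````````
++M``````````````#T`P)287(A&@<!`%.`*O0#`N<B`_,F@`'[__\``(`4`01S
++J'`/H/O\H@?\D`#O9GIZ>GN<B"_]%``(``&1RGIZ>GIZ>8_^>GE/_``!.
++`
++end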
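Review bot: The realloc branch added inside process_head_file grows `window_buf` but never touches `window_mask`, even though the backported commit message names a mask/buffer desync as the bug, so the fix depends on `window_mask` being recomputed from `window_size` somewhere outside this hunk; a short comment at the new `rar->cstate.window_size = (ssize_t) window_size;` assignment should state that, e.g. `/* window_mask is derived from window_size elsewhere; keep both in step with the window_buf allocation above. */`. realloc leaves the grown tail uninitialised, which is only safe if the decoder never reads a window position it has not yet written — worth confirming for this fuzz-derived sample, or zeroing the tail before the size update with `memset(new_window_buf + rar->cstate.window_size, 0, window_size - rar->cstate.window_size);` if that is not guaranteed. The guard also only fires when `window_buf` is already allocated, so a header seen before the first allocation relies on the later allocation path honouring the updated `window_size`, which this hunk does not show. process_head_file starts and ends outside the hunk.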