2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
new file mode 100644
index 0000000000..972cc8938b
--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
@@ -0,0 +1,92 @@
+From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
+From: Sebastien <seb@fedora-2.home>
+Date: Sat, 15 Oct 2022 14:24:22 +0200
+Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
+allocate_structures function located in sa_common.c insufficiently
+checks bounds before arithmetic multiplication allowing for an
+overflow in the size allocated for the buffer representing system
+activities.
+This patch checks that the post-multiplied value is not greater than
+UINT_MAX.
+Signed-off-by: Sebastien <seb@fedora-2.home>
+Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540]
+CVE : CVE-2022-39377
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common.c    | 25 +++++++++++++++++++++++++
+ common.h    |  2 ++
+ sa_common.c |  6 ++++++
+ 3 files changed, 33 insertions(+)
+diff --git a/common.c b/common.c
+index ddfe75d..28d475e 100644
+--- a/common.c
+++ b/common.c
+@@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
+ 
+        return 0;
+ }
+
+/*
+ ***************************************************************************
+ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
+ *
+ * IN:
+ * @val1       First value.
+ * @val2       Second value.
+ * @val3       Third value.
+ ***************************************************************************
+ */
+void check_overflow(size_t val1, size_t val2, size_t val3)
+{
+       if ((unsigned long long) val1 *
+           (unsigned long long) val2 *
+           (unsigned long long) val3 > UINT_MAX) {
+#ifdef DEBUG
+               fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+                       __FUNCTION__,
+                       (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
+#endif
+       exit(4);
+       }
+}
+
+ #endif /* SOURCE_SADC undefined */
+diff --git a/common.h b/common.h
+index 86905ba..75f837a 100644
+--- a/common.h
+++ b/common.h
+@@ -249,6 +249,8 @@ int get_wwnid_from_pretty
+        (char *, unsigned long long *, unsigned int *);
+ 
+ #ifndef SOURCE_SADC
+void check_overflow
+       (size_t, size_t, size_t);
+ int count_bits
+        (void *, int);
+ int count_csvalues
+diff --git a/sa_common.c b/sa_common.c
+index 8a03099..ff90c1f 100644
+--- a/sa_common.c
+++ b/sa_common.c
+@@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[])
+        int i, j;
+ 
+        for (i = 0; i < NR_ACT; i++) {
+
+                if (act[i]->nr_ini > 0) {
+
+                       /* Look for a possible overflow */
+                       check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
+                                      (size_t) act[i]->nr2);
+
+                        for (j = 0; j < 3; j++) {
+                                SREALLOC(act[i]->buf[j], void,
+                                                (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
+-- 
+2.25.1
diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
new file mode 100644
index 0000000000..9a27945a8b
--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
@@ -0,0 +1,46 @@
+Origin: https://github.com/opencontainers/runc/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-02-18
+From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001
+From: Pavel Kopylov <pkopylov@cloudlinux.com>
+Date: Wed, 17 May 2023 11:33:45 +0200
+Subject: [PATCH] Fix an overflow which is still possible for some values.
+CVE: CVE-2023-33204
+Upstream-Status: Backport [ upstream: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0 
+debian: http://security.debian.org/debian-security/pool/updates/main/s/sysstat/sysstat_12.0.3-2+deb10u2.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+Index: sysstat-12.0.3/common.c
+===================================================================
+--- sysstat-12.0.3.orig/common.c
+++ sysstat-12.0.3/common.c
+@@ -1449,15 +1449,16 @@ int parse_values(char *strargv, unsigned
+  */
+ void check_overflow(size_t val1, size_t val2, size_t val3)
+ {
+-       if ((unsigned long long) val1 *
+-           (unsigned long long) val2 *
+-           (unsigned long long) val3 > UINT_MAX) {
+       if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
+           (((unsigned long long) UINT_MAX / (unsigned long long) val1 <
+             (unsigned long long) val2) ||
+            ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) <
+             (unsigned long long) val3))) {
+ #ifdef DEBUG
+-               fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+-                       __FUNCTION__,
+-                       (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
+               fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n",
+                       __FUNCTION__, val1, val2, val3);
+ #endif
+-       exit(4);
+               exit(4);
+        }
+ }
+

diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch new file mode 100644 index 0000000000..972cc8938b --- /dev/null +++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
@@ -0,0 +1,92 @@
	1	From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
	2	From: Sebastien <seb@fedora-2.home>
	3	Date: Sat, 15 Oct 2022 14:24:22 +0200
	4	Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
	5
	6	allocate_structures function located in sa_common.c insufficiently
	7	checks bounds before arithmetic multiplication allowing for an
	8	overflow in the size allocated for the buffer representing system
	9	activities.
	10
	11	This patch checks that the post-multiplied value is not greater than
	12	UINT_MAX.
	13
	14	Signed-off-by: Sebastien <seb@fedora-2.home>
	15
	16	Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540]
	17	CVE : CVE-2022-39377
	18	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	19	---
	20	common.c \| 25 +++++++++++++++++++++++++
	21	common.h \| 2 ++
	22	sa_common.c \| 6 ++++++
	23	3 files changed, 33 insertions(+)
	24
	25	diff --git a/common.c b/common.c
	26	index ddfe75d..28d475e 100644
	27	--- a/common.c
	28	+++ b/common.c
	29	@@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
	30
	31	return 0;
	32	}
	33	+
	34	+/*
	35	+ ***************************************************************************
	36	+ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
	37	+ *
	38	+ * IN:
	39	+ * @val1 First value.
	40	+ * @val2 Second value.
	41	+ * @val3 Third value.
	42	+ ***************************************************************************
	43	+ */
	44	+void check_overflow(size_t val1, size_t val2, size_t val3)
	45	+{
	46	+ if ((unsigned long long) val1 *
	47	+ (unsigned long long) val2 *
	48	+ (unsigned long long) val3 > UINT_MAX) {
	49	+#ifdef DEBUG
	50	+ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
	51	+ __FUNCTION__,
	52	+ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
	53	+#endif
	54	+ exit(4);
	55	+ }
	56	+}
	57	+
	58	#endif /* SOURCE_SADC undefined */
	59	diff --git a/common.h b/common.h
	60	index 86905ba..75f837a 100644
	61	--- a/common.h
	62	+++ b/common.h
	63	@@ -249,6 +249,8 @@ int get_wwnid_from_pretty
	64	(char , unsigned long long , unsigned int *);
	65
	66	#ifndef SOURCE_SADC
	67	+void check_overflow
	68	+ (size_t, size_t, size_t);
	69	int count_bits
	70	(void *, int);
	71	int count_csvalues
	72	diff --git a/sa_common.c b/sa_common.c
	73	index 8a03099..ff90c1f 100644
	74	--- a/sa_common.c
	75	+++ b/sa_common.c
	76	@@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[])
	77	int i, j;
	78
	79	for (i = 0; i < NR_ACT; i++) {
	80	+
	81	if (act[i]->nr_ini > 0) {
	82	+
	83	+ /* Look for a possible overflow */
	84	+ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
	85	+ (size_t) act[i]->nr2);
	86	+
	87	for (j = 0; j < 3; j++) {
	88	SREALLOC(act[i]->buf[j], void,
	89	(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
	90	--
	91	2.25.1
	92


diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch new file mode 100644 index 0000000000..9a27945a8b --- /dev/null +++ b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
@@ -0,0 +1,46 @@
	1	Origin: https://github.com/opencontainers/runc/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
	2	Reviewed-by: Sylvain Beucler <beuc@debian.org>
	3	Last-Update: 2023-02-18
	4
	5	From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001
	6	From: Pavel Kopylov <pkopylov@cloudlinux.com>
	7	Date: Wed, 17 May 2023 11:33:45 +0200
	8	Subject: [PATCH] Fix an overflow which is still possible for some values.
	9
	10	CVE: CVE-2023-33204
	11	Upstream-Status: Backport [ upstream: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
	12	debian: http://security.debian.org/debian-security/pool/updates/main/s/sysstat/sysstat_12.0.3-2+deb10u2.debian.tar.xz ]
	13	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
	14
	15	---
	16	common.c \| 7 +++++--
	17	1 file changed, 5 insertions(+), 2 deletions(-)
	18
	19	Index: sysstat-12.0.3/common.c
	20	===================================================================
	21	--- sysstat-12.0.3.orig/common.c
	22	+++ sysstat-12.0.3/common.c
	23	@@ -1449,15 +1449,16 @@ int parse_values(char *strargv, unsigned
	24	*/
	25	void check_overflow(size_t val1, size_t val2, size_t val3)
	26	{
	27	- if ((unsigned long long) val1 *
	28	- (unsigned long long) val2 *
	29	- (unsigned long long) val3 > UINT_MAX) {
	30	+ if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
	31	+ (((unsigned long long) UINT_MAX / (unsigned long long) val1 <
	32	+ (unsigned long long) val2) \|\|
	33	+ ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) <
	34	+ (unsigned long long) val3))) {
	35	#ifdef DEBUG
	36	- fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
	37	- __FUNCTION__,
	38	- (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
	39	+ fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n",
	40	+ __FUNCTION__, val1, val2, val3);
	41	#endif
	42	- exit(4);
	43	+ exit(4);
	44	}
	45	}
	46