2 files changed, 115 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/CVE-2025-0838.patch b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/CVE-2025-0838.patch
new file mode 100644
index 0000000000..c8d5cd1f0a
--- /dev/null
+++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/CVE-2025-0838.patch
@@ -0,0 +1,114 @@
+From bdbad523d92cd2308139086226bfc36fc2068267 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2025 12:05:11 +0800
+Subject: [PATCH] Fix potential integer overflow in hash container
+ create/resize (#1813)
+The sized constructors, reserve(), and rehash() methods of
+absl::{flat,node}_hash_{set,map} did not impose an upper bound on
+their size argument. As a result, it was possible for a caller to pass
+a very large size that would cause an integer overflow when computing
+the size of the container's backing store. Subsequent accesses to the
+container might then access out-of-bounds memory.
+The fix is in two parts:
+1) Update max_size() to return the maximum number of items that can be
+stored in the container
+2) Validate the size arguments to the constructors, reserve(), and
+rehash() methods, and abort the program when the argument is invalid
+We've looked at uses of these containers in Google codebases like
+Chrome, and determined this vulnerability is likely to be difficult to
+exploit. This is primarily because container sizes are rarely
+attacker-controlled.
+The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
+CVE: CVE-2025-0838
+Upstream-Status: Backport [https://github.com/abseil/abseil-cpp/commit/caa7bb4457bfcafcd55a940204ef78c1bf1f417d]
+This patch is backported from 20230802.3
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ absl/container/internal/raw_hash_set.h       | 15 ++++++++++++++-
+ absl/container/internal/raw_hash_set_test.cc |  8 ++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h
+index 046a6939..ecea25b4 100644
+--- a/absl/container/internal/raw_hash_set.h
+++ b/absl/container/internal/raw_hash_set.h
+@@ -662,6 +662,12 @@ inline size_t NormalizeCapacity(size_t n) {
+   return n ? ~size_t{} >> countl_zero(n) : 1;
+ }
+ 
+template <size_t kSlotSize>
+size_t MaxValidCapacity() {
+  return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
+                           kSlotSize);
+}
+
+ // General notes on capacity/growth methods below:
+ // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
+ //   average of two empty slots per group.
+@@ -1065,6 +1071,8 @@ class raw_hash_set {
+       : ctrl_(EmptyGroup()),
+         settings_(0, HashtablezInfoHandle(), hash, eq, alloc) {
+     if (bucket_count) {
+      ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity<sizeof(slot_type)>(),
+                     "Hash table size overflow");
+       capacity_ = NormalizeCapacity(bucket_count);
+       initialize_slots();
+     }
+@@ -1258,7 +1266,9 @@ class raw_hash_set {
+   bool empty() const { return !size(); }
+   size_t size() const { return size_; }
+   size_t capacity() const { return capacity_; }
+-  size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
+  size_t max_size() const {
+    return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
+  }
+ 
+   ABSL_ATTRIBUTE_REINITIALIZES void clear() {
+     // Iterating over this container is O(bucket_count()). When bucket_count()
+@@ -1595,6 +1605,8 @@ class raw_hash_set {
+     auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size()));
+     // n == 0 unconditionally rehashes as per the standard.
+     if (n == 0 || m > capacity_) {
+      ABSL_RAW_CHECK(m <= MaxValidCapacity<sizeof(slot_type)>(),
+                     "Hash table size overflow");
+       resize(m);
+ 
+       // This is after resize, to ensure that we have completed the allocation
+@@ -1605,6 +1617,7 @@ class raw_hash_set {
+ 
+   void reserve(size_t n) {
+     if (n > size() + growth_left()) {
+      ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow");
+       size_t m = GrowthToLowerboundCapacity(n);
+       resize(NormalizeCapacity(m));
+ 
+diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc
+index 9cd88a28..81a5c866 100644
+--- a/absl/container/internal/raw_hash_set_test.cc
+++ b/absl/container/internal/raw_hash_set_test.cc
+@@ -2176,6 +2176,14 @@ TEST(Table, AlignOne) {
+   }
+ }
+ 
+TEST(Table, MaxSizeOverflow) {
+  size_t overflow = (std::numeric_limits<size_t>::max)();
+  EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
+  IntTable t;
+  EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
+  EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
+}
+
+ }  // namespace
+ }  // namespace container_internal
+ ABSL_NAMESPACE_END
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
index 30eef75ffb..dd63aedab9 100644
--- a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
+++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH};protocol=https \
           file://0002-Remove-maes-option-from-cross-compilation.patch \
           file://abseil-ppc-fixes.patch \
           file://0001-absl-strings-internal-str_format-extension.h-add-mis.patch \
+           file://CVE-2025-0838.patch \
          "
 S = "${WORKDIR}/git"

diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/CVE-2025-0838.patch b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/CVE-2025-0838.patch new file mode 100644 index 0000000000..c8d5cd1f0a --- /dev/null +++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/CVE-2025-0838.patch
@@ -0,0 +1,114 @@
		1	From bdbad523d92cd2308139086226bfc36fc2068267 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Thu, 27 Feb 2025 12:05:11 +0800
		4	Subject: [PATCH] Fix potential integer overflow in hash container
		5	create/resize (#1813)
		6
		7	The sized constructors, reserve(), and rehash() methods of
		8	absl::{flat,node}_hash_{set,map} did not impose an upper bound on
		9	their size argument. As a result, it was possible for a caller to pass
		10	a very large size that would cause an integer overflow when computing
		11	the size of the container's backing store. Subsequent accesses to the
		12	container might then access out-of-bounds memory.
		13
		14	The fix is in two parts:
		15
		16	1) Update max_size() to return the maximum number of items that can be
		17	stored in the container
		18
		19	2) Validate the size arguments to the constructors, reserve(), and
		20	rehash() methods, and abort the program when the argument is invalid
		21
		22	We've looked at uses of these containers in Google codebases like
		23	Chrome, and determined this vulnerability is likely to be difficult to
		24	exploit. This is primarily because container sizes are rarely
		25	attacker-controlled.
		26
		27	The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
		28
		29	CVE: CVE-2025-0838
		30	Upstream-Status: Backport [https://github.com/abseil/abseil-cpp/commit/caa7bb4457bfcafcd55a940204ef78c1bf1f417d]
		31	This patch is backported from 20230802.3
		32
		33	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		34	---
		35	absl/container/internal/raw_hash_set.h \| 15 ++++++++++++++-
		36	absl/container/internal/raw_hash_set_test.cc \| 8 ++++++++
		37	2 files changed, 22 insertions(+), 1 deletion(-)
		38
		39	diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h
		40	index 046a6939..ecea25b4 100644
		41	--- a/absl/container/internal/raw_hash_set.h
		42	+++ b/absl/container/internal/raw_hash_set.h
		43	@@ -662,6 +662,12 @@ inline size_t NormalizeCapacity(size_t n) {
		44	return n ? ~size_t{} >> countl_zero(n) : 1;
		45	}
		46
		47	+template <size_t kSlotSize>
		48	+size_t MaxValidCapacity() {
		49	+ return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
		50	+ kSlotSize);
		51	+}
		52	+
		53	// General notes on capacity/growth methods below:
		54	// - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
		55	// average of two empty slots per group.
		56	@@ -1065,6 +1071,8 @@ class raw_hash_set {
		57	: ctrl_(EmptyGroup()),
		58	settings_(0, HashtablezInfoHandle(), hash, eq, alloc) {
		59	if (bucket_count) {
		60	+ ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity<sizeof(slot_type)>(),
		61	+ "Hash table size overflow");
		62	capacity_ = NormalizeCapacity(bucket_count);
		63	initialize_slots();
		64	}
		65	@@ -1258,7 +1266,9 @@ class raw_hash_set {
		66	bool empty() const { return !size(); }
		67	size_t size() const { return size_; }
		68	size_t capacity() const { return capacity_; }
		69	- size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
		70	+ size_t max_size() const {
		71	+ return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
		72	+ }
		73
		74	ABSL_ATTRIBUTE_REINITIALIZES void clear() {
		75	// Iterating over this container is O(bucket_count()). When bucket_count()
		76	@@ -1595,6 +1605,8 @@ class raw_hash_set {
		77	auto m = NormalizeCapacity(n \| GrowthToLowerboundCapacity(size()));
		78	// n == 0 unconditionally rehashes as per the standard.
		79	if (n == 0 \|\| m > capacity_) {
		80	+ ABSL_RAW_CHECK(m <= MaxValidCapacity<sizeof(slot_type)>(),
		81	+ "Hash table size overflow");
		82	resize(m);
		83
		84	// This is after resize, to ensure that we have completed the allocation
		85	@@ -1605,6 +1617,7 @@ class raw_hash_set {
		86
		87	void reserve(size_t n) {
		88	if (n > size() + growth_left()) {
		89	+ ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow");
		90	size_t m = GrowthToLowerboundCapacity(n);
		91	resize(NormalizeCapacity(m));
		92
		93	diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc
		94	index 9cd88a28..81a5c866 100644
		95	--- a/absl/container/internal/raw_hash_set_test.cc
		96	+++ b/absl/container/internal/raw_hash_set_test.cc
		97	@@ -2176,6 +2176,14 @@ TEST(Table, AlignOne) {
		98	}
		99	}
		100
		101	+TEST(Table, MaxSizeOverflow) {
		102	+ size_t overflow = (std::numeric_limits<size_t>::max)();
		103	+ EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
		104	+ IntTable t;
		105	+ EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
		106	+ EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
		107	+}
		108	+
		109	} // namespace
		110	} // namespace container_internal
		111	ABSL_NAMESPACE_END
		112	--
		113	2.34.1
		114


diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb index 30eef75ffb..dd63aedab9 100644 --- a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb +++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH};protocol=https \
15	file://0002-Remove-maes-option-from-cross-compilation.patch \	15	file://0002-Remove-maes-option-from-cross-compilation.patch \
16	file://abseil-ppc-fixes.patch \	16	file://abseil-ppc-fixes.patch \
17	file://0001-absl-strings-internal-str_format-extension.h-add-mis.patch \	17	file://0001-absl-strings-internal-str_format-extension.h-add-mis.patch \
		18	file://CVE-2025-0838.patch \
18	"	19	"
19		20
20	S = "${WORKDIR}/git"	21	S = "${WORKDIR}/git"