grep2.19: CVE-2015-1345

Fixes heap-based buffer overflow flaw in grep. Affected versions are: grep 2.19 through 2.21 Removed THANKS.in changes from upstream patch since this file does not exist in version 2.19. Replaced tab with spaces in SRC_URI as well. Upstream fix: http://git.sv.gnu.org/cgit/grep.git/commit/?id= 83a95bd8c8561875b948cadd417c653dbe7ef2e2 (From OE-Core rev: fb3e73fb2536b718dfce0e7b126f75464b9874aa) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-09-16 16:31:42 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-30 12:03:13 +0000
commit: 0facda51cea8bdf32515dfd6a7fd50b4ed3b0de0 (patch)
tree: d23d14aed1659f1267dc329bad4d1a084f4a86e4
parent: 8cf47f82b945c6940461da9d3358fca0a454d7bf (diff)
download: poky-0facda51cea8bdf32515dfd6a7fd50b4ed3b0de0.tar.gz
2 files changed, 132 insertions, 1 deletions
diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
new file mode 100644
index 0000000000..32846f50be
--- /dev/null
+++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypisetsky@fb.com>
+Date: Thu, 01 Jan 2015 23:36:55 +0000
+Subject: grep -F: fix a heap buffer (read) overrun
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file.  In that case, the number of
+bytes read may be far less than the size of the buffer.  However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match.  With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether.  This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+Prior to this patch, this command would trigger a UMR:
+  printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+  Use of uninitialised value of size 8
+     at 0x4142BE: bmexec_trans (kwset.c:657)
+     by 0x4143CA: bmexec (kwset.c:678)
+     by 0x414973: kwsexec (kwset.c:848)
+     by 0x414DC4: Fexecute (kwsearch.c:128)
+     by 0x404E2E: grepbuf (grep.c:1238)
+     by 0x4054BF: grep (grep.c:1417)
+     by 0x405CEB: grepdesc (grep.c:1645)
+     by 0x405EC1: grep_command_line_arg (grep.c:1692)
+     by 0x4077D4: main (grep.c:2570)
+See the accompanying test for how to trigger the heap buffer overrun.
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+Fixes CVE-2015-1345.
+Upstream-Status: Backport
+---
+diff --git a/NEWS b/NEWS
+index 975440d..3835d8d 100644
+--- a/NEWS
+++ b/NEWS
+@@ -2,6 +2,11 @@ GNU grep NEWS                                    -*- outline -*-
+ 
+ * Noteworthy changes in release ?.? (????-??-??) [?]
+ 
+** Bug fixes
+
+  grep no longer reads from uninitialized memory or from beyond the end
+  of the heap-allocated input buffer.
+
+ 
+ * Noteworthy changes in release 2.21 (2014-11-23) [stable]
+ 
+diff --git a/src/kwset.c b/src/kwset.c
+index 4003c8d..376f7c3 100644
+--- a/src/kwset.c
+++ b/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
+                     if (! tp)
+                       return -1;
+                     tp++;
+                    if (ep <= tp)
+                      break;
+                   }
+               }
+           }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2cba2cd..0508cd2 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -75,6 +75,7 @@ TESTS =                                               \
+   inconsistent-range                           \
+   invalid-multibyte-infloop                    \
+   khadafy                                      \
+  kwset-abuse                                  \
+   long-line-vs-2GiB-read                       \
+   match-lines                                  \
+   max-count-overread                           \
+diff --git a/tests/kwset-abuse b/tests/kwset-abuse
+new file mode 100755
+index 0000000..6d8ec0c
+--- a/dev/null
+++ b/tests/kwset-abuse
+@@ -0,0 +1,32 @@
+#! /bin/sh
+# Evoke a segfault in a hard-to-reach code path of kwset.c.
+# This bug affected grep versions 2.19 through 2.21.
+#
+# Copyright (C) 2015 Free Software Foundation, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ../src
+
+fail=0
+
+# This test case chooses a haystack of size 260,000, since prodding
+# with gdb showed a reallocation slightly larger than that in fillbuf.
+# To reach the buggy code, the needle must have length < 1/11 that of
+# the haystack, and 10,000 is a nice round number that fits the bill.
+printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
+
+test $? = 1 || fail=1
+
+Exit $fail
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-extended/grep/grep_2.19.bb b/meta/recipes-extended/grep/grep_2.19.bb
index 9c162cca49..d60ce5e389 100644
--- a/meta/recipes-extended/grep/grep_2.19.bb
+++ b/meta/recipes-extended/grep/grep_2.19.bb
@@ -5,7 +5,9 @@ SECTION = "console/utils"
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=8006d9c814277c1bfc4ca22af94b59ee"
-SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz"
+SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz \
+           file://grep2.19-CVE-2015-1345.patch \
+           "
 SRC_URI[md5sum] = "ac732142227d9fe9567d71301e127979"
 SRC_URI[sha256sum] = "6388295be48cfcaf7665d9cd3914e6625ea000e9414132bfefd45cf1d8eec34d"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-09-16 16:31:42 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-30 12:03:13 +0000
commit	0facda51cea8bdf32515dfd6a7fd50b4ed3b0de0 (patch)
tree	d23d14aed1659f1267dc329bad4d1a084f4a86e4
parent	8cf47f82b945c6940461da9d3358fca0a454d7bf (diff)
download	poky-0facda51cea8bdf32515dfd6a7fd50b4ed3b0de0.tar.gz

diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch new file mode 100644 index 0000000000..32846f50be --- /dev/null +++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
		1	From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
		2	From: Yuliy Pisetsky <ypisetsky@fb.com>
		3	Date: Thu, 01 Jan 2015 23:36:55 +0000
		4	Subject: grep -F: fix a heap buffer (read) overrun
		5
		6	grep's read buffer is often filled to its full size, except when
		7	reading the final buffer of a file. In that case, the number of
		8	bytes read may be far less than the size of the buffer. However, for
		9	certain unusual pattern/text combinations, grep -F would mistakenly
		10	examine bytes in that uninitialized region of memory when searching
		11	for a match. With carefully chosen inputs, one can cause grep -F to
		12	read beyond the end of that buffer altogether. This problem arose via
		13	commit v2.18-90-g73893ff with the introduction of a more efficient
		14	heuristic using what is now the memchr_kwset function. The use of
		15	that function in bmexec_trans could leave TP much larger than EP,
		16	and the subsequent call to bm_delta2_search would mistakenly access
		17	beyond end of the main input read buffer.
		18
		19	* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
		20	do not call bm_delta2_search.
		21	* tests/kwset-abuse: New file.
		22	* tests/Makefile.am (TESTS): Add it.
		23	* NEWS (Bug fixes): Mention it.
		24
		25	Prior to this patch, this command would trigger a UMR:
		26
		27	printf %0360db 0 \| valgrind src/grep -F $(printf %019dXb 0)
		28
		29	Use of uninitialised value of size 8
		30	at 0x4142BE: bmexec_trans (kwset.c:657)
		31	by 0x4143CA: bmexec (kwset.c:678)
		32	by 0x414973: kwsexec (kwset.c:848)
		33	by 0x414DC4: Fexecute (kwsearch.c:128)
		34	by 0x404E2E: grepbuf (grep.c:1238)
		35	by 0x4054BF: grep (grep.c:1417)
		36	by 0x405CEB: grepdesc (grep.c:1645)
		37	by 0x405EC1: grep_command_line_arg (grep.c:1692)
		38	by 0x4077D4: main (grep.c:2570)
		39
		40	See the accompanying test for how to trigger the heap buffer overrun.
		41
		42	Thanks to Nima Aghdaii for testing and finding numerous
		43	ways to break early iterations of this patch.
		44
		45	Fixes CVE-2015-1345.
		46	Upstream-Status: Backport
		47
		48	---
		49	diff --git a/NEWS b/NEWS
		50	index 975440d..3835d8d 100644
		51	--- a/NEWS
		52	+++ b/NEWS
		53	@@ -2,6 +2,11 @@ GNU grep NEWS -- outline --
		54
		55	* Noteworthy changes in release ?.? (????-??-??) [?]
		56
		57	+** Bug fixes
		58	+
		59	+ grep no longer reads from uninitialized memory or from beyond the end
		60	+ of the heap-allocated input buffer.
		61	+
		62
		63	* Noteworthy changes in release 2.21 (2014-11-23) [stable]
		64
		65	diff --git a/src/kwset.c b/src/kwset.c
		66	index 4003c8d..376f7c3 100644
		67	--- a/src/kwset.c
		68	+++ b/src/kwset.c
		69	@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
		70	if (! tp)
		71	return -1;
		72	tp++;
		73	+ if (ep <= tp)
		74	+ break;
		75	}
		76	}
		77	}
		78	diff --git a/tests/Makefile.am b/tests/Makefile.am
		79	index 2cba2cd..0508cd2 100644
		80	--- a/tests/Makefile.am
		81	+++ b/tests/Makefile.am
		82	@@ -75,6 +75,7 @@ TESTS = \
		83	inconsistent-range \
		84	invalid-multibyte-infloop \
		85	khadafy \
		86	+ kwset-abuse \
		87	long-line-vs-2GiB-read \
		88	match-lines \
		89	max-count-overread \
		90	diff --git a/tests/kwset-abuse b/tests/kwset-abuse
		91	new file mode 100755
		92	index 0000000..6d8ec0c
		93	--- a/dev/null
		94	+++ b/tests/kwset-abuse
		95	@@ -0,0 +1,32 @@
		96	+#! /bin/sh
		97	+# Evoke a segfault in a hard-to-reach code path of kwset.c.
		98	+# This bug affected grep versions 2.19 through 2.21.
		99	+#
		100	+# Copyright (C) 2015 Free Software Foundation, Inc.
		101	+#
		102	+# This program is free software: you can redistribute it and/or modify
		103	+# it under the terms of the GNU General Public License as published by
		104	+# the Free Software Foundation, either version 3 of the License, or
		105	+# (at your option) any later version.
		106	+
		107	+# This program is distributed in the hope that it will be useful,
		108	+# but WITHOUT ANY WARRANTY; without even the implied warranty of
		109	+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		110	+# GNU General Public License for more details.
		111	+
		112	+# You should have received a copy of the GNU General Public License
		113	+# along with this program. If not, see <http://www.gnu.org/licenses/>.
		114	+
		115	+. "${srcdir=.}/init.sh"; path_prepend_ ../src
		116	+
		117	+fail=0
		118	+
		119	+# This test case chooses a haystack of size 260,000, since prodding
		120	+# with gdb showed a reallocation slightly larger than that in fillbuf.
		121	+# To reach the buggy code, the needle must have length < 1/11 that of
		122	+# the haystack, and 10,000 is a nice round number that fits the bill.
		123	+printf '%0260000dXy\n' 0 \| grep -F $(printf %010000dy 0)
		124	+
		125	+test $? = 1 \|\| fail=1
		126	+
		127	+Exit $fail
		128	--
		129	cgit v0.9.0.2


diff --git a/meta/recipes-extended/grep/grep_2.19.bb b/meta/recipes-extended/grep/grep_2.19.bb index 9c162cca49..d60ce5e389 100644 --- a/meta/recipes-extended/grep/grep_2.19.bb +++ b/meta/recipes-extended/grep/grep_2.19.bb
@@ -5,7 +5,9 @@ SECTION = "console/utils"
5	LICENSE = "GPLv3"	5	LICENSE = "GPLv3"
6	LIC_FILES_CHKSUM = "file://COPYING;md5=8006d9c814277c1bfc4ca22af94b59ee"	6	LIC_FILES_CHKSUM = "file://COPYING;md5=8006d9c814277c1bfc4ca22af94b59ee"
7		7
8	SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz"	8	SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz \
		9	file://grep2.19-CVE-2015-1345.patch \
		10	"
9		11
10	SRC_URI[md5sum] = "ac732142227d9fe9567d71301e127979"	12	SRC_URI[md5sum] = "ac732142227d9fe9567d71301e127979"
11	SRC_URI[sha256sum] = "6388295be48cfcaf7665d9cd3914e6625ea000e9414132bfefd45cf1d8eec34d"	13	SRC_URI[sha256sum] = "6388295be48cfcaf7665d9cd3914e6625ea000e9414132bfefd45cf1d8eec34d"