diff options
| author | Vijay Anusuri <vanusuri@mvista.com> | 2023-03-03 16:13:01 +0530 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-03-14 14:59:10 +0000 |
| commit | 7b9f7437edcc3de1c52345deefcc507452ee95fc (patch) | |
| tree | cf51dcd19d05051d658aae6a30932f7348762830 | |
| parent | c35692c6ebd704e7f4c13b34ac66eda35e8e251e (diff) | |
| download | poky-7b9f7437edcc3de1c52345deefcc507452ee95fc.tar.gz | |
git: Security fix for CVE-2022-41903
Upstream-Status: Backport from https://github.com/git/git/commit/a244dc5b & https://github.com/git/git/commit/81dc898d &
https://github.com/git/git/commit/b49f309a & https://github.com/git/git/commit/f6e0b9f3 &
https://github.com/git/git/commit/1de69c0c & https://github.com/git/git/commit/48050c42 &
https://github.com/git/git/commit/522cc87f & https://github.com/git/git/commit/17d23e8a &
https://github.com/git/git/commit/937b71cc & https://github.com/git/git/commit/81c2d4c3 &
https://github.com/git/git/commit/f930a239 & https://github.com/git/git/commit/304a50ad
(From OE-Core rev: d591ac4dfeff7b69086a47c7e88a8127f1d31299)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-01.patch | 39 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-02.patch | 187 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-03.patch | 146 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-04.patch | 150 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-05.patch | 98 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-06.patch | 90 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-07.patch | 123 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-08.patch | 67 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-09.patch | 162 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-10.patch | 99 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-11.patch | 90 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-12.patch | 124 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/git.inc | 12 |
13 files changed, 1387 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-01.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-01.patch new file mode 100644 index 0000000000..87091abd47 --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-01.patch | |||
| @@ -0,0 +1,39 @@ | |||
| 1 | From a244dc5b0a629290881641467c7a545de7508ab2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Carlo Marcelo Arenas Belón <carenas@gmail.com> | ||
| 3 | Date: Tue, 2 Nov 2021 15:46:06 +0000 | ||
| 4 | Subject: [PATCH 01/12] test-lib: add prerequisite for 64-bit platforms | ||
| 5 | |||
| 6 | Allow tests that assume a 64-bit `size_t` to be skipped in 32-bit | ||
| 7 | platforms and regardless of the size of `long`. | ||
| 8 | |||
| 9 | This imitates the `LONG_IS_64BIT` prerequisite. | ||
| 10 | |||
| 11 | Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com> | ||
| 12 | Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> | ||
| 13 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 14 | |||
| 15 | Upstream-Status: Backport [https://github.com/git/git/commit/a244dc5b0a629290881641467c7a545de7508ab2] | ||
| 16 | CVE: CVE-2022-41903 | ||
| 17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 18 | --- | ||
| 19 | t/test-lib.sh | 4 ++++ | ||
| 20 | 1 file changed, 4 insertions(+) | ||
| 21 | |||
| 22 | diff --git a/t/test-lib.sh b/t/test-lib.sh | ||
| 23 | index e06fa02..db5ec2f 100644 | ||
| 24 | --- a/t/test-lib.sh | ||
| 25 | +++ b/t/test-lib.sh | ||
| 26 | @@ -1613,6 +1613,10 @@ build_option () { | ||
| 27 | sed -ne "s/^$1: //p" | ||
| 28 | } | ||
| 29 | |||
| 30 | +test_lazy_prereq SIZE_T_IS_64BIT ' | ||
| 31 | + test 8 -eq "$(build_option sizeof-size_t)" | ||
| 32 | +' | ||
| 33 | + | ||
| 34 | test_lazy_prereq LONG_IS_64BIT ' | ||
| 35 | test 8 -le "$(build_option sizeof-long)" | ||
| 36 | ' | ||
| 37 | -- | ||
| 38 | 2.25.1 | ||
| 39 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch new file mode 100644 index 0000000000..f35e55b585 --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch | |||
| @@ -0,0 +1,187 @@ | |||
| 1 | From 81dc898df9b4b4035534a927f3234a3839b698bf Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:46:25 +0100 | ||
| 4 | Subject: [PATCH 02/12] pretty: fix out-of-bounds write caused by integer overflow | ||
| 5 | |||
| 6 | When using a padding specifier in the pretty format passed to git-log(1) | ||
| 7 | we need to calculate the string length in several places. These string | ||
| 8 | lengths are stored in `int`s though, which means that these can easily | ||
| 9 | overflow when the input lengths exceeds 2GB. This can ultimately lead to | ||
| 10 | an out-of-bounds write when these are used in a call to memcpy(3P): | ||
| 11 | |||
| 12 | ==8340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1ec62f97fe at pc 0x7f2127e5f427 bp 0x7ffd3bd63de0 sp 0x7ffd3bd63588 | ||
| 13 | WRITE of size 1 at 0x7f1ec62f97fe thread T0 | ||
| 14 | #0 0x7f2127e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 | ||
| 15 | #1 0x5628e96aa605 in format_and_pad_commit pretty.c:1762 | ||
| 16 | #2 0x5628e96aa7f4 in format_commit_item pretty.c:1801 | ||
| 17 | #3 0x5628e97cdb24 in strbuf_expand strbuf.c:429 | ||
| 18 | #4 0x5628e96ab060 in repo_format_commit_message pretty.c:1869 | ||
| 19 | #5 0x5628e96acd0f in pretty_print_commit pretty.c:2161 | ||
| 20 | #6 0x5628e95a44c8 in show_log log-tree.c:781 | ||
| 21 | #7 0x5628e95a76ba in log_tree_commit log-tree.c:1117 | ||
| 22 | #8 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508 | ||
| 23 | #9 0x5628e922c35b in cmd_log_walk builtin/log.c:549 | ||
| 24 | #10 0x5628e922f1a2 in cmd_log builtin/log.c:883 | ||
| 25 | #11 0x5628e9106993 in run_builtin git.c:466 | ||
| 26 | #12 0x5628e9107397 in handle_builtin git.c:721 | ||
| 27 | #13 0x5628e9107b07 in run_argv git.c:788 | ||
| 28 | #14 0x5628e91088a7 in cmd_main git.c:923 | ||
| 29 | #15 0x5628e939d682 in main common-main.c:57 | ||
| 30 | #16 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f) | ||
| 31 | #17 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349) | ||
| 32 | #18 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115 | ||
| 33 | |||
| 34 | 0x7f1ec62f97fe is located 2 bytes to the left of 4831838265-byte region [0x7f1ec62f9800,0x7f1fe62f9839) | ||
| 35 | allocated by thread T0 here: | ||
| 36 | #0 0x7f2127ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85 | ||
| 37 | #1 0x5628e98774d4 in xrealloc wrapper.c:136 | ||
| 38 | #2 0x5628e97cb01c in strbuf_grow strbuf.c:99 | ||
| 39 | #3 0x5628e97ccd42 in strbuf_addchars strbuf.c:327 | ||
| 40 | #4 0x5628e96aa55c in format_and_pad_commit pretty.c:1761 | ||
| 41 | #5 0x5628e96aa7f4 in format_commit_item pretty.c:1801 | ||
| 42 | #6 0x5628e97cdb24 in strbuf_expand strbuf.c:429 | ||
| 43 | #7 0x5628e96ab060 in repo_format_commit_message pretty.c:1869 | ||
| 44 | #8 0x5628e96acd0f in pretty_print_commit pretty.c:2161 | ||
| 45 | #9 0x5628e95a44c8 in show_log log-tree.c:781 | ||
| 46 | #10 0x5628e95a76ba in log_tree_commit log-tree.c:1117 | ||
| 47 | #11 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508 | ||
| 48 | #12 0x5628e922c35b in cmd_log_walk builtin/log.c:549 | ||
| 49 | #13 0x5628e922f1a2 in cmd_log builtin/log.c:883 | ||
| 50 | #14 0x5628e9106993 in run_builtin git.c:466 | ||
| 51 | #15 0x5628e9107397 in handle_builtin git.c:721 | ||
| 52 | #16 0x5628e9107b07 in run_argv git.c:788 | ||
| 53 | #17 0x5628e91088a7 in cmd_main git.c:923 | ||
| 54 | #18 0x5628e939d682 in main common-main.c:57 | ||
| 55 | #19 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f) | ||
| 56 | #20 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349) | ||
| 57 | #21 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115 | ||
| 58 | |||
| 59 | SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy | ||
| 60 | Shadow bytes around the buggy address: | ||
| 61 | 0x0fe458c572a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 62 | 0x0fe458c572b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 63 | 0x0fe458c572c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 64 | 0x0fe458c572d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 65 | 0x0fe458c572e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 66 | =>0x0fe458c572f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] | ||
| 67 | 0x0fe458c57300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
| 68 | 0x0fe458c57310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
| 69 | 0x0fe458c57320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
| 70 | 0x0fe458c57330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
| 71 | 0x0fe458c57340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
| 72 | Shadow byte legend (one shadow byte represents 8 application bytes): | ||
| 73 | Addressable: 00 | ||
| 74 | Partially addressable: 01 02 03 04 05 06 07 | ||
| 75 | Heap left redzone: fa | ||
| 76 | Freed heap region: fd | ||
| 77 | Stack left redzone: f1 | ||
| 78 | Stack mid redzone: f2 | ||
| 79 | Stack right redzone: f3 | ||
| 80 | Stack after return: f5 | ||
| 81 | Stack use after scope: f8 | ||
| 82 | Global redzone: f9 | ||
| 83 | Global init order: f6 | ||
| 84 | Poisoned by user: f7 | ||
| 85 | Container overflow: fc | ||
| 86 | Array cookie: ac | ||
| 87 | Intra object redzone: bb | ||
| 88 | ASan internal: fe | ||
| 89 | Left alloca redzone: ca | ||
| 90 | Right alloca redzone: cb | ||
| 91 | ==8340==ABORTING | ||
| 92 | |||
| 93 | The pretty format can also be used in `git archive` operations via the | ||
| 94 | `export-subst` attribute. So this is what in our opinion makes this a | ||
| 95 | critical issue in the context of Git forges which allow to download an | ||
| 96 | archive of user supplied Git repositories. | ||
| 97 | |||
| 98 | Fix this vulnerability by using `size_t` instead of `int` to track the | ||
| 99 | string lengths. Add tests which detect this vulnerability when Git is | ||
| 100 | compiled with the address sanitizer. | ||
| 101 | |||
| 102 | Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com> | ||
| 103 | Original-patch-by: Joern Schneeweisz <jschneeweisz@gitlab.com> | ||
| 104 | Modified-by: Taylor Blau <me@ttalorr.com> | ||
| 105 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 106 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 107 | |||
| 108 | Upstream-Status: Backport [https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf] | ||
| 109 | CVE: CVE-2022-41903 | ||
| 110 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 111 | --- | ||
| 112 | pretty.c | 11 ++++++----- | ||
| 113 | t/t4205-log-pretty-formats.sh | 17 +++++++++++++++++ | ||
| 114 | 2 files changed, 23 insertions(+), 5 deletions(-) | ||
| 115 | |||
| 116 | diff --git a/pretty.c b/pretty.c | ||
| 117 | index b32f036..637e344 100644 | ||
| 118 | --- a/pretty.c | ||
| 119 | +++ b/pretty.c | ||
| 120 | @@ -1427,7 +1427,9 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */ | ||
| 121 | struct format_commit_context *c) | ||
| 122 | { | ||
| 123 | struct strbuf local_sb = STRBUF_INIT; | ||
| 124 | - int total_consumed = 0, len, padding = c->padding; | ||
| 125 | + size_t total_consumed = 0; | ||
| 126 | + int len, padding = c->padding; | ||
| 127 | + | ||
| 128 | if (padding < 0) { | ||
| 129 | const char *start = strrchr(sb->buf, '\n'); | ||
| 130 | int occupied; | ||
| 131 | @@ -1439,7 +1441,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */ | ||
| 132 | } | ||
| 133 | while (1) { | ||
| 134 | int modifier = *placeholder == 'C'; | ||
| 135 | - int consumed = format_commit_one(&local_sb, placeholder, c); | ||
| 136 | + size_t consumed = format_commit_one(&local_sb, placeholder, c); | ||
| 137 | total_consumed += consumed; | ||
| 138 | |||
| 139 | if (!modifier) | ||
| 140 | @@ -1505,7 +1507,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */ | ||
| 141 | } | ||
| 142 | strbuf_addbuf(sb, &local_sb); | ||
| 143 | } else { | ||
| 144 | - int sb_len = sb->len, offset = 0; | ||
| 145 | + size_t sb_len = sb->len, offset = 0; | ||
| 146 | if (c->flush_type == flush_left) | ||
| 147 | offset = padding - len; | ||
| 148 | else if (c->flush_type == flush_both) | ||
| 149 | @@ -1528,8 +1530,7 @@ static size_t format_commit_item(struct strbuf *sb, /* in UTF-8 */ | ||
| 150 | const char *placeholder, | ||
| 151 | void *context) | ||
| 152 | { | ||
| 153 | - int consumed; | ||
| 154 | - size_t orig_len; | ||
| 155 | + size_t consumed, orig_len; | ||
| 156 | enum { | ||
| 157 | NO_MAGIC, | ||
| 158 | ADD_LF_BEFORE_NON_EMPTY, | ||
| 159 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 160 | index f42a69f..a2acee1 100755 | ||
| 161 | --- a/t/t4205-log-pretty-formats.sh | ||
| 162 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 163 | @@ -788,4 +788,21 @@ test_expect_success '%S in git log --format works with other placeholders (part | ||
| 164 | test_cmp expect actual | ||
| 165 | ' | ||
| 166 | |||
| 167 | +test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' | ||
| 168 | + # We only assert that this command does not crash. This needs to be | ||
| 169 | + # executed with the address sanitizer to demonstrate failure. | ||
| 170 | + git log -1 --pretty="format:%>(2147483646)%x41%41%>(2147483646)%x41" >/dev/null | ||
| 171 | +' | ||
| 172 | + | ||
| 173 | +test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'set up huge commit' ' | ||
| 174 | + test-tool genzeros 2147483649 | tr "\000" "1" >expect && | ||
| 175 | + huge_commit=$(git commit-tree -F expect HEAD^{tree}) | ||
| 176 | +' | ||
| 177 | + | ||
| 178 | +test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' | ||
| 179 | + git log -1 --format="%B%<(1)%x30" $huge_commit >actual && | ||
| 180 | + echo 0 >>expect && | ||
| 181 | + test_cmp expect actual | ||
| 182 | +' | ||
| 183 | + | ||
| 184 | test_done | ||
| 185 | -- | ||
| 186 | 2.25.1 | ||
| 187 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch new file mode 100644 index 0000000000..d83d77eaf7 --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch | |||
| @@ -0,0 +1,146 @@ | |||
| 1 | From b49f309aa16febeddb65e82526640a91bbba3be3 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:46:30 +0100 | ||
| 4 | Subject: [PATCH 03/12] pretty: fix out-of-bounds read when left-flushing with stealing | ||
| 5 | |||
| 6 | With the `%>>(<N>)` pretty formatter, you can ask git-log(1) et al to | ||
| 7 | steal spaces. To do so we need to look ahead of the next token to see | ||
| 8 | whether there are spaces there. This loop takes into account ANSI | ||
| 9 | sequences that end with an `m`, and if it finds any it will skip them | ||
| 10 | until it finds the first space. While doing so it does not take into | ||
| 11 | account the buffer's limits though and easily does an out-of-bounds | ||
| 12 | read. | ||
| 13 | |||
| 14 | Add a test that hits this behaviour. While we don't have an easy way to | ||
| 15 | verify this, the test causes the following failure when run with | ||
| 16 | `SANITIZE=address`: | ||
| 17 | |||
| 18 | ==37941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000baf at pc 0x55ba6f88e0d0 bp 0x7ffc84c50d20 sp 0x7ffc84c50d10 | ||
| 19 | READ of size 1 at 0x603000000baf thread T0 | ||
| 20 | #0 0x55ba6f88e0cf in format_and_pad_commit pretty.c:1712 | ||
| 21 | #1 0x55ba6f88e7b4 in format_commit_item pretty.c:1801 | ||
| 22 | #2 0x55ba6f9b1ae4 in strbuf_expand strbuf.c:429 | ||
| 23 | #3 0x55ba6f88f020 in repo_format_commit_message pretty.c:1869 | ||
| 24 | #4 0x55ba6f890ccf in pretty_print_commit pretty.c:2161 | ||
| 25 | #5 0x55ba6f7884c8 in show_log log-tree.c:781 | ||
| 26 | #6 0x55ba6f78b6ba in log_tree_commit log-tree.c:1117 | ||
| 27 | #7 0x55ba6f40fed5 in cmd_log_walk_no_free builtin/log.c:508 | ||
| 28 | #8 0x55ba6f41035b in cmd_log_walk builtin/log.c:549 | ||
| 29 | #9 0x55ba6f4131a2 in cmd_log builtin/log.c:883 | ||
| 30 | #10 0x55ba6f2ea993 in run_builtin git.c:466 | ||
| 31 | #11 0x55ba6f2eb397 in handle_builtin git.c:721 | ||
| 32 | #12 0x55ba6f2ebb07 in run_argv git.c:788 | ||
| 33 | #13 0x55ba6f2ec8a7 in cmd_main git.c:923 | ||
| 34 | #14 0x55ba6f581682 in main common-main.c:57 | ||
| 35 | #15 0x7f2d08c3c28f (/usr/lib/libc.so.6+0x2328f) | ||
| 36 | #16 0x7f2d08c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349) | ||
| 37 | #17 0x55ba6f2e60e4 in _start ../sysdeps/x86_64/start.S:115 | ||
| 38 | |||
| 39 | 0x603000000baf is located 1 bytes to the left of 24-byte region [0x603000000bb0,0x603000000bc8) | ||
| 40 | allocated by thread T0 here: | ||
| 41 | #0 0x7f2d08ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85 | ||
| 42 | #1 0x55ba6fa5b494 in xrealloc wrapper.c:136 | ||
| 43 | #2 0x55ba6f9aefdc in strbuf_grow strbuf.c:99 | ||
| 44 | #3 0x55ba6f9b0a06 in strbuf_add strbuf.c:298 | ||
| 45 | #4 0x55ba6f9b1a25 in strbuf_expand strbuf.c:418 | ||
| 46 | #5 0x55ba6f88f020 in repo_format_commit_message pretty.c:1869 | ||
| 47 | #6 0x55ba6f890ccf in pretty_print_commit pretty.c:2161 | ||
| 48 | #7 0x55ba6f7884c8 in show_log log-tree.c:781 | ||
| 49 | #8 0x55ba6f78b6ba in log_tree_commit log-tree.c:1117 | ||
| 50 | #9 0x55ba6f40fed5 in cmd_log_walk_no_free builtin/log.c:508 | ||
| 51 | #10 0x55ba6f41035b in cmd_log_walk builtin/log.c:549 | ||
| 52 | #11 0x55ba6f4131a2 in cmd_log builtin/log.c:883 | ||
| 53 | #12 0x55ba6f2ea993 in run_builtin git.c:466 | ||
| 54 | #13 0x55ba6f2eb397 in handle_builtin git.c:721 | ||
| 55 | #14 0x55ba6f2ebb07 in run_argv git.c:788 | ||
| 56 | #15 0x55ba6f2ec8a7 in cmd_main git.c:923 | ||
| 57 | #16 0x55ba6f581682 in main common-main.c:57 | ||
| 58 | #17 0x7f2d08c3c28f (/usr/lib/libc.so.6+0x2328f) | ||
| 59 | #18 0x7f2d08c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349) | ||
| 60 | #19 0x55ba6f2e60e4 in _start ../sysdeps/x86_64/start.S:115 | ||
| 61 | |||
| 62 | SUMMARY: AddressSanitizer: heap-buffer-overflow pretty.c:1712 in format_and_pad_commit | ||
| 63 | Shadow bytes around the buggy address: | ||
| 64 | 0x0c067fff8120: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd | ||
| 65 | 0x0c067fff8130: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa | ||
| 66 | 0x0c067fff8140: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa | ||
| 67 | 0x0c067fff8150: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fd fd | ||
| 68 | 0x0c067fff8160: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa | ||
| 69 | =>0x0c067fff8170: fd fd fd fa fa[fa]00 00 00 fa fa fa 00 00 00 fa | ||
| 70 | 0x0c067fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 71 | 0x0c067fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 72 | 0x0c067fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 73 | 0x0c067fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 74 | 0x0c067fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 75 | Shadow byte legend (one shadow byte represents 8 application bytes): | ||
| 76 | Addressable: 00 | ||
| 77 | Partially addressable: 01 02 03 04 05 06 07 | ||
| 78 | Heap left redzone: fa | ||
| 79 | Freed heap region: fd | ||
| 80 | Stack left redzone: f1 | ||
| 81 | Stack mid redzone: f2 | ||
| 82 | Stack right redzone: f3 | ||
| 83 | Stack after return: f5 | ||
| 84 | Stack use after scope: f8 | ||
| 85 | Global redzone: f9 | ||
| 86 | Global init order: f6 | ||
| 87 | Poisoned by user: f7 | ||
| 88 | Container overflow: fc | ||
| 89 | Array cookie: ac | ||
| 90 | Intra object redzone: bb | ||
| 91 | ASan internal: fe | ||
| 92 | Left alloca redzone: ca | ||
| 93 | Right alloca redzone: cb | ||
| 94 | |||
| 95 | Luckily enough, this would only cause us to copy the out-of-bounds data | ||
| 96 | into the formatted commit in case we really had an ANSI sequence | ||
| 97 | preceding our buffer. So this bug likely has no security consequences. | ||
| 98 | |||
| 99 | Fix it regardless by not traversing past the buffer's start. | ||
| 100 | |||
| 101 | Reported-by: Patrick Steinhardt <ps@pks.im> | ||
| 102 | Reported-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de> | ||
| 103 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 104 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 105 | |||
| 106 | Upstream-Status: Backport [https://github.com/git/git/commit/b49f309aa16febeddb65e82526640a91bbba3be3] | ||
| 107 | CVE: CVE-2022-41903 | ||
| 108 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 109 | --- | ||
| 110 | pretty.c | 2 +- | ||
| 111 | t/t4205-log-pretty-formats.sh | 6 ++++++ | ||
| 112 | 2 files changed, 7 insertions(+), 1 deletion(-) | ||
| 113 | |||
| 114 | diff --git a/pretty.c b/pretty.c | ||
| 115 | index 637e344..4348a82 100644 | ||
| 116 | --- a/pretty.c | ||
| 117 | +++ b/pretty.c | ||
| 118 | @@ -1468,7 +1468,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */ | ||
| 119 | if (*ch != 'm') | ||
| 120 | break; | ||
| 121 | p = ch - 1; | ||
| 122 | - while (ch - p < 10 && *p != '\033') | ||
| 123 | + while (p > sb->buf && ch - p < 10 && *p != '\033') | ||
| 124 | p--; | ||
| 125 | if (*p != '\033' || | ||
| 126 | ch + 1 - p != display_mode_esc_sequence_len(p)) | ||
| 127 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 128 | index a2acee1..e69caba 100755 | ||
| 129 | --- a/t/t4205-log-pretty-formats.sh | ||
| 130 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 131 | @@ -788,6 +788,12 @@ test_expect_success '%S in git log --format works with other placeholders (part | ||
| 132 | test_cmp expect actual | ||
| 133 | ' | ||
| 134 | |||
| 135 | +test_expect_success 'log --pretty with space stealing' ' | ||
| 136 | + printf mm0 >expect && | ||
| 137 | + git log -1 --pretty="format:mm%>>|(1)%x30" >actual && | ||
| 138 | + test_cmp expect actual | ||
| 139 | +' | ||
| 140 | + | ||
| 141 | test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' | ||
| 142 | # We only assert that this command does not crash. This needs to be | ||
| 143 | # executed with the address sanitizer to demonstrate failure. | ||
| 144 | -- | ||
| 145 | 2.25.1 | ||
| 146 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-04.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-04.patch new file mode 100644 index 0000000000..9e3c74ff67 --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-04.patch | |||
| @@ -0,0 +1,150 @@ | |||
| 1 | From f6e0b9f38987ad5e47bab551f8760b70689a5905 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:46:34 +0100 | ||
| 4 | Subject: [PATCH 04/12] pretty: fix out-of-bounds read when parsing invalid padding format | ||
| 5 | |||
| 6 | An out-of-bounds read can be triggered when parsing an incomplete | ||
| 7 | padding format string passed via `--pretty=format` or in Git archives | ||
| 8 | when files are marked with the `export-subst` gitattribute. | ||
| 9 | |||
| 10 | This bug exists since we have introduced support for truncating output | ||
| 11 | via the `trunc` keyword a7f01c6 (pretty: support truncating in %>, %< | ||
| 12 | and %><, 2013-04-19). Before this commit, we used to find the end of the | ||
| 13 | formatting string by using strchr(3P). This function returns a `NULL` | ||
| 14 | pointer in case the character in question wasn't found. The subsequent | ||
| 15 | check whether any character was found thus simply checked the returned | ||
| 16 | pointer. After the commit we switched to strcspn(3P) though, which only | ||
| 17 | returns the offset to the first found character or to the trailing NUL | ||
| 18 | byte. As the end pointer is now computed by adding the offset to the | ||
| 19 | start pointer it won't be `NULL` anymore, and as a consequence the check | ||
| 20 | doesn't do anything anymore. | ||
| 21 | |||
| 22 | The out-of-bounds data that is being read can in fact end up in the | ||
| 23 | formatted string. As a consequence, it is possible to leak memory | ||
| 24 | contents either by calling git-log(1) or via git-archive(1) when any of | ||
| 25 | the archived files is marked with the `export-subst` gitattribute. | ||
| 26 | |||
| 27 | ==10888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000398 at pc 0x7f0356047cb2 bp 0x7fff3ffb95d0 sp 0x7fff3ffb8d78 | ||
| 28 | READ of size 1 at 0x602000000398 thread T0 | ||
| 29 | #0 0x7f0356047cb1 in __interceptor_strchrnul /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:725 | ||
| 30 | #1 0x563b7cec9a43 in strbuf_expand strbuf.c:417 | ||
| 31 | #2 0x563b7cda7060 in repo_format_commit_message pretty.c:1869 | ||
| 32 | #3 0x563b7cda8d0f in pretty_print_commit pretty.c:2161 | ||
| 33 | #4 0x563b7cca04c8 in show_log log-tree.c:781 | ||
| 34 | #5 0x563b7cca36ba in log_tree_commit log-tree.c:1117 | ||
| 35 | #6 0x563b7c927ed5 in cmd_log_walk_no_free builtin/log.c:508 | ||
| 36 | #7 0x563b7c92835b in cmd_log_walk builtin/log.c:549 | ||
| 37 | #8 0x563b7c92b1a2 in cmd_log builtin/log.c:883 | ||
| 38 | #9 0x563b7c802993 in run_builtin git.c:466 | ||
| 39 | #10 0x563b7c803397 in handle_builtin git.c:721 | ||
| 40 | #11 0x563b7c803b07 in run_argv git.c:788 | ||
| 41 | #12 0x563b7c8048a7 in cmd_main git.c:923 | ||
| 42 | #13 0x563b7ca99682 in main common-main.c:57 | ||
| 43 | #14 0x7f0355e3c28f (/usr/lib/libc.so.6+0x2328f) | ||
| 44 | #15 0x7f0355e3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349) | ||
| 45 | #16 0x563b7c7fe0e4 in _start ../sysdeps/x86_64/start.S:115 | ||
| 46 | |||
| 47 | 0x602000000398 is located 0 bytes to the right of 8-byte region [0x602000000390,0x602000000398) | ||
| 48 | allocated by thread T0 here: | ||
| 49 | #0 0x7f0356072faa in __interceptor_strdup /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:439 | ||
| 50 | #1 0x563b7cf7317c in xstrdup wrapper.c:39 | ||
| 51 | #2 0x563b7cd9a06a in save_user_format pretty.c:40 | ||
| 52 | #3 0x563b7cd9b3e5 in get_commit_format pretty.c:173 | ||
| 53 | #4 0x563b7ce54ea0 in handle_revision_opt revision.c:2456 | ||
| 54 | #5 0x563b7ce597c9 in setup_revisions revision.c:2850 | ||
| 55 | #6 0x563b7c9269e0 in cmd_log_init_finish builtin/log.c:269 | ||
| 56 | #7 0x563b7c927362 in cmd_log_init builtin/log.c:348 | ||
| 57 | #8 0x563b7c92b193 in cmd_log builtin/log.c:882 | ||
| 58 | #9 0x563b7c802993 in run_builtin git.c:466 | ||
| 59 | #10 0x563b7c803397 in handle_builtin git.c:721 | ||
| 60 | #11 0x563b7c803b07 in run_argv git.c:788 | ||
| 61 | #12 0x563b7c8048a7 in cmd_main git.c:923 | ||
| 62 | #13 0x563b7ca99682 in main common-main.c:57 | ||
| 63 | #14 0x7f0355e3c28f (/usr/lib/libc.so.6+0x2328f) | ||
| 64 | #15 0x7f0355e3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349) | ||
| 65 | #16 0x563b7c7fe0e4 in _start ../sysdeps/x86_64/start.S:115 | ||
| 66 | |||
| 67 | SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:725 in __interceptor_strchrnul | ||
| 68 | Shadow bytes around the buggy address: | ||
| 69 | 0x0c047fff8020: fa fa fd fd fa fa 00 06 fa fa 05 fa fa fa fd fd | ||
| 70 | 0x0c047fff8030: fa fa 00 02 fa fa 06 fa fa fa 05 fa fa fa fd fd | ||
| 71 | 0x0c047fff8040: fa fa 00 07 fa fa 03 fa fa fa fd fd fa fa 00 00 | ||
| 72 | 0x0c047fff8050: fa fa 00 01 fa fa fd fd fa fa 00 00 fa fa 00 01 | ||
| 73 | 0x0c047fff8060: fa fa 00 06 fa fa 00 06 fa fa 05 fa fa fa 05 fa | ||
| 74 | =>0x0c047fff8070: fa fa 00[fa]fa fa fd fa fa fa fd fd fa fa fd fd | ||
| 75 | 0x0c047fff8080: fa fa fd fd fa fa 00 00 fa fa 00 fa fa fa fd fa | ||
| 76 | 0x0c047fff8090: fa fa fd fd fa fa 00 00 fa fa fa fa fa fa fa fa | ||
| 77 | 0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 78 | 0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 79 | 0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 80 | Shadow byte legend (one shadow byte represents 8 application bytes): | ||
| 81 | Addressable: 00 | ||
| 82 | Partially addressable: 01 02 03 04 05 06 07 | ||
| 83 | Heap left redzone: fa | ||
| 84 | Freed heap region: fd | ||
| 85 | Stack left redzone: f1 | ||
| 86 | Stack mid redzone: f2 | ||
| 87 | Stack right redzone: f3 | ||
| 88 | Stack after return: f5 | ||
| 89 | Stack use after scope: f8 | ||
| 90 | Global redzone: f9 | ||
| 91 | Global init order: f6 | ||
| 92 | Poisoned by user: f7 | ||
| 93 | Container overflow: fc | ||
| 94 | Array cookie: ac | ||
| 95 | Intra object redzone: bb | ||
| 96 | ASan internal: fe | ||
| 97 | Left alloca redzone: ca | ||
| 98 | Right alloca redzone: cb | ||
| 99 | ==10888==ABORTING | ||
| 100 | |||
| 101 | Fix this bug by checking whether `end` points at the trailing NUL byte. | ||
| 102 | Add a test which catches this out-of-bounds read and which demonstrates | ||
| 103 | that we used to write out-of-bounds data into the formatted message. | ||
| 104 | |||
| 105 | Reported-by: Markus Vervier <markus.vervier@x41-dsec.de> | ||
| 106 | Original-patch-by: Markus Vervier <markus.vervier@x41-dsec.de> | ||
| 107 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 108 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 109 | |||
| 110 | Upstream-Status: Backport [https://github.com/git/git/commit/f6e0b9f38987ad5e47bab551f8760b70689a5905] | ||
| 111 | CVE: CVE-2022-41903 | ||
| 112 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 113 | --- | ||
| 114 | pretty.c | 2 +- | ||
| 115 | t/t4205-log-pretty-formats.sh | 6 ++++++ | ||
| 116 | 2 files changed, 7 insertions(+), 1 deletion(-) | ||
| 117 | |||
| 118 | diff --git a/pretty.c b/pretty.c | ||
| 119 | index 4348a82..c49e818 100644 | ||
| 120 | --- a/pretty.c | ||
| 121 | +++ b/pretty.c | ||
| 122 | @@ -1024,7 +1024,7 @@ static size_t parse_padding_placeholder(const char *placeholder, | ||
| 123 | const char *end = start + strcspn(start, ",)"); | ||
| 124 | char *next; | ||
| 125 | int width; | ||
| 126 | - if (!end || end == start) | ||
| 127 | + if (!*end || end == start) | ||
| 128 | return 0; | ||
| 129 | width = strtol(start, &next, 10); | ||
| 130 | if (next == start || width == 0) | ||
| 131 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 132 | index e69caba..8a349df 100755 | ||
| 133 | --- a/t/t4205-log-pretty-formats.sh | ||
| 134 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 135 | @@ -794,6 +794,12 @@ test_expect_success 'log --pretty with space stealing' ' | ||
| 136 | test_cmp expect actual | ||
| 137 | ' | ||
| 138 | |||
| 139 | +test_expect_success 'log --pretty with invalid padding format' ' | ||
| 140 | + printf "%s%%<(20" "$(git rev-parse HEAD)" >expect && | ||
| 141 | + git log -1 --pretty="format:%H%<(20" >actual && | ||
| 142 | + test_cmp expect actual | ||
| 143 | +' | ||
| 144 | + | ||
| 145 | test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' | ||
| 146 | # We only assert that this command does not crash. This needs to be | ||
| 147 | # executed with the address sanitizer to demonstrate failure. | ||
| 148 | -- | ||
| 149 | 2.25.1 | ||
| 150 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-05.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-05.patch new file mode 100644 index 0000000000..994f7a55b1 --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-05.patch | |||
| @@ -0,0 +1,98 @@ | |||
| 1 | From 1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:46:39 +0100 | ||
| 4 | Subject: [PATCH 05/12] pretty: fix adding linefeed when placeholder is not expanded | ||
| 5 | |||
| 6 | When a formatting directive has a `+` or ` ` after the `%`, then we add | ||
| 7 | either a line feed or space if the placeholder expands to a non-empty | ||
| 8 | string. In specific cases though this logic doesn't work as expected, | ||
| 9 | and we try to add the character even in the case where the formatting | ||
| 10 | directive is empty. | ||
| 11 | |||
| 12 | One such pattern is `%w(1)%+d%+w(2)`. `%+d` expands to reference names | ||
| 13 | pointing to a certain commit, like in `git log --decorate`. For a tagged | ||
| 14 | commit this would for example expand to `\n (tag: v1.0.0)`, which has a | ||
| 15 | leading newline due to the `+` modifier and a space added by `%d`. Now | ||
| 16 | the second wrapping directive will cause us to rewrap the text to | ||
| 17 | `\n(tag:\nv1.0.0)`, which is one byte shorter due to the missing leading | ||
| 18 | space. The code that handles the `+` magic now notices that the length | ||
| 19 | has changed and will thus try to insert a leading line feed at the | ||
| 20 | original posititon. But as the string was shortened, the original | ||
| 21 | position is past the buffer's boundary and thus we die with an error. | ||
| 22 | |||
| 23 | Now there are two issues here: | ||
| 24 | |||
| 25 | 1. We check whether the buffer length has changed, not whether it | ||
| 26 | has been extended. This causes us to try and add the character | ||
| 27 | past the string boundary. | ||
| 28 | |||
| 29 | 2. The current logic does not make any sense whatsoever. When the | ||
| 30 | string got expanded due to the rewrap, putting the separator into | ||
| 31 | the original position is likely to put it somewhere into the | ||
| 32 | middle of the rewrapped contents. | ||
| 33 | |||
| 34 | It is debatable whether `%+w()` makes any sense in the first place. | ||
| 35 | Strictly speaking, the placeholder never expands to a non-empty string, | ||
| 36 | and consequentially we shouldn't ever accept this combination. We thus | ||
| 37 | fix the bug by simply refusing `%+w()`. | ||
| 38 | |||
| 39 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 40 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 41 | |||
| 42 | Upstream-Status: Backport [https://github.com/git/git/commit/1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0] | ||
| 43 | CVE: CVE-2022-41903 | ||
| 44 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 45 | --- | ||
| 46 | pretty.c | 14 +++++++++++++- | ||
| 47 | t/t4205-log-pretty-formats.sh | 8 ++++++++ | ||
| 48 | 2 files changed, 21 insertions(+), 1 deletion(-) | ||
| 49 | |||
| 50 | diff --git a/pretty.c b/pretty.c | ||
| 51 | index c49e818..195d005 100644 | ||
| 52 | --- a/pretty.c | ||
| 53 | +++ b/pretty.c | ||
| 54 | @@ -1551,9 +1551,21 @@ static size_t format_commit_item(struct strbuf *sb, /* in UTF-8 */ | ||
| 55 | default: | ||
| 56 | break; | ||
| 57 | } | ||
| 58 | - if (magic != NO_MAGIC) | ||
| 59 | + if (magic != NO_MAGIC) { | ||
| 60 | placeholder++; | ||
| 61 | |||
| 62 | + switch (placeholder[0]) { | ||
| 63 | + case 'w': | ||
| 64 | + /* | ||
| 65 | + * `%+w()` cannot ever expand to a non-empty string, | ||
| 66 | + * and it potentially changes the layout of preceding | ||
| 67 | + * contents. We're thus not able to handle the magic in | ||
| 68 | + * this combination and refuse the pattern. | ||
| 69 | + */ | ||
| 70 | + return 0; | ||
| 71 | + }; | ||
| 72 | + } | ||
| 73 | + | ||
| 74 | orig_len = sb->len; | ||
| 75 | if (((struct format_commit_context *)context)->flush_type != no_flush) | ||
| 76 | consumed = format_and_pad_commit(sb, placeholder, context); | ||
| 77 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 78 | index 8a349df..fa1bc2b 100755 | ||
| 79 | --- a/t/t4205-log-pretty-formats.sh | ||
| 80 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 81 | @@ -800,6 +800,14 @@ test_expect_success 'log --pretty with invalid padding format' ' | ||
| 82 | test_cmp expect actual | ||
| 83 | ' | ||
| 84 | |||
| 85 | +test_expect_success 'log --pretty with magical wrapping directives' ' | ||
| 86 | + commit_id=$(git commit-tree HEAD^{tree} -m "describe me") && | ||
| 87 | + git tag describe-me $commit_id && | ||
| 88 | + printf "\n(tag:\ndescribe-me)%%+w(2)" >expect && | ||
| 89 | + git log -1 --pretty="format:%w(1)%+d%+w(2)" $commit_id >actual && | ||
| 90 | + test_cmp expect actual | ||
| 91 | +' | ||
| 92 | + | ||
| 93 | test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' | ||
| 94 | # We only assert that this command does not crash. This needs to be | ||
| 95 | # executed with the address sanitizer to demonstrate failure. | ||
| 96 | -- | ||
| 97 | 2.25.1 | ||
| 98 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch new file mode 100644 index 0000000000..93fbe5c7fe --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch | |||
| @@ -0,0 +1,90 @@ | |||
| 1 | From 48050c42c73c28b0c001d63d11dffac7e116847b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:46:49 +0100 | ||
| 4 | Subject: [PATCH 06/12] pretty: fix integer overflow in wrapping format | ||
| 5 | |||
| 6 | The `%w(width,indent1,indent2)` formatting directive can be used to | ||
| 7 | rewrap text to a specific width and is designed after git-shortlog(1)'s | ||
| 8 | `-w` parameter. While the three parameters are all stored as `size_t` | ||
| 9 | internally, `strbuf_add_wrapped_text()` accepts integers as input. As a | ||
| 10 | result, the casted integers may overflow. As these now-negative integers | ||
| 11 | are later on passed to `strbuf_addchars()`, we will ultimately run into | ||
| 12 | implementation-defined behaviour due to casting a negative number back | ||
| 13 | to `size_t` again. On my platform, this results in trying to allocate | ||
| 14 | 9000 petabyte of memory. | ||
| 15 | |||
| 16 | Fix this overflow by using `cast_size_t_to_int()` so that we reject | ||
| 17 | inputs that cannot be represented as an integer. | ||
| 18 | |||
| 19 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 20 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 21 | |||
| 22 | Upstream-Status: Backport [https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b] | ||
| 23 | CVE: CVE-2022-41903 | ||
| 24 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 25 | --- | ||
| 26 | git-compat-util.h | 8 ++++++++ | ||
| 27 | pretty.c | 4 +++- | ||
| 28 | t/t4205-log-pretty-formats.sh | 12 ++++++++++++ | ||
| 29 | 3 files changed, 23 insertions(+), 1 deletion(-) | ||
| 30 | |||
| 31 | diff --git a/git-compat-util.h b/git-compat-util.h | ||
| 32 | index a1ecfd3..b0f3890 100644 | ||
| 33 | --- a/git-compat-util.h | ||
| 34 | +++ b/git-compat-util.h | ||
| 35 | @@ -854,6 +854,14 @@ static inline size_t st_sub(size_t a, size_t b) | ||
| 36 | return a - b; | ||
| 37 | } | ||
| 38 | |||
| 39 | +static inline int cast_size_t_to_int(size_t a) | ||
| 40 | +{ | ||
| 41 | + if (a > INT_MAX) | ||
| 42 | + die("number too large to represent as int on this platform: %"PRIuMAX, | ||
| 43 | + (uintmax_t)a); | ||
| 44 | + return (int)a; | ||
| 45 | +} | ||
| 46 | + | ||
| 47 | #ifdef HAVE_ALLOCA_H | ||
| 48 | # include <alloca.h> | ||
| 49 | # define xalloca(size) (alloca(size)) | ||
| 50 | diff --git a/pretty.c b/pretty.c | ||
| 51 | index 195d005..ff9fc97 100644 | ||
| 52 | --- a/pretty.c | ||
| 53 | +++ b/pretty.c | ||
| 54 | @@ -898,7 +898,9 @@ static void strbuf_wrap(struct strbuf *sb, size_t pos, | ||
| 55 | if (pos) | ||
| 56 | strbuf_add(&tmp, sb->buf, pos); | ||
| 57 | strbuf_add_wrapped_text(&tmp, sb->buf + pos, | ||
| 58 | - (int) indent1, (int) indent2, (int) width); | ||
| 59 | + cast_size_t_to_int(indent1), | ||
| 60 | + cast_size_t_to_int(indent2), | ||
| 61 | + cast_size_t_to_int(width)); | ||
| 62 | strbuf_swap(&tmp, sb); | ||
| 63 | strbuf_release(&tmp); | ||
| 64 | } | ||
| 65 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 66 | index fa1bc2b..23ac508 100755 | ||
| 67 | --- a/t/t4205-log-pretty-formats.sh | ||
| 68 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 69 | @@ -808,6 +808,18 @@ test_expect_success 'log --pretty with magical wrapping directives' ' | ||
| 70 | test_cmp expect actual | ||
| 71 | ' | ||
| 72 | |||
| 73 | +test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' ' | ||
| 74 | + cat >expect <<-EOF && | ||
| 75 | + fatal: number too large to represent as int on this platform: 2147483649 | ||
| 76 | + EOF | ||
| 77 | + test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error && | ||
| 78 | + test_cmp expect error && | ||
| 79 | + test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error && | ||
| 80 | + test_cmp expect error && | ||
| 81 | + test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error && | ||
| 82 | + test_cmp expect error | ||
| 83 | +' | ||
| 84 | + | ||
| 85 | test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' | ||
| 86 | # We only assert that this command does not crash. This needs to be | ||
| 87 | # executed with the address sanitizer to demonstrate failure. | ||
| 88 | -- | ||
| 89 | 2.25.1 | ||
| 90 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-07.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-07.patch new file mode 100644 index 0000000000..ec248ad6c2 --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-07.patch | |||
| @@ -0,0 +1,123 @@ | |||
| 1 | From 522cc87fdc25449222a5894a428eebf4b8d5eaa9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:46:53 +0100 | ||
| 4 | Subject: [PATCH 07/12] utf8: fix truncated string lengths in utf8_strnwidth() | ||
| 5 | |||
| 6 | The `utf8_strnwidth()` function accepts an optional string length as | ||
| 7 | input parameter. This parameter can either be set to `-1`, in which case | ||
| 8 | we call `strlen()` on the input. Or it can be set to a positive integer | ||
| 9 | that indicates a precomputed length, which callers typically compute by | ||
| 10 | calling `strlen()` at some point themselves. | ||
| 11 | |||
| 12 | The input parameter is an `int` though, whereas `strlen()` returns a | ||
| 13 | `size_t`. This can lead to implementation-defined behaviour though when | ||
| 14 | the `size_t` cannot be represented by the `int`. In the general case | ||
| 15 | though this leads to wrap-around and thus to negative string sizes, | ||
| 16 | which is sure enough to not lead to well-defined behaviour. | ||
| 17 | |||
| 18 | Fix this by accepting a `size_t` instead of an `int` as string length. | ||
| 19 | While this takes away the ability of callers to simply pass in `-1` as | ||
| 20 | string length, it really is trivial enough to convert them to instead | ||
| 21 | pass in `strlen()` instead. | ||
| 22 | |||
| 23 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 24 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 25 | |||
| 26 | Upstream-Status: Backport [https://github.com/git/git/commit/522cc87fdc25449222a5894a428eebf4b8d5eaa9] | ||
| 27 | CVE: CVE-2022-41903 | ||
| 28 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 29 | --- | ||
| 30 | column.c | 2 +- | ||
| 31 | pretty.c | 4 ++-- | ||
| 32 | utf8.c | 8 +++----- | ||
| 33 | utf8.h | 2 +- | ||
| 34 | 4 files changed, 7 insertions(+), 9 deletions(-) | ||
| 35 | |||
| 36 | diff --git a/column.c b/column.c | ||
| 37 | index 4a38eed..0c79850 100644 | ||
| 38 | --- a/column.c | ||
| 39 | +++ b/column.c | ||
| 40 | @@ -23,7 +23,7 @@ struct column_data { | ||
| 41 | /* return length of 's' in letters, ANSI escapes stripped */ | ||
| 42 | static int item_length(const char *s) | ||
| 43 | { | ||
| 44 | - return utf8_strnwidth(s, -1, 1); | ||
| 45 | + return utf8_strnwidth(s, strlen(s), 1); | ||
| 46 | } | ||
| 47 | |||
| 48 | /* | ||
| 49 | diff --git a/pretty.c b/pretty.c | ||
| 50 | index ff9fc97..c3c1443 100644 | ||
| 51 | --- a/pretty.c | ||
| 52 | +++ b/pretty.c | ||
| 53 | @@ -1437,7 +1437,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */ | ||
| 54 | int occupied; | ||
| 55 | if (!start) | ||
| 56 | start = sb->buf; | ||
| 57 | - occupied = utf8_strnwidth(start, -1, 1); | ||
| 58 | + occupied = utf8_strnwidth(start, strlen(start), 1); | ||
| 59 | occupied += c->pretty_ctx->graph_width; | ||
| 60 | padding = (-padding) - occupied; | ||
| 61 | } | ||
| 62 | @@ -1455,7 +1455,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */ | ||
| 63 | placeholder++; | ||
| 64 | total_consumed++; | ||
| 65 | } | ||
| 66 | - len = utf8_strnwidth(local_sb.buf, -1, 1); | ||
| 67 | + len = utf8_strnwidth(local_sb.buf, local_sb.len, 1); | ||
| 68 | |||
| 69 | if (c->flush_type == flush_left_and_steal) { | ||
| 70 | const char *ch = sb->buf + sb->len - 1; | ||
| 71 | diff --git a/utf8.c b/utf8.c | ||
| 72 | index 5c8f151..a66984b 100644 | ||
| 73 | --- a/utf8.c | ||
| 74 | +++ b/utf8.c | ||
| 75 | @@ -206,13 +206,11 @@ int utf8_width(const char **start, size_t *remainder_p) | ||
| 76 | * string, assuming that the string is utf8. Returns strlen() instead | ||
| 77 | * if the string does not look like a valid utf8 string. | ||
| 78 | */ | ||
| 79 | -int utf8_strnwidth(const char *string, int len, int skip_ansi) | ||
| 80 | +int utf8_strnwidth(const char *string, size_t len, int skip_ansi) | ||
| 81 | { | ||
| 82 | int width = 0; | ||
| 83 | const char *orig = string; | ||
| 84 | |||
| 85 | - if (len == -1) | ||
| 86 | - len = strlen(string); | ||
| 87 | while (string && string < orig + len) { | ||
| 88 | int skip; | ||
| 89 | while (skip_ansi && | ||
| 90 | @@ -225,7 +223,7 @@ int utf8_strnwidth(const char *string, int len, int skip_ansi) | ||
| 91 | |||
| 92 | int utf8_strwidth(const char *string) | ||
| 93 | { | ||
| 94 | - return utf8_strnwidth(string, -1, 0); | ||
| 95 | + return utf8_strnwidth(string, strlen(string), 0); | ||
| 96 | } | ||
| 97 | |||
| 98 | int is_utf8(const char *text) | ||
| 99 | @@ -792,7 +790,7 @@ int skip_utf8_bom(char **text, size_t len) | ||
| 100 | void strbuf_utf8_align(struct strbuf *buf, align_type position, unsigned int width, | ||
| 101 | const char *s) | ||
| 102 | { | ||
| 103 | - int slen = strlen(s); | ||
| 104 | + size_t slen = strlen(s); | ||
| 105 | int display_len = utf8_strnwidth(s, slen, 0); | ||
| 106 | int utf8_compensation = slen - display_len; | ||
| 107 | |||
| 108 | diff --git a/utf8.h b/utf8.h | ||
| 109 | index fcd5167..6da1b6d 100644 | ||
| 110 | --- a/utf8.h | ||
| 111 | +++ b/utf8.h | ||
| 112 | @@ -7,7 +7,7 @@ typedef unsigned int ucs_char_t; /* assuming 32bit int */ | ||
| 113 | |||
| 114 | size_t display_mode_esc_sequence_len(const char *s); | ||
| 115 | int utf8_width(const char **start, size_t *remainder_p); | ||
| 116 | -int utf8_strnwidth(const char *string, int len, int skip_ansi); | ||
| 117 | +int utf8_strnwidth(const char *string, size_t len, int skip_ansi); | ||
| 118 | int utf8_strwidth(const char *string); | ||
| 119 | int is_utf8(const char *text); | ||
| 120 | int is_encoding_utf8(const char *name); | ||
| 121 | -- | ||
| 122 | 2.25.1 | ||
| 123 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch new file mode 100644 index 0000000000..3de6a5ba6a --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch | |||
| @@ -0,0 +1,67 @@ | |||
| 1 | From 17d23e8a3812a5ca3dd6564e74d5250f22e5d76d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:47:00 +0100 | ||
| 4 | Subject: [PATCH 08/12] utf8: fix returning negative string width | ||
| 5 | |||
| 6 | The `utf8_strnwidth()` function calls `utf8_width()` in a loop and adds | ||
| 7 | its returned width to the end result. `utf8_width()` can return `-1` | ||
| 8 | though in case it reads a control character, which means that the | ||
| 9 | computed string width is going to be wrong. In the worst case where | ||
| 10 | there are more control characters than non-control characters, we may | ||
| 11 | even return a negative string width. | ||
| 12 | |||
| 13 | Fix this bug by treating control characters as having zero width. | ||
| 14 | |||
| 15 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 16 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 17 | |||
| 18 | Upstream-Status: Backport [https://github.com/git/git/commit/17d23e8a3812a5ca3dd6564e74d5250f22e5d76d] | ||
| 19 | CVE: CVE-2022-41903 | ||
| 20 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 21 | --- | ||
| 22 | t/t4205-log-pretty-formats.sh | 6 ++++++ | ||
| 23 | utf8.c | 8 ++++++-- | ||
| 24 | 2 files changed, 12 insertions(+), 2 deletions(-) | ||
| 25 | |||
| 26 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 27 | index 23ac508..261a6f0 100755 | ||
| 28 | --- a/t/t4205-log-pretty-formats.sh | ||
| 29 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 30 | @@ -820,6 +820,12 @@ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping dire | ||
| 31 | test_cmp expect error | ||
| 32 | ' | ||
| 33 | |||
| 34 | +test_expect_success 'log --pretty with padding and preceding control chars' ' | ||
| 35 | + printf "\20\20 0" >expect && | ||
| 36 | + git log -1 --pretty="format:%x10%x10%>|(4)%x30" >actual && | ||
| 37 | + test_cmp expect actual | ||
| 38 | +' | ||
| 39 | + | ||
| 40 | test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' | ||
| 41 | # We only assert that this command does not crash. This needs to be | ||
| 42 | # executed with the address sanitizer to demonstrate failure. | ||
| 43 | diff --git a/utf8.c b/utf8.c | ||
| 44 | index a66984b..6632bd2 100644 | ||
| 45 | --- a/utf8.c | ||
| 46 | +++ b/utf8.c | ||
| 47 | @@ -212,11 +212,15 @@ int utf8_strnwidth(const char *string, size_t len, int skip_ansi) | ||
| 48 | const char *orig = string; | ||
| 49 | |||
| 50 | while (string && string < orig + len) { | ||
| 51 | - int skip; | ||
| 52 | + int glyph_width, skip; | ||
| 53 | + | ||
| 54 | while (skip_ansi && | ||
| 55 | (skip = display_mode_esc_sequence_len(string)) != 0) | ||
| 56 | string += skip; | ||
| 57 | - width += utf8_width(&string, NULL); | ||
| 58 | + | ||
| 59 | + glyph_width = utf8_width(&string, NULL); | ||
| 60 | + if (glyph_width > 0) | ||
| 61 | + width += glyph_width; | ||
| 62 | } | ||
| 63 | return string ? width : len; | ||
| 64 | } | ||
| 65 | -- | ||
| 66 | 2.25.1 | ||
| 67 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-09.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-09.patch new file mode 100644 index 0000000000..761d4c6a9f --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-09.patch | |||
| @@ -0,0 +1,162 @@ | |||
| 1 | From 937b71cc8b5b998963a7f9a33312ba3549d55510 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:47:04 +0100 | ||
| 4 | Subject: [PATCH 09/12] utf8: fix overflow when returning string width | ||
| 5 | |||
| 6 | The return type of both `utf8_strwidth()` and `utf8_strnwidth()` is | ||
| 7 | `int`, but we operate on string lengths which are typically of type | ||
| 8 | `size_t`. This means that when the string is longer than `INT_MAX`, we | ||
| 9 | will overflow and thus return a negative result. | ||
| 10 | |||
| 11 | This can lead to an out-of-bounds write with `--pretty=format:%<1)%B` | ||
| 12 | and a commit message that is 2^31+1 bytes long: | ||
| 13 | |||
| 14 | ================================================================= | ||
| 15 | ==26009==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001168 at pc 0x7f95c4e5f427 bp 0x7ffd8541c900 sp 0x7ffd8541c0a8 | ||
| 16 | WRITE of size 2147483649 at 0x603000001168 thread T0 | ||
| 17 | #0 0x7f95c4e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 | ||
| 18 | #1 0x5612bbb1068c in format_and_pad_commit pretty.c:1763 | ||
| 19 | #2 0x5612bbb1087a in format_commit_item pretty.c:1801 | ||
| 20 | #3 0x5612bbc33bab in strbuf_expand strbuf.c:429 | ||
| 21 | #4 0x5612bbb110e7 in repo_format_commit_message pretty.c:1869 | ||
| 22 | #5 0x5612bbb12d96 in pretty_print_commit pretty.c:2161 | ||
| 23 | #6 0x5612bba0a4d5 in show_log log-tree.c:781 | ||
| 24 | #7 0x5612bba0d6c7 in log_tree_commit log-tree.c:1117 | ||
| 25 | #8 0x5612bb691ed5 in cmd_log_walk_no_free builtin/log.c:508 | ||
| 26 | #9 0x5612bb69235b in cmd_log_walk builtin/log.c:549 | ||
| 27 | #10 0x5612bb6951a2 in cmd_log builtin/log.c:883 | ||
| 28 | #11 0x5612bb56c993 in run_builtin git.c:466 | ||
| 29 | #12 0x5612bb56d397 in handle_builtin git.c:721 | ||
| 30 | #13 0x5612bb56db07 in run_argv git.c:788 | ||
| 31 | #14 0x5612bb56e8a7 in cmd_main git.c:923 | ||
| 32 | #15 0x5612bb803682 in main common-main.c:57 | ||
| 33 | #16 0x7f95c4c3c28f (/usr/lib/libc.so.6+0x2328f) | ||
| 34 | #17 0x7f95c4c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349) | ||
| 35 | #18 0x5612bb5680e4 in _start ../sysdeps/x86_64/start.S:115 | ||
| 36 | |||
| 37 | 0x603000001168 is located 0 bytes to the right of 24-byte region [0x603000001150,0x603000001168) | ||
| 38 | allocated by thread T0 here: | ||
| 39 | #0 0x7f95c4ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85 | ||
| 40 | #1 0x5612bbcdd556 in xrealloc wrapper.c:136 | ||
| 41 | #2 0x5612bbc310a3 in strbuf_grow strbuf.c:99 | ||
| 42 | #3 0x5612bbc32acd in strbuf_add strbuf.c:298 | ||
| 43 | #4 0x5612bbc33aec in strbuf_expand strbuf.c:418 | ||
| 44 | #5 0x5612bbb110e7 in repo_format_commit_message pretty.c:1869 | ||
| 45 | #6 0x5612bbb12d96 in pretty_print_commit pretty.c:2161 | ||
| 46 | #7 0x5612bba0a4d5 in show_log log-tree.c:781 | ||
| 47 | #8 0x5612bba0d6c7 in log_tree_commit log-tree.c:1117 | ||
| 48 | #9 0x5612bb691ed5 in cmd_log_walk_no_free builtin/log.c:508 | ||
| 49 | #10 0x5612bb69235b in cmd_log_walk builtin/log.c:549 | ||
| 50 | #11 0x5612bb6951a2 in cmd_log builtin/log.c:883 | ||
| 51 | #12 0x5612bb56c993 in run_builtin git.c:466 | ||
| 52 | #13 0x5612bb56d397 in handle_builtin git.c:721 | ||
| 53 | #14 0x5612bb56db07 in run_argv git.c:788 | ||
| 54 | #15 0x5612bb56e8a7 in cmd_main git.c:923 | ||
| 55 | #16 0x5612bb803682 in main common-main.c:57 | ||
| 56 | #17 0x7f95c4c3c28f (/usr/lib/libc.so.6+0x2328f) | ||
| 57 | |||
| 58 | SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy | ||
| 59 | Shadow bytes around the buggy address: | ||
| 60 | 0x0c067fff81d0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa | ||
| 61 | 0x0c067fff81e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd | ||
| 62 | 0x0c067fff81f0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa | ||
| 63 | 0x0c067fff8200: fd fd fd fa fa fa fd fd fd fd fa fa 00 00 00 fa | ||
| 64 | 0x0c067fff8210: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd | ||
| 65 | =>0x0c067fff8220: fd fa fa fa fd fd fd fa fa fa 00 00 00[fa]fa fa | ||
| 66 | 0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 67 | 0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 68 | 0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 69 | 0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 70 | 0x0c067fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
| 71 | Shadow byte legend (one shadow byte represents 8 application bytes): | ||
| 72 | Addressable: 00 | ||
| 73 | Partially addressable: 01 02 03 04 05 06 07 | ||
| 74 | Heap left redzone: fa | ||
| 75 | Freed heap region: fd | ||
| 76 | Stack left redzone: f1 | ||
| 77 | Stack mid redzone: f2 | ||
| 78 | Stack right redzone: f3 | ||
| 79 | Stack after return: f5 | ||
| 80 | Stack use after scope: f8 | ||
| 81 | Global redzone: f9 | ||
| 82 | Global init order: f6 | ||
| 83 | Poisoned by user: f7 | ||
| 84 | Container overflow: fc | ||
| 85 | Array cookie: ac | ||
| 86 | Intra object redzone: bb | ||
| 87 | ASan internal: fe | ||
| 88 | Left alloca redzone: ca | ||
| 89 | Right alloca redzone: cb | ||
| 90 | ==26009==ABORTING | ||
| 91 | |||
| 92 | Now the proper fix for this would be to convert both functions to return | ||
| 93 | an `size_t` instead of an `int`. But given that this commit may be part | ||
| 94 | of a security release, let's instead do the minimal viable fix and die | ||
| 95 | in case we see an overflow. | ||
| 96 | |||
| 97 | Add a test that would have previously caused us to crash. | ||
| 98 | |||
| 99 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 100 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 101 | |||
| 102 | Upstream-Status: Backport [https://github.com/git/git/commit/937b71cc8b5b998963a7f9a33312ba3549d55510] | ||
| 103 | CVE: CVE-2022-41903 | ||
| 104 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 105 | --- | ||
| 106 | t/t4205-log-pretty-formats.sh | 8 ++++++++ | ||
| 107 | utf8.c | 12 +++++++++--- | ||
| 108 | 2 files changed, 17 insertions(+), 3 deletions(-) | ||
| 109 | |||
| 110 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 111 | index 261a6f0..de15007 100755 | ||
| 112 | --- a/t/t4205-log-pretty-formats.sh | ||
| 113 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 114 | @@ -843,4 +843,12 @@ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit mes | ||
| 115 | test_cmp expect actual | ||
| 116 | ' | ||
| 117 | |||
| 118 | +test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message does not cause allocation failure' ' | ||
| 119 | + test_must_fail git log -1 --format="%<(1)%B" $huge_commit 2>error && | ||
| 120 | + cat >expect <<-EOF && | ||
| 121 | + fatal: number too large to represent as int on this platform: 2147483649 | ||
| 122 | + EOF | ||
| 123 | + test_cmp expect error | ||
| 124 | +' | ||
| 125 | + | ||
| 126 | test_done | ||
| 127 | diff --git a/utf8.c b/utf8.c | ||
| 128 | index 6632bd2..03be475 100644 | ||
| 129 | --- a/utf8.c | ||
| 130 | +++ b/utf8.c | ||
| 131 | @@ -208,11 +208,12 @@ int utf8_width(const char **start, size_t *remainder_p) | ||
| 132 | */ | ||
| 133 | int utf8_strnwidth(const char *string, size_t len, int skip_ansi) | ||
| 134 | { | ||
| 135 | - int width = 0; | ||
| 136 | const char *orig = string; | ||
| 137 | + size_t width = 0; | ||
| 138 | |||
| 139 | while (string && string < orig + len) { | ||
| 140 | - int glyph_width, skip; | ||
| 141 | + int glyph_width; | ||
| 142 | + size_t skip; | ||
| 143 | |||
| 144 | while (skip_ansi && | ||
| 145 | (skip = display_mode_esc_sequence_len(string)) != 0) | ||
| 146 | @@ -222,7 +223,12 @@ int utf8_strnwidth(const char *string, size_t len, int skip_ansi) | ||
| 147 | if (glyph_width > 0) | ||
| 148 | width += glyph_width; | ||
| 149 | } | ||
| 150 | - return string ? width : len; | ||
| 151 | + | ||
| 152 | + /* | ||
| 153 | + * TODO: fix the interface of this function and `utf8_strwidth()` to | ||
| 154 | + * return `size_t` instead of `int`. | ||
| 155 | + */ | ||
| 156 | + return cast_size_t_to_int(string ? width : len); | ||
| 157 | } | ||
| 158 | |||
| 159 | int utf8_strwidth(const char *string) | ||
| 160 | -- | ||
| 161 | 2.25.1 | ||
| 162 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-10.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-10.patch new file mode 100644 index 0000000000..bbfc6e758f --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-10.patch | |||
| @@ -0,0 +1,99 @@ | |||
| 1 | From 81c2d4c3a5ba0e6ab8c348708441fed170e63a82 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:47:10 +0100 | ||
| 4 | Subject: [PATCH 10/12] utf8: fix checking for glyph width in strbuf_utf8_replace() | ||
| 5 | |||
| 6 | In `strbuf_utf8_replace()`, we call `utf8_width()` to compute the width | ||
| 7 | of the current glyph. If the glyph is a control character though it can | ||
| 8 | be that `utf8_width()` returns `-1`, but because we assign this value to | ||
| 9 | a `size_t` the conversion will cause us to underflow. This bug can | ||
| 10 | easily be triggered with the following command: | ||
| 11 | |||
| 12 | $ git log --pretty='format:xxx%<|(1,trunc)%x10' | ||
| 13 | |||
| 14 | >From all I can see though this seems to be a benign underflow that has | ||
| 15 | no security-related consequences. | ||
| 16 | |||
| 17 | Fix the bug by using an `int` instead. When we see a control character, | ||
| 18 | we now copy it into the target buffer but don't advance the current | ||
| 19 | width of the string. | ||
| 20 | |||
| 21 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 22 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 23 | |||
| 24 | Upstream-Status: Backport [https://github.com/git/git/commit/81c2d4c3a5ba0e6ab8c348708441fed170e63a82] | ||
| 25 | CVE: CVE-2022-41903 | ||
| 26 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 27 | --- | ||
| 28 | t/t4205-log-pretty-formats.sh | 7 +++++++ | ||
| 29 | utf8.c | 19 ++++++++++++++----- | ||
| 30 | 2 files changed, 21 insertions(+), 5 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 33 | index de15007..52c8bc8 100755 | ||
| 34 | --- a/t/t4205-log-pretty-formats.sh | ||
| 35 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 36 | @@ -826,6 +826,13 @@ test_expect_success 'log --pretty with padding and preceding control chars' ' | ||
| 37 | test_cmp expect actual | ||
| 38 | ' | ||
| 39 | |||
| 40 | +test_expect_success 'log --pretty truncation with control chars' ' | ||
| 41 | + test_commit "$(printf "\20\20\20\20xxxx")" file contents commit-with-control-chars && | ||
| 42 | + printf "\20\20\20\20x.." >expect && | ||
| 43 | + git log -1 --pretty="format:%<(3,trunc)%s" commit-with-control-chars >actual && | ||
| 44 | + test_cmp expect actual | ||
| 45 | +' | ||
| 46 | + | ||
| 47 | test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' | ||
| 48 | # We only assert that this command does not crash. This needs to be | ||
| 49 | # executed with the address sanitizer to demonstrate failure. | ||
| 50 | diff --git a/utf8.c b/utf8.c | ||
| 51 | index 03be475..ec03e69 100644 | ||
| 52 | --- a/utf8.c | ||
| 53 | +++ b/utf8.c | ||
| 54 | @@ -377,6 +377,7 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width, | ||
| 55 | dst = sb_dst.buf; | ||
| 56 | |||
| 57 | while (src < end) { | ||
| 58 | + int glyph_width; | ||
| 59 | char *old; | ||
| 60 | size_t n; | ||
| 61 | |||
| 62 | @@ -390,21 +391,29 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width, | ||
| 63 | break; | ||
| 64 | |||
| 65 | old = src; | ||
| 66 | - n = utf8_width((const char**)&src, NULL); | ||
| 67 | - if (!src) /* broken utf-8, do nothing */ | ||
| 68 | + glyph_width = utf8_width((const char**)&src, NULL); | ||
| 69 | + if (!src) /* broken utf-8, do nothing */ | ||
| 70 | goto out; | ||
| 71 | - if (n && w >= pos && w < pos + width) { | ||
| 72 | + | ||
| 73 | + /* | ||
| 74 | + * In case we see a control character we copy it into the | ||
| 75 | + * buffer, but don't add it to the width. | ||
| 76 | + */ | ||
| 77 | + if (glyph_width < 0) | ||
| 78 | + glyph_width = 0; | ||
| 79 | + | ||
| 80 | + if (glyph_width && w >= pos && w < pos + width) { | ||
| 81 | if (subst) { | ||
| 82 | memcpy(dst, subst, subst_len); | ||
| 83 | dst += subst_len; | ||
| 84 | subst = NULL; | ||
| 85 | } | ||
| 86 | - w += n; | ||
| 87 | + w += glyph_width; | ||
| 88 | continue; | ||
| 89 | } | ||
| 90 | memcpy(dst, old, src - old); | ||
| 91 | dst += src - old; | ||
| 92 | - w += n; | ||
| 93 | + w += glyph_width; | ||
| 94 | } | ||
| 95 | strbuf_setlen(&sb_dst, dst - sb_dst.buf); | ||
| 96 | strbuf_swap(sb_src, &sb_dst); | ||
| 97 | -- | ||
| 98 | 2.25.1 | ||
| 99 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch new file mode 100644 index 0000000000..f339edfc8a --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch | |||
| @@ -0,0 +1,90 @@ | |||
| 1 | From f930a2394303b902e2973f4308f96529f736b8bc Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:47:15 +0100 | ||
| 4 | Subject: [PATCH 11/12] utf8: refactor strbuf_utf8_replace to not rely on preallocated buffer | ||
| 5 | |||
| 6 | In `strbuf_utf8_replace`, we preallocate the destination buffer and then | ||
| 7 | use `memcpy` to copy bytes into it at computed offsets. This feels | ||
| 8 | rather fragile and is hard to understand at times. Refactor the code to | ||
| 9 | instead use `strbuf_add` and `strbuf_addstr` so that we can be sure that | ||
| 10 | there is no possibility to perform an out-of-bounds write. | ||
| 11 | |||
| 12 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 13 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 14 | |||
| 15 | Upstream-Status: Backport [https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc] | ||
| 16 | CVE: CVE-2022-41903 | ||
| 17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 18 | --- | ||
| 19 | utf8.c | 34 +++++++++++++--------------------- | ||
| 20 | 1 file changed, 13 insertions(+), 21 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/utf8.c b/utf8.c | ||
| 23 | index ec03e69..a13f5e3 100644 | ||
| 24 | --- a/utf8.c | ||
| 25 | +++ b/utf8.c | ||
| 26 | @@ -365,26 +365,20 @@ void strbuf_add_wrapped_bytes(struct strbuf *buf, const char *data, int len, | ||
| 27 | void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width, | ||
| 28 | const char *subst) | ||
| 29 | { | ||
| 30 | - struct strbuf sb_dst = STRBUF_INIT; | ||
| 31 | - char *src = sb_src->buf; | ||
| 32 | - char *end = src + sb_src->len; | ||
| 33 | - char *dst; | ||
| 34 | - int w = 0, subst_len = 0; | ||
| 35 | + const char *src = sb_src->buf, *end = sb_src->buf + sb_src->len; | ||
| 36 | + struct strbuf dst; | ||
| 37 | + int w = 0; | ||
| 38 | |||
| 39 | - if (subst) | ||
| 40 | - subst_len = strlen(subst); | ||
| 41 | - strbuf_grow(&sb_dst, sb_src->len + subst_len); | ||
| 42 | - dst = sb_dst.buf; | ||
| 43 | + strbuf_init(&dst, sb_src->len); | ||
| 44 | |||
| 45 | while (src < end) { | ||
| 46 | + const char *old; | ||
| 47 | int glyph_width; | ||
| 48 | - char *old; | ||
| 49 | size_t n; | ||
| 50 | |||
| 51 | while ((n = display_mode_esc_sequence_len(src))) { | ||
| 52 | - memcpy(dst, src, n); | ||
| 53 | + strbuf_add(&dst, src, n); | ||
| 54 | src += n; | ||
| 55 | - dst += n; | ||
| 56 | } | ||
| 57 | |||
| 58 | if (src >= end) | ||
| 59 | @@ -404,21 +398,19 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width, | ||
| 60 | |||
| 61 | if (glyph_width && w >= pos && w < pos + width) { | ||
| 62 | if (subst) { | ||
| 63 | - memcpy(dst, subst, subst_len); | ||
| 64 | - dst += subst_len; | ||
| 65 | + strbuf_addstr(&dst, subst); | ||
| 66 | subst = NULL; | ||
| 67 | } | ||
| 68 | - w += glyph_width; | ||
| 69 | - continue; | ||
| 70 | + } else { | ||
| 71 | + strbuf_add(&dst, old, src - old); | ||
| 72 | } | ||
| 73 | - memcpy(dst, old, src - old); | ||
| 74 | - dst += src - old; | ||
| 75 | + | ||
| 76 | w += glyph_width; | ||
| 77 | } | ||
| 78 | - strbuf_setlen(&sb_dst, dst - sb_dst.buf); | ||
| 79 | - strbuf_swap(sb_src, &sb_dst); | ||
| 80 | + | ||
| 81 | + strbuf_swap(sb_src, &dst); | ||
| 82 | out: | ||
| 83 | - strbuf_release(&sb_dst); | ||
| 84 | + strbuf_release(&dst); | ||
| 85 | } | ||
| 86 | |||
| 87 | /* | ||
| 88 | -- | ||
| 89 | 2.25.1 | ||
| 90 | |||
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch new file mode 100644 index 0000000000..978865978d --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch | |||
| @@ -0,0 +1,124 @@ | |||
| 1 | From 304a50adff6480ede46b68f7545baab542cbfb46 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:47:23 +0100 | ||
| 4 | Subject: [PATCH 12/12] pretty: restrict input lengths for padding and wrapping formats | ||
| 5 | |||
| 6 | Both the padding and wrapping formatting directives allow the caller to | ||
| 7 | specify an integer that ultimately leads to us adding this many chars to | ||
| 8 | the result buffer. As a consequence, it is trivial to e.g. allocate 2GB | ||
| 9 | of RAM via a single formatting directive and cause resource exhaustion | ||
| 10 | on the machine executing this logic. Furthermore, it is debatable | ||
| 11 | whether there are any sane usecases that require the user to pad data to | ||
| 12 | 2GB boundaries or to indent wrapped data by 2GB. | ||
| 13 | |||
| 14 | Restrict the input sizes to 16 kilobytes at a maximum to limit the | ||
| 15 | amount of bytes that can be requested by the user. This is not meant | ||
| 16 | as a fix because there are ways to trivially amplify the amount of | ||
| 17 | data we generate via formatting directives; the real protection is | ||
| 18 | achieved by the changes in previous steps to catch and avoid integer | ||
| 19 | wraparound that causes us to under-allocate and access beyond the | ||
| 20 | end of allocated memory reagions. But having such a limit | ||
| 21 | significantly helps fuzzing the pretty format, because the fuzzer is | ||
| 22 | otherwise quite fast to run out-of-memory as it discovers these | ||
| 23 | formatters. | ||
| 24 | |||
| 25 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 26 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 27 | |||
| 28 | Upstream-Status: Backport [https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46] | ||
| 29 | CVE: CVE-2022-41903 | ||
| 30 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 31 | --- | ||
| 32 | pretty.c | 26 ++++++++++++++++++++++++++ | ||
| 33 | t/t4205-log-pretty-formats.sh | 24 +++++++++++++++--------- | ||
| 34 | 2 files changed, 41 insertions(+), 9 deletions(-) | ||
| 35 | |||
| 36 | diff --git a/pretty.c b/pretty.c | ||
| 37 | index c3c1443..e9687f0 100644 | ||
| 38 | --- a/pretty.c | ||
| 39 | +++ b/pretty.c | ||
| 40 | @@ -13,6 +13,13 @@ | ||
| 41 | #include "gpg-interface.h" | ||
| 42 | #include "trailer.h" | ||
| 43 | |||
| 44 | +/* | ||
| 45 | + * The limit for formatting directives, which enable the caller to append | ||
| 46 | + * arbitrarily many bytes to the formatted buffer. This includes padding | ||
| 47 | + * and wrapping formatters. | ||
| 48 | + */ | ||
| 49 | +#define FORMATTING_LIMIT (16 * 1024) | ||
| 50 | + | ||
| 51 | static char *user_format; | ||
| 52 | static struct cmt_fmt_map { | ||
| 53 | const char *name; | ||
| 54 | @@ -1029,6 +1036,15 @@ static size_t parse_padding_placeholder(const char *placeholder, | ||
| 55 | if (!*end || end == start) | ||
| 56 | return 0; | ||
| 57 | width = strtol(start, &next, 10); | ||
| 58 | + | ||
| 59 | + /* | ||
| 60 | + * We need to limit the amount of padding, or otherwise this | ||
| 61 | + * would allow the user to pad the buffer by arbitrarily many | ||
| 62 | + * bytes and thus cause resource exhaustion. | ||
| 63 | + */ | ||
| 64 | + if (width < -FORMATTING_LIMIT || width > FORMATTING_LIMIT) | ||
| 65 | + return 0; | ||
| 66 | + | ||
| 67 | if (next == start || width == 0) | ||
| 68 | return 0; | ||
| 69 | if (width < 0) { | ||
| 70 | @@ -1188,6 +1204,16 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */ | ||
| 71 | if (*next != ')') | ||
| 72 | return 0; | ||
| 73 | } | ||
| 74 | + | ||
| 75 | + /* | ||
| 76 | + * We need to limit the format here as it allows the | ||
| 77 | + * user to prepend arbitrarily many bytes to the buffer | ||
| 78 | + * when rewrapping. | ||
| 79 | + */ | ||
| 80 | + if (width > FORMATTING_LIMIT || | ||
| 81 | + indent1 > FORMATTING_LIMIT || | ||
| 82 | + indent2 > FORMATTING_LIMIT) | ||
| 83 | + return 0; | ||
| 84 | rewrap_message_tail(sb, c, width, indent1, indent2); | ||
| 85 | return end - placeholder + 1; | ||
| 86 | } else | ||
| 87 | diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh | ||
| 88 | index 52c8bc8..572d02f 100755 | ||
| 89 | --- a/t/t4205-log-pretty-formats.sh | ||
| 90 | +++ b/t/t4205-log-pretty-formats.sh | ||
| 91 | @@ -809,15 +809,21 @@ test_expect_success 'log --pretty with magical wrapping directives' ' | ||
| 92 | ' | ||
| 93 | |||
| 94 | test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' ' | ||
| 95 | - cat >expect <<-EOF && | ||
| 96 | - fatal: number too large to represent as int on this platform: 2147483649 | ||
| 97 | - EOF | ||
| 98 | - test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error && | ||
| 99 | - test_cmp expect error && | ||
| 100 | - test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error && | ||
| 101 | - test_cmp expect error && | ||
| 102 | - test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error && | ||
| 103 | - test_cmp expect error | ||
| 104 | + printf "%%w(2147483649,1,1)0" >expect && | ||
| 105 | + git log -1 --pretty="format:%w(2147483649,1,1)%x30" >actual && | ||
| 106 | + test_cmp expect actual && | ||
| 107 | + printf "%%w(1,2147483649,1)0" >expect && | ||
| 108 | + git log -1 --pretty="format:%w(1,2147483649,1)%x30" >actual && | ||
| 109 | + test_cmp expect actual && | ||
| 110 | + printf "%%w(1,1,2147483649)0" >expect && | ||
| 111 | + git log -1 --pretty="format:%w(1,1,2147483649)%x30" >actual && | ||
| 112 | + test_cmp expect actual | ||
| 113 | +' | ||
| 114 | + | ||
| 115 | +test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing padding directive' ' | ||
| 116 | + printf "%%<(2147483649)0" >expect && | ||
| 117 | + git log -1 --pretty="format:%<(2147483649)%x30" >actual && | ||
| 118 | + test_cmp expect actual | ||
| 119 | ' | ||
| 120 | |||
| 121 | test_expect_success 'log --pretty with padding and preceding control chars' ' | ||
| 122 | -- | ||
| 123 | 2.25.1 | ||
| 124 | |||
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index ed6308ea2d..3c4c0fd37b 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc | |||
| @@ -12,6 +12,18 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ | |||
| 12 | file://fixsort.patch \ | 12 | file://fixsort.patch \ |
| 13 | file://CVE-2021-40330.patch \ | 13 | file://CVE-2021-40330.patch \ |
| 14 | file://CVE-2022-23521.patch \ | 14 | file://CVE-2022-23521.patch \ |
| 15 | file://CVE-2022-41903-01.patch \ | ||
| 16 | file://CVE-2022-41903-02.patch \ | ||
| 17 | file://CVE-2022-41903-03.patch \ | ||
| 18 | file://CVE-2022-41903-04.patch \ | ||
| 19 | file://CVE-2022-41903-05.patch \ | ||
| 20 | file://CVE-2022-41903-06.patch \ | ||
| 21 | file://CVE-2022-41903-07.patch \ | ||
| 22 | file://CVE-2022-41903-08.patch \ | ||
| 23 | file://CVE-2022-41903-09.patch \ | ||
| 24 | file://CVE-2022-41903-10.patch \ | ||
| 25 | file://CVE-2022-41903-11.patch \ | ||
| 26 | file://CVE-2022-41903-12.patch \ | ||
| 15 | " | 27 | " |
| 16 | S = "${WORKDIR}/git-${PV}" | 28 | S = "${WORKDIR}/git-${PV}" |
| 17 | 29 | ||
