2 files changed, 164 insertions, 1 deletions
diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch b/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch
new file mode 100644
index 0000000000..a45cfb61bc
--- /dev/null
+++ b/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch
@@ -0,0 +1,160 @@
+From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 4 May 2020 19:41:16 +0200
+Subject: [PATCH 1/3] Protect array_list_del_idx against size_t overflow.
+If the assignment of stop overflows due to idx and count being
+larger than SIZE_T_MAX in sum, out of boundary access could happen.
+It takes invalid usage of this function for this to happen, but
+I decided to add this check so array_list_del_idx is as safe against
+bad usage as the other arraylist functions.
+Upstream-Status: Backport [https://github.com/json-c/json-c/commit/31243e4d1204ef78be34b0fcae73221eee6b83be]
+CVE: CVE-2020-12762
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ arraylist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/arraylist.c b/arraylist.c
+index 12ad8af6d3..e5524aca75 100644
+--- a/arraylist.c
+++ b/arraylist.c
+@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count)
+ {
+        size_t i, stop;
+ 
+       /* Avoid overflow in calculation with large indices. */
+       if (idx > SIZE_T_MAX - count)
+               return -1;
+        stop = idx + count;
+        if (idx >= arr->length || stop > arr->length)
+                return -1;
+From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 4 May 2020 19:46:45 +0200
+Subject: [PATCH 2/3] Prevent division by zero in linkhash.
+If a linkhash with a size of zero is created, then modulo operations
+are prone to division by zero operations.
+Purely protective measure against bad usage.
+---
+ linkhash.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/linkhash.c b/linkhash.c
+index 7ea58c0abf..f05cc38030 100644
+--- a/linkhash.c
+++ b/linkhash.c
+@@ -12,6 +12,7 @@
+ 
+ #include "config.h"
+ 
+#include <assert.h>
+ #include <limits.h>
+ #include <stdarg.h>
+ #include <stddef.h>
+@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, lh_entry_free_fn *free_fn, lh_hash_fn *h
+        int i;
+        struct lh_table *t;
+ 
+       /* Allocate space for elements to avoid divisions by zero. */
+       assert(size > 0);
+        t = (struct lh_table *)calloc(1, sizeof(struct lh_table));
+        if (!t)
+                return NULL;
+From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 4 May 2020 19:47:25 +0200
+Subject: [PATCH 3/3] Fix integer overflows.
+The data structures linkhash and printbuf are limited to 2 GB in size
+due to a signed integer being used to track their current size.
+If too much data is added, then size variable can overflow, which is
+an undefined behaviour in C programming language.
+Assuming that a signed int overflow just leads to a negative value,
+like it happens on many sytems (Linux i686/amd64 with gcc), then
+printbuf is vulnerable to an out of boundary write on 64 bit systems.
+---
+ linkhash.c |  7 +++++--
+ printbuf.c | 19 ++++++++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+diff --git a/linkhash.c b/linkhash.c
+index f05cc38030..51e90b13a2 100644
+--- a/linkhash.c
+++ b/linkhash.c
+@@ -580,9 +580,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con
+ {
+        unsigned long n;
+ 
+-       if (t->count >= t->size * LH_LOAD_FACTOR)
+-               if (lh_table_resize(t, t->size * 2) != 0)
+       if (t->count >= t->size * LH_LOAD_FACTOR) {
+               /* Avoid signed integer overflow with large tables. */
+               int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX;
+               if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0)
+                        return -1;
+       }
+ 
+        n = h % t->size;
+ 
+diff --git a/printbuf.c b/printbuf.c
+index 976c12dde5..00822fac4f 100644
+--- a/printbuf.c
+++ b/printbuf.c
+@@ -15,6 +15,7 @@
+ 
+ #include "config.h"
+ 
+#include <limits.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -65,10 +66,16 @@ static int printbuf_extend(struct printbuf *p, int min_size)
+ 
+        if (p->size >= min_size)
+                return 0;
+-
+-       new_size = p->size * 2;
+-       if (new_size < min_size + 8)
+       /* Prevent signed integer overflows with large buffers. */
+       if (min_size > INT_MAX - 8)
+               return -1;
+       if (p->size > INT_MAX / 2)
+                new_size = min_size + 8;
+       else {
+               new_size = p->size * 2;
+               if (new_size < min_size + 8)
+                       new_size = min_size + 8;
+       }
+ #ifdef PRINTBUF_DEBUG
+        MC_DEBUG("printbuf_memappend: realloc "
+                 "bpos=%d min_size=%d old_size=%d new_size=%d\n",
+@@ -83,6 +90,9 @@ static int printbuf_extend(struct printbuf *p, int min_size)
+ 
+ int printbuf_memappend(struct printbuf *p, const char *buf, int size)
+ {
+       /* Prevent signed integer overflows with large buffers. */
+       if (size > INT_MAX - p->bpos - 1)
+               return -1;
+        if (p->size <= p->bpos + size + 1)
+        {
+                if (printbuf_extend(p, p->bpos + size + 1) < 0)
+@@ -100,6 +110,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len)
+ 
+        if (offset == -1)
+                offset = pb->bpos;
+       /* Prevent signed integer overflows with large buffers. */
+       if (len > INT_MAX - offset)
+               return -1;
+        size_needed = offset + len;
+        if (pb->size < size_needed)
+        {
diff --git a/meta/recipes-devtools/json-c/json-c_0.14.bb b/meta/recipes-devtools/json-c/json-c_0.14.bb
index 99fde873b1..1d501d1294 100644
--- a/meta/recipes-devtools/json-c/json-c_0.14.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.14.bb
@@ -4,7 +4,10 @@ HOMEPAGE = "https://github.com/json-c/json-c/wiki"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
-SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz"
+SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
+           file://CVE-2020-12762.patch \
+"
 SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870"
 UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"

diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch b/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch new file mode 100644 index 0000000000..a45cfb61bc --- /dev/null +++ b/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch
@@ -0,0 +1,160 @@
		1	From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Mon, 4 May 2020 19:41:16 +0200
		4	Subject: [PATCH 1/3] Protect array_list_del_idx against size_t overflow.
		5
		6	If the assignment of stop overflows due to idx and count being
		7	larger than SIZE_T_MAX in sum, out of boundary access could happen.
		8
		9	It takes invalid usage of this function for this to happen, but
		10	I decided to add this check so array_list_del_idx is as safe against
		11	bad usage as the other arraylist functions.
		12
		13	Upstream-Status: Backport [https://github.com/json-c/json-c/commit/31243e4d1204ef78be34b0fcae73221eee6b83be]
		14	CVE: CVE-2020-12762
		15	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		16
		17	---
		18	arraylist.c \| 3 +++
		19	1 file changed, 3 insertions(+)
		20
		21	diff --git a/arraylist.c b/arraylist.c
		22	index 12ad8af6d3..e5524aca75 100644
		23	--- a/arraylist.c
		24	+++ b/arraylist.c
		25	@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count)
		26	{
		27	size_t i, stop;
		28
		29	+ /* Avoid overflow in calculation with large indices. */
		30	+ if (idx > SIZE_T_MAX - count)
		31	+ return -1;
		32	stop = idx + count;
		33	if (idx >= arr->length \|\| stop > arr->length)
		34	return -1;
		35
		36	From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001
		37	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		38	Date: Mon, 4 May 2020 19:46:45 +0200
		39	Subject: [PATCH 2/3] Prevent division by zero in linkhash.
		40
		41	If a linkhash with a size of zero is created, then modulo operations
		42	are prone to division by zero operations.
		43
		44	Purely protective measure against bad usage.
		45	---
		46	linkhash.c \| 3 +++
		47	1 file changed, 3 insertions(+)
		48
		49	diff --git a/linkhash.c b/linkhash.c
		50	index 7ea58c0abf..f05cc38030 100644
		51	--- a/linkhash.c
		52	+++ b/linkhash.c
		53	@@ -12,6 +12,7 @@
		54
		55	#include "config.h"
		56
		57	+#include <assert.h>
		58	#include <limits.h>
		59	#include <stdarg.h>
		60	#include <stddef.h>
		61	@@ -499,6 +500,8 @@ struct lh_table lh_table_new(int size, lh_entry_free_fn free_fn, lh_hash_fn *h
		62	int i;
		63	struct lh_table *t;
		64
		65	+ /* Allocate space for elements to avoid divisions by zero. */
		66	+ assert(size > 0);
		67	t = (struct lh_table *)calloc(1, sizeof(struct lh_table));
		68	if (!t)
		69	return NULL;
		70
		71	From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001
		72	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		73	Date: Mon, 4 May 2020 19:47:25 +0200
		74	Subject: [PATCH 3/3] Fix integer overflows.
		75
		76	The data structures linkhash and printbuf are limited to 2 GB in size
		77	due to a signed integer being used to track their current size.
		78
		79	If too much data is added, then size variable can overflow, which is
		80	an undefined behaviour in C programming language.
		81
		82	Assuming that a signed int overflow just leads to a negative value,
		83	like it happens on many sytems (Linux i686/amd64 with gcc), then
		84	printbuf is vulnerable to an out of boundary write on 64 bit systems.
		85	---
		86	linkhash.c \| 7 +++++--
		87	printbuf.c \| 19 ++++++++++++++++---
		88	2 files changed, 21 insertions(+), 5 deletions(-)
		89
		90	diff --git a/linkhash.c b/linkhash.c
		91	index f05cc38030..51e90b13a2 100644
		92	--- a/linkhash.c
		93	+++ b/linkhash.c
		94	@@ -580,9 +580,12 @@ int lh_table_insert_w_hash(struct lh_table t, const void k, const void *v, con
		95	{
		96	unsigned long n;
		97
		98	- if (t->count >= t->size * LH_LOAD_FACTOR)
		99	- if (lh_table_resize(t, t->size * 2) != 0)
		100	+ if (t->count >= t->size * LH_LOAD_FACTOR) {
		101	+ /* Avoid signed integer overflow with large tables. */
		102	+ int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX;
		103	+ if (t->size == INT_MAX \|\| lh_table_resize(t, new_size) != 0)
		104	return -1;
		105	+ }
		106
		107	n = h % t->size;
		108
		109	diff --git a/printbuf.c b/printbuf.c
		110	index 976c12dde5..00822fac4f 100644
		111	--- a/printbuf.c
		112	+++ b/printbuf.c
		113	@@ -15,6 +15,7 @@
		114
		115	#include "config.h"
		116
		117	+#include <limits.h>
		118	#include <stdio.h>
		119	#include <stdlib.h>
		120	#include <string.h>
		121	@@ -65,10 +66,16 @@ static int printbuf_extend(struct printbuf *p, int min_size)
		122
		123	if (p->size >= min_size)
		124	return 0;
		125	-
		126	- new_size = p->size * 2;
		127	- if (new_size < min_size + 8)
		128	+ /* Prevent signed integer overflows with large buffers. */
		129	+ if (min_size > INT_MAX - 8)
		130	+ return -1;
		131	+ if (p->size > INT_MAX / 2)
		132	new_size = min_size + 8;
		133	+ else {
		134	+ new_size = p->size * 2;
		135	+ if (new_size < min_size + 8)
		136	+ new_size = min_size + 8;
		137	+ }
		138	#ifdef PRINTBUF_DEBUG
		139	MC_DEBUG("printbuf_memappend: realloc "
		140	"bpos=%d min_size=%d old_size=%d new_size=%d\n",
		141	@@ -83,6 +90,9 @@ static int printbuf_extend(struct printbuf *p, int min_size)
		142
		143	int printbuf_memappend(struct printbuf p, const char buf, int size)
		144	{
		145	+ /* Prevent signed integer overflows with large buffers. */
		146	+ if (size > INT_MAX - p->bpos - 1)
		147	+ return -1;
		148	if (p->size <= p->bpos + size + 1)
		149	{
		150	if (printbuf_extend(p, p->bpos + size + 1) < 0)
		151	@@ -100,6 +110,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len)
		152
		153	if (offset == -1)
		154	offset = pb->bpos;
		155	+ /* Prevent signed integer overflows with large buffers. */
		156	+ if (len > INT_MAX - offset)
		157	+ return -1;
		158	size_needed = offset + len;
		159	if (pb->size < size_needed)
		160	{


diff --git a/meta/recipes-devtools/json-c/json-c_0.14.bb b/meta/recipes-devtools/json-c/json-c_0.14.bb index 99fde873b1..1d501d1294 100644 --- a/meta/recipes-devtools/json-c/json-c_0.14.bb +++ b/meta/recipes-devtools/json-c/json-c_0.14.bb
@@ -4,7 +4,10 @@ HOMEPAGE = "https://github.com/json-c/json-c/wiki"
4	LICENSE = "MIT"	4	LICENSE = "MIT"
5	LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"	5	LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
6		6
7	SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz"	7	SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
		8	file://CVE-2020-12762.patch \
		9	"
		10
8	SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870"	11	SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870"
9		12
10	UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"	13	UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"