diff options
author | Kai Kang <kai.kang@windriver.com> | 2015-05-28 09:26:15 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-05-30 22:25:11 +0100 |
commit | ea97b1dee834594358c342515720559ad5d56f33 (patch) | |
tree | 05558fb2620da3e550b2364a2508d52fb6494a68 | |
parent | 421e21b08a6a32db88aaf46033ca503a99e49b74 (diff) | |
download | openembedded-core-ea97b1dee834594358c342515720559ad5d56f33.tar.gz openembedded-core-ea97b1dee834594358c342515720559ad5d56f33.tar.bz2 openembedded-core-ea97b1dee834594358c342515720559ad5d56f33.zip |
grep: fix CVE-2015-1345
Backport patch to fix CVE-2015-1345. The issue was introduced with
v2.18-90-g73893ff, and version 2.5.1a is not affected.
Replace tab with spaces in SRC_URI as well.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-extended/grep/grep/grep-fix-CVE-2015-1345.patch | 154 | ||||
-rw-r--r-- | meta/recipes-extended/grep/grep_2.21.bb | 3 |
2 files changed, 156 insertions, 1 deletions
diff --git a/meta/recipes-extended/grep/grep/grep-fix-CVE-2015-1345.patch b/meta/recipes-extended/grep/grep/grep-fix-CVE-2015-1345.patch new file mode 100644 index 0000000000..e88a9880f1 --- /dev/null +++ b/meta/recipes-extended/grep/grep/grep-fix-CVE-2015-1345.patch @@ -0,0 +1,154 @@ +Upstream-Status: Backport + +Backport patch to fix CVE-2015-1345. +http://git.savannah.gnu.org/cgit/grep.git/commit/?id=83a95bd + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- +From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001 +From: Yuliy Pisetsky <ypisetsky@fb.com> +Date: Thu, 1 Jan 2015 15:36:55 -0800 +Subject: [PATCH] grep -F: fix a heap buffer (read) overrun + +grep's read buffer is often filled to its full size, except when +reading the final buffer of a file. In that case, the number of +bytes read may be far less than the size of the buffer. However, for +certain unusual pattern/text combinations, grep -F would mistakenly +examine bytes in that uninitialized region of memory when searching +for a match. With carefully chosen inputs, one can cause grep -F to +read beyond the end of that buffer altogether. This problem arose via +commit v2.18-90-g73893ff with the introduction of a more efficient +heuristic using what is now the memchr_kwset function. The use of +that function in bmexec_trans could leave TP much larger than EP, +and the subsequent call to bm_delta2_search would mistakenly access +beyond end of the main input read buffer. + +* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP, +do not call bm_delta2_search. +* tests/kwset-abuse: New file. +* tests/Makefile.am (TESTS): Add it. +* THANKS.in: Update. +* NEWS (Bug fixes): Mention it. + +Prior to this patch, this command would trigger a UMR: + + printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0) + + Use of uninitialised value of size 8 + at 0x4142BE: bmexec_trans (kwset.c:657) + by 0x4143CA: bmexec (kwset.c:678) + by 0x414973: kwsexec (kwset.c:848) + by 0x414DC4: Fexecute (kwsearch.c:128) + by 0x404E2E: grepbuf (grep.c:1238) + by 0x4054BF: grep (grep.c:1417) + by 0x405CEB: grepdesc (grep.c:1645) + by 0x405EC1: grep_command_line_arg (grep.c:1692) + by 0x4077D4: main (grep.c:2570) + +See the accompanying test for how to trigger the heap buffer overrun. + +Thanks to Nima Aghdaii for testing and finding numerous +ways to break early iterations of this patch. +--- + NEWS | 5 +++++ + THANKS.in | 1 + + src/kwset.c | 2 ++ + tests/Makefile.am | 1 + + tests/kwset-abuse | 32 ++++++++++++++++++++++++++++++++ + 5 files changed, 41 insertions(+) + create mode 100755 tests/kwset-abuse + +diff --git a/NEWS b/NEWS +index 975440d..3835d8d 100644 +--- a/NEWS ++++ b/NEWS +@@ -2,6 +2,11 @@ GNU grep NEWS -*- outline -*- + + * Noteworthy changes in release ?.? (????-??-??) [?] + ++** Bug fixes ++ ++ grep no longer reads from uninitialized memory or from beyond the end ++ of the heap-allocated input buffer. ++ + + * Noteworthy changes in release 2.21 (2014-11-23) [stable] + +diff --git a/THANKS.in b/THANKS.in +index aeaf516..624478d 100644 +--- a/THANKS.in ++++ b/THANKS.in +@@ -62,6 +62,7 @@ Michael Aichlmayr mikla@nx.com + Miles Bader miles@ccs.mt.nec.co.jp + Mirraz Mirraz mirraz1@rambler.ru + Nelson H. F. Beebe beebe@math.utah.edu ++Nima Aghdaii naghdaii@fb.com + Olaf Kirch okir@ns.lst.de + Paul Kimoto kimoto@spacenet.tn.cornell.edu + Péter Radics mitchnull@gmail.com +diff --git a/src/kwset.c b/src/kwset.c +index 4003c8d..376f7c3 100644 +--- a/src/kwset.c ++++ b/src/kwset.c +@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size) + if (! tp) + return -1; + tp++; ++ if (ep <= tp) ++ break; + } + } + } +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 2cba2cd..0508cd2 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -75,6 +75,7 @@ TESTS = \ + inconsistent-range \ + invalid-multibyte-infloop \ + khadafy \ ++ kwset-abuse \ + long-line-vs-2GiB-read \ + match-lines \ + max-count-overread \ +diff --git a/tests/kwset-abuse b/tests/kwset-abuse +new file mode 100755 +index 0000000..6d8ec0c +--- /dev/null ++++ b/tests/kwset-abuse +@@ -0,0 +1,32 @@ ++#! /bin/sh ++# Evoke a segfault in a hard-to-reach code path of kwset.c. ++# This bug affected grep versions 2.19 through 2.21. ++# ++# Copyright (C) 2015 Free Software Foundation, Inc. ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++ ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++ ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++. "${srcdir=.}/init.sh"; path_prepend_ ../src ++ ++fail=0 ++ ++# This test case chooses a haystack of size 260,000, since prodding ++# with gdb showed a reallocation slightly larger than that in fillbuf. ++# To reach the buggy code, the needle must have length < 1/11 that of ++# the haystack, and 10,000 is a nice round number that fits the bill. ++printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0) ++ ++test $? = 1 || fail=1 ++ ++Exit $fail +-- +2.4.1 + diff --git a/meta/recipes-extended/grep/grep_2.21.bb b/meta/recipes-extended/grep/grep_2.21.bb index 1c5f778690..3661098c51 100644 --- a/meta/recipes-extended/grep/grep_2.21.bb +++ b/meta/recipes-extended/grep/grep_2.21.bb @@ -7,7 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8006d9c814277c1bfc4ca22af94b59ee" SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz \ file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ - " + file://grep-fix-CVE-2015-1345.patch \ + " SRC_URI[md5sum] = "43c48064d6409862b8a850db83c8038a" SRC_URI[sha256sum] = "5244a11c00dee8e7e5e714b9aaa053ac6cbfa27e104abee20d3c778e4bb0e5de" |