* [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944
@ 2022-01-15 10:15 Fabrice Fontaine
2022-01-15 10:15 ` [Buildroot] [PATCH 2/2] package/ghostscript: fix CVE-2021-45949 Fabrice Fontaine
2022-01-28 16:59 ` [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944 Peter Korsgaard
0 siblings, 2 replies; 4+ messages in thread
From: Fabrice Fontaine @ 2022-01-15 10:15 UTC (permalink / raw)
To: buildroot; +Cc: Bernd Kuhls, Fabrice Fontaine
Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in
sampled_data_sample (called from sampled_data_continue and interp).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...ack-limits-after-function-evaluation.patch | 52 +++++++++++++++++++
package/ghostscript/ghostscript.mk | 3 ++
2 files changed, 55 insertions(+)
create mode 100644 package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
diff --git a/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch b/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
new file mode 100644
index 0000000000..352f1754f6
--- /dev/null
+++ b/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
@@ -0,0 +1,52 @@
+From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 12 Feb 2021 10:34:23 +0000
+Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
+
+During function result sampling, after the callout to the Postscript
+interpreter, make sure there is enough stack space available before pushing
+or popping entries.
+
+In thise case, the Postscript procedure for the "function" is totally invalid
+(as a function), and leaves the op stack in an unrecoverable state (as far as
+function evaluation is concerned). We end up popping more entries off the
+stack than are available.
+
+To cope, add in stack limit checking to throw an appropriate error when this
+happens.
+
+[Retrieved from:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ psi/zfsample.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 290809405..652ae02c6 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ } else {
+ if (stack_depth_adjust) {
+ stack_depth_adjust -= num_out;
+- push(O_STACK_PAD - stack_depth_adjust);
+- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+- make_null(op - i);
++ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
++ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
++ check_op(stack_depth_adjust);
++ pop(stack_depth_adjust);
++ }
++ else {
++ check_ostack(O_STACK_PAD - stack_depth_adjust);
++ push(O_STACK_PAD - stack_depth_adjust);
++ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
++ make_null(op - i);
++ }
+ }
+ }
+
+--
+2.25.1
+
diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk
index d502d19206..91871728ba 100644
--- a/package/ghostscript/ghostscript.mk
+++ b/package/ghostscript/ghostscript.mk
@@ -24,6 +24,9 @@ GHOSTSCRIPT_DEPENDENCIES = \
# 0002-Bug-704342-Include-device-specifier-strings-in-acces.patch
GHOSTSCRIPT_IGNORE_CVES += CVE-2021-3781
+# 0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
+GHOSTSCRIPT_IGNORE_CVES += CVE-2021-45944
+
# Ghostscript includes (old) copies of several libraries, delete them.
# Inspired by linuxfromscratch:
# http://www.linuxfromscratch.org/blfs/view/svn/pst/gs.html
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 2/2] package/ghostscript: fix CVE-2021-45949
2022-01-15 10:15 [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944 Fabrice Fontaine
@ 2022-01-15 10:15 ` Fabrice Fontaine
2022-01-28 16:59 ` Peter Korsgaard
2022-01-28 16:59 ` [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944 Peter Korsgaard
1 sibling, 1 reply; 4+ messages in thread
From: Fabrice Fontaine @ 2022-01-15 10:15 UTC (permalink / raw)
To: buildroot; +Cc: Bernd Kuhls, Fabrice Fontaine
Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer
overflow in sampled_data_finish (called from sampled_data_continue and
interp).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...-management-in-sampled_data_continue.patch | 68 +++++++++++++++++++
package/ghostscript/ghostscript.mk | 3 +
2 files changed, 71 insertions(+)
create mode 100644 package/ghostscript/0004-Bug-703902-Fix-op-stack-management-in-sampled_data_continue.patch
diff --git a/package/ghostscript/0004-Bug-703902-Fix-op-stack-management-in-sampled_data_continue.patch b/package/ghostscript/0004-Bug-703902-Fix-op-stack-management-in-sampled_data_continue.patch
new file mode 100644
index 0000000000..72e07df0ac
--- /dev/null
+++ b/package/ghostscript/0004-Bug-703902-Fix-op-stack-management-in-sampled_data_continue.patch
@@ -0,0 +1,68 @@
+From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 1 Jun 2021 19:57:16 +0100
+Subject: [PATCH] Bug 703902: Fix op stack management in
+ sampled_data_continue()
+
+Replace pop() (which does no checking, and doesn't handle stack extension
+blocks) with ref_stack_pop() which does do all that.
+
+We still use pop() in one case (it's faster), but we have to later use
+ref_stack_pop() before calling sampled_data_sample() which also accesses the
+op stack.
+
+Fixes:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+
+[Retrieved from:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ psi/zfsample.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 0e8e4bc8d..00cd0cfdd 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ for (j = 0; j < bps; j++)
+ data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
+ }
+- pop(num_out); /* Move op to base of result values */
+
+- /* Check if we are done collecting data. */
++ pop(num_out); /* Move op to base of result values */
+
++ /* From here on, we have to use ref_stack_pop() rather than pop()
++ so that it handles stack extension blocks properly, before calling
++ sampled_data_sample() which also uses the op stack.
++ */
++ /* Check if we are done collecting data. */
+ if (increment_cube_indexes(params, penum->indexes)) {
+ if (stack_depth_adjust == 0)
+- pop(O_STACK_PAD); /* Remove spare stack space */
++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
+ else
+- pop(stack_depth_adjust - num_out);
++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+ /* Execute the closing procedure, if given */
+ code = 0;
+ if (esp_finish_proc != 0)
+@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+ check_op(stack_depth_adjust);
+- pop(stack_depth_adjust);
++ ref_stack_pop(&o_stack, stack_depth_adjust);
+ }
+ else {
+ check_ostack(O_STACK_PAD - stack_depth_adjust);
+- push(O_STACK_PAD - stack_depth_adjust);
++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+ make_null(op - i);
+ }
+--
+2.25.1
+
diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk
index 91871728ba..9e13f29fe9 100644
--- a/package/ghostscript/ghostscript.mk
+++ b/package/ghostscript/ghostscript.mk
@@ -27,6 +27,9 @@ GHOSTSCRIPT_IGNORE_CVES += CVE-2021-3781
# 0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
GHOSTSCRIPT_IGNORE_CVES += CVE-2021-45944
+# 0004-Bug-703902-Fix-op-stack-management-in-sampled_data_continue.patch
+GHOSTSCRIPT_IGNORE_CVES += CVE-2021-45949
+
# Ghostscript includes (old) copies of several libraries, delete them.
# Inspired by linuxfromscratch:
# http://www.linuxfromscratch.org/blfs/view/svn/pst/gs.html
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944
2022-01-15 10:15 [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944 Fabrice Fontaine
2022-01-15 10:15 ` [Buildroot] [PATCH 2/2] package/ghostscript: fix CVE-2021-45949 Fabrice Fontaine
@ 2022-01-28 16:59 ` Peter Korsgaard
1 sibling, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2022-01-28 16:59 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Bernd Kuhls, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in
> sampled_data_sample (called from sampled_data_continue and interp).
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/ghostscript: fix CVE-2021-45949
2022-01-15 10:15 ` [Buildroot] [PATCH 2/2] package/ghostscript: fix CVE-2021-45949 Fabrice Fontaine
@ 2022-01-28 16:59 ` Peter Korsgaard
0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2022-01-28 16:59 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Bernd Kuhls, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer
> overflow in sampled_data_finish (called from sampled_data_continue and
> interp).
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-01-28 17:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-15 10:15 [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944 Fabrice Fontaine
2022-01-15 10:15 ` [Buildroot] [PATCH 2/2] package/ghostscript: fix CVE-2021-45949 Fabrice Fontaine
2022-01-28 16:59 ` Peter Korsgaard
2022-01-28 16:59 ` [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944 Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.