* [PATCH][dunfell 1/3] glibc: fix CVE-2020-29562
@ 2020-12-14 10:52 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 2/3] qemu: fix CVE-2020-25723 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598 Lee Chee Yang
0 siblings, 2 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-12-14 10:52 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../glibc/glibc/CVE-2020-29562.patch | 156 ++++++++++++++++++
meta/recipes-core/glibc/glibc_2.31.bb | 1 +
2 files changed, 157 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
new file mode 100644
index 0000000000..c51fb3223a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
@@ -0,0 +1,156 @@
+From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
+From: Michael Colavita <mcolavita@fb.com>
+Date: Thu, 19 Nov 2020 11:44:40 -0500
+Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
+
+Previously, in UCS4 conversion routines we limit the number of
+characters we examine to the minimum of the number of characters in the
+input and the number of characters in the output. This is not the
+correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
+an output character when we skip a code unit. Instead, track the input
+and output pointers and terminate the loop when either reaches its
+limit.
+
+This resolves assertion failures when resetting the input buffer in a step of
+iconv, which assumes that the input will be fully consumed given sufficient
+output space.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=228edd356f03bf62dcf2b1335f25d43c602ee68d]
+CVE: CVE-2020-29562
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ iconv/Makefile | 2 +-
+ iconv/gconv_simple.c | 16 ++++----------
+ iconv/tst-iconv8.c | 50 ++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 55 insertions(+), 13 deletions(-)
+ create mode 100644 iconv/tst-iconv8.c
+
+diff --git a/iconv/Makefile b/iconv/Makefile
+index 30bf996d3a..f9b51e23ec 100644
+--- a/iconv/Makefile
++++ b/iconv/Makefile
+@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
+ CFLAGS-simple-hash.c += -I../locale
+
+ tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
+- tst-iconv7 tst-iconv-mt tst-iconv-opt
++ tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
+
+ others = iconv_prog iconvconfig
+ install-others-programs = $(inst_bindir)/iconv
+diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c
+index d4797fba17..963b29f246 100644
+--- a/iconv/gconv_simple.c
++++ b/iconv/gconv_simple.c
+@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ uint32_t inval;
+
+@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ if (__glibc_unlikely (inptr[0] > 0x80))
+ {
+@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ uint32_t inval;
+
+@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ if (__glibc_unlikely (inptr[3] > 0x80))
+ {
+diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c
+new file mode 100644
+index 0000000000..0b92b19f66
+--- /dev/null
++++ b/iconv/tst-iconv8.c
+@@ -0,0 +1,50 @@
++/* Test iconv behavior on UCS4 conversions with //IGNORE.
++ Copyright (C) 2020 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++/* Derived from BZ #26923 */
++#include <errno.h>
++#include <iconv.h>
++#include <stdio.h>
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
++ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
++
++ /*
++ * Convert sequence beginning with an irreversible character into buffer that
++ * is too small.
++ */
++ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
++ char *inptr = input;
++ size_t insize = sizeof (input);
++ char output[6];
++ char *outptr = output;
++ size_t outsize = sizeof (output);
++
++ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
++ TEST_VERIFY (errno == E2BIG);
++
++ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+--
+2.27.0
+
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 3d486fbb59..3a0d60abf8 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -41,6 +41,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
file://0028-inject-file-assembly-directives.patch \
file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
+ file://CVE-2020-29562.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH][dunfell 2/3] qemu: fix CVE-2020-25723
2020-12-14 10:52 [PATCH][dunfell 1/3] glibc: fix CVE-2020-29562 Lee Chee Yang
@ 2020-12-14 10:52 ` Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598 Lee Chee Yang
1 sibling, 0 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-12-14 10:52 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2020-25723.patch | 52 +++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 067179fdeb..7a963ad57c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -51,6 +51,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
file://CVE-2019-20175.patch \
file://CVE-2020-24352.patch \
+ file://CVE-2020-25723.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
new file mode 100644
index 0000000000..e6e0f5ec30
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,52 @@
+From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 09:17:27 -0700
+Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
+
+If 'usb_packet_map' fails, we should stop to process the usb
+request.
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-Id: <20200812161727.29412-1-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
+CVE: CVE-2020-25723
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/hcd-ehci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 58cceac..4da446d 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
+ spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+ usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+ (p->qtd.token & QTD_TOKEN_IOC) != 0);
+- usb_packet_map(&p->packet, &p->sgl);
++ if (usb_packet_map(&p->packet, &p->sgl)) {
++ qemu_sglist_destroy(&p->sgl);
++ return -1;
++ }
+ p->async = EHCI_ASYNC_INITIALIZED;
+ }
+
+@@ -1453,7 +1456,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+ usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+ (itd->transact[i] & ITD_XACT_IOC) != 0);
+- usb_packet_map(&ehci->ipacket, &ehci->isgl);
++ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
++ qemu_sglist_destroy(&ehci->isgl);
++ return -1;
++ }
+ usb_handle_packet(dev, &ehci->ipacket);
+ usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+ } else {
+--
+1.8.3.1
+
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598
2020-12-14 10:52 [PATCH][dunfell 1/3] glibc: fix CVE-2020-29562 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 2/3] qemu: fix CVE-2020-25723 Lee Chee Yang
@ 2020-12-14 10:52 ` Lee Chee Yang
1 sibling, 0 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-12-14 10:52 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
fix CVE-2020-16592 & CVE-2020-16598
removed changes to Changelog in patch file
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../binutils/binutils-2.34.inc | 2 +
.../binutils/binutils/CVE-2020-16592.patch | 61 +++++++++++++++++++
.../binutils/binutils/CVE-2020-16598.patch | 32 ++++++++++
3 files changed, 95 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index b5f5a1c69a..f557fe970c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -44,5 +44,7 @@ SRC_URI = "\
file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
file://CVE-2020-0551.patch \
file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
+ file://CVE-2020-16592.patch \
+ file://CVE-2020-16598.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
new file mode 100644
index 0000000000..f5f9ccdd53
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
@@ -0,0 +1,61 @@
+From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Apr 2020 18:58:11 +0930
+Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup
+
+ PR 25823
+ * peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
+ pointer into strings that may be freed for section name, always
+ allocate a new string.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a]
+CVE: CVE-2020-16592
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ bfd/peXXigen.c | 20 ++++++++++----------
+ 1 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index b9eeb775d9b..8aa5914acd9 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
+ int unused_section_number = 0;
+ asection *sec;
+ flagword flags;
++ size_t name_len;
++ char *sec_name;
+
+ for (sec = abfd->sections; sec; sec = sec->next)
+ if (unused_section_number <= sec->target_index)
+ unused_section_number = sec->target_index + 1;
+
+- if (name == namebuf)
++ name_len = strlen (name) + 1;
++ sec_name = bfd_alloc (abfd, name_len);
++ if (sec_name == NULL)
+ {
+- name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
+- if (name == NULL)
+- {
+- _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
+- abfd);
+- return;
+- }
+- strcpy ((char *) name, namebuf);
++ _bfd_error_handler (_("%pB: out of memory creating name "
++ "for empty section"), abfd);
++ return;
+ }
++ memcpy (sec_name, name, name_len);
+
+ flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
+- sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
++ sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
+ if (sec == NULL)
+ {
+ _bfd_error_handler (_("%pB: unable to create fake empty section"),
+--
+2.27.0
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
new file mode 100644
index 0000000000..52bd925c97
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
@@ -0,0 +1,32 @@
+From ca3f923f82a079dcf441419f4a50a50f8b4b33c2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Apr 2020 10:38:16 +0930
+Subject: [PATCH] PR25840, Null pointer dereference in objdump
+
+ PR 25840
+ * debug.c (debug_class_type_samep): Don't segfault on NULL type.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2]
+CVE: CVE-2020-16598
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ binutils/debug.c | 2 ++
+ 1 files changed, 2 insertions(+)
+
+diff --git a/binutils/debug.c b/binutils/debug.c
+index 022fa4edffb..5470e155edc 100644
+--- a/binutils/debug.c
++++ b/binutils/debug.c
+@@ -3277,6 +3277,8 @@ debug_class_type_samep (struct debug_handle *info, struct debug_type_s *t1,
+ names, since that sometimes fails in the presence of
+ typedefs and we really don't care. */
+ if (strcmp (f1->name, f2->name) != 0
++ || f1->type == NULL
++ || f2->type == NULL
+ || ! debug_type_samep (info,
+ debug_get_real_type ((void *) info,
+ f1->type, NULL),
+--
+2.27.0
+
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-12-14 10:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-14 10:52 [PATCH][dunfell 1/3] glibc: fix CVE-2020-29562 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 2/3] qemu: fix CVE-2020-25723 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598 Lee Chee Yang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.