* [PATCH][dizzy] grep2.19: CVE-2015-1345
@ 2015-09-16 14:31 Sona Sarmadi
2015-09-25 18:24 ` akuster808
0 siblings, 1 reply; 2+ messages in thread
From: Sona Sarmadi @ 2015-09-16 14:31 UTC (permalink / raw)
To: openembedded-core
Fixes heap-based buffer overflow flaw in grep.
Affected versions are: grep 2.19 through 2.21
Removed THANKS.in changes from upstream patch since this
file does not exist in version 2.19.
Replaced tab with spaces in SRC_URI as well.
Upstream fix:
http://git.sv.gnu.org/cgit/grep.git/commit/?id=
83a95bd8c8561875b948cadd417c653dbe7ef2e2
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
.../grep/grep-2.19/grep2.19-CVE-2015-1345.patch | 129 +++++++++++++++++++++
meta/recipes-extended/grep/grep_2.19.bb | 4 +-
2 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
new file mode 100644
index 0000000..32846f5
--- /dev/null
+++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypisetsky@fb.com>
+Date: Thu, 01 Jan 2015 23:36:55 +0000
+Subject: grep -F: fix a heap buffer (read) overrun
+
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file. In that case, the number of
+bytes read may be far less than the size of the buffer. However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match. With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether. This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+
+Prior to this patch, this command would trigger a UMR:
+
+ printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+
+ Use of uninitialised value of size 8
+ at 0x4142BE: bmexec_trans (kwset.c:657)
+ by 0x4143CA: bmexec (kwset.c:678)
+ by 0x414973: kwsexec (kwset.c:848)
+ by 0x414DC4: Fexecute (kwsearch.c:128)
+ by 0x404E2E: grepbuf (grep.c:1238)
+ by 0x4054BF: grep (grep.c:1417)
+ by 0x405CEB: grepdesc (grep.c:1645)
+ by 0x405EC1: grep_command_line_arg (grep.c:1692)
+ by 0x4077D4: main (grep.c:2570)
+
+See the accompanying test for how to trigger the heap buffer overrun.
+
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+
+Fixes CVE-2015-1345.
+Upstream-Status: Backport
+
+---
+diff --git a/NEWS b/NEWS
+index 975440d..3835d8d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -2,6 +2,11 @@ GNU grep NEWS -*- outline -*-
+
+ * Noteworthy changes in release ?.? (????-??-??) [?]
+
++** Bug fixes
++
++ grep no longer reads from uninitialized memory or from beyond the end
++ of the heap-allocated input buffer.
++
+
+ * Noteworthy changes in release 2.21 (2014-11-23) [stable]
+
+diff --git a/src/kwset.c b/src/kwset.c
+index 4003c8d..376f7c3 100644
+--- a/src/kwset.c
++++ b/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
+ if (! tp)
+ return -1;
+ tp++;
++ if (ep <= tp)
++ break;
+ }
+ }
+ }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2cba2cd..0508cd2 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -75,6 +75,7 @@ TESTS = \
+ inconsistent-range \
+ invalid-multibyte-infloop \
+ khadafy \
++ kwset-abuse \
+ long-line-vs-2GiB-read \
+ match-lines \
+ max-count-overread \
+diff --git a/tests/kwset-abuse b/tests/kwset-abuse
+new file mode 100755
+index 0000000..6d8ec0c
+--- a/dev/null
++++ b/tests/kwset-abuse
+@@ -0,0 +1,32 @@
++#! /bin/sh
++# Evoke a segfault in a hard-to-reach code path of kwset.c.
++# This bug affected grep versions 2.19 through 2.21.
++#
++# Copyright (C) 2015 Free Software Foundation, Inc.
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/init.sh"; path_prepend_ ../src
++
++fail=0
++
++# This test case chooses a haystack of size 260,000, since prodding
++# with gdb showed a reallocation slightly larger than that in fillbuf.
++# To reach the buggy code, the needle must have length < 1/11 that of
++# the haystack, and 10,000 is a nice round number that fits the bill.
++printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
++
++test $? = 1 || fail=1
++
++Exit $fail
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-extended/grep/grep_2.19.bb b/meta/recipes-extended/grep/grep_2.19.bb
index 9c162cc..d60ce5e 100644
--- a/meta/recipes-extended/grep/grep_2.19.bb
+++ b/meta/recipes-extended/grep/grep_2.19.bb
@@ -5,7 +5,9 @@ SECTION = "console/utils"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=8006d9c814277c1bfc4ca22af94b59ee"
-SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz"
+SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz \
+ file://grep2.19-CVE-2015-1345.patch \
+ "
SRC_URI[md5sum] = "ac732142227d9fe9567d71301e127979"
SRC_URI[sha256sum] = "6388295be48cfcaf7665d9cd3914e6625ea000e9414132bfefd45cf1d8eec34d"
--
1.9.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH][dizzy] grep2.19: CVE-2015-1345
2015-09-16 14:31 [PATCH][dizzy] grep2.19: CVE-2015-1345 Sona Sarmadi
@ 2015-09-25 18:24 ` akuster808
0 siblings, 0 replies; 2+ messages in thread
From: akuster808 @ 2015-09-25 18:24 UTC (permalink / raw)
To: openembedded-core
Sona,
On 09/16/2015 07:31 AM, Sona Sarmadi wrote:
> Fixes heap-based buffer overflow flaw in grep.
> Affected versions are: grep 2.19 through 2.21
>
> Removed THANKS.in changes from upstream patch since this
> file does not exist in version 2.19.
> Replaced tab with spaces in SRC_URI as well.
thanks,
merge to akuster/dizzy-next
-armin
>
> Upstream fix:
> http://git.sv.gnu.org/cgit/grep.git/commit/?id=
> 83a95bd8c8561875b948cadd417c653dbe7ef2e2
>
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> ---
> .../grep/grep-2.19/grep2.19-CVE-2015-1345.patch | 129 +++++++++++++++++++++
> meta/recipes-extended/grep/grep_2.19.bb | 4 +-
> 2 files changed, 132 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
>
> diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
> new file mode 100644
> index 0000000..32846f5
> --- /dev/null
> +++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
> @@ -0,0 +1,129 @@
> +From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
> +From: Yuliy Pisetsky <ypisetsky@fb.com>
> +Date: Thu, 01 Jan 2015 23:36:55 +0000
> +Subject: grep -F: fix a heap buffer (read) overrun
> +
> +grep's read buffer is often filled to its full size, except when
> +reading the final buffer of a file. In that case, the number of
> +bytes read may be far less than the size of the buffer. However, for
> +certain unusual pattern/text combinations, grep -F would mistakenly
> +examine bytes in that uninitialized region of memory when searching
> +for a match. With carefully chosen inputs, one can cause grep -F to
> +read beyond the end of that buffer altogether. This problem arose via
> +commit v2.18-90-g73893ff with the introduction of a more efficient
> +heuristic using what is now the memchr_kwset function. The use of
> +that function in bmexec_trans could leave TP much larger than EP,
> +and the subsequent call to bm_delta2_search would mistakenly access
> +beyond end of the main input read buffer.
> +
> +* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
> +do not call bm_delta2_search.
> +* tests/kwset-abuse: New file.
> +* tests/Makefile.am (TESTS): Add it.
> +* NEWS (Bug fixes): Mention it.
> +
> +Prior to this patch, this command would trigger a UMR:
> +
> + printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
> +
> + Use of uninitialised value of size 8
> + at 0x4142BE: bmexec_trans (kwset.c:657)
> + by 0x4143CA: bmexec (kwset.c:678)
> + by 0x414973: kwsexec (kwset.c:848)
> + by 0x414DC4: Fexecute (kwsearch.c:128)
> + by 0x404E2E: grepbuf (grep.c:1238)
> + by 0x4054BF: grep (grep.c:1417)
> + by 0x405CEB: grepdesc (grep.c:1645)
> + by 0x405EC1: grep_command_line_arg (grep.c:1692)
> + by 0x4077D4: main (grep.c:2570)
> +
> +See the accompanying test for how to trigger the heap buffer overrun.
> +
> +Thanks to Nima Aghdaii for testing and finding numerous
> +ways to break early iterations of this patch.
> +
> +Fixes CVE-2015-1345.
> +Upstream-Status: Backport
> +
> +---
> +diff --git a/NEWS b/NEWS
> +index 975440d..3835d8d 100644
> +--- a/NEWS
> ++++ b/NEWS
> +@@ -2,6 +2,11 @@ GNU grep NEWS -*- outline -*-
> +
> + * Noteworthy changes in release ?.? (????-??-??) [?]
> +
> ++** Bug fixes
> ++
> ++ grep no longer reads from uninitialized memory or from beyond the end
> ++ of the heap-allocated input buffer.
> ++
> +
> + * Noteworthy changes in release 2.21 (2014-11-23) [stable]
> +
> +diff --git a/src/kwset.c b/src/kwset.c
> +index 4003c8d..376f7c3 100644
> +--- a/src/kwset.c
> ++++ b/src/kwset.c
> +@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
> + if (! tp)
> + return -1;
> + tp++;
> ++ if (ep <= tp)
> ++ break;
> + }
> + }
> + }
> +diff --git a/tests/Makefile.am b/tests/Makefile.am
> +index 2cba2cd..0508cd2 100644
> +--- a/tests/Makefile.am
> ++++ b/tests/Makefile.am
> +@@ -75,6 +75,7 @@ TESTS = \
> + inconsistent-range \
> + invalid-multibyte-infloop \
> + khadafy \
> ++ kwset-abuse \
> + long-line-vs-2GiB-read \
> + match-lines \
> + max-count-overread \
> +diff --git a/tests/kwset-abuse b/tests/kwset-abuse
> +new file mode 100755
> +index 0000000..6d8ec0c
> +--- a/dev/null
> ++++ b/tests/kwset-abuse
> +@@ -0,0 +1,32 @@
> ++#! /bin/sh
> ++# Evoke a segfault in a hard-to-reach code path of kwset.c.
> ++# This bug affected grep versions 2.19 through 2.21.
> ++#
> ++# Copyright (C) 2015 Free Software Foundation, Inc.
> ++#
> ++# This program is free software: you can redistribute it and/or modify
> ++# it under the terms of the GNU General Public License as published by
> ++# the Free Software Foundation, either version 3 of the License, or
> ++# (at your option) any later version.
> ++
> ++# This program is distributed in the hope that it will be useful,
> ++# but WITHOUT ANY WARRANTY; without even the implied warranty of
> ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> ++# GNU General Public License for more details.
> ++
> ++# You should have received a copy of the GNU General Public License
> ++# along with this program. If not, see <http://www.gnu.org/licenses/>.
> ++
> ++. "${srcdir=.}/init.sh"; path_prepend_ ../src
> ++
> ++fail=0
> ++
> ++# This test case chooses a haystack of size 260,000, since prodding
> ++# with gdb showed a reallocation slightly larger than that in fillbuf.
> ++# To reach the buggy code, the needle must have length < 1/11 that of
> ++# the haystack, and 10,000 is a nice round number that fits the bill.
> ++printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
> ++
> ++test $? = 1 || fail=1
> ++
> ++Exit $fail
> +--
> +cgit v0.9.0.2
> diff --git a/meta/recipes-extended/grep/grep_2.19.bb b/meta/recipes-extended/grep/grep_2.19.bb
> index 9c162cc..d60ce5e 100644
> --- a/meta/recipes-extended/grep/grep_2.19.bb
> +++ b/meta/recipes-extended/grep/grep_2.19.bb
> @@ -5,7 +5,9 @@ SECTION = "console/utils"
> LICENSE = "GPLv3"
> LIC_FILES_CHKSUM = "file://COPYING;md5=8006d9c814277c1bfc4ca22af94b59ee"
>
> -SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz"
> +SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz \
> + file://grep2.19-CVE-2015-1345.patch \
> + "
>
> SRC_URI[md5sum] = "ac732142227d9fe9567d71301e127979"
> SRC_URI[sha256sum] = "6388295be48cfcaf7665d9cd3914e6625ea000e9414132bfefd45cf1d8eec34d"
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-09-25 18:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-09-16 14:31 [PATCH][dizzy] grep2.19: CVE-2015-1345 Sona Sarmadi
2015-09-25 18:24 ` akuster808
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.