* Re: [OE-core][PATCH] busybox: fix CVE-2021-28831
[not found] <1673C8868459A69B.16683@lists.openembedded.org>
@ 2021-04-08 4:58 ` Chen Qi
0 siblings, 0 replies; 2+ messages in thread
From: Chen Qi @ 2021-04-08 4:58 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 4249 bytes --]
Sorry, please ignore this patch.
On 04/08/2021 12:46 PM, Chen Qi wrote:
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> ...ss_gunzip-Fix-DoS-if-gzip-is-corrupt.patch | 57 +++++++++++++++++++
> meta/recipes-core/busybox/busybox_1.33.0.bb | 9 ++-
> 2 files changed, 65 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
>
> diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
> new file mode 100644
> index 0000000000..e8e9a8380e
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
> @@ -0,0 +1,57 @@
> +From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
> +From: Samuel Sapalski <samuel.sapalski@nokia.com>
> +Date: Wed, 3 Mar 2021 16:31:22 +0100
> +Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
> +
> +On certain corrupt gzip files, huft_build will set the error bit on
> +the result pointer. If afterwards abort_unzip is called huft_free
> +might run into a segmentation fault or an invalid pointer to
> +free(p).
> +
> +In order to mitigate this, we check in huft_free if the error bit
> +is set and clear it before the linked list is freed.
> +
> +Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
> +Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
> +Upstream-Status: Backport
> +CVE: CVE-2021-28831
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
> + 1 file changed, 10 insertions(+), 2 deletions(-)
> +
> +diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
> +index eb3b64930..e93cd5005 100644
> +--- a/archival/libarchive/decompress_gunzip.c
> ++++ b/archival/libarchive/decompress_gunzip.c
> +@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
> + * each table.
> + * t: table to free
> + */
> ++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
> ++#define ERR_RET ((huft_t*)(uintptr_t)1)
> + static void huft_free(huft_t *p)
> + {
> + huft_t *q;
> +
> ++ /*
> ++ * If 'p' has the error bit set we have to clear it, otherwise we might run
> ++ * into a segmentation fault or an invalid pointer to free(p)
> ++ */
> ++ if (BAD_HUFT(p)) {
> ++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
> ++ }
> ++
> + /* Go through linked list, freeing from the malloced (t[-1]) address. */
> + while (p) {
> + q = (--p)->v.t;
> +@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
> + * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
> + * is given: "fixed inflate" decoder feeds us such data.
> + */
> +-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
> +-#define ERR_RET ((huft_t*)(uintptr_t)1)
> + static huft_t* huft_build(const unsigned *b, const unsigned n,
> + const unsigned s, const struct cp_ext *cp_ext,
> + unsigned *m)
> diff --git a/meta/recipes-core/busybox/busybox_1.33.0.bb b/meta/recipes-core/busybox/busybox_1.33.0.bb
> index 1a3f218bca..4fcf533aa8 100644
> --- a/meta/recipes-core/busybox/busybox_1.33.0.bb
> +++ b/meta/recipes-core/busybox/busybox_1.33.0.bb
> @@ -46,7 +46,14 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
> file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
> file://rev.cfg \
> file://pgrep.cfg \
> -"
> + file://lspci.cfg \
> + file://lsusb.cfg \
> + file://mdev.cfg \
> + file://mount-cifs.cfg \
> + file://ps-extras.cfg \
> + file://getopt.cfg \
> + file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
> + "
> SRC_URI_append_libc-musl = " file://musl.cfg "
>
> SRC_URI[tarball.sha256sum] = "d568681c91a85edc6710770cebc1e80e042ad74d305b5c2e6d57a5f3de3b8fbd"
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 5842 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* [OE-core][PATCH] busybox: fix CVE-2021-28831
@ 2021-04-08 4:46 Chen Qi
0 siblings, 0 replies; 2+ messages in thread
From: Chen Qi @ 2021-04-08 4:46 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
...ss_gunzip-Fix-DoS-if-gzip-is-corrupt.patch | 57 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.33.0.bb | 9 ++-
2 files changed, 65 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..e8e9a8380e
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,57 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+ * each table.
+ * t: table to free
+ */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ huft_t *q;
+
++ /*
++ * If 'p' has the error bit set we have to clear it, otherwise we might run
++ * into a segmentation fault or an invalid pointer to free(p)
++ */
++ if (BAD_HUFT(p)) {
++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++ }
++
+ /* Go through linked list, freeing from the malloced (t[-1]) address. */
+ while (p) {
+ q = (--p)->v.t;
+@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
+ * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
+ * is given: "fixed inflate" decoder feeds us such data.
+ */
+-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+-#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static huft_t* huft_build(const unsigned *b, const unsigned n,
+ const unsigned s, const struct cp_ext *cp_ext,
+ unsigned *m)
diff --git a/meta/recipes-core/busybox/busybox_1.33.0.bb b/meta/recipes-core/busybox/busybox_1.33.0.bb
index 1a3f218bca..4fcf533aa8 100644
--- a/meta/recipes-core/busybox/busybox_1.33.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.33.0.bb
@@ -46,7 +46,14 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
file://rev.cfg \
file://pgrep.cfg \
-"
+ file://lspci.cfg \
+ file://lsusb.cfg \
+ file://mdev.cfg \
+ file://mount-cifs.cfg \
+ file://ps-extras.cfg \
+ file://getopt.cfg \
+ file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
+ "
SRC_URI_append_libc-musl = " file://musl.cfg "
SRC_URI[tarball.sha256sum] = "d568681c91a85edc6710770cebc1e80e042ad74d305b5c2e6d57a5f3de3b8fbd"
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-08 4:48 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <1673C8868459A69B.16683@lists.openembedded.org>
2021-04-08 4:58 ` [OE-core][PATCH] busybox: fix CVE-2021-28831 Chen Qi
2021-04-08 4:46 Chen Qi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.