All of lore.kernel.org
 help / color / mirror / Atom feed
* Re: [OE-core][PATCH] busybox: fix CVE-2021-28831
       [not found] <1673C8868459A69B.16683@lists.openembedded.org>
@ 2021-04-08  4:58 ` Chen Qi
  0 siblings, 0 replies; 2+ messages in thread
From: Chen Qi @ 2021-04-08  4:58 UTC (permalink / raw)
  To: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 4249 bytes --]

Sorry, please ignore this patch.

On 04/08/2021 12:46 PM, Chen Qi wrote:
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>   ...ss_gunzip-Fix-DoS-if-gzip-is-corrupt.patch | 57 +++++++++++++++++++
>   meta/recipes-core/busybox/busybox_1.33.0.bb   |  9 ++-
>   2 files changed, 65 insertions(+), 1 deletion(-)
>   create mode 100644 meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
>
> diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
> new file mode 100644
> index 0000000000..e8e9a8380e
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
> @@ -0,0 +1,57 @@
> +From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
> +From: Samuel Sapalski <samuel.sapalski@nokia.com>
> +Date: Wed, 3 Mar 2021 16:31:22 +0100
> +Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
> +
> +On certain corrupt gzip files, huft_build will set the error bit on
> +the result pointer. If afterwards abort_unzip is called huft_free
> +might run into a segmentation fault or an invalid pointer to
> +free(p).
> +
> +In order to mitigate this, we check in huft_free if the error bit
> +is set and clear it before the linked list is freed.
> +
> +Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
> +Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
> +Upstream-Status: Backport
> +CVE: CVE-2021-28831
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
> + 1 file changed, 10 insertions(+), 2 deletions(-)
> +
> +diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
> +index eb3b64930..e93cd5005 100644
> +--- a/archival/libarchive/decompress_gunzip.c
> ++++ b/archival/libarchive/decompress_gunzip.c
> +@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
> +  * each table.
> +  * t: table to free
> +  */
> ++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
> ++#define ERR_RET     ((huft_t*)(uintptr_t)1)
> + static void huft_free(huft_t *p)
> + {
> + 	huft_t *q;
> +
> ++	/*
> ++	 * If 'p' has the error bit set we have to clear it, otherwise we might run
> ++	 * into a segmentation fault or an invalid pointer to free(p)
> ++	 */
> ++	if (BAD_HUFT(p)) {
> ++		p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
> ++	}
> ++
> + 	/* Go through linked list, freeing from the malloced (t[-1]) address. */
> + 	while (p) {
> + 		q = (--p)->v.t;
> +@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
> +  * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
> +  * is given: "fixed inflate" decoder feeds us such data.
> +  */
> +-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
> +-#define ERR_RET     ((huft_t*)(uintptr_t)1)
> + static huft_t* huft_build(const unsigned *b, const unsigned n,
> + 			const unsigned s, const struct cp_ext *cp_ext,
> + 			unsigned *m)
> diff --git a/meta/recipes-core/busybox/busybox_1.33.0.bb b/meta/recipes-core/busybox/busybox_1.33.0.bb
> index 1a3f218bca..4fcf533aa8 100644
> --- a/meta/recipes-core/busybox/busybox_1.33.0.bb
> +++ b/meta/recipes-core/busybox/busybox_1.33.0.bb
> @@ -46,7 +46,14 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
>              file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
>              file://rev.cfg \
>              file://pgrep.cfg \
> -"
> +           file://lspci.cfg \
> +           file://lsusb.cfg \
> +           file://mdev.cfg \
> +           file://mount-cifs.cfg \
> +           file://ps-extras.cfg \
> +           file://getopt.cfg \
> +           file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
> +           "
>   SRC_URI_append_libc-musl = " file://musl.cfg "
>   
>   SRC_URI[tarball.sha256sum] = "d568681c91a85edc6710770cebc1e80e042ad74d305b5c2e6d57a5f3de3b8fbd"
>
>
> 
>


[-- Attachment #2: Type: text/html, Size: 5842 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread
* [OE-core][PATCH] busybox: fix CVE-2021-28831
@ 2021-04-08  4:46 Chen Qi
  0 siblings, 0 replies; 2+ messages in thread
From: Chen Qi @ 2021-04-08  4:46 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 ...ss_gunzip-Fix-DoS-if-gzip-is-corrupt.patch | 57 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.33.0.bb   |  9 ++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch

diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..e8e9a8380e
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,57 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+  * each table.
+  * t: table to free
+  */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET     ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ 	huft_t *q;
+ 
++	/*
++	 * If 'p' has the error bit set we have to clear it, otherwise we might run
++	 * into a segmentation fault or an invalid pointer to free(p)
++	 */
++	if (BAD_HUFT(p)) {
++		p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++	}
++
+ 	/* Go through linked list, freeing from the malloced (t[-1]) address. */
+ 	while (p) {
+ 		q = (--p)->v.t;
+@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
+  * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
+  * is given: "fixed inflate" decoder feeds us such data.
+  */
+-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+-#define ERR_RET     ((huft_t*)(uintptr_t)1)
+ static huft_t* huft_build(const unsigned *b, const unsigned n,
+ 			const unsigned s, const struct cp_ext *cp_ext,
+ 			unsigned *m)
diff --git a/meta/recipes-core/busybox/busybox_1.33.0.bb b/meta/recipes-core/busybox/busybox_1.33.0.bb
index 1a3f218bca..4fcf533aa8 100644
--- a/meta/recipes-core/busybox/busybox_1.33.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.33.0.bb
@@ -46,7 +46,14 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
            file://rev.cfg \
            file://pgrep.cfg \
-"
+           file://lspci.cfg \
+           file://lsusb.cfg \
+           file://mdev.cfg \
+           file://mount-cifs.cfg \
+           file://ps-extras.cfg \
+           file://getopt.cfg \
+           file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
+           "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
 SRC_URI[tarball.sha256sum] = "d568681c91a85edc6710770cebc1e80e042ad74d305b5c2e6d57a5f3de3b8fbd"
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-08  4:48 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <1673C8868459A69B.16683@lists.openembedded.org>
2021-04-08  4:58 ` [OE-core][PATCH] busybox: fix CVE-2021-28831 Chen Qi
2021-04-08  4:46 Chen Qi

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.