From patchwork Sat May 2 19:54:38 2020
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1281747
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Gwenhael Goavec-Merou, Fabrice Fontaine
Date: Sat, 2 May 2020 21:54:38 +0200
Message-Id: <20200502195438.3358786-1-fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 1/1] package/matio: add upstream security fixes

Fix the following CVEs:

- CVE-2019-17533: Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.
- CVE-2019-20017: A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 in mat5.c in matio 1.5.17.
- CVE-2019-20018: A stack-based buffer over-read was discovered in ReadNextCell in mat5.c in matio 1.5.17.
- CVE-2019-20020: A stack-based buffer over-read was discovered in ReadNextStructField in mat5.c in matio 1.5.17.
- CVE-2019-20052: A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case.
Signed-off-by: Fabrice Fontaine --- .../0001-Avoid-uninitialized-memory.patch | 27 +++++++++++ .../0002-Fix-illegal-memory-access.patch | 47 +++++++++++++++++++ .../0003-Fix-illegal-memory-access.patch | 46 ++++++++++++++++++ package/matio/0004-Fix-memory-leak.patch | 39 +++++++++++++++ package/matio/matio.mk | 9 ++++ 5 files changed, 168 insertions(+) create mode 100644 package/matio/0001-Avoid-uninitialized-memory.patch create mode 100644 package/matio/0002-Fix-illegal-memory-access.patch create mode 100644 package/matio/0003-Fix-illegal-memory-access.patch create mode 100644 package/matio/0004-Fix-memory-leak.patch diff --git a/package/matio/0001-Avoid-uninitialized-memory.patch b/package/matio/0001-Avoid-uninitialized-memory.patch new file mode 100644 index 0000000000..01fc8f0f7d --- /dev/null +++ b/package/matio/0001-Avoid-uninitialized-memory.patch @@ -0,0 +1,27 @@ +From 651a8e28099edb5fbb9e4e1d4d3238848f446c9a Mon Sep 17 00:00:00 2001 +From: tbeu +Date: Fri, 30 Aug 2019 09:21:26 +0200 +Subject: [PATCH] Avoid uninitialized memory + +As reported by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16856 + +Signed-off-by: Fabrice Fontaine +[Retrieved from: +https://github.com/tbeu/matio/commit/651a8e28099edb5fbb9e4e1d4d3238848f446c9a] +--- + src/mat4.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/mat4.c b/src/mat4.c +index 601a3d6..93b4308 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -917,6 +917,8 @@ Mat_VarReadNextInfo4(mat_t *mat) + if ( tmp != readresult ) { + Mat_VarFree(matvar); + return NULL; ++ } else { ++ matvar->name[tmp - 1] = '\0'; + } + + matvar->internal->datapos = ftell((FILE*)mat->fp); diff --git a/package/matio/0002-Fix-illegal-memory-access.patch b/package/matio/0002-Fix-illegal-memory-access.patch new file mode 100644 index 0000000000..5150c79e29 --- /dev/null +++ b/package/matio/0002-Fix-illegal-memory-access.patch 
@@ -0,0 +1,47 @@ +From 7b4699854cc65874e13a8e6944cd8e62fa981068 Mon Sep 17 00:00:00 2001 +From: tbeu +Date: Mon, 11 Nov 2019 21:58:41 +0100 +Subject: [PATCH] Fix illegal memory access + +As reported by https://github.com/tbeu/matio/issues/128 + +Signed-off-by: Fabrice Fontaine +[Retrieved from: +https://github.com/tbeu/matio/commit/7b4699854cc65874e13a8e6944cd8e62fa981068] +--- + src/mat5.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/src/mat5.c b/src/mat5.c +index 7f50da4..b76a331 100644 +--- a/src/mat5.c ++++ b/src/mat5.c +@@ -1380,11 +1380,26 @@ ReadNextStructField( mat_t *mat, matvar_t *matvar ) + /* Rank and dimension */ + if ( uncomp_buf[0] == MAT_T_INT32 ) { + int j; ++ size_t size; + fields[i]->rank = uncomp_buf[1]; + nbytes -= fields[i]->rank; + fields[i]->rank /= 4; +- fields[i]->dims = (size_t*)malloc(fields[i]->rank* +- sizeof(*fields[i]->dims)); ++ if ( 0 == do_clean && fields[i]->rank > 13 ) { ++ int rank = fields[i]->rank; ++ fields[i]->rank = 0; ++ Mat_Critical("%d is not a valid rank", rank); ++ continue; ++ } ++ err = SafeMul(&size, fields[i]->rank, sizeof(*fields[i]->dims)); ++ if ( err ) { ++ if ( do_clean ) ++ free(dims); ++ Mat_VarFree(fields[i]); ++ fields[i] = NULL; ++ Mat_Critical("Integer multiplication overflow"); ++ continue; ++ } ++ fields[i]->dims = (size_t*)malloc(size); + if ( mat->byteswap ) { + for ( j = 0; j < fields[i]->rank; j++ ) + fields[i]->dims[j] = Mat_uint32Swap(dims+j); diff --git a/package/matio/0003-Fix-illegal-memory-access.patch b/package/matio/0003-Fix-illegal-memory-access.patch new file mode 100644 index 0000000000..787207f217 --- /dev/null +++ b/package/matio/0003-Fix-illegal-memory-access.patch 
@@ -0,0 +1,46 @@ +From 65831b7ec829b0ae0ac9d691a2f8fbc2b26af677 Mon Sep 17 00:00:00 2001 +From: tbeu +Date: Mon, 11 Nov 2019 22:03:54 +0100 +Subject: [PATCH] Fix illegal memory access + +As reported by https://github.com/tbeu/matio/issues/129 + +Signed-off-by: Fabrice Fontaine +[Retrieved from: +https://github.com/tbeu/matio/commit/65831b7ec829b0ae0ac9d691a2f8fbc2b26af677] +--- + src/mat5.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/mat5.c b/src/mat5.c +index b76a331..5e3464e 100644 +--- a/src/mat5.c ++++ b/src/mat5.c +@@ -989,10 +989,26 @@ ReadNextCell( mat_t *mat, matvar_t *matvar ) + /* Rank and Dimension */ + if ( uncomp_buf[0] == MAT_T_INT32 ) { + int j; ++ size_t size; + cells[i]->rank = uncomp_buf[1]; + nbytes -= cells[i]->rank; + cells[i]->rank /= 4; +- cells[i]->dims = (size_t*)malloc(cells[i]->rank*sizeof(*cells[i]->dims)); ++ if ( 0 == do_clean && cells[i]->rank > 13 ) { ++ int rank = cells[i]->rank; ++ cells[i]->rank = 0; ++ Mat_Critical("%d is not a valid rank", rank); ++ continue; ++ } ++ err = SafeMul(&size, cells[i]->rank, sizeof(*cells[i]->dims)); ++ if ( err ) { ++ if ( do_clean ) ++ free(dims); ++ Mat_VarFree(cells[i]); ++ cells[i] = NULL; ++ Mat_Critical("Integer multiplication overflow"); ++ continue; ++ } ++ cells[i]->dims = (size_t*)malloc(size); + if ( mat->byteswap ) { + for ( j = 0; j < cells[i]->rank; j++ ) + cells[i]->dims[j] = Mat_uint32Swap(dims + j); diff --git a/package/matio/0004-Fix-memory-leak.patch b/package/matio/0004-Fix-memory-leak.patch new file mode 100644 index 0000000000..1899d995da --- /dev/null +++ b/package/matio/0004-Fix-memory-leak.patch 
@@ -0,0 +1,39 @@ +From a47b7cd3aca70e9a0bddf8146eb4ab0cbd19c2c3 Mon Sep 17 00:00:00 2001 +From: tbeu +Date: Fri, 15 Nov 2019 23:20:41 +0100 +Subject: [PATCH] Fix memory leak + +As reported by https://github.com/tbeu/matio/issues/131 + +Signed-off-by: Fabrice Fontaine +[Retrieved from: +https://github.com/tbeu/matio/commit/a47b7cd3aca70e9a0bddf8146eb4ab0cbd19c2c3] +--- + src/mat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/mat.c b/src/mat.c +index c9c6bd1..e62a9d2 100644 +--- a/src/mat.c ++++ b/src/mat.c +@@ -220,6 +220,11 @@ int SafeMulDims(const matvar_t *matvar, size_t* nelems) + { + int i; + ++ if ( matvar->rank == 0 ) { ++ *nelems = 0; ++ return 0; ++ } ++ + for ( i = 0; i < matvar->rank; i++ ) { + if ( !psnip_safe_size_mul(nelems, *nelems, matvar->dims[i]) ) { + *nelems = 0; +@@ -1640,7 +1645,7 @@ Mat_VarFree(matvar_t *matvar) + } + #endif + if ( NULL != matvar->internal->fieldnames && +- matvar->internal->num_fields > 0 ) { ++ matvar->internal->num_fields > 0 ) { + size_t i; + for ( i = 0; i < matvar->internal->num_fields; i++ ) { + if ( NULL != matvar->internal->fieldnames[i] ) diff --git a/package/matio/matio.mk b/package/matio/matio.mk index 8af39ce22c..b9bb476223 100644 --- a/package/matio/matio.mk +++ b/package/matio/matio.mk @@ -11,6 +11,15 @@ MATIO_LICENSE_FILES = COPYING MATIO_DEPENDENCIES = zlib MATIO_INSTALL_STAGING = YES +# 0001-Avoid-uninitialized-memory.patch +MATIO_IGNORE_CVES += CVE-2019-17533 +# 0002-Fix-illegal-memory-access.patch +MATIO_IGNORE_CVES += CVE-2019-20017 CVE-2019-20020 +# 0003-Fix-illegal-memory-access.patch +MATIO_IGNORE_CVES += CVE-2019-20017 CVE-2019-20018 +# 0004-Fix-memory-leak.patch +MATIO_IGNORE_CVES += CVE-2019-20052 + # va_copy() MATIO_CONF_ENV = ac_cv_va_copy=yes
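Review bot: the new `matvar->name[tmp - 1] = '\0';` in the else branch of `if ( tmp != readresult )` in the Mat_VarReadNextInfo4 hunk (0001) is only safe if `tmp` is at least 1 at that point; nothing in the hunk shows a lower bound on `tmp`, and with `tmp == 0` the store lands one byte before the buffer. Either point to the earlier check that excludes a zero-length name or guard the store with one. Minor: the `if` branch returns, so the `else` is unnecessary and the store can simply follow the `if` block.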
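Review bot: in the ReadNextStructField hunk (0002), `fields[i]->dims = (size_t*)malloc(size);` is still followed directly by the byteswap loop writing `fields[i]->dims[j]`, so a failed allocation becomes a NULL write; add a NULL check next to the new SafeMul check, using the same free/Mat_VarFree/continue error path. Two smaller points on the same lines: `nbytes -= fields[i]->rank;` runs before the rank is validated, so both new `continue` paths leave `nbytes` reduced by an untrusted value, and the `rank > 13` bound applies only when `0 == do_clean`, so the `do_clean` path has no rank limit beyond the multiplication overflow check; if that asymmetry is intentional, a comment should say why.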
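Review bot: the ReadNextCell hunk (0003) repeats the ReadNextStructField change line for line (the `rank > 13` test, the SafeMul call, the free/Mat_VarFree/continue error path), including the bare literal 13 in both places; factor it into one helper, or at least give 13 a named constant with a comment on where the limit comes from, so the two paths cannot drift apart. As in 0002, `cells[i]->dims = (size_t*)malloc(size);` has no NULL check before `cells[i]->dims[j] = Mat_uint32Swap(dims + j);`.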
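Review bot: the early return added to SafeMulDims in 0004 (`if ( matvar->rank == 0 ) { *nelems = 0; return 0; }`) changes the function's contract, since a rank-0 variable now reports zero elements and success instead of leaving `*nelems` untouched, but the hunk adds no comment and the function's header is outside it; document the rank-0 result where SafeMulDims is declared, and confirm that callers such as Mat_VarCalloc treat `*nelems == 0` as a valid empty variable rather than an error. Note that the loop below still multiplies into whatever `*nelems` held on entry (`psnip_safe_size_mul(nelems, *nelems, matvar->dims[i])`), so the new branch is the only path that initialises it.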
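Review bot: the second hunk in 0004 (Mat_VarFree, the `matvar->internal->num_fields > 0 ) {` line) is a whitespace-only change unrelated to the leak fix; since this is a backport, either drop it from the Buildroot patch or mention it in the patch description so reviewers do not look for a behaviour change there.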
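Review bot: in the matio.mk hunk CVE-2019-20017 is listed twice, under `# 0002-Fix-illegal-memory-access.patch` and again under `# 0003-Fix-illegal-memory-access.patch`, while the commit message places that CVE in Mat_VarReadNextInfo5, a function none of the four patches modifies. 0002 changes ReadNextStructField (CVE-2019-20020 per the message) and 0003 changes ReadNextCell (CVE-2019-20018), so each comment line should carry only its own CVE; if CVE-2019-20017 is fixed as a side effect of one of them, name which one and why, otherwise it should not be added to MATIO_IGNORE_CVES. The duplicate `+=` is harmless to make but hides the inconsistency.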
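The five fixes in this series all come down to trusting a length or rank field read from the file without checking it against the bytes actually present, the allocator's limits, or the zero case. The C below is an added example written for this page, not code from matio or from this patch: it reads a constructed name field and a constructed MAT5-style rank/dims sub-element with those checks in place, next to a helper that computes how many bytes the unchecked pattern would have read. The byte layout, the value of MAT_T_INT32, the MAX_RANK bound of 13 (borrowed from the patch, not from the MAT specification) and every function name are assumptions made for the example.

```c
/* Added example, not matio code: readers for two pieces of a MAT-style
 * variable header with the checks the fixes above are about. The layout is
 * a constructed simplification:
 *   name : [u32 namelen][namelen bytes, no terminator stored in the file]
 *   dims : [u32 tag][u32 nbytes][nbytes/4 little-endian u32 dims]
 * MAT_T_INT32's value, MAX_RANK and all function names are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAT_T_INT32 6
#define MAX_RANK    13   /* bound taken from the patch; assumed, not from the MAT spec */
typedef struct { int rank; size_t *dims; } var_t;

static uint32_t le32(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Overflow-checked multiply: 0 on success, -1 if a*b does not fit in size_t. */
static int safe_mul(size_t *out, size_t a, size_t b)
{
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Name field -> fresh NUL-terminated string, or NULL when the length field
 * is not backed by bytes in the buffer. Caller frees. */
static char *read_name(const uint8_t *buf, size_t len)
{
    uint32_t namelen; char *name;
    if (len < 4) return NULL;
    namelen = le32(buf);
    if (namelen > len - 4) return NULL;
    name = malloc((size_t)namelen + 1);   /* +1: the terminator the file omits */
    if (name == NULL) return NULL;
    memcpy(name, buf + 4, namelen);
    name[namelen] = '\0';                 /* the byte CVE-2019-17533 was missing */
    return name;
}

/* Bytes the unchecked pattern would read: rank comes straight from nbytes, never compared with len. */
static uint64_t unchecked_dims_bytes(const uint8_t *buf, size_t len)
{
    return len < 8 ? 0 : (uint64_t)(le32(buf + 4) / 4) * 4;
}

/* Bounded, overflow-checked dims reader: 0 on success (caller frees v->dims), -1 if rejected. */
static int read_dims(const uint8_t *buf, size_t len, var_t *v)
{
    uint32_t nbytes, rank, j;
    size_t need;
    v->rank = 0;
    v->dims = NULL;
    if (len < 8 || le32(buf) != MAT_T_INT32) return -1;
    nbytes = le32(buf + 4);
    rank = nbytes / 4;
    if (nbytes % 4 != 0 || rank > MAX_RANK) return -1;  /* reject absurd ranks before allocating */
    if (nbytes > len - 8) return -1;                    /* every dim must exist in the buffer */
    if (safe_mul(&need, rank, sizeof(*v->dims))) return -1;
    v->dims = malloc(need ? need : 1);                  /* valid pointer even for rank 0 */
    if (v->dims == NULL) return -1;
    for (j = 0; j < rank; j++)
        v->dims[j] = le32(buf + 8 + 4 * (size_t)j);
    v->rank = (int)rank;
    return 0;
}

/* Element count with rank == 0 handled explicitly (the case behind CVE-2019-20052): 0 ok, -1 overflow. */
static int count_elems(const var_t *v, size_t *nelems)
{
    int i;
    *nelems = v->rank == 0 ? 0 : 1;
    for (i = 0; i < v->rank; i++)
        if (safe_mul(nelems, *nelems, v->dims[i])) return -1;
    return 0;
}

/* Constructed sample fields, not taken from any real .mat file. */
static const uint8_t GOOD_NAME[]  = {4,0,0,0, 'x','y','z','w'};
static const uint8_t SHORT_NAME[] = {9,0,0,0, 'a','b'};                      /* claims 9, holds 2 */
static const uint8_t GOOD_DIMS[]  = {6,0,0,0, 8,0,0,0, 3,0,0,0, 5,0,0,0};    /* rank 2: 3 x 5 */
static const uint8_t ZERO_DIMS[]  = {6,0,0,0, 0,0,0,0};                      /* rank 0 */
static const uint8_t HUGE_DIMS[]  = {6,0,0,0, 0xFC,0xFF,0xFF,0xFF, 1,0,0,0}; /* nbytes 0xFFFFFFFC */

/* Drivers over the samples: 1 if the name round-trips; element count, or -1 if rejected. */
static int demo_name_ok(void)
{
    char *n = read_name(GOOD_NAME, sizeof GOOD_NAME);
    int ok = n != NULL && strcmp(n, "xyzw") == 0;
    free(n);
    return ok;
}
static long demo_elems(const uint8_t *buf, size_t len)
{
    var_t v;
    size_t n = 0;
    int rc = read_dims(buf, len, &v);
    if (rc == 0) rc = count_elems(&v, &n);
    free(v.dims);
    return rc == 0 ? (long)n : -1;
}
```

Any C99 compiler builds this; the sample fields are embedded, so it needs no file. The rank-0 input exercises the same case the SafeMulDims change now handles, the truncated name shows the length-versus-bytes-present check that the NUL fix depends on, and the 0xFFFFFFFC length shows that the unchecked path would attempt to read almost 4 GiB of dimensions from a 12-byte field, which is exactly the kind of over-read the two mat5.c patches bound with the rank limit and SafeMul.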