From patchwork Fri Nov 20 17:46:32 2020
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1403920
From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: Peter Korsgaard, Thomas Petazzoni
Date: Fri, 20 Nov 2020 18:46:32 +0100
Message-Id: <20201120174632.28003-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] package/musl: add upstream security fix for CVE-2020-28928

The wcsnrtombs function has been found to have multiple bugs in handling of
destination buffer size when limiting the input character count, which can
lead to an infinite loop with no forward progress (no overflow) or writing
past the end of the destination buffer.

For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/11/20/4

Signed-off-by: Peter Korsgaard
---
 ...bs-to-fix-buffer-overflow-and-other-.patch | 114 ++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 package/musl/0003-rewrite-wcsnrtombs-to-fix-buffer-overflow-and-other-.patch

diff --git a/package/musl/0003-rewrite-wcsnrtombs-to-fix-buffer-overflow-and-other-.patch b/package/musl/0003-rewrite-wcsnrtombs-to-fix-buffer-overflow-and-other-.patch
new file mode 100644
index 0000000000..2fb29940a9
--- /dev/null
+++ b/package/musl/0003-rewrite-wcsnrtombs-to-fix-buffer-overflow-and-other-.patch
@@ -0,0 +1,114 @@ +From 3ab2a4e02682df1382955071919d8aa3c3ec40d4 Mon Sep 17 00:00:00 2001 +From: Rich Felker +Date: Thu, 19 Nov 2020 17:12:43 -0500 +Subject: [PATCH] rewrite wcsnrtombs to fix buffer overflow and other bugs + +the original wcsnrtombs implementation, which has been largely +untouched since 0.5.0, attempted to build input-length-limiting +conversion on top of wcsrtombs, which only limits output length. as +best I recall, this choice was made out of a mix of disdain over +having yet another variant function to implement (added in POSIX 2008; +not standard C) and preference not to switch things around and +implement the wcsrtombs in terms of the more general new function, +probably over namespace issues. the strategy employed was to impose +output limits that would ensure the input limit wasn't exceeded, then +finish up the tail character-at-a-time. unfortunately, none of that +worked correctly. + +first, the logic in the wcsrtombs loop was wrong in that it could +easily get stuck making no forward progress, by imposing an output +limit too small to convert even one character. + +the character-at-a-time loop that followed was even worse. it made no +effort to ensure that the converted multibyte character would fit in +the remaining output space, only that there was a nonzero amount of +output space remaining. it also employed an incorrect interpretation +of wcrtomb's interface contract for converting the null character, +thereby failing to act on end of input, and remaining space accounting +was subject to unsigned wrap-around. together these errors allow +unbounded overflow of the destination buffer, controlled by input +length limit and input wchar_t string contents. + +given the extent to which this function was broken, it's plausible +that most applications that would have been rendered exploitable were +sufficiently broken not to be usable in the first place. 
however, it's +also plausible that common (especially ASCII-only) inputs succeeded in +the wcsrtombs loop, which mostly worked, while leaving the wildly +erroneous code in the second loop exposed to particular non-ASCII +inputs. + +CVE-2020-28928 has been assigned for this issue. + +Signed-off-by: Peter Korsgaard +--- + src/multibyte/wcsnrtombs.c | 46 ++++++++++++++++---------------------- + 1 file changed, 19 insertions(+), 27 deletions(-) + +diff --git a/src/multibyte/wcsnrtombs.c b/src/multibyte/wcsnrtombs.c +index 676932b5..95e25e70 100644 +--- a/src/multibyte/wcsnrtombs.c ++++ b/src/multibyte/wcsnrtombs.c +@@ -1,41 +1,33 @@ + #include ++#include ++#include + + size_t wcsnrtombs(char *restrict dst, const wchar_t **restrict wcs, size_t wn, size_t n, mbstate_t *restrict st) + { +- size_t l, cnt=0, n2; +- char *s, buf[256]; + const wchar_t *ws = *wcs; +- const wchar_t *tmp_ws; +- +- if (!dst) s = buf, n = sizeof buf; +- else s = dst; +- +- while ( ws && n && ( (n2=wn)>=n || n2>32 ) ) { +- if (n2>=n) n2=n; +- tmp_ws = ws; +- l = wcsrtombs(s, &ws, n2, 0); +- if (!(l+1)) { +- cnt = l; +- n = 0; ++ size_t cnt = 0; ++ if (!dst) n=0; ++ while (ws && wn) { ++ char tmp[MB_LEN_MAX]; ++ size_t l = wcrtomb(nn) break; ++ memcpy(dst, tmp, l); ++ } ++ dst += l; + n -= l; + } +- wn = ws ? wn - (ws - tmp_ws) : 0; +- cnt += l; +- } +- if (ws) while (n && wn) { +- l = wcrtomb(s, *ws, 0); +- if ((l+1)<=1) { +- if (!l) ws = 0; +- else cnt = l; ++ if (!*ws) { ++ ws = 0; + break; + } +- ws++; wn--; +- /* safe - this loop runs fewer than sizeof(buf) times */ +- s+=l; n-=l; ++ ws++; ++ wn--; + cnt += l; + } + if (dst) *wcs = ws; +-- +2.20.1 +
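Review bot: the dst == NULL path of the rewritten loop needs a test before this goes in. The hunk sets `if (!dst) n=0;` up front, and `dst += l;` and `n -= l;` then run on every iteration regardless of dst, so for a length-only call (POSIX says len is ignored and nothing is written when dst is a null pointer) n starts at 0 and either the `... n) break;` check that precedes the memcpy stops on the first character or n wraps around; comparing wcsnrtombs(NULL, &ws, wn, 0, &st) before and after the patch on a short string would show which. Separately, the copy of the inner hunk as it appears in this mail has lost everything between a `<` and the following `>` (both added `#include` lines have no header name and the conversion line reads `size_t l = wcrtomb(nn) break;`), so the file under package/musl should be verified byte-for-byte against upstream commit 3ab2a4e02682df1382955071919d8aa3c3ec40d4 rather than against this rendering.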
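The wcsnrtombs contract the commit message is about (honour the input limit wn, honour the output limit n, never write past dst[n-1], signal the terminating null through *wcs), expressed as an added regression check. This is not part of the Buildroot or musl patch; it runs against whichever libc it is linked with, and the multibyte case assumes a C.UTF-8 or en_US.UTF-8 locale is installed.

```c
#include <locale.h>
#include <string.h>
#include <wchar.h>

/* Constructed check, not musl or Buildroot code: the bytes past the output
 * limit are filled with a canary so any write beyond n is detected. */
enum { CANARY = 0x5a, BUFSZ = 64 };

/* Returns 0 when the libc behaves as specified for this input, else:
 * 1 wrong byte count, 2 canary clobbered past n, 3 *wcs not updated right.
 * expect_consumed == (size_t)-1 means "null reached, *wcs must be NULL". */
static int check_wcsnrtombs(const wchar_t *src, size_t wn, size_t n,
                            size_t expect_len, size_t expect_consumed)
{
    char buf[BUFSZ];
    mbstate_t st = {0};
    const wchar_t *ws = src;
    if (n > BUFSZ - 8) return -1;          /* keep room for the canary tail */
    memset(buf, CANARY, sizeof buf);
    size_t len = wcsnrtombs(buf, &ws, wn, n, &st);
    if (len != expect_len) return 1;
    for (size_t i = n; i < sizeof buf; i++) /* nothing may land beyond n */
        if ((unsigned char)buf[i] != CANARY) return 2;
    if (expect_consumed == (size_t)-1 ? ws != NULL : ws != src + expect_consumed)
        return 3;
    return 0;
}

/* Input limit, output limit and terminator handling with plain ASCII.
 * Returns 1 when every case passes. */
int ascii_cases_ok(void)
{
    setlocale(LC_CTYPE, "C");
    return check_wcsnrtombs(L"hello", 3, 16, 3, 3) == 0        /* wn cuts input */
        && check_wcsnrtombs(L"hello", 16, 3, 3, 3) == 0        /* n cuts output */
        && check_wcsnrtombs(L"hi", 16, 16, 2, (size_t)-1) == 0 /* null reached */
        && check_wcsnrtombs(L"", 16, 16, 0, (size_t)-1) == 0;
}

/* The case the old second loop got wrong: a multibyte character that does
 * not fit in the remaining space must stop the conversion, not be written.
 * Returns 1 on pass, 0 on fail, -1 if no UTF-8 locale is available. */
int utf8_cutoff_ok(void)
{
    if (!setlocale(LC_CTYPE, "C.UTF-8") && !setlocale(LC_CTYPE, "en_US.UTF-8"))
        return -1;
    /* "a" is 1 byte, U+00E9 is 2 bytes in UTF-8: with n == 2 only "a" fits */
    return check_wcsnrtombs(L"a\u00e9z", 16, 2, 1, 1) == 0;
}
```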