[Buildroot] [PATCH 1/1] package/gmp: fix CVE-2021-43618

[Buildroot] [PATCH 1/1] package/gmp: fix CVE-2021-43618

[Fabrice Fontaine]

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an
mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted
input, leading to a segmentation fault on 32-bit platforms.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...z-inp_raw.c-Avoid-bit-size-overflows.patch | 27 +++++++++++++++++++
 package/gmp/gmp.mk                            |  3 +++
 2 files changed, 30 insertions(+)
 create mode 100644 package/gmp/0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch

diff --git a/package/gmp/0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch b/package/gmp/0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch
new file mode 100644
index 0000000000..0003f342c3
--- /dev/null
+++ b/package/gmp/0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch
@@ -0,0 +1,27 @@
+# HG changeset patch
+# User Marco Bodrato <bodrato@mail.dm.unipi.it>
+# Date 1634836009 -7200
+# Node ID 561a9c25298e17bb01896801ff353546c6923dbd
+# Parent  e1fd9db13b475209a864577237ea4b9105b3e96e
+mpz/inp_raw.c: Avoid bit size overflows
+
+[Retrieved from: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c
+--- a/mpz/inp_raw.c	Tue Dec 22 23:49:51 2020 +0100
++++ b/mpz/inp_raw.c	Thu Oct 21 19:06:49 2021 +0200
+@@ -88,8 +88,11 @@
+ 
+   abs_csize = ABS (csize);
+ 
++  if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
++    return 0; /* Bit size overflows */
++
+   /* round up to a multiple of limbs */
+-  abs_xsize = BITS_TO_LIMBS (abs_csize*8);
++  abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
+ 
+   if (abs_xsize != 0)
+     {
+
diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
index 5e16ef1916..9b402767fd 100644
--- a/package/gmp/gmp.mk
+++ b/package/gmp/gmp.mk
@@ -14,6 +14,9 @@ GMP_CPE_ID_VENDOR = gmplib
 GMP_DEPENDENCIES = host-m4
 HOST_GMP_DEPENDENCIES = host-m4
 
+# 0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch
+GMP_IGNORE_CVES += CVE-2021-43618
+
 # GMP doesn't support assembly for coldfire or mips r6 ISA yet
 # Disable for ARM v7m since it has different asm constraints
 ifeq ($(BR2_m68k_cf)$(BR2_MIPS_CPU_MIPS32R6)$(BR2_MIPS_CPU_MIPS64R6)$(BR2_ARM_CPU_ARMV7M),y)
-- 
2.33.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/gmp: fix CVE-2021-43618

[Arnout Vandecappelle]

On 22/11/2021 23:44, Fabrice Fontaine wrote:
> GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an
> mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted
> input, leading to a segmentation fault on 32-bit platforms.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   ...z-inp_raw.c-Avoid-bit-size-overflows.patch | 27 +++++++++++++++++++
>   package/gmp/gmp.mk                            |  3 +++
>   2 files changed, 30 insertions(+)
>   create mode 100644 package/gmp/0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch
> 
> diff --git a/package/gmp/0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch b/package/gmp/0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch
> new file mode 100644
> index 0000000000..0003f342c3
> --- /dev/null
> +++ b/package/gmp/0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch
> @@ -0,0 +1,27 @@
> +# HG changeset patch
> +# User Marco Bodrato <bodrato@mail.dm.unipi.it>
> +# Date 1634836009 -7200
> +# Node ID 561a9c25298e17bb01896801ff353546c6923dbd
> +# Parent  e1fd9db13b475209a864577237ea4b9105b3e96e
> +mpz/inp_raw.c: Avoid bit size overflows
> +
> +[Retrieved from: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +
> +diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c
> +--- a/mpz/inp_raw.c	Tue Dec 22 23:49:51 2020 +0100
> ++++ b/mpz/inp_raw.c	Thu Oct 21 19:06:49 2021 +0200
> +@@ -88,8 +88,11 @@
> +
> +   abs_csize = ABS (csize);
> +
> ++  if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
> ++    return 0; /* Bit size overflows */
> ++
> +   /* round up to a multiple of limbs */
> +-  abs_xsize = BITS_TO_LIMBS (abs_csize*8);
> ++  abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
> +
> +   if (abs_xsize != 0)
> +     {
> +
> diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
> index 5e16ef1916..9b402767fd 100644
> --- a/package/gmp/gmp.mk
> +++ b/package/gmp/gmp.mk
> @@ -14,6 +14,9 @@ GMP_CPE_ID_VENDOR = gmplib
>   GMP_DEPENDENCIES = host-m4
>   HOST_GMP_DEPENDENCIES = host-m4
>   
> +# 0001-mpz-inp_raw.c-Avoid-bit-size-overflows.patch
> +GMP_IGNORE_CVES += CVE-2021-43618
> +
>   # GMP doesn't support assembly for coldfire or mips r6 ISA yet
>   # Disable for ARM v7m since it has different asm constraints
>   ifeq ($(BR2_m68k_cf)$(BR2_MIPS_CPU_MIPS32R6)$(BR2_MIPS_CPU_MIPS64R6)$(BR2_ARM_CPU_ARMV7M),y)
> 
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/gmp: fix CVE-2021-43618

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an
 > mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted
 > input, leading to a segmentation fault on 32-bit platforms.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2021.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot