* [PATCH][dunfell 1/3] glibc: fix CVE-2020-29562
@ 2020-12-14 10:52 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 2/3] qemu: fix CVE-2020-25723 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598 Lee Chee Yang
0 siblings, 2 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-12-14 10:52 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../glibc/glibc/CVE-2020-29562.patch | 156 ++++++++++++++++++
meta/recipes-core/glibc/glibc_2.31.bb | 1 +
2 files changed, 157 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
new file mode 100644
index 0000000000..c51fb3223a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
@@ -0,0 +1,156 @@
+From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
+From: Michael Colavita <mcolavita@fb.com>
+Date: Thu, 19 Nov 2020 11:44:40 -0500
+Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
+
+Previously, in UCS4 conversion routines we limit the number of
+characters we examine to the minimum of the number of characters in the
+input and the number of characters in the output. This is not the
+correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
+an output character when we skip a code unit. Instead, track the input
+and output pointers and terminate the loop when either reaches its
+limit.
+
+This resolves assertion failures when resetting the input buffer in a step of
+iconv, which assumes that the input will be fully consumed given sufficient
+output space.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=228edd356f03bf62dcf2b1335f25d43c602ee68d]
+CVE: CVE-2020-29562
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ iconv/Makefile | 2 +-
+ iconv/gconv_simple.c | 16 ++++----------
+ iconv/tst-iconv8.c | 50 ++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 55 insertions(+), 13 deletions(-)
+ create mode 100644 iconv/tst-iconv8.c
+
+diff --git a/iconv/Makefile b/iconv/Makefile
+index 30bf996d3a..f9b51e23ec 100644
+--- a/iconv/Makefile
++++ b/iconv/Makefile
+@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
+ CFLAGS-simple-hash.c += -I../locale
+
+ tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
+- tst-iconv7 tst-iconv-mt tst-iconv-opt
++ tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
+
+ others = iconv_prog iconvconfig
+ install-others-programs = $(inst_bindir)/iconv
+diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c
+index d4797fba17..963b29f246 100644
+--- a/iconv/gconv_simple.c
++++ b/iconv/gconv_simple.c
+@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ uint32_t inval;
+
+@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ if (__glibc_unlikely (inptr[0] > 0x80))
+ {
+@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ uint32_t inval;
+
+@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct __gconv_step *step,
+ int flags = step_data->__flags;
+ const unsigned char *inptr = *inptrp;
+ unsigned char *outptr = *outptrp;
+- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
+ int result;
+- size_t cnt;
+
+- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
+ {
+ if (__glibc_unlikely (inptr[3] > 0x80))
+ {
+diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c
+new file mode 100644
+index 0000000000..0b92b19f66
+--- /dev/null
++++ b/iconv/tst-iconv8.c
+@@ -0,0 +1,50 @@
++/* Test iconv behavior on UCS4 conversions with //IGNORE.
++ Copyright (C) 2020 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++/* Derived from BZ #26923 */
++#include <errno.h>
++#include <iconv.h>
++#include <stdio.h>
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
++ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
++
++ /*
++ * Convert sequence beginning with an irreversible character into buffer that
++ * is too small.
++ */
++ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
++ char *inptr = input;
++ size_t insize = sizeof (input);
++ char output[6];
++ char *outptr = output;
++ size_t outsize = sizeof (output);
++
++ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
++ TEST_VERIFY (errno == E2BIG);
++
++ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+--
+2.27.0
+
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 3d486fbb59..3a0d60abf8 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -41,6 +41,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
file://0028-inject-file-assembly-directives.patch \
file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
+ file://CVE-2020-29562.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH][dunfell 2/3] qemu: fix CVE-2020-25723
2020-12-14 10:52 [PATCH][dunfell 1/3] glibc: fix CVE-2020-29562 Lee Chee Yang
@ 2020-12-14 10:52 ` Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598 Lee Chee Yang
1 sibling, 0 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-12-14 10:52 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2020-25723.patch | 52 +++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 067179fdeb..7a963ad57c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -51,6 +51,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
file://CVE-2019-20175.patch \
file://CVE-2020-24352.patch \
+ file://CVE-2020-25723.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
new file mode 100644
index 0000000000..e6e0f5ec30
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,52 @@
+From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 09:17:27 -0700
+Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
+
+If 'usb_packet_map' fails, we should stop to process the usb
+request.
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-Id: <20200812161727.29412-1-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
+CVE: CVE-2020-25723
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/hcd-ehci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 58cceac..4da446d 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
+ spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+ usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+ (p->qtd.token & QTD_TOKEN_IOC) != 0);
+- usb_packet_map(&p->packet, &p->sgl);
++ if (usb_packet_map(&p->packet, &p->sgl)) {
++ qemu_sglist_destroy(&p->sgl);
++ return -1;
++ }
+ p->async = EHCI_ASYNC_INITIALIZED;
+ }
+
+@@ -1453,7 +1456,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+ usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+ (itd->transact[i] & ITD_XACT_IOC) != 0);
+- usb_packet_map(&ehci->ipacket, &ehci->isgl);
++ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
++ qemu_sglist_destroy(&ehci->isgl);
++ return -1;
++ }
+ usb_handle_packet(dev, &ehci->ipacket);
+ usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+ } else {
+--
+1.8.3.1
+
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598
2020-12-14 10:52 [PATCH][dunfell 1/3] glibc: fix CVE-2020-29562 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 2/3] qemu: fix CVE-2020-25723 Lee Chee Yang
@ 2020-12-14 10:52 ` Lee Chee Yang
1 sibling, 0 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-12-14 10:52 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
fix CVE-2020-16592 & CVE-2020-16598
removed changes to Changelog in patch file
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../binutils/binutils-2.34.inc | 2 +
.../binutils/binutils/CVE-2020-16592.patch | 61 +++++++++++++++++++
.../binutils/binutils/CVE-2020-16598.patch | 32 ++++++++++
3 files changed, 95 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index b5f5a1c69a..f557fe970c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -44,5 +44,7 @@ SRC_URI = "\
file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
file://CVE-2020-0551.patch \
file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
+ file://CVE-2020-16592.patch \
+ file://CVE-2020-16598.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
new file mode 100644
index 0000000000..f5f9ccdd53
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
@@ -0,0 +1,61 @@
+From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Apr 2020 18:58:11 +0930
+Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup
+
+ PR 25823
+ * peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
+ pointer into strings that may be freed for section name, always
+ allocate a new string.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a]
+CVE: CVE-2020-16592
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ bfd/peXXigen.c | 20 ++++++++++----------
+ 1 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index b9eeb775d9b..8aa5914acd9 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
+ int unused_section_number = 0;
+ asection *sec;
+ flagword flags;
++ size_t name_len;
++ char *sec_name;
+
+ for (sec = abfd->sections; sec; sec = sec->next)
+ if (unused_section_number <= sec->target_index)
+ unused_section_number = sec->target_index + 1;
+
+- if (name == namebuf)
++ name_len = strlen (name) + 1;
++ sec_name = bfd_alloc (abfd, name_len);
++ if (sec_name == NULL)
+ {
+- name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
+- if (name == NULL)
+- {
+- _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
+- abfd);
+- return;
+- }
+- strcpy ((char *) name, namebuf);
++ _bfd_error_handler (_("%pB: out of memory creating name "
++ "for empty section"), abfd);
++ return;
+ }
++ memcpy (sec_name, name, name_len);
+
+ flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
+- sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
++ sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
+ if (sec == NULL)
+ {
+ _bfd_error_handler (_("%pB: unable to create fake empty section"),
+--
+2.27.0
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
new file mode 100644
index 0000000000..52bd925c97
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
@@ -0,0 +1,32 @@
+From ca3f923f82a079dcf441419f4a50a50f8b4b33c2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Apr 2020 10:38:16 +0930
+Subject: [PATCH] PR25840, Null pointer dereference in objdump
+
+ PR 25840
+ * debug.c (debug_class_type_samep): Don't segfault on NULL type.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2]
+CVE: CVE-2020-16598
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ binutils/debug.c | 2 ++
+ 1 files changed, 2 insertions(+)
+
+diff --git a/binutils/debug.c b/binutils/debug.c
+index 022fa4edffb..5470e155edc 100644
+--- a/binutils/debug.c
++++ b/binutils/debug.c
+@@ -3277,6 +3277,8 @@ debug_class_type_samep (struct debug_handle *info, struct debug_type_s *t1,
+ names, since that sometimes fails in the presence of
+ typedefs and we really don't care. */
+ if (strcmp (f1->name, f2->name) != 0
++ || f1->type == NULL
++ || f2->type == NULL
+ || ! debug_type_samep (info,
+ debug_get_real_type ((void *) info,
+ f1->type, NULL),
+--
+2.27.0
+
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-12-14 10:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-12-14 10:52 [PATCH][dunfell 1/3] glibc: fix CVE-2020-29562 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 2/3] qemu: fix CVE-2020-25723 Lee Chee Yang
2020-12-14 10:52 ` [PATCH][dunfell 3/3] binutils: fix CVE-2020-16592/16598 Lee Chee Yang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox