mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-03 01:40:07 +00:00
Code Issues Projects Releases Wiki Activity

file: fix CVE-2019-18218

Browse Source 
(From OE-Core rev: 0a1b1e88b936177344392e185fbd077622d88b3e)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ross Burton
2019-11-04 12:14:55 +00:00
committed by Richard Purdie
parent e612e9c933
commit c9a1a608f5
2 changed files with 57 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/file/file/CVE-2019-18218.patch
+55
View File
@@ -0,0 +1,55 @@
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the
number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte
out-of-bounds write).
CVE: CVE-2019-18218
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>
From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001
From: Christos Zoulas <christos@zoulas.com>
Date: Mon, 26 Aug 2019 14:31:39 +0000
Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
---
src/cdf.c | 9 ++++-----
src/cdf.h | 1 +
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/cdf.c b/src/cdf.c
index 9d6396742..bb81d6374 100644
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
goto out;
}
nelements = CDF_GETUINT32(q, 1);
- if (nelements == 0) {
- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
+ DPRINTF(("CDF_VECTOR with nelements == %"
+ SIZE_T_FORMAT "u\n", nelements));
goto out;
}
slen = 2;
@@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
goto out;
inp += nelem;
}
- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
- nelements));
for (j = 0; j < nelements && i < sh.sh_properties;
j++, i++)
{
diff --git a/src/cdf.h b/src/cdf.h
index 2f7e554b7..05056668f 100644
--- a/src/cdf.h
+++ b/src/cdf.h
@@ -48,6 +48,7 @@
typedef int32_t cdf_secid_t;
#define CDF_LOOP_LIMIT 10000
+#define CDF_ELEMENT_LIMIT 100000
#define CDF_SECID_NULL 0
#define CDF_SECID_FREE -1
meta/recipes-devtools/file/file_5.36.bb
+2 -1
View File
@@ -14,7 +14,8 @@ DEPENDS_class-native = "zlib-native"
# Blacklist a bogus tag in upstream check # Blacklist a bogus tag in upstream check
UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)" UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
SRC_URI = "git://github.com/file/file.git" SRC_URI = "git://github.com/file/file.git \
file://CVE-2019-18218.patch"
SRCREV = "f3a4b9ada3ca99e62c62b9aa78eee4935a8094fe" SRCREV = "f3a4b9ada3ca99e62c62b9aa78eee4935a8094fe"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"