!49 fix CVE-2025-0838

From: @xinghe_1 Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
2025-02-26 02:08:09 +00:00 · 2025-02-26 02:08:09 +00:00 · e6bde936af
commit e6bde936af
parent 8f47a889cc 551a81f130
2 changed files with 118 additions and 1 deletions
--- a/abseil-cpp.spec
+++ b/abseil-cpp.spec
@ -6,7 +6,7 @@

 Name:           abseil-cpp
 Version:        20230802.1
-Release:        5
+Release:        6
 Summary:        C++ Common Libraries

 License:        Apache-2.0
@ -16,6 +16,7 @@ Source0:        https://github.com/abseil/abseil-cpp/archive/%{version}/%{name}-
 Patch1:         abseil-cpp-20210324.2-sw.patch
 Patch100:	0001-add-loongarch-suopport-for-abseil-cpp.patch
 Patch101:       0002-PR-1644-unscaledcycleclock-remove-RISC-V-support.patch
+Patch102:       backport-CVE-2025-0838.patch

 BuildRequires:  cmake ninja-build
 BuildRequires:  gcc-c++
@ -157,6 +158,12 @@ DESTDIR="%{buildroot}" %__cmake --install "%{_vpath_builddir}"
 %{_libdir}/pkgconfig/*.pc

 %changelog
+* Mon Feb 24 2025 xinghe <xinghe2@h-partners.com> - 20230802.1-6
+- Type:cves
+- CVE:CVE-2025-0838
+- SUG:NA
+- DESC:fix CVE-2025-0838
+
 * Thu Aug 01 2024 xinghe <xinghe2@h-partners.com> - 20230802.1-5
 - Type:bugfix
 - ID:NA
--- a/backport-CVE-2025-0838.patch
+++ b/backport-CVE-2025-0838.patch
@ -0,0 +1,110 @@
+From 3c4b18dc14949d1c6dac8bae2e459c71b21e3416 Mon Sep 17 00:00:00 2001
+From: Derek Mauro <dmauro@google.com>
+Date: Wed, 22 Jan 2025 15:58:56 -0500
+Subject: [PATCH] Fix potential integer overflow in hash container
+ create/resize
+
+The sized constructors, reserve(), and rehash() methods of
+absl::{flat,node}_hash_{set,map} did not impose an upper bound on
+their size argument. As a result, it was possible for a caller to pass
+a very large size that would cause an integer overflow when computing
+the size of the container's backing store. Subsequent accesses to the
+container might then access out-of-bounds memory.
+
+The fix is in two parts:
+
+1) Update max_size() to return the maximum number of items that can be
+stored in the container
+
+2) Validate the size arguments to the constructors, reserve(), and
+rehash() methods, and abort the program when the argument is invalid
+
+We've looked at uses of these containers in Google codebases like
+Chrome, and determined this vulnerability is likely to be difficult to
+exploit. This is primarily because container sizes are rarely
+attacker-controlled.
+
+The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
+
+Conflict: remove absl/base/config.h
+Reference: https://github.com/abseil/abseil-cpp/commit/3c4b18dc14949d1c6dac8bae2e459c71b21e3416
+---
+ absl/base/config.h                           |  2 +-
+ absl/container/internal/raw_hash_set.h       | 16 +++++++++++++++-
+ absl/container/internal/raw_hash_set_test.cc |  8 ++++++++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h
+index 5f89d8efee6..92b93453314 100644
+--- a/absl/container/internal/raw_hash_set.h
+++ b/absl/container/internal/raw_hash_set.h
+@@ -1076,6 +1076,12 @@ inline size_t NormalizeCapacity(size_t n) {
+   return n ? ~size_t{} >> countl_zero(n) : 1;
+ }
+ 
+template <size_t kSlotSize>
+size_t MaxValidCapacity() {
+  return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
+                           kSlotSize);
+}
+
+ // General notes on capacity/growth methods below:
+ // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
+ //   average of two empty slots per group.
+@@ -1717,6 +1723,8 @@ class raw_hash_set {
+       const allocator_type& alloc = allocator_type())
+       : settings_(CommonFields{}, hash, eq, alloc) {
+     if (bucket_count) {
+      ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity<sizeof(slot_type)>(),
+                     "Hash table size overflow");
+       common().set_capacity(NormalizeCapacity(bucket_count));
+       initialize_slots();
+     }
+@@ -1916,7 +1924,10 @@ class raw_hash_set {
+   bool empty() const { return !size(); }
+   size_t size() const { return common().size(); }
+   size_t capacity() const { return common().capacity(); }
+-  size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
+  size_t max_size() const {
+    return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
+  }
+
+ 
+   ABSL_ATTRIBUTE_REINITIALIZES void clear() {
+     // Iterating over this container is O(bucket_count()). When bucket_count()
+@@ -2266,6 +2277,8 @@ class raw_hash_set {
+     auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size()));
+     // n == 0 unconditionally rehashes as per the standard.
+     if (n == 0 || m > capacity()) {
+      ABSL_RAW_CHECK(m <= MaxValidCapacity<sizeof(slot_type)>(),
+                     "Hash table size overflow");
+       resize(m);
+ 
+       // This is after resize, to ensure that we have completed the allocation
+@@ -2276,6 +2289,7 @@ class raw_hash_set {
+ 
+   void reserve(size_t n) {
+     if (n > size() + growth_left()) {
+      ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow");
+       size_t m = GrowthToLowerboundCapacity(n);
+       resize(NormalizeCapacity(m));
+ 
+diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc
+index 242a97cbe3f..d5d5f3934da 100644
+--- a/absl/container/internal/raw_hash_set_test.cc
+++ b/absl/container/internal/raw_hash_set_test.cc
+@@ -2510,6 +2510,14 @@ TEST(Iterator, InvalidComparisonDifferentTables) {
+                             "Invalid iterator comparison.*non-end");
+ }
+ 
+TEST(Table, MaxSizeOverflow) {
+  size_t overflow = (std::numeric_limits<size_t>::max)();
+  EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
+  IntTable t;
+  EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
+  EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
+}
+
+ }  // namespace
+ }  // namespace container_internal
+ ABSL_NAMESPACE_END