!49 fix CVE-2025-0838

From: @xinghe_1 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock

0001-add-loongarch-suopport-for-abseil-cpp.patch

@@ -1,34 +1,37 @@
-From a8c98703c8b7b1fc3ae104dce0bfd05dc92a1d7d Mon Sep 17 00:00:00 2001
-From: Wenlong Zhang <zhangwenlong@loongson.cn> Huang Yang <huangyang@loongson.cn>
-Date: Mon, 14 Nov 2022 11:48:49 +0000
+From 560380189ff29687e011eada93774af59452f2c5 Mon Sep 17 00:00:00 2001
+From: Wenlong Zhang <zhangwenlong@loongson.cn>
+Date: Wed, 6 Mar 2024 03:28:59 +0000
 Subject: [PATCH] add loongarch suopport for abseil-cpp
 
-Signed-off-by: Wenlong Zhang <zhangwenlong@loongson.cn>
 ---
- absl/base/internal/direct_mmap.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ absl/base/internal/direct_mmap.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/absl/base/internal/direct_mmap.h b/absl/base/internal/direct_mmap.h
-index e492bb0..d11a64e 100644
+index 1beb2ee..80fcbbb 100644
 --- a/absl/base/internal/direct_mmap.h
 +++ b/absl/base/internal/direct_mmap.h
-@@ -79,6 +79,7 @@ inline void* DirectMmap(void* start, size_t length, int prot, int flags, int fd,
-     (defined(__mips__) && _MIPS_SIM == _MIPS_SIM_ABI32) ||                   \
+@@ -80,7 +80,8 @@ inline void* DirectMmap(void* start, size_t length, int prot, int flags, int fd,
      (defined(__PPC__) && !defined(__PPC64__)) ||                             \
      (defined(__riscv) && __riscv_xlen == 32) ||                              \
-+    defined(__loongarch64)	||					     \
      (defined(__s390__) && !defined(__s390x__)) ||                            \
-     (defined(__sparc__) && !defined(__arch64__))
+-    (defined(__sparc__) && !defined(__arch64__))
++    (defined(__sparc__) && !defined(__arch64__)) ||                          \
++    defined(__loongarch64)
    // On these architectures, implement mmap with mmap2.
-@@ -100,7 +101,7 @@ inline void* DirectMmap(void* start, size_t length, int prot, int flags, int fd,
-   return __mmap2(start, length, prot, flags, fd, offset / pagesize);
+   static int pagesize = 0;
+   if (pagesize == 0) {
+@@ -99,6 +100,10 @@ inline void* DirectMmap(void* start, size_t length, int prot, int flags, int fd,
+   // Workaround by invoking __mmap2() instead.
+   return __mmap2(start, length, prot, flags, fd,
+                  static_cast<size_t>(offset / pagesize));
++#elif defined(__loongarch64)
++  return reinterpret_cast<void*>(
++      syscall(SYS_mmap, start, length, prot, flags, fd,
++              static_cast<unsigned long>(offset / pagesize)));  // NOLINT
  #else
    return reinterpret_cast<void*>(
--      syscall(SYS_mmap2, start, length, prot, flags, fd,
-+      syscall(SYS_mmap, start, length, prot, flags, fd,
-               static_cast<off_t>(offset / pagesize)));
- #endif
- #elif defined(__s390x__)
+       syscall(SYS_mmap2, start, length, prot, flags, fd,
 -- 
-2.33.0
+2.43.0
 

0002-PR-1644-unscaledcycleclock-remove-RISC-V-support.patch

@@ -0,0 +1,81 @@
+From 7335a36d0b5c1c597566f9aa3f458a5b6817c3b4 Mon Sep 17 00:00:00 2001
+From: aurel32 <aurelien@aurel32.net>
+Date: Fri, 22 Mar 2024 14:21:13 -0700
+Subject: [PATCH] PR #1644: unscaledcycleclock: remove RISC-V support
+
+Imported from GitHub PR https://github.com/abseil/abseil-cpp/pull/1644
+
+Starting with Linux 6.6 [1], RDCYCLE is a privileged instruction on RISC-V and can't be used directly from userland. There is a sysctl option to change that as a transition period, but it will eventually disappear.
+
+The RDTIME instruction is another less accurate alternative, however its frequency varies from board to board, and there is currently now way to get its frequency from userland [2].
+
+Therefore this patch just removes the code for unscaledcycleclock on RISC-V. Without processor specific implementation, abseil relies on std::chrono::steady_clock::now().time_since_epoch() which is basically a wrapper around clock_gettime (CLOCK_MONOTONIC), which in turns use __vdso_clock_gettime(). On RISC-V this VDSO is just a wrapper around RDTIME correctly scaled to use nanoseconds units.
+
+This fixes the testsuite on riscv64, tested on a VisionFive 2 board.
+
+[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc4c07c89aada16229084eeb93895c95b7eabaa3
+[2] https://github.com/abseil/abseil-cpp/pull/1631
+Merge 43356a2548cfde76e164d446cb69004b488c6a71 into 76f8011beabdaee872b5fde7546e02407b220cb1
+
+Merging this change closes #1644
+
+COPYBARA_INTEGRATE_REVIEW=https://github.com/abseil/abseil-cpp/pull/1644 from aurel32:rv64-no-unscaledcycleclock 43356a2548cfde76e164d446cb69004b488c6a71
+PiperOrigin-RevId: 618286262
+Change-Id: Ie4120a727e7d0bb185df6e06ea145c780ebe6652
+---
+ absl/base/internal/unscaledcycleclock.cc       | 12 ------------
+ absl/base/internal/unscaledcycleclock_config.h |  8 ++++----
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/absl/base/internal/unscaledcycleclock.cc b/absl/base/internal/unscaledcycleclock.cc
+index 05e0e7ba..a0bf3a65 100644
+--- a/absl/base/internal/unscaledcycleclock.cc
++++ b/absl/base/internal/unscaledcycleclock.cc
+@@ -121,18 +121,6 @@ double UnscaledCycleClock::Frequency() {
+   return aarch64_timer_frequency;
+ }
+ 
+-#elif defined(__riscv)
+-
+-int64_t UnscaledCycleClock::Now() {
+-  int64_t virtual_timer_value;
+-  asm volatile("rdcycle %0" : "=r"(virtual_timer_value));
+-  return virtual_timer_value;
+-}
+-
+-double UnscaledCycleClock::Frequency() {
+-  return base_internal::NominalCPUFrequency();
+-}
+-
+ #elif defined(_M_IX86) || defined(_M_X64)
+ 
+ #pragma intrinsic(__rdtsc)
+diff --git a/absl/base/internal/unscaledcycleclock_config.h b/absl/base/internal/unscaledcycleclock_config.h
+index 24b324ac..43a3dabe 100644
+--- a/absl/base/internal/unscaledcycleclock_config.h
++++ b/absl/base/internal/unscaledcycleclock_config.h
+@@ -21,8 +21,8 @@
+ 
+ // The following platforms have an implementation of a hardware counter.
+ #if defined(__i386__) || defined(__x86_64__) || defined(__aarch64__) || \
+-    defined(__powerpc__) || defined(__ppc__) || defined(__riscv) ||     \
+-    defined(_M_IX86) || (defined(_M_X64) && !defined(_M_ARM64EC))
++    defined(__powerpc__) || defined(__ppc__) || defined(_M_IX86) ||     \
++    (defined(_M_X64) && !defined(_M_ARM64EC))
+ #define ABSL_HAVE_UNSCALED_CYCLECLOCK_IMPLEMENTATION 1
+ #else
+ #define ABSL_HAVE_UNSCALED_CYCLECLOCK_IMPLEMENTATION 0
+@@ -53,8 +53,8 @@
+ #if ABSL_USE_UNSCALED_CYCLECLOCK
+ // This macro can be used to test if UnscaledCycleClock::Frequency()
+ // is NominalCPUFrequency() on a particular platform.
+-#if (defined(__i386__) || defined(__x86_64__) || defined(__riscv) || \
+-     defined(_M_IX86) || defined(_M_X64))
++#if (defined(__i386__) || defined(__x86_64__) || defined(_M_IX86) || \
++     defined(_M_X64))
+ #define ABSL_INTERNAL_UNSCALED_CYCLECLOCK_FREQUENCY_IS_CPU_FREQUENCY
+ #endif
+ #endif
+-- 
+2.39.2
+

abseil-cpp.spec

@@ -6,17 +6,17 @@
 
 Name:           abseil-cpp
 Version:        20230802.1
-Release:        1
+Release:        6
 Summary:        C++ Common Libraries
 
-License:        Apache-2.0 AND LicenseRef-Fedora-Public-Domain
+License:        Apache-2.0
 URL:            https://abseil.io
 Source0:        https://github.com/abseil/abseil-cpp/archive/%{version}/%{name}-%{version}.tar.gz
 
 Patch1:         abseil-cpp-20210324.2-sw.patch
-%ifarch loongarch64
 Patch100:	0001-add-loongarch-suopport-for-abseil-cpp.patch
-%endif
+Patch101:       0002-PR-1644-unscaledcycleclock-remove-RISC-V-support.patch
+Patch102:       backport-CVE-2025-0838.patch
 
 BuildRequires:  cmake ninja-build
 BuildRequires:  gcc-c++
@@ -51,7 +51,9 @@ Development headers for %{name}
 %build
 %cmake -S %{_vpath_srcdir} -B  %{_vpath_builddir} -GNinja \
       -DCMAKE_BUILD_TYPE:STRING=None \
-      -DCMAKE_CXX_STANDARD:STRING=17
+      -DCMAKE_CXX_STANDARD:STRING=17 \
+      -DCMAKE_SHARED_LINKER_FLAGS="-Wl,--as-needed" \
+      -DCMAKE_BUILD_TYPE=RelWithDebInfo
 
 %__cmake --build %{_vpath_builddir} %{?_smp_mflags} --verbose
 
@@ -156,6 +158,36 @@ DESTDIR="%{buildroot}" %__cmake --install "%{_vpath_builddir}"
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Mon Feb 24 2025 xinghe <xinghe2@h-partners.com> - 20230802.1-6
+- Type:cves
+- CVE:CVE-2025-0838
+- SUG:NA
+- DESC:fix CVE-2025-0838
+
+* Thu Aug 01 2024 xinghe <xinghe2@h-partners.com> - 20230802.1-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix license
+
+* Fri May 31 2024 laokz <zhangkai@iscas.ac.cn> - 20230802.1-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Fix riscv64 'rdcycle' illegal instructor error
+
+* Wed Mar  6 2024 Wenlong Zhang <zhangwenlong@loongson.cn> - 20230802.1-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Fix build error for loongarch64
+
+* Tue Jan 23 2024 xinghe <xinghe2@h-partners.com> - 20230802.1-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:optimize redundant dependence
+
 * Mon Dec 25 2023 xinghe <xinghe2@h-partners.com> - 20230802.1-1
 - Type:requirement
 - ID:NA

backport-CVE-2025-0838.patch

@@ -0,0 +1,110 @@
+From 3c4b18dc14949d1c6dac8bae2e459c71b21e3416 Mon Sep 17 00:00:00 2001
+From: Derek Mauro <dmauro@google.com>
+Date: Wed, 22 Jan 2025 15:58:56 -0500
+Subject: [PATCH] Fix potential integer overflow in hash container
+ create/resize
+
+The sized constructors, reserve(), and rehash() methods of
+absl::{flat,node}_hash_{set,map} did not impose an upper bound on
+their size argument. As a result, it was possible for a caller to pass
+a very large size that would cause an integer overflow when computing
+the size of the container's backing store. Subsequent accesses to the
+container might then access out-of-bounds memory.
+
+The fix is in two parts:
+
+1) Update max_size() to return the maximum number of items that can be
+stored in the container
+
+2) Validate the size arguments to the constructors, reserve(), and
+rehash() methods, and abort the program when the argument is invalid
+
+We've looked at uses of these containers in Google codebases like
+Chrome, and determined this vulnerability is likely to be difficult to
+exploit. This is primarily because container sizes are rarely
+attacker-controlled.
+
+The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
+
+Conflict: remove absl/base/config.h
+Reference: https://github.com/abseil/abseil-cpp/commit/3c4b18dc14949d1c6dac8bae2e459c71b21e3416
+---
+ absl/base/config.h                           |  2 +-
+ absl/container/internal/raw_hash_set.h       | 16 +++++++++++++++-
+ absl/container/internal/raw_hash_set_test.cc |  8 ++++++++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h
+index 5f89d8efee6..92b93453314 100644
+--- a/absl/container/internal/raw_hash_set.h
++++ b/absl/container/internal/raw_hash_set.h
+@@ -1076,6 +1076,12 @@ inline size_t NormalizeCapacity(size_t n) {
+   return n ? ~size_t{} >> countl_zero(n) : 1;
+ }
+ 
++template <size_t kSlotSize>
++size_t MaxValidCapacity() {
++  return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
++                           kSlotSize);
++}
++
+ // General notes on capacity/growth methods below:
+ // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
+ //   average of two empty slots per group.
+@@ -1717,6 +1723,8 @@ class raw_hash_set {
+       const allocator_type& alloc = allocator_type())
+       : settings_(CommonFields{}, hash, eq, alloc) {
+     if (bucket_count) {
++      ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity<sizeof(slot_type)>(),
++                     "Hash table size overflow");
+       common().set_capacity(NormalizeCapacity(bucket_count));
+       initialize_slots();
+     }
+@@ -1916,7 +1924,10 @@ class raw_hash_set {
+   bool empty() const { return !size(); }
+   size_t size() const { return common().size(); }
+   size_t capacity() const { return common().capacity(); }
+-  size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
++  size_t max_size() const {
++    return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
++  }
++
+ 
+   ABSL_ATTRIBUTE_REINITIALIZES void clear() {
+     // Iterating over this container is O(bucket_count()). When bucket_count()
+@@ -2266,6 +2277,8 @@ class raw_hash_set {
+     auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size()));
+     // n == 0 unconditionally rehashes as per the standard.
+     if (n == 0 || m > capacity()) {
++      ABSL_RAW_CHECK(m <= MaxValidCapacity<sizeof(slot_type)>(),
++                     "Hash table size overflow");
+       resize(m);
+ 
+       // This is after resize, to ensure that we have completed the allocation
+@@ -2276,6 +2289,7 @@ class raw_hash_set {
+ 
+   void reserve(size_t n) {
+     if (n > size() + growth_left()) {
++      ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow");
+       size_t m = GrowthToLowerboundCapacity(n);
+       resize(NormalizeCapacity(m));
+ 
+diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc
+index 242a97cbe3f..d5d5f3934da 100644
+--- a/absl/container/internal/raw_hash_set_test.cc
++++ b/absl/container/internal/raw_hash_set_test.cc
+@@ -2510,6 +2510,14 @@ TEST(Iterator, InvalidComparisonDifferentTables) {
+                             "Invalid iterator comparison.*non-end");
+ }
+ 
++TEST(Table, MaxSizeOverflow) {
++  size_t overflow = (std::numeric_limits<size_t>::max)();
++  EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
++  IntTable t;
++  EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
++  EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
++}
++
+ }  // namespace
+ }  // namespace container_internal
+ ABSL_NAMESPACE_END