!13 fix CVE-2024-30949
From: @changtao615 Reviewed-by: @liqingqing_1229 Signed-off-by: @liqingqing_1229
This commit is contained in:
openeuler-ci-bot
Gitee
commit
741d92b816
@ -1,107 +0,0 @@
|
||||
From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001
|
||||
From: Corinna Vinschen <vinschen@redhat.com>
|
||||
Date: Tue, 17 Nov 2020 10:50:57 +0100
|
||||
Subject: [PATCH] malloc/nano-malloc: correctly check for out-of-bounds
|
||||
allocation reqs
|
||||
CVE: CVE-2021-3420
|
||||
Reference: https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e
|
||||
|
||||
The overflow check in mEMALIGn erroneously checks for INT_MAX,
|
||||
albeit the input parameter is size_t. Fix this to check for
|
||||
__SIZE_MAX__ instead. Also, it misses to check the req against
|
||||
adding the alignment before calling mALLOc.
|
||||
|
||||
While at it, add out-of-bounds checks to pvALLOc, nano_memalign,
|
||||
nano_valloc, and Cygwin's (unused) dlpvalloc.
|
||||
|
||||
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
|
||||
---
|
||||
newlib/libc/stdlib/mallocr.c | 7 ++++++-
|
||||
newlib/libc/stdlib/nano-mallocr.c | 22 +++++++++++++++++++++-
|
||||
winsup/cygwin/malloc.cc | 4 ++++
|
||||
3 files changed, 31 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
|
||||
index 26d1c89c..af877605 100644
|
||||
--- a/newlib/libc/stdlib/mallocr.c
|
||||
+++ b/newlib/libc/stdlib/mallocr.c
|
||||
@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
|
||||
nb = request2size(bytes);
|
||||
|
||||
/* Check for overflow. */
|
||||
- if (nb > INT_MAX || nb < bytes)
|
||||
+ if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes)
|
||||
{
|
||||
RERRNO = ENOMEM;
|
||||
return 0;
|
||||
@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes;
|
||||
#endif
|
||||
{
|
||||
size_t pagesize = malloc_getpagesize;
|
||||
+ if (bytes > __SIZE_MAX__ - pagesize)
|
||||
+ {
|
||||
+ RERRNO = ENOMEM;
|
||||
+ return 0;
|
||||
+ }
|
||||
return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1));
|
||||
}
|
||||
|
||||
diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c
|
||||
index 13b72c99..edf68e7a 100644
|
||||
--- a/newlib/libc/stdlib/nano-mallocr.c
|
||||
+++ b/newlib/libc/stdlib/nano-mallocr.c
|
||||
@@ -568,8 +568,22 @@ void * nano_memalign(RARG size_t align, size_t s)
|
||||
if ((align & (align-1)) != 0) return NULL;
|
||||
|
||||
align = MAX(align, MALLOC_ALIGN);
|
||||
+
|
||||
+ /* Make sure ma_size does not overflow */
|
||||
+ if (s > __SIZE_MAX__ - CHUNK_ALIGN)
|
||||
+ {
|
||||
+ RERRNO = ENOMEM;
|
||||
+ return NULL;
|
||||
+ }
|
||||
ma_size = ALIGN_TO(MAX(s, MALLOC_MINSIZE), CHUNK_ALIGN);
|
||||
- size_with_padding = ma_size + align - MALLOC_ALIGN;
|
||||
+
|
||||
+ /* Make sure size_with_padding does not overflow */
|
||||
+ if (ma_size > __SIZE_MAX__ - (align - MALLOC_ALIGN))
|
||||
+ {
|
||||
+ RERRNO = ENOMEM;
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ size_with_padding = ma_size + (align - MALLOC_ALIGN);
|
||||
|
||||
allocated = nano_malloc(RCALL size_with_padding);
|
||||
if (allocated == NULL) return NULL;
|
||||
@@ -632,6 +646,12 @@ void * nano_valloc(RARG size_t s)
|
||||
#ifdef DEFINE_PVALLOC
|
||||
void * nano_pvalloc(RARG size_t s)
|
||||
{
|
||||
+ /* Make sure size given to nano_valloc does not overflow */
|
||||
+ if (s > __SIZE_MAX__ - MALLOC_PAGE_ALIGN)
|
||||
+ {
|
||||
+ RERRNO = ENOMEM;
|
||||
+ return NULL;
|
||||
+ }
|
||||
return nano_valloc(RCALL ALIGN_TO(s, MALLOC_PAGE_ALIGN));
|
||||
}
|
||||
#endif /* DEFINE_PVALLOC */
|
||||
diff --git a/winsup/cygwin/malloc.cc b/winsup/cygwin/malloc.cc
|
||||
index 23c35407..8a1fc257 100644
|
||||
--- a/winsup/cygwin/malloc.cc
|
||||
+++ b/winsup/cygwin/malloc.cc
|
||||
@@ -5298,6 +5298,10 @@ void* dlpvalloc(size_t bytes) {
|
||||
size_t pagesz;
|
||||
ensure_initialization();
|
||||
pagesz = mparams.page_size;
|
||||
+ if (bytes > MAX_REQUEST) {
|
||||
+ MALLOC_FAILURE_ACTION;
|
||||
+ return NULL;
|
||||
+ }
|
||||
return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE));
|
||||
}
|
||||
|
||||
--
|
||||
2.33.0.windows.2
|
||||
|
||||
54
fix-CVE-2024-30949.patch
Normal file
54
fix-CVE-2024-30949.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From 5f15d7c5817b07a6b18cbab17342c95cb7b42be4 Mon Sep 17 00:00:00 2001
|
||||
From: Kuan-Wei Chiu <visitorckw@gmail.com>
|
||||
Date: Fri, 20 Sep 2024 12:44:40 +0800
|
||||
Subject: [PATCH] fix CVE-2024-30949
|
||||
|
||||
RISC-V: Fix timeval conversion in _gettimeofday()
|
||||
|
||||
Replace multiplication with division for microseconds calculation from
|
||||
nanoseconds in _gettimeofday function.
|
||||
|
||||
---
|
||||
libgloss/riscv/sys_gettimeofday.c | 23 ++++++++++++++++++++++-
|
||||
1 file changed, 22 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libgloss/riscv/sys_gettimeofday.c b/libgloss/riscv/sys_gettimeofday.c
|
||||
index 457dcbc..5379a89 100644
|
||||
--- a/libgloss/riscv/sys_gettimeofday.c
|
||||
+++ b/libgloss/riscv/sys_gettimeofday.c
|
||||
@@ -1,10 +1,31 @@
|
||||
#include <machine/syscall.h>
|
||||
#include <sys/time.h>
|
||||
+#include <stdint.h>
|
||||
#include "internal_syscall.h"
|
||||
|
||||
/* Get the current time. Only relatively correct. */
|
||||
int
|
||||
_gettimeofday(struct timeval *tp, void *tzp)
|
||||
{
|
||||
- return syscall_errno (SYS_gettimeofday, tp, 0, 0, 0, 0, 0);
|
||||
+#if __riscv_xlen == 32
|
||||
+ struct __timespec64
|
||||
+ {
|
||||
+ int64_t tv_sec; /* Seconds */
|
||||
+# if BYTE_ORDER == BIG_ENDIAN
|
||||
+ int32_t __padding; /* Padding */
|
||||
+ int32_t tv_nsec; /* Nanoseconds */
|
||||
+# else
|
||||
+ int32_t tv_nsec; /* Nanoseconds */
|
||||
+ int32_t __padding; /* Padding */
|
||||
+# endif
|
||||
+ };
|
||||
+ struct __timespec64 ts64;
|
||||
+ int rv;
|
||||
+ rv = syscall_errno (SYS_clock_gettime64, 2, 0, (long)&ts64, 0, 0, 0, 0);
|
||||
+ tp->tv_sec = ts64.tv_sec;
|
||||
+ tp->tv_usec = ts64.tv_nsec / 1000;
|
||||
+ return rv;
|
||||
+#else
|
||||
+ return syscall_errno (SYS_gettimeofday, 1, tp, 0, 0, 0, 0, 0);
|
||||
+#endif
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -2,15 +2,15 @@
|
||||
%global _newlib newlib
|
||||
Name: newlib
|
||||
Version: 3.3.0
|
||||
Release: 4
|
||||
Release: 5
|
||||
Summary: Newlib is a C library intended for use on embedded systems.
|
||||
|
||||
License: BSD
|
||||
URL: https://sourceware.org/newlib/
|
||||
Source0: ftp://sourceware.org/pub/newlib/newlib-%{version}.tar.gz
|
||||
|
||||
Patch01: Modify-neon-instruction.patch
|
||||
|
||||
Patch01: Modify-neon-instruction.patch
|
||||
Patch02: fix-CVE-2024-30949.patch
|
||||
BuildRequires: make gcc binutils texinfo texinfo-tex
|
||||
|
||||
Excludearch: loongarch64
|
||||
@ -64,6 +64,9 @@ cd ..
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Sep 25 2024 changtao <changtao@kylinos.cn> - 3.3.0-5
|
||||
- fix CVE-2024-30949
|
||||
|
||||
* Sat Jun 08 2024 yueyuankun <yueyuankun@kylinos.cn> - 3.3.0-4
|
||||
- add Excludearch: loongarch64
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user