wok-current view glibc/stuff/glibc-2.28-CVE-2024-2961.patch @ rev 25699

Patch glibc CVE-2024-2961
author Stanislas Leduc <shann@slitaz.org>
date Thu Apr 18 21:07:29 2024 +0000 (5 weeks ago)
parents
children 48865289e466
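--- a/iconvdata/Makefile
+++ b/iconvdata/Makefile
@@ -73,7 +73,7 @@
 ifeq (yes,$(build-shared))
 tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
 tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
- bug-iconv10 bug-iconv11 bug-iconv12
+ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-iso-2022-cn-ext
 ifeq ($(have-thread-library),yes)
 tests += bug-iconv3
 endif
@@ -316,6 +316,8 @@
 $(addprefix $(objpfx),$(modules.so))
 $(objpfx)bug-iconv12.out: $(objpfx)gconv-modules \
 $(addprefix $(objpfx),$(modules.so))
+$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \
+ $(addprefix $(objpfx),$(modules.so))
 $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
 $(addprefix $(objpfx),$(modules.so)) \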
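Review bot: The new `tst-iconv-iso-2022-cn-ext.out` rule takes its first prerequisite from `$(addprefix $(objpfx), $(gconv-modules))`, while every neighbouring rule in this hunk names `$(objpfx)gconv-modules` directly. If the `gconv-modules` variable is not defined in this 2.28 tree (its definition is not visible here), the expansion is empty and the test may run before the module configuration has been generated, so the regression test for the bounds check could fail or pass for the wrong reason. Matching the neighbours avoids that: `$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(objpfx)gconv-modules \`.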
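diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c
index 947b807421..34e1010bed 100644
--- a/iconvdata/iso-2022-cn-ext.c
+++ b/iconvdata/iso-2022-cn-ext.c
@@ -575,6 +575,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
 { \
 const char *escseq; \
 \
+ if (outptr + 4 > outend) \
+ { \
+ result = __GCONV_FULL_OUTPUT; \
+ break; \
+ } \
+ \
 assert (used == CNS11643_2_set); /* XXX */ \
 escseq = "*H"; \
 *outptr++ = ESC; \
@@ -588,6 +594,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
 { \
 const char *escseq; \
 \
+ if (outptr + 4 > outend) \
+ { \
+ result = __GCONV_FULL_OUTPUT; \
+ break; \
+ } \
+ \
 assert ((used >> 5) >= 3 && (used >> 5) <= 7); \
 escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2; \
 *outptr++ = ESC; \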
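Review bot: Both added guards test `outptr + 4 > outend`, which forms a pointer that can lie more than one element past the end of the output buffer before it is compared. Writing the bound as `if (outend - outptr < 4)` checks the same condition without that out-of-range pointer arithmetic, and it applies equally to the second hunk (the `"+I+J+K+L+M"` branch). The literal 4 is also unexplained; a one-line comment such as `/* The designation sequence written below needs 4 bytes.  */` would tie the guard to the writes that follow `*outptr++ = ESC;`. Those writes and the rest of the macro body lie outside both hunks, so the byte count should be confirmed against them.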
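diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c
new file mode 100644
index 0000000000..96a8765fd5
--- /dev/null
+++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c
@@ -0,0 +1,128 @@
+/* Verify ISO-2022-CN-EXT does not write out of the bounds.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <errno.h>
+#include <iconv.h>
+#include <sys/mman.h>
+
+#include <support/xunistd.h>
+#include <support/check.h>
+#include <support/support.h>
+
+/* The test sets up a two memory page buffer with the second page marked
+ PROT_NONE to trigger a fault if the conversion writes beyond the exact
+ expected amount. Then we carry out various conversions and precisely
+ place the start of the output buffer in order to trigger a SIGSEGV if the
+ process writes anywhere between 1 and page sized bytes more (only one
+ PROT_NONE page is setup as a canary) than expected. These tests exercise
+ all three of the cases in ISO-2022-CN-EXT where the converter must switch
+ character sets and may run out of buffer space while doing the
+ operation. */
+
+static int
+do_test (void)
+{
+ iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8");
+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+ char *ntf;
+ size_t ntfsize;
+ char *outbufbase;
+ {
+ int pgz = getpagesize ();
+ TEST_VERIFY_EXIT (pgz > 0);
+ ntfsize = 2 * pgz;
+
+ ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE
+ | MAP_ANONYMOUS, -1);
+ xmprotect (ntf + pgz, pgz, PROT_NONE);
+
+ outbufbase = ntf + pgz;
+ }
+
+ /* Check if SOdesignation escape sequence does not trigger an OOB write. */
+ {
+ char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2";
+
+ for (int i = 0; i < 9; i++)
+ {
+ char *inp = inbuf;
+ size_t inleft = sizeof (inbuf) - 1;
+
+ char *outp = outbufbase - i;
+ size_t outleft = i;
+
+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
+ == (size_t) -1);
+ TEST_COMPARE (errno, E2BIG);
+
+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
+ }
+ }
+
+ /* Same as before for SS2designation. */
+ {
+ char inbuf[] = "ã´½ \xe3\xb4\xbd";
+
+ for (int i = 0; i < 14; i++)
+ {
+ char *inp = inbuf;
+ size_t inleft = sizeof (inbuf) - 1;
+
+ char *outp = outbufbase - i;
+ size_t outleft = i;
+
+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
+ == (size_t) -1);
+ TEST_COMPARE (errno, E2BIG);
+
+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
+ }
+ }
+
+ /* Same as before for SS3designation. */
+ {
+ char inbuf[] = "å \xe5\x8a\x84";
+
+ for (int i = 0; i < 14; i++)
+ {
+ char *inp = inbuf;
+ size_t inleft = sizeof (inbuf) - 1;
+
+ char *outp = outbufbase - i;
+ size_t outleft = i;
+
+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
+ == (size_t) -1);
+ TEST_COMPARE (errno, E2BIG);
+
+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
+ }
+ }
+
+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+ xmunmap (ntf, ntfsize);
+
+ return 0;
+}
+
+#include <support/test-driver.c>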
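Review bot: The SS2 and SS3 input strings in `do_test` begin with a raw non-ASCII character followed by `\x` escapes, so the bytes handed to `iconv` depend on how this source file is stored and transcoded; on this page that leading character is already garbled. Spelling the whole input in escapes keeps the regression test independent of file encoding, e.g. `char inbuf[] = "\xe3\xb4\xbd \xe3\xb4\xbd";` for the SS2 case, assuming the leading character is meant to be the same one written in escapes after the space. The loop bounds `9` and `14` would also benefit from a one-line comment saying how they relate to the number of output bytes each conversion needs, so a later change to the inputs does not silently stop the loops from reaching the guarded escape-sequence writes.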
185 --
186 2.39.3