wok-current diff glibc/stuff/glibc-2.28-CVE-2024-2961.patch @ rev 25699
Patch glibc CVE-2024-2961
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Thu Apr 18 21:07:29 2024 +0000 (2 months ago) |
parents | |
children | 48865289e466 |
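--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/glibc/stuff/glibc-2.28-CVE-2024-2961.patch Thu Apr 18 21:07:29 2024 +0000
@@ -0,0 +1,186 @@
+--- a/iconvdata/Makefile
++++ b/iconvdata/Makefile
+@@ -73,7 +73,7 @@
+ ifeq (yes,$(build-shared))
+ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
+ tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
+- bug-iconv10 bug-iconv11 bug-iconv12
++ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-iso-2022-cn-ext
+ ifeq ($(have-thread-library),yes)
+ tests += bug-iconv3
+ endif
+@@ -316,6 +316,8 @@
+ $(addprefix $(objpfx),$(modules.so))
+ $(objpfx)bug-iconv12.out: $(objpfx)gconv-modules \
+ $(addprefix $(objpfx),$(modules.so))
++$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \
++ $(addprefix $(objpfx),$(modules.so))
+
+ $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
+ $(addprefix $(objpfx),$(modules.so)) \
+diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c
+index 947b807421..34e1010bed 100644
+--- a/iconvdata/iso-2022-cn-ext.c
++++ b/iconvdata/iso-2022-cn-ext.c
+@@ -575,6 +575,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+ { \
+ const char *escseq; \
+ \
++ if (outptr + 4 > outend) \
++ { \
++ result = __GCONV_FULL_OUTPUT; \
++ break; \
++ } \
++ \
+ assert (used == CNS11643_2_set); /* XXX */ \
+ escseq = "*H"; \
+ *outptr++ = ESC; \
+@@ -588,6 +594,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+ { \
+ const char *escseq; \
+ \
++ if (outptr + 4 > outend) \
++ { \
++ result = __GCONV_FULL_OUTPUT; \
++ break; \
++ } \
++ \
+ assert ((used >> 5) >= 3 && (used >> 5) <= 7); \
+ escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2; \
+ *outptr++ = ESC; \
+diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c
+new file mode 100644
+index 0000000000..96a8765fd5
+--- /dev/null
++++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c
+@@ -0,0 +1,128 @@
++/* Verify ISO-2022-CN-EXT does not write out of the bounds.
++ Copyright (C) 2024 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <stdio.h>
++#include <string.h>
++
++#include <errno.h>
++#include <iconv.h>
++#include <sys/mman.h>
++
++#include <support/xunistd.h>
++#include <support/check.h>
++#include <support/support.h>
++
++/* The test sets up a two memory page buffer with the second page marked
++ PROT_NONE to trigger a fault if the conversion writes beyond the exact
++ expected amount. Then we carry out various conversions and precisely
++ place the start of the output buffer in order to trigger a SIGSEGV if the
++ process writes anywhere between 1 and page sized bytes more (only one
++ PROT_NONE page is setup as a canary) than expected. These tests exercise
++ all three of the cases in ISO-2022-CN-EXT where the converter must switch
++ character sets and may run out of buffer space while doing the
++ operation. */
++
++static int
++do_test (void)
++{
++ iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8");
++ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
++
++ char *ntf;
++ size_t ntfsize;
++ char *outbufbase;
++ {
++ int pgz = getpagesize ();
++ TEST_VERIFY_EXIT (pgz > 0);
++ ntfsize = 2 * pgz;
++
++ ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE
++ | MAP_ANONYMOUS, -1);
++ xmprotect (ntf + pgz, pgz, PROT_NONE);
++
++ outbufbase = ntf + pgz;
++ }
++
++ /* Check if SOdesignation escape sequence does not trigger an OOB write. */
++ {
++ char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2";
++
++ for (int i = 0; i < 9; i++)
++ {
++ char *inp = inbuf;
++ size_t inleft = sizeof (inbuf) - 1;
++
++ char *outp = outbufbase - i;
++ size_t outleft = i;
++
++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++ == (size_t) -1);
++ TEST_COMPARE (errno, E2BIG);
++
++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++ }
++ }
++
++ /* Same as before for SS2designation. */
++ {
++ char inbuf[] = "ã´½ \xe3\xb4\xbd";
++
++ for (int i = 0; i < 14; i++)
++ {
++ char *inp = inbuf;
++ size_t inleft = sizeof (inbuf) - 1;
++
++ char *outp = outbufbase - i;
++ size_t outleft = i;
++
++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++ == (size_t) -1);
++ TEST_COMPARE (errno, E2BIG);
++
++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++ }
++ }
++
++ /* Same as before for SS3designation. */
++ {
++ char inbuf[] = "å \xe5\x8a\x84";
++
++ for (int i = 0; i < 14; i++)
++ {
++ char *inp = inbuf;
++ size_t inleft = sizeof (inbuf) - 1;
++
++ char *outp = outbufbase - i;
++ size_t outleft = i;
++
++ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++ == (size_t) -1);
++ TEST_COMPARE (errno, E2BIG);
++
++ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++ }
++ }
++
++ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
++
++ xmunmap (ntf, ntfsize);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+--
+2.39.3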
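Review bot: The second and third test inputs in tst-iconv-iso-2022-cn-ext.c, `char inbuf[] = "ã´½ \xe3\xb4\xbd";` and `char inbuf[] = "å \xe5\x8a\x84";`, embed raw non-ASCII bytes that this page already shows mis-decoded, so the test only exercises the intended input if the patch file is stored and applied byte-exactly. Assuming the leading character is meant to be the same one as the escape sequence after the space, writing both as escapes keeps the patch pure ASCII: `char inbuf[] = "\xe3\xb4\xbd \xe3\xb4\xbd";` and `char inbuf[] = "\xe5\x8a\x84 \xe5\x8a\x84";`. Separately, the iso-2022-cn-ext.c hunks add the `outptr + 4 > outend` guard to two blocks only (the `"*H"` and `"+I+J+K+L+M"` escape sequences), while the test comment speaks of three cases. The remaining SO designation block and the rest of the enclosing macro body are outside the hunks, so it is worth confirming that the 2.28 tree already has the equivalent guard there before relying on this backport.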