| Message ID | 20240123052820.50430-1-virendrak@kpit.com |
|---|---|
| State | Accepted |
| Delegated to: | Steve Sakoman |
| Headers | show |
| Series | [dunfell] opkg: Fix bad memory acces error observe in file_read_line_alloc | expand |
ACK. This is a valid bug fix backport from just after opkg_0.4.2's release. On 1/23/24 00:28, virendra thakur wrote: > [You don't often get email from thakur.virendra1810@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > > In the case of a zero length string being returned by fgets(), the condition > checking for a trailing new line would perform a bad memory access outside > of `buf`. This might happen when line with a leading null byte is read. > > Avoid this case by checking that the string has a length of at least one > byte. > > Link: https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba > > Signed-off-by: virendra thakur <virendrak@kpit.com> > --- > ...possible-bad-memory-access-in-file_r.patch | 50 +++++++++++++++++++ > meta/recipes-devtools/opkg/opkg_0.4.2.bb | 1 + > 2 files changed, 51 insertions(+) > create mode 100644 meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch > > diff --git a/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch > new file mode 100644 > index 0000000000..bec21e67f4 > --- /dev/null > +++ b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch > @@ -0,0 +1,50 @@ > +From 8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba Mon Sep 17 00:00:00 2001 > +From: Jo-Philipp Wich <jo@mein.io> > +Date: Wed, 1 Apr 2020 21:47:40 +0200 > +Subject: [PATCH 001/104] file_util.c: fix possible bad memory access in > + file_read_line_alloc() > + > +In the case of a zero length string being returned by fgets(), the condition > +checking for a trailing new line would perform a bad memory access outside > +of `buf`. This might happen when line with a leading null byte is read. > + > +Avoid this case by checking that the string has a length of at least one > +byte. Also change the unsigned int types to size_t to store length values > +while we're at it. > + > +Upstream-Status: Backport [https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba] > + > +Signed-off-by: Jo-Philipp Wich <jo@mein.io> > +Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> > +Signed-off-by: virendra thakur <virendrak@kpit.com> > +--- > + libopkg/file_util.c | 7 ++----- > + 1 file changed, 2 insertions(+), 5 deletions(-) > + > +diff --git a/libopkg/file_util.c b/libopkg/file_util.c > +index fbed7b4..ee9f59d 100644 > +--- a/libopkg/file_util.c > ++++ b/libopkg/file_util.c > +@@ -127,17 +127,14 @@ char *file_readlink_alloc(const char *file_name) > + */ > + char *file_read_line_alloc(FILE * fp) > + { > ++ size_t buf_len, line_size; > + char buf[BUFSIZ]; > +- unsigned int buf_len; > + char *line = NULL; > +- unsigned int line_size = 0; > + int got_nl = 0; > + > +- buf[0] = '\0'; > +- > + while (fgets(buf, BUFSIZ, fp)) { > + buf_len = strlen(buf); > +- if (buf[buf_len - 1] == '\n') { > ++ if (buf_len > 0 && buf[buf_len - 1] == '\n') { > + buf_len--; > + buf[buf_len] = '\0'; > + got_nl = 1; > +-- > +2.25.1 > + > diff --git a/meta/recipes-devtools/opkg/opkg_0.4.2.bb b/meta/recipes-devtools/opkg/opkg_0.4.2.bb > index 55be6547c0..3ebc27c8ee 100644 > --- a/meta/recipes-devtools/opkg/opkg_0.4.2.bb > +++ b/meta/recipes-devtools/opkg/opkg_0.4.2.bb > @@ -16,6 +16,7 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz > file://opkg.conf \ > file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \ > file://sourcedateepoch.patch \ > + file://0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch \ > file://run-ptest \ > " > > -- > 2.25.1 >
diff --git a/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch new file mode 100644 index 0000000000..bec21e67f4 --- /dev/null +++ b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch @@ -0,0 +1,50 @@ +From 8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba Mon Sep 17 00:00:00 2001 +From: Jo-Philipp Wich <jo@mein.io> +Date: Wed, 1 Apr 2020 21:47:40 +0200 +Subject: [PATCH 001/104] file_util.c: fix possible bad memory access in + file_read_line_alloc() + +In the case of a zero length string being returned by fgets(), the condition +checking for a trailing new line would perform a bad memory access outside +of `buf`. This might happen when line with a leading null byte is read. + +Avoid this case by checking that the string has a length of at least one +byte. Also change the unsigned int types to size_t to store length values +while we're at it. + +Upstream-Status: Backport [https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba] + +Signed-off-by: Jo-Philipp Wich <jo@mein.io> +Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> +Signed-off-by: virendra thakur <virendrak@kpit.com> +--- + libopkg/file_util.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/libopkg/file_util.c b/libopkg/file_util.c +index fbed7b4..ee9f59d 100644 +--- a/libopkg/file_util.c ++++ b/libopkg/file_util.c +@@ -127,17 +127,14 @@ char *file_readlink_alloc(const char *file_name) + */ + char *file_read_line_alloc(FILE * fp) + { ++ size_t buf_len, line_size; + char buf[BUFSIZ]; +- unsigned int buf_len; + char *line = NULL; +- unsigned int line_size = 0; + int got_nl = 0; + +- buf[0] = '\0'; +- + while (fgets(buf, BUFSIZ, fp)) { + buf_len = strlen(buf); +- if (buf[buf_len - 1] == '\n') { ++ if (buf_len > 0 && buf[buf_len - 1] == '\n') { + buf_len--; + buf[buf_len] = '\0'; + got_nl = 1; +-- +2.25.1 + diff --git a/meta/recipes-devtools/opkg/opkg_0.4.2.bb b/meta/recipes-devtools/opkg/opkg_0.4.2.bb index 55be6547c0..3ebc27c8ee 100644 --- a/meta/recipes-devtools/opkg/opkg_0.4.2.bb +++ b/meta/recipes-devtools/opkg/opkg_0.4.2.bb @@ -16,6 +16,7 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz file://opkg.conf \ file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \ file://sourcedateepoch.patch \ + file://0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch \ file://run-ptest \ "
In the case of a zero length string being returned by fgets(), the condition checking for a trailing new line would perform a bad memory access outside of `buf`. This might happen when line with a leading null byte is read. Avoid this case by checking that the string has a length of at least one byte. Link: https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba Signed-off-by: virendra thakur <virendrak@kpit.com> --- ...possible-bad-memory-access-in-file_r.patch | 50 +++++++++++++++++++ meta/recipes-devtools/opkg/opkg_0.4.2.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch