[dunfell,v2] json-c: Fix CVE-2020-12762

Message ID	20200831195854.3585669-1-raj.khem@gmail.com
State	New
Headers	show Received: from web01.groups.io ([66.175.222.12]) by do with esmtp (Exim 4.86_2) (envelope-from <bounce+67612+142032+3617530+8023705@lists.openembedded.org>) id 1kCpxF-0008Dq-RG for oe-patchwork@oe-patch.openembedded.org; Mon, 31 Aug 2020 19:59:01 +0000 From: "Khem Raj" <raj.khem@gmail.com> To: openembedded-core@lists.openembedded.org Cc: Khem Raj <raj.khem@gmail.com> Subject: [OE-core] [dunfell][PATCH v2] json-c: Fix CVE-2020-12762 Date: Mon, 31 Aug 2020 12:58:54 -0700 Message-Id: <20200831195854.3585669-1-raj.khem@gmail.com> MIME-Version: 1.0 Precedence: Bulk Sender: openembedded-core@lists.openembedded.org Mailing-List: list openembedded-core@lists.openembedded.org; contact openembedded-core+owner@lists.openembedded.org Content-Type: multipart/mixed; boundary="toDgOho7uYn8uEWCmLvw"

diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch b/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch new file mode 100644 index 0000000000..50674f0c5c --- /dev/null +++ b/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch @@ -0,0 +1,231 @@ +From 865b5a65199973bb63dff8e47a2f57e04fec9736 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org> +Date: Thu, 14 May 2020 12:32:30 +0200 +Subject: [PATCH] Fix CVE-2020-12762. + +This commit is a squashed backport of the following commits +on the master branch: + + * 099016b7e8d70a6d5dd814e788bba08d33d48426 + * 77d935b7ae7871a1940cd827e850e6063044ec45 + * d07b91014986900a3a75f306d302e13e005e9d67 + * 519dfe1591d85432986f9762d41d1a883198c157 + * a59d5acfab4485d5133114df61785b1fc633e0c6 +--- +CVE: CVE-2020-12762 +Upstream-Status: Backport [https://github.com/json-c/json-c/commit/865b5a65199973bb63dff8e47a2f57e04fec9736] +Signed-off-by: Khem Raj <raj.khem@gmail.com> + + arraylist.c | 3 +++ + linkhash.c | 21 ++++++++++++++------- + printbuf.c | 38 ++++++++++++++++++++++++++------------ + tests/test4.c | 30 +++++++++++++++++++++++++++++- + tests/test4.expected | 1 + + 5 files changed, 73 insertions(+), 20 deletions(-) + +diff --git a/arraylist.c b/arraylist.c +index ddeb8d4eb4..e737052e32 100644 +--- a/arraylist.c ++++ b/arraylist.c +@@ -135,6 +135,9 @@ array_list_del_idx( struct array_list *arr, size_t idx, size_t count ) + { + size_t i, stop; + ++ /* Avoid overflow in calculation with large indices. */ ++ if (idx > SIZE_T_MAX - count) ++ return -1; + stop = idx + count; + if ( idx >= arr->length || stop > arr->length ) return -1; + for ( i = idx; i < stop; ++i ) { +diff --git a/linkhash.c b/linkhash.c +index 5497061a8a..6435a154ac 100644 +--- a/linkhash.c ++++ b/linkhash.c +@@ -12,12 +12,13 @@ + + #include "config.h" + +-#include <stdio.h> +-#include <string.h> +-#include <stdlib.h> ++#include <assert.h> ++#include <limits.h> + #include <stdarg.h> + #include <stddef.h> +-#include <limits.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> + + #ifdef HAVE_ENDIAN_H + # include <endian.h> /* attempt to define endianness */ +@@ -28,8 +29,8 @@ + # include <windows.h> /* Get InterlockedCompareExchange */ + #endif + +-#include "random_seed.h" + #include "linkhash.h" ++#include "random_seed.h" + + /* hash functions */ + static unsigned long lh_char_hash(const void *k); +@@ -498,7 +499,9 @@ struct lh_table* lh_table_new(int size, + int i; + struct lh_table *t; + +- t = (struct lh_table*)calloc(1, sizeof(struct lh_table)); ++ /* Allocate space for elements to avoid divisions by zero. */ ++ assert(size > 0); ++ t = (struct lh_table *)calloc(1, sizeof(struct lh_table)); + if (!t) + return NULL; + +@@ -577,8 +580,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con + unsigned long n; + + if (t->count >= t->size * LH_LOAD_FACTOR) +- if (lh_table_resize(t, t->size * 2) != 0) ++ { ++ /* Avoid signed integer overflow with large tables. */ ++ int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2); ++ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0) + return -1; ++ } + + n = h % t->size; + +diff --git a/printbuf.c b/printbuf.c +index 6c77b5defd..6fc56de455 100644 +--- a/printbuf.c ++++ b/printbuf.c +@@ -15,6 +15,7 @@ + + #include "config.h" + ++#include <limits.h> + #include <stdio.h> + #include <stdlib.h> + #include <string.h> +@@ -64,10 +65,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) + + if (p->size >= min_size) + return 0; +- +- new_size = p->size * 2; +- if (new_size < min_size + 8) +- new_size = min_size + 8; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (min_size > INT_MAX - 8) ++ return -1; ++ if (p->size > INT_MAX / 2) ++ new_size = min_size + 8; ++ else { ++ new_size = p->size * 2; ++ if (new_size < min_size + 8) ++ new_size = min_size + 8; ++ } + #ifdef PRINTBUF_DEBUG + MC_DEBUG("printbuf_memappend: realloc " + "bpos=%d min_size=%d old_size=%d new_size=%d\n", +@@ -82,14 +89,18 @@ static int printbuf_extend(struct printbuf *p, int min_size) + + int printbuf_memappend(struct printbuf *p, const char *buf, int size) + { +- if (p->size <= p->bpos + size + 1) { +- if (printbuf_extend(p, p->bpos + size + 1) < 0) +- return -1; +- } +- memcpy(p->buf + p->bpos, buf, size); +- p->bpos += size; +- p->buf[p->bpos]= '\0'; +- return size; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (size > INT_MAX - p->bpos - 1) ++ return -1; ++ if (p->size <= p->bpos + size + 1) ++ { ++ if (printbuf_extend(p, p->bpos + size + 1) < 0) ++ return -1; ++ } ++ memcpy(p->buf + p->bpos, buf, size); ++ p->bpos += size; ++ p->buf[p->bpos] = '\0'; ++ return size; + } + + int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) +@@ -98,6 +109,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) + + if (offset == -1) + offset = pb->bpos; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (len > INT_MAX - offset) ++ return -1; + size_needed = offset + len; + if (pb->size < size_needed) + { +diff --git a/tests/test4.c b/tests/test4.c +index fc8b79dbf4..82d3f494de 100644 +--- a/tests/test4.c ++++ b/tests/test4.c +@@ -2,9 +2,11 @@ + * gcc -o utf8 utf8.c -I/home/y/include -L./.libs -ljson + */ + ++#include "config.h" ++#include <assert.h> + #include <stdio.h> ++#include <stdlib.h> + #include <string.h> +-#include "config.h" + + #include "json_inttypes.h" + #include "json_object.h" +@@ -24,6 +26,29 @@ void print_hex(const char* s) + putchar('\n'); + } + ++static void test_lot_of_adds(void); ++static void test_lot_of_adds() ++{ ++ int ii; ++ char key[50]; ++ json_object *jobj = json_object_new_object(); ++ assert(jobj != NULL); ++ for (ii = 0; ii < 500; ii++) ++ { ++ snprintf(key, sizeof(key), "k%d", ii); ++ json_object *iobj = json_object_new_int(ii); ++ assert(iobj != NULL); ++ if (json_object_object_add(jobj, key, iobj)) ++ { ++ fprintf(stderr, "FAILED to add object #%d\n", ii); ++ abort(); ++ } ++ } ++ printf("%s\n", json_object_to_json_string(jobj)); ++ assert(json_object_object_length(jobj) == 500); ++ json_object_put(jobj); ++} ++ + int main(void) + { + const char *input = "\"\\ud840\\udd26,\\ud840\\udd27,\\ud800\\udd26,\\ud800\\udd27\""; +@@ -49,5 +74,8 @@ int main(void) + retval = 1; + } + json_object_put(parse_result); ++ ++ test_lot_of_adds(); ++ + return retval; + } +diff --git a/tests/test4.expected b/tests/test4.expected +index 68d4336d90..cb2744012b 100644 +--- a/tests/test4.expected ++++ b/tests/test4.expected +@@ -1,3 +1,4 @@ + input: "\ud840\udd26,\ud840\udd27,\ud800\udd26,\ud800\udd27" + JSON parse result is correct:

[dunfell,v2] json-c: Fix CVE-2020-12762

Details

Commit Message

Patch hide | download patch | download mbox