Add security fix for CVE-2021-43618

Message ID	20211122114442.20032-1-pavel@zhukoff.net
State	New
Headers	show Return-Path: <pavel@zhukoff.net> ip: 5.45.198.249, mailfrom: pavel@zhukoff.net) From: Pavel Zhukov <pavel@zhukoff.net> To: openembedded-core@lists.openembedded.org Cc: Pavel Zhukov <pavel.zhukov@huawei.com>, pavel@zhukoff.net Subject: [PATCH] Add security fix for CVE-2021-43618 Date: Mon, 22 Nov 2021 12:44:43 +0100 Message-Id: <20211122114442.20032-1-pavel@zhukoff.net> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	Add security fix for CVE-2021-43618 \| expand Add security fix for CVE-2021-43618

Message ID

20211122114442.20032-1-pavel@zhukoff.net

State

New

Headers

From: Pavel Zhukov <pavel@zhukoff.net>
To: openembedded-core@lists.openembedded.org
Cc: Pavel Zhukov <pavel.zhukov@huawei.com>,
	pavel@zhukoff.net
Subject: [PATCH] Add security fix for CVE-2021-43618
Date: Mon, 22 Nov 2021 12:44:43 +0100
Message-Id: <20211122114442.20032-1-pavel@zhukoff.net>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

Add security fix for CVE-2021-43618 | expand

Commit Message

Pavel Zhukov Nov. 22, 2021, 11:44 a.m. UTC

From: Pavel Zhukov <pavel.zhukov@huawei.com>

Fix mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input,
leading to a segmentation fault on 32-bit platforms.

References: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
References: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html
References: https://bugs.debian.org/994405

Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
---
 .../gmp/gmp/CVE-2021-43618.patch              | 25 +++++++++++++++++++
 meta/recipes-support/gmp/gmp_6.2.1.bb         |  1 +
 2 files changed, 26 insertions(+)
 create mode 100644 meta/recipes-support/gmp/gmp/CVE-2021-43618.patch

diff --git a/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch b/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch
new file mode 100644
index 0000000000..f741972439
--- /dev/null
+++ b/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch
@@ -0,0 +1,25 @@ 
+
+# HG changeset patch
+# User Marco Bodrato <bodrato@mail.dm.unipi.it>
+# Date 1634836009 -7200
+# Node ID 561a9c25298e17bb01896801ff353546c6923dbd
+# Parent  e1fd9db13b475209a864577237ea4b9105b3e96e
+mpz/inp_raw.c: Avoid bit size overflows
+
+diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c
+--- a/mpz/inp_raw.c	Tue Dec 22 23:49:51 2020 +0100
++++ b/mpz/inp_raw.c	Thu Oct 21 19:06:49 2021 +0200
+@@ -88,8 +88,11 @@
+ 
+   abs_csize = ABS (csize);
+ 
++  if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
++    return 0; /* Bit size overflows */
++
+   /* round up to a multiple of limbs */
+-  abs_xsize = BITS_TO_LIMBS (abs_csize*8);
++  abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
+ 
+   if (abs_xsize != 0)
+     {
+
diff --git a/meta/recipes-support/gmp/gmp_6.2.1.bb b/meta/recipes-support/gmp/gmp_6.2.1.bb
index d5996abd00..7c12a97228 100644
--- a/meta/recipes-support/gmp/gmp_6.2.1.bb
+++ b/meta/recipes-support/gmp/gmp_6.2.1.bb
@@ -12,6 +12,7 @@  SRC_URI = "https://gmplib.org/download/${BPN}/${BP}${REVISION}.tar.bz2 \
            file://use-includedir.patch \
            file://0001-Append-the-user-provided-flags-to-the-auto-detected-.patch \
            file://0001-confiure.ac-Believe-the-cflags-from-environment.patch \
+           file://CVE-2021-43618.patch \
            "
 SRC_URI[md5sum] = "28971fc21cf028042d4897f02fd355ea"
 SRC_URI[sha256sum] = "eae9326beb4158c386e39a356818031bd28f3124cf915f8c5b1dc4c7a36b4d7c"

Add security fix for CVE-2021-43618

Commit Message

Patch