| Message ID | 20211122115418.1352-1-pavel@zhukoff.net |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-oe,v2] gmp: Add security fix for CVE-2021-43618 | expand |
Hi Pavel, Close but you also need Upstream-Status, Signed-off-by, and CVE tags in the patch. You can see my version of this fix on the list, a few minutes before yours. :) Ross On Mon, 22 Nov 2021 at 11:54, Pavel Zhukov <pavel@zhukoff.net> wrote: > > From: Pavel Zhukov <pavel.zhukov@huawei.com> > > Fix mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, > leading to a segmentation fault on 32-bit platforms. > > References: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e > References: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html > References: https://bugs.debian.org/994405 > > Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com> > --- > .../gmp/gmp/CVE-2021-43618.patch | 25 +++++++++++++++++++ > meta/recipes-support/gmp/gmp_6.2.1.bb | 1 + > 2 files changed, 26 insertions(+) > create mode 100644 meta/recipes-support/gmp/gmp/CVE-2021-43618.patch > > diff --git a/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch b/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch > new file mode 100644 > index 0000000000..f741972439 > --- /dev/null > +++ b/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch > @@ -0,0 +1,25 @@ > + > +# HG changeset patch > +# User Marco Bodrato <bodrato@mail.dm.unipi.it> > +# Date 1634836009 -7200 > +# Node ID 561a9c25298e17bb01896801ff353546c6923dbd > +# Parent e1fd9db13b475209a864577237ea4b9105b3e96e > +mpz/inp_raw.c: Avoid bit size overflows > + > +diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c > +--- a/mpz/inp_raw.c Tue Dec 22 23:49:51 2020 +0100 > ++++ b/mpz/inp_raw.c Thu Oct 21 19:06:49 2021 +0200 > +@@ -88,8 +88,11 @@ > + > + abs_csize = ABS (csize); > + > ++ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8)) > ++ return 0; /* Bit size overflows */ > ++ > + /* round up to a multiple of limbs */ > +- abs_xsize = BITS_TO_LIMBS (abs_csize*8); > ++ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8); > + > + if (abs_xsize != 0) > + { > + > diff --git a/meta/recipes-support/gmp/gmp_6.2.1.bb b/meta/recipes-support/gmp/gmp_6.2.1.bb > index d5996abd00..7c12a97228 100644 > --- a/meta/recipes-support/gmp/gmp_6.2.1.bb > +++ b/meta/recipes-support/gmp/gmp_6.2.1.bb > @@ -12,6 +12,7 @@ SRC_URI = "https://gmplib.org/download/${BPN}/${BP}${REVISION}.tar.bz2 \ > file://use-includedir.patch \ > file://0001-Append-the-user-provided-flags-to-the-auto-detected-.patch \ > file://0001-confiure.ac-Believe-the-cflags-from-environment.patch \ > + file://CVE-2021-43618.patch \ > " > SRC_URI[md5sum] = "28971fc21cf028042d4897f02fd355ea" > SRC_URI[sha256sum] = "eae9326beb4158c386e39a356818031bd28f3124cf915f8c5b1dc4c7a36b4d7c" > -- > 2.32.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#158563): https://lists.openembedded.org/g/openembedded-core/message/158563 > Mute This Topic: https://lists.openembedded.org/mt/87233112/1676615 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ross@burtonini.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Both of your patches don't meet the OE patch guideline [1]. Just look at Ross's patch for an exmaple [2] So just in case for this one I would prefer picking Ross's patch, which seems to me does the very same [1] https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status [2] https://lists.openembedded.org/g/openembedded-core/message/158561 On 22.11.21 12:54, Pavel Zhukov wrote: > From: Pavel Zhukov <pavel.zhukov@huawei.com> > > Fix mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, > leading to a segmentation fault on 32-bit platforms. > > References: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e > References: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html > References: https://bugs.debian.org/994405 > > Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com> > --- > .../gmp/gmp/CVE-2021-43618.patch | 25 +++++++++++++++++++ > meta/recipes-support/gmp/gmp_6.2.1.bb | 1 + > 2 files changed, 26 insertions(+) > create mode 100644 meta/recipes-support/gmp/gmp/CVE-2021-43618.patch > > diff --git a/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch b/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch > new file mode 100644 > index 0000000000..f741972439 > --- /dev/null > +++ b/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch > @@ -0,0 +1,25 @@ > + > +# HG changeset patch > +# User Marco Bodrato <bodrato@mail.dm.unipi.it> > +# Date 1634836009 -7200 > +# Node ID 561a9c25298e17bb01896801ff353546c6923dbd > +# Parent e1fd9db13b475209a864577237ea4b9105b3e96e > +mpz/inp_raw.c: Avoid bit size overflows > + > +diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c > +--- a/mpz/inp_raw.c Tue Dec 22 23:49:51 2020 +0100 > ++++ b/mpz/inp_raw.c Thu Oct 21 19:06:49 2021 +0200 > +@@ -88,8 +88,11 @@ > + > + abs_csize = ABS (csize); > + > ++ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8)) > ++ return 0; /* Bit size overflows */ > ++ > + /* round up to a multiple of limbs */ > +- abs_xsize = BITS_TO_LIMBS (abs_csize*8); > ++ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8); > + > + if (abs_xsize != 0) > + { > + > diff --git a/meta/recipes-support/gmp/gmp_6.2.1.bb b/meta/recipes-support/gmp/gmp_6.2.1.bb > index d5996abd00..7c12a97228 100644 > --- a/meta/recipes-support/gmp/gmp_6.2.1.bb > +++ b/meta/recipes-support/gmp/gmp_6.2.1.bb > @@ -12,6 +12,7 @@ SRC_URI = "https://gmplib.org/download/${BPN}/${BP}${REVISION}.tar.bz2 \ > file://use-includedir.patch \ > file://0001-Append-the-user-provided-flags-to-the-auto-detected-.patch \ > file://0001-confiure.ac-Believe-the-cflags-from-environment.patch \ > + file://CVE-2021-43618.patch \ > " > SRC_URI[md5sum] = "28971fc21cf028042d4897f02fd355ea" > SRC_URI[sha256sum] = "eae9326beb4158c386e39a356818031bd28f3124cf915f8c5b1dc4c7a36b4d7c" > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#158563): https://lists.openembedded.org/g/openembedded-core/message/158563 > Mute This Topic: https://lists.openembedded.org/mt/87233112/3647476 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [kweihmann@outlook.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch b/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch new file mode 100644 index 0000000000..f741972439 --- /dev/null +++ b/meta/recipes-support/gmp/gmp/CVE-2021-43618.patch @@ -0,0 +1,25 @@ + +# HG changeset patch +# User Marco Bodrato <bodrato@mail.dm.unipi.it> +# Date 1634836009 -7200 +# Node ID 561a9c25298e17bb01896801ff353546c6923dbd +# Parent e1fd9db13b475209a864577237ea4b9105b3e96e +mpz/inp_raw.c: Avoid bit size overflows + +diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c +--- a/mpz/inp_raw.c Tue Dec 22 23:49:51 2020 +0100 ++++ b/mpz/inp_raw.c Thu Oct 21 19:06:49 2021 +0200 +@@ -88,8 +88,11 @@ + + abs_csize = ABS (csize); + ++ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8)) ++ return 0; /* Bit size overflows */ ++ + /* round up to a multiple of limbs */ +- abs_xsize = BITS_TO_LIMBS (abs_csize*8); ++ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8); + + if (abs_xsize != 0) + { + diff --git a/meta/recipes-support/gmp/gmp_6.2.1.bb b/meta/recipes-support/gmp/gmp_6.2.1.bb index d5996abd00..7c12a97228 100644 --- a/meta/recipes-support/gmp/gmp_6.2.1.bb +++ b/meta/recipes-support/gmp/gmp_6.2.1.bb @@ -12,6 +12,7 @@ SRC_URI = "https://gmplib.org/download/${BPN}/${BP}${REVISION}.tar.bz2 \ file://use-includedir.patch \ file://0001-Append-the-user-provided-flags-to-the-auto-detected-.patch \ file://0001-confiure.ac-Believe-the-cflags-from-environment.patch \ + file://CVE-2021-43618.patch \ " SRC_URI[md5sum] = "28971fc21cf028042d4897f02fd355ea" SRC_URI[sha256sum] = "eae9326beb4158c386e39a356818031bd28f3124cf915f8c5b1dc4c7a36b4d7c"