| Message ID | 20220124065404.4062-1-flowergom@gmail.com |
|---|---|
| State | Accepted, archived |
| Commit | 5fb43ed64ae32abe4488f2eb37c1b82f97f83db0 |
| Headers | show |
| Series | [dunfell,v2] ghostscript: fix CVE-2021-45949 | expand |
On Sun, Jan 23, 2022 at 8:54 PM Minjae Kim <flowergom@gmail.com> wrote: > > Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish > (called from sampled_data_continue and interp). > > To apply the CVE-2021-45949 patch, > check-stack-limits-after-function-evalution.patch should be applied first. Unfortunately I'm getting an error with this patch: ERROR: ghostscript-9.52-r0 do_patch: Applying patch 'CVE-2021-45949.patch' on target directory '/home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/ghostscript/9.52-r0/ghostscript-9.52' Command Error: 'quilt --quiltrc /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/ghostscript/9.52-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2021-45949.patch patching file psi/zfsample.c Hunk #1 FAILED at 533. 1 out of 2 hunks FAILED -- rejects in file psi/zfsample.c Patch CVE-2021-45949.patch does not apply (enforce with -f) Steve > References: > https://nvd.nist.gov/vuln/detail/CVE-2021-45949 > > Signed-off-by: Minjae Kim <flowergom@gmail.com> > --- > .../ghostscript/CVE-2021-45949.patch | 68 +++++++++++++++++++ > ...tack-limits-after-function-evalution.patch | 51 ++++++++++++++ > .../ghostscript/ghostscript_9.52.bb | 2 + > 3 files changed, 121 insertions(+) > create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch > create mode 100644 meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch > > diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch > new file mode 100644 > index 0000000000..605155342e > --- /dev/null > +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch > @@ -0,0 +1,68 @@ > +From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001 > +From: Chris Liddell <chris.liddell@artifex.com> > +Date: Tue, 1 Jun 2021 19:57:16 +0100 > +Subject: [PATCH] Bug 703902: Fix op stack management in > + sampled_data_continue() > + > +Replace pop() (which does no checking, and doesn't handle stack extension > +blocks) with ref_stack_pop() which does do all that. > + > +We still use pop() in one case (it's faster), but we have to later use > +ref_stack_pop() before calling sampled_data_sample() which also accesses the > +op stack. > + > +Fixes: > +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 > + > +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7] > +CVE: CVE-2021-45949 > +Signed-off-by: Minjae Kim <flowergom@gmail.com> > +--- > + psi/zfsample.c | 16 ++++++++++------ > + 1 file changed, 10 insertions(+), 6 deletions(-) > + > +diff --git a/psi/zfsample.c b/psi/zfsample.c > +index 0e8e4bc8d..00cd0cfdd 100644 > +--- a/psi/zfsample.c > ++++ b/psi/zfsample.c > +@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p) > + for (j = 0; j < bps; j++) > + data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ > + } > +- pop(num_out); /* Move op to base of result values */ > + > +- /* Check if we are done collecting data. */ > ++ pop(num_out); /* Move op to base of result values */ > + > ++ /* From here on, we have to use ref_stack_pop() rather than pop() > ++ so that it handles stack extension blocks properly, before calling > ++ sampled_data_sample() which also uses the op stack. > ++ */ > ++ /* Check if we are done collecting data. */ > + if (increment_cube_indexes(params, penum->indexes)) { > + if (stack_depth_adjust == 0) > +- pop(O_STACK_PAD); /* Remove spare stack space */ > ++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ > + else > +- pop(stack_depth_adjust - num_out); > ++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out); > + /* Execute the closing procedure, if given */ > + code = 0; > + if (esp_finish_proc != 0) > +@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) > + if ((O_STACK_PAD - stack_depth_adjust) < 0) { > + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); > + check_op(stack_depth_adjust); > +- pop(stack_depth_adjust); > ++ ref_stack_pop(&o_stack, stack_depth_adjust); > + } > + else { > + check_ostack(O_STACK_PAD - stack_depth_adjust); > +- push(O_STACK_PAD - stack_depth_adjust); > ++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); > + for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) > + make_null(op - i); > + } > +-- > +2.25.1 > + > diff --git a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch > new file mode 100644 > index 0000000000..722bab4ddb > --- /dev/null > +++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch > @@ -0,0 +1,51 @@ > +From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001 > +From: Chris Liddell <chris.liddell@artifex.com> > +Date: Fri, 12 Feb 2021 10:34:23 +0000 > +Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation. > + > +During function result sampling, after the callout to the Postscript > +interpreter, make sure there is enough stack space available before pushing > +or popping entries. > + > +In thise case, the Postscript procedure for the "function" is totally invalid > +(as a function), and leaves the op stack in an unrecoverable state (as far as > +function evaluation is concerned). We end up popping more entries off the > +stack than are available. > + > +To cope, add in stack limit checking to throw an appropriate error when this > +happens. > + > +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25] > +Signed-off-by: Minjae Kim <flowergom@gmail.com> > +--- > + psi/zfsample.c | 14 +++++++++++--- > + 1 file changed, 11 insertions(+), 3 deletions(-) > + > +diff --git a/psi/zfsample.c b/psi/zfsample.c > +index 290809405..652ae02c6 100644 > +--- a/psi/zfsample.c > ++++ b/psi/zfsample.c > +@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) > + } else { > + if (stack_depth_adjust) { > + stack_depth_adjust -= num_out; > +- push(O_STACK_PAD - stack_depth_adjust); > +- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) > +- make_null(op - i); > ++ if ((O_STACK_PAD - stack_depth_adjust) < 0) { > ++ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); > ++ check_op(stack_depth_adjust); > ++ pop(stack_depth_adjust); > ++ } > ++ else { > ++ check_ostack(O_STACK_PAD - stack_depth_adjust); > ++ push(O_STACK_PAD - stack_depth_adjust); > ++ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) > ++ make_null(op - i); > ++ } > + } > + } > + > +-- > +2.25.1 > + > diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb > index 32346e6811..ac3d0dca43 100644 > --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb > +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb > @@ -39,6 +39,8 @@ SRC_URI = "${SRC_URI_BASE} \ > file://ghostscript-9.21-prevent_recompiling.patch \ > file://cups-no-gcrypt.patch \ > file://CVE-2020-15900.patch \ > + file://check-stack-limits-after-function-evalution.patch \ > + file://CVE-2021-45949.patch \ > " > > SRC_URI_class-native = "${SRC_URI_BASE} \ > -- > 2.17.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#160870): https://lists.openembedded.org/g/openembedded-core/message/160870 > Mute This Topic: https://lists.openembedded.org/mt/88642112/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch new file mode 100644 index 0000000000..605155342e --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch @@ -0,0 +1,68 @@ +From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Tue, 1 Jun 2021 19:57:16 +0100 +Subject: [PATCH] Bug 703902: Fix op stack management in + sampled_data_continue() + +Replace pop() (which does no checking, and doesn't handle stack extension +blocks) with ref_stack_pop() which does do all that. + +We still use pop() in one case (it's faster), but we have to later use +ref_stack_pop() before calling sampled_data_sample() which also accesses the +op stack. + +Fixes: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 + +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7] +CVE: CVE-2021-45949 +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + psi/zfsample.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 0e8e4bc8d..00cd0cfdd 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + for (j = 0; j < bps; j++) + data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ + } +- pop(num_out); /* Move op to base of result values */ + +- /* Check if we are done collecting data. */ ++ pop(num_out); /* Move op to base of result values */ + ++ /* From here on, we have to use ref_stack_pop() rather than pop() ++ so that it handles stack extension blocks properly, before calling ++ sampled_data_sample() which also uses the op stack. ++ */ ++ /* Check if we are done collecting data. */ + if (increment_cube_indexes(params, penum->indexes)) { + if (stack_depth_adjust == 0) +- pop(O_STACK_PAD); /* Remove spare stack space */ ++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ + else +- pop(stack_depth_adjust - num_out); ++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out); + /* Execute the closing procedure, if given */ + code = 0; + if (esp_finish_proc != 0) +@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + if ((O_STACK_PAD - stack_depth_adjust) < 0) { + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); + check_op(stack_depth_adjust); +- pop(stack_depth_adjust); ++ ref_stack_pop(&o_stack, stack_depth_adjust); + } + else { + check_ostack(O_STACK_PAD - stack_depth_adjust); +- push(O_STACK_PAD - stack_depth_adjust); ++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); + for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) + make_null(op - i); + } +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch new file mode 100644 index 0000000000..722bab4ddb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch @@ -0,0 +1,51 @@ +From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Fri, 12 Feb 2021 10:34:23 +0000 +Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation. + +During function result sampling, after the callout to the Postscript +interpreter, make sure there is enough stack space available before pushing +or popping entries. + +In thise case, the Postscript procedure for the "function" is totally invalid +(as a function), and leaves the op stack in an unrecoverable state (as far as +function evaluation is concerned). We end up popping more entries off the +stack than are available. + +To cope, add in stack limit checking to throw an appropriate error when this +happens. + +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25] +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + psi/zfsample.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 290809405..652ae02c6 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + } else { + if (stack_depth_adjust) { + stack_depth_adjust -= num_out; +- push(O_STACK_PAD - stack_depth_adjust); +- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) +- make_null(op - i); ++ if ((O_STACK_PAD - stack_depth_adjust) < 0) { ++ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); ++ check_op(stack_depth_adjust); ++ pop(stack_depth_adjust); ++ } ++ else { ++ check_ostack(O_STACK_PAD - stack_depth_adjust); ++ push(O_STACK_PAD - stack_depth_adjust); ++ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) ++ make_null(op - i); ++ } + } + } + +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 32346e6811..ac3d0dca43 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -39,6 +39,8 @@ SRC_URI = "${SRC_URI_BASE} \ file://ghostscript-9.21-prevent_recompiling.patch \ file://cups-no-gcrypt.patch \ file://CVE-2020-15900.patch \ + file://check-stack-limits-after-function-evalution.patch \ + file://CVE-2021-45949.patch \ " SRC_URI_class-native = "${SRC_URI_BASE} \
Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp). To apply the CVE-2021-45949 patch, check-stack-limits-after-function-evalution.patch should be applied first. References: https://nvd.nist.gov/vuln/detail/CVE-2021-45949 Signed-off-by: Minjae Kim <flowergom@gmail.com> --- .../ghostscript/CVE-2021-45949.patch | 68 +++++++++++++++++++ ...tack-limits-after-function-evalution.patch | 51 ++++++++++++++ .../ghostscript/ghostscript_9.52.bb | 2 + 3 files changed, 121 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch