CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat

Resolves: CVE-2021-45960
This commit is contained in:
Tomas Korbar 2022-02-10 13:59:03 +01:00
parent d183ecbb95
commit 21e8e5c32d
3 changed files with 68 additions and 2 deletions

View File

@ -0,0 +1,59 @@
From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 27 Dec 2021 20:15:02 +0100
Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
storeAtts (CVE-2021-45960)
---
expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index d730f41c3..b47c31b05 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
if (nPrefixes) {
int j; /* hash table index */
unsigned long version = parser->m_nsAttsVersion;
- int nsAttsSize = (int)1 << parser->m_nsAttsPower;
+
+ /* Detect and prevent invalid shift */
+ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
+ return XML_ERROR_NO_MEMORY;
+ }
+
+ unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
unsigned char oldNsAttsPower = parser->m_nsAttsPower;
/* size of hash table must be at least 2 * (# of prefixed attributes) */
if ((nPrefixes << 1)
@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
;
if (parser->m_nsAttsPower < 3)
parser->m_nsAttsPower = 3;
- nsAttsSize = (int)1 << parser->m_nsAttsPower;
+
+ /* Detect and prevent invalid shift */
+ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
+ /* Restore actual size of memory in m_nsAtts */
+ parser->m_nsAttsPower = oldNsAttsPower;
+ return XML_ERROR_NO_MEMORY;
+ }
+
+ nsAttsSize = 1u << parser->m_nsAttsPower;
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+ * from -Wtype-limits on platforms where
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
+ /* Restore actual size of memory in m_nsAtts */
+ parser->m_nsAttsPower = oldNsAttsPower;
+ return XML_ERROR_NO_MEMORY;
+ }
+#endif
+
temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
nsAttsSize * sizeof(NS_ATT));
if (! temp) {

View File

@ -3,7 +3,7 @@
Summary: An XML parser library Summary: An XML parser library
Name: expat Name: expat
Version: %(echo %{unversion} | sed 's/_/./g') Version: %(echo %{unversion} | sed 's/_/./g')
Release: 7%{?dist} Release: 8%{?dist}
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
URL: https://libexpat.github.io/ URL: https://libexpat.github.io/
License: MIT License: MIT
@ -12,6 +12,7 @@ BuildRequires: make
Patch0: expat-2.2.10-prevent-integer-overflow-in-doProlog.patch Patch0: expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch
Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
Patch3: expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
%description %description
This is expat, the C library for parsing XML, written by James Clark. Expat This is expat, the C library for parsing XML, written by James Clark. Expat
@ -42,6 +43,8 @@ Install it if you need to link statically with expat.
%patch0 -p1 -b .CVE-2022-23990 %patch0 -p1 -b .CVE-2022-23990
%patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827 %patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
%patch2 -p1 -b .CVE-2021-46143 %patch2 -p1 -b .CVE-2021-46143
%patch3 -p1 -b .CVE-2021-45960
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
./buildconf.sh ./buildconf.sh
@ -78,6 +81,10 @@ make check
%{_libdir}/lib*.a %{_libdir}/lib*.a
%changelog %changelog
* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-8
- CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
- Resolves: CVE-2021-45960
* Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-7 * Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-7
- CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
- Resolves: CVE-2021-46143 - Resolves: CVE-2021-46143

View File

@ -44,7 +44,7 @@ rlJournalStart
for i in `seq -w $COUNT`; do for i in `seq -w $COUNT`; do
rlRun "dd if=/dev/urandom of=file$i.xml bs=1024 count=100" \ rlRun "dd if=/dev/urandom of=file$i.xml bs=1024 count=100" \
0 "Creating file$i.xml with random content" 0 "Creating file$i.xml with random content"
if ! rlRun "xmlwf file$i.xml"; then if ! rlRun "xmlwf file$i.xml" 0,2; then
rlFileSubmit "file$i.xml" rlFileSubmit "file$i.xml"
fi fi
done done